Network+
Guide to Networks, Chapter 11 Review
Network Security
In the early days of computing, when secured mainframes acted as central
hosts and data repositories were accessed only by dumb terminals with limited
rights, network security was all but unassailable. As networks have become more
geographically distributed and heterogeneous, however, the risk of their misuse
has also increased. Consider the largest, most heterogeneous network in
existence: the Internet. Because it contains millions of points of entry,
millions of servers, and millions of miles of transmission paths, it leads to
millions of attacks on private networks every day. The threat of an outsider
accessing an organization’s network via the Internet, and then stealing or
destroying data is very real. In this chapter, you will learn about numerous
threats to your network’s data and infrastructure, how to manage those
vulnerabilities, and, perhaps most important, how to convey the importance of network
security to the rest of your organization through an effective security policy.
If you choose to specialize in network security, consider attaining CompTIA’s
Security+ certification, which requires deeper knowledge of the topics covered
in this chapter.
Security Assessment
Before spending time and money on network security, you should examine
your network’s security risks. As you learn about each risk facing your
network, consider the effect that a loss or breach of data, programs, or access
would have on your network. The more serious the potential consequences, the
more attention you need to pay to the security of your network. Different types
of organizations have different levels of network security risk. For example,
if you work for a large savings and loan institution that allows its clients to
view their current loan status online, you must consider a number of risks
associated with data and access. If someone obtained unauthorized access to
your network, all of your customers’ personal financial data could be
vulnerable. On the other hand, if you work for a local car wash that uses its
internal LAN only to track assets and sales, you may be less concerned if
someone gains access to your network because the implications of unauthorized
access to your data are less dire. When considering security risks, the
fundamental s are: “What is at risk?” and “What do I stand to lose if it is
stolen, damaged, or eradicated?” Every organization should assess its security
risks by conducting a posture assessment, which is a thorough examination of each
aspect of the network to determine how it might be compromised. Posture
assessments should be performed at least annually and preferably quarterly. They
should also be performed after making any significant changes to the network.
For each threat listed in the following sections, your posture assessment
should rate the severity of its potential effects, as well as its likelihood. A
threat’s consequences may be severe, potentially resulting in a network outage
or the dispersal of top-secret information, or it may be mild, potentially
resulting in a lack of access for one user or the dispersal of a relatively
insignificant piece of corporate data. The more devastating a threat’s effects
and the more likely it is to happen, the more rigorously your security measures
should address it. If your IT Department has sufficient skills and time for
routine posture assessments, they can be performed in-house.
A qualified consulting company can also assess the security of your network.
If the company is accredited by an agency that sets network security standards,
the assessment qualifies as a security audit. Certain customers—for example, a
military agency—might require your company to pass an accredited security audit
before they’ll do business with you. Regulators require some types of
companies, such as accounting firms, to host periodic security audits. But even
if an audit is optional, the advantage of having an objective third party
analyze your network is that he might find risks that you overlooked because of
your familiarity with your environment. Security audits might seem expensive,
but if your network hosts confidential and critical data, they are well worth
the cost. In the next section, you will learn about security risks associated
with people, hardware, software, and Internet access.
Security Risks
To understand how
to manage network security, you first need to know how to recognize threats
that your network could suffer. And to do that, you must be familiar with the terms
coined by network security experts. A hacker, in the original sense of the
word, is someone who masters the inner workings of computer hardware and
software in an effort to better understand them. To be called a hacker used to
be a compliment, reflecting extraordinary computer skills. Today, hacker is
used more generally to describe individuals who gain unauthorized access to
systems or networks with or without malicious intent. A weakness of a system,
process, or architecture that could lead to compromised information or
unauthorized access is known as a vulnerability. The means of taking advantage
of a vulnerability is known as an exploit. For example, in Chapter 8 you
learned about the possibility for unauthorized, or rogue, access points to make
themselves available to wireless clients. Once unsuspecting clients associate
with such access points, the hacker can steal data in transit or access
information on the client’s system. When the rogue access point masquerades as
a valid access point, using the same SSID (service set identifier) and potentially
other identical settings, the exploit is known as the evil twin. This exploit
takes advantage of a vulnerability inherent in wireless communications in which
SSIDs are openly broadcast and Wi-Fi clients scan for connections. A zero-day
exploit is one that takes advantage of a software vulnerability that hasn’t yet
become public, and is known only to the hacker who discovered it. Zero-day
exploits are particularly dangerous because the vulnerability is exploited
before the software developer has the opportunity to provide a solution for it.
Most vulnerabilities, however, are well known. Throughout this chapter, you
will learn about several kinds of exploits and how to prevent or counteract
security threats. As you read about each vulnerability, think about how it
could be prevented, whether it applies to your network (and if so, how damaging
it might be), and how it relates to other security threats. Keep in mind that
malicious and determined intruders may use one technique, which then allows
them to use a second technique, which then allows them to use a third
technique, and so on. For example, a hacker might discover someone’s username
by watching her log on to the network; the hacker might then use a password cracking
program to access the network, where he might plant a program that generates an
extraordinary volume of traffic that essentially disables the network’s
connectivity devices.
Risks Associated with People
By some estimates,
human errors, ignorance, and omissions cause more than half of all security
breaches sustained by networks. One of the most common methods by which an
intruder gains access to a network is to simply ask users for their passwords.
For example, the intruder might pose as a technical support analyst who needs to
know the password to troubleshoot a problem. This strategy is commonly called
social engineering because it involves manipulating social relationships to
gain access. A related practice is phishing, in which a person attempts to
glean access or authentication information by posing as someone who needs that
information. For example, a hacker might send an e-mail asking you to submit your
user ID and password to a Website, whose link is provided in the message,
claiming that it’s necessary to verify your account with a particular online
retailer. Following are some additional risks associated with people:
·
Intruders or attackers using social engineering or snooping to
obtain user passwords.
·
An administrator incorrectly creating or configuring user IDs,
groups, and their associated rights on a file server, resulting in file and
logon access vulnerabilities.
·
Network administrators overlooking security flaws in topology or
hardware configuration.
·
Network administrators overlooking security flaws in the
operating system or application configuration.
·
Lack of proper documentation and communication of security
policies, leading to deliberate or inadvertent misuse of files or network
access.
·
Dishonest or disgruntled employees abusing their file and access
rights.
·
An unused computer or terminal being left logged on to the
network, thereby providing an entry point for an intruder.
·
Users or administrators choosing easy-to-guess passwords.
·
Authorized staff leaving computer room doors open or unlocked,
allowing unauthorized individuals to enter.
·
Staff discarding disks or backup tapes in public waste
containers.
·
Administrators neglecting to remove access and file rights for
employees who have left the organization.
·
Vendors or business partners who are granted temporary access to
private networks.
·
Users writing their passwords on paper, then placing the paper
in an easily accessible place (for example, taping it to a monitor or keyboard)
Human errors
account for so many security breaches because taking advantage of them is often
an easy way to circumvent network security.
Risks Associated with Transmission and
Hardware
This section
describes security risks inherent in the Physical, Data Link, and Network
layers of the OSI model. Recall that the transmission media, NICs, network
access methods (for example, Ethernet), switches, routers, access points, and
gateways reside at these layers. At these levels, security breaches require
more technical sophistication than those that take advantage of human errors.
For instance, to eavesdrop on transmissions passing through a switch, an intruder
must use a device such as a protocol analyzer, connected to one of the switch’s
ports. In the middle layers of the OSI model, it is somewhat difficult to
distinguish between hardware and software techniques. For example, because a
router acts to connect one type of network to another, an intruder might take
advantage of the router’s security flaws by sending a flood of TCP/IP
transmissions to the router, thereby disabling it from carrying legitimate
traffic. The following risks are inherent in network hardware and design:
·
Transmissions can be intercepted. One type of attack that relies
on intercepted transmissions is known as a man-in-the-middle attack. It can
take one of several forms, but in all cases a person redirects or captures
secure transmissions as they occur. For example, in the case of an evil twin
attack, a hacker could intercept transmissions between clients and the rogue
access point, and, for instance, learn users’ passwords or even supply users
with a phony Web site that looks valid but presents clickable options capable
of harming their systems.
·
Networks that use leased public lines, such as T1 or DSL
connections to the Internet, are vulnerable to eavesdropping at a building’s
demarc (demarcation point), at a remote switching facility, or in a central
office.
·
Repeating devices broadcast traffic over the entire segment,
thus making transmissions more widely vulnerable to sniffing. By contrast,
switches provide logical point-to-point communications, which limit the
availability of data transmissions to the sending and receiving nodes. Still,
intruders could physically connect to a switch or router and intercept the
traffic it receives and forwards.
·
Unused switch, router, or server ports can be exploited and
accessed by hackers if they are not disabled. A router’s configuration port,
accessible by Telnet, might not be adequately secured. Network administrators
can test how vulnerable their servers, routers, switches, and other devices are
by using a port scanner, or software that searches the node for open ports. The
network administrator can then secure those ports revealed by the scan to be
vulnerable. Later in this chapter, you’ll learn about port scanning tools.
·
If routers are not properly configured to mask internal subnets,
users on outside networks (such as the Internet) can read the private
addresses.
·
If routers aren’t configured to drop packets that match certain,
suspicious characteristics, they are more vulnerable to attack.
·
Access servers used by remote users might not be carefully
secured and monitored.
·
Computers hosting very sensitive data might coexist on the same
subnet with computers open to the general public.
·
Passwords for switches, routers, and other devices might not be
sufficiently difficult to guess, changed frequently, or worse, might be left at
their default value.
Imagine that a
hacker wants to bring a library’s database and mail servers to a halt. Suppose also
that the library’s database is public and can be searched by anyone on the Web.
The hacker might begin by scanning ports on the database server to determine
which ones have no protection. If she found an open port on the database
server, the hacker might connect to the system and deposit a program that would,
a few days later, damage operating system files. Or, she could launch a heavy
stream of traffic that overwhelms the database server and prevents it from
functioning. She might also use her newly discovered access to determine the root
password on the system, gain access to other systems, and launch a similar
attack on the library’s mail server, which is attached to the database server.
In this way, even a single mistake on one server (not protecting an open port)
can open vulnerabilities on multiple systems.
Risks Associated with Protocols and
Software
Like hardware,
networked software is only as secure as you configure it to be. This section describes
risks inherent in the higher layers of the OSI model, such as the Transport,
Session, Presentation, and Application layers. As noted earlier, the
distinctions between hardware and software risks are somewhat blurry because
protocols and hardware operate in tandem. For example, if a router is
improperly configured, a hacker could exploit the openness of TCP/IP to gain
access to a network. NOSs (network operating systems) and application software present
different risks.
In many cases,
their security is compromised by a poor understanding of file access rights or
simple negligence in configuring the software. Remember— even the best
encryption, computer room door locks, security policies, and password rules make
no difference if you grant the wrong users access to critical data and
programs. The following are some risks pertaining to networking protocols and
software:
·
Certain TCP/IP protocols are inherently insecure. For example,
IP addresses can be falsified, checksums can be thwarted, UDP requires no
authentication, and TCP requires only weak authentication. FTP is notorious for
its vulnerabilities. In a famous exploit, FTP bounce, hackers take advantage of
this insecure protocol. When a client running an FTP utility requests data from
an FTP server, it specifies an IP address and port number for the data’s
destination. Normally, the client specifies its own IP address. However, it is
possible for the client to specify any port on any host’s IP address. By
commanding the FTP server to connect to a different computer, a hacker can scan
the ports on other hosts and transmit malicious code. To thwart FTP bounce
attacks, most modern FTP servers will not issue data to hosts other than the
client that originated the request.
·
Trust relationships between one server and another might allow a
hacker to access the entire network because of a single flaw.
·
NOSs might contain “back doors” or security flaws that allow
unauthorized users to gain access to the system. Unless the network
administrator performs regular updates, a hacker may exploit these flaws.
·
Buffer overflow is a vulnerability in all operating systems.
Buffers, which temporarily store information in memory, are not strictly
limited to the areas allocated to them on the hard disk. Someone who wants to
harm a system can write a program that forces the buffer’s size beyond its
allotted space and saves data into adjacent memory areas. In this way, the
malicious program can change the way the computer operates.
·
If the NOS allow server operators to exit to a command prompt,
intruders could run destructive command-line programs.
·
Administrators might accept the default security options after
installing an operating system or application. Often, defaults are not optimal.
For example, the default username that enables someone to modify anything in
Windows Server 2008 R2 is called Administrator. This default is well known, so
if you leave the default username as Administrator, you have given a hacker
half the information he needs to access and obtain full rights to your system.
·
Transactions that take place between applications, such as
databases and Web-based forms, might allow interception.
To understand the
risks that arise when an administrator accepts the default settings associated with
a software program, consider the following scenario. Imagine that you have
invited a large group of computer science students to tour your IT Department.
While you’re in the computer room talking about subnetting, a bored student
standing next to a Windows 7 workstation that is logged on to the network
decides to find out which programs are installed on the workstation. He
discovers that this workstation has the SQL Server administrator software
installed. Your organization uses a SQL Server database to hold all of your employees’
salaries, addresses, and other confidential information. The student knows a
little about SQL Server, including the facts that the default administrator
user ID is called sa, and that, by default, no password is created for this ID
when someone installs SQL Server. He tries connecting to your SQL Server
database with the sa user ID and no password.
Because you
accepted the defaults for the program during its installation, within seconds
the student is able to gain access to your employees’ information. He could
then change, delete, or steal any of the data.
Risks Associated with Internet Access
Although the
Internet has brought computer crime, such as hacking, to the public’s
attention, network security is more often compromised “from the inside” than
from external sources. Nevertheless, the threat of outside intruders is very
real. Users need to be careful when they connect to the Internet. Even the most
popular Web browsers sometimes contain bugs that permit scripts to access their
systems while they’re connected to the Internet, potentially for the purpose of
causing damage. Users must also be careful about providing information while
browsing the Web. Some sites will capture that information to use when
attempting to break into systems. Bear in mind that hackers are creative and
typically revel in devising new ways of breaking into systems. As a result, new
Internet-related security threats arise frequently. By keeping software
current, staying abreast of emerging security threats, and designing your
Internet access wisely, users can prevent most of these threats. Common
Internet-related security issues include the following:
·
A firewall may not provide adequate protection if it is
configured improperly. For example, it may allow outsiders to obtain internal
IP addresses, and then use those addresses to pretend that they have authority
to access your internal network from the Internet—a process called IP spoofing.
Alternately, a firewall may not be configured correctly to perform even its
simplest function, which is preventing unauthorized packets from entering the
LAN from outside. (You will learn more about firewalls later in this chapter.)
Correctly configuring a firewall is one of the best means to protect your
internal LAN from Internet-based attacks.
·
When a user Telnets or FTPs to your site over the Internet, her
user ID and password are transmitted in plain text—that is, unencrypted. Anyone
monitoring the network (that is, running a network monitor program or a hacking
program specially designed to capture logon data) can pick up the user ID and
password and use it to gain access to the system.
·
Hackers may obtain information about your user ID from
newsgroups, mailing lists, or forms you have filled out on the Web.
·
While users remain logged on to Internet chat sessions, they may
be vulnerable to other Internet users who might send commands to their machines
that cause the screen to fill with garbage characters and require them to
terminate their chat sessions. This type of attack is called flashing.
·
After gaining access to your system through the Internet, a
hacker may launch denial-of-service attacks. A denial-of-service attack occurs
when a system becomes unable to function because it has been inundated with
requests for services and can’t respond to any of them. As a result, all data
transmissions are disrupted. This incursion is a relatively simple attack to
launch (for example, a hacker could create a looping program that sends
thousands of e-mail messages to your system per minute). One specific type of
denial-of-service attack, known as a smurf attack, occurs when a hacker issues
a flood of broadcast ping messages. In this case, the originating source
address of the attack is spoofed to appear as a known host on the network.
Because it’s a broadcast transmission, all hosts on the subnet receive the ping
messages and then generate more ICMP traffic by responding to it.
Denial-of-service attacks can also result from malfunctioning software.
Regularly upgrading software is essential to maintaining network security.
Now that you
understand the variety of risks facing networks, you are ready to learn about policies
that help mitigate these risks.
An Effective Security Policy
Network
security breaches can be initiated from within an organization, and many depend
on human errors. This section describes how to minimize the risk of break-ins
by communicating with and managing the users in your organization via a
thoroughly planned security policy. A security policy identifies your security
goals, risks, levels of authority, designated security coordinator and team
members, responsibilities for each team member, and responsibilities for each
employee. In addition, it specifies how to address security breaches. It should
not state exactly which hardware, software, architecture, or protocols will be
used to ensure security, nor how hardware or software will be installed and
configured. These details change from time to time and should be shared only
with authorized network administrators or managers.
Security Policy Goals
Before
drafting a security policy, you should understand why the security policy is
necessary and how it will serve your organization. Typical goals for security
policies are as follows:
·
Ensure that authorized users have appropriate
access to the resources they need.
·
Prevent unauthorized users from gaining
access to the network, systems, programs, or data.
·
Protect sensitive data from unauthorized
access, both from within and from outside the organization.
·
Prevent accidental damage to hardware or
software.
·
Prevent intentional damage to hardware or
software.
·
Create an environment in which the network
and systems can withstand and, if necessary, quickly respond to and recover
from any type of threat.
·
Communicate each employee’s responsibilities
with respect to maintaining data integrity and system security.
A
company’s security policy need not pertain exclusively to computers or
networks. For example, it might state that each employee must shred paper files
that contain sensitive data or that each employee is responsible for signing in
his or her visitors at the front desk and obtaining a temporary badge for them.
Noncomputer related aspects of security policies are beyond the scope of this chapter,
however. After defining the goals of your security policy, you can devise a
strategy to attain them. First, you might form a committee composed of managers
and interested parties from a variety of departments, in addition to your
network administrators. The more decision-making people you can involve, the
more supported and effective your policy will be. This committee can assign a
security coordinator, who will then drive the creation of a security policy. To
increase the acceptance of your security policy in your organization, tie
security measures to business needs and clearly communicate the potential
effects of security breaches. For example, if your company sells clothes over
the Internet and a two-hour outage (as could be caused by a hacker who uses IP
spoofing to gain control of your systems) could cost the company $1 million in
lost sales, make certain that users and managers understand this fact. If they
do, they are more likely to embrace the security policy. A security policy must
address an organization’s specific risks.
To
understand your risks, you should conduct a posture assessment that identifies
vulnerabilities and rates both the severity of each threat and its likelihood
of occurring, as described earlier in this chapter. After risks are identified,
the security coordinator should assign one person the responsibility for
addressing that threat.
Security Policy Content
After
you have identified risks and assigned responsibilities for managing them, you
are ready to outline the policy’s content. Subheadings for the policy outline
might include the following: Password policy, Software installation policy,
Confidential and sensitive data policy, Network access policy, E-mail use
policy, Internet use policy, Remote access policy, Policies for connecting to
customers’ and vendors’ networks, Policies for use of personal smartphones and
laptops, and Computer room access policy. Although compiling all of this
information might seem daunting, the process ensures that everyone understands
the organization’s stance on security and the reasons it is so important. The
security policy should explain to users what they can and cannot do and how
these measures protect the network’s security. A section aimed at users might
organize security rules according to the particular function or part of the
network to which they apply. This approach makes the policy easier for users to
read and understand; it also prevents them from having to read through the
entire document. For example, in the “Passwords” section, guidelines might
include “Users may not share passwords with friends or relatives, “users must
choose passwords that exceed ten characters and are composed of both letters
and numbers,” and “users should choose passwords that bear no resemblance to a
spouse’s name, pet’s name, birth date, anniversary, or other widely available
information.” A security policy should also define what confidential means to the
organization. In general, information is confidential if it could be used by
other parties to impair an organization’s functioning, decrease customers’
confidence, cause a financial loss, damage an organization’s status, or give a significant
advantage to a competitor. However, if you work in an environment such as a
hospital, where most data is sensitive or confidential, your security policy should
classify information in degrees of sensitivity that correspond to how strictly
its access is regulated. For example, top-secret data may be accessible only by
the organization’s CEO and vice presidents, whereas confidential data may be
accessible only to those who must modify or create it (for example, doctors or
hospital accountants).
Response Policy
Finally,
a security policy should provide for a planned response in the event of a
security breach. The response policy should identify the members of a response
team, all of who should clearly understand the security policy, risks, and
measures in place. Each team member should accept a role with certain
responsibilities. The security response team should regularly rehearse their
defense by participating in a security threat drill. Suggested team roles
include the following:
Dispatcher—The person on call who first notices or is alerted to the
problem. The dispatcher notifies the lead technical support specialist and then
the manager. He also creates a record for the incident, detailing the time it
began, its symptoms, and any other pertinent information about the situation.
The dispatcher remains available to answer calls from clients or employees or
to assist the manager.
Manager—This team member coordinates the resources necessary to
solve the problem. If in-house technicians cannot handle the break-in, the manager
finds outside assistance. The manager also ensures that the security policy is
followed and that everyone within the organization is aware of the situation.
As the response ensues, the manager continues to monitor events and communicate
with the public relations specialist.
Technical
support specialist—This team member
focuses on only one thing: solving the problem as quickly as possible. After
the situation has been resolved, the technical support specialist describes in
detail what happened and helps the manager find ways to avert such an incident
in the future. Depending on the size of the organization and the severity of
the incident, this role may be filled by more than one person.
Public
relations specialist—If necessary, this
team member learns about the situation and the response and then acts as
official spokesperson for the organization to the public.
After
resolving a problem, the team reviews what happened, determines how it might
have been prevented, and then implements those measures to prevent future
problems. A security policy alone can’t guard against intruders. Network
administrators must also attend to physical, network design, and NOS
vulnerabilities, as described in the following sections.
Physical Security
An
important element in network security is restricting physical access to its
components. Only trusted networking staff should have access to secure computer
rooms, telco rooms, wiring closets, storage rooms, entrance facilities, and
locked equipment cabinets. Furthermore, only authorized staff should have
access to the premises, such as offices and data centers, where these rooms are
located. If computer rooms are not locked, intruders may steal equipment or
sabotage software or hardware. For example, a malicious visitor could slip into
an unsecured computer room and take control of a server where an administrator
is logged on, then steal data or reformat the server’s hard disk. Although a
security policy defines who has access to the computer room, locking the
locations that house networking equipment is necessary to keep unauthorized
individuals out. Locks may be either physical or electronic. Many large
organizations require authorized employees to wear electronic access badges.
These badges can be programmed to allow their owner access to some, but not
all, rooms in a building. Figure 11-1 on page 504, depicts a typical badge access
security system. A less-expensive alternative to the electronic badge access
system consists of locks that require entrants to punch a numeric code to gain
access. For added security, these electronic locks can be combined with key
locks. A more-expensive solution involves biorecognition access in which a
device scans an individual’s unique physical characteristics, such as the color
patterns in her iris or the geometry of her hand, to verify her identity. On a
larger scale, organizations may regulate entrance through physical barriers to
their campuses, such as gates, fences, walls, or landscaping. Many IT
departments also use closed-circuit TV systems to monitor activity in secured
rooms. Surveillance cameras can be placed in data centers, computer rooms,
telco rooms, and data storage areas, as well as facility entrances. A central
security office might display several camera views at once, or it might switch
from camera to camera. The video footage generated from these cameras is
usually saved for a time in case it’s needed in a security breach investigation
or prosecution. As with other security measures, the most important way to
ensure physical security is to plan for it. You can begin your planning by
asking s related to physical security checks in your security audit. Relevant s
include the following:
·
Which rooms contain critical systems or data
and must be secured?
·
Through what means might intruders gain
access to the facility, computer room, telecommunications room, wiring closet,
or data storage areas (including doors, windows, adjacent rooms, ceilings,
temporary walls, hallways, and so on)?
·
How and to what extent are authorized
personnel granted entry? (Do they undergo background or reference checks? Is
their need for access clearly justified? Are their hours of access restricted?
Who ensures that lost keys or ID badges are reported?)
·
Are employees instructed to ensure security
after entering or leaving secured areas (for example, by not propping open
doors)?
·
Are authentication methods (such as ID
badges) difficult to forge or circumvent?
·
Do supervisors or security personnel make
periodic physical security checks?
·
Are all combinations, codes, or other access
means to computer facilities protected at all times, and are these combinations
changed frequently?
·
Do you have a plan for documenting and
responding to physical security breaches?
Also
consider what you might stand to lose if someone salvaged computers you
discarded. To guard against the threat of information being stolen from a
decommissioned hard disk, you can run a specialized disk sanitizer program to
not only delete the hard drive’s contents but also make file recovery
impossible. Alternatively, you can remove the disk from the computer and erase
its contents using a magnetic hard disk eraser. Some security professionals
even advise physically destroying a disk by pulverizing or melting it to be
certain data is unreadable.
Security in Network Design
Addressing
physical access to hardware and connections is just one part of a comprehensive
security approach. Even if you restrict access to computer rooms, teach
employees how to select secure passwords, and enforce a security policy,
breaches may still occur due to poor LAN or WAN design. In this section, you
will learn how to address some security risks via intelligent network design. Preventing
external security breaches from affecting your network is a matter of restricting
access at every point where your LAN connects to the rest of the world. This
principle forms the basis of hardware- and design-based security.
Router Access Lists
Before
a hacker on another network can gain access to files on your network’s server,
he must traverse a switch or router. Although devices such as firewalls,
described later in this chapter, provide more tailored security, manipulating
switch and router configurations affords a small degree of security. This
section describes a fundamental way to control traffic through routers. A
router’s main function is to examine packets and determine where to direct them
based on their Network layer addressing information. Thanks to a router’s ACL
(access control list, also known as an access list), routers can also decline
to forward certain packets. An ACL instructs the router to permit or deny
traffic according to one or more of the following variables:
·
Network layer protocol (for example, IP or
ICMP)
·
Transport layer protocol (for example, TCP or
UDP)
·
Source IP address
·
Source netmask
·
Destination IP address
·
Destination netmask
·
TCP or UDP port number
Each
time a router receives a packet, it examines the packet and refers to its ACL
to determine whether the packet meets criteria for permitting or denying travel
on the network. If a packet’s characteristics match a variable that’s flagged
as “deny” in the ACL, the router drops the packet. If the packet’s
characteristics match a variable that’s flagged as “permit,” it forwards the
packet.
An
access list may contain many different statements. For example, it might
include a statement to deny all traffic from source addresses whose netmask is
255.255.255.255 and another statement to deny all traffic destined for TCP port
23. Or it might include a statement to permit access to a console port from a
certain subnet that is reserved for use by network administrators. On most
routers, each interface must be assigned a separate ACL. In addition, different
ACLs may be associated with inbound and outbound traffic. Naturally, the more
statements a router must scan (in other words, the longer the ACL), the more
time it takes a router to act, and, therefore, the slower the router’s overall
performance. An access list is not included on a router by default. If you install
a router and do not create an ACL, you are allowing any kind of traffic to go
in or out of that router. Once you create an ACL and assign it to an interface,
you have explicitly permitted or denied certain types of traffic. Furthermore,
any traffic that you do not explicitly permit in the ACL is implicitly denied. An
example of an access list configuration command that will allow traffic from
users outside the LAN to pass through a Cisco router and access a Web server
whose IP address is 10.250.1.10 is: permit tcp any host 10.250.1.10 any eq www.
The command’s syntax begins with a permit or deny statement (permit), followed
by the Transport layer protocol (TCP), the source IP address (any), the
destination’s IP address (10.250.1.10), the source port number ( any), and the
destination’s port number (eq www, which means the Web port 80).
Intrusion Detection and Prevention
Although
a router’s access list can block certain types of traffic, a more proactive
security measure involves detecting suspicious network activity. In the world
outside of computer networks, a business owner might install closed-circuit TV
cameras above her business’s entrance and electrical sensors on its doors to
monitor attempts to enter the building. Similarly, a network administrator
might use techniques to monitor and flag any unauthorized attempt to access an
organization’s secured network resources using an IDS (intrusion-detection
system). An IDS exists as software running on a single computer, such as a
server, or on a connectivity device, such as a switch. IDS that runs on a
single computer, such as a client or server, and that has access to and allows
access from the Internet, is known as HIDS (host-based intrusion detection).
Intrusion detection that occurs on devices that are situated at the edge of the
network or that handle aggregated traffic is known as NIDS (network-based
intrusion detection). The most thorough security combines HIDS and NIDS to
detect a wider scope of threats and provide multiple levels of defense. For example,
an HIDS might detect an attempt to exploit an insecure application that an NIDS
missed. Major vendors of networking hardware, such as Cisco, HP, Juniper
Networks, and Lucent sell IDS devices. Examples of popular open source IDS
software, which can run on virtually any network-connected machine, include
Tripwire and Snort. One technique that an IDS may use to monitor traffic
traveling carried by a switch is port mirroring. In port mirroring, one port is
configured to send a copy of all its traffic to a second port on the switch.
The second port issues the copied traffic to a monitoring program. IDS software
can be configured to detect many types of suspicious traffic patterns,
including those typical of denial-of-service or smurf attacks, for example. For
detecting unauthorized attempts to access a network, its sensors are installed
at the edges of the network, the places where a protected, internal network
intersects with a public network. A network’s protective perimeter is known as
the DMZ, or demilitarized zone. Alternately, an IDS can operate on a host to
monitor suspicious attempts to log on or access the host’s resources. One
drawback to using an IDS at a network’s DMZ is the number of false positives it
can log. For instance, it might interpret multiple logon attempts of a
legitimate user who’s forgotten his password as a security threat. If the IDS
is configured to alert the network manager each time such an event occurs, the
network manager might be overwhelmed with such warnings and eventually ignore
all the IDS’s messages.
Therefore,
to be useful, IDS software must be thoughtfully customized. In addition, to
continue to guard against new threats, IDS software must be updated and rules
of detection reevaluated regularly. Although an IDS can only detect and log
suspicious activity, an IPS (intrusion-prevention system) can react when
alerted to such activity. For example, if a hacker’s attempt to flood the network
with traffic is detected, the IPS can detect the threat and prevent that
traffic, based on its originating IP address, from flowing to the network.
Thereafter the IPS will quarantine that malicious user. At the same time, the
IPS continues to allow valid traffic to pass. As with IDS, an IPS can protect
entire networks through NIPS (network-based intrusion prevention) or only
certain hosts, through HIPS (host-based intrusion prevention). Using NIPS and
HIPS together increases the network’s security. For example, an HIDS running on
a file server might accept a hacker’s attempt to log on if the hacker is posing
as a legitimate client. With the proper NIDS, however, such a hacker would
likely never get to the server. Many vendors sell devices that integrate both
IDS and IPS functions. As with an IDS, an IPS must be carefully configured to
avoid an abundance of false alarms. Figure 11-2 on page 508, illustrates the
placement of an IDS/IPS device on a private network that’s connected to the
Internet. Note that such a device may be positioned between the firewall and the
external network, as shown in Figure 11-2, or behind the firewall. This is an
example of NIDS/NIPS. An IDS/IPS software running on the server or one of the
clients within the internal LAN would be an example of HIDS/HIPS. Intrusion-prevention
systems were originally designed as a more comprehensive traffic analysis and
protection tool than firewalls, which are discussed next. However, firewalls
have evolved, and as a result, the differences between a firewall and an IPS
have diminished.
Firewalls
A
firewall is a specialized device, or a computer installed with specialized
software, that selectively filters or blocks traffic between networks. A
firewall typically involves a combination of hardware and software. The
computer acting as a firewall may reside between two interconnected private
networks or, more typically, between a private network and a public network
(such as the Internet), as shown in Figure 11-3 on page 508. This is an example
of a network-based firewall, so named because it protects an entire network.
Figure
11-4 on page 509 shows a firewall designed for use in a business with many
users. Other types of firewalls, known as host-based firewalls, only protect
the computer on which they are installed. Many types of firewalls exist, and
they can be implemented in many different ways. To understand secure network
design and to qualify for Network+ certification, you should recognize which
functions firewalls can provide, where they can appear on a network, and how to
determine what features you need in a firewall. The simplest form of a firewall
is a packet-filtering firewall, which is a router (or a computer installed with
software that enables it to act as a router) that examines the header of every packet
of data it receives to determine whether that type of packet is authorized to
continue to its destination. If a packet does not meet the filtering criteria,
the firewall prevents the packet from continuing. However, if a packet does
meet filtering criteria, the firewall allows that packet to pass through to the
network connected to the firewall. In fact, nearly all routers can be
configured to act as packet-filtering firewalls. In addition to blocking
traffic on its way into a LAN, packet-filtering firewalls can block traffic attempting
to exit a LAN. One reason for blocking outgoing traffic is to stop worms from spreading.
For example, if you are running a Web server, which in most cases only needs to
respond to incoming requests and does not need to initiate outgoing requests,
you could configure a packet-filtering
firewall to block certain types of outgoing transmissions initiated by the Web
server. In this way, you help prevent spreading worms that are designed to
attach themselves to Web servers and propagate themselves to other computers on
the Internet.
Often,
firewalls ship with a default configuration designed to block the most common
types of security threats. In other words, the firewall may be preconfigured to
accept or deny certain types of traffic. However, many network administrators
choose to customize the firewall settings, for example, blocking additional
ports or adding criteria for the type of traffic that may travel in or out of
ports. Some common criteria a packet-filtering firewall might use to accept or
deny traffic include the following:
·
Source and destination IP addresses
·
Source and destination ports (for example,
ports that supply TCP/UDP connections,
·
FTP, Telnet, ARP, ICMP, and so on)
·
Flags set in the IP header (for example, SYN
or ACK)
·
Transmissions that use the UDP or ICMP
protocols
·
A packet’s status as the first packet in a
new data stream or a subsequent packet
·
A packet’s status as inbound to or outbound
from your private network
Based
on these options, a network administrator could configure his firewall, for
example, to prevent any IP address that does not begin with “196.57,” the
network ID of the addresses on his network, from accessing the network’s router
and servers. Furthermore, he could disable—or block—certain well-known ports,
such as the FTP ports (20 and 21), through the router’s configuration. Blocking
ports prevents any user from connecting to and completing a transmission
through those ports. This technique is useful to further guard against
unauthorized access to the network. In other words, even if a hacker could
spoof an IP address that began with 196.57, he could not access the FTP ports
(which are notoriously insecure) on the firewall. Ports can be blocked not only
on firewalls, but also on routers, servers, or any device that uses ports. For
example, if you established a Web server for testing but did not want anyone in
your organization to connect to your Web pages through his or her browsers, you
could block port 80 on that server. For greater security, you can choose a
firewall that performs more complex functions than simply filtering packets.
Among the factors to consider when making your decision are the following:
·
Does the firewall support encryption? (You
will learn more about encryption later in this chapter.)
·
Does the firewall support user
authentication?
·
Does the firewall allow you to manage it
centrally and through a standard interface?
·
How easily can you establish rules for access
to and from the firewall?
·
Does the firewall support filtering at the
highest layers of the OSI model, not just at the Data Link and Transport
layers? For example, content-filtering firewalls can block designated types of
traffic based on application data contained within packets. A school might
configure its firewall to prevent responses from a Web site with able content
from reaching the client that requested the site.
·
Does the firewall provide logging and
auditing capabilities, such as IDS or IPS?
·
Does the firewall protect the identity of
your internal LAN’s addresses from the outside world?
·
Can the firewall monitor a data stream from
end to end, rather than simply examine each packet individually? If it can view
a data stream, it’s known as a stateful firewall. If not, it’s known as a
stateless firewall. Stateless firewalls perform more quickly than stateful
firewalls, but are not as sophisticated.
You
will recognize examples of firewall placement in most VPN architectures. For
example, you might design a VPN that uses the Internet to connect your Houston
and Denver offices.
To
ensure that only traffic from Houston can access your Denver LAN through an
external connection, you could install a packet-filtering firewall between the
Denver LAN and the Internet. Further, you could configure the firewall to
accept incoming traffic only from IP addresses that match the IP addresses on
your Houston LAN. In a way, the firewall acts like a bouncer at a private club
who checks everyone’s ID and ensures that only club members enter through the
door. In the case of the Houston-Denver VPN, the firewall discards any data
packets that arrive at the Denver firewall and do not contain source IP
addresses that match those of Houston’s LAN. Some devices that provide firewall
services are not called firewalls. For example, a small office or home office
wireless router typically includes packet-filtering options. At the other end
of the spectrum, devices made by Cisco for enterprise-wide security are known
as security appliances and can perform several functions, such as encryption,
load balancing, and IPS, in addition to packet filtering. Examples of software
that enables a computer to act as a packet-filtering firewall include iptables
(for Linux systems), ZoneAlarm, and Comodo Firewall. Some operating systems,
including Windows 7, include firewall software. Because you must tailor a
firewall to your network’s needs, you cannot simply purchase one, install it
between your private LAN and the Internet, and expect it to offer much
security. Instead, you must first consider what type of traffic you want to
filter, and then configure the firewall accordingly. It may take weeks to
achieve the best configuration—not so strict that it prevents authorized users
from transmitting and receiving necessary data, yet not so lenient that you
risk security breaches. Further complicating the matter is that you might need to
create exceptions to the rules. For example, suppose that your human resources
manager is working from a conference center in Salt Lake City while recruiting
new employees and needs to access the Denver server that stores payroll
information. In this instance, the Denver network administrator might create an
exception to allow transmissions from the human resources manager’s
workstation’s IP address to reach that server. In the networking profession, creating
an exception to the filtering rules is called “punching a hole” in the
firewall. Because simple packet-filtering firewalls operate at the Network
layer of the OSI model and examine only network addresses, they cannot
distinguish between a user who is trying to breach the firewall and a user who
is authorized to do so. For example, your organization might host a Web server,
which necessitates accepting requests for port 80 on that server. In this case,
a packet-filtering firewall, because it only examines the packet header, could
not distinguish between a harmless Web browser and a hacker attempting to
manipulate his way through the Web site to gain access to the network. For
higher-layer security, a firewall that can analyze data at higher layers is
required. The next section describes this kind of device.
Proxy Servers
One
approach to enhancing the security of the Network and Transport layers provided
by firewalls is to combine a packet-filtering firewall with a proxy service. A
proxy service is a software application on a network host that acts as an
intermediary between the external and internal networks, screening all incoming
and outgoing traffic. The network host that runs the proxy service is known as
a proxy server. (A proxy server may also be called an Application layer
gateway, an application gateway, or simply, a proxy.) Proxy servers manage security
at the Application layer of the OSI model. To understand how they work, think of
the secure data on a server as the president of a country and the proxy server
as the secretary of state. Rather than have the president risk her safety by
leaving the country, the secretary of state travels abroad, speaks for the
president, and gathers information on the president’s behalf. In fact, foreign
leaders may never actually meet the president. Instead, the secretary of state
acts as her proxy. In a similar way, a proxy server represents a private network
to another network (usually the Internet). Although a proxy server appears to
the outside world as an internal network server, in reality it is merely another
filtering device for the internal LAN.
One
of its most important functions is preventing the outside world from
discovering the addresses of the internal network. For example, suppose your
LAN uses a proxy server, and you want to send an e-mail message from your
workstation to your mother via the Internet. Your message would first go to the
proxy server (depending on the configuration of your network, you might or
might not have to log on separately to the proxy server first). The proxy
server would repackage the data frames that make up the message so that, rather
than your workstation’s IP address being the source, the proxy server inserts
its own IP address as the source. Next, the proxy server passes your repackaged
data to the packet-filtering firewall. The firewall verifies that the source IP
address in your packets is valid (that it came from the proxy server) and then sends
your message to the Internet. Examples of proxy server software include Squid
(for use on UNIX or Linux systems) and Microsoft’s Forefront Threat Management
Gateway, which includes firewall features as well. Figure 11-5 on page 512 depicts
how a proxy server might fit into a WAN design. Proxy servers can also improve
performance for users accessing resources external to their network by caching
files. For example, a proxy server situated between a LAN and an external Web
server can be configured to save recently viewed Web pages. The next time a
user on the LAN wants to view one of the saved Web pages, content is provided
by the proxy server. This eliminates the time required to travel over a WAN and
retrieve the content from the external Web server.
Scanning Tools
Often,
firewall and proxy server features are combined in one device. In other words,
you might purchase a firewall and be able to configure it not only to block
certain types of traffic from entering your network, but also to modify the
addresses in the packets leaving your network. Despite your best efforts to
secure a network with router access lists, IDS/IPS, firewalls, and proxy
servers, you might overlook a critical vulnerability. To ensure that your
security efforts are thorough, it helps to think like a hacker. During a
posture assessment, for example, you might use some of the same methods a
hacker uses to identify cracks in your security architecture. Scanning tools
provide hackers—and you—a simple and reliable way to discover crucial information
about your network, including, but not limited to, the following:
·
Every available host
·
Services, including applications and
versions, running on every host
·
Operating systems running on every host
·
Open, closed, and filtered ports on every
host
·
Existence and type of firewalls
·
Software configurations
·
Unencrypted, sensitive data
For
example, a popular scanning tool called NMAP (Network Mapper) is designed to
scan large networks quickly and provide information about a network and its
hosts. NMAP, which runs on virtually any modern operating system, is available
for download at no cost at www.nmap.org. NMAP began as a simple port scanning
tool, but developers expanded its capabilities to include gathering information
about hosts and their software. When running NMAP, you can choose what type of
information to discover, thereby customizing your scan results. Another tool,
Nessus, from Tenable Security, performs even more sophisticated scans than NMAP.
For example, among other things, Nessus can identify unencrypted, sensitive
data, such as credit card numbers, saved on your network’s hosts. The program
can be purchased to run on your network or to run on off-site servers
continuously maintained and updated by the developer. Because of its
comprehensive nature and its use for revealing security flaws that must be
addressed, Nessus and utilities like it are known as penetration-testing tools.
Another
penetration-testing tool, metasploit, combines known scanning techniques and exploits
to result in potentially new hybrids of exploits. Used intentionally on your
own network, scanning tools improve security by pointing out insecure ports,
software that must be patched, permissions that should be restricted, and so on.
They can also contribute valuable data to asset management and audit reports.
Used by hackers—or, more likely, bots—these tools can lead to compromised
security. In other words, each of these tools has legitimate uses as well as
illegal uses. However, even if the scanning tools are used against you, you can
learn from them. For example, a properly configured firewall will collect
information about scanning attempts in its log. By reviewing the log, you will
discover what kinds of exploits might be—or have been—attempted against your
network. Another way to learn about hackers is to lure them to your network on
purpose, as described next.
Lures
Staying
a step ahead of hackers and constantly evolving exploits requires vigilance.
Those who want to learn more about hacking techniques or nab a hacker in the
act might create a honeypot, or a decoy system that is purposely vulnerable. To
make it attractive to hackers, the system might be given an enticing name, such
as one that indicates its role as a name server or a storage location for
confidential data. Once hackers access the honeypot, a network administrator
can use monitoring software and logs to track the intruder’s moves. In this
way, the network administrator might learn about new vulnerabilities that must
be addressed on his real networked hosts. To fool hackers and gain useful
information, honeypots cannot appear too blatantly insecure, and tracking
mechanisms must be hidden. In addition, a honeypot must be isolated from secure
systems to prevent a savvy hacker from using it as an intermediate host for
other attacks. In more elaborate setups, several honeypots might be connected
to form a honeynet. Decoy systems can provide unique information about hacking
behavior. But in practice, security researchers or those merely curious about
hacking trends are more likely than overworked network administrators to
establish and monitor honeypots and honeynets.
NOS (Network Operating System) Security
Regardless
of whether you run your network on a Microsoft, Macintosh, Linux, or UNIX
NOS,
you can implement basic security by restricting what users are authorized to do
on a network. Every network administrator should understand which resources on
the server all users need to access. The rights conferred to all users are
called public rights because anyone can have them and exercising them presents
no security threat to the network. In most cases, public rights are very
limited. They may include privileges to view and execute programs from the
server and to read, create, modify, delete, and execute files in a shared data
directory. In addition, network administrators need to group users according to
their security levels and assign additional rights that meet the needs of those
groups. Creating groups simplifies the process of granting rights to users. For
example, if you work in the IT Department at a large college, you will most
likely need more than one person to create new user IDs and passwords for
students and faculty. Naturally, the staff in charge of creating new user IDs
and passwords need the rights to perform this task. You could assign the
appropriate rights to each staff member individually, but a more efficient
approach is to put all of the personnel in a group, and then assign the
appropriate rights to the group as a whole.
Logon Restrictions
In
addition to restricting users’ access to files and directories on the server, a
network administrator can constrain the ways in which users can access the
server and its resources. The following is a list of additional restrictions
that network administrators can use to strengthen the security of their
networks:
Time of
day—Some user accounts may be valid only during
specific hours—for example, between 8:00 a.m. and 5:00 p.m. Specifying valid
hours for an account can increase security by preventing any account from being
used by unauthorized personnel after hours.
Total
time logged on—Some user accounts may be restricted to a
specific number of hours per day of logged-on time. Restricting total hours in
this way can increase security in the case of temporary user accounts. For
example, suppose that your organization offers an Adobe Photoshop training
class to a group of high school students one afternoon, and the Photoshop
program and training files reside on your staff server. You might create
accounts that could log on for only four hours on that day.
Source
address—You can specify that user accounts may log on
only from certain workstations or certain areas of the network (that is,
domains or segments). This restriction can prevent unauthorized use of
usernames from workstations outside the network.
Unsuccessful
logon attempts—Hackers might repeatedly attempt to log on
under a valid username for which they do not know the password. As the network administrator,
you can set a limit on how many consecutive unsuccessful logon attempts from a
single user ID the server will accept before blocking that ID from even
attempting to log on. Another security technique that can be enforced by a
network administrator through the NOS is the selection of secure passwords. The
following section discusses the importance and characteristics of choosing a
secure password.
Passwords
Choosing
a secure password is one of the easiest and least expensive ways to guard
against unauthorized access. Unfortunately, too many people prefer to use an
easy-to-remember password. If your password is obvious to you, however, it may
also be easy for a hacker to figure out. The following guidelines for selecting
passwords should be part of your organization’s security policy. It is
especially important for network administrators to choose difficult passwords,
and also to keep passwords confidential and to change them frequently. Tips for
making and keeping passwords secure include the following:
·
Always change system default passwords after
installing new programs or equipment. For example, after installing a router,
the default administrator’s password on the router might be set by the
manufacturer to be “password”.
·
Do not use familiar information, such as your
name, nickname, birth date, anniversary, pet’s name, child’s name, spouse’s
name, user ID, phone number, address, or any other words or numbers that others
might associate with you.
·
Do not use any word that might appear in a
dictionary. Hackers can use programs that try a combination of your user ID and
every word in a dictionary to gain access to the network. This is known as a
dictionary attack, and it is typically the first technique a hacker uses when
trying to guess a password (besides asking the user for her password).
·
Make the password longer than eight
characters—the longer, the better. Choose a combination of letters and numbers;
add special characters, such as exclamation marks or hyphens, if allowed. Use a
combination of uppercase and lowercase letters.
·
Do not write down your password or share it
with others.
·
Change your password at least every 60 days,
or more frequently. If you are a network administrator, establish controls
through the NOS to force users to change their passwords at least every 60
days.
·
Do not reuse passwords after they have
expired.
·
Use different passwords for different
applications. For example, choose separate passwords for your e-mail program,
online banking, VPN connection, and so on. That way, if someone learns one of
your passwords, he won’t necessarily be able to access all of your secured
accounts.
Password
guidelines should be clearly communicated to everyone in your organization through
your security policy. Although users might grumble about choosing a combination
of letters and numbers and changing their passwords frequently, you can assure
them that the company’s financial and personnel data is safer as a result.
Encryption
Encryption
is the use of an algorithm to scramble data into a format that can be read only
by reversing the algorithm—that is, by decrypting the data. The purpose of
encryption is to keep information private. Many forms of encryption exist, with
some being more secure than others. Even as new forms of encryption are
developed, new ways of cracking their codes emerge, too. Encryption is the last
means of defense against data theft. In other words, if an intruder has bypassed
all other methods of access, including physical security (for instance, he has
broken into the data center) and network design security (for instance, he has
defied a firewall’s packet-filtering techniques), data may still be safe if it
is encrypted. Encryption can protect data stored on a medium, such as a hard
disk, or in transit over a communications channel. To protect data, encryption
provides the following assurances:
·
Data was not modified after the sender
transmitted it and before the receiver picked it up.
·
Data can only be viewed by its intended
recipient or at its intended destination.
·
All of the data received at the intended
destination was truly issued by the stated sender and not forged by an
intruder.
The
following sections describe data encryption techniques used to protect data
stored on or traveling across networks.
Key Encryption
The
most popular kind of encryption algorithm weaves a key, or a random string of
characters, into the original data’s bits—sometimes several times in different
sequences—to generate a unique data block. The scrambled data block is known as
ciphertext. The longer the key, the less easily the ciphertext can be decrypted
by an unauthorized system. For example, a 128-bit key allows for 2 possible
character combinations, whereas a 16-bit key allows for 2 possible character
combinations. Hackers may attempt to crack, or discover, a key by using a brute
force attack, which means simply trying numerous possible character
combinations to find the key that will decrypt encrypted data. Typically, a
hacker runs a program to carry out the attack. Through a brute force attack, a
hacker could discover a 16-bit key quickly and without using sophisticated
computers, but would have difficulty discovering a 128-bit key.
Adding 1 bit to an encryption key makes it twice
(21 times) as hard to crack. For example, a 129-bit key would be
twice as hard to crack as a 128-bit key. Similarly, a 130-bit key would be four
(22) times harder to crack as a 128-bit key.
The
process of key encryption is similar to what happens when you finish a card
game, place your five-card hand into the deck, and then shuffle the deck
numerous times. After shuffling, it might take you a while to retrieve your
hand. If you shuffled your five cards into four decks of cards at once, it
would be even more difficult to find your original hand. In encryption,
theoretically only the user or program authorized to retrieve the data knows
how to unshuffle the ciphertext and compile the data in its original sequence.
Figure 11-6 on page 517 provides a simplified view of key encryption and
decryption. Note that actual key encryption does not simply weave a key into
the data once, but rather inserts the key, shuffles the data, shuffles the key,
inserts another copy of the shuffled key into the shuffled data, shuffles the
data again, and so on for several iterations. Keys are randomly generated, as
needed, by the software that manages the encryption. For example, an e-mail
program or a Web browser program may be capable of generating its own keys to
encrypt data. In other cases, special encryption software is used to generate keys.
This encryption software works with other types of software, such as
word-processing or spreadsheet programs, to encrypt data files before they are
saved or transmitted. Key encryption can be separated into two categories:
private key and public key encryption.
Private Key Encryption
In
private key encryption, data is encrypted using a single key that only the
sender and the receiver know. Private key encryption is also known as symmetric
encryption because the same key is used during both the encryption and
decryption of the data. Suppose Leon wants to send a secret message to Mia via
private encryption. Assume he has chosen a private key. Next, he must share his
private key with Mia, as shown in Step 1 of Figure 11-7 on page 518. Then, Leon
runs a program that encrypts his message by combining it with his private key,
as shown in Step 2. Next, Leon sends Mia the encrypted message, as shown in Step
3. After Mia receives Leon’s encrypted message, she runs a program that uses
Leon’s private key to decrypt the message, as shown in Step 4. The result is
that Mia can read the original message Leon wrote. The most popular private, or
symmetric, key encryption is based on DES (pronounced dez), which stands for
Data Encryption Standard. DES, which uses a 56-bit key, was developed by IBM in
the 1970s. When DES was released, a 56-bit key was secure; however, now such a
key could be cracked within days, given sufficient computer power. For greater
security, the modern implementation of DES weaves a 56-bit key through data three
times, using two or three different keys. This implementation is known as
Triple DES (3DES). A more recent private key encryption standard is the AES
(Advanced Encryption Standard), which weaves keys of 128, 160, 192, or 256 bits
through data multiple times. The algorithm used in the most popular form of AES
is known as Rijndael, after its two Belgian inventors, Dr. Vincent Rijmen and
Dr. Joan Daemen. AES is considered more secure than DES and much faster than
Triple DES. AES has replaced DES in situations such as military communications,
which must have the highest level of security. A potential problem with private
key encryption is that the sender must somehow share his key with the
recipient. For example, Leon could call Mia and tell her his key, or he could send
it to her in an e-mail message. But neither of these methods is very secure. To
overcome this vulnerability, a method of associating publicly available keys
with private keys was developed. This method is called public key encryption.
Public Key Encryption
In
public key encryption, data is encrypted using two keys: One is a key known
only to a user (that is, a private key), and the other is a public key
associated with the user. A user’s public key can be obtained the old-fashioned
way—by asking that user—or it can be obtained from a third-party source, such
as a public key server. A public key server is a publicly accessible host (such
as a server on the Internet) that freely provides a list of users’ public keys,
much as a telephone book provides a list of peoples’ phone numbers. Figure 11-8
on page 519, illustrates the process of public key encryption.
For
example, suppose that Mia wants to use public key encryption to send Leon a
message via the Internet. Assume Leon already established a private and a
public key, as shown in Step 1 of Figure 11-8. He stores his public key on a
key server on the Internet, as shown in Step 2, and keeps his private key to
himself. Before Mia can send Leon a message, she must know his public key. Leon
tells Mia where she can find his public key, as shown in Step 3. Next, Mia
writes Leon a message, retrieves his public key from the public key server, and
then uses her encryption software to scramble her message with Leon’s public
key, as shown in Step 4. Mia sends her encrypted message to Leon over the
Internet, as shown in Step 5. When Leon receives the message, his software recognizes
that the message has been encrypted with his public key. In other words, the
public key has an association with the private key. A message that has been encrypted
with Leon’s public key can only be decrypted with his private key. The program
then prompts Leon for his private key to decrypt the message, as shown in Step
6. To respond to Mia in a publicly encrypted message, Leon must obtain Mia’s
public key. Then, the steps illustrated in Figure 11-8 are repeated, with Leon
and Mia’s roles reversed. The combination of a public key and a private key is
known as a key pair. In the private key encryption example discussed
previously, Leon has a key pair, but only he knows his private key, whereas the
public key is available to people, like Mia, who want to send him encrypted
messages. Because public key encryption requires the use of two different keys,
it is also known as asymmetric encryption. Due to their semipublic nature,
public keys are more vulnerable than private keys, and, therefore, public key
algorithms generally use longer keys. The first public, or asymmetric, key
algorithm, called Diffie-Hellman, was released in 1975 by its creators,
Whitfield Diffie and Martin Hellman. However, the most popular public key
algorithm in use today is RSA (named after its creators, Ronald Rivest, Adi
Shamir, and Leonard Adleman), which was made public in 1977. In RSA, a key is
created by first choosing two large prime numbers (numbers that cannot be
divided evenly by anything but 1 or themselves) and multiplying them together.
RSA is routinely used to secure e-commerce transactions. RSA may be used in
conjunction with RC4, a key encryption technique that weaves a key with data
multiple times, as a computer issues the stream of data. RC4 keys can be as
long as 2048 bits. In addition to being highly secure, RC4 is fast. With the
abundance of private and public keys, not to mention the number of places where
each may be kept, users need easier key management. One answer to this problem
is using digital certificates. A digital certificate is a password-protected
and encrypted file that holds an individual’s identification information,
including a public key. In the context of digital certificates, the
individual’s public key verifies the sender’s digital signature. An
organization that issues and maintains digital certificates is known as a CA
(certificate authority). For example, on the Internet, certificate authorities
such as VeriSign will, for a fee, keep your digital certificate on their server
and ensure to all who want to send encrypted messages to you (for example, an
order via your e-commerce site) that the certificate is indeed yours. The use
of certificate authorities to associate public keys with certain users is known
as PKI (Public-key Infrastructure). The following sections detail specific
methods of encrypting data as it is transmitted over a network. These methods
use one or more of the encryption algorithms discussed in this section.
PGP (Pretty Good Privacy)
You
have probably exchanged e-mail messages over the Internet without much concern
for what happens with your message between the time you send it and when your
intended recipient picks it up. In addition, you have probably read e-mails
from friends without thinking that they might not be from your friends, but
rather from other users who are impersonating your friends over the Internet.
In fact, some e-mail communication is highly insecure.
Depending
on the mail server and client, messages may be sent in clear (that is, unencrypted)
text, which makes it readable by anyone who can capture the message on its way
from you to your recipient. In addition, a person with malicious intentions can
easily pretend he is someone else. For example, if your e-mail address is
joe@example.com, someone else could assume your address and send messages that
appear to be sent by joe@example.com. To secure e-mail transmissions, a
computer scientist named Phil Zimmerman developed PGP in the early 1990s. PGP
(Pretty Good Privacy) is a public key encryption system that can verify the
authenticity of an e-mail sender and encrypt e-mail data in transmission. PGP,
which is now administered at MIT, is freely available as both an open source and
a proprietary software package. Since its release, it has become the most popular
tool for encrypting e-mail. However, PGP can also be used to encrypt data on
storage devices (for example, a hard disk) or with applications other than
e-mail (for example, IP telephony).
SSL (Secure Sockets Layer)
SSL
(Secure Sockets Layer) is a method of encrypting TCP/IP transmissions—including
Web pages and data entered into Web forms—en route between the client and
server using public key encryption technology. If you trade stocks or purchase
goods on the Web, for example, you are most likely using SSL to transmit your
order information. SSL is popular and used widely. The most recent versions of
Web browsers, such as Google Chrome and Firefox, include SSL client support in
their software. You have probably noticed that URLs for most Web pages begin
with the HTTP prefix, which indicates that the request is handled by TCP/IP
port 80 using the HTTP protocol. When Web page URLs begin with the prefix HTTPS
(which stands for HTTP over Secure Sockets Layer or HTTP Secure), they require
that their data be transferred from server to client and vice versa using SSL
encryption. HTTPS uses the TCP port number 443, rather than port 80. Each time
a client and server establish an SSL connection, they also establish a unique
SSL session, or an association between the client and server that is defined by
an agreement on a specific set of encryption techniques. An SSL session allows
the client and server to continue to exchange data securely as long as the
client is still connected to the server. An SSL session is created by the SSL
handshake protocol, one of several protocols within SSL, and perhaps the most
significant. As its name implies, the handshake protocol allows the client and
server to introduce each other and establishes terms for how they will securely
exchange data. For example, when you are connected to the Web and you decide to
open your bank’s account access URL, your browser initiates an SSL connection
with the handshake protocol. The handshake protocol sends a special message to
the server, called a client_hello message, which contains information about
what level of security your browser is capable of accepting and what type of
encryption your browser can decipher (for example, RSA or Diffie-Hellman). The
client_hello message also establishes a randomly generated number that uniquely
identifies your client and another number that identifies your SSL session. The
server responds with a server_hello message that confirms the information it
received from your client and agrees to certain terms of encryption based on
the options your client supplied. Depending on the Web server’s preferred encryption
method, the server may choose to issue your browser a public key or a digital certificate
at this time. After the client and server have agreed on the terms of
encryption, they begin exchanging data. SSL was originally developed by
Netscape. Since that time, the IETF has attempted to standardize SSL in a
protocol called TLS (Transport Layer Security). TLS, which is supported by
modern Web browsers, uses slightly different encryption algorithms than SSL,
but otherwise is very similar to the most recent version of SSL.
SSH (Secure Shell)
Earlier
in this book, you learned about Telnet, the TCP/IP utility that provides remote
connections to hosts. For example, if you were a network administrator working
at one of your company’s satellite offices and had to modify the configuration
on a router at the home office, you could telnet to the router and run commands
to modify its configuration. However, Telnet provides little security for
establishing a connection (authenticating) and no security for transmitting
data (encryption). SSH (Secure Shell) is a collection of protocols that does
both. With SSH, you can securely log on to a host, execute commands on that
host, and copy files to or from that host. SSH encrypts data exchanged throughout
the session. It guards against a number of security threats, including
unauthorized access to a host, IP spoofing, interception of data in transit
(even if it must be transferred via intermediate hosts), and DNS spoofing, in
which a hacker forges name server records to falsify his host’s identity.
Depending on the version, SSH may use DES, Triple DES, RSA, Kerberos, or another,
less-common encryption algorithm or method. SSH was developed by SSH
Communications Security, and use of their SSH implementation requires paying
for a license. However, open source versions of the protocol suite, such as
OpenSSH, are available for most computer platforms. To form a secure connection,
SSH must be running on both the client and server. Like Telnet, the SSH client
is a utility that can be run at the shell prompt on a UNIX or Linux system or
at the command prompt on a Windows-based system. Other versions of the program
come with a graphical interface. The SSH suite of protocols is included with
all modern UNIX and Linux distributions and with Mac OS X Server and Mac OS X
client operating systems. For Windows-based computers, you need to download a
freeware SSH client, such as PuTTY. Before you can establish a secure SSH
connection, you must first generate a public key and a private key on your
client workstation by running the ssh keygen command (or by choosing the
correct menu options in a graphical SSH program). The keys are saved in two
different, encrypted files on your hard disk. Next, you must transfer the public
key to an authorization file on the host to which you want to connect. Finally,
you are ready to connect to the host via SSH. On a computer running UNIX or
Linux, this is accomplished by running the slogin -1 username hostname command,
where username is your client username and hostname is the name of the host to
which you are trying to connect. The client and host then exchange public keys,
and if both can be authenticated, the connection is completed. On a Windows-based
computer, follow the menu options in the SSH client application. SSH is highly
configurable. For example, it can be configured to use one of several types of encryption
for data en route between the client and host. It can be configured to require that
the client enter a password in addition to a key. It can also be configured to
perform port forwarding, which means it can redirect traffic that would
normally use an insecure port (such as FTP) to an SSH-secured port. This allows
you to use SSH for more than simply logging on to a host and manipulating
files. With port forwarding, you could, for example, exchange HTTP traffic with
a Web server via a secured SSH connection.
SCP (Secure CoPy) and SFTP (Secure
File Transfer Protocol)
An
extension to OpenSSH is the SCP (Secure CoPy) utility, which allows you to copy
files from one host to another securely. SCP replaces insecure file copy
protocols such as FTP, which do not encrypt usernames, passwords, or data while
transferring them. Most modern OpenSSH packages, such as those supplied with the
UNIX, Linux, and Macintosh OS X (client and server version) operating systems,
include the SCP utility. Not all freeware SSH programs available for Windows
include SCP, but separate, freeware SCP applications, such as WinSCP, exist. SCP
is simple to use. At the shell prompt of a UNIX or Linux system, type scp
filenamel filename2, where filename1 is the name of the file on the source host
and filename2 is the name of the file on the target host.
Suppose
you are copying a file from a server to your client workstation. In that case,
you also need to include your username on the server and the server’s host name
in the command, as follows: scp userid@hostname: filename1 filename2. In this
command, userid is your username on the server; hostname is the server’s fully
qualified host name, filename1 is the name of the file on the server, and
filename2 is what you want to call the file on your client workstation. On a
Windows-based system, follow the menu options in your SSH or SCP client for
copying files with SCP. If your system uses the proprietary version of SSH,
available from SSH Communications Security, you need to use SFTP (Secure File
Transfer Protocol) to copy files rather than SCP. SFTP is slightly different
from SCP, in that it does more than copy files. Like FTP, SFTP first
establishes a connection with a host and then allows a remote user to browse directories,
list files, and copy files. To open an SFTP connection from a UNIX or Linux
system, type sftp hostname at a shell prompt, where hostname is the fully
qualified host name of the computer to which you want to connect. To copy a
file, type get filename1 filename2 , where filename1 is the name of the file on
the source computer and filename2 is what you want to call the file on the
target computer. To close the SFTP connection, type quit and then press Enter.
On a Windows-based system, follow the menu options in the SSH or SFTP client
for copying files with SFTP. The following section describes another technique
for encrypting data in transit on a network.
IPSec (Internet Protocol Security)
IPSec
(Internet Protocol Security) protocol defines encryption, authentication, and
key management for TCP/IP transmissions. It is an enhancement to IPv4 and is
native to IPv6. IPSec is somewhat different from other methods of securing data
in transit. Rather than apply encryption to a stream of data, IPSec actually
encrypts data by adding security information to the header of all IP packets.
In effect, IPSec transforms the data packets. To do so, IPSec operates at the
Network layer of the OSI model. IPSec accomplishes authentication in two
phases. The first phase is key management, and the second phase is encryption.
Key management refers to the way in which two nodes agree on common parameters
for the keys they will use. IPSec relies on IKE (Internet Key Exchange) to
negotiate and authenticate keys. A separate service, ISAKMP (Internet Security Association
and Key Management Protocol), establishes policies for verifying the identity and
the encryption methods that nodes will use for data transmission. After IKE has
managed the shared keys and ISAKMP policies have ensured that both parties
agree on the methods of secure transmission, IPSec invokes its second phase,
encryption. In this phase, two types of encryption may be used: AH (authentication
header) or ESP (Encapsulating Security Payload). Both types of encryption provide
authentication of the IP packet’s data payload through public key techniques.
In addition, ESP encrypts the entire IP packet for added security. IPSec can be
used with any type of TCP/IP transmission. However, it most commonly runs on
routers or other connectivity devices in the context of VPNs. As you learned in
Chapter 10, VPNs are used to transmit private data over public networks.
Therefore, they require strict encryption and authentication to ensure that
data is not compromised. On networks where more than a few simultaneous VPN
connections must be maintained, a specialized device known as a VPN
concentrator can be positioned at the edge of the private network to establish
VPN connections, as shown in Figure 11-9. VPN concentrators authenticate VPN
clients and establish tunnels for VPN connections. Their support of specific
tunneling protocols, authentication mechanisms, and encryption algorithms vary
from one manufacturer and model to another. Some support only IPSec or SSL, while
others support both, for example. Some also provide enhanced features such as packet
filtering. VPN concentrators are one type of encryption device.
Encryption
devices are computers, or, more often, specialized adapters within other
devices, such as routers and servers, that perform encryption. Encryption
devices encrypt and decrypt data faster than software running on other
machines. As a result, they accelerate secure data transmission.
Authentication Protocols
You
have learned that authentication is the process of verifying a user’s
credentials (typically a username and password) to grant the user access to
secured resources on a system or network. Authentication protocols are the
rules that computers follow to accomplish authentication. Several types of
authentication protocols exist. They vary according to which encryption schemes
they rely on and the steps they take to verify credentials. The following sections
describe some common authentication protocols in more detail.
RADIUS and TACACS+
In
environments that support many simultaneous connections and several user IDs
and passwords, it makes sense to use a centralized service to manage access to
resources. This section describes a category of protocols known as AAA
(authentication, authorization, and accounting) that provides that service. AAA
protocols first establish a client’s identity by prompting a user for a
username and password. Next, the protocols examine those credentials and based
on their validity, allow or deny access to a system or network. Finally, AAA protocols
track the client’s system or network usage. By far, the most popular AAA
service is RADIUS (Remote Authentication Dial-In User Service). RADIUS is a
service defined by the IETF that runs over UDP and provides centralized network
authentication, authorization, and accounting for multiple users. RADIUS can operate
as a software application on a remote access server or on a computer dedicated
to this type of authentication, called a RADIUS server. Because RADIUS servers
are highly scalable, many Internet service providers use a RADIUS server as a
central authentication point for mobile or remote users. RADIUS may also be
used to authenticate connections between wireless clients and access points or
on cellular networks. Finally, they may operate in conjunction with other
network servers. For example, an organization might combine a DHCP server with
a RADIUS server to manage allocation of addresses and privileges assigned to
each address on the network. Figure 11-10 illustrates a RADIUS server used for
remote access. RADIUS can run on UNIX, Linux, Windows, or Macintosh networks. Another
AAA protocol, TACACS+ (Terminal Access Controller Access Control System Plus) offers
network administrators the option of separating the access, authentication, and
auditing capabilities. For instance, TACACS+ might provide access and
accounting functions, but use another technique, such as Kerberos (discussed later
in this chapter), to authenticate users. TACACS+ also differs from RADIUS in
that it relies on TCP, not UDP, at the Network layer. TACACS+ is a proprietary
protocol developed by Cisco Systems, Inc., and is typically installed on a
router, rather than on a separate server. Each of the protocols described in
the following sections may play a role in the authentication step of AAA.
PAP (Password Authentication Protocol)
In
Chapter 10’s discussion of remote access protocols, you were introduced to PPP
(Point-to-Point Protocol), which belongs to the Data Link layer of the OSI
model and provides the foundation for connections between remote clients and
hosts. PPP alone, however, does not secure connections. For this, it requires
an authentication protocol. In fact, several types of authentication protocols
can work over PPP. One is PAP (Password Authentication Protocol).
After
establishing a link with a server through PPP, a client uses PAP to send an
authentication request that includes its credentials—usually a username and
password. The server compares the credentials to those in its user database. If
the credentials match, the server responds to the client with an acknowledgment
of authentication and grants the client access to secured resources. If the credentials
do not match, the server denies the request to authenticate. Figure 11-11
illustrates PAP’s two- step authentication process. Thus, PAP is a
simple authentication protocol, but it is not very secure. It sends the
client’s credentials in clear text, without encryption, and this opens the way
for eavesdroppers to capture a username and password. In addition, PAP does not
protect against the possibility of a malicious intruder attempting to guess a
user’s password through a brute force attack. For these reasons, PAP is rarely
used on modern networks. Instead, more sophisticated protocols, such as those
described in the following sections, are preferred.
CHAP and MS-CHAP
CHAP
(Challenge Handshake Authentication Protocol) is another authentication protocol
that operates over PPP. Unlike PAP, CHAP encrypts usernames and passwords for
transmission. It also differs from PAP in that it requires three steps to
complete the authentication process. Together, these steps are known as a
three-way handshake. In CHAP, the authenticating device (for example, a remote
access server) takes the first step in authentication after PPP establishes a
connection between it and the computer requesting authentication (for example,
a remote client). The server sends the client a randomly generated string of
characters called the challenge. In the second step, the client adds its
password to the challenge and encrypts the new string of characters. It sends
this new string of characters in a response to the server. Meanwhile, the
server also concatenates the user’s password with the challenge and encrypts
the new character string, using the same encryption scheme the client used. In
the third step of the three-way handshake, the server compares the encrypted
string of characters it received from the client with the encrypted string of
characters it has generated. If the two match, it authenticates the client. But
if the two differ, it rejects the client’s request for authentication. Figure
11-12 illustrates the three-way handshake used in CHAP. The benefit of CHAP
over PAP is that in CHAP, a password is never transmitted alone, and never as
clear text. This same type of security is offered in MS-CHAP (Microsoft Challenge
Handshake Authentication Protocol), a similar authentication protocol from Microsoft
used with Windows-based computers. One potential flaw in CHAP and MSCHAP authentication
is that someone eavesdropping on the network could capture the string of
characters that is encrypted with the password, decrypt that string, and obtain
the client’s password. To address this, Microsoft released MS-CHAPv2 (Microsoft
Challenge Handshake Authentication Protocol, version 2), which uses stronger
encryption, does not use the same encryption strings for transmission and
reception, and requires mutual authentication. In mutual authentication, both computers
verify the credentials of the other—for example, the client authenticates the
server just as the server authenticates the client. This is more secure than
requiring only one of the communicating computers to authenticate the other. MS-CHAPv2
is available for use with VPN and dial-up connections in the Windows client and
network operating systems. Windows XP, Vista, and 7 clients support the use of
PAP, CHAP, or MS-CHAPv2 when making dial-up connections. An authentication
protocol that is more secure than CHAP or MS-CHAP and is supported by multiple
operating systems is EAP, discussed next.
EAP (Extensible Authentication
Protocol)
EAP (Extensible Authentication Protocol) is another extension
to the PPP protocol suite. It differs from the authentication protocols
discussed previously in that it is only a mechanism for authenticating clients
and servers; it does not perform encryption or authentication on its own.
Instead, it works with other encryption and
authentication schemes to verify the credentials of clients and servers. Like
CHAP, EAP requires the authenticator (for example, the server) to initiate the
authentication process by asking the connected computer (for example, the
client) to verify itself. In EAP, the server usually sends more than one
request. In its first request, it asks the client’s identity and indicates what
type of authentication to use. In subsequent requests, it asks the client for
authentication information to prove the client’s identity. The client responds
to each of the servers’ requests in the required format. If the responses match
what the server expects, the server authenticates the client. One of EAP’s
advantages is its flexibility. It is supported by nearly all modern operating
systems and can be used with any authentication method. For example, although
the typical network authentication involves a user ID and password, EAP also
works with biorecognition methods, such as retina or hand scanning. EAP is also
adaptable to new technology. Therefore, no matter what future wireless
encryption schemes are developed, EAP will support them. In the case of
wireless LANs, EAP is used with older encryption and authentication protocols to
form a new, more secure method of connecting to networks from wireless
stations. A distinct implementation of EAP, described next, forms the basis of
one of the most secure wireless authentication techniques.
802.1x (EAPoL)
The
802.1x standard, codified by IEEE, specifies the use of one of many
authentication methods, plus EAP, to grant access to and dynamically generate
and update authentication keys for transmissions to a particular port. Although
it’s primarily used with wireless networks now, it was originally designed for
wired LANs; thus, it’s also known as EAPoL (EAP over LAN). 802.1x only defines
a process for authentication. It does not specify the type of authentication or
encryption protocols clients and servers must use. However, 802.1x is commonly used
with RADIUS authentication. As you might expect, for nodes to communicate using
802.1x, they must agree on the same authentication method. What distinguishes
802.1x from other authentication standards is the fact that it applies to communication
with a particular port—for example, a physical switch port or a logically defined
port on an access point. When a client wants to access the network, a port on
the authenticator (such as a switch or access point) challenges the client to
prove its identity.
If
the client is running the proper 802.1x software, the client will supply the
authenticator with its credentials. The authenticator next passes on the
client’s credentials to an authentication server—for example, a RADIUS server.
Only after the authentication server has verified a client’s legitimacy will
the switch or access point port be opened to the client’s Layer 3 traffic. For
this reason, 802.1x is sometimes also called port authentication, or port-based
authentication. After the port is opened, the client and network communicate
using EAP and an agreed upon encryption scheme. Figure 11-13 illustrates the
process followed by 802.1x when used with a WLAN (wireless LAN). You’ll learn
more about wireless network security techniques later in this chapter.
Kerberos
Kerberos
is a cross-platform authentication protocol that uses key encryption to verify
the identity of clients and to securely exchange information after a client
logs on to a system. It is an example of a private key encryption service.
Kerberos provides significant security advantages over simple NOS
authentication. Whereas an NOS client/server logon process assumes that clients
are who they say they are and only verifies a user’s name against the password
in the NOS database, Kerberos does not automatically trust clients. Instead, it
requires clients to prove their identities through a third party. This is
similar to what happens when you apply for a passport. The government does not
simply believe that you are “Leah Torres,” but instead requires you to present
proof, such as your birth certificate. In addition to checking the validity of
a client,
Kerberos
communications are encrypted and unlikely to be deciphered by any device on the
network other than the client. Contrast this type of transmission to the
normally unencrypted and vulnerable communication between an NOS and a client. To
understand specifically how a client uses Kerberos, you need to understand some
of the terms used when discussing this protocol. In Kerberos terminology, the
server that issues keys to clients during initial client authentication is
known as the KDC (Key Distribution Center). To authenticate a client, the KDC
runs an AS (authentication service). An AS issues a ticket, which is a
temporary set of credentials that a client uses to prove that its identity has been
validated (note that a ticket is not the same as a key, which is used to
initially validate its identity). A Kerberos client, or user, is known as a
principal. Now that you have learned the terms used by Kerberos, you can follow
the process it requires for client/server communication. Bear in mind that the
purpose of Kerberos is to connect a valid user with the service that user wants
to access. To accomplish this, both the user and the service must register
their keys with the authentication service. Suppose the principal is Jamal
Sayad and the service is called “inventory.” Jamal first logs on to his network
as usual. Next, he attempts to log on to the “inventory” service with his
Kerberos principal name and password. The KDC confirms that Jamal Sayad is in
its database and that he has provided the correct password. Then the AS running
on the KDC randomly generates two copies of a new key, called the session key.
The AS issues one copy to Jamal’s computer and the other copy to the inventory
service. Further, it creates a ticket that allows Jamal to use the inventory
service. This ticket contains the inventory service key and can only be
decrypted using Jamal Sayad’s key. The AS sends the ticket to Jamal Sayad.
Jamal’s computer decrypts the session key with Jamal’s personal key. It then
creates a time stamp associated with his request, and encrypts this time stamp
with the session key. The encrypted time stamp is known as the authenticator.
This time stamp helps the service verify that the ticket is indeed associated
with Jamal Sayad’s request to use the inventory service. Next, Jamal’s computer
sends his ticket and authenticator to the service. The service decrypts the
ticket using its own key and decrypts the authenticator using its session key.
Finally, the service verifies that the principal requesting its use is truly
Jamal Sayad as the KDC indicated. The preceding events illustrate the original
version of the Kerberos authentication process. The problem with the original
version was that a user had to request a separate ticket each time he wanted to
use a different service. To alleviate this inconvenience, Kerberos developers created
the TGS (Ticket-Granting Service), an application separate from the AS that
also runs on the KDC. So that the client does not need to request a new ticket
from the TGS each time it wants to use a different service on the network, the
TGS issues the client a TGT (Ticket-Granting Ticket). After receiving the TGT,
anytime the user wants to contact a service, he requests a ticket not from the
AS, but from the TGS. Furthermore, the reply is encrypted not with the user’s
personal key, but with the session key that the AS provided for use with the
TGS. Inside that reply is the new session key for use with the regular service.
The rest of the exchange continues as described previously. Kerberos, which is
named after the three-headed dog in Greek mythology who guarded the gates of
Hades, was designed at MIT (Massachusetts Institute of Technology). MIT still
provides free copies of the Kerberos code. In addition, many software vendors
have developed their own versions of Kerberos. Kerberos is an example of single
sign-on, a form of authentication in which a client signs on one time to access
multiple systems or resources. The primary advantage of single sign-on is convenience.
Users don’t have to remember several passwords, and network administrators limit
the time they devote to password management. The biggest disadvantage to single
sign-on is that once the obstacle of authentication is cleared, the user has
access to numerous resources. A hacker needs fewer credentials to gain access
to potentially many files or connections. For greater security, some systems
require clients to supply two or more pieces of information to verify their
identity. For example, in a two-factor authentication scenario, a user might
have to pass a fingerprint scan as well as provide his password.
In
general, an authentication process that requires two or more pieces of
information is known as multifactor authentication. For example, multifactor
authentication might require a password, fingerprint scan, plus a piece of
information generated from a security token. A security token is a device or
piece of software that stores or generates information, such as a series of
numbers or letters, known only to its authorized user. One example of a
hardware-based token is the popular SecurID key chain fob from RSA Security, as
shown in Figure 11-14. The SecurID device generates a password that changes
every 60 seconds. When logging in, a user provides the number that currently
appears on the SecurID fob. Before he is allowed access to secured resources,
his network checks with RSA Security’s service to verify that the number is
correct. Google Authenticator, Google’s number generator service, provides
free, software-based security tokens.
Wireless Network Security
Wireless
transmissions are particularly susceptible to eavesdropping. For example, a
hacker could search for unprotected wireless networks by driving around with a
laptop configured to receive and capture wireless data transmissions—a practice
known as war driving. (The term is derived from the term war dialing, which is
a similar tactic involving modems.) War driving is surprisingly effective for
obtaining private information. Years ago, the hacker community publicized the
vulnerabilities of a well-known store chain, which were discovered while war
driving. The retailer used wireless cash registers to help customers make
purchases when the regular, wired cash registers were busy. However, the
wireless cash registers transmitted purchase information, including credit card
numbers and customer names, to network access points in clear text. By chance,
a person in the parking lot who was running a protocol analyzer program on his
laptop obtained several credit card numbers in a very short time. The person
alerted the retailer to the security risk (rather than exploiting the
information he gathered). Needless to say, after the retailer discovered its
error, it abandoned the use of wireless cash registers until after a thorough
evaluation of its data security. Once hackers discover vulnerable access
points, they might make this information public through war chalking, or using
chalk to draw symbols on the sidewalk or wall within range of an access point.
The symbols, patterned after marks that hobos devised to indicate hospitable places
for food or rest, indicate the access point’s SSID and whether it’s secured. Most
access points are not left unsecured. The following sections describe
techniques for encrypting data between Wi-Fi clients and access points. WEP
(Wired Equivalent Privacy) As you have learned, most organizations use one of
the 802.11 protocol standards on their WLANs. By default, the 802.11 standard
does not offer any security. In addition, most access points do not require a
client to authenticate before it can communicate with the AP. The client only
needs to know the access point’s SSID, which many access points broadcast. Network
administrators may prevent their access points from broadcasting the SSIDs, making
them harder to detect. However, this does not provide true security. For some
measure of security, 802.11 allows for optional encryption using the WEP (Wired
Equivalent Privacy) standard. WEP uses keys both to authenticate network
clients and to encrypt data in transit. When configuring WEP, you establish a
character string required to associate with the access point, also known as the
network key. When the client detects the presence of the access point, the user
is prompted to provide a network key before the client can gain access to a
network via the access point. The network key can be saved as part of the
client’s wireless connection’s properties. The first implementation of WEP
allowed for 64-bit network keys, and current versions of WEP allow for more
secure, 128-bit or even 256-bit network keys. Still, WEP’s use of the shared
key for authenticating all users and for exchanging data makes it more
susceptible to discovery than a dynamically generated, random, or single-use
key. An exploit in which a hacker uses a program to determine a WEP key is
known as WEP cracking.
Even
128-bit network keys can be cracked in a matter of minutes. Moreover, because
WEP operates in the Physical and Data Link layers of the OSI model, it does not
offer end-to-end data transmission security. A better wireless security
technique is 802.11i, which is discussed next.
IEEE 802.11i and WPA (Wi-Fi Protected
Access)
A
significant disadvantage to WEP is that it uses the same key for all clients
and the key may never change. Due to this inherent insecurity, IEEE devised a
new wireless security protocol, called 802.11i, that uses 802.1x (EAPoL) to
authenticate devices and dynamically assign every transmission its own key.
802.11i often relies on an encryption key generation and management scheme
known as TKIP (Temporal Key Integrity Protocol), pronounced tee-kip. As you can
imagine, EAPoL makes logging on to a wireless network more complex than it is with
WEP. In 802.11i, a wireless station first issues a request to the access point.
The access point functions as a proxy between the remote access server and
station until the station has successfully authenticated with a remote access
server. Meanwhile, the access point prevents any direct exchange of data
between the two. After obtaining data from an unknown station, the access point
repackages the data and then transmits it to the remote access server. It also repackages
data from the remote access server before issuing it to the station. Thus,
802.11i requires mutual authentication—the station authenticates with the
remote access server, and also, the remote access server authenticates with the
station. After mutual authentication, the remote access server instructs the
access point to allow traffic from the client into the network without first
having to be repackaged. Next, the client and server agree on the encryption key
they will use with the encryption scheme. Finally, they exchange data that has
been encrypted through the mutually agreed-upon method. 802.11i specifies the
AES encryption method and mixes each packet in a data stream with a different
key. Because of its impressive security, 802.11i has replaced the less-secure
WEP as the preferred means for protecting wireless transmissions from
intruders. WPA (Wi-Fi Protected Access) is a subset of the 802.11i standard
endorsed by the Wi-Fi Alliance, an international, nonprofit organization
dedicated to ensuring the interoperability of 802.11-capable devices. In fact,
the Wi-Fi Alliance released WPA before 802.11i was ratified to quickly provide
a more secure alternative to WEP. In WPA, authentication follows the same
mechanism specified in 802.11i. The main difference is that WPA specifies RC4
encryption rather than AES. Since the 802.11i standard was approved, the Wi-Fi
Alliance has released an updated version called WPA2. WPA2 includes support for
the previously released WPA protocol. In all other ways, it is identical to
802.11i. The most secure Wi-Fi communication is made possible by combining a
RADIUS server with WPA or WPA2, known as WPA-Enterprise or WPA2-Enterprise,
respectively. Although they are
significantly more secure than WEP, WPA and WPA2 keys can be discovered through
WPA cracking programs. Table 11-1 summarizes the most important encryption and
authentication methods discussed in this chapter.
Table 11-1 Notable
encryption and authentication methods
|
Security
method
|
Type
|
Primary
use(s)
|
Notes
|
|
PGP
|
Encryption
|
E-mail, but also other applications and stored data
|
Uses public key encryption
|
|
SSL
|
Encryption
|
TCP/IP (Web) transmissions
|
Can use one of many encryption algorithms
|
|
SSH
|
Encryption
|
VPN
|
Can use public or private key exchange and one of many encryption
algorithms
|
|
IPSec
|
Authentication
|
VPN
|
Uses IKE for key management, ISAKMP for secure
associations, and AH or ESP for encryption; native to IPv6
|
|
RADIUS
|
Authentication,
Authorization,
and Accounting
(AAA)
|
Remote access
|
Can use PPP, CHAP, and other protocols for authentication;
relies on UDP at the Transport
layer; supported by multiple platforms
|
|
TACACS+
|
Authentication,
Authorization,
and Accounting
(AAA)
|
Remote access
|
Allows for separation of authentication, authorization,
and accounting services; can use
PPP, CHAP, and other protocols for authentication;
relies on TCP at the Transport layer; Cisco proprietary
|
|
CHAP
|
Authentication
|
Remote access
|
Operates over PPP and requires a three-way handshake
|
|
MS-CHAP
|
Authentication
|
Remote access
|
Microsoft’s version of CHAP
|
|
MS-CHAPv2
|
Authentication
|
Remote access
|
A revised version of MS-CHAP; requires mutual authentication
between client and server
|
|
EAP
|
Authentication
|
Remote access
|
Operates over PPP; does not perform authentication or
encryption, but provides
framework for these
|
|
EAPoL (802.1x)
|
Authentication
|
Wi-Fi
|
Not a protocol, but a process for port-based authentication;
EAPoL combines EAP plus one of many encryption algorithms
|
|
Kerberos
|
Authentication
|
Client logon to services
|
Uses private key encryption to allow single
sign-on to multiple resources
|
|
WEP
|
Authentication
|
Wi-Fi
|
Uses symmetric, private key encryption; keys are
statically assigned; easily thwarted
|
|
WPA
|
Authentication
|
Wi-Fi
|
Uses public key encryption (RC4) and EAPoL to authenticate
devices and dynamically assign every transmission its own public key
|
|
WPA2
|
Authentication
|
Wi-Fi
|
Uses public key encryption (AES) and EAPoL to authenticate
devices and dynamically assign every transmission its own key
|
|
WPA/WPA2-Enterprise
|
Authentication
|
Wi-Fi
|
Adds RADIUS to WPA or WPA2 authentication
|
Chapter Summary
·
Every organization should assess its security
risks by conducting a posture assessment that identifies vulnerabilities and
rates the severity of threats and their potential consequences. Network
administrators use the results of posture assessments to close gaps in
security. If the assessment is conducted by a consulting company that has been accredited
by an agency that sets network security standards, the assessment qualifies as
a security audit.
·
One of the most common methods by which an
intruder gains access to a network is to simply ask users for their passwords.
This strategy is commonly called social engineering because it involves
manipulating social relationships to gain access. Phishing, a related tactic,
involves luring users into revealing information that would allow intruders to
gain access to secured network resources.
·
Security risks that a network administrator
must guard against include incorrectly configuring user accounts or groups and
their privileges; overlooking security flaws in topology or hardware
configuration; overlooking security flaws in operating system or application
configuration; improperly documenting or communicating security policies; and
leaving system settings at their default values.
■
Some risks inherent in network transmission and design include leased lines
that may
allow
for eavesdropping; unused router or server ports that can be exploited and
accessed
by hackers if not disabled; a router’s configuration port, accessible by
Telnet,
that
might not be adequately secured; routers that may not be properly configured to
mask
internal subnets or to deny access to certain hosts; and remote access servers
used
by telecommuting or remote staff that might not be carefully secured and
monitored.
■
Some risks pertaining to networking protocols and software include the
following:
inherent
TCP/IP security flaws; trust relationships between one server and another;
NOS
“back doors” or security flaws; an NOS that allows server operators to exit
to
a command prompt; administrators who accept default operating system
security;
and transactions that take place between applications left open to
interception.
■
A security policy identifies an organization’s security goals, risks, levels of
authority,
designated
security coordinator and team members, responsibilities for each team
member,
responsibilities for each employee, and strategies for addressing security
breaches.
■
Only authorized personnel should be allowed into data centers, computer rooms,
entrance
facilities, and wiring closets. If these areas remain unsecured, intruders may
easily
enter and steal equipment or sabotage software and hardware.
■
A router’s ACL (access control list, also known as an access list) instructs it
to decline
to
forward certain packets according to source IP address, source netmask,
destination
IP
address, destination netmask, or TCP or UDP port, among other things.
■
An IDS (intrusion-detection system) monitors traffic on a network or host for
unauthorized
attempts to access a network’s resources. An IPS (intrusion-prevention
system)
can detect such attempts and automatically react to them—for example, by
denying
access to a host whose traffic triggers an alert.
■
A firewall is a specialized device (typically a router, but possibly only a
desktop
computer
running special software) that selectively filters or blocks traffic between
networks.
It
can be placed between two interconnected private networks or, more
typically,
between a private network and a public network.
■
The most common form of firewall is a packet-filtering firewall, which examines
the
header
of every packet of data that it receives to determine whether that type of
packet
is authorized to continue to its destination.
■
A proxy service is a software application on a network host that acts as an
intermediary
between the external and internal networks, screening all incoming and
outgoing
traffic. The host that runs the proxy service is known as a proxy server.
A
proxy server appears to external machines as a network server, but it is
actually
another
filtering device for the internal LAN.
■
Scanning tools such as NMAP (Network Mapper) and Nessus can quickly reveal
comprehensive
information about a network. Open ports, services, hosts, and even
software
configurations may be discovered. Used legitimately, scanning tools provide
network
administrators with valuable information that can help improve network
security.
■
To learn more about hackers’ techniques or to catch a hacker in the act, some
networking
professionals use intentionally unsecured and isolated systems known
as
honeypots. Once a hacker has compromised the honeypot, his movements can
be
logged and his tactics examined. A network of honeypots is known as a
honeynet.
■
Every NOS provides at least some security by allowing you to limit users’
access to
files
and directories on the network. In addition, network administrators can
constrain
how those with different types of user IDs can use the network by setting
restrictions
on, for example, time of day, total time logged on, source address, and
number
of unsuccessful logon attempts.
■
Choosing secure passwords is one of the easiest and least expensive ways to
guard
against
unauthorized access.
■
Encryption is the use of an algorithm to scramble data into a format that can
be read
only
by reversing the algorithm—or decrypting the data—to keep the information
private.
Many forms of encryption exist, with some being more secure than others.
■
The most popular kind of encryption algorithm weaves a key, or a random string
of
characters,
into the original data’s bits, sometimes several times in different sequences,
to
generate a unique data block. The longer the key, the less easily the encrypted
data
can
be decrypted by an unauthorized program.
■
Key encryption comes in two forms: public and private key encryption. Popular
private
(symmetric) key encryption algorithms include DES (Data Encryption
Standard),
Triple DES (3DES), and AES (Advanced Encryption Standard). Popular
public
(asymmetric) key encryption algorithms include Diffie-Hellman, RSA, and
RC4.
■
Popular methods of encryption include PGP (Pretty Good Privacy), SSL (Secure
Sockets
Layer), SSH (Secure Shell) and OpenSSH, and IPSec (Internet Protocol
Security).
IPSec, which is native to IPv6, is a protocol used on many modern VPNs.
■
SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol) are ways of copying
files
securely
via SSH or OpenSSH.
■
Authentication protocols used with PPP connections include RADIUS (Remote
Authentication
Dial-In User Service), TACACS+ (Terminal Access Controller
Access
Control System Plus), PAP (Password Authentication Protocol), CHAP
(Challenge
Handshake Authentication Protocol), MS-CHAP (Microsoft Challenge
Handshake
Authentication Protocol), and MS-CHAPv2 (Microsoft Challenge
Handshake
Authentication Protocol, version 2). Other authentication protocols
include
EAP (Extensible Authentication Protocol), 802.1x (or EAPoL), and
Kerberos.
■
Wireless networks can use the WEP (Wired Equivalent Privacy) method of
encrypting
data in transit between stations and access points. WEP allows for keys
as
long as 256 bits. However, because WEP uses the same key for all stations
attaching
to an access point and for all transmissions, it is not very secure.
■
A better wireless security solution than WEP is provided by IEEE’s 802.11i
standard,
also
known as TKIP (Temporal Key Integrity Protocol). In 802.11i, the 802.1x
authentication
method is combined with AES encryption. Each 802.11i transmission
is
dynamically assigned its own key for encryption.
■
The Wi-Fi Alliance has released two wireless security standards: WPA and WPA2.
WPA
follows the same authentication and encryption processes as 802.11i, but uses
RC4
encryption. WPA2 is identical to 802.11i, but provides backward compatibility
for
clients running WPA. The most secure Wi-Fi communication is made possible by
combining
a RADIUS server with WPA or WPA2, known as WPA-Enterprise or
WPA2-Enterprise,
respectively.
Key
Terms
Ø 3DES See
Triple DES.
Ø 802.11i The
IEEE standard for wireless network encryption and authentication that uses
the EAP
authentication method, strong encryption, and dynamically assigned keys,
which are different
for every transmission. 802.11i specifies AES encryption and
weaves a key into
each packet.
Ø 802.1x A
vendor-independent IEEE standard for securing transmission between nodes
according to the
transmission’s port, whether physical or logical. 802.1x, also known as
EAPoL, is the
authentication standard followed by wireless networks using 802.11i.
Ø AAA
(authentication, authorization, and accounting) The
name of a category of
protocols that
establish a client’s identity; check the client’s credentials and, based on
those, allow or deny
access to a system or network; and, finally, track the client’s
system or network
usage.
Ø access
control list See ACL.
Ø access
list See ACL.
Ø ACL
(access control list) A list of statements used by a router to permit or deny the
forwarding of traffic
on a network based on one or more criteria.
Ø Advanced
Encryption Standard See AES.
Ø AES
(Advanced Encryption Standard) A private key encryption
algorithm that
weaves keys of 128,
160, 192, or 256 bits through data multiple times. The algorithm
used in the most
popular form of AES is known as Rijndael. AES has replaced DES in
situations such as
military communications, which require the highest level of security.
Ø AH
(authentication header) In the context of IPSec, a type of
encryption that provides
authentication of the
IP packet’s data payload through public key techniques.
Ø application
gateway See proxy server.
Ø Application
layer gateway See proxy server.
Ø AS
(authentication service) In Kerberos terminology, the process
that runs on a KDC
(Key Distribution Center)
to initially validate a client who’s logging on. The
authentication
service issues a session key to the client and to the service the client
wants to access.
Ø asymmetric
encryption A type of encryption (such as public key encryption) that uses
a different key for
encoding data than is used for decoding the ciphertext.
Ø authentication,
authorization, and accounting See AAA.
Ø authentication
header See AH.
Ø authentication
protocol A set of rules that governs how servers authenticate clients.
Several types of
authentication protocols exist.
Ø authentication
service See AS.
Ø authenticator In
Kerberos authentication, the user’s time stamp encrypted with the
session key. The
authenticator is used to help the service verify that a user’s ticket is
valid.
Ø biorecognition
access A method of authentication in which a device scans an
individual’s unique
physical characteristics (such as the color patterns in her iris or the
geometry of her hand)
to verify the user’s identity.
Ø brute
force attack An attempt to discover an encryption key or password by trying
numerous possible
character combinations. Usually, a brute force attack is performed
rapidly by a program
designed for that purpose.
Ø CA
(certificate authority) An organization that issues and maintains
digital certificates
as part of the
Public-key Infrastructure.
Ø certificate
authority See CA.
Ø challenge A
random string of text issued from one computer to another in some forms
of authentication. It
is used, along with the password (or other credential), in a response
to verify the
computer’s credentials.
Ø Challenge
Handshake Authentication Protocol See CHAP.
Ø CHAP
(Challenge Handshake Authentication Protocol) An authentication
protocol
that operates over
PPP and that requires the authenticator to take the first step by
offering the other
computer a challenge. The requestor responds by combining the
challenge with its
password, encrypting the new string of characters and sending it to
the authenticator.
The authenticator matches to see if the requestor’s encrypted string of
text matches its own
encrypted string of characters. If so, the requester is authenticated
and granted access to
secured resources.
Ø ciphertext The
unique data block that results when an original piece of data (such as
text) is encrypted
(for example, by using a key).
Ø client_hello In
the context of SSL encryption, a message issued from the client to the
server that contains
information about what level of security the client’s browser is
capable of accepting
and what type of encryption the client’s browser can decipher (for
example, RSA or
Diffie-Hellman). The client_hello message also establishes a
randomly generated
number that uniquely identifies the client, plus another number that
identifies the SSL
session.
Ø content-filtering
firewall A firewall that can block designated types of traffic from
entering a protected
network.
Ø Data
Encryption Standard See DES.
Ø demilitarized
zone See DMZ.
Ø denial-of-service
attack A security attack in which a system becomes unable to
function because it
has been inundated with requests for services and can’t respond to
any of them. As a
result, all data transmissions are disrupted.
Ø DES
(Data Encryption Standard) A popular private key encryption
technique that
was developed by IBM
in the 1970s.
Ø dictionary
attack A technique in which attackers run a program that tries a
combination of a
known user ID and, for a password, every word in a dictionary to
attempt to gain
access to a network.
Ø Diffie-Hellman The
first commonly used public, or asymmetric, key algorithm. Diffie Hellman was released
in 1975 by its creators, Whitfield Diffie and Martin Hellman.
Ø digital
certificate A password-protected and encrypted file that holds an
individual’s
identification
information, including a public key and a private key. The individual’s
public key is used to
verify the sender’s digital signature, and the private key allows the
individual to log on
to a third-party authority who administers digital certificates.
Ø DMZ
(demilitarized zone) The perimeter of a protected, internal network where users,
both authorized and
unauthorized, from external networks can attempt to access it.
Firewalls and IDS/IPS
systems are typically placed in the DMZ.
Ø DNS
spoofing A security attack in which an outsider forges name server records
to
falsify his host’s
identity.
Ø EAP
(Extensible Authentication Protocol) A Data Link layer protocol
defined by the
IETF that specifies
the dynamic distribution of encryption keys and a preauthentication
process in which a
client and server exchange data via an intermediate node (for example, an
access point on a wireless LAN). Only after they have mutually
authenticated can the
client and server exchange encrypted data. EAP can be used with
multiple
authentication and encryption schemes.
Ø EAP
over LAN See EAPoL.
Ø EAPoL
(EAP over LAN) See 802.1x.
Ø Encapsulating
Security Payload See ESP.
Ø encryption The
use of an algorithm to scramble data into a format that can be read only
by reversing the
algorithm—decrypting the data—to keep the information private. The
most popular kind of
encryption algorithm weaves a key into the original data’s bits,
sometimes several
times in different sequences, to generate a unique data block.
Ø encryption
devices Computers or specialized adapters inserted into other devices,
such
as routers or
servers, that perform encryption.
Ø ESP
(Encapsulation Security Payload) In the context of IPSec, a
type of encryption
that provides
authentication of the IP packet’s data payload through public key
techniques. In addition,
ESP also encrypts the entire IP packet for added security.
Ø evil
twin An exploit in which a rogue access point masquerades as a
legitimate access
point, using the same
SSID and potentially other identical settings.
Ø exploit In
the context of network security, the means by which a hacker takes advantage
of a vulnerability.
Ø Extensible
Authentication Protocol See EAP.
Ø flashing A
security attack in which an Internet user sends commands to another Internet
user’s machine that
cause the screen to fill with garbage characters. A flashing attack
causes the user to
terminate her session.
Ø FTP
bounce A security exploit in which an FTP client specifies a different
host’s IP
address and port
number for the requested data’s destination. By commanding the FTP
server to connect to
a different computer, a hacker can scan the ports on other hosts and
transmit malicious
code. To thwart FTP bounce attacks, most modern FTP servers will
not issue data to
hosts other than the client that originated the request.
Ø hacker
Traditionally, a person who masters the inner workings of operating systems
and utilities in an
effort to better understand them. More generally, an individual who
gains unauthorized
access to systems or networks with or without malicious intent.
Ø handshake
protocol One of several protocols within SSL, and perhaps the most
significant. As its
name implies, the handshake protocol allows the client and server to
authenticate (or
introduce) each other and establishes terms for how they securely
exchange data during
an SSL session.
Ø HIDS
(host-based intrusion detection) A type of intrusion
detection that runs on a
single computer, such
as a client or server, that has access to and allows access from the
Internet.
Ø HIPS
(host-based intrusion prevention) A type of intrusion
prevention that runs on a
single computer, such
as a client or server, that has access to and allows access from the
Internet.
Ø honeynet A
network of honeypots.
Ø honeypot A
decoy system isolated from legitimate systems and designed to be
vulnerable to
security exploits for the purposes of learning more about hacking
techniques or nabbing
a hacker in the act. Ø host-based
firewall A firewall that only protects the computer on which it’s
installed.
Ø host-based
intrusion detection See HIDS.
Ø host-based
intrusion prevention See HIPS.
Ø HTTP
over Secure Sockets Layer See HTTPS.
Ø HTTP
Secure See HTTPS.
Ø HTTPS
(HTTP over Secure Sockets Layer) The URL prefix that
indicates that a Web
page requires its
data to be exchanged between client and server using SSL encryption.
HTTPS uses the TCP
port number 443.
Ø IDS
(intrusion-detection system) A dedicated device or
software running on a host
that monitors, flags,
and logs any unauthorized attempt to access an organization’s
secured resources on
a network or host.
Ø IKE
(Internet Key Exchange) The first phase of IPSec
authentication, which
accomplishes key
management. IKE is a service that runs on UDP port 500. After IKE
has established the
rules for the type of keys two nodes use, IPSec invokes its second
phase, encryption.
Ø Internet
Key Exchange See IKE.
Ø Internet
Protocol Security See IPSec.
Ø Internet
Security Association and Key Management Protocol See
ISAKMP.
Ø intrusion-detection
system See IDS.
Ø intrusion-prevention
system See IPS.
Ø IPS
(intrusion-prevention system) A dedicated device or
software running on a host
that automatically
reacts to any unauthorized attempt to access an organization’s
secured resources on
a network or host. IPS is often combined with IDS.
Ø IPSec
(Internet Protocol Security) A Layer 3 protocol that
defines encryption,
authentication, and
key management for TCP/IP transmissions. IPSec is an
enhancement to IPv4
and is native to IPv6. IPSec is unique among authentication
methods in that it
adds security information to the header of all IP packets.
Ø IP
spoofing A security attack in which an outsider obtains internal IP
addresses and
then uses those
addresses to pretend that he has authority to access a private network
from the Internet.
Ø ISAKMP
(Internet Security Association and Key Management Protocol) A
service
for setting policies
to verify the identity and the encryption methods nodes will use in
IPSec transmission.
Ø KDC
(Key Distribution Center) In Kerberos terminology, the server
that runs the
authentication
service and the Ticket-Granting Service to issue keys and tickets to
clients.
Ø Kerberos A
cross-platform authentication protocol that uses key encryption to verify
the identity of
clients and to securely exchange information after a client logs on to a
system. It is an
example of a private key encryption service.
Ø key A
series of characters that is combined with a block of data during that data’s
encryption. To
decrypt the resulting data, the recipient must also possess the key.
Ø Key
Distribution Center See KDC.
Ø key
management The method whereby two nodes using key encryption agree on
common parameters for
the keys they will use to encrypt data.
Ø key
pair The combination of a public and private key used to decipher data
that was
encrypted using
public key encryption.
Ø man-in-the-middle
attack A security threat that relies on intercepted transmissions. It
can take one of
several forms, but in all cases a person redirects or captures secure data
traffic while in
transit.
Ø metasploit A
penetration-testing tool that combines known scanning techniques and
exploits to result in
potentially new types of exploits.
Ø Microsoft
Challenge Handshake Authentication Protocol See MS-CHAP.
Ø Microsoft
Challenge Handshake Authentication Protocol, version 2 See
MS-
CHAPv2.
Ø MS-CHAP
(Microsoft Challenge Handshake Authentication Protocol) An
authentication
protocol provided with Windows operating systems that uses a three-way
handshake to verify a
client’s credentials and encrypts passwords with a challenge text.
Ø MS-CHAPv2
(Microsoft Challenge Handshake Authentication Protocol, version 2)
An authentication
protocol provided with Windows operating systems that follows the
CHAP model, but uses
stronger encryption, uses different encryption keys for
transmission and
reception, and requires mutual authentication between two computers.
Ø multifactor
authentication An authentication process that requires the client to provide
two or more pieces of
information, such as a password, fingerprint scan, and security
token.
Ø mutual
authentication An authentication scheme in which both computers verify the
credentials of each
other.
Ø Nessus A
penetration-testing tool from Tenable Security that performs sophisticated
scans to discover
information about hosts, ports, services, and software.
Ø network-based
firewall A firewall configured and positioned to protect an entire
network.
Ø network-based
intrusion detection See NIDS.
Ø network-based
intrusion prevention See NIPS.
Ø network
key A key (or character string) required for a wireless station to
associate with
an access point using
WEP.
Ø Network
Mapper See NMAP.
Ø NIDS
(network-based intrusion detection) A type of intrusion
detection that occurs
on devices that are
situated at the edge of the network or that handle aggregated traffic.
Ø NIPS
(network-based intrusion prevention) A type of intrusion
prevention that
occurs on devices
that are situated at the edge of the network or that handle aggregated
traffic.
Ø NMAP
(Network Mapper) A scanning tool designed to assess large networks quickly
and provide
comprehensive, customized information about a network and its hosts.
NMAP, which runs on
virtually any modern operating system, is available for download
at no cost at
www.nmap.org.
Ø OpenSSH An
open source version of the SSH suite of protocols.
Ø packet-filtering
firewall A router that examines the header of every packet of data that
it receives to
determine whether that type of packet is authorized to continue to its
destination.
Packet-filtering firewalls are also called screening firewalls.
Ø PAP
(Password Authentication Protocol) A simple authentication
protocol that
operates over PPP.
Using PAP, a client issues its credentials in a request to authenticate,
and the server
responds with a confirmation or denial of authentication after comparing
the credentials with
those in its database. PAP is not very secure and is, therefore, rarely
used on modern
networks.
Ø Password
Authentication Protocol See PAP.
Ø PGP
(Pretty Good Privacy) A key-based encryption system for e-mail that uses a two-
step verification
process.
Ø phishing A
practice in which a person attempts to glean access or authentication
information by posing
as someone who needs that information.
Ø PKI
(Public-key Infrastructure) The use of certificate authorities to
associate public
keys with certain
users.
Ø port
authentication A technique in which a client’s identity is verified by an
authentication server
before a port, whether physical or logical, is opened for the
client’s Layer 3
traffic. See also 802.1x.
Ø port-based
authentication See port authentication.
Ø port
forwarding The process of redirecting traffic from its normally assigned
port to a
different port,
either on the client or server. In the case of using SSH, port forwarding
can send data
exchanges that are normally insecure through encrypted tunnels.
Ø port
mirroring A monitoring technique in which one port on a switch is
configured to
send a copy of all
its traffic to a second port.
Ø port
scanner Software that searches a server, switch, router, or other device
for open
ports, which can be
vulnerable to attack.
Ø posture
assessment An assessment of an organization’s security vulnerabilities.
Posture assessments
should be performed at least annually and preferably quarterly—or
sooner if the network
has undergone significant changes. For each risk found, it should
rate the severity of
a potential breach, as well as its likelihood.
Ø Pretty
Good Privacy See PGP.
Ø principal In
Kerberos terminology, a user or client.
Ø private
key encryption A type of key encryption in which the sender and receiver use
a key to which only
they have access. DES (Data Encryption Standard), which was
developed by IBM in
the 1970s, is a popular example of a private key encryption
technique. Private
key encryption is also known as symmetric encryption.
Ø proxy See
proxy server.
Ø proxy
server A network host that runs a proxy service. Proxy servers may also
be
called gateways.
Ø proxy
service A software application on a network host that acts as an
intermediary
between the external
and internal networks, screening all incoming and outgoing traffic
and providing one
address to the outside world, instead of revealing the addresses of
internal LAN devices.
Ø public
key encryption A form of key encryption in which data is encrypted using two
keys: One is a key
known only to a user, and the other is a key associated with the user
and that can be
obtained from a public source, such as a public key server. Some
examples of public
key algorithms include RSA and Diffie-Hellman. Public key
encryption is also
known as asymmetric encryption.
Ø public-key
infrastructure See PKI.
Ø public
key server A publicly available host (such as an Internet host) that
provides free
access to a list of
users’ public keys (for use in public key encryption).
Ø RADIUS
(Remote Authentication Dial-In User Service) A popular protocol
for
providing centralized
AAA (authentication, authorization, and accounting) for multiple
users. RADIUS runs
over UDP and can use one of several authentication protocols.
Ø RADIUS
server A server that offers centralized authentication services to a
network’s
access server, VPN
server, or wireless access point via the RADIUS protocol.
Ø RC4 An
asymmetric key encryption technique that weaves a key with data multiple
times as a computer
issues the stream of data. RC4 keys can be as long as 2048 bits. In
addition to being
highly secure, RC4 is fast.
Ø Remote
Authentication Dial-In User Service See RADIUS.
Ø RSA An
encryption algorithm that creates a key by randomly choosing two large prime
numbers and
multiplying them together. RSA is named after its creators, Ronald Rivest,
Adi Shamir, and
Leonard Adleman. RSA was released in 1977, but remains popular
today for e-commerce
transactions.
Ø SCP
(Secure CoPy) A method for copying files securely between hosts. SCP is part of
the OpenSSH package,
which comes with modern UNIX and Linux operating systems.
Third-party SCP
applications are available for Windows-based computers.
Ø Secure
CoPy See SCP.
Ø Secure
File Transfer Protocol See SFTP.
Ø Secure
Shell See SSH.
Ø Secure
Sockets Layer See SSL.
Ø security
audit An assessment of an organization’s security vulnerabilities
performed by
an accredited network
security firm.
Ø security
policy A document or plan that identifies an organization’s security
goals,
risks, levels of
authority, designated security coordinator and team members,
responsibilities for
each team member, and responsibilities for each employee. In
addition, it
specifies how to address security breaches.
Ø security
token A device or piece of software used for authentication that stores
or
generates
information, such as a series of numbers or letters, known only to its
authorized user.
Ø server_hello In
the context of SSL encryption, a message issued from the server to the
client that confirms
the information the server received in the client_hello message. It
also agrees to
certain terms of encryption based on the options the client supplied.
Depending on the Web
server’s preferred encryption method, the server may choose to
issue your browser a
public key or a digital certificate at this time.
Ø session
key In the context of Kerberos authentication, a key issued to both
the client
and the server by the
authentication service that uniquely identifies their session.
Ø SFTP
(Secure File Transfer Protocol) A protocol available with
the proprietary
version of SSH that
copies files between hosts securely. Like FTP, SFTP first
establishes a
connection with a host and then allows a remote user to browse directories,
list files, and copy
files. Unlike FTP, SFTP encrypts data before transmitting it.
Ø single
sign-on A form of authentication in which a client signs on once to
access
multiple systems or
resources.
Ø smurf
attack A threat to networked hosts in which the host is flooded with
broadcast
ping messages. A
smurf attack is a type of denial-of-service attack.
Ø social
engineering The act of manipulating personal relationships to circumvent
network security
measures and gain access to a system.
Ø SSH
(Secure Shell) A connection utility that provides authentication and encryption.
With SSH, you can
securely log on to a host, execute commands on that host, and copy
files to or from that
host. SSH encrypts data exchanged throughout the session.
Ø SSL
(Secure Sockets Layer) A method of encrypting TCP/IP
transmissions—
including Web pages
and data entered into Web forms—en route between the client and
server using public
key encryption technology.
Ø SSL
session In the context of SSL encryption, an association between the
client and
server that is
defined by an agreement on a specific set of encryption techniques. An
SSL session allows
the client and server to continue to exchange data securely as long
as the client is
still connected to the server. SSL sessions are established by the SSL
handshake protocol.
Ø stateful
firewall A firewall capable of monitoring a data stream from end to end.
Ø stateless
firewall A firewall capable only of examining packets individually.
Stateless
firewalls perform
more quickly than stateful firewalls, but are not as sophisticated.
Ø symmetric
encryption A method of encryption that requires the same key to encode
the data as is used
to decode the ciphertext.
Ø TACACS+
(Terminal Access Controller Access Control System Plus) A
Cisco
proprietary protocol
for AAA (authentication, authorization, and accounting). Like
RADIUS, TACACS+ may
use one of many authentication protocols. Unlike RADIUS,
TACACS+ relies on TCP
at the Network layer and allows for separation of the AAA
services.
Ø Temporal
Key Integrity Protocol See TKIP.
Ø Terminal
Access Controller Access Control System Plus See TACACS+.
Ø TGS
(Ticket-Granting Service) In Kerberos terminology, an application
that runs on
the KDC that issues
Ticket-Granting Tickets to clients so that they need not request a
new ticket for each
new service they want to access.
Ø TGT
(Ticket-Granting Ticket) In Kerberos terminology, a ticket that enables
a user to
be accepted as a
validated principal by multiple services.
Ø three-way
handshake An authentication process that involves three steps.
Ø ticket In
Kerberos terminology, a temporary set of credentials that a client uses to
prove
that its identity has
been validated by the authentication service.
Ø Ticket-Granting
Service See TGS.
Ø Ticket-Granting
Ticket See TGT.
Ø TKIP
(Temporal Key Integrity Protocol) An encryption key
generation and
management scheme
used by 802.11i.
Ø TLS
(Transport Layer Security) A version of SSL being standardized by
the IETF
(Internet Engineering
Task Force). With TLS, the IETF aims to create a version of SSLthat encrypts
UDP as well as TCP transmissions. TLS, which is supported by new Web
browsers, uses
slightly different encryption algorithms than SSL, but otherwise is verysimilar
to the most recent version of SSL.
Ø Transport
Layer Security See TLS.
Ø Triple
DES (3DES) The modern implementation of DES, which weaves a 56-bit key
through data three
times, each time using a different key.
Ø two-factor
authentication A process in which clients must supply two pieces of
information to verify
their identity and gain access to a system.
Ø VPN
concentrator A specialized device that authenticates VPN clients and
establishes
tunnels for VPN
connections.
Ø vulnerability A
weakness of a system, process, or architecture that could lead to
compromised
information or unauthorized access to a network.
Ø war
chalking The use of chalk to draw symbols on a sidewalk or wall within
range of
an access point. The
symbols, patterned after marks that hobos devised to indicate
hospitable places for
food or rest, indicate the access point’s SSID and whether it’s
secured.
Ø war
driving The act of driving while running a laptop configured to detect
and capture
wireless data
transmissions.
Ø WEP
(Wired Equivalent Privacy) A key encryption technique for wireless
networks
that uses keys both
to authenticate network clients and to encrypt data in transit.
Ø WEP
cracking A security exploit in which a hacker uses a program to discover a
WEP
key.
Ø Wi-Fi
Alliance An international, nonprofit organization dedicated to ensuring
the
interoperability of
802.11-capable devices.
Ø Wi-Fi
Protected Access See WPA.
Ø Wired
Equivalent Privacy See WEP.
Ø WPA
(Wi-Fi Protected Access) A wireless security method endorsed by
the Wi-Fi
Alliance that is
considered a subset of the 802.11i standard. In WPA, authentication
follows the same
mechanism specified in 802.11i. The main difference between WPA
and 802.11i is that
WPA specifies RC4 encryption rather than AES.
Ø WPA2 The
name given to the 802.11i security standard by the Wi-Fi Alliance. The
only difference
between WPA2 and 802.11i is that WPA2 includes support for the older
WPA security method.
Ø WPA2-Enterprise An
authentication scheme for Wi-Fi networks that combines WPA2
with RADIUS.
Ø WPA
cracking A security exploit in which a hacker uses a program to discover a
WPA
key.
Ø WPA-Enterprise An
authentication scheme for Wi-Fi networks that combines WPA
with RADIUS.
Ø zero-day
exploit An exploit that takes advantage of a software vulnerability that
hasn’t
yet become public,
and is known only to the hacker who discovered it. Zero-day
exploits are
particularly dangerous, because the vulnerability is exploited before the
software developer
has the opportunity to provide a solution for it.
Review s
1. You work
for
a retailer that sells
household goods
online. The company has
decided to redesign
its network for better
security. Included
in this redesign is the addition of a
new firewall.
Assuming the firewall is
placed
between the Internet
connection and
the Web server, which
of the following should be
included in the firewall's configuration
so that customers can
still reach the Web
site?
a. Allow incoming UDP-based transmissions
to port 23.
b. Allow incoming
TCP-based transmissions
to port 80.
c. Allow outgoing TCP-based
transmissions to port
88.
d. Allow outgoing UDP-based transmissions
to port 1024.
2. Which
of the following is
the most secure password?
a. 12345ABC
b. dolphins
c. !tlzOGS557x^^L
d. A1B2C333
3. You are
alerted
that
suddenly 100% of
the resources
on your two
core routers
are being used and
no legitimate traffic can travel
into
or out of your network. What
kind of security attack are you most likely experiencing?
a. IP
spoofing
b. Brute
force attack
c.
Flashing
d.
Denial-of-service attack
4. What type of device guards against an attack
in which a hacker
modifies the IP source
address in the packets he's
issuing so that the transmission appears to belong to your
network?
a. Packet-filtering
firewall
b. Proxy server
c. NAT gateway
d. Router
5. Which
of the following devices
can
improve performance for certain applications,
in addition to
enhancing network
security?
a.
Packet-filtering firewall
b.
NAT gateway
c.
Proxy server
d.
Router
6. If a firewall does nothing more
than filter packets, at what
layer
of the OSI model does
it operate?
a. Transport
b. Network
c. Data Link
d. Session
7. Which
of the following encryption
methods provides the best security for data traveling over VPN connections?
a. PPTP
b. L2TP
c.
IPSec
d. SLIP
8. Which
of the following criteria could
a router's ACL use for
denying packets access
to a private network?
a.
Source IP address
b.
Authentication
header
c.
RTT
d.
Source MAC
address
9. Which
of the following NOS logon restrictions is most likely to
stop a hacker who
is attempting to
discover someone's
password through a brute
force or dictionary attack?
a. Total
time logged on
b. Time of day
c.
Period of time after which a password expires
d. Number of unsuccessful logon attempts
10. Which of
the following can
automatically detect and
deny network access to
a host whose traffic patterns appear suspicious?
a.
IPS
b.
NAT gateway
c.
Proxy server
d.
Router
11. If you are entering your
account
number
and password in a Web form
to check your
bank account balance online,
which of the following encryption methods are you
most likely using?
a. PGP
b. SSL
c. SSH
d. Kerberos
12.
Which of the following encryption techniques is incorporated
into
IP version 6?
a. SSH
b. SSL
c. Kerberos
d. IPSec
13.
Which of the following is one reason
WEP is less secure than
802.11i?
a. WEP is only capable
of 16-bit keys,
whereas
802.11i can use keys
up to 128 bits long.
b. WEP uses
only
one encryption method, whereas 802.11i combines two encryption methods for data in transit.
c. WEP uses
the same key for authentication and encryption every time a client
connects, whereas 802.11i assigns keys dynamically to each transmission.
d. WEP does not require clients to
specify an SSID, whereas
802.11i requires clients to specify an
SSID plus a
user name and password for the network's access server.
14.
Using a 20-bit key is
how many times more secure than
using
an 18-bit key?
a. Two times
b. Three times
c. Four times
d. Eight times
15.
How many keys
are
required for
public key encryption?
a. One
b. Two
c. Four
d. None
16. You are designing
an 802.11n wireless network for a local cafe. You want the wireless
network to be available to the cafe's
customers, but not to anyone with
a wireless NIC who happens
to be in the vicinity. Which of
the following security measures require customers to enter a network
key to gain access to your
network via the access
point?
a. SSL
b. IPSec
c. TLS
d. WPA2
17.
Which of the following requires port-based
authentication?
a.
Kerberos
b. RADIUS
c. WEP
d. WPA
18.
Which of the following plays a crucial role
in the public key infrastructure?
a. IDS
b.
Certificate
authority
c. VPN concentrator
d. PGP
19.
Which of the following techniques
would prevent an FTP bounce attack?
a.
Configuring
your
firewall to deny requests to
ports
20 and 21
b.
Performing a port scan of your network using NMAP
c.
Configuring the FTP service to require a password.
d.
Restricting the size of your FTP server’s memory allocation
table
20. You have decided
to add a honeypot
to your
network.
Where on the network
would you place it?
a. On your company’s
Web
server
b. In a decoy DMZ
c. Between the access server and
RADIUS
server
d. Attached to a workgroup switch
Practice Test
1. Packet-filtering firewalls cannot distinguish between a user
who is trying to breach the firewall and a user who is authorized to do so.
a. True
b. False
2. ____ is a public key
encryption system that can verify the authenticity of an e-mail sender and
encrypt e-mail data in transmission.
a. SSL
b. PGP
c. IPSec
d. SSH
3. 802.11i is poised to
replace the less-secure WEP as the preferred means for protecting wireless
transmissions from intruders.
a. True
b. False
4. In ____, one port is configured to send a copy of all its
traffic to a second port on the switch.
a. IP
spoofing
b. port
forwarding
c. port mirroring
d. phishing
5. Many large organizations require authorized employees to wear
electronic ____, which can be programmed to allow their owner access to some,
but not all, rooms in a building.
access badges
6. To guard against the threat of information being stolen from a
decommissioned hard disk, you can run a specialized ____ program to not only
delete the hard drive's contents but also make file recovery impossible.
a. cracker
b. disk sanitizer
c. firewall
d. key
7. Network security is more often compromised "from the
inside" than from external sources.
a. True
b. False
8. HTTPS uses the TCP port number 80.
a. True
b. False
9. A(n) ____ drives the
creation of a security policy.
a. security coordinator
b. administrator
c. IT
specialist
d. security
manager
10. The combination of a
public key and a private key is known as a ____.
a. key pair
b. principal
c. RADIUS
server
d. netstat
11. When configuring WEP,
you establish a character string required to associate with the access point,
also known as the ____.
a. proxy
server
b. principal
c. network key
d. public
key server
12. In key encryption, the
scrambled data block is known as ____.
a. cleartext
b. fuzzytext
c. a
key pair
d. ciphertext
13. A firewall may allow outsiders to obtain internal IP addresses,
then use those addresses to pretend that they have authority to access your
internal network from the Internet—a process called ____.
IP spoofing
14. ____ is used with older
encryption and authentication protocols to form a new, more secure method of
connecting to networks from wireless stations.
a. EAP
b. RSA
c. SCP
d. RC4
15. More often than not, security is compromised from using the
Internet.
a. True
b. False
16. In public key encryption, data is encrypted using a single key
that only the sender and the receiver know.
a. True
b. False
17. Hackers can use programs that try a combination of your user
ID and every word in a dictionary to gain access to the network. This is known
as a(n) ____.
dictionary attack
18. In CHAP, the
authenticating device takes the first step in authentication after PPP
establishes a connection between it and the computer requesting authentication.
a. True
b. False
19. A(n) ____ is a router (or a computer installed with software
that enables it to act as a router) that examines the header of every packet of
data it receives to determine whether that type of packet is authorized to
continue to its destination.
packet-filtering firewall
20. Network administrators can test how vulnerable their servers,
routers, switches, and other devices are by using a ____, or software that
searches the node for open ports.
a. network
key
b. proxy
server
c. port scanner
d. principal
21. An IDS can react when alerted to suspicious activity.
a. True
b. False
22. WPA uses the AES encryption scheme.
a. True
b. False
23. Proxy servers manage security at the Network layer of the OSI
model.
a. True
b. False
24. Although a security policy defines who has access to the
computer room, locking the computer room is necessary to keep unauthorized
individuals out.
a. True
b. False
25. Many companies mistakenly require employees only to use a
password, and don't help them choose a good one. This oversight increases the
risk of ____.
a. war
driving
b. encryption
c. port
mirroring
d. security breaches
26. A Kerberos client, or user, is known as a(n) ____.
principal
27. A(n) ____ is a password-protected and encrypted file that
holds an individual's identification information, including a public key.
digital certificate
28. In ____, a wireless station first issues a request to the
access point. The access point functions as a proxy between the remote access
server and station until the station has successfully authenticated with a
remote access server
802.11i
29. Do not reuse passwords
after they have expired.
True
False
Chapter Test
1. In general, information is ____________________ if it could be
used by other parties to impair an organization’s functioning, decrease
customers’ confidence, cause a financial loss, damage an organization’s status,
or give a significant advantage to a competitor.
confidential
2. A ____ firewall is a
router (or a computer installed with software that enables it to act as a
router) that examines the header of every packet of data it receives to
determine whether that type of packet is authorized to continue to its
destination.
a. selective
b. packet-filtering
c. proxy
d. gateway
3. ____ is a method of
encrypting TCP/IP transmissions above the network layer.
a. SSL
b. PAP
c. PGP
d. IPSec
4. ____ is a social
engineering practice in which a person attempts to glean access or
authentication information by posing as someone who needs that information.
a. Hacking
b. Cracking
c. War
driving
d. Phishing
5. ____ protocols are the
rules that computers follow to accomplish authentication.
a. Authority
b. Availability
c. Access
d. Authentication
6. RADIUS and TACACS belong to a category of protocols known as
AAA (____).
a. access,
authorization, and accounting
b. authentication,
authorization, and authority
c. authentication,
authorization, and access
d. authentication, authorization, and
accounting
7. A(n) ____ is a password-protected and encrypted file that holds
an individual’s identification information, including a public key.
a. authentication
file
b. access
control list
c. digital certificate
d. authentication
certificate
8. The use of certificate authorities to associate public keys
with certain users is known as ____.
a. PGP
b. PKI
c. IPSec
d. SSL
9. A ____ attack occurs when an Internet chat user sends commands
to a victim’s machine that causes the screen to fill with garbage characters
and requires the victim to terminate their chat sessions.
a. phishing
b. denial-of-service
c. war
driving
d. flashing
10. A(n) ____________________ identifies an organization’s
security risks, levels of authority, designated security coordinator and team members,
responsibilities for each team member, and responsibilities for each employee.
security policy
11. The combination of a public key and a private key is known as
a ____.
a. key
lock
b. key
frame
c. key pair
d. key
set
12. ____ software searches
a node for open ports.
a. Port scanner
b. Authentication
c. Phishing
d. Sniffing
13. Encryption is the last means of defense against data theft.
a. True
b. False
14. A ____ attack occurs
when a hacker tries numerous possible character combinations to find the key
that will decrypt encrypted data.
a. flashing
b. dictionary
c. brute force
d. denial-of-service
15. In ____, both computers
verify the credentials of the other.
a. mutual
access
b. mutual
verification
c. mutual authentication
d. mutual
authorization
16. Human errors, ignorance, and omissions cause more than half of
all security breaches sustained by networks.
a. True
b. False
17. ____________________ is the use of an
algorithm to scramble data into a format that can be read only by reversing the algorithm.
Encryption
18. A ____ main function is to examine packets and determine where
to direct them based on their Network layer addressing information.
a. router’s
b. proxy
server’s
c. switch’s
d. gateway’s
19. A(n) ____________________ is a thorough examination of each
aspect of the network to determine how it might be compromised.
posture assessment
20. In a ____ attack, a person redirects or captures secure
transmissions as they occur.
a. war
driving
b. man-in-the-middle
c. phishing
d. denial-of
service
21. A NOS that contains a “backdoor” is an example of a risk
associated with ____.
a. Internet
access
b. protocols and software
c. people
d. transmission
and hardware
22. A ____ attack occurs when a hacker uses programs that try a
combination of a user ID and every word in a dictionary to gain access to the
network.
a. brute
force
b. denial-of-service
c. flashing
d. dictionary
23. Network security is more often compromised “from the inside”
than from external sources.
a. True
b. False
24. A VPN ____
authenticates VPN clients and establishes tunnels for VPN connections.
a. concentrator
b. router
c. service
d. certificate
authority
25. A security policy should state exactly which hardware,
software, architecture, or protocols will be used to ensure security.
a. True
b. False
