JD. Willard MCSE, MCSA, Network+

toycutnshoot / Networking and Communications

Oct 27, 2013



CIST 1601 Information Security Fundamentals

Chapter 2 Infrastructure and Connectivity

Compiled By



JD. Willard MCSE, MCSA, Network+

Attention: Accessing Videos in this document.

Videos with blue links are linked to Professor Messer on YouTube and require nothing but a browser.

Videos with red links require that you be logged in to the Virtual Technical College web site when you click on them to run.

To access and log in to the Virtual Technical College web site:

- To access the site, type www.vtc.com in the URL window.
- Log in using the username: ATCStudent1
- Enter the password: student (case sensitive)

If you click on the demo link and you get an Access Denied, it is because you have not logged in to vtc.com or you need to log out and log back in.




Chapter 2 Infrastructure and Connectivity 27


Mastering TCP/IP 29

Working with the TCP/IP Suite 30

OSI Model

The Open Systems Interconnection (OSI) model is a theoretical way of classifying and talking about the complex process of sending data on a network. The OSI model divides the complex task of networking into various layers to facilitate the development of standards and to allow for interoperability between protocols and hardware components.

Network security devices and solutions are often described based on the OSI model. As you learn about network security, you should be familiar with the networking tasks associated with each OSI model layer. The following table summarizes key facts about each OSI model layer (Layer: Description and Keywords).

Application (Layer 7)

The Application layer integrates network functionality into the host operating system, and enables network services. The Application layer does not include specific applications that provide services, but rather provides the capability for services to operate on the network.

The Application layer is associated with the data that is generated by a service or a protocol. A security device operating at the Application layer makes security decisions based on the actual data within a data stream.

Presentation (Layer 6)

The Presentation layer formats or "presents" data into a compatible form for receipt by the Application layer or the destination system. Specifically, the Presentation layer ensures:

- Formatting and translation of data between systems.
- Negotiation of data transfer syntax between systems, through converting character sets to the correct format.
- Encapsulation of data into message envelopes by encryption and compression.
- Restoration of data by decryption and decompression.

Session (Layer 5)

The Session layer's primary function is managing the sessions in which data is transferred. Functions at this layer include:

- Management of multiple sessions (each client connection is called a session). A server can concurrently maintain thousands of sessions.
- Assignment of the session ID number to each session to keep data streams separate.
- Set up, maintain, and tear down communication sessions.

Transport (Layer 4)

The Transport layer provides a transition between the upper and lower layers of the OSI model, making the upper and lower layers transparent from each other. Two protocols associated with the Transport layer are:

- The Transmission Control Protocol (TCP) provides services that ensure accurate and timely delivery of network communications between two hosts. TCP provides the following services to ensure message delivery:
  o Sequencing of data packets
  o Flow control
  o Error checking
  TCP is referred to as a connection-oriented protocol because it includes these delivery guarantees.
- The User Datagram Protocol (UDP) is similar to TCP, but does not include mechanisms for ensuring timely and accurate delivery. Because it has less overhead, it offers fast communications, but at the expense of possible errors or data loss. UDP is referred to as a connectionless protocol because it lacks these delivery guarantee mechanisms.

Network (Layer 3)

The Network layer describes how data is routed across networks and on to the destination.

- Protocols associated with the Network layer include IP and IPX.
- The logical host address, in the form of the IP address, is defined at the Network layer.
- Routers operate at the Network layer by reading the IP address in the packet to make forwarding decisions.

Data Link (Layer 2)

The Data Link layer defines the rules and procedures for hosts as they access the Physical layer.

- The physical device address, in the form of the MAC address used with Ethernet, is defined at the Data Link layer.
- Network interface cards (NICs) contain the MAC address and perform functions at the Data Link layer.
- Switches operate at the Data Link layer by reading the MAC address in a frame to make forwarding decisions.

Physical (Layer 1)

The Physical layer sets standards for sending and receiving electrical signals between devices. Hubs operate at the Physical layer because they simply forward electrical signals out all hub ports without interpreting the meaning of those signals that are present at higher layers.











TCP/IP Model

The TCP/IP suite of protocols can be divided into four layers that roughly correspond to the seven layers of the OSI Model.

- Application layer: The Application layer corresponds to the Session, Presentation, and Application layers of the OSI model. Applications gain access to the network through this layer, via protocols such as the File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and Dynamic Host Configuration Protocol (DHCP).
- Transport layer: This layer is comparable to the Transport layer of the OSI model and contains the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), which provide flow control, error checking, and sequencing. All service requests use one of these protocols.
- Internet layer: This layer is comparable to the Network layer of the OSI model and contains the Internet Protocol (IP), Internet Control Message Protocol (ICMP), Internet Group Message Protocol (IGMP), and Address Resolution Protocol (ARP). These protocols handle message routing and host address resolution.
- Network access layer (or Network Interface layer): This layer corresponds to the functions of the Physical and Data Link layers of the OSI model and is responsible for describing the physical layout of the network and how messages are formatted and transmitted to the network wire.

Figure: The TCP/IP model compared with the OSI model





Network Protocol

A protocol is a set of standards for communication between network hosts. Protocols often provide services, such as e-mail or file transfer. Most protocols are not intended to be used alone, but instead rely on and interact with other dependent or complementary protocols. A group of protocols that is intended to be used together is called a protocol suite.

The following table lists several major protocols (Protocol: Characteristics).

Transmission Control Protocol (TCP)

TCP provides services that ensure accurate and timely delivery of network communications between two hosts. TCP is a layer 4 (Transport layer) protocol. TCP is connection-oriented, which means that it provides a guaranteed delivery of data between hosts through the following services:

- Sequencing of data packets
- Flow control
- Error checking

The TCP three-way handshake is the process used to establish a TCP session. The steps to a TCP three-way handshake process are:

- A host sends a SYN packet to the target host.
- The target host responds to the original host with a SYN ACK packet.
- The host responds to the target host with an ACK packet.

User Datagram Protocol (UDP)

UDP is a host-to-host protocol like TCP. However, UDP is connectionless, which means that it does not include mechanisms for ensuring timely and accurate delivery, but uses a best effort delivery. Because it has less overhead, it offers fast communications, but at the expense of possible errors or data loss.

Internet Protocol (IP)

IP is a layer 3 protocol that is connectionless and relies on upper layer protocols like TCP to ensure delivery and connection orientation.

Internetwork Packet Exchange (IPX)

IPX is an older protocol used with older Novell networks. IPX has been replaced with TCP/IP in newer versions of NetWare. Unless you are running a version of NetWare that does not support TCP/IP, or are using applications that rely on IPX, you should disable IPX to eliminate attacks against IPX on your network.

Network Basic Input/Output System (NetBIOS)

NetBIOS is the term used to describe the combination of two protocols: NetBEUI and NetBIOS. NetBIOS is used for name resolution and registration in Windows-based environments. Because NetBIOS is a non-routable protocol, it was often combined with TCP/IP or IPX/SPX to enable internetwork communications.

- NetBIOS was used in early Windows networks.
- Beginning with Windows 2000, NetBIOS is no longer required.
- NetBIOS might be needed if the network includes clients running previous versions of Windows.

Internet Control Message Protocol (ICMP)

ICMP provides maintenance and reporting functions. ICMP is commonly used for troubleshooting and information gathering. ICMP works closely with IP in providing error and control information, and by allowing hosts to exchange packet status information which helps move the packets through the internetwork. Two common management utilities use ICMP messages to check network connectivity.

- ping sends an ICMP Echo Request and, once executed, should initiate an Echo Reply to the source from the target device. Ping can be used to determine whether devices are reachable and can communicate across the network.
- traceroute determines how many routers (hops) are between the source and the target and the response time for each router.

ICMP also works with IP to send notices when destinations are unreachable and when devices' buffers overflow. ICMP messages are used to determine the route and hops packets take through the network and whether devices can communicate across the network.

Address Resolution Protocol (ARP)

ARP provides IP address-to-MAC address resolution. Using ARP, a host that knows the IP address of a host can discover the corresponding MAC address, allowing delivery of data on the local network.

Domain Name System (DNS)

DNS is a hierarchical, distributed database that maps logical host names to IP addresses. For example, the name www.mydomain.com would be identified with a specific IP address. When you use the host name of a computer (for example if you type a URL such as www.mydomain.com), your computer uses the following process to find the IP address.

1. The host looks in its local cache to see if it has recently resolved the host name.
2. If the information is not in the cache, it checks the Hosts file. The Hosts file is a static text file that contains hostname-to-IP address mappings.
3. If the IP address is not found, the host contacts its preferred DNS server. If the preferred DNS server can't be contacted, it continues contacting additional DNS servers until one responds.
4. The host sends the name information to the DNS server. The DNS server then checks its cache and Hosts file. If the information is not found, the DNS server checks any zone files that it holds for the requested name.
5. If the DNS server can't find the name in its zones, it forwards the request to a root zone name server. This server returns the IP address of a DNS server that has information for the corresponding top-level domain (such as .com).
6. The first DNS server then requests the information from the top-level domain server. This server returns the address of a DNS server with the information for the next highest domain. This process continues until a DNS server is contacted that holds the necessary information.
7. The DNS server places the information in its cache and returns the IP address to the client host. The client host also places the information in its cache and uses the IP address to contact the desired destination device.

SNMP

SNMP is an application layer protocol whose purpose is to collect statistics from and monitor the health of network equipment, computer equipment, UPS, and TCP/IP devices. It is a protocol designed for managing complex networks. SNMP lets network hosts exchange configuration and status information. This information can be gathered by management software and used to monitor and manage the network. SNMP uses the following components:

- A manager is the computer used to perform management tasks. The manager queries agents and gathers responses.
- An agent is a software process that runs on managed network devices. The agent communicates information with the manager and can send dynamic messages to the manager.
- The MIB is a database of host configuration information. Agents report data to the MIB, and the manager can then view information by requesting data from the MIB.
- A trap is an event configured on an agent. When the event occurs, the agent logs details regarding the event.

SNMP version 2 added some security features, but most security comes with SNMP version 3. SNMP version 3 adds the following:

- Authentication for agents and managers
- Encryption of SNMP information
- Message integrity to ensure that data is not altered in transit

Note: Running an antiquated protocol, such as NetBIOS or IPX/SPX, on a system opens the system to attack. Unless there is a critical reason, disable any unnecessary protocols on network devices.

IPv4 vs. IPv6 33

Be aware of the following IPv4 address details:

- An IPv4 address is a 32-bit binary number represented as four octets (four 8-bit numbers). Each octet is separated by a period. IPv4 addresses can be represented in one of two ways:
  o Decimal (for example 131.107.2.200). In decimal notation, each octet must be between 0 and 255.
  o Binary (for example 10000011.01101011.00000010.11001000). In binary notation, each octet is an 8-character number.
- To convert from binary to decimal and vice versa, memorize the decimal equivalent to the following binary numbers:

  Binary:   10000000  01000000  00100000  00010000  00001000  00000100  00000010  00000001
  Decimal:       128        64        32        16         8         4         2         1

- To convert from binary, take each bit position with a 1 value and add the decimal values for that bit together. For example, the decimal equivalent of 10010101 is: 128 + 16 + 4 + 1 = 149
- The subnet mask is a 32-bit number that is associated with each IPv4 address that identifies the network portion of the address.
  o In binary form, the subnet mask is always a series of 1's followed by a series of 0's (1's and 0's are never mixed in sequence in the mask). A simple mask might be 255.255.255.0.
  o In Classless Inter-Domain Routing (CIDR) form, the subnet mask appears as a slash (/) followed by the number of bits in the mask that are set to 1. A simple mask might be /24.
- IPv4 addresses have a default class. The address class identifies the range of IPv4 addresses and a default subnet mask used for the range. The following table shows the default address class for each IPv4 address range.

  Class  Address Range                  First Octet Range                    Default Subnet Mask  CIDR Notation
  A      1.0.0.0 to 126.255.255.255     1-126 (00000001-01111110 binary)     255.0.0.0            /8
  B      128.0.0.0 to 191.255.255.255   128-191 (10000000-10111111 binary)   255.255.0.0          /16
  C      192.0.0.0 to 223.255.255.255   192-223 (11000000-11011111 binary)   255.255.255.0        /24
  D      224.0.0.0 to 239.255.255.255   224-239 (11100000-11101111 binary)   n/a                  n/a
  E      240.0.0.0 to 255.255.255.255   240-255 (11110000-11111111 binary)   n/a                  n/a

Subnetting splits one network into two or more, using routers to connect each subnet. Subnetting can be done for several reasons. If you have a Class C address and 1,000 clients, you will have to subnet the network or use a custom subnet mask to accommodate all the hosts. The most common reason networks are subnetted is to control network traffic by limiting broadcast domains, which limits broadcast storms.
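The IPv4 facts above worked through in code, as an added example that is not part of these course notes: it converts between dotted decimal and binary, looks up the default class and mask from the table, turns a mask into CIDR notation (rejecting masks whose 1s and 0s are mixed), and counts usable hosts to show why a Class C block cannot hold 1,000 clients. Function names are my own.

```python
# Added example (not the course notes' own code): IPv4 address arithmetic using
# only the facts and values given in the notes above.

PLACE_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]   # decimal value of each bit position

# Default address classes from the table above: (class, first octet low/high, prefix)
CLASSES = [
    ("A", 1, 126, 8),
    ("B", 128, 191, 16),
    ("C", 192, 223, 24),
    ("D", 224, 239, None),   # multicast: no default mask
    ("E", 240, 255, None),   # experimental: no default mask
]


def address_to_int(address):
    """'131.107.2.200' -> 32-bit integer, validating the four-octet form."""
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError("IPv4 address needs four octets: %r" % address)
    value = 0
    for octet in parts:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError("each octet must be between 0 and 255: %r" % address)
        value = (value << 8) | n
    return value


def int_to_address(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def octets_to_binary(address):
    """'131.107.2.200' -> '10000011.01101011.00000010.11001000'"""
    value = address_to_int(address)
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def binary_octet_to_decimal(bits):
    """Add the place value of every 1 bit: '10010101' -> 128 + 16 + 4 + 1 = 149."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("an octet is eight binary characters: %r" % bits)
    return sum(v for bit, v in zip(bits, PLACE_VALUES) if bit == "1")


def address_class(address):
    """Return (class letter, default prefix length or None) by first octet."""
    first = int(address.split(".")[0])
    for name, low, high, prefix in CLASSES:
        if low <= first <= high:
            return name, prefix
    raise ValueError("first octet %d has no default class" % first)


def prefix_to_mask(prefix):
    """/24 -> '255.255.255.0': `prefix` 1 bits followed by 0 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_address(((1 << prefix) - 1) << (32 - prefix))


def mask_to_prefix(mask):
    """'255.255.0.0' -> 16, rejecting masks whose 1s and 0s are mixed."""
    bits = format(address_to_int(mask), "032b")
    ones = bits.rstrip("0")
    if "0" in ones:
        raise ValueError("not a valid subnet mask (1s and 0s mixed): %s" % mask)
    return len(ones)


def network_address(address, prefix):
    """AND the address with its mask: ('199.70.33.7', 16) -> '199.70.0.0/16'."""
    mask_int = ((1 << prefix) - 1) << (32 - prefix)
    return "%s/%d" % (int_to_address(address_to_int(address) & mask_int), prefix)


def usable_hosts(prefix):
    """Addresses in the block minus network and broadcast: /24 -> 254, /22 -> 1022."""
    return max(2 ** (32 - prefix) - 2, 0)


if __name__ == "__main__":
    print(octets_to_binary("131.107.2.200"))
    print(address_class("131.107.2.200"), prefix_to_mask(16))
    print(network_address("199.70.0.0", mask_to_prefix("255.255.0.0")))
    # a Class C (/24) holds 254 hosts; 1,000 clients need at least a /22
    print(usable_hosts(24), usable_hosts(22))
```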

The current IP addressing standard, version 4, will eventually run out of unique addresses, so a new system is being developed. It is named IP version 6 or IPv6. The IPv6 address is a 128-bit binary number. A sample IPv6 IP address looks like: 35BC:FA77:4898:DAFC:200C:FBBC:A007:8973. The following list describes the features of an IPv6 address:

- The address is made up of 32 hexadecimal numbers organized into 8 quartets.
- The quartets are separated by colons.
- Each quartet is represented as a hexadecimal number between 0 and FFFF. Each quartet represents 16 bits of data (FFFF = 1111 1111 1111 1111).
- Leading zeros can be omitted in each section. For example, the quartet 0284 could also be represented by 284.
- Addresses with consecutive zeros can be expressed more concisely by substituting a double-colon for the group of zeros. For example:
  o FEC0:0:0:0:78CD:1283:F398:23AB
  o FEC0::78CD:1283:F398:23AB (concise form)
- If an address has more than one consecutive location where one or more quartets are all zeros, only one location can be abbreviated. For example, FEC2:0:0:0:78CA:0:0:23AB could be abbreviated as:
  o FEC2::78CA:0:0:23AB or
  o FEC2:0:0:0:78CA::23AB
  But not FEC2::78CA::23AB







The 128-bit address contains two parts (Component: Description):

Prefix

The first 64 bits is known as the prefix.

  o The 64-bit prefix can be divided into various parts, with each part having a specific meaning. Parts in the prefix can identify the geographic region, the ISP, the network, and the subnet.
  o The prefix length identifies the number of bits in the relevant portion of the prefix. To indicate the prefix length, add a slash (/) followed by the prefix length number. Full quartets with trailing 0's in the prefix address can be omitted (for example 2001:0DB8:4898:DAFC::/64).
  o Because addresses are allocated based on physical location, the prefix generally identifies the location of the host. The 64-bit prefix is often referred to as the global routing prefix.

Interface ID

The last 64 bits is the interface ID. This is the unique address assigned to an interface.

  o Addresses are assigned to interfaces (network connections), not to the host. Technically, the interface ID is not a host address.
  o In most cases, individual interface IDs are not assigned by ISPs, but are rather generated automatically or managed by site administrators.
  o Interface IDs must be unique within a subnet, but can be the same if the interface is on different subnets.
  o On Ethernet networks, the interface ID can be automatically derived from the MAC address. Using the automatic host ID simplifies administration.

To ensure the 64-bit interface ID is unique for every host on the network, IPv6 uses the Extended Unique Identifier 64 (EUI-64) format. The following explains two details of the EUI-64 format:

  o Each host has a unique 48-bit hardware address called a MAC address (also called the burned-in address) that is assigned to each device by the vendor. The MAC address is guaranteed to be unique through design. The EUI-64 format uses the unique MAC address by:
    1. Splitting the MAC address into 24-bit halves
    2. Inserting 16 bits (represented by hex FFFE) between the two halves.
    For example, a host with a MAC address of 20-0C-FB-BC-A0-07 will start with the following EUI-64 interface ID: 200C:FBFF:FEBC:A007.
  o To be complete, EUI-64 format also requires setting the seventh bit in the first byte to binary 1 (reading from left to right, this is the second hex value in the interface ID). This bit is called the universal/local (U/L) bit.
    - When the U/L bit is set to 0, the MAC address is a burned-in MAC address.
    - When the U/L bit is set to 1, the MAC address has been configured locally. EUI-64 requires the U/L bit to be set to 1.

    Review the following examples:
    - 200C:FBFF:FEBC:A007 (Incorrect interface ID, as the U/L bit is still set to 0)
    - 220C:FBFF:FEBC:A007 (Correct interface ID)
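The EUI-64 derivation just described and the IPv6 abbreviation rules listed earlier, carried through in code as an added example (not the notes' own): it builds the modified EUI-64 interface ID from the MAC address 20-0C-FB-BC-A0-07, joins it to the prefix 2001:0DB8:4898:DAFC::/64, and expands or compresses addresses while rejecting a second "::". Function names are my own.

```python
# Added example (not the course notes' own code): modified EUI-64 interface IDs
# and IPv6 address abbreviation, following the rules in the notes above.

def eui64_interface_id(mac):
    """'20-0C-FB-BC-A0-07' -> '220C:FBFF:FEBC:A007' (modified EUI-64)."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits (6 bytes): %r" % mac)
    # 1. split the MAC into two 24-bit halves; 2. insert FFFE between them
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # set the U/L bit (seventh bit of the first byte, counting from the left,
    # i.e. the 0x02 bit): 20 -> 22 in the example above
    eui = bytes([eui[0] | 0x02]) + eui[1:]
    return ":".join(eui[i:i + 2].hex().upper() for i in range(0, 8, 2))


def expand(address):
    """Return the eight full 4-digit quartets of an IPv6 address.

    Only one '::' is allowed, so 'FEC2::78CA::23AB' is rejected as the notes say."""
    if address.count("::") > 1:
        raise ValueError("only one run of zero quartets may be abbreviated: %s" % address)
    if "::" in address:
        head, tail = address.split("::")
        head_q = head.split(":") if head else []
        tail_q = tail.split(":") if tail else []
        missing = 8 - len(head_q) - len(tail_q)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero quartet: %s" % address)
        quartets = head_q + ["0"] * missing + tail_q
    else:
        quartets = address.split(":")
    if len(quartets) != 8:
        raise ValueError("an IPv6 address has 8 quartets: %s" % address)
    full = []
    for q in quartets:
        if not 1 <= len(q) <= 4 or int(q, 16) > 0xFFFF:
            raise ValueError("quartet must be a hex number 0..FFFF: %r" % q)
        full.append(q.upper().zfill(4))
    return full


def compress(address):
    """Drop leading zeros and replace the longest run of zero quartets with '::'.

    The longest run wins (FEC2:0:0:0:78CA:0:0:23AB -> FEC2::78CA:0:0:23AB); on a
    tie the first run is used. A single zero quartet stays '0', since RFC 5952
    does not allow '::' for one quartet."""
    quartets = [q.lstrip("0") or "0" for q in expand(address)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if quartets[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and quartets[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(quartets)
    head = ":".join(quartets[:best_start])
    tail = ":".join(quartets[best_start + best_len:])
    return head + "::" + tail


def full_address(prefix, mac):
    """Join a /64 global routing prefix to the EUI-64 interface ID of `mac`."""
    net, plen = prefix.split("/")
    if plen != "64":
        raise ValueError("EUI-64 interface IDs fill the low 64 bits; need a /64 prefix")
    routing_prefix = ":".join(expand(net)[:4])   # first four quartets = 64 bits
    return compress(routing_prefix + ":" + eui64_interface_id(mac))


if __name__ == "__main__":
    print(eui64_interface_id("20-0C-FB-BC-A0-07"))          # 220C:FBFF:FEBC:A007
    print(compress("FEC2:0:0:0:78CA:0:0:23AB"))             # FEC2::78CA:0:0:23AB
    print(full_address("2001:0DB8:4898:DAFC::/64", "20-0C-FB-BC-A0-07"))
```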



- The IPv6 local loopback address for the local host is 0:0:0:0:0:0:0:1 (also identified as ::1 or ::1/128). The local loopback address is not assigned to an interface. It can be used to verify that the TCP/IP protocol stack has been properly installed on the host.
- IPv6 nodes have the option to include addresses that determine part or all of the route a packet will take through the network.
- IPv6 has built-in support for security protocols such as IPSec. (IPSec security features are available as add-ons within an IPv4 environment.)

The implementation of IPSec is mandatory with IPv6. While it is widely implemented with IPv4, it is not a requirement.

Be aware of the following additional facts about custom subnet masks:

- While subnetting divides a large address space into multiple subnets, supernetting combines multiple smaller network addresses into a single larger network. For example, this allows multiple Class C addresses to be combined into a single network.
- Classful addresses are IP addresses that use the default subnet mask. They are classful because the default subnet mask is used to identify the network and host portions of the address. Classless addresses are those that use a custom mask value to separate network and host portions of the IP address.
- Using classless addresses is made possible by a feature called Classless Inter-Domain Routing (CIDR). CIDR allows for non-default subnet masks (variable length subnet mask or VLSM). Routers use the following information to identify networks:
  o The beginning network address in the range
  o The number of bits used in the subnet mask
  For example, the subnet 199.70.0.0 with a mask of 255.255.0.0 is represented as 199.70.0.0/16 (with 16 being the number of 1 bits in the subnet mask).




















Understanding Encapsulation 34

Another word for tunneling is encapsulation. It is the process of enclosing a communication inside another transport medium for transmission across an unsecure or different link. In a tunneling operation, the entire packet is encapsulated. Encapsulation allows a transport protocol to be sent across the network and utilized by the equivalent service or protocol at the receiving host.

- The figure below shows how e-mail is encapsulated as it moves from the application protocols through the transport and Internet protocols.
- Each layer adds header information as the e-mail moves down the layers.
- After it is encapsulated, the message is sent to the server.
- Transmission of the packet between the two hosts occurs through the physical connection in the network adapter.

Figure: The encapsulation process of an e-mail message

Notice that in the figure below the message is sent via the Internet; it could have just as easily been sent locally.

- The e-mail client doesn’t know how the message is delivered, and the server application doesn’t care how the message got there.
- This makes designing and implementing services such as e-mail possible in a global or Internet environment.

Figure: An e-mail message that an e-mail client sent to an e-mail server across the Internet





Working with Protocols and Services 35

Common Ports

Ports are logical connections, provided by the TCP or UDP protocols at the Transport layer, for use by protocols in the upper layers of the OSI model. The TCP/IP protocol stack uses port numbers stored in the header of a packet to determine what protocol incoming traffic should be directed to. Some characteristics of ports are listed below:

- Ports allow a single host with a single IP address to run multiple network services. Each port number identifies a distinct service.
- Each host can have over 65,000 ports per IP address.
- Port use is regulated by the Internet Corporation for Assigning Names and Numbers (ICANN). ICANN specifies three categories for ports.
  o Well-known ports range from 0 to 1023 and are assigned to common protocols and services.
  o Registered ports range from 1024 to 49151 and are assigned by ICANN to a specific service.
  o Dynamic (also called private or high) ports range from 49,152 to 65,535 and can be used by any service on an ad hoc basis. Ports are assigned when a session is established, and released when the session ends.

The following table lists the well-known ports that correspond to common Internet services.

Port(s)                                                      Service
20 TCP, 21 TCP                                               File Transfer Protocol (FTP)
22 TCP and UDP                                               Secure Shell (SSH), SSH File Transfer Protocol (SFTP), Secure Copy (SCP)
23 TCP                                                       Telnet
25 TCP                                                       Simple Mail Transfer Protocol (SMTP)
49 TCP and UDP                                               Terminal Access Controller Access-Control System (TACACS)
*IP protocol number 50                                       Encapsulating Security Payload (ESP) (used with IPSec)
*IP protocol number 51                                       Authenticating Header (AH) (used with IPSec)
53 TCP and UDP                                               Domain Name Server (DNS)
67 UDP, 68 UDP                                               Dynamic Host Configuration Protocol (DHCP)
69 UDP                                                       Trivial File Transfer Protocol (TFTP)
80 TCP                                                       HyperText Transfer Protocol (HTTP)
88 TCP                                                       Kerberos
110 TCP                                                      Post Office Protocol (POP3)
119 TCP                                                      Network News Transport Protocol (NNTP)
123 UDP                                                      Network Time Protocol (NTP)
135 TCP; 137 and 138 TCP and UDP; 139 TCP                    Network Basic Input/Output System (NetBIOS)
143 TCP and UDP                                              Internet Message Access Protocol (IMAP4)
161 TCP and UDP, 162 TCP and UDP                             Simple Network Management Protocol (SNMP)
389 TCP and UDP                                              Lightweight Directory Access Protocol (LDAP)
443 TCP and UDP                                              HTTP with Secure Sockets Layer (SSL/TLS) (HTTPS)
445 TCP                                                      Windows 2000 CIFS/SMB (file access)
500 UDP                                                      Internet Key Exchange (IKE) (used with IPSec)
636 TCP and UDP                                              Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
989 TCP and UDP (data port), 990 TCP and UDP (control port)  FTP Secure (FTPS or FTP over SSL/TLS)
1701 UDP                                                     Layer 2 Tunneling Protocol (L2TP)
1723 TCP and UDP                                             Point-to-Point Tunneling Protocol (PPTP)
1812 TCP and UDP, 1813 TCP and UDP                           Remote Authentication Dial In User Service (RADIUS)
3389 TCP                                                     Remote Desktop Protocol (RDP)

* Is not a port number, but an IP protocol number used with IPSec.

Note: Ports listed in the table above that are higher than the well known range (0-1023) are newer protocols that were released after the initial Internet protocols were established.

Be aware of the following regarding ports:

- Attackers use port scanning software to identify open ports, then focus their attacks on services that use those ports.
- Configure a firewall to open (allow) or block ports through the firewall or on a device.
- As a best practice, only open the necessary ports. For example, if the server is only being used for e-mail, then shut down ports that correspond to FTP, DNS, and HTTP (among others).
- For auditing purposes, you can use a port scanner to check systems and firewalls for open ports.
  o Use netstat -a to view a list of opened ports on a system.
  o Use a port scanning tool such as Nmap to scan for open ports on local and remote systems.
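A defender's audit check in the spirit of "only open the necessary ports" above, added here and not part of the notes: it reads listening sockets from constructed netstat -an output (Linux column layout assumed), compares them with an allow list for the host's role, and names each unexpected port using the well-known-port table above. The role allow lists and the sample output are assumptions for the example.

```python
# Added example (not the course notes' own code): audit listening ports against
# an allow list for the host's role, in the spirit of "only open the necessary
# ports" above. Parses Linux-style `netstat -an` output (an assumption; other
# systems print different columns).

# Service names from the well-known ports table above.
WELL_KNOWN = {
    20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 49: "TACACS",
    53: "DNS", 67: "DHCP", 68: "DHCP", 69: "TFTP", 80: "HTTP", 88: "Kerberos",
    110: "POP3", 119: "NNTP", 123: "NTP", 135: "NetBIOS", 137: "NetBIOS",
    138: "NetBIOS", 139: "NetBIOS", 143: "IMAP4", 161: "SNMP", 162: "SNMP",
    389: "LDAP", 443: "HTTPS", 445: "CIFS/SMB", 500: "IKE", 636: "LDAPS",
    989: "FTPS", 990: "FTPS", 1701: "L2TP", 1723: "PPTP", 1812: "RADIUS",
    1813: "RADIUS", 3389: "RDP",
}

# Role allow lists are an assumption for this example: a mail-only server needs
# SMTP plus the mail retrieval protocols, nothing else.
ROLE_ALLOW = {
    "mail": {25, 110, 143},
    "web": {80, 443},
}

# Constructed sample of `netstat -an` output on a Linux host (not captured from
# a real system). The ESTABLISHED line is a client connection, not a service.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 10.0.0.5:25             203.0.113.9:51522       ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""


def listening_ports(netstat_output):
    """Return {(proto, port, local_ip)} for sockets that accept traffic.

    TCP sockets count only in the LISTEN state; UDP has no state column, so a
    bound UDP socket with a wildcard foreign address (":*") counts as open."""
    found = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue                       # headers and blank lines
        proto = "udp" if fields[0].startswith("udp") else "tcp"
        local, foreign = fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue                       # established/closing, not a service
        if proto == "udp" and not foreign.endswith(":*"):
            continue
        ip, port = local.rsplit(":", 1)     # works for '0.0.0.0:25' and ':::80'
        found.add((proto, int(port), ip))
    return found


def audit(netstat_output, role):
    """List (proto, port, ip, service) entries the role's allow list does not cover."""
    allowed = ROLE_ALLOW[role]
    unexpected = []
    for proto, port, ip in sorted(listening_ports(netstat_output)):
        if port not in allowed:
            unexpected.append((proto, port, ip, WELL_KNOWN.get(port, "unknown service")))
    return unexpected


if __name__ == "__main__":
    # On a real host, feed in the text of `netstat -an` instead of the sample.
    for proto, port, ip, service in audit(SAMPLE_NETSTAT, "mail"):
        print("unexpected listener: %s %s:%d (%s)" % (proto, ip, port, service))
```

A listener bound to 127.0.0.1 is reachable only locally, which the report shows by carrying the bound address alongside the port.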






TCP Three-Way Handshake

TCP, which is a connection-oriented protocol, establishes a session using a three-way handshake. A host called a client originates this connection.

The client sends a TCP segment, or message, to the server. This client segment includes an Initial Sequence Number (ISN) for the connection and a window size. The server responds with a TCP segment that contains its ISN and a value indicating its buffer, or window size. The client then sends back an acknowledgment of the server’s sequence number. After this occurs, the two systems communicate with each other.

A server can handle many requests simultaneously. Each session has a different sequence number even though all sessions use the same port. All the communications in any given session use this sequence number to keep the sessions from becoming confused.

Application Programming Interface

Application Programming Interfaces (APIs) allow programmers to create interfaces to the protocol. When a programmer writes an application, they can call or use one of these APIs to:

- Make the connection
- Send or receive data
- End the connection

Microsoft uses an API called a Windows socket (WinSock) to interface to the protocol. It can access either TCP or UDP. A Windows socket is the combination of the IP address and the port number separated by a colon. For example, 190.10.5.1:80 would be a WinSock connection to HTTP. The socket identifies which application will respond to the network request.





Distinguishing between Security Topologies 41

Setting Design Goals 41

It is the responsibility of the sender to ensure that proper security controls are in place. Sending data across an insecure network, such as the Internet, affects confidentiality and integrity.

- Confidentiality and integrity should be implemented to ensure the accuracy of the data and its accessibility to authorized personnel.
- The three core security objectives for the protection of the information assets of an organization are:
  o Confidentiality
  o Integrity
  o Availability
- These three objectives are also referred to as the CIA triad. Most computer attacks result in the violation of the CIA triad.

Confidentiality

Meeting the goal of confidentiality is to prevent or minimize unauthorized access to, and disclosure of, data and information. Confidentiality is the minimum level of secrecy that is maintained to protect sensitive information from unauthorized disclosure. In many instances, laws and regulations require specific information confidentiality.

- Confidentiality can be implemented through:
  o encryption
  o access control
  o data classification
  o security awareness
- Maintaining the confidentiality of information protects an organization from attacks, such as shoulder surfing and social engineering, which can lead to disclosure of confidential information and disrupt business operations.
- Lack of sufficient security controls to maintain confidentiality leads to the disclosure of information.





Integrity


Ensuring the
integrity

of information implies that the information is protected from unauthorized
modification and that the contents have not been altered.



To meet the goal of integrity, you must verify that information being used is accurate and hasn’t been
tampered with.



Integrity ensures the following conditions:



The data is accurate and reliable.



The data and the system are protected from unauthorized
alteration.



Attacks and user mistakes do not affect the integrity of the data and the system.


Ensuring the integrity of information implies that the information is protected from unauthorized
modification and that the contents have not been altered.

Integ
rity is coupled with accountability to ensure
that data is accurate and that a final authority exists to verify this, if needed.


Availability

To meet the goal of availability, you must protect data and prevent its loss. Data that can’t be accessed is of little value. If a mishap or attack brings down a key server or database, that information won’t be available to the people who need it. This can cause havoc in an organization. Availability is about maintaining continuous operations without service disruptions.

Your job is to provide maximum availability to your users while ensuring integrity and confidentiality. The hardest part of this process is determining the balance you must maintain between these three aspects to provide acceptable security for the organization’s information and resources.


Accountability

The final and often overlooked goal of design concerns accountability.

Accountability involves identifying who owns or is responsible for the accuracy of certain information in an organization.

Many of the resources used by an organization are shared between departments and individuals. The department or individual that is accountable for certain information would also be responsible for verifying accuracy in the event of a data-tampering incident.

You should also be able to track and monitor data changes to detect and repair the data in the event of loss or damage. Most systems will track and store logs on system activities and data manipulation, and they will also provide reports on problems.
















Creating Security Zones 43

Security zones are portions of the network or system that have specific security concerns or requirements. All devices within the same zone have the same security access and security protection needs. These zones are often separated by a traffic control device, such as a firewall or a router, that filters incoming and outbound traffic. For example, you can define a zone that includes all hosts on your private network protected from the Internet. Or you can define a zone within your network for controlled access to specific servers that hold sensitive information.

The following table lists common zones.

Zone: Intranet

Description: An intranet is a private network (LAN) that employs Internet information services for internal use only. For example, your company network might include Web servers and e-mail servers that are used by company employees.

An intranet belongs to and is controlled by the company. Intranets use the same technologies used by the Internet.

You can think of an intranet as an Internet that doesn’t leave your company:

 It’s internal to the company.

 Access is limited to systems within the intranet.

 Access to the intranet is granted to trusted users inside the corporate network or to trusted users in remote locations.

Zone: Internet

Description: The Internet is a public global network that includes all publicly available Web servers, FTP servers, and other services. The Internet is public because access is largely open to everyone. The Internet connects computers and individual networks.

In this environment, you should have a low level of trust in the people who use the Internet. You must always assume that the people visiting your website may have bad intentions.

Because the Internet involves such a high level of anonymity, you must always safeguard your data with the utmost precautions.



Zone: Extranet

Description: An extranet is a privately-controlled network, distinct from, but located between, the Internet and a private LAN. An extranet is often used to grant resource access to business partners, suppliers and even customers outside of the organization.

Extranet connections involve connections between trustworthy organizations. Security for the extranet security zone can include a number of strategies:

 Using VPN connections

 Regularly auditing all services

 Removing all unnecessary services

 Limiting the number of services provided
Zone: Demilitarized Zone (DMZ)

Description: A demilitarized zone (DMZ) is a buffer network (or subnet) that sits between the private network and an untrusted network (such as the Internet).

A DMZ is a separate subnet attached to its own router or firewall interface. Public traffic may be allowed to pass from the external public interface to the DMZ, but it won’t be allowed to pass to the interface that connects to the internal private network.

 Publicly-accessible resources (servers) are placed on the buffer subnet. Examples of publicly-accessible resources include Web, FTP, or e-mail servers.

 A screening router is the router that is most external to your network and closest to the Internet. It uses access control lists (ACLs) to do packet filtering as a form of security. A firewall performing router functions would be considered a screening router. An embedded firewall is a firewall that is integrated into a router.

 Packet filters on the firewall allow traffic directed to the public resources inside the DMZ. Packet filters also prevent unauthorized traffic from reaching the private network. Packet filters examine each incoming (and usually outgoing) packet, then pass or discard it based on a defined list of applications or TCP or UDP port numbers. A packet filtering firewall only examines the packet header information.

 Encrypted traffic limits the effectiveness of a firewall: the firewall can still filter on the headers of encrypted packets, but it cannot inspect their contents.

 The DMZ is created using one of the following configurations:

  o A dual-homed gateway is a firewall device with two network interfaces: one connected to the Internet and one connected to the private network. A three-legged (multi-homed) firewall adds a third interface for the public (DMZ) subnet, so that one device separates the Internet, the DMZ, and the private network.

  o A screened subnet uses two firewalls: the external firewall is connected to the Internet and allows access to the public resources; the internal firewall connects the screened subnet to the private network. With a screened subnet, if the outer firewall is compromised, the inner firewall still protects the private network.

 When designing the firewall packet filters, a common practice is to close all ports, opening only those ports necessary for accessing the public resources inside the DMZ.

 To allow access to private resources from the Internet, use one of the following approaches:

  o Place a VPN server inside the DMZ. Require Internet users to authenticate to the VPN server, then allow communications from the VPN server to the private network. Only communications coming through the VPN server are allowed through the inner firewall.

  o Copy resources that are accessible to Internet users to servers inside the DMZ. Even with authentication and authorization configured, this approach exposes those resources in the DMZ to Internet attacks.
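The screened-subnet rules described above, written out as a small zone-based packet filter so the default-deny posture and the VPN-server exception can be checked against sample flows. This is an added example, not part of the course notes or of any vendor's firewall; the zone ranges (RFC 5737 test addresses standing in for the DMZ and the Internet, 10.0.0.0/8 for the private LAN), the VPN server address and the set of open ports are assumptions chosen for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Assumed addressing (not from the course notes): RFC 5737 test ranges stand in
# for the DMZ and the Internet, 10.0.0.0/8 is the private LAN.
DMZ = ipaddress.ip_network("203.0.113.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
VPN_SERVER = "203.0.113.10"   # assumed VPN concentrator, the only DMZ host allowed inside


def zone_of(addr: str) -> str:
    """Classify an address into the security zone it belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip in DMZ:
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "internet"          # everything that is not ours is untrusted


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]            # None matches any port
    action: str                     # "allow" or "deny"
    src_host: Optional[str] = None  # pin the rule to one source address


# "Close all ports, open only those necessary": every rule here is an allow,
# and anything that matches nothing falls through to the implicit deny.
RULES = [
    Rule("internet", "dmz", "tcp", 80, "allow"),      # Web
    Rule("internet", "dmz", "tcp", 443, "allow"),     # Web (TLS)
    Rule("internet", "dmz", "tcp", 25, "allow"),      # e-mail
    Rule("internet", "dmz", "udp", 53, "allow"),      # DNS
    Rule("internet", "dmz", "udp", 1194, "allow"),    # VPN server in the DMZ
    # Only traffic that came through the VPN server crosses the inner firewall.
    Rule("dmz", "internal", "tcp", None, "allow", src_host=VPN_SERVER),
    Rule("dmz", "internal", "udp", None, "allow", src_host=VPN_SERVER),
    # Inside users may use the public services too.
    Rule("internal", "dmz", "tcp", None, "allow"),
]


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; no match means deny (default-deny posture)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto) != (src_zone, dst_zone, proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if rule.src_host is not None and rule.src_host != src:
            continue
        return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows: an Internet client, a DMZ web server, an inside host.
    for flow in [("198.51.100.7", "203.0.113.20", "tcp", 443),   # Internet -> DMZ web: allow
                 ("198.51.100.7", "203.0.113.20", "tcp", 22),    # Internet -> DMZ ssh: deny
                 ("198.51.100.7", "10.1.2.3", "tcp", 443),       # Internet -> inside: deny
                 ("203.0.113.20", "10.1.2.3", "tcp", 445),       # compromised bastion -> inside: deny
                 (VPN_SERVER, "10.1.2.3", "tcp", 445)]:          # VPN server -> inside: allow
        print(flow, "->", decide(*flow))
```

The fourth sample flow is the one that matters for the screened-subnet argument: a bastion host that has been taken over still cannot reach the private network, because the only DMZ-to-internal rule is pinned to the VPN server's address.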


Figure: A typical DMZ

The publicly-accessible servers inside the DMZ (such as Web, DNS, and e-mail servers) are classified as bastion hosts. In a broad sense, a bastion host is any host that is exposed to attack and that has been hardened (or fortified) against those attacks. The bastion host is sometimes referred to as a sacrificial host because it is assumed that it will be subject to attack. The term has been applied to the following types of devices:

 A host that is exposed on the network and is not protected by a firewall device.

 The device that provides the firewall service to the screened network behind it. Attacks must pass through the bastion host before they are allowed inside the screened subnet.

Because bastion hosts are particularly vulnerable to attack, use best-practice hardening procedures to secure them. The following actions should be taken to isolate and harden a bastion host:

 Separate the roles of bastion hosts by placing a single application on each server.

 Fully patch the bastion host’s operating system and applications.

 Run current versions of anti-virus and anti-spyware software.

 Include a host-based firewall.

 Uninstall any unnecessary applications or utilities.

 Disable and lock down all unnecessary services and ports.

 Tighten security on the registry and the user database.

 Add IP filters.

Settings: Zones

Description: Microsoft uses security zones to define security levels for specific websites. Each zone can have custom settings. Internet Explorer zones are:

 The Local intranet zone includes everything on the local area network. By default, this includes every site with a UNC path and every site that bypasses the proxy server. You can customize the parameters that are used to automatically add sites to the zone. In addition, you can add sites to this zone or require server verification (https) for all sites in the zone. By default, the zone applies medium-low security.

 The Trusted sites zone has the lowest security settings of any zone. You must manually add Web sites to the trusted zone. You can require https for trusted zones.

 The Restricted sites zone has the highest security settings. You must explicitly add sites to the zone.

 The Internet zone includes all sites that are not in other zones. You cannot add or remove sites from this zone.

Zones come with preconfigured membership and security settings. You can modify the security settings for a zone. For each zone you can configure security settings such as:

 Restrictions on running .NET components with or without Authenticode signatures.

 Restrictions on running ActiveX controls (such as running automatically, with a prompt, or requiring signed controls).

 Restrictions on allowed file downloads.

 Restrictions on submitting form data. For example, you can disable the Submit nonencrypted form data setting to force all form data to be encrypted.




Working with Newer Technologies 48

Virtualization Technology

Virtualization is the ability to install and run multiple operating systems concurrently on a single physical machine. Virtual environments are available to run on just about everything from servers and routers to USB thumb drives.

Hardware vendors are rapidly embracing virtualization and developing new features to simplify virtualization techniques.

Virtual environments are used as cost-cutting measures too. One well-equipped server can host several virtual servers. This reduces the need for power and equipment.

Forensic analysts often use virtual environments to examine disk images or systems that may contain malware, or as a method of viewing the environment the same way the criminal did.

Virtualization typically includes the following components:

Component: Physical machine

Description: A physical machine (also known as the host) has the actual hardware in place on the machine, such as the hard disk drive(s), optical drive, RAM, motherboard, etc. The operating system installed on it is the host operating system.

Component: Virtual machine

Description: A virtual machine (also known as the guest) is a software implementation of a computer that executes programs like a physical machine. The operating system installed in it is the guest operating system. The virtual machine(s) appear to be self-contained and autonomous system(s).

Component: Virtual Hard Disk (VHD)

Description: A virtual hard disk (VHD) is a file that is created within the host operating system and that simulates a hard disk for the virtual machine.

Component: Hypervisor

Description: A hypervisor or virtual machine monitor (VMM) is a thin layer of software that resides between the guest operating system(s) and the hardware. A hypervisor allows virtual machines to interact with the hardware without going through the host operating system.

 A Type 1 (native or bare-metal) hypervisor is software that runs directly on the hardware platform. The guest operating systems run at the second level above the hardware. This technique allows full guest systems to be run in a relatively efficient manner. The guest OS is not aware it is being virtualized and requires no modification.

 A Type 2 (hosted) hypervisor is software that runs within an operating system environment, and the guest operating system runs at the third level above the hardware. The hypervisor runs as an application or shell on another already running operating system.

Advantages of virtualization are:

Advantage: Networked

Description: Virtual machines can be given network access, and other network devices will consider them to be real physical machines.

 Virtual machines should have the latest service packs and patches just like a physical machine.

 Harden virtual machines just like any physical machine.

Advantage: Server consolidation

Description: Server consolidation allows you to move multiple physical servers onto just a few physical servers with many virtual machines. Physical-to-virtual migration (P2V) is moving an older operating system off aging hardware and into a virtual machine.

Consolidating servers:

 Requires fewer physical computers.

 Reduces power consumption.

 Increases physical server utilization of resources.

 Increases administrative efficiency.

 Aids with incompatibility issues.

Advantage: Isolation

Description: A virtual machine can be isolated from the physical network to allow for testing. Virtual machines offer an environment where malware can be executed with minimal risk to equipment and software.

 Virtual machines that are isolated in this fashion are isolated from many kinds of security threats.

 Use virtual systems to create honeypots and honeynets to attract attackers and analyze how they are attacking the system to better protect other systems.

 Secured environments should restrict the use of cookies on all Web browsers and other Internet service utilities.

Advantage: Application virtualization

Description: Applications can be virtualized.

 A virtual application appears to be local, but is really running on a different system.

 Virtualized browsers can protect the underlying physical operating system from malware installation. Any malware installed from the virtual browser affects only the browser, not the rest of the system.

Note: Malware can also use virtualization techniques that make it difficult to detect.
Disadvantages of virtualization include:

 An attack on the host machine could compromise all guest machines operating on that host.

  o The hypervisor runs with very high privileges on the host because it needs access to the host’s hardware so that it can map the physical hardware into virtualized hardware. A flaw in that layer therefore affects every guest on the host.

 A bottleneck or failure of any hardware component that is shared between multiple guests, such as a failure in a disk subsystem, could affect multiple virtual machines.

 While administration is centralized, virtualization is a newer technology and requires new skills, and managing virtual servers could add complexity.

Security considerations for a virtual machine should be the same as for physical machines. For both the host and all guest machines, be sure to:

 Reduce the number of services running.

 Apply patches and updates regularly. Virtual machines are susceptible to the same issues as a host operating system.

 Install antivirus and other security software.

 Implement backups or other solutions for data protection.

Virtual environments can be used to improve security by allowing unstable applications to be used in an isolated environment and providing better disaster recovery solutions.

Segmenting virtual machines by the information they handle will keep highly sensitive data from being on the same physical hardware as virtual machines used for testing or lower security applications. The organization should have a policy in place that states that high-security virtual machines containing vital information never share the same hardware as virtual machines for testing.

The security concerns of virtual environments begin with the guest operating system. A compromised guest is the attacker’s foothold: because the hypervisor that serves it runs with very high privileges and the hardware is shared, a flaw in the hypervisor can let the intruder escape the guest and compromise the host, and from the host every other guest operating system running on it.

Virtualized environments, if compromised, can provide access to not only the network, but also any virtualization infrastructure. This puts a lot of data at risk.

Another way to secure a virtualized environment is to use standard locked-down images.

Other areas that present issues for a virtualized environment and need special consideration are deploying financial applications on virtualized shared hosting and secure storage on storage-area network (SAN) technologies.

Security policy should address virtual environment vulnerabilities. Any technology or software without a defined business need should not be allowed on virtual systems.

Virtual Local Area Networks (VLANs)

Virtual local area networks (VLANs) break a large network into smaller networks. These networks can coexist on the same wiring and be unaware of each other. A router or other routing-type device is needed to connect these VLANs.

A VLAN allows you to create groups of users and systems and segment them on the network. This segmentation lets you hide segments of the network from other segments and thereby control access.

VLANs enable you to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network.

VLANs enable administrators to segment one broadcast domain into two or more domains, grouping users that have similar data sensitivity levels together and thereby increasing security.

VLAN advantages include:

 Reducing the scope of broadcasts

 Improving performance and manageability

 Decreasing dependence on the physical topology

Figure: A typical segmented VLAN

Switches are used to create VLANs. A router or other routing-type device is needed to route traffic between VLANs.

When a switch is compromised, the attacker can next compromise the VLANs created by the switch; VLAN separation is only as strong as the switch configuration that enforces it.

Network Address Translation

Network Address Translation (NAT) is a method of hiding TCP/IP addresses from other networks. A NAT router translates multiple private addresses into a single registered IP address.

 The Internet is classified as a public network. All devices on the public network must have a registered IP address; this address is assigned by the ISP.

 The internal network is classified as a private network. All devices on the private network use private IP addresses internally, but share the public IP address when accessing the Internet.

 A NAT router associates a port number with each private IP address. Communications with the private hosts from the Internet are sent to the public IP address and the associated port number. Port assignments are made automatically by the NAT router.

 The private network can use addresses in the following ranges, which have been reserved for private use (i.e. they will not be used by hosts on the Internet):

  o 10.0.0.0 to 10.255.255.255

  o 172.16.0.0 to 172.31.255.255

  o 192.168.0.0 to 192.168.255.255

 A router running NAT modifies the source IP addresses contained within the IP packet. Private addresses in the packet are replaced with a public IP address.

 Technically speaking, NAT translates one address to another. Port address translation (PAT) associates a port number with the translated address.

  o With NAT, you would have to have a public address for each private host. NAT would replace each private address with a unique public address.

  o Port Address Translation (PAT), also called Network Address Port Translation (NAPT), associates a port number with each private host. This allows multiple private hosts to use the same public IP address. Private IP addresses are replaced with the public IP address and a unique port number that is associated with the host.

Most routers that are configured with NAT are really performing PAT. NAT is typically used synonymously with PAT.

There are three types of NAT implementation:

Type: Dynamic NAT

Description: Dynamic NAT automatically maps internal IP addresses with a dynamic port assignment. On the NAT device, the internal device is identified by the public IP address and the dynamic port number. Dynamic NAT allows internal (private) hosts to contact external (public) hosts but not vice versa. External hosts cannot initiate communications with internal hosts, because no mapping exists until the internal host sends the first packet.

Type: Static NAT (SNAT)

Description: Static NAT maps an internal IP address to a fixed public address, or (with static PAT) to a fixed port on the shared public address. Static NAT is typically used to take a server on the private network (such as a Web server) and make it available on the Internet. External hosts contact the internal server using the public IP address and the static port. Using a static mapping allows external hosts to contact internal hosts.

Type: Dynamic and Static NAT

Description: Dynamic and Static NAT, in which two IP addresses are given to the public NAT interface (one for dynamic NAT and one for static NAT), allows traffic to flow in both directions.



Because NAT changes packet headers, IPsec might not work correctly through NAT. IPsec detects changes to packet headers as part of the security process: AH authenticates the IP header itself, so any address rewrite breaks it, and ESP carries no port numbers for PAT to track. NAT traversal (NAT-T) works around the second problem by encapsulating ESP in UDP (port 4500).

 NAT shouldn't be considered a form of security, although it provides some protection for the private network because it translates or hides the private addresses. For a more secure solution, combine NAT with packet filters or firewalls.
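A small model of the translation table described in the NAT section above, as an added example that is not from the course notes or any router vendor: dynamic PAT for outbound connections, one static mapping that publishes an inside Web server, and the resulting fate of unsolicited inbound packets. The public address 198.51.100.1 (an RFC 5737 test address), the private hosts and the ephemeral port range are assumptions.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)


class NatRouter:
    """PAT/NAPT translator: many private hosts share one public address."""

    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip = public_ip
        self.next_port = first_port        # ephemeral range used for dynamic mappings
        # Dynamic table, kept in both directions so replies can be un-translated.
        self.outbound_map: Dict[Endpoint, int] = {}      # (private ip, port) -> public port
        self.inbound_map: Dict[int, Endpoint] = {}       # public port -> (private ip, port)

    def add_static(self, public_port: int, private: Endpoint) -> None:
        """Static NAT: publish an inside server on a fixed public port."""
        self.inbound_map[public_port] = private
        self.outbound_map[private] = public_port

    def translate_outbound(self, src: Endpoint) -> Endpoint:
        """Rewrite the source of a packet leaving the private network.

        A new (private ip, port) pair gets the next free public port, so two
        inside hosts using the same local port still get distinct public ports.
        """
        if src not in self.outbound_map:
            while self.next_port in self.inbound_map:   # skip ports taken by static entries
                self.next_port += 1
            self.outbound_map[src] = self.next_port
            self.inbound_map[self.next_port] = src
            self.next_port += 1
        return (self.public_ip, self.outbound_map[src])

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Rewrite the destination of a packet arriving from the Internet.

        Returns None when there is no mapping: an unsolicited packet to a port
        nobody inside has opened and nobody has published is simply dropped.
        """
        ip, port = dst
        if ip != self.public_ip:
            return None
        return self.inbound_map.get(port)


if __name__ == "__main__":
    nat = NatRouter("198.51.100.1")                # assumed ISP-assigned public address
    nat.add_static(80, ("10.0.0.80", 80))          # inside Web server published on :80
    print(nat.translate_outbound(("10.0.0.5", 51000)))     # ('198.51.100.1', 49152)
    print(nat.translate_outbound(("10.0.0.6", 51000)))     # ('198.51.100.1', 49153)
    print(nat.translate_inbound(("198.51.100.1", 49152)))  # ('10.0.0.5', 51000): reply delivered
    print(nat.translate_inbound(("198.51.100.1", 80)))     # ('10.0.0.80', 80): static mapping
    print(nat.translate_inbound(("198.51.100.1", 22)))     # None: unsolicited, dropped
```

The last call is why NAT is often mistaken for a security control: the packet to port 22 is dropped only because no table entry happens to exist, not because any policy was evaluated. A filtering rule is still needed to say which inbound traffic is permitted.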

Tunneling

Tunneling refers to creating a virtual dedicated connection between two systems or networks.

Tunneling sends private data across a public network (the Internet) by placing (encapsulating) that data into other packets.

 A connection is made between two networks across the Internet. To each end of the network, this appears to be a single connection.

 Tunnels present themselves as extensions of both networks.

You create the tunnel between the two ends by encapsulating the data in a mutually agreed upon protocol for transmission. Encapsulation by itself does not hide the data from a sniffer on the public network; the tunneling protocol must be combined with encryption (for example, L2TP carried inside IPsec) for the tunnel to be secure.

 Most tunnels are virtual private networks (VPNs).

 Several popular standards have emerged for tunneling, with the most popular being the Layer 2 Tunneling Protocol (L2TP).


Telephony

The combination of telephone technology with information technology is telephony.

Voice over IP (VoIP) can be easily sniffed and is susceptible to Denial of Service attacks because it rides on UDP. There is also the outage issue with VoIP: in cases where the data network goes down, you lose the telephony as well.

SecureLogix markets a voice firewall, and Cisco has published a paper titled “IP Telephony Security in Depth.”

From a security standpoint, the biggest problem with VoIP and data being on the same line is that they are then both vulnerable in the event of a PBX attack.





Working with Business Requirements 53

Understanding Infrastructure Security 53

Infrastructure security deals with the most basic aspect of how information flows and how work occurs in your network and systems. This includes servers, networks, network devices, workstations, and the processes in place to facilitate work.

Your network is composed of a variety of media and devices that both facilitate communications and provide security. Some of these devices (such as routers, modems, and PBX systems) provide external connectivity from your network to other systems and networks. Some of the devices (such as CD-Rs, disks, USB thumb drives, and tape) provide both internal archival storage and working storage for your systems.

Networks are tied together using the Internet and other network technologies, thereby making them vulnerable to any number of attacks. To provide reasonable security, you must know how these devices work and how they provide, or fail to provide, security.

Each time you add a device, change configurations, or switch technologies, you’re potentially altering the fundamental security capabilities of your network.

The job of a security professional is to eliminate the obvious threats, to anticipate how the next creative assault on your infrastructure might occur, and to be prepared to neutralize it before it happens.

A network is no more secure than its weakest node.


Working with Hardware Components 53

Network hardware components include physical devices such as routers, servers, firewalls, workstations, and switches. From a security perspective you must evaluate your network from the standpoint of each and every device within it.

It cannot be overstated: the complexity of most networks makes securing them extremely complicated. To provide reasonable security, you must evaluate every device to determine its unique strengths and vulnerabilities.

A typical network has Internet connections. Internet connections expose your network to the highest number of external threats. These threats can come from virtually any location worldwide.





Working with Software Components 55

Hardware exists to run software. The software is intended to make the hardware components easy to configure and easy to support; however, that software can also make the hardware easy to bypass.

Network infrastructure includes servers and workstations running operating systems, routers, firewalls, and dedicated devices that have their own communications and control programs. This situation leaves networks open to attacks and security problems because many of these systems work independently.

Many larger organizations have built a single area for network monitoring and administrative control of systems called a Network Operations Center (NOC). This centralization lets you see a larger overall picture of the network, and it lets you take actions on multiple systems or network resources if an attack is under way. Using a NOC makes it easier to see how an attack develops and to provide countermeasures.

NOCs are expensive and require a great deal of support: factors beyond the economy of scale of all but the largest businesses. After a NOC is developed and implemented it must be constantly evaluated and changed as needed.



Understanding the Different Network Infrastructure Devices 56

Firewalls 56

A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. Firewalls are the front line defense devices for networks that are connected to the Internet.

A firewall protects hosts on an internal private network from attackers on an external public network by:

 Packet filtering

 Port filtering

 IP address filtering

 Content filtering

A firewall is a device, or software running on a device, that inspects network traffic and allows or blocks traffic based on a set of rules.

 A software firewall is a program that runs within an OS, such as Linux, Unix, or Windows. With a software firewall, adding interfaces is as easy as adding and configuring another NIC. It is easier to make configuration errors in a software firewall.

 A hardware firewall is also referred to as an appliance firewall. Appliance firewalls are often designed as stand-alone black box solutions that can be plugged in to a network and operated with minimal configuration and maintenance. A hardware firewall is purchased with a fixed number of interfaces available. Most hardware firewalls are advertised as “turn-key” solutions, meaning software installation and configuration issues are minimal. Hardware firewalls outperform and generally provide increased security over software firewalls.

 A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the Internet to protect against attacks from Internet hosts.

 A host-based firewall inspects traffic received by a host. Use a host-based firewall to protect against attacks when there is no network-based firewall, such as when you connect to the Internet from a public location.

 Firewalls use filtering rules, sometimes called access control lists (ACLs), to identify allowed and blocked traffic. A rule identifies characteristics of the traffic, such as:

  o The interface the rule applies to

  o The direction of traffic (inbound or outbound)

  o Packet information such as the source or destination IP address or port number

  o The action to take when the traffic matches the filter criteria

 Firewalls can protect against external attacks.

 Firewalls don't offer protection against all attacks (e.g., spoofed e-mail messages).

 A firewall can impede network availability because it adds processing to network traffic, or might drop network traffic when overloaded.

The following table explains different firewall types:

Type: Packet filtering

Characteristics: A packet filtering firewall makes decisions about which network traffic to allow by examining information in the IP packet header such as source and destination addresses, ports, and service protocols. A packet filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. Packet-filtering solutions are generally considered less secure firewalls because they still allow packets inside the network regardless of communication patterns within the session.

A packet filtering firewall:

 Operates at OSI layer 3 (Network layer), reading the IP header; port-based rules also read the TCP/UDP header at layer 4.

 Uses access control lists (ACLs) or filter rules to control traffic.

 Offers high performance because it only examines addressing information in the packet header.

 Can be implemented using features that are included in most routers.

 Is not very intelligent, thus it is subject to DoS and buffer overflow attacks.

 Is a popular solution because it is easy to implement and maintain, has a minimal impact on system performance, and is fairly inexpensive.

A packet filtering firewall is considered a stateless firewall because it examines each packet and uses rules to accept or reject each packet without considering whether the packet is part of a valid and active session.

Type: Stateful

Characteristics: The stateful inspection firewall (sometimes grouped with the circuit-level proxy or gateway) makes decisions about which traffic to allow based on virtual circuits or sessions. A stateful inspection firewall combines the header checks of a packet filter with session tracking, and some implementations also apply algorithms to application layer data.

The firewall is considered stateful because it keeps track of the state of a session. A stateful inspection firewall:

 Operates at OSI Layer 5 (Session layer); in practice it tracks transport-layer (TCP/UDP) connection state.

 Keeps track of known connections and sessions in a session table (also referred to as a state table).

 Allows only valid packets within approved sessions.

 Verifies that packets are properly sequenced.

 Ensures that the TCP three-way handshake process occurs only when appropriate.

 Can filter traffic that uses dynamic ports because the firewall matches the session information, and not the port numbers, for filtering.

In general, stateful inspection firewalls are slower than packet filtering firewalls, although if only the session state is being used for filtering, a stateful inspection firewall can be faster after the initial session table has been created.

A stateful-inspection firewall is suited for main perimeter security. Stateful-inspection firewalls can thwart port scanning because they do not accept inbound packets for a port until a session to that specific port has been established from the inside.

Type: Application

Characteristics: An application level firewall (also referred to as an application level gateway or proxy) makes security decisions based on information contained within the data portion of a packet, rather than only the IP address and port of the packet.

An application firewall creates a virtual circuit between the firewall clients. Each protocol has its own dedicated portion of the firewall that is concerned only with how to properly filter that protocol’s data.

An application level gateway:

 Operates at OSI Layer 7 (Application layer).

 Examines the entire content (not just individual packets).

 Understands or interfaces with the application-layer protocol.

 Can filter based on user, group, and data such as URLs within an HTTP request.

 Is the slowest form of firewall because entire messages are reassembled at the Application layer.

 Often these types of firewalls are implemented as a proxy server.

A proxy server is a device that stands as an intermediary between a secure private network and the public network (Internet) and is a specific implementation of an application level firewall. This type of firewall has a set of rules that the packets must pass to get in or out.

With a proxy, every packet is stopped and inspected at the firewall, which causes a break between the client and the source server. A proxy firewall hides a packet’s IP address (NAT) before sending it through another network. The primary security feature of a proxy firewall is that it hides the client information. It is the only computer on a network that communicates with mistrusted computers.

An application-level proxy firewall is detrimental to network performance because it requires more processing per packet. Proxies can be configured to:

 Control both inbound and outbound traffic.

 Increase performance by caching heavily accessed content. Content is retrieved from the proxy cache instead of being retrieved from the original server.

 Filter content.

 Shield or hide a private network.

 Restrict access by user or by specific Web sites.

 Allow inspection of encrypted traffic (SSL inspection); this works only because the proxy terminates the client’s TLS session itself and the clients trust the proxy’s certificate.


A proxy firewall blocking network access from external networks


A proxy firewall typically uses two network interface cards (NICs). This type of firewall is referred to as a
dual
-
homed firewall.



Dual
-
homed

computers have two NICs installed, each connected to a separate network.

One interface connects to the public

network, usually the Internet.

The other interface connects to the
private network.




A dual
-
homed firewall segregating two network
s from each other



The forwarding and routing function should be disabled on the firewall to ensure that network segregation
occurs.


Be aware of the following for managing firewalls:

- When designing firewall packet filters, a common practice is to close all ports, opening only those ports necessary for accessing the resources behind the firewall.
- If a host cannot communicate on the network, or if specific types of traffic (such as ICMP or Remote Desktop connections) don't work on a host, check the host firewall settings to make sure that the traffic type is allowed.
- Firewalls typically create log entries when packets are blocked by firewall rules. You can examine these logs to help troubleshoot communication problems or to identify potential attacks (such as Denial of Service attacks).
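A small log review of the kind the last bullet describes, added here as an illustration and not taken from the textbook. The log format (netfilter-style lines with an FW-DROP prefix), the addresses and the thresholds are all assumptions, and the log lines are constructed inside the code so it runs offline. It parses dropped-packet records and tags each source as a probable port scan (many distinct destination ports), a flood (many hits on one service) or ordinary noise, which is the triage step that separates a rule to fix from an attack to investigate.

```python
"""Triage of firewall drop logs (added example, not from the textbook).

Log format follows the netfilter/iptables "--log-prefix FW-DROP" style;
every field name, address and threshold below is an assumption.
"""
import re
from collections import defaultdict

DROP_RE = re.compile(
    r"FW-DROP .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_drop_logs(lines):
    """Return one dict per recognised FW-DROP line; other lines are ignored."""
    events = []
    for line in lines:
        m = DROP_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None   # ICMP has no ports
        events.append(ev)
    return events


def triage(events, scan_ports=10, flood_hits=50):
    """Classify each source by what its dropped packets look like.

    Returns {src: (verdict, hits, distinct_ports)} with verdict one of
    "port-scan", "flood" or "noise".
    """
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for ev in events:
        rec = per_src[ev["src"]]
        rec["hits"] += 1
        if ev["dpt"] is not None:
            rec["ports"].add(ev["dpt"])

    verdicts = {}
    for src, rec in per_src.items():
        if len(rec["ports"]) >= scan_ports:
            verdict = "port-scan"      # one source probing many closed ports
        elif rec["hits"] >= flood_hits:
            verdict = "flood"          # one source hammering one service
        else:
            verdict = "noise"          # a few drops: check the host firewall rule
        verdicts[src] = (verdict, rec["hits"], len(rec["ports"]))
    return verdicts


def constructed_log():
    """Synthetic log lines for the demo (not captured traffic)."""
    fmt = ("Jan 12 10:{m:02}:{s:02} fw kernel: FW-DROP IN=eth0 OUT= "
           "SRC={src} DST={dst} LEN=60 PROTO={proto}{ports}")
    lines = []
    # 20 probes to 20 different ports from one host: a port scan.
    for i in range(20):
        lines.append(fmt.format(m=1, s=i, src="198.51.100.7", dst="203.0.113.5",
                                proto="TCP", ports=f" SPT={40000 + i} DPT={20 + i}"))
    # 60 SYNs to port 80 from one host: a flood against the web server.
    for i in range(60):
        lines.append(fmt.format(m=2, s=i, src="203.0.113.99", dst="203.0.113.5",
                                proto="TCP", ports=f" SPT={50000 + i} DPT=80"))
    # Two ICMP echo drops from an admin workstation: probably a rule to fix.
    for i in range(2):
        lines.append(fmt.format(m=3, s=i, src="10.0.0.20", dst="10.0.0.1",
                                proto="ICMP", ports=""))
    lines.append("Jan 12 10:04:00 fw sshd[123]: Accepted publickey for admin")
    return lines


def run_demo():
    return triage(parse_drop_logs(constructed_log()))


if __name__ == "__main__":
    for src, (verdict, hits, ports) in sorted(run_demo().items()):
        print(f"{src:16} {verdict:10} hits={hits:3} distinct_ports={ports}")
```

The thresholds are deliberately crude; in practice they are tuned per site and evaluated over a time window, but the grouping by source and by distinct destination port is the same logic a SIEM rule applies.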

Firewalls and DMZs

Firewalls can be used to create demilitarized zones (DMZs). A DMZ is a network segment placed between an internal (private) network and an external (public) network, such as the Internet. Servers that must be reachable from the outside are placed in the DMZ so that a compromise of one of them does not hand the attacker a position directly on the internal network.

Typically, either one or two firewalls are used to create a DMZ.

- A DMZ implemented with one firewall connected to a public network, a private network and a DMZ segment is cheaper to implement than a DMZ implemented with two firewalls.
- A DMZ with a firewall on each end is typically more secure than a single-firewall DMZ. Most organizations deploy, at a minimum, two firewalls.
- The first firewall is placed in front of the DMZ to allow requests destined for servers in the DMZ or to route requests to an authentication proxy.
- The second firewall is placed between the DMZ and the private network. It allows outbound requests, and the only inbound connections it permits are those the DMZ machines themselves need to initiate. For example, a RADIUS server may be running in the DMZ for improved performance and enhanced security, even though its database resides inside the company intranet.

The main objective for the placement of firewalls is to allow only traffic that the organization deems necessary and provide notification of suspicious behavior.



Hubs 61

Hub

A hub is the central connecting point of a physical star, logical bus topology. Hubs simply repeat incoming frames without examining the MAC address in the frame and send them to every host connected to the hub.

- Hubs do not provide data isolation between endpoint ports.
- Because frames are repeated out all hub ports, sniffers can be used to collect sensitive information by capturing traffic that flows through the hubs.
- All devices connected to a hub share the available bandwidth.
- Collisions are a natural consequence of the shared medium. As the number of devices connected to the hub increases, so does the number of collisions, and performance drops.
- For security and performance, replace hubs with switches whenever possible.


Modems 62

A modem is a hardware device that converts the digital signals from a computer into analog signals for the telephone line, and back again. It allows these signals to be transmitted over longer distances than are possible with raw digital signals.

The word "modem" is an amalgam of the words "modulator" and "demodulator," which are the two functions that occur during transmission.

Modems present a unique set of challenges from a security perspective.

Leaving modems open for incoming calls with little to no authentication for users dialing in can be a clear security vulnerability in the network. For example, war-dialing attacks take advantage of this situation. War-dialing is the process by which an automated software application is used to dial numbers in a given range to determine whether any of the numbers are serviced by modems that accept dial-in requests. A modem that answers is an entry point that bypasses the perimeter firewall entirely.

Setting the callback feature to have the modem call the user back at a preset number and using encryption and firewall solutions will help keep the environment safe from attacks. In addition:

- Monitor computers that have modems to check whether they have been compromised.
- Check for software updates for computers that have modems.
- Remove all unnecessary modems from computers.






Remote Access Services 62

Remote access servers (RAS) allow clients to use dial-up connections and network technologies to access servers and internal networks. RAS connections are achieved through dial-up, DSL, VPNs, cable modems and ISDN.

A RAS connection between a remote workstation and a Windows server

Client systems with a modem can connect using normal dial-up connections to a properly equipped remote-access service server, which functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet.

The RAS environment is vulnerable to public PBX infrastructure vulnerabilities, RAS software bugs, buffer overflows, and social engineering. You should apply vendor security patches as soon as they are available to protect against RAS software bugs. Social engineering and the public PBX infrastructure are common methods used by intruders to access your RAS environment.

Typical methods of securing remote access servers:

- Implementing a strong authentication method or two-factor authentication
- Limiting which users are allowed to dial in and limiting the dial-in hours
- Implementing account lockout and strict password policies
- Implementing a real-time alerting system

Allowing dial-in only and forcing callback to a preset number are strategies for securing remote access servers (RAS).












Routers 63

Router

A router is a layer 3 device that routes and forwards information between different IP subnets. Routers receive packets, read their headers to find IP addressing information, and send them on to their correct destination on the network or Internet.

- Routers can be used to connect dissimilar networks.
- Routers forward packets through an internetwork by maintaining routing information in a database called a routing table. Routing tables contain information about the known networks on both sides of the router, not about individual hosts.
  o Static routing requires that entries in the routing table be configured manually. When changes occur to the network, static entries must be added or removed.
  o A dynamic routing protocol allows routers to automatically share their routing table entries. Dynamic routing protocols include RIP, OSPF, BGP, IGRP, EIGRP, and IS-IS.
- A router can have an access control list (ACL) that allows or blocks packets based on information contained in the packet (such as IP address or port).
- Routers do not pass broadcasts by default.
- Routers, in conjunction with a CSU/DSU, are also used to translate LAN to WAN framing. Such routers are referred to as border routers. Border routers decide who can come in and under what conditions.

Routers can also be connected internally to other routers, effectively creating autonomous zones. Dividing internal networks into two or more subnets is a common use for routers. This type of connection keeps local network traffic off the network backbone and provides additional security internally.

Routers establish routing tables. A router contains information about the networks connected to it and where to send requests if the destination is unknown (the default route). With dynamic routing, these tables grow as neighboring routers advertise the networks they can reach.

Three of the standard protocols routers use to communicate routing information are:

- Routing Information Protocol (RIP) is a simple protocol that is part of the TCP/IP protocol suite. Routers that use RIP routinely broadcast the status and routing information of known routers. RIP also attempts to find routes between systems using the smallest number of hops or connections.
- Border Gateway Protocol (BGP) allows groups of routers (autonomous systems) to share routing information; it is the routing protocol used between networks on the Internet.
- Open Shortest Path First (OSPF) allows routing information to be updated faster than with RIP.

Routers are the first line of defense and should therefore be configured to forward only traffic that is authorized by the network administrator. Routers can be configured in many instances to act as packet-filtering firewalls. Access entries can be specified to allow only authorized traffic and deny unauthorized traffic. When configured properly, they can prevent unauthorized ports from being reached. An ACL is evaluated from the top down, the first matching entry decides, and anything that matches no entry is dropped by the implicit deny at the end, so the order of the entries matters as much as their content.
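A model of ACL evaluation as the paragraph above describes it: first match wins, with an implicit deny at the end. This is an added example, not the textbook's material or any vendor's ACL syntax; the rule set, the addresses and the sample packets are assumptions constructed for the demo. Besides evaluating packets it performs the check a reviewer should run on every ACL, listing entries that an earlier, broader entry already covers (shadowed entries), because such an entry can never take effect whatever it says.

```python
"""Ordered packet-filter ACL with first-match semantics (added example).

Rule syntax, addresses and packets are constructed for the illustration
and do not reproduce any vendor's ACL format.
"""
import ipaddress


class Rule:
    def __init__(self, action, proto, src, dst, dport=None):
        self.action = action                  # "permit" or "deny"
        self.proto = proto                    # "tcp", "udp", "icmp" or "ip" (any)
        self.src = ipaddress.ip_network(src)  # "0.0.0.0/0" means any
        self.dst = ipaddress.ip_network(dst)
        self.dport = dport                    # None means any destination port

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or self.dport == pkt.get("dport")))

    def covers(self, other):
        """True when every packet `other` could match also matches self."""
        return (self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))

    def __repr__(self):
        port = f" eq {self.dport}" if self.dport is not None else ""
        return f"{self.action} {self.proto} {self.src} -> {self.dst}{port}"


def evaluate(acl, pkt):
    """Walk the ACL top to bottom; return (action, index) of the first match.

    No match means the implicit deny at the end of the list applies.
    """
    for idx, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


def shadowed_entries(acl):
    """Indexes of entries that some earlier entry fully covers (dead rules)."""
    return [j for j, rule in enumerate(acl)
            if any(acl[i].covers(rule) for i in range(j))]


# Inbound ACL on an Internet-facing interface, as an administrator might
# have written it (constructed for the demo).
ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.0/24", 443),
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.0/24", 80),
    Rule("deny", "ip", "10.0.0.0/8", "0.0.0.0/0"),               # anti-spoofing, too late
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),  # shadowed by entry 0
    Rule("deny", "tcp", "0.0.0.0/0", "203.0.113.0/24", 80),      # shadowed by entry 1
]

# Same intent, correctly ordered: the anti-spoofing deny comes first and
# the dead entries are gone.
FIXED_ACL = [
    Rule("deny", "ip", "10.0.0.0/8", "0.0.0.0/0"),
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.0/24", 443),
]

PACKETS = {
    "https from internet": {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.5", "dport": 443},
    "ssh from internet": {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.5", "dport": 22},
    "spoofed private src": {"proto": "tcp", "src": "10.1.2.3", "dst": "203.0.113.5", "dport": 443},
    "ping from internet": {"proto": "icmp", "src": "198.51.100.7", "dst": "203.0.113.5"},
}


def run_demo(acl=ACL):
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (action, idx) in run_demo().items():
        where = "implicit deny" if idx is None else f"entry {idx}"
        print(f"{name:22} {action:6} ({where})")
    print("shadowed:", [ACL[j] for j in shadowed_entries(ACL)])
```

Two things the demo makes visible: the spoofed packet with a private source address is permitted by the first ACL because the permit for HTTPS sits above the anti-spoofing deny, and the administrator's attempt to block HTTP at entry 4 never fires because entry 1 already matched.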


Methods for securing routers:

- Routers should be kept in locked rooms.
- You should use complex passwords for administrative consoles.
- Routers should be kept current with the latest available vendor security patches.
- Configure access list entries to prevent unauthorized connections and routing of traffic.
- Use monitoring equipment to protect connection points and devices.


Switches 65

Switch

A switch is a multiport device that performs filtering based on MAC addresses. Switches:

- Are more secure than hubs because switches only send communication to the destination device, not to all the devices on the switch like a hub.
- Can be used to prevent a computer on the network from promiscuously sniffing the packets of other computers on the same subnetwork. Only packets destined for the computer on a particular port of a switch can be seen (assuming the ports aren't shared). Any port is able to see only traffic destined for it and broadcasts, eliminating the promiscuity. This protection is not absolute: an attacker on the segment can flood the switch's MAC address table until it falls back to hub-like flooding, or poison ARP caches so that traffic for another host is delivered to the attacker's port. Port security (limiting the MAC addresses allowed per port) and dynamic ARP inspection counter these techniques.
- Create virtual circuits between systems in a network. These virtual circuits are somewhat private and reduce network traffic when used. Virtual circuits are more difficult to examine with network monitors.
- Pass broadcasts to all ports. This is a disadvantage from a security perspective because it allows sniffers to capture data in broadcasts.
- Offer guaranteed bandwidth to each switch port, eliminating collisions when a single device is connected to a switch port and improving data availability.
- Can make additional forwarding decisions based on the MAC address. For example, a switch can be configured to prevent unauthorized devices from sending frames through a port.

Methods for securing switches:

- Switches should be kept in locked rooms.
  o Physical access control to the networking closet is critical to protect switched networks against any exposed supervisory ports that can be exploited by an attacker.
- You should use complex passwords for administrative consoles.
- Use monitoring equipment to protect connection points and devices.
- Keep switches current with the latest available vendor security patches.




Load Balancers 66

A load balancer can be implemented as a software or hardware solution, and is usually associated with a device such as a router, a firewall, a NAT device, and so on. As the name implies, it is used to shift a load from one device to another.

Load balancing is a technique that disperses a workload between two or more computers or resources to achieve optimal resource utilization, throughput, or response time. The primary goal of load balancing is to improve performance by configuring multiple devices to respond as one. Load balancing also provides fault tolerance if the load balancing mechanism is able to detect when a specific farm member is unavailable, automatically distributing new requests to the available members. Load balancing methods with virtualization include:

- Resource pooling creates shared logical pools of CPU and memory resources of many physical machines within the hypervisor to guarantee a level of resources for specific virtual machines.
- Workload balancing distributes a workload (i.e., the total requests made by users and applications of a system) across multiple computers or a computer cluster to achieve optimal resource utilization, maximize throughput, minimize response time, and avoid overload.


Telecom/PBX Systems 66

Telephony is the process of combining telephone technology with information technology.

- Traditional telephone access uses the Public Switched Telephone Network (PSTN) to make analog phone calls over the Plain Old Telephone System (POTS) wiring. The PSTN is a circuit-switched network that establishes a dedicated path between the two calling devices. Use the following methods to send digital data through POTS lines:
  o Use a modem to send digital data through the PSTN.
  o Use ISDN to use the existing POTS lines to connect to a digital network.
  o Use DSL to use the existing POTS lines to connect to the Internet.
- The Internet is a packet-switched network that uses IP. With packet switching, data is divided into packets, with each packet potentially taking a different route to the destination.

When managing telephony solutions, be aware of the following.

Private Branch Exchange (PBX)

The Private Branch Exchange (PBX) is a telephone exchange that serves a private organization and connects the organization to the PSTN. A PBX allows a company to use telephone extensions within an organization, and still access outside organizations because the PBX connects to the public PSTN.


Many modern PBX (private branch exchange) systems integrate voice and data onto a single data connection to your phone service provider. In some cases, this allows an overall reduction in cost of operations. These connections are made using existing network connections such as a T1 or T3 network.

Threats to a PBX system include:

- 2600 club refers to emitting a 2600 Hz tone, the in-band supervisory signal on older long-distance trunks; sending it let a caller seize the trunk and place long-distance calls without payment.
- Emulation devices are electronic devices that emulate tones or sounds that authorize long distance phone calls.
- Eavesdropping is unauthorized monitoring of your phone system.
- Inbound fax exposure happens when sensitive data received by fax is left in the machine's output tray for all to view.
- Toll charge abuse is the unauthorized use of an organization's communication system for long distance or other toll-related communication.
- Unauthorized access to voicemail is an attacker listening to voicemail communications of personnel within the organization.

The following actions can be completed to secure the PBX:

- Provide physical security to avoid tampering and tapping.
- Change any default passwords and provide strong authentication by implementing strong password policies.
- Secure any ports for remote access.
- Turn maintenance features off until needed.
- Audit phone logs to identify unauthorized phone calls and use patterns.
- Remove all modems from internal computers.






A modern digital PBX system integrating voice and data onto a single network connection


Voice over IP (VoIP)

Voice over IP (VoIP) is a fully digital solution using an Internet connection to make phone calls. The voice data is digitized, converted into packets, and sent over an IP packet-switched network provided by the Internet Service Provider (ISP). VoIP can provide convenience in having fewer lines to deal with and possibly lower costs for your telephone calls.

Security issues with VoIP include:

- Lack of encryption support, or encryption that is available but left disabled, so signaling and voice travel in the clear.
- Voice calls are far more susceptible to attacks of:
  o Eavesdropping
  o Interception of voice data
  o Man-in-the-middle attacks
  o Harvesting customer lists and information
  o Hacking into voice mail systems
- Voice traffic is time sensitive, meaning that delays in delivery can affect the availability and usability of VoIP. VoIP implements Quality of Service (QoS) measures to ensure timely delivery of voice traffic.

Encryption of Internet phone calls has been available since Zimmermann's PGPfone; current VoIP systems protect the media stream with SRTP and the signaling with TLS.

Phone attackers (also known as phreakers) exploit vulnerabilities in telephone equipment and computer systems related to telephone networks. The following table defines common phone exploitation attacks:

Cramming: Cramming entails the application of charges to a phone bill for services which were not authorized or ordered by the consumer. Cramming can also include additional charges for phone usage that were not originally disclosed to the consumer.

Slamming: Slamming entails unauthorized or fraudulent changes being made to a subscriber's telephone service or DSL Internet service. This is most commonly done by companies who are trying to steal business from their competitors.

War dialing: War dialing or demon dialing is an attack in which attackers dial every phone number in a certain range hoping to find a number with a backdoor modem to exploit. In war dialing:

- The attacker first tries built-in security accounts and passwords for the modem.
- If necessary, the attacker then uses a brute force attack, similar to a dictionary attack, trying every possible password in an attempt to crack the system.
- The attacker then tries to find vulnerabilities in the system to exploit.

Countermeasures for war dialing or demon dialing are:

- Remove all modems from internal computers.
- Disable maintenance modems or require strong authentication before allowing remote maintenance.



As cellular phones become increasingly common, phone attackers are focusing their efforts on cellular phones. The following table defines common cell phone exploitation attacks:

Cloning: Cloning entails creating an identical cell phone and using someone's services without authorization.

Sniffing: Sniffing is the act of intercepting cell phone signals.

Tumbling: Tumbling entails cycling through the phone numbers and Electronic Serial Numbers (ESNs) found on an analog cell phone to find a legitimate pair or setting.

To protect a PBX from hacker attacks:

- Make sure the PBX is in a secure area
- Limit the number of entry points
- Change default passwords
- Only allow authorized maintenance
- Remote PBX administration should require user names and passwords
- The telephone number used to remotely administer a PBX should be unlisted
- Block all toll numbers and limit long-distance calling
- Implement a PBX password change and audit policy

Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port.


Virtual Private Networks 68

A virtual private network (VPN) is a network that uses encryption to allow IP traffic to travel securely over the TCP/IP network. A VPN is used primarily to support secured communications over an untrusted network such as the Internet.

- VPNs work by using a tunneling protocol that encrypts packet contents and wraps them in an unencrypted packet.
- The three tunneling protocols covered here are PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol) and L2F (Layer 2 Forwarding protocol). PPTP's authentication (MS-CHAP) and its RC4-based encryption have been broken, so of the three only L2TP combined with IPsec remains acceptable; most current deployments use IPsec or TLS-based VPNs.
- Tunneling requires three protocols:
  o The carrier protocol, such as IP.
  o The encapsulating security protocol.
  o The passenger protocol (the data that is being transmitted).
- Tunnel endpoints are devices that can encrypt and decrypt packets. When you create a VPN, you establish a security association between the two tunnel endpoints. These endpoints create a secure, virtual communication channel. Only the destination tunnel endpoint can unwrap packets and decrypt the packet contents.
- Routers use the unencrypted packet headers to deliver the packet to the destination device. Intermediate routers along the path cannot (and do not) read the encrypted packet contents.
- VPN connections provide a mechanism for the creation of a secured "tunnel" through a public network such as the Internet using a tunneling protocol, such as L2TP or PPTP.
- These connections are not guaranteed to be secure unless an encryption system, such as IPSec, is used; the tunneling protocol on its own only encapsulates.



VPN Server in Front of the Firewall

For the Internet interface on the VPN server, configure the input and output filters using the Routing and Remote Access snap-in.

With the VPN server in front of the firewall, attached to the Internet, you need to add packet filters to the Internet interface that only allow VPN traffic to and from the IP address of the VPN server's interface on the Internet.

For inbound traffic, when the tunneled data is decrypted by the VPN server it is forwarded to the firewall, which employs its filters to allow the traffic to be forwarded to intranet resources.


Because the only traffic that is crossing the VPN server is traffic generated by authenticated VPN clients, firewall filtering in this scenario can be used to prevent VPN users from accessing specific intranet resources.

Because the only Internet traffic allowed on the intranet must go through the VPN server, this approach also prevents the sharing of File Transfer Protocol (FTP) or Web intranet resources with non-VPN Internet users.

VPN Server behind the Firewall

For the Internet interface on the firewall, input and output filters need to be configured using the firewall's configuration software.

More commonly, the firewall is connected to the Internet and the VPN server is another intranet resource connected to a DMZ. The VPN server has an interface on the DMZ and an interface on the intranet.

In this approach, the firewall must be configured with input and output filters on its Internet interface to allow the passing of tunnel maintenance traffic and tunneled data to the VPN server. Additional filters can allow the passing of traffic to Web servers, FTP servers, and other types of servers on the DMZ.

The firewall does not have the encryption keys for each VPN connection, so it can only filter on the plaintext headers of the tunneled data, meaning that all tunneled data passes through the firewall. This is acceptable because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server; what authenticated users may reach is then controlled on the VPN server's intranet side, after decryption.

When you deploy a VPN gateway in its own DMZ behind the external firewall, you receive the following benefits:

- The firewall can protect the VPN gateway
- The firewall can inspect plain text from the VPN
- Internet connectivity does not depend on the VPN gateway

In this deployment, the following drawbacks are experienced:

- The firewall will need special routes to the VPN gateway configured
- Roaming client support is hard to achieve

Web Security Gateway 69

A web security gateway can be thought of as a proxy server with web protection software built in.

Web protection can range from a standard virus scanner on incoming packets to also monitoring outgoing user traffic for red flags.

Potential red flags the gateway can detect/prohibit include:

- Inappropriate content
- Trying to establish a peer-to-peer connection with a file-sharing site
- Instant messaging
- Unauthorized tunneling

You can configure most web security gateways to block known HTTP/HTML exploits, strip ActiveX tags, strip Java applets, and block/strip cookies.


Spam Filters 69

Spam filters can be added to catch unwanted email and filter it out before it gets delivered internally. They can help mitigate the risk of a phishing attack propagated by e-mail.

The filtering is done based on rules that are established, for example:

- Block email coming from certain IP addresses
- Block email that contains particular words in the subject line

Spam filters can scan both incoming and outgoing messages and thus act as a quick identifier of internal PCs that may have contracted a virus: an infected host that starts sending bulk mail shows up in the outbound filter.

A number of vendors make all-in-one devices that combine spam filters with firewalls, load balancers, and a number of other services.


Understanding Remote Access 70

Remote access allows a host to connect remotely to a private server or a network to access resources on that server or network. Remote access connections are typically used to connect remotely to servers at your office, but can also describe the type of connections used to connect to an Internet Service Provider (ISP) for Internet access. A remote access server (RAS) is a server configured to allow remote access connections.

Using Point-to-Point Protocol 70

Point-to-Point Protocol (PPP) offers multiple protocol support including AppleTalk, IPX, and DECnet, and is widely used today as a transport protocol for dial-up connections.

PPP is a protocol for communicating between two points using a serial interface and provides service at layer 2 of the OSI model. PPP can handle both synchronous and asynchronous connections.

PPP provides no confidentiality of its own: unless an encryption option is negotiated on the link, everything carried over it travels in the clear. PPP is primarily intended for dial-up connections and should never be used on its own as a VPN; a VPN carries PPP inside a tunnel (as PPTP and L2TP do) and adds encryption such as IPsec.

PPP works with POTS, Integrated Services Digital Network (ISDN), and other faster connections such as T1.




PPP using a single B channel on an ISDN connection. In the case of ISDN, PPP would normally use one 64Kbps B channel for transmission.

PPP does not provide data security, but it does negotiate authentication, commonly using Challenge Handshake Authentication Protocol (CHAP). CHAP can be used to provide on-demand authentication within an ongoing data transmission: the server can re-challenge the peer at any time after the link is up.

A dial-up connection using PPP works well because it isn't common for an attacker to tap a phone line, so the circuit itself serves as the protected channel. You should make sure all your PPP connections use secure channels, dedicated connections, or dial-up connections; PPP carried unencrypted across a shared network offers no protection.

Remote Access

The following process is used to establish a remote access connection.

Connection

As a first step, clients must establish a connection to the remote access server. The connection process includes establishing the physical connection along with agreeing on communication parameters. For remote access, there are two main connection types:

- A dialup connection requires both the client and the RAS server to have a modem, and the remote connection is made through the Public Switched Telephone Network (PSTN). Dialup uses two common connection protocols:
  o Serial Line Internet Protocol (SLIP) is an older protocol that offers little security. It is mainly used now for compatibility with systems that are not capable of supporting another protocol.
  o Point-to-Point Protocol (PPP) supports the negotiation of compression, authentication, and encryption. PPP does not provide these services itself, but rather provides a method for devices to agree on additional services to be used for the connection.
- A virtual private network (VPN) remote access connection uses the Internet to connect securely to the remote access server. VPNs work by using a tunneling protocol that encrypts packet contents and wraps them in an unencrypted packet. VPNs can be implemented in the following ways:
  o With a site-to-site VPN, routers on the edge of each site establish a VPN with the router at the other location. Data from hosts within the site is encrypted before being sent to the other site. With this configuration, individual hosts are unaware of the VPN.
  o With a remote access VPN, a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network.

Authentication

Authentication is the process of proving identity. The authentication protocol is negotiated during the connection parameter phase. After devices agree on the authentication protocol to use, the logon credentials are exchanged and logon is allowed or denied. Common protocols used for remote access authentication include:

- Password Authentication Protocol (PAP) sends passwords in clear text.
- Challenge Handshake Authentication Protocol (CHAP) uses a challenge/response (three-way handshake) mechanism to protect passwords: the server sends a random challenge, the client returns a hash computed over the challenge and the shared secret, and the password itself never crosses the link. CHAP ensures that the same client or system exists throughout a communication session by repeatedly and randomly re-testing the validated system.
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is Microsoft's version of CHAP.
  o MS-CHAP encrypts the shared secret on each system so that it is not saved in plain text.
  o MS-CHAP v2 allows for mutual authentication, where the server also authenticates to the client. Mutual authentication helps to prevent man-in-the-middle attacks and server impersonation.
  o Both MS-CHAP versions are weak by current standards: a captured MS-CHAPv2 exchange reduces to a single DES key search that can be completed offline, so MS-CHAP should only be used inside a TLS-protected tunnel such as PEAP.
- Extensible Authentication Protocol (EAP) allows the client and server to negotiate the characteristics of authentication. When a connection is established, the client and server negotiate the authentication type that will be used, based on the allowed or required authentication types configured on each device.

Both CHAP and MS-CHAP are used for username and password authentication, while EAP allows authentication using a variety of methods including passwords, certificates, and smart cards.
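The CHAP exchange described above, written out in Python as an added example (not code from the textbook or from any PPP implementation). It uses the RFC 1994 response computation, MD5 over the identifier, the secret and the challenge; the user names, secrets and the re-challenge sequence are assumptions for the demo. It shows why a captured response cannot be replayed against a fresh challenge, how the server re-tests the peer mid-session, and the cost of the design: the authenticator must hold each secret in recoverable form to verify a response.

```python
"""CHAP challenge/response (added example; not the textbook's code).

Response = MD5(Identifier || Secret || Challenge) as in RFC 1994.
User names and secrets below are assumptions for the demo.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """What the peer returns: a hash that covers the secret without sending it."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. Must hold each secret in recoverable form to verify."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)       # name -> secret bytes
        self.pending = {}                  # name -> (identifier, challenge)

    def challenge(self, name):
        """Issue a fresh random challenge; also used to re-test mid-session."""
        identifier = os.urandom(1)[0]
        challenge = os.urandom(16)
        self.pending[name] = (identifier, challenge)
        return identifier, challenge

    def verify(self, name, identifier, response):
        """True only for a response computed over the outstanding challenge."""
        outstanding = self.pending.pop(name, None)   # one attempt per challenge
        secret = self.secrets.get(name)
        if outstanding is None or secret is None or outstanding[0] != identifier:
            return False
        expected = chap_response(identifier, secret, outstanding[1])
        return hmac.compare_digest(expected, response)   # constant-time compare


def run_demo():
    """Walk through the cases a practitioner cares about; return the outcomes."""
    server = ChapAuthenticator({"alice": b"correct horse battery"})
    results = {}

    # 1. Legitimate peer answers the challenge.
    ident, chal = server.challenge("alice")
    good_response = chap_response(ident, b"correct horse battery", chal)
    results["valid"] = server.verify("alice", ident, good_response)

    # 2. Attacker who sniffed (ident, good_response) replays it later; the
    #    server has since issued a different challenge, so the hash is wrong.
    server.challenge("alice")
    results["replay"] = server.verify("alice", ident, good_response)

    # 3. Attacker guessing the secret against the current challenge.
    ident3, chal3 = server.challenge("alice")
    results["wrong_secret"] = server.verify(
        "alice", ident3, chap_response(ident3, b"password1", chal3))

    # 4. Periodic re-authentication of an established session.
    ident4, chal4 = server.challenge("alice")
    results["rechallenge"] = server.verify(
        "alice", ident4, chap_response(ident4, b"correct horse battery", chal4))

    # 5. An unknown user name never succeeds.
    ident5, chal5 = server.challenge("mallory")
    results["unknown_user"] = server.verify(
        "mallory", ident5, chap_response(ident5, b"anything", chal5))
    return results


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:13} -> {'accepted' if ok else 'rejected'}")
```

Note what CHAP does not do: an eavesdropper who records challenge and response can still run an offline dictionary attack on the secret, which is why the guide's advice on strong passwords and account lockout applies here too.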

Authorization

Authorization is the process of identifying the resources that a user can access over the
remote access connection. Authorization can restrict access based on:

• Time of day

• Type of connection (e.g. PPP or PPPoE, wired or wireless)

• Location of the resource (i.e. restrict access to specific servers)

Authorization is controlled through the use of network policies (remote access policies) as
well as access control lists.

Accounting

Accounting is an activity that tracks or logs the use of the remote access connection.
Accounting is often used by ISPs to bill for services based on time or the amount of data
downloaded.

Be aware of the following with remote access:

• Remote Access Service (RAS) is the service a remote access server uses to control access for
  remote access clients. Clients might be restricted to access only resources on the remote access
  server, or might be allowed access to resources on other hosts on the private network.

• Both the remote access server and the client computers must be configured to use or accept the
  same connection parameters. During the connection phase, the devices negotiate the protocols
  that will be used. If the allowed protocols do not match, the connection will be refused.

• Remote access policies identify allowed users and other required connection parameters.

• In a small implementation, user accounts and remote access policies are defined on the remote
  access server.

• When using a directory service, you can configure the remote access server to look up user
  account information on the directory service server.

• If you have multiple remote access servers, you must define user accounts and policies on each
  remote access server.

• Use an AAA server to centralize authentication, authorization, and accounting for multiple remote
  access servers. Connection requests from remote clients are received by the remote access
  server and forwarded to the AAA server to be approved or denied. Policies defined on the AAA
  server apply to all clients connected to all remote access servers.


Two common AAA server solutions include:

Solution: Remote Authentication Dial-In User Service (RADIUS)
Description: RADIUS is used by Microsoft servers for centralized remote access
administration. RADIUS:

  o Combines authentication and authorization using policies to grant access.

  o Uses UDP.

  o Encrypts only the password.

  o Often uses vendor-specific extensions. RADIUS solutions from different vendors
    might not be compatible.

When configuring a RADIUS solution, configure a single server as a RADIUS server. Then
configure all remote access servers as RADIUS clients.

Solution: Terminal Access Controller Access-Control System Plus (TACACS+)
Description: TACACS+ was originally developed by Cisco for centralized remote access
administration. TACACS+:

  o Provides three protocols, one each for authentication, authorization, and accounting.
    This allows each service to be provided by a different server.

  o Uses TCP.

  o Encrypts the entire packet contents.

  o Supports more protocol suites than RADIUS.

Working with Tunneling Protocols 71

The following table compares the common VPN tunneling protocols.

Protocol: Point-to-Point Tunneling Protocol (PPTP)
Description: PPTP was one of the first VPN protocols and was developed by Microsoft.
PPTP encapsulates and encrypts PPP packets. This makes PPTP a favorite low-end protocol
for networks. The negotiation between the two ends of a PPTP connection is done in the
clear. Once the negotiation is performed, the channel is encrypted.

PPTP:

• Supports encapsulation in a single point-to-point environment.

• Uses standard authentication protocols, such as Challenge Handshake Authentication
  Protocol (CHAP) or Password Authentication Protocol (PAP).

• Supports TCP/IP only.

• Encapsulates other LAN protocols and carries the data securely over an IP network.

• Uses Microsoft's MPPE for data encryption.

• Is supported by most operating systems and servers.

• Uses TCP port 1723.

Protocol: Layer 2 Forwarding (L2F)
Description: L2F was created by Cisco as a method of creating tunnels primarily for dial-up
connections. L2F is similar in capability to PPP and should not be used over WANs. L2F
does provide authentication, but it does not provide encryption. L2F:

• Operates at the Data Link layer (layer 2).

• Offers mutual authentication.

• Does not encrypt data.

• Merged with PPTP to create L2TP.

Protocol: Layer Two Tunneling Protocol (L2TP)
Description: L2TP is a tunneling protocol that can be used between LANs. Relatively recently,
Microsoft and Cisco agreed to combine their respective tunneling protocols into one
protocol: the Layer Two Tunneling Protocol (L2TP). L2TP is a hybrid of PPTP and L2F.
L2TP is primarily a point-to-point protocol. L2TP supports multiple network protocols and
can be used in networks besides TCP/IP. L2TP works over IPX, SNA, and IP.

L2TP isn't secure, and you should use IPSec with it to provide data security.

L2TP:

• Operates at the Data Link layer (layer 2).

• Supports multiple protocols (not just IP).

• Uses IPSec for encryption. Combining L2TP with IPSec (called L2TP/IPSec) provides:

  o Per packet data origin authentication (non-repudiation)

  o Replay protection

  o Data confidentiality

• Is not supported by older operating systems.

• Uses TCP port 1701 and UDP port 500.

Protocol: Secure Shell (SSH)
Description: Secure Shell (SSH) is a type of tunneling protocol that allows access to remote
systems in a secure manner.

SSH was originally designed for UNIX systems. SSH is a program that allows connections to
be secured by encrypting the session between the client and the server. SSH also provides
secure equivalents of programs such as Telnet, FTP, and many of the other
communications-oriented programs under UNIX.

SSH transmits both authentication information and data securely during terminal
connections with UNIX computers. SSH uses port 22.


Protocol: Internet Protocol Security (IPSec)
Description: IPSec can be used in conjunction with L2TP or by itself as a VPN solution.

IPSec is a protocol that can be used to digitally sign headers and to encrypt and encapsulate
packets. IPSec provides both authentication and encryption, and is regarded as one of the
strongest security standards. IPSec includes two protocols that provide different features.

• Authentication Header (AH) provides authentication features. When the AH protocol is
  used, IPSec digitally signs packet headers. Use AH to enable authentication with IPSec.

• Encapsulating Security Payload (ESP) provides data encryption. Use ESP to encrypt data.

Note: If you use only AH, data is not encrypted.

IPSec provides network security for tunneling protocols. IPSec has two modes of operation,
based on the relationship of the communicating devices to each other:

• Transport mode is used only when the data portion needs to be encrypted over
  owner-controlled networks like the LAN. When transport mode is used, packets are not
  encapsulated. The packet data (payload) is protected, but the header is left intact,
  allowing intermediary devices (such as routers) to examine the packet header and use the
  information in routing packets.

• Tunnel mode is used for link-to-link communications. When tunnel mode is used, packets
  are encapsulated within other packets. Both the payload and the header are encrypted.
  Tunnel mode is used for VPNing over an unsecured public network.

IPSec can be used to secure communications such as:

• Host-to-host communications within a LAN.

• VPN communications through the Internet, either by itself or in conjunction with the
  L2TP VPN protocol.

• Any traffic supported by the IP protocol including Web, e-mail, Telnet, file transfer, and
  SNMP traffic as well as countless others.

Be aware of the following additional characteristics of IPSec:

• IPSec functions at the Network layer (layer 3) of the OSI model.

• IPSec uses either digital certificates or pre-shared keys.

• IPSec generally can't be used when a NAT proxy is deployed.
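The AH/ESP and transport/tunnel distinctions above, and the last bullet about NAT, can be seen in a small model. The following is an added example written for these notes, not IPSec code from any stack: the IP header is a dictionary, the cipher is a stand-in keystream built from HMAC-SHA256 (real ESP uses AES), and the question it answers is which bytes are signed, which are encrypted, and which stay visible. AH's integrity check covers the IP header with mutable fields (TTL) zeroed, so a router decrementing TTL is fine but a NAT rewriting the source address breaks verification; ESP's check covers only the ESP payload, so the outer header may be rewritten. Addresses, keys and payloads are constructed.

```python
"""What AH and ESP protect in transport and tunnel mode. Added model, not course or product code."""
import hashlib
import hmac
import json

MUTABLE = ("ttl",)  # header fields routers change in flight; AH zeroes them before signing


def ser(header: dict) -> bytes:
    return json.dumps(header, sort_keys=True).encode()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for ESP's AES.
    Illustration only; not a cipher for real use."""
    out = b""
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return out


def ah_icv(key: bytes, header: dict, payload: bytes) -> bytes:
    """AH integrity check value: covers the IP header (mutable fields zeroed) and the payload."""
    fixed = {k: (0 if k in MUTABLE else v) for k, v in header.items()}
    return hmac.new(key, ser(fixed) + payload, hashlib.sha256).digest()


def ah_protect(key: bytes, header: dict, payload: bytes) -> dict:
    """AH leaves header and payload readable; it only appends the ICV."""
    return {"ip": dict(header), "ah": ah_icv(key, header, payload), "data": payload}


def ah_verify(key: bytes, pkt: dict) -> bool:
    return hmac.compare_digest(pkt["ah"], ah_icv(key, pkt["ip"], pkt["data"]))


def esp_transport(key: bytes, header: dict, payload: bytes, spi: int = 1, seq: int = 1) -> dict:
    """ESP transport mode: original header kept for routing, payload encrypted, ICV over
    SPI || sequence || ciphertext. The IP header is not covered by the ICV."""
    nonce = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    ct = keystream_xor(key, nonce, payload)
    icv = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"ip": dict(header), "esp": {"spi": spi, "seq": seq, "ct": ct, "icv": icv}}


def esp_tunnel(key: bytes, header: dict, payload: bytes, gw_src: str, gw_dst: str,
               spi: int = 2, seq: int = 1) -> dict:
    """ESP tunnel mode: the whole original packet becomes the encrypted payload of a new
    packet addressed between the two gateways, so the inner addresses are hidden."""
    outer = {"src": gw_src, "dst": gw_dst, "ttl": 64, "proto": "ESP"}
    return esp_transport(key, outer, ser(header) + b"\n" + payload, spi, seq)


def esp_open(key: bytes, pkt: dict):
    """Check the ICV, then decrypt. Returns the protected bytes, or None if tampered."""
    e = pkt["esp"]
    nonce = e["spi"].to_bytes(4, "big") + e["seq"].to_bytes(4, "big")
    expected = hmac.new(key, nonce + e["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(e["icv"], expected):
        return None
    return keystream_xor(key, nonce, e["ct"])


def router_hop(pkt: dict) -> dict:
    """A forwarding router decrements TTL; AH tolerates this because TTL is mutable."""
    return dict(pkt, ip=dict(pkt["ip"], ttl=pkt["ip"]["ttl"] - 1))


def nat_rewrite(pkt: dict, new_src: str) -> dict:
    """A NAT device rewrites the outer source address in flight."""
    return dict(pkt, ip=dict(pkt["ip"], src=new_src))


def survives_nat(key: bytes, pkt: dict) -> bool:
    """Does the receiver still accept the packet after NAT changed its source address?"""
    natted = nat_rewrite(pkt, "203.0.113.9")  # constructed NAT public address
    if "ah" in pkt:
        return ah_verify(key, natted)
    return esp_open(key, natted) is not None
```

The model matches the real protocols on the points that matter here: AH authenticates the addresses and so cannot pass through address translation, while ESP does not cover the outer header. ESP still needs help behind NAT in practice, because NAT devices track TCP/UDP ports and ESP has none and because transport mode leaves the inner TCP/UDP checksum computed over the pre-NAT address; that is what NAT traversal (NAT-T, ESP encapsulated in UDP, RFC 3948) was added to IPSec to solve.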

Protocol: Secure Sockets Layer (SSL)
Description: The SSL protocol has long been used to secure traffic generated by other IP
protocols such as HTTP, FTP, and e-mail. SSL can also be used as a VPN solution, typically
in a remote access scenario. SSL:

• Authenticates the server to the client using public key cryptography and digital
  certificates.

• Encrypts the entire communication session.

• Uses port 443, a port that is often already opened in most firewalls.

Implementations that use SSL for VPN tunneling include Microsoft's SSTP and Cisco's SSL VPN.

You should be aware that ports must be opened in firewalls to allow VPN protocols. For this
reason, using SSL for the VPN often works through firewalls when other solutions do not. In
addition, some NAT solutions do not work well with VPN connections.