
A study on composition of Network Security

By
tadanki.ramakrishna@yahoo.co.in
INDEX
1. Importance of Network Security Composition and Architecture. (Page 1)
2. Network Hurdles: Threats, Vulnerability, Virus, Attacks etc. (Page 18)
3. Encryption and Decryption Security Systems. (Page 43)
4. Secured and Unsecured Layer Systems. (Page 70)
5. OS, LAN, WAN Security System. (Page 87)
6. Routers & Firewalls Compositions. (Page 140)
7. VPNs, Authorization and Authentication Systems. (Page 166)
8. Network Security Policy, Auditing and Monitoring Systems. (Page 182)
9. Conclusion. (Page 215)
1. Importance of Network Security Composition and Architecture
A computer engineer must be able to answer the question "Why is computer and network security important?" More than that, it is crucial for an organization to define why it wants to achieve computer security before it can determine how it will achieve it. A clear answer is also a useful tool when seeking senior management's authorization for security-related expenditures. Computer and network security is important for the following reasons.
1. To protect company assets (information): One of the primary goals of computer and network security is the protection of company assets. Here "assets" does not mean the hardware and software that make up the company's computers and networks; the assets are the "information" stored on those computers and networks. Information is a vital organizational asset, and network and computer security is concerned with the protection, integrity, and availability of that information. Information can be defined as data that is organized and accessible in a coherent and meaningful manner.
2. To gain a competitive advantage: Developing and maintaining effective security measures can provide an organization with a competitive advantage over its competition. Network security is particularly important in the arena of Internet financial services and e-commerce. It can make the difference between wide acceptance of a service and customers taking their business elsewhere. For example, how many people do you know who would use a bank's Internet banking system if they knew that the system had been successfully hacked in the past? Not many. They would go to the competition for their Internet banking services.
3. To comply with regulatory requirements and fiduciary responsibilities: Corporate officers of every company have a responsibility to ensure the safety and soundness of the organization. Part of that responsibility includes ensuring the continuing operation of the organization. Accordingly, organizations that rely on computers for their continuing operation must develop policies and procedures that address organizational security requirements. Such policies and procedures are necessary not only to protect company assets but also to protect the organization from liability. For-profit organizations must also protect shareholders' investments and maximize return. In addition, many organizations are subject to governmental regulation, which often stipulates requirements for the safety and security of an organization. For example, most financial institutions are subject to federal regulation. Failure to comply with federal guidelines can result in the seizure of a financial institution by federal regulators. In some cases, corporate officers who have not properly performed their regulatory and fiduciary responsibilities are personally liable for any losses incurred by the financial institution that employs them.
4. To keep the job: Finally, to secure one's position within an organization and to ensure future career prospects, it is important to put into place measures that protect organizational assets. Security should be part of every network or systems administrator's job. Failure to perform adequately can result in termination. Termination should not be the automatic result of a security failure, but if, after a thorough postmortem, it is determined that the failure was the result of inadequate policies and procedures or of failure to comply with existing procedures, then management needs to step in and make some changes.
The Security Trinity
The three essential components of the security trinity, prevention, detection, and response, comprise the basis for network security. The security trinity should be the foundation for all security policies and measures that an organization develops and deploys.
Prevention
The foundation of the security trinity is prevention. To provide some level of security, it is necessary to implement measures to prevent the exploitation of vulnerabilities. In developing network security schemes, organizations should emphasize preventative measures over detection and response: it is easier, more efficient, and much more cost-effective to prevent a security breach than to detect or respond to one. Remember that it is impossible to devise a security scheme that will prevent all vulnerabilities from being exploited, but companies should ensure that their preventative measures are strong enough to discourage potential criminals, so that they go to an easier target.
Detection
Once preventative measures are implemented, procedures need to be put in place to detect potential problems or security breaches, in the event that preventative measures fail. As later chapters show, it is very important that problems be detected immediately. The sooner a problem is detected, the easier it is to correct and clean up.
Response
Organizations need to develop a plan that identifies the appropriate response to a security breach. The plan should be in writing and should identify who is responsible for what actions, the varying responses, and the levels of escalation.
First, network security is not a technical problem; it is a business and people problem. The technology is the easy part. The difficult part is developing a security plan that fits the organization's business operation and getting people to comply with the plan. Next, companies need to answer some fundamental questions, including the following.
• How do you define network security?
• How do you determine what is an adequate level of security?
To answer these questions, you must determine what you or your company are trying to protect: information or a system. A system is a collection of various types of networks and architectures, either predefined or arising from the objectives of the system.
Information Security
Network security is concerned with the security of company information assets, and it is essential to a network. We often lose sight of the fact that it is the information, and our ability to access that information, that we are really trying to protect, and not the computers and networks. A simple definition for information security:
Information security = confidentiality + integrity + availability + authentication
There can be no information security without confidentiality; this ensures that unauthorized users do not intercept, copy, or replicate information. At the same time, integrity is necessary so that organizations have enough confidence in the accuracy of the information to act upon it. Moreover, information security requires organizations to be able to retrieve data; security measures are worthless if organizations cannot gain access to the vital information they need to operate when they need it.
Finally, information is not secure without authentication, which determines whether the end user is authorized to have access. Among the many elements of information security are ensuring adequate physical security; hiring proper personnel; developing, and adhering to, procedures and policies; strengthening and monitoring networks and systems; and developing secure applications. It is important to remember that information security is not just about protecting assets from outside hackers. The majority of the time, threats are internal to an organization: "We have found the enemy and it is us."
Information security is also about procedures and policies that protect information from accidents, incompetence, and natural disasters. Such policies and procedures need to address the following:
• Backups, configuration controls, and media controls;
• Disaster recovery and contingency planning;
• Data integrity.
It is also important to remember that network security is not absolute. All security is relative. Network security should be thought of as a spectrum that runs from very unsecured to very secure. The level of security for a system or network depends on where it lands along that spectrum relative to other systems. It is either more secure or less secure than other systems relative to that point. There is no such thing as an absolutely secure network or system. Network security is a balancing act that requires the deployment of "proportionate defenses."
The defenses that are deployed or implemented should be proportionate to the threat. Organizations determine what is appropriate in several ways, described as follows.
• Balancing the cost of security against the value of the assets they are protecting;
• Balancing the probable against the possible;
• Balancing business needs against security needs.
Organizations must determine how much it would cost to have each system or network compromised; in other words, how much it would cost in dollars to lose information or access to the system, or to experience information theft. By assigning a dollar value to the cost of having a system or network compromised, organizations can determine the upper limit they should be willing to pay to protect their systems. For many organizations this exercise is not necessary, because the systems are the lifeblood of the business. Without them, there is no organization. Organizations also need to balance the cost of security against the cost of a security breach.
Generally, as the investment in security increases, the expected losses should decrease. Companies should invest no more in security than the value of the assets they are protecting. This is where cost benefit analysis comes into play.
Moreover, organizations must balance possible threats against probable threats: as it is impossible to defend against every possible type of attack, it is necessary to determine what types of threats or attacks have the greatest probability of occurring and then protect against them.
It is also important to balance business needs with the need for security, assessing the operational impact of implementing security measures. Security measures and procedures that interfere with the operation of an organization are of little value. Those types of measures are usually ignored or circumvented by company personnel, so they tend to create, rather than plug, security holes. Whenever possible, security measures should complement the operational and business needs of an organization.
Risk Assessment
The concept of risk assessment is crucial to developing proportionate defenses. To perform a risk analysis, organizations need to understand possible threats and vulnerabilities. Risk is the probability that a vulnerability will be exploited. The basic steps for risk assessment are listed as follows:
• Identifying and prioritizing assets;
• Identifying vulnerabilities;
• Identifying threats and their probabilities;
• Identifying countermeasures;
• Developing a cost benefit analysis;
• Developing security policies and procedures.
To identify and prioritize information assets and to develop a cost benefit analysis, it is helpful to ask a few simple questions such as the following.
• What do you want to safeguard?
• Why do you want to safeguard it?
• What is its value?
• What are the threats?
• What are the risks?
• What are the consequences of its loss?
• What are the various scenarios?
• What will the loss of the information or system cost?
Prioritize assets and systems by assigning a dollar value to each asset. The dollar value can be the replacement cost, the cost of not having the asset available, or the cost to the organization of having the asset, such as proprietary information, obtained by a competitor. It is also necessary to include more obscure costs, such as loss of customer confidence. Weed out the probable threats from the possible. Determine what threats are most likely, and develop measures to protect against those threats.
Classification of Computer Networks
There are basically three ways of classifying networks, based on the following:
1. Based on Transmission Mode
2. Based on Authentication
3. Based on Geographical Location
Simplex
In simplex mode, the communication is unidirectional.
Half-Duplex
In half-duplex mode, the communication is bidirectional, but in only one direction at a time.
Full-Duplex
In full-duplex mode, both stations can transmit and receive simultaneously.
Based on Transmission Mode
Synchronous Transmission
Each bit reaches the destination with the same time delay after leaving the source.
Asynchronous Transmission
Packets are received with varying delays, so packets can arrive out of order. Some packets are not received correctly.
Based on Authentication
Peer to Peer Connection
In peer-to-peer networks, there are no dedicated servers. No computer can control the other computers.
Server Based Connection
A dedicated server is optimized to service requests from network clients. A server can control the clients for its services.
Based on Geographical Location
LAN (Local Area Network)
Networks which cover a close geographical area.
MAN (Metropolitan Area Network)
A metropolitan area network is an extension of a local area network to spread over a city.
WAN (Wide Area Network)
A WAN is spread over the world and may cover more than one city, country or continent.
WAN Technology
Systems in a WAN are connected indirectly. Generally, WAN networks are slower than LANs. WAN networks are owned or operated by network providers. If a WAN is owned by a single owner, it is called an enterprise network. Often these networks combine more than one topology.
Topology
Topology refers to the physical layout, including computers, cables, and other resources; it determines how components communicate with each other.
Today's network designs are based on three topologies:
Bus consists of a series of computers connected along a single cable segment.
Star connects computers via a central connection point or hub.
Ring connects computers to form a loop.
All computers, regardless of topology, communicate by addressing data to one or more computers and transmitting it across the cable as electronic signals. Data is broken into packets and sent as electronic signals that travel on the cable. Only the computer to which the data is addressed accepts it.
Protocol
A protocol is a set of rules: a formal description of message formats and of the rules two or more machines must follow to exchange messages. The key elements of a protocol are syntax, semantics and timing.
Syntax
Syntax refers to the structure or format of the data, meaning the order in which they are presented.
Semantics
Semantics refers to the meaning of each section of bits.
Timing
Timing refers to when data should be sent and how fast it can be sent.
Internetworking Technologies
Internetworking technologies describe how the Internet accommodates multiple underlying hardware technologies, how those technologies are interconnected to form the network, and the set of communication standards the network uses to interoperate.
The lowercase "internet" means multiple networks connected together using a common protocol suite. The uppercase "Internet" refers to the collection of hosts around the world that can communicate with each other using TCP/IP. While the Internet is an internet, the reverse is not true.

WAN Networking Devices


Repeaters
A repeater is a device that regenerates signals so that the signal can travel on additional cable segments. Repeaters do not translate or filter data. A repeater is used to connect two networks that use the same technology. It receives every data packet on each network and retransmits it onto the other network. The net result is that the two networks have exactly the same set of packets on them.
Its primary purpose is to get around limitations in cable length caused by signal loss or timing dispersion. For a repeater to function, both segments which the repeater joins must have the same media access scheme, protocol and transmission technique.
Repeaters can move packets from one medium to another. Some multiport repeaters can connect different types of media. Repeaters improve performance by dividing the network into segments, thus reducing the number of computers per segment.
Bridge
A bridge is a device that can join two LANs. However, a bridge can also divide an overloaded network into separate networks, reducing the traffic on each segment and making each network more efficient. A bridge can link unlike physical media such as twisted-pair and coaxial Ethernet. It can also link unlike network segments such as Ethernet and Token Ring. A bridge can be installed internally or externally. If the destination address is not listed in the bridge's address table, the bridge forwards the packet to all segments. Multiple bridges can be used to combine several LANs. Bridges are faster than routers because routers perform complex functions on each packet.
Switches
Switches allow different nodes of a network to communicate directly with each other in a smooth and efficient manner. Switches are divided into two types: store-and-forward and cut-through. A store-and-forward switch stores the data it receives before forwarding it to the respective system. A cut-through switch forwards the data to the respective system as soon as it can.
Routers
A router is a device used to connect networks that use different architectures and protocols. Routers can switch and transfer information packets across multiple networks. This process is called routing. They can determine the best path for sending data and filter broadcast traffic to the local segment. Routers cannot link to remote computers. They can read only addressed network packets. Routers can link segments that use different data packaging and media schemes.
Gateways
Gateways make communication possible between systems that use different communication protocols, data formatting structures, languages and architectures. Gateways repackage data going from one system to another. Gateways are usually dedicated servers on a network and are task-specific.
WAN Protocols
Frame Relay
Frame relay is used to connect a large number of sites in a network because it is relatively inexpensive to do so. The service provider gives you a frame relay circuit and you are charged for the amount of data and the bandwidth you use, as opposed to a T1 circuit, which charges a flat monthly rate whether you use partial bandwidth or the full bandwidth. Frame relay is a high performance WAN protocol that operates at the Data Link layer and the Physical layer of the OSI model.
Integrated Services Digital Network (ISDN)
Integrated Services Digital Network (ISDN) is designed to run over existing telephone networks. It can deliver end to end digital service carrying voice and data. ISDN operates at the physical layer, data link layer and network layer of the OSI model. It can carry multimedia and graphics along with all other voice and data services. ISDN supports all upper layer protocols, and you can choose PPP, HDLC or LAPD as your encapsulation protocol. It has two offerings. Primary Rate is 23B+D channels: 23 channels of 64 kbps and one 64 kbps channel used mainly for signaling. The other is Basic Rate, which has 2B+D channels: two of 64 kbps and one of 16 kbps.
At the data link layer ISDN supports two protocols, LAPB and LAPD. LAPB is used mainly to transfer data from the upper layers and has three types of frames. I-Frames carry upper layer information and carry out sequencing, flow control, error detection and recovery. S-Frames carry control information for the I-frames. LAPD provides an additional multiplexing function to the upper layers, enabling a number of network entities to operate over a single physical access. Each individual link procedure acts independently of the others. The multiplex procedure combines and distributes the data link channels according to the address information of the frame.
High Level Data Link Control (HDLC)
High Level Data Link Control (HDLC) is a bit oriented data link layer frame protocol that has many versions similar to LAP, LAPB, and LAPD. The default encapsulation on Cisco routers is HDLC, but that version is proprietary to Cisco.
Point to Point Protocol (PPP)
Point to Point Protocol (PPP) is a Data Link Layer protocol that can be used over either asynchronous (dial up) or synchronous (ISDN) lines. It uses the Link Control Protocol (LCP) to build and maintain data link connections. Included in PPP are the authentication protocols PAP and CHAP, and data compression. It supports IP, IPX, AppleTalk, DECnet and OSI/CLNS.
TCP/IP Layer Architecture
Each layer contains logical groupings of functions that provide specific services for facilitating a communication. A function, or a group of functions, making up a functional unit is a logical entity that accepts one or more inputs (arguments) and produces a single output (value) determined by the nature of the function. Functions can be grouped in a collective unit, which is then defined as the (N) layer, having the (N+1) layer as its upper boundary and the (N-1) layer as its lower boundary. The N layer receives services from the N-1 layer and provides services to the N+1 layer.
Internet Architecture
A few stand-alone systems were collected together into a network. People are now combining multiple networks together into an internetwork, or an internet. An internet is a collection of networks that all use the same protocol suite. The easiest way to build an internet is to connect two or more networks with a router. This is often a special-purpose hardware box for connecting networks. The following diagram shows two networks connected to form an internet.
Simple Internet
Two computers, anywhere in the world, following certain hardware, software and protocol specifications, can communicate reliably even when not directly connected. LANs are no longer scalable beyond a certain number of stations or geographic separation.
TCP/IP Layer Architecture
There is no standard for layers in TCP/IP. Some refer to five layers, including the physical layer, and some refer to four layers. The four layered structure of TCP/IP is seen in the way data is handled as it passes down the protocol stack from the Application Layer to the underlying physical network. Each layer in the stack adds control information to ensure proper delivery.
This control information is called a header because it is placed in front of the data to be transmitted. Each layer treats all of the information it received from the layer above as data and places its own header in front of that information. The addition of delivery information at every layer is called encapsulation. When data is received, each layer strips off its header before passing the data on to the layer above.
Each layer has its own data structures and terminology to describe that structure. In the application layer the TCP data is called a stream, whereas in UDP it is called a message. In the transport layer the TCP data is called a segment, whereas in UDP it is called a packet. In the Internet layer both TCP and UDP data are called datagrams. In the network access layer both TCP and UDP data are called frames.
Figure: TCP/IP layers (Application, Transport, Internet, Network Access).
Network Access Layer
The TCP/IP Network Access layer can encompass the functions of all three lower layers of the OSI Reference Model (Network, Data Link and Physical). As new hardware technologies appear, new Network Access protocols must be developed so that TCP/IP networks can use the new hardware.
Functions
• Addressing scheme: for this it provides a protocol called the Address Resolution Protocol (ARP), defined in RFC 826.
• Transmission of IP datagrams over Ethernet networks: this specifies how IP datagrams are encapsulated for transmission over Ethernet networks.
Header Encapsulation
TCP/IP Encapsulation
When an application sends data using TCP, the data is sent down the protocol stack, through each layer, until it is sent as a stream of bits across the network. Each layer adds information to the data by prepending headers (and sometimes adding trailer information) to the data that it receives. The unit of data that TCP sends to IP is called a TCP segment. The unit of data that IP sends to the network interface is called an IP datagram. The stream of bits that flows across the Ethernet is called a frame.
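The following Python script is an added illustration of the encapsulation just described; it is not code from the original study. It builds the three headers in front of a small application payload (TCP segment, then IP datagram, then Ethernet frame), computing the real Internet checksum for the IP header and the TCP pseudo-header checksum, and then peels the headers off again in the receiving order. The addresses, MACs, ports and HTTP payload are constructed sample values.

```python
import struct

# Constructed sample values for the walk-through (not from the page)
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.20"
SRC_MAC, DST_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:14"
SRC_PORT, DST_PORT = 40000, 80
APP_DATA = b"GET / HTTP/1.0\r\n\r\n"          # the application-layer "stream" data


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): ones'-complement of the ones'-complement
    sum of all 16-bit words, padding an odd-length input with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(seq: int, payload: bytes) -> bytes:
    """Transport layer: prepend a 20-byte TCP header (flags PSH+ACK, no options).
    The TCP checksum covers a pseudo-header (addresses, protocol 6, TCP length)
    followed by the header and data."""
    hdr = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = (ip_to_bytes(SRC_IP) + ip_to_bytes(DST_IP)
              + struct.pack("!BBH", 0, 6, len(hdr) + len(payload)))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ip_datagram(segment: bytes, ident: int = 1) -> bytes:
    """Internet layer: prepend a 20-byte IPv4 header (protocol 6 = TCP) with its checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident, 0, 64, 6, 0,
                      ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + segment


def ethernet_frame(datagram: bytes) -> bytes:
    """Network access layer: prepend a 14-byte Ethernet II header (EtherType 0x0800 = IPv4)."""
    return mac_to_bytes(DST_MAC) + mac_to_bytes(SRC_MAC) + b"\x08\x00" + datagram


def encapsulate(payload: bytes = APP_DATA, seq: int = 1000) -> bytes:
    """Going down the stack: stream -> TCP segment -> IP datagram -> Ethernet frame."""
    return ethernet_frame(ip_datagram(tcp_segment(seq, payload)))


def decapsulate(frame: bytes) -> dict:
    """Coming up the stack: each layer reads and strips its own header and hands the rest upward."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    datagram = frame[14:]
    ihl = (datagram[0] & 0x0F) * 4                     # IP header length in bytes
    total_len = struct.unpack("!H", datagram[2:4])[0]
    protocol = datagram[9]
    ip_checksum_ok = checksum(datagram[:ihl]) == 0     # an intact header sums to zero
    segment = datagram[ihl:total_len]
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    data_offset = (segment[12] >> 4) * 4               # TCP header length in bytes
    return {"ethertype": ethertype, "protocol": protocol, "ip_checksum_ok": ip_checksum_ok,
            "src_port": src_port, "dst_port": dst_port, "seq": seq,
            "payload": segment[data_offset:]}


if __name__ == "__main__":
    frame = encapsulate()
    print(len(frame), "bytes on the wire:", decapsulate(frame))
```

Running it shows 72 bytes on the wire for 18 bytes of application data: 14 bytes of Ethernet header, 20 of IP header and 20 of TCP header are the "control information" the text refers to, and decapsulate() recovers the original payload only after each layer has consumed exactly its own header.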
Internet Layer
All TCP/IP communication data flow through IP regardless of their final destination. IP provides the basic packet delivery service. The important protocol in this layer is the Internet Protocol.
Functions of the Internet Protocol
• Defining the datagram, which is the basic unit of transmission in the Internet.
• Defining the Internet addressing scheme.
• Routing datagrams to remote hosts.
• Performing fragmentation and reassembly of datagrams.
IP is a connectionless protocol. IP does not exchange control information to establish an end-to-end connection before transmitting data. It is also called an unreliable protocol because it contains no error detection and recovery code.
Fragmenting Datagrams
Datagrams may be routed through different networks. Each type of network has a Maximum Transmission Unit (MTU), which is the largest packet that it can transfer. A datagram received from one network may be too large to be transmitted in a single packet on a different network. In this case, the IP module in a gateway divides the datagram into smaller pieces. This process is called fragmentation.
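As an added worked example (not part of the original study), the following Python code models the fragmentation the text describes using only the IP header fields involved: the Identification field shared by all fragments, the Fragment Offset counted in 8-byte blocks, and the MF (more fragments) flag. It goes a little beyond the text in two respects: a fragment can itself be fragmented again at a later gateway with a smaller MTU, and the receiving side refuses to reassemble while a piece is missing or when pieces overlap. The 20-byte header length, MTU values and payload are assumptions chosen for the illustration.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20   # assumed header size; every fragment carries its own copy


@dataclass
class Datagram:
    """The IP header fields that matter for fragmentation, plus the data."""
    ident: int      # Identification: copied into every fragment so the receiver can group them
    offset: int     # Fragment Offset, counted in 8-byte blocks
    more: bool      # MF flag: True on every fragment except the last
    payload: bytes


def fragment(dgram: Datagram, mtu: int) -> list:
    """Split dgram so that header + data of every piece fits in mtu. Data lengths are
    multiples of 8 (except possibly the last) because the offset field counts 8-byte
    blocks. Works on an already-fragmented datagram too: the MF flag stays set on the
    last piece if the input was itself a middle fragment."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8
    if max_data <= 0:
        raise ValueError(f"MTU {mtu} leaves no room for data after a {IP_HEADER_LEN}-byte header")
    if IP_HEADER_LEN + len(dgram.payload) <= mtu:
        return [dgram]                               # fits as is, nothing to do
    pieces = []
    data = dgram.payload
    for start in range(0, len(data), max_data):
        chunk = data[start:start + max_data]
        is_last = start + max_data >= len(data)
        pieces.append(Datagram(dgram.ident, dgram.offset + start // 8,
                               dgram.more or not is_last, chunk))
    return pieces


def reassemble(pieces: list):
    """Rebuild the payload from fragments that may arrive in any order. Returns None while
    a piece is missing (a receiver must hold incomplete sets and drop them on a timer) and
    also when pieces overlap, which a well-formed fragment set never does."""
    pieces = sorted(pieces, key=lambda p: p.offset)
    if not pieces or pieces[0].offset != 0 or pieces[-1].more:
        return None                                  # no first piece, or no last piece yet
    data = b""
    for p in pieces:
        if p.offset * 8 != len(data):                # a gap or an overlap between pieces
            return None
        data += p.payload
    return data


if __name__ == "__main__":
    original = Datagram(ident=7, offset=0, more=False, payload=bytes(range(256)) * 16)
    hop1 = fragment(original, 1500)                  # constructed: Ethernet-sized MTU
    hop2 = [g for f in hop1 for g in fragment(f, 576)]   # constructed: smaller MTU downstream
    for p in hop2:
        print(f"id={p.ident} offset={p.offset:4} MF={int(p.more)} data={len(p.payload)}")
    print("reassembled OK:", reassemble(hop2) == original.payload)
```

The 4096-byte payload becomes three fragments at MTU 1500 and nine at MTU 576; reassembly succeeds regardless of arrival order, and the missing-piece and overlap checks are the conditions a receiver has to enforce before it trusts the rebuilt datagram.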
Transport Layer
The Transport Layer has two important protocols, one for connection oriented and one for connectionless service: TCP and UDP. TCP (Transmission Control Protocol) provides a connection oriented, reliable, byte stream service (RFC 793). TCP is an independent, general purpose protocol that can be adapted for use with delivery systems other than IP. A stream of 8-bit bytes is exchanged across a TCP connection. UDP (User Datagram Protocol) is a simple, unreliable, datagram-oriented, transport layer protocol (RFC 768).
Application Layer
The top of the TCP/IP architecture is the Application Layer. It contains a collection of services. Each service can be identified by a number called the port number. Each service is defined by a separate protocol and has its own RFC, e.g. FTP, Telnet.
2. Network Hurdles: Threats, Vulnerability, Virus, Attacks etc.
Before we begin our discussion of threats, vulnerabilities, and attacks, it is important to review TCP/IP basics and the seven-layer OSI model. This review is important because many of the attacks that are utilized today take advantage of some of the inherent vulnerabilities designed into the TCP/IP protocol suite. The attacks actually use the functioning of TCP/IP to defeat the protocol.
Protocols
Protocols are nothing more than a set of formal rules or standards that are used as a basis for communication. Protocols are designed to facilitate communications. We'll use the example of a protocol officer at an embassy to describe how protocols function. The job of a protocol officer is to ensure proper communication between the embassy and the host country. A network protocol functions in much the same manner, only it ensures communication between network devices. Before network devices are able to exchange data, it is necessary for the devices to agree on the rules (protocol) that will govern a communication session.
The OSI Reference Model
The OSI reference model is a seven-layer model that was developed by the International Standards Organization (ISO) in 1978. The OSI model is a framework for international standards that can be used for implementing a heterogeneous computer network architecture. The OSI architecture is split into seven layers. The following figure illustrates the seven layers of the OSI model. Each layer uses the layer immediately below it and provides a service to the layer above. In some implementations a layer may itself be composed of sublayers.
Figure: OSI model.
The physical layer addresses the physical link and is concerned with the signal voltage, bit rate, and duration. The data link layer is concerned with the reliable transmission of data across a physical link; in other words, getting a signal from one end of a wire to the other end. It handles flow control and error correction. The network layer handles the routing of data and ensures that data is forwarded to the right destination. The transport layer provides end-to-end control and constructs the packets into which the data is placed to be transmitted or "transported" across the logical circuit. The session layer handles the session set-up with another network node. It handles the initial handshake and negotiates the flow of information and the termination of connections between nodes. The presentation layer handles the conversion of data from the session layer, so that it can be "presented" to the application layer in a format that the application layer can understand. The application layer is the end-user interface. This includes interfaces such as browsers, virtual terminals, and FTP programs.
TCP/IP Protocol Suite
TCP/IP is a suite of protocols that can be used to connect dissimilar brands of computers and network devices. The largest TCP/IP network is the Internet. The Internet was developed by the U.S. DOD under the auspices of the Defense Advanced Research Project Agency (DARPA) when DOD scientists were faced with the problem of linking thousands of computers running different operating systems. The Defense Advanced Research Project Agency (DARPA) is a small organization within the Pentagon, but its impact on technology in general and on data communications in particular has been huge. For all practical purposes, DARPA's programs and funding created the Internet. You can think of the TCP/IP suite as the lifeblood of the Internet. The TCP/IP suite has become widely adopted because it is an open protocol standard that can be implemented on any platform regardless of the manufacturer. In addition, it is independent of any physical network hardware. TCP/IP can be implemented on Ethernet, X.25, and token ring, among other platforms. Although there are different interpretations of how to describe TCP/IP within a layered model, it is generally described as being composed of fewer layers than the seven used in the OSI model. The TCP/IP protocol suite generally follows a four-layer architecture.
The IP portion of TCP/IP is the connectionless network layer protocol. It is sometimes called an "unreliable" protocol, meaning that IP does not establish an end-to-end connection before transmitting datagrams and that it contains no error detection and recovery code. The datagram is the packet format defined by IP. IP operates across the network and data link layers of the OSI model and relies on the TCP protocol to ensure that the data reaches its destination correctly.
The heart of the IP portion of TCP/IP is a concept called the Internet address. This is a 32-bit number assigned to every node on the network. IP addresses are written in a dotted decimal format that corresponds to the 32-bit binary address. Each octet is assigned a number between 0 and 255. An example of an IP address in dotted decimal format is 12.31.80.1. This IP address translated into a 32-bit binary number is:
00001100 00011111 01010000 00000001
An IP address is divided into two parts, a network ID and a host ID, but the format of these parts depends on the class of the address. There are three main address classes: class A, class B, and class C. The formats differ in the number of bits allocated to the network ID and host ID and are distinguished by the first three bits of the 32-bit address.
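The conversion and the classful split described above, as an added Python example that is not part of the original study. It validates a dotted-decimal address (four octets, each 0 to 255), renders it as the 32-bit binary form shown for 12.31.80.1, reads the class from the leading bits, and separates network ID from host ID using the 8/16/24-bit network lengths of classes A, B and C. It goes slightly beyond the text by also recognizing classes D and E, which have no network/host split. The addresses other than 12.31.80.1 are constructed samples.

```python
def parse_octets(addr: str) -> list:
    """Split a dotted-decimal address into four integers, rejecting anything
    that is not exactly four decimal octets in the range 0..255."""
    parts = addr.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets, got {addr!r}")
    octets = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"octet is not a decimal number: {part!r}")
        value = int(part)
        if value > 255:
            raise ValueError(f"octet {value} exceeds 255 in {addr!r}")
        octets.append(value)
    return octets


def is_valid(addr: str) -> bool:
    """True if addr is a well-formed dotted-decimal IPv4 address."""
    try:
        parse_octets(addr)
        return True
    except ValueError:
        return False


def ip_to_binary(addr: str) -> str:
    """Dotted decimal -> 32-bit binary, written as four 8-bit groups
    in the same layout the text uses for 12.31.80.1."""
    return " ".join(f"{octet:08b}" for octet in parse_octets(addr))


def address_class(addr: str) -> str:
    """Classful address class from the leading bits of the first octet:
    0xxx -> A, 10xx -> B, 110x -> C, 1110 -> D (multicast), 1111 -> E (reserved)."""
    first = parse_octets(addr)[0]
    if first & 0b10000000 == 0:
        return "A"
    if first & 0b11000000 == 0b10000000:
        return "B"
    if first & 0b11100000 == 0b11000000:
        return "C"
    if first & 0b11110000 == 0b11100000:
        return "D"
    return "E"


# Number of leading bits that form the network ID in each unicast class.
NETWORK_BITS = {"A": 8, "B": 16, "C": 24}


def split_network_host(addr: str) -> tuple:
    """Return (network ID bits, host ID bits) for a class A, B or C address."""
    cls = address_class(addr)
    if cls not in NETWORK_BITS:
        raise ValueError(f"{addr} is class {cls}, which has no network/host split")
    bits = ip_to_binary(addr).replace(" ", "")
    n = NETWORK_BITS[cls]
    return bits[:n], bits[n:]


if __name__ == "__main__":
    # 12.31.80.1 is the text's example; the rest are constructed samples
    for sample in ("12.31.80.1", "172.16.0.1", "192.0.2.1", "224.0.0.1"):
        print(f"{sample:12} {ip_to_binary(sample)}  class {address_class(sample)}")
    print(split_network_host("12.31.80.1"))
```

For 12.31.80.1 the first bit is 0, so it is a class A address whose network ID is the first octet (00001100) and whose host ID is the remaining 24 bits; the validation step matters because an octet outside 0 to 255 cannot be represented in eight bits.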
The TCP portion of TCP/IP comes into operation once a packet is delivered to the correct Internet address. In contrast to IP, which is a connectionless protocol, TCP is connection oriented.
It establishes a logical end-to-end connection between two communicating nodes or devices. TCP operates at the transport layer of the OSI model and provides a virtual circuit service between end-user applications, with reliable data transfer, which is lacking in the datagram-oriented IP.
Software packages that follow the TCP standard run on each machine, establish a connection to each other, and manage the communications exchanges. TCP provides the flow control, error detection, and sequencing of the data; looks for responses; and takes the appropriate action to replace missing data blocks.
The end-to-end connection is established through the exchange of control information. This exchange of information is called a three-way handshake. This handshake is necessary to establish the logical connection and to allow the transmission of data to begin.
In its simplest form, host A would transmit to host B a segment with the synchronize sequence number bit set. This tells host B that host A wishes to establish a connection and informs host B of the starting sequence number for host A. Host B sends back to host A an acknowledgment and confirms its starting sequence number. Host A acknowledges receipt of host B's transmission and begins the transfer of data. Later in this chapter, I will explain how this three-way handshake can be exploited to disrupt the operation of a system.
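The exchange just described, as an added example that is not part of the original text: a small Python model of the server side of the three-way handshake that tracks half-open connections (SYN received, ACK not yet seen), which is the state the SYN flooding discussion later in this chapter turns on, and shows how a bounded table with a timeout lets a defender measure and bound that state. The segment layout, the backlog of five, the 30-second timeout, the sequence numbers and the addresses are all assumptions made for the illustration.

```python
from collections import namedtuple

# One TCP segment, reduced to the fields the handshake needs (assumed layout).
Segment = namedtuple("Segment", "src dst flags seq ack")


class TcpServer:
    """Server-side handshake state machine with a bounded half-open table."""

    SYN_RECEIVED = "SYN_RECEIVED"   # SYN seen, SYN-ACK sent, waiting for ACK
    ESTABLISHED = "ESTABLISHED"     # ACK seen, data may now flow

    def __init__(self, addr, backlog=5, timeout=30):
        self.addr = addr
        self.backlog = backlog      # max half-open entries (assumed value)
        self.timeout = timeout      # seconds before a half-open entry is reaped
        self.next_isn = 1000        # constructed starting sequence number
        self.table = {}             # peer address -> connection entry
        self.refused = 0            # SYNs dropped because the backlog was full

    def half_open(self):
        """Peers currently in SYN_RECEIVED: the metric a defender watches."""
        return [p for p, e in self.table.items() if e["state"] == self.SYN_RECEIVED]

    def receive(self, seg, now):
        """Process one inbound segment; return the reply segment, or None."""
        if seg.dst != self.addr:
            return None
        entry = self.table.get(seg.src)
        if seg.flags == "SYN":
            if entry is None and len(self.half_open()) >= self.backlog:
                self.refused += 1       # backlog exhausted: this SYN is lost
                return None
            isn = self.next_isn
            self.next_isn += 64000      # fixed increment: predictable, as the text notes
            self.table[seg.src] = {"state": self.SYN_RECEIVED, "isn": isn, "since": now}
            # SYN-ACK carries our starting sequence number and acknowledges the peer's SYN
            return Segment(self.addr, seg.src, "SYN-ACK", isn, seg.seq + 1)
        if seg.flags == "ACK" and entry and entry["state"] == self.SYN_RECEIVED:
            if seg.ack == entry["isn"] + 1:
                entry["state"] = self.ESTABLISHED
        return None

    def reap(self, now):
        """Drop half-open entries older than the timeout; return how many."""
        stale = [p for p in self.half_open() if now - self.table[p]["since"] > self.timeout]
        for p in stale:
            del self.table[p]
        return len(stale)


def handshake(client, server, now=0, client_isn=5000):
    """Full client-side handshake against server; True if it reaches ESTABLISHED."""
    syn = Segment(client, server.addr, "SYN", client_isn, 0)
    synack = server.receive(syn, now)
    if synack is None:
        return False                    # SYN was dropped, no connection
    ack = Segment(client, server.addr, "ACK", client_isn + 1, synack.seq + 1)
    server.receive(ack, now)
    return server.table[client]["state"] == TcpServer.ESTABLISHED


def send_unanswered_syns(server, sources, now=0):
    """SYNs from peers that never ACK (unreachable addresses); returns the half-open count."""
    for src in sources:
        server.receive(Segment(src, server.addr, "SYN", 1, 0), now)
    return len(server.half_open())


if __name__ == "__main__":
    srv = TcpServer("192.0.2.10")
    print("normal handshake established:", handshake("198.51.100.4", srv))
    print("half-open after five unanswered SYNs:",
          send_unanswered_syns(srv, ["203.0.113.%d" % i for i in range(1, 6)], now=1))
    print("new handshake while backlog is full:", handshake("198.51.100.5", srv, now=2))
    print("entries reaped after timeout:", srv.reap(now=40))
    print("handshake after reaping:", handshake("198.51.100.5", srv, now=41))
```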
Another important TCP/IP protocol is the user datagram protocol (UDP). Like TCP, UDP operates at the transport layer. The major difference between TCP and UDP is that UDP is a connectionless datagram protocol. UDP gives applications direct access to a datagram delivery service like the service IP provides. This allows applications to exchange data with a minimum of protocol overhead. The following figure illustrates the hierarchical relationship between IP and TCP/UDP and the applications that rely upon the protocols.
Figure: TCP/IP model.
The UDP protocol is best suited for applications that transmit small amounts of data, where the process of creating connections and ensuring delivery may be greater than the work of simply retransmitting the data. Another situation where UDP would be appropriate is when an application provides its own method of error checking and ensuring delivery.
Threats, Vulnerabilities, and Attacks
Now that we have reviewed some of the TCP/IP basics, we can proceed in our discussion of threats, vulnerabilities, and attacks. It is important to understand the differences among a threat, a vulnerability, and an attack in the context of network security.
Threats
A threat is anything that can disrupt the operation, functioning, integrity, or availability of a network or system. This can take any form and can be malevolent, accidental, or simply an act of nature.
Vulnerabilities
A vulnerability is an inherent weakness in the design, configuration, implementation, or management of a network or system that renders it susceptible to a threat. Vulnerabilities are what make networks susceptible to information loss and downtime. Every network and system has some kind of vulnerability.
Attacks
An attack is a specific technique used to exploit a vulnerability. For example, a threat could be a denial of service. A vulnerability is in the design of the operating system, and an attack could be a "ping of death." There are two general categories of attacks, passive and active. Passive attacks are very difficult to detect, because there is no overt activity that can be monitored or detected. Examples of passive attacks would be packet sniffing or traffic analysis. These types of attacks are designed to monitor and record traffic on the network. They are usually employed for gathering information that can be used later in active attacks. Active attacks, as the name implies, employ more overt actions on the network or system.
As a result, they can be easier to detect, but at the same time they can be much more devastating to a network. Examples of this type of attack would be a denial-of-service attack or active probing of systems and networks. Networks and systems face many types of threats. There are viruses, worms, Trojan horses, trap doors, spoofs, masquerades, replays, password cracking, social engineering, scanning, sniffing, war dialing, denial-of-service attacks, and other protocol-based attacks. It seems new types of threats are being developed every month. The following sections review the general types of threats that network administrators face every day, including specific descriptions of a few of the more widely known attacks.
Viruses
According to Computer Economics, Inc. (http://www.computereconomics.com), a computer research and analysis group, over $12 billion was spent worldwide in 1999 as a result of computer viruses. A virus, a parasitic program that cannot function independently, is a program or code fragment that is self-propagating. It is called a virus because, like its biological counterpart, it requires a "host" to function. In the case of a computer virus the host is some other program to which the virus attaches itself. A virus is usually spread by executing an infected program or by sending an infected file to someone else, usually in the form of an e-mail attachment. There are several virus scanning programs available on the market. Most are effective against known viruses. Unfortunately, however, they are incapable of recognizing and adapting to new viruses. In general, virus scanning programs rely on recognizing the "signature" of known viruses, turning to a database of known virus signatures that they use to compare against scanning results. The program detects a virus when a match is found. If the database is not regularly updated the virus scanner can become obsolete quickly. As one would expect, there is usually some lag time between the introduction of a new virus and a vendor updating its database. Invariably, someone always has the dubious distinction of being one of the early victims of a newly released virus.
Worm
A worm is a self-contained and independent program that is usually designed to propagate or spawn itself on infected systems and to seek other systems via available networks. The main difference between a virus and a worm is that a virus is not an independent program. However, there are new breeds of computer bugs that are blurring the difference between viruses and worms. The Melissa virus is an example of this new hybrid. In 1999 the Melissa virus attacked many users of Microsoft products. It was spread as an attachment, but the virus spread as an active process initiated by the virus. It was not a passive virus passed along by unsuspecting users. One of the first and perhaps the most famous worms was the Internet Worm created and released by Robert Morris. In 1986, Morris wrote his worm program and released it onto the Internet. The worm's functioning was relatively benign, but it still had a devastating effect on the Internet. The worm was designed to simply reproduce and infect other systems. Once released, the program would spawn another process. The other process was simply another running copy of the program. Then the program would search out other systems connected to the infected system and propagate itself onto the other systems on the network. The number of processes running grew geometrically. Figure 2.3 illustrates how the Internet worm grew and spread: One process spawned to become two processes. Two processes spawned to become four processes. Four processes spawned to become eight. It didn't take very long for the spawning processes to consume all the CPU and memory resources until the system crashed. In addition, each time the processes spawned another, the processes would seek outside connections. The worm was designed to propagate, seek out other systems to infect them, and then repeat the process.
Figure: Internet worm.
Stopping the processes from growing was a simple matter of rebooting the system. However, system administrators found that they would reboot their systems and get them functioning again only to find them being reinfected by another system on the Internet. To stop the worm from reinfecting systems on the network, all of the systems had to be shut down at the same time or taken off-line. The cost to clean up the Internet worm was estimated to be in the tens of millions of dollars. Morris was arrested, prosecuted, and convicted for his vandalism.
Trojan Horses
A Trojan horse is a program or code fragment that hides inside a program and performs a disguised function. This type of threat gets its name from Greek mythology and the story of the siege of Troy. The story tells of how Odysseus and his men conquered Troy by hiding within a giant wooden horse. A Trojan horse program hides within another program or disguises itself as a legitimate program. This can be accomplished by modifying the existing program or by simply replacing the existing program with a new one. The Trojan horse program functions much the same way as the legitimate program, but usually it also performs some other function, such as recording sensitive information or providing a trap door. An example would be a password grabber program. A password grabber is a program designed to look and function like the normal login prompt that a user sees when first accessing a system. For example, in the screen depicted in the following figure, the user has entered the username john and the correct password. However, the system tells the user that the login is incorrect. When the user tries again it works and he or she is able to log on.
Figure: Trojan horse login.
In this example a Trojan horse designed to steal passwords is actually controlling the interaction. The standard login.exe has been replaced with a Trojan horse program. It looks like the standard login prompt, but what is actually occurring is that the first login prompt is the Trojan horse. When the username and password are entered, that information is recorded and stored. Then the Trojan horse program displays the "login incorrect" message and passes the user off to the real login program, so that he or she can actually log on to the system. The user simply assumes that he or she mistyped the password the first time, never knowing that his or her username and password have just been stolen.
Trap Doors
A trap door or back door is an undocumented way of gaining access to a system that is built into the system by its designer(s). It can also be a program that has been altered to allow someone to gain privileged access to a system or process. There have been numerous stories of vendors utilizing trap doors in disputes with customers. One example is the story of a consultant who was contracted to build a system for a company. The consultant designed a trap door into the delivered system. When the consultant and the company got into a dispute over payment, the consultant used the trap door to gain access to the system and disable the system. The company was forced to pay the consultant to get its system turned back on again.
Logic Bombs
A logic bomb is a program or subsection of a program designed with malevolent intent. It is referred to as a logic bomb because the program is triggered when certain logical conditions are met. This type of attack is almost always perpetrated by an insider with privileged access to the network. The perpetrator could be a programmer or a vendor that supplies software.
As an example, I once heard a story about a corporation where a programmer engineered this type of attack. Apparently, the programmer had been having some trouble at the company at which he worked and was on probation. Fearing that he might be fired and with vengeance in mind, he added a subroutine to another program. The subroutine was added to a program that ran once a month and was designed to scan the company's human resources employee database to determine if a termination date had been loaded for his employee record. If the subroutine found that a termination date had been loaded, then it was designed to wipe out the entire system by deleting all files on the disk drives. The program ran every month, and so long as his employee record did not have a termination date, nothing would happen. In other words, if he were not fired the program would do no damage. Sure enough, this stellar employee was fired, and the next time the logic bomb that he created ran, it found a termination date in his employee record and wiped out the system. This is an example of how simple it can be, for one with privileged access to a system, to set up this type of attack.
Port Scanning
Like a burglar casing a target to plan a break-in, a hacker will often case a system to gather information that can later be used to attack the system. One of the tools that hackers often use for this type of reconnaissance is a port scanner. A port scanner is a program that probes well-known port numbers to detect services running on a system that can be exploited to break into the system. There are several port-scanning programs available on the Internet at various sites. They are not difficult to find. Organizations can monitor their system log files to detect port scanning as a prelude to an attack. Most intrusion detection software monitors for port scanning. If you find that your system is being scanned you can trace the scan back to its origination point and perhaps take some pre-emptive action. However, some scanning programs take a more stealthy approach to scanning that is very difficult to detect. For example, some programs use a SYN scan, which employs a SYN packet to create a half-open connection that doesn't get logged. SYN packets and half-open connections will be detailed later in this chapter.
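One way to do the log monitoring described above, as an added example that is not from the original text: a Python detector that parses firewall-style log lines and flags any source that touches many distinct destination ports within a short window. The log format, the sample lines, the addresses and the thresholds are all constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format (constructed): timestamp, action, src, dst, dport, proto.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: one source sweeps twelve well-known ports in a few seconds,
# one source hits only port 80 repeatedly, one touches three ports over a minute.
SAMPLE_LOG = """\
2024-03-01T09:15:00 DENY src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2024-03-01T09:15:00 DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01T09:15:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2024-03-01T09:15:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2024-03-01T09:15:01 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=53 proto=tcp
2024-03-01T09:15:02 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01T09:15:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=110 proto=tcp
2024-03-01T09:15:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=135 proto=tcp
2024-03-01T09:15:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=139 proto=tcp
2024-03-01T09:15:04 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T09:15:04 DENY src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp
2024-03-01T09:15:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2024-03-01T09:15:00 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01T09:15:07 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01T09:15:20 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01T09:16:00 ACCEPT src=192.0.2.9 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01T09:16:30 ACCEPT src=192.0.2.9 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T09:17:00 ACCEPT src=192.0.2.9 dst=192.0.2.10 dport=25 proto=tcp
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(lines, window_seconds=60, min_ports=10):
    """Flag sources that reach at least min_ports distinct ports inside one window.

    Both ACCEPT and DENY lines count, since a scanner learns from either answer.
    Returns {src: {"distinct_ports", "first", "last"}} for each flagged source,
    keeping the widest window seen for that source.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()                      # events within window_seconds of the latest
        for ev in events:
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            ports = {e["dport"] for e in window}
            if len(ports) >= min_ports:
                prev = alerts.get(src)
                if prev is None or len(ports) > prev["distinct_ports"]:
                    alerts[src] = {"distinct_ports": len(ports),
                                   "first": window[0]["ts"], "last": ev["ts"]}
    return alerts


if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print("possible port scan from %s: %d ports between %s and %s"
              % (src, info["distinct_ports"], info["first"], info["last"]))
```

A SYN scan that the target host itself never logs still shows up in a packet filter's log of inbound SYNs, which is why the detector reads firewall lines rather than the host's login records.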
Spoofs
Spoofs cover a broad category of threats. In general terms, a spoof entails falsifying one's identity or masquerading as some other individual or entity to gain access to a system or network or to gain information for some other unauthorized purpose. There are many different kinds of spoofs, including, among many others, IP address spoofing, session hijacking, domain name service (DNS) spoofing, sequence number spoofing, and replay attacks.
IP Address Spoofing
Every device on a TCP/IP network has a unique IP address. The IP address is a unique identification of the device, and no two devices on the network can have the same IP address. IP addresses are formatted as four decimal numbers separated by dots (e.g., 147.34.28.103). IP address spoofing takes advantage of systems and networks that rely on the IP address of the connecting system or device for authentication. For example, packet-filtering routers are sometimes used to protect an internal network from an external untrusted network. These routers will only allow specified IP addresses to pass from the external network to the internal network. If a hacker is able to determine an IP address that is permitted access through the router, he or she can spoof the address on the external network to gain access to the internal network. The hacker in effect masquerades as someone else.
Sequence Number Spoofing
TCP/IP network connections use sequence numbers. The sequence numbers are part of each transmission and are exchanged with each transaction. The sequence number is based upon each computer's internal clock, and the number is predictable because it is based on a set algorithm.
By monitoring a network connection, a hacker can record the exchange of sequence numbers and predict the next set of sequence numbers. With this information, a hacker can insert himself or herself into the network connection and, effectively, take over the connection or insert misinformation. The best defense against sequence number spoofing is to encrypt a connection. Encrypting a connection prevents anyone who may be monitoring the network from being able to determine the sequence numbers or any other useful information.
Session Hijacking
Session hijacking is similar to sequence number spoofing. In this process, a hacker takes over a connection session, usually between a client user and a server. This is generally done by gaining access to a router or some other network device acting as a gateway between the legitimate user and the server and utilizing IP spoofing. Since session hijacking usually requires the hacker to gain privileged access to a network device, the best defense to take is to properly secure all devices on the network.
DNS
Domain Name Service (DNS) is a hierarchical name service used with TCP/IP hosts that is distributed and replicated on servers across the Internet. It is used on the Internet and on intranets for translating IP addresses into host names. The host names can be used in URLs. DNS can be thought of as a lookup table that allows users to specify remote computers by host names rather than their IP addresses. The advantage of DNS is that you don't have to know the IP addresses for all the Internet sites to access the sites. DNS can be configured to use a sequence of name servers, based on the domains in the name being sought, until a match is found. The most commonly deployed DNS server software on the Internet is BIND.
DNS is subject to several different spoofs. Two common ones are the man in the middle (MIM) and DNS poisoning. Redirects, another less common attack, rely on the manipulation of the domain name registry itself to redirect a URL.
Man in the Middle Attack (MIM)
In a MIM attack, a hacker inserts himself or herself between a client program and a server on a network. By doing so the hacker can intercept information entered by the client, such as credit card numbers, passwords, and account information. Under one execution of this scheme, a hacker would place himself or herself between a browser and a Web server. The MIM attack, which is also sometimes called Web spoofing, is usually achieved by DNS or hyperlink spoofing. There are several ways a hacker can launch a MIM attack.
One way is to register a URL that is very similar to an existing URL. For example, a hacker could register a URL like www.microsoft.com. When someone who wants to go to the Microsoft Web site at www.microsoft.com mistakenly types in www.microsoft.com, they would be brought to a Web site set up by the hacker to look like the Microsoft Web site. The following figure illustrates how the process works.
Figure: MIM.
To Web surfers everything would look normal. They would interact with the counterfeit Web site just as they would with the real site. As the Web surfer enters in choices and information, the hacker's Web site can even pass it on to the real site and pass back to the Web surfer the screens that the real site returns.
DNS Poisoning
Another method that can be used to launch this attack is to compromise a DNS server. One method for doing so is known as DNS poisoning. DNS poisoning exploits a vulnerability in early versions of the Berkeley Internet Name Daemon (BIND). BIND, the most commonly deployed DNS software on the Internet, was developed for BSD UNIX. A network of Internet BIND servers translates native Internet IP addresses to the commonly used names such as www.ggu.edu for Golden Gate University. Prior to version 8.1 of BIND, it was possible to "poison" the table entries of a DNS server with false information. The information could include a false IP address for a DNS entry in the server's table.
The result could be that when someone used that DNS server to "resolve" the URL name, he or she would be directed to the incorrect IP address. By compromising a DNS server, a hacker can make a legitimate URL point to the hacker's Web site. The Web surfer might enter in www.amazon.com expecting to go to the Amazon.com Web site to purchase a book. The URL www.amazon.com normally points to xxx.xxx.xxx.xxx, but the hacker has compromised a DNS server to point that URL to his or her server. As a result, the Web surfer is brought to the hacker's site and not to Amazon.com.
Redirects
Under another method of DNS attack, hackers compromise a link on someone else's page or set up their own page with false links. In either case, the link could state that it is for a legitimate site, but in reality the link brings the Web surfer to a site set up and controlled by the hacker that looks like the site the Web surfer was expecting.
If all other attempts fail, a hacker can try manipulating the domain name registry system originally maintained by the InterNIC. In 1999, on at least three occasions, hackers were able to transfer domain names or redirect Internet surfers to sites other than the ones they were attempting to access. In one case Network Solutions' own DNS entry was altered, so that when users entered in the Network Solutions URL they were redirected to another site. In at least three other cases hackers were able to transfer ownership of domain names to other IP addresses. Once the ownership was transferred and the NSI database altered, anyone attempting to access those domains would be redirected to the new sites. In one case the domain for excite.com was transferred to an unsuspecting site that found itself inundated with the millions of hits that excite.com normally receives.
In other cases the ownership of the domains for the Ku Klux Klan and another site opposed to homosexuality called godhatesfags.com were transferred. Ownership of the Ku Klux Klan site was transferred to a site dedicated to fighting bigotry. Ironically, the godhatesfags.com domain was transferred to a site with the domain godlovesfags.com, a site that went on-line to appeal for tolerance.
No individuals from the sites to which the domains were redirected were involved with the manipulation of the domain name registry system. When employing the MIM attack, a hacker's false or counterfeit site can actually pass the client's requests on to the real site and return to the client the requested pages from the real site. All the while the hacker is monitoring and recording the interaction between the client and the server. There is really no effective countermeasure to MIM. This attack can even be successful when encryption, such as SSL, is being employed. It only requires the hacker to obtain a valid digital certificate to load on his or her server, so that SSL can be enabled. Web surfers need only to be careful about where they are browsing, confirming links and only trusting links from a secure and trusted site. Note that there are other methods to execute a redirect or MIM attack. For example, certain operating systems such as Microsoft's Windows 95, 98, and 2000 and Sun's Solaris have an inherent vulnerability in their implementation of the Internet Control Message Protocol (ICMP) Router Discovery Protocol (IRDP); ICMP is an integral part of the TCP/IP suite of protocols. Hackers can exploit this vulnerability by rerouting or modifying outbound traffic as they choose. A key limitation on an attack using this vulnerability is that the attacker must be on the same network as the targeted system.
Replay Attack
A hacker executes a replay attack by intercepting and storing a legitimate transmission between two systems and retransmitting it at a later time. Theoretically, this attack can even be successful against encrypted transmissions. The best defense to this attack is to use session keys, check the time stamp on all transmissions, and employ time-dependent message digests. This will be discussed further in.
Password Cracking
Password cracking is sometimes called a dictionary-based attack. Password crackers are programs that decipher password files. Password-cracking programs are available for most network and computer operating systems. They are able to decipher password files by utilizing the same algorithm used to create the encrypted password. They generally employ a dictionary of known words or phrases, which are also encrypted with the password algorithm. The password crackers compare each record in the password file against each record in the dictionary file to find a match. When a match is found, a password is found.
Sniffing
Network sniffing or packet sniffing is the process of monitoring a network in an attempt to gather information that may be useful in an attack. With the proper tools a hacker can monitor the network packets to obtain passwords or IP addresses. Many vendors manufacture hardware and software for legitimate purposes that can be abused by hackers. The only comforting fact about these products is that hackers usually can't afford them. They can, however, steal them. There are also some common utilities available and programs that can be downloaded from hacker sites such as tcpmon, tcpdump, or gobbler. Network Associates' Sniffer Pro is an example of a commercially available product. Password sniffing is particularly a threat for users who log into Unix systems over a network. Telnet or rlogin is usually employed when logging onto a Unix system over a network. Telnet and rlogin do not encrypt passwords. As a result, when a user enters in his or her password, it is transmitted in the clear, meaning anyone monitoring the network can read it. In contrast, both Novell and Windows NT workstations encrypt passwords for transmission. There are many tools available to reduce the risk of packet sniffing, including secure shell (ssh) and VPNs. However, useful information can still be discerned from a network that is completely encrypted. Sometimes even simple traffic analysis can provide useful information. Being able to identify the systems that have the most activity can be of great value.
Employing network switches instead of traditional hubs is another method to reduce the risk of network sniffing. There are also tools available that purport to detect unauthorized packet sniffers on a network. Typically, these products detect the characteristics of a network interface card (NIC) configured for promiscuous mode, which can be used to packet sniff a network. However, these systems can be countered by simply cutting the send wire on the NIC's cable. By doing so the NIC cannot send packets onto the network. Therefore, the sniffer detection programs will not be able to detect the NIC configured for promiscuous mode.
Web Site Defacement
Web site defacements are usually achieved by exploiting some incorrect configuration or known vulnerability of the Web server software, or by exploiting some other protocol-based vulnerability of the server's operating system. An organization's best defense against Web site defacement is to maintain the most recent versions of its Web server software and the server's operating system. Also, an organization should ensure that its Web administrator is properly trained to install and maintain the software. Some organizations have taken more creative approaches to ensuring the integrity of their Web sites by deploying network cache servers that update the Web servers. The cache server mirrors a particular Web site and periodically refreshes the Web server with the original image of the system. If the Web site is defaced by a hacker, the cache server will overwrite the hackers' changes when it pushes the Web site refresh out to the Web server.
War Dialing
War dialing is a brute-force method of finding a back door into an organization's network. It is particularly effective against a perimeter defense. Most organizations have telephone numbers that are within a specified range and begin with the same prefix. For example, let's consider a fictitious company called Acme Networks. All of the company's telephone numbers begin with 895; there are 4,000 extensions; and the first extension is 1000. The range of telephone numbers for Acme Networks begins at 595-1000 and ends at 595-5000. War dialing usually employs an automated dialing system (a program) to call every telephone number for the organization, searching for modem connections.
The program logs a telephone number whenever it finds a modem. Later, after the program has called every extension, the hacker can review the log for modems and go back and attempt to break into the system to which the modem is connected to gain access to the network. This method almost always works for large organizations. When dealing with a company with several thousand telephone numbers, the odds are with the hacker that some of them are connected to modems. I worked for a large company that hired one of the big consulting firms to test the company's network security. The consulting firm was unsuccessful at penetrating the corporate firewall. However, it employed war dialing and identified several telephone numbers that were connected to modems. One of the modems was connected to a PC running PC AnyWhere, which had been enabled to allow someone to dial into the office from home. The consultants were able to gain access to the network by exploiting a flaw in an early version of PC AnyWhere that allowed a user to bypass the password protection. Once on the network the consultants were able to compromise almost every system they hit, and no one detected the illicit activity. The one exception was my group; we detected the activity on the systems for which we were responsible and made inquiries into the source of the activity. It was then that we were told that it had been a test of the corporate network security.
The source code for war dialing programs may be obtained easily at many hacker sites. Some of the programs available are ToneLoc, PhoneTap, and Blue Deep. If you are a programmer, you may be interested in viewing the code, but I do not recommend using these programs. A word of warning is necessary here: You should always be careful when downloading programs on the Web, but when downloading from hacker sites you need to be especially careful. To understand why, simply reread the section on Trojan horses.
Denial of Service
Denial-of-service attacks are designed to shut down or render inoperable a system or network. The goal of the denial-of-service attack is not to gain access or information but to make a network or system unavailable for use by other users. It is called a denial-of-service attack because the end result is to deny legitimate users access to network services. Such attacks are often used to exact revenge or to punish some individual or entity for some perceived slight or injustice. Unlike real hacking, denial-of-service attacks do not require a great deal of experience, skill, or intelligence to succeed. As a result, they are usually launched by nerdy, young programmers who fancy themselves to be master hackers. There are many different types of denial-of-service attacks. The following sections present four examples: ping of death, "synchronize sequence number" (SYN) flooding, spamming, and smurfing. These are examples only and are not necessarily the most frequently used forms of denial-of-service attacks.
Ping of Death
The ping-of-death attack, with its melodramatic name, is an example of how simple it can be to launch a denial-of-service attack once a vulnerability has been discovered. Those who originally discover a vulnerability deserve credit, but it takes no great skill or intelligence to exploit it. To better understand how the ping of death worked or works, we need to once again review some TCP/IP basics. The ping of death exploited a flaw in many vendors' implementations of ICMP. ICMP is part of the IP portion of TCP/IP and operates at the Internet layer using the IP datagram to deliver messages; ping is a TCP/IP command that simply sends out an IP packet to a specified IP address or host name to see if there is a response from the address or host. It is often used to determine if a host is on the network or alive. The typical ping command syntax would be
    ping 145.34.35.56
    or
    ping www.acme.net
Many operating systems were or are vulnerable to larger-than-normal ICMP packets. As a result, specifying a large packet in a ping command can cause an overflow in some systems' internals that can result in system crashes. The command syntax would vary depending on the operating system you were using. Below are two examples, one for Windows and the other for Sun Solaris.
    Windows: ping -l 65527 -s 1 hostname
    Solaris: ping -s hostname 65527
Normally it requires a flood of pings to crash a system. Moreover, from firsthand experience I have found that you are just as likely to crash the system from which you are launching the attack as you are to crash the system you are targeting. Nevertheless, the ping-of-death approach may still constitute an effective denial-of-service attack. Once this vulnerability was discovered, most vendors issued operating system patches to eliminate the problem.
SYN Flooding
SYN flooding is a denial-of-service attack that exploits the three-way handshake that TCP/IP uses to establish a connection. Basically, SYN flooding disables a targeted system by creating many half-open connections. The following figure illustrates how a typical TCP/IP connection is established.
[Figure: Normal TCP/IP handshake.]
In the figure, the client transmits to the server a packet with the SYN bit set. This tells the server that the client wishes to establish a connection and what the starting sequence number will be for the client. The server sends back to the client an acknowledgment (SYN-ACK) and confirms its starting sequence number. The client acknowledges (ACK) receipt of the server's transmission and begins the transfer of data. With SYN flooding a hacker creates many half-open connections by initiating the connections to a server with the SYN bit set. However, the return address that is associated with the SYN would not be a valid address. The server would send a SYN-ACK back to an invalid address that would not exist or respond. Using available programs, the hacker would transmit many SYN packets with false return addresses to the server. The server would respond to each SYN with an acknowledgment and then sit there with the connection half-open, waiting for the final acknowledgment to come back. The following figure illustrates how SYN flooding works.
[Figure: SYN flooding exchange.]
The result from this type of attack can be that the system under attack may not be able to accept legitimate incoming network connections, so that users cannot log onto the system. Each operating system has a limit on the number of connections it can accept. In addition, the SYN flood may exhaust system memory, resulting in a system crash. The net result is that the system is unavailable or nonfunctional. One countermeasure for this form of attack is to set the SYN-relevant timers low so that the system closes half-open connections after a relatively short period of time. With the timers set low, the server will close the connections even while the SYN flood attack opens more.
SPAM
SPAM is unwanted e-mail. Anyone who has an e-mail account has received SPAM. Usually it takes the form of a marketing solicitation from some company trying to sell something we don't want or need. To most of us it is just an annoyance, but against a server it can also be used as a denial-of-service attack. By inundating a targeted system with thousands of e-mail messages, SPAM can eat available network bandwidth, overload CPUs, cause log files to grow very large, and consume all available disk space on a system. Ultimately, it can cause a system to crash. SPAM can be used as a means to launch an indirect attack on a third party. SPAM messages can contain a falsified return address, which may be the legitimate address of some innocent, unsuspecting person. As a result, an innocent person, whose address was used as the return address, may be spammed by all the individuals targeted in the original SPAM. E-mail filtering can prevent much unwanted e-mail from getting through. Unfortunately, it frequently filters out legitimate e-mail as well.
Smurf Attack
The smurf attack is named after the source code employed to launch the attack (smurf.c). The smurf attack employs forged ICMP echo request packets and the direction of those packets to IP network broadcast addresses. The attack issues the ICMP ECHO_REQUEST to the broadcast address of another network. The attack spoofs as the source address the IP address of the system it wishes to target. The following figure illustrates how a smurf attack works.
[Figure: Smurf attack.]
When the systems on the network to whose broadcast address the ECHO_REQUEST is sent receive the packet with the falsified source address (i.e., the return address), they respond, flooding the targeted victim with the echo replies. This flood can overwhelm the targeted victim's network. Both the intermediate and victim's networks will see degraded performance. The attack can eventually result in the inoperability of both networks.
There are steps that the intermediate network can take to prevent itself from being used in this way. The steps include configuring network devices not to respond to ICMP ECHO_REQUESTs and disabling IP directed broadcasts from passing the network routers. There are really no steps that the targeted victim can take to prevent this kind of attack. The only defense is contacting the intermediate network to stop the ECHO_REQUESTs from being relayed, once an organization determines that it is the victim of an attack.
Denial-of-service attacks are the most difficult to defend against, and, of the possible attacks, they require the least amount of expertise to launch. In general, organizations should monitor for anomalous traffic patterns, such as SYN-ACKs but no return ACKs. Since most routers filter incoming and outgoing packets, router-based filtering is the best defense against denial-of-service attacks. Organizations should use packet filters that filter based on destination and sender address. In addition, they should always use SPAM/sendmail filters. Keep in mind there is a tradeoff with packet and mail filtering. The filtering that is performed to detect denial-of-service attacks will slow network performance, which may frustrate an organization's end users and slow its applications. In addition, mail filtering will bounce some e-mails that really should be allowed through, which may also aggravate end users.
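The monitoring rule just stated (SYN-ACKs with no return ACK) and the low-timer countermeasure from the SYN flooding section can be checked against a packet log; the following is an added example, not the book's code, and its log format, addresses and timestamps are constructed.

```python
"""Flag SYN-flood symptoms in a TCP flag log (added example, not the book's code).

Each connection is followed through the handshake described above:
SYN -> SYN-ACK -> ACK. One that reached SYN-ACK but never got the final
ACK is "half-open"; a server piling up many of them in a short window is
showing the pattern the text says to monitor for (SYN-ACKs but no return
ACKs). Log format, addresses and timestamps are constructed.
"""
from collections import defaultdict

# Constructed sample log, one packet per line: "<seconds> <src> <dst> <flags>".
# The first client completes its handshake; four others never send the ACK.
SAMPLE_LOG = """\
0.00 10.0.0.5:40001 192.0.2.10:80 SYN
0.01 192.0.2.10:80 10.0.0.5:40001 SYN-ACK
0.02 10.0.0.5:40001 192.0.2.10:80 ACK
0.10 203.0.113.1:1001 192.0.2.10:80 SYN
0.11 192.0.2.10:80 203.0.113.1:1001 SYN-ACK
0.12 203.0.113.2:1002 192.0.2.10:80 SYN
0.13 192.0.2.10:80 203.0.113.2:1002 SYN-ACK
0.14 203.0.113.3:1003 192.0.2.10:80 SYN
0.15 192.0.2.10:80 203.0.113.3:1003 SYN-ACK
0.16 203.0.113.4:1004 192.0.2.10:80 SYN
0.17 192.0.2.10:80 203.0.113.4:1004 SYN-ACK
"""


def parse_log(text):
    """Turn the log text into (timestamp, src, dst, flags) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, flags = line.split()
            events.append((float(ts), src, dst, flags))
    return events


def half_open_connections(events, now, timeout):
    """Map server -> list of clients whose handshake stalled after SYN-ACK.

    `timeout` models the OS timer the text recommends setting low: a
    half-open entry older than `timeout` seconds at time `now` is treated
    as already reaped by the server and is no longer counted.
    """
    pending = {}  # (client, server) -> time the SYN-ACK was sent
    for ts, src, dst, flags in events:
        if flags == "SYN-ACK":
            pending[(dst, src)] = ts  # src is the server answering dst
        elif flags == "ACK":
            pending.pop((src, dst), None)  # client finished the handshake
    stalled = defaultdict(list)
    for (client, server), sent_at in pending.items():
        if now - sent_at <= timeout:
            stalled[server].append(client)
    return dict(stalled)


def syn_flood_alerts(events, now, timeout, threshold):
    """Servers whose live half-open count reaches `threshold`."""
    counts = half_open_connections(events, now, timeout)
    return {server: len(clients) for server, clients in counts.items()
            if len(clients) >= threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("default timer:", syn_flood_alerts(events, now=0.5, timeout=1.0, threshold=3))
    print("short timer:  ", syn_flood_alerts(events, now=0.5, timeout=0.1, threshold=3))
```

With the default timer the server shows four stalled handshakes and is flagged; with the short timer the same log raises no alert, which is the effect of the countermeasure described above.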
Search Engines
Finally, the various Internet search engines can be a great resource when looking for information on network and system security. There are literally thousands of sites on the Internet that provide useful information. The nice thing about using the search engines is that you can tailor your search to a specific topic. If you want information on Windows NT IIS, you don't want to have to wade through pages about Unix security or Netscape Enterprise Server. There is plenty of information out there on the Internet; the only problem with much of the information is that you have no way of determining its quality or the reliability of the source.
3. Encryption and Decryption Security Systems.
Traditionally, cryptography conjures up thoughts of spies and secret codes. In reality, cryptography and encryption have found broad application in society. Every time you use an ATM machine to get cash or a point-of-sale machine to make a purchase, you are using encryption. Encryption is the process of scrambling the contents of a file or message to make it unintelligible to anyone not in possession of the "key" required to unscramble it. Civilizations have been using various cryptosystems for at least 4,000 years. A cryptosystem or algorithm is the process or procedure to turn plain text into cryptotext. A crypto algorithm is also known as a "cipher." There are several key elements that go into making an effective cryptosystem. First and foremost it must be reversible. A crypto algorithm is of no practical use if, once you have scrambled your information, you cannot unscramble it. The security of the cryptosystem should be dependent on the secrecy and length of the key and not on the details of the algorithm. In other words, knowing the algorithm should not make it significantly easier to crack the code (restricted versus unrestricted). If security is dependent on keeping the algorithm secret, then it is considered a "restricted" algorithm. It is also important that the algorithm has been subjected to substantial cryptanalysis. Only those algorithms that have been analyzed completely and at length are trustworthy. The algorithm should contain no serious or exploitable weakness. Theoretically, all algorithms can be broken by one method or another. However, an algorithm should not contain an inherent weakness that an attacker can easily exploit.
Below is an example of a cipher; to scramble a message with this cipher, simply match each letter in a message to the first row and convert it into the number or letter in the second row. To unscramble a message, match each letter or number in a message to the corresponding number or letter in the second row and convert it into the letter in the first row.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 2 3 4 5 6 A B C D E F G H I J K L M N O P Q R S T
To illustrate how this works, see the following, where the cipher is used to scramble the message "Little green apples."
• Cipher text: FCNNF5 AL55H 1JJF5M.
• Clear text: LITTLE GREEN APPLES.
This rudimentary cipher would not be effective at keeping a message secret for long. It does not comply with one of the qualities of a truly effective cipher, where knowing the algorithm should not make it significantly easier to crack the code. This is an example of a restricted algorithm. In this case, the cipher is the code. Once you know the cipher, you can unscramble any message. Ciphers usually fall into one of two categories: block ciphers or stream ciphers.
Stream Ciphers
Stream cipher algorithms process plaintext to produce a stream of ciphertext. The cipher inputs the plaintext in a stream and outputs a stream of ciphertext. The following figure illustrates the concept of the stream cipher's function.
[Figure: Stream cipher.]
Stream ciphers have several weaknesses. The most crucial shortcoming of stream ciphers is the fact that patterns in the plaintext can be reflected in the ciphertext. To illustrate this weakness we can use the rudimentary cipher introduced earlier in the chapter. Below, I have scrambled the plaintext message "Let us talk one to one" into ciphertext to compare the two patterns:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 2 3 4 5 6 A B C D E F G H I J K L M N O P Q R S T
• Plaintext: Let us talk one to one.
• Ciphertext: F5N OM N1FE IH5 NI IH5.
Patterns in the plaintext are reflected in the ciphertext. Words and letters that are repeated in the plaintext are also repeated in the ciphertext. Knowing that certain words repeat makes breaking the code easier. In addition, certain words in the English language appear with predictable regularity. Letters of the alphabet also appear with predictable regularity. The most commonly used letters of the alphabet in the English language are E, T, A, O, N, and I. The least commonly used letters in the English language are J, K, X, Q, and Z. The most common combination of letters in the English language is "th." As a result, if a code breaker is able to find a "t" in a code, it doesn't take long to find an "h." It is not hard for a trained code breaker to break this type of code.
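The two-row cipher from the table above, implemented as an added example (not the book's code), with a pattern check that makes the weakness just described measurable: repeated plaintext words and letter frequencies survive the substitution unchanged.

```python
"""The rudimentary substitution cipher from the table above, plus a simple
pattern analysis showing why it leaks structure (added example).
"""
from collections import Counter

PLAIN_ROW = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # first row of the table
CIPHER_ROW = "123456ABCDEFGHIJKLMNOPQRST"  # second row of the table
ENCODE = dict(zip(PLAIN_ROW, CIPHER_ROW))
DECODE = dict(zip(CIPHER_ROW, PLAIN_ROW))


def scramble(message):
    """Look each letter up in the first row and emit the symbol beneath it.
    Spaces and punctuation are not in the table and pass through unchanged,
    as in the book's two examples; case is ignored."""
    return "".join(ENCODE.get(ch, ch) for ch in message.upper())


def unscramble(ciphertext):
    """Reverse lookup: second row back to the letter in the first row."""
    return "".join(DECODE.get(ch, ch) for ch in ciphertext.upper())


def repeated_tokens(text):
    """Words that occur more than once. A fixed substitution maps identical
    plaintext words to identical ciphertext words, so the counts match."""
    words = text.upper().rstrip(".").split()
    return {w: n for w, n in Counter(words).items() if n > 1}


def symbol_frequency(text):
    """Frequency of each letter/symbol, ignoring spaces and punctuation.
    The most frequent ciphertext symbol is the image of the most frequent
    plaintext letter, which is what English letter statistics exploit."""
    return Counter(ch for ch in text.upper() if ch.isalnum())


if __name__ == "__main__":
    for msg in ("Little green apples.", "Let us talk one to one."):
        ct = scramble(msg)
        print(msg, "->", ct, "->", unscramble(ct))
        print("  repeated words:", repeated_tokens(msg), repeated_tokens(ct))
        print("  top symbols:   ", symbol_frequency(ct).most_common(3))
```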
Another weakness of stream ciphers is that they can be susceptible to a substitution attack even without breaking the code. This is a type of replay attack where someone can simply copy a section of an old message and insert it into a new message. You don't need to break the code to insert the old section into a new message. Examples of stream ciphers include the Vernam cipher, Rivest Cipher #4 (RC4), and one-time pads.
Block Ciphers
Block ciphers differ from stream ciphers in that they encrypt and decrypt information in fixed-size blocks rather than encrypting and decrypting each letter or word individually. A block cipher passes a block of data or plaintext through its algorithm to generate a block of ciphertext. Ideally, a block cipher should generate ciphertext roughly equivalent in size (in terms of number of blocks) to the cleartext. A cipher that generates a block of ciphertext that is significantly larger than the information it is trying to protect is of little practical value. Think about it in terms of network bandwidth: if the ciphertext block was twice the size of the plaintext, the net effect is that your bandwidth would be cut in half. This would also have an impact on files stored in an encrypted format. An unencrypted file 10 MB in size would be 20 MB in size when encrypted.
Breaking Ciphers
For as long as ciphers have existed, there have been people trying to break them. There are many methods employed to break ciphers. Some methods are ingenious. Some are sophisticated and technical in nature, while others are more crude in nature. The following sections describe some of the more widely used techniques employed in breaking ciphers.
Known Plaintext Attack
This method relies on the code breaker knowing in advance the plaintext content of a ciphertext message. Having both the plaintext and the ciphertext, the code breaker reengineers the cipher and the key used to create the ciphertext.
Chosen Plaintext Attack
This method relies on the ability of the code breaker to somehow get a chosen plaintext message encrypted. During World War II the United States used a variation of this method to ascertain the plans of the Japanese navy in the Pacific.
Right after Pearl Harbor the U.S. Pacific Fleet was forced to fight what was primarily a defensive war. The U.S. Pacific Fleet had been devastated by the Japanese surprise attack on Pearl Harbor, and all that was left of the fleet were three aircraft carriers and a handful of supporting ships.
The United States had some success in breaking the Japanese codes. The U.S. Navy had determined that the Japanese were planning to attack a location referred to in their transmissions as "AF." The United States suspected that site AF was Midway Island. To determine if AF was, in fact, Midway, the United States ordered that a message be transmitted from Midway stating that the island's water condenser had broken down. The message was to be sent in the clear so that there would be no chance that the Japanese could fail to intercept it.
Sure enough, the Japanese took the bait. A few days later, the United States intercepted a Japanese coded message stating that AF's water condenser had failed.
From that message the United States knew that the Japanese were going to attack Midway. As a result, the United States was able to send what was left of the Pacific Fleet to Midway, where they ambushed the Japanese carrier task force. The United States sank four of the Japanese front-line aircraft carriers. It was a strategic victory for the United States in the Pacific from which the Japanese navy never recovered. From that point on, it was the Japanese Navy that was forced to fight a defensive war.
Cryptanalysis
Technically, any method employed to break a cipher or code is cryptanalysis. However, when I refer to cryptanalysis I am specifically talking about employing mathematical analysis to break a code. This method requires a high level of skill and sophistication. It is usually only employed by academics and governments. Today it relies very heavily on the use of ultrafast supercomputers.
Probably the most active and successful organization in the world dedicated to breaking codes is the National Security Agency (NSA). This is the largest and most secret spy agency in the United States. It is sometimes referred to as the Puzzle Palace, because the group spends so much time and energy on codes and ciphers. The NSA employs tens of thousands of people. The only comparable organization in the world ever to have existed in terms of size is the former Soviet Union's KGB. But with the breakup of the Soviet Union, the NSA is now left without peers.
Brute Force
The brute force method tries every possible combination of keys or algorithms to break a cipher. Doing so can require tremendous resources. Usually, this type of attack requires computer assistance. If the algorithm is simple or the key is small, then the CPU resources required could be provided by a simple PC. If the algorithm is sophisticated or the key is large, then advanced computing power might be required.
Social Engineering
This method relies on breaking a cipher by getting someone knowledgeable about the cipher to reveal information on how to break it. Bribing someone, tricking him or her into divulging information, or threatening him or her with harm can reveal information. When the threat of harm is employed it is sometimes referred to as rubber-hose cryptanalysis.
Other Types of Attacks
Some other types of attacks are discussed as follows.
• Substitution: This is a type of replay attack where a previous message, in part or in whole, is inserted into a legitimate message. An attacker does not need to break the cipher for this type of attack to be effective.
• Timing attacks: Some cryptosystems can be broken if an outsider is able to accurately measure the time required to perform the encryption and decryption of a known ciphertext. The known ciphertext and the timing provide enough information to deduce fixed exponents and factors of some systems. This vulnerability is mostly theoretical. If an attacker has enough access to a network to be able to accurately measure the time required to encrypt and decrypt information, then you have other and bigger problems to worry about.
Encryption
Encryption is the process of scrambling the contents of a file or message to make it unintelligible to anyone not in possession of the "key" required to unscramble the file or message. There are two types of encryption: symmetric (private/secret) key and asymmetric (public) key encryption.
Symmetric Key Encryption
When most people think of encryption, it is symmetric key cryptosystems that they think of. Symmetric key, also referred to as private key or secret key, is based on a single key and algorithm being shared between the parties who are exchanging encrypted information. The same key both encrypts and decrypts messages. This concept is illustrated in the following figure.
[Figure: Symmetric key encryption.]
The strength of the scheme is largely dependent on the size of the key and on keeping it secret. Generally, the larger the key, the more secure the scheme. In addition, symmetric key encryption is relatively fast.
The main weakness of the system is that the key or algorithm has to be shared. You can't share the key information over an unsecured network without compromising the key. As a result, private key cryptosystems are not well suited for spontaneous communication over open and unsecured networks. In addition, symmetric key provides no process for authentication or nonrepudiation. Remember, nonrepudiation is the ability to prevent individuals or entities from denying (repudiating) that a message was sent or received or that a file was accessed or altered, when in fact it was. This ability is particularly important when conducting e-commerce.
Data Encryption Standard (DES)
DES is one of the oldest and most widely used algorithms. DES was developed by IBM with the encouragement of the NSA. It was originally deployed in the mid 1970s. DES consists of an algorithm and a key. The key is a sequence of eight bytes, each containing eight bits, for a 64-bit key. Since each byte contains one parity bit, the key is actually 56 bits in length. According to author James Bamford in his book The Puzzle Palace, IBM originally intended to release the DES algorithm with a 128-bit key, but the NSA convinced IBM to release it with the 56-bit key instead. Supposedly this was done to make it easier for the NSA to decrypt covertly intercepted messages.
DES is widely used in automated teller machine (ATM) and point-of-sale (POS) networks, so if you use an ATM or debit card you are using DES. DES has been enhanced with the development of triple DES. However, DES has been broken. It is gradually being phased out of use.
International Data Encryption Algorithm (IDEA)
IDEA is a symmetric key block cipher developed at the Swiss Federal Institute in the early 1990s. IDEA utilizes a 128-bit key. Supposedly, it is more efficient to implement in software than DES and triple DES. Since it was not developed in the United States, it is not subject to U.S. export restrictions.
CAST
The CAST algorithm supports variable key lengths, anywhere from 40 bits to 256 bits in length. CAST uses a 64-bit block size, which is the same as DES, making it a suitable drop-in replacement. CAST has been reported to be two to three times faster than a typical implementation of DES and six to nine times faster than a typical implementation of triple DES. The CAST algorithm was developed by Carlisle Adams and Stafford Tavares and patented by Entrust Technologies, but a version of the CAST algorithm is available for free commercial and noncommercial use. CAST is employed in Pretty Good Privacy (PGP).
Rivest Cipher #4 (RC4)
Developed by Ron Rivest of RSA fame, RC4 is a stream cipher that uses a variable-size key. However, when used with a key of 128 bits it can be very effective. Until recently, the approved export version only used a 40-bit key. RC4 is used in Netscape Navigator and Internet Explorer.
Asymmetric Key Encryption
For centuries, all cryptography was based on symmetric key cryptosystems. Then in 1976, two computer scientists, Whitfield Diffie and Martin Hellman of Stanford University, introduced the concept of asymmetric cryptography. Asymmetric cryptography is also known as public key cryptography. Public key cryptography uses two keys as opposed to one key for a symmetric system. With public key cryptography there is a public key and a private key. The keys' names describe their function. One key is kept private, and the other key is made public. Knowing the public key does not reveal the private key. A message encrypted by the private key can only be decrypted by the corresponding public key. Conversely, a message encrypted by the public key can only be decrypted by the private key. This process is illustrated in the following figure.
[Figure: Asymmetric key encryption.]
With the aid of public key cryptography, it is possible to establish secure communications with any individual or entity when using a compatible software or hardware device. For example, if Alice wishes to communicate in a secure manner with Bob, a stranger with whom she has never communicated before, Alice can give Bob her public key. Bob can encrypt his outgoing transmissions to Alice with Alice's public key. Alice can then decrypt the transmissions using her private key when she receives them.
Only Alice's private key can decrypt a message encrypted with her public key. If Bob transmits to Alice his public key, then Alice can transmit secure encrypted data back to Bob that only Bob can decrypt. It doesn't matter that they exchanged public keys on an unsecured network. Knowing an individual's public key tells you nothing about his or her private key. Only an individual's private key can decrypt a message encrypted with his or her public key. The security breaks down if either of the parties' private keys is compromised.
While symmetric key cryptosystems are limited to securing the privacy of information, asymmetric or public key cryptography is much more versatile. Public key cryptosystems can provide a means of authentication and can support digital certificates. With digital certificates, public key cryptosystems can provide enforcement of nonrepudiation. Unlike symmetric key cryptosystems, public key allows for secure spontaneous communication over an open network. In addition, it is more scalable for very large systems (tens of millions) than symmetric key cryptosystems. With symmetric key cryptosystems, the key administration for large networks is very complex.
Public Key Cryptosystems
There are three public key algorithms in wide use today: Diffie-Hellman, RSA, and the Digital Signature Algorithm (DSA). They are described in the following sections.
Diffie-Hellman
The Diffie-Hellman algorithm was developed by Whitfield Diffie and Martin Hellman at Stanford University. It was the first usable public key algorithm. Diffie-Hellman is based on the difficulty of computing discrete logarithms. It can be used to establish a shared secret key that can be used by two parties for symmetric encryption. Diffie-Hellman is often used for IPSEC key management protocols.
For spontaneous communications with Diffie-Hellman, two communicating entities would each generate a random number that is used as their private key. They exchange public keys. They each apply their private key to the other's public key to compute identical values (the shared secret key). They then use the shared secret key to encrypt and exchange information.
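The exchange described in the paragraph above, carried through step by step, as an added example that is not the book's code; the prime and generator are constructed toy parameters chosen so the arithmetic is easy to follow, and the brute-force discrete logarithm at the end is what an eavesdropper would have to solve, which is only feasible here because the group is tiny.

```python
"""Diffie-Hellman key agreement as described above (added example).

Toy parameters: P is a prime and G a generator of the multiplicative
group mod P. They are far too small for real use, where standardized
groups of 2048 bits or more are used; they exist here so the exchange
can be traced by hand.
"""
import secrets

P = 2_147_483_647  # 2^31 - 1, a Mersenne prime (constructed toy parameter)
G = 7              # a primitive root modulo P


def make_private_key(p=P):
    """Step 1: each party generates a random number kept secret."""
    return secrets.randbelow(p - 2) + 1  # in the range [1, p-2]


def make_public_key(private_key, p=P, g=G):
    """Step 2: the value each party sends over the open network, g^x mod p."""
    return pow(g, private_key, p)


def shared_secret(own_private, peer_public, p=P):
    """Step 3: apply own private key to the peer's public key, peer^x mod p.
    Alice gets (g^b)^a and Bob gets (g^a)^b, both equal to g^(ab) mod p."""
    return pow(peer_public, own_private, p)


def key_agreement(p=P, g=G):
    """Run the full exchange for two parties and return both results, so a
    caller can confirm that the two sides derived the same secret key."""
    a, b = make_private_key(p), make_private_key(p)
    pub_a, pub_b = make_public_key(a, p, g), make_public_key(b, p, g)  # exchanged in the clear
    return shared_secret(a, pub_b, p), shared_secret(b, pub_a, p)


def discrete_log_brute(g, target, p):
    """What an eavesdropper holding p, g and a public value must compute:
    the x with g^x mod p == target. Trying every x costs up to p steps,
    which is why the security rests on the size of the group."""
    acc = 1
    for x in range(p):
        if acc == target:
            return x
        acc = acc * g % p
    return None


if __name__ == "__main__":
    alice_secret, bob_secret = key_agreement()
    print("secrets match:", alice_secret == bob_secret)
    # Tiny textbook group p=23, g=5 so the eavesdropper's work can be shown.
    print("recovered private key:", discrete_log_brute(5, make_public_key(6, 23, 5), 23))
```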
Rivest, Shamir, Adleman (RSA)
The RSA public key algorithm was developed by Ron Rivest, Adi Shamir, and Len Adleman at MIT. RSA multiplies large prime numbers together to generate keys. Its strength lies in the fact that it is extremely difficult to factor the product of large prime numbers. This algorithm is the one most often associated with public key encryption. The RSA algorithm also provides digital signature capabilities. I will discuss digital signatures later in this chapter. They are used in SSL to set up sessions and with privacy-enhanced mail (PEM) and PGP.
Digital Signature Algorithm
DSA was developed as part of the Digital Signature Standard (DSS). (A more detailed discussion of DSS and DSA is provided later in this chapter.) Unlike the Diffie-Hellman and RSA algorithms, DSA is not used for encryption but for digital signatures.
A Slight Digression
For many years it was believed that Whitfield Diffie and Martin Hellman were the first to conceive of asymmetric cryptography and that Ron Rivest, Adi Shamir, and Len Adleman were the first to develop the RSA algorithm. However, it is now claimed that neither collaboration was the first and that the concept of asymmetric cryptography, the Diffie-Hellman algorithm, and the RSA algorithm were all discovered years earlier in England by the Government Communications Headquarters (GCHQ), which is the British equivalent of the NSA. The GCHQ claims that it conceived of the concept years before anyone else but never released information on the work for national security reasons.
Message Integrity
To attain a high level of confidence in the integrity of a message or data, a process must be put in place to prevent or detect alteration during transit. One technique employed is called a hash function. A hash function takes a message of any length and computes a product value of fixed length. The product is referred to as a "hash value." The length of the original message does not alter the length of the hash value. Hash functions are used to ensure the integrity of a message or file. Using the actual message or file, a hash function computes a hash value, which is a cryptographic checksum of the message. This checksum can be thought of as a fingerprint for that message. The hash value can be used to determine if the message or file has been altered since the value was originally computed.
Using e-mail as an example, the hash value for a message is computed at both the sending and receiving ends. If the message is modified in any way during transit, the hash value computed at the receiving end will not match the value computed at the sending end. Hash functions must be one way only. In other words, there should be no way to reverse the hash value to obtain information on the message. Obviously, this would represent a risk.
Another requirement of an effective one-way hash function is that the possibility of "collisions" is very limited, if not nonexistent. A collision occurs when the same hash value is computed for two or more unique messages. If the messages are different, the hash values should be different. No two unique messages should compute the same hash value.
MD4
MD4 was developed by Ron Rivest of RSA. MD4 is a one-way hash function that takes a message of variable length and produces a 128-bit hash value or message digest. MD4 has been proven to have weaknesses. Analysis has shown that at least the first two rounds of MD4 are not one-way (there are three rounds in MD4) and that the algorithm is subject to collisions.
MD5
MD5 was also created by Ron Rivest as an improvement on MD4. Like MD4, MD5 creates a unique 128-bit message digest value derived from the contents of a message or file. This value, which is a fingerprint of the message or file content, is used to verify the integrity of the message's or file's contents. If a message or file is modified in any way, even a single bit, the MD5 cryptographic checksum for the message or file will be different. It is considered very difficult to alter a message or file in a way that will cause MD5 to generate the same result as was obtained for the original file. While MD5 is more secure than MD4, it too has been found to have some weaknesses. Analysis has found a collision in the compression function of MD5, although not for MD5 itself. Nevertheless, this attack casts doubt on whether MD5 is truly a collision-resistant hash algorithm.
The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.
Secure Hash Algorithm-1 (SHA-1)
SHA-1 is a one-way hash algorithm used to create digital signatures. SHA-1 is derived from SHA, which was developed in 1994 by the NIST. SHA-1 is similar to the MD4 and MD5 algorithms developed by Ron Rivest. SHA-1 is slightly slower than MD4 and MD5, but it is reported to be more secure.
The SHA-1 hash function produces a 160-bit hash value or message digest. I am aware of no known cryptographic attacks against SHA-1 that have been successful. Since it produces a 160-bit message digest, it is more resistant to brute force attacks than MD4 and MD5, which produce a 128-bit message digest.
RIPEMD
RIPEMD is a hash function that was developed through the European Community's project RIPE. There are several extensions to RIPEMD: RIPEMD-128, RIPEMD-160, and RIPEMD-256. Each extension is a reference to the length of the hash value or message digest. For example, RIPEMD-160 is a 160-bit cryptographic hash function, designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel.
Authentication
To have a high level of confidence and trust in the integrity of information received over a network, the transacting parties need to be able to authenticate each other's identity. In the example involving Alice and Bob, it was demonstrated how they could transmit secure information between each party using encryption by exchanging public keys. While confidentiality was ensured with the use of public key cryptography, there was no authentication of the parties' identities. Bob may not really have been Bob. For that matter, Bob doesn't really know if Alice was Alice. In addition, how does Alice know that when she was sending her public key to Bob, Jack did not intercept it and use it to send his public key to her and masquerade as Bob? To ensure secure business transactions on unsecured networks like the Internet, both parties need to be able to authenticate their identities.
Authentication in a digital setting is a process whereby the receiver of a message can be confident of the identity of the sender. The lack of secure authentication has been a major obstacle in achieving widespread use of the Internet for commerce. One process used to authenticate the identity of an individual or entity involves digital signatures.
Di'ital (i'natures
A digita! signature a!!ows a recei:er to authenticate (to a !imited e?tent) the identity of the
sender and to :erify the integrity of the message. 6or the authentication process$ you must
a!ready know the sender>s pu&!ic key$ either from prior know!edge or from some trusted third
party. *igita! signatures are used to ensure message integrity and authentication. In its
simp!est form$ a digita! signature is created &y using the sender>s pri:ate key to hash the
entire contents of the message &eing sent to create a message digest. #he recipient uses the
sender>s pu&!ic key to :erify the integrity of the message &y recreating the message digest.
Gy this process you ensure the integrity of the message and authenticate the sender.
6o!!owing 6igure i!!ustrates the process.
*igita! signature.
#o sign a message$ senders usua!!y append their digita! signature to the end of a message
and
encrypt it using the recipient>s pu&!ic key. 4ecipients decrypt the message using their own
pri:ate key and :erify the sender>s identity and the message integrity &y decrypting the
sender>s digita! signature using the sender>s pu&!ic key.
Once again we will use Alice and Bob to illustrate how digital signatures work. Alice has a pair of keys, her private key and her public key. She sends a message to Bob that includes both a plaintext message and a version of the plaintext message that has been encrypted using her private key.
The encrypted version of her text message is her digital signature. Bob receives the message from Alice and decrypts it using her public key. He then compares the decrypted message to the plaintext message. If they are identical, then he has verified that the message has not been altered and that it came from Alice. He can authenticate that the message came from Alice because he decrypted it with Alice's public key, so it could only have been encrypted with Alice's private key, to which only Alice has access.
The strengths of digital signatures are that they are almost impossible to counterfeit and they are easily verified. However, if Alice and Bob are strangers who have never communicated with each other before, and Bob received Alice's public key but had no other means to verify who Alice was, other than Alice's assertion that she was who she claimed to be, then the digital signature is useless for authentication. It will still verify that a message has arrived unaltered from the sender, but it cannot be used to authenticate the identity of the sender. In cases where the parties have no prior knowledge of one another, a trusted third party is required to authenticate the identity of the transacting parties.
Competing Standards
There are two competing standards for digital signature technology. Both systems are based on the International Telecommunications Union's X.509 standard for public key certification. The one that has been around the longest is RSA Data Security's public key encryption standard, which has become a de facto standard in the industry. RSA Data Security uses the RSA public key algorithm, for both encryption and authentication, invented by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. The more recently developed standard is the U.S. government's DSS, which specifies a DSA. It was selected by the National Institute of Standards and Technology (NIST) in 1994.
Many have questioned the wisdom of the NIST's decision to select DSS. Not surprisingly, one of the most vocal opponents has been RSA Data Security and companies associated with RSA. However, many others have questioned the choice of DSS. The DSS cryptosystem is relatively new and has not been fully tested. For that reason alone, many believe that it is not as secure as the RSA standard, which has been subjected to rigorous testing for the past 19 years. Some have even questioned the NIST's motives for selecting DSS. The decision was made in cooperation with the NSA. The process was secretive and conducted with very little public participation or debate. Some have gone so far as to suggest that DSS was selected because the NSA has a back door into the system. While the competing standards do not represent an obstacle to implementing digital signatures within a large multinational organization, they can result in the inability to exchange digital signatures between organizations.
Digital Certificate
Digital signatures can be used to verify that a message has been delivered unaltered and to verify the identity of the sender by public key. The problem with authenticating a digital signature, however, is that you must be able to verify that a public key does in fact belong to the individual or entity that claims to have sent it and that the individual or entity is in fact who or what it claims to be.
A digital certificate issued by a certification authority (CA) utilizing a hierarchical public key infrastructure (PKI) can be used to authenticate a sender's identity for spontaneous, first-time contacts. Digital certificates provide a means for secure first-time spontaneous communication. A digital certificate provides a high level of confidence in the identity of the individual or entity with which you are communicating. A digital certificate is a means to authenticate identity.
A digital certificate is usually issued by a trusted/known third party (CA) to bind an individual or entity to a public key. The digital certificate is digitally signed by the CA with the CA's private key. This provides independent confirmation that an individual or entity is in fact who it claims to be. The CA issues digital certificates that vouch for the identities of those to whom the certificates were issued.
Using Alice and Bob as our example, Alice can send Bob her public key. Bob will be able to verify her digital signature using Alice's public key. Given such a key, how does he verify that it actually belongs to Alice and does not really belong to Jack, who is masquerading as Alice? If he has no other means available to him, he cannot. However, if Alice's public key is presented as part of a digital certificate signed by a known CA, Bob can have a high level of confidence that Alice is who and what she claims to be.
A digital certificate is a method of binding an individual or entity to a public key. The certificate is digitally signed by a CA, providing independent confirmation that individuals or entities are in fact who they claim to be and that the public key provided by them does in fact belong to that party. The CA and the CA's public key must be widely known for the digital certificate to be of practical value. The CA's public key must be widely known so that there is no need to authenticate the CA's digital signature. You are relying on the CA's digital signature to authenticate the certificate owner's identity and to bind that identity to their public key.
Each person's digital certificate could contain a mini-database on the owner, which includes the authorizations, access privileges, and the owner's public key. Digital certificates cannot be forged and are expected to be legally acceptable as handwritten notarized signatures. The International Chamber of Commerce is exploring the creation of a "cybernotary," a lawyer able to demonstrate that he or she can issue certificates from a secure computer environment.
A digital signature used in concert with a digital certificate potentially possesses greater legal authority than a handwritten signature. The inability to forge a digital signature, the fact that the digital signature can verify that the document has not been altered since it was signed, and the certificate verifying the identity of the signer make a digitally signed document irrefutable. The signer cannot repudiate his or her signature at a later date.
Limitations of Digital Certificates
There are still a number of issues that need to be addressed, such as how to handle expired certificates; there is the risk that a long-term document could be signed with a digital certificate with a two-year expiration date. What is the legality of the document once the digital certificate expires? Another issue that needs to be addressed is how to handle revocation of certificates.
The certificate revocation process is cumbersome: How do you revoke a certificate once it has been issued? Once a digital certificate is issued, it is valid until it expires. That is usually at least a year. No process exists for immediate revocation of a certificate should it be compromised or should the CA withdraw its certification. CAs will have to periodically issue certificate revocation lists (CRL). All participants utilizing the PKI will have to maintain up-to-date CRLs. CRLs will eventually become very large. In addition, there are a number of issues concerning the legal responsibilities and liabilities of CAs and their issuing of digital certificates that still need to be addressed.
What is most crucial to the success of the digital certificate is the role of the CA. With the CA, the trust is no longer dependent on the individual's or entity's digital signature. Instead, the trust is transferred to the CA.
Certificate Authorities
As stated previously, a CA is a body, either public or private, that seeks to fill the need for a trusted third party in e-commerce. The CA issues digital certificates that vouch for the identities of those to whom the certificates were issued. For this process to be secure, the CA's public key must be trustworthy and well-known. When I say it must be trustworthy, I am referring to the reputation and reliability of the CA as an entity. A digital certificate issued by "Sam's Digital Certificates and Deli" would lack trustworthiness to another party on the Internet. A CA must also perform the necessary due diligence to verify that individuals or entities are in fact who they say they are, before a digital certificate is issued to an individual or entity.
The CA public key must be widely known to be effective. A digital certificate signed by a CA is worthless if you do not know the CA's public key or if you have no independent means of verifying that the public key provided is in fact bound to the CA. For that reason, a CA's public keys need to be easily accessible and verifiable.
There will be a number of entities that issue digital certificates. VeriSign, Inc., which was formed by RSA Data Security and several other major corporations, is one of the main issuers. Other companies that issue digital certificates include GTE, AT&T, and Microsoft. There are many others. The process of obtaining a digital certificate is relatively simple for any legitimate individual or entity.
Once again, using Alice and Bob for our example, Alice generates her own key pair from her X.509-compliant software or device. She then sends the public key to a CA with proof of who and what she is. In our example, Alice sends her public key to a CA. If the digital certificate is for her company, the CA might request a copy of the articles of incorporation, copies of the latest financial statements, and other items that establish that the company is what it claims to be and is in good standing. If the certificate is for Alice personally, the CA could request a birth certificate and perhaps take her fingerprints. The verification process is largely dependent on the level of the certificate. Once the CA has done its due diligence and is satisfied that Alice is who she claims to be, the CA sends her a digital certificate to load in her software or device. This certificate will be signed by the CA with its private key. The digital certificate will attest to the fact that the CA has determined that Alice is who she says she is and binds Alice to her public key. Alice can now present that certificate to Bob to authenticate her identity and her public key. When Bob receives Alice's signed message, he will need Alice's public key to verify her digital signature and to ensure that the message has arrived unaltered. Since he already knows the CA's public key (it will be published everywhere), he can decrypt the digital certificate or certify that the digital certificate is signed by the CA, verify the integrity of the certificate, obtain Alice's public key, and then decrypt her signed message.
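Bob's side of the exchange just described, and the signing step from the Digital Signatures section above, written out as an added Go example (not the author's code): Alice signs a message with her private key, a CA binds her public key to her name in an X.509 certificate, and Bob accepts the signature only after the certificate chains to a root CA whose public key he already holds. The CA names, serial numbers and one-day validity are constructed for the example, and SHA-256 is used as the digest rather than the SHA-1 discussed earlier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKeyPair generates an RSA key pair (the public key is embedded in the private key).
func newKeyPair() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// signMessage hashes the whole message with SHA-256 and signs the digest with the sender's private key.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage recreates the digest and checks the signature with the sender's public key.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// certTemplate fills the X.509 fields; serial numbers and the one-day validity are constructed for the example.
func certTemplate(name string, serial int64, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	return tmpl
}

// mustParse turns the DER produced by CreateCertificate back into a certificate value.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA creates a self-signed root: the CA signs its own public key with its private key.
func newCA(name string) (*x509.Certificate, *rsa.PrivateKey) {
	key, tmpl := newKeyPair(), certTemplate(name, 1, true)
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issueCert is the CA binding a public key to a name after its due diligence; the result is signed with the CA's private key.
func issueCert(ca *x509.Certificate, caKey *rsa.PrivateKey, name string, pub *rsa.PublicKey) *x509.Certificate {
	return mustParse(x509.CreateCertificate(rand.Reader, certTemplate(name, 2, false), ca, pub, caKey))
}

// verifySignedMessage is Bob's check: the certificate must chain to a CA he trusts and name the party he expects; only then is its public key used.
func verifySignedMessage(trustedCA, cert *x509.Certificate, expectedName string, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not signed by a trusted CA: %w", err)
	}
	if cert.Subject.CommonName != expectedName {
		return fmt.Errorf("certificate is bound to %q, not %q", cert.Subject.CommonName, expectedName)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || !verifyMessage(pub, msg, sig) {
		return fmt.Errorf("signature does not verify with the certified public key")
	}
	return nil
}

func main() {
	trusted, trustedKey := newCA("Trusted Root CA")
	alice := newKeyPair()
	msg := []byte("Pay Bob 100")
	sig, _ := signMessage(alice, msg)
	fmt.Println("genuine:", verifySignedMessage(trusted, issueCert(trusted, trustedKey, "Alice", &alice.PublicKey), "Alice", msg, sig))
}
```

A certificate for "Alice" issued by a CA Bob does not hold (the "Sam's Digital Certificates and Deli" case) fails at Verify before the public key is ever used, which is the check that defeats Jack's masquerade.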
The need for CAs is clear, but the duties and responsibilities of the CAs are not so clear. There are still many issues that need to be addressed with CAs. Many of these are legal, not technical, in nature: What are the CA's responsibilities when issuing digital certificates? What if the CA makes a mistake and issues one to the wrong individual or entity? CAs may be open to tremendous liability should that mistake result in fraud or some financial loss.
As we move closer to paperless commerce and a paperless society, the concept of CAs becomes increasingly important. They will have a major impact on the future of e-commerce. That impact will affect our day-to-day lives: It means the development of a whole new set of business relationships that will be necessary to function daily. Perhaps, one day, without a digital certificate you may not be able to purchase milk at the corner store. Will CAs become the future's credit agencies, rating everyone as a good or bad "risk"?
Public Key Infrastructure
As part of the future implementation of digital certificates, a movement is under way to develop a PKI. The infrastructure will be necessary to authenticate digital certificates and CAs. A PKI is a hierarchical network of CAs. A "root certificate" authority certifies subordinate CAs. The hierarchy is recognized as trusted by all entities that trust the hierarchical CA. Not every entity needs to trust the other, just the hierarchy. Some plans envision a hierarchy of CAs, where one CA certifies the identity of the previous CA. The top-level root CA in the United States could be the U.S. government. Others envision a more horizontal scheme of cross-certification with only a few layers. In either case, a certificate-based PKI can provide a process to establish trust relationships. The following figure illustrates how a theoretical PKI might be structured.
Theoretical PKI.
The difficult part will be developing the standards and infrastructure for certifying digital signatures and certificates between organizations using different schemes. At the same time, the NIST is working on the development of a federal PKI. While there are many challenges to developing a national PKI, the most daunting task will be the development of the global infrastructure. When we discuss a global or international PKI we open a Pandora's box of "national security" issues.
Advanced Encryption Standard (AES)
For decades the encryption standard in the United States has been DES. However, the DES algorithm is no longer as secure as it once was and needs to be replaced. As a result, the NIST is in the process of selecting a new algorithm to use as the new standard into the next century. This new standard is being called the Advanced Encryption Standard (AES). The goal of AES is to select an unclassified block algorithm that will be available worldwide free of royalty fees.
As of this writing, there are five algorithms that have been selected as finalists for the AES. The five finalists are listed as follows.
• MARS, developed by IBM;
• RC6, developed by RSA, which also developed RC4 and RC5;
• Rijndael, developed by Vincent Rijmen and Joan Daemen;
• Serpent, developed by Ross Anderson, Eli Biham, and Lars Knudsen;
• Twofish, developed by Bruce Schneier, Niels Ferguson, Chris Hall, John Kelsey, Doug Whiting, and David Wagner. Incidentally, Bruce Schneier is the author of the book Applied Cryptography and developer of the Blowfish block algorithm.
One or more of these algorithms will eventually be selected as the AES. How long it will remain secure will largely depend on the developments in the fields of computer technology and cryptanalysis.
Elliptic-Curve Cryptography (ECC)
Another up-and-coming development in cryptography appears to be elliptic-curve cryptography (ECC). ECC, which is widely expected to be the next-generation algorithm, has been proposed for use as a public key cryptosystem. ECC's strength comes from the fact that it is computationally very difficult to solve the elliptic curve discrete logarithm problem.
The appeal of ECC algorithms is the fact that they hold the possibility of offering security comparable to the RSA algorithms using smaller keys. Smaller keys mean that less computation is required. Less time and fewer CPU resources would be required to implement this technology on the network. Less time and CPU translates into less cost associated with using these algorithms. As a result, interest in these algorithms is keen.
It has also been said that ECC is more difficult to break than RSA. While both RSA with a 512-bit key and ECC with a 97-bit key have been broken, it has been stated that the ECC algorithm is more difficult to break. In 1999 a team of 195 volunteers in 20 countries using 740 computers took 40 days to recover the 97-bit ECC private key.
Although ECC holds great promise, I am not aware of any practical implementation of the technology in any product now on the market. No matter what algorithm you employ, it is important to be cognizant of the fact that as computing power increases and becomes less expensive, the cryptographic key sizes will have to increase to ensure security. Not too far in the future, a 2,024-bit key will not be sufficient to ensure security.
The Limitations of Encryption
Communications are not necessarily secure simply because they are encrypted. It is important to remember that useful information can even be discerned from encrypted communications. I like to use an example from the book Blind Man's Bluff. In the book, authors Sherry Sontag and Christopher and Annette Drew tell the story of U.S. submarine espionage during the Cold War. In the 1970s and 1980s, Soviet missile subs were using effective cryptosystems in conjunction with sophisticated transmitters that compressed their encrypted communications into microsecond bursts. While the United States was not able to break the Soviet transmission code, America was able to gather a great deal of information from the transmissions themselves. U.S. analysis of the transmission patterns revealed almost as much information as the actual content of the transmissions would have revealed. For example, the United States was able to determine that the messages were coming from Soviet subs on their way to and from patrol. They were also able to distinguish one sub from another by slight variations in the frequencies of the transmissions, and to tell that the Soviet subs sent transmissions at regular points or milestones in their patrols. Consequently, the United States was able to determine the Soviet subs' location, when they reached their patrol sector, the halfway point, or a particular landmark. The analysis of the transmission patterns enabled the United States to track Soviet subs on patrol without ever breaking the transmissions' code. It is important to understand that simply using encryption is no guarantee of confidentiality or secrecy.
In addition, studies have shown that the randomness of the data for encrypted files stored on media can be used to distinguish the files from other stored data. Generally, operating systems do not store data in a random manner. Data is normally stored in a manner that optimizes retrieval, space, or speed. Encrypted files and algorithm keys by their nature must be random data. As a result, when large encrypted files and public/private key sets are stored on a disk drive their randomness stands out against the normally organized data on the drive. There are programs available that purport to be able to find keys and encrypted files on a disk drive. If true, this could potentially mean that someone could steal key pairs if he or she had access to the drive on which the keys were stored.
Meanwhile, however, it is also important to understand that developments in the field of cryptography and digital signature technology are the enabling force behind the recent explosion in e-commerce on the Internet. Without these technologies, Internet e-commerce would not be possible. As a result, those who want to participate in this new world of e-commerce, either as an entrepreneur or a consumer, need to understand the essential technology that is enabling its development.
4. Secured and Unsecured Layer Systems.
Kerberos
Kerberos key exchange is a network authentication protocol developed at MIT. It is designed to provide strong authentication for client/server applications by using a combination of both secret key and public key cryptography. Kerberos utilizes a single central server, referred to as a trusted server, to act as a trusted third party to authenticate users and control access to resources on the network. The basic premise behind Kerberos security is that it is not possible to ensure security on all network servers. This concept assumes that server security breaches are inevitable in a distributed computing environment with multiple servers. The premise is that it is impossible to secure all the servers, so one shouldn't even attempt to. The Kerberos model proposes, however, that it is possible to truly secure a single server. Therefore, it holds that it is more secure to control all network access from one central secure server.
The Kerberos key exchange process is really quite simple, but at the same time quite elegant. Kerberos never transmits passwords on the network, regardless of whether they are encrypted or not. Kerberos utilizes cryptographic keys referred to as "tickets" to control access to network server resources. Tickets are encrypted passes or files issued by the "trusted" server to users and processes to determine access level. There are six types of tickets: initial, invalid, pre-authenticated, renewable, forwardable, and postdated. Figures 4.1 to 4.6 illustrate the Kerberos key exchange process.
In Figure 4.1 the client creates a request to send to the Kerberos server. The request is digitally signed by the client using the client's own private key. In this example the request is to access the payroll server. In Figure 4.2, the client takes the digitally signed request and encrypts it using the Kerberos server's public key. In Figure 4.3, the client sends the digitally signed and encrypted request to the Kerberos server.
Figure 4.1: Kerberos key exchange, step one.
Figure 4.2: Kerberos key exchange, step two.
Figure 4.3: Kerberos key exchange, step three.
The Kerberos server decrypts the request using its private key and then authenticates the originator of the request by verifying the digital signature of the sender. The request was digitally signed using the sender's private key, which the Kerberos server verifies by using the sender's public key.
The Kerberos server maintains a database of all the public keys of authorized users, so it does not have to rely upon the sender or a trusted third party to verify the sender's public key. If the Kerberos server does not have the sender's public key in its database, then the digital signature cannot be verified. Similarly, if the Kerberos server does not have the sender's public key, then the sender is not an authorized user of the network, and the request will be denied.
Once the Kerberos server receives the request and authenticates the sender's identity, the server verifies that the client has authorization to access the requested resource. In this example the resource requested is access to the payroll server.
If the Kerberos server determines that the client does have authorization to access the payroll server, the Kerberos server sends identical session tickets to both the client and the payroll server. To transmit the session ticket to the client, the Kerberos server encrypts it with the client's public key. To transmit the ticket to the payroll server the Kerberos server uses the payroll server's public key. Figure 4.4 depicts this process. When the encrypted session key is received, both the client and the payroll server decrypt it using their respective private keys.
Figure 4.4: Kerberos key exchange, step four.
The tickets could also be digitally signed by the Kerberos server to avoid the possibility of counterfeit tickets being sent to a client or network resource.
The client then sends a copy of its ticket to the payroll server. Before transmitting the ticket, the client encrypts the ticket using the payroll server's public key. Figure 4.5 illustrates this process.
Figure 4.5: Kerberos key exchange, step five.
When the payroll server receives the encrypted ticket from the client, the server decrypts the ticket using the server's own private key. The payroll server then compares the ticket that it received from the client to the ticket that it received from the Kerberos server. If the client's ticket matches the server's ticket then the client will be allowed to connect to the server. If they don't match, the connection is refused. Figure 4.6 illustrates this process. Once the connection is established, the systems can encrypt the communication using either the session key or the client's public key, or they can use no encryption at all.
Figure 4.6: Kerberos key exchange, step six.
One advantage that Kerberos has over other schemes, such as using digital certificates and a PKI, is that revocation of authorization and authentication can be done immediately. The PKI relies upon CRLs to remove authorization for an individual or entity. Access to network resources may not be terminated until the CRL works its way through the PKI or the original digital certificate expires. In either case, the original certificate will provide access to network resources long after the time period you want access terminated. With Kerberos, every time an individual or entity requests access to a network resource, the Kerberos server is queried. As a result, once access is terminated at the Kerberos server, the change is effective immediately.
Kerberos' Limitations
The primary limitation of the Kerberos concept is that if the Kerberos server is down, one cannot access network resources, since access to all network resources must be authorized through the Kerberos server. As a result, the Kerberos design is particularly vulnerable to denial-of-service attacks. If you target the Kerberos server you can prevent legitimate users from gaining access to the network. You don't even have to completely crash the server to prevent others from gaining network access. Simply overwhelming the server with requests or flooding the network with traffic would be enough to prevent the server from responding to queries.
Organizations can build back-up Kerberos servers into the design of their networks, but doing so introduces vulnerability into their network. Back-up servers deviate from one of the fundamental principles of Kerberos, which is that it is difficult to provide absolute security for multiple servers. The Kerberos concept relies on a single absolutely secure server. If the Kerberos server is compromised, then the integrity of the entire system is compromised.
Kerberos also can be susceptible to replay attacks. Someone on the network could sniff and record requests going to and from the Kerberos server. The transmission of tickets to network resources could also be copied to be retransmitted at a later time as new requests. This vulnerability can be, and usually is, mitigated by the use of a timestamp on tickets.
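The timestamp mitigation just mentioned, as an added Go example that is not the author's code. Two assumptions depart from the text's description: the ticket is authenticated with an HMAC under a key the Kerberos server shares with the payroll server, in place of the public-key encryption and signature the text describes, and the payroll server keeps a short memory of tickets it has already honoured, so that a recorded copy presented again is refused even inside the validity window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Ticket is the session ticket the Kerberos server hands to both the client and the
// payroll server. IssuedAt is the timestamp that bounds how long a recorded copy is usable.
type Ticket struct {
	Client   string
	Resource string
	IssuedAt time.Time
	Nonce    string // constructed per ticket so two tickets for one client differ
	MAC      string // hex HMAC-SHA256 over the fields above, keyed by the Kerberos server
}

// canonical is the exact byte string the MAC covers.
func (t Ticket) canonical() string {
	return strings.Join([]string{t.Client, t.Resource, strconv.FormatInt(t.IssuedAt.Unix(), 10), t.Nonce}, "|")
}

// computeMAC authenticates the ticket fields under the shared key (assumed for this example).
func computeMAC(key []byte, t Ticket) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(t.canonical()))
	return mac.Sum(nil)
}

// issueTicket is the Kerberos server's side. The key is one it shares with the payroll
// server, an assumption of this example in place of the text's public-key encryption.
func issueTicket(key []byte, client, resource, nonce string, now time.Time) Ticket {
	t := Ticket{Client: client, Resource: resource, IssuedAt: now, Nonce: nonce}
	t.MAC = hex.EncodeToString(computeMAC(key, t))
	return t
}

// PayrollServer admits clients by ticket. seen remembers the tickets honoured inside the
// validity window, which is all that is needed to refuse a replayed copy.
type PayrollServer struct {
	name   string
	key    []byte
	window time.Duration
	seen   map[string]time.Time
}

func NewPayrollServer(name string, key []byte, window time.Duration) *PayrollServer {
	return &PayrollServer{name: name, key: key, window: window, seen: map[string]time.Time{}}
}

// Admit decides whether a presented ticket opens a connection at time now.
func (s *PayrollServer) Admit(t Ticket, now time.Time) error {
	got, err := hex.DecodeString(t.MAC)
	if err != nil || !hmac.Equal(got, computeMAC(s.key, t)) {
		return errors.New("ticket was not issued by the Kerberos server")
	}
	if t.Resource != s.name {
		return errors.New("ticket is for a different resource")
	}
	if age := now.Sub(t.IssuedAt); age < 0 || age > s.window {
		return errors.New("ticket timestamp outside the validity window")
	}
	// Forget tickets whose window has closed: the timestamp check already rejects them.
	for m, issued := range s.seen {
		if now.Sub(issued) > s.window {
			delete(s.seen, m)
		}
	}
	if _, replayed := s.seen[t.MAC]; replayed {
		return errors.New("ticket already used: replay refused")
	}
	s.seen[t.MAC] = t.IssuedAt
	return nil
}

func main() {
	key := []byte("constructed-shared-key") // example value only
	payroll := NewPayrollServer("payroll", key, 5*time.Minute)
	now := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	tk := issueTicket(key, "alice", "payroll", "n1", now)
	fmt.Println("first use:", payroll.Admit(tk, now.Add(10*time.Second)))
	fmt.Println("replay:", payroll.Admit(tk, now.Add(30*time.Second)))
	fmt.Println("stale:", payroll.Admit(issueTicket(key, "alice", "payroll", "n2", now), now.Add(time.Hour)))
}
```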
The other major drawback to the Kerberos concept is that its scalability is limited, since the Kerberos server is communicated with every time access to a resource is requested. The more workstations and resources an organization has on its network, the greater its network traffic, because each request to access a network resource will generate multiple exchanges. As the network grows, so too does the number of requests to the Kerberos server.
In addition, a network could grow to the point where a single server could not handle all of the requests to access network resources. The server would eventually become overwhelmed with requests. At that point, an organization would either have to get a greater capacity server or limit the size of its network. Ultimately, in fact, the organization would reach a point where its server capacity could no longer grow. Therefore there is a limit on how large a Kerberos-based network can grow.
As a result of this lack of scalability, Kerberos is not a feasible authentication solution for a very large network such as the Internet. Using a PKI with digital certificates is much more scalable and therefore better suited for the Internet.
Encryption on the World Wide Web
Another area where encryption has been widely deployed is on the Internet, or the Web as it has come to be known. Much of the Internet's success and popularity lies in the fact that it is an open global network. At the same time, the fact that it is open and global makes it not very secure. The unique nature of the Internet makes exchanging information and transacting business over it inherently dangerous. The faceless, voiceless, unknown entities and individuals that share the Internet may or may not be who or what they profess to be. In addition, because the Internet is a global network, it does not recognize national borders and legal jurisdictions. As a result, the transacting parties may not be where they say they are and may not be subject to the same laws or regulations.
As stated in earlier chapters, for the exchange of information and for commerce to be secure on any network, especially the Internet, a system or process must be put in place that satisfies requirements for confidentiality, access control, authentication, integrity, and non-repudi‎ation.
These requirements are achieved on the Web through the use of encryption and by employing digital signature technology. There are many examples on the Web of the practical application of encryption. One of the most important is the SSL protocol.
Secure Sockets Layer
SSL was developed by Netscape to provide security when transmitting information on the Internet. Netscape recognized the need to develop a process that would ensure confidentiality when entering and transmitting information on the Web. Without such a process very few individuals would feel comfortable entering information like credit card numbers on a Web site. Netscape recognized that e-commerce on the Web would never get off the ground without consumer confidence. As a result, SSL was developed to address the security needs of Web surfers. It is somewhat ironic that we require such a high level of security for transactions on the Web.
Most knowledgeable individuals would never enter their Visa or Mastercard number on a site that did not employ SSL for fear of having the information intercepted. However, those same individuals would not hesitate to give that same information over the phone to an unknown person when ordering flowers, nor would they fear giving their credit cards to a waiter at a restaurant. Consider that this involves handing a card over to someone you have never met who inevitably disappears for 10 minutes.
The risk that a credit card number will be stolen in transit on the Internet is very small. A greater risk is that the credit card number will be stolen from a system on which it is stored. That is precisely what happened to me: I received an e-mail from my Internet service provider (ISP) informing me that a computer, which had been stolen from the ISP, may have contained credit card information for a number of its customers. The e-mail went on to state that it was possible that the credit card information was on the stolen machine. The company said that the file containing the credit card numbers was encrypted, so it did not believe that there was any real risk. Nevertheless, the firm said that it was advising its customers of this incident so they could take appropriate action. The original transaction with the ISP in which I gave the company my credit card information was not over the Internet. It was a traditional low-tech transaction. Like most companies, the ISP stored the user account information, including credit card numbers, in a database on a network. That is where the real risk lies.
SSL utilizes both asymmetric and symmetric key encryption to set up and transfer data in a secure mode over an unsecured network. When used with a browser client, SSL establishes a secure connection between the client browser and the server. Usually, it's HTTP over SSL (HTTPS). It sets up an encrypted tunnel between a browser and a Web server over which data packets can travel. No one tapping into the connection between the browser and the server can decipher the information passing between the two. Integrity of the information is established by hashing algorithms. Confidentiality of the information is ensured with encryption. Figure 5.1 illustrates basically how the process works.
Figure 5.1: SSL session handshake.
To set up an SSL session both sides exchange random numbers. The server sends its public key with a digital certificate signed by a recognized CA attesting to the authenticity of the sender's identity and binding the sender to the public key. The server also sends a session ID. The browser client creates a pre_master_secret key. The client browser encrypts the pre_master_secret key using the server's public key and transmits the encrypted pre_master_secret key to the server. Then both sides generate a session key using the pre_master_secret and random numbers.
The SSL session set-up begins with asymmetric encryption. The server presents the browser client with its public key, which the client uses to encrypt the pre_master_secret. However, once the client sends the encrypted pre_master_secret key back to the server, it employs a session key to establish a secure connection. The initial setup uses asymmetric encryption, but the two parties switch over to symmetric encryption.
This is done because symmetric encryption creates much less overhead. Less overhead means better throughput and a faster response time. Asymmetric cryptosystems are much more CPU-intensive and would significantly slow the exchange of information. As a result, for spontaneous exchanges, asymmetric encryption is used initially to establish a secure connection and to authenticate identities (using digital certificates). Once identities are established and public keys are exchanged, the communicating entities switch to symmetric encryption for efficiency.
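As an added illustration (not code from the original text), the following Python simulates the key-establishment part of the handshake described above: a toy textbook RSA keypair stands in for the server's certified public key, the client sends a pre_master_secret encrypted under it, and both sides derive the 48-byte master secret with the SSL 3.0 construction from RFC 6101 (MD5 over SHA1 with the labels A, BB, CCC). The prime sizes, the absence of PKCS#1 padding and the sample values are assumptions made to keep the block self-contained; note that an eavesdropper who captures both randoms and the encrypted pre_master_secret still cannot compute the master secret without the server's private key.

```python
import hashlib
import secrets

# Toy textbook RSA (no padding) on freshly generated primes. It is here only to
# make the asymmetric step visible; real SSL/TLS uses PKCS#1 padding and larger
# keys. The 256-bit prime size is a constructed choice, wide enough for 48 bytes.

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top and low bit
        if is_probable_prime(candidate):
            return candidate

def toy_rsa_keypair(bits: int = 256):
    """Return (n, e, d) with n about 2*bits wide."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def rsa_encrypt(message: bytes, n: int, e: int) -> int:
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def rsa_decrypt(ciphertext: int, n: int, d: int, length: int) -> bytes:
    return pow(ciphertext, d, n).to_bytes(length, "big")

def ssl3_master_secret(pre_master_secret: bytes, client_random: bytes,
                       server_random: bytes) -> bytes:
    """SSL 3.0 master secret (RFC 6101, section 6.1): 48 bytes built as three blocks of
    MD5(pms + SHA1(label + pms + client_random + server_random)), labels A, BB, CCC."""
    out = b""
    for label in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(label + pre_master_secret + client_random + server_random).digest()
        out += hashlib.md5(pre_master_secret + inner).digest()
    return out

def simulate_handshake() -> dict:
    """Run the key-establishment part of the handshake for both sides."""
    # 1. Both sides contribute a 32-byte random value (ClientHello / ServerHello).
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    # 2. The server presents its public key (in practice inside a CA-signed certificate).
    n, e, d = toy_rsa_keypair()
    # 3. The client builds the pre_master_secret: 2 version bytes plus 46 random bytes.
    pre_master_secret = b"\x03\x00" + secrets.token_bytes(46)
    # 4. ...and sends it encrypted under the server's public key (the asymmetric step).
    encrypted_pms = rsa_encrypt(pre_master_secret, n, e)
    # 5. The server recovers it with its private key.
    server_pms = rsa_decrypt(encrypted_pms, n, d, 48)
    # 6. Both sides derive the same master secret; the symmetric session keys are then
    #    carved out of it, so the expensive public-key work ends here.
    return {
        "client_master_secret": ssl3_master_secret(pre_master_secret, client_random, server_random),
        "server_master_secret": ssl3_master_secret(server_pms, client_random, server_random),
        "client_random": client_random,
        "server_random": server_random,
        "encrypted_pms": encrypted_pms,
    }

if __name__ == "__main__":
    result = simulate_handshake()
    print("master secrets match:", result["client_master_secret"] == result["server_master_secret"])
```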
Even with the use of symmetric encryption, network throughput is significantly diminished with SSL. Cryptographic processing is extremely CPU-intensive. Web servers that would normally be able to handle hundreds of connections may only be able to handle a fraction of that when employing SSL. In 1999, Internet Week reported on a test of a Sun 450 server and the effects of SSL. At full capacity, the server could handle about 500 connections per second of normal HTTP traffic. However, the same server could only handle about three connections per second when the connections employed SSL.
The fact that SSL can have such a hindering effect on network performance has to be included in any capacity planning for e-commerce sites. There are SSL accelerators available that can enhance the performance of Web servers that employ SSL. Products from Hewlett-Packard, Compaq, Cipher, and others offer solutions that speed up the cryptographic processing.
Usually, these products are separate boxes that interface with a server and off-load the SSL process from the server's CPU. They can also take the form of accelerator boards that are installed in the server.
Secure HTTP (SHTTP)
An alternative to HTTPS is secure HTTP (SHTTP). SHTTP is an extension of the HTTP protocol developed by Enterprise Integration Technologies. SHTTP is similar in function to HTTPS in that it is designed to secure transactions and messages on the Web. There are, however, several differences: SSL is connection-oriented and operates at the transport level. SSL creates a secure connection over which transactions are transmitted. SHTTP, on the other hand, is transaction-oriented and operates at the application level. Each individual message is encrypted to be transmitted securely. No secure pipe is established between the parties. SSL can be used for other TCP/IP protocols such as FTP and TELNET. SHTTP is specifically designed for HTTP and not for other protocols. HTTPS enjoys wide acceptance, while SHTTP's use is very limited. In fact, not all Web browsers support SHTTP.
Meanwhile, both Netscape Navigator and Internet Explorer support HTTPS. Most Web server software supports HTTPS, and most e-commerce Web sites use the protocol when obtaining confidential user information. The server is usually authenticated to the client through a digital certificate. The strength of the encryption employed can be set by the server but is usually chosen based on the capability of the client browser. Until relatively recently, there were two types of encryption employed in browsers, depending on whether the browser would be sold in the United States or overseas. The overseas version used weak encryption, while the domestic version used strong encryption. When one refers to weak encryption with SSL and browsers, it usually means 40-bit or 56-bit encryption. Strong encryption refers to 128-bit encryption. The difference in strength between 40-bit encryption and 128-bit encryption is not just 88 bits. In other words, 128-bit encryption is not just 88 times stronger than 40-bit encryption. In fact, 128-bit encryption is more than 300,000,000,000,000,000,000,000,000 times stronger than 40-bit encryption.
Browsers used to employ two different strengths of encryption because of federal regulations. There were export restrictions on most software, hardware or firmware that included encryption technology. While the export restrictions have been relaxed somewhat, there are still significant rules in place. To export their browsers, companies such as Microsoft and Netscape had to offer versions of their software that employed weak encryption. Even with the recent changes to U.S. laws regulating the export of cryptographic technology many of the browsers installed today use weak encryption.
In the past, the domestic version of Netscape's Navigator was capable of strong encryption, while its export version was only capable of weak encryption. Microsoft did not really make any distinction between the domestic or export versions of Internet Explorer. Internet Explorer by default was set to weak encryption; it was necessary to load a patch to set it to strong encryption.
Web server software can also be set to use 40-bit or 128-bit encryption. A Web server can be configured to reject browser clients that use a browser set for weak encryption. Web servers can also be configured for strong encryption but still be able to accept browsers that use weak encryption. Therefore, there is really no reason to configure the Web server software to default to 40-bit encryption.
There are several ways to tell if a site uses encryption and the strength of the encryption employed. The things to look for vary depending on whether you are using Netscape's Navigator or Microsoft's Internet Explorer and which version of either software you are using.
Microsoft's Internet Explorer
The following figures illustrate a Web page employing SSL with Internet Explorer 5.0 (IE5). The first indication of SSL is that the URL is preceded by HTTPS instead of the normal HTTP. The example depicts a fictitious Internet banking system offered by Any Bank Corporation. The digital certificate is real, but the name of the financial institution has been changed.
IE5 employing SSL.
In addition to HTTPS being displayed in the URL, when encryption is employed there is also a closed lock at the bottom of the browser's screen on the right-hand side. I have circled the closed lock at the bottom of the screen. Normally, the lock is open, which is an indication that encryption is not employed.
Viewing Digital Certificates with Internet Explorer
Normally, to activate SSL on a Web server, a digital certificate must be installed. A digital certificate is generally obtained from a known CA and installed on the Web server. When visiting a Web site that employs encryption, it is possible to view information on the server's digital certificate. To view this information with Internet Explorer, simply click on File and then Properties. When you click on the Properties option the properties window pops up. The following figures illustrate the properties pop-up window. Viewing the Properties window, we can see that the connection uses SSL 3.0 and RC4 with 128 bit encryption for strong (High) encryption.
Figure 5.3: IE5 cipher information.
More detailed information can be obtained on the digital certificate by clicking on the certificate button on the properties window. This is illustrated in Figure 5.4.
Figure 5.4: IE5 signature algorithm.
By clicking on the details tab, information can be obtained on the serial number of the certificate, the issuer, and the subject. It is also possible to view the public key for the certificate. Looking at Figure 5.4 we can see that the third field listed is the signature algorithm. In this case it is RSA's MD5.
As Figure 5.5 illustrates, information on the issuer (CA) of the digital certificate can also be viewed. We can see that the certificate was issued by RSA Data Security. In this case the RSA certificate was issued through VeriSign. Figure 5.5 also reveals that the public key algorithm employed for the initial key exchange was the RSA algorithm. The RSA asymmetric cryptosystem is used for the exchange of public keys.
Figure 5.5: IE5 certificate authority.
As Figure 5.6 illustrates, it is also possible to obtain information on the organization to which the digital certificate was issued by clicking on the subject line. In this example we can see that the digital certificate was issued to Any Bank Corporation in San Francisco.
Figure 5.6: IE5 certificate owner.
Viewing the Encryption Strength of IE
If you don't already know the encryption strength for which your Internet Explorer is configured, it is very easy to check. This works for both Internet Explorer 4.x (IE4) and IE5. Chances are that if you are using IE4 then you are using weak encryption. Figure 5.7, based on IE5, illustrates how to check your browser: Simply click on Help at the top of the browser and then click on About Internet Explorer. A window will pop up that lists, among other things, the cipher strength. In Figure 5.7, the cipher strength is set to 128 bits or strong encryption. This is the strength of encryption that the browser is configured to handle.
Figure 5.7: Viewing the browser's encryption strength. (Microsoft IE5 screen shot reprinted by permission of Microsoft Corporation.)
Downloading a Program with an Invalid Certificate
A security warning message displays when a user attempts to download a program that does not contain a valid Authenticode signature or a digital certificate from a recognized CA. This tells the end user downloading the program that the program does not contain a certificate that verifies that the software program is genuine. As a result, the end user should be careful before proceeding because he or she could be downloading a malicious program.
The following figure shows the Authenticode warning. (Screen shot reprinted by permission from Microsoft Corporation.)
Internet Explorer warns that it cannot authenticate the identity of the source of the program, either because the signature is not recognized or because there is no signature. In other words, the program has a certificate that cannot be verified. As such, the software represents a potential danger to the end user's computer and network.
The custom of signing programs or applets is not yet universally practiced. However, it is another good example of how cryptographic technology in general and digital signature technology in particular is being employed on the Web. Digital certificates and digital signature technology are quickly becoming a ubiquitous part of the WWW. Other examples of how cryptography is being applied on networks.
6. OS/LAN/WAN Security System
Operating System Guidelines
Network security begins at the individual system level. As the saying goes, a chain is only as strong as its weakest link, and a network is nothing more than a chain of systems. As a result, for a network to have a high level of security, all of the systems on the network must be properly administered and monitored.
Very few organizations adequately administer and monitor systems that reside on the internal network. This defense-in-depth approach requires more of a commitment to security than most organizations are willing to make. Key to a defense in depth is the deployment of a multitiered strategy to network and system security. Instead, most organizations choose to employ a perimeter defense. This approach relies on hardened border systems, usually firewalls and routers, that are designed to monitor and control traffic between an internal trusted network and an external untrusted network. The assumption is that the perimeter or border systems will secure the internal systems. There are a number of problems with the perimeter defense. First, if an organization's border systems are ever compromised and penetrated, the entire internal network could be open to attack. Hardening the internal systems can help to decrease the amount of damage from the breach of a perimeter system. At the very least, adequate monitoring of the internal systems may detect a breach from the outside.
In addition, every organization that uses computers faces the threat of hacking from individuals within the organization. Employees with malicious intent who want to obtain information such as employee salaries or view other employees' files are also a threat to an organization's computers and networks.
Critical systems should be configured to monitor logins, failed logins, and all network activity. Most every computer and NOS has utilities for monitoring this kind of activity. UNIX in particular can be configured to record all sorts of activity that can be reviewed for security purposes. For example, almost every version of UNIX allows you to monitor logins through the wtmp file and records failed login attempts.
One simple security measure an organization can employ for UNIX systems is to review the failed login log file on a daily basis. This log displays every failed attempt to log into the system. This can alert a company to the first indications of someone probing its system. Depending on the version of UNIX, an organization may even be able to determine whether the attempted login was over the network, and it can even display the IP address from which the connection originated.
Some system administrators question the wisdom of using the failed-login log file feature. They believe that the log file may inadvertently record the password for an account, if the account name and password are entered out of sequence. While in theory this is a possibility, in practice I have never known it to be an issue.
When reviewing the failed login log file, if there are multiple entries for a single account, it may be an indication that something is wrong and should be investigated. If there are unfamiliar IP addresses attempting to connect to the system, then this should also be investigated. Both of these activities could be indications that someone is probing a system.
Another useful UNIX log is the sulog. Most versions of UNIX record failed attempts to spawn another process and switch to another user with the "su" command. This is recorded in the sulog log file. Entries in this log file may be the result of someone probing a system and attempting to gain privileged access. Any entry in this log should be traced to determine if it is legitimate or not. There are accounts that will have legitimate reasons for using the su command. For example, the operator's or administrator's accounts may frequently perform su to root. If, however, the log shows someone attempting to su to root who should not be attempting such a function, an organization should investigate the occurrence.
Another log that can be useful is the wtmp log. This file records information for every account that logs in and out of a system. It gives the time and duration of the login. For most versions of UNIX, an organization can also determine whether the connection was from a tty, telnet, or rlogin connection or was an ftp connection. In addition, it can distinguish telnet and rlogin connections from ftp connections by the device type. The wtmp file is stored in a binary format. As a result, it is necessary to use the "last" command to display its contents. A simple review of this file, on a daily basis, can turn up anomalous behavior, for instance, an ftp connection from an account that shouldn't be using ftp or accounts logging in at odd hours.
Since these logs reside on the system's local disk drive, it is possible for someone to alter the files. It is recommended that hardcopy printouts of the logs be generated daily to be reviewed and stored. The log files should also be cleared daily or weekly. There are a couple of reasons for doing this. First, it reduces the risk of the files being altered. Second, in the event the system is ever compromised it may be necessary to refer to the hardcopy printouts to help in determining exactly when the system was first compromised. The process of printing and clearing the files can be automated relatively easily.
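An added example, not from the original text, of automating the daily review just described: it parses constructed failed-login and sulog entries (the line formats are assumptions, since the real layout varies by UNIX version) and reports repeated failures for one account, failures from unfamiliar addresses, and su-to-root attempts by accounts that have no business making them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries in a syslog-like "FAILED LOGIN" style. The exact
# layout of the failed-login log differs between UNIX versions, so the regular
# expressions below are assumptions about this constructed format only.
FAILED_LOGIN_LOG = """\
Mar  3 02:11:07 host1 login[2231]: FAILED LOGIN 1 FROM 10.1.1.20 FOR root
Mar  3 02:11:12 host1 login[2231]: FAILED LOGIN 2 FROM 10.1.1.20 FOR root
Mar  3 02:11:19 host1 login[2231]: FAILED LOGIN 3 FROM 10.1.1.20 FOR root
Mar  3 09:02:44 host1 login[3019]: FAILED LOGIN 1 FROM 10.0.5.7 FOR alice
Mar  3 23:41:03 host1 login[4410]: FAILED LOGIN 1 FROM 192.0.2.55 FOR oper
"""

# Constructed sulog entries: "SU date time +|- tty from-to" ("-" marks a failed su).
SULOG = """\
SU 03/03 02:15 - pts/3 webuser-root
SU 03/03 08:30 + pts/1 oper-root
SU 03/03 11:02 + pts/2 alice-bob
SU 03/03 11:05 + pts/2 alice-root
"""

FAILED_LOGIN_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\S+)")
SULOG_RE = re.compile(r"^SU (?P<date>\S+) (?P<time>\S+) (?P<result>[+-]) (?P<tty>\S+) "
                      r"(?P<src_user>[^-\s]+)-(?P<target>\S+)$")


def review_failed_logins(log_text, known_sources, threshold=3):
    """Flag accounts with repeated failures and failures from unfamiliar addresses."""
    per_account = Counter()
    unknown_sources = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.search(line)
        if not m:
            continue
        per_account[m["user"]] += 1
        if m["src"] not in known_sources:
            unknown_sources[m["src"]].add(m["user"])
    findings = [f"{count} failed logins for account {user}"
                for user, count in per_account.items() if count >= threshold]
    findings += [f"failed logins from unfamiliar address {src} (accounts: {', '.join(sorted(users))})"
                 for src, users in unknown_sources.items()]
    return findings


def review_sulog(log_text, admin_accounts):
    """Flag every su to root, failed or successful, by an account not expected to do so."""
    findings = []
    for line in log_text.splitlines():
        m = SULOG_RE.match(line)
        if not m or m["target"] != "root" or m["src_user"] in admin_accounts:
            continue
        outcome = "succeeded" if m["result"] == "+" else "failed"
        findings.append(f"{m['src_user']} {outcome} su to root on {m['tty']} at {m['date']} {m['time']}")
    return findings


def daily_review(failed_log=FAILED_LOGIN_LOG, sulog=SULOG,
                 known_sources=frozenset({"10.0.5.7"}), admin_accounts=frozenset({"oper"})):
    """Combine both checks; an empty list means nothing needs follow-up today."""
    return review_failed_logins(failed_log, known_sources) + review_sulog(sulog, admin_accounts)


if __name__ == "__main__":
    for finding in daily_review():
        print("INVESTIGATE:", finding)
```

Because the logs sit on the local disk, run the review against a copy taken off the host (or alongside the printed copy recommended above) rather than trusting only the file in place.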
Windows NT Server also offers the capability to monitor various events utilizing the Event Viewer. Windows NT Server records events that affect system components, security, and applications. The system log records events that affect drivers, printers, hardware and other components. The application log records events that affect the software and files. The security log records events such as failed logins and changes to user rights or audit policies. An organization can view all events at once or filter only for one component.
The Windows NT auditing feature records which resources were accessed, who accessed them, and what action was attempted. The Event Viewer also shows whether the attempt was successful.
The following figures, starting with Figure 7.1, illustrate the Event Viewer with a filtered view of security events. In Figure 7.1, the security events displayed are failed logins. An organization can obtain detailed information about a particular event in the security log by double-clicking on that event.
Figure 7.1: Windows NT Event Viewer.
Figure 7.2 shows the detailed information for the selected event. In Figure 7.2, we can see that someone attempted to log in to the system with the username DEBBIE. The login failed either because the username did not exist or due to an incorrect password.
Figure 7.2: Windows NT Event Viewer.
All the measures described above comprise a first step to securing and monitoring a system. These rudimentary steps can help to identify when a system is being probed. Other measures should also be taken to safeguard and firewall systems. There are several tools available that enhance an administrator's ability to monitor his or her system. Some of the available tools are discussed at the end of this chapter, and Chapter 15 describes others.
Organizations need to determine what measures are necessary for their system, based upon their environment. These measures are no substitute for a firewall, but having a firewall is no excuse not to monitor a system. If a system or systems are in an environment where the network is potentially hostile, then additional measures are most certainly in order. Even if a system sits on a secure or trusted network or behind a firewall, it is necessary to secure and monitor the system. Network security begins at the individual system level. An organization has no idea whether the next system administrator down the line is doing his or her job properly. In fact, employees could be hanging dial-up connections off of the system without proper security measures. Remember, a network is only as secure as the individual systems on that network.
Passwords
The first measure of a system's security is how effective it is in authenticating and identifying its users. There are three basic schemes for identification and authentication: something you know, something you have, or something you are. The most commonly employed scheme is "something you know," and the most widely implemented variation of this scheme is the use of passwords.
Passwords are used by most every system or network as the first and usually only means of identification and authentication. Even though passwords are the most widely deployed scheme of authentication, they are perhaps the weakest link in any system security scheme. However, there are a number of measures an organization can take to lessen the risks associated with the use of passwords: Obviously, passwords should never be shared between end users or employees.
Accordingly, every organization should have a policy that clearly states the users' responsibility to maintain password secrecy and the consequences for failing to do so. Meanwhile, however, people too often use passwords that are too short and/or too easy to guess or decipher, or they simply never change them. There are programs known as "crackers" that are easily obtained from the Internet that can be run on most systems to decipher the passwords in the password file.
Even if a password is encrypted for transmission between a client and a server, it can be captured and retransmitted at a later time as part of a "replay attack." Countermeasures for this include one-time passwords, tokens, or schemes such as Kerberos.
There are four general types of attacks on system passwords:
• Brute force;
• Dictionary-based;
• Password sniffing;
• Social engineering.
Brute Force
Brute-force attacks attempt to breach systems by trying every possible combination of letters and numbers till a match is found that provides access to the system. A brute-force attack is most effective if passwords are short in length and the passwords are only letters or only numbers, not a combination of both. The longer the password the more effort it takes to attempt every possible combination. Making a password a mix of letters, numbers, and special characters increases the difficulty exponentially.
Dictionary-Based
Dictionary-based attacks are much more effective than the brute-force approach. Many operating systems maintain a password file. This password file is a database of usernames and passwords. The passwords are almost always stored in the password file in an encrypted format. Dictionary-based attacks actually utilize programs that compare the encrypted passwords in the password file to encrypted words in a dictionary file. When a match is found, a password is found. Obviously, the dictionary-based method is most effective against passwords that are common or known words, names, or terms. Some systems try to get around this problem by not having a password file or not storing passwords. Windows NT for instance does not store passwords in a password file. Instead NT stores the hashed values of the passwords. However, password cracking programs exist for all computers and NOSs.
Password Sniffing
Network sniffing or packet sniffing is the process of monitoring a network to gather information that may be useful in an attack. One of the things that can be observed through network sniffing is passwords. With the proper tools, a hacker can monitor the network packets to obtain passwords or IP addresses.
Password sniffing is particularly a threat for users who log into a system over a network using telnet, rlogin, ftp, or a terminal emulator. For example, when a user logs into a UNIX system over a network using telnet, the password is transmitted to the system as cleartext. The system passes the cleartext password through the password encryption algorithm and compares it to the value stored in the password file. If they match, then the user is authenticated and allowed access to the system.
Generally, programs such as telnet, rlogin, and terminal emulators do not encrypt passwords entered at login for transmission to the system. As a result, when a user enters his or her password, it is transmitted in the clear, meaning anyone monitoring the network with a sniffer can read the password.
There are several different network sniffer programs available. Some are commercial products, and some are freeware. Figure 7.3 is an example of Network Associates' Sniffer Pro software. Sniffer Pro is a commercial software product that is typically used to monitor and diagnose problems with network performance. In Figure 7.3, the system with the Sniffer Pro software is on a small test network with two other systems to demonstrate network sniffing. For demonstration purposes, a telnet session is initiated from one system to another. Figure 7.3 illustrates how Sniffer Pro can capture the IP addresses of the two systems and the fact that the connection is a telnet session.
Figure 7.3: NAI's Sniffer Pro.
Figure 7.4 shows the detail information on the session. In Figure 7.4, the captured account username and password are listed in the "last user name" section. In this case, the account is "root," and the password is "secret-password." If I were a hacker, I could potentially capture this information and gain privileged access to the system.
Figure 7.4: NAI's Sniffer Pro.
Sniffer Pro, like most network sniffers, has the ability to store all captured information to a log file. As a result, a hacker could start up the network sniffer and leave it running for hours or days. He or she could then retrieve the log file and scan all captured network activity at leisure.
The risk associated with telnet and ftp is not just confined to UNIX. These utilities can also be used to connect to a Windows NT or 2000 server. However, they are most often used in the UNIX arena. The Windows graphical user interface, with its click and drag capabilities, makes utilities, such as telnet and ftp, largely superfluous. However, even Windows and Novell passwords can be vulnerable if they are captured by someone using a packet sniffer. When a user logs into Windows NT the password is hashed at the workstation before being transmitted to a server. Windows NT employs MD4 as the hashing algorithm. When the Windows NT server receives the hashed value, the server compares it to the value stored in the hash file. A challenge-response protocol is used to verify the password entered at the client. If they match, the user is then authenticated and allowed access to the system or network.
A user logging into a Windows NT server typically sends his or her username and domain name across the network in cleartext. Someone on the network with a sniffer can potentially capture the cleartext and the challenge-response. If it can be captured then the challenge response can potentially reveal the hashed value of the user's password. The hash value can then be subjected to a dictionary-based attack.
Windows NT does allow for optional authentication protocols, such as NT LAN Manager (NTLM). NTLM is the primary authentication protocol employed by NT. For Windows 2000, Microsoft has replaced NTLM with Kerberos as the primary security protocol for access to resources within or across Windows 2000 server domains. However, Kerberos can only be used between Windows 2000 systems. All other Windows clients must still use NTLM. In addition, Microsoft has been criticized for using proprietary data formats in its implementation of Kerberos.
With Novell, the process is as follows: When a user logs into Netware, the workstation receives a session key from the server. The workstation encrypts the password using a combination of session key and a user ID before transmitting it to the server. The server receives the encrypted password, decrypts the password, and authenticates the end user. Someone on the network with a packet sniffer could potentially capture the encrypted password in transit. It could then be subjected to a dictionary-based attack. The Windows NT and Novell Netware schemes that protect passwords in transit make it more difficult to obtain passwords, but not impossible.
Password Sniffing Countermeasures
There are several steps that an organization can take to reduce or eliminate the risks associated with network packet sniffers. One is to use network switches instead of network hubs. Switches can be used to segment a network and create virtual LANs (VLANs), which divide a switch into network segments that cannot see each other's packets.
Another approach is to use a program like SSH, a UNIX program designed to provide strong authentication and secure communications over an unsecured network. SSH is designed to be used in place of other programs such as telnet, rlogin, rsh, and rcp. SSH communications can be encrypted using IDEA, DES, 3DES, or RC4. Encryption keys are exchanged using RSA key exchange. SSH can protect against IP spoofing, IP source routing, DNS spoofing, and interception of cleartext passwords and other data by intermediate hosts. SSH can be purchased from various sources or downloaded at no charge from a number of sites on the Web.
Another countermeasure to password sniffing is to use one-time passwords. There are several different one-time password schemes. The most widely implemented scheme employs smart cards or token cards.
One of the best known products is RSA's SecurID, which uses a time-based token card (see Figure 7.5). The card displays a number that is synchronized with a login server. To access a system employing SecurID, it is necessary to enter the synchronized number. The number changes constantly and is never the same twice.
Figure 7.5: SecurID.
Other smart card products employ a challenge/response scheme. When you attempt to log in, the system issues a challenge. The user enters the challenge into a card that the user keeps; this card then displays the appropriate response. Subsequently, the user enters that response from the card into the system to gain access to the system. Both the challenge and response are never the same twice, so it does not matter if the response is sniffed and captured on the network. The challenge and response are only applicable at that moment and will never be used again.
Password Guidelines
Passwords should be at least eight alphanumeric and special symbol characters in length and should not be known words or names that can be found in a dictionary. Users should be restricted from using all numbers or all letters in a password.
The maximum number of times any single character can be repeated in a password should be restricted to three. This is to prevent someone from using a password that is all one word or letter, such as aaaaaaaa or 22222222. If possible, users should be required to use at least six distinct characters in an eight-character password. Some systems allow you to assign a mask that dictates the password format.
Other things to avoid using as passwords include telephone numbers, license plates, and birthdates. Whenever possible include special symbols in passwords.
System controls should be configured to restrict users from using the same password more than once or at least set the system so that 36 weeks must pass before a user can reuse a password. If possible, the controls should also be configured to require that eight to ten new passwords be used before an individual can reuse an old password again.
Passwords should have a minimum and maximum life. The minimum life should be a few days to a week. The maximum life should be 45 days. All system and network accounts should be forced to change their passwords at least every 45 days. Passwords should have a minimum life to prevent someone from changing an account's password enough times in a single day to get around the restriction on using the same password more than once. The minimum will also prevent a hacker from changing an account's password, then changing it back to the original password, to avoid detection.
Passwords must never be the same as the account username. Nor should a password be something associated with the account username (e.g., username = system, password = manager). Years ago I worked on Digital Equipment Corporation (DEC) VAX/VMS systems. All VAX systems had two special account usernames, one called "system" and the other called "field." The "system" account was intended to be used by the system administrator, and the "field" account was intended to be used by DEC field service technicians. At more than one site at which I worked the "system" account had the password "manager" or "administrator," and the "field" account had the password "service." Back then it was not uncommon to find those usernames and passwords in use on many of the VAX systems installed.
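The composition, reuse and aging rules above can be enforced mechanically. The following Python is an added example written for this page, not code from the original study; the dictionary, the sample passwords and the dates are constructed, and the salted PBKDF2 history store is an assumption about how a system might keep its record of previous passwords.

```python
import hashlib
import os
from datetime import date, timedelta

# Policy constants taken from the guidelines above (values are the study's).
MIN_LENGTH = 8
MAX_REPEAT = 3           # any single character at most three times
MIN_DISTINCT = 6         # distinct characters required in an eight-character password
HISTORY_DEPTH = 8        # new passwords required before an old one may be reused
MIN_AGE_DAYS = 3
MAX_AGE_DAYS = 45

# Constructed stand-in for a real dictionary / compromised-password list.
DICTIONARY = {"password", "manager", "service", "administrator", "welcome"}


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; returns (salt, digest). Used for the reuse-history store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def in_history(password, history):
    """True if the candidate matches any (salt, digest) pair inside the reuse window."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])


def composition_violations(password, username):
    """Return the list of composition rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.isdigit() or password.isalpha():
        problems.append("all digits or all letters")
    if password and max(password.count(c) for c in set(password)) > MAX_REPEAT:
        problems.append("a character repeats more than %d times" % MAX_REPEAT)
    if len(set(password)) < MIN_DISTINCT:
        problems.append("fewer than %d distinct characters" % MIN_DISTINCT)
    lowered = password.lower()
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    if username.lower() in lowered:
        problems.append("contains the username")
    return problems


def change_allowed(candidate, username, history, last_changed, today):
    """Combine composition, reuse and minimum-age checks for a change request."""
    problems = composition_violations(candidate, username)
    if in_history(candidate, history):
        problems.append("reused within the last %d passwords" % HISTORY_DEPTH)
    if last_changed is not None and (today - last_changed).days < MIN_AGE_DAYS:
        problems.append("changed less than %d days ago" % MIN_AGE_DAYS)
    return problems


def must_change(last_changed, today):
    """Maximum-age rule: force a change once the password is older than MAX_AGE_DAYS."""
    return (today - last_changed).days > MAX_AGE_DAYS


def demo():
    """Constructed scenario exercising the age and history rules; returns results by name."""
    today = date(2024, 2, 20)
    history = [hash_password("Tr4ck-Fe7ch!")]
    return {
        "reuse_blocked": in_history("Tr4ck-Fe7ch!", history),
        "fresh_allowed": not in_history("Other-Pw9x", history),
        "too_soon": change_allowed("Other-Pw9x", "john", history,
                                   today - timedelta(days=1), today),
        "expired": must_change(today - timedelta(days=50), today),
        "not_expired": must_change(today - timedelta(days=31), today),
    }
```

Storing salted hashes rather than the old passwords themselves matters: a history file of plaintext passwords is exactly the kind of "little yellow sticky" an attacker hopes to find.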
Some systems can generate passwords that consist of a random combination of letters and numbers. System-generated passwords are usually not susceptible to dictionary attacks. However, speaking from personal experience, I do not recommend system-generated passwords. System-generated passwords are difficult to remember, which causes users to write them down, thereby creating a security hole rather than plugging one. If the password is not selected by the end user, it has no meaning and nothing to make it easily remembered. When end users cannot remember passwords, they write them down on those little yellow stickies and stick them on their computers or monitors, or else they call the IT help desk every other day and ask for a new password.
Most systems store passwords in hashed (one-way) form, commonly but loosely described as encrypted. Most versions of UNIX also support the use of shadow password files. Shadow password files add an extra level of security by keeping the password hashes in a separate file from the world-readable "passwd" file. The shadow password file can only be read by "root," and not by normal system users, which denies an attacker the hashes needed for an offline dictionary attack.
It has been my experience that it is sometimes necessary to share a password for a privileged account with someone outside the organization. Usually, it is necessary when a vendor is installing a system or providing support. In these circumstances, I recommend that you change the password for the privileged account to something innocuous, so the vendor can log into the system to work, but then change the password again immediately when the vendor has finished its work. Individuals outside of the organization should never hold standing passwords to privileged accounts. (Where the platform allows it, a separate, time-limited account for the vendor is preferable to sharing the privileged one, because it leaves an audit trail attributable to the vendor.)
Many systems, when first installed, have system account usernames with preset passwords or no passwords at all. If these accounts are not needed they should be deleted. If the accounts are required, then reset the passwords.
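The check for default or password-less accounts can be scripted. The following Python is an added example for this page, not code from the original study: it parses constructed /etc/passwd- and /etc/shadow-style records and reports accounts with an empty password field, extra UID 0 accounts, and system accounts that still have a usable password and an interactive shell. The UID cutoff of 1000 and the list of non-login shells are assumptions.

```python
# Added example (not from the original study): audit passwd/shadow-style data
# for the default-account problems described above. Both samples are
# constructed; on a real host read /etc/passwd and /etc/shadow instead.

SYSTEM_UID_LIMIT = 1000          # assumption: UIDs below this are system accounts
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
field:x:0:0:vendor service account:/home/field:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:guest:/home/guest:/bin/sh
john:x:1002:1002:John:/home/john:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$c0nstructed$abcdef:19700:0:99999:7:::
field:$6$c0nstructed$123456:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
guest::19700:0:99999:7:::
john:!$6$c0nstructed$789abc:19700:0:99999:7:::
"""


def parse_colon_file(text, fields):
    """Parse name:field:... lines into {name: {field: value}}; blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        table[parts[0]] = dict(zip(fields, parts))
    return table


def is_locked(hash_field):
    """'*', '!' or a '!'-prefixed hash means no password can ever match."""
    return hash_field.startswith(("*", "!"))


def audit_accounts(passwd_text, shadow_text):
    """Return (user, finding) pairs for accounts that need deleting or resetting."""
    passwd = parse_colon_file(
        passwd_text, ["name", "pw", "uid", "gid", "gecos", "home", "shell"])
    shadow = parse_colon_file(
        shadow_text, ["name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire"])
    findings = []
    for user, entry in passwd.items():
        uid = int(entry["uid"])
        if user not in shadow:
            findings.append((user, "no shadow entry"))
            continue
        hash_field = shadow[user]["hash"]
        if hash_field == "":                      # empty field: login with no password
            findings.append((user, "no password set"))
        if uid == 0 and user != "root":           # a second superuser account
            findings.append((user, "UID 0 account other than root"))
        usable = hash_field != "" and not is_locked(hash_field)
        if (uid < SYSTEM_UID_LIMIT and user != "root" and usable
                and entry["shell"] not in NOLOGIN_SHELLS):
            findings.append((user, "system account with a usable password and login shell"))
    return findings
```

Run against the samples, the audit flags "guest" (no password) and the vendor's "field" account (UID 0 and a usable password), while "daemon" and the locked "john" account are reported clean.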
Access Control
Once a system identifies and authenticates an account as having legitimate access to the system, the end user is allowed to log in. Once the user is logged into the system, the user is given authorization to access system resources, such as files. The authorization can be thought of as access privileges. The discretionary privileges can be defined by an access control list (ACL). An ACL is the mechanism that restricts or grants access to a system's resources. Each system resource or object has an ACL, which lists the users or entities that can access that resource. Each entry within the ACL defines the access rights of that entry to the resource; in other words, it dictates whether the user or entity has read, write, or delete access to the resource. An ACL therefore specifies the permission level that must be granted, with respect to a protected resource, in order to access it. It is stating the obvious to say that an organization should use some method that controls employee access to its systems and networks. This can include some kind of menu system or some mechanism for monitoring and controlling access levels to data and applications. ACLs should be assigned for the network and for individual systems. Even Windows-based client/server applications are designed with back-end methods of controlling access to the various functions.
Permissions
Most computers and NOSs employ the concept of "permissions" for controlling access. Permissions specify what operations different users can perform on specific files and directories. Every user is assigned a level of access to each directory and file. Every user and file is assigned to a group. Groups can be specified in the ACL. Rather than having separate entries for individuals of a common group, a single entry for the group in the ACL can specify the permissions for all the individuals. With most systems there are at least three or four levels of permission:
• Read: An end user assigned this access level, either to a file or a directory, has the ability to read and view the contents and properties.
• Write: An end user assigned this access level, either to a file or a directory, has the ability to write to or alter a file or create files in the directory and, in some cases, alter the access rights to a directory or to files in the directory.
• Execute: This privilege, when granted, allows the end user to execute programs in a given directory.
• Delete: This access right allows the end user to delete a file, a directory, or files in a directory.
With most computers and NOSs, file access is divided into three levels that depend on the group to which the user belongs: owner, group, and public or world. (In addition, each "group" is assigned access levels to particular resources.) These levels are described as follows.
• Owner: This refers to the owner of a file or resource. The owner is designated either by virtue of having created the resource or by being given, or taking ownership of, the resource. The owner of a particular resource usually has read, write, execute, and delete rights to the resource, but that is not always the case. It is not uncommon for an owner of a resource to accidentally remove all of his or her access rights to a resource. This can be done by removing all permissions from the file or by transferring ownership of the file to someone else. Usually, when this occurs the user cannot get the rights back without assistance from a system administrator.
• Group: This refers to users that share a common bond, such as working in the same department. For example, all users in human resources would form a group. The users within the human resources group can be assigned read, write, execute, or delete access to a particular file. The ACL for the particular resource could specify that all individuals in the human resources group are assigned read, write, execute, and delete permission. Other groups could be excluded from having any permissions or could be given limited access, perhaps read only.
• World or public: This refers to the access level that everyone has to a resource. With Windows this group is designated as Everyone. The world can be assigned read, write, execute, or delete access to a particular resource, such as a file or directory, but it is usually restricted to read access for security reasons. Frequently, resources on a network such as printers or a shared directory available to all users will have limited access levels assigned to the world or public group. Printers in particular require some level of access to send print jobs to the resource. You just need to ensure that the access levels are only those needed to function. You should be careful about giving the world or public group "delete" level access to any resource. For example, if you give the world delete access to a network printer, then anyone can delete that resource either accidentally or maliciously.
In contrast, UNIX uses only three permissions: read, write, and execute. (Deleting a file in UNIX is governed by write permission on the directory that contains it, not by a permission on the file itself.) Figure 7.6 illustrates the assigned file permissions on a UNIX file system; the access rights are displayed in the column on the far left-hand side, while the file name is in the column on the far right-hand side.
Figure 7.6: UNIX file permissions.
The permissions in the left-hand column consist of 10 letters or dashes (-). The first character in the column indicates the file type. If the line begins with a "d" then it is a directory, while an "l" indicates a link. If the line begins with a "-" then it is a regular file. The next nine characters indicate the access rights for the three categories of owner, group, and other. "Other" is the UNIX equivalent of world or public. The first three characters indicate the access rights for the owner. In Figure 7.6 the first line shows that the file TCPNWRAP.TAR has the access rights "rw-rw-rw-". Those nine characters are the access rights assigned to the three categories of owner, group, and other. All three categories have read (r) and write (w) access, but not execute; a world-writable file like this one can be altered by any user on the system. The next figure illustrates an example where the owner has read and write access, the group has read and execute access, and other has read-only access.
Group access privileges.
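As an added example (not part of the original study), the following Python decodes the ten-character mode strings of an ls -l listing into octal, including the setuid, setgid and sticky bits, and flags the entries a reviewer would query: world-writable files (like the rw-rw-rw- tarball above) and setuid programs. The listing is constructed and assumes the usual nine-column ls -l layout; other ls variants may differ.

```python
# Added example (not from the original study): decode ls -l permission strings
# into octal and flag the risky cases. The listing below is constructed.

SAMPLE_LISTING = """\
-rw-rw-rw-   1 root  staff   10240 Jan  5 10:00 TCPNWRAP.TAR
-rw-r-xr--   1 alice staff     512 Jan  5 10:01 report.txt
-rwsr-xr-x   1 root  root    40960 Jan  5 10:02 su
drwxrwxrwt   2 root  root     4096 Jan  5 10:03 tmp
lrwxrwxrwx   1 root  root        4 Jan  5 10:04 sh -> bash
"""

TYPES = {"-": "file", "d": "directory", "l": "symlink"}


def parse_mode(mode_str):
    """Turn e.g. '-rwsr-xr-x' into {'type': 'file', 'octal': 0o4755}."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string")
    bits = 0
    # Nine permission slots after the type character: owner rwx, group rwx, other rwx.
    # 's' and 't' in an execute slot mean the execute bit is set as well; 'S'/'T' mean it is not.
    for i, ch in enumerate(mode_str[1:]):
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    if mode_str[3] in "sS":          # owner execute slot carries setuid
        bits |= 0o4000
    if mode_str[6] in "sS":          # group execute slot carries setgid
        bits |= 0o2000
    if mode_str[9] in "tT":          # other execute slot carries the sticky bit
        bits |= 0o1000
    return {"type": TYPES.get(mode_str[0], "other"), "octal": bits}


def audit_listing(text):
    """Return (name, finding) pairs for world-writable and setuid/setgid entries."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split(None, 8)                 # mode links owner group size mon day time name
        mode_str, owner, name = cols[0], cols[2], cols[8]
        mode = parse_mode(mode_str)
        if mode["type"] == "symlink":
            continue                               # the link target's own mode is what matters
        bits = mode["octal"]
        sticky_dir = mode["type"] == "directory" and bits & 0o1000
        if bits & 0o002 and not sticky_dir:       # world-writable, and not a /tmp-style directory
            findings.append((name, "world-writable"))
        if bits & 0o4000:
            findings.append((name, "setuid root" if owner == "root" else "setuid"))
        if bits & 0o2000:
            findings.append((name, "setgid"))
    return findings
```

The sticky-bit exception is deliberate: a world-writable directory such as /tmp is expected, provided the sticky bit stops users deleting each other's files; a world-writable regular file never is.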
Microsoft's Windows NT also employs ACLs and the concept of groups. Figure 7.8 illustrates the User Manager utility in NT. Various accounts, such as Administrator, Guest (which should be disabled), John, and other default accounts are listed in the top half of the screen. In the bottom half of the screen, the various groups are listed. They include Administrators and Power Users. It could also include groups such as human resources and accounting.
Windows NT server user manager.
The following figure illustrates the access rights that are assigned to the network resource VOL1. The box in the lower right-hand corner shows how the access rights can be refined by either removing Everyone altogether or by assigning a more restricted access level such as Read or Change.
Windows NT access controls.
Access control, permissions, and groups are important concepts to understand because they are important tools for controlling end users' access to system resources. When used in conjunction with effective group assignment, access rights can be an effective security measure. Unfortunately, access rights are frequently overlooked or ignored, and group assignments usually entail nothing more than assigning all users to a single group. As a result, the access rights to critical system files frequently leave the system vulnerable to being compromised.
Modems
Modems connected to systems on the network are perhaps the single greatest source of security vulnerability in most organizations' network infrastructure. Many organizations implement comprehensive security measures to protect the company's network only to have the measures undone by a modem connected to a system that is connected to the network.
The rule should be: if the system is on the network, then there is no modem attached. Only stand-alone systems should be set up with modems. Putting a modem on a system connected to a network that resides inside a firewall is like putting a deadbolt on the front door while leaving the back door wide open. A system connected to the corporate network should never be allowed to dial into another network such as the Internet without security precautions. It creates an unprotected gateway between the corporate network and the Internet through which it is possible for a hacker to gain access. It is also a method through which someone can perform an unauthorized transfer of files, both in and out. If you want to be able to monitor the flow of information, then all traffic should be required to go through a firewall.
If it is absolutely necessary to install modems on systems connected to the corporate network, then closely monitor all activity on those modems. It is possible to configure most operating systems to log activity for the modem ports. The log for the modem ports should be reviewed daily to ensure that every connection to the port was for a legitimate reason. Organizations with remote users that have to provide dial-in access should consider using security modems with dial-back capability or a secure ID scheme (dial-back alone can be defeated through call forwarding, so it should not be the only control). At the very least, they should not leave the modem connected all the time. They should only connect it when it is actually being used and unplug it when the work is completed. Business requirements will really dictate what an organization can and cannot do. A company with end users that require remote access does not have the option of leaving modems unplugged.
Small shops with only a few modems should find it fairly simple to monitor and secure their modems. On the other hand, for operations with very large networks or ISPs, monitoring modems is much more problematic. There are programs or systems available that actually detect modems on the network. These systems vary in their effectiveness and can be dependent on the type of network and how it is configured.
To a limited extent, companies can control modem connections if they employ a digital PBX telephone system. Modem connections simply will not work through a digital PBX, and refraining from installing any analog circuits eliminates much of the risk. However, most organizations have analog circuits installed for fax machines, which can be used by a modem. In addition, cellular technology can allow a user to completely bypass the company PBX.
The vulnerabilities associated with modems connected to a corporate network illustrate why it is so important to harden every system on the network. Firewalls are too easily circumvented to be the sole source of security for the internal network.
Information Availability
One of the key components of information security is "availability." This refers to the ability to access the information on a network or system when it is needed. Not only must the data be accessible, but it must also be timely and accurate. One of the best ways to ensure availability is through data redundancy. Data redundancy can be achieved in different ways. Each method provides a varying degree of redundancy and backup. In addition, each method has different requirements in terms of recovery time should it be necessary to resort to backups. Different methods of providing data redundancy include disk mirroring, redundant array of independent (or inexpensive) disks (RAID), data streaming, hot backup, and total redundancy, described as follows.
• Disk mirroring: Disk mirroring is a rather generic term for the process of duplicating data from one hard disk to another hard disk. Mirrored drives operate in tandem, constantly storing and updating the same files on each hard disk. Should one disk fail, the file server issues an alert and continues operating on the other disk.
The normal procedure in the case of a mirrored disk failure is to bring the server down at the earliest opportunity and replace the damaged disk. The system will automatically copy the redundant data on the file server to the new disk. The mirrored disks can be configured with a shared controller or with separate controllers (the latter is sometimes called duplexing). Obviously, the configuration with separate controllers provides more redundancy. For organizations whose systems operate on a 24x7 schedule, disk mirroring also enhances the ability to perform backups. With most operating systems, open files cannot be backed up, because they are open and being updated by another process. As a result, if you back up a system on which files are being updated, you will get an incomplete backup. Disk mirroring provides two sets of identical files on separate disks. As a result, when it performs a backup, an organization has the ability to "break" the mirror to back up one full set of disks. This, in effect, stops the mirror process for the mirror disks. The live files on the "mirrored" disk will continue to be updated by transactions and processes. The files on the "mirror" disk will be static, because the mirror process has been broken. As a result, it is possible to get a complete backup from the mirror drives. When the backup process is complete, you simply reinitiate the mirror process, and it will update the mirror disks with the changes that have occurred on the mirrored disks while the backup was taking place. Note that mirroring protects against disk failure, not against data errors: a deleted or corrupted file is mirrored just as faithfully, so mirroring complements backups rather than replacing them.
• RAID: RAID is a category of disk storage that employs two or more drives in combination for fault tolerance and performance. RAID arrays are used frequently on servers. There are a number of different RAID levels, with the most common being 0, 1, 3, and 5:
o Level 0 performs data striping, spreading out blocks of each file across multiple disks. While this can improve performance, it does not provide redundancy or fault tolerance; losing any one disk loses the whole array.
o Level 1 is disk mirroring as described above.
o Level 3 stripes data at the byte level across the data disks and writes parity to a single dedicated parity disk, so it survives the loss of any one disk at the cost of the parity disk being a write bottleneck.
o Level 5 performs block-level striping with the parity information distributed across all the disks rather than held on one, which provides enhanced performance and tolerates the loss of any single disk. A second failure before the array has been rebuilt loses the data, so failed disks must be detected and replaced promptly.
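As an added example (not from the original study), the following Python shows the parity arithmetic behind RAID levels 3 and 5: data is striped across disks, one chunk per stripe holds the XOR of the others, and with the parity chunk rotated across disks in the RAID 5 fashion any single lost disk can be rebuilt from the survivors. Disk count, chunk size and the sample data are constructed; a real controller works on sectors rather than Python lists.

```python
# Added example (not from the original study): XOR parity as used by RAID 3/5.
# Sample data and geometry (4 disks, 4-byte chunks) are constructed.


def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the parity computation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def build_stripes(data, ndisks=4, chunk=4):
    """Stripe data across ndisks; stripe s keeps its parity on disk s % ndisks (RAID 5)."""
    per_stripe = chunk * (ndisks - 1)                 # data bytes per stripe
    data = data + b"\0" * ((-len(data)) % per_stripe)  # pad the last stripe
    stripes = []
    for s in range(len(data) // per_stripe):
        piece = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [piece[i * chunk:(i + 1) * chunk] for i in range(ndisks - 1)]
        parity_pos = s % ndisks
        stripes.append(chunks[:parity_pos] + [xor_blocks(chunks)] + chunks[parity_pos:])
    return stripes


def fail_disk(stripes, disk):
    """Simulate losing one disk: every chunk on that disk becomes unreadable (None)."""
    return [[None if d == disk else blk for d, blk in enumerate(stripe)] for stripe in stripes]


def rebuild(stripes):
    """Recover a single missing chunk per stripe; any block equals the XOR of the others."""
    rebuilt = []
    for stripe in stripes:
        missing = [d for d, blk in enumerate(stripe) if blk is None]
        if len(missing) > 1:
            raise ValueError("single parity cannot recover two lost disks")
        stripe = list(stripe)
        if missing:
            stripe[missing[0]] = xor_blocks([blk for blk in stripe if blk is not None])
        rebuilt.append(stripe)
    return rebuilt


def read_data(stripes, length):
    """Reassemble the original bytes, skipping each stripe's rotating parity chunk."""
    ndisks = len(stripes[0])
    out = bytearray()
    for s, stripe in enumerate(stripes):
        parity_pos = s % ndisks
        for d, blk in enumerate(stripe):
            if d != parity_pos:
                out += blk
    return bytes(out[:length])
```

A RAID 3 array is the same arithmetic with parity_pos fixed at one disk for every stripe; a RAID 0 array is build_stripes without the parity chunk, which is why fail_disk on it cannot be followed by rebuild.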
• Streaming: Before RAID and disk mirroring became generally available, certain operating systems offered the feature of streaming. Disk drives were less reliable years back, or at least they seemed to be. By comparison, today's disk drives are much more reliable and have a longer mean time between failures. Years ago it was not uncommon to have a disk drive fail without warning. In this environment streaming was employed. Streaming is the process of writing transactions to another medium at the same time the transactions update the data files. One common implementation is to write the transactions to tape. As transactions take place and update database files on the disk drive, they are simultaneously written to tape. If a disk drive crashed in the middle of the day, you could restore from the previous night's backup and then just update the files with the day's transactions that had been streamed to tape. Streaming gave system administrators a process that recovered all data, even if a disk drive crashed during processing. However, the streaming process creates a lot of overhead in terms of CPU and I/O on a system. This additional burden could really affect system performance.
• Hot backup: Hot backup is a technique used to provide for the ongoing operation of a LAN should a file server fail. In this technique, two file servers operate in tandem. Data is duplicated on the hard disks of the two servers. In effect, this is like disk mirroring but across two servers instead of one. If one server fails, the other server automatically assumes all LAN operations without any outage being apparent to the users of the LAN. The servers can be immediately adjacent to one another or may be thousands of miles apart.
• Total redundancy: It is not uncommon for organizations to maintain entirely redundant data centers. For example, many large financial institutions maintain duplicate data centers. Several large financial institutions in California maintain one center in northern California and another in southern California, with both centers connected by very high-capacity, high-speed circuits. This is only prudent considering California's propensity for earthquakes. In some instances this redundancy is reflected in the financial institution's ATM network. Two ATMs sitting side by side may be connected to different data centers.
Useful Tools
There is a wealth of useful tools available that assist in tightening operating system security and enhancing the general operation of most systems. Many of these tools are available free of charge and can be downloaded from the Internet. Unfortunately, almost all of them are for UNIX-based systems. This is largely due to UNIX's history as an open operating system used extensively in the academic community. A list of some of the tools available on the Internet follows:
• Computer Oracle and Password System (COPS): COPS was written by Dan Farmer at Purdue University. COPS is a collection of tools that can be used to check for common configuration problems on UNIX systems. COPS checks for items such as weak passwords, anonymous ftp or unrestricted tftp, and inappropriate permissions. COPS details its findings in reports that an administrator can use to strengthen a system's security.
• Security Administrator's Tool for Analyzing Networks (SATAN): The SATAN tool is designed to help system administrators recognize several common networking-related security problems. SATAN identifies and generates a report on problems along with information that explains each problem, the possible consequences of the problem, and how to fix it. The major difference between COPS and SATAN is that SATAN concentrates on specific network configuration issues, while COPS is more concerned with host-specific issues. SATAN can be downloaded from various sites, including CIAC.
• Security Administrator's Integrated Network Tool (SAINT): An updated and enhanced version of SATAN that is designed to assess the security of computer networks. SAINT can be downloaded at http://www.wwdsi.com/saint.
• TITAN: Created by Brad Powell of Sun Microsystems, TITAN is similar to COPS in that it is a collection of scripts designed to strengthen a system's security. The major difference between COPS and TITAN is that TITAN works at a lower level in the operating system, fixing configuration errors, while COPS checks for problems such as file permissions and weak passwords. TITAN will not only report on findings, it will actually correct problems. Like COPS and SATAN, TITAN checks different aspects of security. These programs are not mutually exclusive; running one of the programs does not dilute the benefit of running the others.
• TIGER: Similar to COPS in that it is a set of scripts that check a system's configuration. However, it is considered easier to configure and use than COPS. TIGER was originally developed at Texas A&M for checking UNIX system security. TIGER is available at various sites, including Purdue University's COAST site and CIAC.
• TCPWrapper: A UNIX network security monitoring program that filters access to the various inetd-invoked services based upon the client's IP address. This program allows for the monitoring and control of connections via tftp, exec, ftp, rsh, telnet, rlogin, and finger. Access can be controlled at both the host and the service level, through the hosts.allow and hosts.deny files. It can be very effective in providing an additional level of security to the systems on a network. TCPWrapper is available at a number of sites, including the CIAC site. I highly recommend this program for securing UNIX systems.
• Tripwire: A file integrity-monitoring program developed in 1992 at Purdue University. The utility compares a specific set of files against information stored in a database from previous runs of the program. The database maintains a cryptographic hash (fingerprint) of the contents of each directory and file. The database also contains information that allows an organization to verify the access permissions, ownership, groups, and other information that would be pertinent to the integrity of the file system. Any differences that the Tripwire program finds between the current run and the previous runs are flagged and logged. Tripwire can be run against system files to identify any changes in critical system files. If Tripwire is run on a regular basis, a system administrator can be relatively certain that the integrity of system files is maintained and remains free from unauthorized modifications. (The baseline database itself must be kept where an intruder cannot rewrite it, for example on read-only media; otherwise a clean comparison proves nothing.) There is an open source version of Tripwire, which can be found at various Web sites including CIAC's. There is also a commercial version that can be purchased at http://www.tripwire.com.
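What Tripwire does can be shown in a few dozen lines. The following Python is an added example written for this page, not Tripwire's own code: it takes a baseline of content hashes, permissions, ownership and size for every file under a directory, then compares a later run against it and reports additions, removals and changed attributes. The tampering scenario in demo() is constructed in a temporary directory and assumes a POSIX file system.

```python
# Added example (not Tripwire's code): a minimal file-integrity baseline and
# comparison. The demo() scenario is constructed in a temporary directory.
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Hash the contents and record the metadata an integrity checker should watch."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def baseline(root):
    """Walk root and fingerprint every regular file; keys are paths relative to root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root).replace(os.sep, "/")] = fingerprint(full)
    return db


def compare(old, new):
    """Report files added, removed, and changed (naming the attributes that differ)."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)), "changed": {}}
    for path in sorted(set(old) & set(new)):
        reasons = [k for k in old[path] if old[path][k] != new[path][k]]
        if reasons:
            report["changed"][path] = ["content" if k == "sha256" else k for k in reasons]
    return report


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, and diff it."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
            os.chmod(full, mode)

        write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        write("bin/login", "#!/bin/sh\nexec /sbin/real-login \"$@\"\n", 0o755)
        before = baseline(root)
        # Simulate an intruder: a replaced program, loosened permissions, a new file.
        write("bin/login", "#!/bin/sh\n# tampered\nexec /sbin/real-login \"$@\"\n", 0o755)
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        write("etc/evil", "unexpected file\n")
        return compare(before, baseline(root))
```

The same fingerprint() routine is what you would apply to a downloaded archive before installing it, comparing the digest against the one the distribution site publishes.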
Again, I must caution the reader about downloading files from the Internet. Even if you are downloading files from a known and trusted Web site such as CIAC or the CERT Coordination Center, verify the source code and check the distribution's published checksum or signature before installing it. For example, in January 1999 (CERT Advisory CA-1999-01) security advisory bulletins were circulated warning of a copy of TCPWrapper that contained a Trojan horse. If an unsuspecting system administrator installed the altered version of TCPWrapper on his or her system, the system would be vulnerable to attack. The tainted version of TCPWrapper
LAN Security
LAN Guidelines
It is often difficult to distinguish where the individual server ends and the network begins. Some NOSs can be configured so that the end user logs into a domain to access network resources. For other NOSs the user logs into a server. In the case of the latter, the server is the network. As a result, system security can also pertain to LAN/WAN security. Certainly the discussion covering guidelines for passwords can be applied directly to network authentication. Conversely, much of what will be covered in this chapter can also be applied to system security.
Controlling End User Access
Creating an account and assigning a password are only small parts of giving someone access to the network. A network administrator also has to determine other account parameters such as when an end user can access the network, what groups the user is associated with, what files he or she can access, and limitations on network and server resources.
Concurrent Logins
Consideration should be given to restricting concurrent logins for end users. In other words, users should not be allowed concurrent sign-on privileges. Once an end user has logged into a network they should not be able to log in somewhere else without first logging out from where they originally logged in. The only exception to this rule should be the LAN administrator and his or her backup. While I recognize that this could cause operational problems for some users, there are several reasons for limiting concurrent sign-ons. First, it saves network resources, such as memory and licenses. It can also prevent the unauthorized use of an account while the legitimate user is logged in. It also prevents the user from forgetting to log out.
When you allow concurrent sign-ons, the end users often lose track of where they are logged in and forget to sign off everywhere. Users can leave themselves logged into the network on a workstation without even realizing it. They open a window of vulnerability to the network and themselves when they leave accounts signed on.
One solution to this problem is to implement a process that automatically logs off inactive users. There are also systems that freeze a workstation or lock a keyboard on an inactive session after a specified period of time. To release the keyboard lock the user must enter a password.
Certain operating systems provide some limited capabilities to lock inactive systems. For example, MS Windows screen savers can be configured so that they require a password. This isn't the most secure solution, but it can be better than nothing at all. The main drawback to this solution is that there is no ability for a system administrator to override the password protection. Third-party packages usually offer better solutions. There are systems available for most every network or computer operating system. The systems for client/server workstations usually operate very differently from those that are designed for terminal sessions. With a workstation the process runs in memory. When there is no activity for a specified period of time, the process may run a time-out program that requires the password of an authorized user to reactivate the workstation. When using a terminal session for an operating system such as Unix or VMS, the time-out process is usually part of a menu system, or it may operate at the application level. As a result, if you are not in the particular menu system or application, but functioning at the operating system level, the time-out process will not work.
There are programs available that run on Unix, VMS, and other midrange operating systems that search for idle user processes at the operating system level and "kill" them. The programs are designed to terminate processes that have been idle for a specified period of time. However, organizations run the risk of upsetting end users when they employ one of these programs.
Available Disk Space
It is important to limit the amount of disk space allocated to each end user. Giving users unlimited disk space may end up requiring the purchase of additional disk capacity. I have seen situations where users crashed servers because their accounts did not restrict the amount of disk space the user was allowed. In one instance, a user was running a report that spooled a massive file to disk. The result was that all the available space was consumed, and the server crashed. Users should also be encouraged to clean up their directories on a regular basis.
I recognize that the comparative cost of disk drives continues to drop to where the cost per megabyte is nominal, but disk drives still need to be backed up. That process entails time and personnel, which can increase your operating costs. Why go through the added expense of backing up files needlessly when they can just as easily be deleted?
Restrictions to Location or Workstation
Consideration should be given to restricting, to a specific workstation, end users who are authorized to enter sensitive transactions or who perform particularly sensitive and/or confidential work. It is preferable to locate the station in a restricted area. Obviously, access to the server itself should be restricted to the LAN administrator and his/her backup.
Time/Day Restrictions
Consideration should be given to restricting end user access to business hours only, especially for those employees who are authorized to access and use sensitive and/or confidential data. If an employee does not normally work in the evenings and on the weekends, then the ability to access the network should be restricted for that time period. Most every operating system and NOS has the capability to restrict an account's access to specific time periods.
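The account parameters above (concurrent logins, time-of-day and day-of-week windows, workstation restrictions and idle time-outs) can be expressed as one policy check. The following Python is an added example for this page, not code from the original study or from any NOS; the user table, the workstation names and the timestamps are constructed, and a real directory service would hold the equivalent attributes.

```python
# Added example (not from the original study): a small session-policy engine
# enforcing the LAN account parameters discussed above. Everything in USERS
# and demo() is constructed.
from datetime import datetime, timedelta

USERS = {
    # hours are local business hours [start, end); days use Monday=0 .. Sunday=6
    "john":   {"admin": False, "hours": (8, 18), "days": {0, 1, 2, 3, 4}, "workstations": {"WS-12"}},
    "alice":  {"admin": False, "hours": (8, 18), "days": {0, 1, 2, 3, 4}, "workstations": None},
    "lanadm": {"admin": True,  "hours": (0, 24), "days": set(range(7)),   "workstations": None},
}
IDLE_LIMIT = timedelta(minutes=15)


class SessionManager:
    def __init__(self, users):
        self.users = users
        self.sessions = {}          # (user, workstation) -> time of last activity

    def login(self, user, workstation, now):
        """Return (True, 'ok') or (False, reason) for a login attempt at time `now`."""
        policy = self.users.get(user)
        if policy is None:
            return False, "no such account"
        start, end = policy["hours"]
        if now.weekday() not in policy["days"] or not start <= now.hour < end:
            return False, "outside permitted time/day"
        allowed = policy["workstations"]
        if allowed is not None and workstation not in allowed:
            return False, "workstation not permitted"
        already = [ws for (u, ws) in self.sessions if u == user]
        if already and not policy["admin"]:     # only administrators may hold two sessions
            return False, "already logged in at %s" % already[0]
        self.sessions[(user, workstation)] = now
        return True, "ok"

    def activity(self, user, workstation, now):
        """Record activity so the session is not treated as idle."""
        if (user, workstation) in self.sessions:
            self.sessions[(user, workstation)] = now

    def logout(self, user, workstation):
        self.sessions.pop((user, workstation), None)

    def expire_idle(self, now, limit=IDLE_LIMIT):
        """Drop sessions idle longer than `limit`; returns the (user, ws) pairs removed."""
        stale = [k for k, last in self.sessions.items() if now - last > limit]
        for k in stale:
            del self.sessions[k]
        return stale


def demo():
    """Constructed sequence of login attempts; returns each decision by name."""
    mgr = SessionManager(USERS)
    tue_9 = datetime(2024, 1, 9, 9, 0)                         # Tuesday 09:00
    out = {}
    out["john_first"] = mgr.login("john", "WS-12", tue_9)
    out["john_second"] = mgr.login("john", "WS-12", tue_9 + timedelta(minutes=5))
    out["john_wrong_ws"] = mgr.login("john", "WS-99", tue_9)
    out["john_saturday"] = mgr.login("john", "WS-12", datetime(2024, 1, 13, 10, 0))
    out["alice_evening"] = mgr.login("alice", "WS-07", datetime(2024, 1, 9, 22, 0))
    out["admin_twice"] = (mgr.login("lanadm", "WS-01", tue_9),
                          mgr.login("lanadm", "WS-02", tue_9))
    mgr.activity("lanadm", "WS-01", tue_9 + timedelta(minutes=18))
    out["expired"] = mgr.expire_idle(tue_9 + timedelta(minutes=20))
    out["john_after_expiry"] = mgr.login("john", "WS-12", tue_9 + timedelta(minutes=21))
    return out
```

The idle sweep is what closes the "forgot to log out" window the text describes: john's abandoned 09:00 session is gone by 09:20, so his next login succeeds instead of being refused as a concurrent sign-on.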
Access to Directories and Trustee Rights
Users should only be given access rights to directories they need to function. If a user needs temporary access to a directory, the access rights should be removed when they are no longer needed. Users should only be given the trustee rights they need to do their job. Once a right is no longer required, remove it right away. Trustee rights should be audited periodically.
File Attributes
File-access attributes, such as read, write, execute, and delete, should be granted based on need. In addition, files containing confidential or sensitive information should be restricted to a minimum number of users. File attributes for executables should be restricted: end users should only have read (and execute) access to those program files that are needed to function. Particular attention should be paid to operating system executables. If file attributes for executable files are not restricted, the executable files can be modified. With loosely defined file attributes, important executable files can be changed or replaced with Trojan horse programs.
Other Privileges
Network commands and executables should be restricted to administrators, auditors, and security personnel. With certain operating systems, such as Windows NT, consider renaming the administrator account to something else. That way a potential hacker won't know the name of the privileged account. (Renaming raises the bar only slightly: the built-in administrator account keeps its well-known relative identifier, 500, so a tool that enumerates accounts by SID will still find it. Treat the rename as one layer, not as the control.)
One of the things that every system administrator fears most is a hacker gaining privileged administrative access to a system over the network. Privileged accounts such as Administrator for NT or root for Unix should not be allowed to log in over the network. Network access to the administrative account can be restricted in different ways for different operating systems. Some operating systems offer tremendous flexibility to control the access of privileged accounts.
For example, AIX, IBM's version of UNIX, offers some of the best flexibility I've ever seen built into an operating system. AIX's design makes it very easy for even the novice administrator to prevent a hacker from gaining access to the UNIX "root" account. This is done through the AIX System Management Interface Tool (SMIT) utility. SMIT allows users to perform system administration and management commands without having to know the command line syntax. Using the SMIT interface, which is a hierarchy of menus, information is entered into several options. The dialog then executes a shell script to perform the system management function. With SMIT, organizations can assign attributes that control the environment for a particular account when it logs into the system; for root, setting the account's "rlogin" attribute to false denies remote logins.
On Windows NT, this is controlled from the User Rights Policy screen, which is found under the Policies menu of User Manager. This screen lets you control whether an account can access the system over the network.
[Figure: the Windows NT User Rights Policy window, with "Access this computer from network" shown in the Right box and the Administrator account highlighted.]
To remove the ability to log in to the administrative account over the network, highlight the administrative account in the list for that right and click the "Remove" button.
Remove Inactive Accounts
Organizations should review network user accounts on a regular basis and delete any that are no longer required. Accounts for users or employees no longer with the organization should be deleted. Firms should also remove or disable inactive accounts, that is, accounts that have not been used in the last three to six months. Hackers frequently try to exploit inactive accounts, either for the initial break-in or as a way to regain access to a network later. They know they can alter an inactive account, by changing its password, for example, without fear of the change being noticed by the account's owner.
In addition, guest accounts should be removed and anonymous FTP should be disabled. With NT or NetWare, organizations should be careful about the access privileges they give to any guest account set up on their LAN. When the server is first brought up, remove the guest account from the group Everyone and make specific trustee assignments to it. The guest account should never have the same privileges as normal accounts.
Single Sign-On
Presently, every morning I enter multiple usernames and passwords to gain access to the various networks, systems, and applications I need in order to do my job. I have a password for the NT domain, a password for the Novell server, different passwords for different UNIX systems, a password for my e-mail, and passwords for various applications. The password guidelines discussed earlier apply to network passwords as well. However, having so many passwords is confusing for end users and, as we have discussed, can actually create vulnerabilities, because the only way the end user can remember them all is to write them down. One alternative to multiple passwords is single sign-on (SSO).
With an SSO system users are required to authenticate themselves only once. Once they have done so, the SSO system handles access to the other network resources, such as servers, files, and applications.
SSO can be achieved in several different ways. We have already discussed one such system in some detail: Kerberos. With Kerberos users authenticate themselves once, and access to all network resources is controlled by the Kerberos server, which issues tickets. Another approach to SSO that we have already discussed is a public key infrastructure that uses digital certificates to authenticate end users and determine network access. Other approaches include metadirectories and distributed computing environments (DCEs).
The foundation for metadirectories is the Lightweight Directory Access Protocol (LDAP). LDAP is a "lightweight" or thin version of the X.500 Directory Access Protocol. Metadirectories can be used to synchronize passwords and user attributes among different NOS directories. DCE is an Open Software Foundation (OSF) specification that addresses distributed system security in a multivendor environment. Its security service is built on Kerberos, and it is designed to make it easier to authenticate users across different vendors' systems. Metadirectories, LDAP, and DCE are discussed in more detail later in this chapter.
Some SSO systems use password caching, screen scraping, or scripting interfaces rather than tickets or tokens as Kerberos does. The password-caching approach stores the user's password and passes it from one application interface to the next. The screen-scraping approach works with the characters that would otherwise be displayed on a terminal screen: a screen-scraping program recognizes the prompts and types in the characters the end user would have typed, in effect simulating the user's typing. Scripting interfaces function in much the same manner as screen scraping. Because these approaches carry the real password around, every component that handles it is a place where it can be captured, whereas a ticket can be limited in lifetime and scope.
An SSO system lets an organization centralize access control and administration for end users, systems, and applications. This is certainly more efficient than having to add a new user into each individual system and application. An SSO also simplifies the authentication process for the end user, who only has to authenticate once to reach all of the resources available to him or her. The authentication process can employ any combination of the three basic schemes: something you know, something you have, or something you are. However, SSO has drawbacks.
If the authentication is compromised (for example, a password is stolen), then every resource available to that end user is exposed. In addition, you need to be aware of whether there is a backup for the SSO in the event the system is down; recall that with Kerberos, if the Kerberos server is down, network resources are unavailable.
There are several SSO systems on the market from which to choose, including systems from IBM, Novell, Axent, and Computer Associates, to name just a few. There are many others, and they all employ different approaches and emphasize different aspects of SSO: some emphasize central administration, others security, while still others emphasize simplifying the process for the end user. If you are interested in an SSO system, I suggest you do a lot of research before implementing one.
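To make the distinction concrete, here is an added example (not code from the original study, and not a description of any of the products named above) that puts a password-caching SSO beside a token-based one. The central server verifies the password once and issues a signed ticket with an expiry and a list of permitted services; each application checks the ticket without ever handling the password. The users, passwords, service names, lifetime and shared HMAC key are constructed assumptions; Kerberos and a PKI use per-service keys or certificates rather than one key shared by every application.

```python
"""Two single sign-on styles side by side: a password-caching SSO that replays
the user's password to each application, and a token-based SSO in which a
central server authenticates once and issues a signed, expiring ticket that
applications verify without ever seeing the password.

Added example, not code from the original study. The users, passwords, service
names and the shared HMAC key are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import os


class PasswordCachingSso:
    """Stores the cleartext password and hands it to each application."""

    def __init__(self):
        self.cache = {}

    def login(self, user, password):
        self.cache[user] = password

    def credential_for(self, user, service):
        # Every service receives the real password, so a compromise of the
        # cache or of any one service exposes every resource the user has.
        return self.cache.get(user)


class TokenSso:
    """Verifies the password once, then issues HMAC-signed tickets."""

    def __init__(self, key, ttl_seconds=300):
        self.key = key
        self.ttl = ttl_seconds
        self.users = {}   # user -> (salt, pbkdf2 hash); the password itself is never stored
        self.grants = {}  # user -> set of services the user may reach

    def add_user(self, user, password, services):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user] = (salt, digest)
        self.grants[user] = set(services)

    def login(self, user, password, now):
        """Return a ticket string, or None if the password is wrong."""
        record = self.users.get(user)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return None
        claims = {"sub": user, "svc": sorted(self.grants[user]), "exp": now + self.ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_ticket(key, ticket, service, now):
    """What an application does with a presented ticket: check the signature,
    the expiry and that this service is on the grant list. Returns the user
    name or None. The password never reaches the application."""
    try:
        body_b64, sig_b64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"] or service not in claims["svc"]:
        return None
    return claims["sub"]
```

The drawback the text describes still applies: a stolen ticket is as good as the password until it expires, which is why the lifetime is kept short and why the ticket lists the services it is good for.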
Policy-Based Network Management
One tool to consider if you wish to employ single sign-on is a policy-based management approach. Policy-based network management is becoming increasingly popular with organizations that have medium to large networks. This is especially true since the recent release of Windows 2000 with its Active Directory Services (ADS).
Many organizations are finding it increasingly difficult to manage networks of hundreds, if not thousands, of nodes distributed over a large geographic area. Policy-based network management is the process of bringing the properties of the various network resources under central administrative control. A policy-based management system has several goals. The first is to simplify the network management process. Another is to ensure the security and integrity of the network through centralized management of the distributed network resources. Policy-based management is also concerned with the availability of network resources: it ensures that critical network traffic receives the resources it needs through policies that prioritize traffic, so that a critical business application does not have to compete for bandwidth with an employee surfing the Internet for stock quotes. For this reason policy-based management is often implemented for quality-of-service objectives.
From a security perspective, policy-based management provides the ability to consolidate the policy information for network resources, including ACLs, ownership, and availability. One of the key elements of policy-based management is the concept of directory services.
A directory can be thought of as a comprehensive listing of objects. In its most basic form a directory is a repository of information about objects, such as user accounts, places, and things. A typical network contains object resources like printers, applications, databases, user accounts, and servers. For a network, a directory is essentially a database that stores information on all of the network resources, including network devices, users, groups, volumes, and passwords. The basic function of directory services is to locate, name, and communicate with all of those resources. Directories are really just repositories of information combined with access methods and related services.
Every NOS implements some form of directory service; without one, network resources would be inaccessible. However, the different NOSs have stored their directory information in a variety of proprietary formats, which has been a major obstacle to sharing directory information between them.
In the late 1980s the X.500 Directory Access Protocol (DAP) standard was developed in an effort to create a universal, integrated directory service. The OSI-based protocol specification gave client applications a way to access and exchange directory information and was an attempt to tie together the disparate, proprietary directory services. The DCE specification drew on X.500 for its global directory service. Unfortunately, because both X.500 and DCE were OSI-based, neither gained wide acceptance. Like OSI itself, they were cumbersome and monolithic in their approach: examples of a bad implementation of a good idea.
A more recent development is LDAP, a slimmed-down version of the X.500 DAP. LDAP covers only the protocol that client applications use to access the directory and leaves out the overhead associated with X.500, so it represents the least common denominator of directory services information. LDAP is supported by numerous client applications and offers a common way to look up information in an X.500 directory or in any directory that supports the LDAP standard.
Early versions of LDAP have a security problem: they authenticate with a cleartext password (the "simple bind"), and the risks of sending a password in cleartext are obvious. LDAP version 3 adds an extension for Transport Layer Security (TLS), the StartTLS operation, which protects the session with SSL/TLS technology and so mitigates the risk of transmitting the password. Note that StartTLS is negotiated on the same port as cleartext LDAP, so a client that does not insist on it can still end up binding in the clear; the server should be configured to refuse simple binds on unprotected connections.
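To see what "cleartext" means on the wire, the following added example (not code from the original study) encodes and decodes LDAP simple bind requests and the StartTLS extended request with a small BER encoder, then audits a session for binds sent before TLS was negotiated. The DN and password are constructed values, and message IDs are kept below 128 to keep the integer encoding simple.

```python
"""Decode LDAP bind requests from raw bytes to show what a network sniffer
sees when a simple bind is sent without TLS, and what the LDAPv3 StartTLS
extended request (RFC 2830) looks like on the wire.

Added example, not code from the original study. The messages are built here
with a minimal BER encoder rather than captured; the DN and password are
constructed values, and message IDs are assumed to be below 128.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # requestName of the StartTLS extended operation


def _ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _read_tlv(buf, pos):
    """Parse the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_simple_bind(msg_id, dn, password, version=3):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }."""
    bind = _tlv(0x02, bytes([version])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def encode_starttls(msg_id):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))


def inspect_message(raw):
    """Describe one LDAPMessage exactly as a passive observer could."""
    tag, seq, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(seq, 0)
    op_tag, op, _ = _read_tlv(seq, pos)
    info = {"msg_id": int.from_bytes(msg_id, "big")}
    if op_tag == 0x60:  # BindRequest
        _, version, pos = _read_tlv(op, 0)
        _, dn, pos = _read_tlv(op, pos)
        auth_tag, cred, _ = _read_tlv(op, pos)
        info.update(op="bind", version=version[0], dn=dn.decode())
        # simple [0] carries the password itself; any other choice is SASL
        info["password"] = cred.decode() if auth_tag == 0x80 else None
    elif op_tag == 0x77:  # ExtendedRequest
        _, oid, _ = _read_tlv(op, 0)
        info.update(op="extended", oid=oid.decode(), starttls=(oid == STARTTLS_OID))
    else:
        info["op"] = f"tag 0x{op_tag:02x}"
    return info


def audit_session(messages):
    """Walk the messages of one TCP session in order and report any simple
    bind sent before StartTLS. After a successful StartTLS the rest of the
    session is TLS records, so nothing later could be decoded this way."""
    findings, tls_started = [], False
    for raw in messages:
        info = inspect_message(raw)
        if info["op"] == "extended" and info.get("starttls"):
            tls_started = True
        elif info["op"] == "bind" and info.get("password") is not None and not tls_started:
            findings.append(f"cleartext bind as {info['dn']} (password length {len(info['password'])})")
    return findings
```

Feeding the output of a packet capture on port 389 through audit_session, one session at a time, is a quick way to find clients that were never reconfigured after StartTLS was enabled on the server.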
There are a number of directory service products on the market. Some are X.500- and/or LDAP-compliant and some are not; some are fading technology and some are rising stars. Banyan's StreetTalk, Sun's NIS (Network Information Service), and IBM's implementation of DCE, for example, fall into the category of fading products that use older technology.
Other products include Novell Directory Services (NDS), Netscape's Directory Server, and Microsoft's Active Directory. All three support the LDAP specification. Netscape is presently only a marginal player in the directory services war, and it may be too late for it to build momentum for its product. NDS, the most mature and probably the most robust of the three, provides a repository for information about users, passwords, groups, servers, volumes, and applications. In many ways Novell is pinning its future as a company on NDS, which has been adopted by many vendors and is the most widely implemented network directory service. There are versions of NDS for NetWare, Sun Solaris and other varieties of Unix and Linux, and IBM's AS/400 operating system. NDS will also interface with Microsoft's Active Directory. In addition, Cisco will support NDS in the Internetwork Operating System (IOS) software for its routers and switches, and is also committed to supporting Active Directory in IOS.
Active Directory has only recently been released and, as a result, still has a number of bugs to work out; Novell faced similar problems when it first released NDS. Active Directory does support LDAP. However, with the exception of Cisco's IOS, there has been no rush by other vendors to implement Active Directory.
The products listed above are by no means an exhaustive list of the available network system directory products. They offer the ability to link various directory services together to varying degrees, but none of them can handle dissimilar and disconnected directories enterprise-wide, from one end of an organization to the other. A relatively new concept to emerge in recent years is the metadirectory. The term metadirectory services refers to a category of enterprise directory tools that integrate existing, disconnected directories. Metadirectories accomplish this by surmounting the technical and process issues associated with integrating dissimilar and unrelated systems and architectures.
While Novell and Microsoft both tout their directory systems as metadirectories, they are in fact "network system" directories only. It is true that they link to other directories through LDAP, but they do not really fit the definition of a metadirectory, primarily because the systems they link together are similar and, while they address the technical issues, they do not address process management.
The appeal of metadirectories is that they share the information common to all of the subordinate directories, regardless of platform or architecture. Besides reducing the cost of management, this assures data integrity across the entire enterprise. The ideal metadirectory lets an administrator make a change in one directory and have it propagated to every system and application directory. A metadirectory ultimately provides this centralized approach while letting the owners of the information keep control of their own directories.
As an example, when a company using a metadirectory hires a new employee, the information for the new employee is entered into the human resource management system (HRMS), and from there it propagates to the other directory services, creating a network login, an e-mail account, and access to the various applications. Even the organization's PBX, building security system, and parking space allocation would be synchronized by the metadirectory; in fact, all of the enterprise's directories would be. The information is entered locally, but the access level for each system is controlled centrally by the metadirectory. The same path, run in reverse when the HRMS records a departure, is what makes it practical to remove a departed employee's accounts everywhere at once rather than hoping each system's administrator notices.
Because of their hierarchical nature, directories are very efficient at answering queries quickly, which makes them well suited to policy-based management. However, directories are by no means the only choice; a database is an appropriate alternative under some circumstances, although a database architecture has inherent scalability limitations. In addition, synchronization with directories has advantages over the replication that databases require. Replication demands a much higher level of uniformity and integration between servers: for replication of the database to succeed, the servers must interface much more tightly, which implies a higher level of trust between servers and can have security implications. By contrast, synchronization is more like a file export: the server simply dumps a flat file.
One of the likely applications for directory services is network security management and the storage of digital certificates. Many observers see directory services in general, and metadirectories in particular, as a means to manage an organization's public key infrastructure.
To be effective, however, digital certificates need a distribution process, and a metadirectory offers that capability. One company, Texas Instruments, is presently using an X.500/LDAP directory to store X.509 certificates.
While policy-based management has advantages, it also holds risks. When Windows 2000 was first released there was much debate about the security of Active Directory. With Active Directory Services, loosely defined policies or the granting of broad administrative privileges to managers and administrators can leave gaping holes in an organization's network security, and at the very least can expose confidential information. Because of the design of Active Directory, administrators who have been restricted from accessing particular network objects can actually take ownership of those objects with a few clicks of the mouse. Microsoft's response to the flaw was to recommend implementing multiple domains with Active Directory, which defeats the purpose of implementing the directory service. It is amusing to note that Microsoft's initial response was to call it a "feature" of Active Directory.
However, Active Directory is not alone in carrying the risks of loosely defined policies. The same danger exists with any policy-based system and results from poorly defined or poorly implemented policies. With Active Directory the risk is heightened by the concern that organizations will implement it with the same broad privileges they used for NT domains. Active Directory and NT domains are two entirely different systems with different approaches to security, and implementing them in the same manner can have disastrous results.
Segmenting LAN Traffic
Ethernet is the most commonly implemented LAN protocol. With Ethernet, any device on a network segment can monitor the communications between any other devices on that same segment. Whenever possible, organizations should segment their networks, for both security and performance. Segmentation keeps packets from traversing the entire network. It is the process of separating a large network into several smaller networks, which can be done by grouping associated users together on a hub or a similar network device. A hub is a device with multiple ports into which other network devices are plugged; it acts as a conduit for packets traveling from one device to another. When a packet arrives at one port it is copied to all of the other ports, so every device on that segment of the LAN sees every packet, but devices on other segments do not.
The performance advantage of this approach comes from the fact that packets stay within their segment and do not traverse the entire network: segmentation reduces traffic on the network as a whole and reduces the physical distance a packet must travel. The security comes from the fact that it is necessary to have physical access to a segment to sniff that segment's packets. Without segmentation, all network traffic is available to a single network sniffer.
As an alternative to standard hubs, consider Ethernet switches, also called switching hubs, which are used for switched Ethernet. Switched Ethernet provides the same throughput as standard Ethernet (10 Mbps) or Fast Ethernet (100 Mbps) but uses what is referred to as microsegmentation: the switch establishes a virtual dedicated connection between the two communicating devices. The advantage of switched Ethernet is that the dedicated connection restricts who can see the traffic, and it improves throughput, because packets are forwarded only to the required port and not to all ports. Note that a switch forwards a frame to a single port only once it has learned where the destination address lives; frames to an address it has not yet learned, and broadcasts, are still sent to every port. Switched Ethernet is accomplished by replacing traditional Ethernet hubs with Ethernet switches; the trade-off is that switches are more expensive than hubs.
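The difference between a hub and a learning switch can be shown with a few lines of simulation. This is an added example, not from the original study, using constructed MAC addresses, port numbers and frames: it replays the same frames through both devices and reports which ones reach a sniffer on an uninvolved port, including the flooding case noted above.

```python
"""Why a switch limits sniffing and a hub does not: a shared hub repeats every
frame to every other port, while a learning switch forwards a frame only to the
port where it last saw the destination address, flooding only when it does not
yet know where that address lives.

Added example, not code from the original study. The MAC addresses, port
numbers and frame sequence are constructed for the demonstration.
"""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst in_port")
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats each frame to every port except the one it arrived on."""

    def __init__(self, n_ports):
        self.n_ports = n_ports

    def forward(self, frame):
        return {p for p in range(self.n_ports) if p != frame.in_port}


class LearningSwitch:
    """Microsegmentation: learn source addresses, forward to the learned port only."""

    def __init__(self, n_ports):
        self.n_ports = n_ports
        self.table = {}  # MAC address -> port

    def forward(self, frame):
        self.table[frame.src] = frame.in_port  # learn where the sender lives
        if frame.dst == BROADCAST or frame.dst not in self.table:
            # unknown unicast and broadcast are flooded, exactly like a hub
            return {p for p in range(self.n_ports) if p != frame.in_port}
        out = self.table[frame.dst]
        return set() if out == frame.in_port else {out}


def frames_seen_by(device, frames, sniffer_port):
    """Replay the frames through the device in order and return those that
    reach the sniffer's port."""
    return [f for f in frames if sniffer_port in device.forward(f)]


# Constructed traffic: hosts A (port 0) and B (port 1) talk; a sniffer sits on port 3.
A, B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
SAMPLE = [
    Frame(A, B, 0),          # B's port is still unknown, so this one is flooded
    Frame(B, A, 1),          # the switch now knows A is on port 0
    Frame(A, B, 0),          # and B is on port 1; this frame goes to port 1 only
    Frame(A, BROADCAST, 0),  # broadcasts always reach everyone
]
```

On the hub the sniffer sees all four frames; on the switch it sees only the first (flooded because B was unknown) and the broadcast. That residual flooding is why a switch reduces, but does not eliminate, what a sniffer on the same switch can capture.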
Honeypot Systems
One technique many administrators employ is the "honeypot" system. Honeypots are decoy or lure systems: deception systems containing phony services, files, and applications designed to emulate well-known holes, with the goal of entrapping hackers. They are designed to attract hackers, hence the name. The honeypot is intended to make hackers believe they have discovered a real system; it lures them into a "safe" network or server that impersonates important applications or information. When the hacker enters the honeypot the trap is sprung and the alarm is sounded. For this to work, the system has to be interesting enough to occupy the hacker long enough for a security administrator to trace him.
Honeypots are usually deployed in conjunction with IDSs, and companies like Cisco and Network Associates offer them as part of their IDS products. Network Associates' CyberCop Sting actually simulates an entire network with multiple routers and host systems; what looks like an entire network is actually the CyberCop software running on a single workstation, and the software monitors and reports any activity directed at the simulated devices on the fictitious network. Another honeypot, the Deception ToolKit, requires a C compiler and also requires that the system on which you run it be running TCP Wrapper.
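As an added example (not from the original study, and not the code of CyberCop Sting or the Deception ToolKit), here is the core of such a decoy: a fake FTP dialogue that answers convincingly, never lets anyone log in, and logs every command and credential so that an alert can be raised. The banner, host name, listening port and the session fed to it in the test are constructed.

```python
"""A minimal decoy service of the kind the text describes: it imitates an FTP
server's dialogue closely enough to hold an intruder's attention, never lets
anyone in, and records every command and credential tried so an alarm can be
raised.

Added example, not code from the original study nor from any product named
there. The banner text, fake host name and port are constructed assumptions.
"""
import socketserver
import time


class DecoyFtp:
    """Protocol state machine, kept separate from the socket so it can be
    exercised offline."""

    BANNER = "220 ftp.corp.example FTP server (Version wu-2.6.0) ready.\r\n"  # assumed text

    def __init__(self, peer, log):
        self.peer = peer
        self.log = log          # shared list of (timestamp, peer, event) tuples
        self.user = None

    def record(self, event):
        self.log.append((time.time(), self.peer, event))

    def handle_line(self, line):
        """Return the reply for one client command, logging what was attempted."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        self.record(f"{verb} {arg}".strip())
        if verb == "USER":
            self.user = arg
            return f"331 Password required for {arg}.\r\n"
        if verb == "PASS":
            # The credential pair is the most valuable thing to capture: it
            # shows which accounts the intruder believes exist.
            self.record(f"credential user={self.user!r} password={arg!r}")
            return "530 Login incorrect.\r\n"   # the trap never authenticates anyone
        if verb == "QUIT":
            return "221 Goodbye.\r\n"
        if verb in ("SYST", "FEAT", "HELP"):
            return "215 UNIX Type: L8\r\n"
        return "530 Please login with USER and PASS.\r\n"


def alerts(log, threshold=1):
    """Nobody legitimate uses a decoy, so any credential attempt is an alarm.
    Return the peers that reached the threshold, sorted."""
    counts = {}
    for _ts, peer, event in log:
        if event.startswith("credential "):
            counts[peer] = counts.get(peer, 0) + 1
    return sorted(p for p, n in counts.items() if n >= threshold)


SESSION_LOG = []  # shared between connections when the socket server runs


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        decoy = DecoyFtp(self.client_address[0], SESSION_LOG)
        self.wfile.write(decoy.BANNER.encode())
        for raw in self.rfile:
            reply = decoy.handle_line(raw.decode(errors="replace"))
            self.wfile.write(reply.encode())
            if reply.startswith("221"):
                break


def serve(host="127.0.0.1", port=2121):
    """Run the decoy; port 2121 is assumed here so no privileges are needed."""
    with socketserver.ThreadingTCPServer((host, port), Handler) as srv:
        srv.serve_forever()
```

Because the decoy has no real users, the alert threshold can be set to one: a single login attempt against it is already worth a page to the on-call administrator.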
Static IP Addresses versus Dynamic Host Configuration Protocol (DHCP)
DHCP enables network administrators to centrally manage and automate the assignment of IP addresses on an organization's network. A computer with a DHCP client dynamically obtains an IP address from a DHCP server: each time a workstation starts up on the network it is assigned an address. The alternative is preassigned static IP addresses, with each system individually configured to use its own. Many organizations that deploy TCP/IP on their internal corporate networks use DHCP rather than static addresses, especially when the network has many nodes.
The major advantages of DHCP are simplicity of client configuration, more efficient use of IP addresses, and ease of administration. With DHCP, administrators do not have to configure each individual workstation with its IP address and related settings, because DHCP does that automatically when the end user boots up on the network. Since address assignment is dynamic and temporary, administrators no longer need to track which addresses have been assigned and which are becoming available as systems are retired. DHCP is also ideal when there are more nodes or systems than IP addresses.
The major disadvantage of DHCP is that the assignment of IP addresses is temporary, which from a security standpoint can make system identification difficult. I have worked in environments where DHCP was employed on the corporate network. At one organization where I was employed, all business units except my own used DHCP; my unit used static IP addresses, because we used IP addresses to control and monitor access to our central systems. Static addresses made it easier to identify foreign IP addresses attempting to access our systems. But when our log files showed that an unauthorized IP address had attempted to access our systems, we could rarely track down the culprit, because the rest of the network used DHCP. It was a large network with tens of thousands of nodes and many subnets spread over a very large geographic area, and the best we could do was narrow it down to a particular building, or sometimes a particular floor of a building at a particular facility. Keeping the DHCP server's lease logs, with time stamps that can be matched against the access logs, is what makes the address-to-host question answerable after the fact.
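The tracing problem described above is what DHCP lease logs solve. The following added example (not code from the original study) matches the IP address and time stamp from an access-log entry against DHCPACK lines in the ISC dhcpd syslog format to recover the MAC address and host name that held the lease. The log lines, time stamps and the eight-hour lease lifetime are constructed assumptions.

```python
"""Correlate an unauthorized IP address seen in an application log with the
DHCP server's lease log, to recover the MAC address and host name that held
that address at that moment.

Added example, not code from the original study. The log lines are constructed
in the ISC dhcpd syslog style; the lease lifetime and time stamps are
assumptions for the demonstration.
"""
import re
from datetime import datetime, timedelta

LEASE_LIFETIME = timedelta(hours=8)  # assumed default-lease-time on the DHCP server

# Constructed DHCP server log excerpt (ISC dhcpd style). Note that 10.20.5.17
# is handed to two different clients during the day.
DHCP_LOG = """\
2024-03-04T08:02:11 dhcpd: DHCPACK on 10.20.5.17 to 00:0c:29:4f:aa:01 (lab-ws12) via eth0
2024-03-04T09:15:40 dhcpd: DHCPACK on 10.20.5.33 to 00:50:56:9c:3b:7e (jdoe-laptop) via eth0
2024-03-04T16:31:02 dhcpd: DHCPACK on 10.20.5.17 to 00:1b:21:7d:e0:55 (visitor-pc) via eth0
"""

ACK_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via"
)


def parse_acks(text):
    """Return a list of (timestamp, ip, mac, hostname) from DHCPACK lines, oldest first."""
    acks = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            acks.append((datetime.fromisoformat(m["ts"]), m["ip"], m["mac"], m["host"]))
    return sorted(acks)


def holder_of(acks, ip, at):
    """Which client held `ip` at time `at`? The most recent ACK for that
    address at or before `at`, provided the lease had not yet expired."""
    best = None
    for ts, lease_ip, mac, host in acks:
        if lease_ip == ip and ts <= at:
            best = (ts, mac, host)
    if best is None or at - best[0] > LEASE_LIFETIME:
        return None
    return {"mac": best[1], "host": best[2], "leased_at": best[0]}


def attribute_event(acks, log_line):
    """Resolve a constructed application log line of the form
    '<iso time> DENY <ip> ...' to the client that held the address."""
    ts_str, _, rest = log_line.partition(" ")
    ip = rest.split()[1]
    return holder_of(acks, ip, datetime.fromisoformat(ts_str))
```

The two answers for 10.20.5.17 in the test are the whole point: the same address names a different machine in the morning and in the evening, so an access log without the lease log cannot say which one it was.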
There are other alternatives to DHCP, such as the Reverse Address Resolution Protocol (RARP) and the Bootstrap Protocol (BOOTP), which function in essentially the same way. These protocols are almost nonexistent in corporate environments, but you may find them employed in an academic environment.
If you work in an environment that employs DHCP, you need to take it into consideration, particularly if you do any filtering based on IP address. The filtering can take place at the router, through a protocol filter like TCP Wrapper, or even at the application level. It is possible to assign a range of IP addresses to a group using DHCP, so limiting access by IP address does not necessarily require static addresses; just plan accordingly.
Media and Protocols
Network Media
Every network, regardless of protocol, must operate over some medium, and there are several options to choose from when selecting the most appropriate one for an organization's needs. Too often security is given little consideration when selecting the media for a network design. The physical media available have different characteristics. Media are commonly classified as guided (copper and fiber) or unguided (microwave, infrared, satellite, and radio), though the term unguided is somewhat of a misnomer: with the exception of radio-based wireless, no network medium is truly unguided. Microwave, infrared, and satellite, while not confined to the path of a physical medium, are certainly directed. Media can also be categorized as terrestrial or nonterrestrial. Copper and fiber are terrestrial in that they are usually underground or physically anchored to terra firma in one manner or another; microwave and satellite are nonterrestrial in that they are not bound by the same physical limitations.
Twisted Pair
It is very easy to tap both STP and UTP cabling. In some cases the tap does not even need to make physical contact with the cable to be effective, because a cable radiates residual electromagnetic emanation as the signal traverses its length, and sensitive devices can detect and interpret the minute variations in that emanation.
Twisted pair is also susceptible to electromagnetic interference, particularly unshielded twisted pair. Electromagnetic interference can reduce network performance and, if it is strong enough, can effectively disrupt the operation of a network.
Coaxial Cable
Coaxial cable consists of a copper core of solid or stranded wire surrounded by an external sheathing of woven copper braid or metallic foil. The cable derives its name, coaxial or coax for short, from the fact that the braided sheathing and the core share the same axis.
There are two types of coaxial cable, thick coax and thin coax. Thick coax was used in the first Ethernet networks; it is about as thick as a garden hose and is usually yellow. Thin coax, sometimes called "thinnet," is usually black and about the thickness of a pencil.
Like twisted pair, coax is susceptible to tapping, and the tap does not even need to make physical contact with the cable. However, the sheathing makes it less susceptible to electromagnetic interference.
Because all copper cables radiate electromagnetic energy, they are relatively easy to tap. In the book Blind Man's Bluff, authors Sherry Sontag, Christopher Drew, and Annette Drew tell the story of how U.S. submarines were able to tap Soviet communications cables. These cables were within Soviet territorial waters, in what the Soviets thought were secure areas. The taps were performed during the 1970s and 1980s by placing a device on the cables, and the result was an intelligence gold mine.
Fiber
Fiber-optic cable is made of glass and carries laser- or LED-generated light pulses. The light carries digitized data that can be transmitted rapidly over hundreds of miles. Fiber-optic cable can send information much faster than existing copper-based cable and can also carry considerably more information.
Fiber-optic cable offers several other advantages over traditional copper cable. It has superior transmission quality and is immune to electromagnetic interference. It is also much smaller and lighter than copper wire. There are two types of fiber cable for networks, multimode and single-mode.
Fiber is the most secure of all the cable media, because it is very difficult to tap. Unlike copper cable, tapping a fiber cable requires invasive measures, since the light traverses the cable in a focused linear beam and does not radiate. Tapping a fiber cable usually requires cutting the cable and inserting a special device, so any attempt to tap it would be detected immediately, because it would interrupt the beam. However, it has been reported that if you can get physical access to an optical fiber and bend it at a sufficient angle, you can tap the sign
al without such invasive measures. Monitoring the optical power level on the link is the practical way to notice the loss that such a bend introduces.
Microwave
Microwave communications are used for line-of-sight transmission, which requires an unobstructed view between the devices. Microwaves operate at the high end of the radio frequency spectrum. Microwave communications can be intercepted anywhere in the line of sight of the transmission, and microwaves penetrate physical structures such as walls. As a result, encryption should be employed when transmitting sensitive data over microwave.
It has been said that during the Cold War, when relations between the United States and the Soviet Union were fraught with intrigue, the Soviets always built their embassies on the highest geographic point they could find so that they could intercept microwave transmissions. Conversely, the Soviets never let the United States build its Moscow embassy on high ground. It has also been reported that the Soviets bombarded the U.S. embassy with microwaves to jam any microwave listening devices installed in the embassy.
Microwave communications are also susceptible to interference and are relatively easy to disrupt with a denial-of-service attack. Even natural phenomena such as rain, heat thermals on a hot day, or fog can disrupt microwave transmissions.
Speaking from personal experience, I can tell you that microwave transmissions can be unreliable on very hot days. At a company where I worked, we used microwave links to connect to our branch offices. On hot, sunny days the link with one particular office often went down and our telecommunications equipment would kick into dial backup mode. I always attributed the problem to the number of large black asphalt surfaces between the two microwave towers: on hot days the asphalt would heat up and fill the air between the towers with heat thermals. Luckily, we did not experience too many very hot days.
Infrared
Infrared communications use noncoherent infrared light. Infrared is also a line-of-sight medium, but it is relatively secure, since infrared light does not penetrate solid objects such as walls; it is not necessary to worry about infrared transmissions going beyond the confines of your office. To function, the network transceivers must actually be in each other's line of sight with no obstruction, although it is possible to bounce infrared transmissions off a white or lightly colored object such as a wall.
Satellite Relay
Since satellite communications can be easily intercepted, they should be considered insecure. Measures should be taken, and usually are, to encrypt data for transmission and to authenticate the origin of individual transmissions.
While copper media carry risks because they radiate energy, unguided media carry even more. It is important to remember that when trying to sniff a network, half the battle is getting the tap onto it. Unguided or nonterrestrial media are therefore less secure than guided media: with guided media you need some physical access to place the tap, whereas with unguided media it is only necessary to be in the line of sight to intercept the transmission.
Wireless (LAN)
Most of the wireless LAN products on the market today are based on the IEEE 802.11b standard. This is a relatively new standard. Wireless LANs offer limited mobility, but their main appeal is that they do not require the cabling that traditional Ethernet LANs employ. This makes them particularly attractive to small and new offices. However, they generally do not have the throughput of standard Ethernet.
There are two basic components of a wireless LAN. The first is an access point, which is a device that is usually connected to a standard wired LAN, usually through a hub. The second component is a wireless LAN adapter that is connected to the PC. The LAN adapter communicates with the access point, usually through radio-based transmissions.
Most of the products on the market have a maximum operational range of 100–300 ft. The maximum throughput is 11 Mbps, although most operate at speeds significantly less than that.
The 802.11b radio standard operates at the 2.4 GHz frequency band level. For media access control (MAC) the 802.11b standard has specified three different options: frequency hopping spread spectrum (FHSS), direct sequence spread spectrum (DSSS), and infrared. The MAC is part of the IEEE 802.x standard that specifies the link layer. The MAC is the media-specific access control protocol that deals with electrical signals and includes token ring, Ethernet, and CSMA/CD.
There are a number of security issues involved with radio-based wireless LANs. First, the 2.4-GHz band is subject to interference. Common appliances, such as microwave ovens and cordless phones, operate at the same frequency. In addition, because the transmissions are radio-based they can be intercepted by anyone with the proper receiver. When products were first released, most manufacturers argued that spread-spectrum technology effectively masked radio signals or that employing frequency hopping made it difficult, if not impossible, to lock onto a signal, so interception was not a risk. However, this approach relies on security by obscurity, which is not a recommended model for network security.
An optional component of the 802.11b standard is wired equivalent privacy (WEP). WEP adds encrypted communications between the wireless LAN client and the access point. Most of the more recent products include WEP as a standard feature.
While interception of communications with wireless LANs is a risk, even greater is the risk associated with some unauthorized person gaining access to the LAN. Anyone within a couple of hundred feet of the access point device has the potential to tap into the network. In an office building environment that means most anyone on the same floor, the floors above and below, someone out on the street in a car, or even in the next building over. Since the access is radio communication, there is no need to make a physical connection. To minimize this risk, most wireless LAN products use some method to authenticate clients. Usually they employ an ID or security code. It is strongly recommended that organizations utilize this kind of feature if they are planning on deploying a wireless LAN. However, I suspect some very smart hacker will eventually devise a way to spoof these ID or security codes. Wireless LAN products on the market today include offerings from 3Com, Aironet-Cisco, Compaq, and Lucent.
Wireless (WAN)
The next big thing in WAN networking technology will be wireless networking. I expect that over the next 10 years wireless networks will be the fastest growing segment in terms of new installations. I am lumping several technologies into this category. Personal Communications Service (PCS) is usually the technology most often referred to when talking about wireless WAN networking. Three different digital technologies make up PCS. They are Code Division Multiple Access (CDMA) IS-95, Time Division Multiple Access (TDMA) IS-136, and Global System for Mobile communications (GSM) 1900. There is also Cellular Digital Packet Data (CDPD) technology that is employed for handheld devices. In addition, there are analog options, such as Frequency Division Multiple Access (FDMA) technology. There are several other developing and competing technologies out there as well.
The appeal of wireless is obvious. The ability to use a laptop to send data, e-mail, or fax while away from the office can enhance productivity. Many people are using it just to be able to surf the Web while on the road. At the same time, wireless technology can reduce the necessity to invest in physical network infrastructure (cabling), thereby reducing overall costs. However, the risks associated with wireless technology are even greater than with traditional unguided media. Wireless differs from traditional unguided media, such as microwave, in that it radiates in all directions. As a result, it doesn't even require one to be in the line of sight to intercept a transmission. Presently, there are several consortiums working to enhance wireless technology security.
The underlying application and the sensitivity of the information will dictate the security requirements when employing wireless technology. At a minimum it is recommended that some form of encryption be employed.
Plenum Cabling and Risers
Regardless of the type of cable you choose to deploy for your LAN, you need to consider how the cable is actually installed. This is particularly true for organizations that are in multitenant premises with shared facilities. Most organizations fall into this category, since few are large enough or affluent enough to have their own building. When installing cable in buildings with other tenants and shared facilities, it is necessary to consider the security implications of running cable in plenum areas and up building risers.
The plenum area is the exposed area above suspended ceilings, which houses conduit, pipes, ceiling supports, and air ducts, and through which cable can be pulled. Cable pulled in these areas is referred to as plenum cable, because it must meet specified code requirements for flammability and smoke discharge. If the cable does not meet the requirements, it can't be pulled in plenum areas.
A building's design largely dictates how cable is installed. Ideally, cables should be installed utilizing some form of trench system that is designed for the horizontal distribution of cables on each floor. The following figure depicts how the trench system is used to house cables for transport across a floor. Utilizing a trench system ensures that the cables are never exposed to the floor below, which would expose them to possible risk.
Floor trench system.
In most office buildings that employ a trench system, the trenches crisscross the floor or radiate out from a central closet. The following figure depicts a cross-section of a trench system, which illustrates how a trench system allows cables to be pulled without protruding into the plenum area in the floor below.
Floor trench system and plenum.
By contrast, buildings without trench systems often require boring holes through the floor in order to achieve the horizontal distribution of cables. This can result in network cables being exposed in the plenum area in the floor directly below. The following figure is a cross-section example of a building that does not employ a trench system. The network cable protrudes into the floor below and above the suspended ceiling.
Plenum cable.
The risk associated with having network cables exposed to the floor below is that they can be tapped. At the very least, you run the risk of having the cables cut by exposing them in this manner. The risk is compounded if the floor below is occupied by another organization. Some organizations utilize pressurized conduit to minimize this risk. The conduit is filled with pressurized gas and is monitored by a pressure alarm. If the conduit is penetrated the pressure drops, and an alarm is triggered. However, as stated previously, invasive measures are not always required to tap copper cables. Placing the tap near the cables can work if the tapping equipment is sensitive enough. The pressurized conduit would be more effective in protecting fiber-optic cable, since fiber does require invasive measures to tap it.
WANs
WANs are usually used to connect geographically dispersed offices. Basically, a WAN connects all of an organization's LANs, so that they can share information and resources. There are many options available to connect an organization's offices into a WAN. WAN implementations can be divided into two very broad categories. One approach utilizes point-to-point dedicated lines and the other uses packet-switched technology over a shared network.
Dedicated Lease Lines
A dedicated leased line, sometimes referred to as a dedicated or leased circuit or a virtual private line, is usually a specially conditioned point-to-point circuit that connects two locations. However, a lease line can be a multipoint circuit as well.
A dedicated circuit is obtained from a carrier or service provider for the exclusive use of the customer and is used to connect two sites that are geographically distant from each other. Examples of dedicated lease lines can include 56K circuits, ISDN, fractional T1s in 64K increments, or full T1 (1.54-Mbps) and up.
A dedicated WAN connection typically uses a single circuit to connect two locations. Figure 9.5 illustrates a WAN utilizing single circuit connections. Typically, for each location added to the network it is necessary to add a circuit.
Figure 9.5: Point-to-point circuit.
As long as dedicated connections use terrestrial circuits and guided media, they are relatively secure, since the dedicated lease lines are provided for the exclusive use of the customer. The major security concern is from the service provider itself, or arises if the carrier uses other carriers to provide the service.
Packet-Switched Networks
An alternative to dedicated circuits is packet-switching networks. Packet switching refers to protocols in which messages are divided into packets before they are sent. Each packet is then transmitted individually and can even follow different routes to its destination. Once all the packets that make up a message arrive at the destination, they are recompiled into the original message.
Most modern WAN protocols, including TCP/IP, X.25, and frame relay, are based on packet-switching technologies. In contrast, normal telephone service is based on a circuit-switching technology, in which a dedicated line is allocated for transmission between two parties. Circuit switching is ideal when data must be transmitted quickly and must arrive in the same order in which it's sent. This is the case with most real-time data, such as live audio and video.
Packet switching is more efficient and robust for data that can withstand some delays in transmission, such as e-mail messages and Web pages, although now even protocols such as frame relay and TCP/IP are being used for voice and video transmission.
Typically, a packet-switched WAN is a shared network like the Internet. Even if you are using a service provider's private frame relay network you are using a network shared by many of the service provider's customers. Accordingly, concerns about the interception of data or protection of systems should be much greater in this environment.
Packet-switched cloud.
X.25
X.25 is one of the most widely used packet-switched protocols, particularly outside of North America. X.25 utilizes error detection and correction and is a connection-oriented service, which ensures that packets are transmitted in order. X.25 was developed back in the 1970s when circuit performance was notoriously noisy. As a result, communications needed the error detection and correction that X.25 provides.
X.25 utilizes switched virtual circuits (SVCs) and permanent virtual circuits (PVCs). SVCs work much like telephone calls in that a connection is established, information is transferred, and then the connection is released. A PVC is similar to a leased line in that the connection is permanently in place.
In the United States, X.25 has largely been usurped by other protocols such as frame relay that are more efficient and provide greater throughput. The newer protocols are able to provide the greater throughput because they don't have the overhead that is associated with X.25's error detection and correction. This is largely due to the fact that the digital circuits used today are much more reliable and less noisy than circuits used 20 or 30 years ago. As a result, error detection and correction are not needed. X.25 is used extensively overseas because the quality of circuits in some countries is not as good as in the United States and other industrialized nations. However, in the United States, X.25 is still used extensively in ATM and POS networks.
Frame Relay
Frame relay is a widely implemented packet-switching protocol that offers an alternative to virtual private lines or leased lines. It is used primarily for connecting geographically dispersed offices on a WAN. Since it is a packet-switching protocol, it is not well-suited for voice communications, so it is used primarily for data.
Like X.25, frame relay is available in two flavors, PVC and SVC. A PVC is a fixed point-to-point circuit that ensures all packets take the same path. An SVC does not use a predefined path; it uses whatever path is available.
Frame relay is an inexpensive alternative to leased line networks. In addition, it has the advantage over a VPN on the Internet in that it can offer a committed information rate (CIR), which guarantees network performance. Meanwhile, the performance of an Internet-based VPN is subject to the volume of traffic accessing the Internet. Chapter 11 discusses VPNs in more detail.
Redundancy and Alternative Connections
One last consideration with WANs is redundancy in communications. The concern here is with the alternatives when the primary connection to the outside world goes down. Fortunately, there are numerous ways to build redundancy into a WAN or at least to include a secondary means of communication; simply plan accordingly.
6. Routers & Firewalls compositions.
Routers and SNMP
Router Issues
One cannot discuss network security without at least touching on routers. Routers are a critical element of both the Internet and corporate network infrastructures. They control the flow of data packets on a network and determine the best way to reach the appropriate destination. On corporate networks, they are often used to separate network segments. In addition, border routers are often the first line of defense in firewall configurations and are a key component of most VPNs.
Routers are network devices that operate at the network layer (layer 3) of the OSI model and are employed to connect two or more networks. They serve three primary purposes. First, they route network traffic based on predetermined rules or routing tables. Second, they segment frames for transmission between LANs. For example, they can frame 10-Mbps Ethernet LAN frames for transmission on a 16-Mbps token ring LAN or a frame relay WAN connection. Third, routers provide the ability to deny or block unauthorized traffic. This can be accomplished through filtering commands that limit certain protocols (i.e., http, ftp, snmp) or by employing access lists that control the IP addresses that are allowed through.
Basic router configuration.
Even though routers are ubiquitous, they tend to be overlooked when security measures are developed. No security measures can be considered to be comprehensive unless they include control and management of routers.
Risks
It is important to understand that routers are subject to many of the same risks associated with computers. In fact, the first routers were actually modified computers. A router has an operating system that needs to be configured and, like any OS, that can be subject to bugs. Just as with computers, proper password controls are critical to router security. Routers should not run unnecessary services or protocols. Routers can be affected by denial-of-service attacks. They need to be monitored, just like computers.
How well the router is configured and maintained is critical to the availability of the network. In many ways an incorrectly configured router is an even greater risk than an incorrectly configured computer. An incorrectly configured computer usually only affects local users of the system. An incorrectly configured router can affect everyone on the network. As an example of the possible severe consequences that can result from incorrectly modifying routing tables, in 1997 a major portion of the Internet was practically shut down by the incorrect routing tables of a small backbone service provider. The service provider had sent incorrect routing tables to other backbone providers that essentially sent all network traffic to the small provider. The problem took three hours to resolve, during which time it is estimated that 30–40% of Internet traffic was lost. It can have a crippling effect on one's network if a hacker is able to gain privileged access to your routers. A simple denial-of-service attack launched against a router can cripple a network.
Cisco IOS
The dominant player in networking today is Cisco Systems. They have approximately 80–90% of the market for routers, switches, and hubs. The vast majority of routers on corporate networks and on the Internet are Cisco products. To illustrate how similar routers and servers are when it comes to security we can use Cisco's IOS.
IOS is the operating system that Cisco routers run. An example of one of the concerns that IOS shares with computer operating systems is the concept of the banner or message of the day. IOS can be configured with a banner. Just as with a server, you run the risk of providing information in a banner that could be useful to a hacker. Of course, this should be avoided.
Cisco's IOS supports multiple password levels and encrypted passwords. However, the default at installation is not to encrypt the password. This is important because if the password is not encrypted it is readable in the configuration file if you do a "show startup" or "show run." In addition, it is a common practice to store router configuration files on network tftp servers. This is done so that the network administrator can update the non-volatile RAM (NVRAM) on the router from the copy of the configuration file on the tftp server. For example, an administrator may use the configuration file on the tftp server to reload a "clean" configuration file onto a router if he or she garbled the existing file in NVRAM. A tftp server is designed to facilitate access and as such is notoriously easy to hack (see below). As a result, if the password were stored in the configuration file in an unencrypted format, it would not be too difficult for someone to view the file and obtain the password. In addition to the risk of password disclosure associated with using a tftp server, you also run the risk of unauthorized modifications being made to the configuration file stored on the tftp server.
Trivial File Transfer Protocol (tftp) is considered not secure, because it doesn't require password authentication. If a host runs the tftp service without restricting the access in some manner, an attacker can read and write files anywhere on the system. For example, it is possible to obtain the password file from a system running the tftp service. The steps are listed as follows:
$ tftp anyhost (IP address or alias)
tftp> get /etc/passwd /tmp/passwd
tftp> quit
Generally, it is a very bad idea for any server to run the tftp daemon. This protocol is an example of an unnecessary service that a computer should not run.
Even if the password is securely encrypted, there are programs available to decrypt Cisco login and enable passwords from a Cisco configuration file or to sniff the password on the network. These programs are easy to find. For example, at the Solar Winds Web site (http://www.solarwinds.net) it is possible to download a program that can decrypt Cisco enable passwords. The program is available for Windows 95, 98, NT, and 2000 and will decrypt series 7 non-SECRET passwords. The figure below shows how simple the program is to use. Simply enter the encrypted password and out pops the decrypted password.
SolarWinds' Router Password Decrypt. (Source: SolarWinds.Net. Reprinted with permission.)
SolarWinds also offers a tool that allows you to reset the enable password for a Cisco router and change any Cisco configuration parameter via SNMP. While this tool has legitimate uses, it can also be used as a tool for hacking.
Cisco Discovery Protocol (CDP) is an example of a protocol that should be disabled on most routers. CDP makes it very easy for hackers to gather information about routers on the network. The CDP protocol broadcasts platform and protocol information to other devices on the network. This information can be useful to any potential hacker. By default, CDP is enabled on a router and its interfaces when IOS is installed. It should be disabled unless there is a specific purpose for running it.
This is not meant to be a lesson on the configuration and commands for Cisco IOS but is simply offered as an illustration of the similarities between servers and routers. Servers are normally protected behind firewalls on the internal network, while routers, due to their unique function, are often exposed to the outside world.
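As an added example (not from the original text or from Cisco), the following Python script audits an IOS-style configuration for the weaknesses just described: cleartext and type 7 passwords, a missing `service password-encryption`, and CDP left enabled. The configurations, hostnames, and hash values it contains are constructed placeholders, and the `enable secret` recommendation refers to a standard IOS command not named above.

```python
import re

# Constructed sample running-config illustrating the weaknesses discussed
# above (not from any real device).
SAMPLE_CONFIG = """\
hostname border-rtr
!
enable password letmein
username admin password 7 094F471A1A0A
username backup secret 5 $1$xyz$PLACEHOLDERHASHVALUE000
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 password telnet123
 login
!
end
"""

# The same router after hardening: hashed secrets, password encryption on,
# CDP off, VTY lines authenticate against the local user database.
HARDENED_CONFIG = """\
hostname border-rtr
service password-encryption
no cdp run
!
enable secret 5 $1$xyz$PLACEHOLDERHASHVALUE000
username admin secret 5 $1$abc$PLACEHOLDERHASHVALUE111
!
line vty 0 4
 login local
!
end
"""

# IOS commands that carry a credential.  <type> is the optional encryption
# type digit: absent or 0 = cleartext, 7 = reversible, 5 = MD5 hash.
PASSWORD_RE = re.compile(
    r"^(?P<kind>enable password|enable secret|password|"
    r"username \S+ (?:password|secret))"
    r"(?:\s+(?P<type>\d))?\s+(?P<value>\S+)$"
)


def audit_config(config):
    """Return a list of findings for an IOS-style configuration text."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]

    if "service password-encryption" not in lines:
        findings.append("service password-encryption is off: line and enable "
                        "passwords appear in cleartext in 'show run' and in any "
                        "copy kept on a tftp server")
    if "no cdp run" not in lines:
        findings.append("CDP is enabled: platform and protocol details are "
                        "advertised to neighbouring devices")

    for line in lines:
        m = PASSWORD_RE.match(line)
        if not m:
            continue
        kind, ptype = m.group("kind"), m.group("type")
        if ptype in (None, "0"):
            findings.append(f"'{kind}' is stored in cleartext")
        elif ptype == "7":
            # service password-encryption only upgrades cleartext to type 7,
            # which the freely available tools mentioned above reverse.
            findings.append(f"'{kind}' uses type 7 encryption: reversible, "
                            "treat as cleartext")
        if kind == "enable password":
            findings.append("enable password is configured: replace it with "
                            "'enable secret', which stores a one-way hash")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```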
Cisco Secure Integrated Software (SIS)
One of the optional offerings from Cisco is their Secure Integrated Software (SIS). This option, which was formerly called the IOS firewall feature set, does not come with the purchase of basic IOS. The package is a collection of useful enhancements to IOS that can be used to secure a border router and provide secure connections over the Internet. For a relatively minor incremental cost, a Cisco router can be configured to provide firewall and rudimentary IDS capabilities. The firewall capabilities include state inspection and application-based filtering. The IDS is rudimentary in that only specific attack signatures are recognized, and there is no real-time notification. The Cisco SIS package also provides a VPN solution that supports IPSec and L2TP. The VPN software comes with client software that can be installed on a PC workstation to interface with a router. We have found the Cisco SIS package to be robust in terms of features and functionality. It is an effective initial tier in a multitiered defense.
Simple Network Management Protocol (SNMP)
Due to the security problems inherent in its original design, SNMP is also considered to be an acronym for "security's not my problem." SNMP was developed to allow for the remote monitoring and management of network devices. Unfortunately, hackers can exploit those same facilities for monitoring and managing network devices to gain access to a network. The SNMP standard was developed by the IETF about 10 years ago in an effort to develop a single management server protocol that could manage all network devices regardless of the make of the network device. SNMP also provides the ability to obtain statistical information on the performance of an SNMP network device. For example, network administrators can use SNMP to get information on the number of bytes in and out of a particular device.
The graph below is an example of the type of information that can be gathered employing one of the many monitoring tools that are designed to be used in conjunction with SNMP. In this example, I am using Multi Router Traffic Grapher (MRTG) to graph the data from a router.
Network activity graph.
MRTG communicates with the routers using SNMP and can be utilized to monitor the traffic load on routers. MRTG reads the traffic counters on the routers and logs the traffic data. MRTG also generates HTML pages containing GIF images, which provide a visual representation of the traffic. MRTG was developed by Tobias Oetiker and Dave Rand utilizing Perl and C and is available for download at the URL http://www.mrtg.org. This is an example of the relatively innocuous information that can be obtained through SNMP.
SNMP provides the capability to manage a network device through what is called an agent. Any SNMP-managed device, whether it is a router, hub, server, or printer, must have an SNMP agent that the SNMP server monitors and queries.
When SNMP was first developed, no consideration was given to security. As a result, SNMP can be a very useful tool for a hacker attempting to compromise a network device. SNMP version 2 (SNMPv2) is a little more secure, but many installations are still running the earlier version. SNMP version 3 (SNMPv3) is under development and is supposed to provide even more security.
SNMP's authentication is very weak and not very secure. You have to ask yourself what the designers were thinking when they came up with the process. SNMP uses passwords called community strings or community names for the authentication process. It's the standard "something you know" or password authentication. However, the community string passes on the network in the clear. In other words, the community string is transmitted unencrypted as cleartext. This vulnerability can potentially allow a hacker to compromise a device and gain privileged access to the device. A sniffer on the network can easily intercept the community string in transit. This is an example of a vulnerability whose source is poor design.
To make matters worse, every SNMP request and response contains the community string. The fact that it is transmitted so often makes it very easy to sniff on the network. This is even worse than the cleartext password vulnerability associated with logging into a system over a network using telnet, rlogin, or a terminal emulator. Even with telnet or rlogin the password only passes in the clear once, when you first log into a system. With SNMP the community string is transmitted every time a request is sent to the device.
There are tools that are easily obtained that allow hackers to gather SNMP information on the network. SNMP Sniff is an SNMP packet sniffer that will listen on a network and intercept any SNMPv1 and SNMPv2 information that passes by. This can be very useful for gathering information about devices on the network, including community strings.
If a hacker captures the community string he or she can modify or delete router configurations, change routing tables, crash your network, or open up the entire network to the outside. If SNMP network devices are not properly configured, it is relatively easy for hackers to obtain information on the devices. This includes routers and information in routing tables. In addition, with SNMP versions 2 and 3 management servers and agents tend to be proprietary, so you need a specific vendor's software to manage that vendor's devices; this results in limited interoperability.
If you have to employ SNMP then be sure to use access lists on routers and limit manageability to selected IP addresses. While this is not foolproof it does provide some measure of protection. In addition, you should never use the default community string that comes standard with a router. It is amazing the number of installations that have SNMP running when they don't need the protocol. Often the error is compounded by using the default or "public" password.
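The cleartext community string described above can be read straight out of the message encoding, which is what makes it so easy to pick up with a sniffer and so easy to watch for defensively. The following Python detector is an added example, not code from the original text, from SNMP Sniff or from any vendor: it decodes the outer BER structure of an SNMP message, reports the version and community, and rates v1/v2c traffic and factory-default communities. The messages it inspects are constructed inside the block, not captured traffic.

```python
# Constructed sample traffic: a minimal BER encoder used only to build the
# test messages below (not from the original text or any vendor tool).
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}
DEFAULT_COMMUNITIES = {"public", "private"}   # factory defaults the text warns about


def _tlv(tag, value):
    """Encode one short-form BER TLV (value shorter than 128 bytes)."""
    if len(value) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(value)]) + value


def sample_message(version, community):
    """Build an SNMPv1/v2c GetRequest for sysDescr.0 with the given community.

    version is 0 for SNMPv1 or 1 for SNMPv2c.  This exists only to construct
    sample payloads for the detector below.
    """
    oid = bytes.fromhex("2b06010201010100")                  # 1.3.6.1.2.1.1.1.0
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))  # OID + NULL value
    pdu = _tlv(0xA0,                                          # GetRequest-PDU
               _tlv(0x02, b"\x01")                            # request-id
               + _tlv(0x02, b"\x00")                          # error-status
               + _tlv(0x02, b"\x00")                          # error-index
               + _tlv(0x30, varbind))                         # variable-bindings
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community) + pdu)


# A truncated SNMPv3 header (version 3, empty msgGlobalData) is enough for the
# detector, which stops after the version field for v3: there is no community.
SAMPLE_V3_HEADER = bytes.fromhex("30050201033000")


def _read_tlv(buf, pos):
    """Decode the BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(payload):
    """Classify one SNMP UDP payload by how it exposes its credential.

    Returns a dict with version, community (None for v3), pdu and severity:
    'critical' for a factory-default community, 'high' for any v1/v2c
    community (sent in cleartext on every request and response), 'info' for v3.
    """
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("not an SNMP message: version INTEGER missing")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    result = {"version": version, "community": None, "pdu": None, "severity": "info"}
    if version not in ("v1", "v2c"):
        return result
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    result["community"] = community.decode("ascii", "replace")
    pdu_tag, _, _ = _read_tlv(body, pos)
    result["pdu"] = PDU_NAMES.get(pdu_tag, hex(pdu_tag))
    result["severity"] = ("critical" if result["community"] in DEFAULT_COMMUNITIES
                          else "high")
    return result


if __name__ == "__main__":
    for pkt in (sample_message(0, b"public"),
                sample_message(1, b"n3tw0rk-ro"),
                SAMPLE_V3_HEADER):
        print(inspect_snmp(pkt))
```

Fed the payload of each UDP/161 datagram on a monitored segment, the same function doubles as a check that no v1/v2c management traffic, and no default community, is still in use after an access-list clean-up.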
Detecting or discovering devices on a network configured with the default SNMP password is a straightforward process. You can walk the IP addresses manually, testing each node's response. There are also tools available to automate and speed up the process. For Mac users there is SNMP Watcher. SNMP Watcher can be used to query network devices for information about their configuration, activity, and errors. SNMP Watcher is a freeware program from Dartmouth College.
Another tool that allows you to scan a range of IP addresses looking for devices running SNMP is SolarWinds' SNMPSweep. With this tool you only need to specify a range of IP addresses, and the program will check each node to determine if it is configured for SNMP and if it is using the default community string. Figure 10.4 shows an example of the results of an SNMP scan that I performed on a small network that I have at home using SNMPSweep. In the example only one of the systems, named NTSERVER, has SNMP configured with the default or public community string. You can tell that by the fact that the system NTSERVER displays information on the system name, machine type, and description. If it weren't configured with the public community string then it wouldn't have returned the detailed information to the query.
SolarWinds' SNMPSweep. (Source: SolarWinds.Net. Reprinted with permission.)
Figure 10.5 illustrates the additional information that can be obtained through SNMPSweep with a few clicks of the mouse.
SolarWinds' SNMPSweep.
,irewalls
6irewa!!s are a fundamenta! component of any perimeter defense. Contrary to popu!ar &e!ief$
a firewa!! is usua!!y not a sing!e systemB it is actua!!y a co!!ection of components. A firewa!! is
usua!!y p!aced &etween two networks to act as a gateway. #he principa! re;uirements of an
effecti:e firewa!! are descri&ed as fo!!ows.
It must act as a door through which a!! traffic must pass (incoming and outgoing).
It must a!!ow on!y authori7ed traffic to pass.
It must &e immune to penetration or compromise.
In its &asic form$ a firewa!! acts to pre:ent unauthori7ed network traffic originating from an
untrusted network from accessing protected interna! network. #he origin of term <firewa!!<
deri:es from construction :ernacu!ar for a wa!! that must &e a&!e to withstand fire for a
prescri&ed period of time. In construction$ the purpose of the firewa!! is to pro:ide enough
time so that peop!e can either escape or e?tinguish the fire. An Internet firewa!! has to &e
a&!e to withstand a !ot of heat$ Aust !ike its namesake in construction.
I!!ustration of firewa!! concept.
As a ru!e of thum&$ an organi7ation shou!d ne:er connect the company>s network or systems
to an e?terna! network$ such as the Internet$ without a firewa!!"un!ess it doesn>t care if those
systems or network get trashed. A firewa!! is a com&ination of hardware and software that
protects the company>s network and computers from possi&!e intrusion &y hackers from the
e?terna! network.
1+9
2hen imp!ementing security measures to protect an interna! network from an untrusted
e?terna! network you ha:e to make sure the measures you ha:e taken are an ade;uate
response to the percei:ed threat. Some companies &e!ie:e that simp!y p!acing a router$ that
is performing packet or protoco! fi!tering$ &etween the interna! and e?terna! networks is
sufficient protection. In genera!$ this is not ade;uate protection. It is far too easy to
circum:ent router"fi!tering systems. In addition$ the traditiona! router was not rea!!y designed
for protecting networks. #hey were designed to <route< network traffic. ):en though many of
the newer routers are much more sophisticated in their capa&i!ity to protect a network$ I
wou!d sti!! think twice &efore re!ying on a router a!one to protect my interna! network from an
e?terna! untrusted network.
Firewall Pros
Firewalls are generally good at keeping unwanted and unauthorized traffic from passing (in or out). They are also an efficient method of providing Internet access to internal users. A firewall can provide NAT for systems or networks that don't have an IP address. They can (sometimes) monitor for and notify you of attacks and network problems. At the very least, firewalls are effective at maintaining logs of all activity that passes through, connections to, or attempts to connect to the system. These logs can be used to identify abnormal events.
Firewall Cons
One of the drawbacks of a firewall is that it represents a single point of failure. It is the high-tech equivalent of putting all your eggs in one basket. If you make a mistake configuring the components of your firewall you may be allowing unauthorized users through. It takes knowledge, experience, and skill to configure a firewall. In addition, if the firewall goes down, your connection to the outside network is down. A denial-of-service attack that effectively shuts down your firewall shuts down your network connection to the outside world. At the very least, a firewall tends to degrade network performance between the outside network and the inside network. This is because a firewall examines traffic going in and out; this process of examination takes time, which can slow network throughput. Firewalls are also not quite as smart as would be desirable. As a result, they can only control and monitor traffic so far. They will still allow some things through that can hurt you, and they can stop some things that you do want to pass through.
A firewall by itself does not assure a secure network. A firewall is only a tool. Firewalls need to be configured properly, and they need to be monitored. Vigilance on the watch is still required. Many organizations assume that if their network is behind a firewall they only have to monitor the firewall and not be concerned about the systems sitting on the inside network, or they assume that if their network is not connected to the Internet, they don't need to be concerned about hackers. Nothing could be further from reality.
Firewalls are of no use tracking activity on the internal network. While a firewall does make it somewhat more difficult for someone from the outside to get in, the majority of attacks on corporate systems come from the inside, not from the outside. Sometimes the biggest threat to an organization's systems and networks is from its own employees. Critical systems should be configured to monitor logins, failed logins, and all network activity. Most every computer and NOS has utilities for monitoring this kind of activity. For example, Windows NT Server has the Event Viewer. Most versions of Unix allow you to monitor logins through the wtmp file and record failed login attempts. Unix, in particular, can be configured to record all sorts of activity that can be reviewed for security purposes.
In addition to the threat from within an organization, firewalls can be circumvented by outsiders, so it is important that critical systems be configured to monitor network and login activity. If the firewall, as your first line of defense, fails, then intrusions might be detected in the logs of the individual systems.
When developing firewall access policies, there are two general approaches that can be employed. The first is to deny anything that is not explicitly allowed. The second is to allow that which is not explicitly denied. Obviously, the first approach is the more secure.
Types of Firewalls
Firewalls can be categorized in several different ways. They can be categorized by the layer of the OSI model at which they operate, by the technology they implement, or by the general approach they employ. When using the different approaches employed by firewalls, you can separate them into two different categories, filtering firewalls and proxy firewalls. Many firewall implementations use a combination of both approaches.
When categorizing firewalls based on the level of the OSI model at which they operate, there are three basic types of firewalls:
• Network level;
• Application level (proxy server);
• Circuit level (proxy server).
Network Level Firewalls
A network level firewall operates at the network level of the OSI model, hence the name network level firewall. A network level firewall is usually a screening router or specially modified computer that "filters" or "screens" each incoming packet to determine whether to pass it on through to the network. Network level firewalls typically employ one of two different filtering approaches:
• Static packet filtering;
• Dynamic packet filtering/stateful inspection.
Static Packet Filtering
A static packet filtering firewall employs a process of filtering incoming and outgoing packets to deny or authorize access. The criteria to deny or authorize access can be based on the network address of the packet and other rules as defined by the network administrator. The most widely employed static packet filtering firewall is the common router. The filtering rules employed to determine whether to deny or authorize a packet are non-dynamic. In other words, they don't change. The rules are static, hence the name static packet filtering firewall.
Stateful Inspection/Dynamic Packet Filtering
Stateful inspection also occurs at the network level of the OSI model. A stateful inspection packet filtering firewall also filters packets, but it can modify the rules according to need. The rules are "dynamic" in that they can change as conditions require. For example, a stateful inspection firewall remembers outgoing packets and permits any corresponding incoming packet responses to pass through. It only allows in traffic that is a response to a request that originated from the inside network.
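As an added example (not code from the original text or from any product it names), the following Python simulation contrasts a static packet filter with a stateful inspection filter and applies the deny-anything-not-explicitly-allowed policy described above. The packet layout, the addresses, and the rule set are constructed for illustration; the point it makes visible is why a static filter that must let replies back in ends up opening the whole non-privileged port range, while a stateful filter admits only packets that mirror a remembered outbound flow.

```python
# Added example: toy static packet filter vs. stateful inspection.
# Packet fields, addresses and the sample policy are constructed, not real.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    sport: int      # source port
    dst: str        # destination IP address
    dport: int      # destination port
    direction: str  # "in" arrives from the untrusted network, "out" leaves it


Rule = Tuple[str, int, int, str]  # (direction, low port, high port, action)

# Static policy: first match wins, default deny. To let replies to outbound
# connections back in, a static filter has no choice but to open the whole
# non-privileged port range inbound (third rule); that is its weakness.
STATIC_RULES: List[Rule] = [
    ("out", 1, 65535, "allow"),
    ("in", 80, 80, "allow"),        # published web server
    ("in", 1024, 65535, "allow"),   # "replies" to inside clients
]


def static_filter(pkt: Packet, rules: List[Rule] = STATIC_RULES) -> str:
    """Static packet filter: the rules never change while the filter runs."""
    for direction, low, high, action in rules:
        if pkt.direction == direction and low <= pkt.dport <= high:
            return action
    return "deny"  # deny anything that is not explicitly allowed


class StatefulFilter:
    """Stateful inspection: remembers outbound flows and admits only their
    replies plus traffic to explicitly published services."""

    def __init__(self, published_ports: Set[int]) -> None:
        self.published_ports = published_ports
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # An inbound packet is a reply only if it mirrors a remembered outbound flow.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        if pkt.dport in self.published_ports:
            return "allow"
        return "deny"


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Return {label: (static verdict, stateful verdict)} for constructed traffic."""
    inside, outside, attacker = "10.0.0.5", "203.0.113.9", "198.51.100.7"
    traffic = [
        ("client request out", Packet(inside, 40000, outside, 80, "out")),
        ("genuine reply in", Packet(outside, 80, inside, 40000, "in")),
        ("unsolicited to high port", Packet(attacker, 31337, inside, 40001, "in")),
        ("inbound to web server", Packet(attacker, 5555, "10.0.0.80", 80, "in")),
        ("inbound telnet", Packet(attacker, 5556, inside, 23, "in")),
    ]
    stateful = StatefulFilter(published_ports={80})
    return {label: (static_filter(p), stateful.decide(p)) for label, p in traffic}


if __name__ == "__main__":
    for label, (static_verdict, stateful_verdict) in run_scenario().items():
        print(f"{label:26} static={static_verdict:5} stateful={stateful_verdict}")
```

Only the "unsolicited to high port" packet separates the two: the static filter must allow it because its reply rule cannot distinguish a genuine response from an unrequested probe, whereas the stateful filter denies it because no inside host ever opened that flow.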
Proxy Servers
Application level and circuit level firewalls are two different implementations of a proxy server. A proxy server "stands in" for both the client and a server during a connection. A proxy server acts as the "man in the middle," so that there is no direct contact between a client on an internal network and a server on an untrusted network.
Technically, the proxy is not the firewall. The proxy runs on the firewall. This is an important distinction. The firewall stops the traffic from flowing through, while the proxy allows the controlled access. The proxy is only a software solution to allow communication between two networks in a controlled manner.
Application Level Proxy
Application level proxy firewalls are sometimes referred to as application level gateways. This is because the purpose they serve is to provide a gateway between a trusted and untrusted network through which information can pass. An application level proxy operates at the connection level through interactive proxies that control the establishment of connections. Typically, the proxy also authenticates the user and authorizes the source and destination addresses and permits or denies the protocol. To function, the server requires proxies for each protocol (i.e., FTP, HTTP, and telnet). The application level proxy must know the particular application for which it is providing the service. There are generic proxies available that can be employed for obscure protocols, but utilizing them can have a detrimental effect on throughput. To optimize performance, proxies specifically designed for the various protocols should be employed.
Circuit Level Proxy
A circuit level proxy functions by creating a "circuit" between a client and a server without interpreting the nature or substance of the request. To function, a circuit level proxy requires that a client system run special client software. One of the most widely used circuit services is SOCKS, which is discussed above.
Packet Filters Versus Proxies
Generally speaking, packet-filtering firewalls tend to provide better performance, in terms of throughput, than proxy firewalls. That only makes sense if you think about how the two differ in their functioning. Packet filters simply inspect the packets and pass them through, while proxy firewalls require much more setup and overhead. In general, proxy firewalls tend to provide better protection than packet filters. However, I am sure there are many individuals and vendors who would take exception to both of the previous statements. In terms of protocols, general network level firewalls are more effective at handling protocols such as telnet and SMTP, while proxy firewalls are better at protocols such as FTP and HTTP.
Firewall Configurations
There is no one way of implementing a firewall. There are many different ways to deploy the components that comprise a firewall. There is little difference whether the approach employed uses packet filtering or proxies. Many organizations use a combination of packet filtering and proxies in their firewall configuration. The most widely implemented architectures are listed as follows:
• Screening routers;
• Bastion hosts;
• Dual-homed hosts;
• Screened hosts;
• Screened subnets.
The architectures listed above are general concepts, and they are neither all-inclusive nor mutually exclusive. They are examples that I use to illustrate the practical application of the theory.
Screening Router
The screening router is probably the simplest approach you can use for firewalling your network. If you are connecting your company network to the Internet you will probably need the router anyway. Usually, the router is supplied by your ISP. Routers can provide a cheap and useful level of security by allowing you to filter connections based on the IP address and the protocol. Most router software comes standard with the ability to filter traffic. There are also public domain software packages available on the Internet that enable you to create your own router.
One popular freeware is IPFilter. IPFilter runs on several versions of UNIX and can give a host system IP-filtering capabilities. The source code can be downloaded from a number of locations. One site is the University of Australia at http://coombs.anu.edu.au/~avalon/ipfilter.html. Another low-cost alternative for PC-based systems is Drawbridge. Drawbridge can convert most PCs with two network cards into a packet-filtering router. To find a copy to download simply use one of the many Internet search engines. Just be sure of the reliability of the site from which you choose to download.
Basically, the router examines each packet as it attempts to pass through. This examination can occur for both incoming and outgoing packets. Based upon the rules loaded in the router, it either passes the packet on through or drops it. Screening routers are sometimes referred to as border routers because they sit on the border separating two or more networks.
Screening router function.
A screening router is not sufficient to protect an organization's network connected to the Internet. As stated before, routers are designed to route traffic, not to be firewalls.
Bastion Host
A bastion host is somewhat more complicated than a screening router. In architectural terms, a bastion is the outer part of a castle. It is usually a part of the castle that sticks out exposed and is used to defend the castle. In the movies, the bastion is the part of the castle from which they would pour the boiling oil down onto the soldiers who were laying siege to the castle. A bastion host gets its name from the fact that it is the part of the network that sticks out exposed and is used to defend the network. A bastion host is the outer defense of a network that does not allow traffic to pass.
With a bastion host you generally want to run a stripped-down version of the operating system, regardless of the operating system. If possible, you should modify the system kernel to remove utilities and functions that are not needed. Only those services that are needed should be run, and all other executables and services should be removed. By doing so you reduce your exposure to certain operating system vulnerabilities. For example, if you don't need ftp or ping on your bastion host, then don't have them running. If you leave the various utilities functioning, they will be used by hackers.
In general, IP routing should be disabled on a bastion host. It is not uncommon for internal users to actually log into the bastion host to access the outside network. There are, of course, risks associated with that approach in that unauthorized individuals may be able to compromise a username and password. As a result, it is very important that systems on the internal network should not trust the bastion host.
Since the bastion host is the system that is most accessible to the outside world, you should monitor it constantly and be prepared for the fact that it may be compromised. In today's environment, a bastion host by itself is not enough. Other measures, such as a screening router, should be placed between the bastion host and the internal network. Figure 12.3 illustrates the concept of a bastion host.
Bastion host.
Dual-Homed Host
The major vulnerability of dual-homed hosts can be the administration. It is easy to make mistakes configuring such a system, and that can create holes in the system that allow unauthorized traffic through.
Proxy Server
A "proxy" is a substitute or a surrogate for something else. With a firewall, a proxy is a program that acts as a substitute for another program. A proxy server is designed to prevent a connection from one entity directly connecting to another entity. Instead, the connection is stopped at the firewall, and a proxy application is forwarded. At no time are the two entities in direct contact. In effect, the proxy firewall is identical to the man-in-the-middle attack described in Chapter 2. However, in this case the proxy server is protecting the entities on the internal network.
A proxy server can be configured several ways. For example, it can run on a simple bastion host or a dual-homed host. It is important to remember that the proxy is not the firewall. The firewall security is provided by the bastion host or the dual-homed host. The proxy operates on a host that has IP forwarding disabled and blocks all traffic from passing. The proxy is actually a mechanism designed to allow traffic through in a controlled manner.
Dual-homed host proxy server.
Screened Host
Another option is to deploy a screened host. Figure 12.6 illustrates a screened host. With this configuration, the host is the only part of the firewall directly connected to the internal network. The host is protected by a screening router that provides packet filtering. The router will only allow certain types of connections or traffic through to the bastion host. The router is configured so that the only system on the internal network from which it will accept connections is the bastion host. This setup can be configured so that the host is the only system on the internal network to which the router and outside systems can establish a connection or see.
Screened host.
The section of the network between the screening router and the host is referred to as the "demilitarized zone" (DMZ). The term derives from the buffer zone that separates North Korea and South Korea. In Korea, the DMZ is a no-man's land that is intended to separate the belligerent parties. It provides an added measure of security. With firewalls the DMZ provides the same function. The DMZ is neither part of the internal nor external network. Generally, the DMZ is a buffer zone between the screening router and the bastion host.
Generally speaking, a screened host provides a greater level of protection to the internal network than does a dual-homed host alone. A dual-homed host represents a single point of failure, whereas a screened host uses a two-tiered approach.
Screened Subnet
With a screened host configuration, if a hacker manages to get through the screening router and is able to compromise the bastion host, there is nothing to stop the hacker from compromising the rest of the network. That risk is mitigated with a screened subnet.
A screened subnet adds an additional router, so that it sandwiches a bastion host between two routers that separate the internal network from the outside network. This establishes a separate subnetwork that acts as a barrier between the internal and external networks. This separate subnet is a buffer that acts as a DMZ that provides additional protection for the internal network.
Screened subnet configuration.
With a screened subnet, the exterior or border router communicates only with the outside network and the bastion host on the subnet. The exterior router is never allowed to communicate directly with the interior router or the interior network. The interior router communicates only with the interior network and the bastion host. The two routers never directly communicate with each other.
In this configuration, both routers perform packet filtering. The bastion host has IP routing disabled and runs proxy services. With this type of configuration, the external router is frequently provided by ISPs.
Restricting Users' Access to the Internet
When discussing the functionality of firewalls most people usually concern themselves with how well firewalls keep people from getting into the company network. However, one of the most important functions firewalls provide is restricting inside users from getting out.
A firewall can be set up to restrict internal users from accessing particular sites on the Internet or from accessing the Internet at all. Firewalls can restrict access based on the URL or the content of the Web site. One such program is Secure Computing's SmartFilter software.
SmartFilter is not a firewall in itself; it is a software product that can work as part of a firewall. Remember that a firewall is a collection of components that work together. (This is not a recommendation of the software, but simply an example of one of the products out on the market.) With SmartFilter, end users' Internet access is controlled through a database of URLs. The SmartFilter software contains more than 1,000,000 nonbusiness-related URLs. It also provides the ability to download updates to the database. In addition, the database can be customized by each organization.
Firewall Products
There are so many available firewall products on the market and the companies merge or change so frequently that it does not make sense to try to list them here; they might be obsolete by time of publication. Many brands of routers provide firewalling capabilities and built-in VPN capabilities. There are, of course, UNIX-based, NT-based, and even Mac-based firewalls. In addition, there are products with proprietary operating systems and special dedicated firewall devices. One popular example is the Cisco PIX box.
For small offices or the home connection, there are also many "Internet-in-a-box" products on the market today that offer a simple-to-use configuration interface. These Internet appliances can be multifunction systems that offer firewall capabilities and simplify the process of connecting to the Internet. Available products include the Whistle InterJet, the Cobalt Qube, FreeGate OneGate, and the WindDance Breeze. These systems can provide a mix of e-mail services, FTP server capability, NAT, DHCP, DNS, and even VPN.
Generally, these systems range in price from about $1,000 to $3,000. Some come with built-in routers, and some do not. If you are considering one of these systems, you need to take into account whether or not you will have to purchase a router.
Firewall Alternatives
For those who don't have a lot of money to spend, there are some inexpensive alternatives to purchasing a firewall. Some of these are described in the following sections.
TIS Firewall Toolkit
One well-known alternative to buying a firewall is to use Trusted Information Systems' (TIS) firewall toolkit. The TIS Toolkit was developed by Marcus Ranum, while at TIS. Ranum, who is well-known in the network security field, was also the architect of several other firewall products, including the TIS Gauntlet firewall. While the toolkit was developed several years ago, it is still widely used. The TIS toolkit is a set of basic proxies that provide the most commonly required functionality for a firewall. The source code is available to download, but there are some restrictions, and TIS requires that you register a copy for download. It is also available at other sites (although I'm not sure if those sites are legal). The TIS toolkit information and download is available from TIS at the URL http://www.tis.com/research/software. The TIS toolkit can run on Linux, which can also be downloaded. Since the toolkit and Linux are available on the Internet, all you would need is a powerful Pentium-based system to build a relatively inexpensive firewall. However, this is not a task for beginners. The way you configure the toolkit determines the level of security. It is not a simple "plug it in and it works" process. The installer has to know what he or she is doing and what he or she wishes to achieve.
Because the TIS toolkit has been around for so long there is a lot of information about it available on the Internet and a fairly large user community. There is even a Web site dedicated to providing and sharing information about the TIS toolkit. The URL is appropriately http://www.fwtk.org, and it is depicted in the Figure.
TIS toolkit Web site. (Source: http://www.fwtk.org. Reprinted with permission.)
Like the TIS toolkit, both the Juniper and Freestone firewalls require that you know what you are doing. Building a firewall requires knowledge and experience. If you don't have the knowledge and experience, then consider a commercial product, and, even then, I would still recommend you get some help or advice first.
Connecting critical networks and systems to the Internet is a job for properly trained personnel, not amateurs, nor is it the type of circumstance where an organization can allow the staff to learn on the job or grow into the position. The possibility of an attack is too great, and the potential harm to an organization is too high.
If an organization does not have knowledgeable staff, mistakes can be made in the setup and configuration of any firewall system. In fact, many successful hacking attacks have been attributed to incorrectly configured firewalls and routers.
It is also important that firewalls be monitored and that those monitoring them know what they are looking at when reviewing logs and reports. Knowledgeable and experienced personnel are crucial to being able to recognize and detect attempts to compromise a network or systems.
Organizations that don't have the personnel resources necessary for this type of position should consider outsourcing the responsibility for a firewall. Companies such as AT&T, Exodus, and UUNET offer managed firewall services. This type of arrangement has worked very well for some companies. Be warned though that with this type of arrangement you are placing a great deal of trust in the hands of the company selected to function as the firewall. You are trusting their technical skills and the reliability of their personnel. Accordingly, you need to be sure of the company with which you are doing business. Even if you choose to outsource the firewall function, I would recommend taking additional measures to harden your internal systems.
It is somewhat ironic that some organizations would never think of outsourcing the responsibility for their firewall because of security concerns, while they don't hesitate to outsource the entire organization's computer operations or WAN management to reduce operating expenses. Where is the logic in that thinking?
Personal Firewalls
The rise in popularity of broadband access from home, such as cable modems, and the introduction of xDSL technology has resulted in the development of a new class of firewall, the personal firewall. Cable and xDSL with their "always on" technology offer increased speed but with increased risks. These risks, which are discussed in Chapter 9, offer new challenges to the home user on the Internet. The greatest risk is the fact that with technologies such as cable and xDSL, hackers can gain access to a Web surfer's system. Personal firewalls were developed to mitigate this risk.
Personal firewalls are software products that act to safeguard an end user's computer on the Internet by monitoring attempts to access or probe his or her system. For instance, if a hacker attempts to "ping" or "finger" a computer running one of these personal firewalls the command is denied and the end user is notified of the attempt. The various personal firewalls can monitor for specific ports, protocols, IP addresses, and URLs. Some also provide virus detection capabilities and content filtering for Web sites.
Many of the available personal firewalls provide the ability to configure the software to allow or deny connections based upon a specific set of rules. For example, one can load in a specific group of IP addresses, so that when an unauthorized IP address attempts to connect to a system employing one of these software products, the system denies the connection and notifies the end user. Once notified, the end user can take appropriate action.
There are several products on the market that offer personal firewall capabilities. Symantec's Norton Internet Security 2000, McAfee's Personal Firewall and Software Builders' PC Secure are three examples. There are also some very good free systems available for download on the Internet. One option is Aladdin Knowledge Systems' eSafe program, which provides virus protection, content filtering and personal firewall capabilities. Figure 12.9 shows the configuration desktop of eSafe. eSafe provides the capability to allow or deny traffic based on port, protocol, IP address or URL.
The configuration desktop of eSafe. (Source: Aladdin Knowledge Systems. Reprinted with permission.)
7. VPNs, Authorization and Authentication Systems
Virtual Private Networks
Encryption on the Network
A VPN is another example of a widely implemented use of encryption to secure connections on an untrusted network. Before going into a detailed discussion of VPNs, we need to cover some basic concepts related to encrypting a network connection. To begin, when using encryption to secure a connection between two or more systems, it can generally be handled in one of two ways: node-to-node or end-to-end.
Node-to-Node Encryption
Node-to-node encryption is also referred to as link-to-link encryption. Referring to the OSI model, the data link layer is concerned with node-to-node or link-to-link connections. As a result, if you encrypt the packet at the data link layer, it must be decrypted by the data link layer recipient before passing it up to the network layer to determine how to forward the packet. When encrypting at the data link layer, a packet has to be decrypted and re-encrypted for each node-to-node hop along the route. Node-to-node encryption operating at the data link layer requires compatible devices, sharing a protocol, and a key management process for every device on the network.
Node-to-node encryption.
If the devices on the network are not compatible, they will not be able to relay the packets they receive. This is an issue that must be considered, because if the network is large, management requirements will be significant.
End-to-End Encryption
As an alternative, end-to-end encryption operates at the upper layers of the OSI model and can encapsulate data into standard network protocols. As a result, no special considerations are necessary for the intermediate hops along the network. The encryption and decryption of the encapsulated data is done at either end of the connection.
Figure 11.2: End-to-end encryption.
However, a consideration with end-to-end encryption is that the further up the protocol stack you move the encryption, the more information you may be providing a potential eavesdropper. As you will see, as you move the encryption higher up the protocol stack, more information is revealed about the sender, the recipient, and the nature of the data.
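The contrast between the node-to-node and end-to-end sections above, as an added example that is not part of the original text: a four-node path is simulated in Python, once with a separate key per link (every relay decrypts and re-encrypts, so every relay holds the plaintext and every link needs its own key) and once with a single key shared by the two endpoints (relays forward opaque ciphertext). The XOR keystream cipher, the node names, the keys and the message are all constructed for illustration; the cipher is a stand-in for a real one, not something to deploy.

```python
# Added example: node-to-node (link) encryption vs. end-to-end encryption.
# Toy keystream cipher and constructed path/keys, for illustration only.
import hashlib
from typing import Dict, Tuple


def keystream(key: bytes, length: int) -> bytes:
    """Derive a deterministic byte stream from key (toy construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: XOR with the keystream (same call encrypts and decrypts)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# Constructed topology: alice -> router1 -> router2 -> bob
PATH = ["alice", "router1", "router2", "bob"]

# Link encryption needs one key per adjacent pair, held by both ends of the link.
LINK_KEYS: Dict[Tuple[str, str], bytes] = {
    ("alice", "router1"): b"link-key-1",
    ("router1", "router2"): b"link-key-2",
    ("router2", "bob"): b"link-key-3",
}

# End-to-end encryption needs one key known only to the two endpoints.
E2E_KEY = b"alice-bob-session-key"


def node_to_node(message: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Link encryption: each hop decrypts with the inbound link key and re-encrypts
    with the outbound one, so every relay holds the plaintext in between."""
    seen_in_clear: Dict[str, bytes] = {}
    plaintext = message
    for left, right in zip(PATH, PATH[1:]):
        on_wire = xor_crypt(LINK_KEYS[(left, right)], plaintext)   # encrypt for this link
        plaintext = xor_crypt(LINK_KEYS[(left, right)], on_wire)   # receiver decrypts
        if right != PATH[-1]:
            seen_in_clear[right] = plaintext                        # relay has plaintext
    return plaintext, seen_in_clear


def end_to_end(message: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """End-to-end: only the endpoints hold the key; relays forward ciphertext unchanged."""
    on_wire = xor_crypt(E2E_KEY, message)
    seen_by_relay = {node: on_wire for node in PATH[1:-1]}
    return xor_crypt(E2E_KEY, on_wire), seen_by_relay


def compare(message: bytes = b"transfer 500 to account 42") -> Dict[str, bool]:
    """Summarize what is delivered and what the relays could read in each mode."""
    delivered_link, relays_link = node_to_node(message)
    delivered_e2e, relays_e2e = end_to_end(message)
    return {
        "link_delivered_ok": delivered_link == message,
        "e2e_delivered_ok": delivered_e2e == message,
        "relays_read_plaintext_link": all(v == message for v in relays_link.values()),
        "relays_read_plaintext_e2e": any(v == message for v in relays_e2e.values()),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:28} {value}")
```

Both modes deliver the message intact; the difference is that in link mode the two routers each hold the plaintext for a moment (and LINK_KEYS must contain an entry for every link in the path), while in end-to-end mode they only ever see ciphertext and need no key at all.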
The level of security achieved differs depending on where the encryption takes place. The level of security required should dictate where your encryption is performed. Referring again to the OSI model, if you encrypt at the network layer (layer 3), information identifying the devices or machines can be intercepted. For instance, information on the IP addresses of the source and destination can be monitored. This information can be used for network traffic analysis. As we have discussed, network traffic analysis in itself can provide a wealth of information that can be utilized by individuals or entities sniffing the network.
If the encryption takes place further up the protocol stack at the transport layer (layer 4), then someone eavesdropping on the communications can tell which port you are communicating with on the recipient system. From that information, eavesdroppers can surmise what protocol you are using.
For example, if you are communicating with port 161, then you are most likely using SNMP for network management. If you are communicating with port 25 then you are probably using SMTP for e-mail. Knowing the protocols that are running on a device or system can be used to plan an attack.
A TCP/IP port is a logical connection to a server that usually handles a specific service or protocol. TCP/IP network servers often provide a variety of services or protocols such as SNMP, HTTP, or SMTP. Each of the available services "listens" for an outside connection on a particular port number or uses a specified port number.
The port numbers range from 1 to 65,535, with the privileged ports ending at 1,024. Nonprivileged ports range from 1,025 to 65,535. Sometimes the port numbers are displayed at the end of a URL, for example http://www.someurl.com:81. In this example the server is using port 81 for the particular URL address. It indicates the port number that the TCP/IP connection is using on the Web server.
At the application layer (layer 7) even more information is available. If e-mail is encrypted and transmitted at this level it may be secure from disclosure and modification, but anyone monitoring the transmission will know you sent e-mail, to whom you sent it, and where. As a result, when implementing encryption on a network you have to determine where you need the encryption to take place and what is an adequate level of security based upon the sensitivity of the data.
Virtual Private Networks (VPNs)
A VPN is a means of transporting traffic in a secure manner over an unsecured network. A VPN usually achieves this by employing some combination of encryption, authentication, and tunneling. "Tunneling" (sometimes called encapsulation) refers to the process of encapsulating or embedding one network protocol to be carried within the packets of a second network.
There are several different implementations of VPN protocols. There are at least five generally recognized VPN protocol "standards." I use the word standard here somewhat loosely. There are also several proprietary products available on the market. The four most commonly employed protocols are listed as follows:
• Point-to-Point Tunneling Protocol (PPTP);
• Layer 2 Tunneling Protocol (L2TP);
• Internet Protocol Security (IPSec);
• SOCKS.
PPTP
PPTP is a tunneling protocol supported by Microsoft for connecting Windows NT clients and servers over remote access services (RASs). PPTP is one of the more widely implemented VPN protocols if for no other reason than it was one of the earliest. PPTP operates at the data link layer (layer 2) of the OSI model and can be used to create a VPN between computers running the Windows operating system.
PPTP is basically an extension of the Point-to-Point Protocol (PPP), the Internet standard for transmitting network layer datagrams (i.e., IP packets) over serial point-to-point links, and is used by TCP/IP routers and PCs to send packets over dial-up and leased-line connections. PPP was developed as a replacement for Serial Line Internet Protocol (SLIP). When you dial into an ISP's dial-up service you are using a PPP dialer to connect to the ISP.
PPTP does not provide the actual encryption. Instead the encryption for the PPTP tunnel is provided through Microsoft's Point-to-Point Encryption. Microsoft Challenge Handshake Authentication Protocol (CHAP) is the preferred setting for clients supporting Microsoft encryption. CHAP actually uses RSA's MD4 algorithm to ensure integrity and the RC4 algorithm for confidentiality of the data.
To establish a connection, the CHAP server sends a unique random challenge to the client. The challenge is used by the client to encrypt the client's password. The password is then returned to the server to log in the client.
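The challenge/response round trip just described, worked through in Python as an added example (it is not code from this book or from any Microsoft product). It follows the standard CHAP construction of RFC 1994, where the response is an MD5 digest over the identifier, the shared secret and the challenge; the MS-CHAP variant the text refers to differs in its hash and cipher. The user name, secret and challenge length are constructed values for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed shared secret for this illustration. In a real remote access server
# the secret lives in the account database and is never sent over the link.
CLIENT_SECRETS = {"alice": b"correct horse battery staple"}


def make_challenge(length: int = 16) -> bytes:
    """Server side: a fresh, unpredictable challenge for every authentication attempt."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 1994): MD5 over identifier || secret || challenge.

    Only this digest crosses the link; the secret itself stays on the client.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def verify_response(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest for the challenge it issued and compare in
    constant time so that timing does not leak how many bytes matched."""
    secret = CLIENT_SECRETS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(username: str, client_secret: bytes, identifier: int = 1,
                 challenge: Optional[bytes] = None) -> bool:
    """Drive one complete round trip (Challenge -> Response -> Success/Failure)
    and return the server's decision."""
    challenge = challenge if challenge is not None else make_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return verify_response(username, identifier, challenge, response)


def replay_is_rejected() -> bool:
    """A response sniffed from one session is useless against a new challenge, which
    is the property that puts CHAP ahead of sending the password in the clear (PAP)."""
    first, second = make_challenge(), make_challenge()
    captured = chap_response(1, CLIENT_SECRETS["alice"], first)
    return not verify_response("alice", 1, second, captured)


if __name__ == "__main__":
    print("alice, correct secret:     ", run_exchange("alice", CLIENT_SECRETS["alice"]))
    print("alice, wrong secret:       ", run_exchange("alice", b"guess"))
    print("replayed response rejected:", replay_is_rejected())
```

The server never receives the password, only a digest bound to a challenge it chose; this is why a captured response cannot simply be resent. It does not, however, protect the digest from offline dictionary attack, which is the weakness the text goes on to describe for MS-CHAP.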
PPTP has been submitted to the IETF for standardization. It is currently available only on networks served by Windows NT, 98, and Linux.
Sniffer programs are available at hacker sites, such as http://L0pht.com, that they claim will sniff PPTP authentication and output the challenge and password hashes. Also available are programs that purport to exploit a flaw in MS-CHAP to get the password hashes without the overhead of cracking the challenge/response.
PPTP is not secure because MD4 has been broken, and the hashing algorithm has been proven not to be one-way. However, when transmitting on an open network PPTP is vastly superior to using nothing at all.
L2TP
L2TP is an IETF standard that combines features from Cisco's Layer-Two Forwarding (L2F) protocol and Microsoft's PPTP. Since L2TP's basis is PPTP, it too is an extension to the PPP. As its name implies, L2TP operates at the data link layer (layer 2). As such, it is used for node-to-node communications. To function across the network from end-to-end, all network devices or nodes must be L2TP-compliant.
IPSec
IPSec, a set of protocols under development by the IETF to support secure exchange of packets at the IP layer, is utilized to implement VPNs on the Internet and intranets. IPSec operates at the network layer (layer 3) and supports two modes, transport mode and tunnel mode.
IPSec Transport Mode
Transport mode encrypts only the data or information portion (payload) of each IP packet; it leaves the header untouched. Transport mode provides end-to-end encryption since the header information is untouched. As a result, no special setup is required for the network devices. Transport mode is usually used for secure communications between hosts. With transport mode, someone sniffing the network will not be able to decipher the encrypted payload. However, since the header information is not encrypted, sniffers will be able to analyze traffic patterns.
IPSec Tunnel Mode
Tunnel mode encrypts the entire packet, both the header and the payload. The receiving device must be IPSec-compliant to be able to decrypt each packet, interpret it, and then reencrypt it before forwarding it on to the appropriate destination. As such, it is a node-to-node encryption protocol. However, tunnel mode safeguards against traffic analysis since someone sniffing the network can only determine the tunnel endpoints and not the true source and destination of the tunneled packets.
The sending and receiving devices exchange public key information using a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley). This protocol enables the receiver to obtain a public key and authenticate the sender using the sender's digital certificates. Tunnel mode is considered more secure than transport mode, since it conceals or encapsulates the IP control information.
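The difference between the two modes is easiest to see from the sniffer's side of the wire. The following is an added model, not code from this book or from any IPSec implementation: a toy IP packet with just source, destination and payload, a counter-mode keystream derived from HMAC-SHA256 standing in for the ESP cipher (real ESP also adds integrity protection and sequence numbers, omitted here), and the gateway addresses are constructed. Transport mode leaves the real endpoints readable; tunnel mode exposes only the two tunnel endpoints.

```python
import hashlib
import hmac
from dataclasses import dataclass

NONCE_LEN = 8  # each packet must carry its own fresh nonce; reuse with the same key is fatal for a stream cipher


@dataclass(frozen=True)
class IPPacket:
    """Toy IP packet: just the fields an observer on the wire cares about."""
    src: str
    dst: str
    payload: bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: an illustrative stand-in for the
    cipher ESP would negotiate, chosen here so the example needs only the stdlib."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _serialize(pkt: IPPacket) -> bytes:
    """Flatten header + payload so the whole packet can become a tunnel-mode payload."""
    return pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload


def _parse(raw: bytes) -> IPPacket:
    src, dst, payload = raw.split(b"|", 2)
    return IPPacket(src.decode(), dst.decode(), payload)


def transport_mode_encrypt(pkt: IPPacket, key: bytes, nonce: bytes) -> IPPacket:
    """Transport mode: only the payload is encrypted; the original header is kept,
    so no intermediate device needs to know about the security association."""
    return IPPacket(pkt.src, pkt.dst, nonce + _xor(pkt.payload, key, nonce))


def transport_mode_decrypt(pkt: IPPacket, key: bytes) -> IPPacket:
    nonce, body = pkt.payload[:NONCE_LEN], pkt.payload[NONCE_LEN:]
    return IPPacket(pkt.src, pkt.dst, _xor(body, key, nonce))


def tunnel_mode_encrypt(pkt: IPPacket, key: bytes, nonce: bytes,
                        gw_src: str, gw_dst: str) -> IPPacket:
    """Tunnel mode: the entire original packet, header included, is encrypted and
    wrapped in a new outer header addressed between the two tunnel endpoints."""
    inner = _serialize(pkt)
    return IPPacket(gw_src, gw_dst, nonce + _xor(inner, key, nonce))


def tunnel_mode_decrypt(pkt: IPPacket, key: bytes) -> IPPacket:
    """The receiving gateway strips the outer header and recovers the inner packet
    before forwarding it on to the real destination."""
    nonce, body = pkt.payload[:NONCE_LEN], pkt.payload[NONCE_LEN:]
    return _parse(_xor(body, key, nonce))


def sniffer_view(pkt: IPPacket) -> tuple:
    """Everything a passive observer learns from the header: the visible endpoints."""
    return (pkt.src, pkt.dst)


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed session key
    original = IPPacket("10.1.1.5", "10.2.2.9", b"GET /payroll HTTP/1.0")
    t = transport_mode_encrypt(original, key, b"\x00" * NONCE_LEN)
    u = tunnel_mode_encrypt(original, key, b"\x01" * NONCE_LEN, "203.0.113.1", "198.51.100.7")
    print("transport mode, sniffer sees:", sniffer_view(t))
    print("tunnel mode, sniffer sees:   ", sniffer_view(u))
```

In the transport case the sniffer still learns that 10.1.1.5 talks to 10.2.2.9, which is the traffic-analysis leak the text warns about; in the tunnel case it learns only that the two gateways exchange traffic.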
SOCKS
SOCKS is an accepted IETF protocol standard that is designed for handling TCP traffic through a proxy server. Currently, there are two implementations of the SOCKS protocol in use, SOCKS version 4 (SOCKS4) and SOCKS version 5 (SOCKS5).
As one would expect, SOCKS5 is the most recent version. The major difference between the two versions is that SOCKS5 provides additional security through authentication. NEC is a major proponent of SOCKS5 and has one of the most widely implemented SOCKS5-based products. SOCKS5 is compatible with most TCP applications. It also provides rudimentary firewall capabilities, because it authenticates incoming and outgoing packets and can provide network address translation (NAT). NAT is a process that hides the IP addresses of systems on the internal network from the external network.
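The authentication that sets SOCKS5 apart from SOCKS4 is negotiated in the first bytes of the connection. The following added example (not code from this book or from NEC's or any other SOCKS product) builds and checks those messages as defined in RFC 1928 (method selection) and RFC 1929 (username/password sub-negotiation); the credential store, salt and user name are constructed for the illustration. A proxy that requires authentication refuses the "no authentication" method outright.

```python
import hashlib
import hmac

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF
USERPASS_VERSION = 0x01


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed credential store: username -> salted SHA-256 of the password.
_SALT = b"constructed-salt"
PROXY_USERS = {"alice": _hash_password("s3cret", _SALT)}


def client_greeting(methods) -> bytes:
    """RFC 1928 client hello: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_select_method(greeting: bytes, require_auth: bool = True) -> bytes:
    """Server reply VER | METHOD. With require_auth the proxy never picks
    'no authentication' and answers 0xFF if the client offers nothing better,
    which tells the client to close the connection."""
    if (len(greeting) < 2 or greeting[0] != SOCKS_VERSION
            or len(greeting) != 2 + greeting[1]):
        return bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE])
    offered = set(greeting[2:])
    if METHOD_USERPASS in offered:
        return bytes([SOCKS_VERSION, METHOD_USERPASS])
    if METHOD_NO_AUTH in offered and not require_auth:
        return bytes([SOCKS_VERSION, METHOD_NO_AUTH])
    return bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE])


def client_userpass(username: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation request: VER(1) | ULEN | UNAME | PLEN | PASSWD."""
    u, p = username.encode(), password.encode()
    return bytes([USERPASS_VERSION, len(u)]) + u + bytes([len(p)]) + p


def server_check_userpass(request: bytes) -> bytes:
    """Server reply VER(1) | STATUS; 0x00 is success, anything else means the
    proxy must drop the connection. Malformed requests are treated as failures."""
    try:
        if request[0] != USERPASS_VERSION:
            raise ValueError
        ulen = request[1]
        uname = request[2:2 + ulen].decode()
        plen = request[2 + ulen]
        passwd = request[3 + ulen:3 + ulen + plen].decode()
        if len(request) != 3 + ulen + plen:
            raise ValueError
    except (IndexError, ValueError, UnicodeDecodeError):
        return bytes([USERPASS_VERSION, 0x01])
    stored = PROXY_USERS.get(uname)
    ok = stored is not None and hmac.compare_digest(stored, _hash_password(passwd, _SALT))
    return bytes([USERPASS_VERSION, 0x00 if ok else 0x01])


def negotiate(methods, username=None, password=None, require_auth=True) -> bool:
    """Run both phases as the client would see them; True if the proxy admits the client."""
    reply = server_select_method(client_greeting(methods), require_auth)
    method = reply[1]
    if method == METHOD_NONE_ACCEPTABLE:
        return False
    if method == METHOD_NO_AUTH:
        return True
    status = server_check_userpass(client_userpass(username or "", password or ""))
    return status[1] == 0x00


if __name__ == "__main__":
    print("client offers no-auth and user/pass:", client_greeting([METHOD_NO_AUTH, METHOD_USERPASS]).hex())
    print("alice, good password admitted:", negotiate([METHOD_NO_AUTH, METHOD_USERPASS], "alice", "s3cret"))
    print("client offering only no-auth:  ", negotiate([METHOD_NO_AUTH], "alice", "s3cret"))
```

Note that RFC 1929 sends the password in the clear inside the TCP stream, so this sub-negotiation identifies the user to the proxy but does not protect the credential from a sniffer between client and proxy.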
Implementation
There are various approaches that one can take when implementing a VPN solution on the Internet. The configuration can be router-to-router, server-to-server, server-to-router, workstation-to-server, or workstation-to-router. One low-cost approach might be to use two Windows NT servers employing PPTP with xDSL, frame relay, or fractional T1. The figure below illustrates this approach employing xDSL with the minimum hardware configuration. Additional routers, firewalls and IDS would be required to protect the individual systems and prevent unauthorized access to the network.
PPTP VPN.
We've actually used the Cisco package discussed in Chapter 10 to connect small branch offices to a central office over xDSL. As an example, a one-person office located several thousand miles away from the central headquarters was connected using Cisco's VPN software. Figure 11.5 illustrates the configuration installed to connect the branch office.
Figure 11.5: Client-to-router VPN.
The client VPN software was installed on a workstation at the branch office. The client VPN software uses 3DES for encrypting the data portion of the IP packet. The VPN client interfaces with the VPN software on the Cisco router. Since only the data portion of the IP packet is encrypted, the VPN is an end-to-end connection, as illustrated in Figure 11.5.
In the actual installation the xDSL modems, which are actually routers, perform IP filtering, as does the Cisco router. The Cisco router performs other firewall functions as well, such as protocol filtering. The router also has an IDS installed and performs NAT to mask the IP addresses of the internal network. In addition, the gateway server on the internal network performs IP and protocol filtering and is running IDS software. Finally, the client workstation runs personal firewall/IDS software.
It is important to recognize that there are vulnerabilities within this configuration. For example, it can be subject to IP spoofing. However, to be successful, spoofing would require knowledge of the internal network addressing scheme, and vigilant monitoring and IDS would detect the initial attempts.
The major rationale for deploying this type of configuration is cost. The cost to deploy an Internet VPN using xDSL is perhaps one-third the cost of using frame relay. When compared to a point-to-point T1 circuit, the savings are even greater. In the above example, the major incremental expense was the Cisco router and software package. We could have just as easily put another router at the branch office. In fact, this would have provided additional security and administrative features. However, we chose not to do so because of cost.
Identification and Authentication
They are listed as follows.
• Something you know;
• Something you have;
• Something you are.
Generally, when we talk about a process of identification and authentication that relies on "something you know" we are talking about a system that employs passwords. Passwords have many drawbacks: While passwords are inexpensive to implement and easy to establish, they are expensive and cumbersome to maintain. Speaking from personal experience, probably 50% of all calls handled by help desks are users who have forgotten one password or another and are locked out of a system. According to Gartner Group, an IT consultant currently located in Stamford, CT, large organizations spend more than $340 per year, per user, on resetting passwords. That represents a significant cost to a large organization. If an organization has tens of thousands of employees, then the cost of password maintenance runs in the millions of dollars each year.
Generally, the something you have that provides the identification and authentication is a token card, smart card, or some kind of electronic badge. While these schemes can provide superior security when compared to the typical password process, the devices can be lost or stolen.
Biometric Identification and Authentication
When we talk about an identification and authentication scheme that relies on "something you are," we mean biometrics. Biometric authentication is the process of using some physical characteristic, trait, aspect of physical being, or behavior to authenticate one's identity. The most commonly known example is the process of employing fingerprints to identify an individual. For years government agencies like the FBI have been using fingerprints to identify individuals and perform background checks.
Biometric authentication usually fits into one of two general categories. The first is physical characteristic recognition (PCR), which relies upon a physical characteristic such as a fingerprint, retina or iris scan, voiceprint, or facial geometry for identification and authentication.
The second category is behavioral characteristic recognition (BCR). BCR relies on behavioral characteristics such as how a person types at a keyboard, writes, or signs his or her name. In general, PCR is much more widely implemented than BCR.
With most biometric authentication there is usually a registration process. This entails the process of registering or enrolling some physical trait such as a fingerprint, voiceprint, or retina scan. During the registration process a template for the trait being registered is created. The template is typically a mathematical representation of the physical trait. The template is then stored in some fashion (usually in a database in an encrypted format) to be retrieved at a later time for comparison to the user's actual physical characteristics to authenticate the would-be user's identity.
Let's say that the biometric system is used to identify and authenticate users of a network. When the user wants access to the network, he or she scans the physical trait again (fingerprint, retina, etc.). Then the same process used to create the template is used to create a mathematical representation of the physical trait, either at the reader or the server. It is then compared to the template that is stored on the server or station. If the two match, then the end user is given access to the network.
This is just an approximation of the process. I'm sure individual vendors' processes will vary according to the system design.
Biometric Identification Reliability
When considering a biometric authentication system, there are two critical characteristics that you should review before deploying any system. They are listed as follows.
• False acceptance rate (FAR);
• False rejection rate (FRR).
The FAR is the rate at which a system incorrectly accepts or recognizes a would-be user as authorized to access the system when in fact he or she is not. In other words, how often does the system let someone in that it should keep out? Most manufacturers of biometric authentication devices list the FAR for their products. If not, you should be able to request it from the manufacturer. Very often the FAR is listed as a percentage.
The FAR for any biometric identification and authentication system should be closely scrutinized. A manufacturer may list a FAR that appears to be very small, but the numbers can be deceiving. For example, a FAR of only 1% means that one time out of 100 a system will incorrectly accept an unauthorized user. That false acceptance rate percentage is much too high. A FAR of 1% means that if a hacker makes 100 attempts he or she will be successful at least one time. Even a FAR of 0.01% is too high to be acceptable. That means that one in 10,000 attempts will be incorrectly accepted. Those odds are much more in favor of a hacker when compared to the odds of the hacker guessing a password eight characters in length.
For example, even if you exclude the 26 letters of the alphabet and all special characters and use only numbers for an eight-digit password, you would still have over 99,999,999 passwords. That means there is less than a 1 in 99,999,999 chance of accessing the system by guessing the password. However, with a biometric identification system with a 0.01% FAR there is a 1 in 10,000 chance of accessing the system by mistake.
Another important characteristic of any biometric identification and authentication system is the FRR, the rate at which a system incorrectly rejects a legitimate user. While it is not as critical as FAR, the FRR is important to the successful deployment of any biometric authentication system. If the FRR of a system is too high, it can cause end-user frustration. The frustration can lead users to circumvent proper authentication procedures to avoid the biometric system. It can ultimately create security holes or lead to the system being scrapped.
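FAR and FRR are both set by the same decision threshold on the matcher's similarity score, so lowering one raises the other. The following is an added illustration, not code from this book or from any biometric vendor: the genuine and impostor scores are a constructed lab run for a hypothetical matcher, and the functions compute the two rates at a given threshold, pick a threshold against a FAR ceiling, and carry the text's comparison against an eight-digit numeric password through in general form (any attempt count, any rate).

```python
from typing import Sequence

# Constructed match scores (0 = no similarity, 1 = identical) from a hypothetical
# fingerprint matcher: live scan compared against the enrolled template of the
# same person (genuine) and against the template of a different person (impostor).
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.86, 0.71, 0.93, 0.84]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.22, 0.58, 0.30, 0.66, 0.18, 0.27, 0.49]


def false_acceptance_rate(threshold: float, impostor: Sequence[float] = IMPOSTOR_SCORES) -> float:
    """FAR: fraction of impostor comparisons the matcher accepts at this threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_rejection_rate(threshold: float, genuine: Sequence[float] = GENUINE_SCORES) -> float:
    """FRR: fraction of genuine comparisons the matcher rejects at this threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def choose_threshold(max_far: float, candidates: Sequence[float]) -> float:
    """Lowest candidate threshold whose FAR stays within the ceiling. Taking the
    lowest qualifying value keeps FRR, and therefore user frustration, as small as
    the FAR target allows."""
    for t in sorted(candidates):
        if false_acceptance_rate(t) <= max_far:
            return t
    raise ValueError("no candidate threshold meets the FAR target")


def attacker_success_probability(per_attempt_rate: float, attempts: int) -> float:
    """Chance that at least one of N independent attempts is wrongly accepted.
    For FAR = 1% and 100 attempts this is about 63%, not the 100% a reader might
    assume from 'one in a hundred'."""
    return 1.0 - (1.0 - per_attempt_rate) ** attempts


def expected_attempts(per_attempt_rate: float) -> float:
    """Mean number of attempts until a false accept. An N-digit numeric password
    guessed at random has a per-attempt rate of 1 / 10**N, which is how the text
    sets a 0.01% FAR (1 in 10,000) against an eight-digit password (1 in 10**8)."""
    return 1.0 / per_attempt_rate


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7, 0.8, 0.9):
        print(f"threshold {t:.1f}: FAR {false_acceptance_rate(t):.0%}  FRR {false_rejection_rate(t):.0%}")
    print("threshold for FAR <= 0%:", choose_threshold(0.0, [0.5, 0.6, 0.7, 0.8, 0.9]))
    print("P(success) at FAR 1% over 100 tries:", round(attacker_success_probability(0.01, 100), 3))
    print("expected attempts, FAR 0.01%:", expected_attempts(0.0001))
    print("expected attempts, 8-digit PIN:", expected_attempts(10 ** -8))
```

With a handful of samples the rates move in coarse steps; a vendor's published FAR comes from a far larger test set, and the attempt limit or lockout policy around the reader matters as much as the rate itself, since the success probability grows with every attempt allowed.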
When evaluating any biometric authentication scheme you need to take into account how it will handle the natural changes people experience. This is particularly true for PCR biometric systems. For example, suppose your system employs face recognition and you have a person who had a beard but decides to shave it. Will he then be locked out of the system? As people age, their physical characteristics can change. Whatever system is employed needs to be able to update a template with the subtle changes that naturally occur every time it authenticates the would-be user.
To be truly effective, any biometric system must also be sophisticated enough to detect fraud. In other words, it has to be very hard to fool. As a result, the underlying technology used for any system has to be multitiered. For example, a system employing only optical imaging for fingerprints, face recognition, or hand geometry may not be able to detect lifted or faked characteristics if the owner is deceased. The more sophisticated systems look at several elements of a physical characteristic. For example, a hand reader may not only compare the hand geometry but will also check temperature and even check for blood pressure. This multitiered approach makes it much more difficult to fool a system with something like a plaster cast of a hand.
Backup Authentication
An effective biometric system needs to be able to handle temporary physiological changes. If you are employing fingerprints for authentication, what happens if an end user badly burns his or her fingers? What happens if someone breaks his or her hand, and your system is based on hand geometry? Someone with a cast on his or her hand will be unable to gain access through the hand reader.
You need to consider the backup methods to authenticate users in the event the biometrics fail. You also need to consider how easy it is to activate the backup authentication method. You could find yourself locked out without an alternate authentication method. If you have a backup method, such as a password, what's to stop someone from using it all the time, or what's to stop someone from compromising the backup process and circumventing the biometric system altogether? A biometric system that can be circumvented is worthless. What's the point of going through the time, trouble, and expense of installing a biometric identification and authentication scheme to protect your network only to have someone with a password break in and compromise the network?
Environmental Conditions
Another element that must be considered before implementing a biometric authentication system is the environment in which it will operate. Water, noise, moisture, and dirt can adversely impact the operation of some biometric authentication systems. A factory floor where workers get their hands dirty with grease or where the conditions are very wet would not be the best environment to install a fingerprint reader or hand reader. A fingerprint reader or hand scanner would be equally ineffectual in an environment where workers wear gloves.
Similarly, a retina scanner or face geometry reader would not be advised in an environment in which individuals must wear protective eyewear or masks. In addition, voiceprint readers would not work well in noisy environments. These types of issues have to be considered before deploying biometric systems.
User Acceptance
To achieve a successful deployment of a biometric authentication system, it is important to gauge user acceptance of the technology being used. Users may be uncomfortable with retina scanners and find recording of fingerprints an invasion of privacy. Consider how invasive the technology will be and whether users will accept it before implementing it. As one would expect, the more invasive the technology being deployed the more uncomfortable the end users become. While retina-scanning technology may be more reliable than fingerprint readers, end users are almost always more comfortable with the fingerprint readers.
Another issue that needs to be considered before deploying a system is general hygiene. This is more of an issue with biometric devices that are used to authenticate employees at a central location, such as a main entrance to a restricted facility. It may sound funny, but what better way to pass germs to all your employees than to have each and every one of them touch a hand scanner? All it would take is for one employee to get a cold to have it spread to everyone.
Would you want to touch a hand scanner or fingerprint reader knowing that the person who used it before you has a bad cold?
Of course, the same hazard is associated with other, more mundane objects, such as doorknobs and elevator buttons. However, it is inevitable that users' suspicions of a biometric system will be greater when first introduced.
Security of the Biometric System
Another critical factor with biometric identification and authentication systems is how they handle communication and storage. You have to look at how a particular system is implemented. For example, if it is deployed on a LAN, does the biometric identification system communicate with a server for authentication? If it does, then security in the communications between the reader and the host server is very important because biometric systems can be susceptible to replay attacks. Can the communication be tapped? Is the communication encrypted? Even if it is encrypted, what's to stop someone from using a replay attack?
For example, Alice identifies herself to the network using a fingerprint reader on her keyboard. The mathematical representation of her fingerprint is sent to the server for identification and authentication. However, Bob has placed a sniffer on the network and has captured the mathematical representation of the fingerprint in transit to the server. Now Bob has that information and can transmit it to the server at any time and gain access to the network as Alice. Even if the transmission were encrypted Bob would still be able to capture and copy it to be transmitted at a later time. Of course, there are many ways that a vendor can avoid this problem. One method would be to use some timestamp in an encryption algorithm. Another method would be to store the template on the local system. However, that would only work for end users with workstations with local storage. In addition, storing the template on a local hard drive would introduce other security issues.
If the templates are stored on a server you also need to consider how they are stored and the security employed to prevent them from being compromised. These are the types of issues that an administrator needs to take into account before deploying any biometric identification and authentication system.
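The timestamp defence mentioned above, carried through as an added example (not code from this book or from any biometric vendor). The reader sends a digest of the freshly computed template together with a timestamp and a random nonce, all bound by an HMAC under a key shared between reader and server; the server rejects anything outside its freshness window, anything whose nonce it has already seen, and anything whose MAC does not verify, before it compares the template at all. The key, the enrolled template bytes and the exact-match comparison (standing in for a vendor's fuzzy matcher) are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict

FRESHNESS_WINDOW = 30  # seconds; bounds how long a captured message could ever be useful


def enroll(template: bytes) -> str:
    """Constructed enrollment: store a digest of the template rather than the raw trait."""
    return hashlib.sha256(template).hexdigest()


def _mac(key: bytes, user: str, template_digest: str, ts: int, nonce: str) -> str:
    """Bind identity, template, time and nonce together so none can be swapped out."""
    msg = f"{user}|{template_digest}|{ts}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def client_message(key: bytes, user: str, template: bytes, now: int) -> Dict[str, str]:
    """Reader side: the message Alice's keyboard reader would send. Bob can still
    sniff it, but a copy is only valid for one use and only inside the window."""
    template_digest = enroll(template)
    nonce = os.urandom(16).hex()
    return {
        "user": user,
        "template": template_digest,
        "ts": str(now),
        "nonce": nonce,
        "mac": _mac(key, user, template_digest, now, nonce),
    }


class AuthServer:
    """Server side: checks freshness, uniqueness and authenticity of each message
    before it looks at the biometric match itself."""

    def __init__(self, key: bytes, enrolled: Dict[str, str], window: int = FRESHNESS_WINDOW):
        self.key = key
        self.enrolled = enrolled          # user -> digest of the enrolled template
        self.window = window
        self.seen: Dict[str, int] = {}    # nonce -> timestamp, pruned once it can no longer be replayed

    def authenticate(self, msg: Dict[str, str], now: int) -> str:
        try:
            ts = int(msg["ts"])
            user, template, nonce, mac = msg["user"], msg["template"], msg["nonce"], msg["mac"]
        except (KeyError, ValueError):
            return "malformed"
        # Forget nonces that are already outside the window; they would fail the
        # freshness check anyway, so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if t >= now - self.window}
        if abs(now - ts) > self.window:
            return "stale"
        if nonce in self.seen:
            return "replay"
        if not hmac.compare_digest(_mac(self.key, user, template, ts, nonce), mac):
            return "bad_mac"
        self.seen[nonce] = ts
        if self.enrolled.get(user) != template:
            return "no_match"
        return "ok"


if __name__ == "__main__":
    key = b"shared-reader-server-key"       # constructed
    finger = b"constructed minutiae bytes"  # constructed template
    server = AuthServer(key, {"alice": enroll(finger)})
    msg = client_message(key, "alice", finger, now=1000)
    print("first use:      ", server.authenticate(msg, now=1005))
    print("replayed by Bob:", server.authenticate(msg, now=1006))
```

The transport protection here says nothing about how securely the template store itself is kept; that is the separate storage question the text raises next.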
Interoperability
Another issue that is much more difficult to resolve and I believe will be around for a while is the fact that there is no interoperability between biometric systems. Every single product on the market is proprietary. It is also difficult to find a product that has operating system interoperability. As a result, if you work for a large organization, you will be hard pressed to find a system that can be deployed across the entire enterprise.
8. Network Security Policy, Auditing and Monitoring Systems.
Policies and Procedures
For most organizations, network and system security policies and procedures serve the purpose of ensuring information security. They achieve this by defining what constitutes information security, why it is important, and how to maintain it. In addition, the policies and procedures define the acceptable levels of information security. Before you can do so, however, you must first put in place a process that enables you to determine what is an adequate level of security for any given organization.
The elements of information security include confidentiality, integrity, availability, authentication, and access control. All five elements need to be addressed by whatever policies and procedures are implemented to address information security. In general terms, security policies are the set of rules and procedures that regulate how an organization manages, uses, protects, and distributes all information that directly or indirectly pertains to that organization.
Policies Versus Procedures
Policies should always be developed before procedures. The development of procedures should flow from the policies. Policies should be concerned with what assets to protect and why they need to be protected. They are generally broad in their scope and are designed to set the tone and direction. In general, they can be thought of as the documents that spell out the what and why of information security for an organization. Procedures, on the other hand, must be much more precise and detailed. Procedures should be concerned with the specific measures necessary to protect the organization's assets. They can be thought of as the documents that spell out the who, when, and how of information security within an organization.
Information Security Policy Objectives
There are various reasons for an organization to develop network and system security policies and procedures. Some are obvious, while others are not so obvious. Some reasons concern the direct benefit that an organization gains from having policies and procedures, such as preventing or detecting fraud or deterring hackers. Other benefits are indirect in that the policies protect the organization from potential liability or save it from possible embarrassment. Below I have listed some of the objectives generally associated with network security policies.
• Managing risk: The primary goal of any policy concerning network and system security is to manage risk. It is almost impossible to completely secure an organization's information assets. As a result, an organization needs to identify the risks that it faces and develop measures to minimize the impact of those risks.
• Ensuring business continuity: The ongoing operation of the organization should be a fundamental goal of the policies developed by any organization. It is interesting to note how many organizations' policies tend to spell out what cannot be done in great detail but do a very poor job of addressing what must be done to ensure the operation of the organization. Organizational policies and procedures should ensure business resumption by outlining the appropriate actions necessary in response to an incident or disaster.
• Defining responsibilities, expectations, and acceptable behaviors: For any policy or procedure to be effective, those individuals subject to the policy or procedure must understand what is required of them to comply. Compliance with a policy cannot be achieved without reaching an understanding of what constitutes compliance. In addition, employees need to understand their responsibilities and how their responsibilities may vary depending on the circumstances.
• Discharging fiduciary duty and complying with any regulatory requirements: Most organizations are subject to rules or regulations governing the responsibility of the corporate officers and regulating the operation of the organization. If a company is publicly traded, the corporate officers have a fiduciary duty to ensure the financial soundness of the organization. If they fail in that duty they can be held personally liable for the losses incurred. Most every organization is required to adhere to certain standards when it comes to accounting records and bookkeeping. Many organizations are also subject to federal, state, or local regulations that require certain measures be taken to protect the assets of the organization. Many organizations are subject to rules and regulations regarding the protection and disclosure of information pertaining to employees and customers. This is certainly true in the financial and health sectors. For many organizations, the absence of proper policies and procedures is considered automatic noncompliance.
• Protecting the organization from liability: The policies and procedures developed by an organization are often required to protect it from liability. In some cases, the existence of the policies and procedures is essential to demonstrate that an organization did not approve of an end user's actions or that an employee was or was not acting with the authorization of the organization.
• Ensuring information integrity and confidentiality: A key component of information security is protecting an organization's information assets. Ensuring the integrity and confidentiality of an organization's information is fundamental to that goal. Without information integrity, an organization cannot make sound business decisions. Without information confidentiality, an organization will lose its competitive edge through the loss of proprietary information regarding products, customers, and even partners and suppliers.
Developing Security Policies
For an organization's information security policies and procedures to achieve the stated objectives, it is essential that certain elements be included in the policies and procedures. These elements can be thought of as key measures for the success of an organization's policy and procedures. The elements are the stepping stones in the development process. They are listed as follows:
• Identifying the organization's assets;
• Defining the risks;
• Defining how information assets are to be managed;
• Defining how information assets are to be accessed and what process will be used for authentication;
• Defining clearly and in detail what does and does not constitute appropriate use of company-owned electronic media and services;
• Clearly defining what kind of information may be accessed and distributed and by what means;
• Defining what controls are to be put in place;
• Notifying users of monitoring and auditing procedures, information disclosure, and consequences for noncompliance;
• Identifying those responsible for security enforcement and how policies and procedures will be enforced;
• Developing steps to be taken in the event of noncompliance with policy, a security breach, or a disaster.
The first step is to determine responsibility for information security policy development. Too often, the IT unit is given sole responsibility for this task. However, if the policies and procedures are to be comprehensive, it will require the active participation of all business units. Development of information security policies must be a collaborative effort between the IT unit and the other business units within an organization. Any policy or procedure implemented without the active participation and "buy-in" of other business units faces an uphill battle.
organization at risk.
Consider the following example: A student in one of my classes recounted a story indicative of the value that most companies place on information security. The student worked for a large software company that marketed a well-known database. During a cyclical downturn in business, the company went through a round of what was euphemistically called "rightsizing." While most business units experienced moderate cuts in personnel, the information security and the business resumption planning groups were devastated. Essentially, both units were dissolved, and all personnel were laid off. Obviously, the company did not see information security and business resumption as a critical business activity.
As another example, at a company where I once worked, I submitted to senior management a recommendation that the company develop a policy to address "pretext calling." Pretext calling is a widespread practice used by information brokers to gain information on individuals from unsuspecting companies. Generally, an information broker poses as someone or some entity that is related to or associated with the individual with whom the targeted company does business. The targeted company could be a hospital, a financial institution, an insurance company, or even a school or government agency. The information broker usually gets a little bit of information from each contact. The information gathered is cumulative. With each contact the information broker gets more information, which in turn can be used to gain even more. Many companies are being hit by pretext calling. Even though the information broker lies and misrepresents himself or herself to the targeted company, this practice is not illegal. Companies are unwittingly giving out information on their employees, customers, and clients. It is not only bad for the customer, but it is bad for business. In addition, a company could find itself liable for how that information is used. It certainly would not instill customer confidence to know that a company was giving out customer information to anyone who calls. For that reason, I recommended that a policy and procedure be developed to address pretext calling.
Specifically, my recommendation was that the company should develop a general information privacy policy. Part of the implementation of that policy would include a training program to educate our staff on how to identify pretext calls. I argued that it would provide our company with a competitive advantage in that we could state to our customers that their information was safer with us than with our competitors. In addition, it would protect the company from possible liability. Finally, it would provide the company with a response to customers who contacted us with requests for information on how we handled this type of occurrence. Senior management thought it was a good idea but not a high priority, and that is where it ended. No one wanted to invest the time to develop the policy. Without the active support of senior management, it would have been impossible to develop a policy and attempt to impose it on the other business units.
1. Identifying and prioritizing assets;
2. Identifying vulnerabilities;
3. Identifying threats and their probabilities;
4. Identifying countermeasures;
5. Developing a cost-benefit analysis;
6. Developing security policies.
The first step is to identify and prioritize assets and systems and then identify the vulnerabilities associated with those assets. When assessing vulnerabilities and the risks associated with them, it is important to weed out the possible threats from the probable ones.
The process should be one of determining what threats are most likely and developing policies that address those threats and issues. It is very important that the policies and procedures implemented within any organization be real-world based. In other words, the policies and procedures should exist for the purpose of enhancing a preexisting process or function. As such, they should take into account the constraints of the real world and not try to achieve the apex of security.
For example, it would be overkill to require all e-mail to be encrypted. You should not require passwords to be changed every week or require them to be 15 alphanumeric characters in length. While it might be very secure, it would not be logical to implement a hand scanner for biometric identification in an environment, such as a "clean room," where technicians wear special suits, including gloves.
As a rule, security policies and procedures that interfere with the operation of an organization are of little value. Those types of measures are usually ignored or circumvented by company personnel, so they tend to create security holes rather than plug them. If you make a process too arduous or annoying, people will ignore it. If you make the process of gaining access to a room too difficult, people will prop open the door. If you make passwords too hard to remember, people will write them down. All security measures (not just security policies), whenever possible, should complement the operational and business needs of an organization.
The steps involved in information security policy implementation are fairly straightforward:
1. Developing a written security policies and procedures manual;
2. Developing an end user awareness and education program;
3. Developing a process for policy enforcement and procedure implementation;
4. Developing a process for the periodic review and updating of policies and procedures.
Policy and Procedure Manuals
For a security policy to be practical, it must be documented. The plan must also be made available as a reference to all those subject to the policy. The policy and procedure manuals need to be kept current and updated with any necessary changes. Modifications to systems, personnel, business priorities, and other environmental factors must be reflected in the plan. That means regular and frequent reviews of the policy.
Policy Format
There are many different ways in which one can format the policies. The type of format is relatively unimportant as long as the policy is understandable and achieves the desired results. The most important thing is that policies are formalized and documented in some way. A policy should include, at a minimum, the following elements.
• Policy statement: This section should state the general policy, what the policy says, and what it entails. This section can be as short as a single sentence or as long as a page. If it goes beyond a page, perhaps you are attempting to cover in a single policy issues that should be covered by more than one policy.
• Purpose: This section should state why the policy is needed. Examples of the purpose for a policy could include something to the effect that the policy is to protect the company or employees, ensure the continued operation of the organization, or protect the financial health of the company.
• Scope: This section should cover how far the policy extends. The scope should spell out the circumstances under which the policy applies. It can also include the time frame, specific hardware or software, and/or events under which the policy is effective.
• Compliance with policy: This section should include a detailed explanation of what does and does not constitute compliance with the policy. The section can include examples, but be careful to word it in such a way that it allows you to include instances that may not be listed in your examples. The section should include wording to the effect "examples include, but are not limited to …." Being too specific in detail may make the definition too narrow.
• Penalties/consequences: This section should explain the consequences for noncompliance with the policy. Specific punishments associated with noncompliance should be listed. If the consequences for noncompliance can include termination, then it should be clearly spelled out in this section of the policy. This section serves as a warning to employees and can protect an organization in the event that it finds itself in court as a result of terminating an employee for non-compliance with a policy. The fact that the organization had clearly warned all employees of the consequences can diminish any argument that an employee may have for termination without cause.
Policy Awareness and Education
A policy is of no value if no one knows what it states. End users and personnel must understand management's expectations and their responsibilities in regard to complying with an organization's policies. End users and employees must also understand the consequences for noncompliance. This aspect is very important for protecting the organization if litigation results from noncompliance.
The existence of a policy may be required to take punitive action against end users or employees who have acted in an unacceptable manner. Organizations that don't have a policy clearly defining unacceptable behavior may have no recourse.
Having a policy in place that prohibits certain types of behavior can also save an organization from liability for the actions of its end users or employees. The absence of a formal policy and an awareness process may make it difficult to hold an employee accountable in the event some inappropriate behavior on the part of the employee is discovered. With a written policy, an organization can demonstrate that any derogatory actions taken by an end user or employee were not in compliance with accepted behavior and were therefore not condoned by the organization.
Organizations should consider obtaining written acknowledgment from end users and employees stating that they have read and understand the organization's information security policy. This could be done as part of the general orientation for newly hired personnel or as part of the registration of new end users.
Policy Enforcement
Compliance with policies needs to be enforced. The only way to ensure compliance is through monitoring and auditing. Those responsible for enforcing the IT security policies must have the support of senior management. If an organization's IT security policy is to be successful, it also needs the support of all business units within the organization.
Security Policy Suggestions
Remember that the major emphasis of all policies and procedures is to prevent "bad things" from happening. It doesn't matter whether the bad thing is a mistake, disaster, or misdeed. Well-designed policies and procedures are flexible enough to address most "probable" threats. That is why risk analysis is such an important part of the process.
Policies and procedures should also assume that the preventative measures will occasionally fail. As a result, they should include steps to detect "bad things." It is particularly important that the procedures spell out in detail what steps are to be taken in the event that all other measures have failed to prevent some "bad thing" from occurring. In other words, it should detail how the organization responds to an incident.
• Identification;
• Authentication;
• Access control (authorization);
• Availability;
• Confidentiality (secrecy);
• Integrity (accuracy);
• Accountability.
At the same time, you need to incorporate all of the various elements of security into all aspects of the operation of an organization and to address all probabilities. This includes procedures to address physical security and natural disasters as well as hardware and software security. You also need to address media controls and communication security. Most importantly, you need to address the human variable in your procedures in an effort to minimize temptation and stupidity and ensure compliance.
The framework required to adequately address the needs of a particular organization will largely depend on the type of organization. Large corporations require extensive policies that cover all the possibilities, while most small organizations, which may use technology to a more limited extent, or at least have less of it, will require a much less extensive set of policies.
Do not use a pound when an ounce will do the job. Overly complicated or detailed policies tend to create problems and are often ignored. Policies should be simple to understand and remember. The level of detail for each organization will vary, but the following sections provide some basic suggestions.
Use of Company-Owned Electronic Media and Services
With the advent of new technologies, organizations are finding themselves relying increasingly on electronic modes of communication and information storage. Most employees in an organization have access to one or more forms of electronic media or service. They include but are not confined to the following:
• Computers (PCs, workstations, minicomputers, and mainframes);
• E-mail;
• Telephones and voice mail;
• Fax machines;
• LANs, intranets, and the Web.
Every organization that uses electronic media and services should have a policy that clearly defines the acceptable use of these media and services as company property. The policies should not only exist to protect the organization but also to protect the employees of the organization. The policy should specify the acceptable personal use of company-owned IT facilities and services. The policy should also cover when it is necessary to obtain management's permission and the process to do so. This policy should cover all technologies that could be exploited to receive and distribute information. Company systems and networks should not be used to generate or distribute material that is illegal or immoral or that contravenes the principles of the corporation. Such a policy ensures that appropriate measures are enacted to protect company assets and to educate employees of their responsibilities.
Often, an organization feels that developing a policy on the use of e-mail is all that is required. If the policy is to be truly effective, it must encompass more than just e-mail. When it comes to developing such a policy, organizations can run the entire gamut from very liberal in their approach and loosely defined to very narrow definitions of what is acceptable use of company property with severe limitations on personal use. Each organization is different, and the approach and philosophy that are brought to the task of developing a policy will vary greatly from company to company.
What Does the Policy Cover?
It is very important that employees or end users understand what technologies or kinds of technologies the policy covers. Accordingly, organizations need to explain what the company's electronic media and services are and what they entail. It is to their benefit and the benefit of their employees that they understand that the policy covers more than just e-mail.
Whose Property Is It?
A policy should state in clear terms that the electronic media and services are company property, not the employee's personal property. For example, employees very often become possessive about their PCs. They feel as if the PCs are their personal property and that no one has the right to access their PCs without first obtaining their (the employees') permission. It should be made clear that at any time, authorized personnel may review files on company-owned PCs, e-mail, or voice mail. This is not spying. Companies are, at times, obligated to perform such reviews to determine, among other things, whether there has been a breach of security, violation of company policy, or misuse of any company-owned media or services. Employees should be told that the company reserves the right to perform these reviews without prior notification of the employees. Make it clear to the employees that if they don't want the company to see something, they should not store it on company-owned property.
What Is Acceptable Use?
An organization has to determine for itself whether it will allow electronic media and services to be used for non-company-related purposes. The most reasonable approach is to allow limited, occasional use for personal, nonbusiness purposes (as is the case with personal phone calls). It is also important that policies be consistent with one another. It does not make sense for a policy to forbid the use of company e-mail for personal reasons while completely ignoring personal phone calls, voicemail, and faxes. Whatever an organization decides, the decision needs to be relayed to the employees in clear terms that spell out what the consequences are for violating the policy.
An organization should also protect itself by stating in writing that it is prohibited to use any of the company's electronic services for any purposes that violate state or federal laws. This includes requiring compliance with all copyright laws. If the company develops software, then the policy should also cover patents, trademarks, and intellectual property.
In addition, a policy should prohibit the use of company-owned electronic services to transmit, receive, or store information or data of a harassing or discriminatory nature or that is derogatory to any group or individual. The policy should also prohibit any employee from using the company's electronic services to transmit, receive, or store information or data that is obscene or pornographic or that is defamatory or threatening in nature. This not only protects the organization; it protects the employees as well.
Hacking
The policy should also prohibit attempts by employees or end users to "hack" other systems. It should be made clear that attempts to hack or access information without authorization will not be tolerated by an organization, and there should be severe consequences for doing so. This policy should not only apply to attempts at hacking company-owned systems; it should also apply to the hacking of outside systems using company-owned or -leased systems or services. In addition, the policy should define the employees' responsibility to ensure that their logins and passwords remain confidential and the steps that they are required to take if they suspect that their passwords have been compromised. It should be made clear that these steps are not optional or suggested but are a required part of their job function and that failure to comply with the policy can result in adverse consequences.
Unauthorized Software
Many organizations employ a cookie-cutter approach to deploying desktop systems. Everyone gets the same image of a specific suite of authorized software. While this can be aggravating to the end users, it is a sound management practice. At the very least, this approach reduces the costs associated with the installation of desktop systems. This is particularly true when employing a package such as Microsoft's Systems Management Server (SMS), which essentially pushes an image onto the desktop from the server. This approach can also reduce an organization's support costs by reducing the number of applications that the help desk supports.
In general, it is a good security practice to have a policy that prohibits end users from installing software on their desktop systems without authorization from the IT group. This can prevent malicious programs from being introduced to the network. When it comes to installing software on servers, there should not only be a policy in place that bars such activity, but the access control mechanisms should be in place to prevent such activity.
In many environments, it may be prudent to implement measures that prevent end users from installing software on their systems or in any way altering their desktop configuration. For example, Windows NT desktop systems can be installed with the local configuration capability disabled. Some programs designed to secure the desktop, such as Full Armor, Fortres 101, and Fool Proof, can be installed with Windows 3.x, 95, and 98. These systems provide some level of protection, but they can be circumvented and, in some cases, may actually pose risks.
E-Mail
Employees should be made aware of the fact that e-mail is not a secure medium. There is no guarantee that e-mail will remain private. They should also be made aware of the fact that e-mail transmitted on the Internet is particularly vulnerable to interception and disclosure. As such, information of an extremely sensitive or confidential nature should not be transmitted on the Internet unless the message is encrypted.
Every organization should reserve the right to review and disclose any employee's e-mail received or transmitted on or from company-owned electronic media or services. It should be made clear to every employee that this review and disclosure can be done without obtaining the employee's prior consent. This is not "big brother," it is common sense. A company has the right to protect itself. There have been a number of cases in the news media where the improper activities of an employee have landed an employer in court. The improper activities were later found to be detailed in the company e-mail. As a result, the company could be found liable for the employee's activities.
The results of a Computerworld survey regarding e-mail monitoring published in the magazine's October 1999 issue stated that 31% of the survey respondents had installed software that allowed for the active monitoring of e-mail and that another 21% were planning on installing software with that capability. Products such as Mailwall from Omniquad, MIMEsweeper from Content Technologies, and WMA Messaging Manager from Re-Soft provide administrators with the ability to scan end users' e-mail for key words. These programs can scan both the e-mail subject and body for questionable, obscene, abusive, or illicit content.
Identification
Any policy covering the acceptable use of company-owned electronic media and services should also deal with the issues of identity authentication and impersonation. Employees should be cautioned about relying on the stated identity of the sender of e-mail or any other type of transmission. E-mail messages in particular can easily be forged. Any policy should also prohibit employees from any attempt to hide their identity or to falsely represent themselves or attempt to represent themselves as someone else, when transmitting, receiving, or storing e-mail or other electronic communications.
Information Privacy
It is important that active steps be taken by all employees to ensure that information privacy is maintained. Corporate information pertaining to customers, employees, and company projects and products should be reviewed to determine their level of sensitivity. This is important from both a business and regulatory perspective. Disclosure of sensitive information can help competitors and scare away customers. In addition, a corporation may also be subject to regulatory requirements governing the disclosure of information. Web sites catering to children are subject to the Children's Online Privacy Protection Act, which is enforced by the Federal Trade Commission (FTC). Japan and most of the European nations have much stricter regulations than the United States governing the disclosure and sharing of personnel information by companies. As a result, a general policy is recommended. The policy should outline the requirements governing the actions of the organization for information privacy.
Finally, the policy of organizations that have employees who frequently present at conferences or who are offered speaking engagements should cover what can and cannot be disclosed by the employee in his or her presentation. The policy can go so far as to include some type of review process by the management of the material being presented. This is to ensure that no sensitive proprietary or customer information is inadvertently disclosed.
Information and Data Management
Depending on the environment in which you operate, you may want to consider classifying and prioritizing information by its level of importance or sensitivity. Correspondingly, the nature of the data will dictate the measures necessary to protect it. Determination of access levels should also be dictated by the sensitivity of the information or data.
Any policy should also define where information should reside and how it is to be moved, transported, or transmitted. The level of importance and sensitivity should be taken into account when these definitions are developed. For example, an organization may want to forbid information of critical importance from being copied to removable media such as floppies or tapes.
Information and data are valuable corporate assets and must be protected. Data can be defined as raw information, or information can be defined as meaningful data that has been organized in a coherent manner that allows for the reliable retrieval of data elements. One of the key components for the protection of information is to assign ownership. A policy on ownership should outline the responsibilities of the information guardian and the relationship with the custodian of the data.
Policies are also necessary to address the proactive management of information and data. Policies must address the availability of the data and ensure that the appropriate controls are in place and utilized. Development of these policies should entail the analysis of the risks and the establishment of appropriate classification and authorization standards for the data.
Information and data integrity is not just concerned with protecting information content. Integrity must also address the accuracy of the data elements. A policy concerning data integrity should identify the requirements for secure data storage and mechanisms for the backup of data, and the requirements for the procedures to preserve and test the accuracy of the data. In the appropriate environment, data integrity also includes data entry standards to ensure that information is entered in a consistent and uniform format.
To ensure data integrity, a policy should be enacted governing proper procedures to protect against the potential threat from computer viruses. The policy should cover requirements for virus scans and copying files from outside sources to company-owned systems.
Information and data management policies should also state that all files that reside on company-owned devices or media, such as PCs, removable disks, and tapes, are the property of the company. As such, the policy should prohibit employees from removing company information from the premises without authorization. This policy, while difficult to enforce, may be a useful legality to have in place. In addition, as a precaution, a company should reserve the right to examine, access, use, and disclose any or all information or data, transmitted, received, or stored on any electronic media, device, or service owned or paid for by the company.
Systems Administration
One of the biggest challenges in devising proper security procedures is determining how to deal with the control and monitoring of the administrators of the organization's various systems. For example, many organizations operate in an environment where an individual or individuals have access to or responsibility for all aspects of system administration. The organization may have a small IT unit where using delineation of responsibility and segregation of duties as a control procedure is not practical. How do you segregate duties when there is only one person in the department?
However, whenever possible, segregation of duties should be implemented. The individual or individuals responsible for the day-to-day administration should not also be the individual or individuals responsible for creating new accounts. In addition, the individual or individuals who create new accounts should not be responsible for determining the level of access given to those accounts. All new accounts should be reviewed by an individual not responsible for creating accounts. If possible, a distinction should be made between system administration and security administration. System administration functions should be audited at least annually.
All system changes and daily jobs performed by administrators and operators should be recorded in a log or schedule and should be reviewed daily. All system backups should be recorded and logged and the logs reviewed and retained. Backups should also be tested periodically, at least weekly. All security access changes should be documented, reviewed, and filed. A policy will also stipulate the records retention schedule and destruction of logs, schedules, and other documentation.
In addition, systems should be classified according to their confidentiality and criticality to the operation of the organization to determine appropriate security measures. System classification is also required for disaster recovery planning.
System auditing and validation should be addressed in some manner through policies. They can either be incorporated into existing policies or be in a separate policy. Chapter 15 discusses auditing in more detail.
Remote Network Access
Many organizations have requirements for remote network access. Sales staff, field engineers, and even delivery personnel and drivers often require access to an organization's network. In addition, with the growth in telecommuting, many employees are now working from home, rather than coming into the office. As a result, more employees require access to the company's systems from outside the corporate network. Any remote access to the corporate network should be tightly controlled and subject to stringent security measures. A policy for remote access should address issues associated with authentication and access control. At a minimum, the policy should require any connection to utilize some kind of secure ID procedure. Refer to the discussion in Chapter 7 regarding modems for more detail.
Another consideration is third-party access to the corporate network. Many organizations have vendors, partners, customers, or joint ventures that require access to the corporate network. Policies need to be developed to ensure that proper controls are implemented, maintained, and monitored for all third-party access to an organization's network.
Reporting Noncompliance
Frequently, organizations educate employees and end users on their responsibility to report noncompliance but never put in place a mechanism to provide that capability. There are times when an employee may not feel comfortable reporting an incident of noncompliance. If the noncompliance involves a supervisor, systems administrator, or real criminal activity, the individual may be apprehensive to report the occurrence for fear of reprisal. In this type of circumstance you need to be able to provide a way to report issues of noncompliance anonymously. Consider setting up a hotline for reporting such matters. To ensure the caller's anonymity, consider using an outside service or third party for this function.
Auditing, Monitoring, and Intrusion Detection
What Is an Audit?
Traditionally, an audit is an independent review of a given subject. Its purpose is to report on conformance to required standards. One of the functions that an EDP audit serves is to verify compliance to company policies and to ensure that required security procedures and practices are being followed. In addition, an EDP audit usually entails the process of monitoring and analyzing systems, networks, and end-user activity.
In addition to reviewing compliance to policies and procedures, an audit is concerned with risk assessment. An EDP audit assesses the risks to and associated with systems and networks to determine if the existing controls are adequate to protect the organization's assets. Some of the areas that a security audit would review include the following.
• Ensuring that desk manuals and procedures are up to date;
• Ensuring proper segregation of duties with proper reviews of work;
• Ensuring that adequate physical controls are in place;
• Ensuring that user authentication controls are adequate;
• Ensuring that audit trails are maintained;
• Ensuring that disaster recovery/business resumption plans are in place and tested regularly;
• Ensuring proper controls for application development and implementation;
• Ensuring that data integrity is monitored and maintained;
• Ensuring that general policies and procedures are followed.
An audit can be an opportunity to validate an organization's security policies and can provide IT with a chance to have an outside party test the security measures that have been implemented. It is not uncommon to employ a "tiger team" or "white hat hackers," as they are sometimes called, to test security measures. These are network security experts who test system and network defenses by attempting to "hack" into them. This hacking is done with the knowledge and consent of the organization that owns the network or systems that they are attempting to penetrate. Such individuals are usually hired consultants, but some organizations employ internal staff for tiger teams.
If an organization does business through a partner or a third party, then the organization's IT unit may need to audit that partner's or third party's security measures. This is particularly true if an organization uses a portal or ASP vendor to provide Internet-enabled or branded Internet services to customers. It would be extremely risky for an organization to enter into an agreement with an ASP without first certifying all aspects of the ASP's computer operation, including security. When using an ASP service, a company can find itself the indirect victim of a denial-of-service attack directed at another subscriber of the service.
As mentioned above, there are many areas reviewed during an audit. Consequently, for large installations, it may be necessary to categorize the functions and audit the functions separately. For example, the functions can be categorized under the following headings:
• Operational audits;
• System audits;
• Activity and usage audits.
Operational security audits seek to ensure that proper controls have been established to identify deviations from established standards and policies. This type of audit is designed to mitigate vulnerabilities introduced by poor management.
There are several objectives for system security auditing. The first is to validate the system configuration. System security audits also seek to analyze the system configuration to mitigate vulnerabilities introduced by the faulty implementation of a system, network, or application.
The types of things a system audit reviews or looks for include, among other things:
• Accounts without passwords: It happens more often than you would think.
• Adherence to and enforcement of password policies: How easy is it to crack the passwords?
• Shared accounts: Are there accounts to which more than one person has the password?
• Dormant accounts: These accounts are often used by hackers and should be deleted.
• Files with no owner: These files are open to abuse, because anyone can take possession of them.
• Files with inappropriate access rights: These files are also open to abuse. It is very important that critical system files have the proper access rights.
• Separation of duties: Is there a process of checks and balances in place with proper reviews, or do one or two individuals have all the controls?
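Several of the configuration checks in that list can be scripted. The following is an added example, not taken from the text above or from any product it names, that runs the empty-password, dormant-account, unowned-file and permission checks over constructed records shaped like /etc/passwd and /etc/shadow entries and the owner and mode fields of os.stat(). The 90-day dormancy limit, the "critical" flag on a file, and every user name, uid, path, mode and date are assumptions made for the example; on a real host the same functions would be fed from the password database and a directory walk.

```python
"""
Added example (not from the original text): an offline version of the system
configuration checks listed above, run over constructed records shaped like
/etc/passwd and /etc/shadow entries and the owner/mode fields of os.stat().
Every user name, uid, path, mode and date here is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DORMANT_DAYS = 90            # assumption: unused for 90 days counts as dormant
TODAY = date(2024, 3, 1)     # fixed reference date so results are reproducible


@dataclass
class Account:
    name: str
    uid: int
    password_hash: str       # "" = no password at all; "!" or "*" = locked
    last_login: Optional[date]


@dataclass
class FileRecord:
    path: str
    owner_uid: int
    mode: int                # permission bits as returned by stat, e.g. 0o644
    critical: bool = False   # assumption: set from the organization's classification


# Constructed sample data
ACCOUNTS: List[Account] = [
    Account("root", 0, "$6$salt$hash", date(2024, 2, 28)),
    Account("alice", 1001, "$6$salt$hash", date(2024, 2, 20)),
    Account("bob", 1002, "", date(2024, 2, 27)),                # empty password field
    Account("oldsvc", 1003, "$6$salt$hash", date(2023, 9, 1)),  # not used for months
    Account("nologin", 1004, "!", None),                        # locked, never used
]

FILES: List[FileRecord] = [
    FileRecord("/etc/shadow", 0, 0o640, critical=True),
    FileRecord("/etc/passwd", 0, 0o666, critical=True),         # world-writable
    FileRecord("/var/tmp/report.txt", 1001, 0o644),
    FileRecord("/opt/app/config", 1999, 0o644),                 # uid 1999 is not in passwd
]


def accounts_without_passwords(accounts: List[Account]) -> List[str]:
    """An empty password field lets anyone log in as that user."""
    return [a.name for a in accounts if a.password_hash == ""]


def dormant_accounts(accounts, today=TODAY, limit_days=DORMANT_DAYS) -> List[str]:
    """Unlocked accounts with no login inside limit_days (never-used ones included)."""
    found = []
    for a in accounts:
        if a.password_hash in ("!", "*"):
            continue                      # locked accounts cannot be logged into
        if a.last_login is None or (today - a.last_login).days > limit_days:
            found.append(a.name)
    return found


def files_with_no_owner(files, accounts) -> List[str]:
    """Owner uid with no account: whoever is later given that uid inherits the file."""
    known = {a.uid for a in accounts}
    return [f.path for f in files if f.owner_uid not in known]


def files_with_bad_permissions(files) -> List[str]:
    """World-writable files anywhere; group-writable files among the critical ones."""
    bad = []
    for f in files:
        if f.mode & 0o002 or (f.critical and f.mode & 0o020):
            bad.append(f.path)
    return bad


def run_audit(accounts=ACCOUNTS, files=FILES) -> Dict[str, List[str]]:
    """Collect all findings. Shared accounts and password strength are not
    visible in these records: the former needs a review of who holds each
    password, the latter a check of the hash algorithm and rotation policy."""
    return {
        "no_password": accounts_without_passwords(accounts),
        "dormant": dormant_accounts(accounts),
        "unowned_files": files_with_no_owner(files, accounts),
        "bad_permissions": files_with_bad_permissions(files),
    }


if __name__ == "__main__":
    for check, items in run_audit().items():
        print(f"{check}: {items or 'none'}")
```

Run as a script it prints one line per check. The two items the list names that this cannot settle from records alone, shared accounts and password quality, are the ones an auditor has to pursue by interview and by reviewing the hashing and rotation policy rather than by scanning the host.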
):en a secure system that is proper!y configured is :u!nera&!e to attack$ and auditing
pro:ides an e?ce!!ent way of determining whether and how such attacks may take p!ace.
Another reason for a system security audit is to monitor for attempted pro&es$ attacks$ and
other unusua! occurrences. Auditing a system can a!so assist in setting &ase!ines for system
usage$ which are used to identify a&norma! acti:ity.
System monitoring re!ies hea:i!y on system audit !ogs or e:ent !ogs. Henera! system !og fi!es
record particu!ar e:ents inc!uding the fo!!owing@
C 1ogins or attempted !oginsB
C 1ogoutsB
C 4emote system accessB
C 6i!e opens$ c!oses$ renames$ and de!etionsB
C Changes in pri:i!eges or security attri&utesB
C Changes in access contro! !e:e!s.
These log files are usually maintained on the server's or system's local disk drives and as such are vulnerable to alteration. It is generally a good practice to either move the log files to another server on a daily basis or simply print out the pertinent log entries to ensure a hardcopy record that cannot be altered.
There are several software tools available to aid in the process of auditing a system. Two of the best known open source freeware programs are COPS and SATAN, which are discussed
There are also a number of commercial products available from vendors such as Internet Security Systems (ISS), Secure Networks, Cisco, and Netective, just to name a few.
The key to an activity and usage audit is the establishment of baseline metrics to assist in identifying potential security problems. System activity audits seek to analyze deviations from the normal patterns of usage and other unusual activities. Baseline metrics should be established to assist in identifying potential security problems.
Audit Mistakes
Ideally, an audit should be seen as an opportunity to improve processes. Unfortunately, the reality is sometimes one of finger-pointing and recrimination. Based on personal experience, some of the more common mistakes that contribute to a difficult EDP audit are described as follows:
• Not consulting with IT in the scheduling or planning process: Nothing will ensure a difficult EDP audit like scheduling one during a period when the IT division is stretched to the limit working on projects. This results in the IT division feeling imposed upon and resentful of the untimely intrusion. The IT division's resources may already be stretched to the breaking point when they start getting requests to provide all sorts of information and reports for the auditors. On the other hand, the auditors feel that IT is not cooperating, because IT is not responding in a timely manner to the requests for information. This makes for strained relationships and almost ensures that a process that should be one of open communications becomes painful and difficult.
• Auditors not properly trained to perform an EDP audit: I've been involved in EDP audits where the auditors did not have the technical background necessary to adequately perform the audit. In these instances the results were mixed. In some cases, the auditors simply accepted everything they were told by the IT group to be factual and accurate. There was no process of independent verification. While this might make the process easier on the IT group, it is not a true audit and does not serve the needs of the organization as a whole. In other cases I've seen the lack of technical knowledge on the part of auditors make them insecure about information with which they are provided. In some cases I've seen it border on paranoia. Since the auditors had no way of independently verifying information with which they were provided, they doubted everything.
• Leaving it up to IT to enforce unilateral changes within the organization: It is not unusual for deficiencies in procedures to be identified over which the IT unit has no control. For instance, access levels within applications may be administered by the IT unit, but those who determine the actual level of access may reside within other business units. As an example, the ultimate authority as to who has what access to the HRMS is the director of human resources. The IT group supports the HRMS package, but it is human resources who owns it, and it is they who determine who will have access to what information. On more than one occasion, I have seen audit findings in a final report regarding issues over which IT had no control or say in the process. However, the items were still cited as deficiencies in the audit. The IT group is left to correct the deficiency, over the objections of another business group.
• Doing it by the book: Auditors sometimes fail to recognize one of the cardinal rules of network security, which is that security measures and procedures that interfere with the operation of an organization are of little value. Those types of measures are usually ignored or circumvented by company personnel, so they tend to create security holes rather than plug them. Whenever possible, security measures should complement the operational and business needs of an organization. Some auditors have a tendency to cite any deviation from standard recommended practices, even if the deviation makes sense operationally for an organization. Security is a balancing process: balancing the security needs with the business needs and the probable with the possible. Too often auditors concentrate on the possible and not the probable.
• Audit report does a hatchet job on IT: It is not uncommon for the final audit report to be unnecessarily harsh on the IT unit. This is often a result of the mistakes listed above. Misunderstandings, lack of communication, and general distrust often lead to harsh findings. This is very unfortunate, since the security audit is actually an opportunity to test, learn, and improve an organization's security. As such, it should be welcomed, but too often it is met with dread. The IT unit and the audit group need to work together in developing the final report, so that it is comprehensive and practical. It needs to be comprehensive in that no area is glossed over. It needs to be practical in that no audit recommendations should constrict or interfere with the operation of the organization.
• Lack of management support to implement audit recommendations: The surest way to ensure that an audit is a failure is for management to fail to support the implementation of the audit recommendations. Management support is critical when implementing policy changes, particularly when those changes meet with resistance. In some cases it may simply be a matter of management not allocating the resources necessary to implement the recommendations. Most organizations have projects with deadlines and commitments that existed before the audit. Implementing the audit recommendations is always something that is given low priority. Ultimately, the recommendations are never implemented, and the same findings are usually cited at the next audit.
Deficiencies of Traditional Audit Techniques
The unfortunate reality is that it is not possible to build a completely secure system or network. Procedures are sometimes ignored. Passwords are vulnerable, and technologies fail or are subverted. Even in an environment where everything functions according to plan, the systems are still vulnerable to abuse by privileged insiders, such as system administrators. The ultimate goal of a network security scheme is to prevent successful attacks on a network. Traditionally, the primary tool for ensuring network security has been the firewall. However, firewalls are almost useless for monitoring activity on the internal network. Organizations are beginning to recognize the need to audit or monitor their internal networks simply because the majority of all attacks and losses involve insiders.
While traditional security audits may identify weaknesses in security measures or even expose security breaches, it is usually after the fact. Audit tools, such as COPS or SATAN, will only identify weaknesses in the configuration or implementation of systems or networks. Neither one of these approaches identifies problems as they occur; instead, they are concerned with residual risk. Traditionally, the residual risk was deemed acceptable to the operation of the organization, so that an audit was only required periodically. In today's Internet-connected environment the paradigm of residual risk is no longer valid. As a result, more proactive methods are required to audit or monitor networks and systems. Today there are new tools available that provide administrators with the ability to monitor network and system security on-line in real time.
Intrusion Detection
Competent system administrators have always monitored their systems for intrusions. The process usually entailed reviewing logs on a daily basis. Intrusions were sufficiently rare that after-the-fact reviews were usually adequate to address any possible problems. Unfortunately, times have changed drastically. After-the-fact reviews are no longer adequate; real-time or near real-time responses to intrusions are necessary. In addition, the volume of activity on the networks today dwarfs what was the norm 10 to 15 years ago. As a result, it is not humanly possible to review the amount of information in today's log files without some automated process. Without the automation of the review and monitoring process, it could be weeks before a system administrator knows about an intrusion to his or her system.
In general terms an "intrusion" can be defined as an unauthorized attempt or achievement to access, alter, render unavailable, or destroy information on a system or the system itself. Basically, an intrusion is somebody attempting to break into or misuse a system. Some observers differentiate misuse and intrusion. The term intrusion is usually used in reference to attacks that originate from outside an organization. Misuse is usually used to describe an attack that originates from the internal network. However, not everyone makes this differentiation.
Intrusion detection is the art of detecting unauthorized, inappropriate, or anomalous activity. The art of intrusion detection has been practiced by system and network administrators for years. However, intrusion detection has recently received more attention in the media largely due to the fact that so many companies are now marketing IDSs. Supposedly, these new IDSs can identify attacks in progress, generate real-time alerts, and even launch countermeasures or reconfigure routers or firewalls to counter an attack.
Intrusion Detection Systems (IDSs)
IDSs act much like security guards or sentries. They constantly scan network traffic or host audit logs. While the present batch of IDS products provides useful tools to augment an organization's network security, it is necessary to get past the marketing hype to evaluate a system's effectiveness. Presently, no single system provides truly effective end-to-end intrusion detection capability. In addition, IDSs are not a new concept. In Chapter 7, we discussed the TCPWrapper, a UNIX-based freeware IDS that has been around for many years. Generally, IDSs fall into one of two categories:
• Network-based IDSs;
• Host-based IDSs.
While there are merits to both approaches, neither method by itself is sufficient to monitor all threats. As a result, the current trend in the industry is to combine the two approaches.
Host-Based Intrusion Detection Systems
ost"&ased products reside on the host and are capa&!e of automatica!!y monitoring and
denying ser:ices if suspicious acti:ity is detected. #hey monitor acti:ity on the indi:idua!
host as opposed to monitoring acti:ity on the network. ost"&ased I*Ss sti!! re!y on system
audit !ogs$ much the same way system administrators do$ &ut I*Ss automate the process.
#ypica!!y a host"&ased I*S monitors system$ e:ent$ and security !ogs on 2indows N# and the
sys!og fi!e for ,NIJ. #he host"&ased I*S uses system !og fi!es and the system>s own auditing
agents to monitor the system.
There are a couple of approaches that host-based intrusion detection software can employ. One is to employ a wrapper, like TCPWrapper. This approach wraps the various host network services in an extra layer or shell that interprets network packet requests to the various services. The other approach employs agents that run as separate processes and monitor the requests to the host. Both approaches are effective at detecting anomalous activity or misuse of host systems.
One advantage to host-based agents is that they can monitor changes to critical system files and changes in user privileges. When a key system file changes, the IDS compares the file's properties with known attack signatures to see if there is a match. One popular method for detecting intrusions involves verifying key system files and executables via checksums at regular intervals for unexpected changes. For example, Chapter 7 discusses using MD5 to monitor changes to system files and the Tripwire IDS, which also provides this function. The first time one of these systems is run, it generates a snapshot of the file attributes, including file sizes and access rights. This information is stored in a database. Each subsequent run of the IDS compares the attributes of the files on the disk to the attributes stored in its database.
If the attributes have changed then an alarm is sounded. Some host-based IDSs monitor TCP port activity and notify system administrators when specific ports are accessed or scanned. They can also monitor and record when physical ports are accessed. This can be useful if the port has a modem connected to it. Perhaps the biggest drawback to host-based IDSs, such as TCPWrapper and Tripwire, is that the intrusion detection process is not real-time. Host-based intrusion detection programs, regardless of whether they use some wrapper or agent, generally identify intrusion attempts after they have been attempted or succeeded. The lag between the intrusion and its discovery can be substantial. By then it can be too late. This is a weakness with host-based IDSs in general. Another general weakness with host-based IDSs, like TCPWrapper and Tripwire, is that they don't have any capability to proactively react to an intrusion. Nor do they allow the system administrator to be proactive.
Another drawback to the host-based approach is that to secure the entire network, it is necessary to load the IDS on every computer. However, this aspect of host-based IDSs can also be a benefit. If you only desire to monitor one system, the cost of host-based IDSs is often lower than those for their network-based counterparts.
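The snapshot-then-compare process described for Tripwire above, as an added example that is not code from the paper or from Tripwire itself. The monitored tree and the tampering are constructed in a temporary directory, and SHA-256 stands in for the MD5 the chapter mentions, since MD5 collisions are practical today and would let a modified file keep its recorded checksum.

```python
"""Tripwire-style file integrity baseline and comparison.
Added example, not code from the original paper; the monitored tree and the
tampering are constructed in a temporary directory. SHA-256 stands in for the
MD5 the chapter mentions, because MD5 collisions are practical today."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Attributes recorded per file: size, permission bits, owner and a content hash."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
    return {"size": st.st_size, "mode": oct(stat.S_IMODE(st.st_mode)),
            "uid": st.st_uid, "gid": st.st_gid, "sha256": digest.hexdigest()}


def snapshot(root):
    """First run: walk the tree and record every file's attributes."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def compare(baseline, current):
    """Subsequent run: list added and removed files, and which attributes changed."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diff:
            report["changed"][rel] = diff
    return report


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    root = tempfile.mkdtemp()
    files = {"etc/passwd": "root:x:0:0::/root:/bin/sh\n",
             "etc/hosts": "127.0.0.1 localhost\n",
             "var/log/auth.log": "Jan  1 00:00:01 host sshd[1]: Accepted publickey\n"}
    for rel, text in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)
        os.chmod(full, 0o644)              # fixed starting mode, independent of umask
    db_file = root + ".baseline.json"      # kept outside the monitored tree
    with open(db_file, "w") as f:
        json.dump(snapshot(root), f)
    # Simulated tampering: extra account line, world-writable hosts file,
    # an unexpected new file, and a deleted log.
    with open(os.path.join(root, "etc/passwd"), "a") as f:
        f.write("extra:x:1001:1001::/home/extra:/bin/sh\n")
    os.chmod(os.path.join(root, "etc/hosts"), 0o666)
    with open(os.path.join(root, "etc/extra.conf"), "w") as f:
        f.write("option=1\n")
    os.remove(os.path.join(root, "var/log/auth.log"))
    with open(db_file) as f:
        baseline = json.load(f)
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline database must live where the monitored host cannot rewrite it (read-only media or another server), for the same reason the text gives for moving log files off the host.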
Network-Based Intrusion Detection Systems
Network-based IDS products run on the network and monitor activity, analyzing patterns and reporting on suspicious activity. A network-based IDS usually employs a dedicated network server or device with a network adapter configured for promiscuous mode to monitor and analyze all traffic in real time as it travels across the network. The network-based IDS monitors packets on the network wire and attempts to discern the legitimate traffic from the malicious. Some vendors state that a dedicated server is not necessary for the functioning of their network-based IDS. However, in reality it would not be advisable to run an IDS on a general-purpose application server. Would you want your network's IDS running on the company's payroll server? When compared to host-based IDSs, network-based IDSs have advantages and disadvantages.
Depending on the system, a network-based IDS may be less expensive to implement. This is due to the fact that a network-based IDS is operating system-independent and is not required to be loaded on all hosts on a network to be effective.
In addition, host-based IDSs will miss many network-based attacks. Host-based IDSs do not examine packet headers, so they cannot detect denial-of-service attacks. Network-based IDSs are also much more stealthy than host-based IDSs. With a host-based IDS, if the system is compromised a hacker can readily see if there is an IDS present. It would be very difficult to determine if a network-based IDS was on a network simply by examining the wire. About the only thing a hacker could determine is that there is a device on the network running in promiscuous mode. A network-based IDS can also provide superior controls on event logs.
With many host-based IDSs, the audit logs reside on the system locally. As a result, if the system is compromised, a hacker can manipulate the log files to hide his or her tracks.
A weakness of network-based IDSs, on the other hand, is the fact that they become less effective as network traffic increases. They work very well on an empty network, but as the number of packets increases, their effectiveness decreases to the point where they cannot identify any intrusions. This is a major weakness considering today's high transaction volume and the growth of fast Ethernet and switched Ethernet.
Knowledge-Based Intrusion Detection Systems
There are two general approaches employed for identifying hostile intrusions. One is knowledge-based, and the other is statistical-based. The two approaches are very different and employ different technologies.
Most of the IDSs deployed today are knowledge-based. Knowledge-based IDSs are sometimes referred to as misuse detection systems, expert systems, or model- or signature-based IDSs.
Knowledge-based IDSs rely on the ability to recognize known attacks. A knowledge-based IDS recognizes known intrusion scenarios and attack patterns. The knowledge-based IDS relies on a database of attack "signatures" or "patterns" that can be changed for different systems. For example, a host-based, knowledge-based IDS may monitor keystrokes for attack patterns. The IDS has a database of known keystroke patterns that are known to be a threat.
Mnow!edge"&ased I*Ss emp!oy many different techni;ues to identify intrusion patterns or
signatures. 6or a host"&ased$ know!edge"&ased I*S the process can in:o!:e monitoring
keystrokes$ re:iewing fi!es for changes and monitoring ports. #he re:iew of fi!es can function
much the same way as a :irus scanner on a PC. #he scan searches for known patterns or
changes that ha:e &een made to critica! fi!es since the !ast scan. String signatures !ook for
te?t strings that indicates a possi&!e attack. An e?amp!e of a string that might raise a red f!ag
for a ,NIJ system wou!d &e someone e?amining the contents of the password fi!e or hosts
fi!e using <cat Dpasswd< or <cat Dhosts.< Kou shou!d a!ways &e suspicious of someone who
wants to e?amine the password fi!e or re:iew what other hosts are on the network. 2hen
monitoring ports$ a host"&ased$ know!edge"&ased I*S can compare audit !ogs to the
signatures of common techni;ues. As an e?amp!e$ a significant num&er of fai!ed #CP
connections to we!! known ports may &e an indication that someone is scanning ports$ or a
!arge num&er of unacknow!edged SKN"ACM packets is pro&a&!y an indication that the system
is under a SKN f!ooding attack.
A network"&ased$ know!edge"&ased I*S e?amines packets on the network. Packets are
considered suspect if they match a known signature$ string$ or pattern. A network"&ased$
know!edge"&ased I*S can e?amine the protoco! stack for suspicious in:a!id or fragmented
packets that :io!ate the #CPDIP protoco!. #he ping"of"death with its o:ersi7ed IC8P packets
wou!d &e an e?amp!e of a known signature. A network"&ased$ know!edge"&ased I*S can a!so
e?amine packet headers for dangerous or i!!ogica! com&inations in packet headers. Another
we!!"known header signature is a #CP packet with &oth the SKN and 6IN f!ags set$ signifying
that the originator wishes to start and stop a connection at the same time. #his can &e an
indication that a system is &eing pro&ed &y an intruder.
Knowledge-based systems that employ pattern matching simply translate known intrusions into patterns that are then matched against the system or network activity. The IDS attempts to match activity to the patterns representing intrusion scenarios. The IDS monitors the activity, accumulating more and more evidence for an intrusion attempt until a threshold is crossed. The basic approach underlying pattern matching is that if it looks like a duck, walks like a duck, and quacks like a duck, then it must be a duck. However, for pattern matching to work the patterns must be easily recognizable, and they must be distinguishing. In other words, they must not look like any other normal or legitimate activity.
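The three kinds of knowledge-based signature described in the preceding paragraphs (string signatures over audit logs, evidence that accumulates until a threshold is crossed, and an illogical TCP header combination) in one small rule engine. This is an added example, not code from the paper or from any IDS product; the log format, the log lines, the thresholds and the packet bytes are all constructed for the demonstration.

```python
"""Knowledge-based (signature) IDS rules: string signatures and
evidence-accumulating thresholds over host audit-log lines, plus one TCP
header signature. Added example; the log format, the log lines, the
thresholds and the packet bytes are all constructed for the demonstration."""
import re
from collections import Counter, defaultdict

# String signatures: pattern and the threat it indicates.
STRING_SIGNATURES = [
    (re.compile(r"\bcat\s+\S*passwd\b"), "read of password file"),
    (re.compile(r"\bcat\s+\S*hosts\b"), "enumeration of hosts file"),
]
PORT_SCAN_THRESHOLD = 5    # distinct well-known ports refused to one source
SYN_FLOOD_THRESHOLD = 50   # SYN-ACKs sent to one peer without the closing ACK

# Constructed log format: "<time> <KIND> <details>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<kind>[A-Z]+) (?P<rest>.*)$")


def analyse(lines):
    """Return alerts in the order their evidence crossed a threshold."""
    alerts = []
    refused = defaultdict(set)   # src -> well-known ports it failed to reach
    half_open = Counter()        # peer -> SYN-ACKs not yet acknowledged
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "CMD":
            for threat in (t for rx, t in STRING_SIGNATURES if rx.search(rest)):
                alerts.append(f"{threat}: {rest}")
        elif kind == "TCPFAIL":                   # TCPFAIL <src> <dst port>
            src, port = rest.split()[:2]
            if int(port) < 1024:
                refused[src].add(int(port))
                if len(refused[src]) == PORT_SCAN_THRESHOLD:
                    alerts.append(f"possible port scan from {src}")
        elif kind == "SYNACK":                    # SYNACK <peer>
            half_open[rest] += 1
            if half_open[rest] == SYN_FLOOD_THRESHOLD:
                alerts.append(f"possible SYN flood via {rest}")
        elif kind == "ACK" and half_open[rest] > 0:   # handshake completed
            half_open[rest] -= 1
    return alerts


SYN, FIN = 0x02, 0x01


def illogical_tcp_flags(tcp_header):
    """Header signature: SYN and FIN both set (flags byte is offset 13)."""
    flags = tcp_header[13]
    return bool(flags & SYN) and bool(flags & FIN)


# Constructed 20-byte TCP headers: ports 1234 -> 80, flags 0x03 (SYN+FIN) and 0x02 (SYN).
SYN_FIN_HEADER = bytes.fromhex("04d2 0050 00000001 00000000 50 03 ffff 0000 0000")
SYN_HEADER = bytes.fromhex("04d2 0050 00000001 00000000 50 02 ffff 0000 0000")

SAMPLE_LOG = [
    "10:00:01 CMD user=bob cat /passwd",
    "10:00:02 CMD user=alice ls /home",
    "10:00:03 TCPFAIL 203.0.113.9 21",
    "10:00:03 TCPFAIL 203.0.113.9 22",
    "10:00:03 TCPFAIL 203.0.113.9 23",
    "10:00:03 TCPFAIL 203.0.113.9 25",
    "10:00:04 TCPFAIL 203.0.113.9 8080",   # not a well-known port: no evidence
    "10:00:04 TCPFAIL 203.0.113.9 80",     # fifth distinct well-known port
    "10:00:05 SYNACK 192.0.2.10",
    "10:00:05 ACK 192.0.2.10",             # one handshake completes
] + ["10:00:06 SYNACK 192.0.2.10"] * SYN_FLOOD_THRESHOLD

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
    print("SYN+FIN header flagged:", illogical_tcp_flags(SYN_FIN_HEADER))
```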
The advantage of knowledge-based IDSs is that they usually have low false alarm rates. This is due to the fact that they usually watch for very specific signatures, strings, and patterns. In addition, because they watch for specific events they are able to report with some detail and certainty on the threat being faced, which makes it easier to determine the appropriate course of action.
The major disadvantage to knowledge-based IDSs is that they are only effective against threats with which they are already familiar. As a result, they are useless against new techniques for which they have no signature or pattern in the knowledge base. In addition, it is not a simple matter to create a signature or pattern for an attack. It is not easy to translate known attack scenarios into patterns that can be used by a knowledge-based IDS. It requires keeping the IDS up-to-date with new vulnerabilities and environments. Further, it requires time-consuming analysis of each new vulnerability to update the IDS's knowledge base. As a result, vendors don't update their databases as often as they should.
Another common weakness of knowledge-based IDSs is that they are ineffective against passive attacks, such as network sniffing and wiretaps. They are also ineffective against IP or sequence number spoofing, DNS-based attacks, session hijacking, and redirects. In addition, a knowledge-based IDS will not detect the fraudulent or malicious activity of a privileged insider if the activity does not match a known pattern or signature. This is particularly true if the activity is performed through an application. For example, fraudulently transferring funds from one account to another will not be flagged, since it would be within the normal parameters of the system. Some of the better known network-based IDS products are from AXENT, Cisco, and Internet Security Systems (ISS).
Defense In-Depth Approach
Like a firewall, an IDS should be seen as just one more tool in a defense in-depth approach. Security measures should be multitiered, and IDSs can serve as another layer of security. Before you deploy an IDS, however, make sure that you weigh the pros and cons and be sure that the vendor you pick has the system that best meets your needs. Some of the pros of IDSs are listed as follows:
• Can detect some abuses and intrusions;
• Can identify where attacks are occurring;
• Can be useful for collecting evidence;
• Can alert administrators that someone is probing;
• Can take corrective action against certain types of abuses or intrusions.
Some IDS cons are listed as follows:
• Misses many types of abuses and intrusions;
• Do not work well on high-speed or heavy-volume networks;
• Generates false alarms.
An IDS can add depth to your overall security, helping to identify possible intrusions and abuses, but an IDS by itself does not ensure security. IDSs have a long way to go before they are as effective as much of the marketing hype would have you believe. Network-based IDSs' inability to function effectively on noisy, high-speed, or high-volume networks is just one example of the limitations that IDSs have to overcome before they become truly effective. Even when they are functioning correctly, all IDSs still miss many specific and harmful types of attacks. The most effective approach to intrusion detection is to use a combination of network-based and host-based detection.
9. Conclusion
From the detailed discussion above on networks and security, it is clear that network security is unavoidable when establishing a network. It also plays a vital role in local networks. When a user enters the Internet, his or her system becomes part of several secured and unsecured networks. To protect an individual node, several pieces of security software are installed. For a large network it is essential to establish a complete "network security system" by composing all of the points discussed above. Nowadays, online services are expanding into all parts of our day-to-day lives. Various networks handle our official and non-official data with or without our permission. Data security and network security are now a challenge, and a thorough network security system is the way to meet it.