
A study on composition of Network Security

By

Tadanki Ramakrishna tadanki.ramakrishna@yahoo.co.in

INDEX

1. Importance of Network Security Composition and Architecture. (Page 1)
2. Network Hurdles: Threats, Vulnerability, Virus, Attacks etc. (Page 18)
3. Encryption and Decryption Security Systems. (Page 43)
4. Secured and Unsecured layer systems. (Page 70)
5. OS, LAN, WAN Security System. (Page 87)
6. Routers & Firewalls compositions. (Page 140)
7. VPNs, Authorization and Authentication Systems. (Page 166)
8. Network Security Policy, Auditing and Monitoring Systems. (Page 182)
9. Conclusion. (Page 215)

1. Importance of Network Security Composition and Architecture

It is an important responsibility of a computer engineer to answer the question "Why is computer and network security important?" It is crucial for organizations to define why they want to achieve computer security, because that determines how they will achieve it. It is also a useful tool to employ when seeking senior management's authorization for security-related expenditures. Computer and network security is important for the following reasons.

1. To protect company assets (information): One of the primary goals of computer and network security is the protection of company assets. Here the asset is not the hardware and software that constitute the company's computers and networks; the assets are comprised of the "information" stored on a company's computers and networks. Information is a vital organizational asset. Network and computer security is concerned with the protection, integrity, and availability of information. Information can be defined as data that is organized and accessible in a coherent and meaningful manner.

2. To gain a competitive advantage: Developing and maintaining effective security measures can provide an organization with a competitive advantage over its competition. Network security is particularly important in the arena of Internet financial services and e-commerce. It can mean the difference between wide acceptance of a service and a weak customer response. For example, how many people do you know who would use a bank's Internet banking system if they knew that the system had been successfully hacked in the past? Not many. They would go to the competition for their Internet banking services.

3. To comply with regulatory requirements and fiduciary responsibilities: Corporate officers of every company have a responsibility to ensure the safety and soundness of the organization. Part of that responsibility includes ensuring the continuing operation of the organization. Accordingly, organizations that rely on computers for their continuing operation must develop policies and procedures that address organizational security requirements. Such policies and procedures are necessary not only to protect company assets but also to protect the organization from liability. For-profit organizations must also protect shareholders' investments and maximize return. In addition, many organizations are subject to governmental regulation, which often stipulates requirements for the safety and security of an organization. For example, most financial institutions are subject to federal regulation. Failure to comply with federal guidelines can result in the seizure of a financial institution by federal regulators. In some cases, corporate officers who have not properly performed their regulatory and fiduciary responsibilities are personally liable for any losses incurred by the financial institution that employs them.

4. To keep the job: Finally, to secure one's position within an organization and to ensure future career prospects, it is important to put into place measures that protect organizational assets. Security should be part of every network or systems administrator's job. Failure to perform adequately can result in termination. Termination should not be the automatic result of a security failure, but if, after a thorough postmortem, it is determined that the failure was the result of inadequate policies and procedures or of failure to comply with existing procedures, then management needs to step in and make some changes.

The Security Trinity

The three essential components of the security trinity, prevention, detection, and response, comprise the basis for network security. The security trinity should be the foundation for all security policies and measures that an organization develops and deploys.

Prevention

The foundation of the security trinity is prevention. To provide some level of security, it is necessary to implement measures to prevent the exploitation of vulnerabilities. In developing network security schemes, organizations should emphasize preventative measures over detection and response: it is easier, more efficient, and much more cost-effective to prevent a security breach than to detect or respond to one. Remember that it is impossible to devise a security scheme that will prevent all vulnerabilities from being exploited, but companies should ensure that their preventative measures are strong enough to discourage potential criminals, so that they go to an easier target.

Detection

Once preventative measures are implemented, procedures need to be put in place to detect potential problems or security breaches, in the event that preventative measures fail. As later chapters show, it is very important that problems be detected immediately. The sooner a problem is detected, the easier it is to correct and clean up.

Response

Organizations need to develop a plan that identifies the appropriate response to a security breach. The plan should be in writing and should identify who is responsible for what actions, the varying responses, and the levels of escalation. First, network security is not a technical problem; it is a business and people problem. The technology is the easy part. The difficult part is developing a security plan that fits the organization's business operation and getting people to comply with the plan. Next, companies need to answer some fundamental questions, including the following.
• How do you define network security?
• How do you determine what is an adequate level of security?

To answer these questions, it is necessary to determine what you or your company are trying to protect: information or a system. A system is a collection of various types of networks and architectures that are predefined by, or follow from, the objectives of the system.

Information Security

Network security is concerned with, and essential to, the security of company information assets. We often lose sight of the fact that it is the information and our ability to access that information that we are really trying to protect, and not the computers and networks. A simple definition for information security:

Information security = confidentiality + integrity + availability + authentication

There can be no information security without confidentiality; this ensures that unauthorized users do not intercept, copy, or replicate information. At the same time, integrity is necessary so that organizations have enough confidence in the accuracy of the information to act upon it. Moreover, information security requires organizations to be able to retrieve data; security measures are worthless if organizations cannot gain access to the vital information they need to operate when they need it.

Finally, information is not secure without authentication, which determines whether the end user is authorized to have access. Among the many elements of information security are ensuring adequate physical security; hiring proper personnel; developing, and adhering to, procedures and policies; strengthening and monitoring networks and systems; and developing secure applications. It is important to remember that information security is not just about protecting assets from outside hackers. The majority of the time, threats are internal to an organization: "We have found the enemy and it is us." Information security is also about procedures and policies that protect information from accidents, incompetence, and natural disasters. Such policies and procedures need to address the following:
• Backups, configuration controls, and media controls;
• Disaster recovery and contingency planning;
• Data integrity.

It is also important to remember that network security is not absolute. All security is relative. Network security should be thought of as a spectrum that runs from very unsecured to very secure. The level of security for a system or network depends on where it lands along that spectrum relative to other systems. It is either more secure or less secure than other systems relative to that point. There is no such thing as an absolutely secure network or system. Network security is a balancing act that requires the deployment of "proportionate defenses." The defenses that are deployed or implemented should be proportionate to the threat. Organizations determine what is appropriate in several ways, described as follows.
• Balancing the cost of security against the value of the assets they are protecting;
• Balancing the probable against the possible;
• Balancing business needs against security needs.

Organizations must determine how much it would cost to have each system or network compromised; in other words, how much it would cost in dollars to lose information or access to the system, or to experience information theft. By assigning a dollar value to the cost of having a system or network compromised, organizations can determine the upper limit they should be willing to pay to protect their systems. For many organizations this exercise is not necessary, because the systems are the lifeblood of the business. Without them, there is no organization. Organizations also need to balance the cost of security against the cost of a security breach. Generally, as the investment in security increases, the expected losses should decrease. Companies should invest no more in security than the value of the assets they are protecting. This is where cost-benefit analysis comes into play. Moreover, organizations must balance possible threats against probable threats: as it is impossible to defend against every possible type of attack, it is necessary to determine what types of threats or attacks have the greatest probability of occurring and then protect against them. It is also important to balance business needs with the need for security, assessing the operational impact of implementing security measures. Security measures and procedures that interfere with the operation of an organization are of little value. Those types of measures are usually ignored or circumvented by company personnel, so they tend to create, rather than plug, security holes. Whenever possible, security measures should complement the operational and business needs of an organization.

Risk Assessment

The concept of risk assessment is crucial to developing proportionate defenses. To perform a risk analysis, organizations need to understand possible threats and vulnerabilities. Risk is the probability that a vulnerability will be exploited. The basic steps for risk assessment are listed as follows:

• Identifying and prioritizing assets;
• Identifying vulnerabilities;
• Identifying threats and their probabilities;
• Identifying countermeasures;
• Developing a cost-benefit analysis;
• Developing security policies and procedures.

To identify and prioritize information assets and to develop a cost-benefit analysis, it is helpful to ask a few simple questions such as the following.
• What do you want to safeguard?
• Why do you want to safeguard it?
• What is its value?
• What are the threats?
• What are the risks?
• What are the consequences of its loss?
• What are the various scenarios?
• What will the loss of the information or system cost?

Prioritize assets and systems by assigning a dollar value to the asset. The dollar value can be the replacement cost, the cost of not having the asset available, or the cost to the organization of having the asset, such as proprietary information, obtained by a competitor. It is also necessary to include more obscure costs, such as loss of customer confidence. Weed out the probable threats from the possible. Determine which threats are most likely, and develop measures to protect against those threats.
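As an added illustration of the risk-assessment steps and the cost-benefit balancing described above (example code written for this page, not from the original study), the following Python computes an annual loss expectancy per asset and threat, ranks assets so that probable threats come before merely possible ones, and decides whether a countermeasure pays for itself while staying under the asset's value. All asset values, probabilities and costs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Threat:
    name: str
    annual_probability: float   # chance the vulnerability is exploited within a year
    loss_fraction: float        # share of the asset's value lost per incident


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    reduction: float            # fraction by which it lowers the threat's probability


@dataclass
class Asset:
    name: str
    value: float                # replacement cost, lost revenue, competitor advantage...
    threats: List[Threat] = field(default_factory=list)


def annual_loss_expectancy(asset: Asset, threat: Threat, reduction: float = 0.0) -> float:
    """Expected yearly loss = asset value x loss per incident x (residual) probability."""
    residual_probability = threat.annual_probability * (1.0 - reduction)
    return asset.value * threat.loss_fraction * residual_probability


def total_ale(asset: Asset) -> float:
    return sum(annual_loss_expectancy(asset, t) for t in asset.threats)


def prioritize(assets: List[Asset]) -> List[str]:
    """Order assets by expected loss: defend the probable before the merely possible."""
    return [a.name for a in sorted(assets, key=total_ale, reverse=True)]


def evaluate(asset: Asset, threat: Threat, measure: Countermeasure) -> dict:
    """Cost-benefit of one countermeasure: loss avoided minus what the measure costs."""
    before = annual_loss_expectancy(asset, threat)
    after = annual_loss_expectancy(asset, threat, measure.reduction)
    return {"before": before, "after": after,
            "net_benefit": (before - after) - measure.annual_cost}


def worth_deploying(asset: Asset, threat: Threat, measure: Countermeasure) -> bool:
    """Deploy only if the measure pays for itself and costs less than the asset is worth."""
    result = evaluate(asset, threat, measure)
    return result["net_benefit"] > 0 and measure.annual_cost < asset.value


# Constructed sample inventory (illustrative numbers, not taken from the study).
CUSTOMER_DB = Asset("customer database", 500_000.0, [
    Threat("theft via exposed admin service", annual_probability=0.20, loss_fraction=0.5),
    Threat("flood destroying the server room", annual_probability=0.01, loss_fraction=1.0),
])
PUBLIC_WEBSITE = Asset("public website", 50_000.0, [
    Threat("defacement", annual_probability=0.30, loss_fraction=0.2),
])
PATCH_AND_FILTER = Countermeasure("patching plus firewall filtering", 15_000.0, reduction=0.8)
HOT_SITE = Countermeasure("off-site hot standby", 30_000.0, reduction=0.9)

if __name__ == "__main__":
    print("priority:", prioritize([PUBLIC_WEBSITE, CUSTOMER_DB]))
    for threat, measure in zip(CUSTOMER_DB.threats, (PATCH_AND_FILTER, HOT_SITE)):
        print(threat.name, "->", measure.name, evaluate(CUSTOMER_DB, threat, measure),
              "deploy" if worth_deploying(CUSTOMER_DB, threat, measure) else "skip")
```

In the constructed inventory the theft scenario carries an expected loss of about 50,000 a year, so a 15,000 measure that removes most of it is worth deploying; the flood scenario costs about 5,000 a year in expectation, so the 30,000 hot site fails the cost-benefit test even though the loss per incident is total.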

Classification of Computer Networks

There are basically three ways of classifying networks:
1. Based on Transmission Mode
2. Based on Authentication
3. Based on Geographical location

Based on Transmission Mode
Simplex: In simplex mode, the communication is unidirectional.
Half-Duplex: In half-duplex mode, the communication is bidirectional, but in only one direction at a time.
Full-Duplex: In full-duplex mode, both stations can transmit and receive simultaneously.
Synchronous Transmission: Each bit reaches the destination with the same time delay after leaving the source.
Asynchronous Transmission: Packets are received with varying delays, so packets can arrive out of order. Some packets are not received correctly.

Based on Authentication
Peer to Peer Connection: In peer-to-peer networks, there are no dedicated servers. No computer can control the other computers.
Server Based Connection: A dedicated server is optimized to service requests from network clients. A server can control the clients for its services.

Based on Geographical location
LAN (Local Area Network): Networks which cover a close geographical area.
MAN (Metropolitan Area Network): A metropolitan area network is an extension of a local area network to spread over a city.
WAN (Wide Area Network): A WAN spread over the world may be spread over more than one city, country or continent.

WAN Technology

Systems in a WAN are connected indirectly. Generally WAN networks are slower than LANs. WAN networks are owned or operated by network providers. If a WAN is owned by a single owner, it is called an Enterprise network. Often these networks combine more than one topology.

Topology

Topology refers to the physical layout, including computers, cables, and other resources; it determines how components communicate with each other. Today's network designs are based on three topologies:
Bus: consists of a series of computers connected along a single cable segment.
Star: connects computers via a central connection point or hub.
Ring: connects computers to form a loop.

All computers, regardless of topology, communicate by addressing data to one or more computers and transmitting it across the cable as electronic signals. Data is broken into packets and sent as electronic signals that travel on the cable. Only the computer to which the data is addressed accepts it.


Protocol

A protocol is a set of rules. It is a formal description of message formats and of the rules that two or more machines must follow to exchange messages. The key elements of a protocol are syntax, semantics and timing.
Syntax: Syntax refers to the structure or format of the data, meaning the order in which the parts are presented.
Semantics: Semantics refers to the meaning of each section of bits.
Timing: Timing refers to when data should be sent and how fast it can be sent.

Internetworking Technologies

Internetworking technologies describe how the Internet accommodates multiple underlying hardware technologies, how these are interconnected to form the network, and the set of communication standards the network uses to interoperate. The lowercase "internet" means multiple networks connected together using a common protocol suite. The uppercase "Internet" refers to the collection of hosts around the world that can communicate with each other using TCP/IP. While the Internet is an internet, the reverse is not true.


WAN Networking Devices

Repeaters: A repeater is a device that regenerates signals so that the signal can travel on additional cable segments. Repeaters do not translate or filter data. A repeater is used to connect two networks that use the same technology. It receives every data packet on each network and retransmits it onto the other network. The net result is that the two networks have exactly the same set of packets on them. Its primary purpose is to get around limitations in cable length caused by signal loss or timing dispersion. For a repeater to function, both segments which the repeater joins must have the same media access scheme, protocol and transmission technique. Repeaters can move packets from one medium to another. Some multiport repeaters can connect different types of media. Repeaters improve performance by dividing the network into segments, thus reducing the number of computers per segment.

Bridge: A bridge is a device that can join two LANs. However, a bridge can also divide an overloaded network into separate networks, reducing the traffic on each segment and making each network more efficient. A bridge can link unlike physical media such as twisted-pair and coaxial Ethernet. It can also link unlike network segments such as Ethernet and Token Ring. A bridge can be installed internally or externally. If the destination address is not listed in the bridge's routing table, the bridge forwards the packet to all segments. Multiple bridges can be used to combine several networks. Bridges are faster than routers because routers perform complex functions on each packet.

Switches: Switches allow different nodes of a network to communicate directly with each other in a smooth and efficient manner. Switches are divided into two types, store-and-forward and cut-through. A store-and-forward switch receives the whole frame before forwarding it to the respective system; a cut-through switch starts forwarding the frame to the respective system as soon as the destination address has been read.

Routers: A router is a device used to connect networks that use different architectures and protocols. Routers can switch and transfer information packets across multiple networks. This process is called routing. They can determine the best path for sending data and they filter broadcast traffic, confining it to the local segment. Routers cannot link to remote computers. They can read only addressed network packets. Routers can link segments that use different data packaging and media schemes.

Gateways: Gateways make communication possible between systems that use different communication protocols, data formatting structures, languages and architectures. Gateways repackage data going from one system to another. Gateways are usually dedicated servers on a network and are task-specific.
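To make the bridge behaviour described above concrete (learning where each address lives, forwarding a frame only to the segment that needs it, and flooding to all other segments when the destination is not yet in the table), here is an added Python simulation of a transparent learning bridge. It is example code written for this page, not a model of any product named in the study; segment numbers and addresses are constructed.

```python
from collections import Counter
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Transparent bridge joining several segments.  It learns which segment
    each source address was seen on and uses that table to decide whether a
    frame is forwarded to one segment, flooded to all others, or filtered."""

    def __init__(self, segments: List[int]):
        self.segments = list(segments)
        self.table: Dict[str, int] = {}          # address -> segment it was last seen on
        self.log: List[Tuple[str, str, int, str, List[int]]] = []

    def handle(self, src: str, dst: str, in_segment: int) -> List[int]:
        """Process one frame arriving on in_segment; return the segments it goes out on."""
        if in_segment not in self.segments:
            raise ValueError("unknown segment %r" % in_segment)
        self.table[src] = in_segment              # learn (also tracks a host that moved)
        if dst == BROADCAST or dst not in self.table:
            out = [s for s in self.segments if s != in_segment]   # flood everywhere else
            action = "flood"
        elif self.table[dst] == in_segment:
            out = []                                              # filter: stays local
            action = "filter"
        else:
            out = [self.table[dst]]                               # forward to one segment
            action = "forward"
        self.log.append((src, dst, in_segment, action, out))
        return out

    def summary(self) -> Dict[str, int]:
        """How many frames were flooded, forwarded or filtered so far."""
        return dict(Counter(entry[3] for entry in self.log))


if __name__ == "__main__":
    bridge = LearningBridge([1, 2, 3])
    # Constructed traffic: host A on segment 1, host B on segment 2, host C on segment 1.
    for src, dst, seg in [("A", "B", 1), ("B", "A", 2), ("A", "B", 1), ("C", "A", 1)]:
        print(src, "->", dst, "in", seg, "out", bridge.handle(src, dst, seg))
    print(bridge.table, bridge.summary())
```

The first frame to an unknown destination is flooded to both other segments; once B has spoken, traffic between A and B is confined to segments 1 and 2, and a frame between two hosts on the same segment is dropped by the bridge entirely, which is the traffic reduction the text attributes to bridging.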


WAN Protocols

Frame Relay: Frame relay is used to connect a large number of sites in a network because it is relatively inexpensive to do so. The service provider gives you a frame relay circuit and charges for the amount of data and the bandwidth you use, as opposed to a T1 circuit, which charges a flat monthly rate whether you use partial bandwidth or the full bandwidth. Frame relay is a high-performance WAN protocol that operates at the Data Link layer and the Physical layer of the OSI model.

Integrated Services Digital Network (ISDN): Integrated Services Digital Network (ISDN) is designed to run over existing telephone networks. It can deliver end-to-end digital service carrying voice and data. ISDN operates at the physical layer, data link layer and network layer of the OSI model. It can carry multimedia and graphics along with all other voice and data services. ISDN supports all upper layer protocols and you can choose PPP, HDLC or LAPD as your encapsulation protocol. It has two offerings: Primary Rate, which is 23B+D channels (23 64 kbps channels and one 64 kbps channel mainly used for signaling), and Basic Rate, which has 2B+D channels (two 64 kbps channels and one 16 kbps channel). At the data link layer ISDN supports two protocols, LAPB and LAPD. LAPB is used mainly to transfer data from upper layers and has three types of frames. I-Frames carry upper layer information and carry out sequencing, flow control, error detection and recovery. S-Frames carry control information for the I-frames. LAPD provides an additional multiplexing function to the upper layers, enabling a number of network entities to operate over a single physical access. Each individual link procedure acts independently of the others. The multiplex procedure combines and distributes the data link channels according to the address information of the frame.


High Level Data Link Control (HDLC): High Level Data Link Control (HDLC) is a bit-oriented data link layer frame protocol that has many versions, similar to LAP, LAPB, and LAPD. The default encapsulation of Cisco routers is HDLC, but that version is proprietary to Cisco.

Point to Point Protocol (PPP): Point to Point Protocol (PPP) is a Data Link Layer protocol that can be used over either asynchronous (dial-up) or synchronous (ISDN) lines. It uses the Link Control Protocol (LCP) to build and maintain data link connections. Included in PPP are the authentication protocols PAP and CHAP, and data compression. It supports IP, IPX, AppleTalk, DECnet and OSI/CLNS.

TCP/IP layer Architecture

Each layer contains logical groupings of functions that provide specific services for facilitating a communication. A function, or a group of functions, making up a functional unit is a logical entity that accepts one or more inputs (arguments) and produces a single output (value) determined by the nature of the function. Functions can be grouped into a collective unit, which is then defined as the (N) layer, having the (N+1) layer as its upper boundary and the (N-1) layer as its lower boundary. The N layer receives services from the N-1 layer and provides services to the N+1 layer.

Internet Architecture

At first, a few stand-alone systems were collected together into a network. Now people combine multiple networks together into an internetwork, or an internet. An internet is a collection of networks that all use the same protocol suite. The easiest way to build an internet is to connect two or more networks with a router. This is often a special-purpose hardware box for connecting networks. The following diagram shows two networks connected to form an internet.

Figure: Simple Internet.

Two computers, anywhere in the world, following certain hardware, software and protocol specifications, can communicate reliably even when they are not directly connected. LANs are not scalable beyond a certain number of stations or geographic separation.

TCP/IP layer Architecture

There is no single standard for the layers in TCP/IP. Some refer to 5 layers, including the physical layer, and some refer to four layers. The four-layered structure of TCP/IP is seen in the way data is handled as it passes down the protocol stack from the Application Layer to the underlying physical network. Each layer in the stack adds control information to ensure proper delivery. This control information is called a header because it is placed in front of the data to be transmitted. Each layer treats all of the information it received from the layer above as data and places its own header in front of that information. The addition of delivery information at every layer is called encapsulation. When data is received, each layer strips off its header before passing the data on to the layer above. Each layer has its own data structures and terminology to describe that structure. In the application layer the TCP data is called a stream, whereas in UDP it is called a message. In the transport layer the TCP data is called a segment, whereas in UDP it is called a packet. In the Internet layer both TCP and UDP data are called datagrams. In the network access layer both TCP and UDP data are called frames.

Figure: TCP/IP layers (Application, Transport, Internet, Network Access).
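The encapsulation described above, carried out in code as an added example (written for this page, not taken from the study): an application message becomes a UDP segment, then an IPv4 datagram, then an Ethernet frame, with each layer prepending its own header; on the receiving side each layer verifies and strips its header in the reverse order. The UDP header, the 20-byte IPv4 header with its checksum, and the 14-byte Ethernet II header follow the real layouts; the CRC-32 trailer stands in for the Ethernet frame check sequence, and the addresses and ports are constructed for the example.

```python
import socket
import struct
import zlib

# Constructed sample endpoints (illustrative values, not from the study).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"
SRC_PORT, DST_PORT = 40000, 53

IPV4_HEADER = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags+offset, TTL, proto, checksum, src, dst


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IP header (RFC 1071)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_segment(message: bytes) -> bytes:
    """Transport layer: 8-byte UDP header (ports, length, checksum).  A zero
    checksum means 'not computed', which UDP over IPv4 permits."""
    return struct.pack("!HHHH", SRC_PORT, DST_PORT, 8 + len(message), 0) + message


def ip_datagram(segment: bytes, ttl: int = 64) -> bytes:
    """Internet layer: IPv4 header without options; protocol 17 = UDP."""
    fields = [0x45, 0, 20 + len(segment), 0, 0, ttl, 17, 0,
              socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP)]
    fields[7] = ip_checksum(struct.pack(IPV4_HEADER, *fields))   # checksum over header with field 0
    return struct.pack(IPV4_HEADER, *fields) + segment


def ethernet_frame(datagram: bytes) -> bytes:
    """Network access layer: Ethernet II header (EtherType 0x0800 = IPv4) plus a
    CRC-32 trailer standing in for the frame check sequence."""
    body = struct.pack("!6s6sH", DST_MAC, SRC_MAC, 0x0800) + datagram
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def encapsulate(message: bytes) -> bytes:
    """message -> segment -> datagram -> frame: each layer prepends its header."""
    return ethernet_frame(ip_datagram(udp_segment(message)))


def decapsulate(frame: bytes) -> dict:
    """Receiving side: each layer checks and strips its header, bottom up."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("!I", fcs)[0] != zlib.crc32(body) & 0xFFFFFFFF:
        raise ValueError("frame check sequence mismatch")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", body[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    datagram = body[14:]
    ihl = (datagram[0] & 0x0F) * 4
    if ip_checksum(datagram[:ihl]) != 0:      # a correct header sums to zero
        raise ValueError("IP header checksum mismatch")
    (_, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip) = struct.unpack(IPV4_HEADER, datagram[:20])
    if proto != 17:
        raise ValueError("not a UDP datagram")
    segment = datagram[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {"src_mac": src_mac, "dst_mac": dst_mac,
            "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip), "ttl": ttl,
            "src_port": src_port, "dst_port": dst_port,
            "message": segment[8:udp_len]}


if __name__ == "__main__":
    wire = encapsulate(b"constructed payload")
    print(len(wire), "bytes on the wire:", wire.hex())
    print(decapsulate(wire))
```

A 5-byte message grows to 51 bytes on the wire (14 + 20 + 8 + 5 + 4), which is the header overhead the text refers to; flipping any byte inside the frame body makes the receiving side reject it at the frame check before the upper layers ever see it.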


Network Access layer

The TCP/IP Network Access layer can encompass the functions of all three lower layers of the OSI Reference Model (Network, Data Link and Physical). As new hardware technologies appear, new Network Access protocols must be developed so that TCP/IP networks can use the new hardware.

Functions
Addressing scheme: For this the layer provides a protocol called Address Resolution Protocol (ARP), defined in RFC 826.
Transmission of IP datagrams over Ethernet networks: This specifies how IP datagrams are encapsulated for transmission over Ethernet networks.

Header Encapsulation

TCP/IP Encapsulation: When an application sends data using TCP, the data is sent down the protocol stack, through each layer, until it is sent as a stream of bits across the network. Each layer adds information to the data by prepending headers (and sometimes adding trailer information) to the data that it receives. The unit of data that TCP sends to IP is called a TCP segment. The unit of data that IP sends to the network interface is called an IP datagram. The stream of bits that flows across the Ethernet is called a frame.

Internet layer

All TCP/IP communication data flows through IP regardless of its final destination. It provides a basic packet delivery service. The important protocol in this layer is the Internet Protocol.

Function of Internet Protocol
• Defining the datagram, which is the basic unit of transmission in the Internet.
• Defining the Internet addressing scheme.
• Routing datagrams to remote hosts.
• Performing fragmentation and reassembly of datagrams.

IP is a connectionless protocol. IP does not exchange control information to establish an end-to-end connection before transmitting data. It is also called an unreliable protocol because it contains no error detection and recovery code.

Fragmenting datagrams

Datagrams may be routed through different networks. Each type of network has a Maximum Transmission Unit (MTU), which is the largest packet that it can transfer. A datagram received from one network may be too large to be transmitted in a single packet on a different network. In this case, the IP module in a gateway divides the datagram into smaller pieces. This process is called fragmentation.

Transport layer

The Transport Layer has two important protocols, for connection-oriented and connectionless services. They are TCP and UDP. TCP (Transmission Control Protocol) provides a connection-oriented, reliable, byte stream service (RFC 793). TCP is an independent, general purpose protocol that can be adapted for use with delivery systems other than IP. A stream of 8-bit bytes is exchanged across a TCP connection. UDP (User Datagram Protocol) is a simple, unreliable, datagram-oriented transport layer protocol (RFC 768).
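The fragmentation step described above, worked through as an added Python example (written for this page, not from the study): a gateway splits the data of one datagram into pieces that fit the next network's MTU, recording in each piece the three header fields IP uses for reassembly (identification, fragment offset in 8-byte units, and the "more fragments" flag), and the destination puts the pieces back together even when they arrive out of order. It goes slightly beyond the text by also showing a fragment being fragmented again at a second, smaller MTU, and by failing reassembly when a piece is missing. The MTU values and payload are constructed.

```python
from typing import List


def fragment(payload: bytes, mtu: int, ident: int, header_len: int = 20,
             base_offset: int = 0, more_after: bool = False) -> List[dict]:
    """Split the data of one datagram (or of an existing fragment, given its
    base_offset and whether more fragments follow it) to fit the next MTU.
    Every piece but the last must carry a multiple of 8 data bytes, because
    the offset field counts 8-byte units."""
    max_data = (mtu - header_len) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU %d too small to carry any data" % mtu)
    if not payload:
        return [{"id": ident, "offset": base_offset, "mf": more_after, "data": b""}]
    pieces = []
    for start in range(0, len(payload), max_data):
        chunk = payload[start:start + max_data]
        last_piece = start + max_data >= len(payload)
        pieces.append({"id": ident,
                       "offset": base_offset + start // 8,
                       "mf": more_after or not last_piece,   # MF stays set if the parent had it set
                       "data": chunk})
    return pieces


def reassemble(fragments: List[dict]) -> bytes:
    """Rebuild the original data at the destination.  Fragments may arrive in
    any order; a hole, an overlap or a missing final piece makes it fail."""
    if not fragments:
        raise ValueError("no fragments")
    ident = fragments[0]["id"]
    if any(f["id"] != ident for f in fragments):
        raise ValueError("fragments of different datagrams mixed")
    ordered = sorted(fragments, key=lambda f: f["offset"])
    data, expected_byte = b"", 0
    for f in ordered:
        if f["offset"] * 8 != expected_byte:
            raise ValueError("hole or overlap at byte %d" % expected_byte)
        data += f["data"]
        expected_byte += len(f["data"])
    if ordered[-1]["mf"]:
        raise ValueError("final fragment not yet received")
    return data


if __name__ == "__main__":
    payload = bytes(range(256)) * 12                 # constructed 3072-byte datagram body
    first_hop = fragment(payload, mtu=1500, ident=7)
    print([(f["offset"], len(f["data"]), f["mf"]) for f in first_hop])
    # The first piece crosses a second network with a 576-byte MTU and is split again.
    refragmented = fragment(first_hop[0]["data"], mtu=576, ident=7,
                            base_offset=first_hop[0]["offset"], more_after=first_hop[0]["mf"])
    print([(f["offset"], len(f["data"]), f["mf"]) for f in refragmented])
    print(reassemble(refragmented + first_hop[1:]) == payload)
```

With a 1500-byte MTU and a 20-byte header each fragment carries 1480 bytes, so the offsets run 0, 185 and 370 (in 8-byte units); the receiver keeps only pieces sharing the same identification and cannot deliver the datagram until the piece with the flag clear has arrived, which is why a lost fragment costs the whole datagram.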

Application Layer

The top of the TCP/IP architecture is the Application Layer. It contains a collection of services. Each service is identified by a number called a port number. Each service is defined by a separate protocol and has its own RFC, e.g. FTP and Telnet.

2. Network Hurdles: Threats, Vulnerability, Virus, Attacks etc

Before we begin our discussion of threats, vulnerabilities, and attacks, it is important to review TCP/IP basics and the seven-layer OSI model. This review is important because many of the attacks that are utilized today take advantage of some of the inherent vulnerabilities designed into the TCP/IP protocol suite. The attacks actually use the functioning of TCP/IP to defeat the protocol.

Protocols

Protocols are nothing more than a set of formal rules or standards that are used as a basis for communication. Protocols are designed to facilitate communications. We'll use the example of a protocol officer at an embassy to describe how protocols function. The job of a protocol officer is to ensure proper communication between the embassy and the host country. A network protocol functions much in the same manner, only it ensures communications between network devices. Before network devices are able to exchange data, it is necessary for the devices to agree on the rules (protocol) that will govern a communication session.

The OSI Reference Model

The OSI reference model is a seven-layer model that was developed by the International Standards Organization (ISO) in 1978. The OSI model is a framework for international standards that can be used for implementing a heterogeneous computer network architecture. The OSI architecture is split into seven layers. The following figure illustrates the seven layers of the OSI model. Each layer uses the layer immediately below it and provides a service to the layer above. In some implementations a layer may itself be composed of sub-layers.

Figure: OSI model.

The physical layer addresses the physical link and is concerned with the signal voltage, bit rate, and duration. The data link layer is concerned with the reliable transmission of data across a physical link; in other words, getting a signal from one end of a wire to the other end. It handles flow control and error correction. The network layer handles the routing of data and ensures that data is forwarded to the right destination. The transport layer provides end-to-end control and constructs the packets into which the data is placed to be transmitted or "transported" across the logical circuit. The session layer handles the session set-up with another network node. It handles the initial handshake and negotiates the flow of information and the termination of connections between nodes. The presentation layer handles the conversion of data from the session layer, so that it can be "presented" to the application layer in a format that the application layer can understand. The application layer is the end-user interface. This includes interfaces such as browsers, virtual terminals, and FTP programs.

TCP/IP Protocol Suite

TCP/IP is a suite of protocols that can be used to connect dissimilar brands of computers and network devices. The largest TCP/IP network is the Internet. The Internet was developed by the U.S. DOD under the auspices of the Defense Advanced Research Project Agency (DARPA) when DOD scientists were faced with the problem of linking thousands of computers running different operating systems. The Defense Advanced Research Project Agency (DARPA) is a small organization within the Pentagon, but its impact on technology in general and on data communications in particular has been huge. For all practical purposes, DARPA's programs and funding created the Internet. You can think of the TCP/IP suite as the lifeblood of the Internet. The TCP/IP suite has become widely adopted because it is an open protocol standard that can be implemented on any platform regardless of the manufacturer. In addition, it is independent of any physical network hardware. TCP/IP can be implemented on Ethernet, X.25, and token ring, among other platforms. Although there are different interpretations of how to describe TCP/IP within a layered model, it is generally described as being composed of fewer layers than the seven used in the OSI model. The TCP/IP protocol suite generally follows a four-layer architecture.

The IP portion of TCP/IP is the connectionless network layer protocol. It is sometimes called an "unreliable" protocol, meaning that IP does not establish an end-to-end connection before transmitting datagrams and that it contains no error detection and recovery code. The datagram is the packet format defined by IP. IP operates across the network and data link layers of the OSI model and relies on the TCP protocol to ensure that the data reaches its destination correctly. The heart of the IP portion of TCP/IP is a concept called the Internet address. This is a 32-bit number assigned to every node on the network. IP addresses are written in a dotted decimal format that corresponds to the 32-bit binary address. Each octet is assigned a number between 0 and 255. An example of an IP address in dotted decimal format is 12.31.80.1. This IP address translated into a 32-bit binary number is: 00001100 00011111 01010000 00000001
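The dotted-decimal to 32-bit conversion just shown, together with the class A/B/C split of the address into network ID and host ID that the text goes on to describe, as an added Python example (written for this page, not from the study). It goes a little beyond the text by validating malformed input and by recognising the class D (multicast) and class E (reserved) prefixes as well as the three main classes; the addresses used in the test are constructed.

```python
from typing import List, Tuple

CLASS_NETWORK_BITS = {"A": 8, "B": 16, "C": 24}   # width of the network ID per main class


def parse_octets(addr: str) -> List[int]:
    """Validate a dotted-decimal string and return its four octets as integers."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets: %r" % addr)
    values = []
    for octet in octets:
        if not octet.isdigit():
            raise ValueError("octet is not a number: %r" % octet)
        n = int(octet)
        if n > 255:
            raise ValueError("octet out of range 0-255: %r" % octet)
        values.append(n)
    return values


def dotted_to_binary(addr: str) -> str:
    """12.31.80.1 -> '00001100 00011111 01010000 00000001'."""
    return " ".join(format(n, "08b") for n in parse_octets(addr))


def address_class(addr: str) -> str:
    """Class is decided by the leading bits of the first octet."""
    first = parse_octets(addr)[0]
    if first >> 7 == 0b0:
        return "A"      # 0xxxxxxx
    if first >> 6 == 0b10:
        return "B"      # 10xxxxxx
    if first >> 5 == 0b110:
        return "C"      # 110xxxxx
    if first >> 4 == 0b1110:
        return "D"      # 1110xxxx multicast
    return "E"          # 1111xxxx reserved


def split_network_host(addr: str) -> Tuple[str, str]:
    """Return (network ID, host ID) in dotted form for a class A, B or C address."""
    cls = address_class(addr)
    if cls not in CLASS_NETWORK_BITS:
        raise ValueError("class %s addresses have no network/host split" % cls)
    value = int.from_bytes(bytes(parse_octets(addr)), "big")
    mask = (0xFFFFFFFF << (32 - CLASS_NETWORK_BITS[cls])) & 0xFFFFFFFF

    def to_dotted(v: int) -> str:
        return ".".join(str(b) for b in v.to_bytes(4, "big"))

    return to_dotted(value & mask), to_dotted(value & ~mask & 0xFFFFFFFF)


if __name__ == "__main__":
    for sample in ("12.31.80.1", "172.16.0.1", "192.168.1.10"):   # constructed samples
        print(sample, dotted_to_binary(sample), "class", address_class(sample),
              split_network_host(sample))
```

Rejecting out-of-range or non-numeric octets before converting matters in practice: address strings copied from logs or configuration files are a common place for a parser to silently accept garbage.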


An IP address is divided into two parts, a network ID and a host ID, but the format of these parts depends on the class of the address. There are three main address classes: class A, class B, and class C. The formats differ in the number of bits allocated to the network ID and host ID and are distinguished by the first three bits of the 32-bit address.

The TCP portion of TCP/IP comes into operation once a packet is delivered to the correct Internet address. In contrast to IP, which is a connectionless protocol, TCP is connection-oriented. It establishes a logical end-to-end connection between two communicating nodes or devices. TCP operates at the transport layer of the OSI model and provides a virtual circuit service between end-user applications, with the reliable data transfer that is lacking in the datagram-oriented IP. Software packages that follow the TCP standard run on each machine, establish a connection to each other, and manage the communication exchanges. TCP provides the flow control, error detection, and sequencing of the data; looks for responses; and takes the appropriate action to replace missing data blocks. The end-to-end connection is established through the exchange of control information. This exchange of information is called a three-way handshake. This handshake is necessary to establish the logical connection and to allow the transmission of data to begin. In its simplest form, host A transmits to host B a segment with the synchronize sequence number (SYN) bit set. This tells host B that host A wishes to establish a connection and informs host B of the starting sequence number for host A. Host B sends back to host A an acknowledgment and confirms its own starting sequence number. Host A acknowledges receipt of host B's transmission and begins the transfer of data. Later in this chapter, I will explain how this three-way handshake can be exploited to disrupt the operation of a system.

22
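The dotted-decimal conversion and the classful network/host split described above, worked through in code. This is an added example, not code from the original text; the class boundaries it applies (leading bits 0, 10 and 110 for classes A, B and C, with 8, 16 and 24 network bits) are the standard classful rules, which the text refers to without listing, and the sample addresses are constructed.

```python
# Added example (not from the original text): dotted-decimal <-> 32-bit binary
# conversion and the classful network/host split the chapter describes.
# The class boundaries (A: 0xxx, B: 10xx, C: 110x with 8/16/24 network bits)
# are the standard classful rules; the chapter mentions them without listing them.

def dotted_to_int(addr: str) -> int:
    """Parse dotted-decimal notation into a 32-bit integer, validating each octet."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    value = 0
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"octet is not a number: {part!r}")
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range 0-255: {octet}")
        value = (value << 8) | octet
    return value

def is_valid(addr: str) -> bool:
    """True for well-formed dotted-decimal input, False otherwise."""
    try:
        dotted_to_int(addr)
        return True
    except ValueError:
        return False

def to_binary(addr: str) -> str:
    """Render the address as four 8-bit groups, as in the chapter's example."""
    bits = f"{dotted_to_int(addr):032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))

def classify(addr: str) -> dict:
    """Decide the class from the first three bits and split network ID from host ID."""
    value = dotted_to_int(addr)
    top = value >> 29                  # the three most significant bits
    if top & 0b100 == 0:
        cls, net_bits = "A", 8         # 0xxx
    elif top & 0b110 == 0b100:
        cls, net_bits = "B", 16        # 10xx
    elif top & 0b111 == 0b110:
        cls, net_bits = "C", 24        # 110x
    else:
        cls, net_bits = "D/E", 0       # multicast / reserved: no network/host split
    host_bits = 32 - net_bits
    if net_bits:
        network_id = value >> host_bits
        host_id = value & ((1 << host_bits) - 1)
    else:
        network_id = host_id = None
    return {"class": cls, "network_bits": net_bits,
            "network_id": network_id, "host_id": host_id}

if __name__ == "__main__":
    # Constructed sample addresses (12.31.80.1 is the chapter's own example).
    for a in ("12.31.80.1", "147.34.28.103", "192.0.2.7", "224.0.0.1"):
        print(a, to_binary(a), classify(a))
```

A packet filter or log parser that accepts addresses from untrusted input should run them through the same validation as dotted_to_int does here; a malformed octet rejected at parse time never reaches the rule that compares it against a permitted range.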

Another important TCP/IP protocol is the user datagram protocol (UDP). Like TCP, UDP operates at the transport layer. The major difference between TCP and UDP is that UDP is a connectionless datagram protocol. UDP gives applications direct access to a datagram delivery service like the service IP provides. This allows applications to exchange data with a minimum of protocol overhead. The following figure illustrates the hierarchical relationship between IP and TCP/UDP and the applications that rely upon the protocols.

Figure: TCP/IP model.

The UDP protocol is best suited for applications that transmit small amounts of data, where the process of creating connections and ensuring delivery may be greater than the work of simply retransmitting the data. Another situation where UDP would be appropriate is when an application provides its own method of error checking and ensuring delivery.

Threats, Vulnerabilities, and Attacks

Now that we have reviewed some of the TCP/IP basics, we can proceed in our discussion of threats, vulnerabilities, and attacks. It is important to understand the difference between a threat, a vulnerability, and an attack in the context of network security.

Threats

A threat is anything that can disrupt the operation, functioning, integrity, or availability of a network or system. This can take any form and can be malevolent, accidental, or simply an act of nature.

Vulnerabilities

A vulnerability is an inherent weakness in the design, configuration, implementation, or management of a network or system that renders it susceptible to a threat. Vulnerabilities are what make networks susceptible to information loss and downtime. Every network and system has some kind of vulnerability.

Attacks

An attack is a specific technique used to exploit a vulnerability. For example, a threat could be a denial of service. A vulnerability is in the design of the operating system, and an attack could be a "ping of death." There are two general categories of attacks, passive and active. Passive attacks are very difficult to detect, because there is no overt activity that can be monitored or detected. Examples of passive attacks would be packet sniffing or traffic analysis. These types of attacks are designed to monitor and record traffic on the network. They are usually employed for gathering information that can be used later in active attacks. Active attacks, as the name implies, employ more overt actions on the network or system.

As a result, they can be easier to detect, but at the same time they can be much more devastating to a network. Examples of this type of attack would be a denial-of-service attack or active probing of systems and networks. Networks and systems face many types of threats. There are viruses, worms, Trojan horses, trap doors, spoofs, masquerades, replays, password cracking, social engineering, scanning, sniffing, war dialing, denial-of-service attacks, and other protocol-based attacks. It seems new types of threats are being developed every month. The following sections review the general types of threats that network administrators face every day, including specific descriptions of a few of the more widely known attacks.

Viruses

According to Computer Economics, Inc. (http://www.computereconomics.com), a computer research and analysis group, over $12 billion was spent worldwide in 1999 as a result of computer viruses. A virus, a parasitic program that cannot function independently, is a program or code fragment that is self-propagating. It is called a virus, because like its biological counterpart, it requires a "host" to function. In the case of a computer virus the host is some other program to which the virus attaches itself. A virus is usually spread by executing an infected program or by sending an infected file to someone else, usually in the form of an e-mail attachment. There are several virus scanning programs available on the market. Most are effective against known viruses. Unfortunately, however, they are incapable of recognizing and adapting to new viruses. In general, virus scanning programs rely on recognizing the "signature" of known viruses, turning to a database of known virus signatures that they use to compare against scanning results. The program detects a virus when a match is found. If the database is not regularly updated the virus scanner can become obsolete quickly. As one would expect, there is usually some lag time between the introduction of a new virus and a vendor updating its database. Invariably, someone always has the dubious distinction of being one of the early victims of a newly released virus.
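The signature-matching logic just described, run over constructed sample files. This is an added example, not code from the original text or from any scanner vendor; the signature database, the sample "files" and the signature names are made up for illustration and none of them is real malware. It shows both why a signature scanner catches what it knows and why a file the database has never seen passes until the vendor ships an update.

```python
import hashlib

# Added example (not from the original text): the signature-matching the chapter
# describes, over constructed samples. Database entries, sample contents and the
# "Demo.*" names are invented for illustration; nothing here is real malware.

# Two signature kinds: a whole-file hash (exact match) and a byte pattern (substring).
SIGNATURE_DB = {
    "hash": {
        hashlib.sha256(b"@ECHO OFF\r\nCOPY %0 C:\\STARTUP\\\r\n").hexdigest(): "Demo.Copier.A",
    },
    "pattern": {
        b"COPY %0 C:\\STARTUP\\": "Demo.Copier.gen",
    },
}

def scan_file(data: bytes, db: dict) -> list:
    """Return the names of every signature in `db` that matches `data`."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in db["hash"]:
        hits.append(db["hash"][digest])          # exact copy of a known sample
    for pattern, name in db["pattern"].items():
        if pattern in data:
            hits.append(name)                    # known fragment inside a different file
    return hits

def scan_all(files: dict, db: dict) -> dict:
    """Scan a mapping of filename -> bytes; only files with at least one hit are returned."""
    report = {}
    for name, data in files.items():
        hits = scan_file(data, db)
        if hits:
            report[name] = hits
    return report

def add_signature(db: dict, kind: str, key, name: str) -> None:
    """A vendor 'database update': register a new hash or pattern signature."""
    db[kind][key] = name

# Constructed samples: the known file, a variant with extra bytes appended, a file
# the database knows nothing about, and a clean document.
SAMPLES = {
    "known.bat":   b"@ECHO OFF\r\nCOPY %0 C:\\STARTUP\\\r\n",
    "variant.bat": b"@ECHO OFF\r\nCOPY %0 C:\\STARTUP\\\r\nREM v2\r\n",
    "unknown.bat": b"@ECHO OFF\r\nXCOPY %0 D:\\RUN\\\r\n",
    "clean.txt":   b"quarterly report\r\n",
}

if __name__ == "__main__":
    print("before update:", scan_all(SAMPLES, SIGNATURE_DB))
    # The vendor learns about the new file and ships a pattern for it.
    add_signature(SIGNATURE_DB, "pattern", b"XCOPY %0 D:\\RUN\\", "Demo.Copier.B")
    print("after update: ", scan_all(SAMPLES, SIGNATURE_DB))
```

The hash signature fails as soon as a single byte changes, which is why the variant is caught only by the pattern; the file the database has never seen is caught by neither until the update lands, which is the lag the text warns about. That gap is the reason signature updates are scheduled rather than left to chance.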

Worm

A worm is a self-contained and independent program that is usually designed to propagate or spawn itself on infected systems and to seek other systems via available networks. The main difference between a virus and a worm is that a virus is not an independent program. However, there are new breeds of computer bugs that are blurring the difference between viruses and worms. The Melissa virus is an example of this new hybrid. In 1999 the Melissa virus attacked many users of Microsoft products. It was spread as an attachment, but the virus spread as an active process initiated by the virus. It was not a passive virus passed along by unsuspecting users.

One of the first and perhaps the most famous worms was the Internet Worm created and released by Robert Morris. In 1986, Morris wrote his worm program and released it onto the Internet. The worm's functioning was relatively benign, but it still had a devastating effect on the Internet. The worm was designed to simply reproduce and infect other systems. Once released, the program would spawn another process. The other process was simply another running copy of the program. Then the program would search out other systems connected to the infected system and propagate itself onto the other systems on the network. The number of processes running grew geometrically. Figure 2.3 illustrates how the Internet worm grew and spread: one process spawned to become two processes, two processes spawned to become four processes, and four processes spawned to become eight. It didn't take very long for the spawning processes to consume all the CPU and memory resources until the system crashed. In addition, each time the processes spawned another, the processes would seek outside connections. The worm was designed to propagate, seek out other systems to infect them, and then repeat the process.

Figure 2.3: Internet worm.

Stopping the processes from growing was a simple matter of rebooting the system. However, system administrators found that they would reboot their systems and get them functioning again only to find them being reinfected by another system on the Internet. To stop the worm from reinfecting systems on the network, all of the systems had to be shut down at the same time or taken off-line. The cost to clean up the Internet worm was estimated to be in the tens of millions of dollars. Morris was arrested, prosecuted, and convicted for his vandalism.

Trojan Horses

A Trojan horse is a program or code fragment that hides inside a program and performs a disguised function. This type of threat gets its name from Greek mythology and the story of the siege of Troy. The story tells of how Odysseus and his men conquered Troy by hiding within a giant wooden horse. A Trojan horse program hides within another program or disguises itself as a legitimate program. This can be accomplished by modifying the existing program or by simply replacing the existing program with a new one. The Trojan horse program functions much the same way as the legitimate program, but usually it also performs some other function, such as recording sensitive information or providing a trap door. An example would be a password grabber program. A password grabber is a program designed to look and function like the normal login prompt that a user sees when first accessing a system. For example, in the screen depicted in the following figure, the user has entered the username john and the correct password. However, the system tells the user that the login is incorrect. When the user tries again it works and he or she is able to log on.

Figure: Trojan horse login.

In this example a Trojan horse designed to steal passwords is actually controlling the interaction. The standard login.exe has been replaced with a Trojan horse program. It looks like the standard login prompt, but what is actually occurring is that the first login prompt is the Trojan horse. When the username and password are entered, that information is recorded and stored. Then the Trojan horse program displays the "login incorrect" message and passes the user off to the real login program, so that he or she can actually log on to the system. The user simply assumes that he or she mistyped the password the first time, never knowing that his or her username and password have just been stolen.

Trap Doors

A trap door or back door is an undocumented way of gaining access to a system that is built into the system by its designer(s). It can also be a program that has been altered to allow someone to gain privileged access to a system or process. There have been numerous stories of vendors utilizing trap doors in disputes with customers. One example is the story of a consultant who was contracted to build a system for a company. The consultant designed a trap door into the delivered system. When the consultant and the company got into a dispute over payment, the consultant used the trap door to gain access to the system and disable the system. The company was forced to pay the consultant to get its system turned back on again.

Logic Bombs

A logic bomb is a program or subsection of a program designed with malevolent intent. It is referred to as a logic bomb, because the program is triggered when certain logical conditions are met. This type of attack is almost always perpetrated by an insider with privileged access to the network. The perpetrator could be a programmer or a vendor that supplies software.

As an example, I once heard a story about a programmer at a corporation who engineered this type of attack. Apparently, the programmer had been having some trouble at the company at which he worked and was on probation. Fearing that he might be fired and with vengeance in mind, he added a subroutine to another program. The subroutine was added to a program that ran once a month and was designed to scan the company's human resources employee database to determine if a termination date had been loaded for his employee record. If the subroutine found that a termination date had been loaded, then it was designed to wipe out the entire system by deleting all files on the disk drives. The program ran every month and so long as his employee record did not have a termination date then nothing would happen. In other words, if he were not fired the program would do no damage. Sure enough this stellar employee was fired, and the next time the logic bomb that he created ran it found a termination date in his employee record and wiped out the system. This is an example of how simple it can be, for one with privileged access to a system, to set up this type of attack.

Port Scanning

Like a burglar casing a target to plan a break-in, a hacker will often case a system to gather information that can later be used to attack the system. One of the tools that hackers often use for this type of reconnaissance is a port scanner. A port scanner is a program that probes the well-known port numbers to detect services running on a system that can be exploited to break into the system. There are several port-scanning programs available on the Internet at various sites. They are not difficult to find. Organizations can monitor their system log files to detect port scanning as a prelude to an attack. Most intrusion detection software monitors for port scanning. If you find that your system is being scanned you can trace the scan back to its origination point and perhaps take some pre-emptive action. However, some scanning programs take a more stealthy approach to scanning that is very difficult to detect. For example, some programs use a SYN scan, which employs a SYN packet to create a half-open connection that doesn't get logged. SYN packets and half-open connections will be detailed later in this chapter.
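The log-file monitoring recommended above, as detection logic run over constructed log lines. This is an added example, not code from the original text or from any intrusion detection product; the firewall-style line format, the addresses, the 60-second window and the ten-port threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the original text): the log-file monitoring the chapter
# recommends, over constructed firewall-style lines. Line format, addresses,
# window length and threshold are assumptions chosen for this example.

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_line(line: str):
    """Return a dict for a well-formed line, or None so callers can skip junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev

def detect_scans(lines, window=timedelta(seconds=60), min_ports=10):
    """Alert on a source that touches >= min_ports distinct ports within `window`.

    Only distinct ports count, so a busy but legitimate client that repeatedly
    connects to one service never trips the rule. Lines are assumed to be in
    time order, as a log file normally is.
    """
    recent = defaultdict(deque)   # src -> (ts, dport) events inside the window
    alerts = {}                   # src -> (time of first alert, ports seen so far)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()           # slide the window forward
        ports = {p for _, p in q}
        if len(ports) >= min_ports and ev["src"] not in alerts:
            alerts[ev["src"]] = (ev["ts"], sorted(ports))
    return alerts

# Constructed sample log: one host sweeping ports 20-34, one legitimate client
# hitting HTTPS repeatedly, and a malformed line that the parser must skip.
SAMPLE_LOG = (
    [f"2024-03-01T09:00:{i:02d} DENY src=203.0.113.5 dst=192.0.2.10 dport={20 + i} proto=TCP"
     for i in range(15)]
    + [f"2024-03-01T09:00:{i:02d} ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=443 proto=TCP"
       for i in range(15)]
    + ["kernel: link up on eth0"]
)

if __name__ == "__main__":
    for src, (when, ports) in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} at {when}: ports {ports}")
```

The SYN-scan caveat in the text applies to the application's own logs: a service never records a connection that is never completed. A perimeter device that logs every denied or unanswered SYN still sees the probes, so this rule is most useful on firewall or router logs rather than on the server's login records.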

Spoofs

Spoofs cover a broad category of threats. In general terms, a spoof entails falsifying one's identity or masquerading as some other individual or entity to gain access to a system or network or to gain information for some other unauthorized purpose. There are many different kinds of spoofs, including, among many others, IP address spoofing, session hijacking, domain name service (DNS) spoofing, sequence number spoofing, and replay attacks.

IP Address Spoofing

Every device on a TCP/IP network has a unique IP address. The IP address is a unique identification of the device, and no two devices on the network can have the same IP address. IP addresses are formatted as four decimal numbers separated by dots (e.g., 147.34.28.103). IP address spoofing takes advantage of systems and networks that rely on the IP address of the connecting system or device for authentication. For example, packet-filtering routers are sometimes used to protect an internal network from an external untrusted network. These routers will only allow specified IP addresses to pass from the external network to the internal network. If a hacker is able to determine an IP address that is permitted access through the router, he or she can spoof the address on the external network to gain access to the internal network. The hacker in effect masquerades as someone else.

Sequence Number Spoofing

TCP/IP network connections use sequence numbers. The sequence numbers are part of each transmission and are exchanged with each transaction. The sequence number is based upon each computer's internal clock, and the number is predictable because it is based on a set algorithm. By monitoring a network connection, a hacker can record the exchange of sequence numbers and predict the next set of sequence numbers. With this information, a hacker can insert himself or herself into the network connection and, effectively, take over the connection or insert misinformation. The best defense against sequence number spoofing is to encrypt a connection. Encrypting a connection prevents anyone who may be monitoring the network from being able to determine the sequence numbers or any other useful information.

Session Hijacking

Session hijacking is similar to sequence number spoofing. In this process, a hacker takes over a connection session, usually between a client user and a server. This is generally done by gaining access to a router or some other network device acting as a gateway between the legitimate user and the server and utilizing IP spoofing. Since session hijacking usually requires the hacker to gain privileged access to a network device, the best defense to take is to properly secure all devices on the network.

DNS

Domain Name Service (DNS) is a hierarchical name service used with TCP/IP hosts that is distributed and replicated on servers across the Internet. It is used on the Internet and on intranets for translating between host names and IP addresses. The host names can be used in URLs. DNS can be thought of as a lookup table that allows users to specify remote computers by host names rather than their IP addresses. The advantage of DNS is that you don't have to know the IP addresses for all the Internet sites to access the sites. DNS can be configured to use a sequence of name servers, based on the domains in the name being sought, until a match is found. The most commonly deployed DNS server software on the Internet is BIND. DNS is subject to several different spoofs. Two common ones are the man in the middle (MIM) and DNS poisoning. Redirects, another less common attack, rely on the manipulation of the domain name registry itself to redirect a URL.

Man in the Middle Attack (MIM)

In a MIM attack, a hacker inserts himself or herself between a client program and a server on a network. By doing so the hacker can intercept information entered by the client, such as credit card numbers, passwords, and account information. Under one execution of this scheme, a hacker would place himself or herself between a browser and a Web server. The MIM attack, which is also sometimes called Web spoofing, is usually achieved by DNS or hyperlink spoofing. There are several ways a hacker can launch a MIM attack.

One way is to register a URL that is very similar to an existing URL. For example, a hacker could register a URL that is a common misspelling of www.microsoft.com. When someone who wants to go to the Microsoft Web site at www.microsoft.com mistakenly types in the misspelled URL, they would be brought to a Web site set up by the hacker to look like the Microsoft Web site. The following figure illustrates how the process works.

Figure: MIM.

To Web surfers everything would look normal. They would interact with the counterfeit Web site just as they would with the real site. As the Web surfer enters in choices and information the hacker's Web site can even pass it on to the real site and pass back to the Web surfer the screens that the real site returns.

DNS Poisoning

Another method that can be used to launch this attack is to compromise a DNS server. One method for doing so is known as DNS poisoning. DNS poisoning exploits a vulnerability in early versions of the Berkeley Internet Name Daemon (BIND). BIND, the most commonly deployed DNS software on the Internet, was developed for BSD UNIX. A network of Internet BIND servers translates native Internet IP addresses to the commonly used names such as www.ggu.edu for Golden Gate University. Prior to version 8.1 of BIND, it was possible to "poison" the table entries of a DNS server with false information. The information could include a false IP address for a DNS entry in the server's table.

The result could be that when someone used that DNS server to "resolve" the URL name, he or she would be directed to the incorrect IP address. By compromising a DNS server, a hacker can make a legitimate URL point to the hacker's Web site. The Web surfer might enter in www.amazon.com expecting to go to the Amazon.com Web site to purchase a book. The URL www.amazon.com normally points to xxx.xxx.xxx.xxx, but the hacker has compromised a DNS server to point that URL to his or her server. As a result, the Web surfer is brought to the hacker's site and not to Amazon.com.

Redirects

Under another method of DNS attack, hackers compromise a link on someone else's page or set up their own page with false links. In either case, the link could state that it is for a legitimate site, but in reality the link brings the Web surfer to a site set up and controlled by the hacker that looks like the site the Web surfer was expecting. If all other attempts fail, a hacker can try manipulating the domain name registry system originally maintained by the InterNIC. In 1999, on at least three occasions, hackers were able to transfer domain names or redirect Internet surfers to sites other than the ones they were attempting to access. In one case Network Solutions' own DNS entry was altered, so that when users entered in the Network Solutions URL they were redirected to another site. In at least three other cases hackers were able to transfer ownership of domain names to other IP addresses. Once the ownership was transferred and the NSI database altered, anyone attempting to access those domains would be redirected to the new sites. In one case the domain for excite.com was transferred to an unsuspecting site that found itself inundated with the millions of hits that excite.com normally receives. In other cases the ownership of the domains for the Ku Klux Klan and another site opposed to homosexuality called godhatesfags.com were transferred. Ownership of the Ku Klux Klan site was transferred to a site dedicated to fighting bigotry. Ironically, the godhatesfags.com domain was transferred to a site with the domain godlovesfags.com, a site that went on-line to appeal for tolerance.

No individuals from the sites to which the domains were redirected were involved with the manipulation of the domain name registry system. When employing the MIM attack, a hacker's false or counterfeit site can actually pass the client's requests on to the real site and return to the client the requested pages from the real site. All the while the hacker is monitoring and recording the interaction between the client and the server. There is really no effective countermeasure to MIM. This attack can even be successful when encryption, such as SSL, is being employed. It only requires the hacker to obtain a valid digital certificate to load on his or her server, so that SSL can be enabled. Web surfers need only to be careful about where they are browsing, confirming links and only trusting links from a secure and trusted site. Note that there are other methods to execute a redirect or MIM attack. For example, certain operating systems such as Microsoft's Windows 95, 98, and 2000 and Sun's Solaris have an inherent vulnerability in their implementation of the Internet Control Message Protocol (ICMP) Router Discovery Protocol (IRDF); ICMP is an integral part of the TCP/IP protocol suite. Hackers can exploit this vulnerability by rerouting or modifying outbound traffic as they choose. A key limitation on an attack using this vulnerability is that the attacker must be on the same network as the targeted system.

Replay Attack

A hacker executes a replay attack by intercepting and storing a legitimate transmission between two systems and retransmitting it at a later time. Theoretically, this attack can even be successful against encrypted transmissions. The best defense to this attack is to use session keys, check the time stamp on all transmissions, and employ time-dependent message digests. This will be discussed further in.
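The three defenses named above (a session key, a checked time stamp and a time-dependent message digest) combined into one message format, as an added example that is not code from the original text. The session key, the clock values and the payloads are constructed; the digest is an HMAC-SHA256 over the time stamp, a nonce and the payload, and the receiver additionally remembers nonces for the length of the acceptance window so that a copy replayed a few seconds later, inside the window, is still refused.

```python
import hashlib
import hmac
import os

# Added example (not from the original text): replay protection built from the
# three measures the chapter names. Session key, clock values and payloads are
# constructed for illustration; a real key comes from a key exchange.

SESSION_KEY = b"constructed-session-key-0123456789"
MAX_SKEW = 30   # seconds a message's time stamp may differ from the receiver's clock

def make_message(key: bytes, payload: bytes, now: int, nonce: bytes = None) -> bytes:
    """Build  timestamp|nonce|payload|HMAC  where the HMAC covers everything before it."""
    nonce = nonce if nonce is not None else os.urandom(8)
    body = f"{now}|{nonce.hex()}|".encode() + payload
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

class Receiver:
    """Checks digest, freshness and uniqueness; remembers nonces only for the window."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}   # nonce -> time stamp, pruned once outside the window

    def accept(self, msg: bytes, now: int):
        try:
            body, tag = msg.rsplit(b"|", 1)          # the tag never contains '|'
            ts, nonce, payload = body.split(b"|", 2) # payload may contain '|'
            ts = int(ts)
        except ValueError:
            return (False, "malformed")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return (False, "bad digest")             # forged, altered, or another session's key
        if abs(now - ts) > self.max_skew:
            return (False, "stale timestamp")        # recorded earlier and replayed too late
        for old, old_ts in list(self.seen.items()):
            if now - old_ts > self.max_skew:
                del self.seen[old]                   # its time stamp would be rejected anyway
        if nonce in self.seen:
            return (False, "replayed nonce")         # replayed inside the window
        self.seen[nonce] = ts
        return (True, payload)

if __name__ == "__main__":
    t0 = 1_700_000_000
    rx = Receiver(SESSION_KEY)
    m = make_message(SESSION_KEY, b"transfer 100 to acct 42", t0)
    print(rx.accept(m, t0 + 1))      # accepted
    print(rx.accept(m, t0 + 5))      # same bytes again: replayed nonce
    print(rx.accept(m, t0 + 3600))   # same bytes an hour later: stale timestamp
```

The order of the checks matters: the digest is verified first, so an attacker cannot cheaply exhaust the nonce table or skew the clock window with messages that were never authentic, and the nonce table only has to remember the last max_skew seconds because anything older fails the time stamp check on its own.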

Password Cracking

Password cracking is sometimes called a dictionary-based attack. Password crackers are programs that decipher password files. Password-cracking programs are available for most network and computer operating systems. They are able to decipher password files by utilizing the same algorithm used to create the encrypted password. They generally employ a dictionary of known words or phrases, which are also encrypted with the password algorithm. The password crackers compare each record in the password file against each record in the dictionary file to find a match. When a match is found, a password is found.

Sniffing

Network sniffing or packet sniffing is the process of monitoring a network in an attempt to gather information that may be useful in an attack. With the proper tools a hacker can monitor the network packets to obtain passwords or IP addresses. Many vendors manufacture hardware and software for legitimate purposes that can be abused by hackers. The only comforting fact about these products is that hackers usually can't afford them. They can, however, steal them. There are also some common utilities available and programs that can be downloaded from hacker sites such as tcpmon, tcpdump, or gobbler. Network Associates' Sniffer Pro is an example of a commercially available product. Password sniffing is particularly a threat for users who log into Unix systems over a network. Telnet or rlogin is usually employed when logging onto a Unix system over a network. Telnet and rlogin do not encrypt passwords. As a result, when a user enters in his or her password, it is transmitted in the clear, meaning anyone monitoring the network can read it. In contrast, both Novell and Windows NT workstations encrypt passwords for transmission. There are many tools available to reduce the risk of packet sniffing including secure shell (ssh) and VPNs. However, useful information can still be discerned from a network that is completely encrypted. Sometimes even simple traffic analysis can provide useful information. Being able to identify the systems that have the most activity can be of great value.

Employing network switches instead of traditional hubs is another method to reduce the risk of network sniffing. There are also tools available that purport to detect unauthorized packet sniffers on a network. Typically, these products detect the characteristics of a network interface card (NIC) configured for promiscuous mode, which can be used to packet sniff a network. However, these systems can be countered by simply cutting the send wire on the NIC's cable. By doing so the NIC cannot send packets onto the network. Therefore, the sniffer detection programs will not be able to detect the NIC configured for promiscuous mode.

Web Site Defacement

Web site defacements are usually achieved by exploiting some incorrect configuration or known vulnerability of the Web server software, or by exploiting some other protocol-based vulnerability of the server's operating system. An organization's best defense against Web site defacement is to maintain the most recent versions of its Web server software and the server's operating system. Also, an organization should ensure that its Web administrator is properly trained to install and maintain the software. Some organizations have taken more creative approaches to ensuring the integrity of their Web sites by deploying network cache servers that update the Web servers. The cache server mirrors a particular Web site and periodically refreshes the Web server with the original image of the system. If the Web site is defaced by a hacker, the cache server will overwrite the hacker's changes when it pushes the Web site refresh out to the Web server.

War Dialing

War dialing is a brute-force method of finding a back door into an organization's network. It is particularly effective against a perimeter defense. Most organizations have telephone numbers that are within a specified range and begin with the same prefix. For example, let's consider a fictitious company called Acme Networks. All of the company's telephone numbers begin with 895; there are 4,000 extensions; and the first extension is 1000. The range of telephone numbers for Acme Networks begins at 595-1000 and ends at 595-5000. War dialing usually employs an automated dialing system (a program) to call every telephone number for the organization, searching for modem connections.

The program logs a telephone number whenever it finds a modem. Later, after the program has called every extension, the hacker can review the log for modems and go back and attempt to break into the system to which the modem is connected to gain access to the network. This method almost always works for large organizations. When dealing with a company with several thousand telephone numbers, the odds are with the hacker that some of them are connected to modems.

I worked for a large company that hired one of the big consulting firms to test the company's network security. The consulting firm was unsuccessful at penetrating the corporate firewall. However, it employed war dialing and identified several telephone numbers that were connected to modems. One of the modems was connected to a PC running PC Anywhere, which had been enabled to allow someone to dial into the office from home. The consultants were able to gain access to the network by exploiting a flaw in an early version of PC Anywhere that allowed a user to bypass the password protection. Once on the network the consultant was able to compromise almost every system it hit, and no one detected the illicit activity. The one exception was my group; we detected the activity on the systems for which we were responsible and made inquiries into the source of the activity. It was then that we were told that it had been a test of the corporate network security.

The source code for war dialing programs may be obtained easily at many hacker sites. Some of the programs available are ToneLoc, PhoneTap, and Blue Deep. If you are a programmer, you may be interested in viewing the code, but I do not recommend using these programs. A word of warning is necessary here: you should always be careful when downloading programs on the Web, but when downloading from hacker sites you need to be especially careful. To understand why, simply reread the section on Trojan horses.

Denial of Service

Denial-of-service attacks are designed to shut down or render inoperable a system or network. The goal of the denial-of-service attack is not to gain access or information but to make a network or system unavailable for use by other users. It is called a denial-of-service attack, because the end result is to deny legitimate users access to network services. Such attacks are often used to exact revenge or to punish some individual or entity for some perceived slight or injustice. Unlike real hacking, denial-of-service attacks do not require a great deal of experience, skill, or intelligence to succeed. As a result, they are usually launched by nerdy, young programmers who fancy themselves to be master hackers. There are many different types of denial-of-service attacks. The following sections present four examples: ping of death, "synchronize sequence number" (SYN) flooding, spamming, and smurfing. These are examples only and are not necessarily the most frequently used forms of denial-of-service attacks.

Ping of Death

The ping-of-death attack, with its melodramatic name, is an example of how simple it can be to launch a denial-of-service attack once a vulnerability has been discovered. Those who originally discover a vulnerability deserve credit, but it takes no great skill or intelligence to exploit it. To better understand how the ping of death worked or works we need to once again review some TCP/IP basics. The ping of death exploited a flaw in many vendors' implementations of ICMP. ICMP is part of the IP of TCP/IP and operates at the Internet layer using the IP datagram to deliver messages; ping is a TCP/IP command that simply sends out an IP packet to a specified IP address or host name to see if there is a response from the address or host. It is often used to determine if a host is on the network or alive. The typical ping command syntax would be

    ping 145.34.35.56

or

    ping www.acme.net

Many operating systems were or are vulnerable to larger-than-normal ICMP packets. As a result, specifying a large packet in a ping command can cause an overflow in some systems' internals that can result in system crashes. The command syntax would vary depending on the operating system you were using. Below are two examples, one for Windows and the other for Sun Solaris.

    Windows: ping -l 65527 -s 1 hostname
    Solaris: ping -s hostname 65527

Normally it requires a flood of pings to crash a system. Moreover, from firsthand experience I have found that you are just as likely to crash the system from which you are launching the attack as you are to crash the system you are targeting. Nevertheless, the ping-of-death approach may still constitute an effective denial-of-service attack. Once this vulnerability was discovered, most vendors issued operating system patches to eliminate the problem.

SYN Flooding

SYN flooding is a denial-of-service attack that exploits the three-way handshake that TCP/IP uses to establish a connection. Basically, SYN flooding disables a targeted system by creating many half-open connections. The following figure illustrates how a typical TCP/IP connection is established.

Figure: Normal TCP/IP handshake.

In the c!ient transmits to the ser:er the SKN &it set. #his te!!s the ser:er that the c!ient wishes to esta&!ish a connection and what the starting se;uence num&er wi!! &e for the c!ient. #he ser:er sends &ack to the c!ient an acknow!edgment (SKN"ACM) and confirms its starting se;uence num&er. #he c!ient acknow!edges (ACM) receipt of the ser:er>s transmission and &egins the transfer of data. 2ith SKN f!ooding a hacker creates many ha!f"open connections &y initiating the connections to a ser:er with the SKN num&er &it. owe:er$ the return address that is associated with the SKN wou!d not &e a :a!id address. #he ser:er wou!d send a SKN"ACM &ack to an in:a!id address that wou!d not e?ist or respond. ,sing a:ai!a&!e programs$ the hacker wou!d transmit many SKN packets with fa!se return addresses to the ser:er. #he ser:er wou!d respond to each SKN with an acknow!edgment and then sit there with the connection ha!f"open waiting for the fina! acknow!edgment to come &ack. 6o!!owing 6igure i!!ustrates how SKN f!ooding works. SKN f!ooding e?change.


The result of this type of attack can be that the system under attack is not able to accept legitimate incoming network connections, so that users cannot log onto the system. Each operating system has a limit on the number of connections it can accept. In addition, the SYN flood may exhaust system memory, resulting in a system crash. The net result is that the system is unavailable or nonfunctional. One countermeasure for this form of attack is to set the SYN-related timers low so that the system closes half-open connections after a relatively short period of time. With the timers set low, the server will close the connections even while the SYN flood attack opens more.

SPAM

SPAM is unwanted e-mail. Anyone who has an e-mail account has received SPAM. Usually it takes the form of a marketing solicitation from some company trying to sell something we don't want or need. To most of us it is just an annoyance, but against a server it can also be used as a denial-of-service attack. By inundating a targeted system with thousands of e-mail messages, SPAM can eat available network bandwidth, overload CPUs, cause log files to grow very large, and consume all available disk space on a system. Ultimately, it can cause a system to crash. SPAM can also be used as a means to launch an indirect attack on a third party. SPAM messages can contain a falsified return address, which may be the legitimate address of some innocent, unsuspecting person. As a result, the innocent person whose address was used as the return address may be spammed by all the individuals targeted in the original SPAM. E-mail filtering can prevent much unwanted e-mail from getting through. Unfortunately, it frequently filters out legitimate e-mail as well.

Smurf Attack

The smurf attack is named after the source code employed to launch the attack (smurf.c). The smurf attack employs forged ICMP echo request packets and directs those packets to IP network broadcast addresses.
The attack issues the ICMP ECHO_REQUEST to the broadcast address of another network. The attack spoofs as the source address the IP address of the system it wishes to target. The following figure illustrates how a smurf attack works.

Figure: Smurf attack.

When the systems on the network to whose broadcast address the ECHO_REQUEST is sent receive the packet with the falsified source address (i.e., the return address), they respond, flooding the targeted victim with the echo replies. This flood can overwhelm the targeted victim's network. Both the intermediate and the victim's networks will see degraded performance. The attack can eventually result in the inoperability of both networks. There are steps that the intermediate network can take to prevent itself from being used in this way. The steps include configuring network devices not to respond to ICMP ECHO_REQUESTs and preventing IP directed broadcasts from passing through the network routers. There are really no steps that the targeted victim can take to prevent this kind of attack. The only defense, once an organization determines that it is the victim of an attack, is contacting the intermediate network to stop the ECHO_REQUESTs from being relayed.


Denial-of-service attacks are the most difficult to defend against, and, of the possible attacks, they require the least amount of expertise to launch. In general, an organization should monitor for anomalous traffic patterns, such as SYN-ACKs with no returning ACKs. Since most routers filter incoming and outgoing packets, router-based filtering is the best defense against denial-of-service attacks. Organizations should use packet filters that filter based on destination and sender address. In addition, they should always use SPAM/sendmail filters. Keep in mind that there is a tradeoff with packet and mail filtering. The filtering that is performed to detect denial-of-service attacks will slow network performance, which may frustrate an organization's end users and slow its applications. In addition, mail filtering will bounce some e-mails that really should be allowed through, which may also aggravate end users.

Search Engines

Finally, the various Internet search engines can be a great resource when looking for information on network and system security. There are literally thousands of sites on the Internet that provide useful information. The nice thing about using the search engines is that you can tailor your search to a specific topic. If you want information on Windows NT IIS, you don't want to have to wade through pages about Unix security or Netscape Enterprise Server. There is plenty of information out there on the Internet; the only problem with much of it is that you have no way of determining its quality or the reliability of the source.
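The monitoring recommended above for SYN-ACKs that never receive a returning ACK, as an added example that is not part of the original text: it tracks half-open connections per server over a constructed segment trace, applies the low SYN timer the text suggests as a countermeasure, and raises an alert when the backlog exceeds a threshold. The addresses, timer and threshold values are assumptions.

```python
from collections import defaultdict

SERVER = "192.0.2.5"   # constructed address of the server being watched


def build_sample():
    """Constructed traffic: one completed handshake, then 40 SYNs from spoofed
    clients whose SYN-ACKs are never answered, so each stays half-open.
    Each record is (seconds, src_ip, dst_ip, flags)."""
    segs = [
        (0.0, "203.0.113.10", SERVER, "SYN"),
        (0.1, SERVER, "203.0.113.10", "SYN-ACK"),
        (0.2, "203.0.113.10", SERVER, "ACK"),
    ]
    for i in range(1, 41):
        client = f"198.51.100.{i}"
        segs.append((1.0 + i * 0.01, client, SERVER, "SYN"))
        segs.append((1.0 + i * 0.01 + 0.001, SERVER, client, "SYN-ACK"))
    return segs


def half_open(segments, syn_timer):
    """Count, per server, the connections still waiting for the client's ACK.

    A connection is keyed (client, server). It becomes half-open when the
    server's SYN-ACK is seen and closes when the matching ACK arrives. Entries
    older than syn_timer are treated as already reaped by the server's timer,
    which is the countermeasure the text recommends.
    """
    pending = {}
    now = 0.0
    for t, src, dst, flags in sorted(segments):
        now = t
        if flags == "SYN-ACK":
            pending[(dst, src)] = t            # server src answered client dst
        elif flags == "ACK":
            pending.pop((src, dst), None)      # handshake completed
    counts = defaultdict(int)
    for (client, server), t in pending.items():
        if now - t < syn_timer:
            counts[server] += 1
    return dict(counts)


def syn_flood_alerts(segments, syn_timer=3.0, threshold=20):
    """Servers whose half-open backlog exceeds the threshold: the
    SYN-ACK-without-ACK pattern the text says to watch for."""
    return {srv: n for srv, n in half_open(segments, syn_timer).items() if n > threshold}
```

With the default 3-second timer all 40 spoofed connections count against the server; with a 0.105-second timer only the 11 most recent remain and no alert fires, which is the effect of the low-timer countermeasure.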


3. Encryption and Decryption Security Systems.

Traditionally, cryptography conjures up thoughts of spies and secret codes. In reality, cryptography and encryption have found broad application in society. Every time you use an ATM machine to get cash or a point-of-sale machine to make a purchase, you are using encryption. Encryption is the process of scrambling the contents of a file or message to make it unintelligible to anyone not in possession of the "key" required to unscramble it. Civilizations have been using various cryptosystems for at least 4,000 years. A cryptosystem or algorithm is the process or procedure to turn plaintext into cryptotext. A crypto algorithm is also known as a "cipher." There are several key elements that go into making an effective cryptosystem. First and foremost, it must be reversible. A crypto algorithm is of no practical use if, once you have scrambled your information, you cannot unscramble it. The security of the cryptosystem should depend on the secrecy and length of the key and not on the details of the algorithm. In other words, knowing the algorithm should not make it significantly easier to crack the code (restricted versus unrestricted). If security depends on keeping the algorithm secret, then it is considered a "restricted" algorithm. It is also important that the algorithm has been subjected to substantial cryptanalysis. Only those algorithms that have been analyzed completely and at length are trustworthy. The algorithm should contain no serious or exploitable weakness. Theoretically, all algorithms can be broken by one method or another. However, an algorithm should not contain an inherent weakness that an attacker can easily exploit. Below is an example of a cipher; to scramble a message with this cipher, simply match each letter in a message to the first row and convert it into the number or letter in the second row.
To unscramble a message, match each letter or number in a message to the corresponding number or letter in the second row and convert it into the letter in the first row.

ABCDEFGHIJKLMNOPQRSTUVWXYZ
123456ABCDEFGHIJKLMNOPQRST


To illustrate how this works, see the following, where the cipher is used to scramble the message "Little green apples."

• Cipher text: FCNNF5 AL55H 1JJF5M
• Clear text: LITTLE GREEN APPLES.

This rudimentary cipher would not be effective at keeping a message secret for long. It does not comply with one of the qualities of a truly effective cipher, namely that knowing the algorithm should not make it significantly easier to crack the code. This is an example of a restricted algorithm. In this case, the cipher is the code. Once you know the cipher, you can unscramble any message. Ciphers usually fall into one of two categories: block ciphers or stream ciphers.

Stream Ciphers

Stream cipher algorithms process plaintext to produce a stream of ciphertext. The cipher inputs the plaintext as a stream and outputs a stream of ciphertext. The following figure illustrates the concept of the stream cipher's function.

Figure: Stream cipher.


Stream ciphers have several weaknesses. The most crucial shortcoming of stream ciphers is the fact that patterns in the plaintext can be reflected in the ciphertext. To illustrate this weakness we can use the rudimentary cipher introduced earlier in the chapter. Below, I have scrambled the plaintext message "Let us talk one to one" into ciphertext to compare the two patterns:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
123456ABCDEFGHIJKLMNOPQRST

• Plaintext: Let us talk one to one.
• Ciphertext: F5n om n1fe ih5 ni ih5.

Patterns in the plaintext are reflected in the ciphertext. Words and letters that are repeated in the plaintext are also repeated in the ciphertext. Knowing that certain words repeat makes breaking the code easier. In addition, certain words in the English language appear with predictable regularity. Letters of the alphabet also appear with predictable regularity. The most commonly used letters of the alphabet in the English language are E, T, A, O, N, and I. The least commonly used letters in the English language are P, K, X, Q, and Z. The most common combination of letters in the English language is "th." As a result, if a code breaker is able to find a "t" in a code, it doesn't take long to find an "h." It is not hard for a trained code breaker to break this type of code. Another weakness of stream ciphers is that they can be susceptible to a substitution attack even without breaking the code. This is a type of replay attack where someone can simply copy a section of an old message and insert it into a new message. You don't need to break the code to insert the old section into a new message. Examples of stream ciphers include the Vernam cipher, Rivest cipher #4 (RC4), and one-time pads.
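The two-row cipher from the table above, as an added example in Python that is not part of the original text. It reproduces both ciphertexts given in the text and then makes the pattern leak concrete: repeated words keep their repetition pattern, and on a longer constructed English sentence the most frequent ciphertext symbol is the image of E and the most frequent pair is the image of "th", which is exactly what a frequency-analysing code breaker relies on.

```python
from collections import Counter

# The two rows as printed on the page: a letter in ROW1 is replaced by the
# symbol directly beneath it in ROW2.
ROW1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROW2 = "123456ABCDEFGHIJKLMNOPQRST"
ENC = dict(zip(ROW1, ROW2))
DEC = dict(zip(ROW2, ROW1))

# Constructed sample sentence used only for the frequency demonstration.
SAMPLE_TEXT = ("the quick brown fox jumps over the lazy dog while the other "
               "three watch them then the fox and the dog ran together")


def encrypt(plaintext: str) -> str:
    """Scramble letter by letter; case is kept when the output is a letter."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            sym = ENC[ch.upper()]
            out.append(sym.lower() if ch.islower() else sym)
        else:
            out.append(ch)            # spaces and punctuation pass through
    return "".join(out)


def decrypt(ciphertext: str) -> str:
    """Reverse the table. Digits carry no case, so A-F come back as capitals."""
    out = []
    for ch in ciphertext:
        if ch.upper() in DEC:
            letter = DEC[ch.upper()]
            out.append(letter.lower() if ch.islower() else letter)
        else:
            out.append(ch)
    return "".join(out)


def word_pattern(text: str) -> tuple:
    """Index words by first appearance: 'one to one' -> (0, 1, 0).
    A substitution cipher leaves this pattern unchanged."""
    seen = {}
    return tuple(seen.setdefault(w, len(seen)) for w in text.split())


def symbol_frequencies(text: str) -> list:
    """(symbol, count) pairs, most common first, ignoring spaces/punctuation."""
    return Counter(c for c in text.upper() if c.isalnum()).most_common()


def most_common_digraph(text: str) -> str:
    """Most frequent adjacent pair within words; 'th' maps to 'NB' here."""
    pairs = Counter()
    for word in text.upper().split():
        pairs.update(word[i:i + 2] for i in range(len(word) - 1))
    return pairs.most_common(1)[0][0]
```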


Block Ciphers

Block ciphers differ from stream ciphers in that they encrypt and decrypt information in fixed-size blocks rather than encrypting and decrypting each letter or word individually. A block cipher passes a block of data or plaintext through its algorithm to generate a block of ciphertext. Ideally, a block cipher should generate ciphertext roughly equivalent in size (in terms of number of blocks) to the cleartext. A cipher that generates a block of ciphertext that is significantly larger than the information it is trying to protect is of little practical value. Think about it in terms of network bandwidth: if the ciphertext block were twice the size of the plaintext, the net effect is that your bandwidth would be cut in half. This would also have an impact on files stored in an encrypted format. An unencrypted file 10 MB in size would be 20 MB in size when encrypted.

Breaking Ciphers

For as long as ciphers have existed, there have been people trying to break them. There are many methods employed to break ciphers. Some methods are ingenious. Some are sophisticated and technical in nature, while others are more crude. The following sections describe some of the more widely used techniques employed in breaking ciphers.

Known Plaintext Attack

This method relies on the code breaker knowing in advance the plaintext content of a ciphertext message. Having both the plaintext and the ciphertext, the code breaker reengineers the cipher and the key used to create the ciphertext.


Chosen Plaintext Attack

This method relies on the ability of the code breaker to somehow get a chosen plaintext message encrypted. During World War II the United States used a variation of this method to ascertain the plans of the Japanese navy in the Pacific. Right after Pearl Harbor the U.S. Pacific Fleet was forced to fight what was primarily a defensive war. The U.S. Pacific Fleet had been devastated by the Japanese surprise attack on Pearl Harbor, and all that was left of the fleet were three aircraft carriers and a handful of supporting ships. The United States had some success in breaking the Japanese codes. The U.S. Navy had determined that the Japanese were planning to attack a location referred to in their transmissions as "AF." The United States suspected that site AF was Midway Island. To determine if AF was, in fact, Midway, the United States ordered that a message be transmitted from Midway stating that the island's water condenser had broken down. The message was to be sent in the clear so that there would be no chance that the Japanese could fail to intercept it. Sure enough, the Japanese took the bait. A few days later, the United States intercepted a Japanese coded message stating that AF's water condenser had failed. From that message the United States knew that the Japanese were going to attack Midway. As a result, the United States was able to send what was left of the Pacific Fleet to Midway, where they ambushed the Japanese carrier task force. The United States sank four of the Japanese frontline aircraft carriers. It was a strategic victory for the United States in the Pacific from which the Japanese navy never recovered. From that point on, it was the Japanese Navy that was forced to fight a defensive war.


Cryptanalysis

Technically, any method employed to break a cipher or code is cryptanalysis. However, when I refer to cryptanalysis I am specifically talking about employing mathematical analysis to break a code. This method requires a high level of skill and sophistication. It is usually only employed by academics and governments. Today it relies very heavily on the use of ultrafast supercomputers. Probably the most active and successful organization in the world dedicated to breaking codes is the National Security Agency (NSA). This is the largest and most secret spy agency in the United States. It is sometimes referred to as the Puzzle Palace, because the group spends so much time and energy on codes and ciphers. The NSA employs tens of thousands of people. The only comparable organization in the world ever to have existed in terms of size is the former Soviet Union's KGB. But with the breakup of the Soviet Union, the NSA is now left without peers.

Brute Force

The brute force method tries every possible combination of keys or algorithms to break a cipher. Doing so can require tremendous resources. Usually, this type of attack requires computer assistance. If the algorithm is simple or the key is small, then the CPU resources required could be provided by a simple PC. If the algorithm is sophisticated or the key is large, then advanced computing power might be required.

Social Engineering

This method relies on breaking a cipher by getting someone knowledgeable about the cipher to reveal information on how to break it. Bribing someone, tricking him or her into divulging information, or threatening him or her with harm can reveal information. When the threat of harm is employed it is sometimes referred to as rubber-hose cryptanalysis.


Other Types of Attacks

Some other types of attacks are discussed as follows.

• Substitution: This is a type of replay attack where a previous message, in part or in whole, is inserted into a legitimate message. An attacker does not need to break the cipher for this type of attack to be effective.
• Timing attacks: Some cryptosystems can be broken if an outsider is able to accurately measure the time required to perform the encryption and decryption of a known ciphertext. The known ciphertext and the timing provide enough information to deduce fixed exponents and factors of some systems. This vulnerability is mostly theoretical. If an attacker has enough access to a network to be able to accurately measure the time required to encrypt and decrypt information, then you have other and bigger problems to worry about.

Encryption

Encryption is the process of scrambling the contents of a file or message to make it unintelligible to anyone not in possession of the "key" required to unscramble the file or message. There are two types of encryption: symmetric (private/secret) key and asymmetric (public) key encryption.

Symmetric Key Encryption

When most people think of encryption, it is symmetric key cryptosystems that they think of. Symmetric key, also referred to as private key or secret key, is based on a single key and algorithm being shared between the parties who are exchanging encrypted information. The same key both encrypts and decrypts messages. This concept is illustrated in the following figure.

Figure: Symmetric key encryption.


The strength of the scheme is largely dependent on the size of the key and on keeping it secret. Generally, the larger the key, the more secure the scheme. In addition, symmetric key encryption is relatively fast. The main weakness of the system is that the key or algorithm has to be shared. You can't share the key information over an unsecured network without compromising the key. As a result, private key cryptosystems are not well suited for spontaneous communication over open and unsecured networks. In addition, symmetric key provides no process for authentication or nonrepudiation. Remember, nonrepudiation is the ability to prevent individuals or entities from denying (repudiating) that a message was sent or received or that a file was accessed or altered, when in fact it was. This ability is particularly important when conducting e-commerce.

Data Encryption Standard (DES)

DES is one of the oldest and most widely used algorithms. DES was developed by IBM with the encouragement of the NSA. It was originally deployed in the mid 1970s. DES consists of an algorithm and a key. The key is a sequence of eight bytes, each containing eight bits, for a 64-bit key. Since each byte contains one parity bit, the key is actually 56 bits in length. According to author James Bamford in his book The Puzzle Palace, IBM originally intended to release the DES algorithm with a 128-bit key, but the NSA convinced IBM to release it with the 56-bit key instead. Supposedly this was done to make it easier for the NSA to decrypt covertly intercepted messages.

DES is widely used in automated teller machine (ATM) and point-of-sale (POS) networks, so if you use an ATM or debit card you are using DES. DES has been enhanced with the development of triple DES. However, DES has been broken. It is gradually being phased out of use.

International Data Encryption Algorithm (IDEA)

IDEA is a symmetric key block cipher developed at the Swiss Federal Institute in the early 1990s. IDEA utilizes a 128-bit key. Supposedly, it is more efficient to implement in software than DES and triple DES. Since it was not developed in the United States, it is not subject to U.S. export restrictions.

CAST

The CAST algorithm supports variable key lengths, anywhere from 40 bits to 256 bits in length. CAST uses a 64-bit block size, which is the same as DES, making it a suitable drop-in replacement. CAST has been reported to be two to three times faster than a typical implementation of DES and six to nine times faster than a typical implementation of triple DES. The CAST algorithm was developed by Carlisle Adams and Stafford Tavares and patented by Entrust Technologies, but a version of the CAST algorithm is available for free commercial and noncommercial use. CAST is employed in Pretty Good Privacy (PGP).

Rivest Cipher #4 (RC4)

Developed by Ron Rivest of RSA fame, RC4 is a stream cipher that uses a variable-size key. However, when used with a key of 128 bits it can be very effective. Until recently, the approved export version only used a 40-bit key. RC4 is used in Netscape Navigator and Internet Explorer.

Asymmetric Key Encryption

For centuries, all cryptography was based on symmetric key cryptosystems. Then in 1976, two computer scientists, Whitfield Diffie and Martin Hellman of Stanford University, introduced the concept of asymmetric cryptography. Asymmetric cryptography is also known as public key cryptography. Public key cryptography uses two keys, as opposed to one key for a symmetric system. With public key cryptography there is a public key and a private key. The keys' names describe their function. One key is kept private, and the other key is made public. Knowing the public key does not reveal the private key. A message encrypted by the private key can only be decrypted by the corresponding public key. Conversely, a message encrypted by the public key can only be decrypted by the private key. This process is illustrated in the following figure.

Figure: Asymmetric key encryption.

With the aid of public key cryptography, it is possible to establish secure communications with any individual or entity when using a compatible software or hardware device. For example, if Alice wishes to communicate in a secure manner with Bob, a stranger with whom she has never communicated before, Alice can give Bob her public key. Bob can encrypt his outgoing transmissions to Alice with Alice's public key. Alice can then decrypt the transmissions using her private key when she receives them.

Only Alice's private key can decrypt a message encrypted with her public key. If Bob transmits his public key to Alice, then Alice can transmit secure encrypted data back to Bob that only Bob can decrypt. It doesn't matter that they exchanged public keys on an unsecured network. Knowing an individual's public key tells you nothing about his or her private key. Only an individual's private key can decrypt a message encrypted with his or her public key. The security breaks down if either of the parties' private keys is compromised. While symmetric key cryptosystems are limited to securing the privacy of information, asymmetric or public key cryptography is much more versatile. Public key cryptosystems can provide a means of authentication and can support digital certificates. With digital certificates, public key cryptosystems can provide enforcement of nonrepudiation. Unlike symmetric key cryptosystems, public key allows for secure spontaneous communication over an open network. In addition, it is more scalable for very large systems (tens of millions) than symmetric key cryptosystems. With symmetric key cryptosystems, the key administration for large networks is very complex.

Public Key Cryptosystems

There are three public key algorithms in wide use today: Diffie-Hellman, RSA, and the Digital Signature Algorithm (DSA). They are described in the following sections.

Diffie-Hellman

The Diffie-Hellman algorithm was developed by Whitfield Diffie and Martin Hellman at Stanford University. It was the first usable public key algorithm. Diffie-Hellman is based on the difficulty of computing discrete logarithms. It can be used to establish a shared secret key that can then be used by two parties for symmetric encryption. Diffie-Hellman is often used in IPSEC key management protocols. For spontaneous communications with Diffie-Hellman, the two communicating entities each generate a random number that is used as their private key. They exchange public keys.

They each apply their private key to the other's public key to compute identical values (the shared secret key). They then use the shared secret key to encrypt and exchange information.

Rivest, Shamir, Adleman (RSA)

The RSA public key algorithm was developed by Ron Rivest, Adi Shamir, and Len Adleman at MIT. RSA multiplies large prime numbers together to generate keys. Its strength lies in the fact that it is extremely difficult to factor the product of large prime numbers. This algorithm is the one most often associated with public key encryption. The RSA algorithm also provides digital signature capabilities. I will discuss digital signatures later in this chapter. They are used in SSL to set up sessions and with privacy-enhanced mail (PEM) and PGP.

Digital Signature Algorithm

DSA was developed as part of the Digital Signature Standard (DSS). (A more detailed discussion of DSS and DSA is provided later in this chapter.) Unlike the Diffie-Hellman and RSA algorithms, DSA is not used for encryption but for digital signatures.

A Slight Digression

For many years it was believed that Whitfield Diffie and Martin Hellman were the first to conceive of asymmetric cryptography and that Ron Rivest, Adi Shamir, and Len Adleman were the first to develop the RSA algorithm. However, it is now claimed that neither collaboration was the first and that the concept of asymmetric cryptography, the Diffie-Hellman algorithm, and the RSA algorithm were all discovered years earlier in England by the Government Communications Headquarters (GCHQ), which is the British equivalent of the NSA. The GCHQ claims that it conceived of the concept years before anyone else but never released information on the work for national security reasons.
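The Diffie-Hellman exchange described in the two paragraphs above, as an added Python example that is not part of the original text: each side picks a random private value, only the public values cross the network, and both sides derive the same symmetric key. The group parameters p and g are assumptions chosen so the numbers stay readable; the range check on the peer's public value is the one sanity check a receiving side should always make.

```python
import hashlib
import secrets

# Public group parameters both parties agree on in advance. 2**127 - 1 is a
# prime (M127) and is used here only to keep the arithmetic readable; this p
# and g are assumptions of the example, and deployments use standardized
# groups of 2048 bits or more.
P = 2**127 - 1
G = 2


def is_valid_public(value, p=P):
    """Reject 0, 1 and p-1: each of those forces a trivial shared secret."""
    return 1 < value < p - 1


def keypair(p=P, g=G, rng=secrets.randbelow):
    """Each party picks a random private exponent and publishes g^x mod p."""
    private = 2 + rng(p - 3)             # uniform in [2, p-2]
    return private, pow(g, private, p)


def shared_secret(own_private, peer_public, p=P):
    """Apply the private key to the peer's public value: (g^y)^x = (g^x)^y mod p."""
    if not is_valid_public(peer_public, p):
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, p)


def derive_key(secret, p=P):
    """Hash the raw shared secret into a 256-bit key for the symmetric cipher."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def exchange(rng=secrets.randbelow):
    """Run the spontaneous exchange from the text and return both derived keys.

    Only a_pub and b_pub would cross the network; a_priv and b_priv never do,
    and an eavesdropper holding the public values would have to solve the
    discrete logarithm to recover either key.
    """
    a_priv, a_pub = keypair(rng=rng)
    b_priv, b_pub = keypair(rng=rng)
    alice_key = derive_key(shared_secret(a_priv, b_pub))
    bob_key = derive_key(shared_secret(b_priv, a_pub))
    return alice_key, bob_key
```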

Message Integrity

To attain a high level of confidence in the integrity of a message or data, a process must be put in place to prevent or detect alteration during transit. One technique employed is called a hash function. A hash function takes a message of any length and computes a product value of fixed length. The product is referred to as a "hash value." The length of the original message does not alter the length of the hash value. Hash functions are used to ensure the integrity of a message or file. Using the actual message or file, a hash function computes a hash value, which is a cryptographic checksum of the message. This checksum can be thought of as a fingerprint for that message. The hash value can be used to determine if the message or file has been altered since the value was originally computed. Using e-mail as an example, the hash value for a message is computed at both the sending and receiving ends. If the message is modified in any way during transit, the hash value computed at the receiving end will not match the value computed at the sending end. Hash functions must be one way only. In other words, there should be no way to reverse the hash value to obtain information on the message. Obviously, this would represent a risk. Another requirement of an effective one-way hash function is that the possibility of "collisions" is very limited, if not nonexistent. A collision occurs when the same hash value is computed for two or more unique messages. If the messages are different, the hash values should be different. No two unique messages should compute the same hash value.

MD4

MD4 was developed by Ron Rivest of RSA. MD4 is a one-way hash function that takes a message of variable length and produces a 128-bit hash value or message digest. MD4 has been proven to have weaknesses. Analysis has shown that at least the first two rounds of MD4 are not one-way (there are three rounds in MD4) and that the algorithm is subject to collisions.

MD5

MD5 was also created by Ron Rivest, as an improvement on MD4. Like MD4, MD5 creates a unique 128-bit message digest value derived from the contents of a message or file. This value, which is a fingerprint of the message or file content, is used to verify the integrity of the message's or file's contents. If a message or file is modified in any way, even a single bit, the MD5 cryptographic checksum for the message or file will be different. It is considered very difficult to alter a message or file in a way that will cause MD5 to generate the same result as was obtained for the original file. While MD5 is more secure than MD4, it too has been found to have some weaknesses. Analysis has found a collision in the compression function of MD5, although not for MD5 itself. Nevertheless, this attack casts doubt on whether MD5 is truly a collision-resistant hash algorithm. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.

Secure Hash Algorithm-1 (SHA-1)

SHA-1 is a one-way hash algorithm used to create digital signatures. SHA-1 is derived from SHA, which was developed in 1994 by the NIST. SHA-1 is similar to the MD4 and MD5 algorithms developed by Ron Rivest. SHA-1 is slightly slower than MD4 and MD5, but it is reported to be more secure. The SHA-1 hash function produces a 160-bit hash value or message digest. I am aware of no known cryptographic attacks against SHA-1 that have been successful. Since it produces a 160-bit message digest, it is more resistant to brute force attacks than MD4 and MD5, which produce a 128-bit message digest.


RIPEMD

RIPEMD is a hash function that was developed through the European Community's project RIPE. There are several extensions to RIPEMD: RIPEMD-128, RIPEMD-160, and RIPEMD-256. Each extension is a reference to the length of the hash value or message digest. For example, RIPEMD-160 is a 160-bit cryptographic hash function, designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel.

Authentication

To have a high level of confidence and trust in the integrity of information received over a network, the transacting parties need to be able to authenticate each other's identity. In the example involving Alice and Bob, it was demonstrated how they could transmit secure information between each party using encryption by exchanging public keys. While confidentiality was ensured with the use of public key cryptography, there was no authentication of the parties' identities. Bob may not really have been Bob. For that matter, Bob doesn't really know if Alice was Alice. In addition, how does Alice know that when she was sending her public key to Bob, Jack did not intercept it and use the opportunity to send his own public key to her and masquerade as Bob? To ensure secure business transactions on unsecured networks like the Internet, both parties need to be able to authenticate their identities. Authentication in a digital setting is a process whereby the receiver of a message can be confident of the identity of the sender. The lack of secure authentication has been a major obstacle in achieving widespread use of the Internet for commerce. One process used to authenticate the identity of an individual or entity involves digital signatures.

Digital Signatures

A digital signature allows a receiver to authenticate (to a limited extent) the identity of the sender and to verify the integrity of the message. For the authentication process, you must already know the sender's public key, either from prior knowledge or from some trusted third party. Digital signatures are used to ensure message integrity and authentication. In its simplest form, a digital signature is created by hashing the entire contents of the message being sent to create a message digest and then applying the sender's private key to it. The recipient uses the sender's public key to verify the integrity of the message by recreating the message digest. By this process you ensure the integrity of the message and authenticate the sender. The following figure illustrates the process.

Figure: Digital signature.

To sign a message, senders usually append their digital signature to the end of a message and encrypt it using the recipient's public key. Recipients decrypt the message using their own private key and verify the sender's identity and the message integrity by decrypting the sender's digital signature using the sender's public key. Once again we will use Alice and Bob to illustrate how digital signatures work. Alice has a pair of keys, her private key and her public key. She sends a message to Bob that includes both a plaintext message and a version of the plaintext message that has been encrypted using her private key.

The encrypted version of her text message is her digital signature. Bob receives the message from Alice and decrypts it using her public key. He then compares the decrypted message to the plaintext message. If they are identical, then he has verified that the message has not been altered and that it came from Alice. He can authenticate that the message came from Alice because he decrypted it with Alice's public key, so it could only have been encrypted with Alice's private key, to which only Alice has access. The strengths of digital signatures are that they are almost impossible to counterfeit and they are easily verified. However, if Alice and Bob are strangers who have never communicated with each other before, and Bob received Alice's public key but had no other means to verify who Alice was, other than Alice's assertion that she was who she claimed to be, then the digital signature is useless for authentication. It will still verify that a message has arrived unaltered from the sender, but it cannot be used to authenticate the identity of the sender. In cases where the parties have no prior knowledge of one another, a trusted third party is required to authenticate the identity of the transacting parties.

Competing Standards

There are two competing standards for digital signature technology. Both systems are based on the International Telecommunications Union's X.509 standard for public key certification. The one that has been around the longest is RSA Data Security's public key encryption standard, which has become a de facto standard in the industry. RSA Data Security uses the RSA public key algorithm, for both encryption and authentication, invented by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. The more recently developed standard is the U.S. government's DSS, which specifies a DSA. It was selected by the National Institute of Standards and Technology (NIST) in 1994. Many have questioned the wisdom of the NIST's decision to select DSS.
Not surprisingly, one of the most vocal opponents has been RSA Data Security and companies associated with RSA. However, many others have questioned the choice of DSS. The DSS cryptosystem is relatively new and has not been fully tested. For that reason alone, many believe that it is not as secure as the RSA standard, which has been subjected to rigorous testing for the past 19 years. Some have even questioned the NIST's motives for selecting DSS. The decision was made in cooperation with the NSA. The process was secretive and conducted with very little public participation or debate. Some have gone so far as to suggest that DSS was selected because the NSA has a back door into the system. While the competing standards do not represent an obstacle to implementing digital signatures within a large multinational organization, they can result in the inability to exchange digital signatures between organizations.

Digital Certificate

Digital signatures can be used to verify that a message has been delivered unaltered and to verify the identity of the sender by public key. The problem with authenticating a digital signature, however, is that you must be able to verify that a public key does in fact belong to the individual or entity that claims to have sent it, and that the individual or entity is in fact who or what it claims to be. A digital certificate issued by a certification authority (CA) utilizing a hierarchical public key infrastructure (PKI) can be used to authenticate a sender's identity for spontaneous, first-time contacts. Digital certificates provide a means for secure first-time spontaneous communication. A digital certificate provides a high level of confidence in the identity of the individual or entity with which you are communicating. A digital certificate is a means to authenticate identity. A digital certificate is usually issued by a trusted/known third party (CA) to bind an individual or entity to a public key. The digital certificate is digitally signed by the CA with the CA's private key. This provides independent confirmation that an individual or entity is in fact who it claims to be. The CA issues digital certificates that vouch for the identities of those to whom the certificates were issued. Using Alice and Bob as our example, Alice can send Bob her public key. Bob will be able to verify her digital signature using Alice's public key.
Given such a key, how does he verify that it actually belongs to Alice and not to Jack, who is masquerading as Alice? If he has no other means available to him, he cannot. However, if Alice's public key is presented as part of a digital certificate signed by a CA that Bob knows, Bob can have a high level of confidence that Alice is who and what she claims to be. A digital certificate is a method of binding an individual or entity to a public key. The certificate is digitally signed by a CA, providing independent confirmation that the individual or entity is who it claims to be and that the public key it presents does in fact belong to that party. The CA and the CA's public key must be widely known for the digital certificate to be of practical value: if the CA's public key is already installed and trusted, there is no need to authenticate the CA's own signature. You are relying on the CA's digital signature to authenticate the certificate owner's identity and to bind that identity to its public key.

Each person's digital certificate could contain a mini-database on the owner, including authorizations, access privileges, and the owner's public key. Digital certificates cannot be forged without the CA's private key, and they are expected to be as legally acceptable as handwritten notarized signatures. The International Chamber of Commerce is exploring the creation of a "cybernotary," a lawyer able to demonstrate that he or she can issue certificates from a secure computer environment. A digital signature used in concert with a digital certificate potentially possesses greater legal authority than a handwritten signature. The inability to forge a digital signature, the fact that the signature shows the document has not been altered since it was signed, and the certificate verifying the identity of the signer together make a digitally signed document very hard to repudiate: the signer cannot plausibly deny the signature at a later date. This holds only as long as the private key has remained under the signer's sole control; a signature made with a stolen key looks identical to a genuine one, which is why key compromise must be reported and the certificate revoked promptly.

Limitations of Digital Certificates

There are still a number of issues that need to be addressed, such as how to handle expired certificates; there is the risk that a long-term document could be signed with a digital certificate that has a two-year expiration date. What is the legality of the document once the certificate expires? Another issue is how to handle revocation of certificates. The certificate revocation process is cumbersome: How do you revoke a certificate once it has been issued? Once a digital certificate is issued, it is valid until it expires, which is usually at least a year. There is no mechanism inside the certificate itself for immediate revocation should it be compromised or should the CA withdraw its certification. CAs therefore periodically issue certificate revocation lists (CRLs), and every participant in the PKI must obtain up-to-date CRLs and actually check them; a relying party that skips the check gains nothing from revocation at all. CRLs can become very large, and the Online Certificate Status Protocol (OCSP) was later defined so that a relying party can ask the CA about a single certificate's status instead of downloading the whole list. In addition, there are a number of issues concerning the legal responsibilities and liabilities of CAs and their issuing of digital certificates that still need to be addressed. What is most crucial to the success of the digital certificate is the role of the CA. With the CA, the trust is no longer dependent on the individual's or entity's digital signature. Instead, the trust is transferred to the CA.

Certificate Authorities

As stated previously, a CA is a body, either public or private, that seeks to fill the need for a trusted third party in e-commerce. The CA issues digital certificates that vouch for the identities of those to whom the certificates were issued. For this process to be secure, the CA's public key must be trustworthy and well known. When I say it must be trustworthy, I am referring to the reputation and reliability of the CA as an entity. A digital certificate issued by "Sam's Digital Certificates and Deli" would lack trustworthiness to another party on the Internet. A CA must also perform the necessary due diligence to verify that individuals or entities are in fact who they say they are before a digital certificate is issued to them.


The CA's public key must be widely known to be effective. A digital certificate signed by a CA is worthless if you do not know the CA's public key or if you have no independent means of verifying that the public key provided is in fact bound to the CA. For that reason, a CA's public keys need to be easily accessible and verifiable; in practice they are shipped pre-installed in browsers and operating systems. There will be a number of entities that issue digital certificates. VeriSign, Inc., which was formed by RSA Data Security and several other major corporations, is one of the main issuers. Other companies that issue digital certificates include GTE, AT&T, and Microsoft. There are many others.

The process of obtaining a digital certificate is relatively simple for any legitimate individual or entity. Once again using Alice and Bob for our example, Alice generates her own key pair with her X.509-compliant software or device. She then sends the public key to a CA, typically inside a certificate signing request that she signs with her private key to prove she holds it, together with proof of who and what she is. The private key never leaves her device. If the digital certificate is for her company, the CA might request a copy of the articles of incorporation, copies of the latest financial statements, and other items that establish that the company is what it claims to be and is in good standing. If the certificate is for Alice personally, the CA could request a birth certificate and perhaps take her fingerprints. The verification process is largely dependent on the level of the certificate. Once the CA has done its due diligence and is satisfied that Alice is who she claims to be, the CA sends her a digital certificate to load in her software or device. This certificate is signed by the CA with its private key. It attests to the fact that the CA has determined that Alice is who she says she is, and it binds her public key to her. Alice can now present that certificate to Bob to authenticate her identity and her public key. When Bob receives Alice's signed message, he needs Alice's public key to verify her digital signature and to ensure that the message has arrived unaltered. Since he already knows the CA's public key (it is published everywhere), he can check that the digital certificate was signed by the CA, verify the integrity of the certificate, obtain Alice's public key from it, and then verify her signed message.


The need for CAs is clear, but the duties and responsibilities of CAs are not so clear. There are still many issues that need to be addressed with CAs. Many of these are legal, not technical, in nature: What are the CA's responsibilities when issuing digital certificates? What if the CA makes a mistake and issues one to the wrong individual or entity? CAs may be open to tremendous liability should that mistake result in fraud or some financial loss. As we move closer to paperless commerce and a paperless society, the concept of CAs becomes increasingly important. They will have a major impact on the future of e-commerce. That impact will affect our day-to-day lives: it means the development of a whole new set of business relationships that will be necessary to function daily. Perhaps, one day, without a digital certificate you may not be able to purchase milk at the corner store. Will CAs become the future's credit agencies, rating everyone as a good or bad "risk"?

Public Key Infrastructure

As part of the future implementation of digital certificates, a movement is under way to develop a PKI. The infrastructure will be necessary to authenticate digital certificates and CAs. A PKI is a hierarchical network of CAs. A "root" certification authority certifies subordinate CAs, which in turn issue certificates to end entities. The hierarchy is recognized as trusted by all entities that trust the root CA. Not every entity needs to trust every other; each needs to trust only the hierarchy, and a relying party validates a certificate by following the chain of signatures from the end entity's certificate up to a root it already trusts. Some plans envision a hierarchy of CAs, where each CA certifies the one beneath it. The top-level root CA in the United States could be the U.S. government. Others envision a more horizontal scheme of cross-certification with only a few layers. In either case, a certificate-based PKI can provide a process to establish trust relationships. The following figure illustrates how a theoretical PKI might be structured.

Figure: Theoretical PKI.

The difficult part will be developing the standards and infrastructure for certifying digital signatures and certificates between organizations using different schemes. At the same time, NIST is working on the development of a federal PKI. While there are many challenges to developing a national PKI, the most daunting task will be the development of the global infrastructure. When we discuss a global or international PKI we open a Pandora's box of "national security" issues.

Advanced Encryption Standard (AES)

For decades the encryption standard in the United States has been DES. However, the DES algorithm, with its 56-bit key, is no longer as secure as it once was and needs to be replaced. As a result, NIST undertook the selection of a new algorithm to serve as the standard into the next century. This new standard is called the Advanced Encryption Standard (AES). The goal of AES is to select an unclassified, publicly disclosed block algorithm that will be available worldwide free of royalty fees.


At the time of this writing, five algorithms had been selected as finalists for the AES:

• MARS, developed by IBM;
• RC6, developed by RSA, which also developed RC4 and RC5;
• Rijndael, developed by Vincent Rijmen and Joan Daemen;
• Serpent, developed by Ross Anderson, Eli Biham, and Lars Knudsen;
• Twofish, developed by Bruce Schneier, Niels Ferguson, Chris Hall, John Kelsey, Doug Whiting, and David Wagner.

Incidentally, Bruce Schneier is the author of the book Applied Cryptography and developer of the Blowfish block algorithm. NIST selected Rijndael as the AES in October 2000 and published it as FIPS 197 in 2001.

Elliptic-Curve Cryptography (ECC)

Another up-and-coming development in cryptography is elliptic-curve cryptography (ECC). ECC, which is widely expected to be the next-generation algorithm, has been proposed for use as a public key cryptosystem. ECC's strength comes from the fact that it is computationally very difficult to solve the elliptic curve discrete logarithm problem. The appeal of ECC algorithms is that they hold the possibility of offering security comparable to the RSA algorithms using smaller keys. Smaller keys mean that less computation is required. Less time and fewer CPU resources would be needed to implement this technology on the network, and less time and CPU translates into less cost associated with using these algorithms. As a result, interest in these algorithms is keen. It has also been said that ECC is more difficult to break than RSA. While both RSA with a 512-bit key and ECC with a 97-bit key have been broken, it has been stated that the ECC algorithm is more difficult to break: in 1999 a team of 195 volunteers in 20 countries using 740 computers took 40 days to recover a 97-bit ECC private key. How long any given key size will remain secure will largely depend on developments in the fields of computer technology and cryptanalysis.

Although ECC holds great promise, at the time of writing I am not aware of any practical implementation of the technology in any product on the market. (ECC has since been standardized, for example as ECDSA in FIPS 186-2 and ANSI X9.62, and is now in wide use.) No matter what algorithm you employ, it is important to be cognizant of the fact that as computing power increases and becomes less expensive, cryptographic key sizes will have to increase to ensure security. Not too far in the future, a 2,048-bit RSA key will not be sufficient to ensure security.

The Limitations of Encryption

Communications are not necessarily secure simply because they are encrypted. It is important to remember that useful information can be discerned even from encrypted communications. I like to use an example from the book Blind Man's Bluff, in which Sherry Sontag and Christopher Drew, with Annette Lawrence Drew, tell the story of U.S. submarine espionage during the Cold War. In the 1970s and 1980s, Soviet missile subs were using effective cryptosystems in conjunction with sophisticated transmitters that compressed their encrypted communications into microsecond bursts. While the United States was not able to break the Soviet transmission code, it was able to gather a great deal of information from the transmissions themselves. U.S. analysis of the transmission patterns revealed almost as much information as the actual content would have. For example, the United States was able to determine that the messages were coming from Soviet subs on their way to and from patrol. It was also able to distinguish one sub from another by slight variations in the frequencies of the transmissions, and it learned that the Soviet subs sent transmissions at regular points or milestones in their patrols. Consequently, the United States was able to determine a Soviet sub's location when it reached its patrol sector, the halfway point, or a particular landmark. This analysis of transmission patterns, what is now called traffic analysis, enabled the United States to track Soviet subs on patrol without ever breaking the transmissions' code. It is important to understand that simply using encryption is no guarantee of confidentiality or secrecy.

In addition, studies have shown that the randomness of encrypted files stored on media can be used to distinguish them from other stored data. Generally, operating systems do not store data in a random manner. Data is normally stored in a manner that optimizes retrieval, space, or speed. Encrypted files and cryptographic keys, by their nature, are indistinguishable from random data.


As a result, when large encrypted files and public/private key pairs are stored on a disk drive, their randomness stands out against the normally organized data on the drive. There are programs that purport to find keys and encrypted files on a disk drive by scanning for such high-entropy regions (compressed files also score high, so a hit is a lead rather than proof). If true, this means that someone with access to the drive on which keys are stored could locate and steal key pairs. The practical defense is never to store a private key in the clear: keep it encrypted under a passphrase, or in a smart card or hardware security module from which it cannot be read out. Meanwhile, it is also important to understand that developments in the field of cryptography and digital signature technology are the enabling force behind the recent explosion in e-commerce on the Internet. Without these technologies, Internet e-commerce would not be possible. As a result, those who want to participate in this new world of e-commerce, either as an entrepreneur or a consumer, need to understand the essential technology that is enabling its development.
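The kind of scan such a program performs, as an added example that is not code from the original text or from any named product: a sliding-window Shannon entropy scan over a constructed byte string that stands in for a disk image. The window size, the threshold and the layout of the sample image (mail text, zeroed slack space, a block of random bytes standing in for a stored private key, more text, then random bytes standing in for ciphertext) are assumptions chosen to make the effect visible.

```python
"""Sliding-window entropy scan, the technique behind tools that hunt for keys and
encrypted files on a disk. Added example, not code from the original page; the
"disk image" below is a constructed byte string, not real media."""
import math
import os
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for a perfectly uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_image(image: bytes, window: int = 1024, threshold: float = 7.5) -> list:
    """Return (offset, entropy) for every window whose entropy meets the threshold.

    High-entropy hits are leads, not proof: compressed archives and media score high
    too, so a real tool then looks for structure (e.g. PEM/DER key headers) at each hit.
    """
    hits = []
    for offset in range(0, len(image) - window + 1, window):
        h = shannon_entropy(image[offset:offset + window])
        if h >= threshold:
            hits.append((offset, round(h, 2)))
    return hits

def build_sample_image() -> bytes:
    """Constructed layout: 2 KiB of mail text | 1 KiB zero slack | 1 KiB "key material"
    | 2 KiB text | 4 KiB "ciphertext". Random bytes stand in for the key and the ciphertext."""
    text = (b"Dear Bob, the quarterly figures are attached. Regards, Alice. " * 40)[:2048]
    return text + b"\x00" * 1024 + os.urandom(1024) + text + os.urandom(4096)

def find_suspects(image: bytes) -> list:
    """Offsets an examiner would inspect first: the key block and the four ciphertext windows."""
    return [offset for offset, _ in scan_image(image)]
```

On the sample image the text windows score around 4 bits per byte, the zero slack scores 0, and the five windows of random bytes score close to 8, so `find_suspects()` returns exactly the offsets of the simulated key and the simulated encrypted file. The same scan run over a real volume is why a private key left on disk in the clear is easy to find, and why it should be wrapped under a passphrase or kept in hardware instead.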


4. Secured and Unsecured Layer Systems

Kerberos

Kerberos is a network authentication protocol developed at MIT. It is designed to provide strong authentication for client/server applications using secret-key (symmetric) cryptography; public-key extensions to the initial exchange exist (PKINIT), but the core protocol needs no public keys at all. Kerberos uses a single central server, the Key Distribution Center (KDC), as a trusted third party that authenticates users and issues the credentials with which they reach resources on the network. The basic premise behind Kerberos is that it is not possible to ensure security on all network servers. This concept assumes that server security breaches are inevitable in a distributed computing environment with multiple servers. The premise is that it is impossible to secure all the servers, so one shouldn't even attempt to. The Kerberos model proposes, however, that it is possible to truly secure a single server. Therefore, it holds that it is more secure to control all network access from one central secure server.

The Kerberos exchange is really quite simple, but at the same time quite elegant. Kerberos never transmits passwords on the network, encrypted or not: the user's password is converted locally into a long-term secret key that the KDC also holds in its database, and every party's long-term key stays with that party and the KDC. Kerberos controls access to network services with "tickets." A ticket is an encrypted data structure issued by the KDC that names a client, carries a freshly generated session key and a validity period, and is encrypted under the long-term key of the server for which it was issued, so only that server (and the KDC) can read it. Tickets carry flags that describe their properties; among them are initial, invalid, pre-authenticated, renewable, forwardable, and postdated. Figures 4.1–4.6 illustrate the exchange for a client that wants to reach a payroll server. In Figure 4.1 the client creates a request to the KDC's authentication service naming itself and asking for a ticket-granting ticket (TGT). In Figure 4.2 the client adds pre-authentication data: the current time, encrypted under its own long-term key, which proves it knows the key without sending it. In Figure 4.3 the client sends the request to the KDC.

Figure 4.1: Kerberos key exchange, step one.

Figure 4.2: Kerberos key exchange, step two.

Figure 4.3: Kerberos key exchange, step three.

The KDC looks up the client's long-term key in its database and decrypts the pre-authentication data with it. If the timestamp decrypts correctly and is current, the request came from someone who knows the client's key; if the client is not in the database, the request is denied, since an unknown principal is not an authorized user of the network. The KDC then generates a random session key and returns two things: the session key encrypted under the client's long-term key, and the TGT, which contains the client's name, the same session key, and an expiry time, encrypted under the KDC's own key. The client decrypts the first item with its password-derived key; it cannot read the TGT and does not need to. To reach the payroll server, the client sends the KDC's ticket-granting service the TGT together with an "authenticator," its name and the current time encrypted under the session key, and names the service it wants. The KDC decrypts the TGT with its own key, recovers the session key, checks the authenticator against the TGT, and verifies that the client is authorized for the payroll server. If so, it generates a second session key and returns a service ticket for payroll, containing the client's name, that key, and an expiry time, encrypted under the payroll server's long-term key, along with a copy of the new session key encrypted under the TGT session key. Figure 4.4 depicts this process. The payroll server receives nothing from the KDC directly; the client carries the ticket to it.

Figure 4.4: Kerberos key exchange, step four.

Because a ticket is encrypted and integrity-protected under the payroll server's key, which only the payroll server and the KDC hold, neither the client nor anyone on the network can counterfeit or alter a ticket. The client then sends the service ticket to the payroll server together with a fresh authenticator: its name and the current time encrypted under the session key it received with the ticket. Figure 4.5 illustrates this process.

Figure 4.5: Kerberos key exchange, step five.

When the payroll server receives the ticket it decrypts it with its own long-term key, obtains the session key and the client's name, and decrypts the authenticator with that session key. If the names match, the ticket has not expired, and the authenticator's timestamp is within the allowed clock skew (five minutes by default) and has not been seen before, the client is allowed to connect; otherwise the connection is refused. Figure 4.6 illustrates this process. The server can prove its own identity in return by sending the authenticator's timestamp back encrypted under the session key, which only a holder of the payroll key could have recovered. Once the connection is established, the two systems can use the session key to protect their communication for integrity, for confidentiality, or not at all, as the application chooses.

Figure 4.6: Kerberos key exchange, step six.

One advantage that Kerberos has over other schemes, such as digital certificates and a PKI, is that revocation of authorization and authentication can be done immediately. The PKI relies upon CRLs to remove authorization for an individual or entity. Access to network resources may not be terminated until the CRL works its way through the PKI or the original digital certificate expires. In either case, the original certificate may provide access to network resources long after the time you wanted access terminated. With Kerberos, every time an individual or entity needs a ticket for a network resource, the KDC is queried. As a result, once access is terminated at the KDC, no new tickets are issued from that moment on. The one caveat is that tickets already in the client's possession remain valid until they expire, which is why ticket lifetimes are kept to hours rather than days.
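The exchange described above, as an added example that is not part of the original text and is not MIT's Kerberos code: a compact model of the Kerberos v5 message flow in Python, using symmetric keys only. The `seal()`/`unseal()` primitive, the principal names, the realm salt, the ticket lifetimes and the constructed timestamps are assumptions for illustration; the structure is the protocol's own. It shows the password never leaving the client, a ticket that only the service it was issued for can open, timestamped authenticators checked against a clock-skew window and a replay cache, and revocation at the KDC taking effect at the next ticket request.

```python
"""Simplified Kerberos v5 ticket flow (AS, TGS and AP exchanges), pure Python 3.
Added example, not code from the original page or from MIT Kerberos. It keeps the real
protocol's symmetric-key design: the KDC shares a long-term key with every principal, a
ticket is sealed under the key of the service it is for, and every request carries a
timestamped authenticator. seal()/unseal() (SHA-256 keystream plus HMAC tag) stand in for
real Kerberos encryption types; principal names, the realm salt and lifetimes are assumed."""
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300   # Kerberos' default maximum clock skew, five minutes

def derive_key(password: str, salt: str = "EXAMPLE.COM") -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)  # password never sent

def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce | ciphertext | HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError for a wrong key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or corrupted ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Key Distribution Center: Authentication Service (AS) plus Ticket-Granting Service (TGS)."""
    def __init__(self):
        self.keys = {}                 # principal -> long-term key (the KDC's database)
        self.disabled = set()          # principals whose access has been revoked
        self.tgs_key = os.urandom(32)  # the krbtgt key every TGT is sealed under

    def as_exchange(self, client: str, preauth: bytes, now: int) -> bytes:
        """AS-REQ -> AS-REP: {session_key, tgt} sealed under the client's long-term key."""
        if client not in self.keys or client in self.disabled:
            raise PermissionError("unknown or disabled principal")
        if abs(unseal(self.keys[client], preauth)["time"] - now) > CLOCK_SKEW:
            raise PermissionError("pre-authentication failed")   # client must know its key
        sk = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": sk.hex(), "expires": now + 8 * 3600})
        return seal(self.keys[client], {"session_key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """TGS-REQ -> TGS-REP: a service ticket, if the TGT and the authenticator check out."""
        tgt = unseal(self.tgs_key, tgt_blob)
        sk = bytes.fromhex(tgt["key"])
        auth = unseal(sk, authenticator)
        if tgt["expires"] < now or auth["client"] != tgt["client"] or abs(auth["time"] - now) > CLOCK_SKEW:
            raise PermissionError("stale TGT or bad authenticator")
        if tgt["client"] in self.disabled or service not in self.keys:
            raise PermissionError("access revoked or unknown service")   # revocation bites here
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": tgt["client"], "key": svc_key.hex(), "expires": now + 3600})
        return seal(sk, {"service_key": svc_key.hex(), "ticket": ticket.hex()})

class Service:
    """A Kerberized server (payroll) holding only its own long-term key and a replay cache."""
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()

    def ap_request(self, ticket_blob: bytes, authenticator: bytes, now: int) -> bool:
        try:
            ticket = unseal(self.key, ticket_blob)                      # only our key opens it
            auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
        except ValueError:
            return False
        fresh = abs(auth["time"] - now) <= CLOCK_SKEW and (auth["client"], auth["time"]) not in self.seen
        if ticket["expires"] < now or auth["client"] != ticket["client"] or not fresh:
            return False
        self.seen.add((auth["client"], auth["time"]))
        return True

def demo() -> dict:
    """Alice logs in and reaches payroll; a replay, a forged ticket and a revoked user are refused."""
    now, kdc = 1_700_000_000, KDC()
    kdc.keys["alice"] = alice_key = derive_key("correct horse battery staple")
    payroll = Service(kdc.keys.setdefault("payroll", os.urandom(32)))   # key installed via keytab
    rep = unseal(alice_key, kdc.as_exchange("alice", seal(alice_key, {"time": now}), now))
    sk, tgt = bytes.fromhex(rep["session_key"]), bytes.fromhex(rep["tgt"])
    rep = unseal(sk, kdc.tgs_exchange(tgt, seal(sk, {"client": "alice", "time": now}), "payroll", now))
    svc_key, ticket = bytes.fromhex(rep["service_key"]), bytes.fromhex(rep["ticket"])
    auth = seal(svc_key, {"client": "alice", "time": now + 1})
    out = {"access": payroll.ap_request(ticket, auth, now + 1)}
    out["replay"] = payroll.ap_request(ticket, auth, now + 2)      # sniffed and resent
    out["forged"] = payroll.ap_request(seal(os.urandom(32), {"client": "alice"}), auth, now + 3)  # guessed key
    kdc.disabled.add("alice")                                      # revoke at the KDC
    try:
        kdc.tgs_exchange(tgt, seal(sk, {"client": "alice", "time": now + 4}), "payroll", now + 4)
        out["revoked"] = False
    except PermissionError:
        out["revoked"] = True
    return out
```

`demo()` returns `access` true and the other three false or refused. Note what the payroll server never sees: Alice's password, her long-term key, or the KDC's key. It holds only its own key, which is enough to open the ticket, recover the session key and check the authenticator. The replay cache and the clock-skew window are the two controls that defeat a captured ticket-plus-authenticator, and the `disabled` set is the immediate revocation the text describes; the TGT Alice already holds stays valid until its expiry, but it can no longer be turned into new service tickets.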

Kerberos: Limitations

The primary limitation of the Kerberos concept is that if the KDC is down, one cannot obtain tickets for network resources, since access to all network resources must be authorized through it. As a result, the Kerberos design is particularly vulnerable to denial-of-service attacks. If you target the KDC you can prevent legitimate users from gaining access to the network. You don't even have to completely crash the server to prevent others from gaining network access; simply overwhelming it with requests or flooding the network with traffic would be enough to prevent it from responding to queries. Organizations can build replica KDCs into the design of their networks, and production Kerberos deployments normally do, but each replica holds a copy of the realm's entire key database and must be secured to the same standard as the primary. This is in tension with one of the fundamental premises of Kerberos, which is that it is difficult to provide absolute security for multiple servers; every additional KDC is another machine whose compromise compromises the entire realm.

Kerberos can also be susceptible to replay attacks. Someone on the network could sniff and record requests going to and from the KDC, and the transmission of tickets to network resources could be copied and retransmitted later as new requests. This vulnerability can be, and usually is, mitigated by the timestamp in the authenticator that accompanies every ticket, by the limited clock skew the server accepts, and by a replay cache on the server that rejects an authenticator it has already seen.

The other major drawback of the Kerberos concept is that its scalability is limited, since the KDC is contacted every time a ticket for a resource is requested. The more workstations and resources an organization has on its network, the greater its network traffic, because each new service a client uses generates an exchange with the KDC (the service ticket is then cached and reused until it expires). As the network grows, so does the number of requests to the KDC, and a network could grow to the point where a single server could not handle all of them. At that point an organization would either have to get a greater capacity server, add replicas, or split its users into separate realms joined by cross-realm trust. Ultimately there is a limit on how large a single Kerberos realm can grow.


As a result of this lack of scalability, Kerberos is not a feasible authentication solution for a very large, open network such as the Internet, where the parties do not share a common KDC. Using a PKI with digital certificates is much more scalable and therefore better suited for the Internet.

Encryption on the World Wide Web

Another area where encryption has been widely deployed is the Internet, or the Web as it has come to be known. Much of the Internet's success and popularity lies in the fact that it is an open global network. At the same time, the fact that it is open and global makes it not very secure. The unique nature of the Internet makes exchanging information and transacting business over it inherently dangerous. The faceless, voiceless, unknown entities and individuals that share the Internet may or may not be who or what they profess to be. In addition, because the Internet is a global network, it does not recognize national borders and legal jurisdictions. As a result, the transacting parties may not be where they say they are and may not be subject to the same laws or regulations. As stated in earlier chapters, for the exchange of information and for commerce to be secure on any network, especially the Internet, a system or process must be put in place that satisfies requirements for confidentiality, access control, authentication, integrity, and non-repudiation. These requirements are achieved on the Web through the use of encryption and by employing digital signature technology. There are many examples on the Web of the practical application of encryption. One of the most important is the SSL protocol.

Secure Sockets Layer

SSL was developed by Netscape to provide security when transmitting information on the Internet. Netscape recognized the need to develop a process that would ensure confidentiality when entering and transmitting information on the Web. Without such a process very few individuals would feel comfortable entering information like credit card numbers on a Web site. Netscape recognized that e-commerce on the Web would never get off the ground without consumer confidence. As a result, SSL was developed to address the security needs of Web surfers. It is somewhat ironic that we require such a high level of security for transactions on the Web. Most knowledgeable individuals would never enter their Visa or MasterCard number on a site that did not employ SSL for fear of having the information intercepted. However, those same individuals would not hesitate to give that same information over the phone to an unknown person when ordering flowers, nor would they fear handing their credit card to a waiter at a restaurant. Consider that this involves handing a card to someone you have never met who inevitably disappears for 10 minutes. The risk that a credit card number will be stolen in transit on the Internet is very small. A greater risk is that the credit card number will be stolen from a system on which it is stored. That is precisely what happened to me: I received an e-mail from my Internet service provider (ISP) informing me that a computer stolen from the ISP may have contained credit card information for a number of its customers. The e-mail went on to state that it was possible that my credit card information was on the stolen machine. The company said that the file containing the credit card numbers was encrypted, so it did not believe that there was any real risk. Nevertheless, the firm said that it was advising its customers of the incident so they could take appropriate action. The original transaction with the ISP in which I gave the company my credit card information was not over the Internet. It was a traditional low-tech transaction. Like most companies, the ISP stored the user account information, including credit card numbers, in a database on a network. That is where the real risk lies.


SSL uses both asymmetric and symmetric key encryption to set up and transfer data in a secure mode over an unsecured network. When used with a browser client, SSL establishes a secure connection between the client browser and the server. Usually it is HTTP over SSL (HTTPS). SSL sets up an encrypted tunnel between a browser and a Web server over which data packets can travel. No one tapping into the connection between the browser and the server can decipher the information passing between the two. Integrity of the information is established with keyed message authentication codes (HMAC) built on hash algorithms, and confidentiality is ensured with encryption. Figure 5.1 illustrates basically how the process works.

Figure 5.1: SSL session handshake.

To set up an SSL session, both sides exchange random numbers. The server sends its public key inside a digital certificate signed by a recognized CA, attesting to the server's identity and binding it to the public key. The server also sends a session ID, which allows a later connection to resume this session without repeating the full handshake. The browser client must validate the certificate (the CA signature chain, the expiry date, and that the name in the certificate matches the site it meant to reach); if it skips that check, anyone in the path could substitute his own key. The browser client then creates a pre_master_secret, encrypts it with the server's public key, and transmits it to the server, which decrypts it with its private key. Both sides then derive the master secret and the session keys from the pre_master_secret and the two random numbers. The SSL session set-up thus begins with asymmetric encryption: the server presents the client with its public key, which the client uses to encrypt the pre_master_secret. However, once the client has sent the encrypted pre_master_secret back to the server, both parties switch to symmetric encryption under the derived session keys for the rest of the connection.


This is done because symmetric encryption creates much less overhead. Less overhead means better throughput and a faster response time. Asymmetric cryptosystems are much more CPU-intensive and would significantly slow the exchange of information. As a result, for spontaneous exchanges, asymmetric encryption is used initially to establish a secure connection and to authenticate identities (using digital certificates). Once identities are established and the pre_master_secret has been exchanged, the communicating entities switch to symmetric encryption for efficiency. Even with the use of symmetric encryption, network throughput is significantly diminished with SSL. Cryptographic processing is extremely CPU-intensive, and the dominant cost is the server's RSA private-key operation in each full handshake rather than the bulk encryption that follows. Web servers that would normally be able to handle hundreds of connections may only be able to handle a fraction of that when employing SSL. In 1999, InternetWeek reported on a test of a Sun 450 server and the effects of SSL. At full capacity, the server could handle about 500 connections per second of normal HTTP traffic. However, the same server could only handle about three connections per second when the connections employed SSL. The fact that SSL can have such a hindering effect on network performance has to be included in any capacity planning for e-commerce sites, as does the effect of session resumption, which lets a returning client skip the expensive public-key step. There are SSL accelerators available that can enhance the performance of Web servers that employ SSL. Products from Hewlett-Packard, Compaq, nCipher, and others offer solutions that speed up the cryptographic processing. Usually, these products are separate boxes that interface with a server and off-load the SSL process from the server's CPU. They can also take the form of accelerator boards that are installed in the server.
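The key derivation both sides perform after the pre_master_secret has been exchanged, as an added example that is not code from the original text or from Netscape's SSL implementation: the TLS 1.0 pseudo-random function from RFC 2246 (the IETF successor to SSL 3.0), applied to a constructed pre_master_secret and two constructed hello randoms. The RSA encryption of the pre_master_secret is left out, and the MAC, key and IV lengths are assumptions matching a 128-bit cipher with SHA-1 HMAC. It shows why the switch to symmetric encryption is safe: the randoms travel in the clear, but an observer who never learned the pre_master_secret derives keys unrelated to the ones the two endpoints share.

```python
"""TLS 1.0 key derivation (RFC 2246, sections 5 and 6.3) in pure Python 3.
Added example, not code from the original page. It shows the step described above:
once the client has delivered the pre_master_secret under the server's RSA public key
(that RSA step is omitted here), both endpoints turn the pre_master_secret and the two
hello randoms into the same master secret and the same symmetric write keys. The demo
inputs are constructed sample values, not a captured handshake; key and MAC lengths
assume a 128-bit cipher with SHA-1 HMAC."""
import hmac
import os

def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed                                        # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)."""
    half = (len(secret) + 1) // 2                              # S1/S2 share a byte if odd length
    s1, s2 = secret[:half], secret[-half:]
    return bytes(x ^ y for x, y in zip(p_hash("md5", s1, label + seed, length),
                                       p_hash("sha1", s2, label + seed, length)))

def derive_keys(pre_master_secret: bytes, client_random: bytes, server_random: bytes,
                mac_len: int = 20, key_len: int = 16, iv_len: int = 16):
    """Return (master_secret, write keys) exactly as both endpoints compute them."""
    master_secret = tls10_prf(pre_master_secret, b"master secret", client_random + server_random, 48)
    key_block = tls10_prf(master_secret, b"key expansion", server_random + client_random,
                          2 * (mac_len + key_len + iv_len))   # note the reversed random order
    layout = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = key_block[pos:pos + size]
        pos += size
    return master_secret, keys

def handshake_demo() -> dict:
    """Both sides derive identical keys; an eavesdropper without the pre_master_secret does not."""
    client_random = b"\x00\x00\x00\x01" + b"\x11" * 28         # constructed: gmt_unix_time + 28 bytes
    server_random = b"\x00\x00\x00\x02" + b"\x22" * 28
    pre_master_secret = b"\x03\x01" + b"\x42" * 46             # constructed: version + 46 random bytes
    master, client_keys = derive_keys(pre_master_secret, client_random, server_random)
    _, server_keys = derive_keys(pre_master_secret, client_random, server_random)
    _, attacker_keys = derive_keys(b"\x03\x01" + os.urandom(46), client_random, server_random)
    return {"master_secret": master, "client": client_keys, "server": server_keys, "attacker": attacker_keys}
```

`handshake_demo()` returns a 48-byte master secret and identical key dictionaries for client and server, while the attacker's dictionary differs in every entry. The expensive part of the handshake is the single RSA decryption that recovers the pre_master_secret on the server; everything in this block is two HMAC chains, which is why a resumed session (same master secret, new randoms) costs the server almost nothing compared with a full handshake.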

Secure HTTP (SHTTP)

An alternative to HTTPS is Secure HTTP (SHTTP). SHTTP is an extension of the HTTP protocol developed by Enterprise Integration Technologies and documented in RFC 2660. SHTTP is similar in function to HTTPS in that it is designed to secure transactions and messages on the Web. There are, however, several differences. SSL is connection-oriented and operates at the transport level: it creates a secure connection over which transactions are transmitted. SHTTP, on the other hand, is transaction-oriented and operates at the application level: each individual message is encrypted (and optionally signed) for transmission, and no secure pipe is established between the parties. SSL can be used for other TCP/IP application protocols such as FTP and TELNET; SHTTP is specifically designed for HTTP and nothing else. HTTPS enjoys wide acceptance, while SHTTP's use is very limited. In fact, not all Web browsers support SHTTP. Meanwhile, both Netscape Navigator and Internet Explorer support HTTPS, most Web server software supports it, and most e-commerce Web sites use the protocol when obtaining confidential user information.

Under HTTPS the server is usually authenticated to the client through a digital certificate. The strength of the encryption employed can be set by the server but is usually negotiated down to what the client browser is capable of. Until relatively recently there were two types of encryption employed in browsers, depending on whether the browser would be sold in the United States or overseas: the overseas version used weak encryption, the domestic version strong encryption. Weak encryption with SSL and browsers usually means a 40-bit or 56-bit symmetric key; strong encryption means a 128-bit key. The difference in strength between 40-bit and 128-bit encryption is not just 88 bits in an additive sense, and 128-bit encryption is not 88 times stronger than 40-bit encryption. A brute-force search has to try 2^88 times as many keys, which is more than 300,000,000,000,000,000,000,000,000 (3 x 10^26) times the work. Browsers used to employ two different strengths of encryption because of U.S. federal regulations. There were export restrictions on most software, hardware or firmware that included encryption technology. While the export restrictions have been relaxed somewhat, significant rules remain in place. To export their browsers, companies such as Microsoft and Netscape had to offer versions of their software that employed weak encryption. Even with the recent changes to U.S. laws regulating the export of cryptographic technology, many of the browsers installed today still use weak encryption.


In the past, the domestic version of Netscape's Navigator was capable of strong encryption, while its export version was only capable of weak encryption. Microsoft did not really distinguish between domestic and export versions of Internet Explorer: Internet Explorer by default was set to weak encryption, and it was necessary to load a patch to enable strong encryption. Web server software can also be set to use 40-bit or 128-bit encryption. A Web server can be configured to reject browser clients that only offer weak encryption, or it can be configured for strong encryption but still accept browsers that use weak encryption. Therefore, there is really no reason to configure the Web server software to default to 40-bit encryption. Bear in mind that a server which still accepts weak cipher suites exposes every client to a downgrade attack, in which an attacker on the path forces the weak suite to be negotiated and then breaks it; the safer configuration is to disable the weak suites altogether.

There are several ways to tell whether a site uses encryption and how strong that encryption is. The things to look for vary depending on whether you are using Netscape's Navigator or Microsoft's Internet Explorer and which version of either you are running.

Microsoft's Internet Explorer

The following figures illustrate a Web page employing SSL with Internet Explorer 5.0 (IE5). The first indication of SSL is that the URL is preceded by https instead of the normal http. The example depicts a fictitious Internet banking system offered by Any Bank Corporation. The digital certificate is real, but the name of the financial institution has been changed.

Figure 5.2: IE5 employing SSL.

In addition to https being displayed in the URL, when encryption is employed there is also a closed lock at the bottom right-hand side of the browser's screen. I have circled the closed lock at the bottom of the screen. Normally the lock is open, which indicates that encryption is not employed.

Viewing Digital Certificates With Internet Explorer

Normally, to activate SSL on a Web server, a digital certificate must be installed. The certificate is generally obtained from a known CA and installed on the Web server. When visiting a Web site that employs encryption, it is possible to view information on the server's digital certificate. To view this information with Internet Explorer, click on File and then Properties; the Properties window pops up. The following figure illustrates the Properties pop-up window. Viewing the Properties window, we can see that the connection uses SSL 3.0 and RC4 with a 128-bit key, which IE reports as strong (High) encryption. (Both SSL 3.0 and RC4 have since been broken and are disabled in current browsers; the habit of checking what was actually negotiated is still the right one.)


Figure 5.3: IE5 cipher information.
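The Properties window shows what the browser and server negotiated; the server side decides what can be negotiated at all. The following is an added example, not code from the original text, showing how an administrator builds a server TLS context with the weak suites discussed above (export-grade 40/56-bit, RC4, DES, MD5-based and anonymous suites) excluded, and then audits the resulting list to prove that nothing under 128 bits remains offerable. It uses Python's standard ssl module against the OpenSSL build on the host; the cipher-list string is the policy being demonstrated, not a vendor default.

```python
"""Server-side TLS policy check: refuse the weak suites, then prove they are gone."""
import ssl

# OpenSSL cipher-list syntax: start from the HIGH group, then knock out the weak families.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP"


def hardened_server_context() -> ssl.SSLContext:
    """A context for a server (Purpose.CLIENT_AUTH means 'we authenticate clients', i.e. server side)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # SSL 3.0, TLS 1.0 and 1.1 are not offered
    ctx.set_ciphers(HARDENED_CIPHERS)                 # TLS 1.2 suites; TLS 1.3 suites stay enabled
    ctx.options |= ssl.OP_NO_COMPRESSION              # compression leaks plaintext (CRIME)
    return ctx


def weak_ciphers(ctx: ssl.SSLContext, min_bits: int = 128) -> list:
    """Names of enabled suites whose effective key strength is below min_bits (the 40/56-bit class)."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits)


def audit(ctx: ssl.SSLContext) -> dict:
    """The summary a reviewer wants: floor protocol version, suite count, weakest key, weak suites."""
    suites = ctx.get_ciphers()
    return {
        "minimum_version": ctx.minimum_version.name,
        "suite_count": len(suites),
        "min_bits": min(c["strength_bits"] for c in suites),
        "weak": weak_ciphers(ctx),
    }


if __name__ == "__main__":
    report = audit(hardened_server_context())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The same audit() can be pointed at a context built from a production configuration to catch a 40-bit or RC4 suite that crept back in through a permissive cipher string.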

More detailed information on the digital certificate can be obtained by clicking on the Certificates button in the Properties window. This is illustrated in Figure 5.4.

Figure 5.4: IE5 signature algorithm.

By clicking on the Details tab, information can be obtained on the serial number of the certificate, the issuer, and the subject. It is also possible to view the public key in the certificate. Looking at Figure 5.4 we can see that the third field listed is the signature algorithm. In this case it is md5WithRSAEncryption: an MD5 hash of the certificate body, signed with the CA's RSA key. (MD5 is no longer acceptable for certificate signatures; collision attacks against it have been used to forge certificates, and current browsers reject certificates signed with MD5 or SHA-1.) As Figure 5.5 illustrates, information on the issuer (CA) of the digital certificate can also be viewed. We can see that the certificate was issued by RSA Data Security; in this case the RSA certificate was issued through VeriSign. Figure 5.5 also reveals that the public key algorithm in the certificate is RSA. That RSA public key is what the client uses to encrypt the pre_master_secret during the key exchange; the certificate, not RSA, is the vehicle by which the public key itself is distributed.

Figure 5.5: IE5 certificate authority.

As Figure 5.6 illustrates, it is also possible to obtain information on the organization to which the certificate was issued by clicking on the Subject line. In this example we can see that the digital certificate was issued to Any Bank Corporation in San Francisco.

Figure 5.6: IE5 certificate owner.
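What IE displays in the Details tab is read out of the certificate's DER encoding. The following added example (not from the original text) does the same for the signature algorithm field: a minimal tag-length-value walker reaches the AlgorithmIdentifier inside tbsCertificate, decodes its OID, and classifies md5WithRSAEncryption and sha1WithRSAEncryption as weak. The sample certificate is constructed in the block for the demo and is not a validly signed certificate; a real one can be supplied as DER bytes (ssl.PEM_cert_to_DER_cert() converts a PEM file).

```python
"""Extract and classify the signature algorithm of an X.509 certificate from its DER bytes.

Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber,
                           signature AlgorithmIdentifier, issuer, validity, subject, ... },
                           signatureAlgorithm, signatureValue }
"""
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", "ok"),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", "ok"),
}


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER element at pos; return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes) -> list:
    """Split the content of a SEQUENCE into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_oid(content: bytes) -> str:
    """OBJECT IDENTIFIER content to dotted form; the first byte packs the first two arcs as 40*a + b."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der: bytes):
    """Return (algorithm name, verdict) for the tbsCertificate.signature field."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs = children(cert)[0]                         # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                           # EXPLICIT [0] version is absent in v1 certs
        fields = fields[1:]
    _, alg = fields[1]                                 # fields[0] serialNumber, fields[1] AlgorithmIdentifier
    oid_tag, oid = children(alg)[0]
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, (dotted, "unknown"))


# --- DER builders, used only to construct the sample certificate below ---------------------
def der(tag: int, content: bytes) -> bytes:
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    n = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def sample_certificate(sig_oid: str) -> bytes:
    """Constructed skeleton with the real field order. Issuer, validity, subject and key are left
    empty and the signature bytes are zeros: a parser input, not a usable certificate."""
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))            # version v3
              + der(0x02, b"\x01\x00\x01")             # serialNumber
              + alg                                    # signature (must equal outer signatureAlgorithm)
              + der(0x30, b"") + der(0x30, b"")        # issuer, validity
              + der(0x30, b"") + der(0x30, b""))       # subject, subjectPublicKeyInfo
    return der(0x30, tbs + alg + der(0x03, bytes(17)))  # signatureValue BIT STRING, 0 unused bits


if __name__ == "__main__":
    print(signature_algorithm(sample_certificate("1.2.840.113549.1.1.4")))
```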

Viewing the Encryption Strength of IE5

If you don't already know the encryption strength for which your Internet Explorer is configured, it is easy to check. This works for both Internet Explorer 4.x (IE4) and IE5. Chances are that if you are using IE4 you are using weak encryption. Figure 5.7, based on IE5, illustrates how to check your browser: click on Help at the top of the browser and then on About Internet Explorer. A window pops up that lists, among other things, the cipher strength. In Figure 5.7 the cipher strength is 128 bits, that is, strong encryption. This is the strongest encryption the browser is configured to handle; what a given connection actually uses is negotiated with the server and is shown in the Properties window described above.

Figure 5.7: Viewing the browser's encryption strength. (Microsoft IE5 screen shot reprinted by permission of Microsoft Corporation.)

Downloading a Program With an Invalid Certificate

A security warning message is displayed when a user attempts to download a program that does not carry a valid Authenticode signature or whose digital certificate was not issued by a recognized CA. This tells the end user that the program does not carry a certificate verifying that the software is genuine. As a result, the end user should be careful before proceeding, because he or she could be downloading a malicious program. The following figure shows the Authenticode warning. (Screen shot reprinted by permission from Microsoft Corporation.)

Internet Explorer warns that it cannot authenticate the identity of the source of the program, either because the signature is not recognized or because there is no signature. In other words, the program carries a certificate that cannot be verified, or none at all. As such, the software represents a potential danger to the end user's computer and network. Note the converse as well: a valid signature only proves who signed the code and that it has not been modified since; it says nothing about whether the code is safe.

The custom of signing programs or applets is not yet universally practiced. However, it is another good example of how cryptographic technology in general, and digital signature technology in particular, is being employed on the Web. Digital certificates and digital signatures are quickly becoming a ubiquitous part of the WWW. Other examples of how cryptography is being applied on networks.

5. OS/LAN/WAN Security System

Operating System Guidelines

Network security begins at the individual system level. As the saying goes, a chain is only as strong as its weakest link, and a network is nothing more than a chain of systems. As a result, for a network to have a high level of security, all of the systems on the network must be properly administered and monitored. Very few organizations adequately administer and monitor the systems that reside on the internal network. Key to a defense in depth is a multitiered strategy for network and system security, and this defense-in-depth approach requires more of a commitment than most organizations are willing to make. Instead, most organizations employ a perimeter defense. This approach relies on hardened border systems, usually firewalls and routers, designed to monitor and control traffic between an internal trusted network and an external untrusted network, on the assumption that the perimeter will secure the internal systems.

There are a number of problems with the perimeter defense. First, if an organization's border systems are ever compromised, the entire internal network could be open to attack. Hardening the internal systems can reduce the damage from the breach of a perimeter system, and at the very least adequate monitoring of the internal systems may detect a breach from the outside. Second, every organization that uses computers faces the threat of attack from individuals within the organization, who are already inside the perimeter. Employees with malicious intent who want to obtain information such as employee salaries, or to view other employees' files, are also a threat to an organization's computers and networks.


Critical systems should be configured to log logins, failed logins, and network activity, and almost every operating system and NOS has utilities for this. UNIX in particular can be configured to record all sorts of activity that can be reviewed for security purposes. For example, almost every version of UNIX records logins in the wtmp file and records failed login attempts (on most Linux systems today in /var/log/btmp, read with lastb, and in the authentication log or the systemd journal). One simple security measure an organization can employ for UNIX systems is to review the failed-login log on a daily basis. This log lists every failed attempt to log into the system and can give the first indication of someone probing it. Depending on the version of UNIX, an organization may even be able to determine whether the attempted login came over the network, and the IP address from which the connection originated.

Some system administrators question the wisdom of keeping a failed-login log. They believe the log may inadvertently record the password for an account, if the account name and password are entered out of sequence. This is more than a theoretical possibility: a password typed at the "login:" prompt is recorded as a failed login for a non-existent username, so the failed-login log must be readable by root only and treated as sensitive. That is a reason to protect the log, not to do without it.

When reviewing the failed-login log, multiple entries for a single account may indicate that something is wrong and should be investigated. Unfamiliar IP addresses attempting to connect to the system should also be investigated. Both could be indications that someone is probing the system. Another useful UNIX log is the sulog. Most versions of UNIX record failed attempts to switch to another user with the su command in the sulog. Entries in this log may be the result of someone probing a system and attempting to gain privileged access, and any entry should be traced to determine whether it is legitimate. Some accounts have legitimate reasons for using su; for example, the operator's or administrator's accounts may frequently su to root. If, however, the log shows someone attempting to su to root who should not be performing such a function, the occurrence should be investigated.


Another log that can be useful is the wtmp log. This file records information for every account that logs in and out of a system, giving the time and duration of each login. For most versions of UNIX, an organization can also determine whether the connection came from a tty, a telnet or rlogin session, or an ftp session, since they are distinguished by the device type recorded. The wtmp file is stored in a binary format, so it is necessary to use the "last" command to display its contents. A simple daily review of this file can turn up anomalous behavior, for instance an ftp connection from an account that shouldn't be using ftp, or accounts logging in at odd hours.

Since these logs reside on the system's local disk, it is possible for someone who has compromised the system to alter them. It is recommended that hardcopy printouts of the logs be generated daily for review and storage, and that the log files be cleared daily or weekly. There are a couple of reasons for this. First, it reduces the risk of the files being altered. Second, in the event the system is ever compromised, the printouts may be needed to determine exactly when the system was first compromised. The process of printing and clearing the files can be automated relatively easily. The modern equivalent of the printout is to forward log records as they are written to a separate, hardened log host (via syslog or a SIEM) that the monitored systems cannot write to retroactively; the principle, keep a copy the intruder cannot reach, is the same.

Windows NT Server also offers the capability to monitor various events through the Event Viewer. Windows NT Server records events that affect system components, security, and applications. The system log records events that affect drivers, printers, hardware and other components; the application log records events that affect software and files; the security log records events such as failed logins and changes to user rights or audit policies. An organization can view all events at once or filter for one component. The Windows NT auditing feature records which resources were accessed, who accessed them, and what action was attempted; the Event Viewer also shows whether the attempt was successful. Figure 7.1 illustrates the Event Viewer with a filtered view of security events; the security events displayed are failed logins. An organization can obtain detailed information about a particular event in the security log by double-clicking on that event.
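Returning to the UNIX logs: the daily review described above (repeated failures per account, failures from unfamiliar addresses, su attempts by the wrong accounts, and the wtmp review for ftp sessions and odd-hour logins) is straightforward to automate. The following is an added example, not part of the original text. The authentication-log lines and the `last` output are constructed for the demo in the syslog style written by OpenSSH and util-linux su and in the util-linux `last` column layout; the known-address list, the accounts allowed to su or use ftp, and the office hours are illustrative policy.

```python
"""Daily review of UNIX login logs: failed logins and su attempts, then wtmp via `last` output."""
import re
from collections import Counter

FAILED_PW = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port")
FAILED_SU = re.compile(r"FAILED SU \(to (\S+)\) (\S+) on")

KNOWN_SOURCES = {"10.0.0.5", "10.0.0.7"}       # addresses that normally log in here
MAY_SU_TO_ROOT = {"oper", "sysadm"}            # accounts with a legitimate reason to su
MAY_USE_FTP = {"ftpuser"}
OFFICE_HOURS = range(7, 20)                    # 07:00 to 19:59 counts as normal
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

AUTH_LOG = """\
Mar  4 02:14:01 srv sshd[1201]: Failed password for root from 203.0.113.50 port 51022 ssh2
Mar  4 02:14:03 srv sshd[1201]: Failed password for root from 203.0.113.50 port 51024 ssh2
Mar  4 02:14:05 srv sshd[1203]: Failed password for invalid user hunter2 from 203.0.113.50 port 51030 ssh2
Mar  4 08:30:12 srv sshd[1310]: Failed password for alice from 10.0.0.5 port 40100 ssh2
Mar  4 08:30:20 srv sshd[1310]: Accepted password for alice from 10.0.0.5 port 40100 ssh2
Mar  4 09:02:44 srv su[1402]: FAILED SU (to root) bob on pts/1
Mar  4 09:05:10 srv su[1410]: Successful su for root by oper
"""

LAST_OUTPUT = """\
alice    pts/0        10.0.0.5         Mon Mar  4 09:12   still logged in
bob      ftpd1234     203.0.113.9      Mon Mar  4 02:47 - 02:49  (00:02)
root     tty1                          Sun Mar  3 23:58 - 00:10  (00:12)
carol    pts/2        10.0.0.7         Mon Mar  4 14:03 - 14:30  (00:27)
"""


def review_auth_log(text: str, threshold: int = 2) -> dict:
    """Repeated failures per account, failures from unfamiliar sources, and su attempts by accounts
    that should not be escalating. 'invalid user' names are attacker-controlled and may be a
    mistyped password (hunter2 above), which is why this log must stay root-readable."""
    per_account, per_source = Counter(), Counter()
    invalid_users, bad_su = [], []
    for line in text.splitlines():
        m = FAILED_PW.search(line)
        if m:
            invalid, user, src = m.groups()
            per_account[user] += 1
            per_source[src] += 1
            if invalid:
                invalid_users.append(user)
            continue
        m = FAILED_SU.search(line)
        if m and m.group(2) not in MAY_SU_TO_ROOT:
            bad_su.append((m.group(2), m.group(1)))
    return {
        "repeated_failures": sorted(a for a, n in per_account.items() if n >= threshold),
        "unknown_sources": sorted(s for s in per_source if s not in KNOWN_SOURCES),
        "invalid_users": invalid_users,
        "suspicious_su": bad_su,
    }


def review_last(text: str) -> list:
    """Walk `last` output: ftp sessions (device ftpd*) from accounts not allowed ftp, and logins
    outside office hours. Returns (account, reason) pairs."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        user, tty = f[0], f[1]
        i = 2 if f[2] in WEEKDAYS else 3          # host column is blank for console (tty) logins
        hour = int(f[i + 3].split(":")[0])        # f[i] weekday, +1 month, +2 day, +3 HH:MM
        if tty.startswith("ftp") and user not in MAY_USE_FTP:
            findings.append((user, "ftp session from account not permitted ftp"))
        if hour not in OFFICE_HOURS:
            findings.append((user, f"login at {hour:02d}h, outside office hours"))
    return findings


if __name__ == "__main__":
    print(review_auth_log(AUTH_LOG))
    for account, reason in review_last(LAST_OUTPUT):
        print(account, reason)
```

On a real host, feed review_auth_log() the authentication log (or `journalctl -u ssh` output) and review_last() the output of `last`; the thresholds and allow-lists are where the organization's own policy goes.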

Figure 7.1: Windows NT Event Viewer.

Figure 7.2 shows the detailed information for the selected event. In Figure 7.2 we can see that someone attempted to log in to the system with the username DEBBIE. The login failed either because the username did not exist or because the password was incorrect; Windows NT deliberately reports both cases the same way, so that the event itself does not confirm to an attacker which usernames exist.

Figure 7.2: Windows NT Event Viewer.


All the measures described above comprise a first step to securing and monitoring a system. These rudimentary steps can help identify when a system is being probed. Other measures should also be taken to safeguard and firewall systems. Several tools are available that enhance an administrator's ability to monitor his or her systems; some are discussed at the end of this chapter, and Chapter 15 describes others. Organizations need to determine what measures are necessary for their systems based on their environment. These measures are no substitute for a firewall, but having a firewall is no excuse not to monitor a system. If a system or systems sit in an environment where the network is potentially hostile, additional measures are most certainly in order. Even if a system sits on a secure or trusted network or behind a firewall, it is still necessary to secure and monitor it. Network security begins at the individual system level. An organization has no idea whether the next system administrator down the line is doing his or her job properly; in fact, employees could be hanging dial-up connections off the system without proper security measures. Remember, a network is only as secure as the individual systems on that network.

Passwords

The first measure of a system's security is how effective it is in identifying and authenticating its users. There are three basic factors for identification and authentication: something you know, something you have, or something you are. The most commonly employed factor is "something you know," and the most widely implemented variation of it is the password. Passwords are used by almost every system or network as the first and usually only means of identification and authentication. Even though passwords are the most widely deployed authentication scheme, they are perhaps the weakest link in any system security scheme. However, there are a number of measures an organization can take to lessen the risks associated with the use of passwords. Obviously, passwords should never be shared between end users or employees.


Accordingly, every organization should have a policy that clearly states the users' responsibility to maintain password secrecy and the consequences of failing to do so. Meanwhile, however, people too often use passwords that are too short and/or too easy to guess, or they simply never change them. There are programs known as "crackers," easily obtained from the Internet, that can be run on most systems to recover the passwords behind the hashes in the password file. Even if a password is encrypted for transmission between a client and a server, it can be captured and retransmitted later as part of a "replay attack." Countermeasures for this include one-time passwords, tokens, or schemes such as Kerberos. There are four general types of attacks on system passwords:

• Brute force;
• Dictionary-based;
• Password sniffing;
• Social engineering.

Brute Force

Brute-force attacks attempt to breach systems by trying every possible combination of characters until a match is found that provides access to the system. A brute-force attack is most effective if passwords are short and consist only of letters or only of numbers, not a combination of both. The longer the password, the more effort it takes to attempt every possible combination: each additional character multiplies the search space by the size of the character set, so making a password a mix of letters, numbers, and special characters increases the difficulty exponentially. Against a live login prompt, account lockout and rate limiting blunt brute force; against a stolen password file there is no such limit, which is why the hash algorithm itself must be slow.


Dictionary-Based

Dictionary-based attacks are much more effective than the brute-force approach. Many operating systems maintain a password file, a database of usernames and passwords in which the passwords are almost always stored in hashed form rather than in the clear. Dictionary-based attacks use programs that hash every word in a dictionary file, in the same way the system does, and compare the results to the hashes in the password file. When a match is found, a password is found. Obviously, the dictionary-based method is most effective against passwords that are common or known words, names, or terms. Some systems try to get around this problem by not having a password file or not storing passwords. Windows NT, for instance, does not store passwords in a password file; instead NT stores the hashed values of the passwords (in the SAM database). Storing only a hash is the norm, though, and it does not defeat the attack: the cracker simply hashes its candidates the same way. Password-cracking programs exist for all computer platforms and NOSs.
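Both attacks described above, brute force and dictionary-based, against a stored password file, as an added example that is not part of the original text. The password file is constructed for the demo and uses a toy storage format, salt$hex(sha256(salt + password)), so that the mechanics are visible; real systems should store passwords with a deliberately slow hash such as bcrypt, scrypt or Argon2, which is exactly what makes both attacks expensive. The wordlist and mangling rules are illustrative.

```python
"""Dictionary and brute-force attacks against a (toy) hashed password file."""
import hashlib
import itertools
import string

WORDLIST = ["password", "summer", "letmein", "welcome", "dragon"]


def hash_password(password: str, salt: str) -> str:
    """Stored form: salt$hex(sha256(salt + password)). The salt is per user and stored in the clear."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def verify(password: str, stored: str) -> bool:
    salt = stored.split("$", 1)[0]
    return hash_password(password, salt) == stored


# Constructed sample file: three users, three password habits.
PASSWORD_FILE = {
    "alice": hash_password("Summer1", "x7Qp"),       # dictionary word plus a common mangling
    "bob":   hash_password("dog", "Lm2z"),           # short, lowercase only
    "carol": hash_password("Tr0ub4dor&3", "p9Ws"),   # mixed classes, in no list
}


def mangle(words):
    """Yield each word and the variants users most often apply to it."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "!", "2024"):
                yield base + suffix


def dictionary_attack(password_file: dict, wordlist) -> dict:
    """Hash every candidate under each user's salt and compare. Per-user salts force the attacker
    to redo the work for every account instead of once for the whole file."""
    candidates = list(mangle(wordlist))
    cracked = {}
    for user, stored in password_file.items():
        salt = stored.split("$", 1)[0]
        for cand in candidates:
            if hash_password(cand, salt) == stored:
                cracked[user] = cand
                break
    return cracked


def brute_force(stored: str, alphabet: str = string.ascii_lowercase, max_len: int = 4):
    """Exhaustive search over alphabet^1 .. alphabet^max_len. The cost grows by a factor of
    len(alphabet) per extra character, the argument for length and mixed character classes."""
    salt = stored.split("$", 1)[0]
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if hash_password(cand, salt) == stored:
                return cand
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force search must cover in the worst case."""
    return alphabet_size ** length


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(PASSWORD_FILE, WORDLIST))
    print("brute force on bob:", brute_force(PASSWORD_FILE["bob"]))
    print("8 lowercase letters:", keyspace(26, 8), "vs 8 printable ASCII:", keyspace(95, 8))
```

The dictionary pass recovers alice's "Summer1" in a few hundred hashes; bob's three-letter password falls to exhaustive search; carol's survives both because it is in no list and too long for the search, which is the whole point of the password guidelines later in this chapter.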

Password Sniffing

Network sniffing or packet sniffing is the process of monitoring a network to gather information that may be useful in an attack. One of the things that can be observed through network sniffing is passwords. With the proper tools, an attacker can monitor network packets to obtain passwords or IP addresses. Password sniffing is particularly a threat for users who log into a system over a network using telnet, rlogin, ftp, or a terminal emulator. For example, when a user logs into a UNIX system over a network using telnet, the password is transmitted to the system as cleartext. The system passes the cleartext password through the password hashing algorithm and compares the result to the value stored in the password file; if they match, the user is authenticated and allowed access. Generally, programs such as telnet, rlogin, and terminal emulators do not encrypt passwords entered at login for transmission to the system. As a result, when a user enters his or her password, it is transmitted in the clear, and anyone monitoring the network with a sniffer can read it.


There are several different network sniffer programs available; some are commercial products and some are freeware. Figure 7.3 shows Network Associates' Sniffer Pro, a commercial product typically used to monitor and diagnose network performance problems. In Figure 7.3, the system running Sniffer Pro is on a small test network with two other systems, to demonstrate network sniffing. For demonstration purposes, a telnet session is initiated from one system to the other. Figure 7.3 illustrates how Sniffer Pro captures the IP addresses of the two systems and the fact that the connection is a telnet session.

Figure 7.3: NAI's Sniffer Pro.

Figure 7.4 shows the detail information on the session. In Figure 7.4, the captured account username and password are listed in the "last user name" section. In this case the account is "root," and the password is "secret-password." If I were a hacker, I could capture this information and gain privileged access to the system.

Figure 7.4: NAI's Sniffer Pro.
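What the sniffer's "last user name" panel does with a telnet session, as an added example (not from the original text or from the Sniffer Pro product). A telnet login is cleartext apart from option negotiation, so reconstructing the credential is a matter of stripping the IAC command sequences (RFC 854) and pairing the client's keystrokes with the server's prompts. The capture below is constructed: TCP payload segments in the order a packet capture would deliver them, with s2c meaning server to client and c2s client to server. Real input would be the payloads pulled out of a pcap.

```python
"""Reconstruct a telnet login from captured TCP payloads."""

IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254

# Constructed capture of one login; the client side echoes keystroke by keystroke as telnet does.
CAPTURE = [
    ("s2c", b"\xff\xfd\x18\xff\xfd\x20"),          # IAC DO TERMINAL-TYPE, IAC DO TSPEED
    ("c2s", b"\xff\xfb\x18"),                      # IAC WILL TERMINAL-TYPE
    ("s2c", b"\xff\xfa\x18\x01\xff\xf0"),          # IAC SB TERMINAL-TYPE SEND IAC SE
    ("s2c", b"\r\nlogin: "),
    ("c2s", b"r"), ("c2s", b"o"), ("c2s", b"o"), ("c2s", b"t"), ("c2s", b"\r\n"),
    ("s2c", b"Password: "),
    ("c2s", b"secret-password\r\n"),
    ("s2c", b"\r\nLast login: Mon Mar  4 09:12\r\n# "),
]


def strip_telnet(data: bytes) -> bytes:
    """Remove telnet command sequences and return the application bytes."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                                       # command truncated at segment end
        cmd = data[i + 1]
        if cmd == IAC:                                  # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                                 # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif WILL <= cmd <= DONT:                       # three-byte option command
            i += 3
        else:                                           # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def extract_credentials(segments) -> dict:
    """Pair the client's next line with the server prompt that asked for it."""
    creds, pending, buf = {}, None, b""
    for direction, payload in segments:
        data = strip_telnet(payload)
        if direction == "s2c":
            low = data.lower()
            if b"login:" in low or b"username:" in low:
                pending, buf = "login", b""
            elif b"password:" in low:
                pending, buf = "password", b""
        elif pending:
            buf += data
            if b"\r" in buf or b"\n" in buf:
                line = buf.replace(b"\r", b"\n").split(b"\n", 1)[0]
                creds[pending] = line.decode("ascii", errors="replace")
                pending = None
    return creds


if __name__ == "__main__":
    print(extract_credentials(CAPTURE))    # the same root / secret-password pair the figure shows
```

Nothing here is clever, which is the point: the protocol hands the credential over in the clear, and any host that can see the segment can collect it.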

Sniffer Pro, like most network sniffers, can store all captured information to a log file. As a result, an attacker could start up the network sniffer and leave it running for hours or days, then retrieve the log file and scan all captured network activity at leisure. The risk associated with telnet and ftp is not confined to UNIX. These utilities can also be used to connect to a Windows NT or 2000 server, although they are most often used in the UNIX arena; the Windows graphical user interface, with its click-and-drag capabilities, makes utilities such as telnet and ftp largely superfluous. However, even Windows and Novell passwords can be vulnerable if the login traffic is captured by someone using a packet sniffer.

When a user logs into Windows NT, the password is hashed at the workstation before anything is transmitted to the server. Windows NT uses MD4 as the hashing algorithm (the NT hash is MD4 over the UTF-16 encoding of the password, with no salt). The hash itself is not sent either: the server issues a challenge, the workstation computes a response from the challenge and the hash, and the server verifies the response against the hash it holds in the SAM. If they match, the user is authenticated and allowed access to the system or network. A user logging into a Windows NT server typically sends his or her username and domain name across the network in cleartext. Someone on the network with a sniffer can capture those together with the challenge and the response. The challenge/response pair does not reveal the hash directly, but it lets the attacker test candidate passwords offline: hash a guess, compute the response it would produce for the captured challenge, and compare with the captured response. That is a dictionary-based attack on the exchange, and it needs no further contact with the server.


Windows NT does allow for optional authentication protocols, but NT LAN Manager (NTLM) is the primary authentication protocol employed by NT. For Windows 2000, Microsoft has replaced NTLM with Kerberos as the primary security protocol for access to resources within or across Windows 2000 server domains. However, Kerberos can only be used between Windows 2000 systems; all other Windows clients must still use NTLM, and a domain that keeps NTLM enabled for their sake keeps the sniffing exposure described above. In addition, Microsoft has been criticized for using proprietary data formats in its implementation of Kerberos.

With Novell, the process is as follows. When a user logs into NetWare, the workstation receives a session key from the server. The workstation encrypts the password using a combination of the session key and the user ID before transmitting it to the server. The server receives the encrypted password, decrypts it, and authenticates the end user. Someone on the network with a packet sniffer could capture the encrypted password in transit and subject it to a dictionary-based attack. The Windows NT and Novell NetWare schemes that protect passwords in transit make it more difficult to obtain passwords, but not impossible.

Password Sniffing Countermeasures

There are several steps an organization can take to reduce or eliminate the risks associated with network packet sniffers. One is to use network switches instead of network hubs. Switches can segment a network and create virtual LANs (VLANs), which divide a switch into network segments that cannot see each other's packets. Switching raises the bar but is not a complete defense: an attacker on the same segment can still redirect traffic through ARP spoofing or flood the switch's address table, so switching should be combined with encryption rather than substituted for it. Another approach is to use a program like SSH, a UNIX program designed to provide strong authentication and secure communications over an unsecured network. SSH is designed to be used in place of other programs such as telnet, rlogin, rsh, and rcp. SSH communications can be encrypted using IDEA, DES, 3DES, or RC4, and encryption keys are exchanged using RSA. (That describes SSH protocol version 1, which is now obsolete. SSH-2, the version in use today, negotiates keys with Diffie-Hellman and uses modern ciphers such as AES and ChaCha20; SSH-1 should be disabled wherever it is still offered.) SSH can protect against IP spoofing, IP source routing, DNS spoofing, and interception of cleartext passwords and other data by intermediate hosts. SSH can be purchased from various sources or downloaded at no charge from a number of sites on the Web.


Another countermeasure to password sniffing is to use one-time passwords. There are several different one-time password schemes. The most widely implemented scheme employs smart cards or token cards. One of the best known products is RSA's SecurID, which uses a time-based token card (see Figure 7.5). The card displays a number that is synchronized with a login server; to access a system employing SecurID, it is necessary to enter the number the card currently shows. The number changes at a fixed interval and cannot be predicted without the card's secret seed, so a value captured on the network is worthless once its interval has passed.

Figure 7.5: SecurID.
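The two one-time-password schemes described here and in the following paragraph, the time-synchronised token and the challenge/response card, as an added example that is not part of the original text and not SecurID's proprietary algorithm. It uses the open standards that work the same way: RFC 4226 HOTP as the primitive, RFC 6238 TOTP for the time-based code (the counter is the clock, so token and server agree without exchanging anything), and HOTP over a random server challenge for the challenge/response variant. Standard library only; the shared secret is the RFC test-vector key, not a production value.

```python
"""One-time passwords: time-based (TOTP) and challenge/response, both built on HOTP."""
import hmac
import os
import struct
import time

SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret; a real token has its own seed


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP(K, C): dynamic truncation of HMAC(K, C) to `digits` decimal digits (RFC 4226 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """TOTP = HOTP(K, floor(T / step)). Token and server derive the same counter from the clock,
    which is what 'synchronized with a login server' means for a time-based card."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, skew_steps: int = 1, step: int = 30) -> bool:
    """Server side: accept the current window and +-skew_steps neighbours to tolerate clock drift.
    A sniffed code stops working as soon as its window has passed."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-skew_steps, skew_steps + 1))


def issue_challenge() -> int:
    """Challenge/response variant: the server sends a fresh random challenge."""
    return int.from_bytes(os.urandom(8), "big")


def respond(secret: bytes, challenge: int) -> str:
    """What the card displays after the user keys in the challenge."""
    return hotp(secret, challenge, digits=8)


def verify_response(secret: bytes, challenge: int, response: str) -> bool:
    """The challenge is never reused, so a captured response is useless for any later login."""
    return hmac.compare_digest(respond(secret, challenge), response)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("current TOTP:", code, "accepted now:", verify_totp(SECRET, code, now),
          "accepted 10 minutes later:", verify_totp(SECRET, code, now + 600))
    ch = issue_challenge()
    print("challenge", ch, "response", respond(SECRET, ch), verify_response(SECRET, ch, respond(SECRET, ch)))
```

The server-side skew window is the operational knob: too wide and a captured code stays valid longer, too narrow and a token with a drifting clock locks its owner out.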

Other smart card products employ a challenge/response scheme. When you attempt to log in, the system issues a challenge. The user enters the challenge into a card that the user keeps; the card then displays the appropriate response, and the user enters that response into the system to gain access. Each challenge is fresh and so is its response, so it does not matter if the response is sniffed and captured on the network: the pair is only valid for that moment and will not be accepted again.

Password Guidelines

Passwords should be at least eight characters long, drawn from letters, digits and special symbols, and should not be known words or names that can be found in a dictionary. Users should be restricted from using all numbers or all letters in a password. The maximum number of times any single character may be repeated in a password should be restricted to three; this prevents passwords that are all one letter or digit, such as aaaaaaaa or 22222222. If possible, users should be required to use at least six distinct characters in an eight-character password. Some systems allow you to assign a mask that dictates the password format. Other things to avoid as passwords include telephone numbers, license plates, and birthdates. Whenever possible, include special symbols (such as !@#$%^&*) in passwords. System controls should be configured to prevent users from reusing a password, or at least to require that 36 weeks pass before a password can be reused. If possible, the controls should also require that eight to ten new passwords be used before an individual can reuse an old one. Passwords should have a minimum and a maximum life. The minimum life should be a few days to a week; the maximum life should be 45 days, and all system and network accounts should be forced to change their passwords at least every 45 days. (Current guidance, notably NIST SP 800-63B, has moved away from mandatory periodic changes and composition rules in favour of longer passwords, screening against lists of known-breached passwords, and forced changes only on evidence of compromise. The rules here reflect the practice of the time and are still what many legacy systems enforce.)

Passwords should have a minimum life to prevent someone from changing an account's password enough times in a single day to cycle past the reuse restriction and return to the old password. The minimum life also prevents an attacker from changing an account's password and then changing it back to the original to avoid detection.
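The guidelines above encoded as a checker, as an added example that is not part of the original text: minimum of eight characters, not all letters or all digits, no character repeated more than three times, at least six distinct characters, no dictionary word (with or without trailing digits), nothing equal to or containing the username, nothing that looks like a phone number, licence plate or date, no reuse within the last eight passwords or 36 weeks, and a minimum age before the next change. The dictionary, password history and dates are constructed for the demo; history entries are stored as SHA-256 fingerprints so old passwords are not kept in the clear.

```python
"""Password policy checker for the guidelines in this section."""
import hashlib
import re
from datetime import date, timedelta

DICTIONARY = {"password", "summer", "manager", "service", "welcome", "dragon", "letmein"}
MIN_LENGTH, MAX_REPEAT, MIN_DISTINCT = 8, 3, 6
HISTORY_DEPTH, HISTORY_WEEKS = 8, 36
MIN_AGE_DAYS, MAX_AGE_DAYS = 3, 45


def fingerprint(password: str) -> str:
    """How the history remembers an old password without storing it."""
    return hashlib.sha256(password.encode()).hexdigest()


def looks_like_number_or_date(pw: str) -> bool:
    """Telephone numbers, licence plates and dates, the examples the guidelines call out."""
    digits = re.sub(r"\D", "", pw)
    phone = re.fullmatch(r"\d{3}[-. ]?\d{3}[-. ]?\d{4}", pw)
    plate = re.fullmatch(r"[A-Z]{1,3}[- ]?\d{3,4}[- ]?[A-Z]{0,3}", pw.upper())
    date_like = len(digits) in (6, 8) and re.fullmatch(r"[\d/.-]+", pw)
    return bool(pw.isdigit() or phone or plate or date_like)


def check_password(username: str, password: str, history: list, today: date) -> list:
    """Return the violated rules (empty list means acceptable).
    history: list of (fingerprint, date_set) tuples, newest first."""
    problems = []
    pw, low = password, password.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isalpha() or pw.isdigit():
        problems.append("all letters or all digits")
    if pw and max(pw.count(ch) for ch in set(pw)) > MAX_REPEAT:
        problems.append(f"a character repeats more than {MAX_REPEAT} times")
    if len(set(pw)) < MIN_DISTINCT:
        problems.append(f"fewer than {MIN_DISTINCT} distinct characters")
    if low in DICTIONARY or re.sub(r"\d+$", "", low) in DICTIONARY:
        problems.append("dictionary word (with or without trailing digits)")
    if username.lower() in low:
        problems.append("same as or contains the username")
    if looks_like_number_or_date(pw):
        problems.append("looks like a phone number, licence plate or date")
    fp = fingerprint(pw)
    for i, (old_fp, when) in enumerate(history):
        if old_fp == fp and (i < HISTORY_DEPTH or today - when < timedelta(weeks=HISTORY_WEEKS)):
            problems.append("reused a recent password")
            break
    if history and today - history[0][1] < timedelta(days=MIN_AGE_DAYS):
        problems.append(f"current password is younger than {MIN_AGE_DAYS} days")
    return problems


def expired(last_changed: date, today: date) -> bool:
    """Maximum life: force a change after MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


# Constructed account state for the demo.
TODAY = date(2024, 3, 4)
HISTORY = [(fingerprint("Winter#2023x"), date(2024, 1, 20)),
           (fingerprint("Autumn#2023x"), date(2023, 12, 1))]

if __name__ == "__main__":
    for candidate in ("aaaaaaaa", "Summer1", "debbie2024!", "555-123-4567", "Winter#2023x", "Tr0ub4dor&3"):
        print(f"{candidate:14} {check_password('debbie', candidate, HISTORY, TODAY) or 'OK'}")
    print("expired:", expired(HISTORY[0][1], TODAY))
```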


Passwords must never be the same as the account username, nor should a password be something associated with the account username (for example, username = system, password = manager). Years ago I worked on Digital Equipment Corporation (DEC) VAX/VMS systems. All VAX systems had two special account usernames, one called "system" and the other called "field." The "system" account was intended for the system administrator, and the "field" account for DEC field service technicians. At more than one site at which I worked, the "system" account had the password "manager" or "administrator," and the "field" account had the password "service." Back then it was not uncommon to find those usernames and passwords in use on many of the VAX systems installed. Some systems can generate passwords that consist of a random combination of letters and numbers. System-generated passwords are usually not susceptible to dictionary attacks. However, speaking from personal experience, I do not recommend system-generated passwords. They are difficult to remember, which causes users to write them down, thereby creating a security hole rather than plugging one. If the password is not selected by the end user, it has no meaning and nothing to make it easily remembered. When end users cannot remember passwords, they write them down on little yellow sticky notes and stick them on their computers or monitors, or they call the IT help desk every other day and ask for a new password. (A password manager changes this calculation: random passwords become practical when the user never has to remember or type them.)

Most systems store passwords in hashed form. Most versions of UNIX also support shadow password files, which add an extra level of security by keeping the password hashes in a separate file from the world-readable "passwd" file. The shadow file can be read only by "root," not by normal system users, which puts the hashes out of reach of an ordinary user running a cracker. It has been my experience that it is sometimes necessary to share a password for a privileged account with someone outside the organization.


Usually this is necessary when a vendor is installing a system or providing support. In these circumstances, I recommend that you change the password for the privileged account to something innocuous so the vendor can log into the system to work, and then change it again immediately when the vendor has finished. Individuals outside the organization should never hold passwords to privileged accounts; where the platform allows it, a separate, time-limited and audited account for the vendor is preferable to lending out the administrator's. Many systems, when first installed, have system accounts with preset passwords or no passwords at all. If these accounts are not needed they should be deleted; if they are required, reset the passwords.

Access Control

Once a system identifies and authenticates an account as having legitimate access to the system, the end user is allowed to log in. Once logged in, the user is given authorization to access system resources such as files; this authorization can be thought of as access privileges. Discretionary privileges are defined by an access control list (ACL). An ACL is the mechanism that restricts or grants access to a system's resources. Each system resource or object has an ACL, which lists the users or entities that can access that resource, and each entry within the ACL defines the access rights that entry has to the resource: whether the user or entity has read, write, or delete access, and so on. In other words, the ACL specifies the permission that must have been granted, with respect to a protected resource, for an access to succeed. It is stating the obvious to say that an organization should use some method of controlling employee access to its systems and networks. This can include a menu system or some other mechanism for monitoring and controlling access levels to data and applications. ACLs should be assigned for the network and for individual systems. Even Windows-based client/server applications are designed with back-end methods of controlling access to their various functions.

Permissions

Most computers and NOSs employ the concept of "permissions" for controlling access. Permissions specify what operations different users can perform on specific files and directories. Every user is assigned a level of access to each directory and file. Every user and file is also assigned to a group, and groups can be named in the ACL. Rather than having separate entries for each individual of a common group, a single entry for the group in the ACL can specify the permissions for all of its members. With most systems there are at least three or four levels of permission:

• Read: An end user assigned this access level, either to a file or a directory, has the ability to read and view the contents and properties.
• Write: An end user assigned this access level, either to a file or a directory, has the ability to write to or alter a file or create files in the directory, and in some cases to alter the access rights to a directory or to files in the directory.
• Execute: This privilege, when granted, allows the end user to execute programs in a given directory.
• Delete: This access right allows the end user to delete a file, a directory, or files in a directory.

With most computers and NOSs, file access is divided into three levels that depend on the relationship of the user to the file: owner, group, and public or world. (In addition, each "group" is assigned access levels to particular resources.) These levels are described as follows.

• Owner: This refers to the owner of a file or resource. The owner is designated either by virtue of having created the resource or by being given, or taking ownership of, the resource. The owner of a particular resource usually has read, write, execute, and delete rights to the resource, but that is not always the case. It is not uncommon for an owner of a resource to accidentally remove all of his or her access rights to it. This can be done by removing all permissions from the file or by transferring ownership of the file to someone else. If ownership has been transferred, the user usually cannot get the rights back without assistance from a system administrator.


• Group: This refers to users that share a common bond, such as working in the same department. For example, all users in human resources would belong to one group. The users within the human resources group can be assigned read, write, execute, or delete access to a particular file. The ACL for the resource could specify that all individuals in the human resources group are granted read, write, execute, and delete permission. Other groups could be excluded from having any permissions or could be given limited access, perhaps read only.
• World or public: This refers to the access level that everyone has to a resource. With Windows this group is designated as Everyone. The world can be assigned read, write, execute, or delete access to a particular resource, such as a file or directory, but it is usually restricted to read access for security reasons. Frequently, resources on a network such as printers or a shared directory available to all users will have limited access levels assigned to the world or public group. Printers in particular require some level of access so that print jobs can be sent to them. You just need to ensure that the access levels are only those needed to function. You should be careful about giving the world or public group "delete" level access to any resource. For example, if you give the world delete access to a network printer, then anyone can delete that resource, either accidentally or maliciously.

In contrast, UNIX uses only three permissions: read, write, and execute. The following figure illustrates the file permissions assigned in a UNIX file system; the access rights are displayed in the column on the far left-hand side, while the file name is in the column on the far right-hand side.

Figure 7.6: UNIX file permissions.

The permissions in the left-hand column consist of 10 letters or dashes (-). The first character indicates the file type. If the line begins with a "d" then it is a directory, while an "l" indicates a symbolic link. If the line begins with a "-" then it is a regular file. (Other first characters, such as "c", "b", "p", and "s", denote character devices, block devices, named pipes, and sockets.) The next nine characters indicate the access rights for the three categories of owner, group, and other. "Other" is the UNIX equivalent of world or public. The first three of the nine characters are the access rights for the owner, the next three for the group, and the last three for other. In Figure 7.6 the first line shows that the file TCPWRAP.TAR has the access rights "rw-rw-rw-". All three categories have read (r) and write (w) access, but not execute. Two points are worth remembering when reading these strings. First, only one category applies to a given user: the owner bits if the user owns the file, otherwise the group bits if the user belongs to the file's group, otherwise the other bits, so an owner who has cleared the owner bits is locked out even if "other" still has the right. Second, UNIX has no separate delete permission; deleting a file requires write (and execute) permission on the directory that contains it, not on the file itself. The next figure illustrates an example where the owner has read and write access, the group has read and execute access, and other has only read access.

Figure 7.7: Group access privileges.

Microsoft's Windows NT also employs ACLs and the concept of groups. Figure 7.8 illustrates the User Manager utility in NT. Various accounts, such as Administrator, Guest (a built-in account that cannot be deleted and should therefore be disabled), John, and other default accounts are listed in the top half of the screen. In the bottom half of the screen, the various groups are listed. They include Administrators and Power Users. They could also include groups such as human resources and accounting.

Figure 7.8: Windows NT Server User Manager.


The following figure illustrates the access rights that are assigned to the network resource VOL1. The box in the lower right-hand corner shows how the access rights can be refined, either by removing Everyone altogether or by assigning a more restricted access level such as Read or Change.

Figure: Windows NT access controls.
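The two permission models just described can be checked mechanically. The following is an added example (not code from the text or from any of the systems it discusses): it parses an ls -l mode string such as the "rw-rw-rw-" entry in Figure 7.6, applies the UNIX rule that exactly one of owner, group, or other is consulted, and models an NT-style allow-only ACL with user, group, and Everyone entries like the VOL1 dialog above. The principals, groups, and file names are made up.

```python
"""Permission checks: UNIX mode strings with the owner/group/other precedence
rule, and an allow-only, group-aware ACL. Added example with made-up names."""
from dataclasses import dataclass, field

CLASSES = ("owner", "group", "other")
FILE_TYPES = {"-": "file", "d": "directory", "l": "link", "c": "char device",
              "b": "block device", "p": "fifo", "s": "socket"}


def parse_mode(mode):
    """Parse a 10-character ls -l mode string such as '-rw-r-x---'.

    Returns {'type': ..., 'owner': set, 'group': set, 'other': set}.
    The setuid/setgid/sticky letters are accepted in the execute position:
    lowercase s/t means the execute bit is also set, uppercase S/T means not.
    """
    if len(mode) != 10:
        raise ValueError("mode string must be 10 characters, e.g. '-rw-r--r--'")
    parsed = {"type": FILE_TYPES.get(mode[0], "unknown")}
    for idx, cls in enumerate(CLASSES):
        triplet = mode[1 + 3 * idx:4 + 3 * idx]
        rights = set()
        for ch, right in zip(triplet, "rwx"):
            if ch == right or (right == "x" and ch in "st"):
                rights.add(right)
            elif ch == "-" or (right == "x" and ch in "ST"):
                continue
            else:
                raise ValueError("unexpected permission character %r" % ch)
        parsed[cls] = rights
    return parsed


def unix_access(mode, file_owner, file_group, user, user_groups, right):
    """Apply the UNIX rule: exactly one permission class is consulted.

    Owner class if the user owns the file, else group class if the user is in
    the file's group, else other. Bits in classes that do not apply are
    ignored, which is why an owner who cleared the owner bits is locked out
    even when group or other still carry the right. There is no delete bit:
    removing a file needs 'w' (and 'x') on the containing directory.
    """
    perms = parse_mode(mode)
    if user == file_owner:
        cls = "owner"
    elif file_group in user_groups:
        cls = "group"
    else:
        cls = "other"
    return right in perms[cls]


@dataclass
class Acl:
    """Allow-only ACL with user entries, group entries and an Everyone entry.
    Effective rights are the union of every entry that applies to the caller."""
    users: dict = field(default_factory=dict)    # user name -> set of rights
    groups: dict = field(default_factory=dict)   # group name -> set of rights
    everyone: set = field(default_factory=set)   # rights granted to Everyone

    def effective_rights(self, user, user_groups):
        rights = set(self.everyone) | self.users.get(user, set())
        for group in user_groups:
            rights |= self.groups.get(group, set())
        return rights

    def allows(self, user, user_groups, right):
        return right in self.effective_rights(user, user_groups)


def demo_acl():
    """The HR example from the text: HR gets full rights, Everyone read-only."""
    acl = Acl(groups={"hr": {"r", "w", "x", "d"}}, everyone={"r"})
    return (acl.allows("bob", {"hr"}, "d"),       # HR member may delete
            acl.allows("carol", {"sales"}, "d"),  # only Everyone's read applies
            acl.allows("carol", {"sales"}, "r"))
```

The ACL here has no deny entries; real NT ACLs evaluate deny entries before allow entries, so a practitioner extending this model for Windows should add that ordering before relying on it.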

Access control, permissions, and groups are important concepts to understand because they are the primary tools for controlling end users' access to system resources. When used in conjunction with well-designed group assignments, access rights are an effective security measure. Unfortunately, access rights are frequently overlooked or ignored, and group assignment often entails nothing more than putting all users into a single group. As a result, the access rights on critical system files frequently leave the system open to compromise.


Modems

Modems connected to systems on the network are perhaps the single greatest source of security vulnerability in most organizations' network infrastructure. Many organizations implement comprehensive security measures to protect the company's network only to have those measures undone by a modem attached to a system that is also connected to the network. The rule should be: if the system is on the network, there is no modem attached. Only stand-alone systems should be set up with modems. Putting a modem on a system connected to a network that sits inside a firewall is like putting a deadbolt on the front door while leaving the back door wide open. A system connected to the corporate network should never be allowed to dial into another network, such as the Internet, without security precautions. It creates an unprotected gateway between the corporate network and the Internet through which a hacker can gain access. It is also a path through which someone can perform an unauthorized transfer of files, both in and out. If you want to be able to monitor the flow of information, then all traffic should be required to pass through a firewall. If it is absolutely necessary to install modems on systems connected to the corporate network, then closely monitor all activity on those modems. Most operating systems can be configured to log activity on the modem ports. The log for the modem ports should be reviewed daily to ensure that every connection to the port was for a legitimate reason. Organizations that have to provide dial-in access for remote users should consider using security modems with dial-back capability or a secure ID (one-time password token) scheme. At the very least, they should not leave the modem connected all the time; it should be connected only while it is actually being used and unplugged when the work is completed. Business requirements will ultimately dictate what an organization can and cannot do. A company with end users who require remote access does not have the option of leaving modems unplugged.

Small shops with only a few modems should find it fairly simple to monitor and secure them. On the other hand, for operations with very large networks or ISPs, monitoring modems is much more problematic. There are programs and systems available that actually detect modems on the network; a periodic sweep of the organization's own telephone numbers with a war-dialer is the same check an attacker would run. These systems vary in their effectiveness and can be dependent on the type of network and how it is configured. To a limited extent, companies can control modem connections if they employ a digital PBX telephone system. Analog modem connections simply will not work through a digital PBX, and refraining from installing any analog circuits eliminates much of the risk. However, most organizations have analog circuits installed for fax machines, and a modem can be plugged into those. In addition, cellular technology can allow a user to bypass the company PBX completely. The vulnerabilities associated with modems connected to a corporate network illustrate why it is so important to harden every system on the network. Firewalls are too easily circumvented to be the sole source of security for the internal network.

Information Availability

One of the key components of information security is "availability." This refers to the ability to access the information on a network or system when it is needed. Not only must the data be accessible, it must also be timely and accurate. One of the best ways to ensure availability is through data redundancy. Data redundancy can be achieved in different ways. Each method provides a different degree of redundancy and backup, and each has different requirements in terms of recovery time should it be necessary to fall back on it. Methods of providing data redundancy include disk mirroring, redundant array of independent (or inexpensive) disks (RAID), data streaming, hot backup, and total redundancy, described as follows.

• Disk mirroring: Disk mirroring is a rather generic term for the process of duplicating data from one hard disk to another. Mirrored drives operate in tandem, constantly storing and updating the same files on each disk. Should one disk fail, the file server issues an alert and continues operating on the other disk.


The normal procedure in the case of a mirrored disk failure is to bring the server down at the earliest opportunity and replace the damaged disk. The system will then automatically copy the redundant data on the file server to the new disk. The mirrored disks can be configured with a shared controller or with separate controllers (the latter is sometimes called duplexing). Obviously, the configuration with separate controllers provides more redundancy, since a controller failure no longer takes out both copies. For organizations whose systems operate on a 24x7 schedule, disk mirroring also enhances the ability to perform backups. With most operating systems, open files cannot be backed up, because they are being updated by another process. As a result, if you back up a system on which files are being updated, you will get an incomplete backup. Disk mirroring provides two sets of identical files on separate disks. An organization can therefore "break" the mirror to back up one full set of disks. This, in effect, stops the mirror process. The live files on the "mirrored" disk continue to be updated by transactions and processes, while the files on the "mirror" disk remain static because the mirror process has been broken, so a complete, consistent backup of the mirror drives can be taken. When the backup is complete, you simply reinitiate the mirror process, and it updates the mirror disk with the changes that occurred on the mirrored disk while the backup was taking place. Two caveats apply: while the mirror is broken the server is running without redundancy, and the copy is only consistent if the application had flushed its writes at the moment the mirror was broken.

• RAID: RAID is a category of disk storage that employs two or more drives in combination for fault tolerance and performance. RAID arrays are used frequently on servers. There are a number of different RAID levels; those most often encountered are 0, 1, 3, and 5:
  o Level 0 performs data striping, spreading out blocks of each file across multiple disks. While this can improve performance, it provides no redundancy or fault tolerance; losing any one disk loses the whole array.
  o Level 1 is disk mirroring as described above.
  o Level 3 stripes data at the byte level and adds a dedicated parity disk, so the array survives the loss of any single disk.
  o Level 5 stripes data at the block level and distributes the parity blocks across all of the disks rather than dedicating one disk to parity, which spreads the parity write load and gives good read performance together with tolerance of a single disk failure. With any single-parity level, a second failure before the first disk is rebuilt loses the data.

• Streaming: Before RAID and disk mirroring became generally available, certain operating systems offered the feature of streaming. Disk drives were less reliable years back, or at least they seemed to be. By comparison, today's disk drives are much more reliable and have a longer mean time between failures. Years ago it was not uncommon to have a disk drive fail without warning, and in that environment streaming was employed. Streaming is the process of writing transactions to another medium at the same time the transactions update the data files. One common implementation is to write the transactions to tape. As transactions take place and update database files on the disk drive, they are simultaneously written to tape. If a disk drive crashed in the middle of the day, you could restore from the previous night's backup and then apply the day's transactions that had been streamed to tape. Streaming gave system administrators a process that recovered all data, even if a disk drive crashed during processing. However, the streaming process creates a lot of overhead in terms of CPU and I/O on a system, and this additional burden could really affect system performance.

• Hot backup: Hot backup is a technique used to provide for the ongoing operation of a LAN should a file server fail. In this technique, two file servers operate in tandem. Data is duplicated on the hard disks of the two servers. In effect, this is like disk mirroring but across two servers instead of one. If one server fails, the other server automatically assumes all LAN operations without any outage being apparent to the users of the LAN. The servers can be immediately adjacent to one another or may be thousands of miles apart. It is not uncommon for organizations to maintain entirely redundant data centers. For example, many large financial institutions maintain duplicate data centers. Several large financial institutions in California maintain one center in northern California and another in southern California, with both centers connected by very high-capacity, high-speed circuits. This is only prudent considering California's propensity for earthquakes. In some instances this redundancy is reflected in the financial institution's ATM network: two ATMs sitting side by side may be connected to different data centers.
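The RAID 5 description above is easier to trust once you have seen parity reconstruction work. The following is an added example, not code from the text or from any storage product: a miniature RAID 5 that stripes data at the block level, rotates the parity block across the disks, loses one disk, and rebuilds it by XOR of the survivors. Real controllers add stripe-unit tuning, write caching, and hot spares; none of that is modelled, and the ledger payload is constructed for the demonstration.

```python
"""RAID 5 in miniature: block-level striping with rotating parity and rebuild
of a failed disk from the survivors. Added example with a constructed payload."""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_disks, block_size):
    """Lay `data` out over `n_disks` disks; returns one list of blocks per disk.

    Each stripe holds n_disks-1 data blocks plus one parity block. The parity
    block of stripe s lives on disk s % n_disks, so parity is spread over all
    disks instead of a dedicated parity disk as in RAID 3.
    """
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    stripe_bytes = (n_disks - 1) * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        data_blocks = [chunk[i:i + block_size] for i in range(0, stripe_bytes, block_size)]
        parity_disk = s % n_disks
        remaining = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(data_blocks) if d == parity_disk else next(remaining))
    return disks


def raid5_rebuild(disks, failed):
    """Reconstruct the blocks of disk `failed` (whose entry is None) from the rest.

    Every stripe XORs to zero (data ^ ... ^ parity == 0), so any single missing
    block is the XOR of the remaining blocks. Two missing disks cannot be
    rebuilt, which is why a degraded array must be repaired promptly.
    """
    survivors = [d for d in range(len(disks)) if d != failed]
    if any(disks[d] is None for d in survivors):
        raise RuntimeError("more than one disk missing; data is lost")
    n_stripes = len(disks[survivors[0]])
    return [xor_blocks([disks[d][s] for d in survivors]) for s in range(n_stripes)]


def raid5_read(disks, n_bytes):
    """Reassemble the original bytes from a complete array, skipping parity blocks."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:n_bytes])


def demo():
    """Write, lose a disk, rebuild it, and verify the data came back intact."""
    payload = b"general ledger 1999-Q4: balance=1337 " * 5   # constructed sample
    disks = raid5_write(payload, n_disks=4, block_size=8)
    original_disk1 = disks[1]
    disks[1] = None                        # disk 1 fails
    disks[1] = raid5_rebuild(disks, 1)     # replacement disk, rebuilt from parity
    return disks[1] == original_disk1 and raid5_read(disks, len(payload)) == payload
```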

Useful Tools

There is a wealth of useful tools available that assist in tightening operating system security and enhancing the general operation of most systems. Many of these tools are available free of charge and can be downloaded from the Internet. Unfortunately, almost all of them are for UNIX-based systems. This is largely due to UNIX's history as an open operating system used extensively in the academic community. A list of some of the tools available on the Internet follows:

• Computer Oracle and Password System (COPS): COPS was written by Dan Farmer at Purdue University. It is a collection of tools that check for common configuration problems on UNIX systems, such as weak passwords, anonymous ftp and tftp, and inappropriate permissions. COPS details its findings in reports that an administrator can use to strengthen a system's security.
• Security Administrator's Tool for Analyzing Networks (SATAN): SATAN is designed to help system administrators recognize several common networking-related security problems. It identifies problems and generates a report that explains each one, its possible consequences, and how to fix it. The major difference between COPS and SATAN is that SATAN concentrates on network configuration issues, while COPS is concerned with host-specific issues. SATAN can be downloaded from various sites, including CIAC.
• Security Administrator's Integrated Network Tool (SAINT): An updated and enhanced version of SATAN designed to assess the security of computer networks. SAINT can be downloaded at http://www.wwdsi.com/saint.
• TITAN: Created by Brad Powell of Sun Microsystems, TITAN is similar to COPS in that it is a collection of scripts designed to strengthen a system's security. The major difference is that TITAN works at a lower level in the operating system, fixing configuration errors, while COPS checks for problems such as file permissions and weak passwords. TITAN will not only report on findings, it will actually correct problems. Like COPS and SATAN, TITAN checks different aspects of security. These programs are not mutually exclusive; running one of them does not dilute the benefit of running the others.


• TIGER: Similar to COPS in that it is a set of scripts that check a system's configuration. However, it is considered easier to configure and use than COPS. TIGER was originally developed at Texas A&M for checking UNIX system security. It is available at various sites, including Purdue University's COAST site and CIAC.
• TCP Wrapper: A UNIX network security monitoring program that filters access to the various inetd-invoked services based on the client's IP address or host name. It allows the monitoring and control of connections to services such as tftp, exec, ftp, rsh, telnet, rlogin, and finger. Access can be controlled at both the client host and the service level (and, with ident lookups, by remote user), and every decision can be logged through syslog. It is very effective in providing an additional layer of security to the systems on a network, with two caveats: only services started through inetd (or linked against the libwrap library) are covered, and a decision based on the source address can be fooled by address spoofing, so TCP Wrapper complements a packet filter rather than replacing one. TCP Wrapper is available at a number of sites, including the CIAC site. I highly recommend this program for securing UNIX systems.
• Tripwire: A file integrity-monitoring program developed in 1992 at Purdue University. The utility compares a specific set of files against information stored in a database from previous runs of the program. The database holds a checksum, or fingerprint, of the contents of each directory and file, together with the access permissions, ownership, group, and other attributes pertinent to the integrity of the file system. Any differences that Tripwire finds between the current run and the previous runs are flagged and logged. Tripwire can be run against system files to identify any changes in critical system files. If it is run on a regular basis, a system administrator can be relatively certain that the integrity of system files is maintained and that they remain free from unauthorized modification. The protection is only as good as the baseline: the database (and ideally the Tripwire binary itself) should be kept on read-only or offline media, otherwise an intruder who has modified a system file can simply update the database to match. There is an open source version of Tripwire, which can be found at various Web sites including CIAC's. There is also a commercial version that can be purchased at http://www.tripwire.com.
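TCP Wrapper's value lies in how hosts.allow and hosts.deny are evaluated, which is easy to get wrong. The following is an added example, not tcpd's own code: a small model of the tcpd decision for one connection, implementing the real search order (first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise access is granted) for the common pattern forms. The two rule files at the bottom are a constructed sample policy; hostname patterns, the LOCAL/KNOWN/UNKNOWN/PARANOID wildcards, and the options field are not modelled.

```python
"""Model of TCP Wrapper (tcpd) access decisions. Added example, not tcpd code.

Rules have the form   daemon_list : client_list   and are searched in tcpd's
order: hosts.allow first (match = allow), then hosts.deny (match = deny),
otherwise allow. Client patterns handled: ALL, a literal IPv4 address, a
dotted prefix such as '10.1.', and a net/mask pair; EXCEPT works in both lists.
"""
import ipaddress


def _split_list(text):
    """'a b, c EXCEPT d' -> (['a', 'b', 'c'], ['d'])."""
    items = text.replace(",", " ").split()
    if "EXCEPT" in items:
        cut = items.index("EXCEPT")
        return items[:cut], items[cut + 1:]
    return items, []


def parse_rules(text):
    """Return [(daemon_list, client_list), ...]; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if "/" in pattern:                 # net/mask, e.g. 192.168.5.0/255.255.255.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):          # dotted prefix, e.g. 10.1.
        return str(ip).startswith(pattern)
    return str(ip) == pattern          # literal address


def _list_matches(lst, value, matcher):
    include, exclude = lst
    return (any(matcher(p, value) for p in include)
            and not any(matcher(p, value) for p in exclude))


def _any_rule_matches(rules, daemon, ip):
    return any(_list_matches(dl, daemon, _daemon_matches)
               and _list_matches(cl, ip, _client_matches)
               for dl, cl in rules)


def tcpd_decision(hosts_allow, hosts_deny, daemon, client_ip):
    """'allow' or 'deny' for one connection attempt to `daemon` from `client_ip`."""
    ip = ipaddress.ip_address(client_ip)
    if _any_rule_matches(parse_rules(hosts_allow), daemon, ip):
        return "allow"
    if _any_rule_matches(parse_rules(hosts_deny), daemon, ip):
        return "deny"
    return "allow"   # no rule matched: tcpd's built-in default is to permit


# Constructed sample policy: internal 10.1.x.x hosts may reach everything, one
# lab subnet may reach ftp except for a known-bad host, and everything else is
# refused. Without the ALL : ALL line in hosts.deny, unmatched hosts get in.
HOSTS_ALLOW = """
ALL : 10.1.
in.ftpd : 192.168.5.0/255.255.255.0 EXCEPT 192.168.5.13
"""
HOSTS_DENY = "ALL : ALL\n"
```

The last assertion in the accompanying check is the one practitioners most often trip over: with an empty hosts.deny, a host that matches nothing is admitted, so a default-deny line belongs in every deployment.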
Again, I must caution the reader about downloading files from the Internet. Even if you are downloading from a known and trusted Web site such as CIAC or the CERT Coordination Center, verify what you received before building it: check the distribution's PGP signature or its published checksum against a copy obtained out of band, and review the source code. For example, in January 1999 CERT issued an advisory (CA-1999-01) warning that a copy of TCP Wrapper carrying a Trojan horse had been placed on the program's distribution site. If an unsuspecting system administrator installed the altered version of TCP Wrapper on his or her system, the system would be vulnerable to attack. The tainted version of TCP Wrapper
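Both the Tripwire entry above and the tainted-download warning come down to the same operation: record a trusted fingerprint of every file and compare against it later. The following is an added example (not Tripwire's code) of that check: it baselines a tree with a SHA-256 of each file's contents plus its mode, owner, group, and size, then reports what was added, removed, or changed, distinguishing a content change from a permission change. The mini /bin tree it builds and tampers with is constructed in a temporary directory; the file names and contents are made up.

```python
"""Tripwire-style integrity monitoring: baseline a tree, then report files
added, removed, or changed in content or metadata. Added example."""
import hashlib
import os
import shutil
import stat
import tempfile


def fingerprint(path):
    """Content hash plus the metadata an integrity checker records for one path."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        digest.update(os.readlink(path).encode())
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def baseline(root):
    """Map relative path -> fingerprint for every file and symlink under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def compare(old, new):
    """Diff two baselines; 'changed' maps path -> attributes that differ."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "changed": {}}
    for path in sorted(set(old) & set(new)):
        diffs = [key for key in old[path] if old[path][key] != new[path][key]]
        if diffs:
            report["changed"][path] = diffs
    return report


def demo():
    """Build a constructed mini /bin, baseline it, tamper, and return the report."""
    root = tempfile.mkdtemp()
    try:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        originals = {
            "login": b"#!/bin/sh\nexec /usr/bin/real-login\n",
            "ls": b"#!/bin/sh\nls \"$@\"\n",
            "passwd": b"#!/bin/sh\nexec /usr/bin/real-passwd\n",
        }
        for name, body in originals.items():
            path = os.path.join(bin_dir, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, 0o755)
        before = baseline(root)

        # Tampering: a trojaned login of identical size (only the hash moves),
        # ls made world-writable, a sniffer dropped in, passwd deleted.
        with open(os.path.join(bin_dir, "login"), "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /tmp/.xx/real-login\n")
        os.chmod(os.path.join(bin_dir, "ls"), 0o777)
        with open(os.path.join(bin_dir, "sniffer"), "wb") as fh:
            fh.write(b"\x7fELF...")
        os.remove(os.path.join(bin_dir, "passwd"))
        return compare(before, baseline(root))
    finally:
        shutil.rmtree(root)
```

The trojaned login keeps its size and mode, so a check that relied on ls -l output alone would miss it; only the content hash catches it. In a real deployment the baseline dictionary would be serialized and stored on read-only media, as noted above.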


LAN Security

LAN Guidelines

It is often difficult to distinguish where the individual server ends and the network begins. Some NOSs can be configured so that the end user logs into a domain to access network resources. With other NOSs the user logs into a server; in that case, the server is the network. As a result, system security also pertains to LAN/WAN security. Certainly the discussion covering guidelines for passwords applies directly to network authentication. Conversely, much of what is covered in this chapter can also be applied to system security.

Controlling End User Access

Creating an account and assigning a password are only small parts of giving someone access to the network. A network administrator also has to determine other account parameters, such as when an end user can access the network, what groups the user belongs to, what files he or she can access, and what limits apply to network and server resources.

Concurrent Logins

Consideration should be given to restricting concurrent logins for end users. In other words, users should not be allowed concurrent sign-on privileges. Once an end user has logged into a network, they should not be able to log in somewhere else without first logging out from where they originally logged in. The only exception to this rule should be the LAN administrator and his or her backup. While I recognize that this could cause operational problems for some users, there are several reasons for limiting concurrent sign-ons. First, it saves network resources, such as memory and licenses. It can also prevent the unauthorized use of an account while the legitimate user is logged in. It also prevents the user from forgetting to log out.

When you allow concurrent sign-ons, end users often lose track of where they are logged in and forget to sign off everywhere. Users can leave themselves logged into the network on a workstation without even realizing it. They open a window of vulnerability to the network and to themselves when they leave accounts signed on. One solution to this problem is to implement a process that automatically logs off inactive users. There are also systems that freeze a workstation or lock the keyboard on an inactive session after a specified period of time; to release the lock the user must enter a password. Certain operating systems provide some limited capability to lock inactive systems. For example, MS Windows screen savers can be configured so that they require a password. This isn't the most secure solution, but it can be better than nothing at all. Its main drawback is that there is no way for a system administrator to override the password protection. Third-party packages usually offer better solutions, and there are products for almost every network or computer operating system. The systems for client/server workstations usually operate very differently from those designed for terminal sessions. With a workstation the process runs in memory; when there is no activity for a specified period of time, it runs a time-out program that requires the password of an authorized user to reactivate the workstation. With a terminal session on an operating system such as UNIX or VMS, the time-out process is usually part of a menu system, or it may operate at the application level. As a result, if you are not in the particular menu system or application but working at the operating system prompt, the time-out process will not trigger. (Most UNIX shells can at least enforce an idle logout at the prompt through a variable such as TMOUT in ksh and bash.) There are also programs for UNIX, VMS, and other midrange operating systems that search for idle user processes at the operating system level and "kill" them. These programs terminate processes that have been idle for a specified period of time. However, organizations run the risk of upsetting end users when they employ one of these programs.

Available Disk Space

It is important to limit the amount of disk space allocated to each end user. Giving users unlimited disk space may end up requiring the purchase of additional disk capacity, and worse, it leaves the server exposed to a single runaway job. I have seen situations where users crashed servers because their accounts did not restrict the amount of disk space they were allowed. In one instance, a user was running a report that spooled a massive file to disk. All the available space was consumed, and the server crashed. Users should also be encouraged to clean up their directories on a regular basis. I recognize that the cost of disk drives continues to drop to where the cost per megabyte is nominal, but disk drives still need to be backed up. That process entails time and personnel, which increase your operating costs. Why go through the added expense of backing up files needlessly when they can just as easily be deleted?

Restrictions to Location or Workstation

Consideration should be given to restricting, to a specific workstation, end users who are authorized to enter sensitive transactions or who perform particularly sensitive and/or confidential work. It is preferable to locate that workstation in a restricted area. Obviously, access to the server itself should be restricted to the LAN administrator and his or her backup.

Time/Day Restrictions

Consideration should be given to restricting end user access to business hours only, especially for those employees who are authorized to access and use sensitive and/or confidential data. If an employee does not normally work in the evenings and on weekends, then the ability to access the network should be withheld for those periods. Almost every operating system and NOS has the capability to restrict an account's access to specific time periods.

Access to Directories and Trustee Rights

Users should only be given access rights to the directories they need to function. If a user needs temporary access to a directory, the access rights should be removed when they are no longer needed. Users should only be given the trustee rights they need to do their jobs. Once a right is no longer required, remove it right away. Trustee rights should be audited periodically.
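The account restrictions discussed under Controlling End User Access are individually simple, but a login decision has to apply all of them at once. The following is an added example (not code from the text or from any NOS) of a small policy checker: one session per user with administrators excepted, business-hours access on permitted days, restriction to named workstations, a per-user disk quota check for the runaway-spool case, and pruning of accounts idle for more than a set number of days. The Account fields, station names, and sample dates are made up; never-used accounts are treated as idle, which an organization that creates accounts ahead of start dates would want to adjust.

```python
"""LAN account policy checker: concurrent-login limit, time/day and workstation
restrictions, disk quota, and inactive-account pruning. Added example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WEEKDAYS = {0, 1, 2, 3, 4}   # Monday..Friday as datetime.weekday() numbers


@dataclass
class Account:
    name: str
    is_admin: bool = False
    allowed_days: set = field(default_factory=lambda: set(WEEKDAYS))
    allowed_hours: tuple = (8, 18)                        # [start, end) local hour
    allowed_stations: set = field(default_factory=set)    # empty = any station
    quota_bytes: int = 200 * 1024 * 1024
    last_login: datetime = None                           # None = never used
    disabled: bool = False


def login_decision(acct, station, now, sessions):
    """Return (allowed, reasons). `sessions` maps user -> station already logged in."""
    reasons = []
    if acct.disabled:
        reasons.append("account disabled")
    start, end = acct.allowed_hours
    if now.weekday() not in acct.allowed_days or not start <= now.hour < end:
        reasons.append("outside permitted days/hours")
    if acct.allowed_stations and station not in acct.allowed_stations:
        reasons.append("not permitted from workstation %s" % station)
    if not acct.is_admin and acct.name in sessions:      # admins may hold two sessions
        reasons.append("already logged in at %s" % sessions[acct.name])
    return (not reasons, reasons)


def record_login(acct, station, now, sessions):
    """Apply the decision: register the session and update last_login on success."""
    ok, reasons = login_decision(acct, station, now, sessions)
    if ok:
        sessions[acct.name] = station
        acct.last_login = now
    return ok, reasons


def quota_allows(acct, used_bytes, request_bytes):
    """Refuse a write that would push the user over quota instead of filling the disk."""
    return used_bytes + request_bytes <= acct.quota_bytes


def prune_inactive(accounts, now, max_idle_days=90):
    """Disable accounts idle longer than max_idle_days; return their names sorted."""
    cutoff = now - timedelta(days=max_idle_days)
    disabled = []
    for acct in accounts:
        if acct.disabled:
            continue
        if acct.last_login is None or acct.last_login < cutoff:
            acct.disabled = True
            disabled.append(acct.name)
    return sorted(disabled)
```

The checker returns every failing reason rather than the first one so that the audit log explains a refusal completely; a production system would log the reasons with the attempt rather than showing them to the person at the keyboard.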

File Attributes

File-access attributes, such as read, write, execute, and delete, should be granted based on need. In addition, files containing confidential or sensitive information should be restricted to a minimum number of users. File attributes for executables should be restricted: end users should have only read (and execute) access to the program files they need to function. Particular attention should be paid to operating system executables. If the attributes of executable files are not restricted, the executables can be modified. With loosely defined file attributes, important executable files can be changed or replaced with Trojan horse programs.

Other Privileges

Network commands and administrative executables should be restricted to administrators, auditors, and security personnel. With certain operating systems, such as Windows NT, consider renaming the administrator account to something else, so that a potential hacker does not know the name of the privileged account. Renaming is only a speed bump, however: the built-in Administrator account keeps its well-known relative identifier (RID 500), so anyone who can enumerate accounts can recover the new name. One of the things that every system administrator fears most is a hacker gaining privileged administrative access to a system over the network. Privileged accounts such as Administrator on NT or root on UNIX should not be allowed to log in over the network; on most UNIX systems /etc/securetty or the equivalent login configuration confines root to the console, and administrators then use su from their own accounts. Network access to the administrative account can be restricted in different ways on different operating systems, and some offer tremendous flexibility in controlling privileged accounts. For example, AIX, IBM's version of UNIX, offers some of the best flexibility I have seen built into an operating system. AIX's design makes it very easy for even the novice administrator to prevent a hacker from gaining access to the UNIX "root" account over the network. This is done through the AIX System Management Interface Tool (SMIT). SMIT allows users to perform system administration and management commands without having to know the command line syntax.  Using the SMIT interface, which is a hierarchy of menus, information is entered into several dialog options; the dialog then executes a shell script to perform the system management function. With SMIT, organizations can assign the attributes that control the environment for a particular account when it logs into the system, including whether the account may log in remotely at all (the rlogin attribute in /etc/security/user; setting it to false for root blocks network logins while leaving su available).


The next figure shows the Windows NT User Rights Policy screen, found under the Policies menu of User Manager. This screen allows you to control whether an account can access a system over the network.

Figure: Windows NT administrator account.

The figure above displays the User Rights Policy pop-up window, with "Access this computer from network" selected in the "Right" box and the administrative account highlighted. To remove the ability to log into the administrative account over the network, you simply highlight the administrative account and click on the "Remove" button. Note that NT grants this right to groups such as Administrators and Everyone by default, so the Administrator account keeps the right through its group memberships unless those group entries are also removed or replaced with narrower ones.

Remove Inactive Accounts

Organizations should review network user accounts on a regular basis and delete any accounts that are no longer required. Accounts for users or employees no longer with the organization should be deleted. Firms should also remove or disable inactive accounts, meaning accounts that have not been accessed in the last three to six months. Hackers frequently try to exploit inactive accounts for the initial break into a system or as a means of regaining access to a network. They know they can alter an inactive account, by changing the password for example, without fear of the change being detected by the account's owner. In addition, guest accounts should be removed and anonymous FTP should be disabled. With NT or NetWare, organizations should be careful about the access privileges they give to a guest account set up on their LAN. On NetWare, when the server is first brought up, remove Guest from the group EVERYONE and make specific trustee assignments to the Guest account; on NT, membership in Everyone is implicit and cannot be removed, so the built-in Guest account should simply be disabled. A guest account should never have the same privileges as normal accounts.

Single Sign-On

Presently, every morning I enter multiple usernames and passwords to gain access to the various networks, systems, and applications that I need in order to perform my job. I have a password for the NT domain, a password for the Novell server, different passwords for different UNIX systems, a password for my e-mail, and passwords for various applications. The password guidelines discussed earlier also apply to the creation of network passwords. However, having so many passwords can be confusing to end users and, as we have discussed, can actually create vulnerabilities, because the only way the end user can remember the passwords is to write them down. One alternative to multiple passwords is single sign-on (SSO). With an SSO system users are only required to authenticate themselves once. After that, the SSO system handles the management of, and access to, other network resources such as servers, files, and applications.


#he SS0 can &e achie:ed using se:era! different approaches. 2e ha:e a!ready discussed one such system in some detai!@ Mer&eros. 2ith Mer&eros users authenticate themse!:es once$ and access to a!! network resources is contro!!ed &y the Mer&eros ser:er$ which issues tickets or tokens. Another approach to SS0 that we ha:e a!ready discussed is to emp!oy a pu&!ic key infrastructure that emp!oys digita! certificates to authenticate end users and determine network access. 0ther approaches inc!ude metadirectories or distri&uted computing en:ironments (*C)s). #he foundation for metadirectories is rooted in the !ightweight directory access protoco! (1*AP). 1*AP is a <!ightweight< or thin :ersion of the J./.. directory access protoco!. 8etadirectories can &e used to synchroni7e passwords and user attri&utes among different N0S directories. *C) is an 0pen Systems 6oundation (0S6) 0SI"&ased specification that addresses distri&uted system security in a mu!ti:endor en:ironment. It is simi!ar to Mer&eros and designed to make it easier to authenticate users &etween different :endors> systems. 8etadirectories$ 1*AP$ and *C) are discussed in detai! !ater in this chapter. Some SS0 systems use password caching$ screen scraping$ or scripting interfaces$ as opposed to token"&ased systems such as Mer&eros. #he password"caching approach stores the password and passes it from one app!ication interface to the ne?t. #he screen"scraping approach uses characters that wou!d otherwise &e disp!ayed on a termina! screen. Screen scraping programs enter in the characters that the end user wou!d type in at the termina!. #hey$ in effect$ simu!ate the typing action of the end user. Scripting interfaces function much in the same manner as screen scraping. An SS0 system can a!!ow users to centra!i7e access and administration for end users$ systems$ and app!ications. #his is certain!y more efficient than ha:ing to add a new user into each indi:idua! system andDor app!ication. 
An SSO also simplifies the authentication process for the end user. End users only have to authenticate themselves once to access all of the resources available to them. The authentication process can employ any combination of the three basic schemes: something you know, something you have, or something you are. However, an SSO can have drawbacks.


If the authentication is compromised (i.e., a password is stolen), then all resources available to the end user are vulnerable. In addition, you need to be cognizant of whether there are backups to the SSO in the event the system is down. If you recall, with Kerberos, if the Kerberos server is down then network resources are unavailable. There are several SSO systems on the market from which you can choose. There are systems available from IBM, Novell, Axent, and Computer Associates, just to name a few. There are many others out there, and they all employ different approaches and emphasize different aspects of SSO. Some emphasize central administration; others emphasize security, while still others emphasize simplifying the process for the end user. If you are interested in an SSO system, I suggest you do a lot of research before implementing one.

Policy-Based Network Management

One tool to consider if you wish to employ single sign-on capabilities is a policy-based management approach. The policy-based network management approach is becoming increasingly popular for organizations with medium to large networks. This is especially true with the recent release of Windows 2000 with its Active Directory Services (ADS). Many organizations are finding it increasingly difficult to manage networks that incorporate hundreds if not thousands of nodes distributed over a large geographic area. Policy-based network management is the process of bringing together the properties of various network resources under a central administrative control. There are several goals of a policy-based management system. The first is to simplify the network management process. Another is to ensure the security and integrity of the network through centralized management of the distributed network resources. Policy-based management is also concerned with the availability of network resources. Policy-based management ensures that critical network traffic receives the necessary resources.
This is achieved by the use of policies that prioritize network traffic, so that a critical business application doesn't have to compete for network bandwidth with an employee surfing the Internet for stock quotes. Policy-based management is often implemented for quality-of-service objectives.


From a security perspective, policy-based management can provide the ability to consolidate policy information for network resources. This includes ACLs, ownership, and availability. One of the key elements of policy-based management is the concept of directory services. A directory can be thought of as a comprehensive listing of objects. In its most basic form, a directory is a repository of information about objects, such as user accounts, places, and things. A typical network implementation contains object resources, like printers, applications, databases, user accounts, and servers. For a network, a directory is essentially a database that stores information on all the network resources, which includes network devices, users, groups, volumes, and passwords. The basic function of directory services is the ability to locate, name, and communicate with all of those network resources. Directories are really just repositories of information combined with access methods and related services. Every NOS implements some form of directory services. NOSs have always had some form of directory system for accessing and managing resources. If they didn't, network resources would be inaccessible. However, the different NOSs have stored directory information in a variety of proprietary formats. This has been a major obstacle to the various NOSs being able to share directory service information. In the late 1980s, the X.500 Directory Access Protocol (DAP) standard was developed in an effort to create and integrate a universal directory service. The OSI-based protocol specification provided client applications with a way to access and exchange the directory information. It was an effort to tie together the disparate and proprietary directory services. The DCE specification was an outgrowth of X.500. Unfortunately, since X.500 and DCE were both OSI-based, they never really experienced wide acceptance. Like OSI, they were cumbersome and monolithic in their approach.
They were examples of a bad implementation of a good idea. A more recent development is LDAP, a slimmed-down version of the X.500 DAP. LDAP focuses on only the protocols that client applications use to access the directory and does not include all of the overhead associated with X.500. LDAP represents the least common denominator of directory services information. LDAP is supported in numerous client applications and offers a common way to look up information from an X.500 directory or any directory that supports the LDAP standard.

There are some security issues with early versions of LDAP in that they employed a cleartext password authentication mechanism. The risks associated with a cleartext password are obvious. LDAP version 3 includes an extension for Transport Layer Security (TLS), which specifies a security scheme utilizing SSL technology. This mitigates the risk associated with the transmission of a cleartext password. There are a number of directory services networking products on the market. Some are X.500- and/or LDAP-compliant, and some are not. Some are fading technology, and some are rising stars. For example, there is Banyan's Street Talk, Sun's NIS (Network Information Service), and IBM's implementation of DCE. These fall under the category of fading products, which use older technology. Other products include Novell Directory Services (NDS), Netscape's Directory Server, and Microsoft's Active Directory. All three of these products support the LDAP specification. Netscape is presently only a marginal player in the directory services war. As such, it may be too late for it to build momentum for its product. NDS, which is the most mature and probably the most robust of the three, provides a repository for information about users, passwords, groups, servers, volumes, and applications. In many ways, Novell is pinning its future as a company on NDS, which is being adopted by many vendors and is the most widely implemented network directory service. There are versions of NDS for Netware, Sun Solaris and other varieties of Unix and Linux, and IBM's AS/400 operating system. NDS will also interface with Microsoft's Active Directory. In addition, Cisco will support NDS in its Internetworking Operating System (IOS) software for routers and switches. Cisco is also committed to supporting Microsoft's Active Directory in its IOS. Active Directory has only recently been released, and as a result, it has a number of bugs to work out. Novell faced similar problems when it first released NDS. Microsoft's Active Directory does support LDAP. However, with the exception of Cisco's IOS, there has not been a rush by other vendors to implement Active Directory.

The products listed above are by no means an exhaustive list of the available network system directory products. These products offer the ability to link various directory services together to varying degrees, but none offers the ability to handle dissimilar and disconnected directories enterprise-wide, from one end of an organization to the other. A relatively new concept to emerge in recent years is that of the metadirectory. The term metadirectory services refers to a category of enterprise directory tools that integrate existing disconnected directories. Metadirectories accomplish this by surmounting the technical and process issues associated with integrating dissimilar and unrelated systems and architectures. While Novell and Microsoft both tout their directory systems as metadirectories, they are in fact "network system" directories only. It is true that they link to other directories through LDAP, but they don't really fit the definition of a metadirectory, primarily because the systems that are linked together are similar and, while they address technical issues, they do not address process management. The appeal of metadirectories is that they offer the ability to share information that is common to all other subdirectories, regardless of the platform or architecture. In addition to reducing the cost of management, this also assures data integrity across an entire enterprise. The ideal metadirectory lets an administrator make a change in one directory and have that update propagated throughout all system and application directories. A metadirectory will ultimately provide this centralized approach, while letting the owners of information maintain control over their own directories.
As an example, when a company utilizing a metadirectory system hires a new employee, the information for the new employee would be entered into the human resource management system (HRMS), and that would propagate to other directory services, creating a network login, an e-mail account, and access to various applications. Even the organization's PBX, building security system, and parking space allocation would be synchronized by the metadirectory; in fact, all of the enterprise's directories would be synchronized. The information is entered locally, but the access level for each system is controlled centrally by the metadirectory.

Due to their hierarchical nature, directories are very efficient at providing quick answers to queries. This makes directories well-suited to a policy-based management scenario. Directories are by no means the only choice. A database structure is an appropriate alternative under certain circumstances. A database architecture does have inherent scalability limitations. In addition, there are advantages to the synchronization process with directories over the replication process that is required when employing databases. Replication requires a much higher level of uniformity and integration between servers. For the replication of the database to be successful, it is also necessary for servers to be able to interface much more tightly. This implies that a higher level of trust between servers is required, which can have security implications. By contrast, the synchronization process is more in line with performing a file export. The server simply dumps a flat file. One of the likely applications for directory services will be in the area of network security management and the storing of digital certificates. Many observers see directory services in general and metadirectories in particular as a means to manage an organization's public key infrastructure. However, to be effective the digital certificates need a distribution process. A metadirectory offers this capability. One company, Texas Instruments, is presently using an X.500/LDAP directory to store X.509 certificates. While policy-based management can have advantages, it also holds risks. When Windows 2000 was first released there was much debate about the security of Active Directory. When utilizing Active Directory Services, there are dangers associated with loosely defined policies or the granting of broad administrative privileges to managers and administrators, which can result in gaping holes in an organization's network security. At the very least it can result in potential exposure of confidential information. Due to the design of Active Directory, administrators who have been restricted from accessing particular network objects can actually take ownership of the restricted objects with a few clicks of a mouse. Microsoft's response to the flaw was to recommend that multiple domains be implemented with Active Directory, which defeats the purpose of implementing the directory service. It is amusing to note that Microsoft's initial response to the flaw was to call it a "feature" of Active Directory.

However, Active Directory is not alone in containing risks associated with loosely defined policies. The same danger is associated with any policy-based system and can result from poorly defined or implemented policies. With Active Directory, the risk is heightened by the concern that organizations will attempt to implement it with the same broad privileges with which they had implemented NT domains. Active Directory and NT domains are two entirely different systems with different approaches to security, and implementing them in the same manner can have disastrous results.

Segmenting LAN Traffic

Ethernet is the most commonly implemented LAN protocol. With the Ethernet protocol, any device on a network segment can monitor communications between any other devices on that same network segment. Whenever possible, organizations should segment their networks for both security and performance purposes. Segmenting networks prevents packets from traversing the entire network. Network segmentation is a process of separating a large network into several smaller networks. This can be accomplished by grouping associated users together on a hub or similar network device. A hub is a network device with multiple ports into which other network devices are plugged. A hub acts as a conduit for packets traveling from one device to another. When a packet arrives at one port, it is copied to the other ports, so that all devices on the hub's segment of the LAN can see all packets. There is a performance advantage to this approach, due to the fact that the packets stay within a segment and do not traverse the entire network. The network segmentation reduces traffic on the entire network and reduces the physical distance a packet must travel. The security comes from the fact that it is necessary to have physical access to a segment to sniff that specific segment's packets. Without network segmentation all network traffic is available to a network sniffer.
As an alternative to standard hubs, consider using Ethernet switches, also called switching hubs. Switching hubs are employed for switched Ethernet. Switched Ethernet provides the same throughput as standard Ethernet (10 Mbps) or Fast Ethernet (100 Mbps) but uses what is referred to as microsegmentation. Switched Ethernet establishes virtual dedicated connections between devices.

The advantage of switched Ethernet is that the dedicated connection restricts who can see the traffic. This also improves network throughput, because the packets are only forwarded to the required port and not to all ports. This can be accomplished by replacing traditional Ethernet hubs with Ethernet switches. The trade-off is that Ethernet switches are more expensive than the traditional Ethernet hub.

Honeypot Systems

One technique that many administrators employ is the use of "honeypot" systems. Honeypots are decoy or lure systems. They are basically deception systems that contain phony services, files, and applications designed to emulate well-known holes with the goal of entrapping hackers. They are designed to attract hackers, hence the name "honeypot." The honeypot is intended to make hackers believe that they have discovered a real system. The system is designed to lure a hacker into a "safe" network or server that impersonates important applications or information. When the hacker enters the honeypot the trap is sprung and the alarm is sounded. For it to work properly, the system has to be interesting enough to occupy the hacker long enough that a security administrator can trace the hacker. Honeypots are usually deployed in conjunction with IDSs. As a result, companies like Cisco and Network Associates offer them as part of their IDS products. Network Associates' CyberCop Sting actually simulates an entire network with multiple routers and host systems. What looks like an entire network is actually the CyberCop software running on a single workstation. The software is designed to monitor and report any activity directed at the simulated devices on the fictitious network. The Deception Toolkit requires a C compiler. It also requires that the system on which you wish to run it also be running TCP Wrapper.
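As an added illustration of the trap-and-alarm behaviour described above (example code, not the CyberCop Sting or Deception Toolkit products the text names), the following minimal decoy service listens on a loopback port, presents a constructed fake banner, records every connection and fires an alarm callback; the `probe` client is likewise constructed, only to exercise the decoy locally.

```python
"""Minimal TCP decoy ("honeypot") service: accepts anything, serves nothing
real, records every hit and sounds an alarm.

Added example, not code from the products named in the text. Everything is
constructed: the decoy binds a loopback port, returns a fake SMTP-style
banner, captures the first bytes the visitor sends and calls an alarm
callback, which is where a real deployment would notify the IDS or admin.
"""
import socket
import threading
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

FAKE_BANNER = b"220 mailhost ESMTP ready\r\n"  # constructed decoy banner


@dataclass
class HoneypotEvent:
    when: float         # time.time() at which the connection arrived
    peer: str           # "ip:port" of the connecting client
    first_bytes: bytes  # what the client sent after the banner (may be empty)


class Honeypot:
    """Decoy listener: every connection is, by definition, suspicious."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 alarm: Optional[Callable[[HoneypotEvent], None]] = None):
        self.host, self.port, self.alarm = host, port, alarm  # port 0: OS picks
        self.events: List[HoneypotEvent] = []
        self._lock = threading.Lock()
        self._sock: Optional[socket.socket] = None

    def start(self) -> int:
        """Bind, listen and serve in a background thread; returns the port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]
        self._sock.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def stop(self) -> None:
        if self._sock:
            self._sock.close()  # unblocks accept() in the serving thread

    def _serve(self) -> None:
        while True:
            try:
                conn, addr = self._sock.accept()
            except OSError:
                return  # socket closed by stop()
            threading.Thread(target=self._handle, args=(conn, addr),
                             daemon=True).start()

    def _handle(self, conn: socket.socket, addr) -> None:
        # Play along just long enough to capture what the visitor tries to do.
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(FAKE_BANNER)
                data = conn.recv(256)
            except OSError:  # socket.timeout is an OSError subclass
                data = b""
        event = HoneypotEvent(time.time(), f"{addr[0]}:{addr[1]}", data)
        if self.alarm:
            self.alarm(event)  # spring the trap before recording the hit
        with self._lock:
            self.events.append(event)

    def wait_for(self, count: int, timeout: float = 3.0) -> bool:
        """Block until at least `count` hits are recorded, or time out."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.02)
        return False


def format_alert(event: HoneypotEvent) -> str:
    """One-line alert suitable for a syslog or IDS feed."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(event.when))
    return f"{stamp} HONEYPOT hit from {event.peer}: {event.first_bytes!r}"


def probe(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Constructed client used only to exercise the decoy locally."""
    with socket.create_connection((host, port), timeout=3.0) as client:
        banner = client.recv(256)
        client.sendall(payload)
    return banner


if __name__ == "__main__":
    alerts: List[str] = []
    decoy = Honeypot(alarm=lambda e: alerts.append(format_alert(e)))
    listen_port = decoy.start()
    probe(listen_port, b"HELO intruder\r\n")
    decoy.wait_for(1)
    decoy.stop()
    print("\n".join(alerts))
```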


Static IP Addresses Versus Dynamic Host Configuration Protocol (DHCP)

DHCP enables network administrators to centrally manage and automate the assignment of IP addresses for an organization's network. This means that a computer with a DHCP client can dynamically obtain an IP address from a remote server (the DHCP server). Each time a workstation logs into the network it is assigned an IP address. An alternative would be to use preassigned static IP addresses that each system would be individually configured to use. Many organizations that deploy TCP/IP for internal corporate networks also use DHCP for IP address assignment as opposed to using static IP addresses. This is especially true if the organization's network has many nodes. The major advantages of DHCP include simplicity of configuration for the clients, more efficient assignment of IP addresses, and ease of administration. With DHCP, administrators don't have to bother configuring each individual workstation with the various IP addresses, because DHCP will do that automatically when the end user boots up on the network. Since the IP address assignment is dynamic and temporary, administrators no longer need to worry about tracking which IP addresses have been assigned and which IP addresses are becoming available due to retired systems. In addition, DHCP is ideal when there are more nodes or systems than IP addresses. The major disadvantage of DHCP is that the assignment of IP addresses is temporary. From a security standpoint this can make system identification difficult. I have worked in environments where DHCP was employed on the corporate network. At one organization where I was employed, all business units except my particular work unit used DHCP. My work unit employed static IP addresses. We did this to use IP addresses to control and monitor access to our central systems. Employing static IP addresses made it easier to identify foreign

IP addresses attempting to access our systems. When our log files indicated that an unauthorized IP address had attempted to access our systems we could rarely track down the culprit, because DHCP was employed. The environment was a large network with tens of thousands of nodes, with many subnets spread out over a very large geographic area. The best we could do was narrow it down to a particular building or sometimes a particular floor in a building at a particular facility. There are other alternatives to DHCP, such as Reverse Address Resolution Protocol (RARP) or Bootstrap Protocol (BOOTP), that essentially function the same way. These protocols are almost nonexistent in the corporate environment, but you may find them employed in an academic environment. If you work in an environment that employs DHCP on the network, you need to take it into consideration. This is particularly true if you do any filtering based on IP address. The filtering can take place at the router, through a protocol filter like TCP Wrapper, or even at the application level. It is possible to assign a range of IP addresses to a group using DHCP, so if you are limiting access based on IP addresses it does not necessarily require that you use static addresses; just plan accordingly.

Media and Protocols

Network Media

Every network, regardless of the protocol, must operate over some media. There are several options from which to choose when selecting the most appropriate media for an organization's network needs. Too often security is given little consideration when selecting the media for a network design. There are different types of physical media available with various characteristics. The term unguided may be somewhat of a misnomer. With the exception of radio-based wireless, no network media is truly unguided. Microwave, infrared, and satellite, while not confined to the path of a physical medium, are certainly guided. Media can also be categorized as terrestrial and nonterrestrial.
Copper and fiber are terrestrial in that they are usually underground or physically anchored to terra firma in one manner or another. Microwave and satellite are nonterrestrial in that they are not bound by the same physical limitations.
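Returning to the DHCP identification problem raised in the previous section (an unauthorized address in the access log that cannot be tied to a machine), the following added example, not part of the original text, shows how a DHCP server's lease history answers the question "who held that address at that time?". The dhcpd-style and sshd-style log lines, the year, and all addresses are constructed for the example.

```python
"""Correlate an access log with DHCP lease history to attribute a source IP
to a MAC address and hostname at the moment of the access.

Added example, not the page's own code. Log lines are constructed in the
style of ISC dhcpd and sshd syslog output; none are real records.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_YEAR = 2001  # constructed: classic syslog timestamps carry no year

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<name>[^)]*)\))?")
REL_RE = re.compile(r"DHCPRELEASE of (?P<ip>[\d.]+) from (?P<mac>[0-9a-f:]{17})")
ACCESS_RE = re.compile(r" from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Constructed DHCP server log: one address held by two different clients.
DHCP_LOG = [
    "Mar  3 08:55:10 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to 00:11:22:33:44:55 (ws-finance-12) via eth0",
    "Mar  3 09:30:00 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to 00:11:22:33:44:55 (ws-finance-12) via eth0",
    "Mar  3 11:40:10 dhcp1 dhcpd: DHCPRELEASE of 10.20.5.77 from 00:11:22:33:44:55 (ws-finance-12) via eth0",
    "Mar  3 13:02:44 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to 66:77:88:99:aa:bb (laptop-visitor) via eth0",
    "Mar  3 14:00:00 dhcp1 dhcpd: DHCPACK on 10.20.5.78 to cc:dd:ee:ff:00:11 via eth0",
]

# Constructed log from a central system that filters access by source IP.
ACCESS_LOG = [
    "Mar  3 10:15:42 hrdb sshd[4242]: Failed password for root from 10.20.5.77 port 51522 ssh2",
    "Mar  3 12:10:05 hrdb sshd[4250]: Failed password for root from 10.20.5.77 port 51540 ssh2",
    "Mar  3 15:20:00 hrdb sshd[4301]: Accepted password for admin from 10.20.5.77 port 51700 ssh2",
]


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: str
    start: datetime
    end: Optional[datetime] = None  # None: still held when the log ends


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def build_leases(lines: List[str]) -> List[Lease]:
    """Turn DHCPACK/DHCPRELEASE events into lease intervals per address."""
    leases: List[Lease] = []
    active: Dict[str, Lease] = {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        ack = ACK_RE.search(msg)
        if ack:
            current = active.get(ack["ip"])
            if current and current.mac == ack["mac"]:
                continue  # renewal by the same client: the lease continues
            if current:
                current.end = ts  # address reassigned without a release
            lease = Lease(ack["ip"], ack["mac"], ack["name"] or "", ts)
            active[ack["ip"]] = lease
            leases.append(lease)
            continue
        rel = REL_RE.search(msg)
        if rel:
            current = active.get(rel["ip"])
            if current and current.mac == rel["mac"]:
                current.end = ts
                del active[rel["ip"]]
    return leases


def lease_holder(leases: List[Lease], ip: str, when: datetime) -> Optional[Lease]:
    """The lease covering `ip` at instant `when`; None if the log cannot say."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when and (lease.end is None or when < lease.end):
            return lease
    return None


def attribute_access(dhcp_lines: List[str],
                     access_lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Per access-log line: (source ip, ISO timestamp, 'mac (host)' or None)."""
    leases = build_leases(dhcp_lines)
    results = []
    for line in access_lines:
        m = SYSLOG_RE.match(line)
        ip = ACCESS_RE.search(m["msg"]) if m else None
        if not (m and ip):
            continue
        when = parse_ts(m["ts"])
        holder = lease_holder(leases, ip["ip"], when)
        who = f"{holder.mac} ({holder.hostname or 'no hostname'})" if holder else None
        results.append((ip["ip"], when.isoformat(), who))
    return results


if __name__ == "__main__":
    for src, when, who in attribute_access(DHCP_LOG, ACCESS_LOG):
        print(f"{when} {src} -> {who or 'no lease on record: cannot attribute'}")
```

The second access attempt falls between a release and the next acknowledgement, so the lease log honestly returns no holder; that gap is exactly the tracking failure the text describes, and it is why DHCP logs must be retained alongside the access logs they explain.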


It is very easy to tap both STP and UTP cabling. In some cases it is not even necessary for physical contact to occur with the tap for it to be effective. This is because there is residual electromagnetic emanation from the cable as the signal traverses its length. Sensitive devices can detect and interpret the minute variations in the emanation. Twisted pair is also susceptible to electromagnetic interference. This is particularly true of unshielded twisted pair. Electromagnetic interference can reduce network performance. If the interference is strong enough it can effectively disrupt the operation of a network.

Coaxial Cable

Coaxial cable consists of a copper core of solid or stranded wire surrounded by an external sheathing of woven copper braid or metallic foil. The cable derives its name, coaxial, or coax for short, from the fact that the braided sheathing and the core have the same axis. There are two types of coaxial cable, thick coax and thin coax. Thick coax cable was used in the first Ethernet networks. Thick coax is about as thick as a garden hose and is usually yellow in color. There is also thin coax cable, sometimes called "thinnet." Thin coax is usually black and is about the thickness of a pencil. Like twisted pair, coax cable is susceptible to tapping, and the tap does not even need to make physical contact with the cable. However, it is less susceptible to electromagnetic interference, as a result of the sheathing. Due to the fact that all copper cables radiate electromagnetic energy, they are relatively easy to tap. In the book Blind Man's Bluff, authors Sherry Sontag and Christopher and Annette Drew tell the story of how U.S. submarines were able to tap Soviet communications cables. These cables were within Soviet territorial waters in what the Soviets thought were secure areas. The taps were performed during the 1970s and 1980s by placing a device on the cables. The result was an intelligence gold mine.


Fiber

Fiber-optic cable is made of glass and carries laser- or LED-generated light impulses. This light contains digitized data that can be rapidly transmitted hundreds of miles. Fiber-optic cable can send information much faster than existing copper-based cable and can also carry considerably more information than copper cable. Fiber-optic cable offers several other advantages over traditional copper cable. It has superior transmission quality and is immune to electromagnetic interference. Fiber-optic cable is also much smaller and lighter than copper wire. There are two types of fiber cable for networks, multimode and single-mode. Fiber is the most secure of all the cable media, because it is very difficult to tap. Unlike copper cable, tapping a fiber cable requires invasive measures, since the light traverses the cable in a focused linear beam and does not radiate. Tapping a fiber cable usually requires that one cut the cable and insert a special device. As a result, any attempt to tap a fiber cable would be detected immediately, because it would interrupt the beam. However, it has been reported that if you can get physical access to an optical fiber and bend it at a sufficient angle, you can actually tap the signal without invasive measures.

Microwave

Microwave communications are used for line-of-sight transmissions. Line-of-sight transmissions require an unobstructed view between devices. Microwaves operate at the high end of the radio frequency spectrum. Microwave communications can be intercepted in the line of sight of the transmission. In addition, microwaves penetrate physical structures such as walls. As a result, encryption should be employed when transmitting sensitive data with microwave technology. It has been said that during the Cold War, in days when relations between the United States and the Soviet Union were fraught with intrigue, the Soviets always built their embassies on the highest geographic point they could find, so that they could intercept microwave transmissions. Conversely, the Soviets never let the United States build its Moscow embassy on high ground. It has been reported that the Soviets also bombarded the U.S. embassy with microwaves to jam any microwave listening devices installed in the embassy. Microwave communications are also susceptible to interference and are relatively easy to disrupt through a denial-of-service attack. Even natural phenomena such as rain, heat thermals on a hot day, or fog can disrupt microwave transmissions. Speaking from personal experience, I can tell you that microwave transmissions can be unreliable on very hot days. At a company at which I worked, we used microwave transmissions to connect to our branch offices. On hot sunny days the microwave communications with one particular office often went down. Our telecommunications equipment would kick into dial backup mode. I always attributed this problem to the fact that there were a number of large black asphalt surfaces between the two microwave towers. On hot days the black asphalt would heat up and fill the air between the two towers with heat thermals. Luckily, we didn't experience too many very hot days.

Infrared

Infrared communications utilize noncoherent infrared light. Infrared is also a line-of-sight medium, but it is relatively secure since infrared light does not penetrate solid objects, such as walls. As a result, it is not necessary to worry about infrared transmissions going beyond the confines of your office. To function, the network transceivers must actually be in the line of sight of each other with no obstruction. However, it is possible to bounce infrared transmissions off of a white or lightly colored object, such as a wall.

Satellite Relay

Since satellite communications can be easily intercepted, they should be considered not secure. As such, measures should be, and usually are, taken to encrypt data for transmission and to authenticate the origin of individual transmissions.

While copper media has risks associated with it, due to the fact that it radiates energy, unguided media has even more risks. It is important to remember that when trying to sniff a network, half the battle is getting the tap on the network. As a result, unguided or nonterrestrial media is not as secure as guided media. With guided media you need to have some physical access to place the tap. With unguided media, it is only necessary to be in the line of sight to intercept the transmission.

Wireless (LAN)

Most of the wireless LAN products on the market today are based on the IEEE 802.11b standard. This is a relatively new standard. Wireless LANs offer limited mobility, but their main appeal is that they do not require the cabling that traditional Ethernet LANs employ. This makes them particularly attractive to small and new offices. However, they generally do not have the throughput of standard Ethernet. There are two basic components of a wireless LAN. The first is an access point, which is a device that is usually connected to a standard wired LAN, usually through a hub. The second component is a wireless LAN adapter that is connected to the PC. The LAN adapter communicates with the access point, usually through radio-based transmissions. Most of the products on the market have a maximum operational range of 100 to 300 ft. The maximum throughput is 11 Mbps, although most operate at speeds significantly less than that. The 802.11b radio standard operates in the 2.4 GHz frequency band. For media access control (MAC) the 802.11b standard has specified three different options: frequency hopping spread spectrum (FHSS), direct sequence spread spectrum (DSSS), and infrared. The MAC is part of the IEEE 802.X standard that specifies the link layer. The MAC is the media-specific access control protocol that deals with electrical signals and includes token ring, Ethernet, and CSMA/CD.

There are a number of security issues involved with radio-based wireless LANs. First, the 2.4-GHz band is subject to interference. Common appliances, such as microwave ovens and cordless phones, operate at the same frequency. In addition, because the transmissions are radio-based they can be intercepted by anyone with the proper receiver. When products were first released, most manufacturers argued that spread-spectrum technology effectively masked radio signals or that employing frequency hopping made it difficult, if not impossible, to lock onto a signal, so interception was not a risk. However, this approach relies on security by obscurity, which is not a recommended model for network security. An optional component of the 802.11b standard is wired equivalent privacy (WEP). WEP adds encrypted communications between the wireless LAN client and the access point. Most of the more recent products include WEP as a standard feature. While interception of communications with wireless LANs is a risk, even greater is the risk associated with some unauthorized person gaining access to the LAN. Anyone within a couple of hundred feet of the access point device has the potential to tap into the network. In an office building environment that means most anyone on the same floor, the floors above and below, someone out on the street in a car, or even in the next building over. Since the access is radio communication, there is no need to make a physical connection. To minimize this risk, most wireless LAN products use some method to authenticate clients. Usually they employ an ID or security code. It is strongly recommended that organizations utilize this kind of feature if they are planning on deploying a wireless LAN. However, I suspect some very smart hacker will eventually devise a way to spoof these ID or security codes. Wireless LAN products on the market today include offerings from 3Com, Aironet-Cisco, Compaq, and Lucent.
Wireless (WAN)

The next big thing in WAN networking technology will be wireless networking. I expect that over the next 10 years wireless networks will be the fastest growing segment in terms of new installations. I am lumping several technologies into this category. Personal Communications Service (PCS) is usually the technology most often referred to when talking about wireless WAN networking. Three different digital technologies make up PCS. They are Code Division Multiple Access (CDMA) IS-95, Time Division Multiple Access (TDMA) IS-136, and Global

System for Mobile communications (GSM) 1900. There is also Cellular Digital Packet Data (CDPD) technology that is employed for handheld devices. In addition, there are analog options, such as Frequency Division Multiple Access (FDMA) technology. There are several other developing and competing technologies out there as well. The appeal of wireless is obvious. The ability to use a laptop to send data, e-mail, or fax while away from the office can enhance productivity. Many people are using it just to be able to surf the Web while on the road. At the same time, wireless technology can reduce the necessity to invest in physical network infrastructure (cabling), thereby reducing overall costs. However, the risks associated with wireless technology are even greater than with traditional unguided media. Wireless differs from traditional unguided media, such as microwave, in that it radiates in all directions. As a result, it doesn't even require one to be in the line of sight to intercept a transmission. Presently, there are several consortiums working to enhance wireless technology security. The underlying application and the sensitivity of the information will dictate the security requirements when employing wireless technology. At a minimum it is recommended that some form of encryption be employed.

Plenum Cabling and Risers

Regardless of the type of cable you choose to deploy for your LAN, you need to consider how the cable is actually installed. This is particularly true for organizations that are in multitenant premises with shared facilities. Most organizations fall into this category, since few are large enough or affluent enough to have their own building. When installing cable in buildings with other tenants and shared facilities, it is necessary to consider the security implications of running cable in plenum areas and up building risers.
#he p!enum area is the e?posed area a&o:e suspended cei!ings$ through which can &e pu!!ed ca&!e that houses conduit$ pipes$ cei!ing supports$ and air ducts. Ca&!e pu!!ed in these areas is referred to as p!enum ca&!e$ &ecause it must meet specified code re;uirements for f!amma&i!ity and smoke discharge. If the ca&!e does not meet the re;uirements$ it can>t &e pu!!ed in p!enum areas.


A building's design largely dictates how cable is installed. Ideally, cables should be installed utilizing some form of trench system that is designed for the horizontal distribution of cables on each floor. The following figure depicts how the trench system is used to house cables for transport across a floor. Utilizing a trench system ensures that the cables are never exposed to the floor below, which would expose them to possible risk.

Floor trench system.

In most office buildings that employ a trench system, the trenches crisscross the floor or radiate out from a central closet. The following figure depicts a cross-section of a trench system, which illustrates how a trench system allows cables to be pulled without protruding into the plenum area of the floor below.


Floor trench system and plenum.

By contrast, buildings without trench systems often require boring holes through the floor in order to achieve the horizontal distribution of cables. This can result in network cables being exposed in the plenum area of the floor directly below. The following figure is a cross-section example of a building that does not employ a trench system. The network cable protrudes into the floor below, above that floor's suspended ceiling.

Plenum cable.

The risk associated with having network cables exposed to the floor below is that they can be tapped. At the very least, you run the risk of having the cables cut by exposing them in this manner. The risk is compounded if the floor below is occupied by another organization. Some organizations utilize pressurized conduit to minimize this risk. The conduit is filled with pressurized gas and is monitored by a pressure alarm. If the conduit is penetrated the pressure drops, and an alarm is triggered. However, as stated previously, invasive measures are not always required to tap copper cables. Placing the tap near the cables can work if the tapping equipment is sensitive enough, since copper radiates a detectable electromagnetic signal. Pressurized conduit is therefore more effective in protecting fiber-optic cable, since fiber does require invasive measures to tap it.

WANs

WANs are usually used to connect geographically dispersed offices. Basically, a WAN connects all of an organization's LANs, so that they can share information and resources. There are many options available to connect an organization's offices into a WAN. WAN implementations can be divided into two very broad categories. One approach utilizes point-to-point dedicated lines and the other uses packet-switched technology over a shared network.

Dedicated Leased Lines

A dedicated leased line, sometimes referred to as a dedicated or leased circuit or a virtual private line, is usually a specially conditioned point-to-point circuit that connects two locations. However, a leased line can be a multipoint circuit as well. A dedicated circuit is obtained from a carrier or service provider for the exclusive use of the customer and is used to connect two sites that are geographically distant from each other. Examples of dedicated leased lines include 56K circuits, ISDN, fractional T1s in 64K increments, or a full T1 (1.544 Mbps) and up. A dedicated WAN connection typically uses a single circuit to connect two locations. Figure 9.5 illustrates a WAN utilizing single-circuit connections. Typically, for each location added to the network it is necessary to add a circuit.

Figure 9.5: Point-to-point circuit.

As long as dedicated connections use terrestrial circuits and guided media, they are relatively secure, since the dedicated leased lines are provided for the exclusive use of the customer. The major security concern is the service provider itself, or the case where the carrier uses other carriers to provide the service. Note that "exclusive use" is a contractual assurance, not a cryptographic one: traffic on a leased line is still readable by anyone with access to the carrier's equipment, so sensitive data should be encrypted regardless.

Packet-Switched Networks

An alternative to dedicated circuits is packet-switching networks. Packet switching refers to protocols in which messages are divided into packets before they are sent. Each packet is then transmitted individually and can even follow different routes to its destination. Once all the packets that make up a message arrive at the destination, they are reassembled into the original message. Most modern WAN protocols, including TCP/IP, X.25, and frame relay, are based on packet-switching technologies. In contrast, normal telephone service is based on a circuit-switching technology, in which a dedicated line is allocated for transmission between two parties. Circuit switching is ideal when data must be transmitted quickly and must arrive in the same order in which it is sent. This is the case with most real-time data, such as live audio and video. Packet switching is more efficient and robust for data that can withstand some delays in transmission, such as e-mail messages and Web pages, although now even protocols such as frame relay and TCP/IP are being used for voice and video transmission. Typically, a packet-switched WAN is a shared network like the Internet. Even if you are using a service provider's private frame relay network, you are using a network shared by many of the service provider's customers. Accordingly, concerns about the interception of data or protection of systems should be much greater in this environment.

Packet-switched cloud.

X.25

X.25 is one of the most widely used packet-switched protocols, particularly outside of North America. X.25 utilizes error detection and correction and is a connection-oriented service, which ensures that packets are delivered in order. X.25 was developed back in the 1970s, when circuit performance was notoriously noisy. As a result, communications needed the error detection and correction that X.25 provides. X.25 utilizes switched virtual circuits (SVCs) and permanent virtual circuits (PVCs). SVCs work much like telephone calls in that a connection is established, information is transferred, and then the connection is released. A PVC is similar to a leased line in that the connection is permanently in place. In the United States, X.25 has largely been supplanted by other protocols such as frame relay that are more efficient and provide greater throughput. The newer protocols are able to provide the greater throughput because they don't have the overhead that is associated with X.25's error detection and correction. This is largely due to the fact that the digital circuits used today are much more reliable and less noisy than circuits used 20 or 30 years ago. As a result, hop-by-hop error correction in the WAN protocol is no longer needed; error recovery is left to the end systems (for example, to TCP). X.25 is used extensively overseas because the quality of circuits in some countries is not as good as in the United States and other industrialized nations. However, even in the United States, X.25 is still used extensively in automated teller machine (ATM) and point-of-sale (POS) networks.


Frame Relay

Frame relay is a widely implemented packet-switching protocol that offers an alternative to virtual private lines or leased lines. It is used primarily for connecting geographically dispersed offices on a WAN. Since it is a packet-switching protocol, it is not well suited for voice communications, so it is used primarily for data. Like X.25, frame relay is available in two flavors, PVC and SVC. A PVC is a fixed point-to-point circuit that ensures all packets take the same path. An SVC does not use a predefined path; it uses whatever path is available. Frame relay is an inexpensive alternative to leased-line networks. In addition, it has the advantage over a VPN on the Internet in that it can offer a committed information rate (CIR), which guarantees network performance. Meanwhile, the performance of an Internet-based VPN is subject to the volume of traffic on the Internet. Section 7 discusses VPNs in more detail. Note that the CIR is a performance guarantee, not a confidentiality one: a frame relay network is still shared with the provider's other customers.

Redundancy and Alternative Connections

One last consideration with WANs is redundancy in communications. The concern here is with the alternatives when the primary connection to the outside world goes down. Fortunately, there are numerous ways to build redundancy into a WAN, or at least to include a secondary means of communication; simply plan accordingly.

6. Routers & Firewalls compositions.

Routers and SNMP

Router Issues

One cannot discuss network security without at least touching on routers. Routers are a critical element of both the Internet and corporate network infrastructures. They control the flow of data packets on a network and determine the best way to reach the appropriate destination. On corporate networks, they are often used to separate network segments. In addition, border routers are often the first line of defense in firewall configurations and are a key component of most VPNs. Routers are network devices that operate at the network layer (layer 3) of the OSI model and are employed to connect two or more networks. They serve three primary purposes. First, they route network traffic based on predetermined rules or routing tables. Second, they re-encapsulate (and, where necessary, fragment) packets for transmission between LANs of different types. For example, they can take frames from a 10-Mbps Ethernet LAN and re-frame the packets for transmission on a 16-Mbps token ring LAN or a frame relay WAN connection. Third, routers provide the ability to deny or block unauthorized traffic. This can be accomplished through filtering commands that limit certain protocols (e.g., HTTP, FTP, SNMP) or by employing access lists that control which IP addresses are allowed through.

Basic router configuration.

Even though routers are ubiquitous, they tend to be overlooked when security measures are developed. No set of security measures can be considered comprehensive unless it includes control and management of routers.


Risks

It is important to understand that routers are subject to many of the same risks associated with computers. In fact, the first routers were actually modified computers. A router has an operating system that needs to be configured and, like any OS, can be subject to bugs. Just as with computers, proper password controls are critical to router security. Routers should not run unnecessary services or protocols. Routers can be affected by denial-of-service attacks. They need to be monitored, just like computers. How well the router is configured and maintained is critical to the availability of the network. In many ways an incorrectly configured router is an even greater risk than an incorrectly configured computer. An incorrectly configured computer usually only affects local users of the system. An incorrectly configured router can affect everyone on the network. As an example of the possible severe consequences that can result from incorrectly modifying routing tables, in 1997 a major portion of the Internet was practically shut down by the incorrect routing tables of a small backbone service provider. The service provider had sent incorrect routing tables to other backbone providers that essentially sent all network traffic to the small provider. The problem took three hours to resolve, during which time it is estimated that 30 to 40 percent of Internet traffic was lost. It can have a crippling effect on one's network if a hacker is able to gain privileged access to your routers. A simple denial-of-service attack launched against a router can cripple a network.

Cisco IOS

The dominant player in networking today is Cisco Systems. They have approximately 80 to 90 percent of the market for routers, switches, and hubs. The vast majority of routers on corporate networks and on the Internet are Cisco products. To illustrate how similar routers and servers are when it comes to security we can use Cisco's IOS.


IOS is the operating system that Cisco routers run. An example of one of the concerns that IOS shares with computer operating systems is the concept of the banner or message of the day. IOS can be configured with a banner. Just as with a server, you run the risk of providing information in a banner that could be useful to a hacker. Of course, this should be avoided. Cisco's IOS supports multiple password levels and encrypted passwords. However, the default at installation is not to encrypt the password. This is important because if the password is not encrypted it is readable in the configuration file if you do a "show startup-config" or "show running-config". In addition, it is a common practice to store router configuration files on network TFTP servers. This is done so that the network administrator can update the non-volatile RAM (NVRAM) on the router from the copy of the configuration file on the TFTP server. For example, an administrator may use the configuration file on the TFTP server to reload a "clean" configuration onto a router if he or she garbled the existing file in NVRAM. A TFTP server is designed to facilitate access and as such is notoriously easy to abuse (see below). As a result, if the password were stored in the configuration file in an unencrypted format, it would not be too difficult for someone to view the file and obtain the password. In addition to the risk of password disclosure associated with using a TFTP server, you also run the risk of unauthorized modifications being made to the configuration file stored on the TFTP server. Trivial File Transfer Protocol (TFTP) is considered not secure, because it doesn't require password authentication. If a host runs the TFTP service without restricting access in some manner, an attacker can read and write files anywhere on the system. For example, it is possible to obtain the password file from a system running the TFTP service.
The steps are listed as follows:

    $ tftp anyhost          (IP address or alias)
    tftp> get /etc/passwd /tmp/passwd
    tftp> quit

Generally, it is a very bad idea for any server to run the tftp daemon. This protocol is an example of an unnecessary service that a computer should not run; where it is genuinely needed (for example, to stage router configurations), it should be confined to a dedicated directory and reachable only from the addresses of the devices it serves. Even when the password is stored in "encrypted" form, there are programs available to decrypt Cisco login and enable passwords from a Cisco configuration file or to sniff the password on the network. This is because the encryption applied by IOS's "service password-encryption" (type 7) is a reversible obfuscation, not real encryption; only the "enable secret" (type 5, a salted MD5 hash) resists recovery from the configuration file. These programs are easy to find.


For example, at the SolarWinds Web site (http://www.solarwinds.net) it is possible to download a program that can decrypt Cisco enable passwords. The program is available for Windows 95, 98, NT, and 2000 and will decrypt type 7 (non-SECRET) passwords. The figure below shows how simple the program is to use. Simply enter the encrypted password and out pops the decrypted password.

SolarWinds' Router Password Decrypt. (Source: SolarWinds.Net. Reprinted with permission.)

SolarWinds also offers a tool that allows you to reset the enable password for a Cisco router and change any Cisco configuration parameter via SNMP. While this tool has legitimate uses, it can also be used as a tool for hacking. Cisco Discovery Protocol (CDP) is an example of a protocol that should be disabled on most routers. CDP makes it very easy for hackers to gather information about routers on the network. The CDP protocol broadcasts platform and protocol information (device name, IOS version, addresses and interfaces) to other devices on the network. This information can be useful to any potential hacker. By default, CDP is enabled on a router and its interfaces when IOS is installed. It should be disabled (globally with "no cdp run", or per interface with "no cdp enable") unless there is a specific purpose for running it. This is not meant to be a lesson on the configuration and commands for Cisco IOS but is simply offered as an illustration of the similarities between servers and routers. Servers are normally protected behind firewalls on the internal network, while routers, due to their unique function, are often exposed to the outside world.
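The following is an added example, not code from the original text or from Cisco: it implements the type 7 password reversal that the SolarWinds tool performs, and then uses it to audit a router configuration for the weaknesses discussed in this section (reversible or cleartext passwords, an enable password used without an enable secret, a banner that discloses the platform, CDP left running) and for the SNMP advice given later in this chapter (default community strings and communities without an access list). The two configurations, hostnames, hashes and community strings are constructed for the example and do not describe real devices.

```python
"""
Added example (not part of the original text): decode Cisco IOS "type 7"
passwords and audit a constructed router configuration for the weaknesses
discussed in the text. Hostnames, hashes, addresses and community strings
below are illustrative only.
"""
import re

# Fixed XOR key used by IOS type 7 obfuscation (a published constant).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc):
    """Reverse a type 7 string: the first two digits are the key offset,
    the rest is hex of (plaintext byte XOR key[offset + i])."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % enc)
    offset = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("ascii")


def encode_type7(plain, offset=8):
    """Inverse of decode_type7 (what 'service password-encryption' stores)."""
    data = bytes(ord(c) ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return "%02d%s" % (offset, data.hex().upper())


def audit_ios_config(config):
    """Return findings as 'CODE: detail' strings; an empty list means clean."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        m = re.match(r"(.*\bpassword) 7 ([0-9A-Fa-f]+)$", ln)
        if m:   # type 7 is reversible, so this is as good as cleartext
            findings.append("TYPE7: %s is reversible, plaintext %r"
                            % (ln, decode_type7(m.group(2))))
            continue
        if re.match(r".*\bpassword (?:0 )?(\S+)$", ln):
            findings.append("CLEARTEXT: %s" % ln)
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", ln)
        if m:
            community, mode, acl = m.groups()
            problems = []
            if community.lower() in ("public", "private"):
                problems.append("default community string")
            if mode == "RW":
                problems.append("write access")
            if acl is None:
                problems.append("no access list restricting managers")
            if problems:
                findings.append("SNMP: %s (%s)" % (ln, "; ".join(problems)))
        if ln.startswith("banner") and re.search(r"\b(cisco|ios|version)\b", ln, re.I):
            findings.append("BANNER: discloses platform details: %s" % ln)
    if any(ln.startswith("enable password ") for ln in lines) and \
            not any(ln.startswith("enable secret ") for ln in lines):
        findings.append("NO-ENABLE-SECRET: enable password used without a type 5 enable secret")
    if "service password-encryption" not in lines:
        findings.append("NO-PASSWORD-ENCRYPTION: passwords are stored in the clear")
    if "no cdp run" not in lines:
        findings.append("CDP: Cisco Discovery Protocol is enabled (the default)")
    return findings


# Constructed weak configuration (values are not real devices or secrets).
WEAK_CONFIG = """
hostname border-rtr
enable password cisco
banner motd #Cisco 2621 running IOS 12.1(5) - internal use only#
username admin password 7 0822455D0A16
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 7 0822455D0A16
 login
"""

# Constructed hardened configuration: type 5 secrets, SSH with local users,
# no CDP, a neutral banner, and SNMP read-only behind access-list 10.
HARDENED_CONFIG = """
service password-encryption
hostname border-rtr
enable secret 5 $1$Xz9q$K8fLmN2pQ7rS4tU6vW8yZ0
username admin secret 5 $1$Ab3c$D4eF5gH6iJ7kL8mN9oP0q
no cdp run
banner motd #Authorized use only. All activity is monitored.#
access-list 10 permit host 10.0.0.5
snmp-server community s7r0ngC0mmun1ty RO 10
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s: %d finding(s)" % (name, len(audit_ios_config(cfg))))
        for f in audit_ios_config(cfg):
            print("  " + f)
```

The weak configuration produces findings for every category, including the recovered plaintext "cisco" for both type 7 strings; the hardened one produces none. The point the audit makes is the same as the text's: a configuration file that leaves the router (or a TFTP server) is a credential store, and only type 5 secrets survive its disclosure.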


Cisco Secure Integrated Software (SIS)

One of the optional offerings from Cisco is their Secure Integrated Software (SIS). This option, which was formerly called the IOS Firewall Feature Set, does not come with the purchase of basic IOS. The package is a small collection of useful enhancements to IOS that can be used to secure a border router and provide secure connections over the Internet. For a relatively minor incremental cost, a Cisco router can be configured to provide firewall and rudimentary IDS capabilities. The firewall capabilities include stateful inspection and application-based filtering. The IDS is rudimentary in that only specific attack signatures are recognized, and there is no real-time notification. The Cisco SIS package also provides a VPN solution that supports IPSec and L2TP. The VPN software comes with client software that can be installed on a PC workstation to interface with a router. We have found the Cisco SIS package to be robust in terms of features and functionality. It is an effective initial tier in a multitiered defense.

Simple Network Management Protocol (SNMP)

Due to the security problems inherent in its original design, SNMP is also said to stand for "security's not my problem." SNMP was developed to allow for the remote monitoring and management of network devices. Unfortunately, hackers can exploit those same facilities for monitoring and managing network devices to gain access to a network. The SNMP standard was developed by the IETF in the late 1980s in an effort to develop a single management protocol that could manage all network devices regardless of the make of the device. SNMP also provides the ability to obtain statistical information on the performance of an SNMP-managed network device. For example, network administrators can use SNMP to get information on the number of bytes in and out of a particular device. The graph below is an example of the type of information that can be gathered employing one of the many monitoring tools that are designed to be used in conjunction with SNMP. In this example, I am using Multi Router Traffic Grapher (MRTG) to graph the data from a router.


Network activity graph.

MRTG communicates with the routers using SNMP and can be utilized to monitor the traffic load on routers. MRTG reads the traffic counters on the routers and logs the traffic data. MRTG also generates HTML pages containing GIF images, which provide a visual representation of the traffic. MRTG was developed by Tobias Oetiker and Dave Rand utilizing Perl and C and is available for download at the URL http://www.mrtg.org. This is an example of the relatively innocuous information that can be obtained through SNMP. SNMP provides the capability to manage a network device through what is called an agent. Any SNMP-managed device, whether it is a router, hub, server, or printer, must have an SNMP agent that the SNMP management station monitors and queries. When SNMP was first developed, no consideration was given to security. As a result, SNMP can be a very useful tool for a hacker attempting to compromise a network device. SNMP version 2 (in its widely deployed SNMPv2c form) keeps the same community-string mechanism and is not materially more secure in this respect, and many installations are still running version 1. SNMP version 3 (SNMPv3) adds user-based authentication and encryption of management traffic and should be used wherever the equipment supports it. The authentication in SNMPv1 and v2c is very weak and not very secure. You have to ask yourself what the designers were thinking when they came up with the process. SNMP uses passwords called community strings or community names for the authentication process. It's the standard "something you know" or password authentication. However, the community string passes on the network in the clear. In other words, the community string is transmitted unencrypted as cleartext. This vulnerability can potentially allow a hacker to compromise a device and gain privileged access to the device. A sniffer on the network can easily intercept the community string in transit. This is an example of a vulnerability whose source is poor design.


To make matters worse, every SNMP request and response contains the community string. The fact that it is transmitted so often makes it very easy to sniff on the network. This is even worse than the cleartext password vulnerability associated with logging into a system over a network using telnet, rlogin, or a terminal emulator. Even with telnet or rlogin the password only passes in the clear once, when you first log into a system. With SNMP the community string is transmitted every time a request is sent to the device. There are tools that are easily obtained that allow hackers to gather SNMP information on the network. SNMP Sniff is an SNMP packet sniffer that will listen on a network and intercept any SNMPv1 and SNMPv2 information that passes by. This can be very useful for gathering information about devices on the network, including community strings. If a hacker captures a read-write community string, he or she can modify or delete router configurations, change routing tables, crash your network, or open up the entire network to the outside. If SNMP network devices are not properly configured, it is relatively easy for hackers to obtain information on the devices. This includes routers and the information in their routing tables. In addition, SNMPv2 was published in several incompatible variants, and management stations and agents for the newer versions tended to be vendor-specific, so you often needed a specific vendor's software to manage that vendor's devices; this resulted in limited interoperability. If you have to employ SNMP, then be sure to use access lists on routers to limit manageability to selected IP addresses, and use read-only community strings wherever write access is not required. While this is not foolproof it does provide some measure of protection. In addition, you should never use the default community string that comes standard with a router. It is amazing the number of installations that have SNMP running when they don't need the protocol. Often the error is compounded by using the default or "public" community string.
Detecting or discovering devices on a network configured with the default SNMP community string is a straightforward process. You can walk the IP addresses manually, testing each node's response. There are also tools available to automate and speed up the process. For Mac users there is SNMP Watcher. SNMP Watcher can be used to query network devices for information about their configuration, activity, and errors. SNMP Watcher is a freeware program from Dartmouth College.

Another tool that allows you to scan a range of IP addresses looking for devices running SNMP is SolarWinds' SNMPSweep. With this tool you only need to specify a range of IP addresses, and the program will check each node to determine if it is configured for SNMP and if it is using the default community string. Figure 10.4 shows an example of the results of an SNMP scan that I performed on a small network that I have at home using SNMPSweep. In the example only one of the systems, named NTSERVER, has SNMP configured with the default or public community string. You can tell that by the fact that the system NTSERVER displays information on the system name, machine type, and description. If it weren't configured with the public community string then it wouldn't have returned the detailed information to the query.

SolarWinds' SNMPSweep. (Source: SolarWinds.Net. Reprinted with permission.)

Figure 10.5 illustrates the additional information that can be obtained through SNMPSweep with a few clicks of the mouse.

SolarWinds' SNMPSweep.
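The following is an added example, not code from the original text or from any of the tools it names. It builds and parses SNMPv1/v2c messages at the byte level to make three points from this section concrete: the community string is carried in cleartext in every request and response (what a sniffer such as SNMP Sniff reads off the wire), a device that accepts a default community such as "public" will answer a sysDescr query (what SNMPSweep tests for), and a SetRequest carrying a captured read-write community is a full compromise. CAPTURED_HEX is a constructed packet, not a real capture; the sweep helper needs network access and is the only part that is not self-contained.

```python
"""
Added example (not part of the original text): minimal SNMPv1/v2c
encoder and decoder, used to show the community string in cleartext
and to drive a default-community sweep. CAPTURED_HEX is constructed.
"""
import socket

SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

# Constructed: an SNMPv1 GetRequest for sysDescr.0 with community "public",
# exactly as a sniffer would see it in the UDP payload sent to port 161.
CAPTURED_HEX = ("302602010004067075626c6963a019020101020100020100"
                "300e300c06082b060102010101000500")


# --- minimal BER (ASN.1) encoding as used by SNMP -------------------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _int(v):  # non-negative INTEGER, leading zero byte where the top bit is set
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _oid(dotted):  # first two arcs packed into one byte, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def _value(v):
    if v is None:
        return b"\x05\x00"              # NULL, as in a request
    if isinstance(v, int):
        return _int(v)
    return _tlv(0x04, v.encode())       # OCTET STRING


def build_message(pdu_tag, community, request_id, varbinds, version=0):
    """version 0 = SNMPv1, 1 = SNMPv2c; varbinds = [(oid, value or None)]."""
    vbl = b"".join(_tlv(0x30, _oid(o) + _value(v)) for o, v in varbinds)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community, oid, request_id=1):
    return build_message(0xA0, community, request_id, [(oid, None)])


# --- decoding: what a sniffer (or the agent) does with the bytes ----------
def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet):
    """Return version, community, PDU type and varbinds of one SNMP message."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)   # cleartext, every message
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                          # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        value = (int.from_bytes(val, "big") if vtag == 0x02 else
                 val.decode("latin-1") if vtag == 0x04 else None)
        varbinds.append((_decode_oid(oid), value))
    return {"version": {0: "v1", 1: "v2c"}.get(ver[-1], ver[-1]),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "varbinds": varbinds}


def assess(packet):
    """Sniffer-side verdict on one captured SNMP message."""
    info = parse_snmp(packet)
    issues = ["community %r sent in cleartext (%s)" % (info["community"], info["version"])]
    if info["community"].lower() in DEFAULT_COMMUNITIES:
        issues.append("default community string")
    if info["pdu"] == "SetRequest":
        issues.append("write access with this community: device can be reconfigured")
    return issues


def snmp_sweep(hosts, community="public", timeout=0.5):
    """Ask each host for sysDescr.0; a host that answers accepts the community.
    Needs network access and is not exercised by the offline checks."""
    found, sock = {}, socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    for i, host in enumerate(hosts, 1):
        try:
            sock.sendto(build_get_request(community, SYSDESCR_OID, i), (host, 161))
            data, _ = sock.recvfrom(4096)
            found[host] = parse_snmp(data)["varbinds"][0][1]
        except (OSError, ValueError, IndexError):
            pass
    return found
```

Encoding the sysDescr request for community "public" reproduces CAPTURED_HEX byte for byte, and parsing any message, request or response, yields the community string with no key or secret involved; that is the whole weakness. The sweep is the loop SNMPSweep automates: one request per address, and every answer is a device that accepts the community tried.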


Firewalls
Firewalls are a fundamental component of any perimeter defense. Contrary to popular belief, a firewall is usually not a single system; it is actually a collection of components. A firewall is usually placed between two networks to act as a gateway. The principal requirements of an effective firewall are described as follows. It must act as a door through which all traffic must pass (incoming and outgoing). It must allow only authorized traffic to pass. It must be immune to penetration or compromise.

In its basic form, a firewall acts to prevent unauthorized network traffic originating from an untrusted network from accessing a protected internal network. The origin of the term "firewall" derives from construction vernacular for a wall that must be able to withstand fire for a prescribed period of time. In construction, the purpose of the firewall is to provide enough time so that people can either escape or extinguish the fire. An Internet firewall has to be able to withstand a lot of heat, just like its namesake in construction.

Illustration of firewall concept.

As a rule of thumb, an organization should never connect the company's network or systems to an external network, such as the Internet, without a firewall, unless it doesn't care if those systems or that network get trashed. A firewall is a combination of hardware and software that protects the company's network and computers from possible intrusion by hackers from the external network.

When implementing security measures to protect an internal network from an untrusted external network you have to make sure the measures you have taken are an adequate response to the perceived threat. Some companies believe that simply placing a router that is performing packet or protocol filtering between the internal and external networks is sufficient protection. In general, this is not adequate protection. It is far too easy to circumvent router-filtering systems. In addition, the traditional router was not really designed for protecting networks. Routers were designed to "route" network traffic. Even though many of the newer routers are much more sophisticated in their capability to protect a network, I would still think twice before relying on a router alone to protect my internal network from an external untrusted network.

Firewall Pros

Firewalls are generally good at keeping unwanted and unauthorized traffic from passing (in or out). They are also an efficient method of providing Internet access to internal users. A firewall can provide NAT for systems or networks that don't have publicly routable IP addresses. They can (sometimes) monitor for and notify you of attacks and network problems. At the very least, firewalls are effective at maintaining logs of all activity that passes through, connections to, or attempts to connect to the system. These logs can be used to identify abnormal events.

Firewall Cons

One of the drawbacks of a firewall is that it represents a single point of failure. It is the high-tech equivalent of putting all your eggs in one basket. If you make a mistake configuring the components of your firewall you may be allowing unauthorized users through. It takes knowledge, experience, and skill to configure a firewall. In addition, if the firewall goes down, your connection to the outside network is down. A denial-of-service attack that effectively shuts down your firewall shuts down your network connection to the outside world. At the very least, a firewall tends to degrade network performance between the outside network and the inside network. This is because a firewall examines traffic going in and out; this process of examination takes time, which can slow network throughput. Firewalls are also not quite as smart as would be desirable.

As a result, they can only control and monitor traffic so far. They will still allow some things through that can hurt you, and they can stop some things that you do want to pass through. A firewall by itself does not assure a secure network. A firewall is only a tool. Firewalls need to be configured properly, and they need to be monitored. Vigilance on the watch is still required. Many organizations assume that if their network is behind a firewall they only have to monitor the firewall and not be concerned about the systems sitting on the inside network, or they assume that if their network is not connected to the Internet, they don't need to be concerned about hackers. Nothing could be further from reality. Firewalls are of no use in tracking activity on the internal network. While a firewall does make it somewhat more difficult for someone from the outside to get in, the majority of attacks on corporate systems come from the inside, not from the outside. Sometimes the biggest threat to an organization's systems and networks is from its own employees. Critical systems should be configured to monitor logins, failed logins, and all network activity. Almost every computer and NOS has utilities for monitoring this kind of activity. For example, Windows NT Server has the Event Viewer. Most versions of Unix allow you to monitor logins through the wtmp file and record failed login attempts. Unix, in particular, can be configured to record all sorts of activity that can be reviewed for security purposes. In addition to the threat from within an organization, firewalls can be circumvented by outsiders, so it is important that critical systems be configured to monitor network and login activity. If the firewall, as your first line of defense, fails, then intrusions might be detected in the logs of the individual systems. When developing firewall access policies, there are two general approaches that can be employed. The first is to deny anything that is not explicitly allowed. The second is to allow anything that is not explicitly denied. Obviously, the first approach is the more secure.


Types of Firewalls

Firewalls can be categorized in several different ways. They can be categorized by the layer of the OSI model at which they operate, by the technology they implement, or by the general approach they employ. When using the different approaches employed by firewalls, you can separate them into two different categories, filtering firewalls and proxy firewalls. Many firewall implementations use a combination of both approaches. When categorizing firewalls based on the level of the OSI model at which they operate, there are three basic types of firewalls:

• Network level;
• Application level (proxy server);
• Circuit level (proxy server).

Network Level Firewalls

A network level firewall operates at the network level of the OSI model, hence the name network level firewall. A network level firewall is usually a screening router or specially modified computer that "filters" or "screens" each incoming packet to determine whether to pass it on through to the network. Network level firewalls typically employ one of two different filtering approaches:

• Static packet filtering;
• Dynamic packet filtering/stateful inspection.

Static Packet Filtering

A static packet filtering firewall employs a process of filtering incoming and outgoing packets to deny or authorize access. The criteria to deny or authorize access can be based on the network address of the packet and other rules as defined by the network administrator (typically source and destination address, protocol, and port). The most widely employed static packet filtering firewall is the common router. The filtering rules employed to determine whether to deny or authorize a packet are non-dynamic. In other words, they don't change. The rules are static, hence the name static packet filtering firewall. Because a static filter has no memory of earlier packets, it cannot tell a legitimate reply from an unsolicited inbound packet, so it must either permit a broad range of inbound ports or rely on weak hints such as the TCP ACK flag.


Stateful Inspection/Dynamic Packet Filtering

Stateful inspection also occurs at the network level of the OSI model. A stateful inspection packet filtering firewall also filters packets, but it can modify the rules according to need. The rules are "dynamic" in that they can change as conditions require. For example, a stateful inspection firewall remembers outgoing packets and permits any corresponding incoming packet responses to pass through. It only allows in traffic that is a response to a request that originated from the inside network (or that a static rule explicitly permits, such as traffic to a published web server). The connection table is the key: it records the source and destination addresses and ports of each permitted connection, and entries are removed when the connection closes or times out, so that the opening made for a reply does not stay open.

Proxy Servers

Application level and circuit level firewalls are two different implementations of a proxy server. A proxy server "stands in" for both the client and a server during a connection. A proxy server acts as the "man in the middle," so that there is no direct contact between a client on an internal network and a server on an untrusted network. Technically, the proxy is not the firewall. The proxy runs on the firewall. This is an important distinction. The firewall stops the traffic from flowing through, while the proxy allows the controlled access. The proxy is only a software solution to allow communication between two networks in a controlled manner.

Application Level Proxy

Application level proxy firewalls are sometimes referred to as application level gateways. This is because the purpose they serve is to provide a gateway between a trusted and untrusted network through which information can pass. An application level proxy operates at the connection level through interactive proxies that control the establishment of connections. Typically, the proxy also authenticates the user, authorizes the source and destination addresses, and permits or denies the protocol. To function, the server requires proxies for each protocol (e.g., FTP, HTTP, and telnet). The application level proxy must know the particular application for which it is providing the service.
#here are generic pro?ies a:ai!a&!e that can &e emp!oyed for o&scure protoco!s$ &ut uti!i7ing them can ha:e a detrimenta! effect on throughput. #o optimi7e performance$ pro?ies specifica!!y designed for the :arious protoco!s shou!d &e emp!oyed. 1/(
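The difference between static packet filtering and stateful inspection described above, as an added example (not code from the original text): the same three constructed packets are run through a fixed rule table and through a filter that remembers outgoing sessions. The addresses, ports and the 10.0.0.x internal range are assumptions for the illustration.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."     # constructed internal address range (assumption)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    @property
    def inbound(self) -> bool:
        return not self.src_ip.startswith(INSIDE_PREFIX)


def static_filter(pkt: Packet, rules) -> bool:
    """Static packet filter. Each rule is (direction, low_port, high_port)
    and permits packets in that direction whose destination port falls in
    the range; anything unmatched is dropped. The table never changes."""
    direction = "in" if pkt.inbound else "out"
    return any(d == direction and lo <= pkt.dst_port <= hi for d, lo, hi in rules)


class StatefulFilter:
    """Stateful inspection: remembers each permitted outgoing packet and
    admits an incoming packet only if it is the reply to one of them."""

    def __init__(self, permitted_out_ports):
        self.permitted_out_ports = set(permitted_out_ports)
        self.sessions = set()   # (src_ip, src_port, dst_ip, dst_port, proto)

    def check(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.dst_port not in self.permitted_out_ports:
                return False
            self.sessions.add((pkt.src_ip, pkt.src_port,
                               pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        # Inbound: allowed only as the mirror image of a remembered session.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return reverse in self.sessions


def compare():
    """Run the same packets through both filters. The static table has to
    open inbound high ports so that web replies get back in, and that same
    opening admits an unsolicited probe; the stateful filter admits only the
    reply. Returns {name: (static_verdict, stateful_verdict)}."""
    request = Packet("10.0.0.5", 40001, "203.0.113.10", 80)    # inside -> web server
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40001)      # the server's answer
    probe = Packet("198.51.100.7", 4444, "10.0.0.5", 40002)    # unsolicited, from outside

    static_rules = [("out", 80, 80), ("in", 1024, 65535)]
    stateful = StatefulFilter(permitted_out_ports=[80])
    results = {}
    for name, pkt in (("request", request), ("reply", reply), ("probe", probe)):
        results[name] = (static_filter(pkt, static_rules), stateful.check(pkt))
    return results


if __name__ == "__main__":
    for name, (static_ok, stateful_ok) in compare().items():
        print(f"{name:8s} static={static_ok} stateful={stateful_ok}")
```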

Circuit Level Proxy

A circuit level proxy functions by creating a "circuit" between a client and a server without interpreting the nature or substance of the request. To function, a circuit level proxy requires that a client system run a special client software. One of the most widely used circuit services is SOCKS, which is discussed above.

Packet Filters Versus Proxies

Generally speaking, packet-filtering firewalls tend to provide better performance, in terms of throughput, than proxy firewalls. That only makes sense if you think about how the two differ in their functioning. Packet filters simply inspect the packets and pass them through, while proxy firewalls require much more setup and overhead. In general, proxy firewalls tend to provide better protection than packet filters. However, I am sure there are many individuals and vendors who would take exception to both of the previous statements. In terms of protocols, general network level firewalls are more effective at handling protocols such as telnet and SMTP, while proxy firewalls are better at protocols such as FTP and HTTP.

Firewall Configurations

There is no one way of implementing a firewall. There are many different ways to deploy the components that comprise a firewall. There is little difference whether the approach employed uses packet filtering or proxies. Many organizations use a combination of packet filtering and proxies in their firewall configuration. The most widely implemented architectures are listed as follows:

• Screening routers;
• Bastion hosts;
• Dual-homed hosts;
• Screened hosts;
• Screened subnets.


The architectures listed above are general concepts, and they are neither all-inclusive nor mutually exclusive. They are examples that I use to illustrate the practical application of the theory.

Screening Router

The screening router is probably the simplest approach you can use for firewalling your network. If you are connecting your company network to the Internet you will probably need the router anyway. Usually, the router is supplied by your ISP. Routers can provide a cheap and useful level of security by allowing you to filter connections based on the IP address and the protocol. Most router software comes standard with the ability to filter traffic. There are also public domain software packages available on the Internet that enable you to create your own router. One popular freeware is IPFilter. IPFilter runs on several versions of UNIX and can give a host system IP-filtering capabilities. The source code can be downloaded from a number of locations. One site is the University of Australia at http://coombs.anu.edu.au/~avalon/ipfilter.html. Another low-cost alternative for PC-based systems is Drawbridge. Drawbridge can convert most PCs with two network cards into a packet-filtering router. To find a copy to download simply use one of the many Internet search engines. Just be sure of the reliability of the site from which you choose to download. Basically, the router examines each packet as it attempts to pass through. This examination can occur for both incoming and outgoing packets. Based upon the rules loaded in the router, it either passes the packet on through or drops it. Screening routers are sometimes referred to as border routers because they sit on the border separating two or more networks.


Screening router function.

A screening router is not sufficient to protect an organization's network connected to the Internet. As stated before, routers are designed to route traffic, not to be firewalls.

Bastion Host

A bastion host is somewhat more complicated than a screening router. In architectural terms, a bastion is the outer part of a castle. It is usually a part of the castle that sticks out exposed and is used to defend the castle. In the movies, the bastion is the part of the castle from which they would pour the boiling oil down onto the soldiers who were laying siege to the castle. A bastion host gets its name from the fact that it is the part of the network that sticks out exposed and is used to defend the network. A bastion host is the outer defense of a network that does not allow traffic to pass. With a bastion host you generally want to run a stripped-down version of the operating system, regardless of the operating system. If possible, you should modify the system kernel to remove utilities and functions that are not needed. Only those services that are needed should be run, and all other executables and services should be removed. By doing so you reduce your exposure to certain operating system vulnerabilities. For example, if you don't need ftp or ping on your bastion host, then don't have them running. If you leave the various utilities functioning, they will be used by hackers.


In general, IP routing should be disabled on a bastion host. It is not uncommon for internal users to actually log into the bastion host to access the outside network. There are, of course, risks associated with that approach in that unauthorized individuals may be able to compromise a username and password. As a result, it is very important that systems on the internal network should not trust the bastion host. Since the bastion host is the system that is most accessible to the outside world, you should monitor it constantly and be prepared for the fact that it may be compromised. In today's environment, a bastion host by itself is not enough. Other measures, such as a screening router, should be placed between the bastion host and the internal network. Figure 12.3 illustrates the concept of a bastion host.

Bastion host.

Dual-Homed Host


The major vulnerability of dual-homed hosts can be the administration. It is easy to make mistakes configuring such a system and that can create holes in the system that allow unauthorized traffic through.

Proxy Server

A "proxy" is a substitute or a surrogate for something else. With a firewall, a proxy is a program that acts as a substitute for another program. A proxy server is designed to prevent a connection from one entity directly connecting to another entity. Instead, the connection is stopped at the firewall, and a proxy application is forwarded. At no time are the two entities in direct contact. In effect, the proxy firewall is identical to the man-in-the-middle attack described in Chapter 2. However, in this case the proxy server is protecting the entities on the internal network. A proxy server can be configured several ways. For example, it can run on a simple bastion host or a dual-homed host. It is important to remember that the proxy is not the firewall. The firewall security is provided by the bastion host or the dual-homed host. The proxy operates on a host that has IP forwarding disabled and blocks all traffic from passing. The proxy is actually a mechanism designed to allow traffic through in a controlled manner.

Dual-homed host proxy server.


Screened Host

Another option is to deploy a screened host. Figure 12.6 illustrates a screened host. With this configuration, the host is the only part of the firewall directly connected to the internal network. The host is protected by a screening router that provides packet filtering. The router will only allow certain types of connections or traffic through to the bastion host. The router is configured so that the only system on the internal network from which it will accept connections is the bastion host. This setup can be configured so that the host is the only system on the internal network to which the router and outside systems can establish a connection or see.

Screened host.

The section of the network between the screening router and the host is referred to as the "demilitarized zone" (DMZ). The term derives from the buffer zone that separates North Korea and South Korea. In Korea, the DMZ is a no-man's land that is intended to separate the belligerent parties. It provides an added measure of security. With firewalls the DMZ provides the same function. The DMZ is neither part of the internal nor external network. Generally, the DMZ is a buffer zone between the screening router and the bastion host.


Generally speaking, a screened host provides a greater level of protection to the internal network than does a dual-homed host alone. A dual-homed host represents a single point of failure, whereas a screened host uses a two-tiered approach.

Screened Subnet

With a screened host configuration, if a hacker manages to get through the screening router and is able to compromise the bastion host, there is nothing to stop the hacker from compromising the rest of the network. That risk is mitigated with a screened subnet. A screened subnet adds an additional router, so that it sandwiches a bastion host between two routers that separate the internal network from the outside network. This establishes a separate subnetwork that acts as a barrier between the internal and external networks. This separate subnet is a buffer that acts as a DMZ that provides additional protection for the internal network.

Screened subnet configuration.

With a screened subnet, the exterior or border router communicates only with the outside network and the bastion host on the subnet. The exterior router is never allowed to communicate directly with the interior router or the interior network. The interior router communicates only with the interior network and the bastion host. The two routers never directly communicate with each other.


In this configuration, both routers perform packet filtering. The bastion host has IP routing disabled and runs proxy services. With this type of configuration, the external router is frequently provided by ISPs.

Restricting Users' Access to the Internet

When discussing the functionality of firewalls most people usually concern themselves with how well firewalls keep people from getting into the company network. However, one of the most important functions firewalls provide is restricting inside users from getting out. A firewall can be set up to restrict internal users from accessing particular sites on the Internet or from accessing the Internet at all. Firewalls can restrict access based on the URL or the content of the Web site. One such program is Secure Computing's SmartFilter software. SmartFilter is not a firewall in itself; it is a software product that can work as part of a firewall. Remember that a firewall is a collection of components that work together. (This is not a recommendation of the software, but simply an example of one of the products out on the market.) With SmartFilter, end users' Internet access is controlled through a database of URLs. The SmartFilter software contains more than 1,000,000 nonbusiness-related URLs. It also provides the ability to download updates to the database. In addition, the database can be customized by each organization.

Firewall Products

There are so many available firewall products on the market and the companies merge or change so frequently that it does not make sense to try to list them here; they might be obsolete by the time of publication. Many brands of routers provide firewalling capabilities and built-in VPN capabilities. There are, of course, UNIX-based, NT-based, and even Mac-based firewalls. In addition, there are products with proprietary operating systems and special dedicated firewall devices. One popular example is the Cisco PIX box.


For small offices or the home connection, there are also many "Internet-in-a-box" products on the market today that offer a simple-to-use configuration interface. These Internet appliances can be multifunction systems that offer firewall capabilities and simplify the process of connecting to the Internet. Available products include the Whistle InterJet, the Cobalt Qube, FreeGate OneGate, and the WindDance Breeze. These systems can provide a mix of e-mail services, FTP server capability, NAT, DHCP, DNS, and even VPN. Generally, these systems range in price from about $1,000 to $3,000. Some come with built-in routers, and some do not. If you are considering one of these systems, you need to take into account whether or not you will have to purchase a router.

Firewall Alternatives

For those who don't have a lot of money to spend, there are some inexpensive alternatives to purchasing a firewall. Some of these are described in the following sections.

TIS Firewall Toolkit

One well-known alternative to buying a firewall is to use Trusted Information System's (TIS) firewall toolkit. The TIS Toolkit was developed by Marcus Ranum, while at TIS. Ranum, who is well-known in the network security field, was also the architect of several other firewall products, including the TIS Gauntlet firewall. While the toolkit was developed several years ago, it is still widely used. The TIS toolkit is a set of basic proxies that provide the most commonly required functionality for a firewall. The source code is available to download, but there are some restrictions, and TIS requires that you register a copy for download. It is also available at other sites (although I'm not sure if those sites are legal). The TIS toolkit information and download is available from TIS at the URL http://www.tis.com/research/software. The TIS toolkit can run on Linux, which can also be downloaded. Since the toolkit and Linux are available on the Internet, all you would need is a powerful Pentium-based system to build a relatively inexpensive firewall. However, this is not a task for beginners. The way you configure the toolkit determines the level of security. It is not a simple "plug it in and it works" process. The installer has to know what he or she is doing and what he or she wishes to achieve.

Because the TIS toolkit has been around for so long there is a lot of information about it available on the Internet and a fairly large user community. There is even a Web site dedicated to providing and sharing information about the TIS toolkit. The URL is appropriately http://www.fwtk.org, and it is depicted in the figure.

TIS toolkit Web site. (Source: http://www.fwtk.org. Reprinted with permission.)

Like the TIS toolkit, both the Juniper and Freestone firewalls require that you know what you are doing. Building a firewall requires knowledge and experience. If you don't have the knowledge and experience, then consider a commercial product, and, even then, I would still recommend you get some help or advice first. Connecting critical networks and systems to the Internet is a job for properly trained personnel, not amateurs, nor is it the type of circumstance where an organization can allow the staff to learn on the job or grow into the position. The possibility of an attack is too great, and the potential harm to an organization is too high.


If an organization does not have knowledgeable staff, mistakes can be made in the setup and configuration of any firewall system. In fact, many successful hacking attacks have been attributed to incorrectly configured firewalls and routers. It is also important that firewalls be monitored and that those monitoring them know what they are looking at when reviewing logs and reports. Knowledgeable and experienced personnel are crucial to being able to recognize and detect attempts to compromise a network or systems. Organizations that don't have the personnel resources necessary for this type of position should consider outsourcing the responsibility for a firewall. Companies such as AT&T, Exodus, and UUNET offer managed firewall services. This type of arrangement has worked very well for some companies. Be warned though that with this type of arrangement you are placing a great deal of trust in the hands of the company selected to function as the firewall. You are trusting their technical skills and the reliability of their personnel. Accordingly, you need to be sure of the company with which you are doing business. Even if you choose to outsource the firewall function, I would recommend taking additional measures to harden your internal systems. It is somewhat ironic that some organizations would never think of outsourcing the responsibility for their firewall because of security concerns, while they don't hesitate to outsource the entire organization's computer operations or WAN management to reduce operating expenses. Where is the logic in that thinking?

Personal Firewalls

The rise in popularity of broadband access from home, such as cable modems, and the introduction of xDSL technology has resulted in the development of a new class of firewall, the personal firewall. Cable and xDSL with their "always on" technology offer increased speed but with increased risks. These risks, which are discussed in Chapter 9, offer new challenges to the home user on the Internet. The greatest risk is the fact that with technologies such as cable and xDSL, hackers can gain access to a Web surfer's system. Personal firewalls were developed to mitigate this risk. Personal firewalls are software products that act to safeguard an end user's computer on the Internet by monitoring attempts to access or probe his or her system. For instance, if a hacker attempts to "ping" or "finger" a computer running one of these personal firewalls the command is denied and the end user is notified of the attempt. The various personal firewalls can monitor for specific ports, protocols, IP addresses, and URLs. Some also provide virus detection capabilities and content filtering for Web sites. Many of the available personal firewalls provide the ability to configure the software to allow or deny connections based upon a specific set of rules. For example, one can load in a specific group of IP addresses, so that when an unauthorized IP address attempts to connect to a system employing one of these software products, the system denies the connection and notifies the end user. Once notified, the end user can take appropriate action. There are several products on the market that offer personal firewall capabilities. Symantec's Norton Internet Security 2000, McAfee's Personal Firewall and Software Builders' PC Secure are three examples. There are also some very good free systems available for download on the Internet. One option is Aladdin Knowledge Systems' eSafe program, which provides virus protection, content filtering and personal firewall capabilities. Figure 12.9 shows the configuration desktop of eSafe. eSafe provides the capability to allow or deny traffic based on port, protocol, IP address or URL.


The configuration desktop of eSafe. (Source: Aladdin Knowledge Systems. Reprinted with permission.)


7. VPNs, Authorization and Authentication Systems

Virtual Private Networks

Encryption on the Network

A VPN is another example of a widely implemented use of encryption to secure connections on an untrusted network. Before going into a detailed discussion of VPNs, we need to cover some basic concepts related to encrypting a network connection. To begin, when using encryption to secure a connection between two or more systems, it can generally be handled in one of two ways: node-to-node or end-to-end.

Node-to-Node Encryption

Node-to-node encryption is also referred to as link-to-link encryption. Referring to the OSI model, the data link layer is concerned with node-to-node or link-to-link connections. As a result, if you encrypt the packet at the data link layer, it must be decrypted by the data link layer recipient before passing it up to the network layer to determine how to forward the packet. When encrypting at the data link layer, a packet has to be decrypted and re-encrypted for each node-to-node hop along the route. Node-to-node encryption operating at the data link layer requires compatible devices, sharing a protocol, and a key management process for every device on the network.


Node-to-node encryption.

If the devices on the network are not compatible, they will not be able to relay the packets they receive. This is an issue that must be considered, because if the network is large, management requirements will be significant.

End-to-End Encryption

As an alternative, end-to-end encryption operates at the upper layers of the OSI model and can encapsulate data into standard network protocols. As a result, no special considerations are necessary for the intermediate hops along the network. The encryption and decryption of the encapsulated data is done at either end of the connection.

Figure 11.2: End-to-end encryption.

However, a consideration with end-to-end encryption is that the further up the protocol stack you move the encryption, the more information you may be providing a potential eavesdropper. As you will see, as you move the encryption higher up the protocol stack, more information is revealed about the sender, the recipient, and the nature of the data.


Encrypt

The level of security achieved differs depending on where the encryption takes place. The level of security required should dictate where your encryption is performed. Referring again to the OSI model, if you encrypt at the network layer (layer 3), information identifying the devices or machines can be intercepted. For instance, information on the IP addresses of the source and destination can be monitored. This information can be used for network traffic analysis. As we have discussed, network traffic analysis in itself can provide a wealth of information that can be utilized by individuals or entities sniffing the network. If the encryption takes place further up the protocol stack at the transport layer (layer 4) then someone eavesdropping on the communications can tell which port you are communicating with on the recipient system. From that information, eavesdroppers can surmise what protocol you are using. For example, if you are communicating with port 161, then you are most likely using SNMP for network management. If you are communicating with port 25 then you are probably using SMTP for e-mail. Knowing the protocols that are running on a device or system can be used to plan an attack. A TCP/IP port is a logical connection to a server that usually handles a specific service or protocol. TCP/IP network servers often provide a variety of services or protocols such as SNMP, HTTP, or SMTP. Each of the available services "listens" for an outside connection on a particular port number or uses a specified port number. The port numbers range from 1 to 65,535, with the privileged ports ending at 1,024. Nonprivileged ports range from 1,025 to 65,535. Sometimes the port numbers are displayed at the end of a URL. For example http://www.someurl.com:81. In this example the server is using port 81 for the particular URL address. It indicates the port number that the TCP/IP connection is using on the Web server.


At the application layer (layer 7) even more information is available. If e-mail is encrypted and transmitted at this level it may be secure from disclosure and modification, but anyone monitoring the transmission will know you sent e-mail, to whom you sent it, and where. As a result, when implementing encryption on a network you have to determine where you need the encryption to take place and what is an adequate level of security based upon the sensitivity of the data.

Virtual Private Networks (VPNs)

A VPN is a means of transporting traffic in a secure manner over an unsecured network. A VPN usually achieves this by employing some combination of encryption, authentication, and tunneling. "Tunneling" (sometimes called encapsulation) refers to the process of encapsulating or embedding one network protocol to be carried within the packets of a second network. There are several different implementations of VPN protocols. There are at least five generally recognized VPN protocol "standards." I use the word standard here somewhat loosely. There are also several proprietary products available on the market. The four most commonly employed protocols are listed as follows:

• Point-to-Point Tunneling Protocol (PPTP);
• Layer 2 Tunneling Protocol (L2TP);
• Internet Protocol Security (IPSec);
• SOCKS.

PPTP

PPTP is a tunneling protocol supported by Microsoft for connecting Windows NT clients and servers over remote access services (RASs). PPTP is one of the more widely implemented VPN protocols if for no other reason than it was one of the earliest. PPTP operates at the data link layer (layer 2) of the OSI model and can be used to create a VPN between computers running the Windows operating system.


PPTP is basically an extension of the Point-to-Point Protocol (PPP), the Internet standard for transmitting network layer datagrams (i.e., IP packets) over serial point-to-point links, and is used by TCP/IP routers and PCs to send packets over dial-up and leased-line connections. PPP was developed as a replacement for Serial Line Internet Protocol (SLIP). When you dial into an ISP's dial-up service you are using a PPP dialer to connect to the ISP. PPTP does not provide the actual encryption. Instead the encryption for the PPTP tunnel is provided through Microsoft's Point-to-Point Encryption. Microsoft Challenge Handshake Authentication Protocol (CHAP) is the preferred setting for clients supporting Microsoft encryption. CHAP actually uses RSA's MD4 algorithm to ensure integrity and the RC4 algorithm for confidentiality of the data. To establish a connection, the CHAP server sends a unique random challenge to the client. The challenge is used by the client to encrypt the client's password. The password is then returned to the server to log in the client. PPTP has been submitted to the IETF for standardization. It is currently available only on networks served by Windows NT, 98, and Linux. Sniffer programs are available at hacker sites, such as http://l0pht.com, that they claim will sniff PPTP authentication and output the challenge and password hashes. Also available are programs that purport to exploit a flaw in MS-CHAP to get the password hashes without the overhead of cracking the challenge/response. PPTP is not secure because MD4 has been broken, and the hashing algorithm has been proven not to be one-way. However, when transmitting on an open network PPTP is vastly superior to using nothing at all.

L2TP

L2TP is an IETF standard that combines features from Cisco's Layer-Two Forwarding (L2F) protocol and Microsoft's PPTP. Since L2TP's basis is PPTP, it too is an extension to the PPP. As its name implies, L2TP operates at the data link layer (layer 2). As such, it is used for node-to-node communications. To function across the network from end-to-end, all network devices or nodes must be L2TP-compliant.

IPSec

IPSec, a set of protocols under development by the IETF to support secure exchange of packets at the IP layer, is utilized to implement VPNs on the Internet and intranets. IPSec operates at the network layer (layer 3) and supports two modes, transport mode and tunnel mode.

IPSec Transport Mode

Transport mode encrypts only the data or information portion (payload) of each IP packet; it leaves the header untouched. Transport mode provides end-to-end encryption since the header information is untouched. As a result, no special setup is required for the network devices. Transport mode is usually used for secure communications between hosts. With transport mode, someone sniffing the network will not be able to decipher the encrypted payload. However, since the header information is not encrypted, sniffers will be able to analyze traffic patterns.

IPSec Tunnel Mode

Tunnel mode encrypts the entire packet, both the header and the payload. The receiving device must be IPSec-compliant to be able to decrypt each packet, interpret it, and then reencrypt it before forwarding it on to the appropriate destination. As such, it is a node-to-node encryption protocol. However, tunnel mode safeguards against traffic analysis since someone sniffing the network can only determine the tunnel endpoints and not the true source and destination of the tunneled packets. The sending and receiving devices exchange public key information using a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley). This protocol enables the receiver to obtain a public key and authenticate the sender using the sender's digital certificates. Tunnel mode is considered more secure than transport mode, since it conceals or encapsulates the IP control information.
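The two IPSec modes above, as an added example (not code from the original text): one constructed packet is wrapped in transport mode and in tunnel mode, and the fields a sniffer between the endpoints can still read are compared. The stand-in cipher (an HMAC-SHA256 keystream XOR), the key and the addresses are assumptions for the illustration, not ESP's real algorithms or an actual ISAKMP/Oakley exchange.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"   # constructed; a real SA key would come from ISAKMP/Oakley


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for ESP's cipher: XOR with an HMAC-SHA256 counter keystream.
    Applying it twice with the same key restores the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _seal(obj, key: bytes) -> str:
    return keystream_xor(key, json.dumps(obj, sort_keys=True).encode()).hex()


def _open(blob: str, key: bytes):
    return json.loads(keystream_xor(key, bytes.fromhex(blob)).decode())


def transport_mode(pkt: dict, key: bytes) -> dict:
    """Transport mode: the original IP header (src/dst) stays in the clear;
    only the transport header and payload go inside the ESP blob."""
    inner = {k: pkt[k] for k in ("proto", "dport", "payload")}
    return {"src": pkt["src"], "dst": pkt["dst"], "proto": "esp", "esp": _seal(inner, key)}


def tunnel_mode(pkt: dict, key: bytes, gw_src: str, gw_dst: str) -> dict:
    """Tunnel mode: the whole original packet, header included, is encrypted
    and a new outer header naming only the tunnel endpoints is added."""
    return {"src": gw_src, "dst": gw_dst, "proto": "esp", "esp": _seal(pkt, key)}


def decrypt_transport(wire: dict, key: bytes) -> dict:
    """Receiving host rebuilds the original packet from the clear header
    plus the decrypted transport header and payload."""
    return {"src": wire["src"], "dst": wire["dst"], **_open(wire["esp"], key)}


def decrypt_tunnel(wire: dict, key: bytes) -> dict:
    """Receiving gateway recovers the complete inner packet for forwarding."""
    return _open(wire["esp"], key)


def eavesdropper_view(wire: dict) -> dict:
    """Everything a sniffer between the endpoints can read: all fields
    except the ESP ciphertext."""
    return {k: v for k, v in wire.items() if k != "esp"}


def demo() -> dict:
    """Constructed packet from an internal mail client to an internal mail
    server across the Internet, shown in both modes."""
    original = {"src": "10.0.0.5", "dst": "10.0.1.9",
                "proto": "tcp", "dport": 25, "payload": "MAIL FROM:<alice@example.com>"}
    transport = transport_mode(original, KEY)
    tunnel = tunnel_mode(original, KEY, "192.0.2.1", "198.51.100.1")
    return {"transport": eavesdropper_view(transport),   # true hosts visible
            "tunnel": eavesdropper_view(tunnel),         # only gateways visible
            "roundtrip_ok": decrypt_transport(transport, KEY) == original
                            and decrypt_tunnel(tunnel, KEY) == original}


if __name__ == "__main__":
    for mode, seen in demo().items():
        print(f"{mode}: {seen}")
```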


SOCKS

SOCKS is an accepted IETF protocol standard that is designed for handling TCP traffic through a proxy server. Currently, there are two implementations of the SOCKS protocol in use, SOCKS version 4 (SOCKS4) and SOCKS version 5 (SOCKS5). As one would expect, SOCKS5 is the most recent version. The major difference between the two versions is that SOCKS5 provides additional security through authentication. NEC is a major proponent of SOCKS5 and has one of the most widely implemented SOCKS5-based products. SOCKS5 is compatible with most TCP applications. It also provides rudimentary firewall capabilities, because it authenticates incoming and outgoing packets and can provide network address translation (NAT). NAT is a process that hides the IP addresses of systems on the internal network from the external network.

Implementation

There are various approaches that one can take when implementing a VPN solution on the Internet. The configuration can be router-to-router, server-to-server, server-to-router, workstation-to-server, or workstation-to-router. One low-cost approach might be to use two Windows NT servers employing PPTP with xDSL, frame relay, or fractional T1. The figure below illustrates this approach employing xDSL with the minimum hardware configuration. Additional routers, firewalls and IDS would be required to protect the individual systems and prevent unauthorized access to the network.


PPTP VPN.

We've actually used the Cisco package discussed in Chapter 10 to connect small branch offices to a central office over xDSL. As an example, a one-person office located several thousand miles away from the central headquarters was connected using Cisco's VPN software. Figure 11.5 illustrates the configuration installed to connect the branch office.

Figure 11.5: Client-to-router VPN.

The client VPN software was installed on a workstation at the branch office. The client VPN software uses 3DES for encrypting the data portion of the IP packet. The VPN client interfaces with the VPN software on the Cisco router. Since only the data portion of the IP packet is encrypted, the VPN is an end-to-end connection, as illustrated in Figure 11.5. In the actual installation the xDSL modems, which are actually routers, perform IP filtering, as does the Cisco router. The Cisco router performs other firewall functions as well, such as protocol filtering. The router also has an IDS installed and performs NAT to mask the IP addresses of the internal network. In addition, the gateway server on the internal network performs IP and protocol filtering and is running IDS software. Finally, the client workstation runs a personal firewall/IDS software.

It is important to recognize that there are vulnerabilities within this configuration. For example, it can be subject to IP spoofing. However, to be successful, spoofing would require knowledge of the internal network addressing scheme, and vigilant monitoring and IDS would detect the initial attempts. The major rationale for deploying this type of configuration is cost. The cost to deploy an Internet VPN using xDSL is perhaps one-third the cost of using frame relay. When compared to a point-to-point T1 circuit, the savings is even greater. In the above example, the major incremental expense was the Cisco router and software package. We could have just as easily put another router at the branch office. In fact, this would have provided additional security and administrative features. However, we chose not to do so because of cost.

Identification and Authentication

They are listed as follows.

• Something you know;
• Something you have;
• Something you are.

Generally, when we talk about a process of identification and authentication that relies on "something you know" we are talking about a system that employs passwords. Passwords have many drawbacks: While passwords are inexpensive to implement and easy to establish, they are expensive and cumbersome to maintain. Speaking from personal experience, probably 50% of all calls handled by help desks are users who have forgotten one password or another and are locked out of a system. According to Gartner Group, an IT consultant currently located in Stamford CT, large organizations spend more than $340 per year, per user, on resetting passwords. That represents a significant cost to a large organization. If an organization has tens of thousands of employees, then the cost of password maintenance runs in the millions of dollars each year. Generally, the something you have that provides the identification and authentication is a token card, smart card, or some kind of electronic badge. While these schemes can provide superior security when compared to the typical password process, the devices can be lost or stolen.

Biometric Identification and Authentication

When we talk about an identification and authentication scheme that relies on "something you are," we mean biometrics. Biometric authentication is the process of using some physical characteristic, trait, aspect of physical being, or behavior to authenticate one's identity. The most commonly known example is the process of employing fingerprints to identify an individual. For years government agencies like the FBI have been using fingerprints to identify individuals and perform background checks. Biometric authentication usually fits into one of two general categories. The first is physical characteristic recognition (PCR), which relies upon a physical characteristic such as a fingerprint, retina or iris scan, voiceprint, or facial geometry for identification and authentication. The second category is behavioral characteristic recognition (BCR). BCR relies on behavioral characteristics such as how a person types at a keyboard, writes, or signs his or her name. In general, PCR is much more widely implemented than BCR. With most biometric authentication there is usually a registration process. This entails the process of registering or enrolling some physical trait such as a fingerprint, voiceprint, or retina scan. During the registration process a template for the trait being registered is created. The template is typically a mathematical representation of the physical trait. The template is then stored in some fashion (usually in a database in an encrypted format) to be retrieved at a later time for comparison to the user's actual physical characteristics to authenticate the would-be user's identity. Let's say that the biometric system is used to identify and authenticate users of a network. When the user wants access to the network, he or she scans the physical trait again (fingerprint, retina, etc.). Then the same process used to create the template is used to create a mathematical representation of the physical trait, either at the reader or the server. It is then compared to the template that is stored on the server or station. If the two match, then the end user is given access to the network.

This is just an approximation of the process. I'm sure individual vendors' processes will vary according to the system design.

Biometric Identification Reliability

When considering a biometric authentication system, there are two critical characteristics that you should review before deploying any system. They are listed as follows.

• False acceptance rate (FAR);
• False rejection rate (FRR).

The FAR is the rate at which a system incorrectly accepts or recognizes a would-be user as authorized to access the system when in fact he or she is not. In other words, how often does the system let someone in that it should keep out? Most manufacturers of biometric authentication devices list the FAR for their products. If not, you should be able to request it from the manufacturer. Very often the FAR is listed as a percentage. The FAR for any biometric identification and authentication system should be closely scrutinized. A manufacturer may list a FAR that appears to be very small, but the numbers can be deceiving. For example, a FAR of only 1% means that one time out of 100 a system will incorrectly accept an unauthorized user. That false acceptance rate percentage is much too high. A FAR of 1% means that if a hacker makes 100 attempts he or she will be successful at least one time. Even a FAR of 0.01% is too high to be acceptable. That means that one in 10,000 attempts will be incorrectly accepted. Those odds are much more in favor of a hacker when compared to the odds of the hacker guessing a password eight characters in length. For example, even if you exclude the 26 letters of the alphabet and all special characters and use only numbers for an eight-digit password, you would still have over 99,999,999 passwords. That means there is less than a 1 in 99,999,999 chance of accessing the system by guessing the password. However, with a biometric identification system with a 0.01% FAR there is a 1 in 10,000 chance of accessing the system by mistake.

Another important characteristic of any biometric identification and authentication system is the FRR, the rate at which a system incorrectly rejects a legitimate user. While it is not as critical as FAR, the FRR is important to the successful deployment of any biometric authentication system. If the FRR of a system is too high, it can cause end-user frustration. The frustration can lead users to circumvent proper authentication procedures to avoid the biometric system. It can ultimately create security holes or lead to the system being scrapped. When evaluating any biometric authentication scheme you need to take into account how it will handle the natural changes people experience. This is particularly true for PCR biometric systems. For example, suppose your system employs face recognition and you have a person who had a beard but decides to shave it. Will he then be locked out of the system? As people age, their physical characteristics can change. Whatever system is employed needs to be able to update a template with the subtle changes that naturally occur every time it authenticates the would-be user. To be truly effective, any biometric system must also be sophisticated enough to detect fraud. In other words, it has to be very hard to fool. As a result, the underlying technology used for any system has to be multitiered. For example, a system employing only optical imaging for fingerprints, face recognition, or hand geometry may not be able to detect lifted or faked characteristics if the owner is deceased. The more sophisticated systems look at several elements of a physical characteristic. For example, a hand reader may not only compare the hand geometry but will also check temperature and even check for blood pressure. This multitiered approach makes it much more difficult to fool a system with something like a plaster cast of a hand.

Backup Authentication

An effective biometric system needs to be able to handle temporary physiological changes. If you are employing fingerprints for authentication, what happens if an end user badly burns his or her fingers? What happens if someone breaks his or her hand, and your system is based on hand geometry? Someone with a cast on his or her hand will be unable to gain access through the hand reader.

You need to consider the backup methods to authenticate users in the event the biometrics fail. You also need to consider how easy it is to activate the backup authentication method. You could find yourself locked out without an alternate authentication method. If you have a backup method, such as a password, what's to stop someone from using it all the time, or what's to stop someone from compromising the backup process and circumventing the biometric system altogether? A biometric system that can be circumvented is worthless. What's the point of going through the time, trouble, and expense of installing a biometric identification and authentication scheme to protect your network only to have someone with a password break in and compromise the network?

Environmental Conditions

Another element that must be considered before implementing a biometric authentication system is the environment in which it will operate. Water, noise, moisture, and dirt can adversely impact the operation of some biometric authentication systems. A factory floor where workers get their hands dirty with grease or where the conditions are very wet would not be the best environment to install a fingerprint reader or hand reader. A fingerprint reader or hand scanner would be equally ineffectual in an environment where workers wear gloves. Similarly, a retina scanner or face geometry reader would not be advised in an environment in which individuals must wear protective eyewear or masks. In addition, voiceprint readers would not work well in noisy environments. These types of issues have to be considered before deploying biometric systems.

User Acceptance

To achieve a successful deployment of a biometric authentication system, it is important to gauge user acceptance of the technology being used. Users may be uncomfortable with retina scanners and find recording of fingerprints an invasion of privacy. Consider how invasive the technology will be and whether users will accept it before implementing it. As one would expect, the more invasive the technology being deployed the more uncomfortable the end users become. While retina-scanning technology may be more reliable than fingerprint readers, end users are almost always more comfortable with the fingerprint readers. Another issue that needs to be considered before deploying a system is general hygiene. This is more of an issue with biometric devices that are used to authenticate employees at a central location, such as a main entrance to a restricted facility. It may sound funny, but what better way to pass germs to all your employees than to have each and every one of them touch a hand scanner? All it would take is for one employee to get a cold to have it spread to everyone. Would you want to touch a hand scanner or fingerprint reader knowing that the person who used it before you has a bad cold? Of course, the same hazard is associated with other, more mundane objects, such as doorknobs and elevator buttons. However, it is inevitable that users' suspicions of a biometric system will be greater when it is first introduced.

Security of the Biometric System

Another critical factor with biometric identification and authentication systems is how they handle communication and storage. You have to look at how a particular system is implemented. For example, if it is deployed on a LAN, does the biometric identification system communicate with a server for authentication? If it does, then security in the communications between the reader and the host server is very important because biometric systems can be susceptible to replay attacks. Can the communication be tapped? Is the communication encrypted? Even if it is encrypted, what's to stop someone from using a replay attack?

For example, Alice identifies herself to the network using a fingerprint reader on her keyboard. The mathematical representation of her fingerprint is sent to the server for identification and authentication. However, Bob has placed a sniffer on the network and has captured the mathematical representation of the fingerprint in transit to the server. Now Bob has that information and can transmit it to the server at any time and gain access to the network as Alice. Even if the transmission were encrypted, Bob would still be able to capture and copy it to be transmitted at a later time. Of course, there are many ways that a vendor can avoid this problem. One method would be to use some timestamp in an encryption algorithm. Another method would be to store the template on the local system. However, that would only work for end users with workstations with local storage. In addition, storing the template on a local hard drive would introduce other security issues. If the templates are stored on a server you also need to consider how they are stored and the security employed to prevent them from being compromised. These are the types of issues that an administrator needs to take into account before deploying any biometric identification and authentication system.

Interoperability

Another issue that is much more difficult to resolve and I believe will be around for a while is the fact that there is no interoperability between biometric systems. Every single product on the market is proprietary. It is also difficult to find a product that has operating system interoperability. As a result, if you work for a large organization, you will be hard pressed to find a system that can be deployed across the entire enterprise.
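The Alice and Bob exchange above, worked through as an added example that is not part of the original text or of any vendor's product: the server issues a single-use nonce per login, and the reader binds the template to that nonce and a timestamp with an HMAC, so a captured submission is rejected when resent (replay), when resent under a new challenge without the key (forgery), or when held too long (stale). The shared key, the feature-vector template, the Hamming-distance matcher and the 30-second skew window are assumptions.

```python
"""Replay-resistant submission of a biometric template to an authentication server.

Added example, not from the original text. It models the Alice/Bob scenario
above: a sniffer can capture the template in transit, so the server binds each
submission to a single-use nonce and a timestamp with an HMAC. Assumptions:
the reader and the server share a key provisioned at enrollment, and the
server issues a fresh nonce for every login. Confidentiality of the template
on the wire is a separate concern (encrypt the channel); this handles replay.
"""
import hashlib
import hmac
import secrets
import time

# Constructed enrollment data: a 16-byte feature vector stands in for the
# "mathematical representation" of Alice's fingerprint. Not real biometric data.
ALICE_TEMPLATE = bytes.fromhex("3f2a91c4d85e07b61a9cf0e3b4d27a15")
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits; a live scan never matches enrollment exactly."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def tag(key: bytes, user: str, template: bytes, nonce: bytes, ts: float) -> bytes:
    """HMAC over user, template, nonce and timestamp: a captured message cannot
    be re-used under a different nonce or time without the key."""
    msg = b"|".join([user.encode(), template, nonce, repr(ts).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, key, enrolled, max_skew=30.0, max_distance=8, now=time.time):
        self._key = key
        self._enrolled = enrolled          # user -> enrolled template
        self._max_skew = max_skew          # seconds a submission may be old
        self._max_distance = max_distance  # matcher tolerance in bits
        self._now = now                    # injectable clock for testing
        self._pending = set()              # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        """Issue a fresh nonce; the reader must echo it in its submission."""
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, user, template, nonce, ts, mac) -> bool:
        if nonce not in self._pending:
            return False                  # unknown, or already consumed: a replay
        self._pending.discard(nonce)      # single use, even if the rest fails
        if abs(self._now() - ts) > self._max_skew:
            return False                  # stale: captured earlier, resent later
        if not hmac.compare_digest(tag(self._key, user, template, nonce, ts), mac):
            return False                  # not produced by a reader holding the key
        enrolled = self._enrolled.get(user)
        return (enrolled is not None and len(enrolled) == len(template)
                and hamming(enrolled, template) <= self._max_distance)


class Reader:
    """Client-side reader: takes the live sample and signs the submission."""
    def __init__(self, key, now=time.time):
        self._key, self._now = key, now

    def submit(self, user, live_template, nonce):
        ts = self._now()
        return (user, live_template, nonce, ts,
                tag(self._key, user, live_template, nonce, ts))


def demo():
    """Alice's login, then Bob's replay, forgery and delayed resend; returns outcomes."""
    clock = [1_700_000_000.0]
    now = lambda: clock[0]
    server = AuthServer(SHARED_KEY, {"alice": ALICE_TEMPLATE}, now=now)
    reader = Reader(SHARED_KEY, now=now)
    live = bytearray(ALICE_TEMPLATE)
    live[0] ^= 0x01                            # live scan differs from the
    live[7] ^= 0x80                            # enrolled template by two bits
    captured = reader.submit("alice", bytes(live), server.challenge())  # Bob sniffs this
    legitimate = server.verify(*captured)
    replay = server.verify(*captured)          # same nonce again: rejected
    user, template, _, _, _ = captured
    fresh = server.challenge()                 # Bob asks for a new challenge...
    forged = server.verify(user, template, fresh, now(),
                           tag(b"guessed-key", user, template, fresh, now()))
    delayed = reader.submit(user, template, server.challenge())
    clock[0] += 60.0                           # ...or sits on a capture too long
    stale = server.verify(*delayed)
    return {"legitimate": legitimate, "replay": replay,
            "forged": forged, "stale": stale}


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>10}: {'accepted' if accepted else 'rejected'}")
```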

8. Network Security Policy, Auditing and Monitoring Systems.

Policies and Procedures

For most organizations, network and system security policies and procedures serve the purpose of ensuring information security. They achieve this by defining what constitutes information security, why it is important, and how to maintain it. In addition, the policies and procedures define the acceptable levels of information security. Before you can do so, however, you must first put in place a process that enables you to determine what is an adequate level of security for any given organization. The elements of information security include confidentiality, integrity, availability, authentication, and access control. All five elements need to be addressed by whatever policies and procedures are implemented to address information security. In general terms, security policies are the set of rules and procedures that regulate how an organization manages, uses, protects, and distributes all information that directly or indirectly pertains to that organization.

Policies Versus Procedures

Policies should always be developed before procedures. The development of procedures should flow from the policies. Policies should be concerned with what assets to protect and why they need to be protected. They are generally broad in their scope and are designed to set the tone and direction. In general, they can be thought of as the documents that spell out the what and why of information security for an organization. Procedures, on the other hand, must be much more precise and detailed. Procedures should be concerned with the specific measures necessary to protect the organization's assets. They can be thought of as the documents that spell out the who, when, and how of information security within an organization.

Information Security Policy Objectives

There are various reasons for an organization to develop network and system security policies and procedures. Some are obvious, while others are not so obvious. Some reasons concern the direct benefit that an organization gains from having policies and procedures, such as preventing or detecting fraud or deterring hackers. Other benefits are indirect in that the policies protect the organization from potential liability or save it from possible embarrassment. Below I have listed some of the objectives generally associated with network security policies.

• Managing risk: The primary goal of any policy concerning network and system security is to manage risk. It is almost impossible to completely secure an organization's information assets. As a result, an organization needs to identify the risks that it faces and develop measures to minimize the impact of those risks.

• Ensuring business continuity: The ongoing operation of the organization should be a fundamental goal of the policies developed by any organization. It is interesting to note how many organizations' policies tend to spell out what cannot be done in great detail but do a very poor job of addressing what must be done to ensure the operation of the organization. Organizational policies and procedures should ensure business resumption by outlining the appropriate actions necessary in response to an incident or disaster.

• Defining responsibilities, expectations, and acceptable behaviors: For any policy or procedure to be effective, those individuals subject to the policy or procedure must understand what is required of them to comply. Compliance with a policy cannot be achieved without reaching an understanding of what constitutes compliance. In addition, employees need to understand their responsibilities and how their responsibilities may vary depending on the circumstances.

• Discharging fiduciary duty and complying with any regulatory requirements: Most organizations are subject to rules or regulations governing the responsibility of the corporate officers and regulating the operation of the organization. If a company is publicly traded, the corporate officers have a fiduciary duty to ensure the financial soundness of the organization. If they fail in that duty they can be held personally liable for the losses incurred. Most every organization is required to adhere to certain standards when it comes to accounting records and bookkeeping. Many organizations are also subject to federal, state, or local regulations that require certain measures be taken to protect the assets of the organization. Many organizations are subject to rules and regulations regarding the protection and disclosure of information pertaining to employees and customers. This is certainly true in the financial and health sectors. For many organizations, the absence of proper policies and procedures is considered automatic noncompliance.

• Protecting the organization from liability: The policies and procedures developed by an organization are often required to protect it from liability. In some cases, the existence of the policies and procedures is essential to demonstrate that an organization did not approve of an end user's actions or that an employee was or was not acting with the authorization of the organization.

• Ensuring information integrity and confidentiality: A key component of information security is protecting an organization's information assets. Ensuring the integrity and confidentiality of an organization's information is fundamental to that goal. Without information integrity, an organization cannot make sound business decisions. Without information confidentiality, an organization will lose its competitive edge through the loss of proprietary information regarding products, customers, and even partners and suppliers.

Developing Security Policies

For an organization's information security policies and procedures to achieve the stated objectives, it is essential that certain elements be included in the policies and procedures. These elements can be thought of as key measures for the success of an organization's policy and procedures. The elements are the stepping stones in the development process. They are listed as follows:

• Identifying the organization's assets;
• Defining the risks;
• Defining how information assets are to be managed;
• Defining how information assets are to be accessed and what process will be used for authentication;
• Defining clearly and in detail what does and does not constitute appropriate use of company-owned electronic media and services;
• Clearly defining what kind of information may be accessed and distributed and by what means;
• Defining what controls are to be put in place;
• Notifying users of monitoring and auditing procedures, information disclosure, and consequences for noncompliance;
• Identifying those responsible for security enforcement and how policies and procedures will be enforced;
• Developing steps to be taken in the event of noncompliance with policy, a security breach, or a disaster.

The first step is to determine responsibility for information security policy development. Too often, the IT unit is given sole responsibility for this task. However, if the policies and procedures are to be comprehensive, it will require the active participation of all business units. Development of information security policies must be a collaborative effort between the IT unit and the other business units within an organization. Any policy or procedure implemented without the active participation and "buy-in" of other business units faces an uphill battle.

organization at risk. Consider the following example: A student in one of my classes recounted a story indicative of the value that most companies place on information security. The student worked for a large software company that marketed a well-known database. During a cyclical downturn in business, the company went through a round of what was euphemistically called "rightsizing." While most business units experienced moderate cuts in personnel, the information security and the business resumption planning groups were devastated. Essentially, both units were dissolved, and all personnel were laid off. Obviously, the company did not see information security and business resumption as a critical business activity. As another example, at a company where I once worked, I submitted to senior management a recommendation that the company develop a policy to address "pretext calling." Pretext calling is a widespread practice used by information brokers to gain information on individuals from unsuspecting companies. Generally, an information broker poses as someone or some entity that is related to or associated with the individual with whom the targeted company does business. The targeted company could be a hospital, a financial institution, an insurance company, or even a school or government agency. The information broker usually gets a little bit of information from each contact. The information gathered is cumulative. With each contact the information broker gets more information, which in turn can be used to gain even more. Many companies are being hit by pretext calling. Even though the information broker lies and misrepresents himself or herself to the targeted company, this practice is not illegal. Companies are unwittingly giving out information on their employees, customers, and clients. It is not only bad for the customer, but it is bad for business. In addition, a company could find itself liable for how that information is used. It certainly would not instill customer confidence to know that a company was giving out customer information to anyone who calls. For that reason, I recommended that a policy and procedure be developed to address pretext calling.

Specifically, my recommendation was that the company should develop a general information privacy policy. Part of the implementation of that policy would include a training program to educate our staff on how to identify pretext calls. I argued that it would provide our company with a competitive advantage in that we could state to our customers that their information was safer with us than with our competitors. In addition, it would protect the company from possible liability. Finally, it would provide the company with a response to customers who contacted us with requests for information on how we handled this type of occurrence. Senior management thought it was a good idea but not a high priority, and that is where it ended. No one wanted to invest the time to develop the policy. Without the active support of senior management, it would have been impossible to develop a policy and attempt to impose it on the other business units.

1. Identifying and prioritizing assets;
2. Identifying vulnerabilities;
3. Identifying threats and their probabilities;
4. Identifying countermeasures;
5. Developing a cost-benefit analysis;
6. Developing security policies.

The first step is to identify and prioritize assets and systems and then identify the vulnerabilities associated with those assets. When assessing vulnerabilities and the risks associated with them, it is important to weed out the possible threats from the probable ones. The process should be one of determining what threats are most likely and developing policies that address those threats and issues. It is very important that the policies and procedures implemented within any organization should be real world-based. In other words, the policies and procedures should exist for the purpose of enhancing a preexisting process or function. As such, they should take into account the constraints of the real world and not try to achieve the apex of security.

For example, it would be overkill to require all e-mail to be encrypted. You should not require passwords to be changed every week or require them to be 15 alphanumeric characters in length. While it might be very secure, it would not be logical to implement a hand scanner for biometric identification in an environment, such as a "clean room," where technicians wear special suits, including gloves. As a rule, security policies and procedures that interfere with the operation of an organization are of little value. Those types of measures are usually ignored or circumvented by company personnel, so they tend to create security holes rather than plug them. If you make a process too arduous or annoying, people will ignore it. If you make the process of gaining access to a room too difficult, people will prop open the door. If you make passwords too hard to remember, people will write them down. All security measures (not just security policies), whenever possible, should complement the operational and business needs of an organization. The steps involved in information security policy implementation are fairly straightforward:

1. Developing a written security policies and procedures manual;
2. Developing an end user awareness and education program;
3. Developing a process for policy enforcement and procedure implementation;
4. Developing a process for the periodic review and updating of policies and procedures.

Policy and Procedure Manuals

For a security policy to be practical, it must be documented. The plan must also be made available as a reference to all those subject to the policy. The policy and procedure manuals need to be kept current and updated with any necessary changes. Modifications to systems, personnel, business priorities, and other environmental factors must be reflected in the plan. That means regular and frequent reviews of the policy.

Policy Format

There are many different ways in which one can format the policies. The type of format is relatively unimportant as long as the policy is understandable and achieves the desired results. The most important thing is that policies are formalized and documented in some way. A policy should include, at a minimum, the following elements.

• Policy statement: This section should state the general policy, what the policy says, and what it entails. This section can be as short as a single sentence or as long as a page. If it goes beyond a page, perhaps you are attempting to cover in a single policy issues that should be covered by more than one policy.

• Purpose: This section should state why the policy is needed. Examples of the purpose for a policy could include something to the effect that the policy is to protect the company or employees, ensure the continued operation of the organization, or protect the financial health of the company.

• Scope: This section should cover how far the policy extends. The scope should spell out the circumstances under which the policy applies. It can also include the time frame, specific hardware or software, and/or events under which the policy is effective.

• Compliance with policy: This section should include a detailed explanation of what does and does not constitute compliance with the policy. The section can include examples, but be careful to word it in such a way that it allows you to include instances that may not be listed in your examples. The section should include wording to the effect "examples include, but are not limited to ..." Being too specific in detail may make the definition too narrow.

• Penalties/consequences: This section should explain the consequences for noncompliance with the policy. Specific punishments associated with noncompliance should be listed. If the consequences for noncompliance can include termination, then it should be clearly spelled out in this section of the policy. This section serves as a warning to employees and can protect an organization in the event that it finds itself in court as a result of terminating an employee for non-compliance with a policy. The fact that the organization had clearly warned all employees of the consequences can diminish any argument that an employee may have for termination without cause.

Policy Awareness and Education

A policy is of no value if no one knows what it states. End users and personnel must understand management's expectations and their responsibilities in regard to complying with an organization's policies. End users and employees must also understand the consequences for noncompliance. This aspect is very important for protecting the organization if litigation results from noncompliance. The existence of a policy may be required to take punitive action against end users or employees who have acted in an unacceptable manner. Organizations that don't have a policy clearly defining unacceptable behavior may have no recourse. Having a policy in place that prohibits certain types of behavior can also save an organization from liability for the actions of its end users or employees. The absence of a formal policy and an awareness process may make it difficult to hold an employee accountable in the event some inappropriate behavior on the part of the employee is discovered. With a written policy, an organization can demonstrate that any derogatory actions taken by an end user or employee were not in compliance with accepted behavior and were therefore not condoned by the organization. Organizations should consider obtaining written acknowledgment from end users and employees stating that they have read and understand the organization's information security policy. This could be done as part of the general orientation for newly hired personnel or as part of the registration of new end users.

Policy Enforcement

Compliance with policies needs to be enforced. The only way to ensure compliance is through monitoring and auditing. Those responsible for enforcing the IT security policies must have the support of senior management. If an organization's IT security policy is to be successful, it also needs the support of all business units within the organization.

Security Policy Suggestions

Remember that the major emphasis of all policies and procedures is to prevent "bad things" from happening. It doesn't matter whether the bad thing is a mistake, disaster, or misdeed. Well-designed policies and procedures are flexible enough to address most "probable" threats. That is why risk analysis is such an important part of the process. Policies and procedures should also assume that the preventative measures will occasionally fail. As a result, they should include steps to detect "bad things." It is particularly important that the procedures spell out in detail what steps are to be taken in the event that all other measures have failed to prevent some "bad thing" from occurring. In other words, it should detail how the organization responds to an incident.

• Identification;
• Authentication;
• Access control (authorization);
• Availability;
• Confidentiality (secrecy);
• Integrity (accuracy);
• Accountability.

At the same time, you need to incorporate all of the various elements of security into all aspects of the operation of an organization and to address all probabilities. This includes procedures to address physical security and natural disasters as well as hardware and software security. You also need to address media controls and communication security. Most importantly, you need to address the human variable in your procedures in an effort to minimize temptation and stupidity and ensure compliance. The framework required to adequately address the needs of a particular organization will largely depend on the type of organization. Large corporations require extensive policies that cover all the possibilities, while most small organizations, which may use technology to a more limited extent (or at least have less of it), will require a much less extensive set of policies.

Do not use a pound when an ounce will do the job. Overly complicated or detailed policies tend to create problems and are often ignored. Policies should be simple to understand and remember. The level of detail for each organization will vary, but the following sections provide some basic suggestions.

Use of Company-Owned Electronic Media and Services

With the advent of new technologies, organizations are finding themselves relying increasingly on electronic modes of communication and information storage. Most employees in an organization have access to one or more forms of electronic media or service. They include but are not confined to the following:

• Computers (PCs, workstations, minicomputers, and mainframes);
• E-mail;
• Telephones and voice mail;
• Fax machines;
• LANs, intranets, and the Web.

Every organization that uses electronic media and services should have a policy that clearly defines the acceptable use of these media and services as company property. The policies should not only exist to protect the organization but also to protect the employees of the organization. The policy should specify the acceptable personal use of company-owned IT facilities and services. The policy should also cover when it is necessary to obtain management's permission and the process to do so. This policy should cover all technologies that could be exploited to receive and distribute information. Company systems and networks should not be used to generate or distribute material that is illegal or immoral or that contravenes the principles of the corporation. Such a policy ensures that appropriate measures are enacted to protect company assets and to educate employees of their responsibilities.

Often, an organization feels that developing a policy on the use of e-mail is all that is required. If the policy is to be truly effective, it must encompass more than just e-mail. When it comes to developing such a policy, organizations can run the entire gamut from very liberal in their approach and loosely defined to very narrow definitions of what is acceptable use of company property with severe limitations on personal use. Each organization is different, and the approach and philosophy that are brought to the task of developing a policy will vary greatly from company to company.

What Does the Policy Cover?

It is very important that employees or end users understand what technologies or kinds of technologies the policy covers. Accordingly, organizations need to explain what the company's electronic media and services are and what they entail. It is to their benefit and the benefit of their employees that they understand that the policy covers more than just e-mail.

Whose Property Is It?

A policy should state in clear terms that the electronic media and services are company property, not the employee's personal property. For example, employees very often become possessive about their PCs. They feel as if the PCs are their personal property and that no one has the right to access their PCs without first obtaining their (the employees') permission. It should be made clear that at any time, authorized personnel may review files on company-owned PCs, e-mail, or voice mail. This is not spying. Companies are, at times, obligated to perform such reviews to determine, among other things, whether there has been a breach of security, violation of company policy, or misuse of any company-owned media or services. Employees should be told that the company reserves the right to perform these reviews without prior notification of the employees. Make it clear to the employees that if they don't want the company to see something, they should not store it on company-owned property.


What Is Acceptable Use?

An organization has to determine for itself whether it will allow electronic media and services to be used for non-company-related purposes. The most reasonable approach is to allow limited, occasional use for personal, nonbusiness purposes (as is the case with personal phone calls). It is also important that policies be consistent with one another. It does not make sense for a policy to forbid the use of company e-mail for personal reasons while completely ignoring personal phone calls, voicemail, and faxes. Whatever an organization decides, the decision needs to be relayed to the employees in clear terms that spell out what the consequences are for violating the policy.

An organization should also protect itself by stating in writing that it is prohibited to use any of the company's electronic services for any purposes that violate state or federal laws. This includes requiring compliance with all copyright laws. If the company develops software, then the policy should also cover patents, trademarks, and intellectual property. In addition, a policy should prohibit the use of company-owned electronic services to transmit, receive, or store information or data of a harassing or discriminatory nature or that is derogatory to any group or individual. The policy should also prohibit any employee from using the company's electronic services to transmit, receive, or store information or data that is obscene or pornographic or that is defamatory or threatening in nature. This not only protects the organization; it protects the employees as well.

Hacking

The policy should also prohibit attempts by employees or end users to "hack" other systems. It should be made clear that attempts to hack or access information without authorization will not be tolerated by an organization, and there should be severe consequences for doing so. This policy should not only apply to attempts at hacking company-owned systems; it should also apply to the hacking of outside systems using company-owned or -leased systems or services. In addition, the policy should define the employees' responsibility to ensure that their logins and passwords remain confidential and the steps that they are required to take if they suspect that their passwords have been compromised. It should be made clear that these steps are not optional or suggested but are a required part of their job function and that failure to comply with the policy can result in adverse consequences.

Unauthorized Software

Many organizations employ a cookie-cutter approach to deploying desktop systems. Everyone gets the same image of a specific suite of authorized software. While this can be aggravating to the end users, it is a sound management practice. At the very least, this approach reduces the costs associated with the installation of desktop systems. This is particularly true when employing a package such as Microsoft's System Management Server (SMS), which essentially pushes an image onto the desktop from the server. This approach can also reduce an organization's support costs by reducing the number of applications that the help desk supports.

In general, it is a good security practice to have a policy that prohibits end users from installing software on their desktop systems without authorization from the IT group. This can prevent malicious programs from being introduced to the network. When it comes to installing software on servers, there should not only be a policy in place that bars such activity, but the access control mechanisms should be in place to prevent such activity. In many environments, it may be prudent to implement measures that prevent end users from installing software on their systems or in any way altering their desktop configuration. For example, Windows NT desktop systems can be installed with the local configuration capability disabled. Some programs designed to secure the desktop, such as Full Armor, Fortres 101, and Fool Proof, can be installed with Windows 3.x, 95, and 98. These systems provide some level of protection, but they can be circumvented and, in some cases, may actually pose risks.

E-Mail

Employees should be made aware of the fact that e-mail is not a secure medium. There is no guarantee that e-mail will remain private. They should also be made aware of the fact that e-mail transmitted on the Internet is particularly vulnerable to interception and disclosure. As such, information of an extremely sensitive or confidential nature should not be transmitted on the Internet unless the message is encrypted.


Every organization should reserve the right to review and disclose any employee's e-mail received or transmitted on or from company-owned electronic media or services. It should be made clear to every employee that this review and disclosure can be done without obtaining the employee's prior consent. This is not "big brother," it is common sense. A company has the right to protect itself. There have been a number of cases in the news media where the improper activities of an employee have landed an employer in court. The improper activities were later found to be detailed in the company e-mail. As a result, the company could be found liable for the employee's activities.

The results of a Computerworld survey regarding e-mail monitoring published in the magazine's October 1999 issue stated that 31% of the survey respondents had installed software that allowed for the active monitoring of e-mail and that another 21% were planning on installing software with that capability. Products such as Mailwall from Omniquad, MIMEsweeper from Content Technologies, and WMA Messaging Manager from Re-Soft provide administrators with the ability to scan end users' e-mail for key words. These programs can scan both the e-mail subject and body for questionable, obscene, abusive, or illicit content.

Identification

Any policy covering the acceptable use of company-owned electronic media and services should also deal with the issues of identity authentication and impersonation. Employees should be cautioned about relying on the stated identity of the sender of e-mail or any other type of transmission. E-mail messages in particular can easily be forged. Any policy should also prohibit employees from any attempt to hide their identity or to falsely represent themselves or attempt to represent themselves as someone else when transmitting, receiving, or storing e-mail or other electronic communications.


Information Privacy

It is important that active steps be taken by all employees to ensure that information privacy is maintained. Corporate information pertaining to customers, employees, and company projects and products should be reviewed to determine their level of sensitivity. This is important from both a business and regulatory perspective. Disclosure of sensitive information can help competitors and scare away customers. In addition, a corporation may also be subject to regulatory requirements governing the disclosure of information. Web sites catering to children are subject to the Children's Online Privacy Protection Act, which is enforced by the Federal Trade Commission (FTC). Japan and most of the European nations have much stricter regulations than the United States governing the disclosure and sharing of personnel information by companies. As a result, a general policy is recommended. The policy should outline the requirements governing the actions of the organization for information privacy.

Finally, the policy of organizations that have employees who frequently present at conferences or who are offered speaking engagements should cover what can and cannot be disclosed by the employee in his or her presentation. The policy can go so far as to include some type of review process by the management of the material being presented. This is to ensure that no sensitive proprietary or customer information is inadvertently disclosed.

Information and Data Management

Depending on the environment in which you operate, you may want to consider classifying and prioritizing information by its level of importance or sensitivity. Correspondingly, the nature of the data will dictate the measures necessary to protect it. Determination of access levels should also be dictated by the sensitivity of the information or data. Any policy should also define where information should reside and how it is to be moved, transported, or transmitted. The level of importance and sensitivity should be taken into account when these definitions are developed. For example, an organization may want to forbid information of critical importance from being copied to removable media such as floppies or tapes.


Information and data are valuable corporate assets and must be protected. Data can be defined as raw information, or information can be defined as meaningful data that has been organized in a coherent manner that allows for the reliable retrieval of data elements. One of the key components for the protection of information is to assign ownership. A policy on ownership should outline the responsibilities of the information guardian and the relationship with the custodian of the data. Policies are also necessary to address the proactive management of information and data. Policies must address the availability of the data and ensure that the appropriate controls are in place and utilized. Development of these policies should entail the analysis of the risks and the establishment of appropriate classification and authorization standards for the data.

Information and data integrity is not just concerned with protecting information content. Integrity must also address the accuracy of the data elements. A policy concerning data integrity should identify the requirements for secure data storage and mechanisms for the backup of data, and the requirements for the procedures to preserve and test the accuracy of the data. In the appropriate environment, data integrity also includes data entry standards to ensure that information is entered in a consistent and uniform format. To ensure data integrity, a policy should be enacted governing proper procedures to protect against the potential threat from computer viruses. The policy should cover requirements for virus scans and copying files from outside sources to company-owned systems.

Information and data management policies should also state that all files that reside on company-owned devices or media, such as PCs, removable disks, and tapes, are the property of the company. As such, the policy should prohibit employees from removing company information from the premises without authorization. This policy, while difficult to enforce, may be a useful legality to have in place. In addition, as a precaution, a company should reserve the right to examine, access, use, and disclose any or all information or data transmitted, received, or stored on any electronic media, device, or service owned or paid for by the company.


Systems Administration

One of the biggest challenges in devising proper security procedures is determining how to deal with the control and monitoring of the administrators of the organization's various systems. For example, many organizations operate in an environment where an individual or individuals have access to or responsibility for all aspects of system administration. The organization may have a small IT unit where using delineation of responsibility and segregation of duties as a control procedure is not practical. How do you segregate duties when there is only one person in the department? However, whenever possible, segregation of duties should be implemented. The individual or individuals responsible for the day-to-day administration should not also be the individual or individuals responsible for creating new accounts. In addition, the individual or individuals who create new accounts should not be responsible for determining the level of access given to those accounts. All new accounts should be reviewed by an individual not responsible for creating accounts. If possible, a distinction should be made between system administration and security administration.

System administration functions should be audited at least annually. All system changes and daily jobs performed by administrators and operators should be recorded in a log or schedule and should be reviewed daily. All system backups should be recorded and logged and the logs reviewed and retained. Backups should also be tested periodically, at least weekly. All security access changes should be documented, reviewed, and filed. A policy will also stipulate the records retention schedule and destruction of logs, schedules, and other documentation. In addition, systems should be classified according to their confidentiality and criticality to the operation of the organization to determine appropriate security measures. System classification is also required for disaster recovery planning. System auditing and validation should be addressed in some manner through policies. They can either be incorporated into existing policies or be in a separate policy. Chapter 15 discusses auditing in more detail.


Remote Network Access

Many organizations have requirements for remote network access. Sales staff, field engineers, and even delivery personnel and drivers often require access to an organization's network. In addition, with the growth in telecommuting, many employees are now working from home rather than coming into the office. As a result, more employees require access to the company's systems from outside the corporate network. Any remote access to the corporate network should be tightly controlled and subject to stringent security measures. A policy for remote access should address issues associated with authentication and access control. At a minimum, the policy should require any connection to utilize some kind of secure ID procedure. Refer to the discussion in Chapter 7 regarding modems for more detail.

Another consideration is third-party access to the corporate network. Many organizations have vendors, partners, customers, or joint ventures that require access to the corporate network. Policies need to be developed to ensure that proper controls are implemented, maintained, and monitored for all third-party access to an organization's network.

Reporting Noncompliance

Frequently, organizations educate employees and end users on their responsibility to report noncompliance but never put in place a mechanism to provide that capability. There are times when an employee may not feel comfortable reporting an incident of noncompliance. If the noncompliance involves a supervisor, systems administrator, or real criminal activity, the individual may be apprehensive to report the occurrence for fear of reprisal. In this type of circumstance you need to be able to provide a way to report issues of noncompliance anonymously. Consider setting up a hotline for reporting such matters. To ensure the caller's anonymity, consider using an outside service or third party for this function.


Auditing, Monitoring, and Intrusion Detection

What Is an Audit?

Traditionally, an audit is an independent review of a given subject. Its purpose is to report on conformance to required standards. One of the functions that an EDP audit serves is to verify compliance to company policies and to ensure that required security procedures and practices are being followed. In addition, an EDP audit usually entails the process of monitoring and analyzing systems, networks, and end-user activity. In addition to reviewing compliance to policies and procedures, an audit is concerned with risk assessment. An EDP audit assesses the risks to and associated with systems and networks to determine if the existing controls are adequate to protect the organization's assets. Some of the areas that a security audit would review include the following.

• Ensuring that desk manuals and procedures are up to date;
• Ensuring proper segregation of duties with proper reviews of work;
• Ensuring that adequate physical controls are in place;
• Ensuring that user authentication controls are adequate;
• Ensuring that audit trails are maintained;
• Ensuring that disaster recovery/business resumption plans are in place and tested regularly;
• Ensuring proper controls for application development and implementation;
• Ensuring that data integrity is monitored and maintained;
• Ensuring that general policies and procedures are followed.

An audit can be an opportunity to validate an organization's security policies and can provide IT with a chance to have an outside party test the security measures that have been implemented. It is not uncommon to employ a "tiger team" or "white hat hackers," as they are sometimes called, to test security measures. These are network security experts who test system and network defenses by attempting to "hack" into them. This hacking is done with the knowledge and consent of the organization that owns the network or systems that they are attempting to penetrate. Such individuals are usually hired consultants, but some organizations employ internal staff for tiger teams.

If an organization does business through a partner or a third party, then the organization's IT unit may need to audit that partner's or third party's security measures. This is particularly true if an organization uses a portal or ASP vendor to provide Internet-enabled or branded Internet services to customers. It would be extremely risky for an organization to enter into an agreement with an ASP without first certifying all aspects of the ASP's computer operation, including security. When using an ASP service, a company can find itself the indirect victim of a denial-of-service attack directed at another subscriber of the service.

As mentioned above, there are many areas reviewed during an audit. Consequently, for large installations, it may be necessary to categorize the functions and audit the functions separately. For example, the functions can be categorized under the following headings:

• Operational audits;
• System audits;
• Activity and usage audits.

Operational security audits seek to ensure that proper controls have been established to identify deviations from established standards and policies. This type of audit is designed to mitigate vulnerabilities introduced by poor management.

There are several objectives for system security auditing. The first is to validate the system configuration. System security audits also seek to analyze the system configuration to mitigate vulnerabilities introduced by the faulty implementation of a system, network, or application. The types of things a system audit reviews or looks for include, among other things:

• Accounts without passwords: It happens more often than you would think.
• Adherence to and enforcement of password policies: How easy is it to crack the passwords?
• Shared accounts: Are there accounts to which more than one person has the password?
• Dormant accounts: These accounts are often used by hackers and should be deleted.
• Files with no owner: These files are open to abuse, because anyone can take possession of them.
• Files with inappropriate access rights: These files are also open to abuse. It is very important that critical system files have the proper access rights.
• Separation of duties: Is there a process of checks and balances in place with proper reviews, or do one or two individuals have all the controls?

Even a secure system that is properly configured is vulnerable to attack, and auditing provides an excellent way of determining whether and how such attacks may take place. Another reason for a system security audit is to monitor for attempted probes, attacks, and other unusual occurrences. Auditing a system can also assist in setting baselines for system usage, which are used to identify abnormal activity. System monitoring relies heavily on system audit logs or event logs. General system log files record particular events including the following:

• Logins or attempted logins;
• Logouts;
• Remote system access;
• File opens, closes, renames, and deletions;
• Changes in privileges or security attributes;
• Changes in access control levels.

These log files are usually maintained on the server's or system's local disk drives and as such are vulnerable to alteration. It is generally a good practice to either move the log files to another server on a daily basis or simply print out the pertinent log entries to ensure a hardcopy record that cannot be altered. There are several software tools available to aid in the process of auditing a system. Two of the best known open source freeware programs are COPS and SATAN, which are discussed elsewhere. There are also a number of commercial products available from vendors such as Internet Security Systems (ISS), Secure Networks, Cisco, and Netective, just to name a few.

The key to an activity and usage audit is the establishment of baseline metrics to assist in identifying potential security problems. System activity audits seek to analyze deviations from the normal patterns of usage and other unusual activities. Baseline metrics should be established to assist in identifying potential security problems.
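As an added example (not code from the original text), the following script applies several of the system-audit checks listed above, accounts without passwords, password-aging policy, a second UID 0 account that amounts to a shared root login, and dormant accounts, to /etc/passwd and /etc/shadow style records. The records, the last-login table and the audit date are constructed sample data; on a real host the script would read the files and the lastlog database instead.

```python
"""Added example: account checks from the system-audit list over constructed
passwd/shadow records.  All sample data and the audit date are made up."""
from datetime import date

# Constructed /etc/passwd records: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
svc:x:1002:1002:service account:/var/svc:/usr/sbin/nologin
"""

# Constructed /etc/shadow records: name:hash:lastchg:min:max:warn:inactive:expire
# lastchg is days since 1970-01-01; an empty hash means no password is set and
# a hash beginning with '!' or '*' means the account is locked.
SAMPLE_SHADOW = """\
root:$6$constructed$hash:18000:0:90:7:::
alice::18600:0:90:7:::
bob:$6$constructed$hash:18600:0::7:::
toor:!:18000:0:90:7:::
svc:*:18000:0:90:7:::
"""

# Constructed last-login dates (what the lastlog database would report).
SAMPLE_LASTLOG = {
    "root": date(2020, 12, 30),
    "alice": date(2020, 12, 31),
    "bob": date(2020, 6, 1),
}

AUDIT_DATE = date(2021, 1, 1)  # constructed "today" so the results are reproducible
EPOCH = date(1970, 1, 1)


def parse_passwd(text):
    """Map user name -> numeric uid for each passwd record."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, *_rest = line.split(":")
            users[name] = int(uid)
    return users


def parse_shadow(text):
    """Map user name -> hash, last-change day and maximum password age."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            entries[f[0]] = {
                "hash": f[1],
                "lastchg": int(f[2]) if f[2] else None,
                "max": int(f[4]) if f[4] else None,
            }
    return entries


def is_usable(pw_hash):
    """A locked hash ('!' or '*') cannot be used to log in; anything else can."""
    return not pw_hash.startswith(("!", "*"))


def audit_accounts(passwd, shadow, lastlog, today, max_age=90, dormant_days=90):
    """Return (finding, user) pairs for the checks named in the audit list."""
    findings = []
    today_days = (today - EPOCH).days
    for name, e in shadow.items():
        if e["hash"] == "":                          # account without a password
            findings.append(("no-password", name))
        if not is_usable(e["hash"]):
            continue
        if e["max"] is None or e["max"] > max_age:   # aging policy not enforced
            findings.append(("no-aging", name))
        elif e["lastchg"] is not None and today_days - e["lastchg"] > e["max"]:
            findings.append(("password-expired", name))
    for name, uid in passwd.items():                 # a second UID 0 is a shared root
        if uid == 0 and name != "root":
            findings.append(("duplicate-uid0", name))
    for name in passwd:                              # usable accounts nobody logs into
        e = shadow.get(name)
        if e is None or not is_usable(e["hash"]):
            continue
        last = lastlog.get(name)
        if last is None or (today - last).days > dormant_days:
            findings.append(("dormant", name))
    return findings


def run_sample_audit():
    """Run the checks over the constructed sample data."""
    return audit_accounts(parse_passwd(SAMPLE_PASSWD), parse_shadow(SAMPLE_SHADOW),
                          SAMPLE_LASTLOG, AUDIT_DATE)


if __name__ == "__main__":
    for finding, user in run_sample_audit():
        print(f"{finding:18} {user}")
```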

Audit Mistakes

Ideally, an audit should be seen as an opportunity to improve processes. Unfortunately, the reality is sometimes one of finger-pointing and recrimination. Based on personal experience, some of the more common mistakes that contribute to a difficult EDP audit are described as follows:

• Not consulting with IT in the scheduling or planning process: Nothing will ensure a difficult EDP audit like scheduling one during a period when the IT division is stretched to the limit working on projects. This results in the IT division feeling imposed upon and resentful of the untimely intrusion. The IT division's resources may already be stretched to the breaking point when they start getting requests to provide all sorts of information and reports for the auditors. On the other hand, the auditors feel that IT is not cooperating, because IT is not responding in a timely manner to the requests for information. This makes for strained relationships and almost ensures that a process that should be one of open communications becomes painful and difficult.

• Auditors not properly trained to perform an EDP audit: I've been involved in EDP audits where the auditors did not have the technical background necessary to adequately perform the audit. In these instances the results were mixed. In some cases, the auditors simply accepted everything they were told by the IT group to be factual and accurate. There was no process of independent verification. While this might make the process easier on the IT group, it is not a true audit and does not serve the needs of the organization as a whole. In other cases I've seen the lack of technical knowledge on the part of auditors make them insecure about information with which they are provided. In some cases I've seen it border on paranoia. Since the auditors had no way of independently verifying information with which they were provided, they doubted everything.

• Leaving it up to IT to enforce unilateral changes within the organization: It is not unusual for deficiencies in procedures to be identified over which the IT unit has no control. For instance, access levels within applications may be administered by the IT unit, but those who determine the actual level of access may reside within another business unit. As an example, the ultimate authority as to who has what access to the HRMS is the director of human resources. The IT group supports the HRMS package, but it is human resources who owns it, and it is they who determine who will have access to what information. On more than one occasion, I have seen audit findings in a final report regarding issues over which IT had no control or say in the process. However, the items were still cited as deficiencies in the audit. The IT group is left to correct the deficiency, over the objections of another business group.

• Doing it by the book: Auditors sometimes fail to recognize one of the cardinal rules of network security, which is that security measures and procedures that interfere with the operation of an organization are of little value. Those types of measures are usually ignored or circumvented by company personnel, so they tend to create security holes rather than plug them. Whenever possible, security measures should complement the operational and business needs of an organization. Some auditors have a tendency to cite any deviation from standard recommended practices, even if the deviation makes sense operationally for an organization. Security is a balancing process: balancing the security needs with the business needs and the probable with the possible. Too often auditors concentrate on the possible and not the probable.

• Audit report does a hatchet job on IT: It is not uncommon for the final audit report to be unnecessarily harsh on the IT unit. This is often a result of the mistakes listed above. Misunderstandings, lack of communication, and general distrust often lead to harsh findings. This is very unfortunate, since the security audit is actually an opportunity to test, learn, and improve an organization's security. As such, it should be welcomed, but too often it is met with dread. The IT unit and the audit group need to work together in developing the final report, so that it is comprehensive and practical. It needs to be comprehensive in that no area is glossed over. It needs to be practical in that no audit recommendations should constrict or interfere with the operation of the organization.


• Lack of management support to implement audit recommendations: The surest way to ensure that an audit is a failure is for management to fail to support the implementation of the audit recommendations. Management support is critical when implementing policy changes, particularly when those changes meet with resistance. In some cases it may simply be a matter of management not allocating the resources necessary to implement the recommendations. Most organizations have projects with deadlines and commitments that existed before the audit. Implementing the audit recommendations is always something that is given low priority. Ultimately, the recommendations are never implemented, and the same findings are usually cited at the next audit.

Deficiencies of Traditional Audit Techniques

The unfortunate reality is that it is not possible to build a completely secure system or network. Procedures are sometimes ignored. Passwords are vulnerable, and technologies fail or are subverted. Even in an environment where everything functions according to plan, the systems are still vulnerable to abuse by privileged insiders, such as system administrators. The ultimate goal of a network security scheme is to prevent successful attacks on a network. Traditionally, the primary tool for ensuring network security has been the firewall. However, firewalls are almost useless for monitoring activity on the internal network. Organizations are beginning to recognize the need to audit or monitor their internal networks simply because the majority of all attacks and losses involve insiders.

While traditional security audits may identify weaknesses in security measures or even expose security breaches, it is usually after the fact. Audit tools, such as COPS or SATAN, will only identify weaknesses in the configuration or implementation of systems or networks. Neither one of these approaches identifies problems as they occur; instead, they are concerned with residual risk. Traditionally, the residual risk was deemed acceptable to the operation of the organization, so that an audit was only required periodically. In today's Internet-connected environment the paradigm of residual risk is no longer valid. As a result, more proactive methods are required to audit or monitor networks and systems. Today there are new tools available that provide administrators with the ability to monitor network and system security on-line in real time.

Intrusion Detection

Competent system administrators have always monitored their systems for intrusions. The process usually entailed reviewing logs on a daily basis. Intrusions were sufficiently rare that after-the-fact reviews were usually adequate to address any possible problems. Unfortunately, times have changed drastically. After-the-fact reviews are no longer adequate; real-time or near real-time responses to intrusions are necessary. In addition, the volume of activity on the networks today dwarfs what was the norm 10–15 years ago. As a result, it is not humanly possible to review the amount of information in today's log files without some automated process. Without the automation of the review and monitoring process, it could be weeks before a system administrator knows about an intrusion to his or her system.

In general terms an "intrusion" can be defined as an unauthorized attempt or achievement to access, alter, render unavailable, or destroy information on a system or the system itself. Basically, an intrusion is somebody attempting to break into or misuse a system. Some observers differentiate misuse and intrusion. The term intrusion is usually used in reference to attacks that originate from outside an organization. Misuse is usually used to describe an attack that originates from the internal network. However, not everyone makes this differentiation. Intrusion detection is the art of detecting unauthorized, inappropriate, or anomalous activity. The art of intrusion detection has been practiced by system and network administrators for years. However, intrusion detection has recently received more attention in the media, largely due to the fact that so many companies are now marketing IDSs. Supposedly, these new IDSs can identify attacks in progress, generate real-time alerts, and even launch countermeasures or reconfigure routers or firewalls to counter an attack.

Intrusion Detection Systems (IDSs)

IDSs act much like security guards or sentries. They constantly scan network traffic or host audit logs. While the present batch of IDS products provides useful tools to augment an organization's network security, it is necessary to get past the marketing hype to evaluate a system's effectiveness. Presently, no single system provides truly effective end-to-end intrusion detection capability. In addition, IDSs are not a new concept. In Chapter 7, we discussed the TCPWrapper, a UNIX-based freeware IDS that has been around for many years. Generally, IDSs fall into one of two categories:
• Network-based IDSs;
• Host-based IDSs.
While there are merits to both approaches, neither method by itself is sufficient to monitor all threats. As a result, the current trend in the industry is to combine the two approaches.

Host-Based Intrusion Detection Systems

Host-based products reside on the host and are capable of automatically monitoring and denying services if suspicious activity is detected. They monitor activity on the individual host as opposed to monitoring activity on the network. Host-based IDSs still rely on system audit logs, much the same way system administrators do, but IDSs automate the process. Typically a host-based IDS monitors the system, event, and security logs on Windows NT and the syslog file on UNIX. The host-based IDS uses system log files and the system's own auditing agents to monitor the system. There are a couple of approaches that host-based intrusion detection software can employ. One is to employ a wrapper, like TCPWrapper. This approach wraps the various host network services in an extra layer or shell that interprets network packet requests to the various services. The other approach employs agents that run as separate processes and monitor the requests to the host. Both approaches are effective at detecting anomalous activity or misuse of host systems. One advantage of host-based agents is that they can monitor changes to critical system files and changes in user privileges. When a key system file changes, the IDS compares the file's properties with known attack signatures to see if there is a match. One popular method for detecting intrusions involves verifying key system files and executables via checksums at regular intervals for unexpected changes. For example, Chapter 7 discusses using MD5 to monitor changes to system files and the Tripwire IDS, which also provides this function. The first time one of these systems is run, it generates a snapshot of the file attributes, including file sizes and access rights. This information is stored in a database. Each subsequent run of the IDS compares the attributes of the files on the disk to the attributes stored in its database. If the attributes have changed, then an alarm is sounded.

Some host-based IDSs monitor TCP port activity and notify system administrators when specific ports are accessed or scanned. They can also monitor and record when physical ports are accessed. This can be useful if the port has a modem connected to it. Perhaps the biggest drawback to host-based IDSs, such as TCPWrapper and Tripwire, is that the intrusion detection process is not real-time. Host-based intrusion detection programs, regardless of whether they use some wrapper or agent, generally identify intrusion attempts after they have been attempted or succeeded. The lag between the intrusion and its discovery can be substantial. By then it can be too late. This is a weakness with host-based IDSs in general. Another general weakness with host-based IDSs, like TCPWrapper and Tripwire, is that they don't have any capability to proactively react to an intrusion. Nor do they allow the system administrator to be proactive. Another drawback to the host-based approach is that to secure the entire network, it is necessary to load the IDS on every computer. However, this aspect of host-based IDSs can also be a benefit. If you only desire to monitor one system, the cost of host-based IDSs is often lower than that of their network-based counterparts.

Network-Based Intrusion Detection Systems

Network-based IDS products run on the network and monitor activity, analyzing patterns and reporting on suspicious activity. A network-based IDS usually employs a dedicated network server or device with a network adapter configured for promiscuous mode to monitor and analyze all traffic in real time as it travels across the network. The network-based IDS monitors packets on the network wire and attempts to discern the legitimate traffic from the malicious.
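The checksum-based host IDS approach described above (MD5 snapshots, Tripwire) in miniature, as an added example that is not code from the paper or from Tripwire itself: it baselines size, permission bits and a digest for every regular file under a directory, and a later run reports what was added, removed or changed and which attribute gave it away. SHA-256 is used in place of the MD5 the text mentions (a choice of this example, since MD5 collisions make it a poor integrity baseline), and the directory, file names and tampering steps in demo() are constructed for illustration.

```python
"""Checksum-based file-integrity check in the style of the MD5/Tripwire
approach described in the text.  Added example, not from the paper or from
Tripwire.  Uses SHA-256 instead of MD5 (a choice of this example)."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Baseline record per file: (size in bytes, permission bits, SHA-256 hex digest)
Record = Tuple[int, int, str]


def file_record(path: str) -> Record:
    """Collect the attributes the text says a snapshot stores, plus a digest."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (st.st_size, stat.S_IMODE(st.st_mode), h.hexdigest())


def snapshot(root: str) -> Dict[str, Record]:
    """First run: walk `root` and build the attribute database for every
    regular file (symlinks are skipped so a link target cannot be swapped)."""
    db: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = file_record(full)
    return db


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> dict:
    """Subsequent run: diff on-disk attributes against the stored baseline
    and say which attribute (size, mode, digest) changed for each file."""
    report: dict = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            names = ("size", "mode", "digest")
            reasons: List[str] = [n for n, a, b in zip(names, baseline[rel], current[rel]) if a != b]
            report["changed"][rel] = reasons
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")        # constructed, not the real /etc
        os.mkdir(etc)
        paths = {n: os.path.join(etc, n) for n in ("passwd", "hosts", "shadow", "ssh_config")}
        for p in paths.values():
            with open(p, "w") as f:
                f.write("original contents\n")
        os.chmod(paths["shadow"], 0o600)
        baseline = snapshot(root)

        # Same-size edit: size and mode stay equal, only the digest reveals it.
        with open(paths["passwd"], "w") as f:
            f.write("0riginal contents\n")
        # Permission loosened, contents untouched.
        os.chmod(paths["shadow"], 0o644)
        # One file removed, one new file appeared.
        os.remove(paths["hosts"])
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("new file\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The same-size edit is the reason the digest is stored at all: size and access rights alone would pass it. In a real deployment the baseline database must itself live somewhere the monitored host cannot silently rewrite, which is the same log-tampering concern the text raises for host-based IDSs whose audit logs reside locally.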
Some vendors state that a dedicated server is not necessary for the functioning of their network-based IDS. However, in reality it would not be advisable to run an IDS on a general-purpose application server. Would you want your network's IDS running on the company's payroll server? When compared to host-based IDSs, network-based IDSs have advantages and disadvantages.

Depending on the system, a network-based IDS may be less expensive to implement. This is due to the fact that a network-based IDS is operating-system-independent and is not required to be loaded on all hosts on a network to be effective. In addition, host-based IDSs will miss many network-based attacks. Host-based IDSs do not examine packet headers, so they cannot detect denial-of-service attacks. Network-based IDSs are also much more stealthy than host-based IDSs. With a host-based IDS, if the system is compromised a hacker can readily see if there is an IDS present. It would be very difficult to determine if a network-based IDS was on a network simply by examining the wire. About the only thing a hacker could determine is that there is a device on the network running in promiscuous mode. A network-based IDS can also provide superior controls on event logs. With many host-based IDSs, the audit logs reside on the system locally. As a result, if the system is compromised, a hacker can manipulate the log files to hide his or her tracks.

Another weakness of network-based IDSs is the fact that they become less effective as network traffic increases. They work very well on an empty network, but as the number of packets increases, their effectiveness decreases to the point where they cannot identify any intrusions. This is a major weakness considering today's high transaction volume and the growth of fast Ethernet and switched Ethernet.

Knowledge-Based Intrusion Detection Systems

There are two general approaches employed for identifying hostile intrusions. One is knowledge-based, and the other is statistical-based. The two approaches are very different and employ different technologies. Most of the IDSs deployed today are knowledge-based. Knowledge-based IDSs are sometimes referred to as misuse detection systems, expert systems, or model- or signature-based IDSs.


Knowledge-based IDSs rely on the ability to recognize known attacks. A knowledge-based IDS recognizes known intrusion scenarios and attack patterns. The knowledge-based IDS relies on a database of attack "signatures" or "patterns" that can be changed for different systems. For example, a host-based, knowledge-based IDS may monitor keystrokes for attack patterns. The IDS has a database of keystroke patterns that are known to be a threat. Knowledge-based IDSs employ many different techniques to identify intrusion patterns or signatures. For a host-based, knowledge-based IDS the process can involve monitoring keystrokes, reviewing files for changes, and monitoring ports. The review of files can function much the same way as a virus scanner on a PC. The scan searches for known patterns or changes that have been made to critical files since the last scan. String signatures look for text strings that indicate a possible attack. An example of a string that might raise a red flag for a UNIX system would be someone examining the contents of the password file or hosts file using "cat /passwd" or "cat /hosts". You should always be suspicious of someone who wants to examine the password file or review what other hosts are on the network. When monitoring ports, a host-based, knowledge-based IDS can compare audit logs to the signatures of common techniques. As an example, a significant number of failed TCP connections to well-known ports may be an indication that someone is scanning ports, and a large number of unacknowledged SYN-ACK packets is probably an indication that the system is under a SYN flooding attack.

A network-based, knowledge-based IDS examines packets on the network. Packets are considered suspect if they match a known signature, string, or pattern. A network-based, knowledge-based IDS can examine the protocol stack for suspicious invalid or fragmented packets that violate the TCP/IP protocol. The ping-of-death, with its oversized ICMP packets, would be an example of a known signature. A network-based, knowledge-based IDS can also examine packet headers for dangerous or illogical combinations of header fields. Another well-known header signature is a TCP packet with both the SYN and FIN flags set, signifying that the originator wishes to start and stop a connection at the same time. This can be an indication that a system is being probed by an intruder.


Knowledge-based systems that employ pattern matching simply translate known intrusions into patterns that are then matched against the system or network activity. The IDS attempts to match activity to the patterns representing intrusion scenarios. The IDS monitors the activity, accumulating more and more evidence for an intrusion attempt until a threshold is crossed. The basic approach underlying pattern matching is that if it looks like a duck, walks like a duck, and quacks like a duck, then it must be a duck. However, for pattern matching to work the patterns must be easily recognizable, and they must be distinguishing. In other words, they must not look like any other normal or legitimate activity.

The advantage of knowledge-based IDSs is that they usually have low false alarm rates. This is due to the fact that they usually watch for very specific signatures, strings, and patterns. In addition, because they watch for specific events they are able to report with some detail and certainty on the threat being faced, which makes it easier to determine the appropriate course of action. The major disadvantage of knowledge-based IDSs is that they are only effective against threats with which they are already familiar. As a result, they are useless against new techniques for which they have no signature or pattern in the knowledge base. In addition, it is not a simple matter to create a signature or pattern for an attack. It is not easy to translate known attack scenarios into patterns that can be used by a knowledge-based IDS. It requires keeping the IDS up to date with new vulnerabilities and environments. Further, it requires time-consuming analysis of each new vulnerability to update the IDS's knowledge base. As a result, vendors don't update their databases as often as they should. Another common weakness of knowledge-based IDSs is that they are ineffective against passive attacks, such as network sniffing and wiretaps. They are also ineffective against IP or sequence number spoofing, DNS-based attacks, session hijacking, and redirects. In addition, a knowledge-based IDS will not detect the fraudulent or malicious activity of a privileged insider if the activity does not match a known pattern or signature. This is particularly true if the activity is performed through an application. For example, fraudulently transferring funds from one account to another will not be flagged, since it would be within the normal parameters of the system. Some of the better-known network-based IDS products are from AXENT, Cisco, and Internet Security Systems (ISS).
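The signatures described above (the string signature for someone reading the password or hosts file, the count of failed TCP connections to well-known ports that indicates a port scan, the SYN+FIN header combination, and the oversized ICMP packet of the ping-of-death), together with the "accumulate evidence until a threshold is crossed" idea from the pattern-matching discussion, as one small knowledge-based detector. This is an added example, not code from the paper or from any IDS product; the event records, the threshold of five distinct well-known ports per source, and the alert names are constructed for illustration, and the string pattern is written to match both the paper's "cat /passwd" / "cat /hosts" and the usual /etc paths.

```python
"""Tiny knowledge-based (signature) intrusion detector.  Added example, not
code from the paper or from any IDS product; every event below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

WELL_KNOWN_PORT_MAX = 1023   # ports 0-1023 are the "well-known" range
SCAN_THRESHOLD = 5           # constructed: distinct refused well-known ports per source
MAX_IP_PACKET = 65535        # largest legal IP datagram; a ping-of-death exceeds it

# String signatures applied to audit-log command lines.
STRING_SIGNATURES = {
    "read-password-or-hosts-file": re.compile(r"\bcat\b.*\b(passwd|hosts)\b"),
}

# Constructed event stream: simplified audit-log and packet records.
EVENTS: List[dict] = [
    {"type": "cmd", "user": "alice", "cmd": "ls -l /home/alice"},
    {"type": "cmd", "user": "bob", "cmd": "cat /etc/passwd"},
    {"type": "cmd", "user": "alice", "cmd": "cat notes.txt"},
    {"type": "tcp", "src": "10.0.0.5", "dport": 80, "flags": ["SYN"], "result": "ok"},
    # one source probing several well-known ports, all refused (port 22 twice)
    *({"type": "tcp", "src": "198.51.100.7", "dport": p, "flags": ["SYN"], "result": "refused"}
      for p in (21, 22, 22, 23, 25, 80)),
    {"type": "tcp", "src": "198.51.100.7", "dport": 8080, "flags": ["SYN"], "result": "refused"},
    {"type": "tcp", "src": "203.0.113.9", "dport": 443, "flags": ["SYN", "FIN"]},
    {"type": "icmp", "src": "203.0.113.9", "length": 65600},
    {"type": "icmp", "src": "10.0.0.5", "length": 84},
]


@dataclass
class Detector:
    scan_threshold: int = SCAN_THRESHOLD
    # evidence accumulated per source until the threshold is crossed
    refused_ports: Dict[str, Set[int]] = field(default_factory=lambda: defaultdict(set))
    alerts: List[str] = field(default_factory=list)

    def feed(self, ev: dict) -> None:
        kind = ev["type"]
        if kind == "cmd":
            # string signature: known-bad text in a command line
            for name, rx in STRING_SIGNATURES.items():
                if rx.search(ev["cmd"]):
                    self.alerts.append(f"{name}: user={ev['user']} cmd={ev['cmd']!r}")
        elif kind == "tcp":
            # header signature: SYN and FIN set together is illogical
            if {"SYN", "FIN"} <= set(ev["flags"]):
                self.alerts.append(f"syn-fin-probe: src={ev['src']} dport={ev['dport']}")
            # threshold signature: failed connections to well-known ports pile up
            if ev.get("result") == "refused" and ev["dport"] <= WELL_KNOWN_PORT_MAX:
                ports = self.refused_ports[ev["src"]]
                ports.add(ev["dport"])
                if len(ports) == self.scan_threshold:   # fire once, when crossed
                    self.alerts.append(f"port-scan: src={ev['src']} ports={sorted(ports)}")
        elif kind == "icmp":
            # protocol-violation signature: datagram larger than IP allows
            if ev["length"] > MAX_IP_PACKET:
                self.alerts.append(f"ping-of-death: src={ev['src']} length={ev['length']}")


def run(events: List[dict]) -> List[str]:
    """Replay an event stream through a fresh detector and return its alerts."""
    det = Detector()
    for ev in events:
        det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for line in run(EVENTS):
        print(line)
```

The detector only knows what is in its signature table: a scan spread thinly across more sources than the per-source counter ties together, or a command that reads the same file under another name, produces no alert at all. That is exactly the "unknown technique" blind spot the text attributes to knowledge-based IDSs, and the reason the signature table needs the regular updates it describes.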

A Defense In-Depth Approach

Like a firewall, an IDS should be seen as just one more tool in a defense-in-depth approach. Security measures should be multitiered, and IDSs can serve as another layer of security. Before you deploy an IDS, however, make sure that you weigh the pros and cons and be sure that the vendor you pick has the system that best meets your needs. Some of the pros of IDSs are listed as follows:
• Can detect some abuses and intrusions;
• Can identify where attacks are occurring;
• Can be useful for collecting evidence;
• Can alert administrators that someone is probing;
• Can take corrective action against certain types of abuses or intrusions.
Some IDS cons are listed as follows:
• Miss many types of abuses and intrusions;
• Do not work well on high-speed or heavy-volume networks;
• Generate false alarms.
An IDS can add depth to your overall security, helping to identify possible intrusions and abuses, but an IDS by itself does not ensure security. IDSs have a long way to go before they are as effective as much of the marketing hype would have you believe. Network-based IDSs' inability to function effectively on noisy, high-speed, or high-volume networks is just one example of the limitations that IDSs have to overcome before they become truly effective. Even when they are functioning correctly, all IDSs still miss many specific and harmful types of attacks. The most effective approach to intrusion detection is to use a combination of network-based and host-based detection.


9. Conclusion

From the detailed discussion above of networks and security, it is clear that network security is unavoidable when establishing a network. It plays a vital role even in local networks. Once a user enters the Internet, his/her system becomes part of several secured and unsecured networks. For the sake of an individual node, we install several pieces of security software. For a big network it is essential to establish a complete "network security system" by composing all the points discussed above. Nowadays, online services are increasing in all parts of our day-to-day life. Various networks control our official and non-official data with or without our permission. Data security and network security are a challenge now. To overcome this challenge, thorough network security is the solution.

References

1. "Internetworking with TCP/IP: Principles, Protocols, and Architecture, Volume I", Douglas E. Comer, Prentice Hall of India Pvt. Ltd.
2. "Computer Networks", Andrew S. Tanenbaum, Prentice Hall of India Pvt. Ltd.
3. "Introduction to Data Communications and Networking", Behrouz Forouzan, McGraw-Hill.
4. "MCSE Networking Essentials Study Guide", Duncan Anderson, Tata McGraw-Hill.
5. "Network Security: Know It All", James B. D. Joshi, 2008.
6. "Network Security", Terry D. Pardoe, Gordon Snyder.
7. "Assessing Network Security", Kevin Lam, David LeBlanc, Ben Smith, 2009.
8. "Computer Network Security", Joseph Migga Kizza, 2005.
9. "Network Security with OpenSSL", John Viega, Matt Messier, Pravir Chandra.
10. "Network Security Policies and Procedures", Douglas W. Frye, 2006.
