
ProCurve Networking by HP

Student guide
Technical training

ProCurve Network Security Fundamentals

Contents

Introducing the Course

Audience................................................................................................................1-1
Prerequisites ..........................................................................................................1-1
Course Objectives..................................................................................................1-1
Course Modules.....................................................................................................1-4
Further Reading ....................................................................................1-4
Disclaimer..............................................................................................................1-5

Module 1: Introduction to Network Security

Objectives ..............................................................................................................1-1
Traditional Network ..............................................................................................1-2
Internet..................................................................................................1-2
Workstations .........................................................................................1-3
Network Evolutionary Forces................................................................................1-4
Today’s Network Structure ...................................................................................1-6
Threats from Within .............................................................................1-6
Threats from Mobile Devices ...............................................................1-7
Threats from New Technology.............................................................1-7
Confronting New Threats .....................................................................1-7
Mobile Access Dangers ................................................................................1-8
Mobile Access Dangers: Temporary access .................................................1-9
Shared and Mobile Workstations..........................................................1-9
Guest Users.........................................................................................1-10
Mobile Access Dangers: Wireless access ...................................................1-11
Shared Medium...................................................................................1-11
APs......................................................................................................1-12
Multiple Users on a Single Switch Port..............................................1-12
Mobile Access Dangers: Offsite access ......................................................1-13
Increased Incidents and Velocity.........................................................................1-15
Increasing Number of Vulnerabilities ................................................1-15
Faster Attacks .....................................................................................1-16
Evolving Attacks ................................................................................1-16
Ineffectual Defenses ............................................................................................1-17
Increased Insider Attacks: Insider threat and attack statistics .............................1-18
IT Regulations: US regulations ...........................................................................1-20
IT Regulations: Worldwide regulations ..............................................................1-22
Network Security Components............................................................................1-24
Summary..............................................................................................................1-26

Rev. 6.41 i
ProCurve Networking Security Primer

Module 2—General Threats


Objectives ..............................................................................................................2-1
Attack Vector Models: External attacks................................................................2-2
Attack Intentions...................................................................................2-3
Attack Vector Models: Internal attacks.................................................................2-4
Types of Attacks....................................................................................................2-6
Social Engineering ........................................................................................2-7
Unauthorized Access.....................................................................................2-9
Reconnaissance ...........................................................................................2-11
Impersonation: Man-in-the-Middle.............................................................2-13
Impersonation: Phishing .............................................................................2-15
Malware ......................................................................................................2-17
Viruses and Worms .............................................................................................2-19
DoS ......................................................................................................................2-22
DoS: Distributed Denial of Service (DDoS)...............................................2-24
DoS: Reflected DDoS .................................................................................2-26
Summary..............................................................................................................2-28
Module 3—Security Layers Overview
Objectives ..............................................................................................................3-1
Proactive Components...........................................................................................3-2
Network Access Control Security .........................................................................3-3
Data Integrity and Privacy.....................................................................................3-5
Defensive Components..........................................................................................3-7
Device Access Security .........................................................................................3-8
Endpoint Integrity................................................................................................3-10
Comprehensive Security Solutions......................................................................3-12
Summary..............................................................................................................3-14
Module 4—Layer 1: Network Access Control Security
Objectives ..............................................................................................................4-1
Network Access Control Security: Authentication and authorization ..................4-2
Network Access Control Security: Filtering traffic...............................................4-4
Authentication Credentials ....................................................................................4-5
Single-factor Authentication: Passwords ..............................................................4-6
Shared Keys and Digital Certificates ............................................................4-7
Password Obfuscation (One-way Encryption) .....................................4-8
Shared Keys (Symmetric Encryption) ..................................................4-8
Digital Certificates (Asymmetric Encryption)......................................4-8
Two-factor Authentication ..................................................................................4-10
Tokens: Security enhancements..................................................................4-11
Non-Reproducible Credentials ...........................................................4-11
One-time Passwords (OTPs)...............................................................4-12
Tokens: Token types ...................................................................................4-13
Disconnected Tokens..........................................................................4-13
Connected Tokens ..............................................................................4-14


Biometrics: Physical characteristics............................................................4-15
Biometric Types..................................................................................4-15
Usefulness of Particular Biometrics ...................................................4-16
Biometrics: Process.....................................................................................4-17
Authentication Protocols .....................................................................................4-19
PAP......................................................................................................................4-20
CHAP ..................................................................................................................4-22
Initiated by Authenticator ...................................................................4-22
Hashed Passwords ..............................................................................4-22
MS-CHAP v2 ..............................................................................................4-24
Mutual Authentication ........................................................................4-24
Additional Authenticator Controls .....................................................4-24
EAP......................................................................................................................4-25
Challenge and Response .....................................................................4-25
Exchange.............................................................................................4-26
Result ..................................................................................................4-26
Selecting EAP Method................................................................................4-27
EAP Methods ..............................................................................................4-28
EAP-TLS ............................................................................................4-29
EAP-TTLS and PEAP ........................................................................4-30
AAA ....................................................................................................................4-31
Airport Analogy..................................................................................4-32
Authentication .............................................................................................4-33
Authorization ..............................................................................................4-34
Accounting ..................................................................................................4-36
RADIUS ..............................................................................................................4-37
RADIUS Authentication .............................................................................4-39
Translation ..........................................................................................4-39
Decision ..............................................................................................4-40
RADIUS Access Control ............................................................................4-41
RADIUS Accounting ..................................................................................4-43
TACACS+ ...........................................................................................................4-45
TACACS+ Authentication..........................................................................4-46
START Packets ..................................................................................4-46
REPLY Packets ..................................................................................4-47
CONTINUE Packets...........................................................................4-47
TACACS+ Authorization ...........................................................................4-48
TACACS+ Accounting ...............................................................................4-50
Authentication Methods ......................................................................................4-52
802.1X .................................................................................................................4-53
802.1X Roles...............................................................................................4-55
Supplicant ...........................................................................................4-55
Authenticator ......................................................................................4-56
Authentication Server .........................................................................4-56
Airport Analogy..................................................................................4-57
802.1X Process............................................................................................4-58
Airport Analogy..................................................................................4-59
802.1X Process: Continued.........................................................................4-60
Airport Analogy..................................................................................4-61
Web-Auth ............................................................................................................4-62
Web-Auth: Continued .................................................................................4-64
MAC-Auth...........................................................................................................4-65
MAC-Auth to a RADIUS Server ................................................................4-66
Directory Services ...............................................................................................4-68
X.500 Hierarchical Directory Structure ..............................................................4-70
Basic X.500 Communications .............................................................................4-72
X.500 Authentication ..................................................................................4-74
Distinguished Name and Password ....................................................4-74
X.509 ..................................................................................................4-75
X.500 Authorization....................................................................................4-76
LDAPv3 ......................................................................................................4-78
LDAPv3 Authentication Methods ..............................................................4-80
Simple Authentication ........................................................................4-80
Simple Authentication and Security Layer (SASL) ...........................4-81
LDAPv3 Access Controls and Operations..................................................4-83
Authentication via a Directory Service ...............................................................4-85
Authentication via a RADIUS Server and a Directory Service ..................4-86
Single Sign-on (SSO) ..........................................................................................4-87
Access Control.....................................................................................................4-90
VLANs ................................................................................................................4-91
User-Based VLANs ....................................................................................4-93
Wireless LANs (WLANs)...........................................................................4-95
ACLs....................................................................................................................4-96
User-Based ACLs .......................................................................................4-98
ProCurve Identity Driven Manager (IDM) .................................................4-99
Firewalls ............................................................................................................4-101
Packet-filtering Firewall............................................................................4-103
Advantages and Disadvantages ........................................................4-104
Circuit-level Gateway ...............................................................................4-105
Attack Checking ...............................................................................4-105
Proxy Server .....................................................................................4-106
Advantages and Disadvantages ........................................................4-106
Proxy Server (Application-level Gateway)...............................................4-107
Advantages and Disadvantages ........................................................4-107
Stateful-inspection Firewall ......................................................................4-109
Attack Checking ...............................................................................4-110
Content Filtering................................................................................................4-111
Web-based Content Filtering.............................................................................4-112
Keyword Filtering.............................................................................4-113
Cookie Filtering ................................................................................4-113
URL-based/IP Address Filtering ......................................................4-113
Port Filtering.....................................................................................4-114
Active Content Filtering ...................................................................4-114
Content Filtering: Incoming email ....................................................................4-115
Virus Detection.................................................................................4-115
Spam Filtering ..................................................................................4-116
Image Filtering..................................................................................4-117
Content Filtering: Outgoing email ............................................................4-118
Email Security Policies.....................................................................4-118
Encryption.........................................................................................4-119
Summary............................................................................................................4-120
Module 5—Layer 2: Data Integrity and Privacy
Objectives ..............................................................................................................5-1
Data Integrity.........................................................................................................5-2
Encryption Techniques..........................................................................................5-4
Encryption Algorithms ..........................................................................................5-5
Exclusive Or ..........................................................................................................5-6
Encryption .............................................................................................................5-8
Decryption .............................................................................................................5-9
Algorithms...........................................................................................................5-10
Hash Functions ....................................................................................................5-11
Keyed-hash Message Authentication Code (HMAC) ........................5-12
Algorithm Security ..............................................................................................5-13
Key Management.................................................................................................5-15
Symmetric Key Scheme ......................................................................................5-16
How the Symmetric Key Scheme Works ...........................................5-16
Asymmetric Key Scheme ....................................................................................5-17
How the Asymmetric Key Scheme Works.........................................5-17
Key Distribution Centers.....................................................................................5-19
How KDC Shared Secret Assignments Work ....................................5-19
Diffie-Hellman Exchange....................................................................................5-20
How the Diffie-Hellman Exchange Works.........................................5-20
Public Key Authentication ..................................................................................5-22
Digital Certificates...............................................................................................5-23
Certificate Authorities (CAs) ..............................................................................5-25
Digital Signatures ................................................................................................5-27
Certificate Validation ..........................................................................................5-28
VPNs....................................................................................................................5-30
Tunnels ................................................................................................................5-31
VPNs....................................................................................................................5-33
IPsec ....................................................................................................................5-35
IPsec IKE.............................................................................................................5-37
IPsec AH and ESP ...............................................................................................5-39
SSL VPNs............................................................................................................5-41
IPv6 Security Enhancements...............................................................................5-42
IPv6 IPsec............................................................................................................5-43
IPv6 Header Length.............................................................................................5-44
IPv6 Privacy Extensions......................................................................................5-45
Wireless Security.................................................................................................5-46
Wireless Encryption ............................................................................................5-47
Wired Equivalent Privacy (WEP).......................................................5-48
WPA ....................................................................................................................5-50
TKIP ....................................................................................................................5-52
WPA2 ..................................................................................................................5-54
CCMP ..................................................................................................................5-55
MACsec...............................................................................................................5-56
MACsec...............................................................................................................5-57
Stored Data Security............................................................................................5-59
Change Auditing..................................................................................................5-60
Honeypots and Honeynets...................................................................................5-61
Honeypots ...........................................................................................5-61
Honeynets ...........................................................................................5-62
Summary..............................................................................................................5-63
Module 6—Layer 3: Device Access Security
Objectives ..............................................................................................................6-1
Managed Devices ..................................................................................................6-2
Local Access..........................................................................................................6-4
Console Access.....................................................................................6-4
Access Rooms.......................................................................................6-5
Disabled Physical Access Portals .........................................................6-5
Passwords .............................................................................................6-5
Remote Access: Local user database.....................................................................6-6
Passwords .............................................................................................6-6
Local User Database .............................................................................6-7
Management VLAN .............................................................................6-7
Remote Access: Authentication using a local server ............................................6-8
Remote Access: SSH...........................................................................................6-10
Telnet ..................................................................................................6-10
SSH Version 2 (SSH v2) ....................................................................6-11
Remote Access: SSL ...........................................................................................6-12
HTTP ..................................................................................................6-12
SSL .....................................................................................................6-12
HTTPS ................................................................................................6-13
Secure File Transfer: SFTP .................................................................................6-15
File Transfer Protocol .........................................................................6-15
Secure Copy Protocol (SCP) ..............................................................6-16
Secure File Transfer Protocol (SFTP) ................................................6-16
SNMP Version 3..................................................................................................6-17
SNMP version 3 (SNMPv3) Security Enhancements ........................6-19
Summary..............................................................................................................6-20

Module 7—Layer 4: Endpoint Integrity
Objectives ..............................................................................................................7-1
Network Endpoints................................................................................................7-2
Antivirus Software.................................................................................................7-4
Infection Detection Methods ................................................................7-5
Infection Management ..........................................................................7-6
Personal Firewalls .................................................................................................7-7
Sandboxes............................................................................................................7-10
Software Patches .................................................................................................7-12
Web Browser Security.........................................................................................7-14
Caching ...............................................................................................7-14
Cookies ...............................................................................................7-15
Security Compliance Monitoring ........................................................................7-16
Agent-based Solutions: Permanent......................................................................7-18
Agent-based Solutions: Transient ...............................................................7-20
Agentless Solutions .............................................................................................7-22
Combined Solutions ............................................................................................7-24
Trusted Network Connect (TNC)........................................................................7-26
Dealing with Non-compliant Endpoints..............................................................7-29
Summary..............................................................................................................7-31
Module 8—Comprehensive Security Solutions
Objectives ..............................................................................................................8-1
Comprehensive Solutions......................................................................................8-2
Network Device Features ......................................................................................8-4
BPDU Blocking.....................................................................................................8-6
Overview of RSTP................................................................................8-6
Vulnerabilities of RSTP........................................................................8-7
Protections for RSTP Vulnerabilities ...................................................8-8
DHCP Protection ...................................................................................................8-9
DHCP Vulnerabilities...........................................................................8-9
Protections for DHCP Vulnerabilities ................................................8-10
Dynamic ARP Protection ....................................................................................8-11
ARP Vulnerabilities............................................................................8-11
Protections for ARP Vulnerabilities ...................................................8-12
SNMP Throttle ....................................................................................................8-13
Virus Throttle™ Software Operation ..................................................................8-14
IDS.......................................................................................................................8-16
Intrusion Detection ..............................................................................................8-17
Detection Components ........................................................................................8-19
NIDS....................................................................................................................8-21
TAPs ....................................................................................................................8-23
Port Mirroring......................................................................................................8-25
Remote Mirroring ...............................................................................8-26
Traffic Profiling...................................................................................................8-27
Flow-based..........................................................................................8-28
Sample-based......................................................................................8-28
Traffic Profiling Benefits....................................................................8-29
Rev. 6.41 vii
ProCurve Networking Security Primer

HIDS....................................................................................................................8-30
Hybrid IDS Solutions ..........................................................................................8-32
Pattern-based Detection.......................................................................................8-33
Rule-based Detection..........................................................................8-33
Signature-based Detection ..................................................................8-34
Disadvantages of Pattern-based Detection .........................................8-34
Anomaly-based Detection ...................................................................................8-35
Network Behavior-based Anomaly Detection (NBAD).....................8-36
Active Response ..................................................................................................8-38
IPS .......................................................................................................................8-39
Content-based Detection .....................................................................................8-44
Rate-based Detection...........................................................................................8-45
Incident Databases...............................................................................................8-47
UTM ....................................................................................................................8-48
Wireless IDS/IPS.................................................................................................8-51
Summary..............................................................................................................8-56
Glossary

Introducing the Course

The ProCurve Network Security Fundamentals course provides a basic
introduction to the methods and technologies that are used to secure a network.
This course introduces both a four-layer approach to network security and the
technologies that are used to secure each layer. In particular, the course discusses
authentication technologies, access control protocols, encryption and hash function
technologies, software solutions, and comprehensive security solutions.

Audience
This course is designed for network administrators, network engineers, and
technology professionals who need to learn about threats to network security and
the technologies and methods used to secure networks from attacks and intrusions.

Prerequisites
Before taking this class, students should complete the HP ProCurve Networking
Primer or have a basic understanding of network architecture. Other recommended
courses are:
■ Internet Routing Fundamentals 5.21 or later
■ Mobility 4.31 or later
For more information about HP ProCurve training, visit
http://www.hp.com/go/procurvetraining.

Course Objectives
After completing this course, students should be able to:
■ Explain how the traditional network is evolving to fit today’s business needs
■ Explain the threats that face the evolving network and why a traditional
network security approach is not sufficient for today’s threats
■ Describe the common regulatory statutes and layered security solutions that,
if properly implemented, will strengthen your company’s network security
■ Understand attack vectors
■ Recognize and understand:
• Attacks that gain confidential information by manipulating the users
• Attacks that force unauthorized access into your network
• Attacks that search your network to discover vulnerabilities that can be
exploited
• Attacks where an attacker impersonates a legitimate network access device
• Attacks that install malicious software without the knowledge or
consent of the device administrator
• Attacks that infect a network with viruses and worms
• Attacks that inundate a network with traffic to prevent legitimate users
from accessing network resources
■ Explain proactive and defensive security components that are used to protect
your network
■ Describe the Network Access Control Security layer and give examples of
methods for controlling access to your network
■ Describe the Data Integrity and Privacy layer and methods used to keep
network data secure
■ Identify the Device Access Security layer and explain why device access
must be secured
■ Identify the Endpoint Integrity layer and explain why endpoint devices must
be protected
■ Give examples of security solutions that cover more than one network
protection layer
■ List advantages and disadvantages for several types of authentication
credentials
■ Describe authentication protocols, outlining in particular the Extensible
Authentication Protocol (EAP) process
■ Describe the Authentication, Authorization, and Accounting (AAA)
framework
■ Explain the roles of supplicant, authenticator, and authentication server in
802.1X authentication
■ List several types of access controls and explain how a network device
applies them to a user
■ Identify other ways of filtering network traffic, including firewalls and
content filtering
■ Explain how encryption secures data
■ Describe encryption key management technologies
■ Identify hash functions and how they are used to secure data
■ Explain how digital certificates are created and used to ensure data security
■ Describe virtual private networks (VPNs) and how they are used to ensure
data security
■ Identify IPv6 security standards that improve the security of forwarded data
■ Describe wireless encryption standards
■ Explain how change auditing, honeypots, and hard drive encryption can be
used to protect stored data
■ Explain how to use a local user database to secure managed devices
■ Describe how remote authentication can also be used to protect network
backbone devices
■ Show how the Secure Shell (SSH) protocol secures communication between
an endpoint and a managed device
■ Explain how the Secure Sockets Layer (SSL) [Transport Layer Security
(TLS)] protocol can provide secure access to network devices
■ Show how Secure File Transfer Protocol (SFTP) can be used to safely upload
and download files
■ Describe the Simple Network Management Protocol version 3 (SNMPv3)
security upgrades
■ Describe how antivirus software on endpoint devices works to keep the
network safe
■ Explain what a sandbox is and how it can prevent malware infections
■ Show how personal firewalls help protect against internal or Web-based attacks
■ Describe software patches and how they protect a network
■ Understand how network security solutions monitor and ensure endpoints’
security compliance
■ Explain the functions of comprehensive security solutions
■ Describe how network device features such as the following can help secure
a network:
• Bridge Protocol Data Unit (BPDU) blocking
• Dynamic Host Configuration Protocol (DHCP) protection
• Dynamic Address Resolution Protocol (ARP) protection
• Virus Throttle™ software
• Simple Network Management Protocol (SNMP) throttle
■ Describe how an intrusion detection system (IDS) discovers network attacks
■ Discuss how an intrusion prevention system (IPS) can keep a network secure
■ Explain how a unified threat management (UTM) device can be a valuable
part of your network security
■ Show how a wireless IDS/IPS can add an important element of security to
your wireless network

Course Modules
This course contains the following modules:
Module 1 introduces network security and describes the problems associated with
protecting network resources and information.
Module 2 discusses network attacks and introduces six different types of attacks
that can compromise and harm a network.
Module 3 provides a framework for approaching network security issues and
implementing security solutions. This module discusses the proactive/defensive
network security paradigm and introduces the four network security layers.
Module 4 describes the technologies that are used to provide network access
control. These technologies include the AAA framework, the 802.1X
authentication standard, EAP, authentication protocols such as Remote
Authentication Dial-In User Service (RADIUS) and Terminal Access Controller
Access Control System Plus (TACACS+), and other technologies.
Module 5 explains the process behind data encryption and describes how hash
functions and encryption algorithms are used to secure data. This module also
covers VPNs, digital certificates, wireless encryption, and hard drive
encryption.
Module 6 focuses on the authentication methods and secure file transfer
technologies that are used to keep network backbone devices secure.
Module 7 discusses software solutions that can be used to protect network
endpoints, such as personal firewalls, antivirus software, and sandbox
software.
Module 8 describes comprehensive network security solutions that can protect a
network at more than one security layer. This module discusses network security
solutions such as advanced firewalls, IDS/IPS technologies, and UTM solutions.

Further Reading
Because this is an introductory course, the security subjects are only briefly
discussed here. This course provides references to more in-depth information at
the end of each section. Students are encouraged to do their own research on each
of these subjects. Additionally, comprehensive information on network security
can be found in the following books:
■ Gast, Matthew S. 802.11 Wireless Networks: The Definitive Guide. Second
Edition. O’Reilly: April 2005. ISBN 0596100523.
■ Hansche, Susan; Berti, John; and Hare, Chris. Official (ISC)2 Guide to the
CISSP Exam. First Edition. Auerbach Publications: 2004. ISBN
084931707X.
■ Northcutt, Stephen and Novak, Judy. Network Intrusion Detection: An
Analyst’s Handbook. Third Edition. New Riders: August 2002. ISBN
0735712654.
■ Rash, Michael; Orebaugh, Angela; Clark, Graham; Pinkard, Becky; and
Babbin, Jake. Intrusion Prevention and Active Response. First Edition.
Syngress: February 2005. ISBN 193226647X.
■ Stallings, William. Network Security Essentials: Applications and Standards.
Third Edition. Prentice-Hall: July 2006. ISBN 0132380331.
■ Wotring, Brian and Potter, Bruce. Host Integrity Monitoring Using Osiris
and Samhain. First Edition. Syngress: May 2005. ISBN 1597490180.

Disclaimer

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND
WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors
contained herein or for incidental or consequential damages in connection with the
furnishing, performance, or use of this material.
The only warranties for ProCurve Networking products and services are set forth
in the express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional warranty.
ProCurve Networking shall not be liable for technical or editorial errors or
omissions contained herein.
Hewlett-Packard assumes no responsibility for the use or reliability of its software
on equipment that is not furnished by Hewlett-Packard.
© Copyright 2005, 2006 Hewlett-Packard Development Company,
L.P. The information contained herein is subject to change
without notice.

Introduction to Network Security
Module 1

Objectives
In this course, you will learn about the limitations of traditional network security
and about new technologies designed to overcome these limitations. After
describing common threats to network security, the course will describe proactive
and defensive measures and technologies that can provide a robust security
solution. The course will close with a discussion of comprehensive network
security technologies that incorporate multiple proactive and defensive measures.
This module will introduce you at a high level to both today’s network security
problems and to emerging methods designed to solve them.
After completing this module, you should be able to:
■ Explain how the traditional network is evolving to fit today’s business needs
■ Explain the threats that face the evolving network and why a traditional
network security approach is not sufficient for today’s threats
■ Describe the common regulatory statutes and layered security solutions that,
if properly implemented, will strengthen your company’s network security

Traditional Network

Attacks wreaked havoc on traditional networks through two main doors: the
Internet and employee workstations. Traditional security solutions focused almost
entirely on securing the opening between the untrusted Internet—from which it
was assumed all attacks originated—and the private network, considered
inherently trustworthy. Workstations inside the trusted network were also
considered vulnerable, however, because employees could load infected or
insecure personal software and devices onto them.

Internet
A firewall was the primary means of protecting the traditional network. The
firewall allowed employees to access what they needed on the Internet but blocked
external traffic in accordance with the defined network policy.
Employees accessed private company data on internal servers. Rarely was this data
transmitted over an untrusted network or to unknown users accessing the private
network. With this limited business flow, attacks from the Internet were still a
danger, but a danger against which the firewall was designed to protect.

The firewall, however, did not control traffic from the internal network to the
Internet. Employees could take advantage of the company’s high-speed Internet
access to fulfill personal needs and interests. By accessing Internet email accounts
containing virus attachments or downloading popular songs and games that
contained malware, or otherwise opening security holes, employees often allowed
threats to breach their workstation and then the network. But keeping antivirus
software up to date on each workstation protected the network against most
malware infections.

Workstations
In addition to protecting the network against Internet downloads, network
administrators had to worry about what lurked on the removable media employees
used. Would the floppy disks have a virus? And what kinds of dangers were hiding
on removable drives and CDs? Again, up-to-date antivirus software on each
workstation protected against major attacks.
The traditional network was static: the network administrator knew who connected
to the network and at what ports because employees were assigned to specific
computers and ports. Employees accessed necessary files from their own personal
workstations, which were protected with each employee’s personal password.
These simple desktop computers and an Ethernet connection served most of their
work needs. As a result, administrators could create security policies for network
devices and be confident that users would have access to the correct network
resources.

Network Evolutionary Forces

Yesterday’s static network cannot address today’s fast-paced, dynamic network
needs. To maintain a competitive edge, today’s companies need a way to take
advantage of ever-changing communication and business opportunities.
The Internet, along with other recent technological advances in mobility, enables
employees to work from anywhere and even change location while retaining
access to all network systems. These technologies also enable partners,
contractors, vendors, and customers to access your network at all times of the day
and from anywhere. Mobile users may be:
■ on site, connecting through various wired workstations or wireless access
points (APs, devices that serve as a bridge between wired and wireless
networks)
■ offsite, connecting through Internet Exchange Points and access points
Companies know they must embrace the opportunities afforded by global access
in order to compete in today’s marketplace. These companies also understand
that employees must be able to access the resources to which they have rights via
any computer. From offsite, an employee traveling to a conference overseas,
meeting a deadline after hours, or working at home can use the Internet to access
the company network. Business partners, customers, and other constituents can
also connect to your network from on site or offsite to meet their needs, using
wired connections, APs, and the Internet.

Unfortunately, while opening your network can provide a competitive advantage,
it also creates vulnerabilities against which traditional security solutions are not
designed to protect.

Today’s Network Structure

Each year brings new ways for your company to use technology to increase
productivity: more employees who rely on networking connections and personal
devices to take their work with them wherever they go, and more wireless
networks supporting increasingly mobile workers. However, new technologies
bring new threats that you must confront.

Threats from Within


Firewalls could never completely quarantine the private network from the outside
untrusted network because they operate only at points on the perimeter between the
two networks, private and public. As discussed earlier, unless you barred employees
from accessing the Internet, this wall of security never prevented problems
introduced by traffic rightfully passing through the gates. Nor did it protect against
threats introduced from within that never crossed the gate between the private and
public network, such as users bringing their own devices into the network or
introducing threats via removable corporate devices they took from the premises
and accidentally exposed to attack. Personal devices were difficult for harried IT
departments to regulate. And as discussed below, corporate devices, like Internet
access, are essential business tools: network administrators were reluctant to
restrict employees from taking these with them as needed.

Threats from Mobile Devices


The Internet and portable memory devices such as CDs have long been intrinsic to
business; today mobile devices such as laptops and personal digital assistants
(PDAs) are becoming so as well. Such tools cannot be barred, and their
widespread use has multiplied vulnerabilities. For example, employees can now
take their laptops into an Internet cafe and expose them to viruses and malware.
Internet cafes and other “hotspots” are essential tools for the productive business
traveler, yet they can facilitate the infection of the unwary. When, in all innocence,
these employees next connect to your private network, they infect it. And
unfortunately, the antivirus software on your workstations cannot detect every
form of the new viruses, worms, and other malware infiltrating your network at
increased rates through all these open doors.
Wireless APs also hook directly into your network, allowing anyone, including
attackers, to connect. The AP receives all wireless traffic, so anyone who can
access the AP can hijack a great deal of traffic.

Threats from New Technology


Finally, advancements in technology have increased the threat from employees
who use the Internet, software, and devices for personal reasons. For example,
instant messaging (IM) clients have become a popular employee download—both
as a means of collaboration with coworkers and as another distraction from the
work at hand. Unfortunately, unsecured IM installations place companies at risk of
attacks from hackers and malware such as Trojans, worms, and viruses. Viruses,
for example, can disguise themselves as file attachments in IM messages. Once
they breach your network, these threats can wreak havoc, potentially causing a
denial-of-service (DoS) attack, which can consume your network bandwidth or
overload the computational resources of your system. (For more information on
Trojans, worms, viruses, and DoS attacks, see Module 2—General Threats.)
Hackers using a network sniffer can also easily obtain passwords, as well as
company data, from employee IM chats. Manually blocking these free services by
tweaking firewalls is difficult: IM clients are adept at circumventing port
restrictions. And employees can always bring their contraband in from offsite.

Confronting New Threats


At this point, there are only two options: eliminate the access methods that drive
the continual growth and competitiveness of your enterprise or accept them—and
develop your security solutions to effectively confront the vulnerabilities of the
modern network.

Mobile Access Dangers

Mobile users can connect to your network via one of three methods:
■ Temporary access—For example, contractors and temporary employees
may need network rights for several months or weeks only; guests, for a day
or even an hour.
■ Wireless access—Many companies are realizing the benefits of continuous
network access, access not tied to a particular location. The wireless medium
makes such access possible.
■ Offsite access—For example, employees might telecommute, using their
home Internet connections to access the company network.
Offering these network access methods can help company productivity, but each
can also open network vulnerabilities.

1–8 Rev. 6.41


Introduction

Mobile Access Dangers: Temporary access

Because so many people request temporary access to your network, new
technologies now provide a way for many users to authenticate to one port. Each
form of temporary access brings with it various dangers that a contemporary
security solution must control.

Shared and Mobile Workstations


In today’s enterprise, each port on a network often supports multiple users. To
provide adequate user access while maintaining security, each port must be
equipped to meet each user’s needs. For example, a chief executive officer (CEO),
a chief information officer (CIO), and an employee all access the network through
the same port, but cannot for security reasons have the same access rights. To
secure the port, the network must first authenticate the user. Users are
authenticated by proving their identity. Then, after the users are authenticated,
each port must customize network access to that user. Authentication will be
discussed in detail in Module 4—Layer 1: Network Access Control Security.

Guest Users
Customers, vendors, partners, and contractors need to interact and do business
with your company. These users are given access to your network through a guest
user account with limited rights. If the guest account does not use a password,
attackers can log on to your network and easily attack. Often, guest accounts
installed on computers are inactive and unprotected. Attackers can enable the guest
account. Once they are in your system, even with limited access, they can infiltrate
it. Attackers can also provide false information to set up a legitimate guest account
to access company information and connect to any other compromised account
they can find on your network.


Mobile Access Dangers: Wireless access

To accommodate a mobile workforce that needs access to the network at all times,
companies are increasingly providing their employees with laptops. Nearly all of
these laptops are equipped with wireless capabilities. If you add wireless products
to your network to take advantage of these capabilities, you might also open your
network to attack.
Particular characteristics of the wireless medium create particular vulnerabilities.

Shared Medium
Without special measures, wireless access is inherently insecure. In a traditional
Ethernet network, data is more or less confined to the wire; not so in a wireless
network, where anyone with a wireless-enabled device can pluck frames out of the
air. If these frames are not encrypted properly, attackers can easily intercept and
read or corrupt them before they reach their destination. Even when frames are
encrypted, an attacker can intercept data and decipher it if the encryption relies on
the deprecated, but still-used, Wired Equivalent Privacy (WEP) protocol.


APs
As mentioned earlier, an AP handles all traffic traveling between a wireless
connection and a wired connection. Anyone who can access the AP can hijack a
great deal of traffic. Unfortunately, rogue APs—APs set up without permission
and often not in compliance with the company’s wireless local area network
(WLAN) security policies—are frequently connected to a network by well-
intentioned employees looking for convenience and flexibility at work. These
employees unwittingly place the network at risk of attack.
Attackers can also set up rogue APs in order to sniff wireless network traffic and
thereby gain unauthorized access to your network environment. One danger is an
attacker’s ability to overpower a legitimate hotspot AP signal, causing the
employee’s computer to connect to the attacker’s rogue AP because it is the
stronger signal. Once connected, the employee can be sent to a spoofed but
familiar-seeming login page where he or she may give away username and
password login information or inadvertently have his or her wireless device loaded
with Trojans and other security threats that can steal confidential information.

Multiple Users on a Single Switch Port


The AP connects to a single switch port, but through that AP multiple users
connect to the network. This creates the same problems with access rights
discussed for shared workstations.


Mobile Access Dangers: Offsite access

Employees can access the company’s network from remote areas such as homes,
hotels, and Internet cafes. Typically, these employees use the Internet to reach
your company. Thus there are many more points of access to your network
through the Internet than there have been in the past. And just as in a wireless
network, any data sent through the Internet can be intercepted and eavesdropped
upon unless it is protected by encryption.
Employees or other users accessing your network offsite pose a number of
additional threats. Other businesses’ Internet connections or computers could
contain malware that employees transfer when they hook up their laptops to your
private network. In addition, there could be backdoor vulnerabilities on other
businesses’ devices through which attackers could steal identities or other important
information to gain access to your network. And data that users retrieve from your
company’s Web site—such as images, scripts, portlets, secure information,
personal information, and session-specific data—may be unintentionally cached on
the devices they use and left behind for attackers to access and abuse.


Employees could also unknowingly download malware from unauthorized sites
you do not allow them to access within your company. This is because the
technologies you may use inside your company to limit what employees can
download and access on the Internet do not extend to offsite locations. (More
about these company protections and technologies will be discussed in Module 4—
Layer 1: Network Access Control Security.) Once offsite, employees (or their
family members at home) can use company laptops for personal purposes,
including browsing the Web or Internet, opening and downloading personal files
that may contain any number of worms or other attacks, or connecting their own
devices for school, work, or entertainment activities. When the employees return
to the company and reconnect their laptops, your network is subject to whatever
dangers they or their family members have placed on those laptops.


Increased Incidents and Velocity

As mobility increases and doors open to allow more business flow onto your
network, attackers are taking advantage by exploiting an increasing number of
vulnerabilities and by increasing the speed of attacks. Consequently, it is easy to
see why contemporary network managers and administrators often feel as if they
are under siege.

Increasing Number of Vulnerabilities


Vulnerabilities are weaknesses in a network’s technical infrastructure (endpoints
such as PCs, as well as network components) and within the organization
(procedures, policies, and staff practices) that attackers can exploit to cause
damage and large financial losses. Attacks that exploit these vulnerabilities are
called incidents. The following statistics are taken from the Computer Emergency
Response Team Coordination Center (CERT/CC), a U.S. federally funded center
of Internet security expertise:
■ Reported vulnerabilities increased by 5,819 in the last 10 years, and from
2004 to 2005 vulnerabilities increased by 2,210.
■ In the first quarter of 2006, there were 1,597 reported vulnerabilities.


Incidents have become so common that CERT no longer counts them. Typical
incidents include hackers exploiting security weaknesses to access confidential
data, employees opening email attachments that include viruses, and theft of laptop
computers from insecure locations where doors have been left unlocked.
According to the 2005 Malware Report: Executive Summary, in 2005 the financial
impact of viruses worldwide was U.S. $14.2 billion.

Faster Attacks
Given the increasing number of network vulnerabilities, attacks are having a more
immediate and devastating impact:
■ The Code Red Worm, discovered on July 16, 2001, infected 75,000 hosts in
15 hours, and two years later Slammer, discovered on January 24, 2003,
infected the same number of hosts in only 30 minutes.
■ As of November 29, 2005, the Sober-Z worm accounted for 1 in 13 emails
traveling across the Internet.
■ Massive attacks now take as little as 5.5 hours to spread via hundreds of
millions of emails.*
Modern attacks are also more sophisticated because the tools attackers use are
more advanced. These tools include:
■ Password crackers—Attackers use password crackers to find weak
passwords, crack them, and gain network access to aid in their attacks.
■ Sniffers—These tools seek out and grab all data and sensitive information
being transferred from one computer to the other.
■ Sweepers—Sweepers erase files and applications on your computer.
* Commtouch Detection Center, January 2006 statistics

Evolving Attacks
Methods that have worked in the past to prevent or manage attacks do not stand up
to today’s sophisticated attacks. Attackers use technologies that are intended to
secure or enhance a network to launch attacks. For example, password crackers
were programs originally intended for network administrators to identify weak
passwords and create more secure ones. As new technologies intended to enhance
the network are developed, attackers will continue to find ways to use them to
compromise network security.
In addition, because of increased use of the Internet for buying, selling, and
entertainment, it is easier now than ever for attackers to bait victims—often your
own employees—with promises of “free” and “new, improved” products. These
offers entice employees to click on a link that exposes them to viruses, worms, or
other kinds of advanced attacks. As the Internet becomes more and more
integrated into everyday business activity, these attacks will continue to increase.


Ineffectual Defenses

Despite the increasing volume and velocity of network threats, most companies
still use traditional security products and methods. The 2006 CSI/FBI Computer
Crime and Security Survey revealed the following about a cross-section of U.S.
companies that are older than three years and have more than five employees and
U.S. $1 million in revenue:
• Worms and viruses were the most costly incidents—even though 97 percent
of respondents stated they use antivirus software.
• Ninety-eight percent of respondents used firewalls and 79 percent said they
use anti-spyware methods, yet almost 10 percent of businesses said that they
suffered 10 or more security incidents.
• The top four categories of incidents were virus infections, unauthorized
access, laptop or mobile hardware theft, and theft of proprietary information.
Losses due to such incidents accounted for nearly three-quarters (74.3
percent) of total cyber losses, which exceed U.S. $52 million.
Despite basic network security measures such as firewalls, antivirus software, and
even anti-spyware measures, network attacks continue to be a costly problem.
Additionally, network security has not kept up with issues created by the
increasingly mobile workforce, such as the theft of unsecured information on
mobile devices.


Increased Insider Attacks: Insider threat and attack statistics

Insider attacks account for a significant portion of company cyber losses. In the
2006 CSI/FBI Computer Crime and Security Survey, a significant number of the
respondents reported that they believe insider attacks account for a substantial
portion of cyber losses. Awareness of internal threats is growing: more than three-
fourths (77 percent) of respondents reported that employee company security
policy education is very important.
Employees’ lack of security knowledge accounts for large security threats to your
network, opening doors to internal attacks. When employees don’t update antivirus
software—to save time, to avoid slowing down their machines, or because they
simply don’t know how—they create security gaps in your network. Without that
protection on their machines, when they surf the Web or download files, they can
open backdoors into your network or download viruses that will spread throughout
your system. Employees who fail to comply with company policies have always
been a threat, but with the greater freedom employees now have to use and control
their own machines, the threat has increased.


Internal attacks can also come from angry employees or other constituents seeking
revenge or gain. Because these insiders have access—sometimes extensive
access—to your network, intentional internal attacks can be even more detrimental
to your company than external attacks.
Whether or not internal attacks are intentional, your network is in danger because
traditional security methods defend from the outside in rather than the inside out,
making it easy for an attack to come from the inside. (For more information on
internal and external attacks, see Module 2—General Threats.)


IT Regulations: U.S. regulations

As people have become more aware of the necessity to keep information secure,
countries worldwide, including the U.S., Britain, Europe, Canada, Japan, and
Australia, have implemented privacy laws or reinforced existing ones to improve
security standards in company networks. The U.S. government has issued a
number of regulatory statutes to raise security levels in companies of all sizes:

Sarbanes-Oxley Act of 2002 (SOX)


SOX improves the accuracy and reliability of corporate disclosures,
which, in turn, protects investors. The U.S. government passed this act in response
to a number of major corporate and accounting scandals, including ones involving
Enron, Tyco International, and WorldCom (which is now MCI). By establishing
new or enhanced standards for U.S. company boards, management, and accounting
firms, the legislation attempts to restore trust in accounting and reporting practices.
SOX provisions dictate that companies establish a public company accounting
oversight board, auditor independence, corporate responsibility, and enhanced
financial disclosure. SOX also provides a way to review the dated legislative audit
requirements.

Health Insurance Portability and Accountability Act (HIPAA)


HIPAA combats present dangers in the healthcare world, such as waste, fraud, and
abuse in health insurance and healthcare delivery. HIPAA now prohibits
companies using electronic transactions and the Internet to publish personal health
information. (Before HIPAA, some companies were transferring or selling such
information for commercial gain.)

Gramm-Leach-Bliley Act (GLBA)


GLBA is a comprehensive U.S. law that requires companies to protect consumer
information through security, integrity, and confidentiality. In an attempt to
modernize the financial services world, GLBA sought to end regulations that
prevented the merger of banks, stock brokerage companies, and insurance
companies. With an open door to mergers, these companies could then
consolidate, analyze, and sell large amounts of their consumers’ personal
information. To mitigate the risks of these mergers for the consumer, GLBA
requires that these companies store personal financial information securely,
advise consumers of their policies on sharing personal financial information, and
give consumers the option to opt out of some sharing of personal financial
information.

Federal Information Security Management Act of 2002 (FISMA)


FISMA is the primary legislation governing U.S. federal information security.
Passed as part of the Homeland Security Act of 2002 and the E-Government Act
of 2002, FISMA requires every government agency to secure information and the
information systems that support its operations and assets, including those
provided or managed by other agencies, contractors, or other sources. Therefore, if
the government is to use commercially developed security products, those products
must offer advanced and effective information security solutions and work in
concert with government policies, procedures, and guidelines.

Payment Card Industry Data Security Standard (PCI)


PCI came about in response to a 1995 breach of credit card security through a
faulty electronic sales system at Polo Ralph Lauren, as well as a breach of
customer data security at LexisNexis. At Polo Ralph Lauren, approximately
180,000 customers’ credit card data was compromised because the company had
not properly stored the three-digit card verification value in its checkout system.
To combat these breaches and identity theft dangers, all major credit card
companies agreed upon PCI as an industry-wide data security standard. PCI
applies to all members, merchants, and service providers that store, process, or
transmit cardholder data, as well as any network component, server, or application
included in, or connected to, the cardholder data domain. Companies will now
have to use firewalls, message encryption, computer access controls, and antivirus
software. PCI also requires frequent security audits and network monitoring and
forbids the use of default passwords.


IT Regulations: Worldwide regulations

Personal privacy has long been of concern to member states of the European
Union (EU). As these member states began to legislate electronic privacy
protection in the 1980s and 1990s, the European Commission soon realized that
diverging data protection laws would impede the free flow of data, and therefore
the free flow of trade, within the EU zone. To standardize privacy laws, in 1995
the European Commission proposed the Directive on the Protection of Personal
Data (Directive 95/46/EC). This directive specifies how personal and sensitive
data should be handled. The majority of the directive focuses on the explicit
reasons for which an entity can collect and store personal data. The directive also
includes the specification that stored data must be secured, protected against
accidental loss, and kept for a limited amount of time. Meeting these specifications
necessitates a highly secure and organized network infrastructure.
Directive 95/46/EC was modified and adopted by each EU member state either
through the revision of an existing law or through new legislation. In addition,
countries such as Canada, Australia, and Japan have adopted similar legislation:
• Germany—Bundesdatenschutzgesetz (Federal Data Protection Act)
• United Kingdom—Data Protection Act of 1998

• France—Law 78-17 (revised)
• Canada—Personal Information Protection and Electronic Documents Act
(PIPEDA)
• Australia—Private Sector Provisions of the Privacy Act 1988 (Cth)
• Japan—Personal Information Protection Law
Penalties for losing personal data under these laws are stiff: most countries
specify prison time and fines amounting to thousands of U.S. dollars per incident.
For a network to comply with these laws and standards, it must be organized, well-
designed, and secure. This course will provide you with an organized, layered
approach to securing your network.


Network Security Components

Given increasing user needs, evolving attacks, and increasingly stringent
government security standards, the need for strong network security has never
been greater. This course is designed to introduce you to the technologies,
methods, and tools you can use to create a comprehensive security solution for
your network.
A comprehensive security solution allows your network to meet the needs of its
users while providing the highest level of security possible. Such a solution should
meet all government standards, be expandable to adapt to network changes, and be
adaptable to new security threats. Comprehensive network security
implementation can be categorized into two key areas that allow you to both
prevent and protect your network from attacks:
• Proactive components—Proactive network security components address
threats and problems before they become a crisis.
• Defensive components—Defensive network components focus on creating a
network structure that is secure and protected from common network attacks.


Rather than attempt to fit a single solution over all possible network vulnerabilities
or to smatter disparate solutions across the network, a company must establish
comprehensive network security by implementing proactive and defensive
components in organized layers. Network security is similar to the roof of a
building that must keep the interior dry and protected while constantly being
deluged with water. Most people can’t tell where the leaks are by looking at the
roof: most leaks are only discovered after they let in the rain. If you spend all of
your time bolting patches over specific holes, you’ll spend a lot of time and money
patching problems while the rain continues to trickle in elsewhere.
Similarly, many of today’s companies address security problems as they occur
rather than planning and then implementing a comprehensive solution. These sorts
of bolt-on, single-problem solutions are time consuming and expensive, and
inevitably they address only a single point of failure. Through layering, you can
design and build a roof that has all the elements it needs to keep the rain out.
Layering also allows you to cater your solution to your business’s needs. For
example, the roof of a skyscraper is designed in a very different manner than the
roof of a family home. Similarly, a security solution that works for a small-to-
medium business will be inadequate for a large corporate structure. When you
implement security layers, you can use solutions that fit the needs of your business
and your users.


Summary

In this module, you learned about how networks have evolved to include not only
more stationary workstations and employees but also mobile devices and workers.
Opening up network access has created many opportunities but has also created
vulnerabilities to ever-increasing attacks. Current security measures alone cannot
protect your network against these threats. You must have a scalable, layered
proactive and defensive security approach to protect every point of your network.

Module 2: General Threats

Objectives
“If you know the enemy and know yourself, you need not fear the result
of a hundred battles.” Sun Tzu, The Art of War, ~500 B.C.
Hacker attacks, employee threats, virus skirmishes, and battles with worms—to
implement successful network security, you must first seek to understand the types
of attacks that threaten your network. While a list of every attack is beyond the
scope of this (or any) course, this module will explore some of the most common
network attacks.
The first part of the module will introduce you to four network attack vectors.
Understanding the origin of an attack and the intentions behind it can help you to
implement the correct type of network protection in the correct network location.
Next, this module will discuss five common network attack types. While these
attack types are by no means comprehensive, learning about them will greatly
increase your understanding of the ways that attackers can infiltrate or damage
your network so that you can protect your network accordingly.
After reading this module, you should be able to:
• Understand attack vectors
• Recognize and understand:
    • Attacks that gain confidential information by manipulating the users
    • Attacks that force unauthorized access into your network
    • Attacks that search your network to discover vulnerabilities that can be
      exploited
    • Attacks in which attackers impersonate legitimate network access devices
    • Attacks that install malicious software without the knowledge or
      consent of the device administrator
    • Attacks that infect a network with viruses and worms
    • Attacks that inundate a network with traffic to prevent legitimate users
      from accessing network resources


Attack Vector Models: External attacks

Network attacks can be broadly categorized according to the direction, or vector,
from which the attacks originate. Understanding attack vectors and the intentions
behind the attacks will help you to secure your network against both known
network attacks and new types of attacks.
An external attack, as its name suggests, is an intrusion that originates outside
your trusted network. Ideally, you should prevent an external attack before it
ever enters your network. Because external attacks are historically the most
common type, most networks are designed to guard against them using perimeter
protection methods such as firewalls and/or intrusion prevention systems (IPSs).
These methods have become more sophisticated at detecting attacks and are
usually able to prevent an obvious external network attack.
However, some external attacks use perfectly legitimate traffic such as Internet
Control Message Protocol (ICMP) echoes to infiltrate, overwhelm, rob, cripple, or
destroy your network. Because attackers use legitimate traffic, attacks cannot
always be easily distinguished and stopped by perimeter protection methods such
as a firewall alone. External intrusions can also use port scans, sniffers, proxy
servers, and TCP sessions to reveal weak points in your network security.
Preventing such external attacks can be very difficult.


Attack Intentions
To appropriately manage intrusions and take the correct preventive measures, it is
important first to classify attack intentions.
Intentional attacks are malicious attempts to harm a network. These attacks target
a particular network either to profit from the information on the network or to
reduce the company’s profitability by damaging company credibility and the
ability to serve customers. Because attackers usually seek to infiltrate or harm a
network using the quickest and dirtiest methods, it is often possible to predict what
files and resources will be attacked. For example, intentional attacks usually target
specific (often crucial) network resources such as OS system files, network
bandwidth, or files that contain customer or employee personal information.
Knowing this, you can predict attacks that target these files and resources and
focus network security around them.
Unintentional attacks are much more difficult to predict because most of these
attacks occur as unexpected side effects of network applications or operating
procedures. Although not created to maliciously injure the network, these side
effects can nevertheless have the same devastating effect as successful intentional
attacks. For example, actions by inexperienced users or administrators can result in
network outages, data loss, or worm infections. To prevent unexpected side
effects, you should use a robust network design and make sure your users and
administrators are well educated.
The attack vectors of external attacks are:
• External intentional—In most cases, external attackers will aim attacks at
well-known network vulnerabilities. These attacks are usually stopped by
good perimeter measures such as firewalls. However, not every external
intentional attack is preventable. For example, some zero-day attacks might
be unpreventable because they are designed to exploit vulnerabilities your
security solutions are not configured to address. One hundred percent
protection from external attacks cannot be guaranteed without disconnecting
your network from the Internet. However, a well-planned solution will
eliminate the majority of attacks.
• External unintentional—External unintentional attacks are those that
originate outside the network but are not necessarily targeted to harm your
network. While most external unintentional attacks—such as a sudden flood
of time requests to an overwhelmed Network Time Protocol (NTP) server
that results in network devices losing synch—can be easily prevented through
sturdy software and a good network design, some external unintentional
attacks are impossible to predict or prevent. An example is the Slashdot
effect, which occurs when a Web site suddenly becomes too popular for the
bandwidth and hosting devices to handle. This creates an unintentional
denial-of-service (DoS) attack.


Attack Vector Models: Internal attacks

As discussed in Module 1—Introduction to Network Security, attacks from inside
the network are becoming much more prevalent. Employee misuse of company
resources, the installation of unauthorized software, limited access control, and
scam email are just some of the internal threats to your corporate assets. In
addition, harried managers may not verify the resumes of people they hire into
positions with access to sensitive information. These people, as well as dissatisfied
or recently terminated employees, may seek to gain access to sensitive information
on the network just to wreak havoc. And while internal attacks such as virus and
worm infections are usually immediately noticeable, not all network intrusions are
that obvious.
For example, your network may store customer information on a particular server,
and you may have set up your security to protect that server, predicting it to be a
likely attack target. But not every attack is straightforward: an attacker may be
able to successfully attack your network and retrieve the information from the
backup server. You can predict certain attacks, but you cannot always predict the
method of the attack. And unless you are specifically looking for these problems,
the unauthorized retrieval of restricted files or the misuse of network resources can
go unnoticed for long periods of time. The resulting damage can be devastating.


As the number of internal intrusions increases, it becomes increasingly important to
enable attack detection and security measures that work within the network
perimeter. Securing the interior of your network will allow you to reduce or prevent
network downtime caused by common problems such as worms and viruses, as well
as allow you to quickly discover less-obvious intrusions and attacks.
The two basic types of internal attacks are:
• Internal intentional—Internal intentional attacks are caused by someone
who already has some trusted access to the network. For example, the
disgruntled employees, partners, or administrators mentioned above who
abuse their network access privileges to wreak havoc or deliberately open
perimeter network security holes.
• Internal unintentional—Internal unintentional attacks are caused by
uninformed users or administrators. For example, less-than-savvy network
users may inadvertently release a virus or worm onto the network by using an
insecure laptop or workstation to access the network or by downloading
infected software while accessing the Internet through the network. Or, as
another example, a company may have a policy that if the internal email
server receives an email infected with a virus or worm, it will send a warning
to every email box on the network. While a warning is a good idea, if the
email server is slammed with infected emails, it may generate hundreds or
even thousands of warning emails that can quickly clog email boxes.


Types of Attacks

In addition to understanding attack vectors, you should also understand some of
the specific types of attacks that can endanger your network. While all attacks
generally damage or incapacitate your network, most attacks can be categorized
according to the method used to inflict the damage. It would be impossible to list
every network attack: attacks are continuously evolving, changing, and
increasing in sophistication, and new attacks are constantly being created.
However, in this section we will discuss six of the most common attack
categories: social engineering, unauthorized access, reconnaissance,
impersonation, malware, and DoS.


Social Engineering

Social engineering targets the network indirectly. By manipulating network users
and employees (wetware), social engineering attackers can gain private or
confidential information—such as employee names, office phone numbers, or
usernames and passwords—that can then be used to gain access to the network.
Social engineering is generally an attacker’s manipulation of the natural human
tendency to trust. The most prevalent type of social engineering attack is
conducted by phone. An attacker will call up and imitate someone in a position of
authority or trust and gradually pull information out of the user. Other social
engineering attacks rely on methods as devious as giving employees free USB
devices that infect their computers with keyloggers, and as straightforward as
diving through the dumpster looking for information.


Social engineering attackers count on several psychological factors:
• People have a desire to be helpful—Most employees are trained to be as
helpful and accommodating as possible. An attacker can exploit this training
to obtain information about the company structure. For example, an attacker
may call up a low-level employee and impersonate someone in IT. The
attacker informs the employee that the network is down and that she needs to
exit and log in again. Saying that the supposed problem isn’t going away, the
attacker next requests the employee’s username and password. The
employee, thinking that she is helping to solve a network problem, will
usually comply.
• People have a desire to impress those in positions of authority—
Employees are willing to bend over backwards to do something that will
ingratiate them to higher-ups. For example, if an employee is led to believe
that the attacker is doing work for his boss, the employee may reveal
sensitive information to the attacker, believing that this will earn him kudos
with the boss.
• People have a desire to conform—Attackers may assure an employee that
other employees she knows have already helped by providing sensitive
information, making the employee more likely to give the attacker the
sought-after information.
• People have a desire to trust—Employees will initially trust others until
given a reason not to. Usually, by the time the employee realizes that an
attacker isn’t entirely trustworthy, the damage has been done.
Social engineering attacks happen because it is easier to pick up the phone and ask
for a username and password than to spend time and effort trying to break into a
network. These types of attacks are best prevented by educating employees:
warning users against blithely giving out sensitive network information such as
usernames, passwords, and internal phone numbers can go a long way to
preventing many network attacks.
Many of today’s most common network attacks blend social engineering with
networking know-how. Because many attacks include elements of social
engineering, educating employees can also help prevent some of the next five
types of attacks.

Further Reading
For more information on social engineering, see
http://en.wikipedia.org/wiki/Social_engineering_%28computer_security%29,
or The Art of Deception: Controlling the Human Element of Security by
Mitnick, Simon, and Wozniak.


Unauthorized Access

Unauthorized access attacks occur when an unauthorized user accesses your
network either by guessing or stealing a password or by finding insecure network
access points. These attacks are external intentional.
• Brute force—In the example above, an attacker uses brute force to discover
a password and gain entry into the network. A brute force attack requires an
attacker to systematically attempt possible password combinations. Despite
requiring a large amount of time and processing power, brute force attacks
are often successful. Implementing a brute force attack is relatively simple:
brute force and dictionary-based password cracker software is easily
available online. A vigilant network administrator can usually detect a brute
force attack before it succeeds.
• War driving—Another example of an unauthorized access attack is war
driving. War drivers exploit the open nature of the wireless medium to find
and infiltrate wireless networks, often driving around looking for unsecured
or easily cracked wireless Internet access. For example, many people will
simply plug in a wireless access point (AP) and immediately begin using it
without enabling any sort of security measures. A network without
encryption or authentication is a network to which war drivers have open
access. And because all transmissions between wireless devices and the AP
are unencrypted, a war driver can listen in and steal any information passed
between the two.


Additionally, not all wireless encryption schemes are secure. For example, a
war driver may gain access to a Wired Equivalent Privacy (WEP)-secured
network by intercepting traffic passed between the AP and authorized
wireless device and analyzing the traffic with software that deciphers the
encryption keys. The encryption key can then be used as a password to access
the network.
• Wire tapping—Another way that attackers can gain access to network
information is by tapping the physical data or phone wires. Wiretapping
occurs when a device that intercepts and broadcasts information is placed on
the physical wire. Any intercepted or “tapped” traffic can then be recorded
and analyzed.
Many unauthorized access attacks are quickly discovered using basic network
logging and management software. However, the next attack type introduces a
slightly more elegant way for an attacker to infiltrate your network with decreased
risk of discovery.

Further Reading
For more information on brute force attacks, see
http://en.wikipedia.org/wiki/Brute_force_attack.
For more information on war driving, see
http://en.wikipedia.org/wiki/War_driver.
For more information on wire tapping, see
http://en.wikipedia.org/wiki/Wire_tapping#Internet_wiretapping.


Reconnaissance

Reconnaissance attacks are internal or external intentional. Less straightforward
than brute force or other unauthorized access attacks, reconnaissance attacks rely
on several methods for detecting vulnerabilities in your network. And any
discovered vulnerabilities will be exploited.
• Port scans—A common reconnaissance attack involves a TCP/UDP port
scan. Any open TCP or UDP port will allow traffic and reveal information
about the services offered on the network. Because certain networking
applications use particular, well-known ports, the attacker may be able to
deduce which services are available on the network according to the open
ports and use these ports to launch an attack.
• Network mapping software—Network administrators use network mapping
software to verify their network security. However, this software, which is
freely available on the Internet, can also be used as part of an attack.
Attackers can use network mapping software to gain information on all
available endpoints and applications on your network before even attempting
to breach the network perimeter security. Attackers can quickly and quietly
discover a large amount of information about your network, including any
network vulnerabilities.
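The text notes that brute force logins (Unauthorized Access) and port scans (Reconnaissance) are usually caught by basic network logging. The following is an added example, not part of the course material, showing the kind of sliding-window rules a log monitor applies to both; the log format, hosts and thresholds are constructed for illustration and should be tuned to your own environment.

```python
"""Sliding-window detection of brute-force logins and TCP/UDP port scans.

Added example, not part of the ProCurve course material: it runs two simple
detection rules over constructed log lines in an invented format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real device). Two record kinds:
#   <iso-timestamp> auth FAIL|OK user=<name> src=<ip>
#   <iso-timestamp> fw SYN src=<ip> dst=<ip> dport=<port>
SAMPLE_LOG = """\
2006-01-10T09:00:01 auth FAIL user=alice src=10.1.1.23
2006-01-10T09:00:03 auth FAIL user=alice src=10.1.1.23
2006-01-10T09:00:05 auth FAIL user=admin src=10.1.1.23
2006-01-10T09:00:06 auth FAIL user=admin src=10.1.1.23
2006-01-10T09:00:08 auth FAIL user=root src=10.1.1.23
2006-01-10T09:00:09 auth FAIL user=root src=10.1.1.23
2006-01-10T09:00:10 auth FAIL user=bob src=10.1.1.77
2006-01-10T09:00:11 auth OK user=bob src=10.1.1.77
2006-01-10T09:01:00 fw SYN src=10.1.1.40 dst=10.1.1.5 dport=80
2006-01-10T09:01:00 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=21
2006-01-10T09:01:01 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=22
2006-01-10T09:01:02 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=23
2006-01-10T09:01:03 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=25
2006-01-10T09:01:04 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=53
2006-01-10T09:01:05 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=80
2006-01-10T09:01:06 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=110
2006-01-10T09:01:07 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=135
2006-01-10T09:01:08 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=139
2006-01-10T09:01:09 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=443
2006-01-10T09:01:10 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=445
2006-01-10T09:01:11 fw SYN src=192.0.2.50 dst=10.1.1.5 dport=3389
2006-01-10T09:01:30 fw SYN src=10.1.1.40 dst=10.1.1.5 dport=80
2006-01-10T09:02:00 fw SYN src=10.1.1.40 dst=10.1.1.5 dport=443
"""

AUTH_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=\S+ src=(\S+)$")
CONN_RE = re.compile(r"^(\S+) fw SYN src=(\S+) dst=\S+ dport=(\d+)$")


def _expire(queue, now, window):
    """Drop queue entries older than the window; each entry is (ts, data)."""
    while queue and now - queue[0][0] > window:
        queue.popleft()


def detect(lines, window=timedelta(seconds=60), fail_threshold=5, port_threshold=10):
    """Return alerts as (rule, src, count), raising each rule once per source.

    brute_force: >= fail_threshold authentication failures from one source
                 within the window (any usernames, so password spraying counts).
    port_scan:   >= port_threshold distinct destination ports probed from one
                 source within the window.
    """
    fails = defaultdict(deque)   # src -> deque of (ts, None)
    probes = defaultdict(deque)  # src -> deque of (ts, dport)
    alerts, raised = [], set()

    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            if m.group(2) != "FAIL":
                continue
            ts, src = datetime.fromisoformat(m.group(1)), m.group(3)
            q = fails[src]
            q.append((ts, None))
            _expire(q, ts, window)
            if len(q) >= fail_threshold and ("brute_force", src) not in raised:
                raised.add(("brute_force", src))
                alerts.append(("brute_force", src, len(q)))
            continue

        m = CONN_RE.match(line)
        if m:
            ts, src = datetime.fromisoformat(m.group(1)), m.group(2)
            q = probes[src]
            q.append((ts, int(m.group(3))))
            _expire(q, ts, window)
            distinct = {dport for _, dport in q}
            if len(distinct) >= port_threshold and ("port_scan", src) not in raised:
                raised.add(("port_scan", src))
                alerts.append(("port_scan", src, len(distinct)))
        # Lines matching neither pattern are ignored.

    return alerts


if __name__ == "__main__":
    for rule, src, count in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule}: src={src} count={count}")
```

On the sample log the rules flag 10.1.1.23 after its fifth failure and 192.0.2.50 after its tenth distinct port, while the single failure from 10.1.1.77 and the three ordinary connections from 10.1.1.40 stay below threshold.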


Similar to reconnaissance attacks, the next attack type is intended to steal network
information. However, instead of directly searching the network for
vulnerabilities, these attacks try to fool unsuspecting users into revealing private or
sensitive information.

Further Reading
For more information on port scanning, see
http://en.wikipedia.org/wiki/Port_scan.
For more information on the Nmap network mapping software, see
http://en.wikipedia.org/wiki/Nmap and http://www.insecure.org/nmap/.


Impersonation: Man-in-the-Middle

An impersonation attack occurs when an attacker masquerades as a legitimate
resource provider with the intent to steal private information or install malware on
a workstation. Two common examples of impersonation attacks are man-in-the-
middle (MITM) attacks and phishing.
Because of the open nature of the radio medium, wireless communications
between network devices are particularly susceptible to MITM and other
eavesdropping attacks. Wired communications, however, are still at risk for such
attacks, particularly over an insecure network such as the Internet.
• Wired MITM attacks—In a wired MITM attack, an attacker uses a proxy
server between two legitimate endpoints. This proxy server can be used to
steal information that the two endpoints are transmitting or to modify packets
before forwarding them. Traffic from the sending endpoint is redirected to
the proxy server, which can log, change, and forward the traffic to the
receiving endpoint. Using this attack, the attacker can sniff passwords and
other login, authentication, and personal information to use in infiltrating a
network, or the attacker can use the modified packets to inflict damage to the
receiving endpoint. In many cases, the receiving endpoint never realizes that
the data has been tampered with.


• Wireless MITM attacks—In a wireless MITM attack, the attacker uses a
rogue AP that overpowers the legitimate network AP. To facilitate
connecting to the closest AP, most wireless devices associate with the
wireless AP that has the strongest signal. The attacker takes advantage of this
standard practice. He or she will usually park near the network and use an AP
with a very strong signal to entice network endpoints to connect. By getting
an endpoint to log in to this rogue AP, the attacker can gain usernames,
passwords, and other authentication information that allows him or her entry
into the legitimate network.
Another common type of impersonation attack is a very sophisticated method of
stealing information: phishing.

Further Reading
For more information on MITM attacks, see
http://en.wikipedia.org/wiki/Man-in-the-middle.


Impersonation: Phishing

A phishing attack involves an attacker looking for ways to steal sensitive
information by appearing to be a legitimate and trusted endpoint. These attacks are
usually sent via email or as pop-up ads and rely on inexperienced or unsuspecting
computer users. Ironically, phishing attacks often prey on users’ fears of
identity theft.
In the example above, the attackers sent this email claiming to be from PayPal to
thousands of addresses. The email requested that the recipient click on a link and
update their personal information. Although the link seemed legitimate, it opened a
spoofed page, and any information that was entered into this spoofed page was
subsequently stolen.
Phishing attacks are difficult to prevent, simply because it is often difficult to
initially tell the difference between an authentic request and an attack. An easy
way to educate users is to remind them that they should make sure that links take
them to the correct address. In the example above, when the link in the email was
clicked, the resulting Web page URL did not match the URL in the email.
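
The URL check the text recommends can also be automated at the mail gateway. The following Python script is an added example, not from this guide: it parses a constructed message body and flags links whose visible text names one host while the href goes to another, links that go to a bare IP address, and links that hide the real host behind a user@ prefix. The message body, hostnames and addresses are constructed (documentation ranges and .example names).

```python
"""Flag phishing-style links in an HTML email body (added example, constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message body modelled on the PayPal-style lure described in the text.
# 203.0.113.0/24 and ".example" are reserved documentation names, not real sites.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended. Please
<a href="http://203.0.113.9/pp/update">update your account</a> now.</p>
<p>Or visit <a href="http://www.paypal.com.account-verify.example/login">http://www.paypal.com/</a></p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
<p>Or go to <a href="http://www.paypal.com@203.0.113.9/login">www.paypal.com</a></p>
"""

URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _with_scheme(url):
    return url if "://" in url else "http://" + url


def host_of(url):
    """Hostname of a URL, also for text like 'www.paypal.com' without a scheme."""
    return (urlsplit(_with_scheme(url)).hostname or "").lower()


def suspicious_links(html):
    """Return [(href, text, [reasons])] for links a user should not trust blindly."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = host_of(href)
        if "@" in urlsplit(_with_scheme(href)).netloc:
            # Browsers treat everything before '@' as a username, not the host.
            reasons.append("user@host trick: real host is " + href_host)
        if IPV4.match(href_host):
            reasons.append("link goes to a bare IP address")
        if URL_LIKE.match(text):
            text_host = host_of(text)
            if text_host != href_host:
                reasons.append(f"text shows {text_host} but link goes to {href_host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```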


Along with reconnaissance attacks, MITM and phishing attacks focus on gaining
information about your network. The next type of attack, however, infects
endpoint devices with the intent to outright damage the network, steal information,
or use the devices to attack another network.

Further Reading
For more information on phishing, see
http://en.wikipedia.org/wiki/Phishing.


Malware

Malware is a term that broadly describes software that is at best a nuisance and at
worst destructive to your network devices. Any software designed to use network
resources or infiltrate network devices without the knowledge or consent of the
device owner is considered malware:
• Adware—Adware is software that displays unwanted pop-up ads on an
infected endpoint. While this type of malware may seem innocuous, the
number and repetition of the ads can disrupt productivity and drain network
bandwidth. Some adware programs are extremely difficult to uninstall or
remove. Adware is usually installed using a Trojan. The example above is the
install screen for a desktop theme that also installs several adware programs.
• Spyware—Similar to adware, spyware is often installed on an endpoint as
part of a seemingly legitimate program. It, too, is often very difficult to find
and remove once installed and is much more sinister than adware. Rather
than simply displaying unwanted ads, spyware can keep a record of Web sites
visited, keystrokes, and other personal information. This information can then
be used for identity theft or network access. A single network endpoint
infected with spyware can compromise an entire network.


• Rootkits—A rootkit consists of several programs that are secretly installed
on a network device after it has been successfully attacked. These programs
allow an attacker to open network backdoors and steal personal or network
information. What makes rootkits such a threat is that they are extremely
difficult to detect and even more difficult to remove.
• Trojan horses—A method for spreading malware, Trojans (Trojan horses)
are programs that offer desirable software enhancements and applications.
However, these programs also include adware, spyware, or other malware as
an implicit part of the software package. Trojan programs are never explicitly
labeled as such. For example, free downloads on the Internet often serve as
Trojans, but any adware installation notification may be missing or obscured
in an overly complex end-user license agreement (EULA).
To reduce the likelihood of downloading a Trojan, users should only
download material from trusted Web sites and sources. Once the software
is downloaded and installed, the malware lurking inside is often difficult
to remove: uninstalling a Trojan program will not uninstall the malware
that was included, and uninstalling the malware will not necessarily plug
backdoors or other security holes that were opened.
Malware can cause serious damage to a network. In some cases, malware is able
not only to steal secrets, disrupt network functioning, and annoy users, but also to
completely destroy all software on network devices.

Further Reading
For more information on adware, see
http://en.wikipedia.org/wiki/Adware.
For more information on spyware, see
http://en.wikipedia.org/wiki/Spyware.
For more information on rootkits, see
http://en.wikipedia.org/wiki/Rootkit.
For more information on Trojan horses, see
http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29.


Viruses and Worms

Viruses and worms can spread rampantly through an unprotected network and cause
enormous amounts of damage to vital files and network resources. These network
attacks are caused by small, malicious pieces of code that self-replicate and
propagate.
• Viruses—Viruses are pieces of programming code that require a computer file
to act as a host. Viruses spread by inserting copies of themselves into as
many host files as possible, and they spread to other computers when an
infected file is transferred.
Virus code usually includes instructions for destroying programs and
documents on a hard drive. For example, a virus may insert itself into a
required executable file and spread itself to other files as they open. Then,
whenever an infected file is opened, the virus executes a part of its code that
erases large portions of the endpoint’s memory. If spread to a server, viruses
can damage network software and resources while infecting crucial files.


It may seem that it should be easy to remove a virus from a computer by
finding every infected file and erasing the virus code. This is true for some
well-understood viruses. Most viruses, however, are not easily removed from
a file, and infected files must instead be erased or quarantined (disconnected
from use). Infection removal is further complicated when viruses infect
crucial bootup or operating system files, which can incapacitate an
infected endpoint.
• Worms—Worms, unlike viruses, do not require computer files to act as their
hosts. Worms propagate themselves by taking advantage of an infected
computer’s ability to send data over a network, such as through an email
application. For example, a worm will often send itself as an email attachment.
When the receiving user opens the attachment, the worm is run as an
executable and infects the receiving endpoint.
Worms often include instructions in their code to erase data and destroy
network resources as well as to open security holes and backdoors that allow
an attacker access to and control of the infected network device. Some worms
can also disable antivirus and firewall software. Several worms can also take
over an infected computer to send thousands of spam emails and messages.
When a network infection occurs, the most immediate problem comes from the
vast amounts of bandwidth consumed and the disruption of network functions
while the virus or worm replicates and sends itself. Stopping a virus or worm once
it has infected a network can be difficult and usually requires antivirus software
with a definition file that can recognize the type of infection. And some viruses
and worms have become even more difficult to stop. These worms are designed to
implement zero-day attacks or to encrypt or mutate themselves to avoid detection.
• Zero-day worms—Worm attacks initially took days or weeks to spread over
a geographical area. However, in 2003 and 2004, worms such as
SQL Slammer and Sasser proved their ability to aggressively propagate
throughout the world in a matter of hours. These zero-day attacks consume
incredible amounts of network resources when propagating and can use
unique code that may not be detected by most antivirus software. Without a
way for antivirus software to detect the new worm, most networks are left
completely vulnerable.
• Polymorphic/Metamorphic viruses and worms—Some viruses and worms
are designed to use self-encryption and self-alteration to disguise themselves
from antivirus software. This is done using metamorphic code: the code changes
itself so that no part remains the same after the worm or virus replicates.
Because the code continually changes, it is impossible to develop a virus
definition file that can recognize the mutated virus or worm.


Worm, virus, and malware attacks are the most costly security problems facing
most networks. And some virus and worm attacks can destroy irreplaceable and
mission-critical applications, documents, or network components. The next attack
type, however, can be just as devastating to a network.

Further Reading
For more information on viruses, see
http://en.wikipedia.org/wiki/Computer_virus.
For more information on worms, see
http://en.wikipedia.org/wiki/Computer_worm.
For information on zero-day worms, see
http://en.wikipedia.org/wiki/Zero_day_worm.
For information on polymorphic and metamorphic worms, see “On
Deriving Unknown Vulnerabilities from Zero-day Polymorphic and
Metamorphic Worm Exploits” by Chong, Crandall, Su, and Wu,
which can be found at
http://portal.acm.org/citation.cfm?id=1102152&dl=ACM&coll=portal&CFID=15151515&CFTOKEN=6184618
or at http://wwwcsif.cs.ucdavis.edu/~crandall/ccsdacoda.pdf.


DoS

A DoS attack occurs when an attacker is able to overwhelm a network’s resources
such as bandwidth or processing power. By tying up these resources, users with
legitimate needs become unable to access the network and are denied network
services. Some common DoS attacks include TCP SYN flooding and ICMP/UDP
ping smurfing or fraggling.
• SYN flooding—To establish a TCP session, peers are required to complete
a three-way handshake: the requesting peer sends a SYN packet, the
responding peer then sends an acknowledgement (SYN-ACK), and the
requesting peer responds with an acknowledgement (ACK). Once the initial
SYN packet is received, network resources are allocated to manage the TCP
session. SYN flooding attacks succeed because the attacker continues to
send session-initiating packets (SYN packets), but never responds to the
endpoint’s acknowledgement (SYN-ACK) packet. As the number of half-
open sessions increases, the bandwidth and processing power available for
legitimate TCP sessions decreases.


• Ping smurfing or fraggling—Using ICMP or UDP echo packets, ping
smurfing or fraggling involves sending pings to a broadcast IP address.
Ping smurfing uses ICMP echoes, and ping fraggling uses UDP packets.
In an attack, the ping source IP address is spoofed to be that of a crucial
network device, the victim. Because the ping destination IP address is a
network broadcast address, every network device receives the ping and
generates a reply packet addressed to the spoofed source. In a large network,
the number of simultaneous replies can quickly overwhelm the victim device.
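
To make the half-open session state concrete, the following Python script (an added example, not from this guide) models the server-side table the SYN flooding description refers to: a constructed trace contains one client that completes the three-way handshake and one source that sends SYNs and never answers the SYN-ACK, and the monitor reports which sources hold more half-open sessions than a threshold. Addresses, the timeout and the threshold are assumptions.

```python
"""Half-open TCP session monitor for SYN-flood detection (added example, constructed traffic)."""
from collections import Counter, namedtuple

# flags is one of "SYN", "SYN-ACK", "ACK"
Segment = namedtuple("Segment", "ts src sport dst dport flags")

SERVER = "192.168.1.10"  # constructed addresses; 198.51.100.0/24 is a documentation range


class HalfOpenMonitor:
    """Track connections that received a SYN but never the client's final ACK.
    Each pending entry stands for the per-session state a real TCP stack would
    allocate on the server; the attacker's goal is to keep that table full."""

    def __init__(self, timeout=30.0, alert_threshold=50):
        self.timeout = timeout                # how long the server keeps a half-open session
        self.alert_threshold = alert_threshold
        self.pending = {}                     # (src, sport, dst, dport) -> time of the SYN
        self.established = 0

    def observe(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == "SYN":
            self.pending[key] = seg.ts        # step 1: server allocates session state
        elif seg.flags == "ACK" and key in self.pending:
            del self.pending[key]             # step 3: handshake completed, state released
            self.established += 1
        # "SYN-ACK" is the server's own reply (step 2); it changes nothing here
        self.expire(seg.ts)

    def expire(self, now):
        """Drop half-open entries older than the timeout, as the server eventually would."""
        for key, started in list(self.pending.items()):
            if now - started > self.timeout:
                del self.pending[key]

    def half_open_by_source(self):
        return Counter(src for (src, _, _, _) in self.pending)

    def offenders(self):
        """Sources holding at least alert_threshold half-open sessions."""
        return {s: n for s, n in self.half_open_by_source().items()
                if n >= self.alert_threshold}


def constructed_traffic(syn_count=200):
    """One legitimate client completing the handshake, then a flood that never ACKs."""
    segs = [
        Segment(0.00, "10.0.0.5", 40000, SERVER, 443, "SYN"),
        Segment(0.01, SERVER, 443, "10.0.0.5", 40000, "SYN-ACK"),
        Segment(0.02, "10.0.0.5", 40000, SERVER, 443, "ACK"),
    ]
    for i in range(syn_count):
        t = 1.0 + i * 0.001
        segs.append(Segment(t, "198.51.100.7", 1024 + i, SERVER, 443, "SYN"))
        segs.append(Segment(t + 0.0001, SERVER, 443, "198.51.100.7", 1024 + i, "SYN-ACK"))
    return segs


def run_demo():
    mon = HalfOpenMonitor()
    for seg in constructed_traffic():
        mon.observe(seg)
    return mon


if __name__ == "__main__":
    mon = run_demo()
    print("established:", mon.established,
          "half-open per source:", dict(mon.half_open_by_source()))
    print("offenders:", mon.offenders())
    mon.expire(now=60.0)  # after the timeout the server's table drains again
    print("half-open after timeout:", sum(mon.half_open_by_source().values()))
```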
In many DoS attack cases, the only way to regain occupied network resources is to
trace the source of the attack and stop the triggers. Finding the source of a
straightforward SYN flood can be somewhat difficult, but not impossible.
However, the new, sophisticated techniques of distributed and reflected DoS
attacks allow an attacker to better disguise the attack source.

Further Reading
For more information on DoS attacks, see
http://en.wikipedia.org/wiki/Denial-of-service_attack.
For more information about SYN flood DoS attacks, see
http://en.wikipedia.org/wiki/SYN_flood.
For more information on ping smurfing, see
http://en.wikipedia.org/wiki/Smurf_attack.
For more information on ping fraggling, see
http://en.wikipedia.org/wiki/Fraggle_attack.


DoS: Distributed Denial of Service (DDoS)

Rather than sending traffic directly from the attacker to the attack target, a
distributed DoS (DDoS) attack involves sending seemingly legitimate traffic from
many sources to a target network. The purpose behind a DDoS attack is to use
Internet-connected devices to leverage the power of a DoS attack and disguise the
attack source. The process is as follows:
1. An attacker distributes malware to thousands or millions of unsuspecting
Internet-connected endpoints. This malware is often spread using worms.
These worms include spyware that opens a network backdoor, allowing the
attacker to control certain aspects of the infected endpoints. These infected
endpoints are called zombies.
2. The attack begins when the attacker sends a particular packet to the zombie
endpoints. Using the backdoor access created by the malware, the attacker is
able to control the zombie endpoints, which become unwilling attack
participants.
3. Now activated by the attacker, the zombies begin to send large amounts of
traffic to the attack target. The number of zombie computers can exceed one
million and can quickly overwhelm the target network’s resources.


A DDoS attack can create network outages for both the target network and the
zombie endpoint networks. And because the attacker hides behind the zombie
traffic sources, tracing and catching the attacker is much more difficult.
The next section details a third type of DoS attack, reflected DDoS, which is less
draining on zombie devices, but is vastly more devastating to the target and makes
tracing the attacker exponentially more difficult.


DoS: Reflected DDoS

To amplify the amount of traffic involved in a DDoS attack, DDoS attackers can
employ a second layer of devices between themselves and the attack target. This
second layer is composed of reflectors.
Reflectors are network devices that generate return traffic to acknowledge the
receipt of a request, such as the generation of a SYN-ACK in response to a SYN
request. The most common Internet reflectors in a reflected DDoS attack are Web
servers, Domain Name System (DNS) servers, and routers. A reflected DDoS
attack follows these steps:
1. The attacker installs malware on thousands or even millions of Internet
endpoints. These endpoints then become zombies.
2. The attack begins when the attacker accesses the zombie endpoints through
the malware-created backdoor.
3. The zombies begin to generate and send traffic. However, unlike DDoS attacks
in which the zombie computers send traffic directly to the attack target, reflected
DDoS zombies send traffic to Internet reflectors using the target’s spoofed IP
address as the traffic source.
4. The reflectors flood the target network with traffic.


Rather than each zombie sending a large amount of traffic, which can cripple the
zombie endpoint’s network, zombies need only send traffic to a couple of reflectors
for the attack to succeed. And the large number of zombies and use of reflectors
makes tracing the source of a reflected DDoS attack extremely difficult.

Further Reading
For more information on DDoS attacks and reflected DDoS attacks,
see
http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-
whitepaper.html.


Summary

The attack types that have been discussed in this module are intended as a guide to
understanding the kinds of problems that you face in securing a network.
However, with all the different attacks that can threaten your network, it would
take a lifetime to think of every possible way to exploit a network and plug each
hole. Rather than consider each attack one by one, you can apply network security
in a layered, organized manner. The next module will discuss four layers of
network security that can be used to create a comprehensive security solution.

Security Layers Overview
Module 3

Objectives
To protect your network from attacks, both the many known and the as-yet-
unknown, you will need an organized method to implement network security.
Network security can be broken down into four layers, each of which can help to
protect against particular network vulnerabilities. In this module, you will be
briefly introduced to the four main network security layers and to comprehensive
security solutions. Comprehensive security solutions are security measures that
handle two or more of the network security layers. Each of the layers will be
discussed in greater detail in later modules, and the course will close with an in-
depth discussion of comprehensive security solutions.
After reading this chapter, you should be able to:
• Explain proactive and defensive security components used to protect your
network
• Describe the Network Access Control Security layer and give examples of
methods for controlling access to your network
• Describe the Data Integrity and Privacy layer and methods used to keep
network data secure
• Identify the Device Access Security layer and explain why access to managed
devices must be secured
• Identify the Endpoint Integrity layer and explain why endpoint devices must
be protected
• Give examples of security solutions that cover more than one network
security layer


Proactive Components

You will recall from Module 1—Introduction to Network Security that
comprehensive network security includes two components: proactive and
defensive. Proactive network components provide policy-based access control to
mitigate network security problems before they become crises. They accomplish
this goal using:
• Network access control—Network access control is similar to airport
security: to reach your airplane, you must verify your identity, be scanned to
ensure that you are in compliance with airline security policies, and be
directed to the gate at which you will board the plane. Those who do not
comply with security policies or who attempt to access airport areas that are
off-limits are isolated and detained. The Network Access Control Security
layer works in a similar manner to control and monitor the users and devices
that access the network.
• Data integrity and privacy—After you protect your network and your data
by limiting network access, you must protect your data both within the
network and as it is forwarded between networks. The Data Integrity and
Privacy layer works by using encryption technologies to verify your data’s
authenticity, as well as restrict access to it.
The Network Access Control Security layer and the Data Integrity and Privacy
layer both serve as proactive network security measures.
Protection Layers

Network Access Control Security

To prevent a burglar from vandalizing or stealing from your business, you can
restrict entry to the building where your business is located. Network security
begins the same way: to prevent an attacker from breaking in and stealing or
destroying data, begin by controlling who and what devices gain entry to your
network and by making sure that the only endpoints that connect to the network
are known, approved, and trusted.
The Network Access Control Security layer focuses on methods to prevent
attackers from gaining entry, or access, to your network. At this layer, you will use
technologies that can verify an endpoint’s identity (authentication), grant the
endpoint limited access (authorization), and keep a record of what the endpoint
accesses (accounting).
Before an endpoint connects to the network and requests access to network resources,
network devices can require it to authenticate. The process for authenticating an
endpoint includes verifying its identity through passwords or digital certificates and
policies stored on authentication servers. After an endpoint’s identity has been
established, the network device may then restrict the endpoint’s access to network
resources using virtual local area networks (VLANs) or host-based access control lists
(ACLs). And for auditing and prevention purposes, records of all endpoint connect
attempts may be logged using a Remote Authentication Dial-In User Service
(RADIUS) accounting server.


A well-secured network at the Network Access Control Security layer will
resemble a locked building that requires keys and passwords (authentication), has
security guards (authorization), and has surveillance cameras (accounting) at each
point of entry. However, even after all endpoints on the network are authenticated,
endpoint devices may still pose a security risk.

Further Reading
For more information on access control, including information on
VLANs, ACLs, authentication, authorization, and accounting, see
Module 4—Layer 1: Network Access Control Security.


Data Integrity and Privacy

A burglar may seek to attack a business by discovering and copying sensitive
company paperwork. For example, a company may be doing proprietary research
on a new product. This research is kept in a locked filing cabinet in a locked room.
However, a burglar may break in and access this research. To protect the papers, in
addition to locking the room and filing cabinet in which the research is kept, the
pages are placed in a particular file in a particular order. If a burglar were then to
break in, missing or out-of-place research pages would signal a security breach.
This security measure is comparable to data integrity protections: burglars might
find the data, but they cannot tamper with it without your knowledge.
The company might also tell researchers to write papers in language a typical
burglar would not understand even if he or she did manage to obtain the papers.
This measure is similar to encryption, which ensures data privacy.
In networking terms, it is important to ensure that data is protected while it is stored
or forwarded through the local area networks (LANs) and wide area networks
(WANs). Stored data can be copied or erased with a minimum of network access.
Forwarded data can be sniffed, intercepted, altered, forwarded, and analyzed. This
stolen or intercepted data can then be used to gain access to your network.


The Data Integrity and Privacy layer focuses on securing data as it is stored or
as it transits the network. At this layer, you will implement encryption
algorithms (such as the Advanced Encryption Standard [AES] or Triple Data
Encryption Standard [3DES]) on the data to ensure that it cannot be
eavesdropped on, and hash functions (such as the Secure Hash Algorithm
[SHA-1] or Message Digest 5 [MD5]) on the data to ensure that it has not been
tampered with.
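
The following Python example (added here, not from this guide) makes the integrity half concrete and goes one step beyond the text: the tampering a wired man-in-the-middle performs, described earlier under Impersonation, is not caught by an unkeyed hash, because the attacker simply recomputes the digest over the altered data, whereas a keyed MAC (HMAC) built from the same hash function rejects it. SHA-256 stands in for the SHA-1 and MD5 named in the text, both of which are deprecated for new designs; the message and key are constructed.

```python
"""Integrity check with an unkeyed hash versus a keyed MAC (added example)."""
import hashlib
import hmac
import secrets

# Constructed message; the key is known only to sender and receiver.
MESSAGE = b"transfer 100 to alice"
SHARED_KEY = secrets.token_bytes(32)  # in practice derived during session setup


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest, the kind of hash the text names (SHA-1/MD5 work alike)."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 over the data; only holders of `key` can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, tag: str) -> bool:
    return hmac.compare_digest(digest(data), tag)


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


def mitm_tamper(data: bytes, recompute):
    """What a man in the middle does: alter the message in transit and rebuild the
    tag with whatever function it has access to (never the keyed one)."""
    altered = data.replace(b"alice", b"mallory")
    return altered, recompute(altered)


def unkeyed_hash_is_defeated() -> bool:
    """True when the tampered message still verifies under a plain hash."""
    altered, forged_tag = mitm_tamper(MESSAGE, digest)  # public hash: anyone can recompute
    return verify_digest(altered, forged_tag) and altered != MESSAGE


def keyed_mac_detects_tampering() -> bool:
    """True when the MAC rejects the tampered message because the attacker lacks the key."""
    tag = mac(SHARED_KEY, MESSAGE)
    altered, forged_tag = mitm_tamper(MESSAGE, digest)  # best effort without the key
    return (verify_mac(SHARED_KEY, MESSAGE, tag)          # genuine message still passes
            and not verify_mac(SHARED_KEY, altered, tag)  # old tag over new data fails
            and not verify_mac(SHARED_KEY, altered, forged_tag))  # forged tag fails


if __name__ == "__main__":
    print("plain hash accepted tampered data:", unkeyed_hash_is_defeated())
    print("HMAC rejected tampered data:", keyed_mac_detects_tampering())
```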
While data security measures can protect the data itself, attackers may still be able
to open a network security hole by gaining access to the network devices. To
protect against such attacks, your network should incorporate defensive network
security components, which provide security and attack immunity for your
network devices.

Further Reading
For more information on data integrity and privacy, including
information on encryption, see Module 5—Layer 2: Data Integrity
and Privacy.


Defensive Components

Defensive network components focus on creating a network structure that is secure
and protected from common network attacks. They accomplish this goal using:
• Secure network devices—Network backbone devices such as routers, switches,
and wireless access points (APs) must be secured from unauthorized access and
tampering to maintain network integrity and security.
• Resilient network immunity—Network devices, particularly endpoint
devices, must be immunized against common network security issues such as
worms, viruses, and malware.
The next two network security layers—the Device Access Security layer and the
Endpoint Integrity layer—each serve as defensive network security measures.


Device Access Security

Another way that a burglar can overcome security is by subverting the measures
already in place, such as security guards, surveillance cameras, or other devices.
For example, in many court cases, impartial trial jurors form the backbone of the
trial system. If an attacker were able to subvert one of the trial jurors, the attacker
could get private information about the case, or the attacker could attempt to sway
the juror’s decision with inappropriate or incorrect information. To protect the
jurors’ impartiality and safety, they are quarantined and guarded.
In a network, an attacker may attempt to gain management access to a network
device such as a router, switch, or server with the intent to reconfigure the device to
allow unlimited access to network resources. For example, unauthorized access to a
switch may allow an attacker to reconfigure a VLAN (in the slide, VLAN 164) that
opens a severe network security hole.
The Device Access Security layer focuses on protecting managed network devices
that serve as network security checkpoints. Under the control of an attacker, these
devices can cause devastating problems in your network, including group or
network outages, unauthorized access, and untraceable theft of information. You
can protect managed devices by requiring login authentication and by limiting
unsecured methods of access.


To establish a terminal management session with the device, you will either need
to connect directly to the device using a cable, or you will need to establish a
remote session using a Web browser, Telnet, or Secure Shell (SSH) session. The
device, however, can require authentication using passwords or digital certificates
to the device itself or to an external authentication server. (For more information
on authentication methods, see Module 4—Layer 1: Network Access Control
Security.) The device can also be configured to reject unsecured Telnet or HTTP
sessions to ensure that management passwords and traffic are kept secure.

Further Reading
For more information on device access security, including information
on Telnet, SSH, and HTTP, see Module 6—Layer 3: Device Access
Security.


Endpoint Integrity

Despite good building security, a motivated burglar will look for ways to
circumvent perimeter defense. One way to get around perimeter security is to use
authorized employees to get information about the business and about the building
that houses the business. For example, a burglar may subvert an employee to tell
him about the building layout or use an unsuspecting employee to carry a camera
or microphone inside the building.
Employee subversion is a very uncommon occurrence in most businesses, but
endpoint subversion by using an authorized host (usually an endpoint device) to
act as a carrier is a common way that network attacks can overcome network
access layer security. For example, an endpoint device may include malware,
worms, viruses, or spyware that can infect the network and compromise security.
A computer that is not running a personal firewall may become vulnerable to
attacks that can carry over to your LAN. Workstations that do not have the most
current OS patches are susceptible to attacks that exploit well-known software
vulnerabilities. Antivirus software that is not up to date may leave a laptop open to
newer viruses and worms.


The Endpoint Integrity layer of network security protects endpoint devices from
knowingly or unknowingly infecting the network. At this layer, you will ensure
that endpoint devices have the appropriate personal firewall, antivirus software,
OS patches, and monitoring agents to secure the network against vulnerabilities
opened by endpoint devices.
You should now understand the four layers that build a secure network. The next
four modules will discuss each of these layers in depth.
As you create a multi-layered approach to your network security, you will discover
that many solutions address security at one particular layer. To maintain granular
control over your network solution, you may want to implement one solution for
each security layer. However, for simplicity, you may want to consider a single
solution that secures more than one layer.

Further Reading
For more information on ways you can keep network endpoints
secure, including antivirus software, firewalls, and OS patches, see
Module 7—Layer 4: Endpoint Integrity.


Comprehensive Security Solutions

The best network security comes from implementing measures at all four security
layers. However, using a separate system for each layer can create a management
and compatibility nightmare. For example, going back to the burglar scenario,
suppose your company decides to outsource each layer of security to a separate
company. You must devote time and money to monitor and audit the behavior of
each company, ensuring that the security measures are being adjusted to fit
changing policies, evolving company infrastructure, and new security threats. A
far better solution would be to outsource security to a single company that
provides a comprehensive solution.
Similarly, by integrating all four security layers—the Network Access Control
Security layer, the Data Integrity and Privacy layer, the Device Access Security layer,
and the Endpoint Integrity layer—you can protect your network at multiple layers
from multiple types of attacks.
In addition, even after deploying network solutions at all four layers, your network
is vulnerable to new and evolving attacks. To mitigate this vulnerability, you can
deploy comprehensive security solutions that cover multiple layers. These
comprehensive solutions include intrusion detection systems/intrusion prevention
systems (IDS/IPS) and unified threat management (UTM) solutions, among others.
Each of these solution devices or mechanisms allows you to simultaneously
protect multiple layers of your network.


• IDS/IPSs—IDS/IPSs are hardware and software solutions that monitor
network traffic and look for network intrusions and attacks. IDS/IPS devices
can be placed either at network choke points or on network endpoints.
Attacks are detected either by benchmarking normal traffic and monitoring for
deviations (anomaly-based detection) or by inspecting traffic for known attack
patterns (signature-based detection). An IDS only detects and alerts; an IPS
sits inline and can also drop the offending traffic.
• UTM solutions—Unified threat management solutions provide IDS/IPS,
antivirus software, email and Web content filtering, and firewall functions in a
single unit. Most UTM solutions are easy to manage and can often work as a
router. However, UTM solutions are generally suited only to small- and medium-
sized businesses and to networks that do not need granular, per-function control.
Comprehensive security solution components such as IDS/IPS and UTM solutions
can provide vital protection at relatively low cost across one or more of the
network security layers. These devices can save your company time and money
while protecting your network.

Further Reading
For more information on comprehensive network solutions such as
IDSs, IPSs, and UTM devices, see Module 8—Comprehensive
Security Solutions.


Summary

In this module, you were introduced to the four network security layers. You
should now be familiar with network access security, endpoint integrity, data
integrity and privacy, and device access security. You should also be aware of
some comprehensive security solutions that span multiple security layers.
While it takes a great deal of time and effort for a burglar to physically infiltrate a
company, network infiltration requires much less effort. Attacks are real and can
occur for a much less sinister reason than corporate espionage. To ensure your
company's network integrity, you should implement security solutions in multiple
security layers. Specific security solutions at each layer will be discussed in the
next four modules.

Layer 1: Network Access Control Security
Module 4

Objectives
This module explains how network devices identify each user that connects to the
network (authentication) and enforce the appropriate network rights for that user
(authorization). It also describes the wide array of technologies for monitoring
traffic at levels ranging from the packet header to the packet content.
By the time you have completed this module, you should be able to:
• List advantages and disadvantages for several types of authentication
credentials
• Describe authentication protocols, outlining in particular the Extensible
Authentication Protocol (EAP) process
• Describe the Authentication, Authorization, and Accounting (AAA)
framework
• Explain the roles of supplicant, authenticator, and authentication server in
802.1X authentication
• List several types of access controls and explain how a network device
applies them to a user
• Identify other ways of filtering network traffic, including firewalls and
content filtering


Network Access Control Security: Authentication and authorization

Somehow a user connects to your network: she turns on her workstation, or she
associates with a wireless network. In a secure network, the network infrastructure
immediately springs into action to control traffic from that user. Network devices
must block traffic from unauthenticated users and control traffic from
authenticated users—and implement the processes that let them distinguish
between the two types. With security at the edge, the edge device coordinates these
processes as the authenticator.
In essence, network access control security consists of a process for matching a
user’s credentials with a predefined policy, and, based on the result, granting the
user the appropriate level of access. Although this process sounds simple, the
actual implementation of network access control security requires numerous
interacting protocols and devices.
This module will describe the elements in this process, building piece by piece
until you understand how, using one of several different authentication methods,
network devices identify users and grant them the appropriate rights.


The slide above illustrates one authentication model. A switch enforces a
particular authentication method on its ports, typically working in conjunction with
an AAA (pronounced “triple A”) server. When a station connects to a port, the
user must submit his authentication credentials, via an authentication protocol such
as EAP, to be checked by a AAA server against the credentials stored in a
directory server. (For more information on AAA, see the “AAA” section of this
module; for EAP, see the section titled “EAP.”)
This module will explain the various components of authentication and authorization
(access control) in turn. Keeping the following concepts in mind will help you
remember the role of each device at each step:
• The station of the user requesting network access includes an authentication
client. This client enables the user to respond to the authenticator’s challenge.
In other words, the user is the person; the endpoint is the station; and the
client is the software.
• An authenticator controls authentication, typically initiating the process and
ultimately enforcing whether the user can or cannot access the network. The
closer to the edge the authenticator is, the better the security, because traffic
from an unauthenticated station is stopped before it reaches the rest of the network.
• An authentication server verifies users’ authentication credentials, which may
be stored in a database on that server or on a directory server. Although the
same device that acts as the authenticator may be the authentication server,
typically a different device performs this role. If the authentication server
also acts as an authorization, or access control, server, it determines users’
network rights as well as verifies their credentials.
• A directory server stores many different kinds of information about users,
including their authentication credentials. An authentication server can send
users’ credentials to a directory server to be verified. The directory server checks
the credentials and passes the results of this check to the authentication server.


Network Access Control Security: Filtering traffic

The previous slide outlined a process for controlling users’ network rights through
authentication and access control. This slide illustrates other security technologies
that filter traffic, including:
• Firewalls—Firewalls stand between a trusted network and untrusted networks,
often between a WAN router and the Internet, and filter traffic.
• Access control lists (ACLs)—If a user has the correct credentials and is
allowed to enter the network, ACLs determine which devices he is allowed to
use and what applications and data he can access within the network.
• Content filters—For example, a Web filter can block Web traffic to sites
that include particular forbidden keywords.
Firewalls, ACLs, and content filters will be discussed in detail later in this module.


Authentication Credentials

You can identify yourself in many different ways: give your name, show an ID
badge, tell information an imposter would not know. In the networking world, a
user can also submit many different forms of authentication: a password, a number
displayed on a token card, a fingerprint. In the end, all authentication techniques
rely on the user’s client software submitting a value the authentication server has
previously associated with the user.
The client can derive this value based on:
• something the user knows
• something the user has
• something the user is
The weakest authentication techniques use only one of these methods (typically
the first), while stronger techniques combine several.


Single-factor Authentication: Passwords

To pass the guard, you must first answer his questions satisfactorily—an old
authentication scheme. Most traditional authentication solutions use a single form
of credentials: a shared secret. You are presumed to be someone because you know
something. When withdrawing money from an automated teller machine (ATM),
the secret can be your credit card’s personal identification number (PIN).
In the networking world, the secret is typically a password, stored on a server and
known by the user. When a user must authenticate herself, she enters her
password. The server receives the password and verifies that it matches the one
stored for that user.
Passwords are convenient network credentials because they are portable (you carry
them in your head), and as data, they are easily transferred through a system
designed to carry data.
Unfortunately, shared secrets have a way of ceasing to be secret. Nothing is so
easily spread as information. Users may write down their passwords where anyone
can find them; they may tell them to friends and family members. Users often
select easily guessed passwords such as birthdays, children’s names, and favorites.
In addition, passwords that are not changed frequently can be collected by
hackers and used long after they were captured.


Shared Keys and Digital Certificates

Primarily, encryption addresses confidentiality, ensuring that only authorized
endpoints can read your data, and message integrity, ensuring that other endpoints
can detect if your data has been altered. However, encryption is sometimes enlisted
to play a part in authentication.
Module 5—Layer 2: Data Integrity and Privacy will explain how encryption
ensures data confidentiality and message integrity and delve into the mechanics of
encryption. This module will simply briefly describe the role of encryption in
authentication.
Encryption transforms data into a form that only an endpoint holding the correct
decryption key can read. Encryption comes in several forms:
• one-way encryption (more precisely, hashing), in which the data is transformed
irreversibly and no key can recover it
• encryption with symmetric keys, in which the same key encrypts and
decrypts data
• encryption with asymmetric keys, in which a pair of keys is used: what one key
encrypts, only the other can decrypt. For authentication, the private key signs
data and the public key verifies the signature.
The sections below outline why you might encounter each of these types of
encryption in discussions of authentication.


Password Obfuscation (One-way Encryption)

One-way encryption, or hashing, transforms data of any length into a short,
fixed-length value, often called a hash value or message digest, from which the
original data cannot be recovered.
Hashing is used in a variety of situations to preserve message integrity. For the
purposes of this module, however, you simply need to understand that endpoints
often hash their passwords before submitting them to an authentication server.
Similarly, directory servers often store passwords in hashed form. These measures
obfuscate passwords, making them more difficult for hackers to collect. Note that
hashing alone does not protect a weak password: an attacker who obtains an
unsalted hash can guess candidate passwords and hash them until one matches, so
stored password hashes should be salted.
Common hash functions include Message Digest 5 (MD5) and Secure Hash
Algorithm 1 (SHA-1). Both have since been shown to be vulnerable to collision
attacks and should not be used in new designs; the SHA-2 family (for example,
SHA-256) is the usual replacement.

Shared Keys (Symmetric Encryption)


A shared, symmetric encryption key can serve as the “something you must know”
for authentication.
For example, Wired Equivalent Privacy (WEP) is a protocol for encrypting data in
the shared wireless medium. Some companies also use WEP to attempt to control
who connects to their wireless networks. Because a wireless access point (AP) drops
traffic unless the traffic is encrypted with the correct key, in effect the encryption
key acts as a shared password for every endpoint in the wireless network.
Kerberos, a network authentication service, also uses shared keys to authenticate.
Like passwords, the security of a shared key depends on how often it is changed
and how many people know the key. If, as with WEP, all users have the same
shared key and all packets in a network are encrypted with this key, hackers can
collect enough traffic to recover the key. WEP’s key can in fact be recovered from a
modest amount of captured traffic, so WEP should not be relied on for access control.

Digital Certificates (Asymmetric Encryption)


Digital signatures and certificates—one of the most secure forms of
authentication—rely on asymmetric encryption.
You “sign” data by encrypting a hash of it with your private key—a key that you
generate and that never leaves your possession. Others verify your signature with the
corresponding public key: if the value they decrypt with the public key matches the
hash they compute themselves, they know that you must have signed the data
(because you alone have the corresponding private key).
You distribute your public key in a digital certificate, which in addition to the
public key contains information about your identity. This certificate must be
signed by a certificate authority (CA), which testifies that you are who you claim
to be in the certificate.
An advantage of digital certificates is that the asymmetric encryption algorithms
on which they rely are very secure. In addition, you can authenticate yourself to
any endpoint that trusts your CA, not only to endpoints with which you have
already established a trusted relationship—a system ideal for environments such as
the Internet.


On the other hand, your certificate is only as trusted as your CA is trusted, and
purchasing certificates from reputable CAs can be expensive, while deploying
certificates to many endpoints can be time consuming.
Although X.509 was created as part of the X.500 standard (which will be
discussed in detail later in this module) to provide strong authentication, it has
become the de facto standard for digital certificates used in other security
implementations as well.


Two-factor Authentication

Two-factor authentication combines two types of credentials for greater security:
for example, a password and another form of authentication such as an iris scan.
An authenticator that requires two-factor authentication resembles a cashier who
checks customers’ driver’s licenses and asks for a PIN.
Two-factor authentication combines any two types of authentication. You have
already learned about passwords and digital certificates for single-factor
authentication. Both types of credentials are also often used as one factor in two-
factor authentication.
The following slides will discuss two other types of factors:
• tokens, physical objects a user must have in order to authenticate
• biometrics, using a physical characteristic such as a fingerprint or iris pattern


Tokens: Security enhancements

A token is a physical object the user must have in order to authenticate. At its most
literal level, such an object would be, for example, a key a user would insert in a
lock before he could access a keypad and enter a password.
In the networking world, the physical object is almost always some form of token
card. The user can either enter a value read from the card as a password, or the
card itself can generate and submit authentication credentials.
Using tokens in addition to passwords typically provides the two security
enhancements explained below.

Non-Reproducible Credentials
A password is easily copied and transferred. Your password may be stolen and your
network account accessed without your realizing it. If, on the other hand, someone
steals your token, you can at least inform network administrators of the theft.
As hard-to-duplicate physical objects, tokens also prevent users from voluntarily
distributing their credentials to unauthorized users.


One-time Passwords (OTPs)


Clearly, the less often a password is used, the harder it is for hackers to hijack it.
The most secure credentials would be valid the first time the user submits them and
never again. But how do you synchronize such changing credentials on the client
and the server?
Once, OTPs were stored as a list of passwords that users actually crossed off as
they used them. Now, tokens provide much more secure and manageable OTPs.
The token stores a great many OTPs (or values used to calculate the OTPs), at any
given moment returning the one that matches the OTP currently on the
authentication server. Token and server stay in step either by the time of day or by
a counter that both sides advance with each use.
An eavesdropper sniffing for passwords may detect the OTP. However, by the
time she can send the password herself, the correct OTP no longer matches the one
she has intercepted.
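To make the synchronization concrete, here is an added example that is not part of this course's material: a Python implementation of the counter-based HOTP algorithm (RFC 4226), which is one standardized way for a token and an authentication server to agree on the current OTP. The token and server share a secret and a counter; the secret used here is the test secret published in the RFC, and the Token and AuthServer classes and the look-ahead window of five values are assumptions of the example rather than anything this course describes. The server advances its counter past every value it accepts, which is exactly why a sniffed OTP is rejected when the eavesdropper resends it.

```python
import hashlib
import hmac
import struct

# Shared secret provisioned on both the token and the authentication server.
# This is the 20-byte test secret published in RFC 4226; a real deployment
# provisions a random secret per token.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter (RFC 4226): HMAC-SHA1, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class Token:
    """The user's disconnected token: shows a new value on each button press."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press_button(self) -> str:
        value = hotp(self.secret, self.counter)
        self.counter += 1
        return value


class AuthServer:
    """Holds the same secret plus the next counter it is willing to accept."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead   # tolerate values generated but never sent

    def verify(self, submitted: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.next_counter = c + 1   # window moves past the accepted value
                return True
        return False


def demo() -> dict:
    """Legitimate use, a replayed value, and a value after a skipped press."""
    token, server = Token(SHARED_SECRET), AuthServer(SHARED_SECRET)
    first = token.press_button()
    results = {
        "first_otp": first,
        "first_accepted": server.verify(first),
        "replay_accepted": server.verify(first),   # eavesdropper resends it
    }
    token.press_button()                           # generated but never submitted
    third = token.press_button()
    results["third_accepted"] = server.verify(third)   # still inside the window
    results["third_replayed"] = server.verify(third)
    return results
```

Calling demo() shows the first value accepted once and rejected on replay, and the value after a skipped button press still accepted because it lies inside the server's look-ahead window. The look-ahead window is a usability compromise: the wider it is, the more unused values an attacker who steals a token's output can try later, so production servers keep it small and lock the account after a run of failures.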


Tokens: Token types

Many companies, including RSA Security Inc., VeriSign, Inc., Bluetooth SIG,
Inc., CRYPTOCard Corp., Booleansoft Inc., and Mykotronx Corp., have
developed tokens. While all tokens are physical objects that allow a user to
retrieve authentication credentials, some require a great deal of user interaction
and others none at all. Some contain complex encryption capabilities, and others
are relatively simple.

Disconnected Tokens
Perhaps the most common type of token, a disconnected token requires the user to
manually input information into whatever client she uses for authentication.
Some tokens display a value on an LCD screen. This value periodically changes in a
non-predictable fashion. (Other tokens change the value only when a user presses a
button.) When a user wants to authenticate, he must manually input the value into
his authentication client along with, if required, his password. The authentication
client or other software generates an OTP from this value. Other tokens can generate
the OTP themselves. For example, in addition to the screen, the token may have a
keypad. You input your password, and the token returns the OTP.


Because the user reads information from the disconnected token, the token can be
relatively simple and does not require an expensive input device. However,
disconnected tokens have a limited battery life (usually two to four years) and
require more from users and their authentication clients.

Connected Tokens
Connected tokens are installed in a station, offering the advantage of submitting
credentials directly to the user’s authentication client and thus on to the
authentication server.
The most common types are:
• Smart cards—Roughly the size of a credit card, the smart card stores a
digital certificate as well as a private key. With its cryptographic capabilities,
the smart card both signs data and verifies signatures, so the private key never
leaves the card. Smart cards may require expensive input devices called card
readers to be installed in a station.
• USB tokens—Some USB tokens hold a bank of OTPs. Others store digital
certificates and private keys like a smart card. Because most endpoint devices
now have USB ports, USB tokens are generally easier to use and install than
smart cards. Also, because they do not require card readers, USB tokens tend
to be cheaper.
RSA Security is in the process of developing standards for integrated OTP
applications in connected tokens. Among other functions, these standards will
regulate:
• the configuration of the token (how the token is programmed with the OTPs
also programmed on the authentication server)
• the retrieval of OTPs (how authentication clients retrieve an OTP from a
connected token)


Biometrics: Physical characteristics

Both passwords and tokens associate individuals with more or less arbitrary
credentials, whether a piece of information or an object. An increasingly important
authentication factor, biometrics attempts to equate users and their credentials by
identifying individuals with something intrinsic to them—a physical characteristic
such as a fingerprint.
Passwords can be intercepted and guessed; tokens can be stolen. A person’s
physical characteristics are (in theory at least) inseparable from him or herself—
unalterable and irreproducible.
The term “biometric” refers to two, closely connected concepts: the physical
characteristics themselves and the process of using those characteristics for
authentication. The first will be discussed on this slide and the second on the next.

Biometric Types
A biometric is the physical characteristic used to identify a user. One of the oldest
biometrics is a fingerprint. Other biometrics—such as voices, faces, and
handwriting—have long been used in day-to-day life, but only relatively recently
as systematic authentication methods. Still other biometrics, such as iris patterns,
are relatively new on all fronts.


Usefulness of Particular Biometrics


Factors that affect a biometric’s usefulness include:
• Uniqueness of the profile—For example, fingerprints and voice patterns are
not entirely unique to an individual.
• Ease of collecting the data—Finger and handprints require the user to
cooperate (to touch a sensor). Iris and face scans, on the other hand, can be
done without the user even being aware of the scan. If extraneous factors,
such as an individual’s clothing, hairstyle, position, or stance, make it
difficult for the sensor to collect the data, the biometric is less easily
implemented.
• Expense—Iris, voice, and face recognition in particular require expensive
hardware and software to collect and analyze the biometric.
• Reliability—Dirty or worn-out sensors might return false results.
• User perception—Because fingerprints have been associated with criminal
investigation, some users resist being fingerprinted. Some also have concerns
about the safety of iris scans.


Biometrics: Process

“Biometric” also refers to the process of using a biometric (such as an iris scan) to
authenticate a user. This process breaks down into these general steps:
1. Data collection—A sensor must collect the individual’s biometric and
convert it into digital form.
2. Signal processing—The biometric must then be transformed into a digital
template. Biometric standards define signal processing algorithms, which
should return a unique digital template for each individual.
3. Transfer—The authentication client transmits the digital template to the
authenticator as the user’s credentials. The authenticator transmits the
template to an internal or external server for processing.
4. Matching—The authentication server stores digital templates. Using a
relatively complex algorithm, it determines whether the received digital
template matches a template in its database. Because two scans of the same
person never match exactly, the comparison yields a similarity score that is
judged against a threshold; setting that threshold trades false acceptances
against false rejections.
5. Deciding—The authentication server might store a list of templates allowed
to access a system (a white list) or a list of templates barred from the system
(a black list). Based on which list a user’s template matches, the authenticator
decides whether to grant the user access.


As shown in the slide, often a biometric is only one factor in an authentication
scheme. For example, a biometric can also be a second factor for password
authentication.
The slide also illustrates a two-factor authentication scheme in which a token
requires the user to press his thumb against a plate before the token displays a
value. The first authentication factor is the biometric (thumbprint) and the second,
the token. In this case, all five steps in the biometric take place within the token,
which acts as the sensor, the authentication client, and the authentication server.
However, the authentication server for the token factor resides in the network to
which the user connects.

Further Reading
For information on digital certificates, see also these ProCurve
Networking courses:
• ProCurve Networking Security
• ProCurve WAN Fundamental Technologies


Authentication Protocols

To this point, this module has focused on the various types of authentication
credentials and how users receive these credentials and submit them to an
authentication server.
You must also understand how an authenticator (typically an edge network device
such as a switch or wireless AP) requests these credentials and how an endpoint
returns them. (From this point, it will be assumed that the client retrieves and
submits the credentials, and the authentication client will not be distinguished from
the endpoint as an entity.)
One of several authentication protocols defines this process. You will learn about:
• Password Authentication Protocol (PAP)
• Challenge-Handshake Authentication Protocol (CHAP), including the more
robust and commonly used Microsoft CHAP version 2 (MS-CHAP v2)
• Extensible Authentication Protocol (EAP)
These three protocols were originally designed to authenticate peers on either end
of a Point-to-Point Protocol (PPP) link. EAP, however, has become particularly
important as part of the overall authentication method 802.1X (discussed later in
the module).


PAP

Fundamentally, an authentication protocol must allow:
• the endpoint to submit the user’s authentication credentials to the
authenticator as part of a request for network access
• the authenticator to either accept or reject the request (based on the
credentials)
PAP, an extremely simple protocol rarely used in contemporary networks,
provides an easily understood model of this process. The slide above shows PAP
as it is implemented over a PPP connection between two routers.
1. The endpoint sends an Authenticate-Request packet. This request includes
the username and password in plaintext.
2. The authenticator compares the submitted password to a password stored for
the user and determines whether the user can access the network. This
process might involve submitting the username and password to a server.
(Because this section of the module does not focus on this step, the password
database is simply shown floating somewhere in the network.)
Whatever the intervening steps, the authenticator finally either allows the
endpoint access, sending an Authenticate-Ack, or denies the endpoint access,
sending an Authenticate-Nak.


PAP opens several security vulnerabilities. First, because the endpoint initiates the
process, the authenticator cannot control parameters such as how many times the
endpoint can reattempt to authenticate. Second, the password is sent in plaintext
and can be intercepted. To limit the interception window to the point-to-point link
itself, the authenticator can hide the password before forwarding it through the
network to a Remote Authentication Dial-In User Service (RADIUS) server; RADIUS
does this by combining the password with an MD5 digest of the RADIUS shared secret
and a per-request value, a hiding that the server reverses to recover the password.
(RADIUS is the most common AAA protocol. For more information on RADIUS
servers, see the “RADIUS” section of this module.)
Some administrators allow PAP as a final authentication option for endpoints that do
not support more secure protocols. However, you should be wary of such
implementations because a network is only as secure as the least secure protocol it
still accepts.


CHAP

CHAP addresses several of PAP’s problems.


Initiated by Authenticator
CHAP uses a three-way handshake, adding a new first step to PAP’s two-way
handshake. In the new first step, the authenticator issues a challenge. Because the
authenticator initiates the protocol, the authenticator has more control over the
process. For example, the authenticator can periodically force an endpoint to
reauthenticate.
Hashed Passwords
Although, like PAP, CHAP uses usernames and passwords as authentication
credentials, it does not send the password across the link. Instead, the endpoint
sends a one-way hash computed over the challenge (and the packet’s identifier)
together with the password, and the authenticator recomputes the same hash from
the password it holds for that user and compares the two. To prevent hackers
from simply capturing and resending a user’s hashed response (a playback or
replay attack), each challenge carries a different, unpredictable value. Because both
the endpoint and the authenticator include the current challenge value in the hash,
an old hash value does not match the hash for the password and the new challenge
value, and the authentication fails.


Because the authenticator must recalculate the hash of the password with various
challenge values, it must be able to extract the password. Therefore, the database
must store the password in plaintext or reversible encrypted form. This
requirement excludes certain types of authentication servers from a network that
uses CHAP.
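The following Python model, added here as an illustration and not taken from this course, plays out both the PAP exchange described earlier and the CHAP exchange described above against a constructed user database (the user, the password and the packet dictionaries are all assumptions of the example, standing in for the real PPP packet formats). The same eavesdropper captures both exchanges: the PAP Authenticate-Request carries the password itself and replays successfully, while the captured CHAP Response fails both against the next challenge and when resent under its original identifier. The CHAP response value is computed as RFC 1994 specifies, MD5 over the Identifier, the secret and the Challenge, which is also why the ChapAuthenticator here has to keep the password in recoverable form.

```python
import hashlib
import hmac
import os

# Constructed user database (an assumption of this example). The CHAP
# authenticator must hold the password itself, not a one-way hash of it,
# because it has to recompute MD5 over every fresh challenge.
USER_DB = {"alice": b"correct horse battery staple"}


# --- PAP (RFC 1334): the password itself travels in the request -------------

def pap_authenticate_request(peer_id: str, password: bytes) -> dict:
    return {"type": "Authenticate-Request", "peer_id": peer_id, "password": password}


def pap_authenticator(packet: dict) -> str:
    stored = USER_DB.get(packet["peer_id"])
    ok = stored is not None and hmac.compare_digest(stored, packet["password"])
    return "Authenticate-Ack" if ok else "Authenticate-Nak"


# --- CHAP (RFC 1994): challenge, response, success/failure -------------------

def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier || secret || Challenge, as RFC 1994 specifies."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    def __init__(self) -> None:
        self.identifier = 0
        self.outstanding = {}      # identifier -> challenge awaiting a response

    def challenge(self) -> dict:
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)     # fresh and unpredictable for every attempt
        self.outstanding[self.identifier] = value
        return {"type": "Challenge", "id": self.identifier, "value": value}

    def check(self, response: dict) -> str:
        challenge = self.outstanding.pop(response["id"], None)   # single use
        secret = USER_DB.get(response["name"])
        if challenge is None or secret is None:
            return "Failure"
        expected = chap_response_value(response["id"], secret, challenge)
        return "Success" if hmac.compare_digest(expected, response["value"]) else "Failure"


def chap_peer_response(challenge: dict, name: str, secret: bytes) -> dict:
    value = chap_response_value(challenge["id"], secret, challenge["value"])
    return {"type": "Response", "id": challenge["id"], "name": name, "value": value}


def demo() -> dict:
    """Replay what an eavesdropper captured against both protocols."""
    password = USER_DB["alice"]

    # PAP: the captured request is simply resent, and the authenticator accepts it.
    captured_pap = pap_authenticate_request("alice", password)
    pap_first = pap_authenticator(captured_pap)
    pap_replay = pap_authenticator(dict(captured_pap))

    # CHAP: the captured response was bound to one challenge, so it is useless
    # both against the next challenge and when resent with its original id.
    auth = ChapAuthenticator()
    captured_chap = chap_peer_response(auth.challenge(), "alice", password)
    chap_first = auth.check(captured_chap)
    fresh = auth.challenge()
    chap_replay_new_id = auth.check(dict(captured_chap, id=fresh["id"]))
    chap_replay_old_id = auth.check(dict(captured_chap))
    return {
        "pap_first": pap_first, "pap_replay": pap_replay,
        "chap_first": chap_first,
        "chap_replay_new_id": chap_replay_new_id,
        "chap_replay_old_id": chap_replay_old_id,
        "password_on_wire": captured_pap["password"] == password,
        "hash_equals_password": captured_chap["value"] == password,
    }
```

Two details of the ChapAuthenticator matter in practice: each challenge is consumed when a response arrives, so the same response cannot be accepted twice, and the hash comparison uses a constant-time compare so that timing does not leak how many bytes of the response were right. Neither protects the password against an eavesdropper who guesses candidates offline and hashes them with the captured challenge; that weakness is why CHAP is usually carried inside an encrypted tunnel today.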

MS-CHAP v2

The most common version of CHAP used in contemporary networks is MS-CHAP
v2. MS-CHAP v2 builds on the basic CHAP process, adding several capabilities.

Mutual Authentication
In contemporary networks, unauthorized users are not the only danger: users are
also vulnerable to hackers posing as legitimate servers. CHAP provides one-way
authentication. If an endpoint wants to authenticate a server, it must initiate its own
authentication process.
MS-CHAP v2 provides mutual authentication in a single CHAP exchange by
piggybacking the endpoint’s own challenge onto its Response packet. When the
authenticator sends a Success packet, it includes its own authentication
information, computed from that challenge, for the endpoint to check. Note that
MS-CHAP v2’s challenge/response itself can be broken offline by brute force once
captured, so in contemporary networks it is normally run only inside a protected
tunnel such as PEAP (discussed later in this module).


Additional Authenticator Controls


MS-CHAP v2 also adds settings that the authenticator can control. For example,
the authenticator can limit the number of times an endpoint can attempt to
authenticate. It can also force users to periodically change their passwords. Finally,
the authenticator can include a field in Failure packets to explain to users why their
authentication failed.


EAP

Soon after PAP and CHAP were developed, designers began experimenting with
various authentication methods in environments with rapidly changing needs. For
example, the spread of wireless technologies has driven the quest for robust
authentication in environments with many eavesdroppers. Rather than limiting
such experiments, designers agreed upon an overall framework for authentication
called EAP.
This framework follows the basic three-way handshake of CHAP: challenge,
response, and result (success or failure). EAP was originally defined for PPP
connections. Ethernet networks also use EAP, for example as a part of 802.1X
authentication (discussed later in this module). In this case, EAP must be
encapsulated in Ethernet frames, called EAP over LAN (EAPOL) frames.

Challenge and Response


The initial EAP Request and Response initiate EAP; they do not transmit any
authentication credentials. Instead, the user and authenticator exchange credentials
afterward as dictated by a particular EAP method. (The EAP Response/Identity
packet, however, usually includes the user’s identity, which can be checked against
information in credentials submitted later for an additional layer of security.)


Exchange
The exchange can be quite simple—a two-step request and response—or quite
complex—involving, for example, the negotiation of a secure tunnel to exchange
credentials. In addition, different methods can require different types of
credentials. Unlike PAP and CHAP, therefore, which only use passwords, EAP
can support OTPs, token cards, and digital certificates.

Result
Based on the result of the exchange, the authenticator decides whether the
authentication has succeeded or failed.


Selecting EAP Method

Many authenticators support multiple EAP methods and allow endpoints to
negotiate the method they support.
After the initial exchange of Request/Identity and Response/Identity packets, the
next EAP Request both specifies the method the authenticator requires and
initiates that method.
If the endpoint does not support the method, it returns a Nak, which can list one or
more methods it does support. If the authenticator (or the authentication server
behind it) allows one of these methods, it initiates that method with the
corresponding EAP Request; otherwise the authentication fails.


EAP Methods

The least secure methods simply transport authentication credentials:
• EAP-MD5
• EAP-Generic Token Card (EAP-GTC)

[Slide: EAP-MD5 exchange. The Station hashes its password (MySecret) with the challenge carried in the Authenticator's EAP Request/MD5 and returns the hash in its EAP Response/MD5.]

The least secure EAP methods simply transport the authentication credentials much as they are transported in CHAP. For example, EAP-MD5 involves an EAP Request, which indicates the authenticator requires this method and carries a challenge, and an EAP Response, which includes the MD5 hash of the user's password combined with that challenge. Anyone who captures both packets can test password guesses offline at the cost of one MD5 per guess. EAP-MD5 also authenticates only the user, never the network, and produces no key material, so it cannot be used to secure WPA/WPA2 wireless links.
EAP-Generic Token Card (EAP-GTC) features a similar two-step exchange. Traditionally, the authentication credential submitted was a value read from a token card. However, EAP-GTC can carry simple passwords as well, and it carries them in cleartext unless it runs inside a tunnel.
The slide illustrates only the MD5-specific portion of an EAP exchange. An entire
exchange would include these packets:
1. An EAP Request/Identity packet that initiates the authentication
2. An EAP Response/Identity packet that indicates the endpoint’s support for
EAP and, perhaps, the user’s identity
3. An EAP Request/MD5 packet that indicates the authenticator requires MD5
authentication
4. An EAP Response/MD5 packet that includes the user’s hashed password
5. An EAP Success or EAP Failure packet, depending on whether this password
is correct
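The method negotiation and the five-packet EAP-MD5 exchange described above, as an added example that is not part of the course material: a supplicant and an authenticator (with the authentication server folded into it) exchange real RFC 3748 packets in one process. The user database, identities, password and wordlist are constructed here; TLS and PEAP are only negotiated, not run, and the MD5 response value follows RFC 1994 (MD5 of identifier, password and challenge). The last function shows why the course calls EAP-MD5 the least secure method: a passive observer with the two MD5 packets can guess the password offline.

```python
"""EAP (RFC 3748) method negotiation and the EAP-MD5 exchange, simulated in one process.
Added example, not ProCurve code; supplicant, authenticator and users are constructed."""
import hashlib
import hmac
import os
import struct

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5, TYPE_TLS, TYPE_PEAP = 1, 3, 4, 13, 25


def eap_packet(code, ident, type_=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Returns (code, identifier, type or None, type-data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    if code in (CODE_SUCCESS, CODE_FAILURE):
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def md5_response_value(ident, password, challenge):
    """RFC 3748 5.4 via RFC 1994: MD5(Identifier || password || challenge). Unsalted, unkeyed."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Supplicant:
    def __init__(self, identity, password, supported):
        self.identity, self.password, self.supported = identity, password, list(supported)

    def handle(self, pkt):
        """Answer one EAP Request; None means the exchange ended or continues out of scope."""
        code, ident, type_, data = parse_eap(pkt)
        if code != CODE_REQUEST:
            return None                       # Success or Failure: nothing to answer
        if type_ == TYPE_IDENTITY:
            return eap_packet(CODE_RESPONSE, ident, TYPE_IDENTITY, self.identity)
        if type_ not in self.supported:       # Nak lists the methods we would accept instead
            return eap_packet(CODE_RESPONSE, ident, TYPE_NAK, bytes(self.supported))
        if type_ == TYPE_MD5:
            challenge = data[1:1 + data[0]]   # Type-Data is Value-Size, Value, Name
            value = md5_response_value(ident, self.password, challenge)
            return eap_packet(CODE_RESPONSE, ident, TYPE_MD5, bytes([16]) + value + self.identity)
        return None                           # TLS/PEAP would carry on with method-specific packets


class Authenticator:
    def __init__(self, users, method=TYPE_MD5, allowed=(TYPE_MD5, TYPE_PEAP)):
        self.users, self.method, self.allowed = users, method, allowed

    def method_request(self, ident, challenge):
        if self.method == TYPE_MD5:
            return eap_packet(CODE_REQUEST, ident, TYPE_MD5, bytes([16]) + challenge + b"nas")
        return eap_packet(CODE_REQUEST, ident, self.method)

    def run(self, supplicant):
        """Drive one exchange. Returns (status, method, transcript); status is 'success',
        'failure', or 'negotiated' when a non-MD5 method was agreed but is not simulated."""
        ident, challenge, identity = 0, os.urandom(16), None
        pkt = eap_packet(CODE_REQUEST, ident, TYPE_IDENTITY)
        transcript = [pkt]
        while True:
            resp = supplicant.handle(pkt)
            if resp is None:
                return "negotiated", self.method, transcript
            transcript.append(resp)
            code, rid, type_, data = parse_eap(resp)
            if code != CODE_RESPONSE or rid != ident:
                type_ = None                  # identifier mismatch: treat as a protocol error
            if type_ == TYPE_IDENTITY:
                identity = data
                pkt = self.method_request(ident + 1, challenge)
            elif type_ == TYPE_NAK and any(t in self.allowed for t in data):
                self.method = next(t for t in data if t in self.allowed)
                pkt = self.method_request(ident + 1, challenge)
            elif type_ == TYPE_MD5:
                expected = md5_response_value(rid, self.users.get(identity, b""), challenge)
                ok = hmac.compare_digest(data[1:1 + data[0]], expected)
                transcript.append(eap_packet(CODE_SUCCESS if ok else CODE_FAILURE, rid))
                return ("success" if ok else "failure"), TYPE_MD5, transcript
            else:                             # Nak with nothing we allow, or an unknown type
                transcript.append(eap_packet(CODE_FAILURE, rid))
                return "failure", self.method, transcript
            ident += 1
            transcript.append(pkt)


def offline_guess(transcript, wordlist):
    """A passive eavesdropper's view: with the captured MD5 Request and Response, one MD5 per guess."""
    ident = challenge = value = None
    for pkt in transcript:
        code, i, t, data = parse_eap(pkt)
        if t == TYPE_MD5 and code == CODE_REQUEST:
            ident, challenge = i, data[1:1 + data[0]]
        elif t == TYPE_MD5 and code == CODE_RESPONSE:
            value = data[1:1 + data[0]]
    if None in (ident, challenge, value):
        return None
    return next((w for w in wordlist if md5_response_value(ident, w, challenge) == value), None)
```

A supplicant that supports only MD5 produces exactly the five packets listed above; one that supports only PEAP answers the MD5 request with a Nak listing type 25, after which the authenticator switches methods. The identifier check in `run` matters: a Response whose Identifier does not match the outstanding Request is discarded, which is what keeps a replayed Response from an earlier exchange from being accepted.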


EAP Methods: Continued

While EAP-MD5 and EAP-GTC meet the basic requirements of EAP, they do not
meet the goal of secure authentication in unsafe, public environments. Nor do they
support mutual authentication—an increasingly important requirement in a world
in which identity thieves mask themselves as legitimate servers.
More secure EAP methods include:
„ EAP-Transport Layer Security (EAP-TLS)
„ EAP-Tunneled TLS (EAP-TTLS)
„ Protected EAP (PEAP)

EAP-TLS
Considered one of the most secure EAP methods, EAP-TLS runs a full TLS handshake inside EAP to exchange digital certificates and generate encryption keys. By the end of the process, both ends of the connection have authenticated each other (the endpoint with its certificate, the server with its own), and the keys derived from the handshake can secure the connection itself.


The EAP Request/TLS and EAP Response/TLS packets carry the TLS handshake records, which include such information as:
„ digital certificates and certificate verifications
„ supported cipher suites
„ values for generating encryption keys
The greatest barrier to adopting EAP-TLS is the requirement for client digital certificates: every endpoint needs one issued, installed, and eventually renewed or revoked, and too many endpoints simply do not have them.

EAP-TTLS and PEAP

EAP-TTLS and PEAP were developed to provide much of the security of EAP-
TLS without forcing endpoints to use digital certificates—drastically cutting the
work in implementing the protocol. For this reason, they are among the most
common EAP methods. EAP-TTLS and PEAP function very similarly (the first is
a protocol developed by Funk Software and Certicom; the second, by Microsoft,
Cisco Systems, and RSA Security).
Like EAP-TLS, EAP-TTLS and PEAP run a TLS handshake to generate encryption keys and set up a tunnel secured by those keys. During this handshake, however, only the server authenticates itself with a digital certificate. The endpoint authenticates later, inside the tunnel, using a weaker and therefore more easily deployed method that the tunnel protects from eavesdropping.
Inner methods commonly carried in EAP-TTLS and PEAP tunnels include:
„ EAP-GTC
„ MS-CHAP v2 (as EAP-MSCHAPv2 inside PEAP; EAP-TTLS can also carry non-EAP methods such as PAP, CHAP, and MS-CHAP directly)
Because many Windows endpoints support PEAP with MS-CHAP v2 by default, this is by far the most prevalent combination.
The tunnel is only as trustworthy as the endpoint's check of the server certificate. A supplicant configured to skip that check, or to accept any certificate, builds its tunnel to whichever server answers, so a rogue access point with its own RADIUS server can collect the MS-CHAP v2 challenge and response and attack them offline. Supplicant profiles should therefore require server certificate validation and pin the expected server name and issuing CA.

Further Reading
For information on authentication protocols such as PAP, CHAP,
and EAP, see also the ProCurve Fundamental WAN Technologies
course.


AAA

Although the distinction between an authenticator and an authentication server has been mentioned in passing, the two have mostly been treated as a single entity throughout this module. While a single device can fill both roles, you must now consider the distinction more closely.
The authenticator enforces network access:
„ When a user attempts to connect, it challenges the user to authenticate.
„ Depending on the results of a user’s authentication, it restricts the user’s
access, informing the user’s client of the result.
The authentication server controls the authenticator’s decisions:
„ It verifies the user credentials passed on by the authenticator. (The server
may use its own database to check the credentials, or it may query a
directory server.)
„ Based on the user’s identity and other rules defined on the server, it decides
whether a particular user can connect to the network.
Separating the roles of authenticator and authentication server centralizes security
and eases implementing security policies. No matter where a user connects to the
system, access is controlled by the same policies configured on the same server.
The authenticator at the edge, for its part, ensures that a user is controlled from the
moment he or she connects to the network.

The Authentication, Authorization, and Accounting (AAA) framework defines the role of an authentication server. In addition, it defines two other roles for a AAA server:
„ authorization—deciding what users are allowed to do (access control)
„ accounting—tracking what users actually do
Again, centralizing these functions standardizes policies throughout a network.
The AAA server makes decisions that edge devices—in AAA, called network
access servers (NASs)—enforce.
The NASs and AAA servers communicate using a AAA protocol, of which the two most common are:
„ RADIUS
„ Terminal Access Controller Access Control System Plus (TACACS+)

Airport Analogy
This module will, from time to time, compare the AAA model to airport security.
Of course, this comparison cannot hold entirely true, and procedures described
may not match your experiences at the airport. However, by putting technologies
in familiar terms, the analogy will hopefully help you to understand how these
technologies work.
In the analogy of airport security, the area with the arrival and departure gates is
like the private network. Before you can enter this area, airport officials check
your ticket and documents. In an actual airport, you might show your ticket and ID
at one location to check in and later to pass a security checkpoint. For simplicity,
this analogy will discuss you submitting your credentials only once at a check-in
counter.
The officials in the check-in area (who are like the authenticators) force you to
show your documents and ticket before you receive your boarding pass and
proceed deeper into the airport.
Most airports have several check-in counters; you could turn up at any of them.
The airport therefore finds it efficient to keep a central database of reservations.
Officials submit your ticket and identification information to a computer that
verifies you against this central database.
The computer that verifies your reservation is like an authentication server; the
reservation database, like a directory. The computer also acts like an authorization
server if it prints out the gate number on your boarding pass to direct you toward a
certain section of the airport.


Authentication

Authentication determines who is connecting to the network or attempting to access a service. The authenticator uses an authentication protocol such as EAP to retrieve a user's credentials; you are already familiar with this process. Some authenticators can verify the credentials themselves. In a AAA system, however, the authenticator uses a AAA protocol to pass the credentials on to an authentication server, which checks the credentials.
For example, an endpoint uses PEAP to authenticate. The endpoint establishes a
tunnel to the authentication server (not to the NAS), and the server verifies the
user’s credentials (whether by checking them against its own database or
submitting them to a directory server for processing). If the credentials check out,
the server informs the authenticator (the NAS) that the user is indeed who she
claims to be (in this example, “User1”) and can connect to the network.
If authentication credentials are incorrect or the username invalid, the server
rejects the authentication and the user cannot connect.
In the metaphor of the airport, authentication could be an official at the check-in
counter entering a would-be-flyer’s driver’s license and ticket numbers into a
computer. The computer, which equates to the authentication server, verifies the
reservation.


Authorization

Authorization, also known as access control, builds on authentication. An authenticated user is granted certain rights, which determine:
„ which resources and services the user can and cannot access
„ other settings for the connection such as bandwidth and quality of service (QoS)
The AAA server makes these decisions based on any of these factors:
„ User identity and authentication state—The simplest access control rules
simply look at these criteria. All authenticated users can access all network
services, and all unauthenticated users are denied all access.
However, not all users are the same. As your network expands to include
contractors and guests, you need more complicated rules that allow different
users rights to different services. In a network with many anonymous guests,
you might allow even unauthenticated users to access a public Web page.
A well-managed network also ensures that each user receives only the
bandwidth and QoS for which she has paid or company policies allow her.


„ Time and location—You cannot always predict which users will cause
problems. However, you can create rules that minimize suspicious activity.
For example, you can prevent a typically authorized user from connecting to
the network after normal work hours.
„ Previous activity—The server might deny or allow a user certain kinds of
network access based on whether the user has logged certain types of activity.
Implementing such a rule relies on the server’s accounting functions as well
as its authorization functions.
The AAA server communicates its authorization decisions to the NAS, which
enforces them using such configurations as:
„ Virtual local area network (VLAN) assignments—VLANs are logically
independent networks within a network that divide users into separate
broadcast domains. Traffic cannot cross from one VLAN to another without
passing through a router or Layer 3 switch, where it can be filtered, so an
attacker who gets into one VLAN does not automatically reach the entire
network. (For more information on VLANs, see the “VLANs” section of this
module.)
„ ACLs—If a user has the correct credentials and is allowed to enter the
network, ACLs (the access rules) determine which devices he is allowed to
use and what applications and data he can access within the network. (For
more information on ACLs, see the “ACL” section later in this module.)
„ Rate limits—Rate limits control the maximum bandwidth for traffic sent or
received on a network interface.
„ QoS settings—QoS priorities are assigned to packets as they traverse the
network so that packets that must be delivered in real time, such as voice and
video packets, receive higher delivery priority than other packets, creating an
unbroken data flow and higher quality reception.
In the metaphor of the airport, authorization divides checked-in travelers into
different flight and boarding groups by printing information on their boarding
passes. For example, just as an authorization server might divide users into
separate VLANs, the check-in counter computer might mark a traveler to
Singapore’s boarding pass with gate A-37, but the pass for a traveler to Paris with
gate B-12.
Similarly, just as an authorization server can assign rate limits and QoS settings to
user traffic, the check-in counter computer could place handicapped, elderly, and
underage passengers in the first boarding group for their flights. (The officials at
the gates, not the computer itself, will enforce this priority treatment, as do NASs
in the networking world.)


Accounting

Many network administrators now realize that a single security check is not
sufficient to ensure network security. It is important to authenticate a user when
she connects, but it is also important to monitor what she actually does.
Accounting, the third AAA function, collects information from NASs about users’
activities. The information the NASs report varies widely from protocol to
protocol and implementation to implementation. Some AAA servers can gather
and analyze a great deal of granular information so that you can analyze traffic
patterns and even monitor for suspicious activity. For example, you can view
which network resources various users access.
Other AAA servers simply receive a summary of information about each user’s
connection, including its duration and the resources used. In this case, accounting
facilitates billing by providing information about resource use and only some
degree of network auditing.
In the airport metaphor, video cameras placed throughout the airport provide
accounting. All cameras feed into a central room where officials scan the video for
people behaving suspiciously.


RADIUS

The most common AAA protocol, RADIUS is the transport protocol for
communications between NASs and RADIUS servers. RADIUS servers:
„ store and check authentication credentials (authenticate)
„ grant users access rights based on those credentials (authorize)
„ collect information about the resources a user consumes (account)
At the Transport Layer, RADIUS uses User Datagram Protocol (UDP), by default on port 1812 for authentication and authorization and port 1813 for accounting. UDP offers no delivery guarantee, but RADIUS is a simple request and response protocol that handles timing itself, and UDP suits it well:
„ The server keeps no connection state, so it can serve many NASs and many simultaneous authentications cheaply.
„ The NAS chooses retransmission timers and server failover rules suited to authentication rather than inheriting those of Transmission Control Protocol (TCP). For example, users must have time to enter their credentials, but on the other hand, most will not wait more than a minute to be authenticated.
Any information about a user, an endpoint, and a NAS is valuable. RADIUS hides only the User-Password attribute (by XORing it with MD5 hashes derived from the shared secret and the packet's Request Authenticator); the rest of the packet, including the username, the NAS address and port, and any EAP messages, travels in cleartext.


A rogue user passively collecting RADIUS packets can learn sensitive information; carrying RADIUS inside IPsec or over TLS (RADIUS/TLS, also called RadSec) closes that gap. However, a rogue device posing as a NAS and actively sending fake requests perhaps poses an even greater danger. RADIUS guards against rogue NASs with a shared secret configured per NAS: the server silently discards requests from any source address for which it holds no secret, and for known addresses it accepts only a request whose password hiding and, where present, Message-Authenticator attribute were computed with that secret. The secret deserves the same care as any other long-term key (long, random, and unique per NAS), because an observer who captures an Access-Request and its reply can try to recover a weak secret offline from the reply's MD5-based authenticator.


RADIUS Authentication

You have already learned about how an authenticator forces an endpoint to submit
a user’s authentication credentials. An authenticator configured for RADIUS
authentication (in AAA terminology, a NAS) translates the endpoint’s response
into RADIUS format and forwards the resulting Access-Request packet to a
RADIUS server. The server then decides whether to accept or reject the request.
RADIUS supports several authentication protocols, including:
„ PAP
„ CHAP
„ EAP, using the RADIUS extensions for EAP (the EAP-Message and Message-Authenticator attributes)

Translation
The NAS must format the authentication information it receives from an endpoint
into a RADIUS packet, called the NAS Access-Request. For example, a CHAP
Response packet includes fields for:
„ a username
„ a hash
„ the challenge string used by the endpoint when creating the hash


The NAS reads the username and copies it to the Access-Request's User-Name attribute. It reads the hash and copies it to the CHAP-Password attribute.
The NAS also adds relevant information to the Access-Request. For example, it includes the challenge value from the CHAP Challenge it sent to the endpoint, either in a CHAP-Challenge attribute or, for a 16-octet challenge, as the packet's Request Authenticator. The RADIUS server then has all necessary values for hashing the password.
The NAS should also add information to the request such as the port to which the endpoint connects (NAS-Port), its own address (NAS-IP-Address or NAS-Identifier), and the type of service the endpoint needs (Service-Type).
Other authentication protocols require slightly different translation. For example, PAP passwords are copied into the User-Password attribute and hidden with the shared secret. RADIUS specifies a dedicated attribute, EAP-Message, into which entire EAP messages are copied (split across several EAP-Message attributes when they exceed 253 octets), and such requests must also carry a Message-Authenticator attribute so the server can verify that they came from a NAS that knows the shared secret.
In short, the NAS supplies the RADIUS server with all necessary information for making its decision to either accept or reject the authentication.

Decision
The server can base its decision on several factors, including:
„ password
„ port ID
„ NAS ID
„ type of service
The server must factor the password into the decision, and often, if the user’s
password matches the stored password, the server automatically grants the user
access. However, the server might also consider the port and NAS to which the
user connects and the type of service it requests. For example, you might configure
your RADIUS server to restrict guest access to certain workstations in public
locations.
If the server ultimately decides to authenticate the user, it sends an Access-Accept
packet to the NAS. This packet can include attribute-value pairs (AVPs) to control
the user’s traffic; these attributes are discussed as part of RADIUS authorization.
If the server rejects the user’s authentication (whether because her credentials are
incorrect or because she is connecting from an unauthorized location), it sends an
Access-Reject packet. This packet can include an explanation that displays on the
user’s station.
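The translation and decision steps above, together with the shared-secret protection described under RADIUS, as an added example (not ProCurve's code and not any RADIUS server's implementation): a NAS builds an Access-Request with a PAP password hidden the way RFC 2865 section 5.2 prescribes, the server recovers the password with its own copy of the secret and answers with an Access-Accept or Access-Reject carrying a Response Authenticator, and the NAS checks that authenticator before trusting the reply. The secret, username, password and NAS address are made up; only four attribute types are implemented.

```python
"""RADIUS (RFC 2865) Access-Request and reply: User-Password hiding and the Response
Authenticator. Added example, not ProCurve code; all values below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each block with MD5(secret + previous
    hidden block); the Request Authenticator seeds the first block. This is keyed
    obfuscation of one attribute, not encryption of the packet."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return bytes(hidden)


def reveal_password(hidden, secret, request_auth):
    """Server side of the same chain; trailing NUL padding is stripped."""
    clear, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def attr(kind, value):
    """Type(1) Length(1, counts these two octets too) Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(blob):
    attrs, i = {}, 0
    while i < len(blob):
        kind, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs[kind] = blob[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, secret, user, password, nas_ip, nas_port, request_auth=None):
    """NAS side: fresh 16-octet Request Authenticator, then the translated attributes."""
    request_auth = request_auth or os.urandom(16)
    body = (attr(USER_NAME, user)
            + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
            + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_decide(request, secret, users):
    """Server side: recover the password with *its* copy of the secret and reply.
    A rogue NAS that used a different secret yields garbage here and gets an Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None                      # malformed: silently discard
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = users.get(attrs.get(USER_NAME)) == password
    reply, body = (ACCESS_ACCEPT if ok else ACCESS_REJECT), b""   # body would hold authorization AVPs
    auth = response_authenticator(reply, ident, body, request_auth, secret)
    return struct.pack("!BBH", reply, ident, 20 + len(body)) + auth + body


def nas_verify(response, request, secret):
    """NAS side: trust the reply only if its Response Authenticator matches our request and secret.
    Returns the reply code, or None for a forged, replayed or mismatched reply."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None
```

Note what the secret does and does not protect: the Access-Request itself carries no integrity check in this PAP form (that is what the Message-Authenticator attribute of RFC 3579 adds, and it is mandatory when EAP-Message is present), so the only thing that stops a NAS with the wrong secret is that the password does not decode. The reply, by contrast, is bound to both the secret and the original Request Authenticator, so a forged Access-Accept from a host that does not know the secret fails `nas_verify`.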


RADIUS Authorization

RADIUS combines authentication with authorization: typically, if a user is in the RADIUS or directory server’s database and successfully authenticates, he can access the network.
The same Access-Accept packet that permits the access also controls the access.
When the RADIUS server prepares this packet, it checks its rules for the user in
question (factoring in, perhaps, the time and location). To enforce the rules, it adds
a series of AVPs to the Access-Accept packet. Common AVPs include:
„ VLAN assignment (the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes, used as described in RFC 3580)
„ ACLs (usually carried in vendor-specific attributes)
„ rate limits (also vendor-specific)
You will learn about how VLAN assignments and ACLs protect your network
later in the module. Rate limits ensure each user shares resources fairly. Rate limits
also prevent an endpoint infected with a virus from monopolizing all bandwidth.
Emerging standardized RADIUS AVPs promise to maintain your control over
network access as networks continue to evolve.
The NAS knows how to read and apply AVPs to enforce the rules.


Often, combining authentication and authorization is an efficient way to control a user from the moment that user starts sending and receiving data. However, the complete overlap of the two functions in RADIUS does mean that:
„ You must use RADIUS for both functions.
If your network includes a legacy authentication server, you cannot add a
RADIUS server for authorization alone. Instead you must integrate the RADIUS
server with the existing system or transfer all authentication information to the
RADIUS server.
„ For the most part, RADIUS servers apply access controls to users only when
they authenticate.
Traditionally, the controls did not respond to changes in the user’s activities or needs, although they were enforced throughout the connection. For example, once the user authenticated and received access to a server, as far as RADIUS was concerned, the user could continue to access that server no matter how he behaved. Now, the dynamic authorization extensions (RFC 5176) let the server push a Change-of-Authorization (CoA) request to the NAS to replace a session's attributes, or a Disconnect-Request to end the session, at any point; the NAS must be configured to accept such requests from the server, and only from it.


RADIUS Accounting

RADIUS accounting is designed primarily for billing: it tracks how long users stay connected and how many bytes and packets they send and receive, not which resources and services they access.
However, enterprise networks more commonly use accounting for security audits.
You can analyze which users connect to the network, when, and for how long—
information that can raise the red flag for an alert administrator. For example, you
might question what legitimate business purpose would lead users to access the
network late at night.
Each NAS informs the RADIUS server when it begins granting a user service (the user is authenticated) and when it stops granting the user service (the user disconnects). It can also send accounting packets periodically throughout the connection. All of these are Accounting-Request packets, distinguished by their Acct-Status-Type attribute. The first (Start) is primarily informative; Interim-Update packets and the final Stop packet include more detailed information about the user’s activity.


The Stop record identifies the user with the User-Name attribute and the session with Acct-Session-Id, the same value the NAS used in the Start record. It then adds one or more of the following attributes (RFC 2866 counts direction from the NAS's point of view):
„ Acct-Input-Octets—the number of bytes the NAS received from the user, that is, bytes the user sent
„ Acct-Output-Octets—the number of bytes the NAS sent to the user, that is, bytes the user received
„ Acct-Session-Time—the number of seconds the user was connected
„ Acct-Input-Packets—the number of packets the user sent
„ Acct-Output-Packets—the number of packets the user received
„ Acct-Terminate-Cause—why the session ended (for example, User-Request or Idle-Timeout)
If RADIUS accounting is used for billing, the RADIUS server can process this information and forward it to the billing server, which calculates how much the user should be charged for the services.
Because lost accounting packets are literally lost money, RADIUS takes certain steps to prevent such losses. A NAS should store and retransmit an Accounting-Request until the RADIUS server acknowledges it with an Accounting-Response, incrementing the Acct-Delay-Time attribute on each retry so the server can recover the real event time. The server, for its part, should treat a repeated Acct-Session-Id with the same Acct-Status-Type as a retransmission rather than a second session.
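The security-audit use of accounting described above (who connected, when, and for how long) together with the retransmission handling, as an added example that is not part of the course or of any RADIUS server: a small parser for accounting records, de-duplication of retransmitted Start and Stop records, a report of sessions started outside business hours, and per-user totals. The records are constructed for this example in the layout of a FreeRADIUS "detail" file (a timestamp line followed by tab-indented attributes); the users, NAS address, byte counts and the 07:00 to 19:00 business window are all assumptions.

```python
"""Audit RADIUS accounting records: de-duplicate NAS retransmissions, flag after-hours
logins, and total usage per user. Added example, not ProCurve code; the records below are
constructed in the layout of a FreeRADIUS 'detail' file."""
from datetime import datetime, time, timedelta

SAMPLE_DETAIL = """\
Mon Mar  3 08:02:11 2008
\tAcct-Status-Type = Start
\tUser-Name = "User1"
\tAcct-Session-Id = "8A001"
\tNAS-IP-Address = 10.0.0.2
\tNAS-Port = 3

Mon Mar  3 23:40:05 2008
\tAcct-Status-Type = Start
\tUser-Name = "contractor7"
\tAcct-Session-Id = "8A002"
\tNAS-IP-Address = 10.0.0.2
\tNAS-Port = 9

Mon Mar  3 23:40:35 2008
\tAcct-Status-Type = Start
\tUser-Name = "contractor7"
\tAcct-Session-Id = "8A002"
\tNAS-IP-Address = 10.0.0.2
\tNAS-Port = 9
\tAcct-Delay-Time = 30

Tue Mar  4 01:12:44 2008
\tAcct-Status-Type = Stop
\tUser-Name = "contractor7"
\tAcct-Session-Id = "8A002"
\tAcct-Session-Time = 5559
\tAcct-Input-Octets = 4194304
\tAcct-Output-Octets = 122880

Tue Mar  4 17:31:40 2008
\tAcct-Status-Type = Stop
\tUser-Name = "User1"
\tAcct-Session-Id = "8A001"
\tAcct-Session-Time = 120569
\tAcct-Input-Octets = 512003
\tAcct-Output-Octets = 8120440
"""


def parse_detail(text):
    """One dict per record; the server's log time goes under 'timestamp'."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None
        elif line.startswith("\t"):
            if current is None:
                raise ValueError("attribute line before any timestamp line")
            key, _, value = line.strip().partition(" = ")
            current[key] = value.strip('"')
        else:
            current = {"timestamp": datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y")}
            records.append(current)
    return records


def dedupe(records):
    """A NAS resends an Accounting-Request until it gets an Accounting-Response, so one event
    can be logged twice; the same Acct-Session-Id and Acct-Status-Type is the same event."""
    seen, unique = set(), []
    for r in records:
        key = (r.get("Acct-Session-Id"), r.get("Acct-Status-Type"))
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


def event_time(r):
    """When the NAS saw the event: log time minus any Acct-Delay-Time from retransmission."""
    return r["timestamp"] - timedelta(seconds=int(r.get("Acct-Delay-Time", 0)))


def after_hours_starts(records, open_at=time(7), close_at=time(19)):
    """Users whose sessions started outside the business window (window is an assumption)."""
    return sorted({r["User-Name"] for r in records
                   if r.get("Acct-Status-Type") == "Start"
                   and not open_at <= event_time(r).time() < close_at})


def usage_by_user(records):
    """Totals from Stop records. Acct-Input-Octets is what the NAS received, i.e. user upload."""
    totals = {}
    for r in records:
        if r.get("Acct-Status-Type") != "Stop":
            continue
        u = totals.setdefault(r["User-Name"], {"sent": 0, "received": 0, "seconds": 0})
        u["sent"] += int(r.get("Acct-Input-Octets", 0))
        u["received"] += int(r.get("Acct-Output-Octets", 0))
        u["seconds"] += int(r.get("Acct-Session-Time", 0))
    return totals
```

In the sample the second Start for session 8A002 is a retransmission (same session and status, Acct-Delay-Time of 30 seconds); without de-duplication it would count as a second login and inflate any per-session billing. The after-hours check keys on the Start record because the Stop record's timestamp says only when the user left.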


TACACS+

Cisco Systems developed TACACS+ as an alternative to RADIUS. TACACS+ is loosely based on TACACS, a protocol designed to authenticate dial-in users that is rarely used in contemporary networks. However, TACACS+ is not compatible with previous versions of TACACS.
Because TACACS+ uses TCP (port 49) at the Transport Layer, widely considered the more reliable transport protocol, some administrators prefer it to RADIUS. Nonetheless, TACACS+ has not been as widely adopted as RADIUS for network access; it is most common for administrative access to network devices, where its per-command authorization is valued.
Security, as well as reliability, is designed into TACACS+. It does not negotiate algorithms or keys. Instead, the entire body of every packet is obfuscated by XORing it with a keystream derived from chained MD5 hashes of the shared secret, the session ID, the protocol version, and the sequence number, so usernames and other details are hidden along with passwords. The header stays in cleartext, and the scheme is obfuscation keyed on the secret rather than authenticated encryption, so TACACS+ traffic still belongs on a protected management network or inside IPsec. Like RADIUS servers, TACACS+ servers reject packets from NASs that do not use the correct shared secret, since their bodies do not decode; a header flag that marks a body as unobfuscated exists for debugging and should not be accepted in production.
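The body obfuscation just described, as an added example (not ProCurve's or Cisco's code): the keystream construction from RFC 8907 section 4.5, a TACACS+ header, an authentication START body, and the server-side checks that make a wrong secret or a cleartext body fail. The secret, session ID, username and port are made up.

```python
"""TACACS+ header, body obfuscation (RFC 8907 section 4.5) and an authentication START body.
Added example, not ProCurve or Cisco code; key and session values are constructed."""
import hashlib
import struct

VERSION = 0xC0                       # major version 0xC, minor 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3
FLAG_UNENCRYPTED = 0x01              # cleartext body: debugging aid, never for production
ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 1, 1, 1, 1
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same, MD5_n-1); concatenated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; applying it twice restores the body. A keystream from MD5 of a shared
    secret, not an authenticated cipher: nothing here detects tampering."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b""):
    """action, priv_lvl, authen_type, authen_service, four field lengths, then the fields."""
    return (struct.pack("!BBBBBBBB", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def build_packet(ptype, seq_no, session_id, body, key, flags=0):
    """NAS side: cleartext header followed by the (normally) obfuscated body."""
    wire = body if flags & FLAG_UNENCRYPTED else obfuscate(body, session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body)) + wire


def server_read_start(packet, key, accept_cleartext=False):
    """Server side: validate the header, refuse cleartext bodies, undo the obfuscation and split
    the START fields. A body made with the wrong key decodes to noise and fails the length check."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if version != VERSION or length != len(packet) - HEADER.size or ptype != TYPE_AUTHEN:
        return None
    if flags & FLAG_UNENCRYPTED:
        if not accept_cleartext:
            return None
        body = packet[HEADER.size:]
    else:
        body = obfuscate(packet[HEADER.size:], session_id, key, version, seq_no)
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!BBBBBBBB", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    return {"session_id": session_id, "seq_no": seq_no, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "user": fields[0], "port": fields[1],
            "rem_addr": fields[2], "data": fields[3]}
```

Two properties of the scheme are worth noticing in the code. The pad depends only on the secret, the session ID, the version and the sequence number, so a NAS that reuses a session ID repeats the keystream and the XOR of two bodies reveals the XOR of their plaintexts; session IDs must be random. And because the header is never obfuscated, an observer still sees packet types, sequence numbers and session IDs even when the bodies are hidden.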


TACACS+ Authentication

The TACACS+ protocol defines a sequence of exchanges into which a variety of authentication methods can fit. The basic s equence consists of three types of packets.

START Packets
The NAS starts the exchange when it needs the server to verify authentication information sent by an endpoint. The START packet includes the authentication type. TACACS+ supports:
„ ASCII (an interactive login in which the server prompts for the username and password in turn)
„ PAP
„ CHAP
„ MS-CHAP
The START packet generally also includes a user ID, the NAS port, and the remote address of the endpoint.


REPLY Packets
The TACACS+ server only sends REPLY packets, which fall into two general
categories:
„ REPLY packets that tell the NAS to continue the exchange—According
to the authentication type in the START packet, REPLY packets request
different types of information. For example, a TACACS+ server that receives
a CHAP request may be programmed to request first the user’s username and
then password.
„ REPLY packets that tell the NAS to terminate the authentication
session—Once the server has collected enough information, it processes the
information and decides whether to authenticate the user. A terminate
REPLY packet indicates whether the user’s authentication passed or failed.
The flexibility of this scheme—developers can program TACACS+ servers to
request new types of information as well as to process this information in new
ways—helps TACACS+ meet as-yet-unpredicted challenges.

CONTINUE Packets
The NAS sends CONTINUE packets to return the information requested by the
server. The NAS copies this information from authentication responses elicited
from the endpoint. For example, a REPLY packet asks the NAS to get the user’s password. The NAS copies the user’s answer (with PAP, the password itself; with CHAP, the response hash) and sends it in the user message field of a CONTINUE packet.


TACACS+ Authorization

For TACACS+, authorization always consists of a single exchange:
„ a REQUEST from the NAS
„ a RESPONSE from the server
The REQUEST includes information about the user, how she authenticated, and
her current authentication status. It then lists one or more AVPs, which, much like
RADIUS AVPs, correspond to various controls on resources and services. For
example, an AVP might specify a certain rate limit.
The server uses the first part of the REQUEST (the user identity and status), along
with various other factors configured on the server, to evaluate the request. Its
RESPONSE lists the AVPs it has determined apply to the user.
For example, certain users need to view a certain Web page; their endpoints must be able to access a Dynamic Host Configuration Protocol (DHCP) server, a Domain Name System (DNS) server, and the Web server. When the NAS sends an authorization REQUEST packet on behalf of such a user, the TACACS+ server checks its rules and decides whether the user is indeed authorized to access these servers. If so, it returns a RESPONSE with AVPs for the appropriate IP addresses. The NAS begins controlling the user’s access appropriately, and the user’s browser opens the Web page.


Because TACACS+ separates authentication and authorization, a user can be authorized for various types of network access at various points in its connection. Like RADIUS, TACACS+ attempts to control users’ activities the moment they begin sending and receiving traffic. Therefore, a NAS should always request controls for the user when the user first authenticates.
If necessary, the NAS can send later requests for new services and resources. For
example, the user might open a video stream and suddenly need more bandwidth.
If so configured, the NAS can request more bandwidth on behalf of the user to
support this application.
The number of defined AVPs is expanding all the time as networks must provide
more services to more users.


TACACS+ Accounting

Like RADIUS accounting, TACACS+ accounting is used primarily for billing and
possibly for tracking network activity and planning for expansion. However,
TACACS+ accounting can also act as a security measure, showing you which
users access which resources.
A NAS sends accounting information whenever it starts or stops granting a user a
particular service or access to a particular resource. For example, the NAS can
send accounting packets when a user connects to the network; it can also send
accounting packets when a user accesses a device and when a user enters a
command into the device’s management interface.
The mechanics of TACACS+ accounting are similar to TACACS+ authorization. A
NAS sends a server a REQUEST packet that indicates a certain resource or service.
However, rather than asking the server to decide whether the user has rights to this
resource, the packet simply reports that the user is accessing it. A REQUEST stop
packet typically includes additional information such as the duration of the service and
the number of bytes or packets the user sent and received.


The TACACS+ server stores and processes the accounting information and, if so configured, forwards it to a Syslog server.
Reliability is crucial to accounting, and TCP helps to maintain accurate records. In addition, TACACS+ ensures that servers actually store the information: the server does not send a RESPONSE packet until it has not only received, but also logged, the record, so a NAS that receives no RESPONSE knows the record was not kept and can resend it.

Further Reading
For more information on AAA protocols such as RADIUS and
TACACS+, see the ProCurve Networking Security course.


Authentication Methods

You should now be familiar with all the elements of authentication:
„ types of authentication credentials, including basic implementations such as
passwords and innovative techniques including biometrics
„ authentication protocols, such as PAP, CHAP, and EAP, used to exchange
credentials
„ AAA protocols, which allow network devices to check these credentials, and
based on the results of this check, control and track users’ activities
Next, you will examine how these elements are combined to form overall
authentication methods. Such methods include:
„ 802.1X
„ Web authentication (Web-Auth)
„ MAC authentication (MAC-Auth)
These authentication methods are enforced at the NAS port and allow different
users to authenticate through the same port at different times.


802.1X

802.1X is the industry standard for port authentication—ensuring that users are
properly identified and controlled as soon as they connect to a network. Developed
primarily for Ethernet, 802.1X has proved vital to wireless networks—which are
designed to provide convenient access to authorized users, but are all too prone to
providing easy access to any user, authorized or not. As part of the wireless
security standard, 802.11i, and of Wi-Fi Protected Access (WPA)/WPA2, 802.1X
promises to become practically mandatory for all enterprises.
802.1X is implemented on ports on edge devices. It activates as soon as the Data
Link Layer for a connection opens:
„ An Ethernet cable is plugged into a switch, and the link opens.
„ A wireless endpoint associates with a wireless AP.
802.1X splits the port into two virtual ports:
„ a controlled port, for which the state depends on a user’s authentication state
„ an uncontrolled port, which is always open but which can accept only certain
types of traffic


The controlled port’s default state is closed. The controlled port is like a path with
two drawbridges. Both ends of the link control one “drawbridge.” When both
drawbridges are lowered, the path is accessible to traffic: it opens. When at least
one drawbridge is raised, the port is closed.
By default, the uncontrolled port only accepts EAPOL frames (EtherType 0x888E). In other words, the user can authenticate with EAP, but do nothing else, not even request an IP address with DHCP, until he has completed authentication.
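The controlled and uncontrolled ports described above, as an added example that is not part of the course and is a deliberate simplification of the IEEE 802.1X PAE state machines: an authenticator port that lets only EAPOL frames through while the controlled port is closed, opens the controlled port on EAP Success, and closes it again on EAPOL-Logoff. The MAC addresses and frames are constructed; the binding of the open port to the single MAC that started the exchange is an assumption of this model, not something 802.1X requires.

```python
"""802.1X port model: the uncontrolled port passes only EAPOL (EtherType 0x888E); the
controlled port opens on EAP Success and closes on EAPOL-Logoff. Added example, not
ProCurve code, and a simplification of the 802.1X authenticator PAE state machine."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")     # EAPOL destination on wired LANs
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAP_SUCCESS, EAP_FAILURE = 3, 4


def parse_ethernet(frame):
    """Returns (dst, src, ethertype, payload) for an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[:6], frame[6:12], ethertype, frame[14:]


def parse_eapol(payload):
    """Protocol Version(1) Packet Type(1) Body Length(2) Body."""
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return version, ptype, body


def build_eapol(src, ptype, body=b""):
    return (PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 2, ptype, len(body)) + body)


def build_ipv4_frame(src, dst=b"\xff" * 6):
    """A minimal non-EAPOL frame (IPv4 EtherType, empty-looking header) to probe the port."""
    return dst + src + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19


class Dot1xPort:
    """One authenticator port; 'authorized' is the state of its controlled port."""

    def __init__(self):
        self.authorized = False     # controlled port closed until EAP Success
        self.supplicant = None      # MAC that started the exchange (model assumption)
        self.events = []

    def ingress(self, frame):
        """Return 'eapol' (handled by the PAE), 'forward' (controlled port open) or 'drop'."""
        dst, src, ethertype, payload = parse_ethernet(frame)
        if ethertype == ETHERTYPE_EAPOL:
            version, ptype, body = parse_eapol(payload)
            if ptype == EAPOL_START:
                self.supplicant = src          # the PAE would now send EAP Request/Identity
            elif ptype == EAPOL_LOGOFF and src == self.supplicant:
                self.authorized = False        # supplicant raised its own drawbridge
            self.events.append((ptype, src))
            return "eapol"
        # Every other EtherType must cross the controlled port or is dropped.
        return "forward" if self.authorized and src == self.supplicant else "drop"

    def eap_result(self, code):
        """The authenticator PAE relays the server's verdict; only EAP Success opens the port.
        Binding the open port to one source MAC models a single-supplicant port; it does not
        stop a station behind a hub that spoofs the authenticated MAC."""
        self.authorized = code == EAP_SUCCESS
        return self.authorized
```

The sequence a practitioner should expect on a switch port is visible in the state changes: an IPv4 frame is dropped before authentication, an EAPOL-Start is accepted through the uncontrolled port, nothing but EAPOL passes until `eap_result(EAP_SUCCESS)`, and an EAPOL-Logoff from the supplicant closes the controlled port again. The Note below about DHCP timeouts follows directly from this: the DHCP request is an IP frame, so it is dropped until the controlled port opens.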

Note
If the user does not authenticate in time, his workstation might be placed in
the wrong VLAN and receive an incorrect IP address. Or the workstation
might fail to receive an IP address at all. Inexperienced users who do not
know how to check or renew an IP address will be frustrated that they cannot
access the network resources they expect.
Some products that act as 802.1X authenticators allow you to configure a
longer period of time for users to enter their credentials.


802.1X Roles

802.1X defines three roles:
„ a supplicant
„ an authenticator
„ an authentication server

Supplicant
The supplicant is the device that requests access to a network, or more precisely,
requests that its link be activated. Typically, the supplicant is an endpoint with
either a static Ethernet connection or a mobile wireless connection. However,
network devices such as switches and routers can also be 802.1X supplicants.
Some administrators require new devices to authenticate when added to the
network, which enables supplicants to protect themselves from rogue devices and
provides for mutual authentication.


Typical rogue devices are APs installed without authorization. As APs have
become cheaper and more common, some employees and low-level administrators
have begun to install unauthorized devices for their own convenience. For
example, employees want Internet access for their laptops in the employee lounge.
Rather than work through the appropriate channels, they simply plug an AP into a
spare Ethernet jack. While the employees may not mean any harm, an unsecured
AP can punch holes in network security. Implementing 802.1X on all ports plugs
the holes before they are created.
Because the supplicant controls one “drawbridge” on the port, the supplicant, as
well as the authenticator, can affect the state of the controlled port. This provision
allows supplicants to protect themselves from rogue devices. It also provides for
mutual authentication. However, unlike an authenticator, the supplicant might
open the controlled port on its side (“lower the drawbridge”) even when the other
endpoint does not authenticate. For example, EAP times out, so the supplicant
assumes that the network does not enforce 802.1X.

Authenticator
The authenticator controls network access for a supplicant at the other end of the
link. In the graphic above, the entire edge device, either a switch or an AP, is
labeled as authenticator. However, an authenticator typically resides within an
individual port on the edge device, deciding whether to open or close its side of
that single controlled port.
The authenticator makes this decision based on the supplicant’s authentication
state. Almost always, an unauthenticated or failed-authentication state signals the
authenticator to close the port, while an authenticated state signals it to open
the port.
As shown in the slide, the authenticator and the supplicant use EAP to
communicate, giving the supplicant a chance to change its authentication state.
Typically, the authenticator is responsible for initiating authentication by sending
an EAP Request/Identity packet.
Because some stations activate an Ethernet link before they boot sufficiently for
users to enter their authentication credentials, EAP authentication sometimes
expires. Once the station finally boots, the user would be shut out entirely—
authorized or not. The latest version of 802.1X solves this problem by allowing the
supplicant to initiate EAP with an EAP Start packet.

Authentication Server
The authentication server checks users’ authentication credentials for the authenticator.
In other words, the authentication server decides the user’s authentication state while
(based on this decision) the authenticator decides the port’s activation state.
The role of the authenticator and the authentication server can be played by the
same device. However, a centralized authentication server simplifies database
management.
The authenticator and authentication server communicate with a AAA protocol
(almost always RADIUS, although TACACS+ is theoretically a possibility).

Another of the authenticator’s responsibilities is to repackage information it
receives from the client in EAP packets into RADIUS packets.

Airport Analogy
In the analogy of the airport, the supplicant is a traveler who wants to check in.
The authenticator is the official at the reservation desk, and the authentication
server is this official’s computer.
An important 802.1X concept is the separation of the role of authenticator and
authentication server. This separation makes sense in terms of the airport analogy.
The computer (the authentication server) actually verifies a traveler’s
reservation—how can each check-in counter official (authenticator) be expected to
keep track of the hundreds of people who have reservations?
In essence, then, the traveler is submitting her name, ID, and ticket directly to the
computer. However, because she does not know how to work this computer (and
would not be allowed access to it even if she did), she passes this information
through the official behind the counter.


802.1X Process

The link opens and 802.1X authentication begins.

[Slide: 802.1X process diagram. Supplicant, Authenticator and RADIUS server; the
controlled port is closed while the uncontrolled port carries only EAP. Steps 1–8:
EAP Request/Identity; EAP Response/Identity; NAS Access-Request; Access-Challenge;
EAP Request/METHOD; EAP Response/METHOD; NAS Access-Request.]

You should now be able to trace the entire 802.1X process from the time the link
comes up to the time an authenticated user receives full network access—or an
unauthenticated user none. You should keep in mind all that you have learned
about authentication techniques, as well as EAP and AAA protocols. As shown
above, the steps in the authentication process are:
1. The supplicant’s authentication state is unauthenticated. The 802.1X
controlled port is closed. The uncontrolled port allows EAP packets. The
authenticator drops all other packets from the client.
2. The authenticator sends an EAP Request/Identity packet to initiate
authentication.
3. The supplicant responds with an EAP Response/Identity packet containing
the username. (If the supplicant does not support EAP, authentication times
out, and the supplicant cannot connect to the network.)
4. The authenticator repackages the EAP Response/Identity in a AAA protocol
and forwards it to the authentication server. In this example, the network uses
a RADIUS server, so the authenticator sends a NAS Access-Request.
RADIUS includes an AVP field for EAP messages, so the authenticator
simply copies the response into this field. The authenticator also adds other
information such as the user’s identity, the port ID, its own identity, and its
own shared key.
5. The authentication server initiates a certain EAP method. The server might
support several methods and be configured to always try one first, or it might
be configured to use certain methods with certain users. The
EAP-Request/Method packet is encapsulated in a RADIUS Access-Challenge.
6. The authenticator de-encapsulates the EAP Request/Method and forwards it
to the supplicant.
7. The supplicant sends the appropriate EAP Response/Method packet. For
EAP-MD5, this packet would include a hashed password. For PEAP, the
response would continue the negotiation of the secure tunnel. (If the
supplicant does not support the method, it can send an EAP NAK and suggest
a different method. Again, the authenticator would forward this message to
the server.)
8. The authentication server and supplicant continue sending EAP packets,
using the authenticator as an intermediary, until the authentication process
completes.

Airport Analogy
Sometimes it is easier to remember a process if you think of it as a story. For
example, you can follow the 802.1X process through the airport analogy.

Port Deactivation
Recall that 802.1X deactivates the controlled port until authentication is complete.
You can think of this measure as that of a harried official in a busy airport.
Travelers may ask him to check their bags, to tell them about the weather at their
destinations, or to recommend a good airport restaurant. The official refuses to do
anything until he has checked them in.

EAP Process
You should now be familiar with the flexibility of EAP. Perhaps you have witnessed
a similar flexibility at the airport. In a single trip, you might be required to show two
forms of ID at one airport, to show ID and to answer questions about your luggage
at a second airport, and to undergo more intensive searching at a third.
In any case, the official behind the check-in counter will probably start by asking
you your name and entering it into the computer. Similarly, EAP always begins
with an EAP Request/Identity packet. After submitting your name to the computer,
the official can determine what else he must do to check you in. (Note that, in the
analogy, the separation between the roles of authenticator and authentication
server is not perfect. In 802.1X, the authentication server is completely responsible
for verifying the supplicant’s identity. In a world of human interaction, roles are
more fluid.)


802.1X Process: Continued

The EAP process completes when the server either accepts or rejects the
supplicant’s authentication. Based on this decision, the authenticator determines its
own action. The slide illustrates the two possible outcomes.
1. The RADIUS server matches the user’s credentials to those stored for the
user in its database. Any other rules (such as time and location) also
permit the user. The server sends the authenticator an Access-Accept
packet, which includes:
• an encapsulated EAP Success that the authenticator forwards to the
supplicant
• optional AVPs to control the supplicant’s network rights
The supplicant’s state is now authenticated, so the authenticator opens the
controlled port. As far as 802.1X authentication is concerned, the supplicant
can now send any traffic into the network. However, if the Access-Accept
packet included any AVPs, the authenticator should apply them to control
this traffic.
The server can also send information necessary for generating an encryption
key with the Access-Accept—another reason 802.1X suits wireless security
needs so well.


2. The RADIUS server rejects the supplicant’s authentication, usually because
the user is not in the database or his credentials are incorrect, but possibly
because the user is attempting to connect at an unauthorized time or from an
unauthorized location. The server sends the authenticator an Access-Reject,
which includes an EAP Failure.
The supplicant’s state is now failed authentication, so the authenticator keeps
the controlled port closed. It also forwards the EAP Failure from the server,
informing the supplicant of this decision. The authenticator continues to
block all traffic except the EAP packets the supplicant sends in a new effort
to authenticate.
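As an added example that is not part of the course material, the following Python models steps 4 and 8 at the byte level: how the authenticator wraps the EAP Response/Identity in a RADIUS Access-Request, how the server verifies it and answers with an Access-Accept carrying an EAP Success and a VLAN AVP, and how the authenticator checks that reply before opening the controlled port. Note that the shared secret is never sent on the wire; it keys the Message-Authenticator (RFC 3579) and the Response Authenticator (RFC 2865). The user name, NAS name, VLAN and secret are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                    # RADIUS codes (RFC 2865)
USER_NAME, NAS_PORT, NAS_IDENTIFIER = 1, 5, 32          # RFC 2865 attributes
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80             # RFC 3579 attributes
TUNNEL_PRIVATE_GROUP_ID = 81                            # RFC 2868, carries the VLAN
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1  # RFC 3748


def eap_response_identity(eap_id, identity):
    """Step 3: the supplicant's EAP Response/Identity (Code 2, Type 1)."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def parse_attrs(data):
    """Split a RADIUS attribute list, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_access_request(secret, radius_id, eap, nas_id, port, request_auth=None):
    """Step 4: the authenticator copies the EAP packet into EAP-Message and adds
    User-Name, NAS-Port and NAS-Identifier. The secret only keys the HMAC."""
    request_auth = request_auth or os.urandom(16)       # random Request Authenticator
    attrs = (avp(USER_NAME, eap[5:]) + avp(NAS_PORT, struct.pack("!I", port))
             + avp(NAS_IDENTIFIER, nas_id.encode()) + avp(EAP_MESSAGE, eap)
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))    # zeros while the HMAC is computed
    packet = (struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
              + request_auth + attrs)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def verify_access_request(secret, packet):
    """RADIUS server side: check the Message-Authenticator, then extract the EAP."""
    code, radius_id, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("bad RADIUS header")
    attrs = parse_attrs(packet[20:])
    zeroed, offset, mac = bytearray(packet), 20, None
    for attr_type, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR:
            mac, zeroed[offset + 2:offset + 18] = value, bytes(16)
        offset += 2 + len(value)
    if mac is None:
        raise ValueError("EAP over RADIUS requires Message-Authenticator (RFC 3579)")
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("Message-Authenticator mismatch: wrong secret or tampering")
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)   # fragments concatenate
    is_identity = eap[:1] == bytes([EAP_RESPONSE]) and eap[4:5] == bytes([EAP_TYPE_IDENTITY])
    return {"id": radius_id, "request_auth": packet[4:20], "eap": eap,
            "identity": eap[5:].decode() if is_identity else None}

def build_access_accept(secret, request, vlan):
    """Step 8, success: EAP Success plus a VLAN AVP the authenticator must apply."""
    req = verify_access_request(secret, request)
    eap_success = struct.pack("!BBH", EAP_SUCCESS, req["eap"][1], 4)
    attrs = (avp(EAP_MESSAGE, eap_success)
             + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan.encode())   # tag byte 0 + VLAN
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    head = struct.pack("!BBH", ACCESS_ACCEPT, req["id"], 20 + len(attrs))
    # A reply's Message-Authenticator is computed with the Request Authenticator in place
    mac = hmac.new(secret, head + req["request_auth"] + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(head + req["request_auth"] + attrs + secret).digest()
    return head + resp_auth + attrs

def authenticator_decide(secret, request, reply):
    """Authenticator side: accept only a reply bound to our own request, then
    open or close the controlled port and return the VLAN to apply."""
    code, radius_id, _ = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if radius_id != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: reply not from our server")
    attrs = dict(parse_attrs(reply[20:]))    # (a real NAS also checks the reply's HMAC)
    eap = attrs.get(EAP_MESSAGE, b"")
    if code == ACCESS_ACCEPT and eap[:1] == bytes([EAP_SUCCESS]):
        vlan = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        vlan = vlan[1:] if vlan[:1] <= b"\x1f" else vlan    # strip the RFC 2868 tag byte
        return "open", vlan.decode() or None
    return "closed", None    # Access-Reject / EAP Failure: the port stays closed
```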

Airport Analogy
In the end, airport security decides:
• whether you are or are not who you claim to be (verifies your credentials)
• whether you do or do not have a reservation (matches you to a policy to see
whether you are allowed to enter)
In real life, of course, the official at the check-in counter decides the first by
looking at your photo ID while the computer decides the second. It is important to
remember that in the networking world both decisions are under the province of
the authentication server.

Authentication Success
If your documents and reservation check out, you are checked in. At this point,
many officials simply wave you toward other security checkpoints, baggage
checks, and departure gates. Similarly, 802.1X opens a port entirely to
authenticated users.
However, a NAS might receive access controls from a RADIUS server. In an
airport, your boarding pass may similarly affect where you go within the airport
(although in a less rigorous way). For example, boarding passes typically assign
you to a departure gate (just as network users are typically assigned to VLANs).

Authentication Failure
If you fail to pass the check-in procedure—whether because you don’t have a
reservation, you don’t look like the person shown on your ID, or you’ve come too
early for your flight—the computer will not issue you a boarding pass. In airports
with particularly tight security, officials may escort you out of the area.


Web-Auth

Access to contemporary networks cannot usually be limited only to regular
employees. In many enterprises, customers and vendors require Internet access to
perform their business functions. Furthermore, customers often demand Internet
access for convenience and for non-business uses. Enterprises that do not provide
this type of service usually find that their competitors will provide it.
In such a situation, you cannot be sure that all endpoints will support 802.1X or
particular EAP methods. It is also difficult to collect and distribute the information
necessary to authenticate each guest user. On the other hand, you cannot simply
open a network entirely to all comers.
Web-Auth, while not providing the rigorous security of 802.1X, addresses these
concerns. This authentication method places the bulk of the responsibility for
authentication on the NAS, so supplicants need not meet particular standards. In
addition, Web-Auth provides limited access for unauthenticated users—ideal for a
network with anonymous guests.
Typically, administrators select Web-Auth for “hot spots”—public networks,
increasingly ubiquitous as wireless technology improves and spreads.


The slide illustrates how the authenticator maintains a white list of IP addresses
unauthenticated users can access such as a private Web server. Some white lists
might also include DHCP and DNS servers. If the user attempts to access an
unauthorized device—for example, the user opens her Web browser and types in
an external Web site—the NAS redirects the traffic to the private Web server. The
user sees a login screen that prompts her to authenticate.


Web-Auth: Continued

The Web page guides the user through the authentication while the authenticator
handles all behind-the-scenes processes.
In addition to whatever text, logos, and graphics Web administrators design, the
login page includes two fields: one for the username and one for the password.
(Some companies display a guest username and password on the login page so
anyone can receive guest access.)
The authenticator retrieves whatever the user enters in the username field and
places it in the username field of a RADIUS Access-Request PAP packet.
Similarly, it copies the user input in the password field into the password field of
the Access-Request packet (where the password is encrypted for greater security).
Alternatively, the authenticator can use a RADIUS Access-Request CHAP packet.
The authenticator adds any necessary information such as the access port and its
own ID and forwards the packet to the RADIUS server.
The server sends a reply. If it accepts the authentication, the authenticator allows
the user to access all traffic, limited, however, by any AVPs in the Access-Accept.
(For example, if your company freely distributes a guest account on the login page,
you should carefully control this account.) If the server rejects the authentication,
the user remains confined to the limited access granted by the white list.


MAC-Auth

Operating at Layer 2, MAC authentication identifies hardware, not users. For this
reason, it is sometimes downplayed in contemporary security solutions. However,
MAC authentication remains the only choice for devices without user interfaces
and without support for 802.1X.

Note
A device without a user interface may still support 802.1X. For example, many
Voice-over-IP (VoIP) phones support EAP-Subscriber Identity Module (SIM)
and include smart cards automatically configured to send their authentication
credentials. Some network devices such as APs and switches can also act as
802.1X supplicants as well as authenticators.

You can configure two types of lists for MAC authentication:
• Black lists—Black lists are, by default, inclusive. Any device in the world
except those on the list can connect to the network.
• White lists—White lists, on the other hand, are exclusive. If you want a
device to connect to the network, you must explicitly add it to the list.


MAC-Auth to a RADIUS Server

As with any other type of credentials, an authenticator can forward MAC addresses to
be checked against a central database—for example, on a RADIUS server.
In this case, the authenticator must forward the credentials exactly as they are
stored in the database.
You should first consider the format. Does the RADIUS server store the address
with or without colons?
Next consider the password for the MAC address. Most applications store the
MAC address as both the username and the password. Some, on the other hand,
use a value such as the service set identifier (SSID) to which a wireless endpoint
connects for its password. In this way, administrators can control which devices
connect to which wireless networks.
You should verify that your authenticator device forwards the correct credentials
in the correct format.
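The format and list checks described above (black lists, white lists, and the credentials forwarded to a RADIUS server), as an added example that is not from the course: a Python helper that reduces a MAC address from any common notation to a canonical form, renders it in the format the RADIUS server expects with either the address or the SSID as the password, and evaluates a black list or white list. The format names, addresses and SSID are constructed.

```python
import re

# Storage formats a RADIUS server might use for the address; the names are our own.
MAC_FORMATS = {
    "colon-lower": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "colon-upper": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)).upper(),
    "dash-lower": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "bare-lower": lambda h: h,
    "bare-upper": lambda h: h.upper(),
    "dotted": lambda h: ".".join(h[i:i + 4] for i in range(0, 12, 4)),
}


def canonical_mac(raw):
    """Reduce any common notation to 12 lowercase hex digits, or raise."""
    if re.search(r"[^0-9a-fA-F.:\- ]", raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits.lower()


def mac_auth_credentials(raw_mac, server_format, password_source="mac", ssid=None):
    """Build the User-Name / User-Password pair the authenticator must forward.
    password_source: "mac" (most servers) or "ssid" (ties the device to one WLAN)."""
    username = MAC_FORMATS[server_format](canonical_mac(raw_mac))
    if password_source == "ssid":
        if not ssid:
            raise ValueError("SSID password source needs an SSID")
        return username, ssid
    return username, username


def mac_list_allows(raw_mac, entries, mode):
    """mode="black": every device except those listed; mode="white": listed devices only.
    Entries are canonicalized so a list kept in one notation still matches."""
    listed = canonical_mac(raw_mac) in {canonical_mac(e) for e in entries}
    return (not listed) if mode == "black" else listed
```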


Further Reading
For information on 802.1X, Web-Auth, and MAC authentication,
see also these ProCurve Networking courses:
• ProCurve Networking Security
• ProCurve Networking Mobility
See also these ProCurve Networking white papers:
• Access Control Security Solution
• Protecting the Extended Enterprise Network
You can look up these white papers at
http://www.hp.com/rnd/library/a-z_index.htm#Archived.


Directory Services

To this point, you have learned about security methods in which edge and other
infrastructure devices act as authenticators, as well as network access controllers.
Another security solution is a directory service, which:
• organizes network resources into a searchable directory structure
• authenticates users who attempt to access network resources
• controls access to network resources based on the rights granted to each
authorized user
In a typical directory service implementation, users submit their login credentials
directly to the directory service. The network switches act solely to transport data
from the user to the directory service and vice versa. After users are authenticated,
the directory service handles authorization as well.
A directory service can also integrate with other security solutions, such as 802.1X.
In this implementation, users must first authenticate to an edge device (such as a
switch) before activating the connection at all. When the AAA server verifies the
user’s credentials, it queries the directory server.


In order for users to access a directory service the same way regardless of the
directory type or how it is implemented, two global standards have been created to
secure and ease communication between a user and a directory service:
• X.500
• Lightweight Directory Access Protocol (LDAP)
Some specific implementations of directory services include:
• Microsoft Active Directory
• Novell eDirectory
• Red Hat Directory Server
• Sun Java System Directory Server Enterprise Edition


X.500 Hierarchical Directory Structure

The X.500 standard was jointly developed by the International Organization for
Standardization (ISO) and the Consultative Committee for International Telegraph
and Telephone (CCITT). (The CCITT is the predecessor of the International
Telecommunications Union-Telecommunication Standardization Sector [ITU-T].)
Designed to allow companies to organize and manage their network resources,
the X.500 standard outlines a hierarchical directory structure that includes:
• The tree—The tree is the entire directory structure. If you compare using a
directory for organizing network resources with using a file cabinet for
organizing paper documents, the tree is the room that contains the file
cabinet.
• The root—The root is the file cabinet itself. In the hierarchical X.500 tree,
nothing is superior to the root; it contains the entire directory. In an X.500
implementation for a particular company, the company name could be
the root.


• Container objects—Container objects hold portions of the tree, including
other container objects or leaf objects (which are described below). You use
container objects to organize network resources in a way that is meaningful
to your company. In the file cabinet analogy, container objects can be
compared to the drawers and the file folders within those drawers.
For example, within your company root, one container object could hold all
of the network resources for the main office, and another container object
could hold all of the network resources for a branch office. Within each of
these container objects, another container object could hold all the network
users at that location, and yet another could hold all servers and printers at
that location.
Examples of container objects include country, organization, and
organizational unit (OU) objects.
• Leaf objects—Leaf objects are the simplest part of the directory tree
structure. Each leaf object represents a network resource or user on your
network. Examples of leaf objects include server, printer, and user objects.
Leaf objects cannot contain other objects. In the file cabinet analogy, leaf
objects can be compared to the documents filed in the folders and drawers.


Basic X.500 Communications

The X.500 standard defines agents, which enable communication between a user
and the servers that hold the directory information base (DIB):
• Directory User Agent (DUA)—The DUA runs on the endpoint, enabling an
authorized user to perform the operations for which he has rights. For
example, with the appropriate rights, a user can access, read, search, or
modify information in the directory tree.
• Directory System Agent (DSA)—The DSA runs on servers that hold the
DIB. In addition to responding to queries from DUAs, a DSA communicates
with other DSAs in the directory tree.
The DUAs and DSAs use X.500 protocols to communicate with each other:
• Directory Access Protocol (DAP)—DAP enables communication between a
DUA and a DSA. DAP defines the operations users can perform, including
read, search, and modify.
• Directory System Protocol (DSP)—DSP defines the way DSAs
communicate with one another.


DAP uses all the layers of the Open Systems Interconnection (OSI) model, a
characteristic that has made it difficult for vendors to create applications and
directories based on the X.500 standard.

Note
DAP and DSP are only two of the protocols outlined in the X.500 standard.
The standard defines additional protocols to handle specific types of
communications (such as updates) between DSAs.


X.500 Authentication

In the X.500 standard, the DUA uses the bind operation to establish a session with
the DSA. During this operation, the DUA initiates a connection to the DSA and
submits the user’s login credentials.
The X.500 standard defines two authentication methods:
• simple authentication, which requires the user to enter his or her
distinguished name and password
• strong authentication, which requires a digital certificate as outlined in the
X.509 standard

Distinguished Name and Password
Each object in an X.500 directory tree has a unique name based on its context, or
position, in that tree. For example, user Samantha Reynolds is in the Engineering
OU object, which is in the Research organization object, which is in the ABC
Company root. Her distinguished name reflects that context, as shown below:
CN=Samantha Reynolds, OU=Engineering, O=Research
(CN stands for common name.)


To log in to the directory tree, the user must provide his or her password, as well
as his or her distinguished name.
The DUA can transmit the distinguished name and password in plaintext to the
DSA, or the DUA can encrypt it. The X.500 standard does not require encryption.

X.509
With X.509, each X.500 operation and result can be signed to ensure its integrity. In
this process, either the originating user or the server can use its public key, and the
signed request transfers from end to end in the protocol: with the public key, X.500
can check integrity at every step to protect against attackers or intermediate servers
modifying information along the way. (For more information on digital certificates,
see the “Digital Certificates” section of this module.)


X.500 Authorization

In addition to controlling authentication to the directory tree, the X.500 standard
defines authorization, or access controls, for objects and attributes in the directory
tree. Attributes define the information that can be stored about each object in the
directory tree. For example, attributes for a user object might include a password, a
telephone number, and a company department.
The X.500 standard defines which objects and attributes can be protected through
access controls. It also defines the types of permissions that can be granted to each
protected object. For example, the read permission allows the user to view an
object. The modify permission allows the user to change an object or its attributes.
Permissions are granted to both the user objects that perform operations in the
directory tree and the protected objects on which the operations will be performed.
Each access control decision includes:
• the user object requesting the operation
• the object or attribute that is affected by the operation
• the permissions required to complete the operation


The X.500 access controls are more complex than this simplified description
suggests. What is important to understand, however, is that these access controls
allow the directory service to determine the operations each user can perform on
the different objects in the directory tree.
The X.500 standard also defines administrative models that allow you to delegate
administrative control for portions of the directory tree. For example, you could
grant a network administrator in Chicago all the rights needed to manage the
Chicago container, which includes all of the objects for the network resources and
users in the Chicago office. Although the network administrator has all rights to
the Chicago container, however, you could ensure that he or she does not have any
rights to the London container.


LDAPv3

The Internet Engineering Task Force (IETF) developed LDAP to overcome one of
the major issues preventing vendors from creating directories and applications that
complied with the X.500 standard. LDAP provides a simplified method for
communications between an endpoint and the directory. LDAP uses TCP/IP
instead of the entire OSI stack to access the directory, eliminating much of the
connection setup and packet-handling overhead of the OSI Session and
Presentation Layers, which DAP requires.
Over time, LDAP has evolved to become more than a lightweight access protocol
for X.500. For example, LDAP makes the directory extensible, allowing vendors
to add new objects or new attributes to entries.
Like X.500, LDAP also defines the operations that users can perform in the
directory tree.
Because LDAP is an open protocol, LDAP-compliant directories should
recognize all applications that support this standard—although you should
always verify support with the vendor. Some of the major directory services that
support LDAP include:
• Novell eDirectory
• Microsoft Active Directory
• Red Hat Directory Server
• Sun Java System Directory Server Enterprise Edition


LDAPv3 Authentication Methods

Before requesting information from a directory, an LDAP client must first use the
bind operation to authenticate to an LDAP server. (An LDAP client can represent
a user or an application.) LDAPv3 supports two authentication methods with the
bind operation:
• simple authentication
• Simple Authentication and Security Layer (SASL)

Simple Authentication
With simple authentication, three types of authentication are possible:
• Anonymous authentication—In an anonymous bind operation, the LDAP
client sends a bind request that contains a zero in both the name and the
password values. Provided primarily for LDAP-compliant applications, the
anonymous authentication enables applications to:
• read the directory
• determine the access controls and directory extensions that have been
applied
• determine if SASL authentication methods have been implemented


• Unauthenticated—The unauthenticated method is provided for logging
purposes. It is not intended for user logins and should not provide access to
the directory tree.
• Distinguished name and password—When a user enters a valid
distinguished name and password, that user can be both authenticated and
authorized to access the tree. Because most users do not know their
distinguished name, most LDAP clients allow users to browse the directory
tree until they find the correct context and object—thereby deriving their
distinguished name.
When LDAPv3 was first released, it did not require encryption for the user’s
password as it was sent over the wire. The password could be sent in plaintext.
In an effort to strengthen LDAPv3 security, the IETF established “mandatory-to-
implement mechanisms” in June 2006. (See Request for Comments [RFC] 4513.)
For example, LDAP servers that support the distinguished name and password
authentication must be able to use TLS to protect the transmission of login
credentials. In addition, LDAP servers must support the anonymous
authentication.
As an open standard, LDAPv3 supports other types of protections for the
distinguished name and password. For example, some directory services use
LDAP over Secure Sockets Layer (SSL) to encrypt the name and password before
it is sent across the wire.
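Added example, not from the course: a Python model of how an LDAPv3 server should classify the three simple-bind forms described above and apply the RFC 4513 rules (fail an unauthenticated bind, refuse a password over a cleartext connection, and use one result code for unknown user and wrong password). The directory entry, the PBKDF2 storage format and the DN normalization are constructed simplifications; real servers use their own password schemes and the full RFC 4514 DN rules.

```python
import hashlib
import hmac

# LDAP resultCodes used below (RFC 4511, appendix A)
SUCCESS, INVALID_CREDENTIALS = 0, 49
CONFIDENTIALITY_REQUIRED, UNWILLING_TO_PERFORM = 13, 53


def normalize_dn(dn):
    """Case-fold attribute types and strip spaces around RDN separators so
    'CN=Samantha Reynolds, OU=Engineering, O=Research' matches the stored form.
    Simplified: no RFC 4514 escaping and no multi-valued RDNs."""
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad RDN: {rdn!r}")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(rdns)


def hash_password(password, salt):
    """Constructed storage scheme (PBKDF2-SHA256); a real server uses its own."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed directory: normalized DN -> (salt, password hash)
DIRECTORY = {
    normalize_dn("CN=Samantha Reynolds, OU=Engineering, O=Research"):
        (b"salt-1", hash_password("correct horse", b"salt-1")),
}


def simple_bind(name, password, tls_active, require_tls_for_passwords=True):
    """Return (resultCode, authorization identity) for a simple Bind request."""
    if name == "" and password == "":
        return SUCCESS, "anonymous"           # anonymous bind: browse only, no user rights
    if password == "":
        # Unauthenticated bind: RFC 4513 says fail it by default; never treat it as a login
        return UNWILLING_TO_PERFORM, None
    if require_tls_for_passwords and not tls_active:
        return CONFIDENTIALITY_REQUIRED, None  # refuse a plaintext password on the wire
    try:
        entry = DIRECTORY.get(normalize_dn(name))
    except ValueError:
        entry = None
    if entry is None:
        return INVALID_CREDENTIALS, None      # same code as a wrong password: no enumeration
    salt, stored = entry
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return INVALID_CREDENTIALS, None
    return SUCCESS, normalize_dn(name)
```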

Simple Authentication and Security Layer (SASL)
SASL provides an open authentication framework that supports a variety of
authentication and data integrity methods. (As Module 5—Layer 2: Data Integrity
and Privacy explains, data integrity mechanisms encrypt data so eavesdroppers
cannot read the data as it is transmitted across the network infrastructure.) In
general, SASL specifies a challenge-response sequence in which the LDAP server
and the LDAP client exchange information required to authenticate.
SASL supports different mechanisms for authentication, including:
• Generic Security Services Application Program Interface (GSSAPI 2)—
By itself, GSSAPI does not provide any security; rather it is an application
programming interface for programs to access security services. To establish
a session, the two endpoints exchange inherently secure tokens on an
insecure network. After numerous token exchanges, the GSSAPI
implementations at both ends inform their local application that a security
context has been established and that sensitive application messages can be
encrypted and sent.
• Kerberos 4 and 5—Kerberos allows individuals communicating
over an insecure network to prove their identity to one another in a secure
manner that prevents eavesdropping or replay attacks and that ensures data .


• Digest-MD5—Using Digest-MD5, the LDAP server sends authentication
options to the client, to which the client responds with an encrypted packet.
The LDAP server decrypts the data and verifies the client’s response. The
Digest-MD5 SASL mechanism also supports the establishment of a
negotiated security layer after successful authentication. This layer provides
for integrity and privacy protection.
„ Challenge-Response Authentication Mechanism-MD5 (CRAM-MD5)—
Superseded by Digest-MD5, CRAM-MD5 is a challenge-response
authentication mechanism. The server first sends a challenge to the client.
The client responds with a username and a password, which acts as the secret
key, followed by a digest in hexadecimal notation. The server also calculates
its own digest with the password stored for the user. If the client’s digest and
the server’s digest match, then authentication was successful.
„ S/Key—S/Key is a one-time challenge-response password scheme that
eliminates the need for the same password to be conveyed over a network
each time a password is needed for access. A series of passwords is created at
once, and each password is used only one time; therefore, an attacker who
obtains a password cannot use it in a replay attack; the password becomes
invalid after the first use.
„ External—External authentication enables security protections such as IP
Security (IPsec) or TLS (for authentication as well as for data integrity).
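The two challenge-response mechanisms in the list above are easiest to understand in code. The following Python is an added example, not part of this course or of any LDAP implementation: it carries out a CRAM-MD5 exchange (an HMAC-MD5 keyed with the password, as RFC 2195 specifies) and an S/Key-style one-time password chain, and shows on the verifier side why a response captured under one challenge, or a reused one-time password, is rejected. The hostname, credentials and seed are constructed sample values; the S/Key part keeps the full MD5 digest instead of the 64-bit folding RFC 2289 performs, which simplifies the chain without changing its logic.

```python
import hashlib
import hmac
import os
import time

# --- CRAM-MD5 (RFC 2195), the computation behind the SASL CRAM-MD5 mechanism ---

def cram_md5_challenge(hostname: str = "ldap.example.test") -> bytes:
    """Server side: a fresh, unpredictable challenge in RFC 2195's msg-id form.
    The hostname is a constructed sample value."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: the password never leaves the client; only an HMAC-MD5
    keyed with it is returned, as 'username SP hexdigest'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def cram_md5_verify(response: bytes, challenge: bytes, password_db: dict) -> bool:
    """Server side: recompute the HMAC from the stored password and compare in
    constant time. The server must hold the password in a recoverable form
    (or the HMAC's intermediate state), which is why the directory store
    itself must be protected."""
    username, _, digest = response.decode().partition(" ")
    stored = password_db.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# --- S/Key one-time passwords (RFC 1760/2289 scheme, simplified) ---
# RFC 2289 folds each hash to 64 bits and encodes it as six short words; this
# example keeps the full MD5 digest to show the chain mechanics only.

def skey_chain(secret: bytes, n: int) -> bytes:
    """Apply the hash n times: H^n(secret)."""
    value = secret
    for _ in range(n):
        value = hashlib.md5(value).digest()
    return value


class SKeyVerifier:
    """Server side: stores only (counter, H^counter(secret)), never the secret."""

    def __init__(self, secret: bytes, n: int):
        self.counter = n
        self.last = skey_chain(secret, n)

    def verify(self, otp: bytes) -> bool:
        if self.counter <= 1:
            return False  # chain exhausted; the user must re-enrol
        if hmac.compare_digest(hashlib.md5(otp).digest(), self.last):
            self.counter -= 1
            self.last = otp  # a replay of this same otp now fails
            return True
        return False


def skey_client_otp(secret: bytes, server_counter: int) -> bytes:
    """Client side: the next password is H^(counter-1)(secret)."""
    return skey_chain(secret, server_counter - 1)


def demo() -> dict:
    """Run both mechanisms on constructed credentials and report the outcomes."""
    db = {"alice": "correct horse"}      # constructed sample credential store
    chal = cram_md5_challenge()
    good = cram_md5_verify(cram_md5_response("alice", "correct horse", chal), chal, db)
    bad = cram_md5_verify(cram_md5_response("alice", "wrong", chal), chal, db)
    # a response captured under one challenge does not verify under a new one
    replay = cram_md5_verify(cram_md5_response("alice", "correct horse", chal),
                             cram_md5_challenge(), db)

    secret = b"constructed-skey-seed"
    server = SKeyVerifier(secret, n=100)
    otp1 = skey_client_otp(secret, server.counter)
    first = server.verify(otp1)
    replayed = server.verify(otp1)      # same value presented again: rejected
    second = server.verify(skey_client_otp(secret, server.counter))
    return {"cram_ok": good, "cram_wrong_pw": bad, "cram_replay": replay,
            "skey_first": first, "skey_replay": replayed, "skey_second": second}


if __name__ == "__main__":
    print(demo())
```

A defender-side point the code makes visible: CRAM-MD5 verification needs the stored password in a recoverable form, so the mechanism shifts the protection burden onto the directory store rather than removing it, whereas the S/Key verifier holds only the last accepted value and the counter.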


LDAPv3 Access Controls and Operations

LDAPv3 does not define a standard set of access controls for authorization—
probably because vendors had already defined their own access controls before
LDAPv3 was released. Instead, LDAPv3 supports the access controls implemented
by the various directory service vendors.
LDAPv3 does, however, define the types of operations that LDAP clients can
perform in the directory tree:
• Bind—enables authentication
• Unbind—terminates an LDAP session
• Abandon—terminates an operation that is not completed
• Search—defines the criteria and scope for a search and initiates the lookup
• Compare—compares the attribute value provided by the LDAP client to the
attribute value stored on the LDAP server
• Add—adds a new object
• Delete—deletes an object
• Modify—changes an object or its attributes
• Modify Distinguished Name (sometimes referred to as rename)—changes
an object’s distinguished name
In addition to these operations, LDAPv3 includes an extended operation that
directory service vendors can use to define new types of operations. The standard
also provides controls, which allow the vendors to modify the standard operations.
For example, a vendor could use a control in conjunction with a search operation
to make the LDAP server sort the search results in a particular order.
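To see what the bind operation actually puts on the wire, and why the requirement earlier in this section that simple authentication be protected by TLS matters, here is an added example (not code from the course or from any LDAP library) that encodes an LDAPv3 BindRequest in BER as RFC 4511 defines it, decodes it again, and flags a non-anonymous simple bind sent without TLS. The DN, password and mechanism are constructed sample values; cleartext_credentials_exposed and the other function names are this example's own.

```python
# Minimal BER encoder/decoder for the LDAPv3 BindRequest (RFC 4511), using
# definite-length encoding. Added example; not from the course or any LDAP library.

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])                      # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body    # long form


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value: int) -> bytes:
    """Non-negative INTEGER in minimal two's-complement form."""
    body = value.to_bytes((value.bit_length() // 8) + 1, "big")
    return _tlv(0x02, body)


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] {
         version 3, name LDAPDN, authentication simple [0] OCTET STRING } }"""
    bind = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))


def encode_sasl_bind(message_id: int, dn: str, mechanism: str, credentials: bytes = b"") -> bytes:
    """Same message with authentication sasl [3] SEQUENCE { mechanism, credentials }."""
    sasl = _tlv(0x04, mechanism.encode()) + _tlv(0x04, credentials)
    bind = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0xA3, sasl)
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def inspect_bind(msg: bytes) -> dict:
    """Parse an LDAPMessage and report what a bind request carries on the wire."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    info = {"message_id": int.from_bytes(mid, "big")}
    if op_tag != 0x60:
        info["op"] = "not a bind"
        return info
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    info.update(version=int.from_bytes(ver, "big"), dn=name.decode())
    if auth_tag == 0x80:
        info["auth"] = "simple"
        info["password"] = auth.decode()       # readable to any eavesdropper without TLS
    elif auth_tag == 0xA3:
        _, mech, _ = _read_tlv(auth, 0)
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode()
    else:
        info["auth"] = "unknown"
    return info


def cleartext_credentials_exposed(msg: bytes, tls_in_use: bool) -> bool:
    """Policy check: an authenticated simple bind over a non-TLS session exposes
    the DN and password. An empty password is an anonymous bind and carries no secret."""
    info = inspect_bind(msg)
    return (not tls_in_use) and info.get("auth") == "simple" and bool(info.get("password"))


if __name__ == "__main__":
    m = encode_simple_bind(1, "cn=admin,dc=example,dc=com", "s3cret")  # constructed sample
    print(m.hex())
    print(inspect_bind(m), cleartext_credentials_exposed(m, tls_in_use=False))
```

Running the block prints the hex of the request; the password appears in it byte for byte, which is the concrete reason a server that accepts simple binds must either require TLS or be reachable only over an otherwise protected path.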


Authentication via a Directory Service

This slide shows the authentication process when a network is protected by a
directory service. Using the LDAP client on the workstation, a user enters his or
her authentication credentials. The LDAP client uses a bind request to submit the
login credentials to the LDAP server, which checks these credentials against the
credentials stored in the directory. If the credentials match, the LDAP server
notifies the LDAP client and then allows the endpoint to access the network
resources to which the user has rights.


Authentication via a RADIUS Server and a Directory Service

Many companies are beginning to use RADIUS servers to authenticate users as
soon as they connect to an edge device. When a switch receives a user’s login
request, it submits the request to the RADIUS server. Many RADIUS servers, in
turn, are configured to use a directory as their data store. The RADIUS server
submits the request to the server that holds the directory.
The server compares the user’s login credentials to the values stored in the directory
and returns the results to the RADIUS server. If the user’s login credentials match
the values stored in the directory, the RADIUS server allows the user access. It might
also apply ACLs and other settings to the user. The switch receives and enforces the
RADIUS settings.
If the user’s login credentials do not match the values stored in the directory, the
RADIUS server rejects the authentication and the user is denied access.

Further Reading
For more information about X.500, see DW Chadwick, Understanding
X.500—The Directory, 1994 (http://sec.cs.kent.ac.uk/x500book/).
For more information about LDAPv3, see RFC 4513 (by visiting
http://www.ietf.org and entering the RFC number in the IETF Search
field).


Single Sign-on (SSO)

Directory services were partially designed to simplify and bring consistency to
authentication and authorization. Instead of authenticating to many servers, users
would authenticate to a directory service that controlled access to those servers.
However, directory domains have multiplied and applications that enforce their
own authentication have proliferated. Users may need to enter separate passwords
to access secondary domains or applications that do not integrate completely with
the directory.
The slide illustrates a typical day for an employee forced to use multiple
passwords for multiple systems. Note that the user has developed several password
habits that could compromise network security.
In the morning, the user turns on her computer and enters her dog’s name as a
password to log into her workstation and default domain. Next she checks her
email and is forced to enter another password; in this case, she uses a password she
first composed to log on to her college system years earlier. She has been using
this password for years on a number of systems and Internet sites.


Later in the day, she must access a database of financial records and a File
Transfer Protocol (FTP) site in another domain. She’s forgotten the FTP site’s
password, as she has several times. She’ll once again have to contact the IT staff;
if no one is available to resolve her issue, she’ll be forced to do without this
information. To prevent herself from forgetting the password for the financial
records database, she has written it down on a sticky note—a good idea, maybe, as
an aid against forgetfulness, except that anyone who finds the note can freely
browse sensitive information about the company’s customers.
This scenario illustrates two problems that arise when users must enter password
after password throughout the day:
• Inefficiency—Instead of immediately accessing necessary resources, users
must wait to once again authenticate. Forgotten passwords may prevent
users from completing work until they receive a new password. Users may
become frustrated by the many passwords they must remember, and the
more passwords each user has, the more calls IT staff will receive about lost
passwords and other authentication problems. On the network administrator
side, managing many accounts is a nightmare, particularly when a user must
be added or deleted from the system.
• Decreased security—When users must remember many passwords, they
make those passwords easy to remember—and easy to guess. Users who
write down their passwords might almost as well hand them over to hackers.
SSO solutions reduce the number of passwords users must enter themselves—
ideally to one, although this is not always possible. The mechanics of SSO
solutions, which may need to integrate a great many separate authentications, can
be rather complex. For this course, you simply need to understand the end result of
these mechanisms at a high level.
An SSO solution renders multiple authentications transparent to the user. He signs in
once to the SSO server, and this server handles subsequent authentications for him.
Various SSO solutions implement the service differently. Some have the user log
into a primary domain. The SSO service then passes authentication credentials
directly on to secondary domains.
Others, such as Kerberos, issue tickets to users who have authenticated themselves
to the Kerberos server. Each ticket authorizes the user for a specific service or
resource. For this implementation, the services requiring authentication must
understand and accept Kerberos tickets.
Other SSO solutions tap into a bank of all passwords and credentials associated
with users. The SSO service intercepts requests for authentication and fills in the
necessary information. In addition to storing user credentials securely (far more
securely than on a sticky note), some solutions actually negotiate new credentials
with applications requiring authentication. This ensures that passwords follow
your company’s policies.


Considerations for an SSO service include:
• The process by which the service integrates with the directories and
applications that require authentication—Not all services can integrate, or
integrate easily, with all applications, which is why SSO is often more a goal
than a reality. Still, while entering three passwords may not be ideal, it is
better than entering ten.
• The measures the service takes to store and submit authentication
credentials securely—The SSO service should use strong encryption
algorithms (which you will learn about in Module 5—Layer 2: Data Integrity
and Privacy).

Further Reading
For more information on SSO, see the Open Group at
http://www.opengroup.org/security/sso or see
http://www.wikipedia.org/wiki/Single_sign-on.
For information from various SSO solution vendors, see:
– Protocom SecureLogin (http://www.protocom.com)
– Citrix Password Manager (http://www.citrix.com, listed with
products and solutions)
– Novell SecureLogin (http://www.novell.com, listed with
products)


Access Control

You should now have a thorough understanding of authentication—all of the many
cogs in the machine that decide who connects to your network at which times and
from which locations.
In the discussion of AAA, you learned that authorization, or access control, is
closely tied to authentication. In many ways, simple authentication is just
wholesale access—opening the floodgates and letting everything through.
Access control, on the other hand, controls the authenticated user. If authentication
is deciding whether to open the floodgates, access control is installing a water
treatment plant at the gates, filtering the water, and piping it toward permissible
destinations.
You will now look at the mechanics of this “plant,” which are built in large part on
VLAN assignments and ACLs.
You will also learn about firewalls, which serve much the same function—filtering
traffic—but with quite different processes.


VLANs

One of the oldest ways of managing and isolating user traffic, VLANs remain an
important security tool—though far from the capstone of security, a foundational
block nonetheless.
In very early LANs, all users were part of the same subnet or broadcast domain.
Any bad traffic could spread throughout the entire network. What did would-be
hackers care for traffic controls, if their traffic could reach servers and
management interfaces without ever having to pass through a device intelligent
enough to filter it?
A VLAN divides users into separate broadcast domains, each isolated and
relatively secure from the others. For example, a network typically includes a
management VLAN, which cordons off all the IP addresses through which you
access and configure network devices from the one or more user VLANs. Traffic
cannot cross a VLAN boundary unless forwarded by a router, which can filter the
traffic appropriately.


Sometimes the management VLAN is also the default VLAN, into which all newly
connected devices are automatically placed. Such a system places the most trusted
and most sensitive devices (in terms of the havoc a hacker can wreak by accessing
them) with the least trusted devices. Therefore, some administrators create a new
management VLAN and use the default VLAN for currently unused ports. If a
rogue user plugs into an unguarded port, his traffic dead-ends in the default
VLAN.
In contemporary networks, edge devices often filter traffic, and VLANs are far
from the only way to immediately control traffic. However, VLANs remain an
essential way of classifying traffic for the appropriate controls. Intelligently
placing users in VLANs ensures that each user always receives the correct
network rights.


User-Based VLANs

A VLAN is a logical definition all too often stated in physical terms.
Administrators decide which users should be in which VLANs and which users
should use which access ports; they then place the port—not the user—in the
VLAN. The user’s connection to the VLAN is only as strong as their connection
to the port.
In the past, a single user may have been fixed securely to a single port—not so
today. Contractors and temporary workforce may come and go. Various visitors
might need various levels of access; you cannot dedicate a workstation to each
visitor and leave it unused for long stretches of time. A wireless AP, in the
revolving-door wireless world, might support a constantly shifting group of users.
VLANs—those locked-off rooms of the networking building—still isolate traffic,
but users might find themselves in any room.
No human can reassign ports to the correct VLANs quickly enough. You are faced
once again with the dilemma of the contemporary administrator: leave matters as
they stand and watch your security solutions evaporate, or tighten security—
restrict all user VLANs to the lowest level of access, prohibit guests from
connecting to your network, abolish wireless devices—and risk cutting users off
from the very resources you are trying to protect.


User-based VLANs offer a third option. Instead of assigning a user to a port and a
port to a VLAN and trusting that the user will stay put, you can remove the
middleman: assign the user to the VLAN and store the assignment on a AAA
server. The server takes over your role (assigning a port to a VLAN depending on
the user who connects to it) and delivers the correct VLAN assignment to the
access port every time a new user authenticates.


Wireless LANs (WLANs)

A WLAN is to the wireless world much as a VLAN is to the Ethernet world.
A single switch can support multiple VLANs, and multiple switches can support
the same VLAN; the virtual association, not the physical, is key. Similarly, a
single wireless AP can support multiple WLANs, and multiple APs can support
the same WLAN. Endpoints in the same WLAN are part of the same network no
matter to which AP they currently connect; mobile users can, and do, roam to new
APs all the time. A WLAN is associated with an Extended Service Set (ESS)
because it is made up of the Basic Service Sets (BSSs) of multiple APs.
Due to the particular needs and security vulnerabilities of a wireless network, a
WLAN defines various settings that a VLAN does not. Most important for
security, a WLAN specifies the encryption standard for the network as well as the
authentication method users must complete to join the WLAN. For example, the
most secure WLANs use 802.1X authentication.
Wireless APs are the interface between wireless and Ethernet networks, and the
AP must forward traffic from each user in a WLAN into a particular VLAN.
The AP can assign all traffic from a particular WLAN to a single VLAN: this is
much like assigning a port to a VLAN without assurance that the correct user
connects through that port. APs can also receive AVPs to assign traffic to
VLANs on a user-to-user basis.


ACLs

An ACL is a more granular mechanism for controlling network access. It is a
series of rules to which a network device compares every packet that arrives. An
ACL can operate either at Layer 2 or Layer 3/4. A Layer 2 ACL is a list of allowed
MAC addresses, such as those discussed in “MAC Authentication.” A Layer 3/4
ACL might include a variety of fields:
• protocol (TCP, UDP, Internet Group Management Protocol [IGMP], Generic
Route Encapsulation [GRE], and so forth)
• IP source address
• source port
• IP destination address
• destination port (for example, UDP 67 to allow DHCP traffic)
The network device compares a packet’s IP header to the rule. If the fields match,
it applies the rule, forwarding packets that match “allow” rules and dropping
packets that match “deny” rules.


In effect, the ACL controls which devices can access which other devices using
which applications. For example, you want to allow devices in VLAN 100 to
access a private Web server. In an “allow” rule, you enter TCP for the protocol,
specify the address of the VLAN 100 subnet as the IP source address, leave the
source port unspecified, and enter the Web server’s IP address as the IP destination
address and 80 (HTTP) for the destination port.
You can apply ACLs manually to a certain access port to control all traffic on that
connection, or you can apply an ACL to a certain VLAN to control all traffic from
users in that VLAN. You can also apply ACLs to interfaces on a router.
A device today should be able to process hundreds of ACLs.
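The matching logic just described, as an added Python example (not from the course or from any switch's firmware): rules carrying the five fields listed above, evaluated top to bottom with the first match deciding and an implicit deny at the end, plus a check for a rule that can never match because an earlier, broader rule shadows it, which is a common way an ACL ends up less strict than its author intended. The VLAN 100 subnet, the web server address and the rule set are constructed samples, and HTTP is taken to be TCP port 80.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", "igmp", "gre", ...
    src: str                   # source IP address
    dst: str                   # destination IP address
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None = any protocol
    src: Optional[str] = None        # CIDR network, None = any source
    dst: Optional[str] = None        # CIDR network, None = any destination
    sport: Optional[int] = None      # None = any source port
    dport: Optional[int] = None      # None = any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """Rules are compared top to bottom; the first match decides, and a packet
    that matches nothing is dropped (the implicit deny most devices apply)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed sample: VLAN 100 is 10.100.0.0/24, the private web server is 10.0.5.10.
VLAN100_ACL = [
    Rule("permit", proto="tcp", src="10.100.0.0/24", dst="10.0.5.10/32", dport=80),
    Rule("permit", proto="udp", src="10.100.0.0/24", dport=67),              # DHCP requests
    Rule("deny", proto="tcp", src="10.100.0.0/24", dst="10.0.5.10/32"),      # anything else to the server
    Rule("permit", proto="icmp", src="10.100.0.0/24"),                       # keep ping working
]


def _covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet matching `narrow` also matches `broad`."""
    def net_covers(a, b):
        return a is None or (b is not None and ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a)))

    def val_covers(a, b):
        return a is None or a == b

    return (val_covers(broad.proto, narrow.proto) and net_covers(broad.src, narrow.src)
            and net_covers(broad.dst, narrow.dst) and val_covers(broad.sport, narrow.sport)
            and val_covers(broad.dport, narrow.dport))


def shadowed_rules(acl: List[Rule]) -> List[tuple]:
    """(index, shadowing_index) pairs: rule `index` can never match because an
    earlier rule already matches everything it would. A permit that shadows a
    later deny silently widens access."""
    return [(i, r) for i, rule in enumerate(acl) for r in range(i) if _covers(acl[r], rule)]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.100.0.7", "10.0.5.10", 51000, 80),
                Packet("tcp", "10.100.0.7", "10.0.5.10", 51000, 22),
                Packet("tcp", "10.200.0.7", "10.0.5.10", 51000, 80)):
        print(pkt, "->", evaluate(VLAN100_ACL, pkt))
    print("shadowed:", shadowed_rules(VLAN100_ACL))
```

The shadow check is deliberately conservative: it reports a rule only when an earlier rule covers it on every field, so it never produces a false positive, but it will not notice a rule that is covered only by the combination of several earlier rules.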


User-based ACLs

• A NAS can also apply ACLs dynamically—to a particular user for as
long as that user connects.
• The NAS receives the ACL as an AVP from a RADIUS or TACACS+
server.

[Slide: on Monday User 1 authenticates and the AAA server returns an Access-Accept
carrying AVP-ACL A to the NAS; on Tuesday User 2 authenticates and the AAA server
returns an Access-Accept carrying AVP-ACL B.]

Just as your network can implement user-based VLANs, it can implement user-
based ACLs—and for the same reasons. Users in the same VLAN should typically
receive the same rights, and ACLs do the grunt work of enforcing those rights. A
port without the appropriate ACL is not properly secured, even if it implements
authentication.
User-based ACLs spare you from devoting all your time to configuring
complicated ACLs that still are not where they need to be.
When the AAA server accepts a user’s authentication, it sends the ACL configured
for that user, ensuring all users receive the correct level of access no matter when,
where, and how they connect to the network.
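The Access-Accept that carries user-based settings is described here and in the earlier sections “Authentication via a RADIUS Server and a Directory Service” and “User-Based VLANs”. As an added example (not the course's or any RADIUS server's code), the Python below builds an Access-Accept with the RFC 2868 tunnel attributes used for VLAN assignment plus a Filter-Id naming an ACL, and shows the checks a NAS performs before enforcing them: the Response Authenticator computed with the shared secret as RFC 2865 specifies must verify, the identifier must match the outstanding request, and the VLAN attributes must arrive as a complete set. The shared secret, VLAN number and ACL name are constructed sample values.

```python
import hashlib
import hmac
import os

# RFC 2865 packet header: Code(1) Identifier(1) Length(2) Authenticator(16)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
FILTER_ID = 11                                   # RFC 2865: name of the filter/ACL to apply
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-Value Pair: Type(1) Length(1, header included) Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: 1 tag byte followed by 3 value bytes."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_avps(vlan_id: int, acl_name: str) -> bytes:
    """The attribute set a server sends to place a user in a VLAN and apply an ACL."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode())
            + avp(FILTER_ID, acl_name.encode()))


def build_access_accept(identifier: int, request_authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side. Response Authenticator =
       MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    length = 20 + len(attrs)
    head = bytes([ACCESS_ACCEPT, identifier]) + length.to_bytes(2, "big")
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def nas_validate_accept(packet: bytes, identifier: int, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose authenticator does not verify against the shared
    secret, or whose identifier does not match the outstanding request, must be
    discarded; otherwise anyone able to reach the NAS could inject an accept."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT or packet[1] != identifier:
        return False
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(attrs: bytes) -> dict:
    """Extract the user-based settings the NAS will enforce."""
    out, pos = {}, 0
    while pos + 2 <= len(attrs):
        t, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute")
        v = attrs[pos + 2:pos + length]
        pos += length
        if t == TUNNEL_TYPE:
            out["tunnel_type"] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_MEDIUM_TYPE:
            out["tunnel_medium"] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            body = v[1:] if v and v[0] <= 0x1F else v      # a leading byte <= 0x1F is a tag
            out["vlan"] = int(body.decode())
        elif t == FILTER_ID:
            out["acl"] = v.decode()
    return out


def nas_apply(packet: bytes, identifier: int, request_authenticator: bytes, secret: bytes):
    """Return the settings to enforce, or None when the reply must be rejected."""
    if not nas_validate_accept(packet, identifier, request_authenticator, secret):
        return None
    settings = parse_attributes(packet[20:])
    if settings.get("tunnel_type") != TUNNEL_TYPE_VLAN or settings.get("tunnel_medium") != TUNNEL_MEDIUM_802:
        return None     # a VLAN id is only meaningful with both companion attributes present
    return settings


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)          # the NAS generated this in its Access-Request
    accept = build_access_accept(7, req_auth, vlan_avps(100, "ACL_A"), secret)
    print(nas_apply(accept, 7, req_auth, secret))
```

The Response Authenticator binds the reply to the request's random authenticator and to the secret, so a reply replayed from an earlier exchange, or one forged without the secret, fails the check; it does not encrypt the attributes, which is why the RADIUS path between switch and server still belongs in a management VLAN.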


ProCurve Identity Driven Manager (IDM)

An example of user-based ACL management is ProCurve Networking’s Identity
Driven Manager (IDM). Stepping back, we know the RADIUS server sends the
user-based settings, but where does the server itself learn them? Transferring user
rights stored in a directory to AVPs stored for each user in each RADIUS database
can be complicated—not to mention time consuming.
ProCurve IDM, a part of the ProCurve Manager Plus (PCM Plus) software
included as a free trial with all ProCurve products, simplifies the process.
With IDM, you create communities of users. (In addition to user identities, the
community can specify certain times and locations.) You then use IDM’s Policy
Manager to define these user-based settings for every user in the community:
• subnet (VLAN)
• ACLs, which determine what resources the user can and cannot access
• rate limit
• QoS settings
Finally, you apply the policy to one or more RADIUS servers. IDM agents
installed on the server automatically configure the correct AVPs to implement the
policy whenever and wherever a user connects.


Further Reading
For information on ACLs, both manual and user-based, user-based
VLANs, and IDM, see also these ProCurve Networking courses:
– ProCurve Networking Security
– ProCurve Networking Mobility (for how these policies
integrate with the wireless world)
See also these ProCurve Networking white papers:
– Delivering Intelligent Network Access through Identity Driven
Management
– IDC Report: Identity and Access Management
– ACLs in ProCurve IDM 2.0: Making User-Based Security
More Usable
You can look up these white papers at
http://www.hp.com/rnd/library/a-z_index.htm#Archived.


Firewalls

Firewalls are another security component intrinsic to access control. Sitting at the
network perimeter, a firewall acts as the guardian, filtering and controlling all
traffic flow into a trusted network.
Firewalls can enforce relatively complex access control policies between any
internal and external network—or even between two remote networks that are part
of the same organization. Most often, however, they secure a private network that
connects to the insecure Internet. Firewalls have long shouldered the bulk of
network security, and while the network perimeter is no longer the only
vulnerability, a firewall is still an important security device.
Firewalls filter incoming packets primarily based on header information such as
source and destination network addresses, protocol, and application, or any
combination of these factors. They also screen for packets that display symptoms
indicative of an attack, such as an out-of-order TCP-RST (reset) packet.


Various types of firewalls offer different protection methods, which differ in
performance and the level of security offered. These types include:
• packet filtering firewalls
• circuit-level gateways
• proxy servers (application-level gateways)
• stateful-inspection firewalls
Depending on the type, a firewall can provide:
• advanced packet-by-packet inspection
• application content filtering
• application authentication/authorization
• encryption technology
• Network Address Translation (NAT)


Packet-filtering Firewall

As the network guardian, a packet-filtering firewall screens incoming and outgoing
packets according to rules configured on it. Operating at the Network and
Transport Layers (Layers 3 and 4) of the OSI model, the firewall accepts or denies
a packet based on information contained in the packet’s IP and Layer 4 (TCP or
UDP) headers, including:
• protocol type
• source IP address
• destination IP address
• source port number
• destination port number
The firewall works like a guard who stands at a company’s door with a list of
people allowed to come in and the employees they are allowed to see. However,
once the guard opens the door to and escorts a visitor to an employee, the guard
leaves the employee and visitor to do their own talking.
Because a packet-filtering firewall checks information in IP packet headers only,
sneaking packets through this type of firewall is relatively easy: a hacker simply
creates packet headers that satisfy the firewall’s rules for permitting packets. The
firewall cannot detect the actual contents of a packet.

Advantages and Disadvantages


To integrate a packet-filtering firewall into your network, you must establish rules,
such as ACLs, against which the firewall compares the full association of the
packets to decide which should be allowed and which discarded. For example, you
can create rules that block packets from specific untrusted endpoints, which you
identify by IP address. You can also create rules that permit particular types of
connections (such as FTP connections) only if they are using the appropriate
trusted servers (such as the company’s FTP server). The rules are fairly complex to
create, and you must update the firewall rules table whenever your network’s
topology changes.
It is also important to note that a packet-filtering firewall examines each packet
individually without regard for any other packet transmitted as part of the same
session. If a packet matches the pre-configured set of rules, it is accepted and
continues to its intended destination. If a packet does not match the rules, it is
blocked or discarded.
However, because a packet-filtering firewall operates at lower layers, it works
quickly and can be implemented transparently. The only time a user may notice
the firewall is when he is denied access to a resource or service that has been
blocked. Otherwise, any port open to the user is open to all traffic from that user.


Circuit-level Gateway

A packet-filtering firewall is like a guard who lets anyone on his list talk to an
employee. A circuit-level gateway, on the other hand, is like a guard that monitors
the conversation itself. If someone arrives with a “flag” that signals danger—for
example, a bulge in the shape of a gun—the guard will not admit her. If, at any
point during a conversation, the visitor starts acting oddly—speaking gibberish or
out-of-order words—the guard escorts her out. Finally, the guard might stand
between an employee and visitor, passing messages back and forth between them.
A circuit-level gateway protects your network by monitoring TCP handshakes
between untrusted endpoints and trusted clients or servers to determine whether or
not a requested session is legitimate. The gateway can also act as a proxy to
establish the session, communicating with the untrusted endpoint on behalf of the
trusted endpoint. This guardian operates at a more complex layer of the OSI
model—the Session Layer (Layer 5).
Attack Checking
When establishing a session between endpoints, the TCP handshake should
proceed as follows:
1. An endpoint sends a TCP packet with a SYN (synchronize) flag.
2. The server sends a TCP packet with SYN and ACK (acknowledge) flags.
3. The endpoint sends a TCP-ACK packet.


Various denial-of-service (DoS) attacks disrupt this process. For example, a SYN-
flood attacker bombards a server with multiple session requests, but never returns
TCP-ACK packets to finish the handshake. The server soon lacks the resources to
accept legitimate requests. The circuit-level gateway can guard against such an
attack by acting as a proxy. Instead of forwarding an endpoint’s TCP-SYN packet
directly to a server, the firewall returns the SYN-ACK to the endpoint as well as a
cookie that stores information about the session. Only if the endpoint replies with a
TCP-ACK and the correct cookie does the firewall treat the request as legitimate.
Other attackers capitalize on set behaviors elicited by certain TCP flags. The
firewall can drop any SYN packets with unnecessary flags:
• URG
• RST
• FIN
Untrusted endpoints must meet other basic filtering criteria. For example, the DNS
server must be able to locate the client’s IP address and associated Web address.
However, once a requested session is deemed legitimate, the circuit-level gateway
copies and forwards packets back and forth without further filtering them. For this
reason, as with a packet-filtering firewall, a hacker on an untrusted network could
possibly slip malicious packets past the circuit-level gateway.
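The cookie-based proxying described above can be shown concretely. The following Python is an added example (not the course's or any vendor's implementation): the gateway answers a SYN with an initial sequence number that encodes a keyed MAC over the connection's addresses, ports and a time counter, keeps no state, and creates a session only when the returning ACK proves the client holds that cookie; it also applies the SYN-flag check listed above. The cookie layout, secret handling and all names are constructed for illustration and are simplified relative to real TCP stacks.

```python
import hashlib
import hmac
import os
import time

# The gateway answers every SYN with a SYN-ACK whose ISN is a "cookie" derived
# from the 4-tuple, a time counter and a secret. Nothing is stored until a valid
# ACK returns, so a flood of SYNs cannot exhaust a half-open connection table.
# Layout (constructed, not any OS's exact scheme): 8-bit counter, 24-bit MAC.

SECRET = os.urandom(16)          # in practice rotated periodically
COUNTER_PERIOD = 64              # seconds per counter tick


def _counter(now: float) -> int:
    return int(now // COUNTER_PERIOD) & 0xFF


def _mac(saddr: str, daddr: str, sport: int, dport: int, counter: int, client_isn: int) -> int:
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}|{client_isn}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, now=None) -> int:
    """Called when a SYN arrives; the returned value becomes the SYN-ACK's ISN."""
    now = time.time() if now is None else now
    c = _counter(now)
    return ((c << 24) | _mac(saddr, daddr, sport, dport, c, client_isn)) & 0xFFFFFFFF


def check_syn_cookie(saddr, daddr, sport, dport, client_isn, ack_number, now=None) -> bool:
    """Called when a bare ACK arrives for a 4-tuple with no stored state. It must
    acknowledge ISN+1, the counter must be current (this tick or the previous
    one) and the MAC must match; only then is a session created."""
    now = time.time() if now is None else now
    isn = (ack_number - 1) & 0xFFFFFFFF
    c = isn >> 24
    if c not in (_counter(now), _counter(now - COUNTER_PERIOD)):
        return False                                   # stale cookie
    expected = _mac(saddr, daddr, sport, dport, c, client_isn)
    return hmac.compare_digest(expected.to_bytes(3, "big"), (isn & 0xFFFFFF).to_bytes(3, "big"))


def syn_flags_acceptable(flags) -> bool:
    """A session request carries SYN alone; SYN combined with URG, RST or FIN
    has no legitimate use and is dropped before any cookie is issued."""
    flags = set(flags)
    return "SYN" in flags and not (flags & {"URG", "RST", "FIN"})


class CookieGateway:
    """Tiny front end showing how the two halves fit together."""

    def __init__(self):
        self.sessions = set()          # only fully handshaken 4-tuples live here

    def on_syn(self, saddr, daddr, sport, dport, seq, flags=("SYN",), now=None):
        """Returns the ISN to place in the SYN-ACK, or None when the SYN is dropped."""
        if not syn_flags_acceptable(flags):
            return None
        return make_syn_cookie(saddr, daddr, sport, dport, seq, now)

    def on_ack(self, saddr, daddr, sport, dport, seq, ack, now=None) -> bool:
        """The client's ACK carries seq = its own ISN + 1 and ack = our ISN + 1."""
        if check_syn_cookie(saddr, daddr, sport, dport, seq - 1, ack, now):
            self.sessions.add((saddr, daddr, sport, dport))
            return True
        return False


if __name__ == "__main__":
    gw = CookieGateway()
    isn = gw.on_syn("198.51.100.7", "203.0.113.10", 40000, 80, seq=12345)   # constructed sample
    print("sessions before ACK:", len(gw.sessions))
    print("valid ACK:", gw.on_ack("198.51.100.7", "203.0.113.10", 40000, 80, 12346, (isn + 1) & 0xFFFFFFFF))
    print("sessions after ACK:", len(gw.sessions))
```

The cost of this scheme, visible in the code, is that the counter limits how long a client has to complete the handshake and that nothing about the SYN (options such as window scaling) is remembered, which is why real stacks enable cookies only once the half-open table is under pressure.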

Proxy Server
A circuit-level gateway can act as a proxy server throughout sessions between
the internal and external endpoint. Such a gateway can optionally translate
source addresses on all outgoing packets so that they appear to have the proxy
server’s IP address. Such a server is also called a NAT server because it
translates internal addresses to a public address.

Advantages and Disadvantages


Circuit-level gateways that use NAT are useful for hiding information about
protected networks because all information passed to the external endpoint appears
to have originally come from the gateway. But these firewalls are not as
transparent as packet-filtering firewalls. Because they act as proxy servers, their
operation is processor-intensive. They require two sessions—one between the
internal endpoint and the gateway, and one between the gateway and the external
endpoint.
In some ways, circuit-level gateways are considered more secure: once a port is
open, only packets from the accepted session are allowed to pass, and as soon as
the session terminates, the port is closed. However, once the gateway establishes a
connection, any application can run across that connection because the gateway
filters packets only at the Session Layer of the OSI model. In other words, a
circuit-level gateway cannot examine the application-level content of the packets it
relays between a trusted network and an untrusted network.


Proxy Server (Application-level Gateway)

Like a circuit-level gateway, an application-level gateway (ALG) intercepts
incoming and outgoing packets, runs proxies that copy and forward information
across the gateway, and functions as a proxy server, preventing any direct
connection between a trusted server or endpoint and an untrusted endpoint. Unlike
circuit-level gateways, ALGs operate at the OSI Application Layer (Layer 7). An
ALG does not simply copy all packets and forward them blindly across the gateway;
rather, it examines and filters all packets and accepts only those packets
generated by the services it is designed to copy, forward, and filter (such as
HTTP, FTP, and Telnet).

Advantages and Disadvantages


ALGs can deny access to some network services, while providing access to others,
in accordance with your network security policy. They filter particular commands
or information relating to specific application protocols. They can even restrict
your employees from performing specific actions. For example, the gateway could
be configured to prevent employees from performing the FTP Put command: the
firewall would drop packets containing this command, so that employees could not
write to the FTP server. Prohibiting this action can prevent serious damage to the
information stored on the server. And ALGs can log activities and note significant
events, which can alert you to potential intruders. An ALG is one of the most
secure firewalls available.

However, because of their complex screening process, ALGs are less transparent
even than circuit-level gateways. The gateway also requires two separate
connections (from the trusted network to the gateway and from the gateway to the
untrusted network).
The greatest limitation of the ALG is that a separate proxy must exist for each
protocol used in the network. For example, only a Telnet proxy can copy, forward,
and filter Telnet traffic. Thus, if the network relies only on an ALG, incoming and
outgoing packets cannot access services for which there is not a proxy, and the
administrator must modify the gateway’s protocol stack to handle each new
application. Finally, ALGs cannot provide proxies for UDP, Remote Procedure
Call (RPC), and certain other services from common protocol families.


Stateful-inspection Firewall

A stateful-inspection firewall combines aspects of a packet-filtering firewall, a
circuit-level gateway, and ALGs, examining packet contents at the Network,
Transport, Session, Presentation, and Application Layers (Layers 3–7).
At the Network Layer, the stateful-inspection firewall operates like a packet-
filtering firewall, filtering all incoming and outgoing packets based on source and
destination IP addresses and port numbers. Like a circuit-level gateway, it also
ensures that the packets in a session are appropriate. Finally, a stateful-inspection
firewall evaluates the contents of each packet up through the Application Layer
and ensures that these contents match the rules in your company’s network
security policy.
However, to analyze data at the Application Layer, a stateful-inspection firewall does
not require the two separate connections (from the trusted network to the gateway and
from the gateway to the untrusted network) that may affect performance.

Attack Checking
In a dynamic state table, the stateful-inspection firewall records the significant
attributes of each connection from start to finish that constitute the state of the
connection:
• source and destination TCP and UDP port numbers
• TCP sequence numbering
• TCP flags
• TCP session state, based on the TCP state machine defined in the RFCs
• UDP traffic tracking based on timers
In other words, the firewall compares packets against pre-configured rules and
then checks the table to confirm that the packets are part of a valid, established
connection. If part of an established session, packets are processed rapidly
because the firewall can quickly determine that they belong to the existing, pre-
screened session.
The firewall inspection process relies on the three-way handshake of the TCP
protocol during session initiation. Packets containing the SYN bit are considered
requests for new sessions. If the packet is allowed, the firewall sends back a packet
containing both the SYN and ACK bit. When the endpoint sends back only the
ACK bit, the session is set and recorded in the table. All outgoing packets pass
through the firewall, but only incoming packets that are part of a valid session can
enter, which protects a network against attackers who try to start unsolicited
connections with internal devices.
Once a session ends, its entry in the state table is discarded. Sessions will also time
out if no traffic has passed for a certain period of time, which helps to clear the
state table. A common DoS attack, the SYN flood, occurs when large numbers of
SYN packets are sent to the server in order to overflow the state table, impeding
the server from accepting other connections. Therefore, if a connection does not
send periodic keepalive messages, the firewall times it out and clears it for
protection.
As with an application-level firewall, modern stateful-inspection firewalls are
aware of application-layer protocols, such as FTP and HTTP, and can perform
access-control functions based on these protocols’ specific needs. They use
application-level filters, called proxies, without a significant decrease in performance
because devices with modern CPU speeds can perform deep-packet
inspection in reasonable time. These proxies can read the data part of each packet
in order to make more intelligent decisions about the connection.
Stateful-inspection firewalls are transparent to users because they work faster than
other packet screening methods: they require less processing at higher levels and
make allow or deny decisions at lower layers of the OSI model.
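The state-table behaviour described in this section, as an added example (not ProCurve code): a toy firewall that opens an entry on a permitted outbound SYN, walks it through the SYN-ACK and ACK, admits inbound packets only when they match a tracked session, and times out idle or half-open entries. The trusted prefix, addresses, ports and timings are assumptions.

```python
"""Toy stateful-inspection firewall (added example, not ProCurve's code).

Models the dynamic state table described above: an outbound SYN that the
policy permits opens a pending entry, the returning SYN-ACK and the final
ACK move it to ESTABLISHED, and only inbound packets that belong to a
tracked session are admitted. Idle entries, including half-open ones left
behind by a SYN flood, are timed out. Addresses, ports and times below are
constructed sample values; the trusted prefix is an assumption.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."        # assumed trusted (inside) network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset             # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFirewall:
    def __init__(self, allowed_ports, idle_timeout=30.0):
        self.allowed_ports = set(allowed_ports)   # outbound dest ports the policy permits
        self.idle_timeout = idle_timeout
        # (inside_ip, inside_port, outside_ip, outside_port) -> [state, last_seen]
        self.table = {}

    @staticmethod
    def is_inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    def _key(self, pkt):
        """Canonical key so both directions of a session hit the same entry."""
        if self.is_inside(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def expire(self, now):
        """Drop entries idle longer than idle_timeout; return how many."""
        stale = [k for k, (_, last) in self.table.items()
                 if now - last > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def process(self, pkt, now):
        """Return 'ALLOW' or 'DENY' for a packet seen at time now (seconds)."""
        self.expire(now)
        key = self._key(pkt)
        outbound = self.is_inside(pkt.src)
        entry = self.table.get(key)
        f = pkt.flags

        if "SYN" in f and "ACK" not in f:
            # A bare SYN is a request for a new session: only the trusted side
            # may open one, and only to a port the policy allows.
            if outbound and pkt.dport in self.allowed_ports and entry is None:
                self.table[key] = ["SYN_SENT", now]
                return "ALLOW"
            return "DENY"

        if entry is None:
            return "DENY"                # not part of any tracked session

        state = entry[0]
        if "RST" in f:
            del self.table[key]          # an abort tears the entry down
            return "ALLOW"
        if state == "SYN_SENT" and not outbound and f >= {"SYN", "ACK"}:
            entry[:] = ["SYN_RECEIVED", now]
            return "ALLOW"
        if state == "SYN_RECEIVED" and outbound and "ACK" in f:
            entry[:] = ["ESTABLISHED", now]
            return "ALLOW"
        if state == "ESTABLISHED":
            if "FIN" in f:
                del self.table[key]      # simplification: first FIN closes
            else:
                entry[1] = now           # refresh the idle timer
            return "ALLOW"
        return "DENY"


def demo():
    """Walk one handshake, an unsolicited inbound SYN and a half-open timeout."""
    fw = StatefulFirewall(allowed_ports={80, 443}, idle_timeout=30.0)
    client, server = "10.0.0.5", "203.0.113.10"      # constructed addresses
    syn = Packet(client, 40000, server, 443, frozenset({"SYN"}))
    synack = Packet(server, 443, client, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet(client, 40000, server, 443, frozenset({"ACK"}))
    data_in = Packet(server, 443, client, 40000, frozenset({"ACK"}))
    stranger = Packet("198.51.100.7", 5555, client, 22, frozenset({"SYN"}))
    handshake = [fw.process(syn, 0.0), fw.process(synack, 0.1),
                 fw.process(ack, 0.2), fw.process(data_in, 1.0)]
    unsolicited = fw.process(stranger, 1.5)
    # A SYN that is never answered leaves a half-open entry ...
    fw.process(Packet(client, 40001, server, 80, frozenset({"SYN"})), 2.0)
    fw.process(data_in, 20.0)            # keeps the real session fresh
    expired = fw.expire(40.0)            # ... which the idle timer clears
    return {"handshake": handshake, "unsolicited": unsolicited,
            "expired": expired, "remaining": len(fw.table)}


if __name__ == "__main__":
    print(demo())
```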

Further Reading
For more information about firewalls, see the ProCurve Secure
WAN Router course.

Content Filtering

While firewalls are a necessary component of any security solution, they do not
protect against more sophisticated attacks that can circumvent their access control
and filtering methods. An endpoint protected by a firewall can still be infected by
one of the many threats that slip in via Web-based downloading and surfing—
attack-loaded ads, cookies, and malware included in downloadable programs,
email, or email attachments.
Content filtering is one of the most effective and accurate scanning and filtering
measures to prevent these attacks. Because viruses, worms, and other attacks often
spread through email, it is important to implement security measures that filter and
scan not only email content but also attachments, including Word documents,
PowerPoint presentations, and any other Windows applications or attachments.
Content filtering protects your network from attacks originating from:
• the Internet
• chat/instant messaging (IM)
• email
• attachments (including Word, PowerPoint, and other Windows applications)

Web-based Content Filtering

Because your company’s employees work so closely with the Internet, they can be
threats to your network: with or without realizing it, they can cause large amounts
of damage. An employee could visit a Web site, for example, to download an IM
client he needs to communicate with a business correspondent, or simply surf his
way through a workday. Without the employee’s knowledge, either of these
activities could enable a Trojan horse to enter your system and install itself so that
it will be ready for an attacker to use on demand.
A number of Web-based content filtering methods can help protect your system
against attacks:
• keyword filtering
• cookie filtering
• URL-based/IP address filtering
• port filtering
• active content filtering

Keyword Filtering
The most basic method of Web-based content filtering is keyword filtering. This
method scans for specific words in the text of a Web page as it is downloaded and
blocks the page if any of the listed words in its database are detected. Keyword
filtering is a less effective way of protecting your system because it cannot take
into account the context for specified character strings that make up the keywords,
and as a result, often blocks perfectly acceptable content. Attackers, on the other
hand, can slip through the filters by modifying words—for example, typing
“w0rd5” instead of “words.”
Because keyword filtering works by scanning only the text portion of Web sites, it
also cannot protect against virus- and worm-laden sites that contain nothing but
non-textual photographs. In addition, photographs themselves can pose security
risks. Hackers are developing ways to breach networks with shell code embedded
into seemingly innocent image files.

Cookie Filtering
Though cookies cannot deliver viruses to your system, it is possible that the Web
sites your company’s employees visit can collect their personal information and
pass it on to third parties through third-party cookies embedded in advertisements
in the Web sites. Cookie filters combat this threat by tracking all changes to your
cookie folder and informing you when you receive a cookie from a third party.
These filters can also transparently delete any cookies you receive that you add to
a cookie black list.

URL-based/IP Address Filtering
Often, questionable Web sites are loaded with viruses and other potential threats to
your network in addition to their questionable content. URL-based filtering blocks Web sites or specific
pages within a Web site. If certain pages on a Web site do not contain threats to
pages within a Web site. If certain pages on a Web site do not contain threats to
your system, you can accept those pages, while blocking the pages that may
contain harmful files or offers. For instance, you could allow employees to look at
an entertainment Web site that includes anything from sports to theater. But you
might block the site’s poker page because it contains not only questionable
material but possibly viruses as well, placed by attackers who assume people are
more willing to click on ads or offers on a poker page.
IP address filtering works in much the same manner as URL-based filtering, but
does not allow you to block only parts of a Web site: it shuts down the entire Web
site, blocking all traffic from specific IP addresses. If a number of different sites
are virtually hosted at a shared IP address, this method would either block all of
them or none. Since many ISPs host multiple Web sites on the same server, IP
address filters could incorrectly block every site on the hosted Web server, even
those without damaging content.

Port Filtering
Peer-to-peer (P2P) file transferring allows your employees to download and use
copyrighted material in a way that violates intellectual property laws or to share
files in a way that violates your company’s security policies—and it also opens the
floodgates to attacks. According to FaceTime Security Labs, in the first quarter of
2006, reported incidents of viruses and security threats via P2P applications, such
as MP3 and AVI file sharing and IM clients, increased by 723 percent over the
previous year. Because these applications open your network ports to shared files
and transform computers into pseudo-servers, they also open your network to
intrusions, data theft, DoS attacks, viruses, and worms. In order to combat these
threats and attacks, you can install security technologies that deny Internet access
to the centralized servers of public IM and P2P networks. Other technologies block
IM and P2P services by detecting the actual IM and P2P packets sent to unknown,
private, or proxy servers, thus preventing the application’s use.

Active Content Filtering
Web pages today do not just include passive content but also programs that
actually force your workstation to perform various actions. For example, you run
your mouse over a section of a screen and a Java or an ActiveX script opens a pop-
up window. Most Web designers simply use such script to make their Web pages
more eye-catching. However, attackers can easily exploit scripts to install viruses
and otherwise hijack your workstation. For this reason, many filters block all or
some Java and ActiveX script, increasing security (though disabling some features
on some Web sites).

Content Filtering: Incoming email

You can filter your incoming emails using the following techniques.

Virus Detection
The means for detecting viruses include:
• Antivirus software—The virus-scanning software installed on each endpoint
in your system can scan emails, searching for code snippets that identify
email as infected. Software can scan emails before they enter your inbox and
deny any malicious or seemingly suspicious emails before they damage your
system.
Your system can block any suspicious emails based on specific words or
phrases found in the message subject, message body, and any attachments.
Without this type of filtering, viruses such as the 2000 I Love You virus can
spread rapidly. This virus seemed harmless because its subject line read,
“ILOVEYOU,” but it contained a virus-infested attachment titled “Love-
Letter-For-You.txt.vbs” that destroyed millions of computer systems in a few
short hours.

This software can also check the addresses and message content of email from
known senders to verify that the email’s address and content have not
changed. This integrity checking can either discard emails that no longer match
the recorded address or content, or it can restore the email to its pre-
corrupted/infected state.
The software checks for virus-like behavior. For example, viruses commonly
relocate themselves and install themselves as trusted identities. If the
software does detect a virus in your email, it can intercept it and warn you
before the virus does damage.
• Antivirus gateway—Antivirus gateways offer additional protection: before
emails enter your network, routers direct them to your antivirus gateway.
There, the gateway scans emails for viruses, and if the emails are safe, it sends
them on to your network. If the email contains a virus, the gateway will send a
notice to the recipient indicating who sent the email (though some new viruses
fake the source) and what virus was embedded in the attachment. The gateway
also tells the recipient what it did to the virus and where to go for more
information on the virus and protections against it.

Spam Filtering
Email filters provide several types of spam filtering:
• White list/black list filters—You and your employees can create a list of
approved addresses from which the filter accepts messages. Because you place only
safe senders on your white list, attackers’ emails will not reach your
employees and tempt them to click on seemingly harmless links that in reality
contain viruses, worms, or other attacks such as phishing. For instance, your
employee could receive a legitimate-looking email from your IT staff
requesting him to update his login and password details. By clicking on the
links in the email, the employee is taken to an external Web site where he is
asked to enter details that are captured by a phishing script.
Any white-listed messages are delivered to the user’s inbox, but all others are
filtered into a low-priority folder, including mail from spoofers who slightly
change an address to pretend to be legitimate business associates. A white list
filter does place an extra burden on you and employees, though, and could
affect productivity because you are required to maintain an updated white
list. Also, some valid emails that are not on your white list might be sent to
the low-priority mailbox because the filter suspects a threat.
Alternatively, you can set up a black list against which incoming email is checked.
When an email reaches your filter, the identity of the sending machine is checked
against the identities on the black list. Emails from senders on this list are
dropped. Placing threatening email senders on a black list will once again
protect your employees and your company from Internet-borne attacks such as
phishing.

• Fingerprinting—Some filters “fingerprint” messages to detect matches with
known spam that contain harmful attachments and threat characteristics.
These fingerprints can identify viruses, worms, or other attacks in
attachments. Also, fingerprints can pick up on threatening characteristics,
such as malformed Multipurpose Internet Mail Extensions (MIME) headers,
HTML mail with embedded scripts, and unusual file formats. One
threatening file format is .rar, a spam email attachment that contains a virus.
Some technologies aggregate data from all spam they block, allowing the
process to become more intelligent over time. They also take into account
legitimate email to learn your company’s email patterns. Thus they can better
distinguish spam from important business correspondences and avoid false
positives (legitimate email mistaken for spam).
• Scoring—Technologies can also score messages based on thousands of
characteristics of harmful spam and of legitimate email. The technologies can
detect incorrect “from” headers and addresses in the email body, as well as
other typical spam practices. When a message’s score reaches a defined
threshold, it is flagged as spam, or dangerous spam, and is discarded.

Image Filtering
Using a filter, your system can analyze an image or video dataflow based on its
visual features (shape, color, texture). This dataflow is then translated into a digital
signature, or DNA, which is used to identify a number of visual categories that
must be monitored for security purposes. If an image DNA matches that of a virus,
the system either destroys the virus but keeps the email or blocks the email
entirely. If the system keeps the email, it sends the clean version and image to the
recipient.

Content Filtering: Outgoing email

As discussed previously, employees are often one of the greatest threats your
company faces. A 2006 Proofpoint survey of 294 decision-makers at large U.S.
companies found that more than 1 in 5 outgoing emails in their companies contain
content that poses a legal, financial, or regulatory risk. The most common form of
non-compliant content is messages that contain confidential or proprietary
business information. It is, therefore, imperative to protect your company’s
security with security policies and encryption that target outgoing email.

Email Security Policies

To protect your company from damaging information leaks, all outgoing mail
should be scanned for confidential corporate information. You should set email
security policies that allow technologies to act in real time to audit, quarantine, and
block any mail going to unauthorized recipients. You can re-route emails with
sensitive information to your email gateway where they will be encrypted before
they are released to authorized recipients.

Encryption
To secure messages between your employees and your business partners or other
trusted entities, you can establish a secure private email network. All email sent
between your mail server and the designated entity travels via TLS or SSL
encrypted tunnels. (For more information on these protocols, see Module 6—
Layer 3: Device Access Security.) All other, non-secured, emails travel through a
different network.
There are currently two protocols that enable email encryption:
• Secure MIME (S/MIME)—The more widely-known protocol,
S/MIME provides authentication, message integrity, non-repudiation of
origin, and data privacy using encryption for email.
• Pretty Good Privacy (PGP)—PGP is incompatible with S/MIME, but
it does encrypt emails using both public-key cryptography and
symmetric key cryptography. It also includes a system that binds the
public key to the user identity.

Further Reading
For more information on Web and content filtering, see
http://www.wikipedia.org/wiki/Content_control_software. You
can research some particular solutions at
http://www.cerberian.com/resources_technology.html and
http://www.cyberoam.com/whitepapers.html.
For more information on malicious code stored in images, see
“Lethal Shell Game” (http://www.darkreading.com, search for the
article title).

Summary

In this module, you learned about:


• various types of authentication credentials
• authentication protocols by which users prove that they have rights to
network services
• AAA protocols such as RADIUS and TACACS
• authentication methods, particularly 802.1X, and how they regulate the roles
of supplicant, authenticator, and authentication server
• directories, which organize network components and control users’ access to
these components
• methods of access control including VLANs, ACLs, and firewalls
• filtering processes that track activities in your network to block threats and
attacks
The next module will introduce you to some specific technologies that are used to
keep data secure as it traverses the network or is stored in network devices.

Layer 2: Data Integrity and Privacy
Module 5

Objectives
Networks are designed to allow users to create and access the information they
need. The challenge of data security is balancing the need to make data available
with the need to protect it. We’ve already discussed ways to make sure that only
permitted users can access the data. In this module, we discuss technologies used
to protect the data itself, both as it is stored and as it is moved through a network.
After reading this module, you should be able to:
• Explain how encryption secures data
• Describe encryption key management technologies
• Identify hash functions and how they are used to secure data
• Explain how digital certificates are created and used to ensure data security
• Describe virtual private networks (VPNs) and how they are used to ensure
data security
• Identify IPv6 security standards that improve the security of forwarded data
• Describe wireless encryption standards
• Discuss how the 802.1AE standard (MACsec) can protect Layer 2 networks
• Explain how change auditing and honeypots can be used to protect stored data

Data Integrity

After you have secured access to your network, you need to employ measures to
protect your data. Your data should remain uncompromised while stored within
your network and as it is forwarded between networks, particularly across the
Internet. Data crossing networks is forwarded through many devices, any of which
can be compromised by an attacker. And even the most protected network will still
be subject to intrusions that place your stored data at risk.
In a corporate environment, a burglar may seek to attack a business by discovering
and altering sensitive company paperwork. For example, a mortgage company
may be transferring to a new office building across town. To protect the mortgage
documents while stored on site, the papers are usually kept in a locked filing
cabinet in a locked room. During the move, however, to prevent the identity theft
problems that could be caused by the loss of these papers, the company may hire
an armored truck to transport them. The mortgage papers would be put into
envelopes, placed in a locked suitcase inside a locked truck, and sent to their
destination. Then, in the unlikely event that attackers are able to capture the truck,
they would be unable to access and alter the contracts unless they had the keys to
open the truck and the lock combination to open the suitcase within.

Encryption works in a similar manner. The data to be protected is scrambled with
an encryption key according to a particular process; it is then encased in several
protocol layers. Even if an attacker were able to intercept and view the encrypted
data, he or she would be unable to make sense of it without the encryption key.

Encryption Techniques

In this section of the module, we will introduce you to the basics of encryption.
You will learn the elements involved in secure encryption and how these elements
are used to ensure data privacy. You will be introduced to the XOR function: a
logical function that can work as a simple two-way encryption algorithm. This
section will also provide examples of simple encryption and decryption. And
finally, we will discuss hash functions, often enlisted to ensure data integrity.

Encryption Algorithms

Encryption is the art of altering data so that it is recoverable only by the intended
recipient. Therefore, encryption must make the data change complex enough to
prevent unintended access, but not so complex that the recipient cannot reliably
and quickly recover the data.
Most encryption uses a mathematical formula to combine data with strings of
characters. The string of characters is called an encryption key, and the
mathematical formula is called an encryption algorithm. If the recipient knows the
right key, the data can be recovered using the correct algorithm.
When in school, you may have written secret messages that you wanted to pass to
a friend. To prevent intervening note-handlers from reading it, you might have
written it using a code that only you and the friend knew. In the example above, a
basic encryption algorithm “Shift +3” is used to encrypt a message. This algorithm
shifts alphabet letters by three so that A becomes D, B becomes E, and so on. In
this example, the unencrypted (or plaintext) message is “Let’s go to the movies,”
and the encrypted (or ciphertext) message becomes “Ohw’v jr wr wkh prylhv,”
using the Shift +3 algorithm.
This is a very simple example. Encryption algorithms are usually complex
mathematical formulas that allow the data to be recovered easily only if one or
more secret variables are known by both parties. Without knowing the secret
variable, the recipient will find it extremely difficult to decrypt the data.

Exclusive Or

One of the most basic encryption functions is called the “exclusive or” (XOR)
function. A basic XOR operation is a simple way to encrypt a data string using a
key. Most standard encryption algorithms, including Rivest Cipher 4 (RC4),
Advanced Encryption Standard (AES), and Blowfish, involve the XOR function.
This function combines two binary strings, usually data and an encryption key, to
yield an encrypted result. The XOR function is performed bit by bit: the first bits
in each string are XORed together to produce the first bit of the encrypted string,
then the second bits to produce the second bit of the encrypted string, and so on.
The XOR function works by comparing the two bits in question. “Exclusive or”
simply means that one bit of the two can be a particular value, but not both. So if
both bits in the two strings are the same, the result is 0. If the two bits are different,
the result is 1. In the example above, the first bit of both the data string and the key
string is 1. When we XOR them, the result is 0. The second bits in the data string
and the key string are different; the XOR result is 1.

The beauty of the XOR function is that it is symmetric; that is, the same function
can be used to both encrypt and decrypt the data. For example, the 12-digit binary
string 101110001010 and the encryption key 111000101011 are XORed together
to yield 010110100001. If you XOR the result (010110100001) with the
encryption key (111000101011), you recover the original string (101110001010).
Most encryption algorithms are not symmetric—two separate sets of instructions
are used to encrypt and decrypt the data. The next example is a simple encryption
algorithm that specifies separate instructions for encrypting and decrypting
the data.

Encryption

This example features a plaintext message, an encryption key, and a simple
algorithm for encrypting the message:
1. The algorithm states that the key and the plaintext message should each be
converted to a string of two-digit numbers. To do this, each character is
converted to the number corresponding to the letter’s place in the
alphabet. Thus, the letter “l” is converted to 12, the letter “e” is converted
to 05, and so on.
2. After the data and the key have both been converted to two-digit numbers,
each number in the data is added to the corresponding number in the key.
So 12 (representing the letter “l” in the data) is added to 19 (representing the
letter “s” from the key) to yield 31, 05 (from the data) is added to 05 (from
the key) to yield 10, and so on.
3. The resulting string of two-digit numbers is next converted back into
alphabetic characters. However, the English alphabet includes only 26 letters,
and the resulting string includes values over this number. To address this
discrepancy, at 27 the algorithm begins again with the first letter of the
alphabet: 27 is A, 28 is B, and so on. Capital letters distinguish values
above 26.
4. The resulting string of characters is the encrypted message or ciphertext.

Decryption

Given the ciphertext and the encryption key, we can use the corresponding
decryption algorithm to recover the message:
1. First, the characters in both the ciphertext and the encryption key are
converted into two-digit numbers according to their place in the alphabet
(capital letters having 26 added to their value). For example, the letter E has a
value of 05, but because the character is capitalized, we add 26, giving a total
value of 31.
2. Then, the value of each two-digit number in the encryption key is subtracted
from the value of each number in the ciphertext.
3. The resulting values each correspond to a letter in the alphabet. The original
data is recovered by converting the numbers into alphabetic characters.
You can see from this example that even if someone were to intercept the
encrypted message and figure out the encryption algorithm, it would still be very
difficult for the eavesdropper to recover the message without the encryption key.
In data encryption, the encrypted text is protected by the algorithm and the key.
However, the algorithm used to encrypt a particular bit of data is often openly
declared in the packet header. Therefore, it is very important to closely guard the
encryption keys.
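The letter-addition cipher from the Encryption and Decryption steps above, as an added example (not the course's own code). It assumes lowercase-only plaintext and key, repeats a key shorter than the message, and uses a constructed sample key.

```python
"""The letter-addition cipher from the Encryption and Decryption steps above
(added example, not the course's own code).

Letters map to 01..26, each key value is added to the matching plaintext
value, and results of 27..52 are written as capitals (27 = A, 28 = B, ...).
Decryption reverses this: capitals count as their value plus 26, the key
value is subtracted, and the result is turned back into a lowercase letter.
Assumptions: plaintext and key contain lowercase letters only, and a key
shorter than the message is repeated; the sample key is constructed.
"""
import itertools


def letter_value(ch):
    """'a'..'z' -> 1..26; capitals carry an extra 26, as in the decryption step."""
    if "a" <= ch <= "z":
        return ord(ch) - ord("a") + 1
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 1 + 26
    raise ValueError(f"unsupported character {ch!r}")


def value_letter(v):
    """1..26 -> 'a'..'z'; 27..52 wrap around to 'A'..'Z'."""
    if 1 <= v <= 26:
        return chr(ord("a") + v - 1)
    if 27 <= v <= 52:
        return chr(ord("A") + v - 27)
    raise ValueError(f"value {v} has no letter")


def encrypt(plaintext, key):
    """Encryption steps 2 and 3: add the key values, then convert back to letters."""
    pairs = zip(plaintext, itertools.cycle(key))
    return "".join(value_letter(letter_value(p) + letter_value(k)) for p, k in pairs)


def decrypt(ciphertext, key):
    """Decryption steps 2 and 3: subtract the key values, then convert to letters."""
    pairs = zip(ciphertext, itertools.cycle(key))
    return "".join(value_letter(letter_value(c) - letter_value(k)) for c, k in pairs)


if __name__ == "__main__":
    # The course's worked values: 'l' (12) + 's' (19) = 31 -> 'E'; 'e' (05) + 'e' (05) = 10 -> 'j'.
    ct = encrypt("letsgotothemovies", "secret")   # "secret" is a constructed key
    print(ct, decrypt(ct, "secret"))
```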

Algorithms

There are two types of encryption algorithms: block ciphers and stream ciphers.
Block ciphers encrypt chunks of data, while stream ciphers encrypt bit by bit.
Block ciphers separate data into chunks, typically 128-bit chunks in contemporary
algorithms. Next, the algorithm encrypts each block and sequences the encrypted
blocks in the packet. The same mathematical algorithm is used on each block, but
the most secure block ciphers use a separate encryption key for each block. Block
ciphers often use a large amount of processing power, but are relatively secure.
Stream ciphers encrypt each bit as it comes, using a slightly different
encryption key for each packet. Stream ciphers require less processing power
and time than block ciphers, but are inherently insecure if an encryption key is
ever used more than once.
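An added example (not the course's own code) covering both the XOR section, using its 12-bit data and key, and the key-reuse warning above: with the same keystream on two messages the key cancels out of the XOR of the two ciphertexts, with a fresh keystream per message it does not. The plaintexts and keystream bytes are constructed.

```python
"""XOR symmetry and the one-time-key rule for stream ciphers (added example,
not the course's own code).

Reuses the 12-bit data and key from the XOR section, then shows why a
stream-cipher keystream must never be used twice: XORing two ciphertexts
produced with the same keystream cancels the key, leaving plaintext1 XOR
plaintext2, which the key no longer protects. The plaintexts and keystreams
are constructed sample values.
"""

DATA = "101110001010"      # 12-bit data string from the course text
KEY = "111000101011"       # 12-bit key from the course text


def xor_bits(a, b):
    """Bit-by-bit XOR of two equal-length binary strings: 1 where they differ."""
    if len(a) != len(b):
        raise ValueError("strings must be the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def roundtrip(data=DATA, key=KEY):
    """Encrypt, then decrypt with the very same XOR operation and key."""
    ciphertext = xor_bits(data, key)
    return ciphertext, xor_bits(ciphertext, key)


def xor_bytes(data, keystream):
    """Stream-cipher style: XOR each byte of data with the next keystream byte."""
    if len(keystream) < len(data):
        raise ValueError("keystream shorter than data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def key_cancels_on_reuse(p1, p2, keystream):
    """True when c1 XOR c2 == p1 XOR p2, i.e. the shared keystream drops out."""
    c1 = xor_bytes(p1, keystream)
    c2 = xor_bytes(p2, keystream)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def key_cancels_with_fresh_keys(p1, p2, keystream1, keystream2):
    """Same check when each message gets its own keystream: the key stays in."""
    c1 = xor_bytes(p1, keystream1)
    c2 = xor_bytes(p2, keystream2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed keystreams; a real stream cipher derives them from a key that
# is unique per packet, as the Algorithms section requires.
KEYSTREAM_A = bytes([0x5B, 0xA1, 0x3C, 0x77, 0x0E, 0xD2, 0x49, 0x8F,
                     0x16, 0xC3, 0x6A, 0x25, 0xF0, 0x91, 0x4D, 0xB8])
KEYSTREAM_B = bytes([0x93, 0x2E, 0xC7, 0x18, 0x6F, 0x04, 0xBA, 0x51,
                     0xE2, 0x7D, 0x39, 0xAC, 0x0B, 0x66, 0xD5, 0x1F])

if __name__ == "__main__":
    print(roundtrip())                                   # ('010110100001', '101110001010')
    m1, m2 = b"meeting at noon", b"budget approved"      # constructed messages
    print(key_cancels_on_reuse(m1, m2, KEYSTREAM_A))               # True
    print(key_cancels_with_fresh_keys(m1, m2, KEYSTREAM_A, KEYSTREAM_B))   # False
```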

Further Reading
For more information on stream ciphers, see
http://en.wikipedia.org/wiki/Stream_cipher.
For more information on block ciphers, see
http://en.wikipedia.org/wiki/Block_cipher.

Hash Functions

A hash function is an encryption algorithm that gives a fixed-length result
regardless of the input length. Hash functions, for the most part, also give a unique
result for each input. This means that two similar data strings will give
dramatically different results, and no two data strings will give the same result.
Many hash functions are used for one-way encryption: the original data is
encrypted so that it can never be recovered from the resulting hash.
Be careful that you do not confuse hash functions, such as the Cyclic Redundancy
Check 32 (CRC-32) checksum and Message Digest 5 (MD5), with encryption
algorithms such as RC4 and AES. Hash functions are not used for data encryption.
Instead, hash functions are used for message authentication. A hash of a file or
message is called a message digest, and message digests serve as digital
fingerprints of the original file. Because hashes give a unique result for each input,
if the message digest of two files is the same, the data in each file must be the
same. Endpoints check the message digest to determine whether a particular block
of data has been altered in transit.

Keyed-hash Message Authentication Code (HMAC)

For a more secure message digest, you can use the HMAC algorithm with the hash
function. HMAC works by combining the data with an encryption key and running
the results through a hash function such as Secure Hash Algorithm 1 (SHA-1) or
MD5. HMAC creates an authenticated message digest: to create or verify an
HMAC message digest, the endpoint must have both the correct data and the
encryption key.
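The message-digest and HMAC ideas from the two sections above, as an added example (not the course's own code): a digest as a fingerprint, and HMAC assembled by hand from the RFC 2104 construction and cross-checked against Python's hmac module. The key and messages are constructed.

```python
"""Hash fingerprints and HMAC built by hand per RFC 2104 (added example, not
the course's own code).

Shows that changing one character gives an unrelated MD5 digest, and that an
HMAC-SHA-1 tag can only be produced or verified by a party holding the key.
The hand-written HMAC is checked against Python's hmac module. Key and
messages are constructed sample values.
"""
import hashlib
import hmac


def md5_fingerprint(data):
    """Message digest used as a fingerprint of the data (not encryption)."""
    return hashlib.md5(data).hexdigest()


def hmac_rfc2104(key, msg, hashfunc=hashlib.sha1):
    """HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)), per RFC 2104."""
    block_size = hashfunc().block_size      # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        key = hashfunc(key).digest()        # keys longer than a block are hashed
    key = key.ljust(block_size, b"\x00")    # then zero-padded to a full block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashfunc(ipad + msg).digest()
    return hashfunc(opad + inner).digest()


def verify_tag(key, msg, tag, hashfunc=hashlib.sha1):
    """Recompute the tag with the key and compare in constant time."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, hashfunc), tag)


def matches_stdlib(key, msg, name="sha1"):
    """Cross-check the hand-written HMAC against hmac.new for the named hash."""
    hashfunc = getattr(hashlib, name)
    expected = hmac.new(key, msg, hashfunc).digest()
    return hmac_rfc2104(key, msg, hashfunc) == expected


if __name__ == "__main__":
    key = b"key"                                              # constructed key
    msg = b"The quick brown fox jumps over the lazy dog"
    tag = hmac_rfc2104(key, msg)
    print(tag.hex())                               # de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
    print(verify_tag(key, msg, tag), verify_tag(b"wrong", msg, tag))   # True False
    print(md5_fingerprint(b"transfer 100"), md5_fingerprint(b"transfer 900"))
```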

Further Reading
For more information on hash functions, see
http://en.wikipedia.org/wiki/Hash_function.
For information on HMAC, see request for comment (RFC) 2104 at
http://www.rfc-archive.org/getrfc.php?rfc=2104, or see
http://en.wikipedia.org/wiki/HMAC.

Algorithm Security

To protect your network, you should ensure that you stay current on the status of
the encryption algorithms that you are using. Most network encryption
applications rely on one of several standardized encryption algorithms. Public
encryption algorithms are constantly being tested by the cryptographic community
against many types of attacks.
If it can be shown that an encryption key can be recovered from ciphertext, the
algorithm used to protect the ciphertext is said to be broken. Brute force attacks
represent the most difficult and time-consuming method to break an encryption
algorithm: most algorithms require decades of computer-aided analysis to recover
a single encryption key. The object of cryptanalysis, then, is to find a more elegant
method than a brute force attack to recover the encryption key. The ease of an
attack method is measured by the number of mathematical operations it takes to
recover that encryption key. When a brute force attack is not practical, a successful
break uses fewer operations than the number of operations it takes to
systematically try every encryption key.


Broken algorithms include:


„ DES—Created in the 1970s, Data Encryption Standard (DES) was officially
broken in 1997 using a brute force attack made possible by advances in
computer processor speeds.
„ RC4 as used in Wired Equivalent Privacy (WEP)—RC4 is a stream cipher
that is the basis for Secure Sockets Layer (SSL), among other protocols. As
implemented in WEP, a deprecated protocol for wireless security, RC4 has
been broken: WEP allows multiple frames to be encrypted by the same key, a
security risk for stream ciphers.
„ Tiny Encryption Standard (TEA)—TEA uses a small key, allowing a brute
force attack. TEA was used as a hash function to protect code on Microsoft’s
Xbox console. However, the key length weaknesses allowed attackers to hack
the device.
Just because an algorithm is broken does not mean that it is insecure. Many of
today’s standardized algorithms have been broken to an extent, but the amount of
processing power and time it takes to overcome a particular algorithm is usually
very prohibitive. In many cases, the method used to break the algorithm is only
negligibly more efficient than a brute force attack. However, knowing the status of
your algorithms will help you to understand the likelihood that your encrypted data
will be at risk.

Further Reading
For more information on cryptanalysis, see
http://en.wikipedia.org/wiki/Category:Cryptographic_attacks, and
http://www.ssh.com/support/cryptography/.
A CPU cache can be used to attack encryption algorithms that use a
lookup table, such as AES. However, these attacks can only take
place if an attacker has full access to the device. For more
information about CPU cache timing attacks on AES, see “Cache
Attacks and Countermeasures: The Case of AES” by Osvik, Shamir,
and Tromer at
http://www.wisdom.weizmann.ac.il/~tromer/papers/cache.pdf, and
see “Cache Collision Timing Attacks against AES” by Bonneau and
Mironov at http://www.stanford.edu/~jbonneau/AES_timing.pdf.


Key Management

The inherent weakness in data encryption is that the ciphertext is only as secure as
the key protecting it. If a key is leaked, all data encrypted with that key becomes
vulnerable.
Rather than simply picking an arbitrary value for the encryption key, network
devices can calculate a key that is unique to the communicating devices. And
instead of sending the encryption key across a connection (and thus compromising
it), both communicating parties can agree on a secure encryption key based on a
shared secret, as well as a combination of device attributes, such as MAC
addresses, and random numbers that are used only once. The securely generated
keys can then be used to hash, encrypt, and decrypt the data.
There are two types of encryption key schemes: symmetric and asymmetric. The
symmetric key scheme requires both the sender and the recipient to have the
same encryption key. The asymmetric key scheme uses two encryption keys: a
publicly known key that is used to encrypt the data and a private key that is used
to decrypt the data.
This section of the module will introduce you to some of the technologies used to
generate and manage each type of encryption keys.


Symmetric Key Scheme

The symmetric key scheme uses the same key to both encrypt and decrypt a
packet. It is typically faster and easier to use than the asymmetric key scheme.
However, because only one key is used, using a symmetric key can be less secure:
the lone key must be kept secret.

How the Symmetric Key Scheme Works


When Alice and Bob want to communicate securely using a symmetric key
scheme, the following steps occur:
1. Alice and Bob agree on the same algorithm.
2. Alice and Bob agree on a common, or secret, key to use with their selected
algorithm.
3. Alice encrypts a message with the secret key and sends the message to Bob.
4. Bob receives the message and decrypts the message using the same secret
key. Bob reads the message.
The symmetric key scheme works based on the secrecy of the lone key. If any part
of the key is compromised, all data encrypted with this key is at risk. A more
secure option is to use the asymmetric key scheme.


Asymmetric Key Scheme

The asymmetric key scheme allows you to use different keys to encrypt and
decrypt your data: a public key and a private key. The sender uses the recipient’s
public key to encrypt the data and the recipient uses his or her private key to
decrypt it. Each user must have his or her own public/private key pair.

How the Asymmetric Key Scheme Works


When Alice and Bob want to communicate securely using the asymmetric key
scheme, the following steps occur:
1. Alice and Bob create individual public/private key pairs.
2. Alice and Bob exchange only their public keys.
3. Alice encrypts a message using Bob’s public key.
4. Bob receives the message and decrypts it using his private key. He reads the
message.
5. When Bob replies to the message, he encrypts his reply using Alice’s
public key.
6. Alice receives her message and decrypts it using her private key. Alice reads
the reply message.


Asymmetric encryption works because public and private key pairs are
complementary. That is, the public key is mathematically related to the private
key. However, the keys are related in such a way as to make it extremely difficult
to derive the private key from the public key.


Key Distribution Centers (KDCs)

[Slide figure: Alice and Bob each connect to the KDC. Alice sends the KDC a
request for a shared secret with Bob; the KDC sends Alice the shared secret
encrypted with A, and sends Bob the same shared secret encrypted with B.]

A = Alice’s KDC encryption key
B = Bob’s KDC encryption key

The challenge with encryption is finding ways to create and exchange encryption
keys or shared secrets in a safe manner. This can be done by receiving keys from a
trusted third party, such as a key distribution center (KDC), or by using a key
exchange algorithm to establish keys. A KDC is used to create and distribute a
shared secret to endpoints from which these endpoints calculate a key to be used in
a symmetric key scheme.
In the example above, Alice wants to communicate securely with Bob, but Alice
and Bob do not have a shared secret. However, Alice and Bob each have a
symmetric encryption key that they share with the KDC server.
How KDC Shared Secret Assignments Work
When Alice and Bob request a shared secret from the KDC, the following steps occur:
1. Alice sends a request to the KDC for a shared secret to communicate with Bob.
2. The KDC calculates a shared secret for the two and sends Alice the shared
secret encrypted with Alice’s KDC symmetric encryption key.
3. The KDC then sends Bob the same shared secret encrypted with Bob’s
KDC symmetric encryption key.
4. Alice and Bob then use the shared secret to create a symmetric
encryption key.


Diffie-Hellman Exchange

The Diffie-Hellman exchange allows parties to calculate a shared key by using an
asymmetric algorithm. Both parties first choose a prime number and a base
number. Each party then chooses another number at random. Only the initial prime
number and base number are transmitted. All other transmissions are the
algorithmic results. Using the Diffie-Hellman algorithm and the exchanged values,
each party calculates the same shared key. The algorithm is extremely difficult to
solve without knowledge of the randomly chosen numbers; the amount of time it
would take is more than several lifetimes.

How the Diffie-Hellman Exchange Works


When Alice and Bob want to generate a secure shared secret, the following
steps occur:
1. Alice and Bob each generate a random number. Alice’s random number (A)
and Bob’s random number (B) are never transmitted.
2. Alice and Bob then agree on the prime number and the base number that will
be used to calculate the shared secret. These numbers, P and Q, are public
values: they are openly transmitted between the Diffie-Hellman peers.


3. P, Q, and each random number are put into a mathematical formula. The
result is sent to the other party. In this example, Alice puts P, Q, and A into
the formula and sends the result, €, to Bob. Bob puts P, Q, and B into the
formula and sends the result, Δ, to Alice.
4. The result of putting €, P, and A in the formula is the same as the result of
putting Δ, P, and B in the formula. Knowing this, Alice and Bob can solve
for the shared secret, œ.
Using the shared secret, Alice and Bob can then create symmetric encryption keys.
The Diffie-Hellman exchange does not require the peers to ever transmit any
information that could be used to easily guess or calculate the shared secret.
However, the exchange can be vulnerable to a man-in-the-middle (MITM) attack.
For example:
1. An attacker, Mallory, creates her own random number and puts it into the
mathematical formula to come up with the result, ˆ.
2. Mallory intercepts € from Alice and substitutes ˆ before sending the packet
to Bob. Bob then uses Mallory’s ˆ and his Δ to calculate a shared secret.
3. Mallory also intercepts Δ from Bob and substitutes ˆ before sending the
packet to Alice. Alice then uses her € and Mallory’s ˆ to calculate a shared
secret.
4. Mallory calculates two shared secrets, one with Alice and one with Bob.
These shared secrets are used to create symmetric encryption keys.
To protect against MITM attacks, the Diffie-Hellman exchange can be secured
through authentication and asymmetric keys, such as in a public key infrastructure
(PKI) system, which we’ll learn about in a moment. However, on their own,
asymmetric key schemes are still vulnerable to MITM attacks.
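To make steps 1 through 4 concrete, here is an added Python example (not from the course) that carries the exchange through with the course's own symbols: P and Q are the public prime and base, A and B the private random numbers, € and Δ the transmitted values, and œ the shared secret. The group parameters are a constructed toy (a 31-bit prime); real implementations use standardized groups of 2048 bits or more. The second function shows the outcome the MITM description above predicts: Mallory ends up holding one secret with Alice and another with Bob, while Alice and Bob no longer agree, which is why the exchange must be authenticated before the secret is trusted.

```python
import secrets

# Constructed toy group: P must be prime and Q a base in the group.
# Real deployments use standardized groups with primes of 2048 bits or more.
P = 2_147_483_647   # 2**31 - 1, prime, public
Q = 5               # base, public


def random_private(p: int = P) -> int:
    """Step 1: a private random number (A or B), never transmitted."""
    return secrets.randbelow(p - 2) + 1


def public_value(private: int, p: int = P, q: int = Q) -> int:
    """Step 3: Q**private mod P; this is the value (€ or Δ) sent to the peer."""
    return pow(q, private, p)


def shared_secret(peer_public: int, private: int, p: int = P) -> int:
    """Step 4: peer_public**private mod P; both sides obtain Q**(A*B) mod P, the secret œ."""
    return pow(peer_public, private, p)


def honest_exchange(a: int, b: int):
    """Alice (A = a) and Bob (B = b) swap € and Δ; returns (Alice's œ, Bob's œ)."""
    e = public_value(a)      # € from Alice
    d = public_value(b)      # Δ from Bob
    return shared_secret(d, a), shared_secret(e, b)


def exchange_with_mitm(a: int, b: int, m: int):
    """Mallory (random number m) substitutes her own value ˆ in both directions.

    Returns (Alice's secret, Bob's secret,
             Mallory's secret shared with Alice, Mallory's secret shared with Bob).
    Alice and Bob each believe they share a secret with the other; in fact each
    shares one with Mallory, and the two secrets differ.
    """
    e, d, h = public_value(a), public_value(b), public_value(m)
    return (shared_secret(h, a), shared_secret(h, b),
            shared_secret(e, m), shared_secret(d, m))
```

Nothing on the wire (P, Q, €, Δ) reveals A, B, or œ, yet nothing on the wire proves who sent € or Δ either; that second property is what IKE adds with a pre-shared key or certificates.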

Further Reading
For more information on the Diffie-Hellman exchange, see
http://en.wikipedia.org/wiki/Diffie-Hellman and
http://www.rsasecurity.com/rsalabs/node.asp?id=2248.


Public Key Authentication

When you use an asymmetric key scheme, you trust your data to the peer’s public
key. If a public key has been compromised, anyone holding an associated private
key would be able to decrypt your data. For example, an attacker could create a
public/private key pair and falsely attribute the public key to the peer to which
you’re sending data. Any data that you send using this key is completely open to
the attacker, who holds the private key.
To provide peer authentication and prevent MITM attacks when using the Diffie-
Hellman exchange or other asymmetric key scheme, endpoints can use the PKI
system. PKI is a system that allows a trusted third party to vouch for an endpoint’s
identity by verifying credentials and issuing digital certificates. In this section of
the module, we will discuss digital certificates and how they secure public keys in
an asymmetric key scheme.


Digital Certificates

Digital certificates are data files that prove a particular public encryption key
belongs to the certificate holder. Digital certificate file formats are standardized in
the IETF X.509 standard, and the protocols that support X.509 certificates include
SSL-Transport Layer Security (SSL-TLS), Secure/Multipurpose Internet Mail
Extensions (S/MIME), IP Security (IPsec), Secure Shell (SSH), HTTP over SSL
(HTTPS), Lightweight Directory Access Protocol version 3 (LDAPv3), and
Extensible Authentication Protocol (EAP).
Digital certificates are composed of several parts:
„ Public key—This is the public encryption key held by the certificate owner.
„ X.509 version number—This field identifies which X.509 format this
certificate uses. All PKI certificates are version 3.
„ Certificate serial number—Certificate issuers keep a record of the
certificates they generate. To track these certificates, each certificate is given
a serial number that is unique to the issuer.
„ Issuer information—This information identifies the certificate issuing
authority in distinguished name format.
„ Validity—This is the range of dates between which this certificate is valid.


„ Subject—This information, in distinguished name format, identifies the
entity that holds this certificate.
„ Signature algorithm—The signature algorithm is the hash function and
encryption algorithm used to create the signature.
„ Signature value—The signature value is the certificate signature, in HEX.
The certificate is signed by a Certificate Authority (CA). This CA acts as the
trusted third party that verifies the information in the certificate is correct.
Copies of the certificate can be sent to endpoints that wish to ensure the certificate
holder’s public key has not been compromised.

Further Reading
For more information on PKI and X.509 digital certificates, see RFC
2459 at http://www.rfc-archive.org/getrfc.php?rfc=2459.


Certificate Authorities (CAs)

Certificate Authorities create, sign, distribute, and revoke digital certificates. CAs,
such as VeriSign, Thawte, and Entrust, must be trusted by both parties: the
certificate is trustworthy only as long as both parties have faith in the CA’s
credibility.
To protect its credibility, CAs maintain the right to revoke or place a hold on the
certificates they issue. Held and revoked certificate serial numbers are published
online in a certificate revocation list (CRL).
A hold is a reversible status. A certificate may be put on hold if the user has
lost the private key and is uncertain whether it has been compromised. If the
private key is found and remains secure, the hold can be reversed and the
certificate’s serial number removed from the CRL. A certificate revocation,
however, is non-reversible.
Certificates may be held or revoked because:
„ a private key is suspected of being compromised
„ the user is not the sole possessor of the private key
„ the certificate holder fails to adhere to CA policy requirements—Certificate
holders must not do anything that brings the credibility of the certificate or
the CA into question.


The CA’s reputation is based on whether the public key in the certificate belongs
to the certificate holder. This reputation is put on the line with every certificate the
CA signs. Therefore, when the CA receives a request to create a certificate, it
verifies the applicant’s identity. For example, when an applicant applies for an
SSL certificate, the CA requires the applicant to prove the existence of the
business, the ownership of the domain name, and employment status. This
information is then verified using two-factor authentication.
After verifying and authenticating the applicant, the CA digitally signs the
certificate. As described on the next slide, digital signatures are generated in a way
that allows an authenticating party to verify the legitimacy of the certificate.


Digital Signatures

The CA digitally signs a certificate by:


1. hashing the certificate contents to create a message digest
2. encrypting the message digest using the CA’s private key
3. appending the resulting signature to the certificate
The CA’s asymmetric key scheme runs somewhat opposite from the endpoint
asymmetric key scheme. When an endpoint wants to send traffic, the packets are
encrypted using the recipient’s public key and decrypted using the endpoint’s
private key. The CA, however, uses its own private key to encrypt the signature
data, and the data is decrypted during the certificate validation process using the
CA’s public key. Private keys, rather than public keys, encrypt signatures because
the goal of the encryption is to verify the signer’s identity, not to protect the data.
Only the CA knows the CA private key, so only the CA can produce the signature
verifying the certificate’s validity. Of course, if the CA’s private key were ever
compromised, every certificate issued by the CA would become invalid.
The entire signed certificate file is given to the applicant. A signed certificate has
the elements needed for other endpoints to verify that the certificate was indeed
signed by a legitimate CA and that the contents of the certificate are valid.


Certificate Validation

There are three steps to validating a certificate: verifying the signature, verifying
the validity date, and verifying the revocation status.
1. Verify the signature—Certificate signatures are validated using a second
certificate. This certificate, called a root or validation certificate, is a self-
signed certificate verifying the CA’s public key belongs to the CA. The
public key from the root certificate is used to decrypt the certificate signature,
which yields the certificate hash. If the certificate hash in the signature
matches a hash of the entire certificate, the certificate is considered valid.
Validation (root) certificates from well-known CAs such as Thawte and
VeriSign are included in most Web browsers.
2. Verify the validity date—Make sure that the current date falls within the
validity period specified on the certificate.
3. Verify revocation status—Ensure that the certificate serial number is not on
the issuing CA’s CRL.
If all three criteria are met, the certificate is considered valid.
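The following added Python example (not part of the course, and not how any real CA's software works) ties the three signing steps on the previous slide to the three validation checks above. It uses a toy textbook-RSA CA key, a self-signed root certificate, an end-entity certificate for a hypothetical gateway vpn.example.test, and a constructed CRL. The RSA primes are tiny and the digest is reduced modulo n, which real signature schemes such as PKCS#1 never do; certificate fields are a dictionary rather than ASN.1/DER, and dates are ISO strings compared as text.

```python
import hashlib
import json

# Constructed toy CA key from two small primes. Real CA keys are 2048 bits or longer.
CA_P, CA_Q = 1_000_000_007, 998_244_353
CA_N = CA_P * CA_Q
CA_E = 65537
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))   # private exponent, known only to the CA


def digest_of(fields: dict, n: int) -> int:
    """Step 1: hash the to-be-signed fields (canonical JSON) into an integer below n."""
    tbs = json.dumps(fields, sort_keys=True).encode()
    return int(hashlib.sha256(tbs).hexdigest(), 16) % n


def ca_sign(fields: dict) -> int:
    """Step 2: 'encrypt' the digest with the CA private key (textbook RSA)."""
    return pow(digest_of(fields, CA_N), CA_D, CA_N)


def verify_signature(fields: dict, signature: int, issuer_public: list) -> bool:
    """Decrypt the signature with the issuer's public key and compare with a fresh hash."""
    n, e = issuer_public
    return pow(signature, e, n) == digest_of(fields, n)


def issue(fields: dict) -> dict:
    """Step 3: append the signature to the certificate."""
    return {**fields, "signature": ca_sign(fields)}


# Self-signed root (validation) certificate: subject and issuer are the CA itself.
ROOT_CERT = issue({
    "version": 3, "serial": 1,
    "issuer": "CN=Example Root CA", "subject": "CN=Example Root CA",
    "not_before": "2020-01-01", "not_after": "2030-12-31",
    "public_key": [CA_N, CA_E],
})

# End-entity certificates for hypothetical hosts; their key pairs are placeholders.
GATEWAY_CERT = issue({
    "version": 3, "serial": 1001,
    "issuer": "CN=Example Root CA", "subject": "CN=vpn.example.test",
    "not_before": "2024-01-01", "not_after": "2025-12-31",
    "public_key": [123456789, 65537],
})
REVOKED_CERT = issue({
    "version": 3, "serial": 1002,
    "issuer": "CN=Example Root CA", "subject": "CN=old-vpn.example.test",
    "not_before": "2024-01-01", "not_after": "2025-12-31",
    "public_key": [987654321, 65537],
})
CRL = {1002}   # constructed: serial numbers the CA has revoked or placed on hold


def validate(cert: dict, root_cert: dict, crl: set, today: str):
    """The three validation steps; returns (accepted, reason)."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    if not verify_signature(fields, cert["signature"], root_cert["public_key"]):
        return False, "signature does not verify with root public key"
    if not (fields["not_before"] <= today <= fields["not_after"]):
        return False, "outside validity period"
    if fields["serial"] in crl:
        return False, "serial number is on the CRL"
    return True, "valid"
```

Note that the root certificate validates against itself (it is self-signed), which is exactly why the root must reach the endpoint through a trusted channel such as a browser or operating system bundle rather than over the connection being validated.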


Further Reading
For information on the Online Certificate Status Protocol (OCSP), which
automatically verifies that a certificate is not on a CRL, see RFC 4557
at http://www.rfc-archive.org/getrfc.php?rfc=4557, or see
http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol.
For more information on proxy certificates, which allow proxy devices
that work on behalf of an endpoint to have the same authenticated
rights as that endpoint, see RFC 3820 at http://www.rfc-
archive.org/getrfc.php?rfc=3820.


VPNs

Thus far, we have discussed encryption techniques, technologies that are used to
generate and manage encryption keys, and the process by which digital certificates
secure asymmetric key schemes.
The next few sections of the module will introduce you to data security
technologies that use these encryption and key management technologies.


Tunnels

One way to help ensure that data is secure as it is forwarded across the Internet is
to send the data through a tunnel. A tunnel is a virtual point-to-point connection
that is created by encapsulating a packet’s contents inside another protocol. The
data contained in encapsulated packets is not visible to intermediate devices. This
provides the data with an extra layer of anonymity.
Packets that are sent over the Internet are wrapped in many protocol layers. For
example, data for a Web page is usually encapsulated in an Ethernet frame, an IP
header, a TCP header, and an HTTP header, among others. The packet is
forwarded only according to the information on the outer protocol layer. After the
packet is received at the outer layer destination, that protocol layer is stripped off,
and the packet is forwarded to its next destination based on the next layer. This
process continues until the data reaches its intended endpoint. Tunneling protocols
such as Generic Routing Encapsulation (GRE) provide an extra protocol layer that
must be processed by the endpoint before the data can be recovered.


As an example, imagine that you want to send a birthday card with a special
message to a nephew. You write the message on the inside of the card, sign it,
place it in an envelope, write the address on the outside of the envelope, and give
the envelope to the postal service. The postal service then forwards the card
entirely based on the address on the outside. After the letter arrives at your
nephew’s house, the boy’s mother or father removes the envelope and delivers the
card to him. Your nephew can then open the card and see the message that you
wrote. Encasing the card in an envelope prevents the letter handlers from casually
reading the message inside.
This level of security is fine for most correspondence, but merely encasing the
message on a card in an envelope wouldn’t stop a determined busybody from
taking the card, opening it, and reading the message. If you were sending a highly
sensitive contract to a client, you would want to make sure that the contract is
secure as it is transported. To protect it, you could ensure that it is hand-delivered
to the client, and that the envelope cannot be opened by casual busybodies.
Similarly, you can add a small level of security to your data transmissions by
tunneling them, but true security requires more.
Data can be tunneled over several OSI Layers. For example, GRE tunneling is
Layer 3 tunneling because it encapsulates a Layer 3 (IP) packet with a header,
which is in turn encapsulated with a new IP header. Basic tunneling is similar
to wrapping information in an envelope, providing the data with a small
amount of security.
However, for a tunnel to fully protect the data, it must provide these additional
functions:
„ Authentication—This ensures that each endpoint creates a point-to-point
connection with the correct endpoint.
„ Integrity—This verifies that all traffic sent through the tunnel is generated
by the tunnel’s two endpoints, preventing MITM attacks.
„ Confidentiality—Encryption protects the data itself from being sniffed and
read by attackers.
Tunnels that provide this level of security create a secure virtual point-to-point
connection between endpoints on two separate networks. These secure tunnels are
called virtual private networks (VPNs).
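The following added Python example (not from the course, nor from any tunneling product) builds a GRE-in-IPv4 packet with the struct module, strips it again at the tunnel endpoint, and shows what a device in the path can see. It makes the envelope point above literal: the outer header is all a transit router needs for forwarding, but nothing prevents that router from opening the envelope, because GRE alone provides none of the three functions listed. The addresses and the inner payload are constructed, carrying an application payload directly in the inner IPv4 packet is a simplification, and GRE header options (checksum, key, sequence number) are not handled.

```python
import socket
import struct

GRE_PROTOCOL = 47          # IP protocol number carried in the outer (delivery) header
ETHERTYPE_IPV4 = 0x0800    # GRE "protocol type" for an IPv4 passenger packet
IPV4_FMT = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build an IPv4 packet with a correct header checksum in front of payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the header; a header with a valid checksum sums to zero."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (vihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: GRE header (no option flags, version 0) plus a new delivery IP header."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + inner)


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Tunnel exit: strip the delivery header and the GRE header, return the passenger packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != GRE_PROTOCOL:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:   # C, K or S flag would add option fields
        raise ValueError("unsupported GRE header")
    return outer["payload"][4:]


def transit_view(outer_packet: bytes) -> dict:
    """What a device on the path sees: it forwards on the outer destination, but nothing
    stops it from reading the inner packet, because GRE neither encrypts nor authenticates."""
    outer = parse_ipv4(outer_packet)
    inner = parse_ipv4(gre_decapsulate(outer_packet))
    return {"forward_to": outer["dst"], "inner_src": inner["src"],
            "inner_dst": inner["dst"], "inner_payload": inner["payload"]}


# Constructed sample: a private-to-private packet carried across a public tunnel.
SAMPLE_INNER = ipv4_packet("10.1.1.5", "10.2.2.9", 6, b"GET / HTTP/1.0")
SAMPLE_OUTER = gre_encapsulate(SAMPLE_INNER, "203.0.113.1", "198.51.100.1")
```

Compare the transit_view output with the three functions listed above: the inner addresses and payload are readable (no confidentiality), any device can rewrite them and fix up the checksum (no integrity), and the outer source address is the only hint of who built the packet (no authentication).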

Note
Various vendors offer solutions for what they call tunneling and
VPN capabilities. This module will discuss only secure VPNs,
primarily those based on IPsec and SSL.


VPNs

The two basic types of VPNs are site-to-site and client-to-site.


Site-to-site VPNs allow a VPN tunnel to be established between two or more
private networks across a public network. Every authorized endpoint on any of the
private networks linked in the VPN can use the VPN tunnels to gain access to
resources on the other private networks.
A client-to-site VPN establishes a VPN tunnel between a particular endpoint and
the remote private network—for example, a network endpoint can use VPN client
software to connect to a corporate network over the Internet.
Several protocols support VPN tunnels:
„ Point-to-Point Tunneling Protocol (PPTP)—PPTP encapsulates a PPP
session inside a GRE protocol header. PPTP can provide endpoint
authentication using Microsoft CHAP version 2 (MS-CHAP v2) or EAP-
Transport Layer Security (EAP-TLS), and data encryption using the
Microsoft Point-to-Point Encryption (MPPE) protocol.


„ Layer 2 Tunneling Protocol (L2TP)—L2TP uses PPTP and the Layer 2
Forwarding (L2F) protocols to provide encapsulation for Layer 2 protocols
such as Frame Relay, Asynchronous Transfer Mode (ATM), and High-Level
Data Link Control (HDLC), in addition to providing PPP encapsulation.
However, L2TP does not provide encryption or authentication, so it is usually
used with the next VPN protocol listed: IPsec. (For example, Microsoft’s
VPN IPsec client supports L2TP.)
„ IPsec—IPsec creates and maintains VPN tunnels secured with encryption
and endpoint authentication.
„ SSL—SSL sets up Web-based VPNs.
The next two sections will discuss the two most common VPN protocols: IPsec
and SSL.

Further Reading
For more information on VPNs, see http://en.wikipedia.org/wiki/VPN
or “Chapter 8: Virtual Private Networks” in the ProCurve Secure
Router 7000dl Advanced Management Configuration guide at
ftp://ftp.hp.com/pub/networking/software/A-C08-VPNs.pdf.
For more information on PPTP, see the PPTP FAQ at
http://www.microsoft.com/.
For more information on L2TP, see RFC 2661 at
http://rfc.net/rfc2661.html, or see http://en.wikipedia.org/wiki/L2TP.


IPsec

IPsec is a standard that operates at OSI Layer 3 to provide an open framework for
tunneling data using secure encryption algorithms and authentication methods.
Using IPsec, a network administrator can customize the security protocols,
algorithms, and cryptographic keys used to establish and maintain a VPN.
When an IPsec connection is created, the two endpoints must agree to a
Security Association (SA) that defines the terms of the VPN connection. These
terms include the exact set of algorithms, protocols, and keys that will be used
to authenticate and protect the traffic transmitted across the connection. After
the endpoint devices are authenticated and an SA is established, the VPN
tunnel is created.


The IPsec standard has three parts:


„ Internet Key Exchange (IKE)—IKE is an optional standard for
automatically negotiating and establishing SAs.
„ Authentication Header (AH) protocol—This protocol provides message
integrity authentication using hash functions.
„ Encapsulating Security Payload (ESP) protocol—This protocol provides
data encryption as well as some message integrity authentication.

Further Reading
For more in-depth information on IPsec, see RFC 4301 at
http://rfc.net/rfc4301.html.


IPsec IKE

Note
In this discussion, VPN tunnel “endpoints” can refer to network
endpoints, such as workstations and servers, or gateway devices, such as
routers, that can set up VPNs on behalf of network devices.

When an endpoint attempts to communicate with another endpoint, IPsec assumes
that an SA is already in place and checks its database for this SA. If the SA exists,
the endpoint simply applies the specified algorithms and keys.
If an SA does not exist, the two endpoints must negotiate an SA. The easiest and
most secure method of negotiation is IKE, which enables the endpoints to
authenticate each other and to establish a temporary SA called the IKE SA. The
two endpoints can then create a temporary IKE tunnel so that they can
communicate securely and negotiate the actual SA or SAs that will control the
connection.


To create IKE SAs and the IKE tunnel, the endpoints perform the following steps:
1. The initiating endpoint (Initiator) sends a message to the recipient endpoint
(Responder) proposing several security parameter options for
communication. Each of the proposed parameters includes an authentication
method, an encryption algorithm, and a hash algorithm.
2. The Responder accepts one of these parameters, provided one is listed in the
Responder’s accepted list, and sends it back to the Initiator. This exchange
sets the security policy for the next exchange of messages.
3. The Initiator and Responder use the Diffie-Hellman exchange to establish a
shared secret, which will be used to create the encryption keys.
4. The last message exchange, which is encrypted over the temporary IKE
tunnel, authenticates each tunnel endpoint. This authentication can be done
using a pre-shared key or digital certificates.
After authentication, IKE enters a second phase in which the endpoints determine
the keys that will encrypt data in the final IPsec tunnel. This negotiation can be
based on the Diffie-Hellman exchange in phase 1. However, in implementations
using Perfect Forward Secrecy, a second Diffie-Hellman exchange is required.
SAs are protocol specific. To supply encryption and data authentication over an
IPsec tunnel, you can use AH, ESP, or both. If both protocols are used, two SAs
must be established, one for each protocol.

Further Reading
For more information on IKE, see RFC 4306 at
http://rfc.net/rfc4306.html.


IPsec AH and ESP

After the encryption algorithms and keys are agreed upon in the IKE exchange,
IPsec uses the AH and ESP protocols to manage the actual data encryption and
authentication. These IPsec protocols operate within the new, or delivery, IP
packet header.
The AH protocol is used for authentication. It verifies the identity of the sender
and the integrity of packet contents. It can also provide an anti-replay service. A
replay attack occurs when an attacker deliberately delays or resends a stolen
packet, such as a password packet. Replay protection ensures that messages in the
IPsec session cannot be reused or replayed. AH does not, however, provide
encryption.
The ESP protocol encrypts and decrypts tunnel packets. ESP uses the keys
calculated during the last phase of IKE to encrypt the data and can support both
symmetric and asymmetric key schemes. This protocol can also provide
authentication and anti-replay service, but its authentication capabilities are more
limited than those of AH.
An AH header authenticates both the packet payload and the IP header. An ESP
header only authenticates the payload, but can also encrypt it.


AH and ESP both use a hash function to authenticate data. The hash function uses an
encryption key to create a message digest. The endpoint then appends the message
digest to the data. When the remote endpoint receives the complete packet, it uses
the same encryption key and algorithm to hash the received data into a message
digest. The endpoint then compares the result to the message digest that was
appended to the packet. If the two match, then the endpoint knows both that:
„ the data was sent by the endpoint claimed as the source (because only this
endpoint also knows the unique authentication key)
„ the data has not been tampered with en route
AH and ESP can be used independently or together; for most applications, just one
of these protocols is sufficient.
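The keyed integrity check described here and the anti-replay service mentioned for AH and ESP on the previous slide can be illustrated together. The following Python example is added and is not ProCurve or IPsec implementation code: a constructed packet format carries a 32-bit sequence number, a payload, and a 16-byte integrity check value (an HMAC-SHA-256 tag truncated to 128 bits, the length RFC 4868 uses). The receiver first checks the sequence number against a sliding window of 32 packets (the IPsec minimum), then verifies the ICV with the SA's key, and only then marks the sequence number as seen, so a packet with a bad ICV cannot consume a window slot. The SA key is a constructed value.

```python
import hashlib
import hmac
import struct

WINDOW_SIZE = 32                                  # IPsec requires a window of at least 32
SA_AUTH_KEY = b"constructed-sa-integrity-key"     # the SA's integrity key (constructed value)
ICV_LEN = 16                                      # HMAC-SHA-256 truncated to 128 bits


def build_packet(seq: int, payload: bytes, key: bytes = SA_AUTH_KEY) -> bytes:
    """Sender side: sequence number, payload, then the ICV computed over both."""
    body = struct.pack("!I", seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class ReplayWindow:
    """Sliding window over received sequence numbers, in the style of RFC 4302/4303."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set: sequence number (highest - i) was received

    def check(self, seq: int) -> bool:
        """Would this sequence number be accepted? Does not change the window."""
        if seq == 0:                          # 0 is never a valid IPsec sequence number
            return False
        if seq > self.highest:                # newer than anything seen: accept
            return True
        diff = self.highest - seq
        if diff >= self.size:                 # older than the window: reject
            return False
        return not (self.bitmap >> diff) & 1  # inside the window: reject duplicates

    def update(self, seq: int) -> None:
        """Record an accepted sequence number; call only after the ICV verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive(packet: bytes, window: ReplayWindow, key: bytes = SA_AUTH_KEY) -> str:
    """Receiver side: window check, then ICV check, then window update."""
    if len(packet) < 4 + ICV_LEN:
        return "malformed"
    seq = struct.unpack("!I", packet[:4])[0]
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not window.check(seq):
        return "rejected-by-window"
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return "bad-icv"
    window.update(seq)
    return "ok"
```

Because the sequence number is inside the data the ICV covers, a replayed packet is rejected by the window and a packet whose sequence number was altered to slip past the window fails the ICV check; the two mechanisms only work together.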
In most cases, clients who establish and connect to a client-to-site VPN tunnel
must use VPN client software. This software supports the IPsec standard and
provides the AH and ESP protocol functions. However, rather than installing
separate VPN client software, a client can create and connect to a non-IPsec VPN
tunnel using a Web browser and SSL.

Further Reading
For more information on AH, see RFC 4302 at
http://rfc.net/rfc4302.html.
For more information about ESP, see RFC 4303 at
http://rfc.net/rfc4303.html.


SSL VPNs

The SSL-TLS protocol provides authenticated and encrypted Web communication
using hash functions and encryption algorithms. (For more information on SSL-TLS
and HTTPS SSL, see Module 6—Layer 3: Device Access Security.) Using SSL-TLS,
you can establish a VPN over the Internet using your Web browser. SSL VPNs have
the following benefits:
• OSI Layer 7 operation—Unlike IPsec VPNs, which operate at OSI Layer 3,
SSL VPNs provide client-to-site network access operating at OSI Layer 7. SSL
VPNs are therefore able to tunnel to all Web-enabled applications on the
network.
• Browser-based implementation—SSL VPNs are the most common type of
VPN. This is because most Web browsers already support SSL-TLS, so in
most cases an endpoint client does not need special client software to utilize
browser-based applications. Most Web browsers also support a range of key
negotiating algorithms and industry-standard encryption algorithms that can
be used to establish an SSL VPN tunnel.
• Granular access control—SSL VPNs tunnel to specific Web-enabled
resources rather than to an entire local area network (LAN). This allows
network administrators to specify what applications a particular SSL VPN
endpoint is permitted to access based on network access control rights.


IPv6 Security Enhancements

IPv6, previously called IPng, is the next version of IP. This version is primarily
designed to provide enough IP addresses that every device on every network can
have a globally unique address. IPv6 also includes some design elements that
improve packet security over that offered by IPv4.
IPv6 implementation will take several years, and even after implementation, IPv4
will operate concurrently with IPv6. For a more in-depth discussion of IPv6, see
http://en.wikipedia.org/wiki/IPv6.
This section of the module will discuss IPv6 security enhancements.


IPv6 IPsec

Though IPv4 can provide security by optionally supporting IPsec, IPv6 requires
the use of IPsec. In other words, every IPv6 packet travels through a VPN tunnel
across the Internet.
IPv6 handles IPsec packets much like IPv4 does:
1. The original IP header and data are encrypted, or encrypted and hashed, using
the algorithms specified in the SA. The packet is then encapsulated in an
outside IP header.
2. The packet is forwarded at each hop using the outside IP header until it
reaches its destination.
3. The outside header is then removed, and the encrypted packet contents are
processed, decrypted, and authenticated.


IPv6 Header Length

To provide enough addresses for IP devices, the IPv6 address length was increased
to 128 bits. The 128-bit address space provides 3.4 x 10^38 total IP addresses, or
roughly 5 x 10^28 addresses for each person on the planet. The IPv6 address length
is a considerable increase over the 32-bit length used in IPv4, which provided only
4.3 billion addresses total.
The increased address and header size makes IPv6 networks much more resistant
to some reconnaissance attacks such as network mapping. For example, network
mapping software systematically scans every possible address on the target
network’s subnet to map the devices on that network. On an IPv4 network, this
scan can complete within seconds. However, with greatly increased IPv6 address
length and subnet size, it can take years to scan every possible IP address within
a subnet.


IPv6 Privacy Extensions

IPv6 addresses are created using an interface identifier that is unique to each
device and a network-specific prefix. Because device MAC addresses are globally
unique identifiers, it was initially proposed that these be used as the interface
identifiers.
However, a problem arises: IPv6 was designed to implement stateless
autoconfiguration, a process for automatically assigning IP addresses without
resorting to a Dynamic Host Configuration Protocol (DHCP) server. Stateless
autoconfiguration can be used to assign addresses to both stationary and mobile
devices that may need temporary IP addresses. However, using a static interface
identifier, such as a MAC address, in conjunction with a set autoconfiguration
process may allow certain attacks:
• An attacker may be able to find a network address pattern that allows a
successful network attack.
• An attacker may be able to track a particular device no matter where or how
it is connected to the Internet.
IPv6 privacy extensions obscure address patterns by creating dynamic interface
identifiers to be used with stateless autoconfiguration. These dynamic identifiers
vary within a particular network and are created by using an MD5 hash to
periodically generate pseudo-random interface identifiers.
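The following example, added here and not part of the course material, shows how such a pseudo-random interface identifier can be derived. It follows the generator in RFC 4941 as recalled (MD5 over a history value and the EUI-64 identifier, leftmost 64 bits become the new identifier, rightmost 64 bits feed the next round); the MAC address, prefix and seed are constructed sample values, and the exact bit layout should be checked against the RFC before relying on it.

```python
import hashlib
import ipaddress
import os

# Constructed sample values (not from a real device): the EUI-64 interface
# identifier derived from MAC 00:11:22:33:44:55, and a documentation prefix.
SAMPLE_EUI64_IID = bytes.fromhex("021122fffe334455")
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")


def next_temporary_iid(history: bytes, eui64_iid: bytes) -> tuple:
    """One round of the RFC 4941 temporary-identifier generator.

    Assumption: the round is reproduced from memory of RFC 4941 section 3.2.1:
    MD5 over (history value || EUI-64 identifier); the leftmost 64 bits become
    the temporary interface identifier with the universal/local bit cleared,
    and the rightmost 64 bits become the history value for the next round.
    """
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history and interface identifier must both be 8 bytes")
    digest = hashlib.md5(history + eui64_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear bit 6 of the first octet: the u/l bit of an EUI-64
    return bytes(iid), digest[8:]


def temporary_addresses(prefix: ipaddress.IPv6Network, eui64_iid: bytes,
                        count: int, seed: bytes = None) -> list:
    """Generate `count` successive temporary addresses under a /64 prefix.

    `seed` is the initial history value; RFC 4941 takes it from a random
    source, which os.urandom supplies here. A fixed seed makes the output
    reproducible for testing.
    """
    if prefix.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    history = seed if seed is not None else os.urandom(8)
    prefix_bytes = prefix.network_address.packed[:8]
    addrs = []
    for _ in range(count):
        iid, history = next_temporary_iid(history, eui64_iid)
        addrs.append(ipaddress.IPv6Address(prefix_bytes + iid))
    return addrs


def eui64_address(prefix: ipaddress.IPv6Network, eui64_iid: bytes) -> ipaddress.IPv6Address:
    """The stable, MAC-derived address that the privacy extension is meant to hide."""
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + eui64_iid)


if __name__ == "__main__":
    print("stable    :", eui64_address(SAMPLE_PREFIX, SAMPLE_EUI64_IID))
    for a in temporary_addresses(SAMPLE_PREFIX, SAMPLE_EUI64_IID, 3):
        print("temporary :", a)
```

Each round feeds the previous digest back in, so the identifiers change over time while the stable EUI-64 address (which still reveals the MAC) is never placed on the wire for outbound connections.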


Wireless Security

IPv6 and VPNs use encryption and authentication to secure data as it is forwarded
across an untrusted network. However, data doesn’t need to be forwarded across
an untrusted network to be at risk. A strong, additional layer of security is needed
to protect data as it is moved between a wireless network access point (AP) and a
wireless device.
The Internet Engineering Task Force (IETF) 802.11 standard specifies the
encapsulation and transmission methods used to forward traffic between a wireless
device and the network AP. The 802.11i amendment, which became part of the
802.11 standard in 2004, specifies the wireless security measures required to
ensure wireless data confidentiality.
This section of the module will discuss technologies used to secure data that is
forwarded over wireless connections.


Wireless Encryption

To protect data as it is forwarded over a wireless connection, several encryption
and authentication standards have been developed. Protected data is wrapped in
layers of complex encryption algorithms and data integrity functions, and
protected data is sent between endpoints authenticated by strong techniques. The
combination of authentication, encryption, and integrity checking creates what
amounts to a wireless tunnel between the network wireless AP and the wireless
device. As shown in the example above, the wireless tunnel doesn’t prevent other
devices from listening in. However, implementing wireless security standards does
help to prevent potential attackers from gaining easy access to data they may
intercept.


Wired Equivalent Privacy (WEP)


Not all wireless security standards have remained secure. The initial 802.11
standard used an encryption algorithm called WEP. This algorithm was based on
the RC4 stream cipher and typically used a static key for encrypting packets
transmitted to and from an AP. Each packet was encrypted with a slightly different
encryption key that was created by adding a counter to the static key. WEP was
proven to be very insecure in 2001 because of several vulnerabilities, including:
• A single, static key for every device connected to the AP—The WEP
protocol provided no method for dynamically changing encryption keys.
Once a WEP key was set on a device, it was used to communicate with every
device that connected to it. Additionally, the key had to be manually
changed: because of the time and effort required, encryption keys were rarely
changed. Therefore, if an attacker were able to determine the key, he or she
gained access to all traffic to or from the AP.
• Insufficient per-packet counter length—The per-packet WEP encryption key
was created by tacking a 24-bit counter onto the manually-set static WEP key.
A 24-bit counter can only go up to 16777215, giving only about 16.7 million
possible keys. If a different key is used for each packet, the counter, and
therefore the encryption key, begins to repeat every 16.7 million packets.
Stream ciphers, such as the RC4 cipher used in WEP, are very vulnerable if
an encryption key is ever used more than once. It may seem like 16 million
packets is a very large number, but a busy network handles that many within
a few hours.
• Plaintext per-packet counter—The per-packet counter that was tacked onto
the encryption key was included, unencrypted, in the 802.11 frame header.
Because this component of the encryption key was already known, it became
much easier to solve for the static key.
• CRC-32 checksum message integrity—CRC checksums are easily fooled.
For example, data in a packet can be altered in such a way that the CRC
checksum remains the same, or a new CRC checksum can be calculated to
reflect the changed data.
Since 2001, shareware WEP cracking software has become readily available for
download off the Internet. In 2005, the FBI was able to demonstrate that a WEP-
secured network can be compromised in as little as three minutes.
In 2001, most network devices (that were employing any type of wireless security
measures at all) were using WEP. To plug the gaping security hole that was
created when WEP was proven insecure, some network administrators began to
implement VPNs over the wireless connection. This solution provided data
encryption after the VPN tunnel was established, but did not prevent an attacker
from accessing the AP. Also, this solution was not always practical.


After WEP was cracked, the IETF began to develop a new wireless security
amendment to the 802.11 standard called 802.11i. This security standard is
designed to provide a wireless security baseline for vendors to follow. However,
this standard took more than four years to ratify and networks needed an
immediate solution. The Wi-Fi Protected Access (WPA) standard was introduced
as an interim wireless security measure until the new IETF standard could be
implemented.

Further Reading
In the United States, the FBI performed a WEP-cracking demonstration at a
2005 Information Systems Security Association (ISSA) meeting. Read the
article at
http://www.tomsnetworking.com/2005/03/31/the_feds_can_own_your_wla
n_too.
For more information on WEP, see
http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy.


WPA

WPA is more secure than WEP in several ways: it uses a longer counter length, an
encrypted message integrity code (MIC) that is more complex than a simple CRC
checksum, and a complex encryption key generation and management protocol
called the Temporal Key Integrity Protocol (TKIP).
Important features of WPA include:
1. 802.1X peer authentication—WPA ensures that the peer connecting to the
wireless network is authorized to do so.
2. RC4-based encryption—WPA is backward compatible with WEP devices
because it is based on the RC4 stream cipher. Although stream ciphers are
insecure if an encryption key is used more than once, TKIP overcomes this
problem by dynamically assigning unique per-frame keys.


3. MIC for payload integrity—Rather than using a simple CRC checksum, the
MIC is calculated using the Michael algorithm. This algorithm creates a
complex blend of encrypted data excerpts mixed with one of the temporal
keys generated by TKIP. For further security, the MIC itself is encrypted and
added to the end of the packet.
4. TKIP—WEP was insecure because it used a single encryption key for every
device in the wireless network. TKIP greatly improves key security by
generating a set of keys, each of which are used for separate purposes in the
encryption and authentication process. These keys are unique to the device
and dynamically changed over time.


TKIP

TKIP uses device MAC addresses, randomly generated numbers, and a shared secret
to create a set of encryption keys. The first key created is the Pairwise Master Key
(PMK), which is calculated using a shared secret generated during the 802.1X
authentication process. TKIP then uses a four-part handshake that uses randomly
generated numbers and device MAC addresses to calculate a Pairwise Transient Key
(PTK). Next, the PTK is split into three keys, each of which is used for a different
purpose. The three keys are:
• The Key Encryption Key (KEK)—This key is used to encrypt the PTK,
ensuring that an unauthenticated endpoint does not intercept it during the
TKIP handshake.
• The Key Confirmation Key (KCK)—This key is combined with frame-specific
data to calculate the MIC.
• The Temporal Key (TK)—This key is used to encrypt the data.


To encrypt each packet, the MIC is calculated and appended to the data. A 48-bit
counter is appended to the TK, and the TK+Counter is then used as the per-frame
key to encrypt the data and the MIC. The encrypted data is then encapsulated in
an 802.11 header and transmitted.
TKIP solved many of the most major problems with WEP. However, WPA does
not meet the IETF 802.11i wireless security standard. The WPA2 standard builds
on TKIP and is fully compliant with the 802.11i amendment.
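The key derivation described in this TKIP section, as an added example that is not part of the course: the PMK, both MAC addresses and both handshake nonces go through a PRF, and the resulting PTK is split into the KCK, KEK and TK. The PRF construction (HMAC-SHA1 over label, data and a counter) and the key layout are reproduced from memory of 802.11i and should be treated as an assumption; the PMK, MAC addresses and nonces are constructed sample values, and the per-frame key follows the page's simplified description (counter appended to the TK) rather than the full TKIP key-mixing function.

```python
import hashlib
import hmac

# Constructed sample inputs (not from a real network): a 256-bit PMK, the
# AP's and the station's MAC addresses, and the two handshake nonces.
SAMPLE_PMK = hashlib.sha256(b"constructed-pmk-for-illustration").digest()
SAMPLE_AP_MAC = bytes.fromhex("001122334455")
SAMPLE_STA_MAC = bytes.fromhex("66778899aabb")
SAMPLE_ANONCE = hashlib.sha256(b"anonce").digest()
SAMPLE_SNONCE = hashlib.sha256(b"snonce").digest()


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n (assumption: reproduced from memory of the amendment):
    concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    and keep the first nbits bits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Four-way-handshake key derivation as the text describes it.

    min/max ordering makes both sides compute the same PTK regardless of
    which MAC address or nonce each side regards as its own. Assumption:
    TKIP uses a 512-bit PTK laid out as 128-bit KCK, 128-bit KEK and
    256-bit temporal key material, as recalled from 802.11i.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:64]}


def per_frame_key(tk: bytes, tsc: int) -> bytes:
    """Per-frame key as the page describes it: the 48-bit sequence counter
    appended to the temporal key, so no two frames share a key."""
    if not 0 <= tsc < 2 ** 48:
        raise ValueError("the TKIP sequence counter is a 48-bit value")
    return tk + tsc.to_bytes(6, "big")


if __name__ == "__main__":
    keys = derive_ptk(SAMPLE_PMK, SAMPLE_AP_MAC, SAMPLE_STA_MAC, SAMPLE_ANONCE, SAMPLE_SNONCE)
    for name, value in keys.items():
        print(name, value.hex())
    print("frame 1 key:", per_frame_key(keys["TK"], 1).hex())
```

Because fresh nonces enter the derivation on every association, the same PMK yields a different PTK each time, which is what keeps a captured temporal key from being useful across sessions.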


WPA2

The 802.11i amendment, which is part of the 802.11 standard, defines an
extensible standard for wireless security. It includes:
• 802.1X authentication
• message authentication (MIC)
• AES-based encryption
• Counter Mode with Cipher Block Chaining Message Authentication Code
Protocol (CCMP)
WPA2 is the first approved implementation of 802.11i. Similar to WPA, WPA2
uses 802.1X authentication and MIC message authentication. WPA2 is backwards
compatible with TKIP encryption, meaning WPA2 APs can be configured to
support clients using TKIP. However, WPA2 is based on the more-secure AES
block cipher and CCMP encryption technique.


CCMP

CCMP is a protocol that specifies how the AES encryption algorithm is applied to
the data. CCMP has two parts:
• Cipher block chaining—This is used to calculate the MIC. Rather than use
the Michael algorithm, which was shown to be vulnerable to some attacks,
WPA2 uses chain block ciphering (CBC) to calculate the MIC. CBC works
by encrypting the first block of data using the KCK derived from the PTK.
Each successive block of data is then encrypted using the last encrypted
block of data. The high-level 64 bits of the result are the MIC.
• AES counter mode—This is used to encrypt the data. A starting block with a
counter is encrypted using AES and the TK. The result is XORed with the
first 128-bit block of data yielding the first encrypted data block. The counter
is then incremented in the starting block and this new starting block is
encrypted using AES and the temporal key. This result is XORed with the
next 128-bit block of data to give the second encrypted data block. This
process continues until the entire payload of the frame is encrypted. The last
block that is encrypted is the MIC, which is added to the end of the payload.
CCMP provides a complex and secure encryption and data authentication method
for wireless traffic.
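The two CCMP parts just described, CBC-MAC for the MIC and counter mode for encryption, as an added example that is not part of the course material. The standard library has no AES, so a keyed PRF (HMAC-SHA256 truncated to one block) stands in for the block cipher; both modes only call the cipher in the forward direction, so the structure is unchanged and a real AES call can be dropped in. As on the page, the MIC uses the KCK and the counter mode uses the TK (real CCMP uses a single key); the keys and nonce are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (assumption: no AES in the
    standard library). A keyed PRF over one 16-byte block is enough for
    CBC-MAC and counter mode, which never need the inverse direction."""
    if len(block) != BLOCK:
        raise ValueError("block cipher input must be exactly one block")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % BLOCK)


def cbc_mac(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CBC-MAC as the text describes: encrypt the first block, chain each
    following block through the previous ciphertext, keep the high-order
    64 bits. The first block carries the nonce and the data length so that
    messages of different lengths never share the same MAC input prefix."""
    first = nonce + len(data).to_bytes(4, "big")
    prev = block_encrypt(key, first)
    padded = _pad(data)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(prev, padded[i:i + BLOCK]))
    return prev[:8]


def ctr_keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    """Counter mode as the text describes: encrypt nonce||counter, increment,
    repeat; the payload is XORed with the result. Counter 0 is skipped so the
    keystream blocks never coincide with the CBC-MAC's first block."""
    return b"".join(block_encrypt(key, nonce + ctr.to_bytes(4, "big"))
                    for ctr in range(1, nblocks + 1))


def ccmp_protect(kck: bytes, tk: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """MIC over the plaintext, then encrypt plaintext||MIC in counter mode."""
    if len(nonce) != 12:
        raise ValueError("nonce must be 12 bytes (12 + 4-byte counter = one block)")
    payload = plaintext + cbc_mac(kck, nonce, plaintext)
    ks = ctr_keystream(tk, nonce, -(-len(payload) // BLOCK))
    return _xor(payload, ks)  # zip() trims the keystream to the payload length


def ccmp_unprotect(kck: bytes, tk: bytes, nonce: bytes, ciphertext: bytes):
    """Decrypt, split off the MIC and verify it; None means tampered or invalid."""
    if len(ciphertext) < 8:
        return None
    ks = ctr_keystream(tk, nonce, -(-len(ciphertext) // BLOCK))
    payload = _xor(ciphertext, ks)
    plaintext, mic = payload[:-8], payload[-8:]
    if not hmac.compare_digest(mic, cbc_mac(kck, nonce, plaintext)):
        return None
    return plaintext


# Constructed keys and nonce for the demonstration (not real key material).
SAMPLE_KCK = hashlib.sha256(b"kck").digest()[:16]
SAMPLE_TK = hashlib.sha256(b"tk").digest()[:16]
SAMPLE_NONCE = bytes.fromhex("0102030405060708090a0b0c")

if __name__ == "__main__":
    ct = ccmp_protect(SAMPLE_KCK, SAMPLE_TK, SAMPLE_NONCE, b"hello over the air")
    print(ct.hex())
    print(ccmp_unprotect(SAMPLE_KCK, SAMPLE_TK, SAMPLE_NONCE, ct))
```

The receiver rejects any frame whose recomputed MIC differs, which is the property the Michael-based WPA MIC could not guarantee; note that the nonce must never repeat under the same key, since counter mode, like any stream cipher, is broken by keystream reuse.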


MACsec

In addition to the 802.11i wireless security standard, the Institute of Electrical and
Electronics Engineers (IEEE) is now implementing similar security measures for
the 802 standard. The 802.1AE Media Access Control Security (MACsec)
amendment specifies per-hop security that includes:
• mutual authentication
• key management
• message integrity
• frame encryption

[Figure: MACsec. A connectivity association (CA) contains devices A, B, and C; device D sits outside it. Unidirectional Secure Channels (SC) run between the members: SCAB, SCBA, SCAC, SCCA, SCBC, SCCB. MACsec frame layout: Src Address | Dst Address | MACsec Tag | Data | ICV, with the frame marked as authenticated.]

The IEEE 802.1AE and 802.1af MACsec standards are designed to deter some
network attacks by creating a connectivity association (CA) between trusted Layer 2
network devices. Traffic handled by devices within the CA is marked with a
MACsec tag, which differentiates traffic that originates from a trusted network
device from traffic that originates from an untrusted device.
For example, you have a network with four devices, three of which are in the CA.
The fourth device can send and receive frames using the connectivity provided by
the shared LAN, but it does not have the correct MACsec tag that would allow it to
participate in the CA. Instead, A, B, and C recognize the traffic from D as traffic
from an untrusted source, and they filter it. Filtering untrusted frames helps to
ensure that D cannot compromise the integrity, confidentiality, or origin of any of
the frames exchanged among A, B, and C.
MACsec performs three functions:
1. Defines a secure CA among devices within the LAN—Secure CAs are created
by mutually authenticating all devices within the group and creating the
MACsec tag. The MACsec tag is then added to every frame sent within the CA.
2. Sets up secure, one-way communication channels within the CA—After
the CA is established, the devices create unidirectional Secure Channels
(SCs) with each other. Each SC secures traffic using an overlapped sequence
of security associations (SAs) similar to those used in IPsec. The SAs define
the frame integrity verification process (and optionally the data encryption
process) that the device will use when transmitting over the SC.


3. Uses cryptographic keys and algorithms to secure the data—Similar to
WPA, MACsec uses the 802.1X token to create a PMK. The PMK is split
into two keys: the CA key, which is used to create the MACsec tag, and the
SA key, which is used to provide message integrity and encryption for the
data. Message integrity is provided using an integrity check value (ICV),
calculated using the MACsec frame; the SA key; and the AES algorithm. The
result is appended to the frame and verified by the destination device. The SA
key can also encrypt the data within the MACsec frame.
By specifying and isolating traffic within a CA, MACsec can help prevent MITM,
replay, and some denial-of-service (DoS) attacks.

Further Reading
One of MACsec’s notable features is that it uses the AES
Galois/Counter Mode (GCM), which incorporates unique mathematical
matrices (called Galois fields) as part of the algorithm. For further
reading on GCM, see “The Galois/Counter Mode of Operation” by
McGrew and Viega at
http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/gcm-
revised-spec.pdf.
For more information on MACsec, you can look up the IEEE 802.1AE
and 802.1af standards, or see
http://www.networkworld.com/details/7593.html?def.


Stored Data Security

This module has primarily focused on protecting data as it moves across untrusted
networks. The same encryption methods can also be used to protect data as it is
stored within the network.
Unencrypted data is easily read and exploited by an attacker who gains access to
the storage device. To monitor that data, you can use hash algorithms to verify
data integrity. You can also protect data by requiring authentication for access or
by encrypting portions of the storage device to obscure either the data or the means
by which it is accessed. The final section of this module will discuss methods that
are used to protect stored data.


Change Auditing

Securing stored data can be challenging. Stored data is static in its location and
availability. To access forwarded data, an attacker must intercept it while it is in
transit. To access stored data, an attacker simply must access the storage location.
To protect your stored data, you can use an auditing system that allows you to
detect intrusions and take measures to restore the original files.
Attackers often target specific OS system files. By changing these files, the
attacker can open backdoors and alter how the network operates. Most of these OS
files are not often accessed and do not change. Change auditing works by detecting
changes to these files. By noting and tracking these changes, you can detect
network intrusions and take actions to restore your data.
Change auditing software looks at several file aspects, including differing message
digests and unexpected file size changes, to detect an intrusion. The software
begins by creating a message digest of the file along with noting several other file
aspects such as file size and the date when the data was last accessed. Then, at
periodic intervals, the software computes another message digest and compares the
digest and the current file specifications with the initial values. If the values don’t
match, you can then trace the intrusion and use a backup copy to restore the file.
This method only works to protect system files that do not change very often. For
files that are works in progress or need to be accessed from time to time, another
protection method should be used.
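A minimal change auditor of the kind just described, as an added example that is not part of the course or of any product: it records a SHA-256 digest, size and modification time for each watched file, stores the baseline as JSON, and on each run reports which aspect changed or whether the file is missing. The file names and contents in `run_demo` are constructed in a temporary directory purely to exercise the comparison.

```python
import hashlib
import json
import os
import tempfile

FIELDS = ("sha256", "size", "mtime")


def fingerprint(path: str) -> dict:
    """Message digest plus the other file aspects the text mentions."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": st.st_mtime}


def build_baseline(paths) -> dict:
    return {os.fspath(p): fingerprint(p) for p in paths}


def save_baseline(baseline: dict, store: str) -> None:
    # In practice keep this store off-box or read-only: an attacker who can
    # rewrite the baseline can hide the change it was meant to reveal.
    with open(store, "w") as f:
        json.dump(baseline, f)


def load_baseline(store: str) -> dict:
    with open(store) as f:
        return json.load(f)


def audit(baseline: dict) -> dict:
    """Compare current state against the baseline: {path: [what changed]}."""
    findings = {}
    for path, ref in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        cur = fingerprint(path)
        changed = [k for k in FIELDS if cur[k] != ref[k]]
        if changed:
            findings[path] = changed
    return findings


def run_demo() -> tuple:
    """Constructed scenario: baseline three files, then overwrite one with
    same-size content and delete another. Returns (findings, kept, edited, deleted)."""
    d = tempfile.mkdtemp(prefix="change-audit-demo-")
    keep, edit, gone = (os.path.join(d, n) for n in ("sshd_config", "passwd", "hosts"))
    samples = ((keep, b"PermitRootLogin no\n"),
               (edit, b"root:x:0:0:\n"),
               (gone, b"127.0.0.1 localhost\n"))
    for p, content in samples:
        with open(p, "wb") as f:
            f.write(content)
    store = os.path.join(d, "baseline.json")
    save_baseline(build_baseline([keep, edit, gone]), store)
    with open(edit, "wb") as f:
        f.write(b"root:x:0:1:\n")  # same size, different bytes: only the digest catches it
    os.remove(gone)
    return audit(load_baseline(store)), keep, edit, gone


if __name__ == "__main__":
    findings, *_ = run_demo()
    for path, what in findings.items():
        print(path, "->", ", ".join(what))
```

The same-size edit in the demo is the reason the digest, not the size or timestamp, is the primary signal: size and mtime are cheap sanity checks, but both can be preserved by an attacker who edits a file in place.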


Honeypots and Honeynets

Another way to protect your network is by intercepting network attacks and
providing the attacker with an attractive (but counterfeit) alternative to your
network.

Honeypots
A honeypot is a network resource that has no legitimate use within a network. In
other words, any interaction with the honeypot must be illegitimate, such as a
network intrusion. Honeypots are designed to attract attackers away from your
trusted network by intercepting an attack and providing an alternative environment
for the attacker to work in. A honeypot also monitors the attacker’s behavior,
allowing you to understand and prepare to combat different types of network
attacks.
There are two types of honeypots:
• Low-interaction—These honeypots emulate the network OS and network
services to interact with a possible attacker while pretending to be legitimate
network resources. For example, some honeypot implementations intercept
an attacker by monitoring network IP address usage. If traffic is received
destined to an IP address that is not used on the network, the honeypot will
intercept the traffic and pose as a valid network device operating at that
address.
The disadvantage to a low-interaction honeypot is that the emulator is only
designed to monitor and respond to predicted attacker behaviors. If the
attacker does something unexpected, the honeypot will return an error
message. And because the attacker is operating in an emulated environment,
low-interaction honeypots are also limited in the types of attacker behaviors
they can capture.
The most significant advantage of low-interaction honeypots is that the
attacker is operating only in the simulated environment and is effectively
isolated from the actual network.
• High-interaction—High-interaction honeypots allow the attacker to have
actual access to the honeypot’s operating system and services. (Remember
that the honeypot device has no legitimate network use.) Allowing the
attacker to have access to the device’s systems gives the attacker much more
freedom to demonstrate attack methods while the honeypot tracks and
monitors behavior. However, because the attacker has real access to the
network device, it’s possible that the attacker can do real damage to your
network.

Honeynets
To gather more information on a network attack, you can deploy a honeynet. A
honeynet is a network—with actual servers, switches, routers, and hubs—that
includes one or more high-interaction honeypots. Similar to honeypots, honeynets
themselves provide no legitimate network services. Rather, the honeynet is
designed to intercept a network attack and give the attacker an isolated network
playground. Attacker behavior is then monitored and recorded.
Several risks are associated with honeynets:
• If attackers discover the honeynet, they can bypass it to access your trusted
network.
• The honeynet can be used as a zombie to attack another network.
• The honeynet can be used for illegal activity such as uploading stolen credit
card numbers or illegal copies of CDs and DVDs. If illegal activity is traced
back to your network by law enforcement, you could be held liable until you
are able to prove that the traffic originated elsewhere.


Summary

This module introduced you to the basics of encryption, including how encryption
algorithms and hash functions can be used to secure data. You were introduced to
key management techniques such as KDCs and the Diffie-Hellman exchange. You
also learned about digital certificates, how they are generated, and how they
authenticate an endpoint. You then learned about the ways in which encryption
and hash functions can be used to protect your network.
The next module will discuss ways in which authentication, encryption, and hash
function technologies can be used to secure network backbone devices.

Layer 3: Device Access Security
Module 6

Objectives
Network access control and data integrity and privacy technologies compose the
proactive components of network security. These proactive components are
designed to address security concerns and network vulnerabilities before they
become a network security crisis. However, attacks continue to evolve, and
proactive network security components will not always catch every intrusion. If
your infrastructure is insecure, you leave your network open to attacks that bypass
or worm their way through the proactive security layers. For comprehensive
network security, you must also ensure that your network devices are secure and
immunized against attacks.
In this module, you will learn about the authentication and file transfer
technologies that are used to secure managed devices. After reading this module,
you should be able to:
• Explain how to use a local user database to secure managed devices
• Describe how remote authentication can also be used to protect network
backbone devices
• Show how the Secure Shell (SSH) protocol secures communication between
an endpoint and a managed device
• Explain how the Secure Sockets Layer (SSL) (Transport Layer Security
[TLS]) protocol can provide secure access to network devices
• Show how Secure File Transfer Protocol (SFTP) can be used to safely upload
and download files
• Describe the Simple Network Management Protocol version 3 (SNMPv3)
security upgrades


Managed Devices

Networks use several different types of devices to manage the flow of information
between endpoints. Called managed devices because they are controlled by the IT
staff, these devices, such as routers, switches, and wireless access points (APs),
form the network infrastructure. To adequately protect your network, you must
secure access to these network infrastructure devices.
These managed devices keep track of network structure and security information,
which allows them to efficiently route and forward traffic. However, if an attacker
were to obtain this information from these devices, the network would be quickly
and easily compromised. Sensitive data on managed devices includes:
• Network device IP address and routing information—Routers and routing
switches maintain IP routing information for devices that are within and
outside the network. If an attacker accesses the route table, he or she can use
this information to impersonate a network device or perform a direct attack
on network resources.
• Network security information—Devices such as routers and APs maintain
information on currently operating network security measures such as virtual
private network (VPN) security associations (SAs), access control lists
(ACLs), preshared keys, and authentication server information.

• MAC address information—In smaller networks, APs (and some switches)
can permit network access based on the connecting device’s MAC address. If
an attacker were able to get a list of trusted network MAC addresses, he or
she could masquerade as a trusted wireless client and infiltrate the network.
This module introduces authentication and encryption methods that can be used to
secure access to the information stored on network managed devices; the first way
to secure network devices is to restrict physical (or local) access.


Local Access

When considering the security of your network, it is important to determine
potential physical threats to devices. Many devices can be managed locally
through a physical port, so you should position your managed devices where they
will be the safest from unauthorized access.
A laptop and a serial cable are all that is required to access the management
console of your network’s managed infrastructure devices. Consequently, the
devices must be housed in secure locations and their passwords must be carefully
guarded.

Access Rooms
Infrastructure devices should be installed in locations segregated from the general
office infrastructure. The ideal location is an enclosed wiring closet guarded by
security personnel and secured by locks that require two-token authentication
(discussed in Module 4—Layer 1: Network Access Control Security).
To further secure the area, you can place cameras at the entrance as well as
inside the wiring closet to audit and monitor those accessing your network.
Security audits will also protect against security breaches: for example, you can
ensure that the door to the network access room is not propped open and is
always closed and locked.


Disabled Physical Access Portals


As an additional security measure, many devices allow you to disable physical
access portals, including reset and power buttons in addition to the console port.
(For example, a reset button might allow an attacker to remove the managed
device’s configuration, even if he or she could not access a management interface.)
Disabling these portals allows you to restrict all management of the device to those
who use secure remote access.

Passwords
Most managed devices allow you to set a password to control console access.
This technique, which is also used to secure remote access, is discussed on the
next slide.


Remote Access: Local user database

Unless forced to authenticate, an attacker needs little information to gain a
management session with many network devices. In many cases, an attacker will
initially perform a reconnaissance attack to discover information about the devices
on a particular subnet. Based on the information discovered, such as a managed
device’s IP address, an attacker can attempt to establish a terminal session. To
prevent carte blanche remote access to your network devices, you must implement
authentication and encryption technologies.

Passwords
The most basic way to increase security on your managed devices is to change the
default password to something that is not easily guessed. For example, almost
every attacker will attempt to use “admin” or “user” (and other common
variations) as both the username and password. Changing the password from the
default value will require the attacker to use a more sophisticated method of
attack—a brute force or social engineering attack—to discover the password.
Some devices allow you to set different passwords for different device access
methods. For example, you can configure one password for console access and
another password for remote access. On some of these devices you can also
configure separate passwords for administrator levels: you can set one password
for read-only access and another for read-write (configuration) access.

While it is highly desirable to change passwords from their default settings, even a
highly complex management password must still be secured and kept secret. It is
best to encrypt device passwords so these passwords do not appear in plaintext
inside of configuration files.

Local User Database


Many managed devices contain simple databases that list usernames and
passwords for access control rights. While a directory, as discussed in Module 4—
Layer 1: Network Access Control Security, identifies all users requesting access to
the network and its devices, a device’s database does this specifically for that
device. In some ways, the local user database simplifies authentication to that
device: regardless of the status of its network connections, the device can request a
username and password from an endpoint, check the received values against those
in its database, and permit or deny access to its management interface accordingly.
Maintaining a username and password database on a managed device can present
some security risks:
• Everyone who can access the device, or watch someone access it, can see the
database passwords. You can increase database security on some managed
devices by encrypting all the passwords stored on the device.
• Maintaining separate username and password databases on each managed
device can drain administrator time and resources. For example, removing a
single username and password entry from each device can take hours. And
any devices overlooked or forgotten can become a severe security risk.
A more centralized and secure authentication solution is to use the authentication
server that is already on your network.
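
The following Python script is an added worked example, not code from the course or from any ProCurve product, of the two points just made about a device-local user database: passwords are kept only as salted PBKDF2-SHA256 hashes, so a saved configuration never contains a plaintext password, and each entry carries a read-only or read-write access level. The iteration count and the user names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Added example: a minimal device-local user database. Only a salt and a
# PBKDF2-SHA256 hash of each password are stored, never the password itself.
# The iteration count is an assumption for this example, not a product value.
PBKDF2_ROUNDS = 100_000
ACCESS_LEVELS = ("read-only", "read-write")


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LocalUserDatabase:
    """Maps a username to (salt, password hash, access level)."""

    def __init__(self) -> None:
        self._users = {}

    def add_user(self, username: str, password: str, level: str) -> None:
        if level not in ACCESS_LEVELS:
            raise ValueError(f"level must be one of {ACCESS_LEVELS}")
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
        self._users[username] = (salt, _derive(password, salt), level)

    def remove_user(self, username: str) -> bool:
        """Remove one entry; returns False if the user did not exist."""
        return self._users.pop(username, None) is not None

    def authenticate(self, username: str, password: str):
        """Return the access level on success, None on failure."""
        entry = self._users.get(username)
        if entry is None:
            # Run the KDF anyway so an unknown username costs the same time as
            # a wrong password: nothing to learn about valid names from timing.
            _derive(password, b"\x00" * 16)
            return None
        salt, stored, level = entry
        if hmac.compare_digest(_derive(password, salt), stored):
            return level
        return None

    def export_config(self) -> list:
        """Lines as they would be written to a saved configuration file."""
        return [
            f"user {name} level {level} salt {salt.hex()} hash {stored.hex()}"
            for name, (salt, stored, level) in sorted(self._users.items())
        ]
```

The exported lines illustrate the encryption-at-rest point: someone who reads the configuration file learns the hashes, not the passwords. The per-device maintenance cost the text describes is visible too: `remove_user` has to be run on every device that holds a copy of the entry.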

Management VLAN
Virtual local area networks (VLANs) are logically independent networks within a
network that divide users into separate broadcast domains, each isolated and
relatively secure from the others. VLANs can also be used to secure device
management traffic: a management VLAN isolates all device management traffic
from all other user traffic on the device.
A management VLAN introduces the first level of administrative security, one
prior to any authentication or authorization on the switch: if the attacker cannot
even pass packets onto the management VLAN, he or she cannot successfully
attack the device. However, in many cases the management VLAN is the same as
the default VLAN: the default VLAN is the VLAN to which all unassigned ports
belong. If an attacker were to attach a device to an unassigned port, he or she
would gain access to the management VLAN. To prevent this, you should assign
the management VLAN to a separate VLAN.
Further Reading
For more information on VLANs, see Module 4—Layer 1: Network
Access Control Security or http://en.wikipedia.org/wiki/Vlan.


Remote Access: Authentication Using a Local Server

Most managed devices can also secure management access using authentication
server protocols such as Remote Authentication Dial-In User Service (RADIUS)
and Terminal Access Controller Access Control System Plus (TACACS+).
In the example above, an attacker uses Telnet to connect to the router interface
at 10.5.2.19. Before the router opens a session with the attacker, it passes the
attacker’s authentication credentials to the network RADIUS server to
validate—but the attacker fails the RADIUS authentication and is denied access
to the router’s management interface.


The benefits of using RADIUS or TACACS+ servers include:
„ You can use the existing network security infrastructure—There are no
additional profiles or username and password lists to configure.
„ You can maintain all authentication credentials in a central location—
Rather than maintaining separate username and password databases on each
managed device, you can keep a single database with user profiles on the
RADIUS or TACACS+ server. Updating and maintaining lists of permissions
becomes a manageable task.
„ You can encrypt passwords—Encryption is provided by RADIUS and
TACACS+ request and response packets.
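The exchange described above, with both the switch or router (the RADIUS client) and the RADIUS server in one script, as an added Python example that is not part of the course material and follows RFC 2865 rather than any vendor implementation. The shared secret, user list and packet identifiers are constructed. One caveat worth knowing when reading the "encrypt passwords" benefit: RADIUS itself hides only the User-Password attribute, by the MD5-based masking shown here, and the rest of the packet travels in the clear; the Response Authenticator is what lets the device detect a forged or altered verdict.

```python
import hashlib
import hmac
import os
import struct

# Added example of a RADIUS Access-Request / Access-Accept|Reject exchange
# (RFC 2865). Shared secret and user list are constructed for the example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator. Only this attribute is protected."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attrs(pairs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def build_access_request(ident: int, secret: bytes, username: str, password: str) -> bytes:
    """Device side: Access-Request with a fresh random Request Authenticator."""
    authenticator = os.urandom(16)
    body = _attrs([(ATTR_USER_NAME, username.encode()),
                   (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        attrs[t] = data[pos + 2:pos + l]
        pos += l
    return code, ident, data[4:20], attrs


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: check the credentials and reply; the Response Authenticator
    is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, req_auth, attrs = parse_packet(request)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    expected = users.get(user)  # constructed plaintext lookup; a real server uses a directory or hashed store
    granted = code == ACCESS_REQUEST and expected is not None and expected.encode() == password
    header = struct.pack("!BBH", ACCESS_ACCEPT if granted else ACCESS_REJECT, ident, 20)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()  # no attributes in this reply
    return header + resp_auth


def device_verify_response(response: bytes, request: bytes, secret: bytes):
    """Device side: trust the verdict only if the identifier matches the request
    and the Response Authenticator proves the reply came from a secret holder."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if ident != req_ident or not hmac.compare_digest(expected, resp_auth):
        return None
    return code
```

Run against a wrong password the server answers Access-Reject, which is the outcome of the attacker's Telnet attempt in the text; an Access-Reject rewritten into an Access-Accept on the wire fails the authenticator check and is ignored.
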
Further Reading
For more information on RADIUS and TACACS+ authentication
servers, see Module 4—Layer 1: Network Access Control Security.


Remote Access: SSH

Telnet
Telnet is a simple network protocol typically used to establish command-line login
sessions between a user and a managed device. For instance, when you configure
your router, you may use a Telnet session from a network workstation.
The Telnet protocol allows:
„ devices to interact regardless of characteristics
„ remote logon for the purpose of device management
„ users to access information from another device
Telnet allows a high degree of device interaction regardless of the differences in
OS and applications between the communicating devices. However, Telnet is
insecure because it sends all data plaintext. An attacker who intercepts the packets
can copy or steal all of the commands entered, giving the attacker access to the
session endpoint device.


SSH Version 2 (SSH v2)


SSH v2 is a secure alternative to Telnet. Redesigned from SSH v1 (which has been
deprecated due to weaknesses such as a vulnerability to man-in-the-middle
[MITM] attacks), SSH v2 has two primary goals—to authenticate the two
endpoints of a session and to prevent eavesdropping on that session—and consists
of three major components:
„ Transport Layer—The Transport Layer component provides encryption and
message authentication. It also arranges for key re-exchange after a certain
amount of time or a certain amount of data transfer.
„ User authentication—After the Transport Layer protocol has constructed a
secure tunnel between the two devices, the user authentication protocol
authenticates the connecting peer. A number of authentication credentials,
including a password or a public key, can supply authentication. The entire
password is encrypted when moving over the Transport Layer, so it is safely
sent across the network.
„ Connection Layer—The connection component defines the concept of
channels. A single SSH connection can host multiple channels
simultaneously, each transferring data in both directions. When an endpoint
needs a particular service over the SSH connection, such as downloading a
file, it sends a channel request. Each channel represents the processing of a
single user service, and channels can forward on any number of ports, all at
the same time.
For security, when one SSH peer attempts to open a new channel, the new
channel number is sent along with the request. This information is stored by
the peer and used to direct a particular type of service’s communication to
that channel. Thus different types of sessions do not affect one another, and
channels can be closed without disrupting the primary SSH connection
between the two devices. Channels are secured with the encryption the
Transport Layer protocol provides, so an attacker cannot steal data from the
information flow.
SSH allows devices to create device-independent secure connections based on
line-by-line interfaces. Similar technology exists to create secure Web-based
connections.

Further Reading
For more information on Telnet, see
http://en.wikipedia.org/wiki/Telnet. For more information about SSH,
see http://en.wikipedia.org/wiki/Ssh.


Remote Access: SSL

HTTP
HTTP is the protocol used over the Internet to establish connections and transfer
data between Web servers and endpoints. Similar to Telnet traffic, HTTP traffic is
transferred in plaintext, which provides plenty of opportunities for attackers to
intercept and steal information sent between the endpoint and the Web server.
Many network devices include a Web-based interface for management sessions.
To secure your Web-based management sessions, you must encrypt the data sent
between the user and the managed device.

SSL
SSL and its successor, TLS, can provide private and reliable data transfer by
encrypting the data sent between a server and an endpoint. The SSL-TLS standard
includes:
„ Encryption algorithms—SSL-TLS supports both stream and block ciphers,
including Rivest Cipher 2 (RC2), Rivest Cipher 4 (RC4), International Data
Encryption Algorithm (IDEA), Data Encryption Standard (DES), Triple DES
(3DES), and Advanced Encryption Standard (AES). For more information on
encryption algorithms, see Module 5—Layer 2: Data Integrity and Privacy.


„ Key management—The SSL-TLS protocol can use the Diffie-Hellman
exchange to establish a shared secret. SSL-TLS also supports other key
management standards such as Rivest Shamir Adleman (RSA) and the
Fortezza exchange. For more information on encryption key management,
see Module 5—Layer 2: Data Integrity and Privacy.
„ Hash functions—SSL-TLS uses the Message Digest 5 (MD5) or Secure
Hash Algorithm (SHA) hash functions to provide message integrity. For
more information on hash functions, see Module 5—Layer 2: Data Integrity
and Privacy.

HTTPS
HTTP over SSL (HTTPS) is an HTTP session over an encrypted SSL tunnel. Using
HTTP, which transmits all data in plaintext, is much like sending a letter through the
post office in a transparent envelope. Everyone can see what you are sending; if it
looks valuable, someone may take it or alter it. With HTTPS, you can put your
information in a secure box that no one can see into or manipulate in transit.
An HTTPS connection is primarily intended to secure data sent from the endpoint
to the Web server. That is, the data sent from the Web server is sent in plaintext,
but the data sent from the endpoint to the Web server is encrypted. HTTPS also
involves checking the Web server’s certificate so that users can be sure, for
example, that they are sending credit card numbers to a legitimate business server
and not a phisher.
The establishment of an HTTPS session follows these steps:
1. The endpoint requests a secure session.
2. The HTTPS Web server sends its public key digital certificate.
3. The endpoint verifies the certificate is valid.
4. In the process of checking certificates, the Web server and the endpoint agree
on keying material to encrypt future data using one of the encryption
algorithms supported by SSL.
5. The encrypted data is sent to the Web server.


With an HTTPS connection, users can safely send personal information such as
names, passwords, and credit card numbers. You can similarly protect network
information, including manager usernames and passwords, by using HTTPS for
Web-based management sessions. You can verify that your Web session is secure
by looking for clues in your Web browser:
„ URL begins with “https” rather than “http.”
„ Padlock icon is displayed in the address bar or on the bottom of the screen.
„ In some browsers, the URL window background color changes.

Further Reading
For more information on HTTP, see
http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol. For more
information on HTTPS, see http://en.wikipedia.org/wiki/Https.


Secure File Transfer: SFTP

File Transfer Protocol


FTP is a server-to-endpoint file transfer protocol similar to HTTP in function and
security. Once a user has connected to a server using FTP, he can upload and
download files from the server as well as rename or delete server files. FTP, and
its “lighter weight” version Trivial File Transfer Protocol (TFTP), are used by
network devices to transfer configuration files and OS software between network
devices and other machines.
FTP works by establishing a control session on TCP port 21 and using another TCP
port (usually port 20) for the actual file transfer. The control session on port 21 must
remain open while the file is being transferred. However, there is no traffic on port 21
while the file transfer is in progress, which can cause a network firewall to create a
transfer error when it times out the control connection.


The files transferred through FTP and TFTP may contain username and password
information, addressing schemes, or other data that can leak information about
your network. It is therefore important to use secure methods to transfer files to
your managed devices. But FTP is insecure because it sends data and files in
plaintext, leaving the information vulnerable to internal attackers who can sniff
usernames, passwords, FTP commands, and file transfers. FTP also does not
support file integrity checks: if the transfer is interrupted or compromised, the
receiver has no way of verifying whether the received file is complete.
Attempts have been made to run FTP over SSH for increased security, despite the
difficulty in tunneling the entire FTP session. That is, an SSH tunnel can be set up
for the FTP control connection, which protects data on that TCP port, but when the
data is transferred over a separate port, the FTP peers set up a new TCP connection
that bypasses the SSH tunnel. In order to run all the FTP channels over the SSH
connection, you must either use an FTP client that explicitly supports FTP over
SSH, or you must configure the FTP client to connect to a SOCKS server, which
can manage setting up SSH tunnels over both TCP ports.
A better solution is to use a file transfer protocol that is built on SSH v2, such as
the two described below.

Secure Copy Protocol (SCP)


SCP protects transferred files from eavesdroppers. It relies on SSH v2 to create a
secure, encrypted session between the two endpoints and then tunnels the file over
this session. Designed for file transfer alone, SCP does not support some of the
more advanced features associated with FTP. However, its use of SSH v2 provides
data encryption and file integrity checking.

Secure File Transfer Protocol (SFTP)


Not to be mistaken for FTP over SSH, SFTP is an entirely new protocol for secure
file transfer. Like SCP, SFTP protects data by establishing an SSH v2 session
between the two endpoints before initiating any other functions. However, SFTP
supports more complicated features than simple file transfer, including:
„ deleting files remotely
„ managing the transfer (reinitiating interrupted transfers and so forth)

Further Reading
For more information on FTP, SCP, and SFTP, see:
ƒ http://en.wikipedia.org/wiki/File_Transfer_Protocol
ƒ http://en.wikipedia.org/wiki/Secure_Copy
ƒ http://en.wikipedia.org/wiki/SSH_file_transfer_protocol


SNMP Version 3

Simple Network Management Protocol (SNMP) is a network monitoring and
management standard designed to help network administrators keep track of and
manage infrastructure devices such as servers, routers, switches, and hubs.
SNMP works in a client-server relationship: the clients (agents) are the software
components inside managed devices, and the server is a management application
that requests, handles, and analyzes the information from the managed devices.
SNMP is considered “simple” because only five basic commands are used to
communicate between the manager and the agent software within the devices.
Through SNMP, network administrators can track device uptime, link states, and
many other device information variables. SNMP managers can also request that
SNMP agents make changes to the managed devices.


SNMP versions 1 and 2 use community strings to restrict SNMP access. To
segregate types of access, a separate community string is configured for each
access level implementation. SNMP access has three levels:
„ read only—This level limits the user to reading SNMP information only.
„ read-write—The user has full access to SNMP functions, including the
ability to make changes on managed devices.
„ trap—A trap allows the managed device to spontaneously send an update
packet to the manager, usually in response to an alarm. In this access level,
the user is only able to send traps: he or she has no access to SNMP
information.
SNMP version 1 did not include any security measures: neither the packets nor the
community strings were encrypted, and this version included no message integrity
measures. Because SNMP packets contain information about the network, it is
important to secure these packets. The early versions of SNMP are vulnerable to
these attacks:
„ MITM—An attacker can alter in-transit SNMP messages generated on
behalf of an authorized user in such a way as to affect management
operations. An attacker with read-write access can infiltrate any network
SNMP-managed device.
„ Impersonation—By assuming the identity of a user who has the appropriate
authorizations, an attacker can gain read-write access to management
operations.
„ Reconnaissance—Because early implementations do not encrypt the
community string or SNMP packet information, an attacker can eavesdrop on
the exchanges between managed agents and a management server. The
attacker can then collect information about the network or discover the read-
write community string. In practice, reconnaissance is often unnecessary: the
community string is frequently never changed from the default of “public,” so
an attacker with access to management software could manipulate the insecure
network devices simply by supplying that string.
„ Unauthorized access—Early versions of SNMP are vulnerable to replay
attacks. During natural operation, most networks will experience packets that
are reordered, delayed, or replayed. Knowing this, an attacker can
maliciously reorder, delay, or resend packets to gain unauthorized access to
management operations.
„ Brute force—An attacker can use a brute-force attack to discover network
community strings.


SNMP version 3 (SNMPv3) Security Enhancements


SNMPv3 addresses the major security flaws in SNMP versions 1 and 2 by
incorporating data authentication and encryption:
„ Community string encryption—SNMPv3 requires community string
encryption in all packets, preventing successful reconnaissance and brute
force attacks. Remember that it is still critical that you change this value from
the default of “public” to something else.
„ Data integrity—SNMPv3 uses usernames and passwords to determine who
can and cannot gain the read-write access necessary to modify information.
When the user provides his authentication password, the password is
converted into a localized key. This key, along with the SNMP engine
timestamp and the actual message, are compressed into a message digest and
forwarded with the packet to provide integrity authentication. Therefore, an
unauthorized user cannot alter the message in transit.
„ Encryption—Along with the username and authentication password, each
user is given a privacy password, which is used to encrypt the message
packet. SNMPv3 uses one of two encryption algorithms, AES and 3DES, to
encrypt the localized key and the SNMP packet.
„ Security Levels—SNMPv3 also provides three optional security levels:
• noAuthNoPriv—This level does not provide authentication or privacy.
• AuthNoPriv—This level provides authentication but no privacy.
• AuthPriv—This level provides authentication and privacy.
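
The following Python script is an added worked example, not part of the course text, of the key handling that RFC 3414 (the USM reference cited under Further Reading) defines for the authentication described above: the user's password is expanded and hashed into Ku, Ku is localized to one particular SNMP engine, and the localized key is the HMAC key from which the 12-byte msgAuthenticationParameters field is computed. The "maplesyrup" vectors are the published test values from RFC 3414 Appendix A.3; the second engine ID and the message bytes are constructed for the example.

```python
import hashlib
import hmac

# Added example of RFC 3414 (SNMPv3 USM) key derivation, localization and
# message authentication. Test vectors from the RFC; other values constructed.
ONE_MEGABYTE = 1048576
AUTH_PARAM_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 keep 96 bits of the tag


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated to exactly 1,048,576 bytes.
    The long input makes offline guessing of the password slower."""
    reps = ONE_MEGABYTE // len(password) + 1
    return hashlib.new(hash_name, (password * reps)[:ONE_MEGABYTE]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). Every engine gets its
    own key, so a key recovered from one device is useless on another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def auth_parameters(kul: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 6.3.1 / 7.3.1: msgAuthenticationParameters is the first 12 bytes
    of HMAC(Kul, message), computed with that field set to zeros."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:AUTH_PARAM_LEN]


def verify_message(kul: bytes, msg_with_zeroed_field: bytes, received_tag: bytes,
                   hash_name: str = "md5") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = auth_parameters(kul, msg_with_zeroed_field, hash_name)
    return hmac.compare_digest(expected, received_tag)
```

Localization is the property worth noticing: the same password yields a different Kul on every engine, and an attacker who alters a message in transit (the MITM case listed earlier) cannot produce a matching tag without that key.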

Further Reading
For more information on SNMP version 3 and the user-based security
model (USM), see RFC 3414 at http://rfc.net/rfc3414.html.


Summary

In this module, you learned about:
„ local access to managed devices protected by secure physical location and
credential checks
„ authentication of users accessing managed devices with local user databases
or authentication servers
„ higher security using SSH, SSL, SCP, and SFTP
„ SNMPv3 to protect against former SNMP security threats
The technologies discussed in this module can help you to secure your network
backbone devices. The next module discusses technologies that are used to secure
and immunize network endpoint devices.

Layer 4: Endpoint Integrity
Module 7

Objectives
Despite strong authentication requirements and strict access control, network
endpoint devices may continue to be a threat to network security. Even the most
securely protected network can become threatened if a single network entry point is
compromised. Likewise, a single authenticated and authorized user may
unknowingly bring in a security threat once he or she begins accessing the
network. To help deter threats such as these from internal sources, many
software applications monitor and protect endpoint devices; this module is
intended to raise your awareness of the many endpoint security applications
available for this purpose.
After reading this module, you should be able to:
„ Describe how antivirus software on endpoint devices works to keep the
network safe
„ Explain what a sandbox is and how it can prevent malware infections
„ Show how personal firewalls help protect against internal or Web-based attacks
„ Describe software patches and how they protect a network
„ Understand how network security solutions monitor and ensure endpoints’
security compliance

Rev. 6.41 7–1


ProCurve Network Security Fundamentals

Network Endpoints

Network-terminating devices:
• Workstations
• Laptops
• Voice over IP (VoIP) phones
• Personal digital assistants (PDAs)
• Servers
(Figure: VoIP phones, laptops, workstations and PDAs, and servers attached to
the network.)

Consider a corporation operating in a well-secured building. This corporation
probably uses security guards, keys, and perhaps even biometrics to secure access
to all areas of the building. Those in charge of the company do what they can to
secure the building from the outside. However, this corporation, operating within a
well-protected building, may still succumb to infiltration and theft if the employees
are not vigilant: employees may be overly casual about following company
security policies or make choices about their work environment without
understanding the security implications.
For example, an employee may intentionally or inadvertently leave an office
window open after hours. It may be that the employee simply wanted to keep the
room from getting too warm or too stuffy and forgot to close it at the end of the
day. Or perhaps someone doing maintenance in his office opened the window
without the employee’s knowledge or consent. Either way, the open window
presents a security vulnerability that can allow an attacker to enter the building.
In a network environment, endpoint devices such as servers, laptops,
workstations, and personal digital assistants (PDAs) are employee resources that
can be intentionally or inadvertently mishandled, opening security holes in the
network. For example, an employee may disable the antivirus software to allow
the workstation to boot up more quickly. Or the employee may install personal
software that secretly includes malware, thereby unknowingly opening a window
to the network.
To prevent this and other security risks, employers may require employees to abide
by security standards, supervision requirements, and risk management policies.
Similarly, network administrators can take steps to ensure that employee-handled
and other network endpoint devices operate according to network security
standards.
In this module, you will be introduced to networking technologies that help to
implement and maintain network endpoint device security. These technologies
include compliance monitoring, personal firewalls, sandboxes, software patches,
and antivirus software.


Antivirus Software

Some of the most common and expensive network attacks are those from worms
and viruses that access the network through endpoint devices. Not only can viruses
and worms cause large amounts of damage and network downtime, but some well-
known worms such as MyDoom and Sasser can also install malware and open
back doors on infected devices, as well as use the infected devices to launch
distributed-denial-of-service (DDoS) attacks.
To help prevent and mitigate the damage caused by worm and virus infections,
you should install antivirus software on all endpoint devices. This is particularly
true for devices that may have access to untrusted networks such as the Internet.
Antivirus programs provide two functions: they continuously scan the endpoint
device for infections, and they manage infected files. Antivirus program
components include:
„ Antivirus software—This is a software engine that scans the endpoint
device and manages infected files.
„ Virus definition files—Antivirus software diagnoses infections based on the
presence of small snippets of code that are exclusive to worms and viruses.
These bits of code are called “signatures” and are used in virus definition files.
Many viruses and worms share common propagation or infection code, so a
particular antivirus signature may be able to detect multiple viruses or worms.

New definition files are continually created as new viruses and worms are
discovered. New viruses and worms are analyzed, and an attack signature file
is created and distributed by the antivirus software vendor. Keeping your
definition files current gives your network endpoint devices the best chance
of defending against new attacks.

Infection Detection Methods


Antivirus software detects the presence of a worm or virus by comparing endpoint
system file code against known worm and virus signatures. However, while this is
a reliable way to detect certain infections, it leaves the device vulnerable to
polymorphic infections (in which the virus or worm produces varied copies of
itself to elude detection) as well as to zero-day attacks (which spread quickly and
can use a unique code that may not be detected by most antivirus software
currently installed). Good antivirus software uses several methods in addition to
signatures to discover and diagnose infections. These methods include:
„ Integrity checks—Viruses and worms often target specific OS files without
which the endpoint device would not function. These files are opened and
used at each device bootup, but are rarely altered or adjusted. Antivirus
software can create a database of cyclic redundancy check (CRC) checksum
values for these files and regularly check the file checksum against the stored
checksum. If the values do not match, the antivirus software reports an
infection warning.
„ Heuristic analysis—Infected devices almost always display certain behavior.
For example, when a worm infects a workstation, it begins to generate and
send emails to every address in the email address book. Using a heuristic
algorithm, antivirus software can compare current endpoint behavior against
typical endpoint behavior and known virus and worm infection behaviors.
While this check may allow the antivirus software to detect zero-day and
polymorphic infections, the method can also generate a large number of false
positives.
„ Scans—Every file that is created, opened, saved, closed, or emailed can be
scanned and compared against the virus definition files. Files on the device
can also be scanned on demand. Scanning provides a reliable way to detect
infections while producing a very small number of false positives. However,
constantly scanning can occupy a large amount of processing power and be a
drain on endpoint device resources.
For strong protection, particularly against zero-day and polymorphic infections,
endpoint devices should use all three methods.
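
The integrity-check method above, as an added Python example that is not part of the course material or of any antivirus product: a baseline of digests is taken for the protected files, and a later check reports any file that was modified, removed, or added. It uses SHA-256 rather than a CRC, which is a caveat worth adding to the text: a CRC catches accidental corruption, but an attacker who changes a file can adjust it so the CRC still matches, whereas a matching SHA-256 cannot be manufactured. The file tree and contents are constructed in a temporary directory; in a real deployment the baseline is taken on a known-clean system and stored where the monitored host cannot rewrite it. The same digest comparison is how a configuration file or OS image received over the network is checked against a published digest.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example of a file-integrity baseline and check. Uses SHA-256 rather
# than a CRC; the sample files and "infection" are constructed for the example.


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large files
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline. A changed or missing
    protected file is what the antivirus engine reports as an infection warning;
    a new file in a system directory is worth a look too."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Build a tiny constructed 'system' tree, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"constructed login binary v1")
        (root / "etc_hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        clean = check_integrity(root, baseline)
        assert clean == {"modified": [], "missing": [], "added": []}
        # Simulated infection: one system file altered, one removed, one dropped in.
        (root / "bin" / "login").write_bytes(b"constructed login binary v1 + injected bytes")
        (root / "etc_hosts").unlink()
        (root / "bin" / "dropped.tmp").write_bytes(b"new unexpected file")
        return check_integrity(root, baseline)
```
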


Infection Management
Once a worm or virus is diagnosed, the infection must be handled to prevent
further spread and damage. Antivirus software handles an infection in one of three
ways:
„ It repairs the file—In cases where the virus that is infecting the endpoint is
known and well understood, the virus code can be deleted from the file.
„ It deletes the file—When a worm file or virus-infected file is discovered, the
quickest way to nullify the infection is to delete the file. You should delete
infected non-essential files.
„ It quarantines the file—In some cases, the infected file is important or
necessary for normal device operation. In cases such as this, the file cannot
be deleted. If the file cannot be repaired or deleted, it can be quarantined.
Quarantine prevents further damage to the network and endpoint device by
restricting the infected file from being opened or altered by endpoint
applications. However, quarantined files may be eventually repaired: virus
definition files sometimes include updates that allow the antivirus software to
repair previously quarantined files.
Installing antivirus software on every network endpoint will protect your network
in two ways: endpoint devices with access to untrusted networks will be protected
from known attacks from outside, and they will be protected from known worms
and viruses that might gain access to the internal network.
Viruses and worms are not the only attacks that threaten network endpoints. While
antivirus software can protect endpoints from self-replicating code-based attacks,
the next endpoint security measure can protect servers and workstations from
methodical attacks that use seemingly legitimate traffic.

Further Reading
Many vendors offer antivirus software. For more information on
antivirus solutions, you can look up vendor Web sites or whitepapers,
or go to http://en.wikipedia.org/wiki/Antivirus_software.


Personal Firewalls

Every network should have a perimeter firewall to protect all internal network
devices. Perimeter firewalls can protect against attacks that use seemingly
legitimate traffic: spoofing, malformed packet attacks, and some DoS attacks.
However, the perimeter firewall does not protect against attacks that originate
from internal sources such as infected laptops. Firewalls installed on network
endpoints can add a much-needed additional layer of protection.
Personal firewalls work in a similar manner to network perimeter firewalls. Both
types of firewalls check traffic at multiple layers, serve as a barrier against
network attacks, and permit or deny traffic based on a security policy. This
security policy stipulates a definition for the types of traffic that will be blocked.
Based on the security policy, personal firewalls can:
„ terminate or block a connection when an intrusion is suspected
„ check traffic at Layers 3 and 4 to permit or deny traffic based on source and
destination IP address and TCP/UDP flag logic, and to protect the device
against malformed packets
„ look at Layer 7 processes to decide access permission (to connect to a
particular port, for example)
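
The Layer 3 and 4 checks in the list above, as an added Python example that is not part of the course material and is not any vendor's rule syntax: a stateless packet filter that first rejects TCP flag combinations that never occur in legitimate traffic (the malformed-packet case), then walks an ordered rule list matching on protocol, source network, destination port, and the ACK flag, and denies anything left over. The policy, the address ranges (a 10.0.0.0/8 corporate network with a 10.250.0.0/24 management subnet) and the sample packets are constructed. The example generalizes the text slightly by showing how "replies to connections this host opened" is approximated without connection state, which is why a real personal firewall keeps a state table instead.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example of a stateless Layer 3/4 inbound packet filter. Policy,
# networks and packets are constructed; not a vendor's rule format.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0  # TCP flag bits; ignored for UDP


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"          # source network the rule applies to
    dport: set = field(default_factory=set)   # empty set means any port
    established_only: bool = False  # require ACK: a reply to a connection we opened

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport and pkt.dport not in self.dport:
            return False
        if self.established_only and (pkt.proto != "tcp" or not pkt.flags & ACK):
            return False
        return True


def malformed_reason(pkt: Packet):
    """Flag combinations a correct TCP stack never sends."""
    if pkt.proto != "tcp":
        return None
    if pkt.flags == 0:
        return "TCP packet with no flags set"
    if pkt.flags & SYN and pkt.flags & FIN:
        return "SYN and FIN set together"
    if pkt.flags & SYN and pkt.flags & RST:
        return "SYN and RST set together"
    return None


def evaluate(policy: list, pkt: Packet) -> tuple:
    """Return (verdict, reason) for one inbound packet: malformed check,
    first matching rule, then default deny."""
    reason = malformed_reason(pkt)
    if reason:
        return "deny", "malformed: " + reason
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default deny"


# Constructed policy for a workstation: SMB is never reachable, SSH is reachable
# only from the management subnet, and replies to our own connections are allowed.
WORKSTATION_POLICY = [
    Rule("block SMB from anywhere", "deny", proto="tcp", dport={139, 445}),
    Rule("SSH from the management subnet", "allow", proto="tcp", src="10.250.0.0/24", dport={22}),
    Rule("replies to connections we opened", "allow", proto="tcp", established_only=True),
]
```

Rule order matters: the SMB deny sits first so that a later, broader allow cannot reopen those ports, and the closing default deny is what makes an unlisted service unreachable rather than reachable by omission.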


Personal firewalls also have the following advantages:
„ Antivirus capabilities and malware removal—Personal firewall software
can be a complete solution, providing attack checking, antivirus software, and
malware removal tools.
„ Instance control—Rather than immediately drop all requests associated with
suspicious behavior, personal firewalls can query the user for instructions in
certain instances. For example, many of today’s firewalls include provisions
for non-network applications attempting to access the Internet. When an
application attempts to transmit traffic over the Internet, the firewall may
query the user about whether to allow the transmission. This sort of control
provides a good level of security while also allowing the user to maintain
productivity.
The benefits of personal firewalls may be offset by various costs: the difficulty of
widespread deployment, vulnerabilities specific to personal firewalls, and false
positives.
„ Deployment—Personal firewalls must be installed and maintained on every
network endpoint device. Teaching all users of personal firewalls to
distinguish between legitimate Internet-related traffic and requests to open
potentially harmful connections is a formidable task for any IT department.
„ Vulnerabilities—Personal firewalls can be subverted by some worms and
malware programs. These programs can use, disable, or corrupt the firewall
software, making the endpoint (and the network) vulnerable. For example,
the Witty Worm can target a personal firewall and use it to overwhelm the
device’s processing power.
„ False Positives—When a firewall flags traffic that is not truly a threat, it has
found a false positive. While false positives do not seem to pose a threat, they
can lead users to take steps that do. For example, instance control provides
end users with the flexibility to securely access the Internet services they
need to maintain productivity. However, instance control can also produce a
great many security notices and queries with which users may tire of dealing.
Unaware of the potential threat, end users may start to simply click “OK” to
every query without reading the notice, allowing malware or network attacks
to succeed despite the firewall.
Yet with all of the difficulties, the advantages of implementing personal firewall
software on network endpoints outweigh the disadvantages. The additional layer of
protection can prevent successful internal attacks as well as intrusions that seek to
attack the network through its weakest links. It is also good to remember that many
times “traveling” employees will use their laptops inside of unsecured networks
such as at coffee shop hotspots, airports, and hotels, often over wireless
connections. Attackers can easily wait for the unsuspecting employee to begin
work in this “open” environment and wreak havoc on that user’s laptop, or worse,
steal personal or company private information.

7–8 Rev. 6.41


Layer 4: Endpoint Integrity

It’s not always easy to tell whether a particular file or email is infected with a
worm or virus. Similarly, it’s not always possible to know whether a particular
program includes malware. The next endpoint integrity measure can allow you to
run a suspicious program or open an untrusted Web page while minimizing the
chances that the virus, worm, or malware will infect the endpoint device.

Further Reading
As with antivirus software, many vendors offer personal firewall
solutions. For more information, you can visit vendor Web sites or
see http://en.wikipedia.org/wiki/Personal_firewall.



ProCurve Network Security Fundamentals

Sandboxes

Another way to protect network endpoints from attacks that use seemingly
legitimate traffic is by using a sandbox. A sandbox is a highly restricted
environment in which you can run untrusted files.
Sandboxes were originally used by software developers to test projects that were
in progress without actually putting the device at risk. New code is often unstable
and may have unexpected results: sandboxes allowed the software developers to
see where the code was unstable or to observe the unexpected results without
worrying about the potential damage.
Because sandboxes allow potentially damaging programs to be run in a restricted
environment, they can also be used to run programs that may have malicious code
while preventing them from attacking or harming the endpoint device.


There are two types of sandboxes:


■ Emulators—An emulator simulates a normal OS work environment while
acting as an intermediary between the untrusted program and OS resources.
Programs running in this virtual environment have very limited access to
device resources and have no direct access to the OS.
■ Jails—A jail works by imposing device resource restrictions without
completely isolating the untrusted content from the OS. A jail often consists
of a file system that has severe limits on CPU time, RAM, shared memory,
and bandwidth. The untrusted content is placed in this highly restricted file
system before it is executed.
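A jail of the kind just described can be built from operating-system resource limits. The following is an added example, not code from the course: it runs an untrusted program as a child process with Linux CPU-time, address-space and core-dump limits applied before exec, and classifies whether the program ran normally, was killed for burning CPU, or failed when it exceeded its memory allowance. The limit values and the three sample programs are constructed for the demonstration.

```python
"""Jail-style sandbox: run an untrusted program under hard resource limits.

Added example, not code from the ProCurve course. It uses the POSIX
``resource`` module and relies on Linux rlimit semantics; the limit values
are illustrative choices, not recommendations from the course.
"""
import resource
import signal
import subprocess
import sys

CPU_SECONDS = 1                    # soft CPU limit; hard limit is one second more
MEMORY_BYTES = 512 * 1024 * 1024   # address-space limit for the jailed program


def _apply_limits():
    """Runs in the child between fork() and exec(): shrink what it may use.

    The limits survive exec(), so the untrusted program starts life already
    confined, and lowering a hard limit is irreversible for that process,
    so the program cannot raise the limits again.
    """
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS + 1))
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_BYTES, MEMORY_BYTES))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))   # no core dumps on disk


def run_jailed(argv, wall_clock_seconds=10):
    """Run argv in the jail and report how it ended.

    RLIMIT_CPU counts CPU time only, so a program that sleeps or blocks is
    not caught by it; the wall-clock timeout covers that case.
    """
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=wall_clock_seconds,
                              preexec_fn=_apply_limits)
    except subprocess.TimeoutExpired:
        return {"verdict": "killed: wall-clock timeout",
                "returncode": None, "stdout": "", "stderr": ""}

    if proc.returncode == -signal.SIGXCPU:
        # The kernel sent SIGXCPU when the soft CPU limit was reached; the
        # program had no handler for it, so it was terminated.
        verdict = "killed: exceeded CPU limit"
    elif proc.returncode == 0:
        verdict = "ok"
    elif "MemoryError" in proc.stderr:
        # The allocation failed because the address-space limit was hit.
        verdict = "failed: exceeded memory limit"
    else:
        verdict = f"failed: exit status {proc.returncode}"
    return {"verdict": verdict, "returncode": proc.returncode,
            "stdout": proc.stdout, "stderr": proc.stderr}


# Constructed "untrusted programs" (small Python one-liners) for the demo.
WELL_BEHAVED = [sys.executable, "-c", "print(sum(range(10)))"]
BUSY_LOOP = [sys.executable, "-c", "while True: pass"]
MEMORY_HOG = [sys.executable, "-c", "buf = bytearray(2 * 1024 ** 3)"]

if __name__ == "__main__":
    for name, argv in [("well-behaved", WELL_BEHAVED),
                       ("busy loop", BUSY_LOOP),
                       ("memory hog", MEMORY_HOG)]:
        result = run_jailed(argv)
        print(f"{name:13s} -> {result['verdict']}")
```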
Sandboxes can work for many types of files. For example, you probably already
have sandboxes for Java and Flash installed on your home computer: many Web
browsers run all Java applets in a sandbox, and Flash Player runs Flash
presentations, by default, in a virtual environment. To protect network endpoints
from infection by files that are not Flash or Java based, you can use sandbox
software such as Norman Sandbox or Virtual Sandbox.
Not only do sandboxes provide a protected environment in which to run suspect
files and programs, but for experienced network administrators sandboxes can
provide valuable information on how a network attack is perpetrated. A sandbox
allows a network administrator to analyze virus code, worm code, or malware code
within the virtual environment. Understanding how the code works helps the
administrator to improve network security.
Sandboxes, antivirus software, and personal firewalls can all help to protect the
endpoint device and the network from vulnerabilities that arise from file transfers
over the Internet. The next endpoint security measure, however, helps to close
vulnerabilities introduced by faulty software already operating on the endpoint
devices themselves.

Further Reading
For more information on sandboxes, see
http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29.


Software Patches

New software is sometimes released before the implications of a feature or
seemingly harmless bug are fully understood. Security vulnerabilities inherent in
the software application may be discovered well after the software has been
released and distributed.
After the software flaw is discovered, the software developers will usually write
and distribute new code to replace the faulty code. This new code, called a “patch”
or a “software update,” allows end users to plug the vulnerability hole.
In some cases, however, software patches may be very poorly written and can
create more problems than they solve. For example, a software patch may plug a
security hole, but cause the program to become unstable or conflict with other
software. Despite this problem, it is important to download and maintain the most
current patches on all endpoint devices.
When a security vulnerability is discovered by a software user, that user can report
the problem to the software maker. However, the user might also publish the
vulnerability on the Internet. Attackers then write and distribute programs, such as
worms, that take advantage of the vulnerability. Often a vulnerability is made
public within a few days of (or in some cases, prior to) the software maker
becoming aware of the problem. Many worms that exploit a software vulnerability
to infect endpoint devices continue to spread and successfully attack simply
because the most recent patches have not been installed.

Patches are easy to download and install, but installing patches on every
vulnerable endpoint device can quickly become a management nightmare. One
way to ease software patch deployment and ensure endpoint security is through
network management.

Further Reading
For more information on software patches and computer security,
see http://en.wikipedia.org/wiki/Software_patch. Visit
http://www.softwarepatch.com/ for information on available
software patches and upgrades.


Web Browser Security

Web browser caches and HTTP cookies reduce the amount of information that
must travel over the Internet. This, in turn, speeds up Web page displays and
Internet access. However, the information stored in endpoint devices’ caches and
cookies can be used by an attacker to retrieve private information.

Caching
Caching is a data management technique for storing copies of frequently accessed
data in an easily accessible area and thus significantly reducing the amount of data
that has to be retransmitted or re-accessed to run an operation.
For example, a person living in a gated community must know his or her personal
combination to open the gate and enter the community. There are a couple of ways
that the person can manage the personal access code: he can memorize the code so
that he can quickly enter it when needed, or he can spend the time and effort of
stopping at the guard gate and requesting the code every time he wants to enter the
community. Similarly, caching allows devices to readily store frequently accessed
data rather than repeatedly requesting it every time it is needed.


The Web browser cache is a file that stores information regarding recently
accessed graphics, sounds, and URLs. The cache allows a browser to quickly
display a recently visited Web page without having to reload it from the Web
server. However, when accessed by an attacker, a cache can reveal sensitive
information. For example, any personal or sensitive information that has been sent
over an Internet connection may be stored in the Web cache. This data is available
to an attacker with unauthorized access to the device, either through physical
access or through spyware programs. Additionally, data that may have been
encrypted before being forwarded through the Internet is often stored as plaintext
in the Web browser cache. To protect sensitive or personal data that has been sent
over the Internet from being compromised, you should routinely clear Web
browser caches.

Cookies
Cookies are small pieces of data that act as an identifier between a Web browser and a
Web server. Cookies are created by and sent from a Web server to the Web
browser. The Web browser stores the cookie and sends it back unchanged to the
server the next time that Web site is visited. The cookie contains personalized
information, such as Web page display and other browser preferences, the site
shopping cart contents, successful login verification, and so on. Unique cookie
content allows a Web server to customize the Web page for each client. However,
because each Web site has its own cookie, an attacker can see what Web sites
you have visited—and over time track your browsing behavior—by looking at the
cookies stored in your Web browser. Additionally, cookies may include personal
information that has been given to a Web site.
To protect personal and Web browsing information, most browsers allow users to
manage cookies by specifying which cookies are trusted and setting the browser to
routinely delete all other cookies. However, deleting certain cookies makes some
Web sites unusable.
Further Reading
For specific instructions on how to clear a Web cache or manage
cookies, see http://www.pcworld.com/article/106715-1/article.html, or
visit vendor Web sites:
• http://www.microsoft.com/windows/ie/ie7/privacy/ieprivacy_pr7.mspx
• http://www.mozilla.org/projects/security/pki/psm/help_20/using_priv_help.html
• http://browser.netscape.com/ns8/help/options-privacy.jsp#cookie_settings


Security Compliance Monitoring

It is one thing to create a security policy that requires all network endpoints to use
antivirus software, personal firewalls, and current patches, and quite another to
verify that each endpoint actually complies with this policy. By monitoring and
tracking endpoint software, behavior, and network usage, network security
compliance solutions can pinpoint security problems and ensure that endpoints
meet requirements. In some cases, these solutions can also distribute such software
from a central network location, further reducing the manpower required to
manage and maintain endpoint security.
A network that attempts to control endpoints’ compliance can be compared to a
government attempting to inoculate its population against various diseases. Just as
the inoculation of a single individual protects everyone who comes in contact with
him, ensuring that each endpoint has up-to-date antivirus software helps protect
the network as a whole as well as the node itself. Network security compliance
solutions are the means by which a network ensures endpoints do not “spread
disease.”


Network security compliance solutions include:


■ Monitoring and configuration solutions—These solutions monitor
endpoints to ensure that they comply with network security policies. Some
solutions simply report on endpoints’ compliance, but the best solutions now
prohibit non-compliant endpoints from connecting to the network. For
example, an endpoint might be scanned when it sends a Dynamic Host
Configuration Protocol (DHCP) request, something almost all connected
devices do immediately on booting. Or the solution might function with
802.1X authentication, controlling the access of authenticated endpoints
according to their compliance with network security policies.
Some solutions continue to monitor and verify endpoint security throughout
the connection, tracking information such as endpoints’ bandwidth and
application usage. This information can be used to trend normal network
usage or pinpoint security problems.
■ Antivirus update and patch management solutions—These solutions
deploy patches and virus file updates from a remote, central location, helping
endpoints that failed the compliance test meet the requirements.
Network security compliance solutions have three components: the management
server, managed devices, and agents.
■ Management server—The management server is a central server that stores
and analyzes information received from endpoint devices. This information is
used to verify that endpoints comply with security policies, to monitor
network usage, and to detect attacks. In some solutions, software patches,
virus definition file updates, and configuration changes can also be quickly
deployed from the management server to endpoint devices.
■ Managed devices—These are endpoint devices that are managed or
monitored by the management server. Even devices foreign to the network
can become managed devices. In fact, some solutions are specifically geared
to managing devices that are introduced by guests.
■ Agent—An agent is an application on the managed devices. The agent acts as
the management server’s intermediary, reporting information on the managed
device’s network usage and activity and executing configuration and software
changes on behalf of the management server. Like doctors, who are specially
trained to check patients’ medical records and administer inoculations, agents
are specifically designed to help endpoints prove that they comply with
security policies (and if necessary to help them comply).
While all compliance solutions require some sort of agent, the type and capabilities
of agents vary. Some agents passively monitor the endpoint and report to the
management server. Other agents are able to record and analyze endpoint
behavior, discard false positives, generate alerts when warranted, and even make
configuration changes.
The next section of this module will discuss the benefits and drawbacks of the two
types of compliance solutions—agent-based and agentless.


Agent-based Solutions: Permanent

All monitoring and management solutions require agents, but they differ in the
type of agent they use and the way in which that agent is installed on the endpoint.
Perhaps the most straightforward approach for deploying agents is to manually
install on each managed device the software application specific to your network
security compliance solution. Solutions that use this approach are considered
permanent agent-based solutions.
Permanent agent-based solutions have several benefits:
■ Reduced network bandwidth usage—Permanent agents can generate and
send alerts only when there is a problem, or they can send information to the
management server when requested.
■ Robustness—Permanent agents run independently from the management
server and can continue to monitor and manage a device even in the event of
a network outage.
■ Control—Permanent agents can often automatically correct configuration
problems.


These permanent agent-based solutions provide good management and monitoring
solutions that can help establish and maintain endpoint security. However, there
are some drawbacks to using software-based agents:
■ Cost—Many vendors require you to purchase licenses for the agents that you
install on your network. This can become very costly for large networks.
■ Deployment—Software-based agents must be installed on each managed
network device. These installations take time and IT resources.
Some vendors offer lightweight compliance solutions to overcome these problems.
The next two slides discuss these types of solutions.


Agent-based Solutions: Transient

Manually installing the agent permanently on every endpoint is not always
feasible, particularly for companies that must accommodate guests who bring their
own devices. With a permanent agent-based solution, those endpoints unable to
prove their compliance are unilaterally denied network access (or at best are given
extremely limited access).
In some ways, this is similar to how government agencies and organizations
handle inoculations of citizens and immigrants. Often, a government requires
citizens to prove they have received their inoculations before they can receive
services such as admission to a public school. However, some people cannot
afford to visit a private doctor, just as some network endpoints do not have
installed agents. Therefore, the government might offer a free clinic at which
citizens can see a doctor for the specific purpose of receiving the necessary shots.
Similarly, some solutions offer a modified agent-based solution that relies on a
transient agent. This agent is installed on endpoints only for the duration of the
compliance scan, which usually occurs when the endpoint first connects. The
endpoint downloads the transient agent, an executable program, which begins
working with the management server to complete the compliance scan. When the
scan is finished and the endpoint is declared compliant or non-compliant, the agent
is erased from the endpoint. For this reason, transient agents are sometimes called
disposable agents.


For example, suppose your company uses Web authentication (Web-Auth) to control the
complimentary network access it offers guests. Before prompting a user to enter
his username and password, the system directs him to a link where he can
download the agent that helps scan his device for compliance.
Transient agent-based solutions have several benefits:
■ Ease of deployment—Time and resources are saved because the solution
itself manages the installation of the transient agent.
■ Control—Like a permanent agent, a transient agent is designed to work with
your network compliance solution, so it may be able to help the endpoint fix
problems as specified by that solution.
But transient agent-based solutions are not without drawbacks:
■ Time to connect—Installing permanent agents on every endpoint may be
time consuming, but it is a one-time affair for each individual endpoint. With
transient agents, users must always wait for the agent to download before
they can connect to the network.
■ Imperfect deployment—Some endpoints still might fail to receive the agent
either because the user refuses the download or because the endpoint’s
security policies prohibit downloading executable files.

Note
Some vendors call their transient agent-based solutions “agentless” solutions
because you do not have to install software manually on every station.
However, the solutions do require an agent, albeit one that deploys
automatically.


Agentless Solutions

In an attempt to further simplify network monitoring and management
implementation, vendors began to create and market truly agentless solutions.
Agentless solutions use applications that are already available on the device, such
as Windows Management Instrumentation (WMI) and the Simple Network Management
Protocol (SNMP), to provide the agent functions.
Agentless solutions have several benefits:
■ Ease of deployment—Time and resources are saved because agentless
solutions do not require the installation of a separate software program on
each endpoint. You don’t have to train users to set up endpoints for
management: in most cases, the native applications that provide agent
functions are already active.
■ Cost—Agentless solutions are generally less expensive than agent-based
solutions; agentless monitoring does not require the purchase of agent
software or licenses, and the vendor’s price is usually lower.


Problems include:
■ Drain on network bandwidth—Communication and information gathering
between the managed device and the management server occurs through
device polling and SNMP traffic. Because all information from every
managed device must be collected by a management server, agentless
solutions can occupy a great deal of bandwidth and cause traffic choke points
at the management server.
■ Decreased security—Many agentless solutions use SNMP as a method to
report and collect information about managed devices. This leaves the
managed devices vulnerable to security issues raised by SNMP and the
additional open TCP/UDP ports.
■ Limited problem management—If a problem is discovered, agents can
usually implement an automatic configuration change, or changes can be
passed down from the management server. Agentless solutions, on the other
hand, are unable to make automatic or remote configuration changes.
However, users can still be directed toward resources that help them to solve
the problem.
An agentless solution can be compared to a government that consolidates medical
records with other commonly carried documents. When necessary, a citizen can
prove that she has received mandatory inoculations without the hassle of visiting
the doctor. However, should she find that she does not have the required
inoculations, she has fewer options for receiving them.


Combined Solutions

Agentless solutions can work well on devices that do not allow the installation of
software-based agents or on devices that only need to be monitored. Agent-based
solutions are necessary for devices that need robust monitoring and management.
For the best of both worlds, some vendors are now offering solutions that combine
several types of agents. Combined solutions support the robustness of permanent
agent-based monitoring with the ease of deployment and smaller expense of
transient agent-based and agentless monitoring.
For example, network administrators might install software-based agents on
devices that require high availability and robust management, but use an agentless
approach for endpoint devices that need only monitoring or patch and update
management.
Some network compliance solutions automatically determine the best type of
monitoring for a particular endpoint based on configurable policies. For example,
the solution might automatically apply agentless monitoring to all endpoints with the
necessary native capabilities. Network administrators install permanent agent
software on older devices for which this approach fails. Finally, transient agents
deploy to endpoints missed by both of these methods.


Combined solutions mitigate the cost and deployment time of agent-based
solutions as well as the management shortfalls of agentless solutions. They also
maximize the opportunity for all endpoints to prove their compliance with security
policies—or, if necessary, to improve their compliance.


Trusted Network Connect (TNC)

To this point, the discussion of network security compliance solutions has focused
on testing for compliance. But tests mean little unless their results affect the level
of access an endpoint is granted.
Some security solutions force endpoints to download patches and antivirus software
when they connect to the network, but are implemented on the endpoint. Abdicating
control to the endpoint clearly causes problems: an endpoint without the appropriate
software connects to your network freely, and yet this is the very type of device you
want to control. It is far better to integrate compliance scans into a network-based
access control solution (such as those discussed in Module 4—Layer 1: Network
Access Control Security), preventing unprotected endpoints from ever connecting to
your network.
Trusted Network Connect (TNC) is a security standard developed by the Trusted
Computing Group (TCG) to integrate compliance testing with network access
control solutions. In other words, in order to receive network access rights, an
endpoint must prove its integrity in addition to its identity.
Because TNC defines open standards that any vendor can implement, conforming
to TNC reduces the concern about whether your compliance solution integrates
with the software on your endpoints and with your network access control
solution.


TNC defines standards for:


■ Completing scans and checking the results against a network policy—
Integrity Measurement Collectors (IMCs) reside on the endpoint and scan for
particular security features: for example, the most recent OS patch, the
antivirus signature file, and a working firewall. The TNC client (TNCC)
distills information from the IMCs, passing it on to the TNC server. Integrity
Measurement Verifiers (IMVs) reside on the server and match the
information submitted by the TNCC against your network’s security policies.
■ Controlling network access based on the result of the scan—TNC defines
several standards for integrating access control based on compliance with
existing access control technologies.
At a high level, TNC manages this general process:
1. The endpoint connects to the network edge device, called a Policy
Enforcement Point (PEP) in the TNC standard, and the PEP forces the
endpoint to authenticate. The PEP might be a virtual private network (VPN)
gateway, an 802.1X authenticator, or another device that enforces network
access control. (See Module 4—Layer 1: Network Access Control Security.)
2. TNC inserts layers into the network access control technology for checking
the endpoint’s integrity.
For example, 802.1X traditionally consists of an authentication layer under
an access control layer: the state of the port (activated or deactivated)
depends entirely on the endpoint’s authentication state. With TNC, the state
of the port depends on both the endpoint’s authentication state and its
compliance with network policies.
a. The endpoint is first authenticated with one of the many protocols
supported by TNC.
b. Next, the endpoint’s compliance is checked. The server requests certain
checks, and the client submits information collected by IMCs.
3. Using its IMVs, the server comes to a verdict about whether the endpoint
complies and grants network rights accordingly.
The slide has described one standard for making network access hinge on
compliance with security policies. Similar standards include:
■ Network Endpoint Assessment (NEA)—Developed by the Internet
Engineering Task Force (IETF), NEA is a network access control solution
that outlines a framework quite similar to TNC’s.
■ Network Access Protection (NAP)—Microsoft’s solution for integrating
compliance checks with network access control, NAP is automatically
installed with Windows Vista and the emerging Windows Server version.


The next slide will explain some of the actions both TNC and non-TNC solutions
can take to deal with non-compliant endpoints.

Further Reading
TCG is a group that includes over 50 of the networking industry’s leading
companies. For more information on TCG and the companies involved, see
http://www.trustedcomputinggroup.org.
For more information specifically on TNC, see
https://www.trustedcomputinggroup.org/groups/network/.


Dealing with Non-compliant Endpoints

When an endpoint fails to meet your company’s security policies, the network
security compliance solution may dictate one of three possible responses:
■ Disconnect—Without the proper antivirus software and OS patches, the
endpoint might open security holes in your network. The most secure
response would then be to shut down the port through which the non-
compliant device is trying to access the network. However, this can prevent
important users from accessing network resources they might need. Rather
than outright denying the endpoint access, you can specify that the network
grant the non-compliant device limited access.
■ Quarantine—Because a non-compliant network device is a security risk, it is
prudent to use virtual local area networks (VLANs) or other network
segregating techniques when granting such a device limited network access.
The VLAN should be highly restrictive: it should include severe rate-limiting
and access control lists (ACLs) to prevent the non-compliant devices from
having any contact with other devices on the network. Traditionally, while a
quarantine VLAN prevented, for example, an endpoint infected with a worm
from infecting fully compliant and trusted network devices, it did not prevent
the infected endpoint from contaminating other devices on the quarantine
VLAN. However, some solutions now place each quarantined device in its
own isolated VLAN. In either case, a quarantine VLAN protects the network
from a non-compliant device; it does not present such a device with the
specific resources it needs to become compliant. (For more information on
VLANs and ACLs, see Module 4—Layer 1: Network Access Control
Security.)
■ Remediation—The third option is to quarantine the non-compliant device
but also provide it with the resources it needs to become compliant. Ideally,
the solution should inform the user how his or her device fails to comply with
security policies and what he or she can do to remediate the problem—for
example, users might be redirected to a network server from which their
devices can download the software they need to become compliant. For the
duration of this process, the endpoint is placed in a carefully controlled
remediation VLAN, which typically allows access only to the Web sites or
network servers with the necessary antivirus software and patches.
(Depending on your solution, the remediation VLAN might also provide
limited network access, such as to the Internet only.) Once the required
software is installed, the endpoint can be granted greater access to the
network (though access is still controlled by network policies).
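The TNC flow described earlier (IMC measurements verified by IMVs, a verdict handed to the PEP) and the three responses to a non-compliant endpoint can be put together in a small simulation. This is an added example, not code from the course or from the TNC specification; the measurement names, policy fields and VLAN numbers are invented for the illustration.

```python
"""Simulated TNC-style endpoint assessment and enforcement.

Added illustration, not code from the course or from the TNC specification:
the measurement names, policy fields and VLAN numbers are invented.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

PRODUCTION_VLAN = 10     # illustrative VLAN ids
QUARANTINE_VLAN = 666    # isolated: rate-limited, ACLs block all other hosts
REMEDIATION_VLAN = 999   # reaches only the patch and antivirus servers


@dataclass(frozen=True)
class Policy:
    min_patch_level: int          # lowest acceptable OS patch level
    max_signature_age_days: int   # oldest acceptable antivirus signature file
    require_firewall: bool
    on_failure: str               # "disconnect", "quarantine" or "remediate"


@dataclass
class Verdict:
    action: str            # "allow", "disconnect", "quarantine" or "remediate"
    vlan: Optional[int]    # None means the PEP keeps the port closed
    failures: List[str]    # what the IMVs objected to (for the remediation page)


# Integrity Measurement Verifiers (server side): each inspects one measurement
# and returns a failure message, or None when satisfied. A missing measurement
# is a failure: the endpoint could not prove compliance on that point.

def imv_patch_level(report: Dict, policy: Policy, today: date) -> Optional[str]:
    level = report.get("os_patch_level")
    if level is None:
        return "no OS patch-level measurement reported"
    if level < policy.min_patch_level:
        return f"OS patch level {level} is below the required {policy.min_patch_level}"
    return None


def imv_av_signatures(report: Dict, policy: Policy, today: date) -> Optional[str]:
    sig_date = report.get("av_signature_date")
    if sig_date is None:
        return "no antivirus signature measurement reported"
    age = (today - sig_date).days
    if age > policy.max_signature_age_days:
        return f"antivirus signatures are {age} days old (limit {policy.max_signature_age_days})"
    return None


def imv_firewall(report: Dict, policy: Policy, today: date) -> Optional[str]:
    if not policy.require_firewall:
        return None
    enabled = report.get("firewall_enabled")
    if enabled is None:
        return "no personal firewall measurement reported"
    if not enabled:
        return "personal firewall is disabled"
    return None


IMVS: List[Callable] = [imv_patch_level, imv_av_signatures, imv_firewall]


def tnc_server_verify(report: Dict, policy: Policy, today: date) -> Verdict:
    """Combine the IMV results into the TNC server's verdict."""
    failures = [msg for imv in IMVS if (msg := imv(report, policy, today))]
    if not failures:
        return Verdict("allow", PRODUCTION_VLAN, [])
    vlan = {"disconnect": None,
            "quarantine": QUARANTINE_VLAN,
            "remediate": REMEDIATION_VLAN}[policy.on_failure]
    return Verdict(policy.on_failure, vlan, failures)


def pep_apply(verdict: Verdict) -> str:
    """What the Policy Enforcement Point does with the endpoint's port."""
    if verdict.vlan is None:
        return "port closed"
    return f"port open in VLAN {verdict.vlan}"


# Constructed sample data: a fixed date keeps the signature-age check stable.
TODAY = date(2024, 5, 1)
POLICY = Policy(min_patch_level=12, max_signature_age_days=7,
                require_firewall=True, on_failure="remediate")
# Reports as the TNC client would hand them over after polling the IMCs.
COMPLIANT_LAPTOP = {"os_patch_level": 13,
                    "av_signature_date": TODAY - timedelta(days=2),
                    "firewall_enabled": True}
STALE_LAPTOP = {"os_patch_level": 11,
                "av_signature_date": TODAY - timedelta(days=30),
                "firewall_enabled": False}
GUEST_DEVICE = {"os_patch_level": 13}   # the other IMCs never ran on this device

if __name__ == "__main__":
    for name, report in [("compliant laptop", COMPLIANT_LAPTOP),
                         ("stale laptop", STALE_LAPTOP),
                         ("guest device", GUEST_DEVICE)]:
        verdict = tnc_server_verify(report, POLICY, TODAY)
        print(f"{name}: {verdict.action} -> {pep_apply(verdict)}")
        for failure in verdict.failures:
            print("   -", failure)
```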

Further Reading
For more information on quarantine and remediation solutions, see
vendor Web sites such as:
http://trial.patchlink.com/update.aspx
http://www.miragenetworks.com/products/quarantining.asp
http://www.stillsecure.com/safeaccess/index.php
Or you can see http://www.engr.sc.edu/its/ClientValidation/?c=4.


Summary

An understanding of endpoint vulnerabilities can help you protect your network
from attacks that target endpoint devices or that use trusted endpoints to infiltrate a
private network. This module introduced you to software solutions that allow you
to reduce network vulnerabilities arising from endpoint devices, manage endpoint
network intrusions, and monitor and implement endpoint security.
The next module will introduce you to comprehensive security solutions. These
solutions can provide network security on more than one security layer.

Comprehensive Security Solutions
Module 8

Objectives
The layered approach to network security allows you to apply security solutions in
an organized and methodical fashion. Even after deploying security solutions
from Layers 1 through 4, however, you may still have unprotected network
vulnerabilities: the current trend in network attacks is to exploit crucial network
protocols or to launch zero-day attacks on vital network software. Additionally,
most of the Layer 1 through 4 security solutions do not include methods for
establishing and tracking their effectiveness, impeding your ability to adjust the
solutions to meet your network’s needs.
This module introduces you to security solutions that work over several layers to
specifically monitor the network, detect security breaches, and in some cases
prevent network attacks.
After reading this module, you should be able to:
• Explain the functions of comprehensive security solutions
• Describe how network device features such as the following can help secure
a network:
  • Bridge Protocol Data Unit (BPDU) blocking
  • Dynamic Host Configuration Protocol (DHCP) protection
  • dynamic Address Resolution Protocol (ARP) protection
  • Virus Throttle™ software
  • Simple Network Management Protocol (SNMP) throttle
• Describe how an intrusion detection system (IDS) discovers network attacks
• Discuss how an intrusion prevention system (IPS) can keep a network secure
• Explain how a unified threat management (UTM) device can be a valuable
part of your network security
• Show how a wireless IDS/IPS can add an important element of security to
your wireless network


Comprehensive Solutions

As you know, your network is constantly barraged by attacks. Most of these
attacks attempt to exploit well-known software design flaws or networks that do
not implement basic security measures, such as those that make up the four
protection layers discussed earlier in this course. However, new software or
protocol vulnerabilities are discovered daily, and the corresponding exploits
cannot always be stopped by the basic security solutions: these new attacks are
constantly evolving and are often invented and implemented so quickly that,
without network solutions such as an IDS/IPS, most networks remain vulnerable
despite other crucial security measures. And because these attacks are based on
vital network protocols and functions, without integrated solutions and techniques,
it can be extremely difficult to filter attacks from legitimate traffic.
The security solutions presented in this module use adaptive technologies for
detecting and preventing attacks. These solutions can secure the network over
several protection layers and have the following benefits:
• Comprehensive coverage—In addition to protecting more than one network
security layer, several comprehensive solutions, such as IPSs and UTMs, can
provide superior network-wide protection and monitoring, complementing
other network security measures such as a firewall. For example, IPSs can
help guard your network against some denial-of-service (DoS) attacks in
addition to detecting both internal and external intrusions.
• Cost savings—An integrated solution such as a UTM device can provide the
same functionality as several separate security products. You can save money
by purchasing a single solution and decrease your management time by
managing one solution rather than several.
The first part of this module will discuss device-specific security measures that
address the lack of security in commonly used network protocols. The module will
then introduce IDSs and IPSs and, finally, UTM devices.

Network Device Features

[Slide: Network Device Features agenda. Device features covered: BPDU blocking, DHCP protection, Dynamic ARP protection, SNMP throttle, Virus Throttle™. Remaining topics: Intrusion Detection Systems, Intrusion Prevention Systems, Unified Threat Management, Wireless IDS/IPS.]

Many networking protocols were not initially designed to provide security
measures. These protocols include:
• Rapid Spanning Tree Protocol (RSTP)—This protocol prevents broadcast
storms that arise from redundant network links in a Layer 2 switched network.
• DHCP—DHCP assigns and manages network IP addresses and other IP
information.
• Address Resolution Protocol (ARP)—On each network device, this
protocol populates and maintains a table of MAC addresses and associated IP
addresses. The table allows devices such as switches and routers to
successfully manage both Layer 2 and Layer 3 network traffic.
• Simple Network Management Protocol (SNMP)—SNMP provides a
framework for network monitoring.

These protocols are all required for most networks to function properly. However,
because they do not include inherent security features, they are vulnerable to
specific attacks. (The functions and security implications of each of these
protocols will be discussed in greater detail in the following sections.) To mitigate
these vulnerabilities, many network devices now include features that overcome
security shortcomings in the protocol, protecting both the device and the network.
These features address the Network Access Control Security layer and the Device
Access Security layer.

BPDU Blocking

Overview of RSTP
Recall that Layer 2 devices work by transmitting broadcast frames and frames with
unknown destinations out of every interface, except the interface on which the
traffic was received. This behavior can create a problem in a network with
redundant links because devices will continue to forward the broadcasts to each
other: a single frame can create a broadcast storm that saturates the bandwidth
capacity of the network.
Good network design includes redundant links that provide an alternate path for
traffic to follow in case one path should fail. To allow a Layer 2 network to have
redundant links while avoiding the pitfalls of broadcast storms, network ports must
be part of a spanning tree (a loopless network topology) that is designed to prevent
these broadcast storms.
This loopless topology is typically constructed using RSTP (which has superseded
the original STP). RSTP works by electing a root device that serves as a common
point around which the network can define primary connections. The root device is
usually the device with the lowest priority value. If more than one device has the
same priority value, the device with the lowest MAC address becomes the root.

After the root device is chosen, each port on every participating device is put into a
forwarding or blocking state based on the path cost to the root device. The ports
with the lowest cost paths are put into a forwarding state and forward network
traffic. Any redundant ports are placed in a blocking state and do not forward
network traffic. If a forwarding port goes down, however, the redundant port is put
into a forwarding state and begins to forward traffic.

Vulnerabilities of RSTP
This is a high-level description of how RSTP works; at a lower level, the protocol
relies on bridge protocol data units (BPDUs). BPDUs are a specific type of Layer 2
frame used to communicate spanning tree information. These frames are insecure:
they have no authentication, can be easily spoofed, and contain information about
the network such as infrastructure device MAC addresses. Several network attacks
take advantage of the lack of security measures:
• Spoofed BPDUs—An attacker can broadcast a spoofed BPDU to the
network to cause network devices to recalculate path costs and perhaps to
force a device to use a slower port to forward all network traffic. A DoS
attack can occur when the traffic bottlenecks at a device port that doesn’t
have sufficient bandwidth.
• Endpoint becoming root—An endpoint device can become the root either
unintentionally by assigning an incorrect priority value or intentionally using
a man-in-the-middle (MITM) attack. In an RSTP MITM attack, a rogue edge
switch with a priority value of zero is attached to the network. When an edge
switch becomes the spanning tree root, it impedes the network’s ability to
efficiently handle traffic, sometimes causing a DoS attack.
In the slide on the previous page, a rogue switch is added to the network,
creating a spanning tree topology change. This topology change disables a
high-speed link between the two core switches, creating a DoS attack.

Protections for RSTP Vulnerabilities


To prevent these attacks, many devices allow you to enable a BPDU block on
switch ports. There are two types of BPDU blocks:
• BPDU filters—Ports with an enabled BPDU filter do not generate any
BPDUs and ignore all BPDUs received. Using a BPDU filter, you can
remove an entire device from the spanning tree, or you can remove a single
port. BPDU filtering can also prevent a port that is connected to an end
system from transmitting BPDUs in order to avoid leaking network
information.
• BPDU protection—A port with BPDU protection automatically disables
when an unexpected BPDU arrives from an edge device. This allows the port
to participate in the spanning tree but automatically shuts down the port to
prevent an edge device from altering the spanning tree topology.
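The following Python model is an added example written to illustrate the RSTP root election rule and the two BPDU block types above; it is not ProCurve firmware or code from the course. The switch names, priorities, MAC addresses and the three port modes ("normal", "filter", "protection") are constructed for the demonstration:

```python
from dataclasses import dataclass, field

# Constructed model of RSTP root election and BPDU blocking. Switch names,
# priorities and MAC addresses are made up; "filter" and "protection" are the
# two block types described above, "normal" is an unprotected port.


@dataclass
class Bpdu:
    root_priority: int        # priority claimed by the sender
    root_mac: str             # MAC of the device it claims as root


@dataclass
class Port:
    name: str
    mode: str = "normal"      # "normal", "filter" or "protection"
    enabled: bool = True
    received: list = field(default_factory=list)


@dataclass
class Switch:
    name: str
    priority: int
    mac: str
    ports: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def transmit_ports(self):
        """Ports on which this switch generates BPDUs. A filtered port never
        does, so no infrastructure MAC addresses leak toward an end system."""
        return sorted(p.name for p in self.ports.values()
                      if p.enabled and p.mode != "filter")

    def receive(self, port_name, bpdu):
        """Apply the port's BPDU policy to one received BPDU."""
        port = self.ports[port_name]
        if not port.enabled:
            return "dropped: port disabled"
        if port.mode == "filter":
            return "ignored: bpdu-filter"
        if port.mode == "protection":
            # Protection: an unexpected BPDU from an edge device shuts the port
            port.enabled = False
            self.events.append(f"{self.name}:{port_name} disabled by bpdu-protection")
            return "port disabled: bpdu-protection"
        port.received.append(bpdu)
        return "accepted"

    def elect_root(self):
        """Lowest priority wins; equal priorities are broken by lowest MAC."""
        candidates = [(self.priority, self.mac)]
        for p in self.ports.values():
            candidates += [(b.root_priority, b.root_mac) for b in p.received]
        return min(candidates)


def edge_bpdu_scenario(edge_port_mode):
    """Core switch with an uplink and one edge port configured as given.

    Returns (elected root, verdict for the edge BPDU, edge port still enabled)."""
    core = Switch("core-1", priority=4096, mac="00:00:00:00:00:01")
    core.ports["1"] = Port("1")                             # uplink to core-2
    core.ports["24"] = Port("24", mode=edge_port_mode)      # edge port
    core.receive("1", Bpdu(8192, "00:00:00:00:00:02"))      # legitimate peer
    # A BPDU claiming priority 0 arrives on the edge port (constructed input)
    verdict = core.receive("24", Bpdu(0, "00:00:00:00:00:ff"))
    return core.elect_root(), verdict, core.ports["24"].enabled


if __name__ == "__main__":
    for mode in ("normal", "filter", "protection"):
        print(mode, edge_bpdu_scenario(mode))
```

Run stand-alone, the script prints one line per mode: with the edge port unprotected the priority-0 BPDU wins the election, with a filter it is ignored and the port keeps forwarding, and with protection the port is disabled while core-1 remains root, which is the outcome the topology-change DoS described above is meant to be denied.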

Further Reading
For more information on BPDU filtering and protection, see Chapter 10:
Bridging–Transmitting Non-IP Traffic or Merging Two Networks in the
ProCurve Secure Router 7000dl Series Basic Management and
Configuration Guide.

DHCP Protection

DHCP Vulnerabilities
DHCP helps reduce network administrative overhead by automatically assigning
and managing IP addresses. However, DHCP packets do not provide
authentication or access control; therefore, the DHCP server has no way of
knowing if the client requesting the address is a legitimate client on the network,
and the DHCP client has no way of knowing if the server that assigned the address
is a legitimate network server. As a result, DHCP is vulnerable to attacks from
both rogue clients and servers. For example:
• Address spoofing—A rogue DHCP server on the network can assign bogus
addresses to network devices. Without valid IP addresses and network
gateway addresses, these devices are unable to contact any other IP network
devices.
• Address exhaustion—An attacker can access the network and request IP
addresses until the DHCP server’s supply of available addresses is exhausted.
This prevents legitimate hosts from receiving IP addresses and accessing the
network.

Protections for DHCP Vulnerabilities


To prevent these types of attacks from succeeding, you can use DHCP protection,
a security feature that:
• Differentiates between trusted and untrusted ports—A trusted port is one
that receives traffic only from within the network. An untrusted port is one
that connects to outside the network or firewall.
• Builds and maintains a DHCP snooping table—This table tracks the MAC
address, IP address, lease time, binding type, virtual local area network
(VLAN) number, and interface information that corresponds to each DHCP
lease through an untrusted port.
• Filters DHCP messages—DHCP snooping filters server responses on
untrusted ports. In this way, DHCP snooping can act like a firewall between
untrusted endpoints and DHCP servers.

Dynamic ARP Protection

[Slide: Dynamic ARP Protection, two panels. In both, A and B are attached to a switch to which C is also connected.]

Panel 1, ARP Poisoning:

  A’s ARP Table           B’s ARP Table
  IP      MAC             IP      MAC
  IP A    MAC A           IP A    MAC C
  IP B    MAC C           IP B    MAC B

Panel 2, Dynamic ARP Protection (the switch checks each ARP entry before it reaches A or B):

  Entry            Status
  IP A   MAC A     Forward
  IP B   MAC C     Drop

  A’s ARP Table           B’s ARP Table
  IP      MAC             IP      MAC
  IP A    MAC A           IP A    MAC A
  IP B    MAC B           IP B    MAC B

ARP Vulnerabilities
ARP works to resolve a device’s MAC address with its IP address. ARP creates
and populates a table of known MAC and IP addresses, and it requests information
for unknown MAC or IP addresses. However, most ARP devices update their
tables every time they receive an ARP packet even if the information wasn’t
requested. This makes ARP vulnerable to these attacks:
• ARP poisoning—ARP poisoning occurs when an unauthorized device forges
an ARP response that is subsequently adopted by a network device. In the
example above:
1) A sends a request for B’s MAC address.
2) C responds with a packet that matches B’s IP address with C’s
MAC address.
3) When A updates its ARP table with the spoofed entry, A’s ARP
table is considered “poisoned.”
4) C poisons B’s ARP table by matching A’s IP address with C’s
MAC address in response to a request from B.
5) Because A’s and B’s IP addresses are matched with C’s MAC
address, all IP traffic that the two intend to send to each other is
sent to C instead.
• Reconnaissance—Device C works as a man-in-the-middle, intercepting and
sniffing all packets to A and B. This is problematic because C can sniff
information such as usernames and passwords and use this information to
gain authenticated access to the network.
• DoS—C can spoof the network gateway’s MAC address with a non-gateway
device’s IP address. Because the non-gateway does not have access to outside
networks, outgoing traffic is prevented from leaving the network. The
non-gateway device may also be overwhelmed by the outgoing traffic.

Protections for ARP Vulnerabilities


To secure your network against these ARP attacks, you should enable Dynamic
ARP protection. Dynamic ARP protection does the following:
1. It intercepts all ARP requests and responses received on an untrusted port.
2. It verifies that each of these intercepted packets has a valid IP-to-MAC
address binding. This is done by comparing the MAC-to-IP address binding
as reported in the packet to the information in the DHCP snooping table.
3. If the binding is valid, the device updates the local ARP cache or forwards
the packet to the appropriate destination.
4. If the binding is invalid, the device drops the packet.
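As an added example serving both the DHCP protection section and the four dynamic ARP protection steps above (it is example code for this text, not ProCurve's implementation), the Python simulation below has DHCP snooping fill a binding table and then checks ARP packets from untrusted ports against it. Port names, MAC and IP addresses and lease values are constructed, and the pending-request tracking that ties an ACK back to the client's port is an assumption about how the client port is learned:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed simulation of DHCP snooping and dynamic ARP protection.
# Port names, hosts A/B/C, addresses and lease values are made up.

TRUSTED_PORTS = {"uplink"}        # only the port toward the real DHCP server


@dataclass
class DhcpMsg:
    port: str                     # ingress port on the switch
    kind: str                     # DISCOVER, OFFER, REQUEST or ACK
    client_mac: str
    client_ip: Optional[str] = None
    lease: int = 0
    vlan: int = 1


@dataclass
class ArpMsg:
    port: str
    sender_ip: str
    sender_mac: str


class Switch:
    def __init__(self):
        self.snoop_table = {}     # client MAC -> binding learned from DHCP
        self.pending = {}         # client MAC -> untrusted port it asked on (assumption)

    def dhcp(self, m: DhcpMsg) -> str:
        """Apply DHCP snooping to one message and return the verdict."""
        if m.kind in ("OFFER", "ACK") and m.port not in TRUSTED_PORTS:
            # Server responses are only ever accepted from trusted ports,
            # so a rogue server on an access port cannot hand out addresses.
            return "drop: server message on untrusted port"
        if m.kind in ("DISCOVER", "REQUEST") and m.port not in TRUSTED_PORTS:
            self.pending[m.client_mac] = m.port
            return "forward"
        if m.kind == "ACK" and m.client_mac in self.pending:
            # A completed lease becomes an entry in the snooping table.
            self.snoop_table[m.client_mac] = {
                "ip": m.client_ip,
                "port": self.pending.pop(m.client_mac),
                "vlan": m.vlan,
                "lease": m.lease,
                "type": "dynamic",
            }
        return "forward"

    def arp(self, m: ArpMsg) -> str:
        """Dynamic ARP protection: validate the sender binding on untrusted ports."""
        if m.port in TRUSTED_PORTS:
            return "forward"
        b = self.snoop_table.get(m.sender_mac)
        if b and b["ip"] == m.sender_ip and b["port"] == m.port:
            return "forward"
        return "drop: IP-to-MAC binding not in snooping table"


def run_scenario():
    """Hosts A (port 1) and B (port 2) lease addresses; C sits on port 3."""
    sw = Switch()
    verdicts = {}
    for name, port, mac, ip in (("A", "1", "aa:aa:aa:aa:aa:0a", "10.0.0.10"),
                                ("B", "2", "bb:bb:bb:bb:bb:0b", "10.0.0.11")):
        sw.dhcp(DhcpMsg(port, "DISCOVER", mac))
        sw.dhcp(DhcpMsg("uplink", "OFFER", mac, ip))
        sw.dhcp(DhcpMsg(port, "REQUEST", mac, ip))
        verdicts[f"ack_{name}"] = sw.dhcp(DhcpMsg("uplink", "ACK", mac, ip, 3600))
    # A rogue DHCP offer arriving on C's access port is filtered out.
    verdicts["rogue_offer"] = sw.dhcp(
        DhcpMsg("3", "OFFER", "aa:aa:aa:aa:aa:0a", "10.0.0.99"))
    # A's genuine ARP reply matches its binding and is forwarded.
    verdicts["arp_A"] = sw.arp(ArpMsg("1", "10.0.0.10", "aa:aa:aa:aa:aa:0a"))
    # C answering for B's IP with its own MAC (the poisoning reply in the
    # slide) has no binding in the table and is dropped.
    verdicts["arp_C_as_B"] = sw.arp(ArpMsg("3", "10.0.0.11", "cc:cc:cc:cc:cc:0c"))
    return sw.snoop_table, verdicts


if __name__ == "__main__":
    table, verdicts = run_scenario()
    for k, v in verdicts.items():
        print(f"{k}: {v}")
    print(table)
```

Each binding carries the fields the text lists (MAC, IP, lease, binding type, VLAN and port). The rogue OFFER on port 3 never reaches host A, and C's forged reply for B's address is dropped because the only binding for 10.0.0.11 names B's MAC on port 2.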

SNMP Throttle

Recall from Module 6—Layer 3: Device Access Security that SNMP provides
device monitoring and management and that SNMP version 3 (SNMPv3) includes
some security features. However, despite the inherent security measures in
version 3, SNMP can still cause an unintentional DoS attack: a network outage can
cause several devices to generate SNMP traps, and many of these traps in rapid
succession can quickly overwhelm the network.
SNMP throttling solves this problem by requiring network devices to wait a
configurable time period between sending traps. This fix is similar to that for some
highway traffic access problems. For example, in some urban areas, highway
onramps are equipped with metering lights. These metering lights only allow a
single car from each onramp lane to enter the highway at a time. By staggering
access to the highway, these meters mitigate bottlenecks created when a large
group of cars all attempt to enter the highway at once.
Just as metering a single onramp will not necessarily make a large difference in
highway traffic, enabling the SNMP throttle limit on one device will not eliminate
the danger of a DoS attack. You should set the SNMP throttle limit on the majority
of managed network devices to prevent traps from clogging the network and
causing a DoS attack.
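To make the metering-light comparison concrete, here is an added Python model (not ProCurve firmware) that paces each device's traps so that consecutive sends are at least `interval` seconds apart and then measures the peak traps-per-second the management network would see. The three switches and their trap times are constructed, and the function names are this example's own:

```python
# Constructed model of per-device SNMP trap throttling. SAMPLE_TRAPS is made
# up: three switches each raising 10 traps within one second after an outage.

SAMPLE_TRAPS = {dev: [i / 10 for i in range(10)] for dev in ("sw1", "sw2", "sw3")}


def throttle_traps(arrival_times, interval):
    """Pace one device's traps: return (send_time, arrival_time) pairs such
    that consecutive send times are at least `interval` seconds apart."""
    schedule = []
    next_allowed = 0.0
    for t in sorted(arrival_times):
        send_at = max(t, next_allowed)   # hold the trap until the interval has elapsed
        schedule.append((send_at, t))
        next_allowed = send_at + interval
    return schedule


def network_schedule(traps_by_device, interval, throttled_devices):
    """Send times seen by the management station when only the devices in
    `throttled_devices` have the throttle enabled."""
    sends = []
    for dev, times in traps_by_device.items():
        if dev in throttled_devices:
            sends.extend(s for s, _ in throttle_traps(times, interval))
        else:
            sends.extend(times)
    return sorted(sends)


def peak_rate(send_times, window=1.0):
    """Largest number of traps that fall into any `window`-second span."""
    send_times = sorted(send_times)
    peak = 0
    for i, start in enumerate(send_times):
        in_window = sum(1 for t in send_times[i:] if t < start + window)
        peak = max(peak, in_window)
    return peak


def max_delay(traps_by_device, interval):
    """Longest time any trap is held back, the cost of pacing."""
    return max(s - t for times in traps_by_device.values()
               for s, t in throttle_traps(times, interval))


if __name__ == "__main__":
    print("no throttle:", peak_rate(network_schedule(SAMPLE_TRAPS, 1.0, set())))
    print("one device :", peak_rate(network_schedule(SAMPLE_TRAPS, 1.0, {"sw1"})))
    print("all devices:", peak_rate(network_schedule(SAMPLE_TRAPS, 1.0, set(SAMPLE_TRAPS))))
    print("max hold   :", max_delay(SAMPLE_TRAPS, 1.0), "s")
```

Throttling only sw1 lowers the one-second peak from 30 to 21 traps, while throttling all three brings it down to 3, at the cost of holding the last trap back by 8.1 s; that trade-off between burst size and trap latency is what the configurable period tunes.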

Virus Throttle™ Software Operation

Virus-throttling is a security measure that works to reduce the network damage
done when a virus or worm infects a network endpoint. Rather than stop virus
attacks based on signature files, this feature monitors behavior, working on the
principle that a worm will request sessions with a large number of devices on the
network as it attempts to spread.
Virus Throttle™ software, an invention of HP Labs and implemented in ProCurve
Networking devices, limits the number of new outgoing connections (that is,
sessions or conversations with other endpoints) for each endpoint based on
parameters set by the network administrator. When an endpoint makes a
connection request, Virus Throttle™ software follows these steps:
1. It compares the destination for the packet to a working set (short list) of
recently contacted destinations.
2. If the destination is listed in the working set, the new connection is allowed
and all packets to that destination are processed immediately.

3. If the destination endpoint is not listed in the working set, Virus Throttle™
software checks the connection rate threshold for the source. The connection
rate threshold determines how many new connections an endpoint is allowed
to make in a set time period. The connection rate is a good indicator of virus
activity. For example, in most circumstances an endpoint may open one new
connection per second while an infected endpoint may attempt to open
hundreds.
4. If the new connection request exceeds the source’s threshold, Virus
Throttle™ software takes action. It can both send an alarm and block traffic
associated with new connections, either for a short “penalty period” or—if
the endpoint continues exceeding its threshold—permanently.
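The four steps above, as an added Python simulation written for this text (it is not HP Labs' implementation, and the parameter values are assumptions rather than the product's defaults): times are in milliseconds, the working set holds the five most recently contacted destinations, a source may open three new connections per second, a first exceedance costs a five-second penalty and the third makes the block permanent. The two hosts and their destinations are constructed:

```python
from collections import deque

# Constructed simulation of connection-rate throttling. Parameter values
# (working set of 5, 3 new connections per 1000 ms, 5000 ms penalty,
# permanent block after 3 exceedances) are assumptions, not product defaults.


class ConnectionThrottle:
    def __init__(self, working_set_size=5, new_per_window=3, window_ms=1000,
                 penalty_ms=5000, strikes_before_permanent=3):
        self.working_set_size = working_set_size
        self.new_per_window = new_per_window
        self.window_ms = window_ms
        self.penalty_ms = penalty_ms
        self.strikes_before_permanent = strikes_before_permanent
        self.sources = {}             # per-source state
        self.alarms = []              # (time, source, destination) per exceedance

    def _state(self, src):
        return self.sources.setdefault(src, {
            "working_set": deque(maxlen=self.working_set_size),
            "new_times": deque(),     # times of recent new connections
            "blocked_until": 0,       # float("inf") once permanently blocked
            "strikes": 0,
        })

    def connect(self, src, dst, now_ms):
        """Decide whether a connection request from src to dst is allowed."""
        st = self._state(src)
        # Steps 1-2: a destination in the working set is an existing
        # conversation and is never throttled, even during a penalty period.
        if dst in st["working_set"]:
            return "allow"
        if now_ms < st["blocked_until"]:
            return "block"
        # Step 3: count new connections inside the rate window.
        while st["new_times"] and now_ms - st["new_times"][0] >= self.window_ms:
            st["new_times"].popleft()
        if len(st["new_times"]) >= self.new_per_window:
            # Step 4: threshold exceeded -> alarm, penalty, permanent on repeat.
            st["strikes"] += 1
            self.alarms.append((now_ms, src, dst))
            if st["strikes"] >= self.strikes_before_permanent:
                st["blocked_until"] = float("inf")
            else:
                st["blocked_until"] = now_ms + self.penalty_ms
            return "block"
        st["new_times"].append(now_ms)
        st["working_set"].append(dst)
        return "allow"


def run_simulation():
    """Two constructed hosts: one talking to three servers, one opening a
    fresh destination every 50 ms. Returns per-host verdict counts."""
    throttle = ConnectionThrottle()
    events = []
    servers = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    for i in range(30):                                   # one request per second
        events.append((i * 1000, "host-normal", servers[i % 3]))
    for i in range(300):                                  # 20 new destinations per second
        events.append((i * 50, "host-spreading", f"192.168.{i // 256}.{i % 256}"))
    counts = {}
    for t, src, dst in sorted(events):
        verdict = throttle.connect(src, dst, t)
        counts.setdefault(src, {"allow": 0, "block": 0})[verdict] += 1
    return counts, throttle


if __name__ == "__main__":
    counts, throttle = run_simulation()
    print(counts)
    print("alarms:", len(throttle.alarms),
          "permanent:", throttle.sources["host-spreading"]["blocked_until"] == float("inf"))
```

The host that keeps talking to the same three servers is never blocked, because after the first second every destination is in its working set. The host that opens a fresh destination every 50 ms is allowed three new connections, then blocked for the penalty period, and after the third alarm is blocked permanently; the alarms list is what a management station would be notified from.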
Throttling viruses can also be compared to onramp metering lights. Each car is like
a connection (or conversation). The meter restricts access to the highway to one
car per light while allowing cars already on the highway to continue moving
freely. Similarly, Virus Throttle™ software restricts the number of new
connections, but allows traffic associated with existing connections to flow freely.
Because Virus Throttle™ software manages traffic based on its behavior rather
than on virus signatures, wide deployment of this feature makes the network
infrastructure resistant to known and unknown threats. This feature also works for
zero-day attacks: if a previously unknown worm infects a machine, Virus
Throttle™ software limits outgoing connections based on the worm behavior and
greatly slows the spread of the infection.

Further Reading
For more information on Virus Throttle™ software, see
http://www.hp.com/rnd/pdfs/virus_throttling_tech_brief.pdf, or see
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00369532/c00369532.pdf.

Intrusion Detection Systems

[Slide: Intrusion Detection Systems agenda. Network device features (covered). Intrusion Detection Systems: detection components; network-based IDS (NIDS); NIDS sensor support; TAPs, port mirroring, and traffic sampling; host-based IDS (HIDS); hybrid IDS solutions; pattern-based detection; anomaly-based detection; active response. Remaining topics: Intrusion Prevention Systems, Unified Threat Management, Wireless IDS/IPS.]

So far, we have discussed device features that not only protect network
infrastructure devices but also protect against unintentional and intentional DoS
attacks. These features, however, are focused preventive measures: they only
protect against specific types of network attacks.
The next two sections will introduce you to network security technologies that put
systems in place to identify, react to, and in some cases prevent a broad range of
network intrusions.

IDS

[Slide: IDS. An IDS sits between the Internet and the network; attack traffic from an attacker is detected by the IDS and an alert is generated.]

Intrusion detection is the art of detecting and differentiating unwanted or
unauthorized network traffic from normal network traffic. An IDS uses a
combination of sensors, network audit data such as SNMP traps and syslogs,
integrity monitoring, and various analysis methods to detect network intrusions.
However, detecting intrusions is not always an easy task: many attacks use normal,
legitimate traffic and conform to normal network behaviors. Additionally, because
anomalous behavior exists in a network environment by default, it is not easy to
distinguish anomalous network behavior that may have a security implication from
anomalous network behavior that is caused by legitimate traffic. Detecting
intruders becomes considerably more complex when attackers understand this and
use it to their advantage.
However, as normal as attackers try to make their attacks appear, network
intrusions leave traces. Intrusion detection works on the principle that all intruders
leave a mark: they often target certain types of files and information, create
anomalous network activity, or make network changes. Knowing how an intruder
works can give you an idea of the kinds of intrusions for which you should look.
For example, when you were younger, you may have suspected that someone was
going into your bedroom and rifling through your things when you were not
looking. To confirm your suspicions, you may have installed a homemade alarm
system with the following elements:
• Tripwire—You could have put an upright cup full of red punch next to your
dresser: a red stain on the floor would have implied the presence of an intruder.
• Benchmark—You could have recorded the arrangement of objects in areas
of your room into which an intruder was most likely to go and then compared
its current state to that recording. Anything out of place, added, or missing
would signal an intrusion.
• Security guard—You might have bribed a younger brother or sister to keep
an eye on your room and let you know immediately when something
suspicious happened.

IDSs
Intrusion detection with an IDS works in a similar manner. The IDS acts as an
alarm system: it is a tripwire, benchmark, and security guard that looks for and
tracks network changes and reports suspicious behavior. By using audit data
collected by the IDS (such as bandwidth usage, packet elements, and file activity),
you can detect whether your network has been compromised.
IDSs provide a good security solution that allows network administrators to
address security issues that may otherwise go unnoticed. However, IDSs are not a
perfect solution:
• They only monitor and report—When an intrusion is detected, traditional
IDSs do not take automatic preventive or reactive measures beyond sending
notifications to the network administrator.
• They can generate a high number of false positives—If the number of
false positives is too high, it can render the IDS more of a problem than a
solution. To overcome over-sensitive IDSs, network administrators must put
a considerable amount of time into fine-tuning the traditional IDS.

Further Reading
For more information on IDS, see http://www.sans.org/resources/idfaq/.

Detection Components

IDSs have the following elements:
• Sensors—IDS sensors collect data, such as packet information or host logs,
and forward it to the analyzer.
• Analyzer—The analyzer receives and processes the data from the sensor.
Based on its analysis of the audit data, the IDS can generate alerts to warn
network administrators of a possible attack.
• User interface—Also called the console, the user interface displays
information on alarms and the results of the analysis to the network
administrator.
The IDS analyzer and user interface can either be located on a central network
server that stores and manages the audit data, or they can be located in the same
place as the sensor. With regard to sensors, IDSs come in two flavors based on the
sensors’ location and the network parameters the sensors are designed to monitor:
• Network-based IDS (NIDS)—In a NIDS, the sensors are placed at network
choke points to capture and analyze all packets that traverse the network.
• Host-based IDS (HIDS)—Host-based IDS sensors are placed on network
endpoint devices, along with the analyzer and user interface, to monitor
endpoint device behavior.

For comprehensive network monitoring, installing both NIDS and HIDS services
on your network is recommended. For example, when diagnosing an infection, a
doctor may perform multiple tests: the doctor may check the blood for signs of
infection as well as look at the tissue for wounds or other telltale signs. In cases
where the doctor is unable to find a specific infection in the tissue, the blood test
may return more definite results. And in cases where the blood test is negative, the
doctor may find small infections in the tissue and begin to treat them before they
become larger.
IDSs work in a similar way: network-based IDSs monitor the network bloodstream
while host-based IDSs monitor the network tissues, looking for wounds and other
signs of problems. And just as the doctor needs both tests to watch a person’s
health or diagnose an infection, you need both a NIDS to watch the traffic flow
and HIDSs to monitor network endpoints in order to keep a comprehensive watch
on network health and security.

Network-based IDS

[Slide: Network-based IDS. An IDS sensor is placed on the link between the network and the Internet and reports to an IDS analyzer inside the network.]

A NIDS uses strategically placed sensors to monitor network traffic. These sensors
are placed at traffic choke points and near traffic sources. A NIDS provides the
following benefits:
• All network traffic is monitored—When deploying a NIDS, it is important
to monitor all network traffic streams: any traffic entry point left unmonitored
creates a security hole. With sensors placed at strategic points within the
network, a NIDS can observe all network traffic. However, processing a large
amount of traffic can create a bottleneck that can impair the overall network
speed. Additionally, certain types of traffic, such as encrypted packets, may
require extra time and processing power to analyze.
• Intrusions can be detected before attacks become security breaches—
Because a NIDS looks at network traffic, attacks can be detected as the traffic
enters the network and before the first attack packet reaches its destination
endpoint.
• Reconnaissance and DoS attacks can be detected—Again, because a NIDS
watches all network traffic, it can detect attacks such as network mapping
attempts and repeated DoS packets that would otherwise go unnoticed by a
firewall.
• No host or network impact—A properly installed NIDS does not use
network or host bandwidth or resources.
Although a NIDS may seem like a good method for monitoring and detecting
network intrusions, it:
• Requires heavy management—To be effective, network security personnel
must investigate every alarm that the IDS generates: managing positives
requires a great deal of time and resources.
• Requires a good understanding of the network—To successfully deploy a
NIDS, you must know where to place the NIDS sensors to benefit the
network most.
Early IDS implementations also erred on the side of caution, and as a result they
generated a large number of false positives. However, as attack detection methods
have evolved, later generation systems have developed more refined attack
detection methods that are less likely, when properly managed, to produce false
positives.
There are several ways to send network traffic to the NIDS sensors and analyzers:
test access points (TAPs) that are placed in-line with network traffic; port
mirroring, which works within network devices; and packet sampling
technologies.

TAPs

TAPs are specialized devices designed to split off in-line copies of network traffic
without affecting network throughput. Copying occurs at Layer 1; that is, the data
signal itself is split.
In most networks, data is forwarded over two types of media: fiber optic cables or
copper wire such as that found in CAT-5 cables. TAPs split the signal differently
depending on the transmission medium:
• Fiber optic cables—The optical signal is divided into two streams with a
beam splitter. After the signal has been split, one signal is sent to the NIDS
and the other signal continues through the TAP unimpeded. Optical signals
are usually strong enough to withstand beam splitting without requiring
signal augmentation or regeneration. Therefore, fiber taps are passive devices
and often do not require a power supply.

Note
When implementing TAPs on fiber optic cables, you must carefully
analyze your potential optical signal loss and attenuation. Fiber optic
technologies and devices vary greatly and this course cannot, within its
scope, address all the potential issues.

• Copper cables—The electrical signal is split into two and forwarded over
two separate wires. Electrical signals can degrade fairly quickly. As a result,
electrical signal regeneration is required in most cases.
When properly implemented, TAPs provide complete network information for the
IDS. Some considerations to keep in mind when using TAPs:
• They are passive devices—Absolutely no packet inspection occurs on the
TAP. The TAP sends all signals exactly as they are received, including errors
and malformed packets. This allows for an accurate view of the network.
However, because TAPs are passive devices, they cannot be used to mitigate
an attack.
• They can operate without an IP address—TAPs that operate without an IP
address are transparent to network traffic. The lack of address works as an
additional security measure: TAPs cannot be seen by reconnaissance attacks,
so they cannot be used as a pathway to directly attack the IDS or the network.
• They can become a potential single point of failure—A TAP that fails
closed will prevent any traffic from being forwarded on that line. In some
cases, such as during DoS attacks, it may be preferable for all network traffic
to be halted in the area of failure rather than allowed to blindly continue
through. However, most TAPs are designed to fail open to allow continued
network operation.
• They must be placed carefully—TAPs must be deployed at network choke
points. However, if not placed correctly, portions of the network may be left
unmonitored.
• They can be expensive—Because TAPs should be placed at every network
choke point, the cost of deploying TAPs can quickly add up, particularly in
large networks.

Port Mirroring

Rather than purchase and deploy separate TAPs to collect traffic data for the
NIDS, you can collect the data using the port mirroring feature commonly found in
switches.
Port mirroring may seem to be a simple solution that takes advantage of network
device features you may already have. However, there are several drawbacks to
port mirroring:
• Often only one port or VLAN can be mirrored—Because of processor
constraints, in many cases only one port or VLAN on the switch can be
mirrored. For those switches that can be configured to mirror a number of
ports or VLANs, there is no guarantee of reliability: the mirror port usually
has the same bandwidth capabilities as any other port on the switch. Any
traffic that is received over the mirror port’s bandwidth limit may be
dropped, and this packet loss affects the IDS’s ability to comprehensively
observe the network.
• Mirroring can affect network throughput—Copying and forwarding
traffic requires device processing resources. During high network usage, the
mirroring device may have difficulty managing mirrored traffic while
continuing to switch and forward all other network traffic. Thus mirroring
can affect the device’s throughput rate.
• Mirrored traffic is incomplete—Not every packet sent or received over the
monitored port is copied to the mirror port. For example, mirrored packets do
not include VLAN information, and session reply packets are often excluded.
Furthermore, because the copied traffic is handled and reproduced by a
network device, mirrored ports may hide information such as jitter and
certain types of packets such as runts and giants.
• Mirrored ports are subject to switch integrity—If the switch is
compromised, the integrity of the traffic received over the mirror port may
also be compromised and is therefore untrustworthy.

Remote Mirroring
Ideally, IDS traffic should travel over dedicated lines to the IDS analyzer.
However, in most cases, the IDS analyzer will not have enough ports to
accommodate a direct connection with every network device, and a switch
dedicated to IDS traffic is not always practical. Some network devices can
overcome this limitation by using remote mirroring. Remote mirroring allows you
to send mirrored traffic from network devices to a remote analyzer using the
network infrastructure rather than a dedicated line.
Remote mirroring allows you to specify a particular port or VLAN on a remote
device as the mirrored traffic destination. You also have the option to send mirrored
traffic to any port either across a wide area network (WAN) connection or within the
local area network (LAN). Remote mirroring overcomes the port limitations
imposed by using dedicated lines for IDS traffic; however, it consumes network
bandwidth, it is still limited by device bandwidth and resource constraints,
and it carries unencrypted copies of production traffic across the
infrastructure, so the path to the analyzer must itself be trusted.


Traffic Profiling

Rather than send copies of all network traffic to be analyzed to the IDS, you can
reduce the network and device bandwidth and resources used for traffic analysis
by using traffic profiling technology. Traffic profiling collects and organizes
information on the traffic that traverses a network.
The main components of traffic profiling implementations are:
„ The agent—The agent is usually embedded into network backbone devices.
Working in tandem with the switching/routing Application-Specific
Integrated Circuits (ASICs), the agent applies an algorithm to network
traffic to collect traffic information. The agent then packages and sends the
gathered information.
„ The collector—The collector receives and analyzes the packaged
information. From this information, the collector creates a statistical model of
network traffic that can be used by an IDS.


There are two main traffic profiling methods: flow-based and sample-based.

Flow-based
Flow-based traffic profilers work by looking at packet attributes and organizing
traffic with the same characteristics into flows. In some implementations, the
packet characteristics used to define flows are configurable. However, in most
cases flows are defined by the classic five-tuple of Layer 3 and Layer 4 fields:
source IP address, source Transmission Control Protocol/User Datagram Protocol
(TCP/UDP) port, destination IP address, destination TCP/UDP port, and IP
protocol. After the traffic is separated into flows, the flow-based profiling
agent tallies up flow statistics, such as how many packets were exchanged and
bytes sent/received during the session associated with the flow. Statistics such
as these are collected from several flows, packaged, and sent to the collector,
which analyzes the information and generates reports. Examples of flow-based
traffic profilers include NetFlow, JFlow, and IP Flow Information eXport
(IPFIX).

Sample-based
Rather than separating traffic into flows, a sample-based profiler uses statistical
traffic sampling to create a statistically accurate profile of network traffic within a
margin of error. That is, rather than require the agent to inspect every packet that
passes through, sample-based profiling examines on average every nth packet (the
gap between samples is randomized so that it cannot lock onto periodic traffic)
and derives statistics by scaling the sampled counts. The standard sample-based
profiling technology is sFlow.
Unlike flow-based profilers that package the information into an export data
packet, sFlow packages sample information into small datagrams. These sFlow
datagrams include Layer 2 through 7 information, including packet routing
information (source, destination, hop addresses, and AS numbers), user identity
information where the device knows it, and the first bytes of each sampled
packet. sFlow datagrams are compact and do not require a large amount of
network bandwidth: they are approximately 0.7 percent of the original packet
size, and information from several packets can fit into a single datagram.
One sFlow collector can monitor a network of thousands of switches because the
UDP datagrams carry only a short header sample of each packet, not the full user
data payload. Therefore, the collector provides timely reports of network traffic
while consuming a minimum of bandwidth.
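The two profiling methods above, as an added Python example that is not part of the original student guide and not code from any NetFlow or sFlow implementation: a flow aggregator that keys every packet on the five-tuple and tallies it, beside a sampler that inspects every nth packet and scales the counts up by n. The traffic is a constructed list of packet records (a hypothetical HTTP exchange and a few DNS queries); the Packet class and all function names are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet record; only the fields a profiling agent keys on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "tcp" or "udp"
    length: int  # bytes on the wire


# Constructed sample traffic (not captured data): an HTTP request/response
# exchange between a client and a web server, followed by a few DNS queries.
SAMPLE_PACKETS = (
    [Packet("10.0.0.5", 51000, "192.0.2.10", 80, "tcp", 600)] * 40
    + [Packet("192.0.2.10", 80, "10.0.0.5", 51000, "tcp", 1400)] * 60
    + [Packet("10.0.0.5", 53001, "10.0.0.1", 53, "udp", 80)] * 10
)


def flow_key(pkt):
    """The five-tuple a NetFlow/IPFIX agent uses to identify a flow."""
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)


def aggregate_flows(packets):
    """Flow-based profiling: every packet is inspected and tallied into its flow.

    Returns {five_tuple: {"packets": n, "bytes": n}}; a real agent would also
    record first/last timestamps and export the record when the flow expires.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        rec = flows[flow_key(pkt)]
        rec["packets"] += 1
        rec["bytes"] += pkt.length
    return dict(flows)


def sampled_estimate(packets, n):
    """Sample-based profiling: look at every nth packet and scale the counts by n.

    The result is an estimate with a margin of error, which is the trade-off
    sFlow makes. This example samples deterministically (index % n == 0);
    sFlow randomizes the gap between samples so that periodic traffic cannot
    line up with the sampling interval and be systematically missed.
    """
    estimate = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for index, pkt in enumerate(packets):
        if index % n == 0:
            rec = estimate[flow_key(pkt)]
            rec["packets"] += n            # each sample stands for n packets
            rec["bytes"] += pkt.length * n
    return dict(estimate)


def sampling_error(packets, n):
    """Per-flow difference between the sampled packet estimate and the true count."""
    exact = aggregate_flows(packets)
    est = sampled_estimate(packets, n)
    return {key: est.get(key, {"packets": 0})["packets"] - exact[key]["packets"]
            for key in exact}


if __name__ == "__main__":
    for key, rec in aggregate_flows(SAMPLE_PACKETS).items():
        print("flow", key, rec)
    print("sampling error at 1-in-7:", sampling_error(SAMPLE_PACKETS, 7))
```

With a 1-in-10 rate the estimate happens to be exact for this constructed traffic; at 1-in-7 the client flow is overestimated by two packets and the small DNS flow by minus three, which is the margin of error the text refers to, and why short flows are the ones a sampling profiler sees least accurately.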


Traffic Profiling Benefits


Traffic profiling has several benefits that allow security personnel to:
„ Identify normal network behavior and design network security
policies—Because profiling covers all types of network traffic, it shows which
traffic patterns are normal for your network and which are unexpected. With
this knowledge, you can establish a baseline for normal network activity and
write policies around it. When traffic deviates from that norm, you can take
action to protect your network against these threats before they harm your
systems. For more information on how traffic profiling can be used to detect
attacks, see “Network Behavior-based Anomaly Detection (NBAD)” in this module.
„ Identify attacks—A properly deployed traffic profiler monitors your entire
network, including each employee’s workstation. If an infection enters your
network from a workstation, the profiling data will help you identify the
infected endpoint and catch the infection before it shuts down your entire
network. The traffic profiler can also identify significant changes in
endpoints’ fan-out (the number of nodes an endpoint has established a session
with), helping you to identify quick-moving attacks as well as large DoS
attacks.

Further Reading
For more information on sFlow, see RFC 3176 at
http://www.ietf.org/rfc/rfc3176.txt, or see the sFlow Web site at
http://www.sflow.org.
For more information on NetFlow, see
http://en.wikipedia.org/wiki/NetFlow.
For more information on IPFIX, see RFC 3917 at
http://www.ietf.org/rfc/rfc3917.txt or RFC 3955 at
http://www.ietf.org/rfc/rfc3955.txt.


Host-based IDS

[Slide: HIDS agents on endpoints, reporting across the Internet to an IDS Manager]

IDSs work by monitoring the network and generating alarms to notify network
administrators when unusual behavior is detected. A NIDS collects audit data from
dispersed sensors, forwarding the data to a central engine that analyzes it and
generates alarms when potential attacks are detected. HIDSs, however, work
without dispersed sensors: instead, an agent on each endpoint collects and
analyzes that endpoint’s own audit data and generates alarms autonomously.
HIDSs monitor network endpoints in several ways:
„ File integrity monitoring—Using checksums and message digests recorded
while the system was in a known-good state, a HIDS can detect any later change
to files, particularly crucial system files and binaries.
„ Device state monitoring—Device states include a list of all currently
running processes. Because endpoint intrusions often alter a device state by
running malware or other executables, a HIDS can detect possible intrusions
based on unexpected device states.
„ Dynamic behavior monitoring—A HIDS can monitor applications on the
device and ensure that they are behaving as expected. For example, a HIDS
will detect if a word processor suddenly starts to modify the system password
database, which would signal a compromise.
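File integrity monitoring as an added Python example, not code from the student guide or from any HIDS product: a SHA-256 baseline of a directory tree is taken while the host is known-good, the tree is tampered with the way an intruder might (an account appended to the password file, a file deleted, a new shared object dropped), and a re-check reports exactly what changed. The tree is built in a temporary directory constructed by the example; the file names and function names are assumptions of the example.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record a digest for every regular file under root, keyed by relative path.

    The baseline is taken while the host is in a known-good state; the HIDS
    later compares against it rather than against any notion of "correct" content.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = hash_file(path)
    return baseline


def check_integrity(root, baseline):
    """Compare the tree against the baseline and report what changed."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo_run():
    """Simulate one HIDS cycle on a constructed temporary tree (not a real system)."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Tampering: a second UID-0 account, a deleted file, and a dropped library.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(root, "libfake.so"), "wb") as fh:
            fh.write(b"\x7fELF")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo_run())
```

The baseline dictionary is the trust anchor of this check: if it is stored on the monitored host, an intruder who has already gained control can simply recompute it, which is the residency problem discussed later in this section. A real agent keeps the baseline (or a signature over it) on a separate, protected host and also watches metadata such as permissions and ownership, not just content.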
HIDSs have the following benefits:
„ They can verify the success or failure of a network intrusion—While
NIDSs can detect that an attack packet is on the network, HIDSs can report
whether an attack successfully reaches its intended destination.


„ They generally are not impacted by bandwidth requirements—Network-based
detection can be limited by the amount of data that the sensors and
analyzer can handle. HIDS analysis, however, is not constrained by the
amount of data generated over network bandwidth.
„ They have a low number of false positives—Endpoint behavior is limited
and state-based. Because there is less variation in endpoint behavior than in
network traffic, it is much simpler to positively identify anomalous behavior.
„ They can detect internal intrusions that firewalls and NIDSs will miss—
HIDSs can discover attacks that are not apparent in a packet’s composition.
For example, a HIDS can detect unauthorized network resource access or
unauthorized file modification.
Despite these benefits, HIDSs have several drawbacks:
„ Endpoint resource impact—The HIDS agent runs from the same resource
pool from which all other endpoint processes run. In some cases, the HIDS
agent can drain resources that are needed for other endpoint applications.
„ OS dependency—HIDSs run under the endpoint’s OS. If the OS is
compromised or insecure, the HIDS can be rendered useless.
„ Scalability—HIDSs require an agent to be installed on each network
endpoint. For networks with thousands of endpoints that must be monitored,
this requirement can be a large management issue.
„ Localization—HIDSs only monitor the endpoint on which they are installed.
To get a larger picture of network intrusions, network administrators must
gather HIDS alerts, correlate the data, and make inferences based on
otherwise isolated instance information.
„ Residency—HIDSs reside on the network devices that they are designed to
protect. If the endpoint device is compromised, the HIDS is exposed to the
attacker and can no longer be trusted, so its alerts and integrity baselines
should be shipped to a separate, protected host rather than kept locally.


Hybrid IDS Solutions

HIDSs allow you to monitor endpoint integrity and catch internal attacks, and
NIDSs allow you to monitor network traffic and detect reconnaissance and DoS
attacks. As mentioned earlier, for a complete IDS solution, you should use a
combination of a NIDS and a HIDS, allowing you to leverage the best of both IDS
types. For example:
„ Hybrid solutions can discover attacks that, separately, HIDSs and NIDSs
would miss.
„ Hybrid solutions can both detect an attack through the NIDS and determine
whether it was successful through the HIDS.
„ Hybrid solution IDS analyzers are able to correlate NIDS and HIDS
information for more complete network monitoring.
Hybrid solutions are deployed in a similar fashion to HIDS and NIDS solutions:
NIDS sensors should be deployed at all network entry and exit points as well as
next to all traffic sources, and HIDSs should be deployed on all business critical
endpoint devices such as servers and superuser workstations.
After the IDS sensors are in place, the hybrid IDS analyzer can then monitor NIDS
and HIDS audit data.


Pattern-based Detection

IDSs analyze audit data and look for intrusions using two different methods:
„ pattern-based analysis
„ anomaly-based analysis
Pattern-based analysis compares the network audit data with known attack
behaviors and patterns in one of two ways: by defining rules or by using attack
signatures.

Rule-based Detection
Rule-based detection uses preconfigured profiles (rules) that characterize known
security attack scenarios. For example, a known DoS attack might involve three
distinct phases; during each phase the attacker sends a specific type of packet. The
IDS analyzer will recognize the first packet as part of the first phase of the known
DoS attack. Rule-based analysis can detect intruders that exhibit specific patterns of
behavior known to be suspicious or in violation of security policies. In particular, it
is intended to detect attempts to exploit known security vulnerabilities, such as OS
holes and protocol weaknesses, and to raise an alarm if observed activity matches
any of its encoded rules.


Most rule-based systems are user configurable so that you can define your own
rules based on your corporate environment. However, because rule-based detection
relies on pre-configured profiles of known intrusions, intrusions not profiled in the
set of rules will be overlooked.

Signature-based Detection
Similar to rule-based detection, signature-based detection works by comparing
audit data with the signatures of known attacks. A signature consists of an
attack model based on past intrusions and is stored in a signature database.
Unlike rule-based detection, in which the IDS detects attacks based on
behaviors, signature-based detection looks only at packet contents. Signature-
based IDSs must recognize and interpret certain series of packets (or data
within the packets) as an intrusion attempt.

Disadvantages of Pattern-based Detection

Because pattern-based methods rely heavily on known attacks, they may not
recognize or detect new types of attacks, and a known attack that is encoded or
fragmented differently from its signature can slip past them. However, it is
easier to update pattern-based IDS rules and signatures than it is to adjust the
next detection type: anomaly-based detection.
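Signature-based detection and its main weakness, as an added Python example that is not from the student guide and not a Snort rule set: a handful of hypothetical content signatures (port qualifier plus byte pattern, in the spirit of a Snort content rule) are matched against constructed packets. The plain directory-traversal request matches; the same request with its slashes percent-encoded does not, until a normalization step decodes the payload the way an HTTP preprocessor would. The signature IDs, messages and traffic are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_to_bytes


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Signature:
    """A content signature in the spirit of a Snort rule: port qualifier plus byte pattern."""
    sid: int
    msg: str
    dst_port: Optional[int]   # None means any port
    content: bytes
    nocase: bool = False


# Hypothetical signature set constructed for this example (not a vendor database).
SIGNATURES = [
    Signature(1000001, "WEB-MISC directory traversal to /etc/passwd", 80, b"../../etc/passwd"),
    Signature(1000002, "WEB-MISC shell command in query string", 80, b"cmd=", nocase=True),
    Signature(1000003, "SMTP VRFY user enumeration", 25, b"VRFY ", nocase=True),
]


def inspect(pkt, signatures, normalize=False):
    """Return the (sid, msg) pairs whose signature matches this packet.

    With normalize=True the payload is percent-decoded first, the way an HTTP
    preprocessor would, so that encoded variants of a known attack still match.
    """
    data = unquote_to_bytes(pkt.payload) if normalize else pkt.payload
    hits = []
    for sig in signatures:
        if sig.dst_port is not None and sig.dst_port != pkt.dst_port:
            continue
        haystack = data.lower() if sig.nocase else data
        needle = sig.content.lower() if sig.nocase else sig.content
        if needle in haystack:
            hits.append((sig.sid, sig.msg))
    return hits


# Constructed traffic: a plain attack, the same attack percent-encoded, benign traffic.
ATTACK = Packet("198.51.100.7", "10.0.0.20", 80,
                b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n\r\n")
ENCODED = Packet("198.51.100.7", "10.0.0.20", 80,
                 b"GET /cgi-bin/view?file=..%2f..%2fetc%2fpasswd HTTP/1.0\r\n\r\n")
BENIGN = Packet("10.0.0.9", "10.0.0.20", 80, b"GET /index.html HTTP/1.0\r\n\r\n")


def run_demo():
    """Raw matching catches the plain attack but not the encoded one; normalization does."""
    return {
        "attack": inspect(ATTACK, SIGNATURES),
        "encoded_raw": inspect(ENCODED, SIGNATURES),
        "encoded_normalized": inspect(ENCODED, SIGNATURES, normalize=True),
        "benign": inspect(BENIGN, SIGNATURES),
    }


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name:20s} {hits}")
```

The normalization step is the practical answer to the evasion problem: production signature engines decode, reassemble and de-fragment traffic before matching so that one signature covers the encodings of an attack rather than one signature per encoding, and a truly new attack still needs a new signature.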

Further Reading
For more information on signature-based detection, see
http://www.sans.org/resources/idfaq/limitations.php.
For more information on rule-based detection, see the Snort Web site
at http://www.snort.org.


Anomaly-based Detection

Relying on known attack patterns can leave the network vulnerable to new attacks;
instead, you can use an attack detection method based on the fact that any network
intrusion will create some sort of anomalous behavior. Anomaly-based detection
discovers network intrusions based on statistical deviations from pre-established
network norms.
Anomaly-based IDSs analyze audit data and compare it to typical or predicted
network profiles. Suspicious behavior is flagged when it deviates from the
normal network usage by a pre-set percentage.
This type of detection requires a network baseline to act as a standard. This
baseline is usually established through the following steps:
1. System usage samples are taken over a learning period of normal operation.
2. Using these samples, the IDS establishes average network resource usage,
such as CPU utilization, packet protocol types, bandwidth consumption,
and so on.
3. As the learning period progresses, the baseline thresholds are adjusted to take
into consideration normal deviations.


4. At the end of the learning period, this baseline is used to define expected
normal network behavior. Any sequence of events that deviates from this
baseline by a statistically significant amount is flagged as a possible
intrusion. For example, a statistically significant deviation may include 10 or
more failed login attempts, users logging in at odd hours, or unexplained
device restarts.
Because anomaly-based IDSs do not rely on known attack profiles, they can detect
new or zero-day attacks that may not be recognized by signatures. Anomaly-based
IDSs can also be more sensitive to intrusions because of their ability to adapt and
create baselines that keep close to normal network behavior.
However, anomaly-based IDSs tend to produce more false positives than
pattern-based detection. To mitigate this problem, network administrators must
take the time to determine and fine-tune the statistical standard deviation
thresholds. An attacker can also outsmart this type of IDS by making gradual
behavior changes over time, so that each step stays inside the threshold while
the baseline drifts to absorb it.

Network Behavior-based Anomaly Detection (NBAD)


NBAD is an example of an anomaly-based NIDS: it specifically monitors and
detects intrusions based on network traffic behaviors rather than signatures or
endpoint behavior anomalies. NBAD works by observing network traffic and
building a normal network usage profile. When the traffic flow deviates
significantly from the established profile, NBAD generates an alarm.

To generate traffic baselines and detect deviations, NBAD systems collect network
information in a variety of different ways. For example, many NBAD systems rely
on traffic profiling technologies such as NetFlow and sFlow.

Some things to keep in mind when deploying NBAD:

„ Expense—Because NBAD monitors network traffic, it must have access to
network traffic. Unless network backbone devices support traffic profiling or
port mirroring, it may be necessary to deploy TAPs, which can be costly.
„ Management of positives—NBADs typically generate few false positives.
However, benign unexpected changes in traffic patterns (a new backup job, a
software rollout) can generate positives that must be managed.
„ Complementary deployment—Combining NBAD with a signature-based
IDS can provide your network with powerful intrusion detection capabilities.
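The anomaly-based baseline procedure (learning period, average, thresholds, deviation) and the NBAD fan-out check described above, carried through as one added Python example that is not from the student guide or from any NBAD product. The input is a constructed set of flow records of the kind a collector derives from NetFlow or sFlow exports: ten learning windows of normal traffic, then one window in which a host suddenly opens sessions to 40 distinct peers. The host addresses, window numbers and function names are assumptions of the example.

```python
import statistics
from collections import defaultdict

# Constructed flow records (window_index, src_ip, dst_ip), as a collector would
# derive them from NetFlow/sFlow exports. Ten learning windows of normal traffic:
# 10.0.0.5 talks to 3-5 peers per window, 10.0.0.6 always to the same 2.
LEARNING = [
    (w, "10.0.0.5", f"10.0.1.{i}") for w in range(10) for i in range(1, 4 + w % 3)
] + [
    (w, "10.0.0.6", f"10.0.1.{i}") for w in range(10) for i in (1, 2)
]

# Detection window: 10.0.0.5 suddenly opens sessions to 40 distinct hosts on a
# new subnet (worm-like scanning); 10.0.0.6 behaves as before.
DETECTION = [
    (10, "10.0.0.5", f"10.0.2.{i}") for i in range(1, 41)
] + [(10, "10.0.0.6", "10.0.1.1"), (10, "10.0.0.6", "10.0.1.2")]


def fanout_by_source(records):
    """Distinct destinations per (source, window): the fan-out metric."""
    peers = defaultdict(set)
    for window, src, dst in records:
        peers[(src, window)].add(dst)
    fanout = defaultdict(dict)
    for (src, window), dsts in peers.items():
        fanout[src][window] = len(dsts)
    return fanout


def learn_baseline(records):
    """Learning period: mean and population std-dev of each source's fan-out."""
    baseline = {}
    for src, per_window in fanout_by_source(records).items():
        values = list(per_window.values())
        baseline[src] = (statistics.fmean(values), statistics.pstdev(values))
    return baseline


def detect(records, baseline, k=3.0, min_delta=5):
    """Flag windows whose fan-out exceeds mean + k*std (never below mean + min_delta).

    The absolute floor keeps a host with a perfectly steady history (std = 0)
    from alerting on a change of a single peer; unknown sources get a baseline
    of zero and alert once they exceed the floor.
    """
    alerts = []
    for src, per_window in fanout_by_source(records).items():
        mean, std = baseline.get(src, (0.0, 0.0))
        threshold = max(mean + k * std, mean + min_delta)
        for window, fanout in sorted(per_window.items()):
            if fanout > threshold:
                alerts.append((window, src, fanout, round(threshold, 1)))
    return alerts


if __name__ == "__main__":
    base = learn_baseline(LEARNING)
    print("baseline:", base)
    print("alerts:", detect(DETECTION, base))
```

For 10.0.0.5 the learned fan-out is 3.9 with a standard deviation below one, so the threshold settles at 8.9 and the 40-peer window is flagged while the learning windows themselves are not. The k and min_delta parameters are the thresholds the text says administrators must tune; note also that a host which adds one or two peers per window for weeks would never cross them, which is the gradual-change evasion described in the section.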
Some IDSs—including NBAD—can do more than just generate alarms and report
intrusions: they can automatically respond to a detected intrusion.


Further Reading
For more information on anomaly-based detection, see
http://www.sans.org/resources/idfaq/anomaly_detection.php.
For more information on NBAD, see
http://www.itarchitectmag.com/shared/article/showArticle.jhtml?articleId
=163700677.


Active Response

Traditional IDSs analyze network traffic and generate alerts in response to
perceived intrusions. However, some IDS implementations are able to take limited
protective measures after an attack is detected. They are said to “mitigate” the
threat. These automatic measures are called an active response.
Active response can help mitigate the damage that stems from a network intrusion.
However, active response does not prevent the initial attack from succeeding:
protective measures are only taken after the initial attack succeeds in accessing the
network and is detected by the IDS.
Active response uses two methods to respond to attacks:
„ Session disruption—TCP sessions are terminated by packets that have the
TCP reset (RST) flag set. To shut down a TCP session between an attacker
and a network peer, the IDS sends TCP RST packets to both session
endpoints, each spoofed to appear to come from the other endpoint. A reset is
accepted only if its sequence number falls within the receiver’s window, so the
IDS must have observed the session and must inject before the next legitimate
segment moves the window on. The attacker must then reestablish a network
session to continue the attack.
„ Access control manipulation—To prevent an attacker from reestablishing a
session to continue the attack, the IDS can make adjustments to specific
access control lists (ACLs) that would cause all packets from the attacker to
be dropped. Because the source address of an attack can be spoofed, automatic
ACL changes should expire after a set time and should never be allowed to block
addresses the network depends on (DNS servers, gateways, business partners);
otherwise the IDS itself becomes a DoS tool in the attacker’s hands.
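Session disruption as an added Python example (not from the student guide and not the code of any IDS product): given the segment the sensor observed on the wire, craft the two TCP reset segments an active-response IDS would inject, one toward each endpoint, with the sequence number each receiver expects next and a correct TCP checksum over the pseudo-header. The example only builds and verifies the bytes; transmitting them requires a raw socket and privileges, which it deliberately does not use. The observed session is constructed, and the class and function names are assumptions of the example.

```python
import socket
import struct
from dataclasses import dataclass

TCP_RST = 0x04  # flag bits as they appear in the TCP header flags byte
TCP_ACK = 0x10


@dataclass
class ObservedSegment:
    """What the IDS sensor saw on the wire for the session it wants to kill."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int          # sequence number the segment carried
    ack: int          # acknowledgement number the segment carried
    payload_len: int  # bytes of data in the segment


def _ones_complement_sum(data):
    """16-bit one's-complement sum used by the IP family checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip, dst_ip, segment):
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, len(segment))


def build_tcp_segment(src_ip, src_port, dst_ip, dst_port, seq, ack, flags):
    """Return a 20-byte TCP header with a correct checksum and no options or data."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq & 0xFFFFFFFF,
                         ack & 0xFFFFFFFF, 5 << 4, flags, 0, 0, 0)
    csum = (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, header) + header)) & 0xFFFF
    return header[:16] + struct.pack("!H", csum) + header[18:]


def checksum_is_valid(src_ip, dst_ip, segment):
    """A receiver's check: the sum over pseudo-header and segment must be all ones."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + segment) == 0xFFFF


def rst_pair(obs):
    """Craft the two resets for an observed A->B segment.

    To B, spoofing A: SEQ = obs.seq + payload_len, the byte B expects next.
    To A, spoofing B: SEQ = obs.ack, the byte A expects next.
    A host accepts a RST only if SEQ is inside its receive window, which is why
    the sensor must have seen the live session and must inject before the
    endpoints move on; a stale SEQ is silently discarded.
    """
    to_receiver = build_tcp_segment(obs.src_ip, obs.src_port, obs.dst_ip, obs.dst_port,
                                    obs.seq + obs.payload_len, 0, TCP_RST)
    to_sender = build_tcp_segment(obs.dst_ip, obs.dst_port, obs.src_ip, obs.src_port,
                                  obs.ack, 0, TCP_RST)
    return to_receiver, to_sender


def segment_fields(segment):
    """Decode (src_port, dst_port, seq, flags) from a raw TCP header for inspection."""
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    return src_port, dst_port, seq, segment[13]


if __name__ == "__main__":
    # Constructed observation: a client at 198.51.100.7 talking to an SSH server.
    seen = ObservedSegment("198.51.100.7", 40000, "10.0.0.20", 22,
                           seq=1000, ack=5000, payload_len=100)
    for seg in rst_pair(seen):
        print(segment_fields(seg), seg.hex())
```

The sequence-number arithmetic is the whole point: a reset with the right addresses and ports but a sequence number outside the receiver’s window is ignored, so an IDS that is a few segments behind the conversation (because its mirror port dropped traffic, for instance) fails to tear the session down.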


Intrusion Prevention System

[Slide: module agenda. Completed: Network device features, Intrusion Detection
Systems. Next: Intrusion Prevention Systems (IDS and IPS; IPS; Content-based
detection; Rate-based detection; Incident databases), then UTM and Wireless
IDS/IPS]

As you have seen, IDSs provide comprehensive network monitoring but very little
in the way of actively protecting the network against attacks.
Next, we will discuss IPSs, which are comprehensive security solutions that use
intrusion detection methods to identify attacks and take active measures to protect
the network before an attack succeeds.


IDS and IPS

Most network administrators do not have the time to constantly respond to IDS
alerts. Active response reduces the need for immediate administrator response.
However, a good network security product will do more than send RST packets
and adjust ACLs.
IPSs are designed to do exactly that. IPSs detect network attacks and take immediate
countermeasures rather than waiting for a network administrator to react to the
threat. And unlike IDSs, IPSs can stop the initial exploit from being successful
while responding to the attack. As a result, IPSs are becoming the standard
comprehensive security solution.
Similar to IDSs, IPSs can be deployed as a host-based solution or as a
network-based solution:
„ Host-based IPS (HIPS)—Because a HIPS resides directly on an endpoint
and so can tightly monitor that device, it is very effective at detecting
attacks and taking appropriate countermeasures. But similar to HIDS,
HIPSs are not an easily scalable solution: deployment on every network
endpoint requires a large amount of time and management.


„ Network-based IPS (NIPS)—Similar to NIDS devices, NIPS devices are
deployed at network choke points. However, unlike NIDS implementations
where the choke-point devices forward the traffic to an analyzer that can be
located anywhere in the network, NIPS analyzers must be deployed in-line to
allow the IPS to implement countermeasures. An in-line device adds latency to
every packet and must be chosen to fail open or fail closed deliberately: when
it fails, traffic either bypasses inspection or stops.

Further Reading
For more information on HIPS, see
http://www.networkworld.com/news/tech/2005/072505techupdate.
html.
For more information on NIPS, see
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci969054,
00.html.


IPS

Initially, IPSs identified and stopped network attacks using access control and
firewalls: ACLs and firewalls prevent attacking packets from accessing the
network.
The current approach to intrusion prevention is much more sophisticated than
merely whitelisting or blacklisting packet attributes. When placed in-line with
network traffic, an IPS can take countermeasures as soon as an attack is detected.
IPSs implement countermeasures at four OSI Layers:
„ Data Link—For local or internal attacks, the IPS can shut down a network
port interface associated with the system from which attacks are being
launched.
„ Network—The IPS can interact with the firewall or gateway device to add
ACL entries that block all communication from an individual IP address or
from an entire network.
„ Transport—To tear down malicious TCP sessions, the IPS can generate and
send TCP RST packets. For malicious UDP sessions, which have no reset, the IPS
can respond by generating and sending Internet Control Message Protocol (ICMP)
destination unreachable messages.
„ Application—The IPS can alter malicious application layer data to make it
harmless before it is forwarded to the destination endpoint.

However, because IPSs handle network traffic in a different manner than IDSs,
they detect attacks in slightly different ways. The next section will discuss the two
ways in which an IPS can identify attacks:
„ content-based detection
„ rate-based detection


Content-based Detection

Similar to IDSs that use pattern-based detection, content-based IPSs identify
attacks by matching traffic content to signatures of known attacks.
In addition to the basic attack signatures and rules, many IPSs allow you to
customize which attack signatures are enabled as a method to avoid an excessive
number of false positives.
For example, vendors often include more signatures than the IPS can reliably
evaluate while maintaining adequate throughput. Thus, IPSs
automatically enable only those signatures and rules that are known and tested
with a very high confidence rating. Other signatures that may be able to detect
less-common attacks at the cost of a higher rate of false positives are initially
disabled. To maximize the benefits of your IPS, you should enable the signatures
that match the services and platforms actually present on your network.
In addition to content-based detection, IPSs can detect DoS attacks based on the
traffic behaviors, such as the rate at which packets are received on the network.


Rate-based Detection

IPS rate-based attack detection is intended to prevent DoS and distributed DoS
(DDoS) attacks. Much like IDS’s anomaly-based detection, many rate-based IPS
solutions ignore traffic content and instead only monitor for traffic that displays
characteristics of a network flood, scan, or malware outbreak.
Just as with IDSs, rate-based IPSs require the development of a baseline, and
intrusions are detected from statistical deviations. Specifically, IPSs check for the
following anomalies:
„ Behavioral—The IPS looks for anomalies in endpoint-based user behavior.
In particular, this detection method focuses on tracking the types of
applications and protocols that are typically used at certain times of day.
Some implementations can be specific enough to check keystroke timing and
the number of database queries.
„ Traffic—The IPS looks for anomalies in network traffic patterns. This is not
packet inspection: the IPS focuses on metrics such as traffic volume, types of
protocols, and distribution of elements such as source and destination IP
addresses.


„ Protocol—IPSs can also look for deviations from a restrictive and detailed
set of protocol standards. For example, it can look for IP packets that use
restricted addresses (or even addresses that simply do not make sense in your
network) or TCP packets set with invalid flag combinations. Based on the
protocol standards and average usage, the IPS creates models to act as the
baselines from which it detects deviation. This detection method can cause
false positives: not all protocol implementations strictly comply with the
standards.
A rate-based IPS uses very granular anomaly-detection methods and requires
network administrators to set adaptive thresholds on network parameters. For
example, this type of IPS can be configured to detect SYN flood attacks based on
several elements such as source IP address and a threshold on SYN packets per
second.
Rate-based thresholds are adaptive: the IPS learns average traffic patterns for
specific times and areas and predicts the expected traffic for each network
parameter at each moment. In addition to predicting the number of total expected
packets, a rate-based IPS can track patterns as specific as the number of IP
packets, the number of ARP packets, the number of new connections per second,
and the number of packets on a particular TCP or UDP port expected in the next
few moments.
If the amount of actual traffic for a particular parameter exceeds the expected
amount by a statistically significant number, the IPS detects an attack. It then
prevents the attack from succeeding by using several techniques, including:
„ Granular rate limiting—Similar to virus throttling and SNMP throttling, the
IPS can limit the rate at which packets with certain characteristics are
forwarded through the network.
„ Address, network, and port scan filtering—DoS and other attack traffic
can be dropped based on the source and destination IP addresses, TCP port
numbers, or other behavior.
Rate-based IPS solutions are designed for deployment outside of the firewall to
protect the network against SYN flood and other DoS attacks. These solutions can
also identify and stop zero-day attacks based on the anomalous behavior that they
create (for example, a sudden jump in traffic).
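Rate-based detection with a granular rate-limiting response, as an added Python example that is not from the student guide and not a vendor’s implementation. Each source’s expected SYN rate is an exponentially weighted moving average (the adaptive threshold), a second is anomalous when its SYN count exceeds a multiple of the expected rate or an absolute floor, and once a source is flagged its SYNs pass through a token bucket rather than being forwarded freely. The per-second trace (a normal client plus a source that is quiet for five seconds and then floods at 500 SYNs/second) is constructed; the parameter values and names are assumptions of the example.

```python
from collections import defaultdict


class SynRateGuard:
    """Per-source SYN rate detector with an adaptive expected rate and a token-bucket limiter.

    Hypothetical design for this example, not a vendor's implementation:
    - expected[src] is an exponentially weighted moving average of SYNs/second
      (the adaptive threshold the text describes);
    - a second is anomalous when its SYN count exceeds max(factor * expected, floor);
    - once a source is flagged, its SYNs are forwarded through a token bucket
      (granular rate limiting) instead of being dropped outright.
    """

    def __init__(self, alpha=0.2, factor=4.0, floor=20, bucket_rate=10, bucket_size=20):
        self.alpha = alpha            # EWMA weight of the newest observation
        self.factor = factor          # how far above expected counts as a flood
        self.floor = floor            # absolute minimum threshold, SYNs/second
        self.bucket_rate = bucket_rate
        self.bucket_size = bucket_size
        self.expected = {}            # src -> EWMA SYNs/second
        self.tokens = defaultdict(lambda: bucket_size)
        self.limited = set()

    def observe(self, src, syn_count):
        """Update the baseline for one second of traffic; return True on an anomaly."""
        expected = self.expected.get(src)
        if expected is None:          # first sight of this source: seed the baseline
            self.expected[src] = float(syn_count)
            return False
        if syn_count > max(self.factor * expected, self.floor):
            self.limited.add(src)     # do not let flood seconds pull the baseline up
            return True
        self.expected[src] = (1 - self.alpha) * expected + self.alpha * syn_count
        return False

    def forward(self, src, syn_count):
        """Return how many of this second's SYNs are forwarded after rate limiting."""
        if src not in self.limited:
            return syn_count
        self.tokens[src] = min(self.bucket_size, self.tokens[src] + self.bucket_rate)
        allowed = min(syn_count, self.tokens[src])
        self.tokens[src] -= allowed
        return allowed


def run_trace(trace, guard=None):
    """Replay (second, src, syn_count) records; return (second, src, count, alert, forwarded)."""
    if guard is None:
        guard = SynRateGuard()
    results = []
    for second, src, count in trace:
        alert = guard.observe(src, count)
        results.append((second, src, count, alert, guard.forward(src, count)))
    return results


# Constructed trace: a normal client, and a source that is quiet for five
# seconds and then opens a SYN flood of 500 SYNs/second.
TRACE = [(s, "10.0.0.9", 3) for s in range(8)] + \
        [(s, "198.51.100.7", 5) for s in range(5)] + \
        [(s, "198.51.100.7", 500) for s in range(5, 8)]


if __name__ == "__main__":
    for row in run_trace(TRACE):
        print(row)
```

During the three flood seconds the bucket admits 20, 10 and 10 SYNs instead of 1,500, while the normal client is never touched. Flagged seconds are excluded from the average so a flood cannot teach the guard that flooding is normal, but a source that raises its rate a little below the factor each second still drags the baseline up, which is the slow-escalation weakness the anomaly-detection section warns about; a hard ceiling per source or per port closes that gap.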


Incident Databases

As part of a cooperative effort, several communities collect and analyze
information on current network intrusions, creating searchable databases. The
intent of these communities is to anonymously collect and correlate intrusion
information in an effort to quickly discover new attacks and immediately take
preventive actions.
Three widely used sources of vulnerability and incident information are:
Bugtraq—Bugtraq is an electronic mailing list that discusses both new and
established network vulnerabilities while proposing solutions. For more
information, see http://www.securityfocus.com/archive/1.
Common Vulnerabilities and Exposures (CVE)—CVE is a dictionary that
provides common names and information on publicly known network
vulnerabilities. For more information, see http://cve.mitre.org/.
DeepSight—DeepSight is a free service that allows companies to anonymously
upload their firewall and IDS records to a central database. The database is
analyzed, and details of the attacks are correlated using several variables. Based on
the results of the correlation, warnings are issued to companies with networks that
are at risk. DeepSight maintains information on attack types, times, locations, and
attack target profiles. For more information on DeepSight, see
http://aris.securityfocus.com/faq.aspx.

Unified Threat Management

[Slide: module agenda. Completed: Network device features, Intrusion Detection
Systems, Intrusion Prevention Systems. Next: Unified Threat Management, then
Wireless IDS/IPS]

IDS/IPS solutions provide a good level of network security when properly
deployed. These solutions act as a watchdog that hunts, finds, and in the case of
active response and IPS, chases off potential attacks. However, IDS/IPS solutions
are designed to complement, not replace, a layered network defense that includes
separate solutions such as antivirus software and firewalls.
The next solution works as an all-in-one solution to provide comprehensive
network security.


UTM

UTM is a network security solution that works at all four network security
layers—endpoint integrity, device access, data integrity and privacy, and network
access. It is an all-in-one solution that includes IDS/IPS, a stateful inspection
firewall, and antivirus capabilities. The UTM industry is a growing and changing
field, and UTM devices are becoming more comprehensive. For example, in
addition to IDS/IPS, firewall, and antivirus solutions, industry-leading UTMs can
also include:
„ content and spam filtering
„ spyware and Trojan protection
„ virtual private network (VPN) support
„ event logging
„ network access authentication
„ dynamic routing
„ Network Address Translation (NAT), DHCP, and Quality of Service (QoS)
support


The best network location for a UTM device is between the trusted network and
the Internet. However, UTM devices can also be installed at network choke points
to offer additional protection.
A UTM offers the following benefits:
„ Cost-effective security—Like IDS/IPSs, UTM devices require subscriptions
to keep antivirus, content filtering, and attack signatures up to date. However,
investing in a single comprehensive solution, even one that seems rather
expensive, might be more cost-effective than purchasing several independent
solutions.
„ Ease of management—The UTM presents a single site for managing a great
many network functions.
While a UTM device can be a good comprehensive security solution, you should
be aware that it has the following disadvantages:
„ Throughput and latency—UTM processors can easily become
overwhelmed. Because UTMs are placed at network choke points, this can
affect network throughput and introduce packet latency.
„ Single point of failure—A failed UTM device either leaves the network
completely unprotected (if it fails open) or cuts it off from the Internet (if
it fails closed); a high-availability pair or a bypass design is needed at the
perimeter.
„ Support that varies from vendor to vendor—Because UTMs can support a
wide range of features, you must carefully research the particular features
offered by the vendor solution you are considering. For example, a UTM
device by an antivirus company may offer superior UTM antivirus protection
while providing a relatively weak IDS/IPS UTM solution. Additionally, you
should be aware that some vendors claim to offer a UTM solution, but the
solution is not truly comprehensive.


Wireless IDS/IPS

[Slide: module agenda. Completed: Network device features, Intrusion Detection
Systems, Intrusion Prevention Systems, Unified Threat Management. Next: Wireless
IDS/IPS (Wireless attacks; Wireless IDS/IPS)]

A wireless network is a vital part of many networks. However, wireless
networking presents some unique security issues that cannot be addressed by
wire-based IDSs or IPSs. The next section introduces wireless IDS/IPSs, which are
specifically designed to address these issues.


Wireless Attacks

Because of the unique nature of the shared medium, wireless networks are
susceptible to several types of attacks that do not affect wired networks. These
attacks, which take advantage of the physical nature of radio communications and
of the workings of 802.11, include:
„ Wired Equivalent Privacy (WEP) cracking—The initial 802.11 encryption
standard (WEP) is very weak: using easily accessible software, attackers can
recover the WEP key and break into a WEP-secured network within minutes.
For more information on WEP, see Module 5—Layer 2: Data Integrity and
Privacy.
„ Rogue Access Points (APs)—Most endpoint devices associate with the AP that
offers the strongest signal for a given SSID. This behavior is what makes roaming
work: the endpoint notices when it is leaving one AP's cell and entering another.
An attacker can turn it into a MITM attack by introducing a rogue AP that
advertises the network's SSID with a far stronger signal than the legitimate APs.
Endpoints try to associate with the rogue AP and, unless their supplicants
validate the authentication server's certificate or the network uses an EAP
method with mutual authentication, reveal username and password information (or
challenge-response hashes that can be cracked offline) in the process. This
information can then be used to gain unauthorized access to the network.


„ MAC spoofing—Rather than use a username and password, some smaller
wireless networks only allow devices with specific MAC addresses to associate.
Because every 802.11 frame carries its source MAC address in the clear, an
attacker can sniff a permitted address and gain unauthorized access to the
network merely by spoofing it.
„ Signal jamming—Wireless devices are subject to radio interference. For
example, signals in the 2.4 GHz band used by 802.11b/g can be affected by
microwave ovens, cordless phones, and Bluetooth devices. Intentionally
broadcasting radio interference near an AP can prevent nearby endpoints from
associating to the network, effectively creating a wireless DoS attack.
„ Authenticate or associate frame flooding—The 802.11 standard requires
endpoints to complete two steps before they are granted access to the
network: authentication and association. Before the endpoint can forward
data frames, it must be authenticated and issued an association ID. An
attacker can overwhelm an AP by flooding it with spoofed authenticate or
association requests, causing a DoS attack.
„ Disassociate or deauthenticate spoofing—An attacker can also impersonate
an AP to forcibly disassociate wireless endpoints from the network. Because these
management frames are neither encrypted nor authenticated in the base 802.11
standard, the attacker needs only the AP's MAC address (the BSSID) and, to
target a single client, that client's MAC address, to spoof the frames; a
broadcast deauthentication frame disconnects every client at once. (The later
802.11w amendment, Protected Management Frames, adds integrity protection to
these frames, but both the AP and the clients must support it.)
„ Reconnaissance attacks—Wireless network mapping software is a great tool
for network administrators that want to monitor and control their wireless
network. However, as with wired network mapping software, an attacker can
use wireless network mapping software to locate wireless devices and sniff
wireless frame information. Often, attackers can perform wireless
reconnaissance attacks even more easily than wired attacks because wireless
frames are easier to intercept.
To address and mitigate the unique threats to wireless networking, you should
deploy a wireless IDS/IPS.


Wireless IDS/IPS

Wireless IDS/IPSs have been developed to specifically meet wireless network
security needs. They complement your wired IDS or IPS to provide a high
level of network security.
Wireless IDS/IPS devices detect attacks in several ways, including:
„ Signature and anomaly analysis—The wireless IDS/IPS can detect attacks
based on known wireless attack signatures and on anomalous behavior. The
analysis requires 802.11 frame inspection as well as behavior profiling.
„ Protocol analysis—A wireless IDS/IPS can look at 802.11 header fields to
ensure that frames do not include unusual settings that can be used in an attack.
„ Policy deviation—The wireless IDS/IPS can verify that all the traffic detected
by a sensor meets policy standards. For example, in a network that has a policy
requiring Wi-Fi Protected Access (WPA) or WPA2 encryption, a wireless
IDS/IPS detects a policy violation if it sniffs unencrypted wireless traffic.
„ Spectrum analysis—By scanning 802.11 frequencies, the wireless IDS/IPS
can detect jamming attacks and locate rogue APs.
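The following is an added example, not code from the student guide or from any vendor's product. It shows, in working Python, the three checks that the wireless-attacks list and the detection methods above describe: a deauthenticate/disassociate flood attributed to a spoofed BSSID, a rogue AP and an unencrypted (non-RSN) AP found by policy analysis of beacon frames, and data frames sent with the Protected Frame bit clear. The 802.11 MAC header layout (frame control, three addresses, capability bits, information elements) is the real one; the frames themselves are constructed inline as sample data, there is no radiotap header or FCS, and the time window for the flood threshold is simply "the whole capture".

```python
"""Toy wireless IDS over raw 802.11 frames (added example, constructed frames)."""
import struct
from collections import Counter

# Frame-control fields (first two bytes of the 802.11 MAC header).
TYPE_MGMT, TYPE_DATA = 0, 2
SUB_BEACON, SUB_DISASSOC, SUB_DEAUTH = 0x8, 0xA, 0xC
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40      # "Protected Frame" bit: frame body is encrypted
CAP_PRIVACY = 0x0010       # Privacy bit in a beacon's Capability Information field
IE_RSN = 48                # RSN information element (WPA2 / 802.11i parameters)


def _mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b"", flags=0):
    """24-byte MAC header (protocol version 0, no FCS) followed by the body."""
    fc0 = (subtype << 4) | (ftype << 2)
    header = struct.pack("<BBH", fc0, flags, 0)
    header += _mac_bytes(addr1) + _mac_bytes(addr2) + _mac_bytes(addr3) + b"\x00\x00"
    return header + body


def beacon(bssid, ssid, privacy, rsn):
    """Beacon body: timestamp, interval, capability, SSID IE (tag 0), optional RSN IE."""
    cap = CAP_PRIVACY if privacy else 0
    body = struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid.encode()
    if rsn:
        body += bytes([IE_RSN, 2]) + b"\x01\x00"   # RSN IE version 1 (suites omitted)
    return build_frame(TYPE_MGMT, SUB_BEACON, "ff:ff:ff:ff:ff:ff", bssid, bssid, body)


def deauth(bssid, client, reason=7):
    """Deauthentication frame as the AP (or an attacker spoofing its BSSID) sends it."""
    return build_frame(TYPE_MGMT, SUB_DEAUTH, client, bssid, bssid, struct.pack("<H", reason))


def data_frame(bssid, client, protected):
    flags = FLAG_FROM_DS | (FLAG_PROTECTED if protected else 0)
    return build_frame(TYPE_DATA, 0, client, bssid, client, b"\x00" * 8, flags)


def _iter_ies(buf):
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        yield tag, buf[i + 2:i + 2 + length]
        i += 2 + length


def parse_frame(raw):
    """Decode the MAC header; for beacons also decode the capability bits and IEs."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 MAC header")
    fc0, fc1 = raw[0], raw[1]
    f = {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
         "protected": bool(fc1 & FLAG_PROTECTED),
         "addr1": _mac_str(raw[4:10]), "addr2": _mac_str(raw[10:16]),
         "addr3": _mac_str(raw[16:22]), "body": raw[24:]}
    if f["type"] == TYPE_MGMT and f["subtype"] == SUB_BEACON:
        _, _, cap = struct.unpack_from("<QHH", f["body"], 0)
        f["privacy"] = bool(cap & CAP_PRIVACY)
        f["ies"] = dict(_iter_ies(f["body"][12:]))
    return f


def detect_deauth_flood(frames, threshold=10):
    """Transmitters (addr2 = claimed BSSID) sending >= threshold deauth/disassoc frames."""
    counts = Counter(f["addr2"] for f in frames
                     if f["type"] == TYPE_MGMT and f["subtype"] in (SUB_DEAUTH, SUB_DISASSOC))
    return {bssid: n for bssid, n in counts.items() if n >= threshold}


def detect_policy_violations(frames, authorized_bssids):
    """Policy: only authorized BSSIDs beacon, they advertise RSN, and data is encrypted."""
    alerts = []
    for f in frames:
        src = f["addr2"]
        if f["type"] == TYPE_MGMT and f["subtype"] == SUB_BEACON:
            if src not in authorized_bssids:
                alerts.append(("rogue-ap", src))
            elif not f["privacy"]:
                alerts.append(("open-network", src))
            elif IE_RSN not in f["ies"]:
                alerts.append(("no-rsn", src))   # WEP, or WPA1 via vendor IE 221 (not checked)
        elif f["type"] == TYPE_DATA and src in authorized_bssids and not f["protected"]:
            alerts.append(("unencrypted-data", src))
    return alerts


AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}   # assumed site inventory
CLIENT = "aa:bb:cc:dd:ee:01"


def sample_capture():
    """Constructed traffic: a good AP, a misconfigured open AP, a rogue AP, a deauth burst."""
    raw = [beacon("00:11:22:33:44:01", "corp", privacy=True, rsn=True),
           beacon("00:11:22:33:44:02", "corp", privacy=False, rsn=False),
           beacon("de:ad:be:ef:00:01", "corp", privacy=True, rsn=True),
           data_frame("00:11:22:33:44:01", CLIENT, protected=True),
           data_frame("00:11:22:33:44:02", CLIENT, protected=False)]
    raw += [deauth("00:11:22:33:44:01", CLIENT)] * 25          # spoofed deauth flood
    return [parse_frame(r) for r in raw]


if __name__ == "__main__":
    capture = sample_capture()
    print("deauth flood:", detect_deauth_flood(capture))
    print("policy:", detect_policy_violations(capture, AUTHORIZED))
```

A real sensor would key the flood counter on a sliding time window and would also compare each beacon's SSID against the authorized BSSID list, since the rogue AP in the sample advertises the corporate SSID precisely so that clients will prefer it.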


The best way to deploy a wireless IDS/IPS is to place a sensor within range of
every AP, either as a dedicated sensor radio or as a scanning function of the AP
itself. A dedicated sensor listens continuously on all channels, whereas an AP that
is also serving clients can only scan off-channel intermittently. These sensors
monitor all wireless traffic and in some cases respond to detected attacks.
Wireless IDS/IPS attack responses include:
„ Locating attacking devices—Wireless attackers are almost always near the
AP that is being attacked, and it is often possible for the wireless IDS/IPS to
approximate the attacker’s location. With this knowledge, network
administrators can stop an attack by using a laptop with wireless network
mapping software such as NetStumbler to find the attacker and turn off the
attacking devices.
„ Signal jamming—When a rogue AP is detected, some wireless IPSs can
generate signal noise, or, more commonly, send spoofed deauthentication frames
to the rogue AP's clients. Either prevents sessions between network devices and
the rogue AP from continuing. Check local regulations before enabling RF-based
containment: intentionally broadcasting radio interference is illegal in many
jurisdictions, and an AP that turns out to belong to a neighbor is not yours to
contain.
„ Closing network ports—Most wireless IDS/IPSs have the ability to identify
the network port from which the attack is originating and disable that port.
„ Adjusting ACLs—Wireless IDS/IPSs can add ACL entries to deny traffic
from the IP or MAC address associated with an attack.

Further Reading
For more information on wireless IDS or IPS products, see vendor Web sites
such as:
• AirMagnet (http://www.airmagnet.com/products/enterprise.htm)
• AirDefense (http://www.airdefense.net/products/airdefense_ids.shtm)


Summary

This course has introduced you to four network security layers, as well as solutions
that secure your network at each layer. Additionally, this module introduced you to
some technologies and solutions that you should use to create a comprehensive
network security solution spanning several layers.
After reading this module, you should be able to describe and discuss solutions
such as IDSs, IPSs, UTM devices, and wireless IDS/IPSs, and explain how to
implement these solutions for comprehensive network security.

Glossary

Numeric
3DES Triple DES. A well-known public encryption standard that applies DES
three times (encrypt, decrypt, and encrypt again), each pass with its own
56-bit key, for a total key length of 168 bits. A 168-bit key provides 2^168
(approximately 3.741e+50) possible combinations, although a meet-in-the-middle
attack reduces the effective security of 3DES to about 112 bits. Many security
solutions, including IPsec, the industry standard for VPNs, support 3DES.
See also IPsec and VPN.

802.1AE An IEEE 802.1 standard that specifies Layer 2 security measures
that are designed to withstand MITM, replay, and some DoS
attacks. These measures are collectively known as MACsec.

802.1af A key creation and management amendment that updates the
802.1X standard. IEEE 802.1af keys are used to secure data and
authenticate endpoints in a MACsec-secured LAN. (This work was later folded
into IEEE 802.1X-2010 as the MACsec Key Agreement protocol, MKA.)

802.11i An amendment to the 802.11 standard specifying security
mechanisms for wireless networks (certified by the Wi-Fi Alliance as WPA2).
This standard supersedes the weak security specification WEP. 802.11i
uses the AES block cipher, while WEP and WPA (TKIP) use the RC4
stream cipher.
802.11i architecture contains the following components: 802.1X for
authentication, a four-way handshake that derives and confirms the session
keys, RSN (Robust Security Network) information elements for negotiating
cipher and key-management suites when an association is established, and
AES-based CCMP to provide confidentiality, integrity, and origin
authentication.

802.1X A port-based authentication standard (based on EAP) that is
available on certain network switches and wireless APs. It can be
configured to authenticate hosts equipped with supplicant
software, denying unauthorized access to the network at the Data
Link Layer. The standard is part of the 802.1 group of protocols
and provides authentication to devices attached to a LAN port,
establishing a point-to-point connection or preventing access from
that port if authentication fails.


A
AAA Authentication, Authorization (Access Control), and Accounting.
AAA controls network access and enforces security policies.
Authentication refers to the process of confirming each user’s
identity and is accomplished through the use of passwords, keys,
and often a RADIUS or TACACS+ server. Authorization ensures
that the authenticated user can access only the network resources
to which that user has rights. Accounting refers to the process of
collecting information about how resources are used. The collected
information can then be used for trend analysis, billing, or
auditing. For more information about AAA, see Request for
Comments (RFC) 2989 (at http://www.ietf.org/rfc/rfc2989.txt).

Access control manipulation When a capable device prevents an attacker from
reestablishing a session by adjusting network ACLs so that all packets from the
attacker are dropped.

ACL Access control list. An ACL determines a user’s access rights—
read, write, execute—to different objects depending on the
identifier. The list is a data structure, usually a table, containing
entries that specify individual user or group rights to specific
system objects, such as programs and files. Each accessible object
contains an identifier to its ACL.

Active Content Filtering Blocking Java and ActiveX scripts in order to increase
security by preventing attackers from exploiting such scripts to install
malware or hijack a workstation.

Active response An IDS implementation that automatically takes limited protective
measures once an attack is detected.

Address exhaustion An attack that exhausts a DHCP server’s supply of available
addresses.

Address spoofing An attack involving a rogue DHCP server on the network
assigning bogus addresses to network devices.

Adware Any software package that plays, displays, or downloads
advertising material on a computer while the application is being
used or once the software has been installed.

AES Advanced Encryption Standard. A symmetric block cipher (identical
encryption and decryption keys) that operates on 128-bit blocks with 128-,
192-, or 256-bit keys. IPsec, among many other protocols, uses it to transform
data sent over a VPN tunnel. The winner of a competition sponsored by the
United States government, AES has replaced DES as the preferred
non-classified encryption standard in that country. See DES.


Agent An application on managed devices that acts as the management
server’s intermediary, reporting information on the managed
device’s network usage and activity, and executing configuration
and software changes on behalf of the management server.

AH Authentication Header. An IPsec protocol that provides integrity and
origin authentication for the whole packet, including the IP header, using a
keyed hash (HMAC). AH provides no confidentiality. See ESP.

ALG Application-Level Gateway. A gateway that operates at the
Application Layer, intercepting packets from both ends of a
session. The gateway forwards packets as if it were the other
endpoint.

Anomaly-based detection An attack detection method that attempts to discover
network intrusions based on statistical deviations from pre-established
network norms.

AP Access Point. A device that connects wireless communication
devices together to form a wireless network. The AP usually
connects to a wired network, and can relay data between wireless
devices and wired devices. Several APs can link together to form a
larger network that allows “roaming.” (In contrast, a network
where client devices manage themselves—without the need for
APs—is an ad-hoc network.) Wireless APs have configurable IP
addresses.

ARP Address Resolution Protocol. A protocol used on IPv4 Ethernet
networks to map an IP address to a physical (MAC) address. An
endpoint that wants to obtain a physical address broadcasts an
ARP request onto the network. The endpoint on the
network that has this IP address replies with its physical hardware
address. ARP carries no authentication, so any device can answer for an
address it does not own (see ARP poisoning). For
more information about ARP, see RFC 826 (at
http://www.ietf.org/rfc/rfc0826.txt).

ARP poisoning When an unauthorized device forges an ARP response that is
subsequently adopted by a network device.

ASIC Application-Specific Integrated Circuit. An integrated circuit (IC)
customized for a particular use, rather than intended for general-
purpose use. For example, a chip designed solely to run a cell
phone is an ASIC.

Asymmetric key A public key or a private key used in an asymmetric key algorithm.

Asymmetric key algorithm An algorithm for cryptography that uses one
cryptographic key for encryption and a different key for decryption.


ATM Asynchronous Transfer Mode. A cell-relay network protocol
standard that encodes data traffic into small, fixed-sized cells (53
bytes; 48 bytes of data and 5 bytes of header information) instead
of variable-sized packets.

Authentication The process of confirming a device’s or a user’s identity before
granting a network connection. Authentication can be
implemented through the use of passwords or keys. A RADIUS or
TACACS+ server can handle authentication for an entire network.

Authorization The process of controlling the network resources and services that
a user can access, usually based on the user’s identity. A RADIUS
or TACACS+ server can act as an authorization server, which
makes authorization decisions enforced by other infrastructure
devices. Authorization is sometimes called access control.

Authentication Protocols Protocols that allow the peers in a connection to
verify each other’s identity. In the PPP protocol suite, authentication protocols
include PAP, CHAP, and EAP.

AV Software Antivirus software.

AVP Attribute-Value Pair. AVPs express data as a collection of pairs
<attribute name, value>, thus providing an open-ended, extensible
structure.

B
Backdoor A method of bypassing normal authentication or securing remote
access to a computer, while attempting to remain hidden from
casual inspection. The backdoor may take the form of an installed
program or could be a modification to a legitimate program.

Biometrics Technologies that authenticate users via their physical
characteristics. One of the oldest biometrics is a fingerprint. Other
biometrics—such as voices, faces, and handwriting—have long
been used in day-to-day life, but only relatively recently as
systematic authentication methods. Still other biometrics, such as
iris patterns, are relatively new on all fronts.

Black list A list of devices created for MAC authentication that blocks
network access for any listed device, while granting access to all
other devices.

Block cipher An algorithm that encrypts chunks of data, separating data into
(typically) 128-bit chunks, encrypting each block, and then
sequencing them.

Blowfish A popular block cipher designed by Bruce Schneier, with a 64-bit
block size and a variable-length symmetric key of up to 448 bits.



BPDU Bridge protocol data unit. A Layer 2 frame
that carries spanning tree information. BPDUs are insecure: they
have no authentication and can be easily spoofed. A switch sends a
BPDU frame using the unique MAC address of the port as a
source address, and a destination address of the STP multicast
address.

Brute force attack A method of defeating a cryptographic scheme by trying a
large number of possibilities; working through all possible keys, for
example, in order to decrypt a message.

BSS Basic Service Set. The coverage area in a wireless LAN of one
AP, identified by an SSID. In infrastructure mode, groups of BSSs
can be connected together with the use of a backbone network and
form a network called an ESS.

Bugtraq An electronic mailing list that discusses both new and established
network vulnerabilities while proposing solutions.

C
CA Certificate Authority. A trusted third-party that verifies the
identity of two parties that wish to communicate with one another.
CAs are responsible for generating, distributing, and revoking
digital authentication certificates. VeriSign is an example of a CA.

CA Connectivity Association. A security association between devices
that participate in a MACsec-secured network.

Cache A collection of data duplicating original values stored elsewhere or
computed earlier, where the original data is expensive (usually in
terms of access time) to access or compute relative to reading the
cache. Once data is stored in the cache, a computer can access the
cached copy rapidly instead of having to access or compute the
original data another time, reducing the average access time.

CBC Cipher-Block Chaining. The most common block cipher mode. Before
each plaintext block is encrypted it is XORed with the previous ciphertext
block (the first block is XORed with an initialization vector), so identical
plaintext blocks no longer produce identical ciphertext. The same chaining,
run with a zero IV and keeping only the final block, is the CBC-MAC that
CCMP uses for integrity: the leftmost 64 bits of the last block, computed
with the temporal key derived from the PTK, are the MIC.


CCMP Counter Mode with Cipher-Block Chaining Message
Authentication Code Protocol. The 802.11i encryption protocol,
replacing the insecure WEP protocol. CCMP uses the AES
algorithm in CCM mode, so a single cipher and key handle both encryption
(counter mode) and message integrity (CBC-MAC), unlike WPA's TKIP, which
pairs RC4 encryption with the separate Michael integrity check. CCMP
encrypts the frame body, protects selected header fields, and carries a packet
number in every frame to ensure the confidentiality and integrity of the
communications channel and to prevent replay attacks.

CERT/CC Computer Emergency Response Team Coordination Center. A
U.S. federally funded center of Internet security expertise.

CHAP Challenge Handshake Authentication Protocol. An authentication
protocol that is supported by PPP. With CHAP, the authenticator
challenges the peer. The peer creates a hash value from the challenge and
its pre-shared password. The authenticator computes the same hash and
compares the two values. If they match, authentication succeeds, and the
link is established. For more information about CHAP, see RFC 1994 (at
http://www.ietf.org/rfc/rfc1994.txt); the Microsoft variant MS-CHAPv2 is
described in RFC 2759 (at http://www.ietf.org/rfc/rfc2759.txt). See also
PAP and PPP.

Ciphertext The encrypted form of original information. See plaintext.

Circuit-level gateway A type of firewall, the gateway works at the Session
Layer, or between the Application Layer and the Transport Layer of the
TCP/IP stack. The gateway monitors TCP handshaking between
packets to determine whether a requested session is legitimate.
Information passed to a remote computer through a circuit-level
gateway appears to have originated from the gateway. While
circuit-level gateways hide information about the private network
they protect, they do not filter individual packets once a requested
session is deemed legitimate.

Cleartext Unencrypted text.

Collector An sFlow entity that aggregates and analyzes sFlow datagrams.

Connected token A token such as a smart card or USB token that submits
credentials directly to the user’s authentication client and from
there to the server.

Content-based detection An IPS detection method that identifies attacks
using anomaly-based and pattern-based methods.

Content filtering Web and email filtering to protect a network through the use of
content-control software and spam-blocking solutions.


Cookie A small bit of data that acts as an identifier between a Web
browser and a Web server.

Cookie filtering A method of filtering that tracks changes to a cookie folder and
informs the user when a third party sends a cookie. These filters
can also transparently delete any cookies on a cookie black list.

CRAM-MD5 Challenge-Response Authentication Mechanism-MD5.
Superseded by Digest-MD5, CRAM-MD5 is a challenge-response
authentication mechanism.

CRC checksums Cyclic Redundancy Check. A method of detecting accidental
errors in data transmitted between two devices. The sending device divides
the data by a 16- or 32-bit polynomial, appends the resulting cyclic
redundancy code to the data, and then sends the data. The
receiving device applies the same polynomial to the data and
checks the result against the appended code. If the two do not
match, an error has occurred during the transmission. Because a CRC is
unkeyed and linear, an attacker can modify data and recompute or patch
the CRC, so it offers no protection against deliberate tampering (WEP's
use of CRC-32 as its integrity check is the classic example). See HMAC.

CVE Common Vulnerabilities and Exposures. A dictionary that
provides common names and information on publicly known
network vulnerabilities.

D
DAP Directory Access Protocol. In basic X.500 communications, the
DAP enables communication between the DUA and the DSA, and
defines the operations that users can perform, including read,
search, and modify.

Data Access Encryption of sensitive data for secure storage and transmission
Control over untrusted networks.

Data Integrity A security layer that focuses on protecting stored and transmitted
layer data through the use of various encryption algorithms.

Data Link Layer Layer 2 of the OSI model. At this layer, data frames are encoded
and decoded into bits. The Data Link Layer is divided into two
sublayers: Media Access Control (MAC) and Logical Link
Control (LLC). The MAC sublayer controls how a computer on
the network gains access to data and permission to transmit it. The
LLC sublayer controls frame synchronization, flow control, and
error checking.


DDoS attack Distributed Denial-of-Service attack. This attack involves multiple
compromised systems flooding the bandwidth or resources of a
targeted system—usually web servers. Attackers use a variety of
methods to compromise these systems.
Malware can carry DDoS attack mechanisms. One example was
MyDoom, triggered at a certain date and time. This type of DDoS
involved hardcoding the target IP before release of the malware
and no further interaction was necessary to launch the attack.

DeepSight A free service that allows a company to anonymously upload
firewall and IDS records to a central database so that the company
may discover network vulnerabilities.

Degauss A data destruction method that applies a very strong magnetic
field to a hard drive or tape. The data stored on a hard drive has an
associated magnetic field: bits are polarized in different directions
based on their values and orientation. Depending on the type of
field applied, degaussing either scrambles the magnetic polarity
into random formations or completely polarizes the drive in one
direction.

DES Data Encryption Standard. An early, influential block cipher
design developed at IBM and published in 1977. A precursor to
the AES, adopted in 2001.

Device Access Security layer A security layer that focuses on protecting
managed network devices such as routers, switches, and servers that act as
network security checkpoints.

DHCP Dynamic Host Configuration Protocol. A protocol that allows
network administrators to set up a server that manages IP
addresses, automatically assigning IP addresses to devices on the
network. For more information about DHCP, see RFC 2131 (at
http://www.ietf.org/rfc/rfc2131.txt).

DHCP snooping A security feature that differentiates between trusted and untrusted
ports, builds and maintains a DHCP snooping table, and filters
DHCP requests received on an untrusted port.

DIB Directory Information Base. A database of names in an X.500
system, also called “white pages.”

Diffie-Hellman exchange A cryptographic protocol that allows two parties
without prior acquaintance to set up a shared secret key over an insecure
communications channel. This key can then be used to encrypt
subsequent communications using a symmetric key cipher. On its own the
exchange authenticates neither party, so in practice it is combined with
certificates, pre-shared keys, or signatures (as IKE does).
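As an added example (not from the student guide), the exchange below runs Diffie-Hellman in Python with both parties' messages visible, then runs it again with an active attacker in the channel to show why "without prior acquaintance" is also the protocol's weakness. The group is a deliberately tiny toy, p = 1019 (a safe prime) with generator 4 of the order-509 subgroup, chosen only so the arithmetic is readable; real deployments use 2048-bit or larger MODP groups (RFC 3526, RFC 7919) or elliptic-curve DH. The subgroup check in shared_secret is the validation a real implementation performs on every received public value.

```python
"""Diffie-Hellman with a toy safe-prime group, and the MITM it does not prevent
(added example; parameters are intentionally tiny)."""
import secrets

P = 1019           # toy safe prime: (P - 1) / 2 = 509 is also prime
Q = (P - 1) // 2   # order of the subgroup generated by G
G = 4              # 4 = 2^2 is a quadratic residue, so it generates the order-Q subgroup


def keypair():
    """Private exponent in [1, Q), public value G^priv mod P."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Reject degenerate and small-subgroup public values before exponentiating."""
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("peer public value is not in the prime-order subgroup")
    return pow(peer_pub, priv, P)


def honest_exchange():
    """Alice sends A = G^a, Bob sends B = G^b; both compute G^(ab)."""
    a, A = keypair()
    b, B = keypair()
    return shared_secret(a, B), shared_secret(b, A)


def mitm_exchange():
    """Mallory replaces A and B in transit with her own M. Alice 'agrees' with
    Mallory, Bob 'agrees' with Mallory, and Mallory can decrypt, read and
    re-encrypt everything in between. Returns the four keys so the pairing is visible."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    k_alice = shared_secret(a, M)      # Alice believes M came from Bob
    k_bob = shared_secret(b, M)        # Bob believes M came from Alice
    return k_alice, shared_secret(m, A), k_bob, shared_secret(m, B)


if __name__ == "__main__":
    print("honest:", honest_exchange())
    print("mitm  :", mitm_exchange())
```

The honest run returns two equal values; the MITM run returns two pairs of equal values, one shared between Alice and Mallory and one between Bob and Mallory, and nothing in the exchange itself lets Alice or Bob notice.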


Digest-MD5 A challenge-response SASL mechanism based on the MD5
message-digest algorithm. The LDAP server sends a challenge and its
supported authentication options to the client; the client responds with a
digest computed from the challenge, its credentials, and the chosen options.
The server computes the same digest and verifies the client’s response, so
the password itself never crosses the network. The Digest-MD5 SASL
mechanism also supports the establishment of a negotiated
security layer that performs integrity and privacy protection after
successful authentication.

Digital certificate An electronic document that contains a public key and is digitally
signed by a third-party issuer such as a CA. Digital certificates are
used for network authentication. They contain the certificate
holder’s name, a serial number, the expiration dates, and a copy of
the certificate holder’s public key (used for encrypting messages).

Disconnected A token that requires the user to manually input information into
token an authentication client.

DNS Domain Name System. A system that translates domain names (such as
the host name in a URL) to their associated IP addresses and communicates
this information throughout the Internet. DNS allows a user to enter a name
instead of a numeric IP address into an Internet browser while providing a
way for network devices to find and reconcile the name with its IP
address. For more information, see RFC 3696 (at http://
www.ietf.org/rfc/rfc3696.txt).

DoS attack Denial-of-Service attack. An attack that consumes network
bandwidth or overloads the resources of a computer system. DoS
attacks obstruct communication between intended users and cause
computers to reset or consume their resources so they can no
longer provide their intended service.

DSA Directory System Agent. In basic X.500 communications, the
DSA runs on servers that hold the DIB—or a portion of it—
and functions as an access point for the DUA. In addition to
responding to queries from DUAs, a DSA communicates with
other DSAs in the directory tree.

DSP Directory System Protocol. In basic X.500 communications, the
DSP enables and defines communication between DSAs.

DUA Directory User Agent. In basic X.500 communications, the DUA
accesses the directory tree on behalf of the user. The DUA runs on
the user’s endpoint, enabling a user to perform authorized
operations such as accessing, reading, searching, or modifying
information in the directory tree.

Dynamic ARP protection Intercepts ARP communication on untrusted ports
and checks whether intercepted packets have a valid address binding.


E
EAP Extensible Authentication Protocol. A protocol that allows PPP to
use authentication protocols that are not part of the PPP suite. For
more information about EAP, see RFC 3748 (at
http://www.ietf.org/rfc/rfc3748.txt). See also CHAP, PAP,
and PPP.

EAP-GTC EAP-Generic Token Card. One of the least secure EAP methods,
EAP-GTC features a two-step exchange similar to EAP-MD5.
Traditionally, the authentication credential submitted was a value
read from a token card. However, EAP-GTC can carry simple
passwords as well. EAP-GTC transports the authentication
credentials much as they are transported in CHAP.

EAP-MD5 EAP-Message Digest 5. One of the least secure EAP methods,
EAP-MD5 involves an EAP Request, which indicates the
authenticator requires this method, and an EAP Response, which
includes the hash of the user’s password. EAP-MD5 transports the
authentication credentials much as they are transported in CHAP.

EAP-TLS EAP-Transport Layer Security. This transport mechanism uses a
TLS handshake to exchange digital certificates and
generate encryption keys. Considered one of the most secure EAP
standards available, EAP-TLS is supported by virtually all
manufacturers of wireless LAN hardware and software. The
requirement for a client-side certificate gives EAP-TLS its
authentication strength but limits its implementation.

EAP-TTLS EAP-Tunneled Transport Layer Security. A transport mechanism
developed to provide much of the security of EAP-TLS without
forcing endpoints to use digital certificates—drastically cutting the
work in implementing the protocol. EAP-TTLS is widely
supported across platforms, and offers very good security, using
PKI certificates only on the authentication server.

Email content filtering Using virus detection, spam filters, and content and
image filters to filter incoming and outgoing emails.

Emulator A type of sandbox that simulates an OS work environment while
acting as an intermediary between an untrusted program and OS
resources. Programs running in this virtual environment have
limited access to device resources and no direct access to the OS.

Endpoint Integrity layer A security layer that focuses on keeping endpoint
devices such as laptops and workstations from infecting the network by
ensuring that the devices are continuously running antivirus software,
personal firewall software, and monitoring agents, and that they
are staying up to date on OS patches.

ESP Encapsulating Security Payload. An IPsec security protocol that
encrypts the packet payload and can also provide integrity and origin
authentication (via an HMAC) for the encrypted data, though not for the
outer IP header. See AH.

ESS Extended Service Set. A set of one or more interconnected BSSs
and integrated LANs that appear as a single BSS to the logical link
control layer at any station associated with one of those BSSs.

F
False positive Traffic that may appear abnormal and is flagged as an attack, but
that is not destructive in any way.

Firewall A logical barrier designed to prevent unauthorized or unwanted
communications between sections of a computer network. A
firewall is hardware/software that functions in a networked
environment to prevent some communications forbidden by the
security policy, analogous to the function of firewalls in building
construction.

Flow A flow is a collection of IP packets that have similar attributes.

Fraggling A variant of smurfing that uses UDP (typically the echo and
chargen services) instead of ICMP: the attacker sends requests to a
broadcast address with the victim's address spoofed as the source, so
that every responding host on the network bombards the victim with
replies.

Frame Relay Frame Relay is a protocol standard that provides a fast and
efficient method of data transmission for intermittent traffic
between LANs and between endpoints in a WAN. Frame Relay
puts data in a variable-size unit called a frame and leaves any
necessary error correction (retransmission of data) up to the
endpoints, which speeds up overall transmission time.

G
Galois/Counter An AES block cipher mode that incorporates Galois mathematical
Mode fields into the algorithm. This mode of AES allows MACsec to be
implemented within hardware at nominal cost while satisfying
high-speed requirements. See “The Galois/Counter Mode of
Operation” by McGrew and Viega at
http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/gc
m-revised-spec.pdf for more information.

Granular rate limiting When an IPS limits packet-forwarding rates based on
their characteristics.


GRE Generic Routing Encapsulation. A protocol that allows an arbitrary
network protocol A to be transmitted over any other arbitrary
network protocol B by encapsulating the packets of A within GRE
packets, which in turn are contained within packets of B.

GSSAPI Generic Security Services Application Program Interface. While
not providing any security itself, GSSAPI enables programs to access
security services through one interface. It addresses the problem that
there are many similar but incompatible security services in use today.

H
Hash function A one-way function that maps input of any length to a
fixed-size value (the hash or digest). Because a good hash function makes it
computationally infeasible to find another input that produces the same
hash value, the resulting hash is treated as a unique fingerprint of the input.
A hash function is not encryption: the input cannot be recovered from
its hash.

HC-256 A stream cipher developed by Hongjun Wu for relatively strong
encryption at high speeds.

HDLC High-Level Data Link Control. A group of protocols or rules for
transmitting data between network endpoints. The data is
organized into a unit called a frame and sent to a destination that
verifies its successful arrival. HDLC also manages the speed at
which data is sent.

HIDS Host-based intrusion detection system. Monitors and analyzes the
internals of a computing system (endpoint devices) in order to
detect attacks.

HIPS Host-based intrusion prevention system. An IPS that resides upon
and monitors a network endpoint device.

HMAC Keyed-hash message authentication code. A message digest computed
from the message and a secret key using a one-way hash function (for
example, HMAC-SHA-256). Without the key an attacker cannot compute a
valid HMAC for a modified message, which is what distinguishes a MAC
from a checksum such as a CRC.
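The following added example (not from the student guide) makes the CRC-versus-HMAC distinction from the two glossary entries concrete. CRC-32 is affine over GF(2), so for equal-length inputs crc(m XOR d) = crc(m) XOR crc(d) XOR crc(zeros); an attacker who knows only which bits to flip can patch the checksum without knowing the message. Under a stream cipher that XORs a keystream into plaintext||CRC, as WEP does, the same patch can be applied to the ciphertext without the key, which is the classic WEP integrity failure. The keystream here is a constructed stand-in for RC4 output, and the message, key and bit-flip mask are sample data; the HMAC check at the end uses Python's standard hmac module.

```python
"""CRC-32 versus HMAC as an integrity check (added example, constructed data)."""
import hashlib
import hmac
import zlib


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def forge_crc(original_crc, delta):
    """CRC-32 is affine: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0 * len), so the new
    checksum follows from the old one and the bit-flip mask alone."""
    return original_crc ^ crc32(delta) ^ crc32(bytes(len(delta)))


def crc_check(msg, tag):
    return crc32(msg) == tag


def hmac_tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_check(key, msg, tag):
    return hmac.compare_digest(hmac_tag(key, msg), tag)


def tamper_ciphertext(ciphertext, delta):
    """Attacker side, WEP-style: ciphertext = (plaintext || CRC) XOR keystream.
    XOR the mask into the body and the matching correction into the 4-byte CRC
    field, with no knowledge of the keystream or the plaintext."""
    body_len = len(ciphertext) - 4
    crc_delta = crc32(delta) ^ crc32(bytes(body_len))      # crc(m ^ d) ^ crc(m)
    return xor_bytes(ciphertext, delta + crc_delta.to_bytes(4, "big"))


def demo():
    """Encrypt 'transfer 100 to alice' + CRC, flip 'alice' to 'mallo' in the ciphertext,
    and report what the receiver sees: (decrypted body, CRC verdict, HMAC verdict)."""
    keystream = hashlib.sha256(b"constructed keystream").digest() * 2   # stands in for RC4
    msg = b"transfer 100 to alice"
    frame = msg + crc32(msg).to_bytes(4, "big")
    ct = xor_bytes(frame, keystream)

    delta = bytearray(len(msg))                 # mask: only the recipient name changes
    for i, (a, b) in enumerate(zip(b"alice", b"mallo")):
        delta[16 + i] = a ^ b
    ct2 = tamper_ciphertext(ct, bytes(delta))

    frame2 = xor_bytes(ct2, keystream)          # receiver decrypts
    body, tag = frame2[:-4], int.from_bytes(frame2[-4:], "big")
    key = b"constructed-demo-key"               # what an HMAC-protected frame would carry
    return body, crc_check(body, tag), hmac_check(key, body, hmac_tag(key, msg))


if __name__ == "__main__":
    print(demo())
```

The receiver accepts the forged "transfer 100 to mallo" because the CRC still matches, while an HMAC computed over the original message fails on the modified body; the attacker cannot produce a replacement HMAC without the key.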

Honeypot A network resource without a legitimate use within a network,
designed to attract attackers away from a trusted network by
intercepting an attack and providing an alternative environment for
the attacker to work in.

Honeynet A network—with actual servers, switches, routers, and hubs—that
includes one or more high-interaction honeypots. While honeynets
provide no legitimate network services, they are designed to
intercept an attack and monitor it in an isolated network
playground.


I
ICMP Internet Control Message Protocol. ICMP is part of the IP suite.
OSs that use IP as their network protocol chiefly use ICMP to send
error messages—indicating, for instance, that a requested service
is not available or that an endpoint or router could not be reached.
For more information, see RFC 792 (at
http://www.ietf.org/rfc/rfc0792.txt).

IDEA International Data Encryption Algorithm. A block cipher intended
as a replacement for DES. Originally called IPES (Improved
Proposed Encryption Standard).

IDM Identity Driven Manager. Software that provides management of
user-based profiles (including ACLs, QoS settings, and rate
limits). IDM can create communities of users and define settings
for each user.

IDS Intrusion detection system. Intrusion detection is the art of
detecting and differentiating unwanted or unauthorized network
traffic from normal network behavior. An IDS uses a combination
of sensors, network audit data such as SNMP traps and syslogs,
integrity monitoring, and various analysis methods to detect
network intrusions.
Intrusion detection works on the principle that all intruders leave a
mark: they often target certain types of files and information,
create anomalous network activity, or make network changes.
Knowing how an intruder works can give you an idea of what
kinds of intrusions to look for.

IETF Internet Engineering Task Force. A large international community
of network designers, operators, vendors, and researchers
concerned with developing Internet architecture and maintaining
the smooth operation of the Internet. The IETF is responsible for
publishing RFCs. For more information on IETF, visit their Web
site at http://www.ietf.org/.

IGMP Internet Group Management Protocol. A communications protocol
that manages the membership of IP multicast groups. IP hosts and
adjacent multicast routers use IGMP to establish multicast group
memberships. IGMP is an integral part of the IP multicast
specification, like ICMP for unicast connections. IGMP is used for
online video and gaming, and allows more efficient use of
resources when supporting these uses.

IKE Internet Key Exchange. A standard that negotiates and
establishes SAs.

Rev. 6.41 G – 13
ProCurve Network Security Fundamentals

IM Instant messaging. A form of real-time communication between
two or more people based on typed text. The text is conveyed via
computers connected over a network such as the Internet.

Impersonation attack When an attacker assumes the identity of an authorized user in
order to gain read-write access to management operations.

IPFIX IP Flow Information eXport. IPFIX is a protocol that samples the
beginning and end of every flow transmitted through a network
backbone device and reports the information it gathers to a
network management and accounting system. For more
information, see RFC 3917 (at http://www.ietf.org/rfc/rfc3917.txt),
and RFC 3955 (at http://www.ietf.org/rfc/rfc3955.txt).

IPS Intrusion prevention system. A device that exercises access control
to protect computers from exploitation. IPSs were invented to
resolve ambiguities in passive network monitoring by placing
detection systems in-line. They are designed to detect network
attacks and take immediate countermeasures rather than waiting
for a network administrator to take reactive measures. And unlike
IDSs, IPSs can stop the initial exploit from being successful while
responding to the attack.

IPsec IP Security. A set of protocols that supports the secure exchange
of packets at the IP layer. For example, devices can use IPsec to
establish a VPN through an untrusted IP network such as the
Internet. The VPN connection, secured by IPsec, can connect
remote sites or provide individual remote users access to the
private network through their Internet connections. For more
information on IPsec, see RFC 2401 (at
http://www.ietf.org/rfc/rfc2401.txt).

IPv4 Internet Protocol version 4. The fourth IP version, and the first
iteration of the protocol to be widely deployed. Apart from IPv6, it is
the only IP version used on the Internet.

IPv6 Internet Protocol version 6. The sixth IP version. IPv6 is a Network
Layer standard that electronic devices use to exchange data across a
packet-switched internetwork. It is the second IP version (after
IPv4) to be formally adopted for general use. Among IPv6
improvements is an increase of addresses for networked devices.

IPv6 Privacy Extensions A tool to obscure address patterns by creating dynamic interface
identifiers used with stateless autoconfiguration. These dynamic
identifiers vary within a particular network, and are created by
using an MD5 hash to periodically generate pseudo-random
interface identifiers.

ISAAC Indirection, Shift, Accumulate, Add, and Count. An algorithm
developed by Bob Jenkins used for stream-cipher encryption.

IXP Internet Exchange Point. Infrastructure through which Internet
service providers exchange traffic, allowing wide-spread
communication between networks.

J
Jail A type of sandbox that imposes device resource restrictions without
completely isolating the untrusted content from the OS. A jail often
consists of a file system that has severe limits on CPU time, RAM,
shared memory, and bandwidth. The untrusted content is executed
after placing it in this highly restricted file system.

JFlow Juniper Networks’ proprietary implementation of NetFlow.

K
KCK Key Confirmation Key. A key that combines with packet-specific
data to calculate the MIC in TKIP.

KDC Key Distribution Center. A trusted third party that facilitates the
exchange of encryption keys.

KEK Key Encryption Key. A key used in TKIP to encrypt 802.1X
packets, ensuring that authentication takes place over a secure
connection.

Kerberos A security suite that allows individuals communicating over an
insecure network to prove their identity to one another in a secure
manner that prevents eavesdropping or replay attacks and ensures
data integrity. An authentication server checks clients’ credentials
and issues tickets to authenticated clients for various network
services.

Key A known string of text (cryptovariable) that encryption algorithms
use to be able to convert sensitive data into ciphertext and also to
turn ciphertext back into the original information (plaintext).

Keylogger Hardware or software that captures the user’s keystrokes.
Keylogging is used to determine error sources in computer
systems. Keylogging is also highly useful for law enforcement and
espionage—for instance, providing a means to obtain passwords or
encryption keys and thus bypassing other security measures.
Keyloggers, however, are widely available on the Internet and can
be used by anyone for the same purposes.

Keyword Filtering The most basic and least effective method of Web-based content
filtering, keyword filtering scans for specific words in the text of a
Web page as it is downloaded and blocks the page if any of the
listed words in its database are detected.

L
L2F Layer 2 Forwarding. A tunneling protocol enabling organizations
to set up VPNs that use the Internet backbone to move packets.

L2TP Layer 2 Transport Protocol. A VPN support protocol that uses
PPTP and the L2F protocols to provide encapsulation for Layer 2
protocols such as Frame Relay, ATM, and HDLC, in addition to
providing PPP encapsulation.

LAN Local area network. A group of computers and associated devices
within a small geographic area that share a common
communications line. The computers also often share the resources
of a single server or set of servers.

LDAP Lightweight Directory Access Protocol. A networking protocol for
querying and modifying directory services running over TCP/IP.
An LDAP directory—following the X.500 model—is usually a
tree of entries, each consisting of a set of named attributes with
values. The directory is extensible, allowing vendors to add new
objects or new attributes to entries.
An LDAP directory often reflects various organizational
boundaries. Deployments tend to use DNS names for structuring
the root level of the hierarchy. Further into the LDAP directory
may appear entries representing organizational units, people,
printers, and documents.

M
MAC Media Access Control. The MAC layer is the lowest Data Link
sublayer, and it interfaces directly with the network medium. A
MAC address is a hardware address that uniquely identifies each
node of a network.

MAC-Auth MAC authentication. A type of authentication that is hardware-
based as opposed to user-based and operates at the Data Link
layer. MAC-Auth does not require device configuration or user
interaction, blocking and granting network access on the basis of
black lists and white lists.

MACsec Media Access Code Security. MACsec is the IEEE 802.1AE
standard, which specifies additional network security at OSI Layer 2.

Malware Software designed to infiltrate or damage a computer system. The
term covers computer viruses, worms, Trojan horses, spyware, and
adware. In law, malware is sometimes known as a computer
contaminant. Malware is different from defective software that has
a legitimate purpose but contains errors or bugs.

Managed devices Network endpoint devices that the management server manages
and monitors.

Management server A central server that analyzes information received from endpoint
devices. With this information a network administrator can
monitor network usage and detect attacks.

Management VLAN A VLAN that isolates device management traffic from all other
user traffic on the device. A remote user must gain access to the
management VLAN before he or she can gain management access
to the switch.

MD5 Message Digest 5. A hash algorithm used to create digital
signatures. MD5 is a one-way hash function that transforms and
condenses data into a fixed string of digits called a message digest.
A variety of protocols, including AH and ESP, use MD5 to check
a message’s data integrity as well as authenticate the sender. The
ProCurve Secure Router uses MD5 transformation to encrypt
various system passwords.

MIC Message Integrity Code. A cryptographic checksum, more
complex than a simple CRC checksum, used in the handshaking
process, equivalent to Message Authentication Code.

MIME Multipurpose Internet Mail Extension. MIME is an Internet
standard for the format of email. MIME extends the format of
Internet mail to allow non-ASCII textual messages, non-textual
messages, multipart message bodies, and non-ASCII information
in message headers.

MITM attack Man-in-the-middle attack. When an attacker reads, inserts, and
modifies messages between two parties without either party
knowing that the link between them has been compromised. The
attacker must be able to observe and intercept messages going
between the two victims.

MPPE Microsoft Point to Point Encryption. A method of encrypting data
transferred across PPP-based dial-up connections or PPTP VPN
connections.

MyDoom A computer worm that became the fastest spreading email worm
ever (as of January 2004). The worm’s actual author is unknown;
it was perhaps commissioned by email spammers so as to send
junk email through infected computers.

N
NAS Network Access Server. NASs enforce the decisions of AAA
servers, guarding access to the Internet, printers, a phone network,
or other protected resources. While an NAS does not contain
information about what clients can connect or what credentials are
valid, it does send a client’s credentials to an AAA server that
processes them and directs the NAS how to proceed.

NAT Network Address Translation. Conserving IP addresses, NAT acts
as a gateway between two networks, translating IP addresses used
in one network to different IP addresses known within another
network. NAT enables multiple hosts on a private network to
access the Internet with a single public IP address. Typically, NAT
translates many private network addresses to one or a few public
IP addresses. For more information on NAT, see RFC 3022 (at
http://www.ietf.org/rfc/rfc3022.txt).

NBAD Network Behavior based Anomaly Detection. NBAD is an
anomaly-based NIDS that is designed to detect intrusions based on
the network traffic behavior rather than on signatures. The NBAD
system observes network traffic and builds a normal network
usage profile. When the current traffic flow deviates significantly
from the established profile it generates an attack alarm.

NCP Network Control Protocol. A group of protocols within the PPP
suite. NCPs carry information about how to manage higher-level
protocols, primarily Network Layer (Layer 3) protocols. Each
Network Layer protocol that can be encapsulated in a PPP frame
has a separate NCP with its own configuration options. When
establishing a PPP session, peers exchange the NCP for the
Network Layer protocol used by the packets that they will send
across the link.

NetFlow A proprietary packet sampling standard for collecting IP traffic
information. NetFlow profiles and characterizes traffic flows and
sends the resulting information to a NetFlow collector that
analyzes the data.

Network Access Control A security implementation that attempts to control access to a
network by enforcing security policy, restricting prohibited
traffic types, identifying and containing users that break rules or
are noncompliant with policy, and stopping and mitigating
security threats.

Network Access Control Security layer A security layer that focuses on methods to prevent attackers from
gaining entry or access to a network by using identity
authentication, access control, and recordkeeping.

NIDS Network-based intrusion detection system. A system that tries to
detect malicious activity such as DoS attacks by monitoring
network traffic. To do this, sensors are placed at choke points to
capture and analyze all packets that traverse the network.

NIPS Network-based intrusion prevention system. An IPS that detects
attacks by monitoring network traffic. NIPS devices must be
placed in-line with traffic to be able to effect security measures.

Non-reproducible credential A hard-to-duplicate physical object such as a token card. Users
are less apt to voluntarily distribute such credentials to
unauthorized users.

NTP Network Time Protocol. One of the oldest internet protocols still
in use, NTP synchronizes computer clocks over packet-switched,
variable-latency data networks. NTP uses UDP as its transport
layer and is designed to resist the effects of variable latency.

O
One-way encryption Irreversibly encrypting data into a unique stream called a hash
value or message digest.

OSI Open Systems Interconnection. A layered description for
communications and computer network protocol design,
developed as part of the OSI initiative. The seven layers of the OSI
Model in descending order are: Application, Presentation, Session,
Transport, Network, Data Link, and Physical.

OTP One-time password. A password that changes after each login, or
after a set time interval, making unauthorized access to computer
resources more difficult.

P
Packet At OSI Layer 3, a block of data encapsulated within one or more
lower-layer protocol headers. These headers provide information
about the packet’s application and about how the packet is to be
handled and routed as it travels through the network. A packet that
has been encapsulated within a Data Link Layer protocol is called a
frame or a cell.

Packet-filtering firewall As the network guardian, a packet-filtering firewall screens
incoming and outgoing packets according to defined rules by
scanning IP headers. The firewall operates at the Transport and
Network layers.

Packet Sampling Rather than sending every single packet that traverses the network
to the IDS analyzer, packet sampling uses statistical sampling to
create a statistically accurate profile of network traffic within a
margin of error.

PAP Password Authentication Protocol. An authentication protocol that
is part of the PPP suite. Because PAP authenticates hosts by
transmitting unencrypted ASCII passwords over the network, PAP
is considered insecure. See also CHAP and EAP.

Password cracker Software that finds weak passwords and cracks them, granting
attackers access to the network. Password crackers were originally
intended for network administrators to identify weak passwords
and create more secure ones.

Pattern-based detection A method of attack detection that compares network audit data
with known attack behaviors and patterns using either rules or
signatures.

PDA Personal digital assistant. A versatile handheld device originally
designed as a personal organizer. The uses of a basic PDA include:
accessing the Internet, recording notes, sending and receiving
email, video recording, calculating, and playing computer games.
A PDA can also function as a clock, calendar, radio, stereo,
address book, and spreadsheet. Newer PDAs have color screens,
audio capabilities, and can act as mobile phones, Web browsers, or
media players.

PEAP Protected EAP. A transport mechanism developed to provide
much of the security of EAP-TLS without forcing endpoints to use
digital certificates—drastically cutting the work in implementing
the protocol. PEAP requires only a server-side PKI certificate to
create a secure TLS tunnel to protect user authentication.

PGP Pretty Good Privacy. PGP encrypts emails using both public-key
and symmetric-key cryptography. PGP also includes a system that
binds a public key to user identities and is incompatible with
S/MIME.

Phishing A form of criminal activity using social engineering techniques.
Phishers attempt to fraudulently acquire sensitive information,
such as passwords and credit card details, by masquerading as a
trustworthy person or business in an electronic communication.
Phishing is typically carried out using email or instant messaging.

Ping A computer network tool used to test whether a particular host is
reachable across an IP network. Ping works by sending ICMP “echo
request” packets to the target host and listening for ICMP “echo
response” replies. Using interval timing and response rate, ping
estimates the round-trip time and packet loss rate between hosts.

Ping of Death An attack on a computer that involves sending a malformed ping
to a computer. A ping is normally 64 bytes in size; many computer
systems cannot handle a ping larger than the maximum IP packet
size that is 65,535 bytes. Sending a ping of this size often crashes
the target computer.
Generally, sending a ping packet of a size such as 65,536 bytes is
illegal according to networking protocol, but a packet of such a
size can be sent if it is fragmented. When the target computer
reassembles the packet, a buffer overflow can occur, often causing
a system crash. Most systems since 1998, however, have been
fixed, so this bug is mostly historical.
In recent years a different kind of ping attack, ping flooding, has
become widespread. The idea is simply to flood the victim with
so much ping traffic that normal traffic fails to reach the system.

PKI Public key infrastructure. A system of digital certificates, CAs,
and other registration authorities that verify and authenticate the
validity of each party involved in an Internet transaction. PKI
enables users to privately exchange data using a public
infrastructure, like the Internet, by managing keys and certificates.
A user obtains a public and private key pair from a trusted CA.
The user authenticates itself with a certificate, which includes its
identification information, public key, and a CA signature. The
user can authenticate messages with its private key. See also CA,
digital certificates, and DSS.

PMK Pairwise Master Key. The first key created in TKIP, calculated
using a shared secret generated during the 802.1X authentication
process.

Polymorphic / metamorphic code Code that mutates while keeping the original algorithm intact.
Viruses and worms sometimes use this technique to hide their
presence. Polymorphic algorithms make it difficult for AV
software and IDSs to locate offending code as it constantly
mutates.
Encryption is the most commonly used method of achieving
polymorphism in code. Not all of the code, however, can be
encrypted as it would be completely unusable. A small portion is
left unencrypted and used to jumpstart the encrypted software. AV
software targets the unencrypted portion of code.
Malicious programmers try to protect polymorphic code by
rewriting the unencrypted decryption engine each time the virus or
worm is propagated. Antivirus software uses sophisticated pattern
analysis to find underlying patterns within the different mutations
of the decryption engine in order to detect such malware.

Port filtering Denying Internet access to centralized servers of public IM and
peer-to-peer (P2P) servers in order to protect a network from
intrusions, data theft, DoS attacks, viruses, and worms.

Portlet A pluggable user interface component managed and displayed in a
web portal. Portlets produce fragments of markup code that are
aggregated into a portal page. A portal page is typically displayed
as a collection of non-overlapping portlet windows. Hence a
portlet (or collection of portlets) resembles a web-based
application that is hosted in a portal. Portlet applications include
email, weather reports, discussion forums, and news.

Positive Any traffic or behavior that a security solution marks as an attack
(whether rightly or wrongly). See also False positive.

PPP Point-to-Point Protocol. A suite of Data Link Layer protocols. PPP
connects two peers in an end-to-end link. To establish a PPP
session, the two peers must exchange frames, in order, from at
least three protocols: LCP, an NCP, and PPP. As its name
suggests, PPP is typically used for Internet connections originating
from a dial-up line or a high-speed modem. For more information
on PPP, see RFC 1661 (at http://www.ietf.org/rfc/rfc1661.txt).

PPTP Point-to-Point Tunneling Protocol. A VPN support protocol that
encapsulates a PPP session inside a GRE protocol header.
Encryption is provided by MPPE, and endpoint authentication is
provided by EAP.

Private key A key used only for decryption in an asymmetric key algorithm.
The key is kept secret and enables only the receiver to perform
decryption.

Protocol A set of standard rules required for sending mutually-coherent
information over a communications channel. Each layer of the OSI
model can include many different protocols. For example, Data
Link Layer protocols include (among others) Ethernet, Frame
Relay, PPP, and ATM, and these protocols dictate how links
between hosts on a network are initiated, maintained, and
terminated.

Proxy server A server that allows clients to make indirect network connections
to other network services. A client that has connected to a proxy
server requests a resource available on another server. The proxy
then provides the resource either by connecting to the specified
server or by serving it from a cache. In some cases, the proxy may
alter the client’s request or the server’s response for various
purposes. A proxy server can also serve as a firewall.

PTK Pairwise Temporal Key. A key calculated in TKIP by a four-part
handshake that uses randomly generated numbers and device
MAC addresses. The PTK splits into three keys—KEK, KCK,
TK—each with its own part to play in TKIP.

Public key A key used only for encryption in an asymmetric key algorithm.
The key is published and enables any sender to perform
encryption.

Q
QoS Quality of Service. The “quality” of the packet forwarding service
provided to a packet. A value set in the packet’s ToS field can
request a specific level of QoS. QoS mechanisms regulate and
manage traffic across a WAN link to reduce latency for high-
priority packets and to increase the quality and speed of data
transmissions. QoS mechanisms include queuing methods,
buffering, dropping of excess traffic, and traffic shaping. For more
information on current QoS architecture, see RFC 2990 (at
http://www.ietf.org/rfc/rfc2990.txt). See also DiffServ, FRTS,
GTS, IP precedence, LLQ, and WFQ.

R
RADIUS Remote Authentication Dial-In User Service (RADIUS) is an
AAA protocol for applications such as network access or IP
mobility. It is intended to work in both local and roaming
situations. For more information, see RFC 2865
(http://www.ietf.org/rfc/rfc2865.txt).

RADIUS server When you connect to an ISP, the RADIUS server checks that the
login information is correct using authentication schemes. If
accepted, the server then authorizes access to the ISP system and
selects an IP address, L2TP parameters, etc. The RADIUS server is
also notified if and when a session starts and stops.

Rate-based detection An IPS detection method that attempts to prevent DoS and DDoS
attacks. Rate-based IPS solutions typically ignore traffic content,
only monitoring traffic that is characteristic of a network flood,
scan, or malware outbreak.

RC2 Rivest Cipher 2. A 64-bit block cipher with a variable size key
created by noted cryptologist Ron Rivest of RSA fame. See RSA.

RC4 Rivest Cipher 4 (or ARCFOUR). A widely used software stream
cipher used in protocols such as SSL and WEP. Created by noted
cryptologist Ron Rivest of RSA fame. See RSA.

Reconnaissance attack A method of attack in which the attacker eavesdrops on the
exchanges between managed agents and a management station in
order to collect information about the network or discover the
read-write community string.

Reflected DDoS attack A method of attack in which forged requests of some type are sent
to a large number of computers that will reply to the requests.
Using IP spoofing, the attacker sets the source address to that of
the targeted victim so that all replies flood the target.

Remanence The magnetic field that remains in a material after the magnetizing
element is removed.

Remediation The process of quarantining non-compliant endpoint devices that
request network access.

Remote Mirroring Technology that enables you to send mirrored traffic from network
devices to a remote analyzer using the network infrastructure
rather than a dedicated line.

RFC Request For Comment. The core method of publishing Internet
specifications. RFCs are a series of technical documents submitted
to IETF and published on the Internet. An Internet Document can
be submitted to the IETF by anyone, but the IETF decides whether
the document becomes an RFC. Eventually, if it gains enough
interest, the RFC may evolve into an Internet standard. For more
information see RFC pages at the IETF Web site
(http://www.ietf.org/rfc.html).

Rootkit Software tools that conceal running processes, files, or system
data, thus helping an intruder maintain access to a system while
avoiding detection. Rootkits often modify parts of an OS or install
themselves as drivers or kernel modules.

Router A device that forwards data packets from one network to another.
A router connects at least two different networks. A WAN router
often connects LANs to WANs or to an ISP. A router uses a
packet’s Layer 3 header to determine the route it should send the
packet over. The router uses its routing table, which can be
configured manually or generated using routing protocols, to
determine the best routes for forwarding packets.

RSA Rivest Shamir Adleman. Algorithm for public key encryption
developed by Ron Rivest, Adi Shamir, and Len Adleman and used
in many digital certificates.

RSTP Rapid Spanning Tree Network Protocol. An evolution of STP
providing for faster spanning tree convergence after a topology
change. RSTP prevents broadcast storms (unintentional DoS
attacks) that arise from redundant network links in an OSI Layer 2
switched network.

Rule-based detection Attack detection on the basis of preconfigured profiles that
characterize known security attack scenarios.

S
SA Security association. The set of algorithms, protocols,
authentication methods, and keys to be used to authenticate
endpoint devices and protect the traffic transmitted across a
particular secured connection.

Sandbox A highly restricted environment for running untrusted files.
Software engineers originally used sandboxes to test projects in
development without actually putting devices at risk.

SASL Simple Authentication and Security Layer. SASL provides an
open authentication framework that supports a variety of
authentication and data integrity methods. In general, SASL
specifies a challenge-response sequence in which the LDAP server
and the LDAP client exchange information required for
authentication.

Sasser A computer worm that affects computers running vulnerable
versions of Windows XP and 2000. Like other recent worms,
Sasser spreads by exploiting the system through a susceptible
network port.

SC Secure Channel. A one-way communications path that is secured
by a security association (SA). In a MACsec-secured network,
devices that participate in the connectivity association form SCs
with directly connected neighbors.

SCP Secure Copy Protocol. Secures file transfers over an encrypted
SSH connection.

Session disruption When an IDS terminates a TCP session to stop an attack by
sending flagged packets to both session endpoints.

sFlow An industry standard technology for monitoring high-speed
switched networks. sFlow provides complete network usage
visibility allowing for performance optimization,
accounting/billing for usage, and defense against security threats.

SFTP Secure File Transfer Protocol. Secures transfers over an encrypted
SSH connection. SFTP allows more options than SCP, including
deleting files remotely.

SHA-1 Secure Hash Algorithm 1. A hash algorithm that produces a 160-
bit message digest, SHA-1 improves on MD5, an earlier, still
widely-used hash function. In an IPsec VPN, AH can use SHA-1
to authenticate a packet.

Shared key A key used for both encryption and decryption in a symmetric key
algorithm. The sender and receiver use the same key set up in
advance and kept secret from others.

Shoulder surf To discover information by looking over the shoulder of an
authorized user.

Signature-based detection Attack detection that compares audit data with known attack
signatures stored in a signature database. Signature-based IDSs
recognize and interpret series of packets consistent with past
intrusions as new attacks.

SSO Single sign-on. A specialized form of authentication that enables a
user to authenticate once and gain access to the resources of
multiple software systems.

S/Key A one-time challenge-response password scheme that eliminates
the need for the same password to be conveyed over a network
each time a password is needed for access.

Slashdot effect Term given to the phenomenon of a popular website linking to a


smaller site, causing the smaller site to slow down or even
temporarily close due to increased traffic. The name comes from
the huge influx of web traffic that often results from sites being
mentioned on Slashdot, a popular technology news and
information site. Less robust sites are unable to cope with the huge
increase in traffic and become unavailable—either their bandwidth
is consumed or their servers fail to cope with the high number of
requests.

S/MIME Secure Multipurpose Internet Mail Extension. An encryption


protocol, S/MIME provides authentication, message integrity, non-
repudiation of origin, and privacy and data security for emails. See
also PGP.

Smurfing A type of DoS attack that causes a network to become flooded with
responses to a forged TCP/IP ping request. An attacker broadcasts a ping
request to every computer in a vulnerable network with the source address
spoofed to that of the victim, so that every host replies to the victim.
In this way, the victim computer is saturated by numerous messages from
computers on the network.

Sniffer Software (usually) or hardware that can intercept and log traffic
passing over a digital network or part of a network. As data
streams travel over the network, the sniffer captures each packet
and eventually decodes and analyzes its content. Depending on the
network structure (hub or switch), one can sniff all or just parts of
the traffic from a single machine within the network.

SNMPv3 Simple Network Management Protocol version 3. Part of the IP suite
as defined by the IETF. Network management systems use SNMP to monitor
network devices for conditions that merit administrative attention, and
administrators can track device uptime, link states, and other device
information variables.

SNMP throttle An SNMP fix that requires network devices to wait a configurable
time period between sending traps.

Spam The practice of sending unsolicited, bulk messages. While the most
widely recognized form is email spam, the term applies to similar abuses
in other media: instant messaging spam, Usenet newsgroup spam, Web search
engine spam, spam in blogs, and mobile phone messaging spam.

Spoofing attack When a person or program masquerades as another in order
to fraudulently gain network access.


Spyware A broad category of malicious software designed to intercept or
take partial control of a computer’s operation without the informed
consent of that machine’s owner or legitimate user. While the term taken
literally suggests software that surreptitiously monitors the user, it has
come to refer more broadly to software that subverts the computer’s
operation for the benefit of a third party.

SSH Secure SHell. A program/network protocol that allows a user to log
into another computer over a network, execute commands in the remote
machine’s OS, and move files from one machine to another. SSH provides
strong authentication. It secures communications over insecure channels
and can be used when tunneling. For more information on SSH, see RFC 4251
(http://www.ietf.org/rfc/rfc4251.txt).

SSID Service Set IDentifier. A code—consisting of a maximum of 32
alphanumeric characters—attached to all packets on a wireless network that
identifies each packet as part of that network. All wireless devices
attempting to communicate with each other must share the same SSID.

SSO Single sign-on. A solution that attempts to integrate authentication
between multiple directories and applications.

Stateful-inspection firewall Combines aspects of a packet-filtering
firewall, a circuit-level gateway, and an application-level gateway,
examining packet contents at the Network, Transport, Session,
Presentation, and Application Layers (Layers 3–7).

STP Spanning Tree Protocol. See RSTP.

Stream cipher An encryption algorithm that encrypts data bit by bit as it
arrives, combining each bit with a continuously changing keystream; in a
network setting, each packet is effectively encrypted with a slightly
different key.

Sweeper Computer software that erases files and applications on a computer.

Symmetric key A key used for both encryption and decryption. The sender and
receiver use the same key set up in advance and kept secret
from others.

Symmetric key algorithm An algorithm for cryptography that uses the same
cryptographic key to encrypt and decrypt the message.


SYN flooding A DoS attack in which an attacker sends a succession of SYN
requests to a target’s system.
When a client attempts to start a TCP connection to a server, the client
and server exchange a series of messages called the TCP three-way
handshake—the foundation for every connection established using TCP/IP
protocols. A malicious client can skip sending the last acknowledge (ACK)
message in the three-way handshake. The server will wait for this ACK for
some time, as simple network congestion could also be the cause of the
missing ACK.
Once all resources set aside for half-open connections are reserved, no
new connections (legitimate or not) can be made, resulting in a denial of
service. Some systems may malfunction badly or even crash if other OS
functions are starved of resources.
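The half-open-connection symptom described above, as an added example (not from the course): a Python check that parses a netstat-style connection table, counts SYN_RECV entries per remote source and against the listen backlog, and flags both views. The table, addresses and thresholds are constructed for this example.

```python
"""Spot SYN-flood symptoms in a netstat-style TCP connection table.

Added example, not from the course. The connection table below is
constructed; the column layout mimics `netstat -nt` output."""
from collections import Counter
from typing import Dict, List, NamedTuple


class Conn(NamedTuple):
    local: str
    remote: str
    state: str


# Constructed sample: a web server on 10.0.0.5:80. 203.0.113.9 has left six
# handshakes half-open (SYN_RECV) without ever sending the final ACK;
# 198.51.100.7 has one half-open connection, which congestion could explain.
SAMPLE_TABLE = """\
Proto Recv-Q Send-Q Local Address  Foreign Address      State
tcp        0      0 10.0.0.5:80    198.51.100.7:40001   ESTABLISHED
tcp        0      0 10.0.0.5:80    198.51.100.7:40002   SYN_RECV
tcp        0      0 10.0.0.5:80    203.0.113.9:51000    SYN_RECV
tcp        0      0 10.0.0.5:80    203.0.113.9:51001    SYN_RECV
tcp        0      0 10.0.0.5:80    203.0.113.9:51002    SYN_RECV
tcp        0      0 10.0.0.5:80    203.0.113.9:51003    SYN_RECV
tcp        0      0 10.0.0.5:80    203.0.113.9:51004    SYN_RECV
tcp        0      0 10.0.0.5:80    203.0.113.9:51005    SYN_RECV
tcp        0      0 10.0.0.5:22    192.0.2.44:33120     ESTABLISHED
"""


def parse_conn_table(text: str) -> List[Conn]:
    """Keep only TCP rows; skip the header and anything malformed."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        conns.append(Conn(local=fields[3], remote=fields[4], state=fields[5]))
    return conns


def half_open_by_source(conns: List[Conn]) -> Counter:
    """Count SYN_RECV entries per remote IP. The port is stripped because a
    flooder uses a fresh source port for every SYN."""
    counts: Counter = Counter()
    for c in conns:
        if c.state == "SYN_RECV":
            counts[c.remote.rsplit(":", 1)[0]] += 1
    return counts


def assess_half_open(text: str, per_source: int = 5, backlog: int = 128) -> Dict:
    """Two views of the same symptom: noisy single sources, and the total of
    half-open connections against the listen backlog. The total matters most,
    because a flood with spoofed source addresses never trips a per-source
    threshold yet still exhausts the backlog."""
    counts = half_open_by_source(parse_conn_table(text))
    total = sum(counts.values())
    return {
        "total_half_open": total,
        "backlog_exhausted": total >= backlog,
        "noisy_sources": sorted(s for s, n in counts.items() if n >= per_source),
    }


if __name__ == "__main__":
    print(assess_half_open(SAMPLE_TABLE))
```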

T
TACACS+ Terminal Access Controller Access Control System Plus. A
client/server protocol that transports data between a TACACS+ client and
server. The TACACS+ server contains a database of information on network
hosts and users. It authenticates a client at the client’s request.
TACACS+ can also authorize a client to access certain network
applications, and TACACS+ can log, or account for, clients’ activity.
TACACS+ allows independent handling of the aspects of AAA. For more
information on the original TACACS protocol, see RFC 1492 (at
http://www.ietf.org/rfc/rfc1492.txt). See also AAA.

TAP Test Access Point. A device designed to split off copies of network
traffic without affecting throughput. Rather than copying traffic and
forwarding it over a designated port, the data signal itself is split.

TCP Transmission Control Protocol. An OSI Transport Layer protocol that is
part of the IP protocol suite. TCP allows applications on networked hosts
to create connections to one another over which they can exchange data.
TCP guarantees reliable and in-order data delivery. TCP also distinguishes
data for multiple, concurrent applications (e.g. a web server and an email
server) running on the same host. Protocols carried over TCP include, among
many others, HTTP, email, and SSH. For more information on TCP, see RFC 793
(at http://www.ietf.org/rfc/rfc0793.txt).

TEA Tiny Encryption Algorithm. A block cipher famous for its simplicity.
It uses a small key, allowing a brute force attack.


Telnet TELephone NETwork. A TCP/IP protocol/program. The purpose of the
Telnet Protocol is to provide a fairly general, bi-directional, 8-bit
byte-oriented communications facility. It is typically used to provide
user-oriented command line login sessions between hosts on the Internet.
The name “Telnet” came about because the protocol was designed to emulate
a single terminal attached to the other computer. For more information
about the Telnet protocol, see RFC 854 (at
http://www.ietf.org/rfc/rfc0854.txt).

TK Temporal Key. A key that encrypts the data in TKIP.

TKIP Temporal Key Integrity Protocol. A security protocol used in WPA
designed to replace WEP without replacing legacy hardware. TKIP uses
device MAC addresses, randomly generated numbers, and a shared secret to
create a set of encryption keys. Unlike WEP, TKIP provides per-packet key
mixing, a message integrity check, and a re-keying mechanism. TKIP ensures
that every data packet is sent with its own unique encryption key.

TLS Transport Layer Security. A successor to the Secure Socket Layer
protocol (SSL), TLS is a protocol that provides secure Internet
communications through encryption and endpoint authentication.

Token Physical object a user must have for purposes of authentication.

ToS Type of Service. An 8-bit header field in IPv4 packets that allows
marking traffic for special handling. Two standards define how the ToS
field classifies traffic: IP precedence, the original standard for using
this field, and DiffServ. For more information about the ToS field in the
IP header, see RFC 791 on IP (at http://www.ietf.org/rfc/rfc0791.txt).

Transparent Invisible to the network devices that handle it. For example, a
protocol header is considered transparent if it neither impedes
processing nor is processed by the devices through which it passes.


Trojan horse A malicious program disguised as or embedded within
legitimate software. The term comes from the classical myth of the Trojan
Horse—something that looks useful, interesting, or harmless, but is
actually harmful when executed.
There are two common types of Trojan horses. One is otherwise useful
software corrupted by the insertion of malicious code that executes while
the program is used. Examples include weather alerting programs, computer
clock setting software, and peer-to-peer file sharing utilities. The other
type is a standalone program that masquerades as something else, like a
game or image file, in order to trick the user into innocently carrying
out the program’s objectives.
Trojan horse programs cannot operate autonomously, in contrast to some
other types of malware, like viruses or worms. Trojan horse programs
depend on the actions of their intended victims.

TNC Trusted Network Connect. A standard developed by over 50 of the
networking industry’s leading companies for integrating compliance testing
with access control.

Tunnel A virtual point-to-point connection where data is encrypted and
encapsulated at one endpoint for secure transmission across a public or
untrusted network, and de-encapsulated and decrypted at the receiving
endpoint.

Tunneling protocol A network protocol that encapsulates one protocol or
session inside another. Protocol A is encapsulated within protocol B, such
that A treats B as though it were a Data Link Layer. Tunneling may be used
to transport a network protocol through a network that would not otherwise
support it. Tunneling may also be used to provide various types of VPN
functionality such as private addressing.

Two-factor authentication Authentication that requires two types of
credentials for more robust security—for example, a password and a digital
certificate.


U
UDP User Datagram Protocol. One of the core protocols of the Internet
protocol suite. Using UDP, programs on networked computers can
send short messages known as datagrams to one another.
UDP does not provide the reliability and ordering guarantees that
TCP does. Datagrams may arrive out of order or go missing without
notice. Without the overhead of checking if every packet actually
arrived, UDP is faster and more efficient for many lightweight or
time-sensitive purposes. Also, its stateless nature is useful for
servers that answer small queries from huge numbers of clients.
UDP is required for broadcast (sent to all on local network) and
multicast (sent to all subscribers) traffic. As of 2006, UDP was 20
percent of Internet traffic, second to TCP at 75 percent.

URL-based / IP address filtering URL-based filtering blocks Web sites or
specific pages within a Web site. In contrast, IP address filtering blocks
out an entire Web site, blocking all traffic from specific IP addresses.

USB Universal Serial Bus. A serial bus standard for interface devices. It
was designed for computers, but its popularity has made it
commonplace on video game consoles, PDAs, cell phones,
portable memory devices, and even on televisions and home stereo
equipment.

UTM Unified threat management. Combining numerous security functions in
one appliance. At the minimum, a UTM device is a router and firewall that
can also run a VPN. In addition, most current UTM devices act as IDS/IPS
devices, perform network antivirus scanning, and carry out web content and
email spam filtering.

V
Virus Throttle™ software A ProCurve Networking security measure that works
to reduce network damage when a virus or worm infects an endpoint. Virus
Throttle™ software works on the principle that a worm will request
sessions with a large number of devices on the network as it attempts to
spread. Created by ProCurve HP Labs and implemented in ProCurve Networking
devices and other HP devices and servers.

VLAN Virtual LAN. The IEEE 802.1Q standard enables you to group
users by logical function rather than by physical location. By
creating VLANs on switches, you can segment networks into
smaller broadcast domains, enhance network security, and
simplify network management.


VPN Virtual private network. A virtual point-to-point connection that
transfers data over the public telecommunication infrastructure while
maintaining privacy through the use of a tunneling protocol and security
procedures. A VPN offers security comparable to a system of owned or
leased lines that can only be used by one company. For more information
about VPNs, see RFC 2764 (at http://www.ietf.org/rfc/rfc2764.txt). See
also IPsec.

W
WAN Wide area network. A network within a wide geographical area
(usually larger than a city or metropolitan area) that shares data,
programs, or equipment.

Wardriving Searching for Wi-Fi wireless networks from a moving vehicle. It
involves using a car or truck and a Wi-Fi-equipped computer, such as a
laptop or a PDA, to detect the networks. It is similar to using a scanner
for radio.
Many wardrivers use GPS devices to record the location of each network
found and log it on a website. For better range, antennas are built or
bought, and vary from omnidirectional to highly directional.

Web-Auth Web authentication. A type of authentication that permits users
to access a limited list of addresses; all other traffic redirects to a
Web login page. Web-Auth authenticates users without 802.1X support—the
authenticator handles the entire process—and is often used for wireless
“hot spots.”

Web-based content filtering Content filtering that includes keyword
filtering, cookie filtering, URL-based/IP address filtering, port
filtering, and active content filtering.

WEP Wired Equivalent Privacy. A scheme that is part of the IEEE 802.11
wireless networking standard to secure IEEE 802.11 wireless networks (also
known as Wi-Fi networks). Because a wireless network broadcasts messages
using radio, it is particularly susceptible to eavesdropping. WEP was
intended to provide comparable confidentiality to a traditional wired
network (in particular it doesn’t protect users of the network from each
other), hence the name. Cryptanalysts identified serious weaknesses in
WEP and thus WPA superseded it in 2003. Then in 2004 the full IEEE 802.11i
standard (also known as WPA2) superseded WPA. Despite its inherent
weaknesses, WEP provides a level of security that can deter casual
snooping.


Wetware Human beings (programmers, operators, administrators) associated
with a computer system, as opposed to the system's hardware or software.

White list A list of devices created for MAC authentication that grants
network access for any listed device, while blocking access to all
other devices.

Wi-Fi A brand originally licensed by the Wi-Fi Alliance to describe the
underlying technology of wireless LANs based on IEEE 802.11
specifications. Wi-Fi was intended to be used for mobile computing
devices, such as laptops, in LANs, but is now often used for increasingly
more applications, including Internet and VoIP phone access, gaming, and
basic connectivity of consumer electronics such as televisions and DVD
players.

WLAN Wireless LAN. The linking of two or more computers without using
wires. It is the same as a LAN, but has a wireless interface. WLAN
utilizes spread-spectrum technology based on radio waves to enable
communication between devices in a limited area, also known as the basic
service set. This gives users the mobility to move around within a broad
coverage area and still be connected to the network.
This technology is becoming increasingly popular, especially with the
rapid emergence of small portable devices such as PDAs.

WMI Windows Management Instrumentation. A set of extensions that provides
an OS interface for instrumented components to provide information and
notification. WMI provides an agentless solution for endpoint device
management by using applications already available on the device.

Worm A computer worm is a self-replicating computer program similar to a
computer virus. While a virus attaches itself to and becomes part of
another executable program, a worm is self-contained and does not need to
be part of another program to propagate. Worms often exploit file
transmission capabilities found on many computers, using networks to send
copies of themselves to other systems without any intervention. In
general, worms harm the network and consume bandwidth, whereas viruses
infect or corrupt files on a targeted computer. Viruses generally do not
affect network performance, as their malicious activities are mostly
confined within the target computer itself.


WPA Wi-Fi Protected Access. The WPA standard was introduced as an interim
wireless security measure until the new IETF standard could be
implemented. WPA is more secure than WEP in several ways: it uses a longer
counter length, an encrypted MIC that is more complex than a simple CRC
checksum, and a complex encryption key generation and management protocol,
TKIP.

WPA2 Wi-Fi Protected Access 2. The first approved implementation of
802.11i. Similar to WPA, WPA2 uses 802.1X authentication, TKIP key
generation, and MIC message authentication. Additionally, WPA2 is based on
the more secure AES block cipher and CCMP encryption technique.

X
X.500 A series of computer networking standards covering electronic
directory services, developed in order to support the requirements
of X.400 electronic mail exchange and name lookup. X.500
secures and eases communication between a user and a directory
service.

X.509 A strong authentication standard for PKI. One of its functions is to
specify a standard format for public key certificates and a path for
certification validation.

XOR Exclusive Or. A basic encryption function, XOR combines two binary
strings, usually data and an encryption key, to yield an encrypted result.
The XOR function is performed bit by bit.
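Added example (not from the course) tying together the Stream cipher, TKIP and XOR entries: a minimal XOR stream encryption built on a constructed SHA-256 keystream generator, showing that XOR is its own inverse and that a reused keystream cancels out of two ciphertexts, which is the reason TKIP mixes a fresh key into every packet. The key, nonces and messages are constructed values, and the keystream generator is not WEP's, TKIP's or any real protocol's cipher.

```python
"""XOR as the core of a stream cipher, and why the keystream (the per-packet
key) must never repeat.

Added example, not from the course. The keystream generator is a constructed
SHA-256 counter construction used only to illustrate the XOR property."""
import hashlib
from itertools import count


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bit-by-bit XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed keystream: concatenated SHA-256(key || nonce || counter)."""
    out = bytearray()
    for ctr in count():
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Ciphertext = plaintext XOR keystream. Because XOR is its own inverse,
    applying the same keystream to the ciphertext recovers the plaintext."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


decrypt = encrypt


def encrypt_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Per-packet keying in the TKIP spirit: the packet sequence number is
    mixed into the nonce, so no two packets ever share a keystream."""
    return encrypt(key, seq.to_bytes(8, "big"), payload)


def keystream_cancels(key: bytes, n1: bytes, n2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when XORing the two ciphertexts leaves only p1 XOR p2, i.e. the
    keystream cancelled out. That happens exactly when key and nonce are
    reused: it is the weakness WEP's short, repeating IVs exposed and the
    one TKIP's per-packet key mixing exists to prevent."""
    c1 = encrypt(key, n1, p1)
    c2 = encrypt(key, n2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed sample values.
KEY = b"constructed-demo-key-not-secret!"
P1 = b"meeting at 0900"
P2 = b"budget approved"

if __name__ == "__main__":
    print(decrypt(KEY, b"\x00" * 8, encrypt(KEY, b"\x00" * 8, P1)))
    print(keystream_cancels(KEY, b"\x00" * 8, b"\x00" * 8, P1, P2))  # reused
    print(keystream_cancels(KEY, b"\x00" * 8, b"\x01" * 8, P1, P2))  # fresh
```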

Z
Zero-day worms Worms that can aggressively propagate throughout the world in a
matter of hours. Zero-day attacks consume incredible amounts of
network resources when propagating and can use unique code that
most antivirus software does not detect.

Zombie A zombie is a network endpoint that has been infected with malware
and is subsequently used in a DDoS attack.

For further information, please visit our Web site at:
www.procurve.com

© 2006 Hewlett-Packard Development Company, L.P. The information contained
herein is subject to change without notice. The only warranties for HP
products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable
for technical or editorial errors or omissions contained herein.
