Guide to Network Security Fundamentals

Chapter 1

Learning Objectives

• Understand network security

• Understand security threat trends and their ramifications

• Understand the goals of network security

• Determine the factors involved in a secure network strategy

Understanding Network Security

• Network security

o Process by which digital information assets are protected

• Goals

o Maintain integrity

o Protect confidentiality

o Assure availability

Understanding Network Security

• Security ensures that users:

o Perform only tasks they are authorized to do

o Obtain only information they are authorized to have

o Cannot cause damage to data, applications, or operating environment

Security Threats

• Identity theft

• Privacy concerns

• Wireless access

To Offset Security Threats

• Integrity

o Assurance that data is not altered or destroyed in an unauthorized manner

• Confidentiality

o Protection of data from unauthorized disclosure to a third party

• Availability

o Continuous operation of computing systems

Security Ramifications: Costs of Intrusion

• Causes of network security threats

o Technology weaknesses

o Configuration weaknesses

o Policy weaknesses

o Human error

Technology Weaknesses

• TCP/IP

• Operating systems

• Network equipment

Configuration Weaknesses

• Unsecured accounts

• System accounts with easily guessed passwords

• Misconfigured Internet services

• Unsecured default settings

• Misconfigured network equipment

• Trojan horse programs

• Vandals

• Viruses

Policy Weaknesses

• Lack of a written security policy

• Politics

• High turnover

• Concise access controls not applied

• Software and hardware installation and changes do not follow policy

• Proper security

• Nonexistent disaster recovery plan

Human Error

• Accident

• Ignorance

• Workload

• Dishonesty

• Impersonation

• Disgruntled employees

• Snoops

• Denial-of-service attacks

Goals of Network Security

• Achieve the state where any action that is not expressly permitted is prohibited

o Eliminate theft

o Determine authentication

o Identify assumptions

o Control secrets

Creating a Secure Network Strategy

• Address both internal and external threats

• Define policies and procedures

• Reduce risk across perimeter security, the Internet, intranets, and LANs

Creating a Secure Network Strategy

• Human factors

• Know your weaknesses

• Limit access

• Achieve security through persistence

o Develop change management process

• Remember physical security

• Perimeter security

o Control access to critical network applications, data, and services

continued…

Creating a Secure Network Strategy

• Firewalls

o Prevent unauthorized access to or from private network

o Create protective layer between network and outside world

o Replicate network at point of entry in order to receive and transmit authorized data

o Have built-in filters

o Log attempted intrusions and create reports

continued…

Creating a Secure Network Strategy

• Web and file servers

• Access control

o Ensures that only legitimate traffic is allowed into or out of the network

o Passwords

o PINs

o Smartcards

continued…

Creating a Secure Network Strategy

• Change management

o Document changes to all areas of IT infrastructure

• Encryption

o Ensures messages cannot be intercepted or read by anyone other than the intended person(s)

continued…

Creating a Secure Network Strategy

• Intrusion detection system (IDS)

o Provides 24/7 network surveillance

o Analyzes packet data streams within the network

o Searches for unauthorized activity

Chapter Summary

• Understanding network security

• Security threats

• Security ramifications

• Goals of network security

• Creating a secure network strategy

Authentication
Chapter 2
Learning Objectives
• Create strong passwords and store them securely
• Understand the Kerberos authentication process
• Understand how CHAP works
• Understand what mutual authentication is and why it is necessary
• Understand how digital certificates are created and why they are used
continued…
Learning Objectives
• Understand what tokens are and how they function
• Understand biometric authentication processes and their strengths and weaknesses
• Understand the benefits of multifactor authentication
Security of System Resources
• Three-step process (AAA)
o Authentication: Positive identification of person/system seeking access to secured information/services
o Authorization: Predetermined level of access to resources
o Accounting: Logging use of each asset
Authentication Techniques
• Usernames and passwords
• Kerberos
• Challenge Handshake Authentication Protocol (CHAP)
• Mutual authentication
• Digital certificates
• Tokens
• Biometrics
• Multifactor authentication
Usernames and Passwords
• Username
o Unique alphanumeric identifier used to identify an individual when logging onto a computer/network
• Password
o Secret combination of keystrokes that, when combined with a username, authenticates a user to a computer/network
Basic Rules for Password Protection
1. Memorize passwords; do not write them down
2. Use different passwords for different functions
3. Use at least 6 characters
4. Use mixture of uppercase and lowercase letters, numbers, and other characters
5. Change periodically
Strong Password Creation Techniques
• Easy to remember; difficult to recognize
• Examples:
o First letters of each word of a simple phrase; add a number and punctuation: Asb4M?
o Combine two dissimilar words and place a number between them: SleigH9ShoE
o Substitute numbers for letters (not obviously)
Techniques to Use Multiple Passwords
• Group Web sites or applications by appropriate level of security
o Use a different password for each group
o Cycle more complex passwords down the groups, from most sensitive to least
Storing Passwords
• Written
o Keep in a place you are not likely to lose it
o Use small type
o Develop a personal code to apply to the list
• Electronic
o Use a specifically designed application (encrypts data)
Kerberos
• Provides secure and convenient way to access data and services through:
o Session keys
o Tickets
o Authenticators
o Authentication servers
o Ticket-granting tickets
o Ticket-granting servers
o Cross-realm authentication
Kerberos in a Simple Environment
• Session key
o Secret key used during logon session between client and a service
• Ticket
o Set of electronic information used to authenticate identity of a principal to a service
• Authenticator
o Device (eg, PPP network server) that requires authentication from a peer and specifies authentication protocol used in the configure request during link establishment phase
continued…
Kerberos in a Simple Environment
• Checksum
o Small, fixed-length numerical value
o Computed as a function of an arbitrary number of bits in a message
o Used to verify authenticity of sender
Kerberos in a Simple Environment (diagram)
Kerberos in a More Complex Environment
• Ticket-granting ticket (TGT)
o Data structure that acts as an authenticating proxy to principal’s master key for set period of time
• Ticket-granting server (TGS)
o Server that grants ticket-granting tickets to a principal
Kerberos in a More Complex Environment (diagram)
Kerberos in Very Large Network Systems
• Cross-realm authentication
o Allows principal to authenticate itself to gain access to services in a distant part of a Kerberos system
Cross-Realm Authentication (diagram)
Security Weaknesses of Kerberos
• Does not solve password-guessing attacks
• Must keep password secret
• Does not prevent denial-of-service attacks
• Internal clocks of authenticating devices must be loosely synchronized
• Authenticating device identifiers must not be recycled on a short-term basis
Challenge Handshake Authentication Protocol (CHAP)
• PPP mechanism used by an authenticator to authenticate a peer
• Uses an encrypted challenge-and-response sequence
CHAP Challenge-and-Response Sequence (diagram)
CHAP Security Benefits
• Multiple authentication sequences throughout Network layer protocol session
o Limit time of exposure to any single attack
• Variable challenge values and changing identifiers
o Provide protection against playback attacks
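The challenge-and-response round and the playback protection it gives, as an added Python model that is not from the textbook: the Response is MD5(Identifier || secret || Challenge Value) as RFC 1994 defines it, while the in-memory Authenticator and Peer classes, the constructed secret and the 16-byte challenge length are this example's own assumptions.

```python
# Added example (not from the textbook): a minimal in-memory model of the
# CHAP three-way handshake. The peer proves it knows the shared secret
# without ever sending it; the authenticator changes the Identifier and the
# Challenge Value every round, which is what makes a recorded Response
# useless to whoever replays it.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample secret; a real deployment provisions one per peer.
SECRET = b"constructed-demo-secret"


@dataclass(frozen=True)
class Challenge:
    identifier: int   # CHAP Identifier field (8 bits), changed every round
    value: bytes      # random Challenge Value


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Side that issues challenges and holds the peer's secret (e.g. a PPP server)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._next_id = 0
        self._outstanding: Optional[Challenge] = None

    def issue_challenge(self) -> Challenge:
        # Fresh Identifier and fresh 16-byte Challenge Value every round: the
        # "variable challenge values and changing identifiers" on the slide.
        self._next_id = (self._next_id + 1) & 0xFF
        self._outstanding = Challenge(self._next_id, os.urandom(16))
        return self._outstanding

    def verify(self, identifier: int, response: bytes) -> bool:
        pending, self._outstanding = self._outstanding, None   # answerable once
        if pending is None or identifier != pending.identifier:
            return False
        expected = chap_response(pending.identifier, self._secret, pending.value)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Peer:
    """Side being authenticated; it never transmits the secret itself."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def answer(self, ch: Challenge) -> Tuple[int, bytes]:
        return ch.identifier, chap_response(ch.identifier, self._secret, ch.value)


def run_handshake(auth: Authenticator, peer: Peer) -> bool:
    """Challenge -> Response -> Success/Failure: one round of CHAP."""
    ch = auth.issue_challenge()
    ident, resp = peer.answer(ch)
    return auth.verify(ident, resp)


def replay_is_rejected(auth: Authenticator, peer: Peer) -> bool:
    """Record a genuine Response, then replay it against the next challenge."""
    captured = peer.answer(auth.issue_challenge())
    if not auth.verify(*captured):
        return False                       # the genuine round must succeed first
    auth.issue_challenge()                 # new Identifier + new Challenge Value
    return not auth.verify(*captured)      # the recorded Response no longer matches
```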
CHAP Security Issues
• Passwords should not be the same in both directions
• Not all implementations of CHAP terminate the link when authentication process fails, but instead limit traffic to a subset of Network layer protocols
o Possible for users to update passwords
Mutual Authentication
• Process by which each party in an electronic communication verifies the identity of the other party
Digital Certificates
• Electronic means of verifying identity of an individual/organization
• Digital signature
o Piece of data that claims that a specific, named individual wrote or agreed to the contents of an electronic document to which the signature is attached
Electronic Encryption and Decryption Concepts
• Encryption
o Converts plain text message into secret message
• Decryption
o Converts secret message into plain text message
• Symmetric cipher
o Uses only one key
• Asymmetric cipher
o Uses a key pair (private key and public key)
continued…
Electronic Encryption and Decryption Concepts
• Certificate authority (CA)
o Trusted, third-party entity that verifies the actual identity of an organization/individual before providing a digital certificate
• Nonrepudiation
o Practice of using a trusted, third-party entity to verify the authenticity of a party who sends a message
How Much Trust Should One Place in a CA?
• Reputable CAs have several levels of authentication that they issue based on the amount of data collected from applicants
• Example: VeriSign
Security Tokens
• Authentication devices assigned to specific user
• Small, credit card-sized physical devices
• Incorporate two-factor authentication methods
• Utilize base keys that are much stronger than short, simple passwords a person can remember
Types of Security Tokens
• Passive
o Act as a storage device for the base key
o Do not emit, or otherwise share, base tokens
• Active
o Actively create another form of a base key or encrypted form of a base key that is not subject to attack by sniffing and replay
o Can provide variable outputs in various circumstances
One-Time Passwords
• Used only once for limited period of time; then is no longer valid
• Uses shared keys and challenge-and-response systems, which do not require that the secret be transmitted or revealed
• Strategies for generating one-time passwords
o Counter-based tokens
o Clock-based tokens
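Both token strategies listed above, as an added Python example that is not from the textbook: the counter-based token is HOTP (RFC 4226) and the clock-based token is TOTP (RFC 6238), each paired with a server-side verifier that refuses a code once it has been used. The look-ahead window, the one-step drift tolerance, the verifier class names and the use of the RFC 4226 test key as TEST_KEY are this example's own assumptions.

```python
# Added example (not from the textbook): counter-based and clock-based
# one-time password tokens as HOTP (RFC 4226) and TOTP (RFC 6238). The
# shared key never crosses the wire; only a short code does, and the
# verifiers below make sure each code is honoured once.
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 Appendix D test key (ASCII "12345678901234567890"); a real token
# would hold a randomly generated secret.
TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based token: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Clock-based token: HOTP whose counter is the number of elapsed time steps."""
    return hotp(key, int(now // step), digits)


class CounterTokenVerifier:
    """Server side for a counter-based token: accepts each counter value once,
    tolerates a few unused button presses (look-ahead window), and never
    accepts a counter at or below the last one used (no replay)."""

    def __init__(self, key: bytes, look_ahead: int = 5) -> None:
        self._key = key
        self._last_counter = -1
        self._look_ahead = look_ahead   # assumed window size

    def verify(self, code: str) -> bool:
        start = self._last_counter + 1
        for c in range(start, start + self._look_ahead):
            if hmac.compare_digest(hotp(self._key, c), code):
                self._last_counter = c   # burns this counter and all earlier ones
                return True
        return False


class ClockTokenVerifier:
    """Server side for a clock-based token: allows one step of clock drift either
    way and remembers the last accepted step so a sniffed code cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30) -> None:
        self._key = key
        self._step = step
        self._last_step = -1

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now // self._step)
        for t in (current, current - 1, current + 1):   # assumed drift tolerance
            expected = totp(self._key, t * self._step, self._step)
            if t > self._last_step and hmac.compare_digest(expected, code):
                self._last_step = t
                return True
        return False
```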
Biometrics
• Biometric authentication
o Uses measurements of physical or behavioral characteristics of an individual
o Generally considered most accurate of all authentication methods
o Traditionally used in highly secure areas
o Expensive
How Biometric Authentication Works
1. Biometric is scanned after identity is verified
2. Biometric information is analyzed and put into an electronic template
3. Template is stored in a repository
4. To gain access, biometric is scanned again
5. Computer analyzes biometric data and compares it to data in template
6. If data from scan matches data in template, person is allowed access
7. Keep a record, following AAA model
False Positives and False Negatives
• False positive
o Occurrence of an unauthorized person being authenticated by a biometric authentication process
• False negative
o Occurrence of an authorized person not being authenticated by a biometric authentication process when they are who they claim to be
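The trade-off between the two error types, as an added Python example that is not from the textbook: the step-5 comparison is modelled as a similarity score against a decision threshold, and moving that threshold trades false positives for false negatives. The score lists, the threshold sweep and the function names are this example's own constructions.

```python
# Added example (not from the textbook): how a biometric system's decision
# threshold sets its false-positive and false-negative rates. Scores are
# constructed similarity values (0 = no match, 1 = identical) from a
# hypothetical matcher: "genuine" compares a live scan with the same
# person's stored template, "impostor" with someone else's template.
from typing import List, Tuple

GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.76, 0.90, 0.85, 0.79, 0.93, 0.70]
IMPOSTOR_SCORES = [0.31, 0.45, 0.52, 0.28, 0.61, 0.74, 0.39, 0.48, 0.55, 0.33]


def rates_at(threshold: float,
             genuine: List[float] = GENUINE_SCORES,
             impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (false_positive_rate, false_negative_rate) at one threshold.

    A scan is accepted when score >= threshold. False positive (as on the
    slide): an impostor is accepted. False negative: a genuine user is rejected.
    """
    false_positives = sum(1 for s in impostor if s >= threshold)
    false_negatives = sum(1 for s in genuine if s < threshold)
    return false_positives / len(impostor), false_negatives / len(genuine)


def sweep(step: int = 100) -> List[Tuple[float, float, float]]:
    """Evaluate every threshold i/step and return (threshold, fpr, fnr) rows."""
    return [(i / step, *rates_at(i / step)) for i in range(step + 1)]


def equal_error_threshold() -> float:
    """Threshold where the two error rates are closest. Raising it above this
    point admits fewer impostors but turns away more legitimate users; lowering
    it does the reverse, so the choice depends on what the area protects."""
    return min(sweep(), key=lambda row: abs(row[1] - row[2]))[0]


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7, 0.8, 0.9):
        fpr, fnr = rates_at(t)
        print(f"threshold {t:.2f}: false positives {fpr:.0%}, false negatives {fnr:.0%}")
    print(f"equal-error threshold: {equal_error_threshold():.2f}")
```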
Different Kinds of Biometrics
• Physical characteristics
o Fingerprints
o Hand geometry
o Retinal scanning
o Iris scanning
o Facial scanning
• Behavioral characteristics
o Handwritten signatures
o Voice
Fingerprint Biometrics (diagram)
Hand Geometry Authentication (diagram)
Retinal Scanning (diagram)
Iris Scanning (diagram)
Signature Verification (diagram)
General Trends in Biometrics
• Authenticating large numbers of people over a short period of time (eg, smart cards)
• Gaining remote access to controlled areas
Multifactor Authentication
• Identity of individual is verified using at least two of the three factors of authentication
o Something you know (eg, password)
o Something you have (eg, smart card)
o Something about you (eg, biometrics)
Chapter Summary
• Authentication techniques
o Usernames and passwords
o Kerberos
o CHAP
o Mutual authentication
o Digital certificates
o Tokens
o Biometrics
o Multifactor authentication
Attacks and Malicious Code
Chapter 3
Learning Objectives
• Explain denial-of-service (DoS) attacks
• Explain and discuss ping-of-death attacks
• Identify major components used in a DDoS attack and how they are installed
• Understand major types of spoofing attacks
• Discuss man-in-the-middle attacks, replay attacks, and TCP session hijacking
continued…
Learning Objectives
• Detail three types of social-engineering attacks and explain why they can be incredibly damaging
• List major types of attacks used against encrypted data
• List major types of malicious software and identify a countermeasure for each one
Denial-of-Service Attacks
• Any malicious act that causes a system to be unusable by its real user(s)
• Take numerous forms
• Are very common
• Can be very costly
• Major types
o SYN flood
o Smurf attack
SYN Flood
• Exploits the TCP three-way handshake
• Inhibits server’s ability to accept new TCP connections
TCP Three-Way Handshake (diagram)
Smurf
• Non-OS specific attack that uses the network to amplify its effect on the victim
• Floods a host with ICMP
• Saturates Internet connection with bogus traffic and delays/prevents legitimate traffic from reaching its destination
IP Fragmentation Attacks: Ping of Death
• Uses IP packet fragmentation techniques to crash remote systems
Ping of Death (diagram)
Distributed Denial-of-Service Attacks
• Use hundreds of hosts on the Internet to attack the victim by flooding its link to the Internet or depriving it of resources
• Used by hackers to target government and business Internet sites
• Automated tools; can be executed by script kiddies
• Result in temporary loss of access to a given site and associated loss in revenue and prestige
Conducting DDoS Attacks (diagram)
DDoS Countermeasures
• Security patches from software vendors
• Antivirus software
• Firewalls
• Ingress (inbound) and egress (outbound) filtering
Ingress and Egress Filtering (diagram)
Preventing the Network from Inadvertently Attacking Others
• Filter packets coming into the network destined for a broadcast address
• Turn off directed broadcasts on internal routers
• Block any packet from entering the network that has a source address that is not permissible on the Internet (see Figures 3-8 and 3-9)
continued…
Preventing the Network from Inadvertently Attacking Others
• Block at the firewall any packet that uses a protocol or port that is not used for Internet communications on the network
• Block packets with a source address originating inside your network from entering your network
Ingress Filtering of Packets with RFC 1918 Addresses (diagram)
Filtering of Packets with RFC 2827 Addresses (diagram)
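The address-based rules from the two slides above, as one added Python filter that is not from the textbook: it drops inbound packets with RFC 1918 or otherwise non-routable sources, inbound packets that claim a source inside the site's own prefix, inbound packets aimed at the site broadcast address, and outbound packets whose source is not the site's own (RFC 2827). The site prefix 203.0.113.0/24, the Packet model and the sample traffic are constructed for the demonstration.

```python
# Added example (not from the textbook): a minimal ingress/egress filter.
# Everything here is an in-memory model; the prefixes come from the RFC 5737
# documentation ranges and the rules from the slides above.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed site network: the address block the organisation actually owns.
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# RFC 1918 private ranges plus other addresses that are never a legitimate
# source on the public Internet (loopback, link-local, "this" network).
NOT_PERMISSIBLE_ON_INTERNET = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
        "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    )
]


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving for it)
    src: str
    dst: str


def _in_any(addr: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def filter_packet(pkt: Packet, site: ipaddress.IPv4Network = SITE_PREFIX) -> Tuple[str, str]:
    """Return ("permit", "") or ("deny", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.direction == "in":
        # Ingress: sources that cannot legitimately arrive from the Internet.
        if _in_any(src, NOT_PERMISSIBLE_ON_INTERNET):
            return "deny", "ingress: RFC 1918 or non-routable source"
        # Ingress: a packet from outside claiming one of our own addresses is spoofed.
        if src in site:
            return "deny", "ingress: source address belongs to our own network"
        # Ingress: a directed broadcast into our network is smurf amplification fodder.
        if dst == site.broadcast_address:
            return "deny", "ingress: destined for our broadcast address"
        return "permit", ""

    if pkt.direction == "out":
        # Egress (RFC 2827): only our own addresses may leave as sources, so a
        # compromised host here cannot be used to spoof-attack someone else.
        if src not in site:
            return "deny", "egress: source address not in our prefix (RFC 2827)"
        return "permit", ""

    return "deny", "unknown direction"


def apply_filter(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    return [(p, *filter_packet(p)) for p in packets]


# Constructed sample traffic, one packet per rule.
SAMPLE = [
    Packet("in", "198.51.100.7", "203.0.113.10"),     # ordinary inbound
    Packet("in", "10.1.2.3", "203.0.113.10"),         # RFC 1918 source
    Packet("in", "203.0.113.5", "203.0.113.10"),      # our own address from outside
    Packet("in", "198.51.100.7", "203.0.113.255"),    # directed broadcast
    Packet("out", "203.0.113.10", "198.51.100.7"),    # ordinary outbound
    Packet("out", "192.0.2.99", "198.51.100.7"),      # spoofed outbound source
]

if __name__ == "__main__":
    for pkt, verdict, reason in apply_filter(SAMPLE):
        print(f"{pkt.direction:>3} {pkt.src:>15} -> {pkt.dst:<15} {verdict} {reason}")
```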
Spoofing
• Act of falsely identifying a packet’s IP address, MAC address, etc
• Four primary types
o IP address spoofing
o ARP poisoning
o Web spoofing
o DNS spoofing
IP Address Spoofing
• Used to exploit trust relationships between two hosts
• Involves creating an IP address with a forged source address
ARP Poisoning
• Used in man-in-the-middle and session hijacking attacks; attacker takes over victim’s IP address by corrupting ARP caches of directly connected machines
• Attack tools
o ARPoison
o Ettercap
o Parasite
Web Spoofing
• Convinces victim that he or she is visiting a real and legitimate site
• Considered both a man-in-the-middle attack and a denial-of-service attack
Web Spoofing (diagram)
DNS Spoofing
• Aggressor poses as the victim’s legitimate DNS server
• Can direct users to a compromised server
• Can redirect corporate e-mail through a hacker’s server where it can be copied or modified before sending mail to final destination
To Thwart Spoofing Attacks
• IP spoofing
o Disable source routing on all internal routers
o Filter out packets entering local network from the Internet that have a source address of the local network
• ARP poisoning
o Use network switches that have MAC binding features
continued…
To Thwart Spoofing Attacks
• Web spoofing
o Educate users
• DNS spoofing
o Thoroughly secure DNS servers
o Deploy anti-IP address spoofing measures
Man in the Middle
• Class of attacks in which the attacker places himself between two communicating hosts and listens in on their session
• To protect against
o Configure routers to ignore ICMP redirect packets
Man-in-the-Middle Attacks (diagram)
Man-in-the-Middle Applications
• Web spoofing
• TCP session hijacking
• Information theft
• Other attacks (denial-of-service attacks, corruption of transmitted data, traffic analysis to gain information about victim’s network)
Man-in-the-Middle Methods
• ARP poisoning
• ICMP redirects
• DNS poisoning
Replay Attacks
• Attempts to circumvent authentication mechanisms by:
o Recording authentication messages from a legitimate user
o Reissuing those messages in order to impersonate the user and gain access to systems
Replay Attack (diagram)
TCP Session Hijacking
• Attacker uses techniques to make the victim believe he or she is connected to a trusted host, when in fact the victim is communicating with the attacker
• Well-known tool
o Hunt (Linux)
Attacker Using Victim’s TCP Connection (diagram)
Social Engineering
• Class of attacks that uses trickery on people instead of computers
• Goals
o Fraud
o Network intrusion
o Industrial espionage
o Identity theft
o Desire to disrupt the system or network
Dumpster Diving (diagram)
Online Attacks
• Use chat and e-mail venues to exploit trust relationships
Social Engineering Countermeasures
• Take proper care of trash and discarded items
• Ensure that all system users have periodic training about network security
Attacks Against Encrypted Data
• Weak keys
• Mathematical attacks
• Birthday attack
• Password guessing
• Brute force
• Dictionary
Weak Keys
• Secret keys used in encryption that exhibit regularities in encryption, or even a poor level of encryption
Mathematical Attack
• Attempts to decrypt encrypted data using mathematics to find weaknesses in the encryption algorithm
• Categories of cryptanalysis
o Ciphertext-only analysis
o Known plaintext attack
o Chosen plaintext attack
Birthday Attack
• Class of brute-force mathematical attacks that exploits mathematical weaknesses of hash algorithms and one-way hash functions
Password Guessing
• Tricks authentication mechanisms by determining a user’s password using techniques such as brute force or dictionary attacks
Brute Force
• Method of breaking passwords that involves computation of every possible combination of characters for a password of a given character length
Dictionary
• Method of breaking passwords by using a predetermined list of words as input to the password hash
• Only works against poorly chosen passwords
Software Exploitation
• Utilizes software vulnerabilities to gain access and compromise systems
• Example
o Buffer overflow attack
• To stop software exploits
o Stay apprised of latest security patches provided by software vendors
Malicious Software (diagram)
Viruses
• Self-replicating programs that spread by “infecting” other programs
• Damaging and costly
Virus Databases (diagram)
Evolution of Virus Propagation Techniques (diagram)
Protecting Against Viruses
• Enterprise virus protection solutions
o Desktop antivirus programs
o Virus filters for e-mail servers
o Network appliances that detect and remove viruses
• Instill good behaviors in users and system administrators
o Keep security patches and virus signature databases up to date
Backdoor
• Remote access program surreptitiously installed on user computers that allows attacker to control behavior of victim’s computer
• Also known as remote access Trojans
• Examples
o Back Orifice 2000 (BO2K)
o NetBus
• Detection and elimination
o Up-to-date antivirus software
o Intrusion detection systems (IDS)
Trojan Horses
• Class of malware that uses social engineering to spread
• Types of methods
o Sending copies of itself to all recipients in user’s address book
o Deleting or modifying files
o Installing backdoor/remote control programs
Logic Bombs
• Set of computer instructions that lie dormant until triggered by a specific event
• Once triggered, the logic bomb performs a malicious task
• Almost impossible to detect until after triggered
• Often the work of former employees
• For example: macro virus
o Uses auto-execution feature of specific applications
Worms
• Self-contained program that uses security flaws such as buffer overflows to remotely compromise a victim and replicate itself to that system
• Do not infect other executable programs
• Account for 80% of all malicious activity on Internet
• Examples: Code Red, Code Red II, Nimda
Defense Against Worms
• Latest security updates for all servers
• Network and host-based IDS
• Antivirus programs
Chapter Summary
• Mechanisms, countermeasures, and best practices for:
o Malicious software
o Denial-of-service attacks
o Software exploits
o Social engineering
o Attacks on encrypted data
Remote Access
Chapter 4
Learning Objectives
• Understand implications of IEEE 802.1x and how it is used
• Understand VPN technology and its uses for securing remote access to networks
• Understand how RADIUS authentication works
• Understand how TACACS+ operates
• Understand how PPTP works and when it is used
continued…
Learning Objectives
• Understand how L2TP works and when it is used
• Understand how SSH operates and when it is used
• Understand how IPSec works and when it is used
• Understand the vulnerabilities associated with telecommuting
IEEE 802.1x
• Internet standard created to perform authentication services for remote access to a central LAN
• Uses SNMP to define levels of access control and behavior of ports providing remote access to LAN environment
• Uses EAP over LAN (EAPOL) encapsulation method
802.1x General Topology (diagram)
Telnet
• Standard terminal emulation protocol within TCP/IP protocol suite defined by RFC 854
• Utilizes UDP port 23 to communicate
• Allows users to log on to remote networks and use resources as if locally connected
Controlling Telnet
• Assign enable password as initial line of defense
• Use access lists that define who has access to
what resources based on specific IP addresses
• Use a firewall that can filter traffic based on ports,
IP addresses, etc
Virtual Private Network
• Secures connection between user and home
office using authentication mechanisms and
encryption techniques
o Encrypts data at both ends
• Uses two technologies
o
IPSec
o
PPTP
VPN Diagram
Tunneling
• Enables one network to send its data via another
network’s connections
• Encapsulates a network protocol within packets
carried by the second network
Tunneling
VPN Options
• Install/configure client computer to initiate
necessary security communications
• Outsource VPN to a service provider
o Encryption does not happen until data reaches
provider’s network
Service Providing Tunneling
VPN Drawbacks
• Not completely fault tolerant
• Diverse implementation choices
o
Software solutions
Tend to have trouble processing all the simultaneous
connections on a large network
o
Hardware solutions
Require higher costs
Remote Authentication Dial-in User
Service (RADIUS)
• Provides a client/server security system
• Uses distributed security to authenticate users
on a network
• Includes two pieces
o
Authentication server
o
Client protocols
• Authenticates users through a series of
communications between client and server
using UDP
Authenticating with a RADIUS Server
Benefits of Distributed Approach to
Network Security
• Greater security
• Scalable architecture
• Open protocols
• Future enhancements
Terminal Access Controller Access
Control System (TACACS+)
• Authentication protocol developed by Cisco
• Uses TCP – a connection-oriented
transmission – instead of UDP
• Offers separate acknowledgement that
request has been received regardless of
speed of authentication mechanism
• Provides immediate indication of a crashed
server
Advantages of TACACS+
over RADIUS
• Addresses need for scalable solution
• Separates authentication, authorization, and
accounting
• Offers multiple protocol support
Point-to-Point Tunneling Protocol
• Multiprotocol that offers authentication,
methods of privacy, and data compression
• Built upon PPP and TCP/IP
• Achieves tunneling by providing encapsulation
(wraps packets of information within IP
packets)
o
Data packets
o
Control packets
• Provides users with virtual node on corporate
LAN or WAN
PPTP Tasks
• Queries status of communications servers
• Provides in-band management
• Allocates channels and places outgoing calls
• Notifies Windows NT Server of incoming calls
• Transmits and receives user data with bi-
directional flow control
• Notifies Windows NT Server of disconnected
calls
• Assures data integrity; coordinates packet
flow
Layer Two Tunneling Protocol
• PPP defines an encapsulation mechanism for
transporting multiprotocol packets across layer
two point-to-point links
• L2TP extends PPP model by allowing layer two
and PPP endpoints to reside on different devices
interconnected by a packet-switched network
continued…
Layer Two Tunneling Protocol
• Allows separation of processing of PPP packets
and termination of layer two circuit
o Connection may terminate at a (local) circuit
concentrator
• Solves splitting problems by projecting a PPP
session to a location other than the point at which
it is physically received
Secure Shell (SSH)
• Secure replacement for remote logon and file
transfer programs (Telnet and FTP) that
transmit data in unencrypted text
• Uses public key authentication to establish an
encrypted and secure connection from user’s
machine to remote machine
• Used to:
o
Log on to another computer over a network
o
Execute commands on a remote machine
o
Move files from one machine to another
Key Components of an SSH Product
• Engine
• Administration server
• Enrollment gateway
• Publishing server
IP Security Protocol
• Set of protocols developed by the IETF to
support secure exchange of packets at IP
layer
• Deployed widely to implement VPNs
• Works with existing and future IP standards
• Transparent to users
• Promises painless scalability
• Handles encryption at packet level using
Encapsulating Security Payload (ESP)
IPSec Security Payload
ESP and Encryption Models
• Supports many encryption protocols
• Encryption support is designed for use by
symmetric encryption algorithms
• Provides secure VPN tunneling
Telecommuting Vulnerabilities
Remote Solutions
• Microsoft Terminal Server
• Citrix Metaframe
• Virtual Network Computing
Chapter Summary
• Paramount need for remote access security
• Use of technologies to mitigate some of the risk
of compromising the information security of a
home network
• Importance of keeping pace with technology
changes
E-mail
• Chapter 5
Learning Objectives
• Understand the need for secure e-mail
• Outline benefits of PGP and S/MIME
• Understand e-mail vulnerabilities and how to
safeguard against them
• Explain the dangers posed by e-mail hoaxes and
spam, as well as actions that can be taken to
counteract them
Challenges to Utility and Productivity
Gains Offered by E-mail
• E-mail security
• Floods of spam
• Hoaxes
E-mail Security Technologies
• Two main standards
o
Pretty good privacy (PGP)
o
Secure/Multipurpose Internet Mail Extension
(S/MIME)
• These competing standards:
o
Seek to ensure integrity and privacy of information
by wrapping security measures around e-mail data
itself
o
Use public key encryption techniques (alternative
to securing communication link itself, as in VPN)
Secure E-mail and Encryption
• Secure e-mail
o Uses cryptography to secure messages
transmitted across insecure networks
• Advantages of e-mail encryption
o
E-mail can be transmitted over unsecured links
o
E-mail can be stored in encrypted form
• Key cryptography concepts
o
Encryption
o
Digital signatures
o
Digital certificates
Main Features of Secure E-mail
• Confidentiality
• Integrity
• Authentication
• Nonrepudiation
Encryption
• Passes data and a value (key) through a series
of mathematical formulas that make the data
unusable and unreadable
• To recover information, reverse the process
using the appropriate key
• Two main types
o
Conventional cryptography
o
Public key cryptography
Encryption
Hash Functions
• Produce a message digest that cannot be
reversed to produce the original
• Two major hash functions in use
o
SHA-1 (Secure Hash Algorithm 1)
o
MD5 (Message Digest algorithm version 5)
Digital Signatures
• Electronic identification of a person or thing
created by using a public key algorithm
• Verify (to a recipient) the integrity of data and
identity of the sender
• Provide same features as encryption, except
confidentiality
• Created by using hash functions
Digital Certificates
• Electronic document attached to a public key
by a trusted third party
• Provide proof that the public key belongs to a
legitimate owner and has not been
compromised
• Consist of:
o
Owner’s public key
o
Information unique to owner
o
Digital signatures of an endorser
Combining Encryption Methods
• Hybrid cryptosystems
o
Take advantage of symmetric and public key
cryptography
o
Example: PGP/MIME
• Conventional encryption
o Fast, but results in key distribution problem
• Public key encryption
o Private key and public key
Public Key Encryption
How Secure E-mail Works
• Encryption
1. Message is compressed
2. Session key is created
3. Message is encrypted using session key with symmetrical encryption method
4. Session key is encrypted with an asymmetrical encryption method
5. Encrypted session key and encrypted message are bound together and transmitted to recipient
• Decryption: reverse the process
Secure E-mail Decryption
Background on PGP
• Current de facto standard
• Written by Phil Zimmermann in 1991
• Supports major conventional encryption
methods
o
CAST
o
International Data Encryption Algorithm (IDEA)
o
Triple Data Encryption Standard (3DES)
o
Twofish
PGP Certificates
• More flexible and extensible than X.509
certificates
• A single certificate can contain multiple
signatures
PGP Certificate Format
S/MIME
• Specification designed to add security to
e-mail messages in MIME format
• Security services
o
Authentication (using digital signatures)
o
Privacy (using encryption)
What S/MIME Defines
• Format for MIME data
• Algorithms that must be used for
interoperability
o
RSA
o
RC2
o
SHA-1
• Additional operational concerns
o
ANSI X.509 certificates
o
Transport over the Internet
S/MIME Background
• Four primary standards
o
RFC 2630
Cryptographic Message Syntax
o
RFC 2633
S/MIME version 3 Message Specification
o
RFC 2632
S/MIME version 3 Certificate Handling
o
RFC 2634
Enhanced Security Services for S/MIME
S/MIME Encryption Algorithms
• Three symmetric encryption algorithms
o
DES
o
3DES
o
RC2
• PKCS (Public Key Cryptography Standards)
• S/MIME prevents exposure of signature
information to eavesdropper
o Applies digital signature first; then encloses
signature and original message in an encrypted
digital envelope
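The five encryption steps listed under How Secure E-mail Works, combined with the S/MIME sign-then-encrypt order described just above, as an added Go example that is not part of the original slides. The concrete algorithm choices are assumptions of this example, not the slides': RSA-2048 keys, zlib compression, AES-256-GCM for the message body, RSA-OAEP to wrap the session key and RSA-PSS for the signature.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

type Envelope struct {
	WrappedKey []byte // session key encrypted with the recipient's RSA public key (step 4)
	Nonce      []byte // AES-GCM nonce, generated fresh for every message
	Ciphertext []byte // compressed signed message, encrypted with the session key (step 3)
}

// GenerateKey makes a 2048-bit RSA key pair (an assumed size) for the demo.
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// newGCM builds the symmetric cipher (AES-GCM) that protects the message body.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs with the sender's key first (the S/MIME order), then runs the five encryption steps.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	zw := zlib.NewWriter(&buf) // step 1: compress signature + message (signature hidden by encryption)
	zw.Write(append(sig, msg...))
	zw.Close() // writing to an in-memory buffer cannot fail
	kn := make([]byte, 32+12) // step 2: random AES-256 session key followed by a 12-byte nonce
	if _, err := io.ReadFull(rand.Reader, kn); err != nil {
		return nil, err
	}
	key, nonce := kn[:32], kn[32:]
	gcm, err := newGCM(key) // step 3: symmetric encryption under the session key
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, buf.Bytes(), nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil) // step 4: RSA-OAEP
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil // step 5: bind together
}

// Open reverses the process, then verifies the sender's signature over the recovered message.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	compressed, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // any tampering is caught here
	if err != nil {
		return nil, err
	}
	zr, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	signed, err := io.ReadAll(zr)
	if err != nil {
		return nil, err
	}
	n := senderPub.Size() // an RSA-PSS signature is always exactly modulus-sized
	if len(signed) < n {
		return nil, fmt.Errorf("signed data too short: %d bytes", len(signed))
	}
	sig, msg := signed[:n], signed[n:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, err
	}
	return msg, nil
}
func main() {
	sender, _ := GenerateKey()
	recipient, _ := GenerateKey()
	env, _ := Seal([]byte("Quarterly figures attached."), sender, &recipient.PublicKey)
	msg, err := Open(env, recipient, &sender.PublicKey)
	fmt.Printf("%q %v\n", msg, err)
}
```

Because the signature is inside the ciphertext, an eavesdropper sees neither the message nor who signed it, which is the exposure the S/MIME ordering above is meant to prevent.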
X.509 Certificates
• Rather than define its own certificate type (like
PGP), S/MIME relies on X.509
• Issued by a certificate authority (CA)
S/MIME Trust Model:
Certificate Authorities
• Purely hierarchical model
• Line of trust goes up the chain to a CA, whose
business is verifying identity and assuring validity
of keys or certificates
Differences Between PGP and S/MIME
• Structure of messages
o S/MIME3: Binary, based on CMS
o OpenPGP: PGP
• Structure of digital certificates
o S/MIME3: X.509
o OpenPGP: PGP
• Algorithm: symmetric encryption
o S/MIME3: 3DES
o OpenPGP: 3DES
• Algorithm: digital signature
o S/MIME3: Diffie-Hellman
o OpenPGP: ElGamal
• Algorithm: hash
o S/MIME3: SHA-1
o OpenPGP: SHA-1
• MIME encapsulation for signed data
o S/MIME3: Choice of multipart/signed or CMS format
o OpenPGP: Multipart/signed with ASCII armor
• MIME encapsulation for encrypted data
o S/MIME3: Application/PKCS#7-MIME
o OpenPGP: Multipart/encrypted
• Trust model
o S/MIME3: Hierarchical
o OpenPGP: Web of trust
• Marketplace adoption
o S/MIME3: Growing quickly
o OpenPGP: Current encryption standard
• Marketplace advocates
o S/MIME3: Microsoft, RSA, VeriSign
o OpenPGP: Some PGP, Inc. products absorbed into McAfee line
• Ease of use
o S/MIME3: Configuration not intuitive; must obtain and install certificates; general use straightforward
o OpenPGP: Configuration not intuitive; must create certificates; general use straightforward
• Software
o S/MIME3: Already integrated in Microsoft and Netscape products
o OpenPGP: PGP software must be downloaded and installed
• Cost of certificates
o S/MIME3: Must be purchased from CA; yearly fee
o OpenPGP: PGP certificates can be generated by anyone; free
• Key management
o S/MIME3: Easy, but you must trust CA
o OpenPGP: Harder; user must make decisions on validity of identities
• Compatibility
o S/MIME3: Transparently works with any vendor’s MIME e-mail client, but not compatible with non-MIME e-mail formats
o OpenPGP: Compatible with MIME and non-MIME e-mail formats, but recipient must have PGP installed
• Centralized management
o S/MIME3: Possible through PKI
o OpenPGP: Status is in doubt
E-mail Vulnerabilities
Spam
• Act of flooding the Internet with many copies of
the same message in an attempt to force the
message on people who would not otherwise
choose to receive it
• Unrequested junk mail
E-mail Spam
• Targets individual users with direct mail
messages
• Creates lists by:
o
Scanning Usenet postings
o
Stealing Internet mailing lists
o
Searching the Web for addresses
• Uses automated tools to subscribe to as many
mailing lists as possible
Hoaxes and Chain Letters
• E-mail messages with content designed to get
the reader to spread them by:
o
Appearing to be an authority to exploit trust
o
Generating excitement about being involved
o
Creating a sense of importance/belonging
o
Playing on people’s gullibility/greed
• Do not carry a malicious payload, but are usually
untrue or already resolved
Costs of Hoaxes and Chain
Letters
• Lost productivity
• Damaged reputation
• Relaxed attitude toward legitimate virus warnings
Countermeasures for Hoaxes
• Effective security awareness campaign
• Good e-mail policy
• E-mail content filtering solutions
Guidelines for Hoax
Countermeasures
• Create a policy and train users on what to do
when they receive a virus warning
• Establish the intranet site as the only
authoritative source for advice on virus
warnings
• Ensure that the intranet site displays up-to-
date virus and hoax information on the home
page
• Inform users that if the virus warning is not
listed on the intranet site, they should forward
it to a designated account
Chapter Summary
• PGP
o
Current de facto e-mail encryption standard
o
Basis of OpenPGP standard
• S/MIME
o
Emerging standard in e-mail encryption
o
Uses X.509 certificates used by Microsoft and
Netscape browser and e-mail client software
• E-mail vulnerabilities and scams, and how to
combat them
o
Spam
o
Hoaxes and e-mail chain letters
Web Security
• Chapter 6
Learning Objectives
• Understand SSL/TLS protocols and their
implementation on the Internet
• Understand HTTPS protocol as it relates to SSL
• Explore common uses of instant messaging
applications and identify vulnerabilities
associated with those applications
continued…
Learning Objectives
• Understand the vulnerabilities of JavaScript,
buffer overflow, ActiveX, cookies, CGI, applets,
SMTP relay, and how they are commonly
exploited
Secure Sockets Layer (SSL) and
Transport Layer Security (TLS)
• Commonly used protocols for managing the
security of a message transmission across the
“insecure” Internet
Secure Sockets Layer (SSL)
• Developed by Netscape for transmitting private
documents via the Internet
• Uses a public key to encrypt data that is
transferred over the SSL connection
• URLs that require an SSL connection start with
“https:” instead of “http:”
Transport Layer Security (TLS)
• Latest version of SSL
• Not as widely available in browsers
SSL/TLS Protocol
• Runs on top of TCP and below higher-level
protocols
• Uses TCP/IP on behalf of higher-level
protocols
• Allows SSL-enabled server to authenticate
itself to SSL-enabled client
• Allows client to authenticate itself to server
• Allows both machines to establish an
encrypted connection
Secure Sockets Layer Protocol
SSL/TLS Protocol
• Uses ciphers to enable encryption of data
between two parties
• Uses digital certificates to enable authentication
of the parties involved in a secure transaction
Cipher Types Used by SSL/TLS
• Asymmetric encryption (public key encryption)
• Symmetric encryption (secret key encryption)
Digital Certificates
• Components
o
Certificate user’s name
o
Entity for whom certificate is being issued
o
Public key of the subject
o
Time stamp
• Typically issued by a CA that acts as a trusted
third party
o
Public certificate authorities
o
Private certificate authorities
Secure Hypertext Transfer Protocol
(HTTPS)
• Communications protocol designed to transfer
encrypted information between computers
over the World Wide Web
• An implementation of HTTP
• Often used to enable online purchasing or
exchange of private information over insecure
networks
• Combines with SSL to enable secure
communication between a client and a server
Instant Messaging (IM)
• Communications service that enables creation
of a private chat room with another individual
• Based on client/server architecture
• Typically alerts you whenever someone on
your private list is online
• Categorized as enterprise IM or consumer IM
systems
• Examples: AOL Instant Messenger, ICQ,
NetMessenger, Yahoo! Messenger
IM Security Issues
• Cannot prevent transportation of files that
contain viruses and Trojan horses
• Misconfigured file sharing can provide access
to sensitive or confidential data
• Lack of encryption
• Could be utilized for transportation of
copyrighted material; potential for substantial
legal consequences
• Transferring files reveals network addresses
of hosts; could be used for Denial-of-Service
attack
IM Applications
• Do not use well-known TCP ports for
communication and file transfers; use registered
ports
• Ports can be filtered to restrict certain
functionalities or prevent usage altogether
Vulnerabilities of Web Tools
• Security of Web applications and online
services is as important as intended
functionality
o
JavaScript
o
ActiveX
o
Buffers
o
Cookies
o
Signed applets
o
Common Gateway Interface (CGI)
o
Simple Mail Transfer Protocol (SMTP) relay
JavaScript
• Scripting language developed by Netscape to
enable Web authors to design interactive sites
• Code is typically embedded into an HTML
document and placed between the <head> and
</head> tags
• Programs can perform tasks outside user’s
control
JavaScript Security Loopholes
• Monitoring Web browsing
• Reading password and other system files
• Reading browser’s preferences
ActiveX
• Loosely defined set of technologies developed
by Microsoft
o Outgrowth of OLE (Object Linking and
Embedding) and COM (Component Object Model)
• Provides tools for linking desktop applications
to WWW content
• Utilizes embedded Visual Basic code that can
compromise integrity, availability, and
confidentiality of a target system
Buffer
• Temporary storage area, usually in RAM
• Acts as a holding area, enabling the CPU to
manipulate data before transferring it to a device
Buffer Overflow Attacks
• Triggered by sending large amounts of data
that exceeds capacity of receiving application
within a given field
• Take advantage of poor application
programming that does not check size of input
field
• Not easy to coordinate; prerequisites:
o
Place necessary code into program’s address
space
o
Direct application to read and execute embedded
code through effective manipulation of registers
and memory of system
Cookies
• Messages given to Web browsers by Web
servers
o
Browser stores message in a text file
o
Message is sent back to server each time browser
requests a page from server
• Verify a user’s session
• Designed to enhance browsing experience
Vulnerabilities of Cookies
• Contain tools that are easily exploited to
provide information about users without
consent
o
Attacker convinces user to follow malicious
hyperlink to targeted server to obtain the cookie
through error handling process on the server
o
User must be logged on during time of attack
• To guard against EHE attacks
o
Do not return unescaped data back to user
o
Do not echo 404 file requests back to user
Java Applets
• Internet applications (written in Java
programming language) that can operate on
most client hardware and software platforms
• Stored on Web servers from where they can
be downloaded onto clients when first
accessed
• With subsequent server access, the applet is
already cached on the client and can be
executed with no download delay
Signed Applets
• Technique of adding a digital signature to an
applet to prove that it came unaltered from a
particular trusted source
• Can be given more privileges than ordinary
applets
• Unsigned applets are subject to sandbox
restrictions
Unsigned Applets
Sandbox Model
• Prevent the applet from:
o
Performing required operations on local system
resources
o
Connecting to any Web site except the site from
which the applet was loaded
o
Accessing client’s local printer
o
Accessing client’s system clipboard and properties
Signed Applets
Reasons for Using
Code Signing Features
• To release the application from sandbox
restrictions imposed on unsigned code
• To provide confirmation regarding the source of
the application's code
Common Gateway Interface (CGI)
• Interface specification that allows
communication between client programs and
Web servers that understand HTTP
• Uses TCP/IP
• Can be written in any programming language
• Parts of a CGI script
o
Executable program on the server (the script itself)
o
HTML page that feeds input to the executable
Typical Form Submission
CGI
• Interactive nature leads to security loopholes
o Allowing input from other systems to a program
that runs on a local server exposes the system to
potential security hazards
Precautions to Take When Running
Scripts on a Server
• Deploy IDS, access list filtering, and
screening on the border of the network
• Design and code applications to check size
and content of input received from clients
• Create different user groups with different
permissions; restrict access to hierarchical file
system based on those groups
• Validate security of a prewritten script before
deploying it in your production environment
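The precautions above for server-side scripts (check the size and content of client input) together with the cookie-slide advice not to return unescaped data or echo 404 file requests to the user, as an added Go net/http example that is not from the original slides. The endpoint, form field name, length limits and allowed character set are assumptions of this constructed demo.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/http"
	"unicode"
	"unicode/utf8"
)

// Assumed limits for this constructed demo: one form field, small request bodies.
const (
	maxNameLen  = 64
	maxBodySize = 4096
)

// ValidateName checks the size and the content of a client-supplied field before
// anything else uses it; the error text never repeats the input.
func ValidateName(name string) error {
	if !utf8.ValidString(name) {
		return errors.New("name is not valid UTF-8")
	}
	if n := utf8.RuneCountInString(name); n == 0 || n > maxNameLen {
		return fmt.Errorf("name must be 1 to %d characters", maxNameLen)
	}
	for _, r := range name {
		if !(unicode.IsLetter(r) || r == ' ' || r == '-' || r == '\'') {
			return errors.New("name contains a disallowed character")
		}
	}
	return nil
}

// RenderGreeting builds the HTML returned to the user; the value is escaped so that
// markup or script inside it is displayed as text rather than interpreted.
func RenderGreeting(name string) string {
	return "<p>Hello, " + html.EscapeString(name) + "</p>"
}

// GreetHandler is the CGI-style endpoint: /greet?name=...
func GreetHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodySize) // cap what the client may send
	if err := r.ParseForm(); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	name := r.FormValue("name")
	if err := ValidateName(name); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest) // fixed wording, never the input
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, RenderGreeting(name))
}

// NotFoundHandler answers unknown paths with a fixed body: the requested path
// belongs in the server log, not in the response.
func NotFoundHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusNotFound)
	fmt.Fprint(w, "<p>The requested resource was not found.</p>")
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/greet", GreetHandler)
	mux.HandleFunc("/", NotFoundHandler)
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", mux))
}
```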
Simple Mail Transfer Protocol
(SMTP)
• Standard Internet protocol for global
e-mail communications
• Transaction takes place between two SMTP
servers
• Designed as a simple protocol
o
Easy to understand and troubleshoot
o
Easily exploited by malicious users
Vulnerabilities of SMTP Relay
• Spam via SMTP relay can lead to:
o
Loss of bandwidth
o
Hijacked mail servers that may no longer be able
to serve their legitimate purpose
• Mail servers of innocent organizations can be
subject to blacklisting
Chapter Summary
• Protocols commonly implemented for secure
message transmissions
o
Secure Sockets Layer
o
Transport Layer Security
• Data encryption across the Internet through
Secure Hypertext Transfer Protocol in relation
to SSL/TLS
continued…
Chapter Summary
• Instant Messaging
o
Common uses
o
Vulnerabilities
• Well-known vulnerabilities associated with web
development tools
Directory and File Transfer Services
• Chapter 7
Learning Objectives
• Explain benefits offered by centralized
enterprise directory services such as LDAP
over traditional authentication systems
• Identify major vulnerabilities of the FTP
method of exchanging data
• Describe S/FTP, the major alternative to using
FTP, in order to better secure your network
infrastructure
• Illustrate the threat posed to your network by
unmonitored file shares
Directory Services
• Network services that uniquely identify users and
can be used to authenticate and authorize them
to use network resources
• Allow users to look up username or resource
information, just as DNS does
Lightweight Directory Access Protocol
(LDAP)
• Accesses directory data based on ISO’s X.500
standard, but includes TCP/IP support and
simplified client design
• Exchanges directory information with clients (is
not a database that stores the information)
• Allows users to search using a broad set of
criteria (name, type of service, location)
continued…
LDAP
• Provides additional features including
authentication and authorization
o Each person uses only one username and
password regardless of client software and OS
• Key feature and benefit
o Versatile directory system that is standards based
and platform independent
Major LDAP Products
Common Applications of LDAP
• Single sign-on (SSO)
• User administration
• Public key infrastructure (PKI)
LDAP Operations
LDAP Framework
• Directory Information Tree (DIT)
o
Data structure that actually contains directory
information about network users and services
o
Hierarchical structure
Directory Information Tree
LDAP Framework
• Distinguished name (DN) example, read from the most specific
relative DN (the leaf) up to the root of the DIT
o cn=Jonathan Q Public
o ou=Information Security Department
o o=XYZ Corp.
o c=US (country is a two-letter ISO code, not a spelled-out name)
o Written as one string:
cn=Jonathan Q Public,ou=Information Security Department,o=XYZ Corp.,c=US
LDAP Security Benefits
• Authentication
o Ensures users’ identities
o Three levels
Anonymous (no authentication)
Simple authentication (DN and password are sent in clear text
unless the connection is protected by TLS)
Simple Authentication and Security Layer (SASL), e.g. Kerberos/GSSAPI
• Authorization
o Determines network resources the user may
access
o Determined by access control lists (ACLs), typically scoped to a
subtree of the DIT
• Encryption
o Provided by TLS (LDAPS on port 636, or StartTLS on port 389) or by a
SASL mechanism that negotiates its own security layer
LDAP Security Vulnerabilities
• Denial of service
• Man in the middle
• Attacks against data confidentiality
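The DN structure, subtree-scoped ACLs and the user-lookup filters that an SSO front end builds are the places where LDAP authorization decisions are actually made. The following is an added example, not code from the textbook or from any LDAP product: it parses RFC 4514 DN strings, decides whether an entry lies under an ACL scope in the DIT, and escapes user input before it is placed in an RFC 4515 search filter. All DNs, the ACL table and the usernames are constructed for illustration.

```python
"""LDAP DN parsing, subtree ACL scoping and search-filter escaping.

Added example, not code from the textbook. The DNs, the ACL entries and
the usernames below are constructed for illustration; escaping follows
RFC 4514 (DN string form) and RFC 4515 (search filters).
"""
import re

_HEXPAIR = re.compile(r'[0-9A-Fa-f]{2}')


def parse_dn(dn):
    """Split a DN string into (attribute, value) RDN pairs, leaf first.

    'cn=Jonathan Q Public,ou=Information Security Department,o=XYZ Corp.,c=US'
    becomes [('cn', 'Jonathan Q Public'), ('ou', ...), ('o', ...), ('c', 'US')].
    Backslash escapes (\\, and the hex form \\2C) are decoded.
    """
    rdns, buf, attr, in_attr, i = [], [], '', True, 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            if _HEXPAIR.fullmatch(dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if in_attr and ch == '=':
            attr, buf, in_attr = ''.join(buf).strip().lower(), [], False
        elif not in_attr and ch == ',':
            rdns.append((attr, ''.join(buf).strip()))
            buf, in_attr = [], True
        else:
            buf.append(ch)
        i += 1
    if in_attr:
        raise ValueError('malformed DN: %r' % dn)
    rdns.append((attr, ''.join(buf).strip()))
    return rdns


def _norm(dn):
    """Attribute types are already lower-cased; values compare case-insensitively."""
    return [(a, v.lower()) for a, v in parse_dn(dn)]


def is_under(entry_dn, base_dn):
    """True if entry_dn equals base_dn or lies beneath it in the DIT."""
    entry, base = _norm(entry_dn), _norm(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def escape_filter_value(value):
    """Escape a user-supplied value for an LDAP search filter (RFC 4515) so
    it cannot close the current term and inject further filter logic."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def build_login_filter(username):
    """Filter an SSO front end would use to find the entry to bind as."""
    return '(&(objectClass=person)(uid=%s))' % escape_filter_value(username)


# Constructed ACL: (subject DN, right granted, subtree the right applies to).
ACL = [
    ('cn=helpdesk,ou=Groups,o=XYZ Corp.,c=US', 'read',
     'ou=Information Security Department,o=XYZ Corp.,c=US'),
    ('cn=helpdesk,ou=Groups,o=XYZ Corp.,c=US', 'write',
     'ou=Helpdesk,o=XYZ Corp.,c=US'),
]


def authorized(subject_dn, right, target_dn, acl=ACL):
    """Authorization decision: some ACL entry names this subject, grants
    this right, and is scoped to a subtree that contains the target."""
    return any(_norm(subject_dn) == _norm(subj) and r == right
               and is_under(target_dn, scope)
               for subj, r, scope in acl)
```

Without `escape_filter_value`, a username such as `admin)(|(uid=*` turns the login filter into one that matches every person entry; the escaped form keeps the attacker's parentheses and wildcard inside the `uid` value where they match nothing.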
File Transfer Services
• Ability to share programs and data around the
world is an essential aspect of the Internet
• Critical to today’s networked organizations
File Transfer Protocol (FTP)
• Commonly used but very insecure
• Two standard data transmission methods –
active FTP and passive FTP
o
In both, client initiates a TCP session using
destination port 21 (command connection)
o
Differences are in the data connection that is set
up when user wants to transfer data between two
machines
Setup of FTP Control Connection
Active FTP
• FTP’s default connection mode
• Client sends a PORT command naming its own address and a
listening port greater than 1023
• FTP server then creates the data connection by opening a
TCP session from its source port 20 to that client port, so the
server rather than the client initiates the connection (contrary
to TCP’s usual client-to-server direction); client-side firewalls
and NAT devices that do not understand FTP therefore block it
Setup of the Active FTP Data Connection
Passive FTP
• Not supported by all FTP implementations
• Client sends PASV; the server replies (code 227) with an address
and a random high port on which it is listening
• Client initiates the data connection to that port from a random
high port of its own, so source and destination are both high
ports and only the client ever opens a connection
Setup of the Passive FTP Data Connection
FTP Security Issues
• Bounce attack
• Clear text authentication and data transmission
• Glob vulnerability
• Software exploits and buffer overflow
vulnerabilities
• Anonymous FTP and blind FTP access
FTP Countermeasures
• Do not allow anonymous access unless a clear
business requirement exists
• Employ a stateful firewall that understands FTP (opens only the
data port negotiated by PORT or PASV, and only to the
negotiating hosts)
• Ensure that server has latest security patches
and has been properly configured to limit user
access
• Encrypt data before placing it on FTP server
continued…
FTP Countermeasures
• Encrypt FTP data flow using a VPN connection
• Switch to a secure alternative
Secure File Transfers
• Secure File Transfer Protocol (S/FTP, more commonly written SFTP)
o Replacement for FTP that runs as a subsystem of SSH version 2,
using SSH as the secure framework for encrypting data transfers
o Not to be confused with FTPS, which is classic FTP wrapped in
SSL/TLS and keeps FTP’s separate data connection
Benefits of S/FTP over FTP
• Offers strong authentication using a variety of SSH methods,
including public keys and, in some implementations, X.509
certificates
• Encrypts authentication, commands, and all
data transferred between client and server
using secure encryption algorithms
• Easy to configure a firewall to permit S/FTP
communications (uses a single, well-behaved
TCP connection)
• Requires no negotiation to open a second
connection
SecureFTP Implementation Programs
File Sharing
• Originally intended to share files on a LAN
• Easy to set up
• Uses Windows graphical interface
• Can be configured as peer-to-peer or as
client/server shares
File Sharing Risks
• Confidentiality of data
• Some viruses spread via network shares
• Critical information other than user documents could be
compromised if file shares are misconfigured
Protecting Your File Shares
• Define and communicate a policy
• Conduct audits of file shares using commercial
scanning and audit tools
Chapter Summary
• Key resources used to support mission-critical
business applications
o
Directory services
LDAP
o
File transfer mechanisms
FTP
S/FTP
Wireless and Instant Messaging
• Chapter 8
Learning Objectives
• Understand security issues related to wireless
data transfer
• Understand the 802.11x standards
• Understand Wireless Application Protocol (WAP)
and how it works
• Understand Wireless Transport Layer Security
(WTLS) protocol and how it works
continued…
Learning Objectives
• Understand Wired Equivalent Privacy (WEP) and
how it works
• Conduct a wireless site survey
• Understand instant messaging
802.11
• IEEE group responsible for defining interface
between wireless clients and their network
access points in wireless LANs
• First standard finalized in 1997 defined three
types of transmission at Physical layer
o
Diffused infrared - based on infrared transmissions
o
Direct sequence spread spectrum (DSSS) - radio-
based
o
Frequency hopping spread spectrum (FHSS) -
radio-based
continued…
802.11
• Established WEP as optional security protocol
• Specified use of 2.4 GHz industrial, scientific, and
medical (ISM) radio band
• Mandated 1 Mbps data transfer rate and optional
2 Mbps data transfer rate
• Most prominent working groups: 802.11b,
802.11a, 802.11i, and 802.11g
802.11a
• “High-Speed Physical Layer in the 5 GHz Band”
• Sets specifications for wireless data transmission
of up to 54 Mbps in the
5 GHz band
• Uses an orthogonal frequency division
multiplexing encoding scheme rather than FHSS
or DSSS
• Approved in 1999
802.11b
• “Higher-Speed Layer Extension in the 2.4
GHz Band”
• Establishes specifications for data
transmission that provides 11 Mbps
transmission (with fallback to 5.5, 2, and 1
Mbps) at 2.4 GHz band
• Sometimes referred to as “Wi-Fi” when
associated with WECA certified devices
• Uses only DSSS
• Approved in 1999
802.11c
• Worked to establish MAC bridging functionality for 802.11
(how access points bridge wireless frames to other LANs)
• Folded into 802.1D standard for MAC bridging
802.11d
• Responsible for determining requirements
necessary for 802.11 to operate in other
countries
• Continuing
802.11e
• Responsible for creating a standard that will add
multimedia and quality of service (QoS)
capabilities to wireless MAC layer and therefore
guarantee specified data transmission rates and
error percentages
• Proposal in draft form
802.11f
• Responsible for creating a standard that will allow
for better roaming between multivendor access
points and distribution systems
• Ongoing
802.11g
• Responsible for providing raw data throughput over wireless
networks at a rate of 22 Mbps or more in the 2.4 GHz band,
backward compatible with 802.11b
• Draft created in January 2002; final approval expected in late
2002 or early 2003 (ratified in 2003 with a 54 Mbps OFDM rate)
802.11h
• Responsible for providing a way to allow for
European implementation requests regarding
the 5 GHz band
• Requirements
o Transmit power control (TPC): limits the PC card from emitting
more radio signal than needed
o Dynamic frequency selection (DFS): allows devices to listen to
radio wave activity before picking a channel on which to
broadcast
• Ongoing; not yet approved
802.11i
• Responsible for fixing the security flaws in WEP; builds on
802.1X port-based authentication for user authentication and
key distribution
• Hopes to eliminate WEP altogether and replace it with Temporal
Key Integrity Protocol (TKIP), which rekeys within a certain
amount of time, and in the longer term with an AES-based cipher
(CCMP)
• Ongoing; not yet approved at the time of writing (ratified in
2004 and marketed as WPA2)
802.11j
• Worked to create a global standard in the
5 GHz band by making high-performance LAN
(HiperLAN) and 802.11a interoperable
• Disbanded after efforts in this area were mostly
successful
Wireless Application Protocol
(WAP)
• Open, global specification created by the WAP
Forum
• Designed to deliver information and services to
users of handheld digital devices
• Compatible with most wireless networks
• Can be built on any operating system
WAP-Enabled Devices
How WAP 1.x Works
• WAP 1.x Stack
o
Set of protocols created by the WAP Forum that
alters the OSI model
o
Five layers lie within the top four (of seven) layers
of the OSI model
o
Leaner than the OSI model
Each WAP protocol makes data transactions as
compressed as possible and allows for more dropped
packets than OSI model
WAP 1.x Stack Compared to OSI/Web Stack
Differences Between Wireless and
Wired Data Transfer
• WAP 1.x stack protocols require that data
communications between clients (wireless
devices) and servers pass through a WAP
gateway
• Network architectural structures
WAP versus Wired Network
The WAP 2.0 Stack
• Eliminates use of WTLS; relies on a lighter
version of TLS – the same protocol used on
the common Internet stack – which allows
end-to-end security and avoids any WAP
gaps
• Replaces all other layers of WAP 1.x by
standard Internet layers
• Still supports the WAP 1.x stack in order to
facilitate legacy devices and systems
Additional WAP 2.0 Features
• WAP Push
• User agent profile
• Wireless Telephony Application
• Extended Functionality Interface (EFI)
• Multimedia Messaging Service (MMS)
Wireless Transport Layer Security
(WTLS) Protocol
• Provides authentication, data encryption, and
privacy for WAP 1.x users
• Three classes of authentication
o
Class 1
Anonymous; does not allow either the client or the
gateway to authenticate each other
o
Class 2
Only allows the client to authenticate the gateway
o
Class 3
Allows both the client and the gateway to authenticate
each other
WTLS Protocol:
Steps of Class 2 Authentication
1.WAP device sends request for authentication
2.Gateway responds, then sends a copy of its
certificate – which contains gateway’s public
key – to the WAP device
3.WAP device receives the certificate and public
key, generates a unique random value, encrypts it
with the gateway’s public key, and sends it to the
gateway
4.WAP gateway receives encrypted value and
uses its own private key to decrypt it; only the
holder of that private key could recover the value,
which now serves as the secret shared by both
sides for deriving the session keys
WTLS Security Concerns
• Security threats posed by WAP gap
• Unsafe use of service set identifiers (SSIDs)
Wired Equivalent Privacy (WEP)
• Optional security protocol for wireless local
area networks defined in the original 802.11
standard and carried into 802.11b
• Designed to provide same level of security as
a wired LAN
• Not considered adequate security without also
implementing a separate authentication
process and providing for external key
management
Wireless LAN (WLAN)
• Connects clients to network resources using
radio signals to pass data through the ether
• Employs wireless access points (AP)
o
Connected to the wired LAN
o
Act as radio broadcast stations that transmit data
to clients equipped with wireless network interface
cards (NICs)
How a WLAN Works (figure: APs and NICs)
How WEP Works
• Uses a symmetric key (shared key) to
authenticate wireless devices (not wireless
device users) and to encrypt transmissions; a
CRC-32 integrity check value (ICV) is meant to
detect tampering, but because CRC is linear it
gives no real integrity guarantee
• Each of the APs and clients need to share the
same key
• Client sends a request to the AP asking for
permission to access the wired network
continued…
How WEP Works
• If WEP has not been enabled (default), the AP
allows the request to pass
• If WEP has been enabled, client begins a
challenge-and-response authentication process
(the AP sends a clear-text challenge and the client
returns it WEP-encrypted; an eavesdropper who
captures both learns a keystream and can answer
later challenges itself)
WEP’s Weaknesses
• Problems related to the initialization vector (IV)
that it prepends to the shared key to encrypt data
o Sent in clear text with every frame, so it can be
picked up by anyone listening
o Only 24 bits long, so the same IV (and therefore the
same RC4 keystream) is reused on a regular basis
• Problems with how it handles keys
o One static key shared by every device, rarely changed,
with no key management defined in the standard
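The two failures above can be shown concretely without any radio hardware. The following is an added example, not code from the textbook or from any WEP implementation: it implements WEP's framing (a 3-byte IV in the clear, RC4 keyed with IV||key, a CRC-32 ICV appended before encryption) on toy packets, then shows that two frames under the same IV XOR to the XOR of their plaintexts, and that an attacker can flip chosen plaintext bits in an encrypted frame and fix up the ICV without knowing the key. The key, IV and packet contents are constructed; no 802.11 header fields are modelled.

```python
"""Why WEP's IV reuse and CRC-32 ICV fail.

Added example, not code from the textbook. The key, IV and packets are
constructed toy values; real 802.11 framing is not modelled.
"""
import struct
import zlib


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream generation); WEP keys it with IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xff])
    return bytes(out)


def _icv(data):
    return struct.pack('<I', zlib.crc32(data) & 0xffffffff)


def wep_encrypt(shared_key, iv, plaintext):
    """Frame body: IV (3 bytes, in clear) || RC4_{IV||key}(plaintext || ICV)."""
    return iv + rc4(iv + shared_key, plaintext + _icv(plaintext))


def wep_decrypt(shared_key, frame):
    """Returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    dec = rc4(iv + shared_key, body)
    plaintext, icv = dec[:-4], dec[-4:]
    return plaintext, icv == _icv(plaintext)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse(frame1, frame2):
    """Two frames under the same IV share a keystream; XORing the
    ciphertexts cancels it and leaves P1 XOR P2 (plus the two ICVs).
    The IV is readable by anyone, so an eavesdropper knows when this applies."""
    assert frame1[:3] == frame2[:3], 'different IVs, no reuse'
    return xor(frame1[3:], frame2[3:])


def bitflip(frame, delta):
    """Modify an encrypted frame without the key: XOR delta into the
    ciphertext and patch the encrypted ICV. CRC-32 is affine, so
    crc(P ^ d) = crc(P) ^ crc(d) ^ crc(zeros of the same length)."""
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))) & 0xffffffff
    patch = delta + struct.pack('<I', icv_delta)
    return frame[:3] + xor(frame[3:], patch)


def demo():
    """Constructed 40-bit key and a deliberately reused IV."""
    key = bytes.fromhex('0123456789')
    iv = bytes.fromhex('000001')
    p1, p2 = b'GET /index.html ', b'POST /login.php '
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    leaked = keystream_reuse(f1, f2)[:len(p1)] == xor(p1, p2)
    # Attacker knows (or guesses) p1 and rewrites it to a different path.
    forged = bitflip(f1, xor(p1, b'GET /admin.html '))
    text, icv_ok = wep_decrypt(key, forged)
    return leaked, text, icv_ok
```

`demo()` returns `(True, b'GET /admin.html ', True)`: the keystream cancelled, and the forged frame decrypts to the attacker's text with a valid ICV. A real MAC (as used by CCMP in 802.11i) would have rejected the second frame; a linear checksum cannot.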
Other WLAN Security Loopholes
• War driving
• Unauthorized users can attach themselves to
WLANs and use their resources, set up their
own access points and jam the network
• WEP authenticates clients, not users
• Wireless network administrators and users
must be educated about inherent insecurity of
wireless systems and the need for care
Conducting a Wireless Site
Survey
1.Conduct a needs assessment of network users
2.Obtain a copy of the site’s blueprint
3.Do a walk-through of the site
4.Identify possible access point locations
5.Verify access point locations
6.Document findings
Instant Messaging (IM)
• AOL Instant Messenger (AIM)
• MSN Messenger
• Yahoo! Messenger
• ICQ
• Internet Relay Chat (IRC)
Definition of IM
• Uses a real-time communication model
• Allows users to keep track of online status and
availability of other users who are also using IM
applications
• Can be used on both wired and wireless devices
• Easy and fast
continued…
Definition of IM
• Operates in two models:
o
Peer-to-peer model
May cause client to expose sensitive information
o
Peer-to-network model
Risk of network outage and DoS attacks making IM
communication unavailable
Problems Facing IM
• Lack of default encryption enables packet sniffing
• Social engineering overcomes even encryption
Technical Issues Surrounding IM
• File transfers
• Application sharing
Legal Issues Surrounding IM
• Possible threat of litigation or criminal indictment
should the wrong message be sent or overheard
by the wrong person
• Currently immune to most corporate efforts to
control it
• Must be monitored in real time
Blocking IM
• Install a firewall to block ports that IM products
use; IM will be unavailable to all employees
• Limited blocking not currently possible
Cellular Phone Short Message
Service (SMS)
• Messages are typed and sent immediately
• Problems
o
Tracking inappropriate messages
o
Risk of having messages sniffed
Chapter Summary
• Efforts of IEEE, specifically the 802.11 family of standards
(written 802.11x here; not to be confused with 802.1X port-based
authentication), to standardize wireless security
• Security issues related to dominant wireless
protocols
o
WAP
Connects mobile telephones, PDAs, pocket computers,
and other mobile devices to the Internet
o
WEP
Used in WLANs
continued…
Chapter Summary
• WTLS protocol
• Conducting a site survey in advance of building a
WLAN
• Security threats related to using instant messaging (IM)
Devices
• Chapter 9
Learning Objectives
• Understand the purpose of a network firewall and
the kinds of firewall technology available on the
market
• Understand the role of routers, switches, and
other networking hardware in security
• Determine when VPN or RAS technology works
to provide a secure network connection
Firewalls
• Hardware or software device that provides a
means of securing a computer or network from
unwanted intrusion
o
Dedicated physical device that protects network
from intrusion
o
Software feature added to a router, switch, or
other device that prevents traffic to or from part of
a network
Management Cycle for
Firewall Protection
1.Draft a written security policy
2.Design the firewall to implement the policy
3.Implement the design by installing selected
hardware and software
4.Test the firewall
5.Review new threats, requirements for
additional security, and updates to systems
and software; repeat process from first step
Drafting a Security Policy
• What am I protecting?
• From whom?
• What services does my company need to access
over the network?
• Who gets access to what resources?
• Who administers the network?
Available Targets and
Who Is Aiming at Them
• Common areas of attack
o
Web servers
o
Mail servers
o
FTP servers
o
Databases
• Intruders
o
Sport hackers
o
Malicious hackers
Who Gets Access to Which
Resources?
• List employees or groups of employees along
with files and file servers and databases and
database servers they need to access
• List which employees need remote access to the
network
Who Administers the Network?
• Determine individual(s) and scope of individual
management control
Designing the Firewall
to Implement the Policy
• Select appropriate technology to deploy the
firewall
What Do Firewalls Protect
Against?
• Denial of service (DoS)
• Ping of death
• Teardrop or Raindrop attacks
• SYN flood
• LAND attack
• Brute force or smurf attacks
• IP spoofing
How Do Firewalls Work?
• Network address translation (NAT)
• Basic packet filtering
• Stateful packet inspection (SPI)
• Application gateways
• Access control lists (ACL)
Network Address Translation
(NAT)
• Often the only technique a basic (consumer-grade)
firewall uses
• Enables a LAN to use one set of IP addresses
for internal traffic and a second set for
external traffic
• With plain one-to-one NAT, each active
connection requires a unique external address
for the duration of the communication
• Port address translation (PAT)
o Derivative of NAT
o Supports thousands of simultaneous connections
on a single public IP address by rewriting source
ports as well as addresses
o Unsolicited inbound packets match no translation
entry and are dropped, which is the limited
protection NAT actually provides
Basic Packet Filtering
• Firewall system examines each packet that
enters it and allows through only those
packets that match a predefined set of rules
• Can be configured to screen information
based on many data fields:
o
Protocol type
o
IP address
o
TCP/UDP port
o
Source routing information
Stateful Packet Inspection (SPI)
• Controls access to network by analyzing
incoming/outgoing packets and letting them
pass or not based on the state of the connection
they belong to, not only on the addresses and
ports in the header
o Records each connection initiated through the
firewall (for TCP, the SYN, SYN-ACK, ACK
handshake) and admits later packets only if they
match a tracked connection
• Enhances security by allowing the filter to
distinguish on which side of firewall a
connection was initiated; essential to blocking
IP spoofing attacks and crafted packets that merely
carry the ACK flag to look like reply traffic
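The difference between basic packet filtering and stateful inspection is easiest to see on one crafted packet. The following is an added example, not code from the textbook or from any firewall product: a stateless filter that evaluates an ACL top-down (including the classic "established" rule that trusts the ACK bit) beside a stateful filter that records who initiated each TCP session and admits reply traffic only for sessions it has seen. The addresses, the ACL and the packet sequences are constructed; only TCP is tracked, and session expiry and FIN/RST teardown are omitted.

```python
"""Packet filtering with and without connection state.

Added example, not code from the textbook. Packets are plain tuples built
in code (nothing is captured), the addresses and ACL are constructed, and
only TCP is tracked; session expiry and teardown (FIN/RST) are omitted.
"""
from collections import namedtuple

Packet = namedtuple('Packet', 'src dst proto sport dport flags')

INTERNAL_PREFIX = '10.0.0.'                 # constructed internal network
INBOUND_SERVICES = {('10.0.0.80', 80)}      # constructed DMZ web server


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


# Constructed stateless ACL, evaluated top-down, first match wins:
# (direction, protocol, destination port or None, action).
ACL = [
    ('in',  'tcp', 80,   'allow'),              # public web server
    ('in',  'tcp', None, 'allow_established'),  # classic "established" rule
    ('out', 'tcp', None, 'allow'),
    ('any', 'any', None, 'deny'),
]


def stateless_filter(pkt, direction):
    """Basic packet filter: looks only at the header fields of this packet.
    The 'established' rule trusts the ACK bit, which anyone can set."""
    if direction == 'in' and is_internal(pkt.src):
        return 'deny', 'spoofed internal source address'
    for d, proto, port, action in ACL:
        if d not in (direction, 'any') or proto not in (pkt.proto, 'any'):
            continue
        if port is not None and port != pkt.dport:
            continue
        if action == 'allow_established':
            if 'A' in pkt.flags and 'S' not in pkt.flags:
                return 'allow', 'ACK set, assumed to belong to a session'
            continue
        return action, 'matched rule %s' % ((d, proto, port),)
    return 'deny', 'default'


class StatefulFilter:
    """Stateful packet inspection: remembers who initiated each TCP
    session and admits reply traffic only for sessions it has seen."""

    def __init__(self):
        # (initiator ip, initiator port, responder ip, responder port) -> state
        self.sessions = {}

    def check(self, pkt, direction):
        if direction == 'in' and is_internal(pkt.src):
            return 'deny', 'spoofed internal source address'
        if pkt.proto != 'tcp':
            return 'deny', 'only TCP is tracked in this example'
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)  # initiator -> responder
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # responder -> initiator
        if pkt.flags == 'S':
            # New connection: any outbound, inbound only to published services.
            if direction == 'out' or (pkt.dst, pkt.dport) in INBOUND_SERVICES:
                self.sessions[fwd] = 'SYN_SENT'
                return 'allow', 'new session recorded'
            return 'deny', 'unsolicited inbound SYN'
        if rev in self.sessions:
            if self.sessions[rev] == 'SYN_SENT':
                if pkt.flags != 'SA':
                    return 'deny', 'expected SYN-ACK from responder'
                self.sessions[rev] = 'SYN_RECV'
            return 'allow', 'responder packet of a tracked session'
        if fwd in self.sessions:
            if self.sessions[fwd] == 'SYN_RECV' and 'A' in pkt.flags:
                self.sessions[fwd] = 'ESTABLISHED'
            return 'allow', 'initiator packet of a tracked session'
        return 'deny', 'no session matches (flags=%s)' % pkt.flags


def crafted_ack_scenario():
    """Inbound packet with only ACK set, aimed at an internal RDP port.
    The stateless filter passes it; the stateful one drops it because
    no host ever opened that session."""
    crafted = Packet('203.0.113.9', '10.0.0.5', 'tcp', 4444, 3389, 'A')
    return stateless_filter(crafted, 'in')[0], StatefulFilter().check(crafted, 'in')[0]


def handshake_scenario():
    """A legitimate outbound HTTPS handshake followed by server data."""
    sf = StatefulFilter()
    flow = [
        (Packet('10.0.0.5', '198.51.100.7', 'tcp', 51000, 443, 'S'), 'out'),
        (Packet('198.51.100.7', '10.0.0.5', 'tcp', 443, 51000, 'SA'), 'in'),
        (Packet('10.0.0.5', '198.51.100.7', 'tcp', 51000, 443, 'A'), 'out'),
        (Packet('198.51.100.7', '10.0.0.5', 'tcp', 443, 51000, 'PA'), 'in'),
    ]
    verdicts = [sf.check(p, d)[0] for p, d in flow]
    return verdicts, sf.sessions[('10.0.0.5', 51000, '198.51.100.7', 443)]
```

`crafted_ack_scenario()` returns `('allow', 'deny')`, which is the whole argument for SPI: the stateless ACL has no way to know that the ACK-flagged packet was never preceded by a handshake. Both filters still reject an inbound packet claiming an internal source, the anti-spoofing check that every perimeter filter needs regardless of state.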
Access Control Lists (ACL)
• Rules built according to organizational policy that
defines who can access portions of the network
Routers
• Network management device that sits between
network segments and routes traffic from one
network to another
• Allows networks to communicate with one
another
• Allows Internet to function
• Act as digital traffic cop (with addition of packet
filtering)
How a Router Moves Information
• Examines electronic envelope surrounding a
packet; compares address to list of addresses
contained in router’s lookup tables
• Determines which router to send the packet to
next, based on changing network conditions
How a Router Moves Information
Beyond the Firewall
• Demilitarized zone (DMZ)
• Bastion hosts (potentially)
Demilitarized Zone
• Area set aside for servers that are publicly
accessible or have lower security
requirements
• Sits between the Internet and internal
network’s line of defense
o
Stateful device fully protects other internal
systems
o
Packet filter allows external traffic only to services
provided by DMZ servers
• Allows a company to host its own Internet
services without exposing its private network
to unauthorized access
Bastion Hosts
• Computers that reside in a DMZ and that host
Web, mail, DNS, and/or FTP services
• Gateway between an inside network and an
outside network
• Defends against attacks aimed at the inside
network; used as a security measure
• Unnecessary programs, services, and
protocols are removed; unnecessary network
ports are disabled
• Do not share authentication services with
trusted hosts within the network
Application Gateways
• Also known as proxy servers
• Monitor specific applications (FTP, HTTP, Telnet)
• Allow packets accessing those services to go to
only those computers that are allowed
• Good backup to packet filtering
Application Gateways
• Security advantages
o
Information hiding
o
Robust authentication and logging
o
Simpler filtering rules
• Disadvantage
o Two steps are required to connect inbound or
outbound traffic; can increase processor overhead
OSI Reference Model
• Architecture that classifies most network
functions
• Seven layers
o
Application
o
Presentation
o
Session
o
Transport
o
Network
o
Data-Link
o
Physical
The OSI Stack
• Layers 4 and 5
o Layer 4 (Transport) carries the TCP and UDP ports;
layer 5 (Session) controls the communication
sessions built on them
• Layer 3
o Routes IP packets
• Layer 2
o Delivers data frames across LANs
Limitations of
Packet-Filtering Routers
• ACL can become long, complicated, and difficult
to manage and comprehend
• Throughput decreases as number of rules being
processed increases
• Unable to inspect packet content above the network
and transport headers (layers 5 through 7), so an
application-layer attack passes as long as its port
is permitted
Switches
• Provide same function as bridges (divide
collision domains), but employ application-
specific integrated circuits (ASICs) that are
optimized for the task
• Reduce collision domain to two nodes (switch
and host)
• Main benefit over hubs
o Separation of collision domains limits the
possibility of sniffing
Switches
Switch Security
• ACLs
• Virtual Local Area Networks (VLANs)
Virtual Local Area Network
• Logical grouping of switch ports (or of 802.1Q-tagged
frames) that behaves as one LAN regardless of the
physical wiring
• Broadcast domain within a switched network
• Isolates traffic by switch configuration rather than by
cable; it does not encrypt anything, so data on a VLAN
can still be intercepted by any host on that VLAN or
by anyone with access to a trunk port
• Clusters users in smaller groups
o Increases security from hackers by limiting what a
compromised host can reach at layer 2
o Reduces possibility of broadcast storm
Security Problems with Switches
• Common ways of switch hijacking
o Try default passwords which may not have been
changed
o Sniff the network to get the administrator password,
which SNMP (v1/v2c community strings) and Telnet
send in clear text
Securing a Switch
• Isolate all management interfaces
• Manage switch by physical connection to a serial
port or through secure shell (SSH) or other
encrypted method
• Use separate switches or hubs for DMZs to
physically isolate them from the network and
prevent VLAN jumping
continued…
Securing a Switch
• Put switch behind dedicated firewall device
• Maintain the switch; install latest version of
software and security patches
• Read product documentation
• Set strong passwords
Example of a Compromised VLAN
Wireless
• Almost anyone can eavesdrop on a network
communication
• Encryption is the only secure method of
communicating with wireless technology
Modems
DSL versus Cable Modem
Security
• DSL
o Direct connection between computer/network and
the Internet
• Cable modem
o
Connected to a shared segment; party line
o
Most have basic firewall capabilities to prevent
files from being viewed or downloaded
o
Most implement the Data Over Cable Service
Interface Specification (DOCSIS) for
authentication and packet filtering
Dynamic versus Static IP Addressing
• Static IP addresses
o Provide a fixed target for potential hackers
• Dynamic IP addresses
o Assigned by the Dynamic Host Configuration
Protocol (DHCP)
o Said to provide enhanced security because the
DHCP server can change a client’s address, making
it a moving target for potential hackers
o In practice a weak control: leases are usually
renewed to the same address, and an attacker on
the segment simply rescans to find the host again,
so do not rely on it as a defense
Remote Access Service (RAS)
• Provides a mechanism for one computer to
securely dial in to another computer
• Treats modem as an extension of the network
• Includes encryption and logging
• Accepts incoming calls
• Should be placed in the DMZ
Security Problems with RAS • Behind physical firewall; potential for network to be compromised •
Security Problems with RAS
• Behind physical firewall; potential for network to
be compromised
• Most RAS systems offer encryption and callback
as features to enhance security
Telecom/Private Branch Exchange (PBX)
• PBX
o Private phone system that offers features such as voicemail, call forwarding, and conference calling
o Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability
IP-Based PBX
PBX Security Concerns
• Remote PBX management
• Hoteling or job sharing
o Many move codes are standardized and posted on the Internet
Virtual Private Networks
• Provide secure communication pathway or tunnel through public networks (e.g., Internet)
• Lowest levels of TCP/IP are implemented using existing TCP/IP connection
• Encrypt either the underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery
• Further enhance security by implementing Internet Protocol Security (IPSec)
Internet Protocol Security (IPSec)
• Allows encryption of either just the data in a packet (transport mode) or the packet as a whole (tunnel mode)
• Enables a VPN to eliminate packet sniffing and identity spoofing
• Requirement of the Internet Protocol version 6 (IPv6) specification
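The transport/tunnel distinction above is easiest to see by asking what an eavesdropper on the public network still learns in each mode. The following is an added example, not code from the textbook: it models the two modes on a toy packet structure. Transport mode encrypts only the payload and leaves the original header visible; tunnel mode encrypts the entire inner packet and wraps it in a new outer header that carries only the VPN gateway addresses. The cipher is a stand-in keystream derived from HMAC-SHA256 with a per-packet nonce (an assumption made for illustration; real IPSec ESP uses a negotiated cipher such as AES plus an integrity check, which this model omits). The addresses, key and payload are constructed sample values.

```python
"""Transport mode versus tunnel mode: what a sniffer on the public network sees.

Added example, not from the textbook. The cipher below is a stand-in for ESP's
negotiated cipher; it exists only so the two encapsulation modes can be compared.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key and nonce. A nonce must never repeat under the same key.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
DEMO_NONCE = bytes(8)


@dataclass(frozen=True)
class IPPacket:
    src: str        # header source address, always clear text on the wire
    dst: str        # header destination address, always clear text on the wire
    payload: bytes  # everything after the header


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 blocks (stand-in cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the same keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def serialize(pkt: IPPacket) -> bytes:
    # Toy wire format: "src|dst|" followed by the raw payload bytes.
    return f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload


def parse(raw: bytes) -> IPPacket:
    src, dst, payload = raw.split(b"|", 2)
    return IPPacket(src.decode(), dst.decode(), payload)


def transport_mode(pkt: IPPacket, key: bytes, nonce: bytes) -> IPPacket:
    """Transport mode: only the payload is encrypted; the original header stays."""
    return IPPacket(pkt.src, pkt.dst, xor_crypt(key, nonce, pkt.payload))


def tunnel_mode(pkt: IPPacket, key: bytes, nonce: bytes, gw_src: str, gw_dst: str) -> IPPacket:
    """Tunnel mode: the whole inner packet is encrypted and wrapped in a new
    outer header that names only the two VPN gateways."""
    return IPPacket(gw_src, gw_dst, xor_crypt(key, nonce, serialize(pkt)))


def unwrap_tunnel(outer: IPPacket, key: bytes, nonce: bytes) -> IPPacket:
    """Receiving gateway: decrypt the outer payload and recover the inner packet."""
    return parse(xor_crypt(key, nonce, outer.payload))


def leaks_inner_hosts(on_wire: IPPacket, inner: IPPacket) -> bool:
    """Does the packet as seen on the public network expose the inner hosts' addresses?"""
    visible = serialize(on_wire)
    return inner.src.encode() in visible or inner.dst.encode() in visible


def leaks_payload(on_wire: IPPacket, inner: IPPacket) -> bool:
    """Does the packet as seen on the public network expose the original data?"""
    return inner.payload in on_wire.payload


if __name__ == "__main__":
    inner = IPPacket("10.0.0.5", "10.0.1.9", b"GET /payroll HTTP/1.1")  # constructed
    t = transport_mode(inner, DEMO_KEY, DEMO_NONCE)
    u = tunnel_mode(inner, DEMO_KEY, DEMO_NONCE, "203.0.113.1", "198.51.100.7")
    print("transport mode exposes inner hosts:", leaks_inner_hosts(t, inner))
    print("tunnel mode exposes inner hosts:   ", leaks_inner_hosts(u, inner))
    print("recovered inner packet matches:    ", unwrap_tunnel(u, DEMO_KEY, DEMO_NONCE) == inner)
```

Transport mode protects the data but still tells an observer which internal hosts are talking; tunnel mode hides both the data and the inner addressing, which is why site-to-site VPN gateways use it.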
Intrusion Detection Systems (IDS)
• Monitor networks and report on unauthorized attempts to access any part of the system
• Available from many vendors
• Forms
o Software (computer-based IDS)
o Dedicated hardware devices (network-based IDS)
• Types of detection
o Anomaly-based detection
o Signature-based detection
Computer-based IDS
• Software applications (“agents”) are installed on each protected computer
o Make use of disk space, RAM, and CPU time to analyze OS, applications, system audit trails
o Compare these to a list of specific rules
o Report discrepancies
• Can be self-contained or remotely managed
• Easy to upgrade software, but do not scale well
Network-based IDS
• Monitors activity on a specific network segment
• Dedicated platforms with two components
o Sensor: passively analyzes network traffic
o Management system: displays alarm information from the sensor
Anomaly-based Detection
• Builds statistical profiles of user activity and then reacts to any activity that falls outside these profiles
• Often leads to large number of false positives
o Users do not access computers/network in static, predictable ways
o Cost of building a sensor that could hold enough memory to contain the entire profile and time to process the profiles is prohibitively large
Signature-based Detection
• Similar to antivirus program in its method of detecting potential attacks
• Vendors produce a list of signatures used by the IDS to compare against activity on the network or host
• When a match is found, the IDS takes some action (e.g., logging the event)
• Can produce false positives; normal network activity may be construed as malicious
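Both detection types on the two slides above, and both kinds of false positive they warn about, can be shown on the same handful of events. The following is an added example, not code from the textbook: a minimal host-based detector that runs a vendor-style signature list and a per-user statistical profile (mean and standard deviation of the hour of access, flagged beyond a z-score of 2) over constructed web access log lines. The log lines, signature patterns, users and threshold are all constructed for illustration and are not from any real product.

```python
"""Signature-based and anomaly-based detection over constructed log lines.

Added example, not from the textbook. Log format (constructed):
    <ISO timestamp> <user> <source ip> <request>
"""
import re
import statistics
from collections import defaultdict

# Constructed baseline from earlier days, used to build each user's profile.
BASELINE_LOG = [
    "2024-03-01T09:10:00 alice 10.0.0.5 GET /reports/index.html",
    "2024-03-01T10:22:00 alice 10.0.0.5 GET /reports/q1.pdf",
    "2024-03-01T11:05:00 alice 10.0.0.5 GET /reports/q2.pdf",
    "2024-03-02T13:40:00 alice 10.0.0.5 GET /reports/summary.pdf",
    "2024-03-02T14:15:00 alice 10.0.0.5 GET /reports/q3.pdf",
    "2024-03-02T16:50:00 alice 10.0.0.5 GET /reports/index.html",
    "2024-03-01T09:30:00 bob 10.0.0.9 GET /intranet/home",
    "2024-03-01T11:45:00 bob 10.0.0.9 GET /intranet/calendar",
    "2024-03-02T14:05:00 bob 10.0.0.9 GET /intranet/home",
    "2024-03-02T16:20:00 bob 10.0.0.9 GET /intranet/news",
    "2024-03-01T08:55:00 carol 10.0.0.12 GET /docs/index.html",
    "2024-03-01T10:10:00 carol 10.0.0.12 GET /docs/unix/index.html",
    "2024-03-02T13:25:00 carol 10.0.0.12 GET /docs/unix/shells.html",
    "2024-03-02T15:00:00 carol 10.0.0.12 GET /docs/index.html",
]

# Constructed events for the day under analysis.
TODAY_LOG = [
    "2024-03-04T09:02:11 alice 10.0.0.5 GET /reports/q1.pdf",
    "2024-03-04T14:12:09 alice 10.0.0.5 GET /reports/q3.pdf",
    "2024-03-04T23:48:51 alice 10.0.0.5 GET /reports/q4.pdf",             # legitimate late work
    "2024-03-04T10:05:17 bob 10.0.0.9 GET /cgi-bin/view?file=../../etc/passwd",
    "2024-03-04T10:07:00 carol 10.0.0.12 GET /docs/unix/etc/passwd.html",  # benign documentation page
]

# Constructed stand-in for a vendor signature list: name -> pattern.
SIGNATURES = {
    "unix-password-file": re.compile(r"etc/passwd"),
    "directory-traversal": re.compile(r"\.\./"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, user, ip, request = m.groups()
    return {"hour": int(ts[11:13]), "user": user, "ip": ip, "request": request}


def signature_alerts(lines) -> list:
    """Signature-based detection: every request is compared against each signature."""
    alerts = []
    for ev in map(parse_line, lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["request"]):
                alerts.append((ev["user"], name))
    return alerts


def build_profiles(lines) -> dict:
    """Anomaly-based detection, training step: per-user mean and sample standard
    deviation of the hour of access (users with fewer than two events get no profile)."""
    hours = defaultdict(list)
    for ev in map(parse_line, lines):
        hours[ev["user"]].append(ev["hour"])
    return {u: (statistics.mean(h), statistics.stdev(h)) for u, h in hours.items() if len(h) >= 2}


def anomaly_alerts(lines, profiles: dict, z_threshold: float = 2.0) -> list:
    """Anomaly-based detection: flag events whose hour lies outside the user's profile.
    Returns (user, hour, z) tuples; z is None when the user has no profile at all."""
    alerts = []
    for ev in map(parse_line, lines):
        prof = profiles.get(ev["user"])
        if prof is None:
            alerts.append((ev["user"], ev["hour"], None))
            continue
        mean, sd = prof
        if sd == 0:
            z = 0.0 if ev["hour"] == mean else float("inf")
        else:
            z = (ev["hour"] - mean) / sd
        if abs(z) > z_threshold:
            alerts.append((ev["user"], ev["hour"], round(z, 2)))
    return alerts


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(TODAY_LOG))
    print("anomaly alerts:  ", anomaly_alerts(TODAY_LOG, build_profiles(BASELINE_LOG)))
```

Run as written, the signature engine flags bob's traversal request on both signatures but also flags carol's benign documentation page (the "normal activity construed as malicious" case), and the profile engine flags alice's 23:48 access even though she is simply working late (the "users do not behave predictably" case); neither engine catches what the other does, which is why the two are deployed together.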
Network Monitoring and Diagnostics
• Essential steps in ensuring safety and health of a network (along with IDS)
• Can be either stand-alone or part of a network-monitoring platform
o HP’s OpenView
o IBM’s Netview/AIX
o Fidelia’s NetVigil
o Aprisma’s Spectrum
Ensuring Workstation and Server Security
• Remove unnecessary protocols such as NetBIOS or IPX
• Remove unnecessary user accounts
• Remove unnecessary shares
• Rename the administrator account
• Use strong passwords
Personal Firewall Software Packages
• Offer application-level blocking, packet filtering, and can put your computer into stealth mode by turning off most if not all ports
• Many products available, including:
o Norton Firewall
o ZoneAlarm
o BlackICE Defender
o Tiny Software’s Personal Firewall
Firewall Product Example
Antivirus Software Packages
• Necessary even on a secure network
• Many vendors, including:
o McAfee
o Norton
o Computer Associates
o Network Associates
Mobile Devices
• Can open security holes for any computer with which these devices communicate
Chapter Summary
• Virtual isolation of a computer or network by implementing a firewall through software and hardware techniques:
o Routers
o Switches
o Modems
o Various software packages designed to run on servers, workstations, and PDAs
continued…
Chapter Summary
• Virtual private networks (VPNs)
• Private branch exchanges (PBX)
• Remote Access Services (RAS)
Media and Medium
Chapter 10
Learning Objectives
• Identify and discuss the various types of transmission media
• Explain how to physically protect transmission media adequately
• Identify and discuss the various types of storage media
• Know how to lessen the risk of catastrophic loss of information
continued…
Learning Objectives
• Understand the various ways to encrypt data
• Properly maintain or destroy stored data
Transmission Media
• Coaxial cable
• Twisted pair copper cable
o Shielded
o Unshielded
• Fiber-optic cable
• Wireless connections
Coaxial Cable
• Hollow outer cylinder surrounds a single inner wire conductor
Coaxial Cable
• More expensive than traditional telephone wiring
• Less prone to interference
• Typically carries larger amounts of data
• Easily spliced; allows unauthorized users access to the network
• Two types (not interchangeable)
o 50-ohm
o 75-ohm
50-Ohm Coaxial Cable
• Uses unmodulated signal over a single channel
• Two standards
o 10Base2 (ThinNet)
o 10Base5 (ThickNet)
50-Ohm Coaxial Cable
• Advantages
o Simple to implement and widely available
o Low cost alternative that provides relatively high rates of data transmission
• Disadvantages
o Can only carry data and voice
o Limited in distance it can transmit signals
10Base2 (ThinNet)
• Uses a thin coaxial cable in an Ethernet environment
• Capable of covering up to 180 meters
• Allows daisy chaining
• Not highly susceptible to noise interference
• Transmits at 10 Mbps
• Can support up to 30 nodes per segment
10Base5 (ThickNet)
• Primarily used as a backbone in an office LAN environment
• Often connects wiring closets
• Can transmit data at speeds up to 10 Mbps
• Covers distances up to 500 meters
• Can accommodate up to 100 nodes per segment
• Rigid and difficult to work with
75-ohm Coaxial Cable
• For analog signaling and high-speed digital signaling
75-ohm Coaxial Cable
• Advantages
o Allows for data, voice, and video capabilities
o Can cover greater distances and offers more bandwidth
• Disadvantages
o Requires hardware to connect via modems
o More difficult to maintain
Twisted Pair Copper Cable
• Individual copper wires are twisted together to prevent crosstalk between pairs and to reduce effects of EMI and RFI
• Inexpensive alternative to coaxial cable, but cannot support the same distances
• Long been used by telephone companies
• Types
o Unshielded twisted pair (UTP)
o Shielded twisted pair (STP)
Unshielded Twisted Pair (UTP)
• Most common medium for both voice and data
• Currently supports up to 1 Gbps protocols
Shielded Twisted Pair (STP)
• Extra foil shield wrapped between copper pairs provides additional insulation from EMI
• Used extensively in LAN wiring
Shielded Twisted Pair (STP)
Twisted Pair Categories
• Category 3 (CAT 3)
• Category 5 (CAT 5)
• Category 6 (CAT 6)
Twisted Pair CAT 3
• For voice and data transmission
Twisted Pair CAT 5
• Supports Fast Ethernet
• Utilizes an 8-pin configuration that can be modified for use as a crossover cable, straight-through cable, or customized cable
Twisted Pair CAT 6
• Supports Gigabit Ethernet
• Offers backwards compatibility
• Uses an 8-pin configuration
Twisted Pair
• Connects to hardware using an RJ-45 connector
Fiber-Optic Cable
• Glass core encased in plastic outer covering
• Smaller, lighter, more fragile and susceptible to damage than coaxial or twisted pair cable
• Carries light
Fiber-Optic Cable
Fiber-Optic Cable
• Advantages
o Capable of transmitting more data much further than other wiring types
o Completely immune to effects of EMI
o Nearly impossible to splice without detection
• Disadvantages
o Expensive
o Difficult to install and manipulate
Comparison of Wired Transmission Media
• Coaxial cable
o Advantages: high bandwidth; long distances; EMI immunity
o Disadvantages: physical dimensions (difficult to work with); easily tapped
• Twisted pair copper cable
o Advantages: inexpensive; widely used; easy to add nodes
o Disadvantages: most sensitive to EMI; supports short distances; limited bandwidth capabilities; easily tapped
• Fiber-optic cable
o Advantages: very high bandwidth; EMI immunity; long distances; high security; small size
o Disadvantages: difficult to implement; expensive; fragile
Unguided Transmission
• Uses various technologies (microwave, radio and infrared) to receive and transmit through the air
• Vulnerable to security breaches in which unauthorized users intercept data flow
• Difficult to secure; unguided connections cannot be physically contained easily
Securing Transmission Media
• Common attacks on data flow include interception and interruption of traffic
• Use lock and key
• Install closed circuit security cameras
• Use equipment that limits or eliminates signal leaks
• Use dry methods for fire extinguishing
continued…
Securing Transmission Media
• Deploy an uninterruptible power supply
• Implement a redundant network
• Utilize a VPN or other encryption technology when using wireless LANs
• Map out cabling and deploy fiber optics in unsecured areas
Storage Media
• Provides a way to hold data at rest
• Hard disk drive
o Developed by IBM in 1970s
o Ubiquitous
• Removable storage media
o Magnetic
o Optical
o Solid-state
Magnetic Storage Media
• Coated with iron oxide
• When data is recorded:
o Electromagnet inside disk drive rearranges the iron oxide particles into a series of patterns that represent 0s and 1s
• When data is retrieved:
o Reading disk drive uses a magnetic field to read the pattern
o Pattern is translated into data that is sent to computer in binary form
Types of Magnetic Storage Media
Floppy Disk
• 3.5 inch, high density
• 1.44 MB capacity
• Circular magnetic piece of plastic inside a rigid plastic case
Zip Disk
• High-capacity floppy disk developed by Iomega Corporation
• 100 MB and 250 MB capacity
• Relatively inexpensive and durable
• Ideal for transporting larger multimedia files
• Can be used for backup
Optical Storage Media
• Light and reflection transmit data
• Most common: CD
o Plastic disc covered by a layer of aluminum and a layer of acrylic
o Typically can store 700 MB of data
o Commonly used to store multimedia
Compact Disc