Computer Security - Discussion
366
Chap ter 12 Se cure Com mu ni ca tions and Net work At tacks
THE CISSP EXAM TOP ICS COV ERED IN THIS CHAP TER IN CLUDE:
Do main 4: Com mu ni ca tion and Net work Se cu rity 4.3 Im ple ment se cure com mu ni ca tion chan nels ac cord ing to de sign
4.3.1 Voice
4.3.2 Mul ti me dia col lab o ra tion
4.3.3 Re mote ac cess
4.3.4 Data com mu ni ca tions
4.3.5 Vir tu al ized net works
Data re sid ing in a static form on a stor age de vice is fairly sim ple to se cure. As long as phys i cal ac cess con trol is main tained and rea son able log i cal ac cess con trols are im ple mented, stored files re main con fi den tial, re tain their in tegrity, and are avail able to au tho rized users. How ever, once data is used by an ap pli ca tion or trans ferred over a net work con nec tion, the process of se cur ing it be comes much more dif fi cult.
Com mu ni ca tions se cu rity cov ers a wide range of is sues re lated to the trans porta tion of elec tronic in for ma tion from one place to an other. That trans porta tion may be be tween sys tems on op po site sides of the planet or be tween sys tems on the same busi ness net work. Once it is in volved in any means of trans porta tion, data be comes vul ner a ble to a plethora of threats to its con fi den tial ity, in tegrity, and avail abil ity. For tu nately, many of these threats can be re duced or elim i nated with the ap pro pri ate coun ter mea sures.
Com mu ni ca tions se cu rity is de signed to de tect, pre vent, and even cor rect data trans porta tion er rors (that is, it pro vides in tegrity pro tec tion as well as con fi den tial ity). This is done to sus tain the se cu rity of net works while sup port ing the need to ex change and share data. This chap ter cov ers the many forms of com mu ni ca tions se cu rity, vul ner a bil i ties, and coun ter mea sures.
The Com mu ni ca tion and Net work Se cu rity do main for the CISSP cer ti fi ca tion exam deals with top ics re lated to net work com po nents (i.e., net work de vices and pro to cols), specif i cally how they func tion and how they are rel e vant to se cu rity. This do main is dis cussed in this chap ter and in Chap ter 11, “Se cure Net work Ar chi tec ture and Se cur ing Net work Com po nents.” Be sure to read and study the ma te rial in both chap ters to en sure com plete cov er age of the es sen tial ma te rial for the CISSP cer ti fi ca tion exam.
Net work and Pro to col Se cu rity Mech a nisms Trans mis sion Con trol Pro to col/In ter net Pro to col (TCP/IP) is the pri mary pro to col suite used on most
net works and on the in ter net. It is a ro bust pro to col suite, but it has nu mer ous se cu rity de fi cien cies. In an ef fort to im prove the se cu rity of TCP/IP, many sub pro to cols, mech a nisms, or ap pli ca tions have been de vel oped to pro tect the con fi den tial ity, in tegrity, and avail abil ity of trans mit ted data. It is im por tant to re mem ber that even with the foun da tional pro to col suite of TCP/IP, there are lit er ally hun dreds, if not thou sands, of in di vid ual pro to cols, mech a nisms, and ap pli ca tions in use across the in ter net. Some of them are de signed to pro vide se cu rity ser vices. Some pro tect in tegrity, oth ers pro tect con fi den tial ity, and oth ers pro vide au then ti ca tion and ac cess con trol. In the next sec tions, we’ll dis cuss some of the more com mon net work and pro to col se cu rity mech a nisms.
Se cure Com mu ni ca tions Pro to cols
Pro to cols that pro vide se cu rity ser vices for ap pli ca tion-spe cific com mu ni ca tion chan nels are called se cure com mu ni ca tion pro to cols. The fol low ing list in cludes a small sam pling of some of the op tions avail able:
IPsec In ter net Pro to col se cu rity (IPsec) uses pub lic key cryp tog ra phy to pro vide en cryp tion, ac cess con trol, non re pu di a tion, and mes sage au then ti ca tion, all us ing IP-based pro to cols. The pri mary use of IPsec
367
is for vir tual pri vate net works (VPNs), so IPsec can op er ate in ei ther trans port or tun nel mode. IPsec is dis cussed fur ther in Chap ter 7, “PKI and Cryp to graphic Ap pli ca tions.”
Ker beros Ker beros of fers a sin gle sign-on so lu tion for users and pro vides pro tec tion for lo gon cre den tials. Mod ern im ple men ta tions of Ker beros use hy brid en cryp tion to pro vide re li able au then ti ca tion pro tec tion. Ker beros is dis cussed fur ther in Chap ter 13, “Cryp tog ra phy and Sym met ric Key Al go rithms.”
SSH Se cure Shell (SSH) is a good ex am ple of an end-to-end en cryp tion tech nique. This se cu rity tool can be used to en crypt nu mer ous plain text util i ties (such as rcp, rlogin, rexec), serve as a pro to col en crypter (such as with SFTP), and func tion as a VPN.
Sig nal Pro to col This is a cryp to graphic pro to col that pro vides end-to-end en cryp tion for voice com mu ni ca tions, video con fer enc ing, and text mes sage ser vices. The Sig nal Pro to col is non fed er ated and is a core el e ment in the mes sag ing app named Sig nal.
Se cure Re mote Pro ce dure Call (S-RPC) This is an au then ti ca tion ser vice and is sim ply a means to pre vent unau tho rized ex e cu tion of code on re mote sys tems.
Se cure Sock ets Layer (SSL) This is an en cryp tion pro to col de vel oped by Net scape to pro tect the com mu ni ca tions be tween a web server and a web browser. SSL can be used to se cure web, email, File Trans fer Pro to col (FTP) or even Tel net traf fic. It is a ses sion-ori ented pro to col that pro vides con fi den tial ity and in tegrity. SSL is de ployed us ing a 40-bit key or a 128-bit key. SSL is su per seded by Trans port Layer Se cu rity (TLS).
Trans port Layer Se cu rity (TLS) TLS func tions in the same gen eral man ner as SSL, but it uses stronger au then ti ca tion and en cryp tion pro to cols.
SSL and TLS both have the fol low ing fea tures:
Sup port se cure client-server com mu ni ca tions across an in se cure net work while pre vent ing tam per ing, spoof ing, and eaves drop ping.
Sup port one-way au then ti ca tion.
Sup port two-way au then ti ca tion us ing dig i tal cer tifi cates.
Of ten im ple mented as the ini tial pay load of a TCP pack age, al low ing it to en cap su late all higher-layer pro to col pay loads.
Can be im ple mented at lower lay ers, such as layer 3 (the Net work layer) to op er ate as a VPN. This im ple men ta tion is known as Open VPN.
In ad di tion, TLS can be used to en crypt User Data gram Pro to col (UDP) and Ses sion Ini ti a tion Pro to col (SIP) con nec tions. (SIP is a pro to col as so ci ated with Voice over IP [VoIP].)
Au then ti ca tion Pro to cols Af ter a con nec tion is ini tially es tab lished be tween a re mote sys tem and a server or a net work, the first
ac tiv ity that should take place is to ver ify the iden tity of the re mote user. This ac tiv ity is known as au then ti ca tion. There are sev eral au then ti ca tion pro to cols that con trol how the lo gon cre den tials are ex changed and whether those cre den tials are en crypted dur ing trans port:
Chal lenge Hand shake Au then ti ca tion Pro to col (CHAP) This is one of the au then ti ca tion pro to cols used over Point-to-Point Pro to col (PPP) links. CHAP en crypts user names and pass words. It per forms au then ti ca tion us ing a chal lenge-re sponse di a logue that can not be re played. CHAP also pe ri od i cally reau then ti cates the re mote sys tem through out an es tab lished com mu ni ca tion ses sion to ver ify a per sis tent iden tity of the re mote client. This ac tiv ity is trans par ent to the user.
Pass word Au then ti ca tion Pro to col (PAP) This is a stan dard ized au then ti ca tion pro to col for PPP. PAP trans mits user names and pass words in clear t ext. It of fers no form of en cryp tion; it sim ply pro vides a means to trans port the lo gon cre den tials from the client to the au then ti ca tion server.
Ex ten si ble Au then ti ca tion Pro to col (EAP) This is a frame work for au then ti ca tion in stead of an ac tual pro to col. EAP al lows cus tom ized au then ti ca tion se cu rity so lu tions, such as sup port ing smart cards, to kens, and bio met rics. (See the side bar “EAP, PEAP, and LEAP” for in for ma tion about other pro to cols based on EAP.)
These three au then ti ca tion pro to cols were ini tially used over dial-up PPP con nec tions. To day, these and many other, newer au then ti ca tion pro to cols (such as openID, OAuth, and Shib bo leth) and con cepts (such as au then ti ca tion fed er a tion and SAML) are in use over a wide num ber of dis tance con nec tion tech nolo gies, in clud ing broad band and vir tual pri vate net works (VPNs), as well as ex pand ing sup port and us ing tra di tional au then ti ca tion ser vices, such as Ker beros, Re mote Au then ti ca tion Dial-in User Ser vice (RA DIUS), and even Ter mi nal Ac cess Con troller Ac cess Con trol Sys tem Plus (TACACS+).
368
EAP, PEAP, and LEAP
Pro tected Ex ten si ble Au then ti ca tion Pro to col (PEAP) en cap su lates EAP in a TLS tun nel. PEAP is pre ferred to EAP be cause EAP as sumes that the chan nel is al ready pro tected but PEAP im poses its own se cu rity. PEAP is used for se cur ing com mu ni ca tions over 802.11 wire less con nec tions. PEAP can be em ployed by Wi-Fi Pro tected Ac cess (WPA) and WPA-2 con nec tions.
PEAP is also pre ferred over Cisco’s pro pri etary EAP known as Light weight Ex ten si ble Au then ti ca tion Pro to col (LEAP). LEAP was Cisco’s ini tial re sponse to in se cure WEP. LEAP sup ported fre quent reau then ti ca tion and chang ing of WEP keys (whereas WEP used sin gle au then ti ca tion and a static key). How ever, LEAP is crack able us ing a va ri ety of tools and tech niques, in clud ing the ex ploit tool Asleap.
Se cure Voice Com mu ni ca tions The vul ner a bil ity of voice com mu ni ca tion is tan gen tially re lated to in for ma tion tech nol ogy (IT) sys tem
se cu rity. How ever, as voice com mu ni ca tion so lu tions move on to the net work by em ploy ing dig i tal de vices and VoIP, se cur ing voice com mu ni ca tions be comes an in creas ingly im por tant is sue. When voice com mu ni ca tions oc cur over the IT in fra struc ture, it is im por tant to im ple ment mech a nisms to pro vide for au then ti ca tion and in tegrity. Con fi den tial ity should be main tained by em ploy ing an en cryp tion ser vice or pro to col to pro tect the voice com mu ni ca tions while in tran sit.
Nor mal pri vate branch ex change (PBX) or POTS/pub lic switched tele phone net work (PSTN) voice com mu ni ca tions are vul ner a ble to in ter cep tion, eaves drop ping, tap ping, and other ex ploita tions. Of ten, phys i cal se cu rity is re quired to main tain con trol over voice com mu ni ca tions within the con fines of your or ga ni za tion’s phys i cal lo ca tions. Se cu rity of voice com mu ni ca tions out side your or ga ni za tion is typ i cally the re spon si bil ity of the phone com pany from which you lease ser vices. If voice com mu ni ca tion vul ner a bil i ties are an im por tant is sue for sus tain ing your se cu rity pol icy, you should de ploy an en crypted com mu ni ca tion mech a nism and use it ex clu sively.
Voice over In ter net Pro to col (VoIP) VoIP is a tech nol ogy that en cap su lates au dio into IP pack ets to sup port tele phone calls over TCP/IP
net work con nec tions. VoIP has be come a pop u lar and in ex pen sive tele phony so lu tion for com pa nies and in di vid u als world wide.
It is im por tant to keep se cu rity in mind when se lect ing a VoIP so lu tion to en sure that it pro vides the pri vacy and se cu rity you ex pect. Some VoIP sys tems are es sen tially plain-form com mu ni ca tions that are eas ily in ter cepted and eaves dropped; oth ers are highly en crypted, and any at tempt to in ter fere or wire tap is de terred and thwarted.
VoIP is not with out its prob lems. Hack ers can wage a wide range of po ten tial at tacks against a VoIP so lu tion:
Caller ID can be fal si fied eas ily us ing any num ber of VoIP tools, so hack ers can per form vish ing (VoIP phish ing) or Spam over In ter net Tele phony (SPIT) at tacks.
The call man ager sys tems and the VoIP phones them selves might be vul ner a ble to host op er at ing sys tem (OS) at tacks and DoS at tacks. If a de vice’s or soft ware’s host OS or firmware has vul ner a bil i ties, there is in creased risk of ex ploits.
At tack ers might be able to per form man-in-the-mid dle (MitM) at tacks by spoof ing call man agers or end point con nec tion ne go ti a tions and/or re sponses.
De pend ing on the de ploy ment, there are also risks as so ci ated with de ploy ing VoIP phones off the same switches as desk top and server sys tems. This could al low for 802.1X au then ti ca tion fal si fi ca tion as well as vir tual lo cal area net work (VLAN) and VoIP hop ping (i.e., jump ing across au then ti cated chan nels).
Since VoIP traf fic is just net work traf fic, it is of ten pos si ble to lis ten in on VoIP com mu ni ca tions by de cod ing the VoIP traf fic when it isn’t en crypted.
Se cure Real-Time Trans port Pro to col or Se cureRTP (SRTP) is a se cu rity im prove ment over the Real-Time Trans port Pro to col (RTP) that is used in many VoIP com mu ni ca tions. SRTP aims to min i mize the risk of VoIP DoS through ro bust en cryp tion and re li able au then ti ca tion.
So cial En gi neer ing
369
Ma li cious in di vid u als can ex ploit voice com mu ni ca tions through a tech nique known as so cial en gi neer ing. So cial en gi neer ing is a means by which an un known, un trusted, or at least unau tho rized per son gains the trust of some one in side your or ga ni za tion. Adept in di vid u als can con vince em ploy ees that they are as so ci ated with up per man age ment, tech ni cal sup port, the help desk, and so on. Once con vinced, the vic tim is of ten en cour aged to make a change to their user ac count on the sys tem, such as re set ting their pass word. Other at tacks in clude in struct ing the vic tim to open spe cific email at tach ments, launch an ap pli ca tion, or con nect to a spe cific uni form re source lo ca tor (URL). What ever the ac tual ac tiv ity is, it is usu ally di rected to ward open ing a back door that the at tacker can use to gain net work ac cess.
The peo ple within an or ga ni za tion make it vul ner a ble to so cial en gi neer ing at tacks. With just a lit tle in for ma tion or a few facts, it is of ten pos si ble to get a vic tim to dis close con fi den tial in for ma tion or en gage in ir re spon si ble ac tiv ity. So cial en gi neer ing at tacks ex ploit hu man char ac ter is tics such as a ba sic trust in oth ers, a de sire to pro vide as sis tance, or a propen sity to show off. Over look ing dis crep an cies, be ing dis tracted, fol low ing or ders, as sum ing oth ers know more than they ac tu ally do, want ing to help oth ers, and fear ing rep ri mands can also lead to at tacks. At tack ers are of ten able to by pass ex ten sive phys i cal and log i cal se cu rity con trols be cause the vic tim opens an ac cess path way from the in side, ef fec tively punch ing a hole in the se cured perime ter.
The Fas ci nat ing World of So cial En gi neer ing
So cial en gi neer ing is a fas ci nat ing sub ject. It is the means to break into the per fectly tech ni cally se cured en vi ron ment. So cial en gi neer ing is the art of us ing an or ga ni za tion’s own peo ple against it. Al though not nec es sary for the CISSP exam, there are lots of ex cel lent re sources, ex am ples, and dis cus sions of so cial en gi neer ing that can in crease your aware ness of this se cu rity prob lem. Some are also highly en ter tain ing. We sug gest do ing some search ing on the term so cial en gi neer ing to dis cover books and on line videos. You’ll find the read ing in for ma tive and the video ex am ples ad dict ing.
The only way to pro tect against so cial en gi neer ing at tacks is to teach users how to re spond and in ter act with any form of com mu ni ca tions, whether voice-only, face to face, IM, chat, or email. Here are some guide lines:
Al ways err on the side of cau tion when ever voice com mu ni ca tions seem odd, out of place, or un ex pected.
Al ways re quest proof of iden tity. This can be a driver’s li cense num ber, So cial Se cu rity num ber, em ployee ID num ber, cus tomer num ber, or a case or ref er ence num ber, any of which can be eas ily ver i fied. It could also take the form of hav ing a per son in the of fice that would rec og nize the caller’s voice take the call. For ex am ple, if the caller claims to be a de part ment man ager, you could con firm their iden tity by ask ing their ad min is tra tive as sis tant to take the call.
Re quire call back au tho riza tions on all voice-only re quests for net work al ter ations or ac tiv i ties. A call back au tho riza tion oc curs when the ini tial client con nec tion is dis con nected, and a per son or party would call the client on a pre de ter mined num ber that would usu ally be stored in a cor po rate di rec tory in or der to ver ify the iden tity of the client.
Clas sify in for ma tion (user names, pass words, IP ad dresses, man ager names, dial-in num bers, and so on), and clearly in di cate which in for ma tion can be dis cussed or even con firmed us ing voice com mu ni ca tions.
If priv i leged in for ma tion is re quested over the phone by an in di vid ual who should know that giv ing out that par tic u lar in for ma tion over the phone is against the com pany’s se cu rity pol icy, ask why the in for ma tion is needed and ver ify their iden tity again. This in ci dent should also be re ported to the se cu rity ad min is tra tor.
Never give out or change pass words via voice-only com mu ni ca tions.
When dis pos ing of of fice doc u men ta tion (ac cord ing to pol icy and reg u la tion com pli ance) al ways use a se cure dis posal or de struc tion process, es pe cially for any pa per work or me dia that con tains in for ma tion about the IT in fra struc ture or its se cu rity mech a nisms.
Fraud and Abuse An other voice com mu ni ca tion threat is pri vate branch ex change (PBX) fraud and abuse. Many PBX
sys tems can be ex ploited by ma li cious in di vid u als to avoid toll charges and hide their iden tity. Ma li cious at tack ers known as phreak ers abuse phone sys tems in much the same way that at tack ers abuse com puter net works. Phreak ers may be able to gain unau tho rized ac cess to per sonal voice mail boxes, re di rect mes sages, block ac cess, and re di rect in bound and out bound calls.
370
Coun ter mea sures to PBX fraud and abuse in clude many of the same pre cau tions you would em ploy to pro tect a typ i cal com puter net work: log i cal or tech ni cal con trols, ad min is tra tive con trols, and phys i cal con trols. Here are sev eral key points to keep in mind when de sign ing a PBX se cu rity so lu tion:
Con sider re plac ing re mote ac cess or long-dis tance call ing through the PBX with a credit card or call ing card sys tem.
Re strict dial-in and dial-out fea tures to au tho rized in di vid u als who re quire such func tion al ity for their work tasks.
If you still have dial-in modems, use un pub lished phone num bers that are out side the pre fix block range of your voice num bers.
Pro tect ad min is tra tive in ter faces for the PBX.
Block or dis able any unas signed ac cess codes or ac counts.
De fine an ac cept able use pol icy and train users on how to prop erly use the sys tem.
Log and au dit all ac tiv i ties on the PBX and re view the au dit trails for se cu rity and use vi o la tions.
Dis able main te nance modems (i.e., re mote ac cess modems used by the ven dor to re motely man age, up date, and tune a de ployed prod uct) and/or any form of re mote ad min is tra tive ac cess.
Change all de fault con fig u ra tions, es pe cially pass words and ca pa bil i ties re lated to ad min is tra tive or priv i leged fea tures.
Block re mote call ing (that is, al low ing a re mote caller to dial in to your PBX and then dial out again, thus di rect ing all toll charges to the PBX host).
De ploy Di rect In ward Sys tem Ac cess (DISA) tech nolo gies to re duce PBX fraud by ex ter nal par ties. (But be sure to con fig ure it prop erly; see the side bar “DISA: A Dis ease and the Cure.”)
Keep the sys tem cur rent with ven dor/ser vice provider up dates.
Ad di tion ally, main tain ing phys i cal ac cess con trol to all PBX con nec tion cen ters, phone por tals, and wiring clos ets pre vents di rect in tru sion from on site at tack ers.
DISA: A Dis ease and the Cure
An of ten-touted “se cu rity” im prove ment to PBX sys tems is Di rect In ward Sys tem Ac cess (DISA). This sys tem is de signed to help man age ex ter nal ac cess and ex ter nal con trol of a PBX by as sign ing ac cess codes to users. Al though great in con cept, this sys tem is be ing com pro mised and abused by phreak ers. Once an out side phreaker learns the PBX ac cess codes, they can of ten fully con trol and abuse the com pany’s tele phone net work. This can in clude us ing the PBX to make long-dis tance calls that are charged to your com pany’s tele phone ac count rather than the phreaker’s phone.
DISA, like any other se cu rity fea ture, must be prop erly in stalled, con fig ured, and mon i tored in or der to ob tain the de sired se cu rity im prove ment. Sim ply hav ing DISA is not suf fi cient. Be sure to dis able all fea tures that are not re quired by the or ga ni za tion, craft user codes/pass words that are com plex and dif fi cult to guess, and then turn on au dit ing to keep watch on PBX ac tiv i ties. Phreak ing is a spe cific type of at tack di rected to ward the tele phone sys tem. Phreak ers use var i ous types of tech nol ogy to cir cum vent the tele phone sys tem to make free long-dis tance calls, to al ter the func tion of tele phone ser vice, to steal spe cial ized ser vices, and even to cause ser vice dis rup tions. Some phreaker tools are ac tual de vices, whereas oth ers are just par tic u lar ways of us ing a reg u lar tele phone. No mat ter what the tool or tech nol ogy ac tu ally is, phreaker tools are re ferred to as col ored boxes (black box, red box, and so on). Over the years, many box tech nolo gies have been de vel oped and widely used by phreak ers, but only a few of them work against to day’s tele phone sys tems based on packet switch ing. Here are a few of the phreaker tools of ten used to at tack tele phone ser vices:
Black boxes are used to ma nip u late line volt ages to steal long-dis tance ser vices. They are of ten just cus tom-built cir cuit boards with a bat tery and wire clips.
Red boxes are used to sim u late tones of coins be ing de posited into a pay phone. They are usu ally just small tape recorders.
Blue boxes are used to sim u late 2600 Hz tones to in ter act di rectly with tele phone net work trunk sys tems (that is, back bones). This could be a whis tle, a tape recorder, or a dig i tal tone gen er a tor.
White boxes are used to con trol the phone sys tem. A white box is a dual-tone mul ti fre quency (DTMF) gen er a tor (that is, a key pad). It can be a cus tom-built de vice or one of the pieces of equip ment that most
371
tele phone re pair per son nel use.
As you prob a bly know, cell phone se cu rity is a grow ing con cern. Cap tured elec tronic se rial
num bers (ESNs) and mo bile iden ti fi ca tion num bers (MINs) can be burned into blank phones to cre ate clones (even sub scriber iden tity mod ules—SIMs—can be du pli cated). When a clone is used, the charges are billed to the orig i nal owner’s cell phone ac count. Fur ther more, con ver sa tions and data trans mis sion can be in ter cepted us ing ra dio fre quency scan ners. Also, any one in the im me di ate vicin ity can over hear at least one side of the con ver sa tion. So don’t talk about con fi den tial, pri vate, or sen si tive top ics in pub lic places.
Mul ti me dia Col lab o ra tion Mul ti me dia col lab o ra tion is the use of var i ous mul ti me dia-sup port ing com mu ni ca tion so lu tions to
en hance dis tance col lab o ra tion (peo ple work ing on a project to gether re motely). Of ten, col lab o ra tion al lows work ers to work si mul ta ne ously as well as across dif fer ent time frames. Col lab o ra tion can also be used for track ing changes and in clud ing mul ti me dia func tions. Col lab o ra tion can in cor po rate email, chat, VoIP, video con fer enc ing, use of a white board, on line doc u ment edit ing, real-time file ex change, ver sion ing con trol, and other tools. It is of ten a fea ture of ad vanced forms of re mote meet ing tech nol ogy.
Re mote Meet ing
Re mote meet ing tech nol ogy is used for any prod uct, hard ware, or soft ware that al lows for in ter ac tion be tween re mote par ties. These tech nolo gies and so lu tions are known by many other terms: dig i tal col lab o ra tion, vir tual meet ings, video con fer enc ing, soft ware or ap pli ca tion col lab o ra tion, shared white board ser vices, vir tual train ing so lu tions, and so on. Any ser vice that en ables peo ple to com mu ni cate, ex change data, col lab o rate on ma te ri als/data/doc u ments, and oth er wise per form work tasks to gether can be con sid ered a re mote meet ing tech nol ogy ser vice.
No mat ter what form of mul ti me dia col lab o ra tion is im ple mented, the at ten dant se cu rity im pli ca tions must be eval u ated. Does the ser vice use strong au then ti ca tion tech niques? Does the com mu ni ca tion oc cur across an open pro to col or an en crypted tun nel? Does the so lu tion al low for true dele tion of con tent? Are ac tiv i ties of users au dited and logged? Mul ti me dia col lab o ra tion and other forms of re mote meet ing tech nol ogy can im prove the work en vi ron ment and al low for in put from a wider range of di verse work ers across the globe, but this is only a ben e fit if the se cu rity of the com mu ni ca tions so lu tion can be en sured.
In stant Mes sag ing In stant mes sag ing (IM) is a mech a nism that al lows for real-time text-based chat be tween two users
lo cated any where on the in ter net. Some IM util i ties al low for file trans fer, mul ti me dia, voice and video con fer enc ing, and more. Some forms of IM are based on a peer-to-peer ser vice while oth ers use a cen tral ized con trol ling server. Peer-to-peer-based IM is easy for end users to de ploy and use, but it’s dif fi cult to man age from a cor po rate per spec tive be cause it’s gen er ally in se cure. It has nu mer ous vul ner a bil i ties: It’s sus cep ti ble to packet sniff ing, it lacks true na tive se cu rity ca pa bil i ties, and it pro vides no pro tec tion for pri vacy.
Many forms of tra di tional in stant mes sag ing lack com mon se cu rity fea tures, such as en cryp tion or user pri vacy. Many stand-alone IM clients have been sus cep ti ble to ma li cious code de posit or in fec tion through their file trans fer ca pa bil i ties. Also, IM users are of ten sub ject to nu mer ous forms of so cial-en gi neer ing at tacks, such as im per son ation or con vinc ing a vic tim to re veal in for ma tion that should re main con fi den tial (such as pass words).
There are sev eral mod ern in stant mes sag ing so lu tions to con sider for both per son-to-per son in ter ac tions and col lab o ra tion and com mu ni ca tions among a group. Some are pub lic ser vices, such as Twit ter, Face book Mes sen ger, and Snapchat. Oth ers are de signed for pri vate or in ter nal use, such as Slack, Google Hang outs, Cisco Spark, Work place by Face book, and Skype. Most of these mes sag ing ser vices are de signed with se cu rity as a key fea ture, of ten em ploy ing mul ti fac tor au then ti ca tion and trans mis sion en cryp tion.
Man age Email Se cu rity Email is one of the most widely and com monly used in ter net ser vices. The email in fra struc ture em ployed
on the in ter net pri mar ily con sists of email servers us ing Sim ple Mail Trans fer Pro to col (SMTP) to ac cept mes sages from clients, trans port those mes sages to other servers, and de posit them into a user’s server-based in box. In ad di tion to email servers, the in fra struc ture in cludes email clients. Clients re trieve email from their
372
server-based in boxes us ing Post Of fice Pro to col ver sion 3 (POP3) or In ter net Mes sage Ac cess Pro to col (IMAP). Clients com mu ni cate with email servers us ing SMTP. Many in ter net-com pat i ble email sys tems rely on the X.400 stan dard for ad dress ing and mes sage han dling.
Send mail is the most com mon SMTP server for Unix sys tems, and Ex change is the most com mon SMTP server for Mi cro soft sys tems. In ad di tion to these three pop u lar prod ucts, nu mer ous al ter na tives ex ist, but they all share the same ba sic func tion al ity and com pli ance with in ter net email stan dards.
If you de ploy an SMTP server, it is im per a tive that you prop erly con fig ure au then ti ca tion for both in bound and out bound mail. SMTP is de signed to be a mail re lay sys tem. This means it re lays mail from sender to in tended re cip i ent. How ever, you want to avoid turn ing your SMTP server into an open re lay (also known as an open re lay agent or re lay agent), which is an SMTP server that does not au then ti cate senders be fore ac cept ing and re lay ing mail. Open re lays are prime tar gets for spam mers be cause they al low spam mers to send out floods of emails by pig gy back ing on an in se cure email in fra struc ture. As open re lays are locked down, be com ing closed or au then ti ca tion re lays, a grow ing num ber of SMTP at tacks are oc cur ring through hi jacked au then ti cated user ac counts.
An other op tion to con sider for cor po rate email is a SaaS email so lu tion. Ex am ples of cloud or hosted email in clude Gmail (Google Apps for Busi ness) and Out look/Ex change On line. SaaS email en ables you to lever age the se cu rity ex pe ri ence and man age ment ex per tise of some of the largest in ter net-fo cused or ga ni za tions to sup port your com pany’s com mu ni ca tions. Ben e fits of SaaS email in clude high avail abil ity, dis trib uted ar chi tec ture, ease of ac cess, stan dard ized con fig u ra tion, and phys i cal lo ca tion in de pen dence. How ever, there are some po ten tial risks us ing a hosted email so lu tion, in clud ing black list ing is sues, rate lim it ing, app/add-on re stric tions, and what (if any) ad di tional se cu rity mech a nisms you can de ploy.
Email Se cu rity Goals For email, the ba sic mech a nism in use on the in ter net of fers the ef fi cient de liv ery of mes sages but lacks
con trols to pro vide for con fi den tial ity, in tegrity, or even avail abil ity. In other words, ba sic email is not se cure. How ever, you can add se cu rity to email in many ways. Adding se cu rity to email may sat isfy one or more of the fol low ing ob jec tives:
Pro vide for non re pu di a tion
Re strict ac cess to mes sages to their in tended re cip i ents (i.e., pri vacy and con fi den tial ity)
Main tain the in tegrity of mes sages
Au then ti cate and ver ify the source of mes sages
Ver ify the de liv ery of mes sages
Clas sify sen si tive con tent within or at tached to mes sages
As with any as pect of IT se cu rity, email se cu rity be gins in a se cu rity pol icy ap proved by up per man age ment. Within the se cu rity pol icy, you must ad dress sev eral is sues:
Ac cept able use poli cies for email
Ac cess con trol
Pri vacy
Email man age ment
Email backup and re ten tion poli cies
Ac cept able use poli cies de fine what ac tiv i ties can and can not be per formed over an or ga ni za tion’s email in fra struc ture. It is of ten stip u lated that pro fes sional, busi ness-ori ented email and a lim ited amount of per sonal email can be sent and re ceived. Spe cific re stric tions are usu ally placed on per form ing per sonal busi ness (that is, work for an other or ga ni za tion, in clud ing self-em ploy ment) and send ing or re ceiv ing il le gal, im moral, or of fen sive com mu ni ca tions as well as on en gag ing in any other ac tiv i ties that would have a detri men tal ef fect on pro duc tiv ity, prof itabil ity, or pub lic re la tions.
Ac cess con trol over email should be main tained so that users have ac cess only to their spe cific in box and email ar chive data bases. An ex ten sion of this rule im plies that no other user, au tho rized or not, can gain ac cess to an in di vid ual’s email. Ac cess con trol should pro vide for both le git i mate ac cess and some level of pri vacy, at least from other em ploy ees and unau tho rized in trud ers.
The mech a nisms and pro cesses used to im ple ment, main tain, and ad min is ter email for an or ga ni za tion should be clar i fied. End users may not need to know the specifics of email man age ment, but they do need to know whether email is con sid ered pri vate com mu ni ca tion. Email has re cently been the fo cus of nu mer ous court cases in which archived mes sages were used as ev i dence—of ten to the cha grin of the au thor or re cip i ent of those mes sages. If email is to be re tained (that is, backed up and stored in ar chives for fu ture use), users
373
need to be made aware of this. If email is to be re viewed for vi o la tions by an au di tor, users need to be in formed of this as well. Some com pa nies have elected to re tain only the last three months of email ar chives be fore they are de stroyed, whereas oth ers have opted to re tain email for years. De pend ing upon your coun try and in dus try, there are of ten reg u la tions that dic tate re ten tion poli cies.
Un der stand Email Se cu rity Is sues The first step in de ploy ing email se cu rity is to rec og nize the vul ner a bil i ties spe cific to email. The stan dard
pro to cols used to sup port email (i.e., SMTP, POP, and IMAP) do not em ploy en cryp tion na tively. Thus, all mes sages are trans mit ted in the form in which they are sub mit ted to the email server, which is of ten plain text. This makes in ter cep tion and eaves drop ping easy. How ever, the lack of na tive en cryp tion is one of the least im por tant se cu rity is sues re lated to email.
Email is a com mon de liv ery mech a nism for viruses, worms, Tro jan horses, doc u ments with de struc tive macros, and other ma li cious code. The pro lif er a tion of sup port for var i ous script ing lan guages, autodown load ca pa bil i ties, and au toex e cute fea tures has trans formed hy per links within the con tent of email and at tach ments into a se ri ous threat to ev ery sys tem.
Email of fers lit tle in the way of source ver i fi ca tion. Spoof ing the source ad dress of email is a sim ple process for even a novice at tacker. Email head ers can be mod i fied at their source or at any point dur ing tran sit. Fur ther more, it is also pos si ble to de liver email di rectly to a user’s in box on an email server by di rectly con nect ing to the email server’s SMTP port. And speak ing of in-tran sit mod i fi ca tion, there are no na tive in tegrity checks to en sure that a mes sage was not al tered be tween its source and des ti na tion.
In ad di tion, email it self can be used as an at tack mech a nism. When suf fi cient num bers of mes sages are di rected to a sin gle user’s in box or through a spe cific STMP server, a de nial-of-ser vice (DoS) at tack can re sult. This at tack is of ten called mail-bomb ing and is sim ply a DoS per formed by in un dat ing a sys tem with mes sages. The DoS can be the re sult of stor age ca pac ity con sump tion or pro cess ing ca pa bil ity uti liza tion. Ei ther way, the re sult is the same: Le git i mate mes sages can not be de liv ered.
Like email flood ing and ma li cious code at tach ments, un wanted email can be con sid ered an at tack. Send ing un wanted, in ap pro pri ate, or ir rel e vant mes sages is called spam ming. Spam ming is of ten lit tle more than a nui sance, but it does waste sys tem re sources both lo cally and over the in ter net. It is of ten dif fi cult to stop spam be cause the source of the mes sages is usu ally spoofed.
Email Se cu rity So lu tions
Im pos ing se cu rity on email is pos si ble, but the ef forts should be in tune with the value and con fi den tial ity of the mes sages be ing ex changed. You can use sev eral pro to cols, ser vices, and so lu tions to add se cu rity to email with out re quir ing a com plete over haul of the en tire in ter net-based SMTP in fra struc ture. These in clude S/MIME, MOSS, PEM, and PGP. We’ll S/MIME was dis cussed in Chap ter 7, “PKI and Cryp to graphic Ap pli ca tions.”
Se cure Mul ti pur pose In ter net Mail Ex ten sions (S/MIME) Se cure Mul ti pur pose In ter net Mail Ex ten sions is an email se cu rity stan dard that of fers au then ti ca tion and con fi den tial ity to email through pub lic key en cryp tion and dig i tal sig na tures. Au then ti ca tion is pro vided through X.509 dig i tal cer tifi cates. Pri vacy is pro vided through the use of Pub lic Key Cryp tog ra phy Stan dard (PKCS) en cryp tion. Two types of mes sages can be formed us ing S/MIME: signed mes sages and se cured en veloped mes sages. A signed mes sage pro vides in tegrity, sender au then ti ca tion, and non re pu di a tion. An en veloped mes sage pro vides in tegrity, sender au then ti ca tion, and con fi den tial ity.
MIME Ob ject Se cu rity Ser vices (MOSS) MIME Ob ject Se cu rity Ser vices can pro vide au then ti ca tion, con fi den tial ity, in tegrity, and non re pu di a tion for email mes sages. MOSS em ploys Mes sage Di gest 2 (MD2) and MD5 al go rithms; Rivest–Shamir–Adle man (RSA) pub lic key; and Data En cryp tion Stan dard (DES) to pro vide au then ti ca tion and en cryp tion ser vices.
Pri vacy En hanced Mail (PEM) Pri vacy En hanced Mail is an email en cryp tion mech a nism that pro vides au then ti ca tion, in tegrity, con fi den tial ity, and non re pu di a tion. PEM uses RSA, DES, and X.509.
Do mainKeys Iden ti fied Mail (DKIM) DKIM is a means to as sert that valid mail is sent by an or ga ni za tion through ver i fi ca tion of do main name iden tity. See http://www.dkim.org.
Pretty Good Pri vacy (PGP) Pretty Good Pri vacy (PGP) is a pub lic-pri vate key sys tem that uses a va ri ety of en cryp tion al go rithms to en crypt files and email mes sages. The first ver sion of PGP used RSA, the sec ond ver sion, In ter na tional Data En cryp tion Al go rithm (IDEA), but later ver sions of fered a spec trum of al go rithm op tions. PGP is not a stan dard but rather an in de pen dently de vel oped prod uct that has wide in ter net grass roots sup port.
Op por tunis tic TLS for SMTP Gate ways (RFC 3207) A lot of or ga ni za tions are us ing Se cure SMTP over TLS nowa days; how ever, it’s not as wide spread as it should be be cause of a lack of aware ness. Op por tunis tic TLS for SMTP will at tempt to set up an en crypted con nec tion with ev ery other email server in the event that it
374
is sup ported. Oth er wise, it will down grade to plain text. Us ing op por tunis tic TLS for SMTP gate ways re duces the op por tu ni ties for ca sual sniff ing of email.
Sender Pol icy Frame work (SPF) To pro tect against spam and email spoof ing, an or ga ni za tion can also con fig ure their SMTP servers for Sender Pol icy Frame work. SPF op er ates by check ing that in bound mes sages orig i nate from a host au tho rized to send mes sages by the own ers of the SMTP ori gin do main. For ex am ple, if I re ceive a mes sage from mark.nugget@ abc corps.com, then SPF checks with the ad min is tra tors of smtp.abc corps.com that mark.nugget is au tho rized to send mes sages through their sys tem be fore the in bound mes sage is ac cepted and sent into a re cip i ent in box. There are pros and cons of us ing it, so you’ll need to bal ance the needs of this ex ten sive ser vice prior to in clud ing SPF.
Free PGP So lu tion
PGP started off as a free prod uct for all to use, but it has since splin tered into var i ous di ver gent prod ucts. PGP is a com mer cial prod uct, while OpenPGP is a de vel op ing stan dard that GnuPG is com pli ant with and that was in de pen dently de vel oped by the Free Soft ware Foun da tion. If you have not used PGP be fore, we rec om mend down load ing the ap pro pri ate GnuPG ver sion for your pre ferred email plat form. This se cure so lu tion is sure to im prove your email pri vacy and in tegrity. You can learn more about GnuPG at http://gnupg.org. You can learn more about PGP by vis it ing its pages on Wikipedia.
By us ing these and other se cu rity mech a nisms for email and com mu ni ca tion trans mis sions, you can re duce or elim i nate many of the se cu rity vul ner a bil i ties of email. Dig i tal sig na tures can help elim i nate im per son ation. The en cryp tion of mes sages re duces eaves drop ping. And the use of email fil ters keep spam ming and mail-bomb ing to a min i mum.
Block ing at tach ments at the email gate way sys tem on your net work can ease the threats from ma li cious at tach ments. You can have a 100 per cent no-at tach ments pol icy or block only at tach ments that are known or sus pected to be ma li cious, such as at tach ments with ex ten sions that are used for ex e cutable and script ing files. If at tach ments are an es sen tial part of your email com mu ni ca tions, you’ll need to train your users and use an tivirus tools for pro tec tion. Train ing users to avoid con tact with sus pi cious or un ex pected at tach ments greatly re duces the risk of ma li cious code trans fer ence via email. An tivirus soft ware is gen er ally ef fec tive against known viruses, but it of fers lit tle pro tec tion against new or un known viruses.
Un wanted emails can be a has sle, a se cu rity risk, and a drain on re sources. Whether spam, ma li cious email, or just bulk ad ver tis ing, there are sev eral ways to re duce the im pact on your in fra struc ture. Black list ser vices of fer a sub scrip tion sys tem to a list of known email abuse sources. You can in te grate the black list into your email server so that any mes sage orig i nat ing from a known abu sive do main or IP ad dress is au to mat i cally dis carded. An other op tion is to use a chal lenge/re sponse fil ter. In these ser vices, when an email is re ceived from a new/un known ori gin ad dress, an au tore spon der sends a re quest for a con fir ma tion mes sage. Spam mers and auto-email ers will not re spond to these re quests, but valid hu mans will. Once they have con firmed that they are hu man and agree not to spam the des ti na tion ad dress, their source ad dress is added to a whitelist for fu ture com mu ni ca tions.
Un wanted email can also be man aged through the use of email re pu di a tion fil ter ing. Sev eral ser vices main tain a grad ing sys tem of email ser vices in or der to de ter mine which are used for stan dard/nor mal com mu ni ca tions and which are used for spam. These ser vices in clude sender score.org, sender base.org, Rep u ta tio nAu thor ity.org, trust ed source.org, and Bar racuda Cen tral. These and other mech a nisms are used as part of sev eral spam fil ter ing tech nolo gies, such as Apache Spa mAs sas sin and spamd.
375
Fax Se cu rity
Fax com mu ni ca tions are wan ing in pop u lar ity be cause of the wide spread use of email. Elec tronic doc u ments are eas ily ex changed as at tach ments to email. Printed doc u ments are just as easy to scan and email as they are to fax. How ever, you must still ad dress fax ing in your over all se cu rity plan. Most modems give users the abil ity to con nect to a re mote com puter sys tem and send and re ceive faxes. Many op er at ing sys tems in clude built-in fax ca pa bil i ties, and there are nu mer ous fax prod ucts for com puter sys tems. Faxes sent from a com puter’s fax/mo dem can be re ceived by an other com puter, by a reg u lar fax ma chine, or by a cloud-based fax ser vice.
Even with de clin ing use, faxes still rep re sent a com mu ni ca tions path that is vul ner a ble to at tack. Like any other tele phone com mu ni ca tion, faxes can be in ter cepted and are sus cep ti ble to eaves drop ping. If an en tire fax trans mis sion is recorded, it can be played back by an other fax ma chine to ex tract the trans mit ted doc u ments.
Some of the mech a nisms that can be de ployed to im prove the se cu rity of faxes are fax en cryp tors, link en cryp tion, ac tiv ity logs, and ex cep tion re ports. A fax en cryp tor gives a fax ma chine the ca pa bil ity to use an en cryp tion pro to col to scram ble the out go ing fax sig nal. The use of an en cryp tor re quires that the re ceiv ing fax ma chine sup port the same en cryp tion pro to col so it can de crypt the doc u ments. Link en cryp tion is the use of an en crypted com mu ni ca tion path, like a VPN link or a se cured tele phone link, to trans mit the fax. Ac tiv ity logs and ex cep tion re ports can be used to de tect anom alies in fax ac tiv ity that could be symp toms of at tack.
In ad di tion to the se cu rity of a fax trans mis sion, it is im por tant to con sider the se cu rity of a re ceived fax. Faxes that are au to mat i cally printed may sit in the out tray for a long pe riod of time, there fore mak ing them sub ject to view ing by un in tended re cip i ents. Stud ies have shown that adding ban ners of CON FI DEN TIAL, PRI VATE, and so on spur the cu rios ity of passersby. So dis able au to matic print ing. Also, avoid fax ma chines that re tain a copy of the fax in mem ory or on a lo cal stor age de vice. Con sider in te grat ing your fax sys tem with your net work so you can email faxes to in tended re cip i ents in stead of print ing them to pa per.
Re mote Ac cess Se cu rity Man age ment Telecom mut ing, or work ing re motely, has be come a com mon fea ture of busi ness com put ing.
Telecom mut ing usu ally re quires re mote ac cess, the abil ity of a dis tant client to es tab lish a com mu ni ca tion ses sion with a net work. Re mote ac cess can take the fol low ing forms (among oth ers):
Us ing a mo dem to dial up di rectly to a re mote ac cess server
Con nect ing to a net work over the in ter net through a VPN
Con nect ing to a ter mi nal server sys tem through a thin-client con nec tion
Con nect ing to an of fice-lo cated per sonal com puter (PC) us ing a re mote desk top ser vice, such as Mi cro soft’s Re mote Desk top, TeamViewer, Go To MyPC, Citirx’s Xen Desk top, or VNC
Us ing cloud-based desk top so lu tions, such as Ama zon’s Workspaces
The first two ex am ples use fully ca pa ble clients. They es tab lish con nec tions just as if they were di rectly con nected to the lo cal area net work (LAN). In the last ex am ple, all com put ing ac tiv i ties oc cur on the ter mi nal server sys tem rather than on the dis tant client.
Tele phony is the col lec tion of meth ods by which tele phone ser vices are pro vided to an or ga ni za tion or the mech a nisms by which an or ga ni za tion uses tele phone ser vices for ei ther voice and/or data com mu ni ca tions. Tra di tion ally, tele phony in cluded plain old tele phone ser vice (POTS)—also called pub lic switched tele phone net work (PSTN)—com bined with modems. How ever, pri vate branch ex change (PBX), VoIP, and VPNs are com monly used for tele phone com mu ni ca tions as well.
376
Re mote Ac cess and Telecom mut ing Tech niques
Telecom mut ing is per form ing work at a re mote lo ca tion (i.e., other than the pri mary of fice). In fact, there is a good chance that you per form some form of telecom mut ing as part of your cur rent job. Telecom mut ing clients use many re mote ac cess tech niques to es tab lish con nec tiv ity to the cen tral of fice LAN. There are four main types of re mote ac cess tech niques:
Ser vice Spe cific Ser vice-spe cific re mote ac cess gives users the abil ity to re motely con nect to and ma nip u late or in ter act with a sin gle ser vice, such as email.
Re mote Con trol Re mote-con trol re mote ac cess grants a re mote user the abil ity to fully con trol an other sys tem that is phys i cally dis tant from them. The mon i tor and key board act as if they are di rectly con nected to the re mote sys tem.
Screen Scraper/Scrap ing This term can be used in two dif fer ent cir cum stances. First, it is some times used to re fer to re mote con trol, re mote ac cess, or re mote desk top ser vices. These ser vices are also called vir tual ap pli ca tions or vir tual desk tops. The idea is that the screen on the tar get ma chine is scraped and shown to the re mote op er a tor. Since re mote ac cess to re sources presents ad di tional risks of dis clo sure or com pro mise dur ing the dis tance trans mis sion, it is im por tant to em ploy en crypted screen scraper so lu tions.
Sec ond, screen scrap ing is a tech nol ogy that can al low an au to mated tool to in ter act with a hu man in ter face. For ex am ple, some stand-alone data-gath er ing tools use search en gines in their op er a tion. How ever, most search en gines must be used through their nor mal web in ter face. For ex am ple, Google re quires that all searches be per formed through a Google web search form field. (In the past, Google of fered an API that en abled prod ucts to in ter act with the back end di rectly. How ever, Google ter mi nated this prac tice to sup port the in te gra tion of ad ver tise ments with search re sults.) Screen-scrap ing tech nol ogy can in ter act with the hu man-friendly de signed web front end to the search en gine and then parse the web page re sults to ex tract just the rel e vant in for ma tion. Site Dig ger from Found stone/McAfee is a great ex am ple of this type of prod uct.
Re mote Node Op er a tion Re mote node op er a tion is just an other name for dial-up con nec tiv ity. A re mote sys tem con nects to a re mote ac cess server. That server pro vides the re mote client with net work ser vices and pos si ble in ter net ac cess.
POTS and PSTN re fer to tra di tional land line tele phone con nec tions. POTS/PSTN con nec tions were the only or pri mary re mote net work links for many busi nesses un til high-speed, cost-ef fec tive, and ubiq ui tous ac cess meth ods were avail able. POTS/PSTN also waned in use for home-user in ter net con nec tiv ity once broad band and wire less ser vices be came more widely avail able. POTS/PSTN con nec tions are some times still used as a backup op tion for re mote con nec tions when broad band so lu tions fail, as ru ral in ter net and re mote con nec tions, and as stan dard voice lines when ISDN, VoIP, or broad band so lu tions are un avail able or not cost ef fec tive.
When re mote ac cess ca pa bil i ties are de ployed in any en vi ron ment, se cu rity must be con sid ered and im ple mented to pro vide pro tec tion for your pri vate net work against re mote ac cess com pli ca tions:
Re mote ac cess users should be strin gently au then ti cated be fore be ing granted ac cess.
Only those users who specif i cally need re mote ac cess for their as signed work tasks should be granted per mis sion to es tab lish re mote con nec tions.
All re mote com mu ni ca tions should be pro tected from in ter cep tion and eaves drop ping. This usu ally re quires an en cryp tion so lu tion that pro vides strong pro tec tion for the au then ti ca tion traf fic as well as all data trans mis sion.
It is im por tant to es tab lish se cure com mu ni ca tion chan nels be fore ini ti at ing the trans mis sion of sen si tive, valu able, or per sonal in for ma tion. Re mote ac cess can pose sev eral po ten tial se cu rity con cerns if not pro tected and mon i tored suf fi ciently:
If any one with a re mote con nec tion can at tempt to breach the se cu rity of your or ga ni za tion, the ben e fits of phys i cal se cu rity are re duced.
Telecom muters might use in se cure or less-se cure re mote sys tems to ac cess sen si tive data and thus ex pose it to greater risk of loss, com pro mise, or dis clo sure.
Re mote sys tems might be ex posed to ma li cious code and could be used as a car rier to bring mal ware into the pri vate LAN.
377
Re mote sys tems might be less phys i cally se cure and thus be at risk of be ing used by unau tho rized en ti ties or stolen.
Re mote sys tems might be more dif fi cult to trou bleshoot, es pe cially if the is sues re volve around re mote con nec tion.
Re mote sys tems might not be as easy to up grade or patch due to their po ten tial in fre quent con nec tions or slow through put links. How ever, this is sue is less ened when high-speed re li able broad band links are present.
Plan Re mote Ac cess Se cu rity When out lin ing your re mote ac cess se cu rity man age ment strat egy, be sure to ad dress the fol low ing is sues:
Re mote Con nec tiv ity Tech nol ogy Each type of con nec tion has its own unique se cu rity is sues. Fully ex am ine ev ery as pect of your con nec tion op tions. This can in clude cel lu lar/mo bile ser vices, modems, Dig i tal Sub scriber Line (DSL), In te grated Ser vices Dig i tal Net work (ISDN), wire less net work ing, satel lite, and ca ble modems.
Trans mis sion Pro tec tion There are sev eral forms of en crypted pro to cols, en crypted con nec tion sys tems, and en crypted net work ser vices or ap pli ca tions. Use the ap pro pri ate com bi na tion of se cured ser vices for your re mote con nec tiv ity needs. This can in clude VPNs, SSL, TLS, Se cure Shell (SSH), IPsec, and Layer 2 Tun nel ing Pro to col (L2TP).
Au then ti ca tion Pro tec tion In ad di tion to pro tect ing data traf fic, you must en sure that all lo gon cre den tials are prop erly se cured. This re quires the use of an au then ti ca tion pro to col and may man date the use of a cen tral ized re mote ac cess au then ti ca tion sys tem. This can in clude Pass word Au then ti ca tion Pro to col (PAP), Chal lenge Hand shake Au then ti ca tion Pro to col (CHAP), Ex ten si ble Au then ti ca tion Pro to col (EAP, or its ex ten sions PEAP or LEAP), Re mote Au then ti ca tion Dial-In User Ser vice (RA DIUS), and Ter mi nal Ac cess Con troller Ac cess-Con trol Sys tem Plus (TACACS+).
Re mote User As sis tance Re mote ac cess users may pe ri od i cally re quire tech ni cal as sis tance. You must have a means es tab lished to pro vide this as ef fi ciently as pos si ble. This can in clude, for ex am ple, ad dress ing soft ware and hard ware is sues and user train ing is sues. If an or ga ni za tion is un able to pro vide a rea son able so lu tion for re mote user tech ni cal sup port, it could re sult in loss of pro duc tiv ity, com pro mise of the re mote sys tem, or an over all breach of or ga ni za tional se cu rity.
If it is dif fi cult or im pos si ble to main tain a sim i lar level of se cu rity on a re mote sys tem as is main tained in the pri vate LAN, re mote ac cess should be re con sid ered in light of the se cu rity risks it rep re sents. Net work Ac cess Con trol (NAC) can as sist with this but may bur den slower con nec tions with large up date and patch trans fers.
The abil ity to use re mote ac cess or es tab lish a re mote con nec tion should be tightly con trolled. You can con trol and re strict the use of re mote con nec tiv ity by means of fil ters, rules, or ac cess con trols based on user iden tity, work sta tion iden tity, pro to col, ap pli ca tion, con tent, and time of day.
To re strict re mote ac cess to only au tho rized users, you can use call back and caller ID. Call back is a mech a nism that dis con nects a re mote user upon ini tial con tact and then im me di ately at tempts to re con nect to them us ing a pre de fined phone num ber (in other words, the num ber de fined in the user ac count’s se cu rity data base). Call back does have a user-de fined mode. How ever, this mode is not used for se cu rity; it is used to re verse toll charges to the com pany rather than charg ing the re mote client. Caller ID ver i fi ca tion can be used for the same pur pose as call back—by po ten tially ver i fy ing the phys i cal lo ca tion (via phone num ber) of the au tho rized user.
It should be a stan dard el e ment in your se cu rity pol icy that no unau tho rized modems be present on any sys tem con nected to the pri vate net work. You may need to fur ther spec ify this pol icy by in di cat ing that those with por ta ble sys tems must ei ther re move their modems be fore con nect ing to the net work or boot with a hard ware pro file that dis ables the mo dem’s de vice driver.
Dial-Up Pro to cols
When a re mote con nec tion link is es tab lished, a pro to col must be used to gov ern how the link is ac tu ally cre ated and to es tab lish a com mon com mu ni ca tion foun da tion over which other pro to cols can work. It is im por tant to se lect pro to cols that sup port se cu rity when ever pos si ble. At a min i mum, a means to se cure au then ti ca tion is needed, but adding the op tion for data en cryp tion is also pre ferred. The two pri mary ex am ples of dial-up pro to cols, PPP and SLIP, pro vide link gov er nance, not only for true dial-up links but also for some VPN links:
Point-to-Point Pro to col (PPP) This is a full-du plex pro to col used for trans mit ting TCP/IP pack ets over var i ous non-LAN con nec tions, such as modems, ISDN, VPNs, Frame Re lay, and so on. PPP is widely sup ported and is the trans port pro to col of choice for dial-up in ter net con nec tions. PPP au then ti ca tion is
378
pro tected through the use of var i ous pro to cols, such as CHAP and PAP. PPP is a re place ment for SLIP and can sup port any LAN pro to col, not just TCP/IP.
Se rial Line In ter net Pro to col (SLIP) This is an older tech nol ogy de vel oped to sup port TCP/IP com mu ni ca tions over asyn chro nous se rial con nec tions, such as se rial ca bles or mo dem dial-up. SLIP is rarely used but is still sup ported on many sys tems. It can sup port only IP, re quires static IP ad dresses, of fers no er ror de tec tion or cor rec tion, and does not sup port com pres sion.
Cen tral ized Re mote Au then ti ca tion Ser vices As re mote ac cess be comes a key el e ment in an or ga ni za tion’s busi ness func tions, it is of ten im por tant to
add lay ers of se cu rity be tween re mote clients and the pri vate net work. Cen tral ized re mote au then ti ca tion ser vices, such as RA DIUS and TACACS+, pro vide this ex tra layer of pro tec tion. These mech a nisms pro vide a sep a ra tion of the au then ti ca tion and au tho riza tion pro cesses for re mote clients that per formed for LAN or lo cal clients. The sep a ra tion is im por tant for se cu rity be cause if the RA DIUS or TACACS+ servers are ever com pro mised, then only re mote con nec tiv ity is af fected, not the rest of the net work.
Re mote Au then ti ca tion Dial-In User Ser vice (RA DIUS) This is used to cen tral ize the au then ti ca tion of re mote dial-up con nec tions. A net work that em ploys a RA DIUS server is con fig ured so the re mote ac cess server passes dial-up user lo gon cre den tials to the RA DIUS server for au then ti ca tion. This process is sim i lar to the process used by do main clients send ing lo gon cre den tials to a do main con troller for au then ti ca tion. RA DIUS op er ates over sev eral ports; you should rec og nize the orig i nal UDP 1812 port as well as that used by RA DIUS over TLS, which is TCP 2083. The TCP ver sion of RA DIUS was de signed in 2012 to take ad van tage of TLS en cryp tion (see RFC 6614 at https://tools.ietf.org/html/rfc6614).
Ter mi nal Ac cess Con troller Ac cess-Con trol Sys tem (TACACS+) This is an al ter na tive to RA DIUS. TACACS is avail able in three ver sions: orig i nal TACACS, Ex tended TACACS (XTA CACS), and TACACS+. TACACS in te grates the au then ti ca tion and au tho riza tion pro cesses. XTA CACS keeps the au then ti ca tion, au tho riza tion, and ac count ing pro cesses sep a rate. TACACS+ im proves XTA CACS by adding two-fac tor au then ti ca tion. TACACS+ is the most cur rent and rel e vant ver sion of this prod uct line. The pri mary port for TACACS+ is TCP 49.
Vir tual Pri vate Net work A vir tual pri vate net work (VPN) is a com mu ni ca tion tun nel that pro vides point-to-point trans mis sion of
both au then ti ca tion and data traf fic over an in ter me di ary un trusted net work. Most VPNs use en cryp tion to pro tect the en cap su lated traf fic, but en cryp tion is not nec es sary for the con nec tion to be con sid ered a VPN.
VPNs are most com monly as so ci ated with es tab lish ing se cure com mu ni ca tion paths through the in ter net be tween two dis tant net works. How ever, they can ex ist any where, in clud ing within pri vate net works or be tween end-user sys tems con nected to an ISP. The VPN can link two net works or two in di vid ual sys tems. They can link clients, servers, routers, fire walls, and switches. VPNs are also help ful in pro vid ing se cu rity for legacy ap pli ca tions that rely on risky or vul ner a ble com mu ni ca tion pro to cols or method olo gies, es pe cially when com mu ni ca tion is across a net work.
VPNs can pro vide con fi den tial ity and in tegrity over in se cure or un trusted in ter me di ary net works. They do not pro vide or guar an tee avail abil ity. VPNs also are in rel a tively wide spread use to get around lo ca tion re quire ments for ser vices like Net flix and Hulu and thus pro vide a (at times ques tion able) level of anonymity.
Tun nel ing Be fore you can truly un der stand VPNs, you must first un der stand tun nel ing. Tun nel ing is the net work
com mu ni ca tions process that pro tects the con tents of pro to col pack ets by en cap su lat ing them in pack ets of an other pro to col. The en cap su la tion is what cre ates the log i cal il lu sion of a com mu ni ca tions tun nel over the un trusted in ter me di ary net work. This vir tual path ex ists be tween the en cap su la tion and the de-en cap su la tion en ti ties lo cated at the ends of the com mu ni ca tion.
In fact, send ing a snail mail let ter to your grand mother in volves the use of a tun nel ing sys tem. You cre ate the per sonal let ter (the pri mary con tent pro to col packet) and place it in an en ve lope (the tun nel ing pro to col). The en ve lope is de liv ered through the postal ser vice (the un trusted in ter me di ary net work) to its in tended re cip i ent. You can use tun nel ing in many sit u a tions, such as when you’re by pass ing fire walls, gate ways, prox ies, or other traf fic con trol de vices. The by pass is achieved by en cap su lat ing the re stricted con tent in side pack ets that are au tho rized for trans mis sion. The tun nel ing process pre vents the traf fic con trol de vices from block ing or drop ping the com mu ni ca tion be cause such de vices don’t know what the pack ets ac tu ally con tain.
Tun nel ing is of ten used to en able com mu ni ca tions be tween oth er wise dis con nected sys tems. If two sys tems are sep a rated by a lack of net work con nec tiv ity, a com mu ni ca tion link can be es tab lished by a mo dem dial-up link or other re mote ac cess or wide area net work (WAN) net work ing ser vice. The ac tual LAN traf fic is en cap su lated in what ever com mu ni ca tion pro to col is used by the tem po rary con nec tion, such as Point-to-
379
Point Pro to col in the case of mo dem dial-up. If two net works are con nected by a net work em ploy ing a dif fer ent pro to col, the pro to col of the sep a rated net works can of ten be en cap su lated within the in ter me di ary net work’s pro to col to pro vide a com mu ni ca tion path way.
Re gard less of the ac tual sit u a tion, tun nel ing pro tects the con tents of the in ner pro to col and traf fic pack ets by en cas ing, or wrap ping, it in an au tho rized pro to col used by the in ter me di ary net work or con nec tion. Tun nel ing can be used if the pri mary pro to col is not routable and to keep the to tal num ber of pro to cols sup ported on the net work to a min i mum.
The Pro lif er a tion of Tun nel ing
Tun nel ing is such a com mon ac tiv ity within com mu ni ca tion sys tems that many of us use tun nel ing on a reg u lar ba sis with out even rec og niz ing it. For ex am ple, ev ery time you ac cess a web site us ing a se cured SSL or TLS con nec tion, you are us ing tun nel ing. Your plain text web com mu ni ca tions are be ing tun neled within an SSL or TLS ses sion. Also, if you use in ter net tele phone or VoIP sys tems, your voice com mu ni ca tion is be ing tun neled in side a VoIP pro to col.
How many other in stances of tun nel ing can you pin point that you en counter on a weekly ba sis?
If the act of en cap su lat ing a pro to col in volves en cryp tion, tun nel ing can pro vide a means to trans port sen si tive data across un trusted in ter me di ary net works with out fear of los ing con fi den tial ity and in tegrity.
Tun nel ing is not with out its prob lems. It is gen er ally an in ef fi cient means of com mu ni cat ing be cause most pro to cols in clude their own er ror de tec tion, er ror han dling, ac knowl edg ment, and ses sion man age ment fea tures, so us ing more than one pro to col at a time com pounds the over head re quired to com mu ni cate a sin gle mes sage. Fur ther more, tun nel ing cre ates ei ther larger pack ets or ad di tional pack ets that in turn con sume ad di tional net work band width. Tun nel ing can quickly sat u rate a net work if suf fi cient band width is not avail able. In ad di tion, tun nel ing is a point-to-point com mu ni ca tion mech a nism and is not de signed to han dle broad cast traf fic. Tun nel ing also makes it dif fi cult, if not im pos si ble, to mon i tor the con tent of the traf fic in some cir cum stances, cre at ing is sues for se cu rity prac ti tion ers.
How VPNs Work A VPN link can be es tab lished over any other net work com mu ni ca tion con nec tion. This could be a typ i cal
LAN ca ble con nec tion, a wire less LAN con nec tion, a re mote ac cess dial-up con nec tion, a WAN link, or even a client us ing an in ter net con nec tion for ac cess to an of fice LAN. A VPN link acts just like a typ i cal di rect LAN ca ble con nec tion; the only pos si ble dif fer ence would be speed based on the in ter me di ary net work and on the con nec tion types be tween the client sys tem and the server sys tem. Over a VPN link, a client can per form the same ac tiv i ties and ac cess the same re sources as if they were di rectly con nected via a LAN ca ble.
VPNs can con nect two in di vid ual sys tems or two en tire net works. The only dif fer ence is that the trans mit ted data is pro tected only while it is within the VPN tun nel. Re mote ac cess servers or fire walls on the net work’s bor der act as the start points and end points for VPNs. Thus, traf fic is un pro tected within the source LAN, pro tected be tween the bor der VPN servers, and then un pro tected again once it reaches the des ti na tion LAN.
VPN links through the in ter net for con nect ing to dis tant net works are of ten in ex pen sive al ter na tives to di rect links or leased lines. The cost of two high-speed in ter net links to lo cal ISPs to sup port a VPN is of ten sig nif i cantly less than the cost of any other con nec tion means avail able.
Com mon VPN Pro to cols VPNs can be im ple mented us ing soft ware or hard ware so lu tions. In ei ther case, there are four com mon
VPN pro to cols: PPTP, L2F, L2TP, and IPsec. PPTP, L2F, and L2TP op er ate at the Data Link layer (layer 2) of the OSI model. PPTP and IPsec are lim ited for use on IP net works, whereas L2F and L2TP can be used to en cap su late any LAN pro to col.
SSL/TLS can also be used as a VPN pro to col, not just as a ses sion en cryp tion tool
op er at ing on top of TCP. The CISSP exam does not seem to in clude SSL/TLS VPN con tent at this time.
Point-to-Point Tun nel ing Pro to col
Point-to-Point Tun nel ing Pro to col (PPTP) is an en cap su la tion pro to col de vel oped from the dial-up Point- to-Point Pro to col. It op er ates at the Data Link layer (layer 2) of the OSI model and is used on IP net works.
380
PPTP cre ates a point-to-point tun nel be tween two sys tems and en cap su lates PPP pack ets. It of fers pro tec tion for au then ti ca tion traf fic through the same au then ti ca tion pro to cols sup ported by PPP:
Mi cro soft Chal lenge Hand shake Au then ti ca tion Pro to col (MS-CHAP)
Chal lenge Hand shake Au then ti ca tion Pro to col (CHAP)
Pass word Au then ti ca tion Pro to col (PAP)
Ex ten si ble Au then ti ca tion Pro to col (EAP)
Shiva Pass word Au then ti ca tion Pro to col (SPAP)
The ini tial tun nel ne go ti a tion process used by PPTP is not en crypted. Thus, the ses sion es tab lish ment pack ets that in clude the IP ad dress of the sender and re ceiver—and can in clude user names and hashed pass words—could be in ter cepted by a third party. PPTP is used on VPNs, but it is of ten re placed by the L2TP, which can use IPsec to pro vide traf fic en cryp tion for VPNs. Most mod ern uses of PPTP have adopted the Mi cro soft cus tom ized im ple men ta tion which sup ports data en cryp tion us ing Mi cro soft Point-to-Point En cryp tion (MPPE) and which sup ports var i ous se cure au then ti ca tion op tions.
PPTP does not sup port TACACS+ and RA DIUS.
Layer 2 For ward ing Pro to col and Layer 2 Tun nel ing Pro to col
Cisco de vel oped its own VPN pro to col called Layer 2 For ward ing (L2F), which is a mu tual au then ti ca tion tun nel ing mech a nism. How ever, L2F does not of fer en cryp tion. L2F was not widely de ployed and was soon re placed by L2TP. As their names sug gest, both op er ate at layer 2. Both can en cap su late any LAN pro to col.
Layer 2 Tun nel ing Pro to col (L2TP) was de rived by com bin ing el e ments from both PPTP and L2F. L2TP cre ates a point-to-point tun nel be tween com mu ni ca tion end points. It lacks a built-in en cryp tion scheme, but it typ i cally re lies on IPsec as its se cu rity mech a nism. L2TP also sup ports TACACS+ and RA DIUS. IPsec is com monly used as a se cu rity mech a nism for L2TP.
IP Se cu rity Pro to col
The most com monly used VPN pro to col is now IPsec. IP Se cu rity (IPsec) is both a stand-alone VPN pro to col and the se cu rity mech a nism for L2TP, and it can be used only for IP traf fic. IPsec con sists of the se cu rity el e ments of IPv6 crafted into an add-on pack age for IPv4. IPsec works only on IP net works and pro vides for se cured au then ti ca tion as well as en crypted data trans mis sion. IPsec has two pri mary com po nents, or func tions:
Au then ti ca tion Header (AH) AH pro vides au then ti ca tion, in tegrity, and non re pu di a tion.
En cap su lat ing Se cu rity Pay load (ESP) ESP pro vides en cryp tion to pro tect the con fi den tial ity of trans mit ted data, but it can also per form lim ited au then ti ca tion. It op er ates at the Net work layer (layer 3) and can be used in trans port mode or tun nel mode. In trans port mode, the IP packet data is en crypted but the header of the packet is not. In tun nel mode, the en tire IP packet is en crypted and a new header is added to the packet to gov ern trans mis sion through the tun nel.
Ta ble 12.1 il lus trates the main char ac ter is tics of VPN pro to cols.
TA BLE 12.1 VPN char ac ter is tics
VPN Pro to col
Na tive Au then ti ca tion Pro tec tion
Na tive Data En cryp tion
Pro to cols Sup ported
Dial-Up Links Sup ported
Num ber of Si mul ta ne ous Con nec tions
PPTP Yes No PPP Yes Sin gle point-to-point L2F Yes No PPP/SLIP Yes Sin gle point-to-point L2TP Yes No (can use
IPsec) PPP Yes Sin gle point-to-point
IPsec Yes Yes IP only No Mul ti ple
The VPN pro to cols which en cap su late PPP are able to sup port any sub pro to col com pat i ble with PPP, which in cludes IPv4, IPv6, IPX, and Ap pleTalk.
A VPN de vice is a net work add-on de vice used to cre ate VPN tun nels sep a rately from server or client OSs. The use of the VPN de vices is trans par ent to net worked sys tems.
Vir tual LAN
A vir tual lo cal area net work (VLAN) is a hard ware-im posed net work seg men ta tion cre ated by switches. By de fault, all ports on a switch are part of VLAN 1. But as the switch ad min is tra tor changes the VLAN as sign ment on a port-by-port ba sis, var i ous ports can be grouped to gether and kept dis tinct from other VLAN
381
port des ig na tions. VLANs can also be as signed or cre ated based on de vice MAC ad dress, mir ror ing the IP sub net ting, around spec i fied pro to cols, or based on au then ti ca tion. VLAN man age ment is most com monly used to dis tin guish be tween user traf fic and man age ment traf fic. And VLAN 1 very typ i cally is the des ig nated man age ment traf fic VLAN.
VLANs are used for traf fic man age ment. Com mu ni ca tions be tween mem bers of the same VLAN oc cur with out hin drance, but com mu ni ca tions be tween VLANs re quire a rout ing func tion, which can be pro vided ei ther by an ex ter nal router or by the switch’s in ter nal soft ware (one rea son for the terms L3 switch and mul ti layer switch). VLANs are treated like sub nets but aren’t sub nets. VLANs are cre ated by switches. Sub nets are cre ated by IP ad dress and sub net mask as sign ments.
VLAN man age ment is the use of VLANs to con trol traf fic for se cu rity or per for mance rea sons. VLANs can be used to iso late traf fic be tween net work seg ments. This can be ac com plished by not defin ing a route be tween dif fer ent VLANs or by spec i fy ing a deny fil ter be tween cer tain VLANs (or cer tain mem bers of a VLAN). Any net work seg ment that doesn’t need to com mu ni cate with an other in or der to ac com plish a work task/func tion shouldn’t be able to do so. Use VLANs to al low what is nec es sary and to block/deny any thing that isn’t nec es sary. Re mem ber, “deny by de fault; al low by ex cep tion” isn’t a guide line just for fire wall rules but for se cu rity in gen eral.
VLANs func tion in much the same way as tra di tional sub nets. For com mu ni ca tions to travel from one VLAN to an other, the switch per forms rout ing func tions to con trol and fil ter traf fic be tween its VLANs.
VLANs are used to seg ment a net work log i cally with out al ter ing its phys i cal topol ogy. They are easy to im ple ment, have lit tle ad min is tra tive over head, and are a hard ware-based so lu tion (specif i cally a layer 3 switch). As net works are be ing crafted in vir tual en vi ron ments or in the cloud, soft ware switches are of ten used. In these sit u a tions, VLANs are not hard ware-based but in stead are switch-soft ware-based im ple men ta tions.
VLANs let you con trol and re strict broad cast traf fic and re duce a net work’s vul ner a bil ity to snif fers be cause a switch treats each VLAN as a sep a rate net work di vi sion. To com mu ni cate be tween seg ments, the switch must pro vide a rout ing func tion. It’s the rout ing func tion that blocks broad casts be tween sub nets and VLANs, be cause a router (or any de vice per form ing layer 3 rout ing func tions such as a layer 3 switch) doesn’t for ward layer 2 Eth er net broad casts. This fea ture of a switch blocks Eth er net broad casts be tween VLANs and so helps pro tect against broad cast storms. A broad cast storm is a flood of un wanted Eth er net broad cast net work traf fic.
An other el e ment of some VLAN de ploy ments is that of port iso la tion or pri vate ports. These are pri vate VLANs that are con fig ured to use a ded i cated or re served up link port. The mem bers of a pri vate VLAN or a port-iso lated VLAN can in ter act only with each other and over the pre de ter mined exit port or up link port. A com mon im ple men ta tion of port iso la tion oc curs in ho tels. A ho tel net work can be con fig ured so that the Eth er net ports in each room or suite are iso lated on unique VLANs so that con nec tions in the same unit can com mu ni cate, but con nec tions be tween units can not. How ever, all of these pri vate VLANs have a path out to the in ter net (i.e., the up link port).
VLANs work like sub nets, but keep in mind that they are not ac tual sub nets. VLANs are
cre ated by switches at layer 2. Sub nets are cre ated by IP ad dress and sub net mask as sign ments at layer 3.
VLAN Man age ment for Se cu rity
Any net work seg ment that does not need to com mu ni cate with an other to ac com plish a work task/func tion should not be able to do so. Use VLANs to al low what is nec es sary, but block/deny any thing not nec es sary. Re mem ber, “deny by de fault; al low by ex cep tion” is not just a guide line for fire wall rules but for se cu rity in gen eral.
Vir tu al iza tion Vir tu al iza tion tech nol ogy is used to host one or more op er at ing sys tems within the mem ory of a sin gle
host com puter. This mech a nism al lows vir tu ally any OS to op er ate on any hard ware. Such an OS is also known as a guest op er at ing sys tem. From the per spec tive that there is an orig i nal or host OS in stalled di rectly on the com puter hard ware, the ad di tional OSes hosted by the hy per vi sor sys tem are guests. It also al lows mul ti ple op er at ing sys tems to work si mul ta ne ously on the same hard ware. Com mon ex am ples in clude VMware/vSphere, Mi cro soft’s Hy per-V, Vir tu al Box, XenServer, and Ap ple’s Par al lels.
382
Vir tu al ized servers and ser vices are in dis tin guish able from tra di tional servers and ser vices from a user’s per spec tive.
Vir tu al iza tion has sev eral ben e fits, such as be ing able to launch in di vid ual in stances of servers or ser vices as needed, real-time scal a bil ity, and be ing able to run the ex act OS ver sion needed for the needed ap pli ca tion. Ad di tion ally, re cov ery from dam aged, crashed, or cor rupted vir tual sys tems is of ten quick: Sim ply re place the vir tual sys tem’s main hard drive file with a clean backup ver sion and then re launch it.
In re la tion to se cu rity, vir tu al iza tion of fers sev eral ben e fits. It is of ten eas ier and faster to make back ups of en tire vir tual sys tems than the equiv a lent na tive hard ware-in stalled sys tem. Plus, when there is an er ror or prob lem, the vir tual sys tem can be re placed by a backup in min utes. Ma li cious code com pro mise or in fec tion of vir tual sys tems rarely af fects the host OS. This al lows for safe test ing and ex per i men ta tion.
VM es cap ing oc curs when soft ware within a guest OS is able to breach the iso la tion pro tec tion pro vided by the hy per vi sor in or der to vi o late the con tainer of other guest OSs or to in fil trate a host OS. Sev eral es cap ing vul ner a bil i ties have been dis cov ered in re cent times. For tu nately, the ven dors have been fast to re lease patches. For ex am ple, Vir tu al ized En vi ron ment Ne glected Op er a tions Ma nip u la tions (VENOM) was able to breach nu mer ous VM prod ucts that em ployed a com pro mised open-source vir tual floppy disc driver to al low ma li cious code to jump be tween VMs and even ac cess the host.
VM es cap ing can be a se ri ous prob lem, but steps can be im ple mented to min i mize the risk. First, keep highly sen si tive sys tems and data on sep a rate phys i cal ma chines. An or ga ni za tion should al ready be con cerned about over con sol i da tion re sult ing in a sin gle point of fail ure, so run ning nu mer ous hard ware servers so each sup ports a hand ful of guest OSs helps with this risk. Keep ing enough phys i cal servers on hand to main tain phys i cal iso la tion be tween highly sen si tive guest OSs will fur ther pro tect against VM es cap ing. Sec ond, keep all hy per vi sor soft ware cur rent with ven dor-re leased patches (es pe cially with up dates re lated to VM es cap ing vul ner a bil i ties). Third, mon i tor at tack, ex po sure, and abuse in dexes for new threats to your en vi ron ment.
Vir tu al iza tion is used for a wide va ri ety of new ar chi tec tures and sys tem de sign so lu tions. Cloud com put ing is ul ti mately a form of vir tu al iza tion (see Chap ter 9, “Se cu rity Vul ner a bil i ties, Threats, and Coun ter mea sures,” for more on cloud com put ing). Lo cally (or at least within an or ga ni za tion’s pri vate in fra struc ture), vir tu al iza tion can be used to host servers, client op er at ing sys tems, lim ited user in ter faces (i.e., vir tual desk tops), ap pli ca tions, and more.
Vir tual Soft ware A vir tual ap pli ca tion is a soft ware prod uct de ployed in such a way that it is fooled into be liev ing it is
in ter act ing with a full host OS. A vir tual (or vir tu al ized) ap pli ca tion has been pack aged or en cap su lated to make it por ta ble and able to op er ate with out the full in stal la tion of its orig i nal host OS. A vir tual ap pli ca tion has enough of the orig i nal host OS in cluded in its en cap su la tion bub ble (tech ni cally called a vir tual ma chine, or VM) that it op er ates/func tions as if it were tra di tion ally in stalled. Some forms of vir tual ap pli ca tions are used as por ta ble apps (short for ap pli ca tions) on USB drives. Other vir tual ap pli ca tions are de signed to be ex e cuted on al ter na tive host OS plat forms—for ex am ple, run ning a Win dows ap pli ca tion within a Linux OS.
The term vir tual desk top refers to at least three dif fer ent types of tech nol ogy:
A re mote ac cess tool that grants the user ac cess to a dis tant com puter sys tem by al low ing re mote view ing and con trol of the dis tant desk top’s dis play, key board, mouse, and so on.
An ex ten sion of the vir tual ap pli ca tion con cept en cap su lat ing mul ti ple ap pli ca tions and some form of “desk top” or shell for porta bil ity or cross-OS op er a tion. This tech nol ogy of fers some of the fea tures/ben e fits/ap pli ca tions of one plat form to users of an other with out the need for mul ti ple com put ers, dual-boot ing, or vir tu al iz ing an en tire OS plat form.
An ex tended or ex panded desk top larger than the dis play be ing used al lows the user to em ploy mul ti ple ap pli ca tion lay outs, switch ing be tween them us ing key strokes or mouse move ments.
See Chap ter 8, “Prin ci ples of Se cu rity Mod els, De sign, and Ca pa bil i ties,” and Chap ter 9, “Se cu rity Vul ner a bil i ties, Threats, and Coun ter mea sures,” for more in for ma tion on vir tu al iza tion as part of se cu rity ar chi tec ture and de sign.
Vir tual Net work ing
The con cept of OS vir tu al iza tion has given rise to other vir tu al iza tion top ics, such as vir tu al ized net works. A vir tu al ized net work or net work vir tu al iza tion is the com bi na tion of hard ware and soft ware net work ing com po nents into a sin gle in te grated en tity. The re sult ing sys tem al lows for soft ware con trol over all net work func tions: man age ment, traf fic shap ing, ad dress as sign ment, and so on. A sin gle man age ment con sole or in ter face can be used to over see ev ery as pect of the net work, a task re quir ing phys i cal pres ence at each hard ware com po nent in the past. Vir tu al ized net works have be come a pop u lar means of in fra struc ture de ploy ment and man age ment by cor po ra tions world wide. They al low or ga ni za tions to im ple ment or adapt
383
other in ter est ing net work so lu tions, in clud ing soft ware-de fined net works, vir tual SANs, guest op er at ing sys tems, and port iso la tion.
Soft ware-de fined net work ing (SDN) is a unique ap proach to net work op er a tion, de sign, and man age ment. The con cept is based on the the ory that the com plex i ties of a tra di tional net work with on-de vice con fig u ra tion (i.e., routers and switches) of ten force an or ga ni za tion to stick with a sin gle de vice ven dor, such as Cisco, and limit the flex i bil ity of the net work to adapt to chang ing phys i cal and busi ness con di tions. SDN aims at sep a rat ing the in fra struc ture layer (i.e., hard ware and hard ware-based set tings) from the con trol layer (i.e., net work ser vices of data trans mis sion man age ment). Fur ther more, this also re moves the tra di tional net work ing con cepts of IP ad dress ing, sub nets, rout ing, and the like from need ing to be pro grammed into or be de ci phered by hosted ap pli ca tions.
SDN of fers a new net work de sign that is di rectly pro gram mable from a cen tral lo ca tion, is flex i ble, is ven dor neu tral, and is open stan dards based. Us ing SDN frees an or ga ni za tion from hav ing to pur chase de vices from a sin gle ven dor. It in stead al lows or ga ni za tions to mix and match hard ware as needed, such as to se lect the most cost-ef fec tive or high est through put–rated de vices re gard less of ven dor. The con fig u ra tion and man age ment of hard ware are then con trolled through a cen tral ized man age ment in ter face. In ad di tion, the set tings ap plied to the hard ware can be changed and ad justed dy nam i cally as needed.
An other way of think ing about SDN is that it is ef fec tively net work vir tu al iza tion. It al lows data trans mis sion paths, com mu ni ca tion de ci sion trees, and flow con trol to be vir tu al ized in the SDN con trol layer rather than be ing han dled on the hard ware on a per-de vice ba sis.
An other in ter est ing de vel op ment aris ing out of the con cept of vir tu al ized net works is that of a vir tual SAN (stor age area net work). A SAN is a net work tech nol ogy that com bines mul ti ple in di vid ual stor age de vices into a sin gle con sol i dated net work-ac ces si ble stor age con tainer. A vir tual SAN or a soft ware-de fined shared stor age sys tem is a vir tual re-cre ation of a SAN on top of a vir tu al ized net work or an SDN.
Net work Ad dress Trans la tion The goals of hid ing the iden tity of in ter nal clients, mask ing the de sign of your pri vate net work, and
keep ing pub lic IP ad dress leas ing costs to a min i mum are all sim ple to achieve through the use of net work ad dress trans la tion (NAT). NAT is a mech a nism for con vert ing the in ter nal IP ad dresses found in packet head ers into pub lic IP ad dresses for trans mis sion over the in ter net.
NAT was de vel oped to al low pri vate net works to use any IP ad dress set with out caus ing col li sions or con flicts with pub lic in ter net hosts with the same IP ad dresses. In ef fect, NAT trans lates the IP ad dresses of your in ter nal clients to leased ad dresses out side your en vi ron ment.
NAT of fers nu mer ous ben e fits, in clud ing the fol low ing:
You can con nect an en tire net work to the in ter net us ing only a sin gle (or just a few) leased pub lic IP ad dresses.
You can use the pri vate IP ad dresses de fined in RFC 1918 in a pri vate net work and still be able to com mu ni cate with the in ter net.
NAT hides the IP ad dress ing scheme and net work to pog ra phy from the in ter net.
NAT re stricts con nec tions so that only traf fic stem ming from con nec tions orig i nat ing from the in ter nal pro tected net work is al lowed back into the net work from the in ter net. Thus, most in tru sion at tacks are au to mat i cally re pelled.
384
Are You Us ing NAT?
Most net works, whether at an of fice or at home, em ploy NAT. There are at least three ways to tell whether you are work ing within a NATed net work:
1. Check your client’s IP ad dress. If it is one of the RFC 1918 ad dresses and you are still able to in ter act with the in ter net, then you are on a NATed net work.
2. Check the con fig u ra tion of your proxy, router, fire wall, mo dem, or gate way de vice to see whether NAT is con fig ured. (This ac tion re quires au thor ity and ac cess to the net work ing de vice.)
3. If your client’s IP ad dress is not an RFC 1918 ad dress, then com pare your ad dress to what the in ter net thinks your ad dress is. You can do this by vis it ing any of the IP-check ing web sites; a pop u lar one is http://whatismyi pad dress.com. If your client’s IP ad dress and the ad dress that What Is My IP Ad dress claims is your ad dress are dif fer ent, then you are work ing from a NATed net work.
Fre quently, se cu rity pro fes sion als re fer to NAT when they re ally mean PAT. By def i ni tion,
NAT maps one in ter nal IP ad dress to one ex ter nal IP ad dress. How ever, port ad dress trans la tion (PAT) maps one in ter nal IP ad dress to an ex ter nal IP ad dress and port num ber com bi na tion. Thus, PAT can the o ret i cally sup port 65,536 (2^16) si mul ta ne ous com mu ni ca tions from in ter nal clients over a sin gle ex ter nal leased IP ad dress. So with NAT, you must lease as many pub lic IP ad dresses as you want to have for si mul ta ne ous com mu ni ca tions, while with PAT you can lease fewer IP ad dresses and ob tain a rea son able 1000:1 ra tio of in ter nal clients to ex ter nal leased IP ad dresses. The prac ti cal limit seems to be a ra tio of 4,000 in ter nal sys tems to a sin gle pub lic ad dress.
NAT is part of a num ber of hard ware de vices and soft ware prod ucts, in clud ing fire walls, routers, gate ways, and prox ies. It can be used only on IP net works and op er ates at the Net work layer (layer 3).
Pri vate IP Ad dresses The use of NAT has pro lif er ated re cently be cause of the in creased scarcity of pub lic IP ad dresses and
se cu rity con cerns. With only roughly 4 bil lion ad dresses (232) avail able in IPv4, the world has sim ply de ployed more de vices us ing IP than there are unique IP ad dresses avail able. For tu nately, the early de sign ers of the in ter net and TCP/IP had good fore sight and put aside a few blocks of ad dresses for pri vate, un re stricted use. These IP ad dresses, com monly called the pri vate IP ad dresses, are de fined in RFC 1918. They are as fol lows:
10.0.0.0–10.255.255.255 (a full Class A range)
172.16.0.0–172.31.255.255 (16 Class B ranges)
192.168.0.0–192.168.255.255 (256 Class C ranges)
385
Can’t NAT Again!
On sev eral oc ca sions we’ve needed to re-NAT an al ready NATed net work. This might oc cur in the fol low ing sit u a tions:
You need to make an iso lated sub net within a NATed net work and at tempt to do so by con nect ing a router to host your new sub net to the sin gle port of fered by the ex ist ing net work.
You have a DSL or ca ble mo dem that of fers only a sin gle con nec tion but you have mul ti ple com put ers or want to add wire less to your en vi ron ment.
By con nect ing a NAT proxy router or a wire less ac cess point, you are usu ally at tempt ing to re-NAT what was NATed to you ini tially. One con fig u ra tion set ting that can ei ther make or break this setup is the IP ad dress range in use. It is not pos si ble to re-NAT the same sub net. For ex am ple, if your ex ist ing net work is of fer ing 192.168.1.x ad dresses, then you can not use that same ad dress range in your new NATed sub net. So change the con fig u ra tion of your new router/WAP to per form NAT on a slightly dif fer ent ad dress range, such as 192.168.5.x, so you won’t have the con flict. This seems ob vi ous, but it is quite frus trat ing to trou bleshoot the un wanted re sult with out this in sight.
All routers and traf fic-di rect ing de vices are con fig ured by de fault not to for ward traf fic to or from these IP ad dresses. In other words, the pri vate IP ad dresses are not routed by de fault. Thus, they can not be di rectly used to com mu ni cate over the in ter net. How ever, they can be eas ily used on pri vate net works where routers are not em ployed or where slight mod i fi ca tions to router con fig u ra tions are made. Us ing pri vate IP ad dresses in con junc tion with NAT greatly re duces the cost of con nect ing to the in ter net by al low ing fewer pub lic IP ad dresses to be leased from an ISP.
At tempt ing to use these pri vate IP ad dresses di rectly on the in ter net is fu tile be cause all
pub licly ac ces si ble routers will drop data pack ets con tain ing a source or des ti na tion IP ad dress from these RFC 1918 ranges.
State ful NAT NAT op er ates by main tain ing a map ping be tween re quests made by in ter nal clients, a client’s in ter nal IP
ad dress, and the IP ad dress of the in ter net ser vice con tacted. When a re quest packet is re ceived by NAT from a client, it changes the source ad dress in the packet from the client’s to the NAT server’s. This change is recorded in the NAT map ping data base along with the des ti na tion ad dress. Once a re ply is re ceived from the in ter net server, NAT matches the re ply’s source ad dress to an ad dress stored in its map ping data base and then uses the linked client ad dress to re di rect the re sponse packet to its in tended des ti na tion. This process is known as state ful NAT be cause it main tains in for ma tion about the com mu ni ca tion ses sions be tween clients and ex ter nal sys tems.
NAT can op er ate on a one-to-one ba sis with only a sin gle in ter nal client able to com mu ni cate over one of its leased pub lic IP ad dresses at a time. This type of con fig u ra tion can re sult in a bot tle neck if more clients at tempt in ter net ac cess than there are pub lic IP ad dresses. For ex am ple, if there are only five leased pub lic IP ad dresses, the sixth client must wait un til an ad dress is re leased be fore its com mu ni ca tions can be trans mit ted over the in ter net. Other forms of NAT em ploy mul ti plex ing tech niques in which port num bers are used to al low the traf fic from mul ti ple in ter nal clients to be man aged on a sin gle leased pub lic IP ad dress. Tech ni cally, this mul ti plex ing form of NAT is known as port ad dress trans la tion (PAT) or NAT over load ing, but it seems that the in dus try still uses the term NAT to re fer to this newer ver sion.
Static and Dy namic NAT You can use NAT in two modes: static and dy namic.
Static NAT Use static mode NAT when a spe cific in ter nal client’s IP ad dress is as signed a per ma nent map ping to a spe cific ex ter nal pub lic IP ad dress. This al lows for ex ter nal en ti ties to com mu ni cate with sys tems in side your net work even if you are us ing RFC 1918 IP ad dresses.
Dy namic NAT Use dy namic mode NAT to grant mul ti ple in ter nal clients ac cess to a few leased pub lic IP ad dresses. Thus, a large in ter nal net work can still ac cess the in ter net with out hav ing to lease a large block of pub lic IP ad dresses. This keeps pub lic IP ad dress us age abuse to a min i mum and helps keep in ter net ac cess costs to a min i mum.
386
In a dy namic mode NAT im ple men ta tion, the NAT sys tem main tains a data base of map pings so that all re sponse traf fic from in ter net ser vices is prop erly routed to the orig i nal in ter nal re quest ing client. Of ten NAT is com bined with a proxy server or proxy fire wall to pro vide ad di tional in ter net ac cess and con tent-caching fea tures.
NAT is not di rectly com pat i ble with IPsec be cause it mod i fies packet head ers, which IPsec re lies on to pre vent se cu rity vi o la tions. How ever, there are ver sions of NAT prox ies de signed to sup port IPsec over NAT. Specif i cally, NAT-Tra ver sal (RFC 3947) was de signed to sup port IPsec VPNs through the use of UDP en cap su la tion of IKE. IP Se cu rity (IPsec) is a stan dards-based mech a nism for pro vid ing en cryp tion for point- to-point TCP/IP traf fic.
Au to matic Pri vate IP Ad dress ing Au to matic Pri vate IP Ad dress ing (APIPA), aka link-lo cal ad dress as sign ment (de fined in RFC 3927),
as signs an IP ad dress to a sys tem in the event of a Dy namic Host Con fig u ra tion Pro to col (DHCP) as sign ment fail ure. APIPA is pri mar ily a fea ture of Win dows. APIPA as signs each failed DHCP client with an IP ad dress from the range of 169.254.0.1 to 169.254.255.254 along with the de fault Class B sub net mask of 255.255.0.0. This al lows the sys tem to com mu ni cate with other APIPA-con fig ured clients within the same broad cast do main but not with any sys tem across a router or with a cor rectly as signed IP ad dress.
Don’t con fuse APIPA with the pri vate IP ad dress ranges, de fined in RFC 1918.
APIPA is not usu ally di rectly con cerned with se cu rity. How ever, it is still an im por tant is sue to un der stand. If you no tice that a sys tem is as signed an APIPA ad dress in stead of a valid net work ad dress, that in di cates a prob lem. It could be as mun dane as a bad ca ble or power fail ure on the DHCP server, but it could also be a symp tom of a ma li cious at tack on the DHCP server. You might be asked to de ci pher is sues in a sce nario where IP ad dresses are pre sented. You should be able to dis cern whether an ad dress is a pub lic ad dress, an RFC 1918 pri vate ad dress, an APIPA ad dress, or a loop back ad dress.
Con vert ing IP Ad dress Num bers
IP ad dresses and sub net masks are ac tual bi nary num bers, and through their use in bi nary, all the func tions of rout ing and traf fic man age ment oc cur. There fore, it is a good idea to know how to con vert be tween dec i mal, bi nary, and even hexa dec i mal. Also, don’t for get how to con vert from a dot ted-dec i mal no ta tion IP ad dress (such as 172.16.1.1) to its bi nary equiv a lent (that is, 10101100000100000000000100000001). And it is prob a bly not a bad idea to be able to con vert the 32- bit bi nary num ber to a sin gle dec i mal num ber (that is, 2886729985). Knowl edge of num ber con ver sions comes in handy when at tempt ing to iden tify ob fus cated ad dresses. If you are rusty in this skill area, take ad van tage of on line con ver sion primers, such as at the fol low ing lo ca tion:
http://www.math s is fun.com/bi nary-dec i mal-hexa dec i mal-con verter.html
The Loop back Ad dress
An other IP ad dress range that you should be care ful not to con fuse with the pri vate IP ad dress ranges de fined in RFC 1918 is the loop back ad dress. The loop back ad dress is purely a soft ware en tity. It is an IP ad dress used to cre ate a soft ware in ter face that con nects to it self via TCP/IP. The loop back ad dress al lows for the test ing of lo cal net work set tings in spite of miss ing, dam aged, or non func tional net work hard ware and re lated de vice driv ers. Tech ni cally, the en tire 127.x.x.x net work is re served for loop back use. How ever, only the 127.0.0.1 ad dress is widely used.
Switch ing Tech nolo gies When two sys tems (in di vid ual com put ers or LANs) are con nected over mul ti ple in ter me di ary net works,
the task of trans mit ting data pack ets from one to the other is a com plex process. To sim plify this task, switch ing tech nolo gies were de vel oped. The first switch ing tech nol ogy was cir cuit switch ing.
Cir cuit Switch ing
387
Cir cuit switch ing was orig i nally de vel oped to man age tele phone calls over the pub lic switched tele phone net work. In cir cuit switch ing, a ded i cated phys i cal path way is cre ated be tween the two com mu ni cat ing par ties. Once a call is es tab lished, the links be tween the two par ties re main the same through out the con ver sa tion. This pro vides for fixed or known trans mis sion times, a uni form level of qual ity, and lit tle or no loss of sig nal or com mu ni ca tion in ter rup tions. Cir cuit-switch ing sys tems em ploy per ma nent, phys i cal con nec tions. How ever, the term per ma nent ap plies only to each com mu ni ca tion ses sion. The path is per ma nent through out a sin gle con ver sa tion. Once the path is dis con nected, if the two par ties com mu ni cate again, a dif fer ent path may be as sem bled. Dur ing a sin gle con ver sa tion, the same phys i cal or elec tronic path is used through out the com mu ni ca tion and is used only for that one com mu ni ca tion. Cir cuit switch ing grants ex clu sive use of a com mu ni ca tion path to the cur rent com mu ni ca tion part ners. Only af ter a ses sion has been closed can a path way be reused by an other com mu ni ca tion.
Real-World Cir cuit Switch ing
There is very lit tle real-world cir cuit switch ing in the mod ern world (or at least in the past 10 to 15 years or so). Packet switch ing, dis cussed next, has be come ubiq ui tous for data and voice trans mis sions. Decades ago we could of ten point to the plain old tele phone ser vice (POTS)—also called pub lic switched tele phone net work (PSTN)—as a prime ex am ple of cir cuit switch ing, but with the ad vent of dig i tal switch ing and VoIP sys tems, those days are long gone. That’s not to say that cir cuit switch ing is nonex is tent in to day’s world; it is just not be ing used for data trans mis sion. In stead, you can still find cir cuit switch ing in rail yards, ir ri ga tion sys tems, and even elec tri cal dis tri bu tion sys tems.
Packet Switch ing Even tu ally, as com puter com mu ni ca tions in creased as op posed to voice com mu ni ca tions, a new form of
switch ing was de vel oped. Packet switch ing oc curs when the mes sage or com mu ni ca tion is bro ken up into small seg ments (usu ally fixed-length pack ets, de pend ing on the pro to cols and tech nolo gies em ployed) and sent across the in ter me di ary net works to the des ti na tion. Each seg ment of data has its own header that con tains source and des ti na tion in for ma tion. The header is read by each in ter me di ary sys tem and is used to route each packet to its in tended des ti na tion. Each chan nel or com mu ni ca tion path is re served for use only while a packet is ac tu ally be ing trans mit ted over it. As soon as the packet is sent, the chan nel is made avail able for other com mu ni ca tions.
Packet switch ing does not en force ex clu siv ity of com mu ni ca tion path ways. It can be seen as a log i cal trans mis sion tech nol ogy be cause ad dress ing logic dic tates how com mu ni ca tions tra verse in ter me di ary net works be tween com mu ni ca tion part ners. Ta ble 12.2 com pares cir cuit switch ing to packet switch ing.
TA BLE 12.2 Cir cuit Switch ing vs. Packet Switch ing
Cir cuit Switch ing Packet Switch ing Con stant traf fic Bursty traf fic Fixed known de lays Vari able de lays Con nec tion ori ented Con nec tion less Sen si tive to con nec tion loss Sen si tive to data loss Used pri mar ily for voice Used for any type of traf fic
In re la tion to se cu rity, there are a few po ten tial is sues to con sider. A packet-switch ing sys tem places data from dif fer ent sources on the same phys i cal con nec tion. This could lend it self to dis clo sure, cor rup tion, or eaves drop ping. Proper con nec tion man age ment, traf fic iso la tion, and usu ally en cryp tion are needed to pro tect against shared phys i cal path way con cerns. A ben e fit of packet-switch ing net works is that they are not as de pen dent on spe cific phys i cal con nec tions as cir cuit switch ing is. Thus, when or if a phys i cal path way is dam aged or goes off line, an al ter nate path can be used to con tinue the data/packet de liv ery. A cir cuit- switch ing net work is of ten in ter rupted by phys i cal path vi o la tions.
Vir tual Cir cuits A vir tual cir cuit (also called a com mu ni ca tion path) is a log i cal path way or cir cuit cre ated over a packet-
switched net work be tween two spe cific end points. Within packet-switch ing sys tems are two types of vir tual cir cuits:
Per ma nent vir tual cir cuits (PVCs)
Switched vir tual cir cuits (SVCs)
388
A PVC is like a ded i cated leased line; the log i cal cir cuit al ways ex ists and is wait ing for the cus tomer to send data. A PVC is a pre de fined vir tual cir cuit that is al ways avail able. The vir tual cir cuit may be closed down when not in use, but it can be in stantly re opened when ever needed. An SVC is more like a dial-up con nec tion be cause a vir tual cir cuit has to be cre ated us ing the best paths cur rently avail able be fore it can be used and then dis as sem bled af ter the trans mis sion is com plete. In ei ther type of vir tual cir cuit, when a data packet en ters point A of a vir tual cir cuit con nec tion, that packet is sent di rectly to point B or the other end of the vir tual cir cuit. How ever, the ac tual path of one packet may be dif fer ent from the path of an other packet from the same trans mis sion. In other words, mul ti ple paths may ex ist be tween point A and point B as the ends of the vir tual cir cuit, but any packet en ter ing at point A will end up at point B.
A PVC is like a two-way ra dio or walkie-talkie. When ever com mu ni ca tion is needed, you press the but ton and start talk ing; the ra dio re opens the pre de fined fre quency au to mat i cally (that is, the vir tual cir cuit). An SVC is more like a short wave or ham ra dio. You must tune the trans mit ter and re ceiver to a new fre quency ev ery time you want to com mu ni cate with some one.
WAN Tech nolo gies Wide area net work links are used to con nect dis tant net works, nodes, or in di vid ual de vices to gether. This
can im prove com mu ni ca tions and ef fi ciency, but it can also place data at risk. Proper con nec tion man age ment and trans mis sion en cryp tion is needed to en sure a se cure con nec tion, es pe cially over pub lic net work links. WAN links and long-dis tance con nec tion tech nolo gies can be di vided into two pri mary cat e gories:
A ded i cated line (also called a leased line or point-to-point link) is one that is in de fin ably and con tin u ally re served for use by a spe cific cus tomer (see Ta ble 12.3). A ded i cated line is al ways on and wait ing for traf fic to be trans mit ted over it. The link be tween the cus tomer’s LAN and the ded i cated WAN link is al ways open and es tab lished. A ded i cated line con nects two spe cific end points and only those two end points.
TA BLE 12.3 Ex am ples of ded i cated lines
Tech nol ogy Con nec tion Type Speed Dig i tal Sig nal Level 0 (DS-0) Par tial T1 64 Kbps up to 1.544 Mbps Dig i tal Sig nal Level 1 (DS-1) T1 1.544 Mbps Dig i tal Sig nal Level 3 (DS-3) T3 44.736 Mbps Eu ro pean dig i tal trans mis sion for mat 1 El 2.108 Mbps Eu ro pean dig i tal trans mis sion for mat 3 E3 34.368 Mbps Ca ble mo dem or ca ble routers 10+ Mbps
A nonded i cated line is one that re quires a con nec tion to be es tab lished be fore data trans mis sion can oc cur. A nonded i cated line can be used to con nect with any re mote sys tem that uses the same type of nonded i cated line.
Achiev ing Fault Tol er ance with Car rier Net work Con nec tions
To ob tain fault tol er ance with leased lines or with con nec tions to car rier net works (that is, Frame Re lay, ATM, SONET, SMDS, X.25, and so on), you must de ploy two re dun dant con nec tions. For even greater re dun dancy, you should pur chase the con nec tions from two dif fer ent tel cos or ser vice providers. How ever, when you’re us ing two dif fer ent ser vice providers, be sure they don’t con nect to the same re gional back bone or share any ma jor pipe line. The phys i cal lo ca tion of mul ti ple com mu ni ca tion lines lead ing from your build ing is also of con cern be cause a sin gle dis as ter or hu man er ror (e.g., a mis guided back hoe) could cause mul ti ple lines to fail at once. If you can not af ford to de ploy an ex act du pli cate of your pri mary leased line, con sider a nonded i cated DSL, ISDN, or ca ble mo dem con nec tion. These less- ex pen sive op tions may still pro vide par tial avail abil ity in the event of a pri mary leased line fail ure.
Stan dard modems, DSL, and ISDN are ex am ples of nonded i cated lines. Dig i tal sub scriber line (DSL) is a tech nol ogy that ex ploits the up graded tele phone net work to grant con sumers speeds from 144 Kbps to 20 Mbps (or more). There are nu mer ous for mats of DSL, such as ADSL, xDSL, CDSL, HDSL, SDSL, RAS DSL, IDSL, and VDSL. Each for mat varies as to the spe cific down stream and up stream band width pro vided.
For the exam, just worry about the gen eral idea of DSL in stead of try ing to mem o rize all the
de tails about the var i ous DSL sub for mats.
The max i mum dis tance a DSL line can be from a cen tral of fice (that is, a spe cific type of dis tri bu tion node of the tele phone net work) is ap prox i mately 5,000 me ters.
389
In te grated Ser vices Dig i tal Net work (ISDN) is a fully dig i tal tele phone net work that sup ports both voice and high-speed data com mu ni ca tions. There are two stan dard classes, or for mats, of ISDN ser vice:
Ba sic Rate In ter face (BRI) of fers cus tomers a con nec tion with two B chan nels and one D chan nel. The B chan nels sup port a through put of 64 Kbps and are used for data trans mis sion. The D chan nel is used for call es tab lish ment, man age ment, and tear down and has a band width of 16 Kbps. Even though the D chan nel was not de signed to sup port data trans mis sions, a BRI ISDN is said to of fer con sumers 144 Kbps of to tal through put.
Pri mary Rate In ter face (PRI) of fers con sumers a con nec tion with mul ti ple 64 Kbps B chan nels (2 to 23 of them) and a sin gle 64 Kbps D chan nel. Thus, a PRI can be de ployed with as lit tle as 192 Kbps and up to 1.544 Mbps. How ever, re mem ber that those num bers are band width, not through put, be cause they in clude the D chan nel, which can not be used for ac tual data trans mis sion (at least not in most nor mal com mer cial im ple men ta tions).
When con sid er ing con nec tion op tions, don’t for get about satel lite con nec tions. Satel lite
con nec tions may of fer high-speed so lu tions even in lo cales that are in ac ces si ble by ca ble-based, ra dio- wave-based, and line-of-sight-based com mu ni ca tions. Satel lites are usu ally con sid ered in se cure be cause of their large sur face foot print: Com mu ni ca tions over a satel lite can be in ter cepted by any one. But if you have strong en cryp tion, satel lite com mu ni ca tions can be rea son ably se cured. Just think of satel lite ra dio. As long as you have a re ceiver, you can get the sig nal any where. But with out a paid ser vice plan, you can’t gain ac cess to the au dio con tent.
WAN Con nec tion Tech nolo gies Nu mer ous WAN con nec tion tech nolo gies are avail able to com pa nies that need com mu ni ca tion ser vices
be tween mul ti ple lo ca tions and even ex ter nal part ners. These WAN tech nolo gies vary greatly in cost and through put. How ever, most share the com mon fea ture of be ing trans par ent to the con nected LANs or sys tems. A WAN switch, spe cial ized router, or bor der con nec tion de vice pro vides all the in ter fac ing needed be tween the net work car rier ser vice and a com pany’s LAN. The bor der con nec tion de vice is called the chan nel ser vice unit/data ser vice unit (CSU/DSU). These de vices con vert LAN sig nals into the for mat used by the WAN car rier net work and vice versa. The CSU/DSU con tains data ter mi nal equip ment/data cir cuit- ter mi nat ing equip ment (DTE/DCE), which pro vides the ac tual con nec tion point for the LAN’s router (the DTE) and the WAN car rier net work’s switch (the DCE). The CSU/DSU acts as a trans la tor, a store-and- for ward de vice, and a link con di tioner. A WAN switch is sim ply a spe cial ized ver sion of a LAN switch that is con structed with a built-in CSU/DSU for a spe cific type of car rier net work. There are many types of car rier net works, or WAN con nec tion tech nolo gies, such as X.25, Frame Re lay, ATM, and SMDS.
X.25 WAN Con nec tions
X.25 is an older packet-switch ing tech nol ogy that was widely used in Eu rope. It uses per ma nent vir tual cir cuits to es tab lish spe cific point-to-point con nec tions be tween two sys tems or net works. It is the pre de ces sor to Frame Re lay and op er ates in much the same fash ion. X.25 use is de clin ing be cause of its lower per for mance and through put rates when com pared to Frame Re lay or ATM. How ever, even Frame Re lay and ATM are slated for re tire ment as they are re placed by fiber-op tic and wire less so lu tions.
Frame Re lay Con nec tions
Like X.25, Frame Re lay is a packet-switch ing tech nol ogy that also uses PVCs (see the dis cus sion of vir tual cir cuits). How ever, un like X.25, Frame Re lay sup ports mul ti ple PVCs over a sin gle WAN car rier ser vice con nec tion. Frame Re lay is a layer 2 con nec tion mech a nism that uses packet-switch ing tech nol ogy to es tab lish vir tual cir cuits be tween com mu ni ca tion end points. Un like ded i cated or leased lines, for which cost is based pri mar ily on the dis tance be tween end points, Frame Re lay’s cost is pri mar ily based on the amount of data trans ferred. The Frame Re lay net work is a shared medium across which vir tual cir cuits are cre ated to pro vide point-to-point com mu ni ca tions. All vir tual cir cuits are in de pen dent of and in vis i ble to each other.
A key con cept re lated to Frame Re lay is the com mit ted in for ma tion rate (CIR). The CIR is the guar an teed min i mum band width a ser vice provider grants to its cus tomers. It is usu ally sig nif i cantly less than the ac tual max i mum ca pa bil ity of the provider net work. Each cus tomer may have a dif fer ent CIR es tab lished and de fined in their con tract. The ser vice net work provider may al low cus tomers to ex ceed their CIR over short in ter vals when ad di tional band width is avail able. This is known as band width on de mand. (Al though at first this might sound like an out stand ing ben e fit, the re al ity is that the cus tomer is charged a pre mium rate for the ex tra con sumed band width.) Frame Re lay op er ates at layer 2 (the Data Link layer) of the OSI model as a con nec tion-ori ented packet-switch ing trans mis sion tech nol ogy.
390
Frame Re lay re quires the use of DTE/DCE at each con nec tion point. The cus tomer owns the DTE, which acts like a router or a switch and pro vides the cus tomer’s net work with ac cess to the Frame Re lay net work. The Frame Re lay ser vice provider owns the DCE, which per forms the ac tual trans mis sion of data over the Frame Re lay as well as es tab lish ing and main tain ing the vir tual cir cuit for the cus tomer. How ever, Frame Re lay is now an older tech nol ogy that is be ing phased out in fa vor of faster fiber so lu tions.
ATM
Asyn chro nous trans fer mode (ATM) is a cell-switch ing WAN com mu ni ca tion tech nol ogy, as op posed to a packet-switch ing tech nol ogy like Frame Re lay. It frag ments com mu ni ca tions into fixed-length 53-byte cells. The use of fixed-length cells al lows ATM to be very ef fi cient and of fer high through puts. ATM can use ei ther PVCs or SVCs. As with Frame Re lay providers, ATM providers can guar an tee a min i mum band width and a spe cific level of qual ity to their leased ser vices. Cus tomers can of ten con sume ad di tional band width as needed when avail able on the ser vice net work for an ad di tional pay-as-you-go fee. ATM is a con nec tion-ori ented packet-switch ing tech nol ogy. How ever, ATM is now an older tech nol ogy that is be ing phased out in fa vor of faster fiber so lu tions.
SMDS
Switched Mul ti megabit Data Ser vice (SMDS) is a con nec tion less packet-switch ing tech nol ogy. Of ten, SMDS is used to con nect mul ti ple LANs to form a met ro pol i tan area net work (MAN) or a WAN. SMDS was of ten a pre ferred con nec tion mech a nism for link ing re mote LANs that com mu ni cate in fre quently. SMDS sup ports high-speed bursty traf fic and band width on de mand. It frag ments data into small trans mis sion cells.
Syn chro nous Dig i tal Hi er ar chy and Syn chro nous Op ti cal Net work
Syn chro nous Dig i tal Hi er ar chy (SDH) and Syn chro nous Op ti cal Net work (SONET) are fiber-op tic high- speed net work ing stan dards. SDH was stan dard ized by the In ter na tional Telecom mu ni ca tions Union (ITU) and SONET by the Amer i can Na tional Stan dards In sti tute (ANSI). SDH and SONET are mostly hard ware or phys i cal layer stan dards defin ing in fra struc ture and line speed re quire ments. SDH and SONET use syn chro nous time-di vi sion mul ti plex ing (TDM) to high-speed du plex com mu ni ca tions with min i mal need for con trol and man age ment over head.
These two stan dards have only slight vari a tions and use the same hi er ar chy of band width lev els. The trans mis sion ser vice sup ports a foun da tional level of speed of 51.48 Mbps, which sup ports the Syn chro nous Trans port Sig nals (STS) of SDH and/or the Syn chro nous Trans port Mod ules (STM) of SONET. The term Op ti cal Car rier (OC) can also be sub sti tuted for STS. The main band width lev els of SDH and SONET are shown in Ta ble 12.4.
TA BLE 12.4 Band width lev els of SDH and SONET
SONET SDH Data Rate STS-1 / OC-1 STM-0 51.84 Mbps STS-3 / OC-3 STM-1 155.52 Mbps STS-12 / OC-12 STM-4 622.08 Mbps STS-48 / OC-48 STM-16 2.488 Gbps STS-96 / OC-96 STM-32 4.876 Gbps STS-192 / OC-192 STM-64 9.953 Gbps STS-768 / OC-768 STM-256 39.813 Gbps
SDH and SONET both sup port mesh and ring topolo gies. These fiber so lu tions are of ten im ple mented as the back bone of a telco ser vice and di vi sions or frac tions of the ca pac ity are sub scribed out to cus tomers. The in ter con nec tion points or nodes of SDH and SONET are of ten Add-Drop Mul ti plex ers (ADMs), which al low for the ad di tion or re moval of low-rate bit stream con nec tions or prod ucts into the main trunk line.
Spe cial ized Pro to cols
Some WAN con nec tion tech nolo gies re quire ad di tional spe cial ized pro to cols to sup port var i ous types of spe cial ized sys tems or de vices. Three of these pro to cols are SDLC, HDLC, and HSSI:
Syn chro nous Data Link Con trol (SDLC) Syn chro nous Data Link Con trol is used on per ma nent phys i cal con nec tions of ded i cated leased lines to pro vide con nec tiv ity for main frames, such as IBM Sys tems Net work Ar chi tec ture (SNA) sys tems. SDLC uses polling, op er ates at OSI layer 2 (the Data Link layer), and is a bit-ori ented syn chro nous pro to col.
High-Level Data Link Con trol (HDLC) High-Level Data Link Con trol is a re fined ver sion of SDLC de signed specif i cally for se rial syn chro nous con nec tions. HDLC sup ports full-du plex com mu ni ca tions and
391
sup ports both point-to-point and mul ti point con nec tions. HDLC, like SDLC, uses polling and op er ates at OSI layer 2 (the Data Link layer). HDLC of fers flow con trol and in cludes er ror de tec tion and cor rec tion.
Dial-Up En cap su la tion Pro to cols The Point-to-Point Pro to col (PPP) is an en cap su la tion pro to col de signed to sup port the trans mis sion of IP
traf fic over dial-up or point-to-point links. PPP al lows for mul ti ven dor in ter op er abil ity of WAN de vices sup port ing se rial links. All dial-up and most point-to-point con nec tions are se rial in na ture (as op posed to par al lel). PPP in cludes a wide range of com mu ni ca tion ser vices, in clud ing the as sign ment and man age ment of IP ad dresses, man age ment of syn chro nous com mu ni ca tions, stan dard ized en cap su la tion, mul ti plex ing, link con fig u ra tion, link qual ity test ing, er ror de tec tion, and fea ture or op tion ne go ti a tion (such as com pres sion).
PPP was orig i nally de signed to sup port CHAP and PAP for au then ti ca tion. How ever, re cent ver sions of PPP also sup port MS-CHAP, EAP, and SPAP. PPP can also be used to sup port In ter net work Packet Ex change (IPX) and DEC net pro to cols. PPP is an in ter net stan dard doc u mented in RFC 1661. It re placed the Se rial Line In ter net Pro to col (SLIP). SLIP of fered no au then ti ca tion, sup ported only half-du plex com mu ni ca tions, had no er ror-de tec tion ca pa bil i ties, and re quired man ual link es tab lish ment and tear down.
Mis cel la neous Se cu rity Con trol Char ac ter is tics When you’re se lect ing or de ploy ing se cu rity con trols for net work com mu ni ca tions, you need to eval u ate
nu mer ous char ac ter is tics in light of your cir cum stances, ca pa bil i ties, and se cu rity pol icy. We dis cuss these is sues in the fol low ing sec tions.
Trans parency Just as the name im plies, trans parency is the char ac ter is tic of a ser vice, se cu rity con trol, or ac cess
mech a nism that en sures that it is un seen by users. Trans parency is of ten a de sir able fea ture for se cu rity con trols. The more trans par ent a se cu rity mech a nism is, the less likely a user will be able to cir cum vent it or even be aware that it ex ists. With trans parency, there is a lack of di rect ev i dence that a fea ture, ser vice, or re stric tion ex ists, and its im pact on per for mance is min i mal.
In some cases, trans parency may need to func tion more as a con fig urable fea ture than as a per ma nent as pect of op er a tion, such as when an ad min is tra tor is trou bleshoot ing, eval u at ing, or tun ing a sys tem’s con fig u ra tions.
Ver ify In tegrity To ver ify the in tegrity of a trans mis sion, you can use a check sum called a hash to tal. A hash func tion is
per formed on a mes sage or a packet be fore it is sent over the com mu ni ca tion path way. The hash to tal ob tained is added to the end of the mes sage and is called the mes sage di gest. Once the mes sage is re ceived, the hash func tion is per formed by the des ti na tion sys tem, and the re sult is com pared to the orig i nal hash to tal. If the two hash to tals match, then there is a high level of cer tainty that the mes sage has not been al tered or cor rupted dur ing trans mis sion. Hash to tals are sim i lar to cyclic re dun dancy checks (CRCs) in that they both act as in tegrity tools. In most se cure trans ac tion sys tems, hash func tions are used to guar an tee com mu ni ca tion in tegrity.
Check ing the Hash
Check ing the hash value of files is al ways a good idea. This sim ple task can pre vent the use of cor rupted files and pre vent the ac ci den tal ac cep tance of ma ligned data. Sev eral in tru sion de tec tion sys tems (IDSs) and sys tem in tegrity ver i fi ca tion tools use hash ing as a means to check that files did not change over time. This is done by cre at ing a hash for ev ery file on a drive, stor ing those hashes in a data base, and then pe ri od i cally re cal cu lat ing hashes for files and check ing the new hash against the his tor i cal one. If there is ever any dif fer ence in the hashes, then you should in ves ti gate the file.
An other com mon use of hashes is to ver ify down loads. Many trusted in ter net down load sites pro vide MD5 and SHA hash to tals for the files they of fer. You can take ad van tage of these hashes in at least two ways. First, you can use a down load man ager that au to mat i cally checks the hashes for you upon down load com ple tion. Sec ond, you can ob tain a hash ing tool, such as md5 sum or sha1 sum, to gen er ate your own hash val ues. Then man u ally com pare your gen er ated value from the down loaded file against the claimed hash value from the down load site. This mech a nism en sures that the file you ul ti mately have on your sys tem matches, to the last bit, the file from the down load site.
392
Record se quence check ing is sim i lar to a hash to tal check; how ever, in stead of ver i fy ing con tent in tegrity, it ver i fies packet or mes sage se quence in tegrity. Many com mu ni ca tions ser vices em ploy record se quence check ing to ver ify that no por tions of a mes sage were lost and that all el e ments of the mes sage are in their proper or der.
Trans mis sion Mech a nisms Trans mis sion log ging is a form of au dit ing fo cused on com mu ni ca tions. Trans mis sion log ging records the
par tic u lars about source, des ti na tion, time stamps, iden ti fi ca tion codes, trans mis sion sta tus, num ber of pack ets, size of mes sage, and so on. These pieces of in for ma tion may be use ful in trou bleshoot ing prob lems and track ing down unau tho rized com mu ni ca tions or used against a sys tem as a means to ex tract data about how it func tions.
Trans mis sion er ror cor rec tion is a ca pa bil ity built into con nec tion- or ses sion-ori ented pro to cols and ser vices. If it is de ter mined that a mes sage, in whole or in part, was cor rupted, al tered, or lost, a re quest can be made for the source to re send all or part of the mes sage. Re trans mis sion con trols de ter mine whether all or part of a mes sage is re trans mit ted in the event that a trans mis sion er ror cor rec tion sys tem dis cov ers a prob lem with a com mu ni ca tion. Re trans mis sion con trols can also de ter mine whether mul ti ple copies of a hash to tal or CRC value are sent and whether mul ti ple data paths or com mu ni ca tion chan nels are em ployed.
Se cu rity Bound aries A se cu rity bound ary is the line of in ter sec tion be tween any two ar eas, sub nets, or en vi ron ments that have
dif fer ent se cu rity re quire ments or needs. A se cu rity bound ary ex ists be tween a high-se cu rity area and a low- se cu rity one, such as be tween a LAN and the in ter net. It is im por tant to rec og nize the se cu rity bound aries both on your net work and in the phys i cal world. Once you iden tify a se cu rity bound ary, you need to de ploy mech a nisms to con trol the flow of in for ma tion across those bound aries.
Di vi sions be tween se cu rity ar eas can take many forms. For ex am ple, ob jects may have dif fer ent clas si fi ca tions. Each clas si fi ca tion de fines what func tions can be per formed by which sub jects on which ob jects. The dis tinc tion be tween clas si fi ca tions is a se cu rity bound ary.
Se cu rity bound aries also ex ist be tween the phys i cal en vi ron ment and the log i cal en vi ron ment. To pro vide log i cal se cu rity, you must pro vide se cu rity mech a nisms that are dif fer ent from those used to pro vide phys i cal se cu rity. Both must be present to pro vide a com plete se cu rity struc ture, and both must be ad dressed in a se cu rity pol icy. How ever, they are dif fer ent and must be as sessed as sep a rate el e ments of a se cu rity so lu tion.
Se cu rity bound aries, such as a perime ter be tween a pro tected area and an un pro tected one, should al ways be clearly de fined. It’s im por tant to state in a se cu rity pol icy the point at which con trol ends or be gins and to iden tify that point in both the phys i cal and log i cal en vi ron ments. Log i cal se cu rity bound aries are the points where elec tronic com mu ni ca tions in ter face with de vices or ser vices for which your or ga ni za tion is legally re spon si ble. In most cases, that in ter face is clearly marked, and unau tho rized sub jects are in formed that they do not have ac cess and that at tempts to gain ac cess will re sult in pros e cu tion.
The se cu rity perime ter in the phys i cal en vi ron ment is of ten a re flec tion of the se cu rity perime ter of the log i cal en vi ron ment. In most cases, the area over which the or ga ni za tion is legally re spon si ble de ter mines the reach of a se cu rity pol icy in the phys i cal realm. This can be the walls of an of fice, the walls of a build ing, or the fence around a cam pus. In se cured en vi ron ments, warn ing signs are posted in di cat ing that unau tho rized ac cess is pro hib ited and at tempts to gain ac cess will be thwarted and re sult in pros e cu tion.
When trans form ing a se cu rity pol icy into ac tual con trols, you must con sider each en vi ron ment and se cu rity bound ary sep a rately. Sim ply de duce what avail able se cu rity mech a nisms would pro vide the most rea son able, cost-ef fec tive, and ef fi cient so lu tion for a spe cific en vi ron ment and sit u a tion. How ever, all se cu rity mech a nisms must be weighed against the value of the ob jects they are to pro tect. De ploy ing coun ter mea sures that cost more than the value of the pro tected ob jects is un war ranted.
Pre vent or Mit i gate Net work At tacks Com mu ni ca tion sys tems are vul ner a ble to at tacks in much the same way any other as pect of the IT
in fra struc ture is vul ner a ble. Un der stand ing the threats and pos si ble coun ter mea sures is an im por tant part of se cur ing an en vi ron ment. Any ac tiv ity or con di tion that can cause harm to data, re sources, or per son nel must be ad dressed and mit i gated if pos si ble. Keep in mind that harm in cludes more than just de struc tion or dam age; it also in cludes dis clo sure, ac cess de lay, de nial of ac cess, fraud, re source waste, re source abuse, and loss. Com mon threats against com mu ni ca tion sys tem se cu rity in clude de nial of ser vice, eaves drop ping, im per son ation, re play, and mod i fi ca tion.
DoS and DDoS
393
A de nial-of-ser vice (DoS) at tack is a re source con sump tion at tack that has the pri mary goal of pre vent ing le git i mate ac tiv ity on a vic tim ized sys tem. A DoS at tack ren ders the tar get un able to re spond to le git i mate traf fic.
There are two ba sic forms of de nial of ser vice:
At tacks ex ploit ing a vul ner a bil ity in hard ware or soft ware. This ex ploita tion of a weak ness, er ror, or stan dard fea ture of soft ware in tends to cause a sys tem to hang, freeze, con sume all sys tem re sources, and so on. The end re sult is that the vic tim ized com puter is un able to process any le git i mate tasks.
At tacks that flood the vic tim’s com mu ni ca tion pipe line with garbage net work traf fic. These at tacks are some times called traf fic gen er a tion or flood ing at tacks. The end re sult is that the vic tim ized com puter is un able to send or re ceive le git i mate net work com mu ni ca tions.
In ei ther case, the vic tim has been de nied the abil ity to per form nor mal op er a tions (ser vices).
DoS isn’t a sin gle at tack but rather an en tire class of at tacks. Some at tacks ex ploit flaws in op er at ing sys tem soft ware, whereas oth ers fo cus on in stalled ap pli ca tions, ser vices, or pro to cols. Some at tacks ex ploit spe cific pro to cols, in clud ing In ter net Pro to col (IP), Trans mis sion Con trol Pro to col (TCP), In ter net Con trol Mes sage Pro to col (ICMP), and User Data gram Pro to col (UDP).
DoS at tacks typ i cally oc cur be tween one at tacker and one vic tim. How ever, they aren’t al ways that sim ple. Most DoS at tacks em ploy some form of in ter me di ary sys tem (usu ally an un will ing and un know ing par tic i pant) to hide the at tacker from the vic tim. For ex am ple, if an at tacker sends at tack pack ets di rectly to a vic tim, it’s pos si ble for the vic tim to dis cover who the at tacker is. This is made more dif fi cult, al though not im pos si ble, through the use of spoof ing (de scribed in more de tail else where in this chap ter).
Many DoS at tacks be gin by com pro mis ing or in fil trat ing one or more in ter me di ary sys tems that then serve as launch points or at tack plat forms. These in ter me di ary sys tems are com monly re ferred to as sec ondary vic tims. The at tacker in stalls re mote-con trol tools, of ten called bots, zom bies, or agents, onto these sys tems. Then, at an ap pointed time or in re sponse to a launch com mand from the at tacker, the DoS at tack is con ducted against the vic tim. The vic tim may be able to dis cover zom bie sys tems that are caus ing the DoS at tack but prob a bly won’t be able to track down the ac tual at tacker. At tacks in volv ing zom bie sys tems are known as dis trib uted de nial-of-ser vice (DDoS) at tacks. De ploy ments of nu mer ous bots or zom bies across nu mer ous un sus pect ing sec ondary vic tims have be come known as bot nets.
Here are some coun ter mea sures and safe guards against these at tacks:
Add fire walls, routers, and in tru sion de tec tion sys tems (IDSs) that de tect DoS traf fic and au to mat i cally block the port or fil ter out pack ets based on the source or des ti na tion ad dress.
Main tain good con tact with your ser vice provider in or der to re quest fil ter ing ser vices when a DoS oc curs.
Dis able echo replies on ex ter nal sys tems.
Dis able broad cast fea tures on bor der sys tems.
Block spoofed pack ets from en ter ing or leav ing your net work.
Keep all sys tems patched with the most cur rent se cu rity up dates from ven dors.
Con sider com mer cial DoS pro tec tion/re sponse ser vices like Cloud Flare’s DDoS mit i ga tion or Pro lexic. These can be ex pen sive, but they are of ten ef fec tive.
For fur ther dis cus sion of DoS and DDoS, see Chap ter 17, “Pre vent ing and Re spond ing to In ci dents.”
Eaves drop ping As the name sug gests, eaves drop ping is sim ply lis ten ing to com mu ni ca tion traf fic for the pur pose of
du pli cat ing it. The du pli ca tion can take the form of record ing data to a stor age de vice or us ing an ex trac tion pro gram that dy nam i cally at tempts to ex tract the orig i nal con tent from the traf fic stream. Once a copy of traf fic con tent is in the hands of an at tacker, they can of ten ex tract many forms of con fi den tial in for ma tion, such as user names, pass words, process pro ce dures, data, and so on.
Eaves drop ping usu ally re quires phys i cal ac cess to the IT in fra struc ture to con nect a phys i cal record ing de vice to an open port or ca ble splice or to in stall a soft ware-record ing tool onto the sys tem. Eaves drop ping is of ten fa cil i tated by the use of a net work traf fic cap ture or mon i tor ing pro gram or a pro to col an a lyzer sys tem (of ten called a snif fer). Eaves drop ping de vices and soft ware are usu ally dif fi cult to de tect be cause they are used in pas sive at tacks. When eaves drop ping or wire tap ping is trans formed into al ter ing or in ject ing com mu ni ca tions, the at tack is con sid ered an ac tive at tack.
394
You Too Can Eaves drop on Net works
Eaves drop ping on net works is the act of col lect ing pack ets from the com mu ni ca tion medium. As a valid net work client, you are lim ited to see ing just the traf fic des ig nated for your sys tem. How ever, with the right tool (and au tho riza tion from your or ga ni za tion!), you can see all the data that passes your net work in ter face. Snif fers such as Wire shark and NetWit ness and ded i cated eaves drop ping tools such as T-Sight, Zed At tack Proxy (ZAP), and Cain & Abel can show you what is go ing on over the net work. Some tools will dis play only the raw net work pack ets, while oth ers will re assem ble the orig i nal data and dis play it for you in real time on your screen. We en cour age you to ex per i ment with a few eaves drop ping tools (only on net works where you have the proper ap proval) so you can see first hand what can be gleaned from net work com mu ni ca tions.
You can com bat eaves drop ping by main tain ing phys i cal ac cess se cu rity to pre vent unau tho rized per son nel from ac cess ing your IT in fra struc ture. As for pro tect ing com mu ni ca tions that oc cur out side your net work or for pro tect ing against in ter nal at tack ers, us ing en cryp tion (such as IPsec or SSH) and one time au then ti ca tion meth ods (that is, one time pads or to ken de vices) on com mu ni ca tion traf fic will greatly re duce the ef fec tive ness and time li ness of eaves drop ping.
The com mon threat of eaves drop ping is one of the pri mary mo ti va tions to main tain re li able com mu ni ca tions se cu rity. While data is in tran sit, it is of ten eas ier to in ter cept than when it is in stor age. Fur ther more, the lines of com mu ni ca tion may lie out side your or ga ni za tion’s con trol. Thus, re li able means to se cure data while in tran sit out side your in ter nal in fra struc ture are of ut most im por tance. Some of the com mon net work health and com mu ni ca tion re li a bil ity eval u a tion and man age ment tools, such as snif fers, can be used for ne far i ous pur poses and thus re quire strin gent con trols and over sight to pre vent abuse.
Im per son ation/Mas querad ing Im per son ation, or mas querad ing, is the act of pre tend ing to be some one or some thing you are not to gain
unau tho rized ac cess to a sys tem. This usu ally im plies that au then ti ca tion cre den tials have been stolen or fal si fied in or der to sat isfy (i.e., suc cess fully by pass) au then ti ca tion mech a nisms. This is dif fer ent from spoof ing, where an en tity puts forth a false iden tity but with out any proof (such as falsely us ing an IP ad dress, MAC ad dresses, email ad dress, sys tem name, do main name, etc.). Im per son ation is of ten pos si ble through the cap ture of user names and pass words or of ses sion setup pro ce dures for net work ser vices.
Some so lu tions to pre vent im per son ation are us ing one time pads and to ken au then ti ca tion sys tems, us ing Ker beros, and us ing en cryp tion to in crease the dif fi culty of ex tract ing au then ti ca tion cre den tials from net work traf fic.
Re play At tacks Re play at tacks are an off shoot of im per son ation at tacks and are made pos si ble through cap tur ing net work
traf fic via eaves drop ping. Re play at tacks at tempt to reestab lish a com mu ni ca tion ses sion by re play ing cap tured traf fic against a sys tem. You can pre vent them by us ing one time au then ti ca tion mech a nisms and se quenced ses sion iden ti fi ca tion.
Mod i fi ca tion At tacks In mod i fi ca tion at tacks, cap tured pack ets are al tered and then played against a sys tem. Mod i fied pack ets
are de signed to by pass the re stric tions of im proved au then ti ca tion mech a nisms and ses sion se quenc ing. Coun ter mea sures to mod i fi ca tion re play at tacks in clude us ing dig i tal sig na ture ver i fi ca tions and packet check sum ver i fi ca tion.
Ad dress Res o lu tion Pro to col Spoof ing
The Ad dress Res o lu tion Pro to col (ARP) is a sub pro to col of the TCP/IP pro to col suite and op er ates at the Data Link layer (layer 2). ARP is used to dis cover the MAC ad dress of a sys tem by polling us ing its IP ad dress. ARP func tions by broad cast ing a re quest packet with the tar get IP ad dress. The sys tem with that IP ad dress (or some other sys tem that al ready has an ARP map ping for it) will re ply with the as so ci ated MAC ad dress. The dis cov ered IP-to-MAC map ping is stored in the ARP cache and is used to di rect pack ets.
395
If you find the idea of mis di rect ing traf fic through the abuse of the ARP sys tem in ter est ing,
then con sider ex per i ment ing with at tack ing tools that per form this func tion. Some of the well-known tools for per form ing ARP spoof ing at tacks in clude Et ter cap, Cain & Abel, and arp spoof. Us ing these tools in com bi na tion with a net work snif fer (so you can watch the re sults) will give you great in sight into this form of net work at tack. How ever, as al ways, per form these ac tiv i ties only on net works where you have proper ap proval; oth er wise, your at tacker ac tiv i ties could land you in le gal trou ble.
ARP map pings can be at tacked through spoof ing. ARP spoof ing pro vides false MAC ad dresses for re quested IP-ad dressed sys tems to re di rect traf fic to al ter nate des ti na tions. ARP at tacks are of ten an el e ment in man-in-the-mid dle at tacks. Such at tacks in volve an in truder’s sys tem spoof ing its MAC ad dress against the des ti na tion’s IP ad dress into the source’s ARP cache. All pack ets re ceived from the source sys tem are in spected and then for warded to the ac tual in tended des ti na tion sys tem. You can take mea sures to fight ARP at tacks, such as defin ing static ARP map pings for crit i cal sys tems, mon i tor ing ARP caches for MAC-to-IP- ad dress map pings, or us ing an IDS to de tect anom alies in sys tem traf fic and changes in ARP traf fic.
DNS Poi son ing, Spoof ing, and Hi jack ing DNS poi son ing and DNS spoof ing are also known as res o lu tion at tacks. Do main Name Sys tem (DNS)
poi son ing oc curs when an at tacker al ters the do main-name-to-IP-ad dress map pings in a DNS sys tem to re di rect traf fic to a rogue sys tem or to sim ply per form a de nial of ser vice against a sys tem. DNS spoof ing oc curs when an at tacker sends false replies to a re quest ing sys tem, beat ing the real re ply from the valid DNS server. This is also tech ni cally an ex ploita tion of race con di tions. Pro tec tions against false DNS re sults caused by poi son ing and spoof ing in clude al low ing only au tho rized changes to DNS, re strict ing zone trans fers, and log ging all priv i leged DNS ac tiv ity.
In 2008, a fairly sig nif i cant vul ner a bil ity was dis cov ered and dis closed to the world by Dan Kamin sky. The vul ner a bil ity lies in the method by which lo cal or caching DNS servers ob tain in for ma tion from root servers re gard ing the iden tity of the au thor i ta tive servers for a par tic u lar do main. By send ing fal si fied replies to a caching DNS server for nonex is tent sub do mains, an at tacker can hi jack the en tire do main’s res o lu tion de tails. For an ex cel lent de tailed ex pla na tion on how DNS works and how this vul ner a bil ity threat ens the cur rent DNS in fra struc ture, visit “An Il lus trated Guide to the Kamin sky DNS Vul ner a bil ity” lo cated at http://unixwiz.net/techtips/igu ide-kamin sky-dns-vuln.html.
An other DNS con cern is that of the Ho mo graph at tack. These at tacks lever age sim i lar i ties in char ac ter sets to reg is ter phony in ter na tional do main names (IDNs) that to the naked eye ap pear le git i mate. For ex am ple, some let ters in Cyril lic look like Latin char ac ters; for ex am ple, the p in Latin looks like the Palochka Cyril lic let ter. Thus, do main names of ap ple.com and pay pal.com might look valid as Latin char ac ters but ac tu ally in clude Cyril lic char ac ters that when re solved di rect you to a dif fer ent site than which you in tended. For a thor ough dis cus sion of the Ho mo graph at tack, see https://blog .mal ware bytes.com/101/2017/10/out-of- char ac ter-ho mo graph-at tacks-ex plained/.
The only real so lu tion to this DNS hi jack ing vul ner a bil ity is to up grade DNS to Do main Name Sys tem Se cu rity Ex ten sions (DNSSEC). For de tails, please visit dnssec.net.
Hy per link Spoof ing
Yet an other re lated at tack is hy per link spoof ing, which is sim i lar to DNS spoof ing in that it is used to re di rect traf fic to a rogue or im poster sys tem or to sim ply di vert traf fic away from its in tended des ti na tion. Hy per link spoof ing can take the form of DNS spoof ing or can sim ply be an al ter ation of the hy per link URLs in the HTML code of doc u ments sent to clients. Hy per link spoof ing at tacks are usu ally suc cess ful be cause most users do not ver ify the do main name in a URL via DNS; rather, they as sume that the hy per link is valid and just click it.
396
Go ing Phish ing?
Hy per link spoof ing is not lim ited to just DNS at tacks. In fact, any at tack that at tempts to mis di rect le git i mate users to ma li cious web sites through the abuse of URLs or hy per links could be con sid ered hy per link spoof ing. Spoof ing is fal si fy ing in for ma tion, which in cludes fal si fy ing the re la tion ship be tween a URL and its trusted and orig i nal des ti na tion.
Phish ing is an other at tack that com monly in volves hy per link spoof ing. The term means fish ing for in for ma tion. Phish ing at tacks can take many forms, in clud ing the use of false URLs.
Be wary of any URL or hy per link in an email, PDF file, or pro duc tiv ity doc u ment. If you want to visit a site of fered as such, go to your web browser and man u ally type in the ad dress, use your own pre ex ist ing URL book mark, or use a trusted search en gine to find the site. These meth ods do in volve more work on your part, but they will es tab lish a pat tern of safe be hav ior that will serve you well. There are too many at tack ers in the world to be ca sual or lazy about fol low ing prof fered links and URLs.
An at tack re lated to phish ing is pre tex ting, which is the prac tice of ob tain ing your per sonal in for ma tion un der false pre tenses. Pre tex ting is of ten used to ob tain per sonal iden tity de tails that are then sold to oth ers who ac tu ally per form the abuse of your credit and rep u ta tion.
Pro tec tions against hy per link spoof ing in clude the same pre cau tions used against DNS spoof ing as well as keep ing your sys tem patched and us ing the in ter net with cau tion.
Sum mary Re mote ac cess se cu rity man age ment re quires se cu rity sys tem de sign ers to ad dress the hard ware and
soft ware com po nents of the im ple men ta tion along with pol icy is sues, work task is sues, and en cryp tion is sues. This in cludes de ploy ment of se cure com mu ni ca tion pro to cols. Se cure au then ti ca tion for both lo cal and re mote con nec tions is an im por tant foun da tional el e ment of over all se cu rity.
Main tain ing con trol over com mu ni ca tion path ways is es sen tial to sup port ing con fi den tial ity, in tegrity, and avail abil ity for net work, voice, and other forms of com mu ni ca tion. Nu mer ous at tacks are fo cused on in ter cept ing, block ing, or oth er wise in ter fer ing with the trans fer of data from one lo ca tion to an other. For tu nately, there are also rea son able coun ter mea sures to re duce or even elim i nate many of these threats.
Tun nel ing, or en cap su la tion, is a means by which mes sages in one pro to col can be trans ported over an other net work or com mu ni ca tions sys tem us ing a sec ond pro to col. Tun nel ing can be com bined with en cryp tion to pro vide se cu rity for the trans mit ted mes sage. VPNs are based on en crypted tun nel ing.
A VLAN is a hard ware-im posed net work seg men ta tion cre ated by switches. VLANs are used to log i cally seg ment a net work with out al ter ing its phys i cal topol ogy. VLANs are used for traf fic man age ment.
Telecom mut ing, or re mote con nec tiv ity, has be come a com mon fea ture of busi ness com put ing. When re mote ac cess ca pa bil i ties are de ployed in any en vi ron ment, se cu rity must be con sid ered and im ple mented to pro vide pro tec tion for your pri vate net work against re mote ac cess com pli ca tions. Re mote ac cess users should be strin gently au then ti cated be fore be ing granted ac cess; this can in clude the use of RA DIUS or TACACS+. Re mote ac cess ser vices in clude Voice over IP (VoIP), ap pli ca tion stream ing, VDI, mul ti me dia col lab o ra tion, and in stant mes sag ing.
NAT is used to hide the in ter nal struc ture of a pri vate net work as well as to en able mul ti ple in ter nal clients to gain in ter net ac cess through a few pub lic IP ad dresses. NAT is of ten a na tive fea ture of bor der se cu rity de vices, such as fire walls, routers, gate ways, and prox ies.
In cir cuit switch ing, a ded i cated phys i cal path way is cre ated be tween the two com mu ni cat ing par ties. Packet switch ing oc curs when the mes sage or com mu ni ca tion is bro ken up into small seg ments (usu ally fixed- length pack ets, de pend ing on the pro to cols and tech nolo gies em ployed) and sent across the in ter me di ary net works to the des ti na tion. Within packet-switch ing sys tems are two types of com mu ni ca tion: paths and vir tual cir cuits. A vir tual cir cuit is a log i cal path way or cir cuit cre ated over a packet-switched net work be tween two spe cific end points. There are two types of vir tual cir cuits: per ma nent vir tual cir cuits (PVCs) and switched vir tual cir cuits (SVCs).
WAN links, or long-dis tance con nec tion tech nolo gies, can be di vided into two pri mary cat e gories: ded i cated and nonded i cated lines. A ded i cated line con nects two spe cific end points and only those two end points. A nonded i cated line is one that re quires a con nec tion to be es tab lished be fore data trans mis sion can oc cur. A nonded i cated line can be used to con nect with any re mote sys tem that uses the same type of nonded i cated line. WAN con nec tion tech nolo gies in clude X.25, Frame Re lay, ATM, SMDS, SDLC, HDLC, SDH, and SONET.
397
When se lect ing or de ploy ing se cu rity con trols for net work com mu ni ca tions, you need to eval u ate nu mer ous char ac ter is tics in light of your cir cum stances, ca pa bil i ties, and se cu rity pol icy. Se cu rity con trols should be trans par ent to users. Hash to tals and CRC checks can be used to ver ify mes sage in tegrity. Record se quences are used to en sure se quence in tegrity of a trans mis sion. Trans mis sion log ging helps de tect com mu ni ca tion abuses.
Vir tu al iza tion tech nol ogy is used to host one or more op er at ing sys tems within the mem ory of a sin gle host com puter. This mech a nism al lows vir tu ally any OS to op er ate on any hard ware. It also al lows mul ti ple op er at ing sys tems to work si mul ta ne ously on the same hard ware. Vir tu al iza tion of fers sev eral ben e fits, such as be ing able to launch in di vid ual in stances of servers or ser vices as needed, real-time scal a bil ity, and be ing able to run the ex act OS ver sion needed for the ap pli ca tion.
In ter net-based email is in se cure un less you take steps to se cure it. To se cure email, you should pro vide for non re pu di a tion, re strict ac cess to au tho rized users, make sure in tegrity is main tained, au then ti cate the mes sage source, ver ify de liv ery, and even clas sify sen si tive con tent. These is sues must be ad dressed in a se cu rity pol icy be fore they can be im ple mented in a so lu tion. They of ten take the form of ac cept able use poli cies, ac cess con trols, pri vacy dec la ra tions, email man age ment pro ce dures, and backup and re ten tion poli cies.
Email is a com mon de liv ery mech a nism for ma li cious code. Fil ter ing at tach ments, us ing an tivirus soft ware, and ed u cat ing users are ef fec tive coun ter mea sures against that kind of at tack. Email spam ming or flood ing is a form of de nial of ser vice that can be de terred through fil ters and IDSs. Email se cu rity can be im proved us ing S/MIME, MOSS, PEM, and PGP.
Fax and voice se cu rity can be im proved by us ing en cryp tion to pro tect the trans mis sion of doc u ments and pre vent eaves drop ping. Train ing users ef fec tively is a use ful coun ter mea sure against so cial en gi neer ing at tacks.
A se cu rity bound ary can be the di vi sion be tween one se cured area and an other se cured area, or it can be the di vi sion be tween a se cured area and an un se cured area. Both must be ad dressed in a se cu rity pol icy.
Com mu ni ca tion sys tems are vul ner a ble to many at tacks, in clud ing dis trib uted de nial of ser vice (DDoS), eaves drop ping, im per son ation, re play, mod i fi ca tion, spoof ing, and ARP and DNS at tacks. For tu nately, ef fec tive coun ter mea sures ex ist for each of these. PBX fraud and abuse and phone phreak ing are prob lems that must also be ad dressed.
Exam Es sen tials Un der stand the is sues around re mote ac cess se cu rity man age ment. Re mote ac cess se cu rity
man age ment re quires that se cu rity sys tem de sign ers ad dress the hard ware and soft ware com po nents of an im ple men ta tion along with is sues re lated to pol icy, work tasks, and en cryp tion.
Be fa mil iar with the var i ous pro to cols and mech a nisms that may be used on LANs and WANs for data com mu ni ca tions. These are SKIP, SWIPE, SSL, SET, PPP, SLIP, CHAP, PAP, EAP, and S- RPC. They can also in clude VPN, TLS/SSL, and VLAN.
Know what tun nel ing is. Tun nel ing is the en cap su la tion of a pro to col-de liv er able mes sage within a sec ond pro to col. The sec ond pro to col of ten per forms en cryp tion to pro tect the mes sage con tents.
Un der stand VPNs. VPNs are based on en crypted tun nel ing. They can of fer au then ti ca tion and data pro tec tion as a point-to-point so lu tion. Com mon VPN pro to cols are PPTP, L2F, L2TP, and IPsec.
Be able to ex plain NAT. NAT pro tects the ad dress ing scheme of a pri vate net work, al lows the use of the pri vate IP ad dresses, and en ables mul ti ple in ter nal clients to ob tain in ter net ac cess through a few pub lic IP ad dresses. NAT is sup ported by many se cu rity bor der de vices, such as fire walls, routers, gate ways, and prox ies.
Un der stand the dif fer ence be tween packet switch ing and cir cuit switch ing. In cir cuit switch ing, a ded i cated phys i cal path way is cre ated be tween the two com mu ni cat ing par ties. Packet switch ing oc curs when the mes sage or com mu ni ca tion is bro ken up into small seg ments and sent across the in ter me di ary net works to the des ti na tion. Within packet-switch ing sys tems are two types of com mu ni ca tion paths, or vir tual cir cuits: per ma nent vir tual cir cuits (PVCs) and switched vir tual cir cuits (SVCs).
Un der stand the dif fer ence be tween ded i cated and nonded i cated lines. A ded i cated line is al ways on and is re served for a spe cific cus tomer. Ex am ples of ded i cated lines in clude T1, T3, E1, E3, and ca ble modems. A nonded i cated line re quires a con nec tion to be es tab lished be fore data trans mis sion can oc cur. It can be used to con nect with any re mote sys tem that uses the same type of nonded i cated line. Stan dard modems, DSL, and ISDN are ex am ples of nonded i cated lines.
Know var i ous is sues re lated to re mote ac cess se cu rity. Be fa mil iar with re mote ac cess, dial-up con nec tions, screen scrap ers, vir tual ap pli ca tions/desk tops, and gen eral telecom mut ing se cu rity con cerns.
398
Know the var i ous types of WAN tech nolo gies. Know that most WAN tech nolo gies re quire a chan nel ser vice unit/data ser vice unit (CSU/DSU), some times called a WAN switch. There are many types of car rier net works and WAN con nec tion tech nolo gies, such as X.25, Frame Re lay, ATM, SMDS, SDH, and SONET. Some WAN con nec tion tech nolo gies re quire ad di tional spe cial ized pro to cols to sup port var i ous types of spe cial ized sys tems or de vices.
Un der stand the dif fer ences be tween PPP and SLIP. The Point-to-Point Pro to col (PPP) is an en cap su la tion pro to col de signed to sup port the trans mis sion of IP traf fic over dial-up or point-to-point links. PPP in cludes a wide range of com mu ni ca tion ser vices, in clud ing as sign ment and man age ment of IP ad dresses, man age ment of syn chro nous com mu ni ca tions, stan dard ized en cap su la tion, mul ti plex ing, link con fig u ra tion, link qual ity test ing, er ror de tec tion, and fea ture or op tion ne go ti a tion (such as com pres sion). PPP was orig i nally de signed to sup port CHAP and PAP for au then ti ca tion. How ever, re cent ver sions of PPP also sup port MS-CHAP, EAP, and SPAP. PPP re placed Se rial Line In ter net Pro to col (SLIP). SLIP of fered no au then ti ca tion, sup ported only half-du plex com mu ni ca tions, had no er ror-de tec tion ca pa bil i ties, and re quired man ual link es tab lish ment and tear down.
Un der stand com mon char ac ter is tics of se cu rity con trols. Se cu rity con trols should be trans par ent to users. Hash to tals and CRC checks can be used to ver ify mes sage in tegrity. Record se quences are used to en sure se quence in tegrity of a trans mis sion. Trans mis sion log ging helps de tect com mu ni ca tion abuses.
Un der stand how email se cu rity works. In ter net email is based on SMTP, POP3, and IMAP. It is in her ently in se cure. It can be se cured, but the meth ods used must be ad dressed in a se cu rity pol icy. Email se cu rity so lu tions in clude us ing S/MIME, MOSS, PEM, or PGP.
Know how fax se cu rity works. Fax se cu rity is pri mar ily based on us ing en crypted trans mis sions or en crypted com mu ni ca tion lines to pro tect the faxed ma te ri als. The pri mary goal is to pre vent in ter cep tion. Ac tiv ity logs and ex cep tion re ports can be used to de tect anom alies in fax ac tiv ity that could be symp toms of at tack.
Know the threats as so ci ated with PBX sys tems and the coun ter mea sures to PBX fraud. Coun ter mea sures to PBX fraud and abuse in clude many of the same pre cau tions you would em ploy to pro tect a typ i cal com puter net work: log i cal or tech ni cal con trols, ad min is tra tive con trols, and phys i cal con trols.
Un der stand the se cu rity is sues re lated to VoIP. VoIP is at risk for caller ID spoof ing, vish ing, SPIT, call man ager soft ware/firmware at tacks, phone hard ware at tacks, DoS, MitM, spoof ing, and switch hop ping.
Rec og nize what a phreaker is. Phreak ing is a spe cific type of at tack in which var i ous types of tech nol ogy are used to cir cum vent the tele phone sys tem to make free long-dis tance calls, to al ter the func tion of tele phone ser vice, to steal spe cial ized ser vices, or even to cause ser vice dis rup tions. Com mon tools of phreak ers in clude black, red, blue, and white boxes.
Un der stand voice com mu ni ca tions se cu rity. Voice com mu ni ca tions are vul ner a ble to many at tacks, es pe cially as voice com mu ni ca tions be come an im por tant part of net work ser vices. You can ob tain con fi den tial ity by us ing en crypted com mu ni ca tions. Coun ter mea sures must be de ployed to pro tect against in ter cep tion, eaves drop ping, tap ping, and other types of ex ploita tion. Be fa mil iar with voice com mu ni ca tion top ics, such as POTS, PSTN, PBX, and VoIP.
Be able to ex plain what so cial en gi neer ing is. So cial en gi neer ing is a means by which an un known per son gains the trust of some one in side your or ga ni za tion by con vinc ing em ploy ees that they are, for ex am ple, as so ci ated with up per man age ment, tech ni cal sup port, or the help desk. The vic tim is of ten en cour aged to make a change to their user ac count on the sys tem, such as re set their pass word, so the at tacker can use it to gain ac cess to the net work. The pri mary coun ter mea sure for this sort of at tack is user train ing.
Ex plain the con cept of se cu rity bound aries. A se cu rity bound ary can be the di vi sion be tween one se cured area and an other se cured area. It can also be the di vi sion be tween a se cured area and an un se cured area. Both must be ad dressed in a se cu rity pol icy.
Un der stand the var i ous net work at tacks and coun ter mea sures as so ci ated with com mu ni ca tions se cu rity. Com mu ni ca tion sys tems are vul ner a ble to many at tacks, in clud ing dis trib uted de nial of ser vice (DDoS), eaves drop ping, im per son ation, re play, mod i fi ca tion, spoof ing, and ARP and DNS at tacks. Be able to sup ply ef fec tive coun ter mea sures for each.
Writ ten Lab
1. De scribe the dif fer ences be tween trans port mode and tun nel mode of IPsec.
2. Dis cuss the ben e fits of NAT.
3. What are the main dif fer ences be tween cir cuit switch ing and packet switch ing?
4. What are some se cu rity is sues with email and op tions for safe guard ing against them?