IOT
World Headquarters Jones & Bartlett Learning
5 Wall Street
Burlington, MA 01803
978-443-5000
www.jblearning.com
Jones & Bartlett Learning books and products are available through most
bookstores and online booksellers. To contact Jones & Bartlett Learning directly,
call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning
publications are available to corporations, professional associations, and other
qualified organizations. For details and specific discount information, contact
the special sales department at Jones & Bartlett Learning via the above
contact information or send an email to [email protected].
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend
Learning Company All rights reserved. No part of the material protected by
this copyright may be reproduced or utilized in any form, electronic or
mechanical, including photocopying, recording, or by any information storage
and retrieval system, without written permission from the copyright owner.
The content, statements, views, and opinions herein are the sole expression of
the respective authors and not that of Jones & Bartlett Learning, LLC. Reference
herein to any specific commercial product, process, or service by trade name,
trademark, manufacturer, or otherwise does not constitute or imply its
endorsement or recommendation by Jones & Bartlett Learning, LLC and such
reference shall not be used for advertising or product endorsement purposes. All
trademarks displayed are the trademarks of the parties noted herein. Network
Security, Firewalls, and VPNs, Second Edition is an independent publication and
has not been authorized, sponsored, or otherwise approved by the owners of the
trademarks or service marks referenced in this product.
There may be images in this book that feature models; these models do not
necessarily endorse, represent, or participate in the activities represented in the
images. Any screenshots in this product are for educational and instructive
purposes only. Any individuals and scenarios featured in the case studies
throughout this product may be real or fictitious, but are used for instructional
purposes only.
This publication is designed to provide accurate and authoritative information in
regard to the subject matter covered. It is sold with the understanding that the
publisher is not engaged in rendering legal or other professional service. If legal
advice or other expert assistance is required, the service of a competent
professional person should be sought.
Production Credits
Chief Executive Officer: Ty Field
President: James Homer
SVP, Editor-in-Chief: Michael Johnson SVP, Curriculum Solutions: Christopher Will
Director of Sales, Curriculum Solutions: Randi Roger Senior Marketing
Manager: Andrea DeFronzo Associate Marketing Manager: Kelly Thompson VP,
Design and Production: Anne Spencer VP, Manufacturing and Inventory
Control: Therese Connell Manufacturing and Inventory Control Supervisor: Amy
Bacus Editorial Management: High Stakes Writing, LLC, President: Lawrence J.
Goodrich Senior Editor, HSW: Ruth Walker
Senior Editorial Assistant: Rainna Erikson Production Manager: Susan Schultz
Composition: Gamut+Hue, LLC
Cover Design: Kristin E. Parker
Director of Photo Research and Permissions: Amy Wrynn Rights & Photo
Research Assistant: Joseph Veiga Cover Image: © HunThomas/ShutterStock,
Inc.
Chapter Opener Image: © Rodolfo Clix/Dreamstime.com
Printing and Binding: Edwards Brothers Malloy Cover Printing: Edwards Brothers
Malloy ISBN: 978-1-284-03167-6
Library of Congress Cataloging-in-Publication Data Not available at time
of printing.
6048
Printed in the United States of America 17 16 15 14 13 10 9 8 7 6 5 4 3 2 1
Contents
Preface
PART ONE Foundations of Network Security
CHAPTER
1
Fundamentals of Network Security
What Is Network Security?
What Is Trust?
Who—or What—Is Trustworthy?
What Are Security Objectives?
What Are You Trying to Protect?
Seven Domains of a Typical IT
Infrastructure
Goals of Network Security
How Can You Measure the Success of
Network Security?
Why Are Written Network Security Policies
Important?
Planning for the Worst
Who Is Responsible for Network Security?
Examples of Network Infrastructures and
Related Security Concerns
Workgroups
SOHO Networks
Client/Server Networks
LAN Versus WAN
Thin Clients and Terminal Services
Remote Control, Remote Access, and VPN
Boundary Networks
Strengths and Weaknesses of Network
Design
Enhancing the Security of Wired Versus
Wireless LAN Infrastructures
Internal and External Network Issues
Common Network Security Components
Used to Mitigate Threats
Hosts and Nodes
IPv4 Versus IPv6
Firewall
Virtual Private Networks
Proxy Servers
Network Address Translation
Routers, Switches, and Bridges
The Domain Name System
Directory Services
Intrusion Detection Systems and
Intrusion Prevention Systems
Network Access Control
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER
2
Firewall Fundamentals
What Is a Firewall?
What Firewalls Cannot Do
Why Do You Need a Firewall?
What Are Zones of Risk?
How Firewalls Work and What Firewalls Do
TCP/IP Basics
OSI Reference Model
Sub-Protocols
Headers and Payloads
Addressing
Types of Firewalls
Ingress and Egress Filtering
Types of Filtering
Static Packet Filtering
Stateful Inspection and Dynamic Packet
Filtering
Network Address Translation (NAT)
Application Proxy
Circuit Proxy
Content Filtering
Software Versus Hardware Firewalls
IPv4 Versus IPv6 Firewalls
Dual-Homed and Triple-Homed Firewalls
Placement of Firewalls
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER
3
VPN Fundamentals
What Is a Virtual Private Network?
What Are the Benefits of Deploying a VPN?
What Are the Limitations of a VPN?
What Are Effective VPN Policies?
VPN Deployment Models and Architecture
Tunnel Versus Transport Mode
The Relationship Between Encryption and
VPNs
Symmetric Cryptography
Asymmetric Cryptography
Hashing
What Is VPN Authentication?
VPN Authorization
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
CHAPTER
4
Network Security Threats and
Issues
Hacker Motivation
Favorite Targets of Hackers
Threats from Internal Personnel and External
Entities
The Hacking Process
Fallback Attacks
Common IT Infrastructure Threats
Hardware Failures and Other Physical
Threats
Natural Disasters
Accidents and Intentional Concerns
Malicious Code (Malware)
Advanced Persistent Threat
Fast Growth and Overuse
Wireless Versus Wired
Eavesdropping
Replay Attacks
Insertion Attacks
Fragmentation Attacks, Buffer Overflows,
and XSS Attacks
Fragmentation Attacks
Buffer Overflows
XSS (Cross-Site Scripting) Attacks
Man-in-the-Middle, Session Hijacking, and
Spoofing Attacks
Man-in-the-Middle Attacks
Session Hijacking
Spoofing Attacks
Covert Channels
Network and Resource Availability Threats
Denial of Service (DoS)
Distributed Denial of Service (DDoS)
Hacker Tools
Social Engineering
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
PART TWO Technical Overview of Network
Security, Firewalls, and VPNs
CHAPTER
5
Network Security Implementation
Seven Domains of a Typical IT Infrastructure
Network Design and Defense in Depth
Protocols
Common Types of Addressing
IPv6
Controlling Communication Pathways
Hardening Systems
Equipment Selection
Authentication, Authorization, and
Accounting
Communication Encryption
Hosts: Local-Only or Remote and Mobile
Redundancy
Endpoint Security
Clients
Servers
Routers
Switches
Firewalls and Proxies
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
Network Security Management
CHAPTER
6
Network Security Management Best
Practices
Fail-Secure, Fail-Open, and Fail-Close Options
Physical Security
Watching for Compromise
Incident Response
Trapping Intruders and Violators
Why Containment Is Important
Imposing Compartmentalization
Using Honeypots, Honeynets, and Padded
Cells
Essential Host Security Controls
Backup and Recovery
User Training and Awareness
Network Security Management Tools
Security Checklist
Network Security Troubleshooting
Compliance Auditing
Security Assessment
Configuration Scans
Vulnerability Scanning
Penetration Testing
Post-Mortem Assessment Review
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER
7
Firewall Basics
Firewall Rules
Authentication, Authorization, and
Accounting
Monitoring and Logging
Understanding and Interpreting Firewall Logs
and Alerts
Intrusion Detection
Limitations of Firewalls
Improving Performance
The Downside of Encryption with Firewalls
Firewall Enhancements
Management Interfaces
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER
8
Firewall Deployment
Considerations
What Should You Allow and What Should You
Block?
Common Security Strategies for Firewall
Deployments
Security Through Obscurity
Least Privilege
Simplicity
Defense in Depth
Diversity of Defense
Chokepoint
Weakest Link
Fail-Safe
Forced Universal Participation
Essential Elements of a Firewall Policy
Software and Hardware Options for Firewalls
Benefit and Purpose of Reverse Proxy
Use and Benefit of Port-Forwarding
Considerations for Selecting a Bastion Host
OS
Constructing and Ordering Firewall Rules
Evaluating Needs and Solutions in Designing
Security
What Happens When Security Gets in the
Way of Doing Business?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER
9
Firewall Management and Security
Best Practices for Firewall Management
Security Measures in Addition to a Firewall
Selecting the Right Firewall for Your Needs
The Difference Between Buying and Building
a Firewall
Mitigating Firewall Threats and Exploits
Concerns Related to Tunneling Through or
Across a Firewall
Testing Firewall Security
Important Tools for Managing and Monitoring
a Firewall
Troubleshooting Firewalls
Proper Firewall Implementation Procedure
Responding to Incidents
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER
10
Using Common Firewalls
Individual and Small Office/Home Office
(SOHO) Firewall Options
Uses for a Host Software Firewall
Examples of Software Firewall Products
Using Windows 7’s Host Software Firewall
Using a Linux Host Software Firewall
Managing the Firewall on an ISP Connection
Device
Converting a Home Router into a Firewall
Commercial Software Network Firewalls
Open-Source Software Network Firewalls
Appliance Firewalls
Virtual Firewalls
Simple Firewall Techniques
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER
11
VPN Management
VPN Management Best Practices
Developing a VPN Policy
Developing a VPN Deployment Plan
Bypass Deployment
Internally Connected Deployment
DMZ-Based Implementation
VPN Threats and Exploits
Commercial or Open Source VPNs
Differences Between Personal and
Enterprise VPNs
Balancing Anonymity and Privacy
Protecting VPN Security to Support
Availability
The Importance of User Training
VPN Troubleshooting
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER
12
VPN Technologies
Differences Between Software and Hardware
Solutions
Software VPNs
Hardware VPNs
Differences Between Layer 2 and Layer 3
VPNs
Internet Protocol Security (IPSec)
Layer 2 Tunneling Protocol (L2TP)
Secure Sockets Layer (SSL)/Transport Layer
Security (TLS)
SSL/TLS and VPNs
Secure Shell (SSH) Protocol
Establishing Performance and Stability for
VPNs
Performance
Stability
Using VPNs with Network Address
Translation (NAT)
Types of Virtualization
Desktop Virtualization
SSL VPN Virtualization
Differences Between Internet Protocol
Version 4 (IPv4) and Internet Protocol
Version 6 (IPv6)
The TCP/IP Protocol Suite
IPv4 Challenges
IPv6
IPSec and IPv6
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
PART THREE Implementation, Resources, and
the Future
CHAPTER
13
Firewall Implementation
Constructing, Configuring, and Managing a
Firewall
SmoothWall
Examining Your Network and Its Security
Needs
What to Protect and Why
Preserving Privacy
Firewall Design and Implementation
Guidelines
Selecting a Firewall
Hardware Requirements for SmoothWall
Planning a Firewall Implementation with
SmoothWall
Firewalling a Big Organization:
Application-Level Firewall and Package
Filtering, a Hybrid System
Firewalling a Small Organization: Packet
Filtering or Application-Level Firewall,
a Proxy Implementation
Firewalling in a Subnet Architecture
Installing a Firewall with SmoothWall
Configuring a Firewall with SmoothWall
Elements of Firewall Deployment
Performing Testing with SmoothWall
Firewall Troubleshooting
Additional SmoothWall Features
Firewall Implementation Best Practices
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER
14
Real-World VPNs
Operating System–Based VPNs
VPN Appliances
Configuring a Typical VPN Appliance
Client-Side Configuration
Remote Desktop Protocol
Using Remote Control Tools
Using Remote Access
The Technology for Remote Use
Choosing Between IPSec and SSL Remote
Access VPNs
Terminal Services
TS RemoteApp
TS Web Access
Microsoft DirectAccess
DMZ, Extranet, and Intranet VPN Solutions
Intranet VPNs
Extranet VPNs
Internet Café VPNs
Online Remote VPN Options
Security
Wake-on-LAN Support
File Sharing
Remote Printing
Mac Support
The Tor Application
Planning a VPN Implementation
Requirements
Installation
Deployment
Testing and Troubleshooting
VPN Implementation Best Practices
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER
15
Perspectives, Resources, and the
Future
What the Future Holds for Network Security,
Firewalls, and VPNs
Threats
Firewall Capabilities
Encryption
Authentication
Metrics
Focus
Securing the Cloud
Securing Mobile Devices
Mobile IP
Bring Your Own Device (BYOD)
Resource Sites for Network Security,
Firewalls, and VPNs
Tools for Network Security, Firewalls, and
VPNs
Commercial Off-the-Shelf (COTS)
Software
Open Source Applications and Tools
The Impact of Ubiquitous Wireless
Connectivity
Potential Uses of Security Technologies
What Happens When There Is No
Perimeter?
Specialized Firewalls Available
Intrusion Detection Systems (IDSs) and
Intrusion Prevention Systems (IPSs)
Effect of Honeypots, Honeynets, and Padded
Cells
Emerging Network Security Technologies
IP Version 6
VPNs, Firewalls, and Virtualization
Steganography
Anti-Forensics
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX
A
Answer Key
APPENDIX
B
Standard Acronyms
Glossary of Key Terms
References
Index
Preface
Purpose of This Book
This book is part of the Information Systems Security &
Assurance Series from Jones & Bartlett Learning
(www.jblearning.com). Designed for courses and curriculums
in IT Security, Cybersecurity, Information Assurance, and
Information Systems Security, this series features a
comprehensive, consistent treatment of the most current
thinking and trends in this critical subject area. These titles
deliver fundamental information-security principles packed
with real-world applications and examples. Authored by
Certified Information Systems Security Professionals
(CISSPs), they deliver comprehensive information on all
aspects of information security. Reviewed word for word by
leading technical experts in the field, these books are not
just current, but forward-thinking—putting you in the
position to solve the cybersecurity challenges not just of
today, but of tomorrow, as well.
The first part of this book on network security focuses on
the business challenges and threats that you face as soon
as you physically connect your organization’s network to the
public Internet. It will present you with key concepts and
terms, and reveal what hackers do when trying to access
your network, thus providing you with the necessary
foundation in network security for the discussions that
follow. It will define firewalls and virtual private networks
(VPNs), providing you with an understanding of how to use
them as security countermeasures to solve business
challenges.
Part 2 discusses how to implement network security and
reviews best practices. It discusses to how select and deploy
firewalls and the tools for managing and monitoring them. It
also reviews implementing a VPN, the technologies
involved, and VPN-management best practices.
Part 3 focuses on the practical, giving concrete, step-by-
step examples of how to implement a firewall and a VPN. It
also discusses what challenges the future holds for
information security professionals involved in network
security. It covers the tools and resources available to the
professional and scans the horizon of emerging
technologies.
Learning Features
The writing style of this book is practical and conversational.
Step-by-step examples of information security concepts and
procedures are presented throughout the text. Each chapter
begins with a statement of learning objectives. Illustrations
are used both to clarify the material and to vary the
presentation. The text is sprinkled with Notes, Tips, FYIs,
Warnings, and sidebars to alert the reader to additional and
helpful information related to the subject under discussion.
Chapter Assessments appear at the end of each chapter,
with solutions provided in the back of the book.
Chapter summaries are included in the text to provide a
rapid review or preview of the material and to help students
understand the relative importance of the concepts
presented.
Audience
The material is suitable for undergraduate or graduate
computer science majors or information science majors,
students at a two-year technical college or community
college who have a basic technical background, or readers
who have a basic understanding of IT security and want to
expand their knowledge.
About the Author
James Michael Stewart has been working with computers
and technology for more than 25 years. His work focuses on
security, certification, and various operating systems.
Recently, Michael has been teaching job-skill and
certification courses such as CISSP, CEH, and Security+. He
is the primary author of the CISSP Study Guide, 4th Edition
and the Security+ 2008 Review Guide. In addition, Michael
has written numerous books on other security and Microsoft
certification and administration topics. He has developed
certification courseware and training materials as well as
presented these materials in the classroom. Michael holds
the following certifications: CISSP, ISSAP, SSCP, MCT, CEI,
CEH, TICSA, CIW SA, Security+, MCSE+Security: Windows
2000, MCSA Windows Server 2003, MCDST, MCSE NT &
W2K, MCP+I, Network+, iNet+. He graduated in 1992 from
the University of Texas at Austin with a bachelor’s degree in
philosophy.
PART ONE
Foundations of Network
Security
CHAPTER
1
Fundamentals of Network Security
CHAPTER
2
Firewall Fundamentals
CHAPTER
3
VPN Fundamentals
CHAPTER
4
Network Security Threats and
Issues
CHAPTER
1 Fundamentals of
Network Security
COMPUTER NETWORK SECURITY is very complex. New threats from inside and outside networks appear constantly.
Just as constantly, the security community is developing
new products and procedures to defend against threats of
the past and unknowns of the future.
As companies merge, people lose their jobs, new
equipment comes online, and business tasks change, people
do not always do what you expect. Network security
configurations that worked well yesterday might not work
quite as well tomorrow. In an ever-changing business
climate, whom should you trust? Has your trust been
violated? How would you even know? Who is attempting to
harm your network this time? And why?
Because of these complex issues, you need to
understand the essentials of network security. This chapter
will introduce you to the basic elements of network security.
Once you have a firm grasp of these fundamentals, you will
be well equipped to put effective security measures into
practice on your organization’s network.
Chapter 1 Topics
This chapter covers the following topics and
concepts:
What network security is
What you are trying to protect within the
seven domains of a typical IT infrastructure
What the goals of network security are
How you can assess the success of your
network security implementation
Why written network security policies are
important
Who is responsible for network security
What some examples of network
infrastructures and related security concerns
are
Which controls can enhance the security of
wired vs. wireless local area network (LAN)
infrastructures
What some examples of internal and external
network issues are
Which common network security
components are used to mitigate threats
throughout the IT infrastructure
Chapter 1 Goals
When you complete this chapter, you will be able
to:
Describe the key concepts and terms
associated with network security
Describe the importance of a written security
policy and explain how policies help mitigate
risk exposure and threats to a network
infrastructure
Define network security roles and
responsibilities and who within an IT
organization is accountable for these security
implementations
Identify examples of network security
concerns or threats that require enhanced
security countermeasures to properly
mitigate risk exposure and threats
Describe the security requirements needed
for wired versus wireless LAN infrastructures
in order to provide an enhanced level of
security
Compare and contrast common network
security components and devices and their
use throughout the IT infrastructure
What Is Network Security?
Network security is the control of unwanted intrusion into,
use of, or damage to communications on your organization’s
computer network. This includes monitoring for abuses,
looking for protocol errors, blocking non-approved
transmissions, and responding to problems promptly.
Network security is also about supporting essential
communication necessary to the organization’s mission and
goals, avoiding the unapproved use of resources, and
ensuring the integrity of the information traversing the
network.
Network security includes elements that prevent
unwanted activities while supporting desirable activities.
This is hard to do efficiently, cost effectively, and
transparently. Efficient network security provides quick and
easy access to resources for users. Cost-effective network
security controls user access to resources and services
without excessive expense. Transparent network security
supports the mission and goals of the organization through
enforcement of the organization’s network security policies,
without getting in the way of valid users performing valid
tasks.
Computer networking technology is changing and
improving faster today than ever before. Wireless
connectivity is now a realistic option for most companies
and individuals. Malicious hackers are becoming more adept
at stealing identities and money using every means
available.
Today, many companies spend more time, money, and
effort protecting their assets than they do on the initial
installation of the network. And little wonder. Threats, both
internal and external, can cause a catastrophic system
failure or compromise. Such security breaches can even
result in a company going out of business. Without network
security, many businesses and even individuals would not
be able to work productively.
Network security must support workers in doing their
jobs while protecting against compromise, maintaining high
performance, and keeping costs to a minimum. This can be
an incredibly challenging job, but it is one that many
organizations have successfully tackled.
Network security has to start somewhere. It has to start
with trust.
What Is Trust?
Trust is confidence in your expectation that others will act
in your best interest. With computers and networks, trust is
the confidence that other users will act in accordance with
your organization’s security rules. You trust that they will
not attempt to violate the stability, privacy, or integrity of
the network and its resources. Trust is the belief that others
are trustworthy.
Unfortunately, sometimes people violate your trust.
Sometimes they do this by accident, oversight, or ignorance
that the expectation even existed. In other situations, they
violate trust deliberately. Because these people can be
either internal personnel or external hackers, it’s difficult to
know whom to trust.
So how can you answer the question, “Who is
trustworthy?” You begin by realizing that trust is based on
past experiences and behaviors. Trust is usually possible
between people who already know each other. It’s neither
easy nor desirable to trust strangers. However, once you’ve
defined a set of rules and everyone agrees to abide by
those rules, you have established a conditional trust. Over
time, as people demonstrate that they are willing to abide
by the rules and meet expectations of conduct, then you
can consider them trustworthy.
Trust can also come from using a third-party method. If a
trustworthy third party knows you and me, and that third
party states that you and I are both trustworthy people,
then you and I can assume that we can conditionally trust
each other. Over time, someone’s behavior shows whether
the initial conditional trust was merited or not.
A common example of a third-party trust system is the
use of digital certificates that a public certificate authority
issues. As shown in Figure 1-1, a user communicates with a
Web e-commerce server. The user does not initially know
whether a Web server is what it claims to be or if someone
is “spoofing” its identity. Once the user examines the digital
certificate issued to the Web server from the same
certificate authority that issued the user’s digital certificate,
the user can then trust that the identity of the Web site is
valid. This occurs because both the user and the Web site
have a common, trustworthy third party that they both
know.
Ultimately, network security is based on trust.
Companies assume that their employees are trustworthy
and that all of the computers and network devices are
trustworthy. But not all trust is necessarily the same. You
can (and probably should) operate with different levels or
layers of trust. Those with a higher level of trust can be
assigned greater permissions and privileges. If someone
or something violates your trust, then you remove the
violator’s access to the secure environment. For example,
companies terminate an untrustworthy employee or replace
a defective operating system.
FIGURE 1-1
An example of a third-party trust system.
Who—or What—Is Trustworthy?
Determining who or what is trustworthy is an ongoing
activity of every organization, both global corporations and
a family’s home network. In both cases, you offer trust to
others on a conditional basis. This conditional trust changes
over time based on adherence to or violation of desired and
prescribed behaviors.
If a program causes problems, it loses your trust and you
remove it from the system. If a user violates security, that
person loses your trust and might have access privileges
revoked. If a worker abides by the rules, your trust grows
and privileges increase. If an Internet site does not cause
harm, you deem it trustworthy and allow access to that site.
To review, trust is subjective, tentative, and changes over
time. You can offer trust based on the reputation of a third
party. You withhold trust when others violate the rules. Trust
stems from actions in the past and can grow based on
future behaviors.
In network security, trust is complex. Extending trust to
others without proper background investigation can be
devastating. A network is only as secure as its weakest link.
You need to vet every aspect of a network, including
software, hardware, configuration, communication patterns,
content, and users, to maintain network security. Otherwise,
you will not be able to accomplish the security objectives of
your organization’s network.
What Are Security Objectives?
Security objectives are goals an organization strives to
achieve through its security efforts. Typically, organizations
recognize three primary security objectives:
Confidentiality/privacy
Integrity/nonrepudiation
Availability/uptime
Confidentiality is the protection against unauthorized
access, while providing authorized users access to resources
without obstruction. Confidentiality ensures that data is not
intentionally or unintentionally disclosed to anyone without
a valid need to know. A job description defines the
person’s need to know. If a task does not require access to a
specific resource, then that person does not have a need to
know that resource.
Integrity is the protection against unauthorized
changes, while allowing for authorized changes performed
by authorized users. Integrity ensures that data remain
consistent, both internally and externally. Consistent data do
not change over time and remain in sync with the real
world. Integrity also protects against accidents and hacker
modification by malicious code, or software written with
malicious intent.
Availability is the protection against downtime, loss of
data, and blocked access, while providing consistent uptime,
protecting data, and supporting authorized access to
resources. Availability ensures that users can get their work
done in a timely manner with access to the proper
resources.
Authentication is the proof or verification of a user’s
identity before granting access to a secured area. This can
occur both on a network as well as in the physical, real
world. While the most common form of authentication is a
password, password access is also the least secure method
of authentication. Multifactor authentication is the method
most network administrators prefer for secure logon.
Authorization is controlling what users are allowed and
not allowed to do. Authorization is dictated by the
organization’s security structure, which may focus on
discretionary access control (DAC), mandatory access
control (MAC), or role-based access control (RBAC).
Authorization restricts access based on need to know and
users’ job descriptions. Authorization is also known as
access control.
Nonrepudiation is the security service that prevents a
user from being able to deny having performed an action.
For example, nonrepudiation prevents a sender from
denying having sent a message. Auditing and public-key
cryptography commonly provide nonrepudiation services.
Privacy protects the confidentiality, integrity, and
availability of personally identifiable or sensitive data.
Private data often includes financial records and medical
information. Privacy prevents the unauthorized watching
and monitoring of users and employees.
Maintaining and protecting these security objectives can
be a challenge. As with most difficult tasks, breaking
security down into simpler or smaller components will help
you to understand and ultimately accomplish this objective.
To support security objectives, you need to know clearly
what you are trying to protect.
What Are You Trying to Protect?
In terms of security, the things you want to protect are
known as assets. An asset is anything used to conduct
business. Any object, computer, program, piece of data, or
other logical or physical component employees need to
accomplish a task is an asset.
Assets do not have to be expensive, complicated, or
large. In fact, many assets are relatively inexpensive,
commonplace, and variable in size. But no matter the
characteristics, an asset needs protection. When assets are
unavailable for whatever reason, people can’t get their work
done.
For most organizations, including SOHO (small office,
home office) environments, the assets of most concern
include business and personal data. If this information is
lost, damaged, or stolen, serious complications result.
Businesses can fail. Individuals can lose money. Identities
can be stolen. Even lives can be ruined.
What causes these problems? What violates network
security? The answer includes accidents, ignorance,
oversight, and hackers. Accidents happen, including
hardware failures and natural disasters. Poor training equals
ignorance. Workers with the best of intentions damage
systems if they don’t know proper procedures or lack
necessary skills. Overworked and rushed personnel overlook
issues that can result in asset compromise or loss. Malicious
hackers can launch attacks and exploits against the
network, seeking to gain access or just to cause damage.
Hacking originally meant tinkering or modifying systems
to learn and explore. However, the term has come to refer
to malicious and possibly criminal intrusion into and
manipulation of computers. In either case, a malicious or
criminal hacker is a serious threat. Every network
administrator should be concerned about hacking.
Some important aspects of security stem from
understanding the techniques, methods, and motivations of
hackers. Once you learn to think like a hacker, you may be
able to anticipate future attacks. This enables you to devise
new defenses before a hacker can successfully breach your
organization’s network.
So how do hackers think? Hackers think along the lines of
manipulation or change. They look into the rules to create
new ways of bending, breaking, or changing them. Many
successful security breaches have been little more than
slight variations or violations of network communication
rules.
Hackers look for easy targets or overlooked
vulnerabilities. Hackers seek out targets that provide them
the most gain, often financial rewards. Hackers turn things
over, inside out, and in the wrong direction. Hackers
attempt to perform tasks in different orders, with incorrect
values, outside the boundaries, and with a purpose to cause
a reaction. Hackers learn from and exploit mistakes,
especially mistakes of the network security professionals
who fail to properly protect an organization’s assets.
FIGURE 1-2
The seven domains of a typical IT infrastructure.
Why is thinking like a hacker critically important? A sixth
century Chinese military strategist and philosopher, Sun
Tzu, in his famous military text The Art of War, stated: “If
you know the enemy and know yourself you need not fear
the results of a hundred battles.” Once you understand how
hackers think, the tools they use, their exploits, and the
attack techniques they employ, you can create effective
defenses to protect against them.
You’ve often heard that “the best defense is a good
offense.” While this statement may have merit elsewhere,
most network security administrators do not have the luxury
—or legal right—to attack hackers. Instead, you need to turn
this strategic phrase around: The best offense is a good
defense. While network security administrators cannot
legally or ethically attack hackers, they are fully empowered
to defend networks and assets against hacker onslaughts.
Seven Domains of a Typical IT
Infrastructure
Hackers look for any and every opportunity to exploit a
target. No aspect of an IT infrastructure is without risk, nor
is it immune to the scrutiny of a hacker. When thinking like a
hacker, analyze every one of the seven domains of a
typical IT infrastructure (Figure 1-2) for potential
vulnerabilities and weaknesses. Be thorough. A hacker
needs only one crack in the protections to begin chipping
away at the defenses. You need to find every possible
breach point to secure it and harden the network.
The seven domains of a typical IT infrastructure are:
User Domain—This domain refers to actual users,
whether they are employees, consultants, contractors,
or other third-party users. Any user who accesses and
uses the organization’s IT infrastructure must review
and sign an acceptable use policy (AUP) prior to being
granted access to the organization’s IT resources and
infrastructure.
Workstation Domain—This domain refers to the end
user’s desktop devices such as a desktop computer,
laptop, VoIP telephone, or other endpoint device.
Workstation devices typically require security
countermeasures such as antivirus, anti-spyware, and
vulnerability software patch management to maintain
the integrity of the device.
LAN Domain—This domain refers to the physical and
logical local area network (LAN) technologies (i.e.,
100Mbps/1000Mbps switched Ethernet, 802.11 family
of wireless LAN technologies) used to support
workstation connectivity to the organization’s network
infrastructure.
LAN-to-WAN Domain—This domain refers to the
organization’s internetworking and interconnectivity
point between the LAN and the WAN network
infrastructures. Routers, firewalls, demilitarized
zones (DMZ), and intrusion detection systems
(IDS) and intrusion prevention systems (IPS) are
commonly used as security monitoring devices in this
domain.
Remote Access Domain—This domain refers to the
authorized and authenticated remote access
procedures for users to remotely access the
organization’s IT infrastructure, systems, and data.
Remote access solutions typically involve SSL-128 bit
encrypted remote browser access or encrypted VPN
tunnels for secure remote communications.
WAN Domain—Organizations with remote locations
require a wide area network (WAN) to interconnect
them. Organizations typically outsource WAN
connectivity from service providers for end-to-end
connectivity and bandwidth. This domain typically
includes routers, circuits, switches, firewalls, and
equivalent gear at remote locations, sometimes under
a managed service offering by the service provider.
System/Application Domain—This domain refers to
the hardware, operating system software, database
software, client/server applications, and data that is
typically housed in the organization’s data center
and/or computer rooms.
The first step is recognizing that the potential for
compromise exists throughout an organization. The next
step is to comprehend the goals of network security.
Goals of Network Security
Network security goals vary from organization to
organization. Often, however, they include a few common
mandates:
Ensure the confidentiality of resources
Protect the integrity of data
Maintain availability of the IT infrastructure
Ensure the privacy of personally identifiable data
Enforce access control
Monitor the IT environment for violations of policy
Support business tasks and the overall mission of
the organization
Whatever your organization’s security goals are, to
accomplish them, you need to write down those goals and
develop a thorough plan to execute them. Without a written
plan, security will be haphazard at best and will likely fail to
protect your assets. With a written plan, network security is
on the path to success. Once you define your security goals,
these goals will become your organization’s roadmap for
securing the entire IT infrastructure.
How Can You Measure the Success of
Network Security?
An organization measures the security of its network by how
well its stated security goals are accomplished and its
security standards maintained. In essence, this becomes the
organization’s baseline definition for information systems
security. For example, if private information on the network
does not leak to outsiders, then your efforts to maintain
confidentiality were successful. Or, if employees are able to
complete their work on time and on budget, then your
efforts to provide system integrity protection were
successful.
If violations take place that compromise your assets or
prevent the accomplishment of a security goal, however,
then network security was less than successful. But let’s
face it, security is never perfect. In fact, even with well-
designed and executed security, accidents, mistakes, and
even intentional harmful exploits will dog your best efforts.
The perfect security components do not exist. All of them
have weaknesses, limitations, backdoors, work-arounds,
programming bugs, or some other exploitable element.
Fortunately, though, successful security doesn’t rely on
the installation of just a single defensive component.
Instead, good network security relies on an interweaving of
multiple effective security components. You don’t have just
one lock on your house. By combining multiple protections,
defenses, and detection systems, you can rebuff many
common, easy hacker exploits.
Network security success is not about preventing all
possible attacks or compromises. Instead, you work to
continually improve the state of security so that in the
future, the network is better protected than it was in the
past. As hackers create new exploits, security professionals
learn about them, adapt their methods and systems, and
establish new defenses. Successful network security is all
about constant vigilance, not creating an end product.
Security is an ongoing effort that constantly changes to
meet the challenge of new threats.
Why Are Written Network Security
Policies Important?
A clearly written security policy establishes tangible goals.
Without solid and defined goals, your security efforts would
be chaotic and hard to manage. Written plans and
procedures focus security efforts and resources on the most
important tasks to support your organization’s overall
security objectives.
A written security policy is a road map. With this map,
you can determine whether your efforts are on track or
going in the wrong direction. The plan provides a common
reference against which security tasks are compared. It
serves as a measuring tool to judge whether security efforts
are helping rather than hurting the accomplishment of your
organization’s security objectives.
With a written security policy, all security professionals
strive to accomplish the same end: a successful, secure
work environment. By following the written plan, you can
track progress so that you install and configure all the
necessary components. A written plan validates what you
do, defines what you still need to do, and guides you on how
to repair the infrastructure when necessary.
Without a written security policy, you cannot trust that
your network is secure. Without a written security policy,
workers won’t have a reliable guide on what to do, and
judging security success will be impossible. Without a
written policy, you have no security.
Planning for the Worst
Things invariably go wrong. Users make mistakes. Malicious
code finds its way into your network. Hackers discover
vulnerabilities and exploit them. In anticipating problems
that threaten security, you must plan for the worst.
This type of planning has many names, including
contingency planning, worst-case scenario planning,
business continuity planning, disaster recovery planning,
and continuation of operations planning. The name is not
important. What’s crucial is that you do the planning itself.
When problems occur, shift into response gear: respond,
contain, and repair. Respond to all failures or security
breaches to minimize damage, cost, and downtime. Contain
threats to prevent them from spreading or affecting other
areas of the infrastructure. Repair damage promptly to
return systems to normal status quickly and efficiently.
Remember, the goals of security are confidentiality,
integrity, and availability. Keep these foremost in mind as
you plan for the worst.
The key purpose of planning for problems is to be
properly prepared to protect your infrastructure. With a little
luck, a major catastrophe won’t occur. But better to prepare
and not need the response plan than to allow problems to
cause your business to fail.
Who Is Responsible for Network
Security?
Network security is the responsibility of everyone who uses
the network. Within an organization, no one has the luxury
of ignoring security rules. This applies to global corporations
as well as home networks. Every person is responsible for
understanding his or her role in supporting and maintaining
network security. The weakest link rule applies here: If only
one person fails to fulfill this responsibility, security for all
will suffer.
Senior management has the ultimate and final
responsibility for security. This is for good reason—senior
management is the most concerned about the protection of
the organization’s assets. Without the approval and support
of senior management, no security effort can succeed.
Senior management must ensure the creation of a written
security policy that all personnel understand and follow.
Senior management also assigns the responsibility for
designing, writing, and executing the security plan to the IT
staff. Ideally, the result of these efforts is a secure network
infrastructure. The security staff, in turn, must thoroughly
manage all assets, system vulnerabilities, imminent threats,
and pertinent defenses. Their task is to design, execute, and
maintain security throughout the organization.
In their role as overseers of groups of personnel,
managers and supervisors must ensure that employees
have all the tools and resources to accomplish their work.
Managers must also ensure that workers are properly
trained in skills, procedures, policies, boundaries, and
restrictions. Employees can mount a legitimate legal case
against an organization that requires them to perform work
for which they are not properly trained.
Network administrators manage all the organization’s
computer resources. Resources include file servers, network
access, databases, printer pools, and applications. The
network administrator’s job is to ensure that resources are
functional and available for users while enforcing
confidentiality and network integrity.
An organization’s workers are the network users and
operators. They ultimately do the work the business needs
to accomplish. Users create products, provide services,
perform tasks, input data, respond to queries, and much
more. Job descriptions may apply to a single user or a group
of users. Each job description defines a user’s tasks. Users
must perform these tasks within the limitations of network
security.
Auditors watch for problems and violations. Auditors
investigate the network, looking for anything not in
compliance with the written security policy. Auditors watch
the activity of systems and users to look for violations,
trends toward bottlenecks, and attempts to perform
violations. The information uncovered by auditors can help
improve the security policy, adjust security configurations,
or guide investigators toward apprehending security
violators.
All of these roles exist within every organization.
Sometimes different individuals perform these roles. In
other situations, a single person performs all of these roles.
In either case, these roles are essential to the creation,
maintenance, and improvement of security.
Examples of Network Infrastructures
and Related Security Concerns
As you design a network, you need to evaluate every aspect
in light of its security consequences. With limited budgets,
personnel, and time, you must also minimize risk and
maximize protection. Consider how each of the following
network security aspects affects security for large
corporations, small companies, and even home-based
businesses.
Workgroups
A workgroup is a form of networking in which each
computer is a peer or equal. Peers are equal in how much
power or controlling authority any one system has over the
other members of the same workgroup. All workgroup
members are able to manage their own local resources and
assets, but not those of any other workgroup member.
Workgroups are an excellent network design for very
small environments, such as home family networks or very
small companies. In most cases, a workgroup comprises
fewer than 10 computers and rarely contains more than 20
computers. No single rule dictates the size of a workgroup.
Instead, the administrative overhead of larger workgroups
encourages network managers to move to a client/server
configuration.
Figure 1-3 shows a typical workgroup configuration. In
this example, a switch interconnects the four desktop
workgroup members as well as an Internet connection
device and a wireless access point. Additional clients can
connect wirelessly via the access point or wired via a cable
connecting to the switch.
Workgroups do not have a central authority that controls
or restricts network activity or resource access. Instead,
each individual workgroup member makes the rules and
restrictions over resources and assets. The security defined
for one member does not apply to nor affect any other
computer in the workgroup.
FIGURE 1-3
An example of a typical workgroup.
Due to system-by-system–based security, a worker or a
workgroup member needs to have a user account defined
on each of the other workgroup members to access
resources on those systems. Each of these accounts is
technically a unique user account, even if it is created by
using the same characters for the username and password.
This results in either several unique user accounts with
different names and different passwords or several unique
user accounts with the same name and same password. In
either case, security is poor. In the former case, the user
must remember several sets of credentials. This often
results in the user writing down the credentials. In the later
case, an intruder need compromise only one set of
credentials.
This lack of central authority is both a strength and
weakness of workgroups. This characteristic is a strength in
that each user of each computer can make his or her own
choices about sharing resources with others. However, this
is at the same time a weakness because of the inconsistent
levels of access.
Workgroups are easy to create. Often, the default
network configuration of operating systems is to be a
member of a workgroup. A new workgroup is created by just
defining a unique name on a computer. Once one computer
names the workgroup, it now exists. Other computers
become members of the new workgroup just by using the
same name. Since workgroups lack a central authority,
anyone can join or leave a workgroup at any time. This
includes unauthorized systems owned by rogue employees
or external parties.
Most workgroups use only basic resource-share
protections, fail to use encrypted protocols, and are lax on
monitoring intrusions. While imposing some security on
workgroups is possible, usually each workgroup member is
configured individually. Fortunately, since workgroups are
small, this does not represent a significant amount of effort.
SOHO Networks
SOHO stands for small office, home office. SOHO is a
popular term that describes smaller networks commonly
found in small businesses, often deployed in someone’s
home, garage, portable building, or leased office space. A
SOHO environment can be a workgroup or a client/server
network. Usually a SOHO network implies purposeful design
with business and security in mind.
SOHO networks generally are more secure than a typical
workgroup, usually because a manager or owner enforces
network security. Security settings defined on each work-
group member are more likely to be consistent when the
workgroup has a security administrator. Additionally, SOHO
networks are more likely to employ security tools such as
antivirus software, firewalls, and auditing.
Client/Server Networks
A client/server network is a form of network where you
designate some computers as servers and others as
clients. Servers host resources shared with the network.
Clients access resources and perform tasks. Users work
from a client computer to interact with resources hosted by
servers. In a client/server network, access is managed
centrally from the servers. Thus, consistent security is easily
imposed across all network members.
Figure 1-4 shows a possible basic layout of a client/server
network. In this example, three servers host the resources,
such as printers, Internet connectivity, and file storage
shared with the network. Both wired and wireless clients are
possible. Switches interconnect all nodes. Client/server
networks are more likely to use hardware or appliance
firewalls.
Client/server networks also employ single sign-on
(SSO). SSO allows for a single but stronger set of
credentials per user. With SSO, each user must perform
authentication to gain access to the client and the network.
Once the user has logged on, access control manages
resource use. In other words, client/server authentication
with SSO is often more complex than workgroup
authentication—but it’s more secure. Users only need to log
on once, not every time they contact a resource host server.
Because of their complexity, client/server networks are
invariably more secure than SOHO and workgroup networks.
But complexity alone is not security. Instead, because they
are more complex, client/server networks require more
thorough design and planning. Security is an important
aspect of infrastructure planning and thus becomes
integrated into the network’s design.
FIGURE 1-4
An example of a typical client/server network.
Client/server networks are not necessarily secure
because you can deploy a client/server network without any
thought toward security. But most organizations understand
that if they overlook network security, they are ensuring
their ultimate technological downfall. Security is rarely
excluded from the deployment process. And some networks
are by nature more secure than others.
LAN Versus WAN
LAN stands for local area network. A LAN is a network within
a limited geographic area. This means that a LAN network is
located in a single physical location rather than spread
across multiple locations. Some LANs are quite large, while
others are very small. A more distinguishing characteristic
of a LAN is that all of the segments or links of a LAN are
owned and controlled by one organization. A LAN does not
contain or use any leased or externally owned connections.
WAN stands for wide area network. A WAN is a network
not limited by any geographic boundaries. This means that
a WAN network can span a few city blocks, reach across the
globe, and even extend into outer space. A distinguishing
characteristic of a WAN is that it uses leased or external
connections and links. Most organizations rely on
telecommunication service providers (often referred to as
telcos) for WAN circuits and links to physical buildings and
facilities, including the last-mile connection to the physical
demarcation point. Both LAN and WAN networks can be
secure or insecure. They are secure if a written security
policy guides their use. With a LAN, the owner of the
network has the sole responsibility of ensuring that security
is enforced. With a WAN, the leasing entity must select a
telco that has a secure WAN infrastructure and incorporate
service level agreements (SLAs) that define the level of
service and performance that is to be provided on a monthly
basis for the customer. In most cases, WAN data is secure
only if the data sent across leased lines is encrypted before
transmission. This service is the responsibility of the data
owner, not the telecommunications service provider, unless
this option is offered as a value-added service.
Thin Clients and Terminal Services
Thin client computing, also known as terminal services,
is an old computing idea that has made a comeback in the
modern era. In the early days of computers, the main
computing core, commonly called a mainframe, was
controlled through an interface called a terminal. The
terminal was nothing more than a video screen (usually
mono-chrome) and a keyboard. The terminal had no local
processing or storage capabilities. All activities took place
on the mainframe and the results appeared on the screen of
the terminal.
With the advent of personal computers (PCs), a computer
at a worker’s desk offered local processing and storage
capabilities. These PCs became the clients of client/server
computers. Modern networking environments can offer a
wide range of options for end users. Fully capable PCs used
as workstations or client systems are the most common. PCs
can run thin-client software, which emulates the terminal
system of the past. That means they perform all tasks on
the server or mainframe system and use the PC only as a
display screen with a keyboard and mouse. Even modern
thin client terminals can connect into a server or mainframe
without using a full PC.
Remote Control, Remote Access, and VPN
Remote control is the ability to use a local computer
system to remotely take over control of another computer
over a network connection. In a way, this is the application
of the thin client concept on a modern fully capable
workstation to simulate working against a mainframe or to
virtualize your physical presence.
With remote control connection, the local monitor,
keyboard, and mouse control a remote system. This looks
and feels as if you are physically present at the keyboard of
the remote system, which could be located in another city
or even on the other side of the world. Every action you
perform locally takes place at that remote computer via the
remote control connection. The only limitations are the
speed of the intermediary network link and the inability to
physically insert or remove media such as a flash drive and
use peripherals such as a printer.
You might consider remote control as a form of software-
based thin client or terminal client. In fact, many thin client
and terminal client products are sold as remote control
solutions.
Many modern operating systems include remote control
features, such as the Remote Desktop feature found in most
versions of Windows. Once enabled, a Remote Desktop
connection remotely controls another Windows system from
across the network.
Remote access is different from remote control. A
remote access link enables access to network resources
using a WAN link to connect to the geographically distant
network. In effect, remote access creates a local network
link for a system not physically local to the network. Over a
remote access connection, a client system can technically
perform all the same tasks as a locally connected client,
with the only difference being the speed of the connection.
Network administrators can impose restrictions on what
resources and services a remote access client can use.
Remote access originally took place over dial-up
telephone links using modems. Today, remote access
encompasses a variety of connection types, including ISDN,
DSL, cable modem, satellite, mobile broadband, and more.
In most cases, a remote access connection links from a
remote client back to a primary network. A remote access
server (RAS) accepts the inbound connection from the
remote client. Once the connection goes through, the
remote client now interacts with the network as if it were
locally connected.
Another variant of remote connections is the virtual
private network (VPN). A VPN is a form of network
connection created over other network connections. In most
cases, a VPN link connects a remote system and a LAN, but
only after a normal network connection links to an
intermediary network.
In Figure 1-5, a LAN has a normal network connection to
the Internet and a remote client has established a normal
network connection to the Internet as well. These two
connections work independently of each other. The LAN’s
connection is usually a permanent or dedicated connection
supporting both inbound and outbound activities with the
Internet. The remote client’s connection to the Internet can
be dedicated or non-dedicated. In the latter case, the
connection precedes the VPN creation. Once both endpoints
of the future VPN link have a connection to the intermediary
network (in this example, the Internet), then the VPN exists.
FIGURE 1-5
Common resource access connections.
FIGURE 1-6
A VPN established betweeen a remote client and a LAN over
the Internet.
In Figure 1-6, a new network connection connects the
remote client to the LAN across the intermediary network.
This new network connection is the VPN.
A VPN is a mechanism to establish a remote access
connection across an intermediary network, often the
Internet. VPNs allow for cheap long-distance connections
over the Internet, as both endpoints only need a local
Internet link. The Internet itself serves as a “free” long-
distance carrier.
A VPN uses tunneling or encapsulation protocols.
Tunneling protocols encase the original network protocol so
that it can traverse the intermediary network. In many
cases, the tunneling protocol employs encryption so that
the original data securely traverses the intermediary
network.
Boundary Networks
A boundary network is a subnetwork, or subnet, positioned
on the edge of a LAN. A boundary network isolates certain
activities, such as programming or research and
development, from the internal environment (private LANs),
which does not need to be externally accessible. External
users can also access resources hosted in a boundary
network. Such a subnet is known as a demilitarized zone
(DMZ).
A DMZ is a boundary network that hosts resource servers
for the public Internet. An extranet is a boundary network
that hosts resource servers for a limited and controlled
group of external users, such as business partners,
suppliers, distributors, contractors, and so forth.
A DMZ subnet is a common network design component
used to host public information services, such as Web sites.
A DMZ allows for anyone on the public Internet to access
resources. But at the same time, the DMZ provides some
filtering of obvious malicious traffic and prevents Internet
users from accessing the private LAN.
An extranet subnet provides companies that need to
exchange data with external partners a safe place for that
activity. An extranet is secured so only the intended external
users can access it. Often, accessing an extranet requires
VPN connections. An extranet configuration keeps public
users from the Internet out and keeps the external partners
out of the private LAN.
You can deploy both DMZ and extranet subnets in
different ways. Two of the most common designs are a
screened subnet using a three-homed firewall (Figure 1-7)
and N-tier deployment (Figure 1-8). A screened subnet using
a three-homed firewall creates a network segment for the
private LAN and a network segment for the DMZ or
extranet. The three-homed firewall serves as a filtering
device as well as a router to control traffic entering these
two segments.
FIGURE 1-7
A DMZ or extranet deployed as a screened subnet with a
three-homed firewall.
FIGURE 1-8
A DMZ or extranet deployed in an N-tier configuration.
The N-tier deployment creates a series of subnets
separated by firewalls. The DMZ or extranet subnet serves
as a buffer network between the Internet and the private
LAN.
Strengths and Weaknesses of Network
Design
You need to evaluate every network design or layout for its
security strengths and weaknesses. While there are no
perfect deployments, some provide better security for a
given set of parameters than others. For example, a
network with only a single connection to the Internet is
easier to secure than a network with multiple connections to
the Internet.
When you are designing a network, consider the paths
that malicious traffic could use to reach the interior of your
private LAN. The more potential pathways, the more
challenging securing the network will be. However, consider
redundancy as well. If your primary connection to the
Internet fails, do you have an alternate connection?
Remember, security is not just about preventing malicious
events but also about ensuring that users can perform
essential business tasks.
Try to avoid network designs that have a single point of
failure. Always try to have redundant options to ensure that
your mission-critical functions can take place. Keep in mind
that bottlenecks are still likely to happen even with
redundant pathways. Over time, monitor traffic and use
levels on every segment across the network to look for
trends toward reduced throughput or productivity. A
bottleneck may at first be a slight hindrance to high
performance and productivity, but it can later become a
form of a denial of service (DoS) attack.
Another consideration is traffic control and filtering.
Blocking or allowing traffic is an important element in
network security. You control what traffic enters or leaves
the network. Traffic filtering often takes place at network
chokepoints. A chokepoint is a form of bottleneck and is a
single controlled pathway between two different levels of
network trust where a firewall or other filtering devices
block or allow traffic based on a set of rules. Thus, rather
than being only a benefit for filtering, a chokepoint can slow
throughput or become a target for DoS attacks.
Another network design issue is the location of
authorized users. Often, you assume that valid users are
internal users. With the proliferation of telecommuting and
outsourcing, however, valid users can often be external
users as well. Realizing this, you must design networks to
support inbound connections from valid external users. This
can involve traditional remote access connections, but more
likely will use VPN links. VPNs provide connections for
remote users that function like local connections and
encryptions to keep the content of those connections
confidential.
Enhancing the Security of Wired
Versus Wireless LAN Infrastructures
Wired networks offer a form of security that wireless
networks lack. That security is the direct physical
connection to a wired or cabled network. A hacker requires
physical access to your facility or building. Usually, access
control of the building can sufficiently prevent most external
parties from accessing your private LAN.
Realize, however, that if you allow remote connection via
telephone modem, high-speed broadband, or even basic
Internet service, then you lose the advantage of a physical
access limitation. Once remote access is allowed, the
benefits of physical isolation disappear.
The same is true if you allow wireless connections into
the network. Wireless networking grants valid and unknown
users the ability to interact with the network. This
completely eliminates the need to be physically present in
the building to connect to the network. Many organizations
are allowing, even encouraging, employees, contractors,
and visitors to Bring Your Own Device (BYOD), a move that is
cost effective and often improves efficiency, but at the risk
of control of the end users’ devices. With the right type of
antenna, an attacker could be over a mile away from your
office building and still be able to affect your wireless
network.
To regain some of the security offered by physical
isolation, try to incorporate physical isolation into your
network design. Isolate all remote access and wireless
access points from the main wired network. You can achieve
this by using separate subnets and by filtering
communications using firewalls. While design does not offer
the same level of security as physical isolation, the
arrangement provides a significant improvement over
having no control over remote or wireless connections.
All remote connections should go through a rigorous
gauntlet of verification before you grant access to the
internal LAN. Think of a castle design in the Middle Ages
that used multiple layers of defense: a moat, a drawbridge,
thick riveted walls, an inner battlement, and finally, a strong
keep or inner fortress. Your multilayer defensive design
should include multi-factor authentication and
communication encryption, such as a VPN. Additional checks
can include verification of operating system and patch level,
confirmation of physical or logical location origin (such as
caller ID, MAC address, or IP address), limitations to time of
day, and limitations on protocols above the Transport Layer.
Any intruder would need to circumvent layer after layer,
making intrusion more and more difficult.
NOTE
An attack known as “Van Eck phreaking” allows an
attacker to eavesdrop on electronic devices from a
distance. This technique is not perfect or simple to
perform, but has been demonstrated on LCD and CRT
monitors as well as keyboard cables. With minor
shielding, you can eliminate most of the risk from such
an attack.
Internal and External Network
Issues
When deploying a new network or modifying an existing
infrastructure, carefully evaluate effects on security and
security’s impact on the infrastructure. When you or your
team overlook or sidestep standard security practices, good
business stops. Business interruptions can result not only in
lost profits, but also in lost opportunities and even in lost
jobs. If the compromise is serious enough, the business
might not recover.
The threats facing business are numerous and constantly
changing. Often, these issues arise daily. Malicious code,
information leakage, zero day exploits, unauthorized
software, unethical employees, and complex network
infrastructures are just a few of the concerns that every
organization and network manager faces.
Malicious code can make its way into a computer through
any communication channel. This includes file transfers, e-
mail, portable device syncing, removable media, and Web
sites. Precautions against malicious code include network
traffic filtering with a firewall, anti-malware scanning, and
user behavior modification.
Information leakage stems from malicious employees
who purposefully release internal documentation to the
public. It can also result from accidents, or can occur when a
storage device is lost, recycled, donated, stolen, or thrown
away. Or it occurs when users accidentally publish
documents to P2P file sharing services or Web sites.
Precautions against information leakage include doing
thorough background checks on employees, using the
principle of least privilege, detail auditing and monitoring of
all user activity, classifying all information and controlling
communication pathways, using more stringent controls on
use of portable devices, and practicing zeroization—
purging a storage device to be discarded by filling its space
with zeros.
Zero day exploits are new and previously unknown
attacks for which no current specific defenses exist. Think of
them as surprise attacks on your defenses. Zero day refers
to the newness of an exploit, which may be known in the
hacker community for some time, but about which vendors
and security professionals are just learning.
The zero day label comes from the idea that work to
develop a patch begins the moment a vendor learns of a
problem. The moment of discovery of the new exploit is
called “day zero.” No specific defenses against zero day
attacks exist, but general security management, use of
intrusion detection and intrusion prevention, along with
detailed logging and monitoring can assist in discovering
and preventing new attacks quickly. Once you know of an
attack or exploit, you can begin taking steps to contain
damage or minimize the extent of the compromise.
Unauthorized software is any piece of code that a user
chooses to run on a client system that was not approved nor
provided by the company. Not all unauthorized software is
directly problematic, but you should prevent its use for
many reasons. Such software might be a waste of time and
productivity that costs the company money, time, and
effort. The software could be a license violation. Software
could include hidden malicious components, known or
unknown to the user, which could compromise the security
of the network. Steps you can take to prevent the use of
unauthorized software should include limiting installation
privileges of normal users and using whitelists to block the
execution of any program not on the approved list.
Unethical employees purposefully violate the stated rules
and goals of the organization. These employees often
believe the rules are not important, do not really apply to
them, or are not really enforced. Most believe they will
never get caught. When users violate the mission and goals
of the organization, consequences could be catastrophic.
Users are the final link in security and are often the
weakest link in network security. If a user chooses to violate
a security policy and release information to the public or
execute malicious code, the results could devastate the
organization or land the perpetrator in court. Methods of
preventing unethical employees from doing damage include
better background screening, detail auditing and monitoring
of all user activity, and regular management oversight and
job performance reviews. When you discover a problematic
person, you might be able to grant the employee a second
chance after retraining, but in many cases, the safest choice
for the organization is to terminate employment.
Complex network infrastructures lend themselves to
complex vulnerabilities. The larger a network becomes, the
more servers, clients, network devices, and segments it
includes. The sheer number of moving parts almost
guarantees that something is bound to be misconfigured, be
improperly installed, lack current firmware or patches, have
a bottleneck, or be used incorrectly. Any of these conditions
could result in a vulnerability that internal or external
attackers can exploit. The larger and more complex a
network, the more thoroughly the security team needs to
watch over the infrastructure and investigate every
symptom, trend, or alert. Preventing complexity from
becoming a liability involves detailed planning, careful
implementation, regular security management, and
constant review of the effectiveness of the infrastructure.
Studies have shown that most threats come from internal
sources, but too many organizations focus on external
sources and discount the internal threats. A better stance is
to count all threats—regardless of their source—as worthy of
investigation. Once a potential threat is understood, its risk,
potential loss, and likelihood can be better understood and
evaluated.
One of the most obvious external threats is the Internet.
The Internet is a global network linking people and
resources with high-speed real-time communications.
Unfortunately, this wonderful infrastructure also makes
great abuse more possible. Once your company installs an
Internet connection, the world is at your door—or rather, at
the fingertips of every employee. That world includes both
potential customers and potential attackers.
Without a global communication infrastructure, hackers
had to be physically present—wired in—in or near your
building to launch attacks. With the advent of the Internet
and wireless technology, any hacker anywhere can initiate
attempts to breach your network security. It’s helpful,
therefore, to think of the Internet as a threat. It’s not one
that you should lightly dismiss, nor should you discard the
Internet as a powerful tool. The benefits of Internet access
are well worth the effort and expense you should expend to
defend against its negative features.
Some of the best defenses against Internet threats
include a well-researched, written security policy;
thoroughly trained personnel; use of firewalls to filter traffic
intrusion, detection, and prevention systems; use of
encrypted communications (such as VPNs); and thorough
auditing and monitoring of all user and node activity.
Again, perfect security solutions don’t exist. Some form
of attack, compromise, or exploit can get past any single
defense. The point of network security is to interweave and
interconnect multiple security components to construct a
multifaceted scheme of protection. This is often called
multiple layers of defense or defense in depth.
The goal is to balance the strengths and weaknesses of
multiple security components. The ultimate functions of
network security are to lock things down in the best way
possible, then monitor for all attempts to violate the
established defense. Since the perfect lock doesn’t exist,
improve on the best locks available with auditing and
monitoring. Knowing this, your next step is to understand
the common network security components and their uses.
Common Network Security
Components Used to Mitigate Threats
When considering the deployment of a network or the
modification of an existing network, evaluate each network
component to determine its security strengths and
weaknesses. This section discusses many common network
security components.
Hosts and Nodes
A node is any device on the network. This includes client
computers, servers, switches, routers, firewalls, and
anything with a network interface that has a MAC address. A
Media Access Control (MAC) address is the 48-bit
physical hardware address of a network interface card (NIC)
assigned by the manufacturer. A node is a component that
can be communicated with, rather than only through or
across. For example, network cables and patch panels are
not nodes, but a printer is.
A host is a form of node that has a logical address
assigned to it, usually an Internet Protocol (IP) address. This
addressing typically implies that the node operates at or
above the Network Layer. The Network Layer includes
clients, servers, firewalls, proxies, and even routers. But it
excludes switches, bridges, and other physical devices such
as repeaters and hubs. In most cases, a host either shares
or accesses resources and services from other hosts.
In terms of network security, node and host security does
vary. Nodes and hosts can both be harmed by physical
attacks and DoS attacks. However, a host can also be
harmed by malicious code, authentication attacks, and
might even be remotely controlled by hackers. Node
protection is mostly physical access control along with basic
network filtering against flooding.
Host security can be much more involved because the
host itself should be hardened and you will need to perform
general network security. Hardening is the process of
securing or locking down a host against threats and attacks.
This can include removing unnecessary software, installing
updates, and imposing secure configuration settings.
IPv4 Versus IPv6
Internet Protocol version 4 (IPv4) has been in use as the
predominant protocol on the Internet for nearly three
decades. It was originally defined in 1981 in a technical
specification known as RFC 791. IPv4 is a connectionless
protocol that operates at the Network Layer of the Open
Systems Interconnection (OSI) Reference Model. IPv4
is the foundation of the TCP/IP protocol suite as it exists
today.
IPv4 was designed with several assumptions in mind,
many of which have been proven inaccurate, grossly
overestimated, or simply non-applicable. While IPv4 has
served well as the predominant protocol on the Internet, a
replacement has been long overdue. Some of the key issues
of concern are a dwindling, if not exhausted, address space
of only 32 bits, subnetting complexity, and lack of
integrated security. Some of these issues have been
minimized with the advent of network address
translation (NAT), classless inter-domain routing (CIDR),
and Internet Protocol Security (IPSec). But in spite of
these advancements, IPv4 is being replaced with IPv6.
IPv6 was defined in 1998 in RFC 2460. The new version
was designed specifically as the successor to IPv4 mainly
due to the dwindling availability of public addresses. IPv6
uses a 128-bit address, which is significantly larger than
IPv4. Additionally, changes to subnetting, address
assignment, and packet headers, as well as simpler routing
processing, make IPv6 much preferred over its predecessor.
Another significant improvement is native Network Layer
security. Figure 1-9 compares an IPv4 address to an IPv6
address.
NOTE
If an IPv6 address has one or more consecutive four-
digit sections of all zeros, the sections of zeros can be
dropped and replaced by just a double colon. For
example: 2001:0f58:0000:0000:0000:0000:1986:62af
can be shortened to 2001:0f58::1986:62af. However, if
there are two sections of zero sets, only a single
section can be replaced by double colons.
Be Alert to These Attacks
A man-in-the-middle (MitM) attack occurs when a
hacker is positioned between a client and a server
and the client is fooled into connecting with the
hacker computer instead of the real server. The
hacker performs a spoofing attack in order to trick the
client. The result is the connection between the client
and server is proxied by the hacker. This allows the
hacker to eavesdrop and manipulate the
communications.
A hijacking attack occurs when a hacker uses a
network sniffer to watch a communications session to
learn its parameters. The hacker then disconnects one
of the session’s hosts, impersonates the offline
system, and begins injecting crafted packets into the
communication stream. If successful, the hacker takes
over the session of the offline host, while the other
host is unaware of the switch.
A replay attack occurs when a hacker uses a
network sniffer to capture network traffic, and then
retransmits that traffic back on to the network at a
later time. Replay attacks often focus on
authentication traffic in the hope that retransmitting
the same packets that allowed the real user to log
onto a system will grant the hacker the same access.
The security features native to IPv6 were crafted into an
add-on packet for IPv4 known as IPSec. While in IPv4, IPSec
is an optional add-on; it is a built-in feature of and used by
default with IPv6. This use is a significant change in the
inherent security issues surrounding networking and the use
of the Internet. With native Network Layer encryption, most
forms of eavesdropping, man-in-the-middle attacks,
hijacking, and replay attacks are no longer possible. This
does not mean that IPv6 will be free of security problems
but at least most of the common security flaws experienced
with IPv4 will be fixed.
FIGURE 1-9
Comparing a typical IPv4 address to an IPv6 address.
As you use and manage computers and manage
networks, use IPSec with IPv4 or switch over to IPv6. Most
protocols that operate over IPv4 will operate without issue
over IPv6. You will need to replace some applications that
embed Network Layer addresses into their application-level
protocol, such as FTP and NTP. But valid IPv6 replacements
already exist.
The complete industry transition from IPv4 to IPv6 will
likely take upwards of a decade, mainly because of the need
to upgrade, replace, or reconfigure the millions of hosts and
nodes spread across the world to support IPv6. During the
transition, many techniques are available to allow a host to
interact with both IPv4 and IPv6 network connections. These
include: Dual IP stacks—This is a computer system that
runs both IPv4 and IPv6 at the same time. Windows Vista
and Windows Server 7 both have dual IP stacks by default.
IPv4 addresses embedded into an IPv6 notation
—This is a method of representing an IPv4 address
using the common notation of IPv6. For example,
::ffff:192.168.3.125 is the IPv4-mapped IPv6 address
for the IPv4 address 192.168.3.125.
Note: The IPv6 address is 80 zero bits, followed by 16
one bits, then the 32-bit IPv4 address (in dotted
decimal notation), which adds up to 128 bits total.
Tunneling—This involves encapsulating IPv6 packets
inside IPv4 packets, effectively creating a VPN-like
tunnel out of IPv4 for IPv6.
IPv4/IPv6 NAT—This involves using a network
address translation service to translate between two
networks, one running IPv4 and the other IPv6.
Whatever the hurdles of transition, the benefits of native
Network Layer encryption are immeasurable. In short: When
you have the option to use IPv6, take it because you will be
helping the world IT community upgrade sooner rather than
later.
Firewall
Not all traffic on your network is from an authorized source,
so you shouldn’t allow it to enter or leave the network. Not
all traffic is for an authorized purpose, so you should block it
from reaching its destination. Not all traffic is within the
boundaries of normal or acceptable network activity, so you
should drop it before it causes compromises.
All of these protections are the job of a firewall. As its
name implies, a firewall is a tool designed to stop damage,
just as the firewall in an engine compartment protects the
passengers in a vehicle from harm in an accident. A firewall
is either a hardware device or a software product you deploy
to enforce the access control policy on network
communications. In other words, a firewall filters network
traffic for harmful exploits, incursions, data, messages, or
other events.
Firewalls are often positioned on the edge of a network or
subnet. Firewalls protect networks against numerous threats
from the Internet. Firewalls also protect the Internet from
rogue users or applications on private networks. Firewalls
protect the throughput or bandwidth of a private network so
authorized users can get work done. Without firewalls, most
of your network’s capabilities would be consumed by
worthless or malicious traffic from the Internet. Think of how
a dam on a river works; without the dam, the river is prone
to flooding and overflow. The dam prevents the flooding and
damage.
Without firewalls, the security and stability of a network
would depend mostly on the security of the nodes and hosts
within the network. Based on the sordid security history of
most host operating systems, having no firewall would not
be a secure solution. Hardened hosts and nodes are
important for network security, but they should not be the
only component of reliable network security.
You also install firewalls on client and server computers.
These host software firewalls protect a single host from
threats from the Internet and threats from the network
itself, as well as from other internal network components.
In any case, a firewall is usually configured to control
traffic based on a deny-by-default/allow-by-exception
stance. This means that nothing passes the firewall just
because it exists on the network (or is attempting to reach
the network). Instead, all traffic that reaches the firewall
must meet a set of requirements to continue on its path.
As a network administrator or IT security officer, you get
to choose what traffic is allowed to pass through the
firewalls, and what traffic is not. Additionally, you can also
determine whether the filtering takes place on inbound
traffic (known as ingress filtering), on outbound traffic
(called egress filtering)—or both.
Firewalls are an essential component of both host and
network security.
Virtual Private Networks
A virtual private network (VPN) is a mechanism to establish
a remote access connection across an intermediary
network, often over the Internet. VPNs allow for cheap long-
distance connections when established over the Internet,
since both endpoints only need a local Internet link. The
Internet itself serves as a “free” long-distance carrier.
A VPN uses tunneling or encapsulation protocols.
Tunneling protocols encase the original network protocol so
that it can traverse the intermediary network. In many
cases, the tunneling protocol employs encryption so that the
original data traverses the intermediary network securely.
You can use VPNs for remote access, remote control, or
highly secured communications within a private network.
Proxy Servers
A proxy server is a variation of a firewall. A proxy server
filters traffic, but also acts upon that traffic in a few specific
ways. First, a proxy server acts as a middleman between the
internal client and the external server. Or, in the case of
reverse proxy, this relationship can be inverted with an
internal server and an external host. Second, a proxy server
will hide the identity of the original requester from the
server through a process known as network address
translation (NAT) (see the following section).
Another feature of a proxy server can be content
filtering. This type of filtering focuses either on the address
of the server (typically by domain name or IP address) or on
keywords appearing in the transmitted context. You can
employ this form of filtering to block employee access to
Internet resources that are not relevant or beneficial to
business tasks or that might have a direct impact on the
business network. This could include malicious code, hacker
tools, and excessive bandwidth consumption (such as video
streaming or P2P file exchange).
Proxy servers can also provide caching services. Caching
is a data storage mechanism that keeps a local copy of
content that is fairly static in nature and that numerous
internal clients have a pattern of requesting. Front pages of
popular Web sites are commonly cached by a proxy server.
When a user requests a page from the Internet in cache, the
proxy server provides that page to the user from cache
rather than pulling it again from the Internet site. This
provides the user with faster performance and reduces the
load on the Internet link.
Caching of this type often results in all users
experiencing faster Internet performance, even when the
pages served to them are pulled from the Internet.
Obviously, such caching must be tuned to prevent stale
pages in the cache. Tuning is setting the time-out value on
cached pages so they expire at a reasonable rate. All
expired cached pages are replaced by fresh content from
the original source server on the Internet.
Network Address Translation
Network address translation (NAT) translates internal
addresses into external public addresses, and vice versa.
The network performs this conversion on packets as they
enter or leave the network to mask and modify the internal
client’s configuration. The primary purpose of NAT is to
prevent internal IP and network configuration details from
being discovered by external entities, such as hackers.
Figure 1-10 shows an example of a pathway from an
internal client to an external server across a proxy or
firewall using NAT. In this example, the external server is a
Web server operating on the default HTTP port 80. The Web
server is using IP address 208.40.235.38 (used by
www.itttech.edu). The requesting internal client is using IP
address 192.168.12.153. The client randomly selects a
source port between 1,024 and 65,535 (such as 13,571).
With these source details, the client generates the initial
request packet. This is step 1. This packet is sent over the
network toward the external server, where it encounters the
NAT service.
FIGURE 1-10
An example of how NAT functions.
STEP 1 Initial request:
S: 192.168.12.153: 13571
D: 208.40.235.38: 80
STEP 2 NAT creates entry in translation mapping
table:
Internal:
192.168.12.153: 13571 <- ->
External:
72.254.149.76: 27409
The NAT service creates an entry in its translation
or mapping table for the request. The table
contains the source IP address and port and the
translated IP address and port. The NAT server
uses its own public IP address as the translated IP
address and selects a random currently unused
port for the new source port for the packet. This is
Step 2.
STEP 3 Translated request:
S: 72.254.149.76: 27409
D: 208.40.235.38: 80
Step 3 is the construction of the new packet with
the translated source information, which is then
transmitted over the Internet to the external
server. The Web server receives a request whose
source seems to be the proxy/firewall system.
STEP 4 Response from external server:
S: 208.40.235.38: 80
D: 72.254.149.76: 27409
Step 4 is the response generated and transmitted
by the Web server.
STEP 5 Response sent to client by NAT:
S: 208.40.235.38: 80
D: 192.168.12.153: 13571
The proxy/firewall receives the response to the
Web server’s request. The NAT service uses the
translation table to return the original client’s
information into the packet header as the
destination. This is step 5. This process takes place
at wirespeed. It is usually transparent to the client
and server involved in the communication,
because they are unaware that the translation took
place.
Another purpose or use of NAT is to reduce the need for a
significant number of public IP addresses you need to lease
from an ISP. Without NAT, you’d need a single public IP
address for each individual system that would ever connect
to the Internet. With NAT, you can lease a smaller set of
public IP addresses to serve a larger number of internal
users.
This consolidation is possible for two reasons. First, most
network communications are “bursty” rather than constant
in nature. This means that computers typically transmit
short, fast busts of data instead of a long, continuous
stream of data. Some forms of network traffic, such as file
transfer and video streaming, are more continuous in
nature. But these tasks are generally less common on
business networks than home networks.
Second, NAT does not reserve a specific public address
for use by a single internal client. Instead, NAT randomly
assigns an available public address to each subsequent
internal client request. Once the client’s communication
session is over, the public address returns to the pool of
available addresses for future communications.
Additionally, NAT often employs not just IP-to-IP address
translation, but a more granular option known as port
address translation (PAT). With PAT, both the port and
the IP address of the client convert into a random external
port and public IP address. This allows for multiple
simultaneous communications to take place over a single IP
address. This process, in turn, allows you to support a
greater number of communications from a single client or
multiple clients on an even smaller number of leased public
IP addresses.
NAT enables the use of private IP addresses while still
supporting Internet communications. These addresses are
known as RFC 1918 addresses, from their technical
specification. Their ranges are as follows: Class A—
10.0.0.0–10.255.255.255/8 (1 Class A network)
Class B—172.16.0.0–172.31.255.255/12 (16 Class B
networks)
Class C—192.168.0.0–192.168.255.255/16 (256 Class
C networks)
RFC 1918 addresses are for use only in private networks.
Internet routers drop any packet using one of these
addresses. Without NAT, a network using these private IP
addresses would be unable to communicate with the
Internet. By using RFC 1918 addresses, networks create
another barrier against Internet-based attacks and do not
need to pay for leasing of internal addresses.
As mentioned, NAT is one of the technologies that have
allowed the extended use of IPv4 even after the depletion of
available public IP addresses. Now that the transition to IPv6
is underway, NAT is serving a new purpose in proving IPv4-
to-IPv6 translation. Many firewall and proxy devices may
include IPv6 translation services. This feature is a
worthwhile option that you might want to include on a
feature list when researching a firewall purchase or
deployment.
technical TIP
An interesting wrinkle on NAT and PAT is that most
devices and software products that support PAT
actually state in their documentation and in their
configuration interfaces that they support NAT. It
seems that NAT has been redefined to include the
functionality of port address translation, even though
an official acronym for that specific additional
technology already exists. Most certification exams
combine the two as well. Questions might use the NAT
acronym but actually refer to port translation (PAT).
Routers, Switches, and Bridges
Routers, switches, and bridges are common network
devices. While not directly or typically labeled as network
security devices, you can deploy them to support security
rather than hinder it.
A router’s primary purpose is to direct traffic toward its
stated destination along the best-known current available
path (see Figure 1-11). Routing protocols such as RIP, OSPF,
IGRP, EIGRP, BGP, and others dynamically manage route
selection based on a variety of metrics. A router supports
security by guiding traffic down preferred routes rather than
routes that might not be as logically or physically secure. If
a hacker can trick routers into altering the pathway of
transmission, network traffic could traverse a segment
where a hacker has positioned a sniffer. A sniffer, also
known as packet analyzer, network analyzer, and protocol
analyzer, is a software utility or hardware device that
captures network communications for investigation and
analysis.
While this is an unlikely scenario, it’s not an impossible
one. Ensuring that routers are using authentication to
exchange routing data and are protected against
unauthorized physical access will prevent this and other
infrastructure level attacks. Figure 1-11 depicts an example
of a routed network deployment.
FIGURE 1-11
An example of router deployment.
FIGURE 1-12
An example of switch deployment.
Switches provide network segmentation through
hardware. Across a switch, temporary dedicated electronic
communication pathways connect the endpoints of a
session (such as a client and server). This switched pathway
prevents collisions. Additionally, switches allow you to use
the full potential throughput capacity of the network
connection by the communication instead of 40 percent or
more being wasted by collisions (as occurs with hubs). See
Figure 1-12.
You can see this basic function of a switch as a security
benefit once you examine how this process takes place. A
switch operates at Layer 2, the Data Link Layer, of the OSI
model, where the MAC address is defined and used.
Switches manage traffic through the use of the source and
destination MAC address in an Ethernet frame. The Ethernet
frame is a logical data set construction at the Data Link
Layer (Layer 2) consisting of the payload from the Network
Layer (Layer 3) with the addition of an Ethernet header and
footer (Figure 1-13).
Switches employ four main procedures, labeled as
“learn,” “forward,” “drop,” and “flood.” The learn procedure
is the collection of MAC addresses from the source location
in a frame header. The source MAC address goes into a
mapping table along with the number of the port that
received the frame. Forwarding occurs once a frame’s
destination MAC address appears in the mapping table. This
table then guides the switch to transmit the frame out the
port that originally discovered the MAC address in question.
If the frame goes on the same port that the mapping
table indicates is the destination port, then the frame is
dropped. The switch does not need to transmit the frame
back onto the network segment from which it originated.
Finally, if the destination MAC is not in the mapping table,
the switch reverts to flooding—that is, a transmission of the
frame out every port—to ensure that the frame has the best
chance of reaching the destination.
By monitoring the activity of the switch—-specifically,
watching the construction and modification of the mapping
table and the variation of MAC addresses seen in frame
headers—you can detect errors and malicious traffic.
Intelligent or multilayer switches themselves or external
IDS/IPS services can perform this security monitoring
function.
When the switch procedures fail, the network suffers.
This could mean a reduction in throughput, a blockage
causing a denial of service, or a redirection of traffic
allowing a hacker to attempt to modify or eavesdrop.
Fortunately, such attacks are “noisy” in terms of generating
significant abnormal network traffic, and thus you can
detect them with basic security sensors. This benefit alone
is a significant reason to use switches rather than hubs.
FIGURE 1-13
An IEEE 802.3 Ethernet Type II frame.
FIGURE 1-14
An example of a MAC-layer bridge deployment.
Bridges link between networks. Bridges create a path or
route between networks, used only when the destination of
a communication actually resides across the bridge on the
opposing network. An analogy of this would be a city split in
two by a river. When people in that city want to visit a
location on the same side of the river that they are, then
they have no need to cross the bridge to get there.
The same is true of a network bridge. Bridges work in a
similar manner to switches in that they use several basic
procedures to manage traffic. Bridges use the process of
learn, forward, and drop. Thus, with these processes, only
traffic intended for a destination on the opposing network
will go by the bridge to that network. All traffic intended for
a destination on the same side of the bridge that received it
will be dropped since the traffic is already on the correct
network.
Bridges are used to connect networks, network
segments, or subnets whenever you desire a simple use-
only-if-needed link and the complexity of a router, switch, or
firewall is neither specifically required nor desired. See
Figure 1-14. Bridges can also link networks with variations in
most aspects of the infrastructure barring protocol. This
includes different topologies, cable types, transmission
speeds, and even wired versus wireless.
You can use bridges to detect the same types of traffic
abuses that switches do. In addition, both bridges and
switches can impose filtering on MAC addresses. Here you
can use a blacklist or whitelist concept, where you allow all
traffic except for that on the black/block list or you block all
traffic except for that on the white/allow list.
You can arrange to log activities across a router, switch,
and bridge. You should review traffic logs regularly, typically
on the same schedule as firewall and IDS/IPS logs. You will
note the signs of abuse, intrusion, denial of service, network
consumption, unauthorized traffic patterns, and more in
these common network devices not typically considered to
be security devices.
The Domain Name System
The Domain Name System (DNS) is an essential element
of both Internet and private network resource access. Users
do not keep track of the IP address of servers. So, to access
a file server on, say, a social networking site, users rely
upon DNS to resolve the fully qualified domain names
(FQDNs) into the associated IP address. DNS is similar to
the address book in your mobile phone. Instead of
remembering people’s phone numbers, you just look up
their names; the address book associates each person’s
name with the number to dial.
Most users don’t even realize that networks rely upon IP
addresses to direct traffic toward a destination rather than
the domain name that they typed into the address field of
client software. However, without this essential but often
transparent service, most of how the Internet works today
would fail. In such a case, users would need to maintain a
list of IP addresses of sites they wanted to visit or always go
to a search engine for a site’s IP address.
DNS is the foundation of most directory services in use
today, such as Active Directory and LDAP (see the following
section). Thus, DNS is essential for internal networks, as
much as it is for the external Internet.
DNS is vulnerable in several ways. First, DNS is a non-
authentication-query-based system. This allows a false or
“spoofed” response to a DNS query to appear valid. Second,
anyone can request transfers of the DNS mapping data
(called the zone file), including external entities if TCP port
53 allows inbound access. Third, DNS uses a plaintext
communication allowing for eavesdropping, interception,
and modification.
You can address some of the faults of DNS with local
static DNS mapping in the HOSTS file, filtering DNS on
network boundaries, and using IPSec for all communications
between all hosts. (A HOSTS file is a static file on every IP-
enabled host where FQDN-to-IP address resolutions can be
hard-coded.) However, these are defenses for DNS. DNS
does not protect the network; rather, it is an essential
service that needs protection.
NOTE
A few Internet index sites still exist, but they are not as
exhaustive (nor current) as most search engines. Think
of the difference between the Yellow Pages dropped on
your front porch each year versus dialing 411: One is
more current and relevant than the other.
Directory Services
A directory service is a network index. It helps users locate
resources within a private network. A directory service is
responsible for keeping track of which servers (sometimes
as clients) are online, as well as the resources these hosts
share with the network. A directory service operates much
like a telephone book does for phone numbers and
addresses.
Prior to directory services, less efficient methods of
tracking or locating available resources were in service.
These included local static or dynamic lists, which networks
maintained using broadcast announcements. Only
workgroup networks still use these outdated methods.
A directory service is another essential piece of modern
networks that does not itself provide obvious security
services. However, directory services need the protection
provided by other security services and devices. You should
limit access to directory services to authorized and
authenticated clients and users of the local network. Your
network should ignore all external requests for information,
with the exception of valid remote access or VPN links. If
possible, you should deploy IPSec so that you protect every
internal network communication.
Intrusion Detection Systems and Intrusion
Prevention Systems
Intrusion detection systems (IDS) and intrusion prevent
systems (IPS) have become popular topics of discussion in
the IT and security fields. The concept of an IDS is a system
that watches internal hosts or networks for symptoms of
compromise or intrusion. Effectively, an IDS is a form of
burglar alarm that detects when an attack is occurring
within the network.
An IDS serves as a companion mechanism to firewalls.
Once an IDS detects an intruder, it can send commands or
requests to the firewall to break a connection, block an IP
address, or block a port or protocol. You must configure the
firewall to receive these commands and authorize the IDS to
send them. Not all IDSs and firewalls are compatible in this
manner.
Eventually, the IPS concept appeared. The IPS strives to
detect the attempt to attack or intrude before it has the
opportunity to be successful. Once an attempt is detected,
the IPS can respond to prevent the success of the attempt
rather than waiting until after a successful breach to
respond. IPSs do not necessarily replace IDSs. Instead, they
are often used as a first or initial layer of proactive defense,
relegating the IDS to a reactive measure against those
events that the IPS misses or that internal personnel
perform.
IDSs and IPSs are important components of a complete
network security solution. However, they are not without
fault. IDSs and IPSs can create a false sense of security
under certain conditions. Two commonly discussed
conditions include unknown zero day attacks and false
positives.
When unknown zero day attacks threaten the network,
an IDS or IPS might not have the mechanism to detect it.
Thus, the lack of an alarm could cause administrators to
assume that no attacks are occurring. In most cases, the
lack of an alarm does mean that nothing malicious is
happening. So this assumption is not completely
unwarranted. But if an IDS never triggers an alarm, then you
should suspect a poor detection system rather than the
complete lack of compromise attempts or attacks.
False positives present the same result for the opposite
reason, namely too many alarms from benign occurrences.
After the first initial alarms turn out to be triggered by
benign activity, the urgency of responding to alarms
diminishes. After additional false positives, an administrator
might put off investigating alarms. Eventually, you ignore
the alarms altogether. Once this situation arises, you treat
even alarms for malicious events as false positives, once
again establishing a false sense of security.
Network Access Control
Network access control (NAC) limits access or admission
to the network based on the security compliance of a host.
NAC is essentially an enforcement tool to make sure that all
hosts connecting to the network have current and compliant
security components. With NAC, you can block or restrict
access if a computer does not have the latest antivirus
update, a certain security patch, or a host firewall.
NAC usually operates by placing an agent on each
authorized host. When the host connects to the network, the
agent contacts the master control program to find current
host requirements. If the host fails to meet those
requirements, then the NAC prevents the host from
accessing the network. A noncompliant host may be granted
access only to remediation servers. These remediation
servers can provide the patches and updates needed to
bring the host into full compliance.
Effectively, NAC is a method to enforce host-hardening
rules through an automated systemwide mechanism. With
NAC, systems must be in compliance or they are unable to
access general network resources. Only after you update
noncompliant systems are they allowed access to the
network.
CHAPTER SUMMARY
Because of the complexities and difficult questions
surrounding network security, you need to fully
understand the fundamentals of network security.
Once you have a firm grasp of these basic issues, you
will be able to put security into practice on your own
network.
A written security policy is the foundation of a
successful security endeavor. Without a written
policy, security will be chaotic and uncontrolled. A
security policy defines and assigns roles and
responsibilities to personnel within the organization.
Network infrastructure design can have a significant
impact on security. Administrators can employ
numerous network components and devices to
support a network security policy. These include
firewalls, VPNs, and IDSs/IPSs.
KEY CONCEPTS AND TERMS
Access control
Appliance
Asset
Auditing
Auditor
Authentication Authorization
Availability
Backdoor
Blacklist
Bottleneck
Breach
Bridge
Business task
Caching
Chokepoint
Client
Client/server network Confidentiality
Defense in depth Demilitarized zone (DMZ)
Denial of service (DoS) attack
Directory service Domain
Domain Name System (DNS)
Downtime
Egress filtering
Encapsulation
Encryption
Exploit
Extranet
Filtering
Firewall
Fully qualified domain name (FQDN)
Hacker
Hacking
Hardening
Hijacking
Host
HOSTS file
Ingress filtering
Integrity
Internet Protocol Security (IPSec)
Intrusion detection system (IDS)
Intrusion prevention system (IPS)
Job description
Local area network (LAN)
Log
Logging
Malicious code
Man-in-the-middle (MitM) attack
Media Access Control (MAC) address
Monitoring
Network access control (NAC)
Network address translation (NAT)
Network security
Node
Open Systems Interconnection (OSI) Reference
Model
Permission
Port address translation (PAT)
Privacy
Private IP address
Privilege
Proxy server
Public IP address
Redundancy
Remote access
Remote access server (RAS)
Remote control
Replay attack
Resources
RFC 1918 addresses
Risk Roles
Router
Security objective
Security policy
Senior management
Server
Single point of failure
Single sign-on (SSO)
Sniffer
SOHO (small office, home office)
Switch
Telco
Terminal services
Thin client computing
Threat
Trust
Tunneling
Virtual private network (VPN)
Vulnerability
Whitelist
Wide area network (WAN)
Workgroup
Zero day exploits
Zeroization
CHAPTER 1 ASSESSMENT
1. An outsider needs access to a resource hosted on your
extranet. The outsider is a stranger to you, but one of
your largest distributors vouches for him. If you allow
him access to the resource, this is known as
implementing what?
A. DMZ
B. Virtualization
C. Trusted third party
D. Remote control
E. Encapsulation
2. Which of the following are common security objectives?
A. Nonrepudiation
B. Confidentiality
C. Integrity
D. Availability
E. All of the above
3. What is an asset?
A. Anything used in a business task
B. Only objects of monetary value
C. A business process
D. Job descriptions
E. Security policy
4. What is the benefit of learning to think like a hacker?
A. Exploiting weaknesses in targets
B. Protecting vulnerabilities before they are
compromised
C. Committing crimes without getting caught
D. Increase in salary
E. Better network design
5. What is the most important characteristic of an
effective security goal?
A. It is inexpensive.
B. It is possible with currently deployed technologies.
C. It is written down.
D. It is approved by all personnel.
E. It is a green initiative.
6. What is true about all security components and
devices?
A. They are all interoperable.
B. They are all compatible with both IPv4 and IPv6.
C. They always enforce confidentiality, integrity, and
availability.
D. They are sold with pre-defined security plans.
E. They all have flaws or limitations.
7. Who is responsible for network security?
A. Senior management
B. IT and security staff
C. End users
D. Everyone
E. Consultants
8. What distinguishes workgroups from client/server
networks? (In other words, what feature is common to
one of these but not both?)
A. DNS
B. Centralized authentication
C. List of shared resources
D. User accounts
E. Encryption
9. Remote control is to thin clients as remote access is to?
A. NAC
B. VPN
C. DNS
D. IPS
E. ACL
10. What two terms are closely associated with VPNs?
A. Tunneling and encapsulation
B. Bridging and filtering
C. Path and network management
D. Encapsulation and decapsulation
E. Port forwarding and port blocking
11. What is a difference between a DMZ and an extranet?
A. VPN required for access
B. Hosted resources
C. External user access
D. Border or boundary network
E. Isolation from the private LAN
12. What is the primary security concern with wireless
connections?
A. Encrypted traffic
B. Support for IPv6
C. Speed of connection
D. Filtering of content
E. Signal propagation
13. What elements of network design have the greatest risk
of causing a DoS? (Select two.)
A. Directory service
B. Single point of failure
C. Bottlenecks
14. For what type of threat are there no current defenses?
A. Information leakage
B. Flooding
C. Buffer overflow
D. Zero day
E. Hardware failure
15. Which of the following is true regarding a Layer 2
address and Layer 3 address?
A. MAC address is at Layer 2 and is routable
B. Layer 2 address contains a network number
C. Layer 2 address can be filtered with MAC address
filtering
D. Network Layer address is at Layer 3 and is routable
E. Both C and D are true
16. Which of the following are not benefits of IPv6?
A. Native communication encryption
B. RFC 1918 address
C. Simplified routing
D. Large address space
E. Smaller packet header
17. What is the most common default security stance
employed on firewalls?
A. Allowing by default
B. Custom configuring of access based on user account
C. Caching Internet content
D. Denying by default, allowing by exception
E. Using best available path
18. What is egress filtering?
A. Investigating packets as they enter a subnet
B. Allowing by default, allowing by exception
C. Examining traffic as it leaves a network
D. Prioritizing access based on job description
E. Allowing all outbound communications without
restriction
19. Which of the following is not a feature of a proxy
server?
A. Caching Internet content
B. Filtering content
C. Hiding the identity of a requester
D. Offering NAT services
E. MAC address filtering
20. Which of the following is allowed under NAC if a host is
lacking a security patch?
A. Access to the Internet
B. Access to e-mail
C. Access to Web-based technical support
D. Access to file servers
E. Access to remediation servers
CHAPTER
2 Firewall
Fundamentals
TO SOME NETWORK ADMINISTRATORS, A FIREWALL is the key component of their infrastructure’s security. To others, a
firewall is a hassle and a barrier to accomplishing essential
tasks. In most cases, the negative view of firewalls stems
from a basic misunderstanding of the nature of firewalls and
how they work. This chapter will help dispel this confusion.
This chapter clearly defines the fundamentals of
firewalls. These include what a firewall is, what a firewall
does, how it performs these tasks, why firewalls are
necessary, the various firewall types, and filtering
mechanisms. Once you understand these fundamentals of
firewalls, you will be able to look beyond the unschooled
opinions, common mythology, and marketing hype
surrounding them, and the crucial benefits of effective
firewall architecture will become clear. Like any tool,
firewalls are useful in solving a variety of problems and in
supporting essential network security.
Chapter 2 Topics
This chapter covers the following topics and
concepts:
What a firewall is
Why you need a firewall
How firewalls work and what they do
What the basics of TCP/IP are
What the types of firewalls are
What ingress and egress filtering is
What the types of firewall filtering are
What the difference between software and
hardware firewalls is
What dual-homed and triple-homed firewalls
are
What the best placement of a firewall is
Chapter 2 Goals
When you complete this chapter, you will be able
to:
Define firewalls
Explain the need for firewalls
Describe types of firewalls, including network
router/interface firewall, hardware appliance
firewall, and host software firewall Explain
standard filtering methods, including static
packet filtering, NAT services, application
proxy filtering, circuit proxy filtering, dynamic
packet filtering, stateful inspection filtering,
and content filtering Define the meaning of
ingress and egress filtering
Compare and contrast software and
hardware firewalls
Illustrate on a typical business network
diagram possible placements for a firewall
Compare and contrast dual- and triple-
homed firewalls
What Is a Firewall?
A firewall is like a border sentry. A firewall is like a
gateway and is often called a “security gateway.” A firewall
is like a traffic control device. A firewall is a filtering device
that enforces network security policy and protects the
network against external attacks. A packet is a unit of
information that is routed between one point and another
over the Internet or any other network. The packet header
includes information such as source, type, size, and origin
and destination address. As a filtering device, a firewall
watches for traffic that fails to comply with the rules
defined by the firewall administrator. Firewalls can focus on
the packet header, the packet payload (the essential data
of the packet) or both; or on the content of a session, the
establishment of a circuit, and possibly other assets. Most
firewalls focus on only one of these. The most common
filtering focus is on the header of the packet, with the
payload of a packet a close second.
Filtering allows what you want on your network and
denies what you do not. Filtering relies on filtering rules.
Each rule has a pattern of concern and a response the
firewall will make if an incoming element matches the
pattern.
Firewalls follow a philosophy or stance of security known
as deny by default/allow by exception. All the rules on a
firewall are exceptions. Some exception rules define what
you allow. Some exception rules define what you wish to
deny. The final option, sometimes called the final rule, is
anything that did not match one of the exceptions is denied
by default.
Firewall filtering compares each packet received to a set
of exception rules. These rules state that content in the
packet is either allowed or denied. If the packet matches an
allow rule, it continues on to its destination. If the packet
matches a deny rule, then the packet is dropped. Hence, a
deny rule prevents the packet from reaching its destination.
If a packet fails to match any rule, then the firewall drops
the packet by default.
The filtering rules are the exceptions to the deny-all rule
that is the final and absolute rule of a firewall. In fact, if a
deny by default rule didn’t exist, the filtering device would
not be a firewall at all. Instead, it would be more like a
router or switch, allowing traffic to pass, even if it did not
match an expected pattern or rule. So, keep in mind the
security stance of deny by default/allow by exception. A
firewall is a filtering device that helps support this stance.
Think of a firewall as a sentry along the borders of a
country. The term firewall is not exactly the best term that
could have been selected for this device or service, which
performs essential security filtering for hosts and networks.
The term firewall comes from a building and automotive
construction concept of a wall that is built to prevent the
spread of a fire from one area into another. The firewall in a
building or car engine compartment is a physical block
against the spread of fire.
Network security administrators use the term firewall to
refer to a device or service that allows some traffic but
denies other traffic. This is not the same as a building’s
firewall, which allows a fire to spread only if the firewall fails.
In network security, firewalls allow traffic through that’s
considered safe—or at least authorizes traffic without the
entire firewall failing. Additionally, if a firewall does fail, it
fails into a secured state. This means that when the firewall
is offline, is locked or frozen, or otherwise experiences a
problem, it stops all traffic rather than allowing all traffic
through. This is known as fail-safe or fail-secure.
Better ways to envision the job of the firewall are a
sentry, doorman, or even border guard. These people
positioned at the entrance or exit of a building watch for
unauthorized attempts to enter the secure area. Some
people are allowed to enter; others are prevented. In the
event that the sentry isn’t present, the entry is locked, so
only those with a key can enter. Think of a firewall as a
border sentry.
A gateway is an entrance or exit point to access a
controlled space. People use gateways every day in a
variety of ways. An on-ramp is a gateway to the highway, a
doorway is a gateway to a building, and a personal
computer is a gateway to the Internet—and to your
organization’s network. You can also think of a firewall as
the gate at a gateway. The firewall stands at the entrance of
a network to block unwanted traffic.
Gateways are important because, typically, high levels of
traffic pass through a gateway. Thus, positioning a firewall
at a network gateway is an aspect of secure design. If the
gateway already exists in the network infrastructure, then
positioning the firewall at that point is an obvious security
improvement. A firewall so positioned watches over all
traffic crossing that gateway point.
Another place that firewalls are often deployed is in front
of (that is to say, on the public Internet side), behind (inside
the data center), or in load balancing systems, or, as they
are most often called, load balancers. Load balancers are
reasonably well named because that is what they do: They
take the load coming into a set of servers and ensure that
the load is balanced between or among the servers, based
on a variety of factors. It is a funnel point for traffic that is
an ideal place to enforce policy, and that is done through
the firewall.
If a network is still in its design phase, a network
designer might make the secure choice to create a gateway
in the network’s layout. However, in this situation, the
concentration point would be known as a chokepoint instead
of a gateway. If a gateway is an access point to other areas
of resources, a chokepoint is a specialized kind of gateway
that focuses on traffic to a single concentrated pathway to
simplify the process of filtering.
Whether labeled as a gateway for resource access or a
chokepoint to control security, the result is the same. A
firewall positioned at a gateway provides filtering services
across all traffic. The chokepoint provides filtered access to
resources. As a wise poet once said: “Good fences make
good neighbors.” So, too, do good gateways and well-
positioned firewalls make secure networks.
You can also think of a firewall as a traffic control device.
A significant amount of network security is little more than
controlling traffic. Authorized traffic passes through the
digital intersection, while unauthorized, unwanted,
abnormal, or obviously malicious traffic is blocked.
The very basic and original form of the modern firewall
was a screening router. Routers analyze traffic based on
destination address. The best-known available route to the
destination informs the forwarding decision. However,
screening routers added in additional rules that could
discard traffic based on destination or source address. Once
filtering expanded to address protocols and even ports, the
screening router became the basic static packet filtering
firewall.
In addition to filtering, firewalls can also offer routing
functions, which are a holdover from this router ancestry. A
multi-homed firewall can grant traffic access to one or
another interface or segment based on the results of
filtering. Traffic for a private LAN could traverse one
segment, while traffic destined for the DMZ could follow
another (see Figure 2-1). A firewall is an efficient, necessary
traffic control device on the highway that is your network.
FIGURE 2-1
A basic multi-homed firewall filtering and routing for two
network segments.
A firewall enforces your organization’s network security
policy. Specifically, a firewall enforces the network traffic
access control security policy. A firewall is the physical
embodiment of the security policy. It’s the most obvious or
direct enforcement of access control on your network’s
traffic. No device more than your firewall is as directly
involved in allowing authorized traffic and denying all else.
A security policy defines the goals, objectives, and
procedures of security. Every security policy focusing on
network security requires the deployment of a firewall. The
firewall’s job is to impose all restrictions and boundaries
defined in the security policy on all network traffic. A firewall
enforces your organization’s network security policy just as
a traffic policeman enforces the motor vehicle laws of a
town or state.
A firewall’s critical function is to protect your network
against external attacks. It’s no secret that external threats
are numerous. The onslaught of attacks is almost
unbelievable, like a constant flood against every Internet-
connected node. If it were not for vigilant hardening of hosts
and the use of firewalls, the Internet and private networking
could not exist as they do today.
It’s no accident that some threats to computer networks
are called viruses; external threats seem to continuously
change and evolve. Other attacks are targeted specifically
for your network or organization. Some attacks are
untargeted and random. Instead, they are directed toward
any host that happens to have a specific vulnerability.
Malicious code relentlessly infects and compromises
unprotected computer systems. Flooding attacks attempt to
interrupt timely Internet communications. And these are
only some of the external threats facing your organization’s
network.
A firewall stands as a sentry, as a front guard, as a
defense against all attacks and attempts at system
compromise. The good news is that many firewalls are well
hardened against all known-to-date attacks. These firewalls
can withstand the blitzkrieg of the attacks without faltering.
A firewall protects the network against the substantial asset
damage that external attacks can cause.
Understanding these definitions and distinctions is only
the beginning of understanding firewalls.
What Firewalls Cannot Do
A firewall is an essential part of network security. However,
it’s not the whole of network security. Don’t make the
mistake of deploying a firewall while ignoring other security
management activities. A firewall is only one piece of the
large complex puzzle of network security.
There are many things a firewall is not. Don’t be fooled
by the marketing. Some of these deficiencies can become
cloudy as vendors sell combination or multifunction
solutions. Often, these devices are designed for the SOHO or
home user and thus were never intended to provide
commercial-grade protections.
A firewall is primarily for network traffic filtering. It’s not
an authentication system. Firewalls aren’t designed to check
logon credentials, compare biometric scans, or even confirm
the validity of digital certificates. These are the functions of
an authentication service, typically hosted on a domain
controller or primary network server.
That said, you might find it necessary for a firewall to
allow authentication before granting access to a resource or
allowing a session. Some firewalls can have enhancement
features that provide for firewall-hosted authentication
services. However, in many cases, a better solution would
be to have the firewall offload that task to a dedicated
authentication server or service, such as 802.1x, public
key infrastructure (PKI), or directory services. Most
security experts do not recommend using a firewall to
authenticate users, or at least not as a replacement for a
network’s directory service or centralized authentication
solution. Firewalls are not authentication systems.
A firewall is not a remote access server. Connections
from remote users do not have an endpoint at the firewall.
Instead, the endpoint is a remote access server (RAS) or
network access server (NAS). A firewall may function before
or after the RAS/NAS to filter remote access traffic.
However, that doesn’t mean the firewall is the RAS/NAS
itself.
Your firewall should of course filter all remote traffic,
especially because remote traffic is much more likely to be
purposefully malicious or accidentally damaging than local
traffic. Why? An organization has much more control over
who can connect to its network locally than it does when it
allows remote connectivity. Remember: A firewall does not
replace a remote access server.
Unlike Superman, your firewall does not have X-ray vision
into encrypted traffic; in other words, it cannot see the
contents of encrypted traffic. A firewall can filter on the
header of traffic using transport mode encryption, since
the original header is in plaintext form. However, a firewall
cannot filter the original header of traffic using tunnel
mode encryption, since the only plaintext component is a
temporary tunnel header that only includes information
about the endpoints of the tunnel. It’s like trying tell what’s
in the boxcars of a train by observing only the locomotive
and the caboose.
Position your firewall where it can be most effective. If
the security design requires that all traffic content be
examined by a firewall, then you need to position the
firewall after encryption is removed from the traffic. If the
security design requires filtering only on non-encrypted
traffic, then positioning the firewall is not as critical.
Firewalls designed for use by Web e-commerce sites may
have an additional ability to act as the endpoint of a Secure
Sockets Layer (SSL) or Transport Layer Security (TLS)
tunnel from an Internet client. This grants the client
protection for its data as the information traverses the
Internet. This allows a firewall to filter the content of the
traffic before the Web server receives and processes the
information.
Encryption is one method to evade filtering. Users and
hackers can employ client-side encryption solutions that
encode the data before transmission or create unauthorized
encrypted encapsulation tunnels to prevent firewall filtering.
In this situation, your network security policy may stipulate
that the firewall needs to block encrypted transmission
initiated by clients, especially if the destination is on the
Internet. It’s important to remember that firewalls are
powerful, but they don’t have X-ray vision into encrypted
traffic.
A firewall is also not a malicious code scanner. Firewalls
are traditionally rule-based filtering products. These rule
sets usually have only a few dozen to at most a few
hundred rules. To filter malicious code, the rule list would
need millions of entries. As of December 2009, the AVG
Anti-Virus definition database #270.14.88/2538 was
tracking 24,303,360 malicious code infection definitions.
That number of entries is simply impractical to include in a
firewall rule set.
Some firewall products include an enhancement or add-
on module for malicious code scanning. Such an
enhancement is just an add-on component, not a core
feature of a firewall. In most cases, it’s more efficient and
more secure to use separate anti-malware scanners than to
add this function to your firewall.
Many firewall rules block traffic with spoofed addresses,
uncommon ports, unauthorized protocols, invalid header
constructions or values, etc. Such rules block a significant
amount of traffic caused by malicious code, but these rules
do not themselves directly block malware from entering or
leaving a network. Keep in mind that your firewall can do
many things, but it’s not a malicious code scanner.
A firewall is also not an intrusion detection system. An
intrusion detection system, or IDS, is a type of network
burglar or intruder alarm that detects and responds to
unauthorized activity inside your network. An IDS performs
this task by monitoring all network traffic. While an IDS can
be deployed on a network border or outside the network
against the Internet, most IDSs operate inside private
networks so that they can watch all internal network traffic.
A firewall can detect malicious traffic only when such
traffic enters one of the firewall’s interfaces. Firewalls
generally don’t watch over general interior network activity.
Either firewalls are border devices for networks and subnets,
or they are software products watching over a single host. In
either case, they cannot see the same traffic nor perform
the same tasks as an IDS. A firewall, therefore, is not
interchangeable with a good intrusion detection system.
A common misconception is that firewalls protect against
insider attacks. They cannot. A firewall can be a border
device or a firewall can be software on a host. A border
firewall can filter traffic entering or leaving a network or
subnet. So a border firewall is unable to see any interior
traffic (Figure 2-2). When an attacker from an inside client
attacks a target that is also an internal host, a border
firewall is not part of the communication and thus can
neither detect nor block the attack.
A host software firewall can only see the traffic entering
or leaving that one host. A host software firewall is unable to
see any other interior traffic Of course, if traffic does not
pass through its interfaces, a firewall cannot filter the traffic.
A firewall can filter only what it sees. If malicious or
unwanted traffic does not enter an interface of a firewall,
the firewall will not be able to filter that traffic (see Figure 2-
2). So you’ll want to place firewalls on each host, on every
border gateway or chokepoint, and between each significant
subnet or interior network division.
NOTE
IDSs can detect a plethora of unwanted activities, use
several methods of detection, and perform a wide
range of responses, both passive and active.
Another thing firewalls can’t do is protect against social
engineering. Social engineering is the category of attacks
that focus on the personnel of an organization. These
attacks get information from people just by asking for it in
clever ways or convincing someone to perform an action
that breaches network security. The only real protection
against social engineering is worker training and awareness.
A firewall cannot stop an attack stemming from social
engineering.
FIGURE 2-2
Border firewalls cannot filter internal communications.
A firewall can’t protect against the threat posed by
removable media. The widespread use of removable media
has been a significant threat to every computer in
existence, even those not connected to the Internet, an
external network, or even a single other computer through a
network link. Removable media include USB hard drives,
USB thumb drives, CDs, DVDs, Blu-ray discs, HD-DVD discs,
other optical discs, flash memory cards, FireWire storage
devices, tape media, e-mail attachments, and more.
Removable media can leak information out of an
organization or smuggle malicious code in. A firewall is not
involved in the use of removable media nor any of the
contents these devices may contain. A firewall cannot
protect your network against the ongoing threat posed by
removable media. Again, the best defense against this
threat is good company policy, worker training, and
awareness.
A firewall, of course, cannot protect against physical
incursions or attacks. Physical attacks bypass any and all
logical and electronic protection mechanisms. A firewall
does not protect against theft of devices, planting of
eavesdropping mechanisms, disconnection of cables,
connecting a rogue notebook to an open node, destruction
of equipment, dousing electronics with liquids, building fires,
or any other form of physical attack. Only effective physical
defenses can deter physical attacks. A firewall is not
designed or intended to thwart physical attacks.
Firewalls aren’t insurance against inept or ignorant
administrators. Computer equipment and software can do
only what it’s designed and programmed to do. If an
administrator misconfigures a security device, the device
doesn’t automatically compensate for that oversight. If a
security administrator fails to learn about all the features
and defaults of new equipment, the product cannot secure
itself autonomously. Security requires training, research,
careful planning, thoughtful implementation, and ongoing
review and maintenance. This process is known as security
management—and it takes work. The old expression was
never more true than today: “Garbage in, garbage out.”
What you put into network security is precisely what you will
get out of it. So remember that a firewall can’t compensate
for ineptitude or ignorance on the part of administrators.
In the same vein, firewalls can’t compensate for poor
security management. Proactive security management is
essential for the success of any security endeavor. Security
management is the process of reviewing, testing, tuning,
and updating an organization’s security policies and security
infrastructure. This is an ongoing effort that requires
knowledge, research, and vigilance. The threats and risks
facing an organization are constantly evolving to become
more persistent and virulent. Your security strategy should
be just as rigorous and purposeful in defense. Keeping up to
date on the most current threats to and trends in network
security is a big part of this job. Networking, conferencing,
and reading the latest industry literature are ways to keep
yourself and your security efforts sharp.
Keep in mind that a firewall is a focal point of security. It’s
an embodiment—a physical representation—of your
organization’s security policy. When you use them well and
wisely, firewalls provide reliable and consistent security
from external threats. However, firewalls have limitations
and are only part of the complete security strategy. By itself,
a firewall cannot protect a network against every threat. A
firewall cannot compensate for the lack of informed, state-
of-the-art security management.
Furthermore, and this follows from everything you have
read so far, firewalls are not a substitute for a solid written
security policy. A firewall is nothing but a reliable border
sentry. It is not the complete security infrastructure and
strategy. Even the decision to deploy a firewall is a
significant strategic undertaking that shouldn’t be taken for
granted. Thorough research and planning will help with the
design and deployment of an effective firewall. A firewall
policy ensures the success of your network’s firewall. A
company-wide security policy ensures the success of your
organization’s security infrastructure. Firewalls are in no way
a substitute for such a security policy.
Finally, firewalls are not a perfect solution. As noted, a
firewall is a border sentry, reliable but limited. A firewall can
filter only what it sees. It can perform filtering only
according to the rule sets defined by the security
administrator. It cannot self-adjust to changing conditions or
future threats. A firewall is only a part of a complete security
infrastructure. Firewalls are mostly software, even when
operating on dedicated hardware. They are software, written
by fallible humans; therefore, they can, and do, have bugs
and flaws. A firewall is never the perfect solution—but it is
part of the solution.
Fortunately, in spite of all the things a firewall is not, a
firewall is a solid filtering solution. A firewall can and should
protect the borders of networks and individual hosts. No
security strategy—or deployment—is complete without
properly installed firewalls.
Why Do You Need a Firewall?
Who needs a firewall? Anyone who uses a computer to
interact with and exchange resources with any other
computer! Your personal computer needs a firewall. Your
home network needs firewalls. Your company network needs
firewalls. Every network needs firewalls. They are a
fundamental of network communication.
High-speed Internet connectivity has become ubiquitous.
Most computer users now have high-speed access at home,
at work, and even on the go through mobile devices. Often,
these broadband connections are always-on connections.
This means computers and networks are online all the time
—and exposed to attacks. A drawbridge is easy to cross if
it’s always down. When a system is always connected, it can
be the focus of a concerted attempt to discover its
vulnerabilities and breach its security.
How likely is it that a computer will be discovered and
attacked over the Internet? Almost guaranteed. Most
systems are detected, scanned, and probed within minutes
of obtaining a public IP address. It is technical suicide to
connect your system to the Internet before installing a
firewall, as well as installing the latest vendor patches for
the hardware, OS, and installed applications.
Does this mean that there are armies of hackers just
waiting to find new targets to attack? Unfortunately, yes.
Not, however, in the way you might think. Malicious
programs perform most of the scanning and attacking
automatically. These are commonly known as agents,
robots, zombies, or just bots. Groups of malicious code,
known as botnets, scour the Internet for new victims
constantly.
Another wrinkle in being constantly online over a
broadband connection is the throughput speed. High-speed
links to the Internet enable high-speed attacks against your
system. On older, slower connections, the same risks
existed, but the attacks were slower or fewer simply
because the link to a targeted system throttled the speed of
the attack. With 10 Mbps and faster connections being
common, attacks can occur at near-lightning speed.
This is not to suggest that only slow-speed Internet links
are secure. On the contrary, you should take full advantage
of high-speed Internet connections. However, you need to
protect your systems with firewalls. A firewall will impose a
significant barrier to most attacks that originate from the
Internet.
With a firewall protecting your system from the Internet,
hacker scans will be nearly worthless. Responses to probing
packets will be filtered. An outsider will learn little about
your infrastructure. This, in turn, means they will discover
fewer vulnerabilities, thus wage fewer attacks. And even
then, those attacks will be more likely to fail.
Firewalls are not used only for Internet protection. Don’t
forget that significant levels of threat exist internally.
Firewalls stand guard against network segments inside your
private network (Figure 2-3). Think of a firewall as a tool to
prevent abuse or misuse of LAN resources. Each major
department, subnet, or other relevant distinction within an
organization should have firewall protection. This will ensure
that accidental compromises, as well as intentional abuses,
are minimized internally. All networks protect against both
internal threats and external ones.
FIGURE 2-3
An example of a private network using firewalls to securely
separate subnets.
Don’t overlook that, while a firewall has its origins in
routing, you still want to use a dedicated router for routing
and a dedicated firewall for filtering. In many cases, the
combination or multifunction devices offer lots of features,
but not necessarily best-of-breed performance and
efficiency. These may be money-savers for small networks,
but they are often cause for expense for larger networks. If
a device fails to perform at commercial levels when
necessary, the repercussions can cost more than deploying
the proper safeguards in the first place.
Firewalls should be used to protect a resource, no matter
where that resource resides on your network. A hardware
firewall can protect a single host or a network of hosts,
while a software firewall can protect only a single host.
Don’t limit your definition of a firewall to just a border sentry
device. Think of it, instead, as a sentry device in general,
able to protect anything placed behind its filtering service.
Host firewalls protect a host and protect a network
from the host. A host firewall’s job is to filter traffic entering
or leaving a single computer system. Attacks and malicious
traffic can come from the Internet or the local network. A
host firewall can protect the host against such threats.
However, the host itself could be compromised by malicious
code or be controlled by a malicious user. In this situation,
the host firewall protects the network from the threats
coming from the host.
Another way of looking at this is that a host firewall also
protects the network from a user in general. A user is the
most risky element in a network infrastructure. Even if every
other component, hardware or software, does what it was
programmed and configured to do, a user can decide to
violate security. Thus, the free will of human users is one of
the biggest risks to every computing environment.
Users can be ignorant, make mistakes, be tricked by a
Trojan horse, be the target of social engineering attacks, or
perform malicious actions on purpose. The security of a host
system, including general system hardening, anti-malware
scanning, Internet client restrictions, blocking of non-
approved software, and a host firewall, are all designed to
protect the network from the risk of human users.
Firewalls protect against Internet threats, protect against
internal network threats, protect resources generally, and
protect against the risk of users. These capabilities alone
might make installing a firewall on every host and on every
segment seem like the obvious follow through.
However, deploying firewalls everywhere has two
significant drawbacks: cost and over-dependence. Most
commercial-grade firewalls are costly. Even if they have no
purchase cost (due to promotions or being open source), the
ongoing maintenance costs of firewalls add up significantly
over time. With firewalls deployed on every host and on
every segment, the overhead of firewall management would
far exceed the total IT budget of most businesses.
A second drawback to ubiquitous deployment of firewalls
is over-dependence. Firewalls are only part of a complete
security solution, not a whole solution by themselves. By
deploying firewalls on every host and every segment, other
essential security endeavors might be overlooked or
deemed unnecessary. This would be a disastrous security
stance. Firewalls cannot compensate for poor security
policy, poor security management, or a lack of proper
system hardening.
With these concerns, how can your organization
determine how many firewalls to deploy and where to
deploy them? In most cases, this requires a process of risk
assessment and risk management. Risk assessment
involves examining values, threat levels, likelihoods, and
total cost of compromise versus the value of the resource
and the cost of the protection. While many other factors
affect risk assessment, this essential business and security
process is as follows: 1. Determine the overall value of the
resource or asset. Known as the asset value (AV), this
calculation should include both tangible and intangible
costs and value.
2. Determine the threats that face that asset. For
each threat, calculate the exposure factor (EF), or
the amount of potential harm expressed as a
percentage. This will create a list of asset-threat
pairs with a corresponding EF.
3. Calculate the single loss expectancy (SLE):
SLE = AV × EF. This is the amount of potential loss
that could be experienced due to a single
occurrence of compromise against this asset for a
specific threat. This will add an SLE value to each
asset-threat pair.
4. For each threat, calculate the potential number
of times the threat could be a realized attack within
a year’s time. This is known as the annualized rate
of occurrence (ARO).
5. Calculate the annualized loss expectancy
(ALE): ALE = SLE × ARO. This is the amount of
potential loss that can be experienced due to any
compromise of this asset for a specific threat within
a year. This will add an ALE value to each asset-
threat pair.
6. Sort the list of asset-threat pairs by the ALE.
The highest ALE is the biggest risk for this specific
asset/resource.
7. Take the asset-threat with the largest ALE and
determine the possible countermeasures that could
be used to protect against that threat. This creates
asset-threat-countermeasure triplets.
8. For each asset-threat-countermeasure triplet,
calculate a new ARO. The countermeasure should
reduce the ARO. A perfect countermeasure would
reduce the ARO to zero. There are few perfect
countermeasures.
9. With the new ARO, calculate a new ALE for each
asset-threat-countermeasure triplet.
10. For each asset-threat-countermeasure triplet, make
a cost/benefit analysis. The formula for this is:
(Original ALE – New ALE) – cost of the
countermeasure per year.
11. Sort the asset-threat-countermeasure triplets by
their potential cost/benefit. The triplet with the
greatest cost/benefit is the best choice.
In short, if the cost/benefit analysis for a particular asset-
threat suggests a firewall, then installing one is a good
business, security, and budget decision. If some other
countermeasure delivers greater benefit for less cost, then
that countermeasure is the better choice.
Performing detailed risk analysis is a complex task. Many
small companies or home network enthusiasts might not
want to spend the effort to perform a complex risk
assessment. This is understandable, but failing to perform a
full risk assessment doesn’t mean that you have no risk or
that you have no assets worth protecting.
At a minimum, you need to protect any and all data that
is personally identifiable. This includes personal
communications like e-mails; any custom crafted document,
picture, video, or other file type; all medical information; all
financial information; configuration settings; and passwords
and other credentials. Identity theft is one of the most
frequent and devastating crimes of the interconnected
world. Worrying only about your neighbors, the random
home burglary, or the pickpocket on the street is nothing
short of tunnel vision. Today, you must be concerned about
all would-be criminals across the globe attempting to gain
access to your electronic assets over the Internet.
Who needs a firewall? Everyone with a networked
computer needs a firewall. Why are firewalls necessary?
Firewalls are critical because threats and malicious entities
lurk on the Internet, on private networks, and possibly
within your own home!
What Are Zones of Risk?
A zone of risk is any segment, subnet, network, or
collection of networks that represents a certain level of risk.
The higher the risk, the more security you need to protect
against that risk. The less of a risk associated with a zone,
the less security is necessary because the threats of that
zone pose less chance of harm.
The flip side of zones of risk is zones of trust. Highly
trusted zones naturally require less security, while zones of
low trust require more security.
Each zone of risk needs to be clearly and distinctly
isolated from any other risk zone, especially if those zones
have different levels of risk. The primary tool used to isolate
zones from each other is the firewall.
Most networks have two to four zones of risk. These
include the private network, DMZ, extranet, and the
Internet. See Figure 2-4. The private network zone has the
lowest risk and is the zone of the highest trust. The Internet
zone has the highest risk and is the zone with the least
trust. A DMZ has less risk than the Internet, but is not as
trusted as the private network. A DMZ zone has medium-
high risk or medium-low trust. An extranet has more risk
than the private network and more trust than the Internet.
An extranet zone has medium-low risk or medium-high
trust. See Table 2-1.
FIGURE 2-4
An example of a private network with four risk or trust
zones.
TABLE 2-1 Risk and trust levels of common network
zones.
ZONE RISK LEVEL TRUST
LEVEL
LAN Low High
Extranet Medium–low Medium–
high
DMZ Medium–high Medium–
low
Internet High Low
Your organization’s written security policy should define
where these zones exist and dictate the security
requirements for each zone. Such requirements would
include traffic management, use of firewalls, use of VPNs to
cross the zone divisions, hardening of systems, malicious
code scanning, and so on. Firewalls are likely found at risk
zone divisions and may be the best cost/benefit security
countermeasure in some circumstances. The next step is to
understand what a firewall can do at these points and how it
performs these tasks.
How Firewalls Work and What
Firewalls Do
Firewalls work along a communication pathway. This can be
the gateway point of a network, a chokepoint within a
network, a point of zone transition, or on a host. In these
locations, the firewall interrupts the traffic flow to inspect
packets or sessions. If the traffic is authorized, it continues
to its destination. If the traffic is not authorized, it is blocked
and dropped.
When one thinks of a firewall, one generally pictures
some sort of hardware, when in fact it is more accurate to
think of the firewall as a function. There are really two broad
types of firewall implementations: bump-in-the-wire and
bump-in-the-stack. The bump-in-the-wire is a separate
hardware firewall implementation, and the bump-in-the-
stack is a firewall that is implemented via software.
Firewalls operate on a bastion host basis (Figure 2-5).
This is most obvious in the case of hardware firewalls, but
it’s true of host software firewalls as well. A bastion host
firewall stands guard along the pathway of potential attack,
positioned to take the brunt of any attack. A firewall acts as
the vanguard, as the front line of defense against any
attack. A bastion host can also be called a sacrificial host.
In the case of a host software firewall, the firewall will
attempt to prevent all malicious interactions to and from the
host. In the event that the firewall itself is compromised, it
usually disconnects the system from the network. While this
is a form of DoS, it’s often a preferred fail-safe/fail-secure
response over defaulting to an open unrestricted and
unfiltered connection. This is especially true if the
connection is directly to the Internet.
FIGURE 2-5
An example of a bastion host firewall deployment.
If the firewall is able to rebuff an attack, then the
resources are secure. If the firewall falls due to the attack, it
prevents any further communication with the resources
behind it. Think of a firewall as a dead-man switch. If the
firewall fails or goes offline, so does the connection it was
filtering.
The most common function of a firewall is to screen or
filter traffic. The firewall checks any packet received on its
interface against its rule set to determine whether to
forward or drop the packet. As you read earlier, firewalls
typically function on a deny-by-default/allow-by-exception
security policy.
The firewall performs most traffic filtering based on
information in a packet or segment header. This can include
the IP address of the source and destination, as well as the
source and destination port. Some firewalls can also filter or
block specific protocols or certain uses of protocols. For
example, a firewall could block all streaming media
protocols and block just the Internet Control Message
Protocol (ICMP) type 3 (destination unreachable) and 11
(timeout exceeded).
Firewalls differentiate between networks or subnets. A
firewall serves as a clear and distinct boundary between one
network area and another. By positioning a firewall between
network divisions or subnets, the network designer and
security administrators are using traffic management and
control for traffic attempting to cross that intersection.
Firewalls serve as boundary devices both on the edge of
networks facing the Internet as well as internally between
different divisions within an organization.
Open and unrestricted internal communications might
sound like a good idea, but in practice such traffic causes
severe degradation of overall infrastructure performance
and stability. By preventing or at least limiting
communications between certain divisions of an
organization, traffic efficiency increases. Additionally, traffic
control and management decrease risk.
For example, by blocking communications between the
programming group’s network and the production network,
unapproved versions of software cannot leak out.
Additionally, blocking general access to the accounting
subnet, the research and development subnet, the DMZ,
and the extranet from the production network protects
against data leakage, spread of malicious code, and other
forms of fraud and abuse.
Firewalls can act as a general filter for malicious activity
or as a one-way sieve. As a general filter, a firewall will allow
all normal benign traffic to pass through. This is the type of
firewall used to protect a DMZ or differentiate subnets
within a LAN. A general filter firewall works to stop malicious
activities.
A general filter firewall can allow communication using
any protocol on any port or limit communications to specific
protocols and ports (amongst other limitations). If only a few
specific resources hosted behind the firewall are to be
accessed by external users, the firewall can allow access to
those specific internal systems based on IP address and port
but block all other inbound requests.
A sieve firewall will only allow traffic to originate from the
private or trusted side. A sieve firewall will allow non-
malicious responses to return from the public or less-trusted
side, but it will generally block or prevent any initiation or
inbound communication request from the outside. A sieve
firewall typically protects a private LAN or an extranet.
Firewalls can support special inbound authorized
connections with the LAN, such as VPN links from
telecommuters. This is an important feature for an extranet,
as well, since VPN access is often the only method to reach
hosted resources through the Internet.
Firewalls can provide port-forwarding services. Port
forwarding is a form of static reversal of network
translation. In traditional or dynamic network address
translation (NAT), external entities cannot initiate
communications with internal systems because any packet
received by the outside interface of the NAT system will not
find a matching mapping in the translation table and will
therefore be considered invalid and dropped.
With port forwarding, a translation mapping is coded so
that an external IP address and port combination are fixed
and redirect traffic to a specific internal system, even if the
internal system uses a private IP address. The combination
of an IP address and a port number is known as a socket.
In Figure 2-6, the external port 208.40.235.38:8081 is
forwarded to an internal server’s port at 192.168.5.74:80.
Port forwarding can also be called static NAT, traffic
forwarding, service redirection, reverse proxy, and
“punching a hole through the firewall.”
The phrase “punching a hole through the firewall” points
out a very important concern: namely, that using port
forwarding reduces the effective security provided by the
firewall. Without port forwarding or other similar services, a
firewall can rebuff attempts to communicate with internal
systems. Using port forwarding, you create a pathway
across the primary border sentry. Several hacker exploits
can take advantage of port forwarding to reach other
internal systems on other ports than what was “allowed” by
the port forwarding settings. These attacks are usually
variations of fragmentation manipulation.
FIGURE 2-6
An example of port forwarding across a NAT system.
Managing and controlling traffic is a primary concern and
function of firewalls. Only authorized communications are
allowed; everything else is blocked. The act of determining
what to allow and what to block depends on the filtering
features of the firewall. These include packet inspection,
connection or state management, stateful inspection, and
others. (A state is a logical connection between a client and
a resource server.) These filtering concepts are defined later
in this chapter.
In addition, firewalls can block or filter outbound traffic.
This function can block spoofed traffic or anything with an
invalid IP address as the destination or source. Specific
protocols or ports can be blocked as well. And, of course,
specific domain names or destination addresses can be
blocked.
Firewalls can also filter based on content. The firewall can
intercept specific content in a packet leaving the network
before it reaches the outside. This could result in the packet
being discarded, an entire connection being dropped, or the
packet being edited to remove the blocked content and
replace it with something else. Content filtering can focus
on domain name, URL, filename, file extension, or keywords
in the content.
Another capability of firewalls is the ability to filter based
on encryption. A firewall can allow encryption without
restriction. Or, a firewall can be set to block encryption on
some ports and not others. Firewalls can also block
encryption from and to all internal IP addresses except for
servers, VPN devices, and RAS/NAS.
Firewalls can perform intermediary functions between
hosts where network administrators deem direct
communication too risky. This is the basic function of a
proxy. A proxy firewall positioned along a communication
path can hide the identity of one or both endpoints of a
communication from the participants. In most cases, proxy
services hide the identities of internal systems from external
entities.
Firewalls can perform address conservation through the
use of an address conversion or translation system. NAT is
the most common translation service supported by
networks. NAT translates between internal addresses and
public external addresses. NAT allows a private network to
use RFC 1918 private IP addresses. This, in turn, provides
additional security, since Internet hosts cannot address an
RFC 1918 system directly.
Through the combination of all their features, functions,
and capabilities, firewalls provide consistent, reliable
protection for an organization’s computer and electronic
resources. But firewalls are not perfect and should not be
the sole security component of a network infrastructure.
They are only one element—although an essential one—of a
network security strategy.
Firewalls can log events. Firewalls can be set to record
any action into a log file. In addition, they can record the
content of any malicious traffic into a log file. And they can
record any abnormal network activity, performance levels,
and traffic statistics into a log file. Logging events is an
invaluable feature of a firewall.
Since perfect security products don’t exist, you must rely
on monitoring to watch for attempts (and any successes) to
breach or violate security. Security is locking things down to
the best of your ability, and then watching for attempts to
breach your defenses. Lock, then watch. A successful
security strategy is not possible without both locking and
watching. Additionally, most security components should
include a locking and a watching aspect to them. Firewalls
are no exception. If a proposed firewall product is unable to
record a log of its actions and network activities, then you
need to seek out a different firewall product. Remember the
time-tested business adage: “You get what you inspect, not
what you expect.”
TCP/IP Basics
To fully understand the mechanisms of filtering employed by
firewalls, you need a solid understanding of the TCP/IP
protocol suite. Thorough knowledge of TCP/IP benefits a
security administrator not just in the area of firewall
management, but also in routing, switching, maintaining
availability, improving network performance, managing
network traffic, analyzing protocol, understanding
vulnerabilities and exploits, and even performing
penetration testing or ethical hacking.
Most networks, including the Internet, use the TCP/IP
protocol. The most prevalent version in use is IPv4.
However, IPv6 is gaining wider use across the globe. During
this transitional period, you should learn about both
versions of IP. If you need additional detailed information
regarding TCP/IP, please consult: Stevens, W. Richard, and
Gary R. Wright. TCP/IP Illustrated, Volumes 1–3. Addison-
Wesley Professional, 1994.
Kozierok, Charles. The TCP/IP Guide: A Comprehensive,
Illustrated Internet Protocols Reference. No Starch
Press, 2005.
Comer, Douglas E. Internetworking with TCP/IP, Vol 1
(5th Edition). Prentice Hall, 2005.
The ARIN IPv6 Wiki at http://www.getipv6.info.
OSI Reference Model
Most protocol discussions begin with the Open Systems
Interconnection (OSI) Reference Model. The OSI model is a
standard conceptual tool used to discuss protocols and their
functions. The OSI model has seven layers (Figure 2-7). Each
layer communicates with its peer layer on the other end of a
communication session. While the OSI model is helpful in
understanding protocols, most protocols are not in full
compliance with it.
Below is a brief description of the OSI model’s seven
layers. Each layer has unique responsibilities, functions, and
features. The OSI model defines what needs to take place at
each layer and leaves the actual process of accomplishing
those tasks to the protocols and, ultimately, to the protocol
programmers.
NOTE
The OSI model is the documented standard for
discussing and describing network protocols. However,
TCP/IP is the de facto or practical standard, as it was
actually in use before the OSI model was developed
into actual protocols. Few products can directly support
the OSI model or its derived protocols. Instead, most
products support TCP/IP, in spite of its not being the
official, documented standard from the International
Standards Organization.
Application Layer (Layer 7)—The Application
Layer (Layer 7) enables communications with the
host software, including the operating system. The
Application Layer is the interface between the host
software and the network protocol stack. The sub-
protocols of this layer support specific applications or
types of data.
Presentation Layer (Layer 6)—The Presentation
Layer (Layer 6) translates the data received from the
host software into a format acceptable to the network.
This layer also performs this task in reverse for data
going from the network to the host software.
Session Layer (Layer 5)—The Session Layer
(Layer 5) manages the communication channel,
known as a session, between the endpoints of the
network communication. A single Transport Layer
connection between two systems can support
multiple, simultaneous sessions.
Transport Layer (Layer 4)—The Transport Layer
(Layer 4) formats and handles data transportation.
This transportation is independent of and transparent
to the application.
Network Layer (Layer 3)—The Network layer
(Layer 3) handles logical addressing (IP addresses)
and routing traffic.
Data Link Layer (Layer 2)—The Data Link Layer
(Layer 2) manages physical addressing (MAC
addresses) and supports the network topology, such
as Ethernet.
Physical Layer (Layer 1)—The Physical Layer
(Layer 1) converts data into transmitted bits over the
physical network medium.
What You Should Know About Addresses
Logical addresses, such as IP addresses, create global
distinction. At least for public IP addresses, all
addresses used on the Internet are unique.
Assignment of a logical address is independent of
physical location. Logical addresses enable
communications between two hosts, regardless of
their physical proximity to each other.
Physical addresses, such as MAC addresses,
create local distinction. MAC addresses must be
unique only within the local subnet. This enables a
distinction between physically proximate systems that
are able to receive the same electronic signal. The
manufacturer usually performs physical address
assignment of the NIC and is thus dependent on the
physical hardware component itself.
MAC addresses are dependent on the physical NIC;
the manufacturer assigns these as a “permanent”
hardware address. However, modifying or spoofing
the effective MAC address is usually possible on most
systems. MAC changes are possible using native
commands, as with Linux, Unix, and Mac OS, or with
third-party utilities, such as required by Windows.
Tools for this include MAC Spoof, MAC Makup, and
MAC changer.
FIGURE 2-7
The process of encapsulation and the names of header and
payload sets at each OSI layer.
As data moves from a software application for transmission
over the network, it traverses the layers of the protocol
stack from top to bottom. As each layer receives data from
the layer above it, that data becomes the payload with a
layer-specific header (Figure 2-7). At the Data Link Layer
(Layer 2), where Ethernet resides, the data receives a
footer as well. This process is known as encapsulation. The
inverse, known as de-encapsulation, occurs when a
network communication is received. As this process takes
place, the data set being manipulated receives unique
names, depending on the layer it traverses. They are
Application Layer (Layer 7)—PDU (payload data unit)
(data obtained from the host software application)
Presentation Layer (Layer 6)—PDU
Session Layer (Layer 5)—PDU
Transport Layer (Layer 4)—Segment
Network Layer (Layer 3)—Packet
Data Link Layer (Layer 2)—Frame
Physical Layer (Layer 1)—Bits of data
The encapsulation process of adding headers (and a footer
at the Data Link Layer) enables data exchange between
layers on different systems. This is known as peer-to-peer
communications. The content of a header includes
information to be processed by the corresponding layer on
the receiving end of a network link.
The content of the headers, mainly from Layers 2–4, are
the greatest concern and focus of a firewall. Application
proxy firewalls and stateful inspection firewalls can also
examine the headers and the payload content of Layers 5–
7. You will learn more about the methods of filtering based
on this layer information later in this chapter.
Sub-Protocols
TCP/IP is not a single protocol, but a collection of protocols.
Often referred to as the TCP/IP suite, this collection includes
several core protocols, such as IP, Transmission Control
Protocol (TCP), and User Datagram Protocol (UDP), as
well as several commonly used protocols, such as ARP,
ICMP, HTTP, and TLS. In addition to these, tens of thousands
of other protocols can operate within the network
infrastructure created by TCP/IP.
A firm knowledge of the sub-protocols of TCP/IP is
assumed but not essential to grasping the scope of this text.
Headers and Payloads
Firewalls, specifically packet-filtering firewalls, inspect the
contents of headers to allow or deny frames, packets, or
segments. Depending on the type of filtering and the layer
or protocol focus of the filtering, the item examined and the
header it comes from can vary.
technical TIP
For a more complete list of the additional sub-
protocols, along with their port assignments, please
view the document hosted by Internet Assigned
Numbers Authority (IANA) at
http://www.iana.org/assignments/port-numbers. Nearly
every one of the 65,536 ports has one or more
protocols and applications associated with it.
For a list of ports used by malicious software, visit
http://www.glocksoft.com/trojan_port.htm or
http://www.neohapsis.com/neolabs/neo-ports/neo-
ports.html.
Packet filtering often focuses on four main headers:
The Ethernet header of the frame from the Data Link
Layer
The IP header of the packet from the Network Layer
The TCP header of the segment from the Transport
Layer
The UDP header of the segment from the Transport
Layer
Each of these four headers has numerous details that affect
a filtering action. These include MAC addresses, IP
addresses, TCP header flags, port numbers, and more.
Addressing
With regard to the basic differences in IPv4 and IPv6
addressing, the issues to focus on are not subnet masks or
the length of an address, both of which are important, but
rather the issues of source and destination, public and
private, known and unknown, and benign and malicious, as
well as real and spoofed addresses.
Many forms of filtering focus on the IP address and/or
port number to make an allow or deny decision. Such
decisions or rules can focus on either the source address or
the destination address found in the header of a segment,
packet, or frame. In other words, port number, IP address, or
MAC address can support filtering as a source and/or
destination concern.
Firewall filtering can focus on whether an address is
public or private in both the source or destination position in
the IP packet header. Generally, private addresses function
on the private network and do not reach the outside. NAT
will translate source-private addresses into a public address
if the packet is heading toward an external destination. On
the Internet, both routers and firewalls drop any IP packet
that has an RFC 1918 address in the header. Firewalls can
filter on whether an address is known or unknown. This
function filters against addresses used for the source and/or
the destination. Known addresses are usually trusted
addresses. Packets with only trusted and known addresses
are allowed to reach their destination. Unknown addresses
are potentially not trusted. Packets with unknown addresses
can be stopped in every case or further inspected before an
allow or deny decision is made.
Firewalls can filter on whether an address is known to be
benign or malicious, a variation of known and unknown
filtering. However, instead of known addresses being
trusted and unknowns not being trusted, this method twists
the idea. A benign address is a known, trusted address and
a malicious address is a known, not trusted address. But in
both cases here, the addresses are known. Any unknown
address encountered using this form of filtering will require
additional subsequent filtering that looks at other aspects of
the traffic.
Firewalls can also filter on whether an address is real or
spoofed. This form of filtering is not as clear and distinct as
the previous types. Whether a segment, packet, or frame’s
address is the real correct address or a spoofed falsified
address can be difficult to determine in every situation.
When an address is a real address, in the sense that it’s
within the subnet ranges of a network, the methods for
determining whether it’s a spoofed address are few.
One method is to compare against a use table, such as
that maintained by the DHCP, to see if the address is not
currently assigned to any authorized system. Another
method is to check the route, communication path, receipt
vector, or receiving interface of the source address against
what that aspect should be for a given address. For
example, if a source address typically arrives on port 4 but it
shows up on port 7, it’s likely a spoofed source address.
Spoofed addresses can also be detected at border sentry
points. When a source address comes from the opposite
side of the firewall, then it’s obviously a spoofed address.
One clear example is when an internal LAN address appears
as a source address in a packet on its way in to a network
from outside. This form of spoof filtering can be part of
ingress filtering.
Likewise, the same process can be used for packets
leaving a network. Any packet whose source address is from
the outside, such as an Internet address, but the packet is
received by a firewall from an interface in the private LAN,
must be from a spoofed address. This form of spoof filtering
can be part of egress filtering.
These are most of the mechanisms that a firewall can
use to filter or manage traffic based on addresses. The
following sections examine the various types of firewalls and
filtering methods.
Types of Firewalls
Listing the types of firewalls is almost like listing the
taxonomy of the animal kingdom in biology. The variations,
models, and versions are numerous. In addition, opinions
vary about what is and is not a firewall. Many experts begin
the discussion of firewall types by dividing the collective into
two simple, main groupings: personal and commercial.
A personal firewall is designed to provide protection to
a single system or a small network, such as a SOHO
network. To take full advantage of their features, most
personal firewalls do not require special training or
certification. Most personal firewalls offer user-friendly
interfaces that may be Web-based or graphical in nature
(that is, a graphical user interface, or GUI).
A commercial firewall is designed to provide protection
for a medium-to-large business network. Most commercial
firewalls are quite complex and often require special training
and certification to take full advantage of their features.
Most commercial firewalls use a Unix-like command line
interface (CLI) that, while powerful and efficient, is not
intuitive.
These two groupings do not, however, represent the
complete collective of firewalls, as several could easily fall
into either or both categories. Another common grouping
method, therefore, is to classify firewalls as either hardware
or software.
A hardware firewall is a dedicated hardware device
specifically built and hardened to support the functions of
the firewall software running on it. A hardware firewall is
also known as an appliance firewall. A hardware firewall
does not require any additional hardware or software for its
use. All it needs is one or more network connections and a
power source.
A software firewall is an application installed on a host.
A software firewall is also known as a host firewall. A
software firewall depends upon the host’s hardware and
operating system. If the host’s components are not properly
hardened, the software firewall will be less effective,
especially if there are other communication pathways or
attack points on the host. Software firewalls must compete
for resources among all other processes active on the host.
A software firewall is only able to protect a single host from
malicious network activity. A software firewall is only able to
filter traffic that reaches the network interface of its host.
With these two types of divisions, four potential
combinations exist:
Personal hardware firewall
Commercial hardware firewall
Personal software firewall
Commercial software firewall
A personal software firewall is a product used on individual
home systems, on SOHO systems, and even on client/server
network workstations and servers. Generally, a personal
software firewall is free or less expensive than commercial
software firewall products. A personal software firewall
operates on its own to protect a single host.
A commercial software firewall is a product used on
client/server network work--stations and servers. While they
can be installed on personal or SOHO systems, they are
usually expensive and are part of an overall security
management or NAC system. Most commercial software
firewalls can be used in an agent/console infrastructure
where each host’s firewall can be remotely administered
from a master management console.
A personal hardware firewall is part of an integrated
firewall product, such as a wireless access point or a
cable/DSL modem. Another variation of the personal
hardware firewall is the repurposing of a client or server
computer into a home-crafted open-source firewall. One
example of this is SmoothWall, a hardened bootable Linux-
based firewall.
A commercial hardware firewall is usually a device that
handles the complexity of larger organizational networks. A
commercial hardware firewall is often very expensive,
running in the range of $10,000 or more.
FYI
Two common but different dichotomies are free versus
paid and open source versus closed source. Free
means you do not need to pay for the firewall to use it.
Paid means you must pay a purchase price and/or a
licensing fee to use it. Many examples of both free and
paid firewall products are available. Open source
means the original source code is available for viewing
and modification. Closed source means the
distributed version is pre-compiled and the original
source code is undisclosed.
Firewall products, as well as any other form of IT
product, can be free and open sourced, free and closed
sourced, paid and open sourced, and paid and closed
sourced. You should not assume that, because
something is free, it is open sourced, or that because
something is commercial, it must be purchased.
The personal and commercial versions of software and
hardware firewalls might include different add-ons or
enhancements than their commercial equivalents. These
add-ons or enhancements include antivirus, password
management, registry protection, driver protection, VPN
gateways, remote access support, IDSs, IPSs, spam filtering,
and more. Usually these add-ons make the firewall products
more attractive to the potential buyer. However, most
commercial entities would generally avoid integrated
firewall solutions in favor of dedicated products to handle
their distinct security or management functions. An
integrated device might offer easier administration, but it
represents a single point of failure for multiple services.
Additionally, such bundled solutions are more difficult to
troubleshoot due to the complexity of the communications
they support.
Another variation of firewall, in fact the original variation,
is a screening router. Most appliance routers and many
software routers, such as the Routing and Remote Access
Service (RRAS) of Windows Server, are able to perform
firewall filtering services in addition to routing. Those
screening routers that perform firewall filtering might
provide enough sentry security for your needs. However, if
you want more advanced features, a screening router is
unlikely to be the best solution for your network.
Regardless of the type of firewall or implementation, it is
important to be certain that your firewall implements the
security and privacy policies that you want but, at the same
time, does not conflict with other security measures. If, for
instance, a remote system that you will access requires use
of a certain protocol or procedure that is blocked by your
local firewall, then you have a problem that must be solved
before you can access the remote system.
Ingress and Egress Filtering
Ingress and egress filtering is a common tool for spoof
filtering. A source address that comes from the opposite
side of the firewall than where it is assigned is obviously a
spoofed address. An example of this is when an internal LAN
address appears as a source address in a packet on its way
into a network from outside. This form of spoof filtering can
be part of ingress filtering.
Likewise, the same process can filter for packets leaving
a network. If a packet with a source address from the
outside such as an Internet address is received by a firewall
from an interface inside the private LAN, this is also a
spoofed address. This form of spoof filtering can be part of
egress filtering.
Ingress and egress filtering can expand beyond
protection against spoofing and include a variety of
investigations on inbound and outbound traffic. This can
include blacklist and whitelist filtering, protocol and port
blocking, and confirmation of authentication or authorization
before communications continue.
Unfortunately, if a packet’s spoofed addresses don’t
violate any of these concerns, the spoofed addresses might
not be as easy to detect. For example, if a client spoofs an
IP address to look like another client in the same subnet, the
rules just described to catch spoofing would fail to notice
this spoofed communication.
In addition to basic ingress and egress filtering, firewalls
can support additional forms of packet examination and
investigation.
Types of Filtering
Filtering is the primary function of a firewall. Through its
filtering services, most of the other benefits and capabilities
of firewalls apply. Firewalls can support many different forms
of filtering. Additionally, the terms for the type of filtering
and the type of firewall are often used interchangeably. For
example, a firewall that supports packet filtering is known
as a packet filtering firewall.
Static Packet Filtering
The most common form of filtering is static packet
filtering. Static packet filtering uses a static or fixed set of
rules to filter network traffic. The rules can focus on source
or destination IP address, source or destination port number,
IP header protocol field value, ICMP types, fragmentation
flags, and IP options. Static packet filtering is therefore
mainly focused on the Network Layer (Layer 3), but can also
include Transport Layer (Layer 4) elements. Static packet
filtering focuses on header contents and does not examine
the payload of packets or segments.
Static packet filtering is fast. Traffic matching a deny rule
gets dropped, while traffic matching an allow rule gets to
continue toward its destination. Static packet filters are
invisible or transparent to hosts and users unless their
traffic is blocked; then they will notice the actions of the
firewall on their communications. Static packet filtering
requires the firewall administrator to define and tune the
rule set. Most firewall rule sets, including static packet
filtering rule sets, are a first-match ordered system. Static
packet filtering can be problematic when the rule sets get
too large. If the rules are in the wrong order or in a chaotic
order, the rule set could create loopholes or unintentionally
discard authorized traffic.
The complexities of network communications, such as
accepting query responses and port shifts, can be difficult to
handle with static packet filtering. Static packet filtering
may allow the subsequent packets of a fragmented
message through, even though the lead packet was
dropped. This can result in a DoS on the destination system,
which would be waiting for the lead packet that never
arrives.
Additionally, static packet filters perform their analysis on
individual packets, regardless of the relationship or
correlation between previous or future packets in a
communication stream. This could allow complex
multipacket attacks to bypass the firewall if each individual
packet is not recognized as malicious on its own.
Static packet filtering should still be used as a first line of
defense in spite of its shortcomings. By using static packet
filtering as the first layer of defense, subsequent layers of
filtering will have less bulk to address and thus can operate
more efficiently.
Stateful Inspection and Dynamic Packet
Filtering
Stateful inspection addresses the issue of complex malicious
traffic. Stateful packet filtering determines whether or not a
current packet is part of an existing session, and allow/deny
decisions are made based on this determination. A state is a
session of communication. Often, state refers to the
Transport Layer (Layer 4) protocol TCP’s virtual circuits
established through the three-way handshake (using the
SYN, SYN/ACK, and ACK flagged segments). However,
stateful inspection systems can also track communications
in Layers 5–7. A stateful inspection firewall will keep track of
current sessions in a state table stored in memory.
As the firewall encounters each packet, it is analyzed to
determine whether the packet is part of an existing state or
not. If not, it’s likely to be dropped unless it’s a packet used
to help initiate a new authorized session. Such a stateful
investigation can be considered a dynamic packet filter as
well. With static packet filtering, rules had to be created to
allow the outbound requests and the inbound replies. With
dynamic packet filtering, once a session is established,
the filtering watches for packets that don’t belong to
authorized sessions. Using stateful inspection as dynamic
packet filtering allows for simpler rule sets. A rule allows an
outbound connection and the firewall’s state management
automatically allows the return traffic.
Unfortunately, stateful inspection can sometimes be
fooled through manipulation of header contents that makes
malicious traffic look like part of an existing valid session.
More advanced stateful inspection filters keep track of not
just the basic endpoints of a session, but also additional
details about the session, such as the sequencing and
acknowledgment numbers. This reduces the risk but does
not fully eliminate it, as a hacker can eavesdrop on a
session, learn the sequencing numbers, and predict future
valid sequences.
Another issue with stateful inspection is that not all
traffic uses states. Specifically, UDP and ICMP are
connectionless protocols. So, state management won’t
apply to them. For these protocols, the firewall acts as if a
state does exist and keeps track of the source and
destination from outbound packets. These are added to the
state table with a timeout value. If the timeout occurs
before a response is received, the state is removed from the
table. A hacker can fool this mechanism in the same way as
any stateful protocol like TCP.
NOTE
Stateful inspection is a form of dynamic packet
filtering. Dynamic packet filtering is the process of
automatically creating temporary filters. In most cases,
the filters allow inbound responses to previous
outbound requests, but on a limited timeout basis.
Both forms of state or session awareness, dynamic
packet filtering and stateful inspection are usually
interchangeable terms.
Network Address Translation (NAT)
Network address translation (NAT) is not exactly a form of
filtering, but is often included in lists of the filtering services
or options provided by firewalls. NAT translates internal
addresses into external addresses. NAT can perform this
service against IP addresses as well as port numbers. Any
firewall that supports NAT can be a NAT firewall. In most
cases, NAT is an additional translation service to the core
filtering functions of a firewall. NAT is a common, if not
standard, feature of modern firewalls.
Application Proxy
An application proxy, application firewall, or
application gateway is an application-specific version of a
packet filter. However, unlike a static packet filter that is
only able to inspect the header of a packet or segment, an
application proxy is able to inspect traffic fully at any layer,
including the application payload.
An application proxy, even if given the name firewall or
gateway, acts as the go-between or middleman between a
client and a server. All communications for the specific
application are proxied. This grants the application firewall
the ability to inspect application-specific elements of the
traffic. Application proxies are application-specific, so
specific products for e-mail, Web, file transfer, database
access, VoIP, and other TCP/IP sub-protocols are available.
When an application proxy is deployed, it usually requires
that all client software be reconfigured to point
communications to the proxy server rather than the actual
intended resource server. The application proxy will also
rebuild the request packet before sending it to the resource
server. This can include NAT services, but in most cases, it’s
just a process of proxying the communication. The
application proxy maintains two connections, one between
itself and the requesting client and a second between itself
and the resource server. Thus, application proxies are not
transparent filters because a client is aware the proxy is in
use. The client never establishes a direct connection
between itself and the resource server when a proxy is
involved.
Additionally, all other firewalls monitoring a network
border must deny access for the application protocols to be
managed by the application proxy. This prevents a user from
attempting to bypass the application proxy.
Application firewalls can filter on the content of the
application payload. This can include IP addresses, domain
names, URLs, sub-protocols, attachments, keywords, and
more. An application proxy can inspect every aspect of an
application’s communications. This is known as deep packet
inspection.
Application proxies can also perform caching services to
improve performance and reduce connection throughput
consumption.
The primary limitation of application proxy firewalls is
each unique application will need its own dedicated
application proxy. Generic proxy systems are usually
ineffective.
Circuit Proxy
A circuit proxy or circuit firewall focuses its filtering on
the initial setup process of a session, state, or circuit. This
form of filtering can focus on Layers 3–5. It functions
similarly to an application proxy, as it acts as a middleman
between a client and server. A circuit proxy prevents a
direct connection from existing between a client and server
to protect the network.
A circuit proxy makes an allow or deny decision on the
initiation of the session, state, or circuit. Once a circuit is
created, no further filtering takes place. If a client is allowed
to initiate communications with a resource server, then the
content of their communication is unfiltered and
unmonitored (at least by the circuit proxy).
The filtering rules of circuit proxies are similar to those of
static packet filtering in that a list of rules of IP addresses,
port numbers, domain names, networks, or even resource
providers determines what circuits or connections are
allowed and which are not. The filter set can be a deny all
but allow exceptions stance, or an allow all but deny
exceptions stance.
Content Filtering
Firewalls can also filter based on content. The firewall can
intercept specific content in a packet leaving the network
before it reaches the outside. This could result in the packet
being discarded, an entire connection being dropped, or the
packet being edited to remove the blocked content and
replace it with something else. Content filtering can focus
on domain name, URL, filename, file extension, or some
other form of keyword.
Content filtering is often a feature of application proxy
firewalls, stateful inspection firewalls, and dynamic packet
filtering firewalls.
Software Versus Hardware
Firewalls
A software firewall is an application installed on a host. A
hardware firewall is a dedicated hardware device specifically
built and hardened to support the functions of the firewall
software running on it.
A software firewall is also known as a host firewall. A
hardware firewall is also known as an appliance firewall.
A software firewall depends upon the host’s hardware
and operating system. If the host’s components are not
properly hardened, the software firewall will be less
effective if other communication pathways or attack points
on the host exist. A hardware firewall does not require any
additional hardware or software for its deployment. All it
needs is one or more network connections and a power
source.
Software firewalls must compete for resources among all
other processes active on the host. A hardware firewall has
dedicated hardware resources not shared with any other
service.
A software firewall is only able to protect a single host
from malicious network activity. A hardware firewall can
protect a single system or an entire network A software
firewall is only able to filter traffic that reaches the network
interface of its host. A hardware firewall can also only filter
traffic that reaches the network interfaces of its appliance.
However, a hardware firewall can be positioned on a
network at a choke-point or gateway to analyze and filter all
traffic.
A software firewall and a hardware firewall are both a
form of software, but the hardware firewall has a dedicated
appliance as its host, while the software firewall uses a
standard client or server as its host. In either case, software
flaws or bugs in programming can cause the firewall to fail.
A software firewall and a hardware firewall can both be
targets of attack. Exploits can compromise their software
component or physical attacks can harm their
host/appliance.
A software firewall is often less expensive than a
hardware firewall. A hardware firewall typically offers a
wider range of features and capabilities than a software
firewall.
Both software firewalls and hardware firewalls are options
you can use throughout a network infrastructure.
IPv4 Versus IPv6 Firewalls
No real distinction exists between a firewall designed for
IPv4 and one designed for IPv6. Many firewalls can already
support both versions of IP. If you are planning to migrate to
IPv6 or have already started the conversion process, be sure
your firewalls support IPv6.
A small issue affects filtering between IPv6 and IPv4
subnets. A protocol translation tool can support interaction
between networks using different versions of IP. This
translation tool is called Network Address Translation–
Protocol Translation (NAT-PT) and was defined in RFC 2766
by the IETF. Be sure your selected firewall supports NAT-PT if
you plan to communicate across an IP version barrier.
If you would like to read more on this translation issue or
gain further understanding about IPv6, please visit:
The ARIN IPv6 Wiki at http://www.getipv6.info
IPv6.com at http://www.ipv6.com
Dual-Homed and Triple-Homed
Firewalls
Firewalls, specifically hardware appliance firewalls, typically
have two or more network interfaces. A firewall with two
interfaces is known as a dual-homed firewall, while a
firewall with three interfaces is known as a triple-homed
firewall or a three-legged firewall.
The benefit of multiple interfaces is that the segments,
subnets, or networks connected to each firewall interface
are electronically isolated from each other. This prevents
unfiltered traffic from leaping from one segment to another
in an attempt to bypass firewall filtering.
However, for software firewalls using multiple interfaces,
you need to ensure that the TCP/IP protocol feature called IP
forwarding is disabled. IP forwarding is actually a router rule
that allows traffic from one interface to exit another
interface without needing to move any further up the
protocol static than where IP resides. In many cases, IP
forwarding allows packets to bypass filtering. If the system
is to be a firewall, you should disable this feature.
Software host firewalls are most often single-homed
firewalls since the host only has only a single NIC. This is
acceptable, since the software host firewall is not providing
sentry services between network segments, but between
the host and the network.
While firewalls with four or more interfaces are possible,
they are rarely deployed. Such a configuration requires
significantly more complex filtering and routing rules to
operate effectively. It’s also a significant single point of
failure and a bottleneck to traffic flow between multiple
network segments.
NOTE
If a system is to function as a router rather than a
firewall, IP forwarding might be a desirable function.
Placement of Firewalls
The placement of your network’s firewalls depends on
several key but subjective factors. No single correct answer
or deployment strategy is perfect for everyone. However,
several good general guidelines can be of help in planning
firewall placement.
First, understand the structure of your network. Where
are natural or organizational divisions on the network? Do
they correspond to distinct subnets or geographic/physical
locations? In many situations, placing a firewall between
each division or physical location (even different floors of a
building) can be beneficial. Do you have a DMZ or extranet?
You will need to isolate these from the private LAN and from
the Internet.
Second, know the traffic patterns of your network. What
are the common vectors and pathways of communication,
both between internal systems and between internal and
external systems? Consider positioning firewalls so that they
can filter all traffic. This may involve the creation of
chokepoints.
Third, is Internet connectivity essential to business tasks?
You should firewall-protect all Internet access points or
gateways. In fact, any external gateway or portal should
have a firewall.
Fourth, is any form of remote access in use, including
wireless? You should position a firewall between each RAS or
NAS and the private LAN. Assume all remote and wireless
connections are potentially malicious.
Fifth, based on previous compromises, what are the most
likely access pathways an internal or external hacker might
use to breach your network? Place firewalls along these
pathways.
Sixth, does any other unique aspect or feature of your IT
infrastructure warrant consideration for firewall protection?
Placing a firewall everywhere mentioned in these
guidelines may not be practical, cost effective, or secure. So
before any deployment, conduct a risk assessment to
determine whether a firewall is the best choice of
countermeasure. Review the section “Why Do You Need a
Firewall?” for more information on conducting risk
assessments.
CHAPTER SUMMARY
An essential element of network security, a firewall is
a filtering service used to protect your network and
hosts from a variety of threats, both internal and
external. Several types of firewalls are available,
including screening routers, hardware appliances, and
host software products. Each of these firewalls can
employ one or more features for ingress and egress
filtering. The common filtering features include static
packet filtering, stateful inspection or dynamic packet
filtering, NAT, application proxy, and circuit proxy.
KEY CONCEPTS AND TERMS
802.1x
Agent
Annualized loss expectancy (ALE)
Annualized rate of occurrence (ARO)
Appliance firewall
Application Layer (Layer 7)
Application firewall
Application gateway
Application proxy
Asset value (AV)
Bastion host
Border sentry
Botnet
Bots
Bump-in-the-stack
Bump-in-the-wire
Circuit
Circuit firewall
Circuit proxy
Closed source
Commercial firewall
Content filtering
Cost/benefit analysis
Data Link Layer (Layer 2)
Dead-man switch
De-encapsulation
Dual-homed firewall
Dynamic packet filtering
Exposure factor (EF)
Fail-safe/fail-secure
Frame
Gateway
Hardware address
Hardware firewall
Header
Host firewall
Intangible costs and value
Internet Control Message Protocol (ICMP)
IP address
Load balancer
Logical address
Network Layer (Layer 3)
Open source
Packet
Payload
Personal firewall
Physical address
Physical Layer (Layer 1)
Port forwarding
Port number
Presentation Layer (Layer 6)
Public key infrastructure (PKI)
Reverse proxy
Risk assessment
Risk management
Rule set
Rule
Sacrificial host
Screening router
Secure Sockets Layer (SSL)
Segment
Session
Session Layer (Layer 5)
Single loss expectancy (SLE)
Socket
Software firewall
Spoofing
State
Stateful inspection
Static NAT
Static packet filtering
Tangible costs and value
Transmission Control Protocol (TCP)
Transport Layer (Layer 4)
Transport Layer Security (TLS)
Transport mode encryption
Triple-homed firewall
Tunnel mode encryption
User Datagram Protocol (UDP)
Zombie
Zone of risk
Zone of trust
CHAPTER 2 ASSESSMENT
1. What is another term for the individual rules in a
firewall rule set?
A. States
B. Exceptions
C. Policies
D. Referrals
E. Sentries
2. Which of the following is not associated with a firewall?
A. Fail-secure
B. Sentry device
C. Fail-open
D. Chokepoint
E. Filtering service
3. A firewall is designed to allow what type of traffic to
traverse its interfaces?
A. Authorized
B. Non-benign
C. Unknown
D. Abnormal
E. Malicious
4. What is the first step in deploying a firewall?
A. Determining the filtering process
B. Defining rules
C. Selecting a security stance
D. Purchasing a license
E. Writing a security policy
5. Which of the following is the best description of a
firewall?
A. An authentication service
B. A remote access server
C. A resource host
D. A sentry device
E. A malicious code scanner
6. A border firewall cannot protect against which of the
following?
A. Flooding attacks
B. Insider attacking another internal target
C. Protocol abuses
D. Unauthorized inbound service requests
E. Port scans
7. All of the following are mistakes in firewall security
except:
A. Managing security poorly
B. Deploying too many firewalls
C. Using firewalls to provide filtering for networks and
hosts
D. Not writing a security policy
E. Failing to keep current with updates and patches
8. What is the primary reason a firewall is an essential
security product?
A. Low cost of deployment
B. Threats exist
C. High ROI
D. Native protocol encryption
E. Interoperability
9. What technique determines if a firewall is the best
countermeasure choice for a particular threat against a
specific asset?
A. Conducting a risk assessment
B. Reading blogs
C. Buying the least expensive option
D. Only using open-source products
E. Using products from a single vendor
10. Which of the following is not a common zone of risk?
A. An extranet
B. A DMZ
C. A private LAN
D. The Internet
E. Department subnets
11. Which of the following statements are true?
A. A firewall can be deployed as a bastion host.
B. Firewalls protect resources.
C. Firewalls are often the first line of defense for a
network.
D. Firewalls are part of an overall security strategy.
E. All of the above
12. When a one-way or sieve firewall protecting your
network allows external initiations of communications to
occur over a specific socket, this is known as: A. Static
NAT
B. Traffic forwarding
C. Port forwarding
D. Reverse proxy
E. All of the above
13. What is ingress filtering?
A. Restricting traffic to a specific subnet
B. Preventing traffic from leaving a network
C. Limiting host activities to that host
D. Monitoring traffic on its way inbound
E. Blocking access to external resource sockets
14. Content filtering can focus on the following aspects of
traffic except:
A. Source or destination IP address
B. Keywords in the payload
C. URLs
D. File extensions
E. Domain names
15. Which of the following will prevent firewall filtering from
blocking malicious content?
A. Speed of the network
B. User permissions
C. Not being positioned at a chokepoint
D. Encrypted traffic
E. Cable type
16. Which of the following is not a valid method for
determining whether a source address is spoofed?
A. Comparing against a use table
B. Verifying the route of reception
C. Checking the DHCP logs
D. Checking against RFC 1918
E. Performing ingress filtering
17. What form of filtering focuses on source or destination
IP address and requires separate rules for inbound and
outbound communications?
A. Stateful inspection
B. Static packet filtering
C. Application proxy
D. Circuit proxy
E. Dynamic packet filtering
18. Dynamic packet filtering is also known as:
A. Static packet filtering
B. Application proxy
C. Stateful inspection
D. Circuit proxy
E. Deep packet inspection
19. What method of filtering automatically keeps track of
sessions on a limited timeout basis to allow responses to
queries to reach internal clients?
A. Deep packet inspection
B. Static packet filtering
C. Application proxy
D. Dynamic packet filtering
E. Circuit proxy
20. What form of filtering allows communications
regardless of content once the session is established?
A. Dynamic packet filtering
B. Circuit proxy
C. Stateful inspection
D. Application proxy
E. Deep packet inspection
FIGURE 2-8
The seven domains of a typical IT infrastructure.
21. What type of firewall requires the presence of a host
operating system?
A. Appliance firewall
B. Personal firewall
C. Software firewall
D. Commercial firewall
E. Screening router
22. Based on the seven domains of a typical IT
infrastructure, all of the following locations (see Figure
2-8) are appropriate locations for firewall deployment
except: A. Between users and workstations
B. Between workstations and a LAN
C. Between a LAN and a WAN
D. Between remote access and a LAN
E. Between remote access and application servers
23. What activity performed by a triple-homed firewall
cannot be performed by a dual-homed firewall?
A. Filtering content
B. Physically isolating subnets
C. Supporting NAT proxy services
D. Deployment as an appliance
E. Deployment traffic from the Internet to either an
intranet or a DMZ
CHAPTER
3 VPN Fundamentals
VIRTUAL PRIVATE NETWORKS (VPNS) allow organizations to transmit private and sensitive data securely over public
intermediary networks. The Internet can serve as a cheap
long-distance carrier for WAN connections established using
VPNs. VPNs use native operating system features or third-
party software, as well as hardware devices, including edge
routers, firewalls, and VPN appliances. Remote access for
mobile users, linked multi-office intranets, and secured
access into an extranet are common VPN architecture
solutions.
The use of VPNs on networks ranging from small home
networks to corporate global networks has dramatically
expanded the ways people connect and do their work.
Through the use of VPNs, telecommuting employees,
business partners, traveling workers, suppliers, distributors,
and others can benefit from secured connectivity even while
geographically distant. With a basic understanding of VPNs,
you can begin designing and planning your own VPN
solution.
Chapter 3 Topics
This chapter covers the following topics and
concepts:
What a VPN is and what is it used for
What the benefits of a VPN are and why you
would deploy one What the limitations of a
VPN are
What the relationship between encryption
and VPNs is
What VPN authentication is and how is it
implemented
What VPN authorization is and why is it
necessary
Chapter 3 Goals
When you complete this chapter, you will be able
to:
Define VPNs
Explain the business and personal uses of
VPNs
Describe the pros and cons of VPNs
Illustrate deployment models or architectures
of VPNs, including an edge router, a
corporate firewall, a VPN appliance, a remote
access server, a site-to-site VPN and
supporting devices, and a host-to-host VPN
and supporting devices Differentiate
between a transport-mode VPN and a tunnel-
mode VPN
Describe the importance of encryption,
authentication, and authorization to VPNs
What Is a Virtual Private Network?
A short and direct definition is that a virtual private
network (VPN) is a mechanism to establish a secure
remote access connection across an intermediary
network, often the Internet. VPNs allow remote access,
remote control, and highly secured communications within a
private network. VPNs employ encryption and
authentication to provide confidentiality, integrity, and
privacy protection for network communications.
A more involved exploration of the phrase “virtual private
networks,” however, can reveal other import aspects that
such a succinct definition overlooks. The term VPN has its
origins in the telecommunications world. A telephone VPN
created a PBX-like system for businesses without the need
for deployment of true private branch exchange (PBX)
hardware. Instead, the system used a public telephone
service and the PBX services at the telco’s central offices.
This service/product sold under the name Centrex (a
combination of the terms central and exchange) in the
1960s through the 1980s.
After the proliferation of computer networks and Internet
connectivity, the term VPN evolved to refer to tunneling
connections across network links. Early computer VPNs
focused on the tunneling or encapsulation processes and
rarely included encryption services. Today, VPNs are almost
always secured using encryption. However, you should
never assume anything is totally secure, especially
connections over public networks. You should always
confirm that a product performs encryption properly before
depending on it for sensitive operations.
A VPN creates or simulates a network connection over an
intermediary network. But what makes a VPN private? At
least three possible mechanisms can work: When the
primary organization owns all of the network infrastructure
components, including switches, routers, and cables. A true
private VPN occurs when a single organization owns all of
the hardware supporting its VPN. However, few
organizations actually own all of the connections between
their locations, so this is usually impractical or prohibitively
expensive. This wholly owned and operated system
constitutes a trusted VPN.
When a dedicated set of channels is used across
leased telco connections. This method provides
physical isolation even on third-party equipment;
hence privacy is maintained. This type of system is
more practical, but is still expensive. This can also be
called a trusted VPN, since you must be able to trust
the owner of the hosting infrastructure to protect
network communications against eavesdropping.
When encryption ensures privacy even over public
networks, such as the Internet. This method is the
most reliable, as the other two options are still at risk
to eavesdropping. Additionally, encryption to provide
privacy is not only practical, it is the least expensive
option as well. This system can be called a secured
VPN.
A fourth type private VPN is possible, known as a hybrid
VPN. This form of VPN establishes a secure VPN over
trusted VPN connections. A trusted VPN allows an
organization to know and control the pathway of its
transmissions. However, a trusted VPN does not protect
against eavesdropping or alteration. A secure VPN protects
the confidentiality and integrity of data, but does not control
or ensure the transmission path. When you combine these
two VPN techniques, you create a potentially more secure
and practical solution. Two possible layouts of hybrid VPNs
are shown in Figures 3-1 and 3-2.
FIGURE 3-1
A hybrid VPN consisting of a secure VPN across an
intermediary trusted VPN.
FIGURE 3-2
A hybrid VPN consisting of a secure VPN segment within a
trusted VPN.
VPNs are often associated with remote access or remote
control. However, these associations need clarification to
have value. Remote control is the ability to use a local
computer system to remotely take over control of another
computer over a network connection. In a way, this process
is the application of the thin client concept on a fully
capable modern workstation to simulate working against a
mainframe or to virtualize your physical presence. This
application is generally the same as a VPN, which creates a
remote network connection rather than a remote control
session.
With a remote control connection in place, the local
monitor, keyboard, and mouse control a remote system.
This process looks and feels like you are physically present
at the keyboard of the remote system, which could be
located in another city or even on the other side of the
world. Every action you perform locally acts as if you were
physically present at that remote computer virtually via the
remote control connection. The only limitations are the
speed of the intermediary network link and the inability to
physically insert or remove media and peripherals.
You might think of remote control as a form of software-
based thin client or terminal client. In fact, many thin client
and terminal client products sell as remote control solutions.
Many modern operating systems include remote control
features, such as Remote Desktop found in most versions of
Windows. Once enabled, a Remote Desktop connection
remotely controls another Windows system from across the
network.
Remote access is different from remote control. A remote
access link enables access to network resources using a
WAN link to connect to the geographically distant network.
In effect, remote access creates a local network link for a
system not physically near the network. Over a remote
access connection, a client system can technically perform
all the same tasks as a locally connected client. Network
administrators can impose restrictions on what resources
and services a remote access VPN client can use.
Remote access and VPNs were originally supported over
dial-up telephone links using modems. Today, remote access
encompasses a variety of connection types including ISDN,
DSL, cable modem, satellite, mobile broadband, and more.
Due to the wide availability of high-speed Internet
connections, VPNs and other remote access solutions have
become very popular for both personal and business
purposes.
In many cases, a remote access connection is created
from a remote client back to a primary network. If the
remote client needs to connect directly to the LAN, such as
over a dial-up connection, a RAS server will host a modem
to accept the connection. If the remote client can use the
Internet to access the LAN, then a local Internet connection
is necessary. Once a normal LAN connection or Internet
connection runs from the client, the VPN link is possible.
Once the connection is established, the remote client can
interact with the network as if it were locally connected.
In Figure 3-3, a LAN and a remote client have a
connection to the Internet. These two connections are
independent of each other. The LAN’s connection is usually
a permanent or dedicated connection supporting both
inbound and outbound activities with the Internet. The
remote client can have a dedicated or non-dedicated
connection to the Internet. In the latter case, the
connection is established before a VPN can be created. Once
both endpoints have a connection to the intermediary
network, in this case the Internet, the VPN can be created.
In Figure 3-4, a new network connection is established from
the remote client to the LAN across the intermediary
network. This new network connection is the VPN.
VPNs can operate over standard Internet connections or
dedicated business communication circuits, such as ATM
and Frame Relay. However, the additional expense of a
dedicated, isolated, and even secured business circuit isn’t
necessary with a VPN. A VPN can operate securely over the
Internet and still provide high levels of security through solid
encryption. This allows inexpensive insecure links to replace
expensive business-leased lines without sacrificing security.
FIGURE 3-3
A corporate LAN and a remote client with Internet
connections.
FIGURE 3-4
A VPN established between a remote client and a LAN over
the Internet.
VPNs are one of the most efficient and cost-effective
means to provide secure remote connectivity. VPNs take
advantage of cheap long distance connections when
established over the Internet, since both endpoints need
only a local Internet link. The Internet itself serves as a
“free” long distance carrier. Because the speed of the VPN
depends on the speed of the local Internet link, you still
might want an optical carrier (OC) line (such as an OC-1
at 51.84 Mbps) for high-speed connectivity.
Connections from a LAN to an intermediary network can
support VPN traffic only or allow a combination of both VPN
and normal non-VPN traffic. The latter configuration is less
secure, but offers you flexibility as to whether all
communications must be VPN-secured or not. An Internet
connection reserved solely for VPN use, therefore, is not
necessary. An OC-1 line is more than capable of supporting
one or more VPN links in addition to numerous non-VPN
Internet sessions with no difficulty or latency.
Setting up VPNs can require extensive knowledge and
expertise on the part of the IT or security administrator. For
example, some important concerns of secure VPNs include:
All VPN traffic must be authenticated and encrypted. A VPN
without authentication is not private, and a VPN without
encryption is insecure.
All VPN endpoints must abide by the same security
parameters and algorithms. Each VPN tunnel must
have corresponding encryption key sets to securely
exchange encrypted content. Additionally, the same
security policy should govern all endpoints.
Proper encryption protocols must ensure that no
external third party can affect the security of the VPN.
Weak encryption makes a “secure” VPN worthless.
When you use a trusted VPN, you need to consider its own
unique concerns:
Only the trusted VPN provider should be able to modify
the channels or pathway of the VPN. A trusted VPN is
based on the provider’s ability to limit and control
access to the VPN’s content.
Only the trusted VPN provider can add, remove, or
change data in the trusted channel. Violating this
violates the trust the client places in the provider.
The addressing and routing performed within the
trusted VPN must be defined before the VPN goes
online. These services are usually pre-defined in the
SLA (service level agreement), but may be
dynamically modified for each VPN connection.
Even hybrid VPNs have an important focus for concern,
namely that the segments of the VPN that are trusted
versus secured need clear definition. Mistaking security for
trust—or vice versa—can have devastating results.
VPNs use tunneling or encapsulation protocols. Tunneling
protocols encase the original network protocol so that it can
traverse the intermediary network. In many cases, the
tunneling protocol employs encryption so that the original
data traverses the intermediary network securely. The
protocols that create VPNs include IPSec, PPTP, L2TP, SSL,
and TLS. The dominant forms of secure VPNs use IPSec or
SSL/TLS as the tunneling/encapsulation protocol.
Most VPNs use software that operates on top of the
operating system of a host. However, some VPN appliances
can support VPN connectivity without adding any software
to the host. In much the same way that a host firewall works
only on the host where it is installed, an appliance firewall
provides security services for the entire network. A host
VPN software product allows a single host access to VPN
services, while a VPN appliance allows an entire network
to access VPN services.
VPNs simplify many business networking problems by
providing an easy and efficient means to securely connect
headquarters, remote offices, traveling workers, and
telecommuters.
What Are the Benefits of Deploying a
VPN?
The reasons to deploy and use VPNs vary greatly among
organizations. Many of the obvious reasons are based on the
benefits of a VPN. Nevertheless, other reasons are based on
business or personal factors needing the solutions VPNs
readily provide.
Cost is always a significant factor in any business
decision. Budgets are never unlimited, so organizations
must shepherd their limited funds to accomplish their
missions and goals. One common goal is high productivity.
Granting workers the ability to access and use resources in
a timely and efficient manner assists in the completion of
work. When those resources are computer files or network
services, employees no longer need to be in the same
building as those resources. Remote access to resources,
therefore, is becoming more common than ever.
Secure remote access is essential. As the proliferation of
access and connectivity spreads from work to home to
portable/mobile devices, access to the Internet and private
LANs is becoming ubiquitous. Companies must use security
controls on resource access or suffer the consequences of
insecure access methods. With the removal of physical
limitations for access comes the loss of control over where
and how workers connect back into the private LAN.
Workers connect into the company LAN from mobile
phones, through Internet cafés, over hotel networks, and at
random Wi-Fi hotspots. Many use personally owned laptop
computers and hand-held mobile devices rather than
officially issued company systems. All of these are outside
the control of the company’s IT and security department.
The only option is to limit LAN connections to those that can
be secured. Thus, VPNs have become a necessity in the
brave new mobile and interconnected world.
VPNs support remote access from a wide variety of
complex devices, reduce risk caused by insecure access
locations, and enable interaction with all LAN resources.
Furthermore, flexibility, scalability, ease of administration,
reliability, and more make VPNs an obvious choice in the
face of modern connectivity risks and challenges.
FIGURE 3-5
A corporate network using dedicated leased lines versus
using VPNs over the Internet.
Does every worker and every organization need VPNs
and remote access? No. For many work situations, VPNs are
not the correct solution. These include any form of work that
requires special tools, physical access to equipment, or
close supervision by managers.
Remote access, mobile connectivity, and secured
communications are solid reasons to deploy and use a VPN.
But are these the only positive aspects of a VPN?
The most often touted benefit of VPNs is cost savings.
They are a great way to save on long distance charges for
telecommuters and traveling workers. They also create
huge savings for businesses that would need only local
Internet links for a VPN rather than a dedicated leased line
between each location (Figure 3-5). The farther away each
business location is and the more locations a company has,
the more of a cost savings a VPN can generate.
Additionally, to truly compare the connectivity that a VPN
offers to dedicated leased lines, you need a full mesh of
leased lines. A full mesh requires a line between each
business location. This allows for direct communication
between one site and another. Since a VPN across the
Internet would provide the equivalent site-to-site
communication capabilities, only a mesh network of
dedicated leased lines can truly compare. This solution is
obviously very expensive compared to a VPN’s significant
cost savings.
As corporations seek to reduce IT infrastructure costs, a
common technique is to allow employees to telecommute.
Telecommuting allows workers to access corporate
resources whether the employee works from home, while
traveling, or while on site with a customer. In the past,
telecommuting clearly implied the use of dial-up
connections to connect with the company LAN.
With the proliferation of high-speed broadband
connections and Wi-Fi, telecommuting has become more
plausible and realistic. Through the use of VPNs,
telecommuting enables a true remote office rather than just
a file exchange and communication system. VPNs make
telecommuting not only possible, but also practical and
secure. VPNs make expanding the workforce no longer a
geographically limited proposition.
Extranets are often deployed as businesses establish new
partnerships or seek more interaction with suppliers,
distributors, and other external entities. Extranets are
border networks, similar to a DMZ, where resources are
hosted for access by external entities. However, unlike a
DMZ, an extranet is not open for public use. Only a limited
and specific set of users is allowed to connect into an
extranet. Often, this limitation means that a specific VPN
configuration is necessary to access the extranet’s
resources. With VPNs, extranets are both possible and
practical.
VPNs allow system administrators to remotely manage
and control a network. VPNs allow employees to work from
anywhere. VPNs allow friends to create WAN links to support
multiplayer games. VPNs allow technical support to
remotely repair client systems. A VPN is the solution
anytime a network connection is needed between two
systems or two networks, but installing a direct cable
connection is unfeasible.
Often, the real benefits of a VPN are not from the VPN
itself, but from all the new possibilities for work, research,
learning, and play feasible because of a VPN. These benefits
include: Reduced equipment costs
Unlimited geographic connectivity
Increased flexibility and versatility of worker location
Improved privacy and confidentiality due to strong
encryption Verified transmission integrity
Fully scalable global infrastructure and architecture
Rapid deployment options
Flexible integration with existing networks and
technologies Faster return on investment (ROI) than
traditional WAN infrastructures Reduced dependence
on long-distance carrier solutions
Reduced support burden as ISP
Individuals and organizations that use VPNs and integrate
them in new and unique ways are sure to reap additional
benefits. History shows us that as new means of
communication are created, they often change and are used
in ways that were unpredictable at the beginning of their
adoption. However, VPNs are not perfect, and some very
real and challenging issues limit the use of VPNs.
What Are the Limitations of a VPN?
While the use of VPNs has many benefits, you need to
evaluate the very real and distinct limitations before you put
a VPN in place.
Although a VPN connection offers flexible secure
communication options, it does not ensure quality of
service. A VPN link is dependent upon the stability,
throughput, and availability of the ISP connection as well as
the intervening network connections between endpoints.
VPNs over the Internet can easily suffer from latency,
fragmentation, traffic congestion, and dropped packets.
This also results in a lack of dedicated bandwidth between
business sites because of the volatility of the Internet.
technical TIP
Encrypted traffic does not compress. Compression
reduces the size of a data set, removing redundancies
or repeated sections within the data set. Properly
encrypted data produces ciphertext that does not
contain redundancies or recognizable patterns. If
ciphertext did have these characteristics, it would not
be as secure. Thus, without these redundancies, it’s
not possible to compress encrypted data.
While VPNs are excellent solutions over nearly every
broadband connection option, a VPN can be difficult to
maintain over dial-up. VPN traffic is encrypted, and
encrypted traffic does not compress. Most dial-up modem
connections rely on compression—mainly hardware
compression—to improve connection speed. When
compression is not possible, a significant and noticeable
speed reduction occurs. Additionally, VPN tunnel
management can impose a significant increase in
management overhead because of changes in protocol
headers, potential authentication latency, and a prolonged
connection establishment negotiation.
Another area of concern is the minor risk or potential of
data exposure while in transit over the Internet. This is only
a real concern if the VPN does not use encryption, uses poor
encryption, or configures the encryption improperly. Proper
security management will eliminate this as a serious
concern.
Vulnerabilities exist at VPN endpoints. With a VPN, side
attacks against the encrypted link are nearly eliminated.
However, data entering or leaving the VPN is at risk. An end-
user computer could be infected by malicious code that can
traverse the VPN link into the company LAN. Also, private
and confidential data from the company LAN can be copied
across the VPN link to the end-user computer. On this
computer, that data is less secure and subject to a wider
range of threats.
You should also consider the increased difficulty in
providing technical support remotely. This is especially true
when the remote connection itself is not functioning. In
addition, it’s more difficult to keep remote systems in
compliance with security settings, conduct training, allow
supervisory oversight, enable HR management, and monitor
user activities.
Not every person is a good candidate for a remote user.
Those who are easily distracted, who are not motivated, or
whose home environment is not conducive to work are
prime examples of those who should stay in the office rather
than work from home.
technical TIP
The latest generation of traditional telephone modems
is often rated with a speed of 56 Kbps. Most of that
speed is the result of hardware compression. Without
compression, most modem speeds are significantly
slower—24 Kbps or less.
An even larger concern is granting open or blanket
unrestricted network-resource access to those connecting
via VPN. You must enforce stronger authentication and
authorization limitations on VPN users, especially on VPN
telecommuters. Remote users should have access only to
those resources necessary for their current tasks. Unlimited
access to network resources can quickly result in
exploitation and confidential data leakage if the remote user
or the remote computer is compromised.
If you understand these limitations and address them
properly, you can help to avoid catastrophic mistakes when
correctly installing and productively using VPNs. One of the
primary tools to accomplish this is the VPN policy.
What Are Effective VPN Policies?
Effective VPN policies are those that clearly define security
restrictions imposed on VPNs that align with the overall IT
mission and goals of your organization. VPNs can offer
numerous exciting possibilities of mobility and
interconnection. However, VPNs can also be a risk to the
confidentiality and stability of your organization’s
infrastructure.
Like all security policies, your VPN policy should derive
from a thorough risk assessment and analysis. Without fully
understanding the assets, processes, threats, and risks of
VPNs, you can’t effectively use or manage them.
Developing your VPN security policy is not a simple or
straightforward task. You need to plan for time and effort to
address a wide variety of issues and concerns. Some of the
aspects of design and planning of a VPN policy include (but
are not limited to): Considering the benefits and drawbacks
of software and hardware VPN solutions Imposing
stringent multifactor authentication on all VPN
connections Implementing strong access control
(authorization) restrictions on all VPN connections Defining
how the VPN will be managed, through what interfaces, and
by whom Exploring the complexities of patch management
over VPN
Defining the mechanisms of providing remote
technical support for VPN telecommuters Enabling
detailed auditing on all activities occurring across or
through a VPN
Defining distinct qualifications on granting user access
to telecommuting VPNs Prescribing the user training
requirements for all VPN activities VPN Deployment
Models and Architecture
One of the first decisions you face when deploying a VPN is,
which device will serve as the termination point of the
secured tunnel? You have several options, but often the
decision rests on where in the network infrastructure you
want to position the tunnel endpoint. Additionally, the
features the VPN device provides may be a factor in the
decision.
Such factors include deciding which devices have
sufficient processing power to maintain wirespeed even with
heavy traffic and complex encryption. Another concern is
whether NAT is present, as this can impose problems for
tunnel mode encryption.
The three primary VPN device models are edge router,
corporate firewall, and VPN appliance. In addition to the
selection of the VPN device, you have several architectural
decisions to make. These focus on the intended purpose,
function, or use of the VPN, such as remote access, host-to-
host, site-to-site, and extranet access.
Edge Router
With edge routers as the VPN termination point, the VPN link
exists only over the public intermediary networks, not within
the private LAN(s). This does require that the edge router
support VPN connectivity.
Edge router VPN termination ensures that a firewall can
filter the traffic exiting the VPN on its way into the LAN. This
method ensures that all traffic, regardless of transportation
means, complies with the firewall’s filtering rules. If the VPN
terminates inside the firewall, then traffic from the VPN
could potentially violate security because it was not firewall-
inspected.
VPN termination on edge routers is best suited for
controlled access into the DMZ. Such a configuration grants
business partners easy access to the DMZ without exposing
their traffic to the Internet or granting them unnecessary
access to the private LAN.
Corporate Firewall
Terminating the VPN at the corporate firewall is possible if
the firewall supports VPN services. Not all firewalls provide
this service, so this depends on your choice of make and
model of the firewall product. With a firewall-to-firewall VPN
across the public network, users from one network LAN can
access resources in another network LAN without additional
complexities. Primarily, this configuration treats the VPN link
between the firewall endpoints as just another route in the
LAN (actually WAN). The benefit here is that users don’t
need to re-authenticate or abide by additional firewall
restrictions when the VPN terminates at the corporate
firewall.
Corporate firewall termination of the VPN means that the
traffic entering or leaving the VPN does not pass through
the filtering restrictions of the firewall. Instead, the firewall
simply serves as a tethering point for the VPN tunnel
endpoint. Any traffic not associated with the VPN, however,
is subject to firewall investigation.
This configuration has a potential limitation. As the
number of VPN links or the traffic load of the VPNs
increases, the resulting increase in cryptographic
computations could interfere with the firewall’s wirespeed
filtering performance. In this case, perform a trend analysis
to monitor for this condition and improve firewall
performance before a bottleneck occurs.
VPN Appliance
A third device option is a dedicated VPN appliance. Unlike
an edge router or firewall termination point, a dedicated
VPN appliance specifically handles the load of a VPN instead
of VPN support being an add-on service.
You can position a VPN appliance outside the corporate
firewall, in a similar location to an edge router, so that all
VPN traffic passes through firewall filters. A VPN appliance
can also reside inside the corporate firewalls to prevent
firewall filtration. This deployment is similar to the corporate
firewall concept, at least in terms of not filtering VPN traffic.
This second deployment method also ensures that no
external entity can interfere with the endpoints of the VPN
tunnel.
FIGURE 3-6
A VPN used to connect a single LAN with remote mobile
users.
These techniques are useful when corporate firewalls
already exist that do not support the VPN technology or
architecture you want. So rather than replacing the firewalls,
you install an additional dedicated VPN appliance.
Remote Access
The first VPN architecture is basic remote access (Figure 3-
6). Remote access VPN is also known as host-to-site
VPN since it supports single-host VPN connections into a
LAN site. This design grants individual telecommuters or
traveling workers easy access into the private LAN. A single
LAN can support several remote users with any of the VPN
endpoint concepts: edge router, corporate firewall, or VPN
appliance.
Site-to-Site
A second VPN architecture is site-to-site (Figure 3-7). Site-
to-site VPNs are also known as LAN-to-LAN VPNs or
WAN VPN connections between LANs. Regardless of the
name, a site-to-site VPN supports secure connections
between LANs over intermediary public networks. When you
install it properly, a site-to-site VPN can be an inexpensive
mechanism to create a single distributed LAN (also known
as a WAN) for a multi-location organization. A site-to-site
VPN uses any of the VPN endpoint concepts: edge router,
corporate firewall, or VPN appliance.
FIGURE 3-7
A VPN used to connect multiple LANs.
A slight variation on the site-to-site VPN is the site-to-site
VPN with remote mobile users. This is a combination of the
site-to-site VPN concept with remote access VPNs (Figure 3-
8). The benefit of this architecture is the ability to add new
employees with secure connections to the LAN without
needing additional corporate facilities to provide on-site
workspaces.
FIGURE 3-8
A VPN used to connect a multiple LANs with remote mobile
users.
Host-to-Host
A third VPN architecture is host-to-host. Host-to-host VPNs
are also known as client-to-server, remote-to-office, or
remote-to-home VPNs. A host-to-host VPN is a direct VPN
connection between one host and another. This mechanism
operates over a public network or within a private network.
Over a public network, a host-to-host VPN provides a
connection that is secure from the public. Over a private
network, it provides an additional level of security for
mission-critical or highly sensitive transactions.
Host-to-host VPNs labeled as client-to-server VPNs
create secure client interaction with the services of a
resource host. This is similar to, but not exactly the same
as, a secure Web link between a Web browser and a Web
server. SSL can be used for application protocol security, as
it is with secure Web sessions, or as a VPN protocol. As a
VPN protocol, SSL operates at the Network Layer; as a Web
session security tool, it operates at the top of the Transport
Layer.
A remote-to-office VPN is a direct link between a
portable or home system and an office workstation. This
VPN link allows a user to work from home or while traveling
without sacrificing access to resources, services, or
applications that might only be installed (or licensed) for use
on the office workstation computer. This VPN can establish a
remote control session as commonly as a remote access
session.
A remote-to-home VPN connects a work computer or a
portable computer back to a home system, effectively the
opposite configuration of the remote-to-office. The remote-
to-home VPN grants you access to a home computer while
you are away from the house.
The host-to-host VPN variations usually depend on
software VPN solutions native to the operating system or
third-party applications installed on the host. However,
some VPN appliances are adaptable to these simpler host-
to-host connectivity architectures.
Extranet Access
A fourth VPN architecture is extranet access. With a VPN
tunnel endpoint positioned at or inside the perimeter of an
extranet, this option serves as a pathway for business
partners, distributors, suppliers, and so forth to gain access
to corporate resources without exposing their traffic to the
Internet or granting them unnecessary access to the private
LAN.
Additionally, a VPN linked into the extranet, as opposed
to the DMZ, provides greater security to the remote entities.
A VPN link to the DMZ exposes the remote entities to any
threats found in the DMZ. Since the DMZ is publicly
accessible, it’s risky. An extranet VPN grants the remote
entity secure communications without significant risks at
the VPN termination point.
VPNs commonly serve as a choke point to control which
external entities have access to the extranet. Only those
granted specific access, assigned user accounts, and
provided configuration details are able to configure and
establish a VPN link with an extranet.
Tunnel Versus Transport Mode
VPNs can use two main types of encapsulation encryption.
These are known as tunnel mode and transport mode
encryption.
Tunnel mode encryption protects the entire original IP
packet’s header and payload. This encrypted packet
becomes the payload of a new IP packet with a new IP
header. This form of encryption ensures that the identities of
the original endpoints of the communication are kept
confidential while the traffic traverses the secured link.
Tunnel mode encryption is commonly used by VPNs linking
network sites together or providing secure remote access.
Transport mode encryption protects only the original IP
packet’s payload. The encrypted payload retains its original
IP header. This form of encryption protects only the payload,
not the identities of the endpoints. Transport mode
encryption helps VPNs link individual computers together.
The Relationship Between Encryption
and VPNs
Encryption and a secure VPN are virtually inseparable. A
secure VPN exists only because its traffic is encrypted. But
some trusted VPNs may or may not use encryption. To fully
understand and appreciate the operations of VPNs, you
need a reasonable understanding of encryption.
Encryption is just one aspect of the larger topic of
cryptography. Cryptography is the art and science of
hiding information from unauthorized third parties.
Cryptography occurs through a complementary and
reversible process: encryption and decryption. Encryption is
the process of converting original usable form data, called
plaintext, into an unusable chaotic form, called ciphertext.
Decryption is the process of converting ciphertext back
into plaintext. A real-world communication product must
provide both encryption and decryption.
Modern cryptography is based on algorithms. An
algorithm is a set of rules and procedures, usually
mathematical in nature, that define how the encryption and
decryption processes operate. Algorithms are often very
complex. Many algorithms are publicly known and anyone
can investigate and analyze the strengths and weaknesses
of an algorithm.
technical TIP
Less than 10 years ago, 64 bits was considered strong
encryption. Today, 128 bits is the smallest symmetric
key length that can be considered strong. Is a key of
twice the size of the previous key length stronger?
Actually, while a 128-bit key is twice as long as a 64-bit
key in that it has twice as many digits, the former
creates a keyspace much more than twice the size of
the latter. Every time an additional bit is added to a key
length binary number, it doubles the size of the
possible keyspace. A 128-bit key creates a keyspace
that is doubled 64 times that of a 64-bit key. That is
2^64 or 1.8 × 10^19 times as large as that of a 64-bit
keyspace.
Encryption algorithms use a key. The key is a unique and
secret number that controls the encryption and decryption
processes performed by the algorithm. A key is a very large
binary number measured or defined in terms of its bit
length. The bit length of the key is the number of binary
digits that compose the key. For example, a key of 128 bits
is 128 binary digits long.
The bit length of an algorithm’s key defines that
algorithm’s keyspace. The keyspace is the range of keys
that are valid for use for that specific algorithm. Any key
created using the specific number of binary digits of the key
length is part of that algorithm’s keyspace. This keyspace
includes every number between a key of all zeros to a key of
all ones (remember this is binary code with only ones and
zeros as digits). This means that 2^128 number of keys are
available to an algorithm with a key length of 128 bits.
2^128 in decimal is over 3.4 × 10^38.
Three main types of algorithms operate within the realm
of cryptography: symmetric, asymmetric, and hashing.
Symmetric Cryptography
Symmetric cryptography is based on algorithms that use
a single, shared secret key. A common way to remember the
type of key used by symmetric is to remember a synonym
for symmetric: same. The same key must encrypt and
decrypt data and the same key must be shared with all
communication partners of the same session.
Symmetric cryptography is very fast in comparison to
asymmetric cryptography, typically 10,000 times as fast
with similar key length and message size. Generally, the
longer the length of a symmetric key, the stronger the
encryption produced. Most algorithms have one or only a
few key length options, so picking an algorithm with a
longer key often ensures stronger encryption. Keys shorter
than 128 bits are considered weak, keys of 128 to 256 bits
are considered strong, and keys longer than 256 bits are
considered very strong. That’s why when you select a
symmetric cryptography product, you should only use
solutions employing 128-bit or longer keys.
Selecting a strong algorithm is more involved than just
key length; you also need to consider other issues, such as
use of random numbers, use of the avalanche effect, and
resistance to reverse engineering attacks. Most weak
algorithms do not survive long once released to the public,
so most consumers do not need to focus as much on the
details of the algorithm as to look for algorithms that
support longer keys. The general rule (which does gloss
over some of the details) is that longer keys are better. For
more information on cryptography, selection of algorithms,
and the internal workings of algorithms, please consult
Schneier’s Cryptography Classics Library or Introduction to
Modern Cryptography.
NOTE
Hypothetical communication partners Bob and Alice
are commonly used to describe and discuss the
functions of cryptography.
FIGURE 3-9
The symmetric cryptography process.
Symmetric cryptography works as follows (Figure 3-9):
1. Bob and Alice exchange a symmetric key (K1).
(This process is normally performed by an
asymmetric process or out of band
communication.) 2. Bob encrypts a message with
the shared symmetric key.
3. Bob transmits the message to Alice.
4. Alice decrypts the message using the shared
symmetric key.
The security service provided by symmetric cryptography is
confidentiality. Symmetric encryption, with a reasonably
long key, prevents unauthorized third parties from accessing
or viewing the contents of communications or stored data
files. Symmetric cryptography protects files on storage
devices, as well as data in transit. In fact, due to its strength
and efficiency, symmetric cryptography is the preferred
method to secure data in storage or in transit of any size.
Some examples of symmetric cryptography algorithms or
systems include DES, 3DES, AES, CAST, RC4, RC5, RC6, RC7,
IDEA, Twofish, and Blowfish.
VPN solutions employ symmetric cryptography to protect
communications in transit. This protection prevents
unauthorized eavesdropping or midstream modifications.
Asymmetric Cryptography
Asymmetric cryptography is based on algorithms that
use either key pairs or some other special mathematical
mechanism. Asymmetric cryptography that uses key pairs is
commonly known as public key cryptography. All public
key cryptography is asymmetric, but some asymmetric
algorithms are not public key algorithms. A common way to
remember the types of keys or non-keys that are used by
asymmetric cryptography is to remember a synonym for
asymmetric: different. Different keys are used for different
purposes, different keys are used by different members of
the communication session, and some systems use
something different from keys altogether.
technical TIP
Keep in mind that an average 2,048-bit asymmetric
key is not just 8 times as long as a very strong 256
symmetric key; in fact, it has a keyspace that is
doubled 1,792 times that of the keyspace of a 256-bit
key, an astronomically large number: 2^1,792 or 2.79
× 10^539 times that of a 256-bit keyspace. Numbers
of this size are very hard to manage, much less run
through complex mathematical computations.
Asymmetric cryptography is very slow in comparison to
symmetric cryptography. This is due to the complexity of the
math used by these algorithms, as well as the length of
asymmetric keys (when there are keys). Public key
cryptography uses keys that are 1,024 to 8,192 bits long
(and sometimes longer).
Asymmetric cryptography also uses math based on a
concept known as one-way functions. A one-way function
is a mathematical operation performed in one direction
relatively easily, but impossible or nearly so to reverse. This
type of math was formalized into cryptographic algorithms
only in the late 1970s.
Asymmetric cryptography, therefore, is slow in
comparison to symmetric due to its extremely long keys and
its extraordinarily complex mathematical functions. Thus,
asymmetric is generally not suitable for encrypting bulk
data for storage or transmission; instead, this type of
encrypting is best suited for identity proofing and key
exchange.
The protections provided by asymmetric cryptography
are authenticity and nonrepudiation. Authenticity is a
term used to convey the combination of authentication and
access control. Based on usage, especially with public key
cryptography, asymmetric solutions can prove the identity
of the source of a message (authentication) or control the
destination or receiver of a message (access control).
Additionally, when used properly, asymmetric cryptography
may provide proof that a sender sent a message and
prevent that sender from being able to credibly deny
sending it. This is known as nonrepudiation.
Public key cryptography, a subset of asymmetric
cryptography, is based on key pairs. Each participant in a
communication or community has a discrete key pair set.
The key pair set consists of a private key and a public
key. The private key is kept secure and private at all times.
The public key is put out for open public access and use.
The key pairs work together as opposites. The encryption or
encoding that one of the keys performs can only be undone
by the opposite key of the pair.
One mechanism afforded by asymmetric cryptography is
a digital envelope. It works as follows (Figure 3-10):
FIGURE 3-10
The asymmetric cryptography process of digital envelope.
1. Bob obtains Alice’s public key.
2. Bob encodes a message with Alice’s public key.
3. Bob sends the message to Alice.
4. Alice decodes the message using her private
key.
The encoded message is readable only by Alice, who has
the corresponding private key. A digital envelope ensures
that the message is accessible only by the intended
recipient, namely the owner of the corresponding private
key. The mechanism of digital envelope exchanges
symmetric keys between communication partners. In this
mechanism, one side of the conversation performs key
generation, and then exchanges that key securely. This is
the mechanism VPNs use to exchange keys securely.
Another mechanism afforded by asymmetric
cryptography is a digital signature. A digital signature
proves the identity of the sender. It works as follows (Figure
3-11): 1. Alice uses her private key to encode a message.
2. Alice sends the encoded message to Bob.
3. Bob accesses Alice’s public key.
4. Bob uses Alice’s public key to unlock the
encoding.
This process proves to Bob that the message came from
Alice. This is authenticity. A digital signature does not
prevent others from viewing the message or confirming the
source of the message. A digital signature is not encryption;
it does not provide confidentiality protection. VPNs use
digital signatures, but they usually employ the version that
uses hashing as part of the process (see the next example).
FIGURE 3-11
The asymmetric cryptography process of digital signature.
This mechanism of digital signatures improves through
the addition of hashing. (Hashing is described in more detail
in the next section.) A digital signature using hashing is a bit
more complex, and uses the following procedure (Figure 3-
12): 1. Alice computes the hash value of a message.
2. Alice encodes the hash value with her private
key. This encoded hash is the digital signature.
3. Alice adds the encoded hash to the message.
4. Alice transmits the message.
5. Bob strips off Alice’s digital signature.
6. Bob hashes the original message to compute its
hash.
7. Bob obtains Alice’s public key.
8. Bob decodes Alice’s digital signature to reveal
Alice’s original hash.
9. Bob compares Alice’s original hash to the hash
Bob calculated.
If the hashes are the same, Bob accepts the message as
retaining its integrity. This has also proved that the message
was from Alice (authenticity). Furthermore, this process
ensures that Alice cannot deny having sent it
(nonrepudiation). VPNs commonly employ this form of
digital signature to prove the identity of the endpoints and
confirm the integrity of transmissions.
FIGURE 3-12
The asymmetric encryption process of digital signature with
hashing.
Some examples of asymmetric cryptography algorithms
or systems that are not public key cryptography are Diffie-
Hellmann, El Gamal, and elliptical curve cryptography (ECC).
The most common example of an asymmetric cryptography
algorithm or system that is public key cryptography is
Rivest-Shamir-Adleman (RSA).
VPN solutions employ asymmetric cryptography to
secure symmetric key exchange (via digital envelopes),
authenticate VPN link endpoints or users (via digital
signatures), and, when used in conjunction with hashing,
verify source and integrity of transmitted messages (also
digital signatures).
Hashing
Hashing is the cryptographic function that takes the input
of a file or message and creates a fixed length output. The
input can be of any size, but the output is a fixed length
based on the hashing algorithm used. Hashing does not
modify or alter the original data in any way; it simply uses
the original data to generate a hash value as a new data
item. Common hash value output lengths include 128 bits
(such as those produced by MD5), 160 bits (such as those
produced by SHA-1), and even 512 bits or more (such as
those produced by various members of the SHA-2 family).
The output of a hash algorithm can be called a hash, a
hash value, a message digest, a message authenticating
code, a fingerprint, a digital value, or a checksum.
Hashing checks integrity. Hashing computes a hash value
upon storage or transmission of a file or message, then
computes another hash value at the end of the storage
period or upon receipt of the transmission. If the before and
after hash values are the same, then the message has
retained its integrity. If the before and after hash values are
different, then the message has lost its integrity and is no
longer trustworthy or usable.
Hashing verifies integrity based on the complex
mathematical functions used in the hashing algorithm itself.
A central component or feature of these functions is the
avalanche effect. This effect ensures that small changes in
the input data produce large changes in the outputted hash
value. A single binary digit change in a file should produce a
clearly recognizable difference in the resultant hash value.
Hashes are a one-way function. A hash value cannot be
reversed directly back into the original data file from which
it was calculated. Thus, if an attack obtains a hash value,
the data is not at significant risk of being extracted from the
hash.
Some examples of hashing algorithms or systems include
MD5, HAVAL, SHA-1, and the SHA-2 variants (SHA-256, SHA-
384, SHA-512, etc.).
VPNs employ hashing, often as part of digital signatures,
as a method to confirm that transmitted data has retained
its integrity. Any mismatching of hash values discards the
received data and requests a retransmission. This ensures
that either end of a VPN connection accepts only fully valid
and true data.
Establishing VPN Connections with
Cryptography
Now that you know about symmetric cryptography,
asymmetric cryptography, and hashing, let’s take a look at
the overall process VPNs use to provide secure
communications. A basic VPN setup process occurs as
follows: 1. Bob computes the hash from a message (Figure
3-13).
2. Bob encodes the hash using his private key to
create a digital signature.
3. Bob generates a random symmetric key (K1).
4. Bob uses K1 to encrypt the message.
5. Bob obtains Alice’s public key.
6. Bob encodes K1 with Alice’s public key to create
a digital envelope.
7. Bob sends the digital signature, the encrypted
message, and the digital envelope to Alice.
8. Alice uses her private key to decode the digital
envelope to reveal K1 (Figure 3-14).
9. Alice uses K1 to decrypt the message.
10. Alice computes the hash of the message.
11. Alice obtains Bob’s public key.
12. Alice decodes the digital signature with Bob’s
public key to obtain Bob’s hash value.
Alice compares the pre- and post-hash values. If the hash
values are the same, then the message has retained its
integrity. Thus, the correct public key decoded the digital
signature. Bob’s identity is verified (authenticity and
nonrepudiation).
This exchange enables the symmetric key to secure
subsequent messages from Bob to Alice or from Alice to Bob
(Figure 3-15). Once a VPN has been established between
Bob and Alice, an exchanged session key (K1) exists at both
endpoints. Using this shared session key, Bob can encrypt
messages (envelope #1) to send to Alice and Alice can
encrypt messages (envelope #2) to send to Bob (Figure 3-
15).
FIGURE 3-13
The overall cryptographic process of establishing a VPN
connection (1/3).
FIGURE 3-14
The overall cryptographic process of establishing a VPN
connection (2/3).
Variations on this basic VPN session establishment are
possible. One variation would be to encrypt both the
message and the digital signature with K1. Another variation
would have Bob digitally sign K1 with his private key before
using Alice’s public key to encode it into a digital envelope.
This initial symmetric key exchange establishes the
encryption that will protect all subsequent messages for the
current communication session. When this session ends and
a new VPN session begins, a new symmetric key will initiate
the process. However, as long as the current session lasts,
the same symmetric key applies.
FIGURE 3-15
The overall cryptographic process of establishing a VPN
connection (3/3).
Reusing a symmetric key poses a slight risk, even for
multiple messages in the same session or conversation. To
minimize or reduce this risk, some VPNs use rekeying
processes. Rekeying discards the current in use key and
generates and exchanges a new symmetric key. Rekeying
comes in several types: Time rekeying—Rekeying
triggers at a specific time.
Idle rekeying (lag or delay)—Rekeying triggers
when a specific amount of idle, lag, or delay in the
conversation occurs.
Volume rekeying—Rekeying triggers when a specific
amount of traffic is transmitted.
Random rekeying—Rekeying triggers at random time
intervals.
Election rekeying—Either member of a VPN session
can elect to rekey at any time If a VPN solution
performs mid-session rekeying, you may or may not
have an administrative configuration option to manage
the rekeying processes. Rekeying may be embedded in
the encryption algorithms. One-time pad encryption
systems are also possible. A one-time pad system uses
a unique and random symmetric key for each segment
of a communication. This is a more complex system,
but offers greater security. Attempting to crack a
multi-random-key encryption scheme is one of the
most difficult attacks against encryption known.
NOTE
Technically, computers provide pseudo one-time pads,
as they are currently unable to produce true random
numbers. Instead, a pseudo random number
generator (PRNG) is used. A PRNG uses a complex
algorithm and the timing chip to produce seemingly
random numbers. The result is very good, but not truly
random.
Digital Certificates
You can increase the reliability of authenticity and
nonrepudiation by using digital certificates instead of
plain public and private keys. A digital certificate is a public
key and private key pair digitally signed by a trusted third
party. This third party is a certificate authority (CA). The
CA first verifies the identity of the person or company, then
crafts and issues the digital certificates.
In addition to improved reliability, certificates also
resolve a scalability issue with public key cryptography
systems. Without certificates, each system has to manage
an ever-expanding library of public keys. With a third-party
certificate-based system, each system no longer needs to
retain public keys. Instead, they are exchanged at the
beginning of each session with the assistance of the CA.
Each host stores only the trusted public keys of the CA.
The CA’s public keys are stored in the trusted roots list
(TRL). Any certificate issued by a trusted CA is accepted as
valid, providing the certificate has not expired and has not
been revoked.
The process is similar to the overall cryptographic
process to establish a VPN connection. The primary
difference is that instead of a sender’s generic private key,
the sender’s digital certificate encodes the message. Then,
the recipient uses the CA’s public key to start the unpacking
process. The CA’s public key decodes the CA’s private key
encoding around the sender’s public key. (This is the
sender’s digital certificate.) This confirms the identity of the
sender through the CA’s issued digital certificates. Then, the
recipient uses the sender’s public key to decode the
sender’s private key encoding on the message.
The use of digital certificates adds a few additional steps
to the overall process, but this improves the identity
verification of the participants in the secured
communication. Once a communication session ends, the
recipient can discard the sender’s public key. Each time a
new session starts, the sender’s public key will be re-
exchanged via the digital certificate process. This reduces
the burden of public key management and makes any
secure communication service, including VPNs, much more
scalable.
What Is VPN Authentication?
Authentication is the process of confirming or proving the
identity of a user and is of significant importance for VPNs.
Since VPNs allow external entities to connect to and interact
with a private network (or system), verifying the identity
before granting access is paramount. VPN authentication
takes place on two levels: connectivity and user.
When a VPN link starts, the hardware and software
components at each endpoint must authenticate to
establish the connection. Once the communication link
begins, the user performs a separate and distinct
authentication process. If either of these identity proofs fail,
the VPN is severed.
The actual mechanism of authentication used in either
case can vary. Options include username and password,
smart cards, token devices, digital certificates, and even
biometrics. As a rule of thumb, you should avoid username-
and password-only solutions and lean toward multifactor
authentication options. Password-only authentication is
notoriously exploitable and is not reliably secure enough for
a VPN.
The VPN services, whether software or hardware, may
support authentication directly or indirectly when offloaded
to dedicated authentication servers. Offloading can point to
any number of widely used authentication,
authorization, and accounting (AAA) services or
technologies, including RADIUS, TACACS, 802.1x, LDAP, and
Active Directory.
When selecting an authentication solution for a VPN,
consider the strengths and weaknesses of the
authentication factors independently of their VPN
integration. If an authentication factor has weaknesses on
its own, these are not relieved when used with a VPN.
VPN authentication should be scalable and support
interoperability among potential connecting hosts. Don’t use
authentication that cannot support more than a few dozen
users or hosts. Likewise, using a form of authentication that
is available on only one platform or operating system will
impose limitations difficult and expensive to resolve later.
VPN Authorization
Authorization is controlling what users are allowed and not
allowed to do. Authorization is also known as access control.
You must establish clearly defined policies as to what
activities will and will not be supported for VPN connections.
An initial concern is defining who is and who is not
allowed to establish a VPN connection. By considering VPN a
resource rather than just a method of connectivity, clearly
not all users should have access to all resources. If VPN
connectivity is neither essential to nor conducive of a
worker’s assigned tasks and responsibilities, he or she
should not be allowed to open or use VPN connections.
Authentication can help enforce this access control issue.
Whenever a user account that is not authorized to use VPN
attempts to authenticate across a VPN, that attempt should
fail. In fact, automatically locking such an account is a
reasonable security response. Users should have a clear
understanding of whether or not they have been granted
the privilege of VPN use. Any access of a non-VPN approved
user across a VPN, therefore, is either a sign of a policy-
violating employee or an outside intrusion attempt.
In addition to locking down use of the VPN itself, you
should restrict access to resources across a VPN, even for
authorized users. A VPN does establish a network
connection indistinguishable except for speed from a local
direct-wired connection, but that does not mean that the
same level of authorization is necessary, required, or even
recommended.
A stronger application of the principle of least privilege is
needed with VPN connectivity. Not all of the tasks and
resources employees use when on site are necessarily
required for activities they perform remotely. A user should
have one level or sphere of access when on site and a
different, smaller sphere of access when connecting through
a VPN. This, of course, will depend upon the assignments of
the worker and the sensitivity of the resources needed to
carry out those assignments, but thoroughly consider this
issue before granting default or wholesale access.
Mission-critical resources, processes, and information
may be at risk if they’re exposed to users connecting over a
VPN. Since a remote user’s computer is potentially less
secure than workstations on site, the additional risk may be
significant. Does a telecommuter or traveling worker
actually need access to a specific resource? If not, block
access.
Should a remote VPN user be able to transfer sensitive,
private, or valuable data to the remote host? This is the risk
of information leakage. Once data leaves the LAN, the
corporate security infrastructure loses its ability to fully
control and protect the information. On a remote host, once
the VPN disconnects, the LAN’s security protections
disappear. The only remaining security left is on the host
and practiced by the user.
Remote access is inappropriate or just impractical for
some resources. For example, consider preventing printer
access by remote VPN users. Do traveling workers need to
print documents they are unable to physically handle? Yes,
in some situations, remote printing makes sense. But should
you allow every local activity over a VPN just because it’s
possible?
Another authorization concern is whether or not to allow
Internet communication for VPN users. If local LAN users are
able to access the Internet, then technically so can VPN
users. But should they? Is this an additional risk or just an
additional bandwidth consumption burden?
If VPN users are unable to access the Internet from the
LAN through the VPN, can they access the Internet
simultaneously over the same ISP link as their VPN link to
the LAN? This configuration is known as a split tunnel.
Many organizations see this as a significant risk. This
scenario makes it possible for an Internet attack to breach
the remote host, and then use the VPN to access the private
LAN. This would be a nearly unrestricted pathway between
the Internet and the LAN. Most organizations employ VPN
connection solutions that prevent simultaneous local VPN
and Internet connectivity on remote hosts.
Even with these VPN authentication issues, the overall
process of enforcing access control is essentially the same
for both local and remote hosts. In most cases, access
control is defined on the resource itself, regardless of where
the users are. Keep this in mind as you craft policies
defining the parameters of VPN management and use.
CHAPTER SUMMARY
VPNs are mechanisms to remotely connect LANs and
mobile hosts. VPNs save money and offer worker
flexibility. VPNs secure communications over public
intermediary networks. VPNs should be used
whenever infrastructure costs are high or you need
mobile access and flexibility. VPNs can’t guarantee
quality of service over the Internet or protect against
endpoint device/host vulnerabilities. You should
deploy VPNs based on thoroughly researched VPN
policies.
VPNs offer many advantages, including a wide range
of implementation choices. Various devices and
software products support VPN connections. VPNs’
endpoints can be inside, on, or outside a firewall.
VPNs can support remote access for mobile hosts,
create links between individual systems, and support
channels between networks. VPNs can employ either
tunnel-mode or transport-mode encryption. They can
use the same authentication and authorization
techniques that you deploy elsewhere for general
network security.
KEY CONCEPTS AND TERMS
Algorithm
Asymmetric cryptography Authentication,
authorization, and accounting (AAA) services
Authenticity Avalanche effect
Certificate authority (CA)
Channel
Ciphertext
Client-to-server VPN
Compression
Corporate firewall
Cryptography
Decryption
Dedicated connection
Dedicated leased line
Digital certificate
Digital envelope
Digital signature
Distributed LAN
Eavesdropping
Edge router
Extranet VPN
Fragmentation
Hardware VPN
Hash
Hash algorithm
Hash value
Hashing
Host-to-host VPN
Host-to-site VPN
Host VPN
Hybrid VPN
Identity proofing
Intermediary network
Key or encryption key
Key exchange
Key pair
Keyspace
LAN-to-LAN VPN
Leased line
Multifactor authentication
Non-dedicated connection
Nonrepudiation
One-time pad
One-way function
Optical carrier (OC)
Out of band
Private branch exchange (PBX)
Private key
Pseudo random number generator (PRNG)
Public key
Public key cryptography
Public network
Rekeying
Remote access VPN
Remote-to-home VPN
Remote-to-office VPN
Scalability
Secured VPN
Site-to-site VPN
Software VPN
Split tunnel
Symmetric cryptography
Telecommuting
Traffic congestion
Trusted third party
Trusted VPN
Virtual private network (VPN)
VPN appliance
WAN VPN
CHAPTER 3 ASSESSMENT
1. Which of the following is not a valid example of a VPN?
A. A host links to another host over an intermediary
network.
B. A host connects to a network over an intermediary
network.
C. A network communicates with another network over
an intermediary network.
D. A host takes control of another remote host over an
intermediary network.
E. A mobile device interacts with a network over an
intermediary network.
2. Which of the following is not ensured or provided by a
secured VPN?
A. Confidentiality
B. Quality of service
C. Integrity
D. Privacy
E. Authentication
3. Which of the following techniques make(s) a VPN
private?
A. A single organization owning all the supporting
infrastructure components
B. Leasing dedicated WAN channels from a telco
C. Encrypting and encapsulating traffic
D. Both A and B
E. Items A, B, and C
4. What is the primary difference between a VPN
connection and a local network connection?
A. Speed
B. Resource access
C. Security
D. Access control models
E. Authentication factors
5. Which of the following is not a true statement?
A. VPN traffic should be authenticated and encrypted.
B. VPNs require dedicated leased lines.
C. Endpoints of a VPN should abide by the same security
policy.
D. VPNs perform tunneling and encapsulation.
E. VPNs can be implemented with software or hardware
solutions.
6. What is a hybrid VPN?
A. A VPN with a software endpoint and a hardware
endpoint
B. A VPN supporting remote connectivity and remote
control
C. A VPN consisting of trusted and secured segments
D. A VPN supporting both symmetric and asymmetric
cryptography
E. A VPN using both tunneling and encapsulation
7. What is the most commonly mentioned benefit of a
VPN?
A. Cost savings
B. Remote access
C. Secure transmissions
D. Split tunnels
E. Eavesdropping
8. Which of the following is a limitation or drawback of a
VPN?
A. Intermediary networks are insecure.
B. VPNs are not supported by Linux OSs.
C. VPNs are expensive.
D. VPNs reduce infrastructure costs.
E. Vulnerabilities exist at endpoints.
9. On what is an effective VPN policy based?
A. A thorough risk assessment
B. Proper patch management
C. Business finances
D. Flexibility of worker location
E. Training
10. What form of VPN deployment prevents VPN traffic from
being filtered?
A. Edge router
B. Extranet VPN
C. Corporate firewall
D. Appliance VPN
E. Host-to-site VPN
11. What form of VPN deployment requires additional
authentication for accessing resources across the VPN?
A. Site-to-site VPN
B. Corporate firewall
C. Host-to-site VPN
D. Edge router
E. Remote access VPN
12. Which of the following is not a name for a VPN between
individual systems?
A. Client-to-server
B. Host-to-host
C. Remote-to-home
D. Host-to-site
E. Remote-to-office
13. Which of the following is the primary distinction
between tunnel mode and transport mode VPNs?
A. Whether or not it can support network to network
links
B. Whether or not the payload is encrypted
C. Whether or not it can support host-to-host links
D. Whether or not the header is encrypted
E. Whether or not it supports integrity checking
14. What VPN implementation grants outside entities
access to secured resources?
A. Edge router VPN
B. Corporate firewall VPN
C. Site-to-site VPN
D. Extranet VPN
E. Remote control VPN
15. What form of cryptography encrypts the bulk of data
transmitted between VPN endpoints?
A. Symmetric
B. Hashing
C. Public key
D. Transport mode
E. Asymmetric
16. What components create a digital signature that
verifies authenticity and integrity?
A. Public key and session key
B. Private key and hashing
C. Hashing and shared key
D. Session key and public key
E. Shared key and hashing
17. By what mechanism do VPNs securely exchange
session keys between endpoints?
A. Digital envelope
B. Digital forensics
C. Digital encapsulation
D. Digital certificate
E. Digital signature
18. What are the two most important characteristics of VPN
authentication?
A. Single factor and replayable
B. Scalable and interoperable
C. Transparent and efficient
D. Interoperability and single factor
E. Replayable and scalable
19. What VPN access control issue can be enforced through
VPN authentication?
A. Blocking unauthorized VPN users
B. Restricting access to the Internet
C. Limiting access to files
D. Filtering access to network services
E. Controlling access to printers
20. When designing the authorization for VPNs and VPN
users, what should be the primary security guideline?
A. Scalability
B. Multifactor
C. Distributed trust
D. Principle of least privilege
E. Grant by default, deny by exception
21. All of the following statements about a host-to-host VPN
are true except:
A. A host-to-host VPN is commonly supported by the
host OS.
B. A host-to-host VPN must be implemented with VPN
appliances.
C. A host-to-host VPN can be interoperable between
different OS products.
D. A host-to-host VPN usually employs transport mode
encryption.
E. A host-to-host VPN can be established within a private
network.
FIGURE 3-16
The seven domains of a typical IT infrastructure.
22. All of the following are commonly used in supporting a
site-to-site VPN except:
A. VPN appliance
B. Commercial firewall
C. Client VPN software
D. Edge router
E. VPN gateway proxy
23. A VPN used to connect geographically distant users
with the private network is located within which domain
from the seven domains of a typical IT infrastructure
(Figure 3-16)?
A. LAN Domain
B. User Domain
C. System/Application Domain
D. Remote Access Domain
E. LAN-to-WAN Domain
24. What feature or function in tunnel mode encryption is
not supported in transport mode encryption?
A. The header is encrypted.
B. The payload is encrypted.
C. The source address is encrypted, but not the
destination address.
D. A footer is added to contain the hash value.
E. It provides encryption protection from the source of a
conversation to the destination.
25. All of the following statements are true except:
A. Encryption ensures VPN traffic remains confidential.
B. It is possible to have a private VPN without
encryption.
C. VPN authentication ensures only valid entities can
access the secured connection.
D. Authorization over a VPN consists exclusively of
granting or denying access to file resources.
E. VPN authentication can include multifactor options.
CHAPTER
4 Network Security
Threats and Issues
NETWORK SECURITY IS UNDER CONSTANT ATTACK by threats both internal and external, ranging from disgruntled
employees to worldwide hackers. There’s no perfect defense
because hackers are able to bypass, compromise, or evade
almost every safeguard, countermeasure, and security
control. Hackers are constantly developing new techniques
of attack, writing new exploits, and discovering new
vulnerabilities. Network security is a task of constant
vigilance, not a project to complete. It’s a job that’s never
done.
Why is understanding hacking, exploitation,
vulnerabilities, and attacks critically important? As the sixth
century B.C. Chinese military strategist and philosopher Sun
Tzu stated in his famous military text The Art of War: “If you
know the enemy and know yourself you need not fear the
results of a hundred battles.” Once you understand how
hackers think, the tools they use, their exploits, and their
attack techniques, you can then create effective defenses to
protect against them. Understanding hacking not only
improves network security; it also maintains security at a
high level of readiness.
Chapter 4 Topics
This chapter covers the following topics and
concepts:
What motivates hackers to attack computer
networks
Which assets attackers frequently target
Which internal or external threats networks
are vulnerable to
What common IT infrastructure threats are
What the various types of malicious code
(malware) are and what the security
concerns about them are
What fast growth and overuse are
What wireless and wired connections are
What the risk of eavesdropping is
What a replay attack is and how it is
performed
What an insertion attack is
What fragmentation attacks, buffer
overflows, and XSS attacks are
What man-in-the-middle, session hijacking,
and spoofing attacks are
What covert channels are and how a hacker
uses them
What threats to network and resource
availability are
How a denial of service (DoS) functions
What a distributed denial of service (DDoS) is
What some common hacker tools are
Who is at risk from social engineering
Chapter 4 Goals
When you complete this chapter, you will be able
to:
Describe the motivations of hackers and
other malicious computer network intruders
Compare and contrast threats from internal
and external sources
Describe how accidents, natural disasters,
and ignorance affect network security
Explain the risk posed by malicious code
Express the effects of wired and wireless
connectivity on network security
Describe common network security exploits
and attacks, including replay attacks,
insertion attacks, fragmentation attacks,
buffer overflow attacks, XSS attacks, man-in-
the-middle attacks, hijacking attacks,
spoofing attacks, covert channels, DoS,
DDoS, botnet attacks, and social engineering
attacks Demonstrate how hacker tools
exploit vulnerable targets
Hacker Motivation
What motivates hackers to attack computer networks? Why
does anyone get involved in illicit activity outside the
mainstream? The motives are as numerous as there are
ways of conducting the computer attacks: Many do it for the
sheer thrill of hacking, for the sport of it. Some hackers
consider hacking their hobby. Some love a challenge. Some
are victims of peer pressure or are seeking social validation.
To still others, hacking is a status trip. And finally, many
hackers pursue their exploits for power and financial gain.
Take a look at some of these motives in more detail to see if
you can begin to understand the hacker mentality.
Many criminal hackers are in it simply for the money.
There are many ways of gaining financially from attacking
computer networks. These range from theft of credit cards
and financial statements to blackmail and black markets.
Some monetary gain is immediate. Hackers might be able to
transfer funds out of a target account, for example. Other
methods are more involved, such as stealing corporate
documents and selling them to competitors or hijacking
data using encryption and holding it for ransom. Hackers
can become involved in selling their services, including
distributing spam, eavesdropping, cracking passwords, and
generating DoS events.
Demonstrating the ability to compromise a target,
especially if the target is reasonably secure, is a way for
hackers to prove they are more powerful than the
defenders. If you can control something, you have power
over it. If a hacker can control your computer remotely, then
the hacker has power over your computer, and in some
ways has power over you as well. Hackers sometimes hack
as an ego boost. If they can wage a successful attack, then
they are showing dominance over their target.
For many hackers, it’s an exciting challenge to find new
vulnerabilities, develop new attack code, or discover new
security breaches. Some hackers attack targets for the
same reasons some people climb mountains—because it’s
there, because they can, and because they want to beat it.
Some hackers continually seek out new, more difficult
targets to improve their skills and increase the level of the
challenge.
Some hackers enjoy the sheer risk of attacking a
network. As with any crime, the risk of being caught is
always a possibility. A target network might have
honeypots, IDSs, IPSs, firewalls, and other technical
defenses that the hacker will need to detect and evade.
Security professionals are always looking to discover new
attack techniques and learn the identity of hackers. With
every attack, therefore, the hacker is at risk of getting
caught and prosecuted.
Hacking can be thrilling. Think of the way a treasure
hunter on private property feels. The combination of power,
challenge, risk, and potential pursuit along with discovering
potentially valuable assets is a thrill for some hackers. The
thrill of getting away with it motivates many hackers to
continue their attacks once they figure out how to
successfully hack into a network.
Some hackers have few exciting or engaging aspects of
their life and they resort to hacking as an attempt to be
entertained or distracted from their boredom. A successful
system breach will usually initiate a response, often a cat-
and-mouse game that is more entertaining for hackers than
anything else they can think of at the moment.
Hackers have peers and social groups just like everyone
else. Peer pressure can be a powerful motivator to fit in,
show off, or demonstrate loyalty to a group. Peer pressure is
often a motivator for those in the lower levels or rankings of
hacker communities. New or inexperienced hackers feel
encouraged to perform attacks to maintain their
membership in their peer group.
Hacking can also be a mechanism to validate someone
socially, such as proving a qualification to join a group.
Some attacks are performed as an initiation or rite of
passage from a potential hacking group member to an
actual full member.
Hacking can help the hacker achieve or maintain status.
Hackers may be seeking to achieve status in the eyes of
hacking peers, in the judgment of other hacking groups, or
in the perspective of the world at large. Some hackers try to
cause a media story and to get their name in the news.
Other hacks are performed to instill fear and compliance in
current and future targets.
Hackers perform hacks for many reasons, and this list is
likely incomplete. These motivations drive them to do
unethical activities. You might or might not completely
understand the hacker mindset. It’s important for you to try,
however; the results, regardless of the motivation, can be
devastating for companies and individuals alike.
Favorite Targets of Hackers
In terms of security, the things you want to protect are
known as assets. An asset is anything used to conduct
business over a computer network. Any object, computer,
program, piece of data, or other logical or physical
component employees need to complete a task is an asset.
Among a hacker’s favorite targets are easy assets—ones
that pay off quickly. Easy targets are IT infrastructures and
elements not properly secured. Systems with well-known,
exploitable holes exposed to the world are “easy pickin’s”
for hackers.
Targets that pay off quickly are those that earn the
hacker some form of monetary or barter gain. Credit cards
and bank accounts can be a solid monetary score. In other
cases, gaining access and control of networks, especially
those with high-speed Internet links, is valuable. Such a
network could be saddled with malicious code that transmits
spam, eavesdropping, file exchange, encryption cracking,
and so on. The hacker can then trade or sell these services
to others.
Some hackers, however, do not seek the easy targets;
instead they look for unique targets, new challenges, and
complex infrastructures to test and improve their skills.
Expert and highly experienced hackers often want to
continue to improve their abilities rather than waste their
time on targets that any amateur hacker, or script kiddie,
could compromise.
What valuable assets do attackers most frequently
target? Every hacker is different, just as with any individual
member of any subculture. While many agree on what is
valuable, such as money and access, others might find
corporate finances, secret formulas, medical history, credit
reports, court records, accounting logs, and so on preferable
as their target of choice. For example, why do some people
collect toys while others collect cars, Coke bottles, or
pictures of Elvis?
To better understand possible targets hackers might
choose, review the seven domains of a typical IT
infrastructure (Figure 4-1): User Domain—Any user,
worker, employee, contractor, consultant, or individual can
be a target. Social engineering is a hacker attack against
people. This type of attack attempts to fool people through
clever wording, lying, misdirection, relationship
manipulation, fear, psychological tricks, and confidence
games. The results of social engineering attacks can include
users giving away private information or performing actions
on a computer that causes a reduction in network security.
Workstation Domain—The workstation, client, or
standalone home system can be a target. These types
of hosts are often less secure than LAN servers. This is
not on purpose, because most security focuses on core
components of the infrastructure, rather than those
seemingly on the periphery. Many times the security
measures on a workstation are old, out-of-date, or
improperly installed and configured.
LAN Domain—The private LAN, from SOHOs to large
corporations, is a common target. A LAN often consists
of dozens to thousands of hosts. The odds that all
individual systems are highly secure are unlikely. Once
a hacker gains access to one system on the network,
the rest of the LAN is vulnerable to attack. The
compromise of a single host can lead to the
compromise of the entire infrastructure.
LAN-to-WAN Domain—The WAN connections
between LAN locations, especially those controlled by
third-party entities, are targets. Transition interfaces
between a private LAN and a WAN connection can be
potential weak points. If a compromise is successful
against a WAN connection, the malicious traffic
inbound across the WAN/LAN interface is unlikely to be
filtered.
Remote Access Domain—Remote access is always a
popular target of hackers. Remote access removes the
need for the hacker to be physically present to access
and attack the LAN. Hackers anywhere in the world
with an Internet or telephone connection can still
reach out to attack any seemingly isolated target.
Remote access is an invitation to hackers to try to
breach your defenses.
WAN Domain—WAN domains are networks, such as
ATMs or Frame Relays, owned by a telco or a carrier
network company that leases access to corporations.
Often, the privacy of these WAN connections is
electronic isolation rather than encryption. Hackers
focusing on a specific target may attempt to breach
the electronic isolation of the carrier network rather
than focusing on the endpoint LANs themselves.
System/Application Domain—Collections of servers
hosting applications, virtualized systems, or databases
are valuable targets. Sometimes the data hosted is the
target. Sometimes the computing power of the servers
is the resource the hacker wishes to seize.
FIGURE 4-1
The seven domains of a typical IT infrastructure.
Assets do not have to be expensive, complicated, or large.
In fact, many assets are relatively inexpensive,
commonplace, and variable in size. For most organizations,
including SOHO (small office, home office) environments,
the assets of most concern include business and personal
data. If this information is lost, damaged, or stolen, serious
complications can result. Businesses can fail. Individuals can
lose money. Identities can be stolen. Even lives can be
ruined.
Valuable resources abound on individual computers as
well as on IT infrastructures comprised of interconnected
LANs. Hackers seek out targets based on a variety of goals
and motivations, as well as perceived value of a resource.
But who are the hackers?
Threats from Internal Personnel and
External Entities
What violates network security? The answer includes
accidents, ignorance, oversight, and hackers. Accidents
happen, including hardware failures and natural disasters.
Poor training promotes ignorance. Workers with the best of
intentions damage systems if they don’t know proper
procedures and lack the necessary skills. Overworked and
rushed personnel overlook issues that can result in asset
compromise or loss. Malicious hackers can launch attacks
and exploits against the network, seeking to gain access or
just to cause damage.
“Hacking” originally meant tinkering or modifying
systems to learn and explore. However, the term has come
to refer to malicious and possibly criminal intrusion into and
manipulation of computers. In either case, a malicious
hacker or criminal hacker is a serious threat. Every network
administrator should be concerned about hacking.
While historically two-thirds or more of security violations
have been the direct result of outsiders, the balance is
changing, and very dramatically. As a result of more
automated breaches, more hacking, and increased criminal
and terrorist activity, the percentage of “inside” computer
crime has shrunk as low as single digits, while even small
and medium-sized businesses and small government
agencies experience hundreds of thousands or more attacks
daily. This has markedly increased the need for trained
computer security professionals in organizations of all sizes.
According to the Verizon Data Breach Investigations Report
(http://www.verizonenterprise.com/DBIR/2012/), 98 percent
of data breaches stemmed from external agents.
Hackers are people. Misguided, unethical, ingenious, and
criminal, but still people. The major threat to network
security is mostly because of human intervention. While
designing security, keep in mind that the threat is ultimately
and mostly human. This awareness should lead to better
selections of deterrent, detection, and response.
Employees and external entities represent differing levels
of risk you need to address. An external entity does not start
off intrusion attempts with physical or logical access.
Initially, the risk from an external attacker is low. Outside
attackers must seek out and discover methods of gaining
logical or physical access. Without access, hackers must
resort to attacking external interfaces such as Web servers,
VPN devices, firewalls, and RAS. If these are secure, then
their default or fallback position is to wage a DoS attack,
attempt a burglary, or perform social engineering against
insiders.
FIGURE 4-2
Internal and external hackers.
An on-site employee has physical access to the facility
and logical access to the network. An employee may only
have a standard or normal user account, but some level of
logical access can be parlayed into greater levels of access
(known as privilege escalation). Threats from insiders,
whether physical or logical, are serious. You must address
such threats in your security policy, network design,
infrastructure deployment, and ongoing system and security
management.
The people who represent the most common threats to
an organization’s network security include disgruntled
employees, contract workers, recreational hackers,
opportunistic hackers, and professional hackers.
Disgruntled employees believe that they have been
wronged somehow by the organization. Whether the wrong
is real or perceived, their actions can cause severe
disruption of mission-critical operations. Disgruntled
employees may attempt to embezzle, steal supplies, waste
time, deposit malicious code, leak confidential data,
interrupt other workers, or derail projects.
Contract workers are outsiders brought in to perform
work on a temporary basis. Contract workers can be
consultants, temporary workers, seasonal workers,
contractors, even day-laborers. Outsiders do not necessarily
share the same loyalty to the organization that most full-
time employees exhibit. Thus, if the opportunity affords
itself to compromise the organization for personal gain,
contract workers are more likely to act unethically. Such
criminal outsiders don’t worry about long-term stability or
viability, or the fate of regular employees. Instead, they take
advantage at the expense of others.
Recreational hackers are those who enjoy learning and
exploring, especially with computing technology. However,
they might make poor choices as to when to use their
newfound skills. Bringing in unapproved software from
home, experimenting on the company network, or just
trying out an exploit to see if it works are all potential
actions of recreational hackers. Some hackers might not
fully consider that their hobby can be dangerous and their
actions are in violation of the company security policy.
Opportunistic hackers are hackers who are timid and not
likely to initiate an attack. For whatever reason, they are
unwilling to purposefully plan out and wage intrusions.
However, if the circumstance presents itself for an attack
that can be easily performed with little potential for
discovery or consequence, the opportunistic hacker may
take advantage of the fleeting moment. That moment could
arrive when someone happens to work late and ends up
being the only one left in the building. That moment could
be when a fire drill drives everyone else out of the facility.
Or it could be when a random power outage occurs and half
the workforce leaves for home. That moment could arrive
when he or she notices a certain office door is left open and
no one else is watching.
Professional hackers are criminals whose sole career
objective is to compromise IT infrastructures. Whether
operating as individuals, offering mercenary hacking
services, or functioning as a member of a criminal ring,
professional hackers focus all their time and energy on
conducting the best security assault possible. When people
spend years learning and practicing in one primary area of
interest, they can develop expertise and skills to rival all
defenses. The perfect unbreachable security solution does
not exist. Professional hackers have the time, stamina, skill,
patience, and backing to keep up an assault against a target
until they succeed. They are to a network what termites are
to a wooden building. You can deter them; you can keep
them out most of the time. But they will always be nearby
and eager to gnaw into the foundations if you drop your
guard for a moment.
These descriptions are not meant to imply that all
humans are by nature malicious. Instead, they offer a
realistic perspective on who might be an unethical person,
where potential human-based compromises exist, and what
precautions you should take to protect your organization
from both internal and external threats.
The Hacking Process
As much as IT professionals dislike the practice, hacking can
be a fascinating process. Hackers’ activities often appear
chaotic and random, at least when observed from the
mainstream IT industry. Hackers don’t have to follow any
fixed procedures or recognize any established boundaries.
Instead, they are seeking out vulnerabilities on a selected
target using any and all means at their disposal. For them,
chaos is both a methodology and a defense mechanism.
Generally, hacking falls into five main subgroups of
events or activities. This categorization can represent
hacking, but does not actually control or prevent hacking.
These five categories are (Figure 4-3): reconnaissance,
scanning, enumeration, attacking, and post-attack
activities. This order of phases occurs if an attack is
successful. If an attack is not successful, the hacker can
instead attempt a fallback position.
Reconnaissance
The initiation of the whole process of hacking is called
reconnaissance. Reconnaissance means the act of
inspecting or exploring and can also be called footprinting,
discovery, research, and information gathering. This phase
is the first of three pre-attack phases in which hackers learn
as much as possible about a target before attempting the
first actual attacks. Reconnaissance consists of collecting
data about the target from all possible sources online and
offline. The hacker is careful to avoid tipping off the target
that it’s being probed for information.
FIGURE 4-3
Five phases of hacking.
Reconnaissance can include:
Researching old versions of a target organization’s
Web site at archive.org
Examining search engine contents
Reviewing the live Web site
Investigating the background of personnel
Performing location mapping
Reading job postings
Checking insider information leak sites
Looking at newspaper and magazine articles or
mentions
Perusing press releases
Searching USENET newsgroups, chat archives,
blogs, and forums
Auditing financial records or reviewing public filings
Reviewing court cases and other public records
Querying whois, domain registrations, and public IP
assignments
Eavesdropping on e-mail and other conversations
Visiting a physical location
These are just a few of the possible reconnaissance
activities a hacker can perform. Information gathering is
limited only by the time, resources, and imagination of the
hacker. Once the hacker has built and organized a
reasonable portfolio of information about the target, the
next step is scanning.
Scanning
Scanning is the activity of using various tools to confirm
information learned during reconnaissance and to discover
new details. Scanning is aimed at discovering live and
active systems. Scanning can include wardialing,
wardriving, ping sweeps, and port scanning.
Wardialing is an older tactic that uses the telephone
system to locate any active and answering modems. Using a
modem, a hacker’s computer automatically dials target
phone numbers. The hacker obtains phone numbers during
reconnaissance or by dialing all the numbers in an area
code or prefix.
Wardriving, a term derived from wardialing, is the
technique of using a wireless detector to locate wireless
networks. Hackers used to drive around cities or
neighborhoods with laptop computers to discover wireless
networks. Today, driving is not necessary and smartphones
detect wireless networks automatically.
Ping sweeps are used to discover systems over network
connections that will respond to Internet Control Messaging
Protocol (ICMP) echo requests. Hackers commonly use ICMP
for network health and testing. The ping command or
network mapping utilities send ICMP echo requests to all
possible recipients within an IP address range or subnet.
ICMP echo responses from system indicate their IP address
and that they are up and running.
FIGURE 4-4
Basic TCP and UDP port scanning.
Hackers perform port scanning by sending various
constructions of TCP or UDP packets to ports (Figure 4-4). If
the system is not already known to exist, then a port scan
can determine the existence of a system at a specific IP
address as well as whether a port is open, closed, or filtered.
A TCP port is known to be open if a full TCP three-way
handshake can establish a virtual circuit. A UDP port cannot
be confirmed being open, since the default response from
an open port is always silence.
technical TIP
Ports exist at the Transport Layer (Layer 4) of the OSI
model. TCP and UDP use ports to support multiple
simultaneous communications, connections, or
sessions over a single Layer 3 IP address. There are
65,535 ports, but most systems can only support a few
hundred concurrent transactions.
A port is open if an active service is ready to process
data through the specific port. A port is closed if no
service is associated with a specific port.
When communications elicit error messages or
abnormal responses from a port, a firewall can filter out
these responses. This will result in a port being visible
for valid and normal communications. A firewall can
block any attempt to elicit errors or abnormal
responses.
Scanning is the process of sending out probes to elicit
responses. When a hacker performs scanning, it’s
detectable. Reconnaissance is generally silent, secretive,
and unobtrusive. You are also unlikely to detect scanning to
verify individual data items, such as a single open or closed
port. But when hackers scan to discover all possible IP
addresses in use and all possible open and closed ports, it’s
very noticeable. Scanning for confirmation is to scanning for
discovery as a sniper firing a single bullet is to a Gatling gun
destroying a forest. One activity might or might not draw
attention, but the other will be hard to ignore.
Hackers perform scanning until they discover one or
more targets. Since scanning uncovers only a system and
the open ports, hackers learn very little about the targets.
Hackers stop scanning and move on to enumeration, the
next step toward attacking, whenever they want, based on
the purpose of their attacks. Keep in mind that an attacker
needs only a single vulnerability to gain access. Once
hackers can access one machine, moving on toward
attacking it quickly is the most common escalation.
Enumeration
The enumeration phase is the third pre-attack phase.
Enumeration is the hackers’ process of discovering sufficient
details about a potential target to learn whether a
vulnerability exists that they can successfully attack.
Enumeration often starts with operating system
identification, followed by application identification, then
extraction of information from discovered services.
Enumeration, then, is the discovery and listing of potential
attack targets.
Hackers perform OS identification by probing an open
and closed port of a target. The responses from these ports
identify the OS. This ID is possible because of the
idiosyncrasies of different programmers writing
interoperable code. Each OS uses a different group of
programmers to write their network protocol stack. Even
though the resultant protocol stack may be in compliance
with IEEE standards, the defaults and reactions of the stack
often differ from one OS to the next. These differences are
known and maintained in a small database, which is coded
into most network scanning and probing tools, such as
nmap.
FIGURE 4-5
A banner grabbed from a Web server.
Each open port has a service running behind it. Banner
grabbing is the activity of probing those services to obtain
information (Figure 4-5). Once a connection has begun, a
service may send an announcement of connection or
communication confirmation. This announcement is called
the banner. The banner may contain additional details such
as the product name and version number of the service.
The information in the banner can be used by a hacker
for reconnaissance purposes—to gain the intelligence
needed to form the basis of an attack. One method of
protection that can be employed at low cost is to change
the banner in such a way as to mislead hackers. A little bit
of experimentation will allow banners to be created that
mislead hackers into using the wrong exploits against the
server but still allow the service on the given port to
perform its duties. In some cases, banners are not actually
used, so they may be greatly shortened; in other cases,
advanced features that are not used may be abandoned in a
trade-off that results in better security.
Once hackers have identified the service, they can
request additional information. The information request may
be secure and nothing goes out. But if insecure, the service
may return volumes of data to the hacker. Depending upon
the service and the queries the hacker performs, the
extracted information could include system name, network
name, user names, group names, share names, security
settings, resources available, access control settings, and
more.
Enumeration provides the hacker with identified,
potential attack points. After reviewing vulnerability
databases, such as MITRE (http://cve.mitre.org) or
National Institute of Standards and Technology
(NIST) (http://nvd.nist.gov), hackers evaluate the potential
vulnerabilities. Once the hacker selects an attack target, he
or she collects exploit tools and wages the attack.
One aspect that characterizes modern attacks is the
amount of time that passes before the reconnaissance
phase and the attack phase. In the past, a matter of
minutes may have separated the two, but the more modern
attack might go weeks, months, or longer before it is
unleashed. Such an attack, the highly targeted advanced
persistent threat (APT), will be discussed in more depth
later in this chapter.
Attacking
Attacking is the fourth phase of hacking. Although this
seems to be the phase that attracts most of the hype about
hackers, in fact, it’s the briefest phase of the overall hacking
process. A successful attack, based on solid research and
preparation, can take just seconds.
If an initial attack fails, hackers can modify their exploits,
tune their payloads, adjust their shell code, reset their
vectors, and relaunch the attack. Once hackers figure out
that an assumed vulnerability doesn’t exist or has been
secured, they return to their enumeration results to select a
new point of assault. Again, think of termites: If they can’t
get into the house structure through a doorjamb, they will
just as eagerly try to enter through a window sill. They are
relentless.
Repeated attacks will either lead to an eventual
successful breach or to the frustration of a successful
defense by the target. If successful, the attacker moves on
to post-attack activities. If unsuccessful, the attacker can
elect to move to alternative fallback attacks.
Post-Attack Activities
In a successful attack, the hacker usually has breached the
target’s security to gain some level of logical access. This
could be the credentials of a standard user account or a
command shell accessed through a buffer overflow
exploit. In any case, some common post-attack activities
usually take place. These include privilege escalation,
depositing additional hacker tools, pilfering data, and
removing evidence.
Privilege escalation is the action of attempting to gain
higher levels of access or privilege over the target. This can
occur using a keystroke logger, known OS exploits to steal
administrator or system access, manipulation of scheduled
tasks, social engineering, Trojan horses, remote control
programs, and other mechanisms. The result is that the
hacker gains access to a user account or a command shell
that operates as an administrator, root, or the system itself.
With privileged access, the remaining post-attack activities
are much easier.
Depositing additional hacker tools gives the hacker more
power over the compromised system. Tools may enable
additional abilities unavailable through the current
connection method. Tools may assist in pilfering data. Tools
may also assist in removing evidence. Or tools may assist in
maintaining or regaining access in the future.
Pilfering data is just that: scouring storage devices
looking for files of interest. Hackers look for anything they
can turn into cash immediately. They also look for things
that would be fun or interesting to disclose to the public.
They look for items they can use to blackmail or coerce
users. And, of course, they are on the lookout for potentially
valuable information for bartering or trading with other
hackers or criminals. Dumping the user account database
and password hashes is often a priority as well. Cracking the
passwords of other users will help if accessing the system
again in the future.
Removing evidence of the compromise and subsequent
activities is an important step for the hackers. Failing to
cover their tracks could lead to apprehension and
prosecution. Allowing the IT and security staff to discover
the intrusion will only lead to heightened levels security.
Discovery makes future returns more difficult, if not
impossible, depending on the hacker’s skill set.
Once the hacker performs evidence cleanup, the attacker
can claim to have owned (or pwned, in leetspeak,
hackers’ secret code language) a system. The hacker has
demonstrated his or her skills through the discovery,
tracking, and penetration of a target. This is often the goal
of a hacker: to successfully penetrate a target. However,
such successes are not always easy, or common. If the
attacks fail, the hacker always has fallback attack options.
Fallback Attacks
Fallback attacks are the other options for mayhem a hacker
can deploy after unsuccessful breach attempts against a
target. Common alternatives to intrusion include DoS,
eavesdropping, breaking and entering, social engineering,
malicious code, session hijacking, man-in-the-middle
attacks, wireless hacking, SQL injection, Web site attacks,
and more. The following sections of this chapter discuss
these and other attacks.
Common IT Infrastructure Threats
Some important aspects of security stem from
understanding the techniques, methods, and motivations of
hackers. Once you learn to think like a hacker, you may be
able to anticipate future attacks. This enables you to devise
new defenses before a hacker can successfully breach your
organization’s network.
So how do hackers think? Hackers think about
manipulation or change. They look into the rules to create
new ways of bending, breaking, or changing them. Many
successful security breaches have been little more than
slight variations or violations of network communication
rules.
Hackers look for easy targets or overlooked
vulnerabilities. They seek out targets that provide them the
most gain, often financial rewards. Hackers turn things over,
inside out, and in the wrong direction. They attempt to
perform tasks in different orders, with incorrect values,
outside the boundaries, and with a purpose to cause a
reaction. Hackers learn from and exploit mistakes and
anomalies, especially mistakes of network security
professionals who fail to properly protect an organization’s
assets.
The more you understand about the various threats and
risks to network security, the more defenses you can mount
against attacks. Threats to network security include hacker
exploits, as well as Mother Nature, device failures, and even
normal business activities.
Hardware Failures and Other Physical
Threats
Network security is not just about protection against
hacking. Many other threats face computer systems on an
ongoing basis. Computer equipment is complex and
sometimes fragile. Hardware failures are the most common
cause of unexpected downtime. Most equipment operates
well beyond its expected lifetime in normal environments.
Some forms of technology, however, are more prone to
failure than others.
One of the most commonly discussed causes of
unexpected downtime is hard drive failure. A hard drive is
one of the few common computer components that has
moving parts. While optical drives, tape drives, mice, and
keyboards have moving parts, these devices seem to outlast
hard drives by a significant margin. Hard drive failure can
occur unexpectedly or with reasonable warning. The
warning is usually a grinding, whining, or clicking noise
coming from the drive as it begins to fail. These noises are
clear signs that the end is near.
The best defense against hard drive failure, as well as
hardware failure in general, is to be prepared. Being
prepared includes consistent periodic backups, using
redundant array of independent disks (RAID),
performing general cleaning and maintenance, and having
spare parts on hand for the inevitable. Another method to
avoid downtime and a loss of availability is to replace
equipment before it fails. Most devices have a mean time
to failure (MTTF) or mean time between failures
(MTBF) that can determine the statistical likelihood of a
failure. It is a good practice to replace the device before that
period expires. While you will be replacing some devices
long before their actual failure, this technique keeps the
statistics on your side. Though planned downtime is costly,
it is less costly than unplanned downtime.
Another physical threat is heat. Too much heat damages
computer equipment. Systems that experience severe
temperature cycles, such as very hot to very cold, can have
incidents of chip creep or warping and cracking of materials.
Chip creep is caused by the expansion and contraction of
metal because of temperature changes. Severe temperature
cycling can even break soldered connections. The traditional
debate about turning computers off at night or over
weekends and leaving them in a running state speaks to the
effects of these temperature changes. A running computer
is at its optimum functioning temperature.
Static electricity discharge (SED) from dry conditions
can destroy most circuits. Frayed wires caused by rubbing
against sharp metal edges can cause a short circuit.
Moisture due to high humidity in the air or liquid spills is
always bad for electrical devices. Excessive vibration can be
damaging to computer equipment. Vibrations caused by
nearby heavy construction or regular passing of trains,
subways, and airplanes can cause damage over time. Any
obvious physical damage caused by devices falling, being
knocked over, having heavy objects dropped on them, and
so on can result in broken equipment.
You can eliminate or significantly reduce most physical
risks and threats with reasonable precautions and common
sense in proper handing, care, and storage of electronic
equipment.
One such risk is intentional electromagnetic
interference (IEMI), in which an intentional discharge is
made that damages or destroys electronic equipment from
cell phones and video surveillance to computers and
servers. IEMI discharges have been recorded up to two miles
away and pose no risk of damage to living creatures. While
IEMI and related technologies have been used by the
military for years, IEMI is just now becoming a threat to
computer security.
One final physical threat is theft. Physical facility
protections ensure that an IT infrastructure is not
threatened by unauthorized outsiders (or insiders) walking
away with storage devices or other critical components.
Natural Disasters
Mother Nature is unpredictable and quite powerful. All sorts
of serious weather events damage or destroy IT
infrastructures. Knowing the types of severe weather
common in your area will suggest the correct precautions,
such as special insurance, structural reinforcements,
lightning protection, surge protectors, bilge pumps, and so
on. No matter what the potential disaster, the best
protection for data is a reliable regular backup stored in a
secured, offsite facility.
Accidents and Intentional Concerns
Accidents happen. Whenever humans are involved, things
will go wrong. Murphy’s Law states, “Anything that can go
wrong will.”
An IT infrastructure is a large, complex, but fragile entity.
And it is completely at the mercy of human beings.
Accidental damage in the wrong location or at the wrong
time can have devastating results. Accidents include spilling
liquids on equipment, tripping over cables, pulling out the
wrong power cord, tripping the building’s circuit breaker,
setting off the water sprinklers, placing candles on top of
warm devices, knocking over a computer, turning off a
system prematurely, installing the wrong driver, removing
the wrong cable, and so on.
The best precautions and protections against accidents
are backups, configuration documentation, and training.
With some commonsense adjustments to worker activity,
paying closer attention to activities they perform, and
watching out for precarious circumstances, you can avoid
many “common” accidents.
Unfortunately, accidents are not the only concern when
humans are around. Another threat to network security is
intentional damage or sabotage. Disgruntled employees,
dismissed contract workers, opportunistic janitorial staff,
unhappy managers, and even careless visitors can wreak
havoc in moments if they have access to sensitive
equipment or information. Proper personnel screening,
perceptive supervisory oversight, escorts, background
checks, security cameras, training, paying attention to the
corporate culture, giving in on some indulgences (such as
an occasional long lunch or casual Fridays), and providing
competitive pay scales can go a long way toward preventing
intentional disruption or destruction of IT equipment and
resources.
Malicious Code (Malware)
Malware is the shortened term for malicious software.
Malware is unethical code hackers write to cause harm and
destruction. Malware gains access to a system in myriad
ways, usually without the consent or knowledge of the user.
The most common vectors of this computer contaminant are
portable storage devices and Internet communications. A
wide range of types of malware exist, including the virus,
the worm, the Trojan horse, keystroke loggers, spyware,
adware, the rootkit, the logic bomb, the trapdoor, the
backdoor, dialers, URL injectors, and exploits. The
number of unique malicious code examples is astounding. In
April 2012, Symantec reported that its virus definitions file
contained 17.7 million separate signatures—although as
ZDNet blogger Ed Bott noted, some of them are of more
concern than others.
Just like a biological virus, a computer virus needs a host
object to infect. Most viruses infect files, such as
executables, device drivers, DDLs, system files, and
sometimes even document, audio, video, and image files.
Some viruses infect the boot sector of a storage device,
including hard drives, floppies, optical discs, and USB drives.
Viruses spread through the actions of users. As users open
infected files, the virus spreads to other files. As users send
infected files to other systems, the virus spreads there, as
well.
Unlike viruses, which spread from file to file, worms
spread from system to system. Because human interaction
isn’t necessary for propagation, they can (and do) spread
much more quickly than viruses. Today, nearly every threat
described as a virus is really a worm. Hackers design worms
around specific system flaws. The worm scans other
systems for this flaw, and then exploits the flaw to gain
access to another victim. Once hosted on another system,
the worm spreads itself by repeating the process. Worms
can be carriers to deposit other forms of malicious code as
they multiply and spread across networked hosts.
A Trojan horse is actually a mechanism of distribution or
delivery more than a specific type of malware. During the
Trojan War, the Greeks built a huge, hollow wooden horse,
hid warriors inside, and seemingly departed the area. The
Trojans took the horse into their citadel and were massacred
overnight when the Greek warriors emerged from hiding.
The concept now embeds a malicious payload within a
seemingly benign carrier or host program. When the host
program runs, the malware is delivered.
The gimmick of a Trojan horse is the act of fooling
someone (a type of social engineering attack) into accepting
the Trojan program as safe. Any program can be converted
into a Trojan horse by embedding malware inside it, in the
same way that any food can be poisoned by adding a toxic
substance to it. In fact, hackers have specialized tools
designed for the express purpose of building Trojan horses
called wrappers or Trojan horse construction kits.
Keystroke loggers record the keyboard activity of a user.
Hackers can deposit software keystroke loggers onto a
victim’s system through a variety of techniques, including a
worm or a Trojan horse. Once a system is infected, the
keystroke logger periodically transmits key logs to the
originating hacker through e-mail, FTP, or instant message
(IM). Hardware keystroke logger attacks can come through
the keyboard cable. These are hard to detect because they
are so small and are a parasitic link to the keyboard cable.
Spyware is an advancement of keystroke logging to
monitor and record many other user activities. Spyware
varies greatly, but can collect a list of applications launched,
URLs visited, e-mail sent and received, chats sent and
received, names of all files opened, recording of network
activity, periodic screen captures, and even recordings from
a microphone or images from a Web cam.
Adware infiltrates advertisements. Spyware and adware
are often linked together in a symbiosis, since the
information learned about a target from spyware helps in
selecting materials the adware will push through. Adware
can push advertisements as pop-ups, as e-mail messages,
or by replacing existing legitimate ads on Web sites as they
display in the browser.
Rootkits are malicious camouflage that function as
invisibility shields for anything a hacker wants to hide on a
computer. A rootkit acts like a device driver and positions
itself between the kernel (the core program of an operating
system) and the hardware. From there, the rootkit can
selectively hide files on storage devices and active process
in memory from being viewable, accessible, or detectible by
the OS. Rootkits hide other forms of malware or hacker
tools. Rootkits can include other malware functions in
addition to their stealth abilities.
A logic bomb is an electronic land mine. Once a hacker
embeds a logic bomb in a system, it remains dormant until
a triggering event takes place. The trigger could be a
specific time and date, the launching of a program, the
typing of a specific keyword, or accessing a specific URL.
Once the trigger occurs, the logic bomb springs its malicious
event on the unsuspecting user.
Trapdoor and backdoor malware are two terms for the
same type of malware. A backdoor or trapdoor program
opens an access pathway for a hacker to gain easy access
into a compromised system. The access could be the
creation of a new user account with credentials the hacker
has defined; a rogue Web, telnet, or SSH server that gives
the hacker remote command prompt access; or a source
that enables full remote control over the victim’s machine
(sometimes just by turning on Remote Desktop on a
Windows host). Many other possible trapdoor or backdoor
manipulations can grant access to external hackers.
A dialer is a rogue program that automatically dials a
modem at a pre-defined number. Sometimes this process
auto-downloads additional malware to the victim or uploads
stolen data from the victim. In other cases, the dialer calls
premium rate telephone numbers to rack up massive long
distance charges. If the user normally connects to the
Internet over a dial-up link, the dialer to could dial a rogue
proxy site instead of the ISP. This site would act as a man-in-
the-middle and be able to eavesdrop on all communications.
URL injectors replace URLs in HTTP GET requests for
alternative addresses. These injected URLs cause a different
Web page to appear in the browser than the one requested
by the user’s click. These replaced Web pages could present
advertisement sites, generate traffic to falsify search engine
optimization (SEO), or lead to spoofed sites.
Exploits are any form of malware designed to take
advantage of a flaw in programming, timing,
communication, or storage. Hackers often embed exploits
into other forms of malware to assist in their infection and
distribution. Exploits also exist on their own, usually as tools
employed by hackers to wage attacks, cause damage, and
perform intrusions.
Spam is any unwanted and unsolicited message. Spam is
not technically malicious software, but spam can have a
series negative effect on IT infrastructures. Experts estimate
that 80 to 95 percent of e-mail Internet traffic is spam and
other forms of malicious messages. Hackers can easily use
spam to wage DoS attacks through flooding and commonly
use it to wage social engineering attacks such as phishing.
Malware is spread through the same communication
channels as legitimate, benign data. The difference is that
hackers design malware to cause distress and destruction. A
growing area of risk for the spread of malware is mobile
code. Mobile code is software that hackers write for easy
distribution over communications networks, such as the
Internet and mobile phone networks. Hackers design mobile
code to download to a host, then execute on the host.
Because of a lack of proper precautions and awareness by IT
professionals, malware under the guise of mobile code is
spreading more rapidly than ever.
Advanced Persistent Threat
For many years, it was common for the general public, and
even many knowledgeable security professionals, to call
every type of malware a virus. It has become just as
common for every type of malware to now be called an
advanced persistent threat (APT). And it is just as wrong.
While the occurrence of APTs has increased dramatically,
they still represent a small percentage of attacks. It is true
that APTs represent the next generation of malware in that
they sit quietly on a target machine until they are activated.
However, APTs are highly targeted, with the targeting
intelligence often gleaned from other types of attacks, from
phishing to social engineering. Historically, most attacks
have been opportunistic attacks seeking the lowest-hanging
fruit, the weakest systems to break in to. As we see a shift
from financially motivated attacks to state-sponsored
espionage and hacktivism, or politically motivated hacking,
it follows that we are likely to see the continued growth of
targeted attacks such as APTs.
Even with all the variations of malware that currently
exist and those that will exist in the future, you can choose
from only a few common defenses: antivirus software, anti-
malware scanners, integrity checking scanners, and user
awareness. Antivirus software actively searches for viruses,
worms, Trojan horses, and other similar destructive forms of
malware in memory and on storage devices. Anti-malware
scanners look for spyware, adware, dialers, and so forth that
an antivirus software might not address. An integrity
checker keeps a database of hash values for all system and
application files and reports when unauthorized changes
occur to those files. You can improve user awareness by
offering training that encourages responsible action with
regard to security. Training will also encourage users take
reasonable precautions against infection and attack both at
work and at home.
Fast Growth and Overuse
Granted, network security is not always an organizational
priority. Some organizations are more concerned with profits
and rapid growth than spending time on network security.
Security is sometimes viewed as an annoying overhead
expense that consumes resources without providing any
return to compensate for the outlay. While this mindset is
common among senior management, it’s a poor and
incorrect understanding of the return on investment
(ROI) of the crucial investment in network security.
Network security—in fact, most forms of security—
protects the organization so that its profit centers can
function without interruption or interference. Without
network security, the capability and availability of the IT
infrastructure would be unstable, especially during periods
of accident, infection, attack, or hardware failure. Network
security reduces the occurrences of downtime and damaged
or lost resources. What could be more important to an
organization’s bottom line?
Organizations that fail to address security issues as they
experience explosive growth are more likely to experience
catastrophic failure. By failing to protect assets
(communications, data stores, intellectual property,
customer data, financial records, and private personnel
data), any level of hacker breach could result in
organizational implosion.
Racing to get ahead, without proper planning and
preparation, usually ends in failure. When constructing a
skyscraper, the top of the structure isn’t built until each
floor below it is properly erected. Growing a company too
fast without adequate network security protections is like
attempting to build the penthouse before the lower floors
are completed. The rise to the top floor may be exhilarating,
but the subsequent crash will be unavoidable. What goes up
too fast will inevitably come down faster.
A slightly slower growth rate to build network security
concurrently with the expansion of the organization is a
much smarter plan. Such a deliberate approach is more
likely to provide sustained growth and longevity than one
based on an unbridled push for forward momentum without
considering the risks.
Another potential oversight is an organization’s pushing
equipment, software, and connectivity beyond a reasonable
load level. Trying to pull a yacht with a sports car comes to
mind. It looks sexy, but what’s at risk? Modern IT equipment
is able to perform at astounding levels. But even the best
equipment can do only so much before it exceeds its peak
operational limitations—and starts trending toward failure.
The growth of most organizations is predictable.
Predictable growth can help plan for expansion of
infrastructure before the infrastructure becomes a
bottleneck. As growth passes 60 percent capacity of the
current infrastructure, you should already be planning for
expansion. As growth passes 80 percent capacity, take
steps to implement expansion. As growth passes 90
percent, accelerate your efforts to complete the expansion.
If the company reaches 100 percent capacity before it
completes expansion, a bottleneck inhibiting growth will
result. This obstacle can create a bounce-back effect, in
which interrupted growth could shrink the organization,
making the return to growth more difficult. Equipment,
storage space, memory capacity, backup capabilities,
communication bandwidth, and processing capabilities
should never reach maximum use or consumption. You
should reserve sufficient overhead for the occasional spike
above normal maximum activity.
Wireless Versus Wired
The security implications of a wireless network compared to
a wired network are often exaggerated. The biggest
difference is the mechanism and proximity of the attack.
With wired networks, a hacker must gain physical proximity
to a target to make direct contact with it. Once connected to
the wired network, the hacker can attempt various attack
and exploits.
With wireless networks, the hacker doesn’t have to be
physically close. Hackers can attempt network breaches
from a mile or more away from the access point (Figure 4-6).
In most real-world situations, however, the range is often
under a thousand feet with a small but powerful directional
antenna.
In either case, wired or wireless, the hacker must first
obtain a network connection with the target network to
attack if the hacker’s goal is to gain access to user accounts
or data stored on the network. If the hacker is mainly
interested in destruction and DoS, then logical network
access isn’t necessary.
FIGURE 4-6
Wired networks require local attacks; wireless networks
allow for remote attacks.
Eavesdropping
Eavesdropping is listening in on communications.
Eavesdropping can be the recording of network traffic using
a packet capturing tool, generically known as a sniffer
(Figure 4-7). Hackers can eavesdrop against data packets or
against voice traffic. Eavesdropping can occur over wired or
wireless connections.
Any communication performed in plain and directly
usable data forms is subject to interception and recording.
You can prevent eavesdropping by using encrypted
protocols. Only cryptographically encoded messages are
safe from outsiders learning the content of the conversation.
Replay Attacks
Replay attacks are also known as playback attacks. A
replay attack is the retransmission of captured
communications. The goal of a replay attack is to gain
interactive or session access to a system. The traffic
captured and retransmitted for a replay attack is
authentication packets (Figure 4-8). In this type of attack,
the hacker captures traffic between a client and server, and
then later retransmits it against the same server as the
original communication.
FIGURE 4-7
Eavesdropping on an existing session between client and
server.
FIGURE 4-8
Replay attacks collect authentication packets, and then
retransmit them later.
The goal of this attack is to replay the credential packets
so that the hacker gains access to the user’s account on the
target host. Another type of replay attack is resending a
transaction, such as “Send a $10 refund check.”
Fortunately, you can thwart most replay attacks by using
one of several common communication improvements.
Many authentication transactions include a non-replayable
random challenge-response dialogue. This dialogue consists
of one endpoint generating a random seed value sent to the
other endpoint. The second endpoint uses a mutual secret
known by both endpoints to compute a response using a
one-way computation. The response returns to the original
endpoint, where the response was predicted. If the received
and predicted responses match, the user is authenticated.
Another defense against replay attacks is time stamps.
Some authentication exchanges have encoded time details
that are difficult to reproduce or modify without detection.
Additionally, the use of one-time pad or session-based
encryption can make replay attacks impossible.
Insertion Attacks
Insertion attacks come in many forms, but all of them
involve the introduction of unauthorized content or devices
to an otherwise secured infrastructure. Three common
insertion-based attacks include SQL injection, IDS
insertion, and rogue device insertion.
SQL injection is an attack that inserts a hacker’s code
into a script hosted on a Web site. SQL injection attacks can
give the hacker access to the back-end database of a Web
application. The technique exploits a weakness in common
Web communications that treats certain characters
differently because they are assigned a special meaning or
purpose rather than just treated as text. These are called
metacharacters and act as programming markup. If you
don’t write a script defensively to block out or ignore
metacharacters, then injection attacks can effectively
rewrite the script based on content a hacker submits. The
injected code can perform just about any possible command
line task imaginable.
IDS insertion is a form of attack that exploits the nature
of a network-focused IDS to collect and analyze every
packet to trick the IDS into thinking an attack took place
when it really hasn’t. The common purpose of IDS insertion
attacks is to trick signature- or pattern-matching detection
of malicious network events. By interspersing attack traffic
with packets that the target host will reject but the IDS will
view, the IDS fails to see the attack pattern, but the attack
still takes place. For example, suppose an attack is
composed of four packets, A, B, C, and D, and the IDS
signature is a packet stream of ABCD. If the hacker
transmits the attack as AXBCYD, where X and Y are invalid
packets rejected by the target, then the IDS doesn’t
recognize the pattern. After X and Y are discarded, the ABCD
attack occurs against the target.
Rogue device insertion is a physical form of insertion
attack where a hacker inserts an imposter device into an
infrastructure. The most common example of this is the
insertion of a rogue wireless access point configured
similarly to the real, authorized access point. Some users
might be fooled into connecting to the rogue access point.
This would constitute a man-in-the-middle attack where the
hacker would intercept all transactions from the
compromised system.
Each insertion attack method requires that you create a
unique defense. You can prevent SQL injection attacks by
defensive programming and filtering input. Squelch IDS
insertion attacks by using modern IDS techniques such as
anomaly, behavioral, and heuristic detection. You can derail
a rogue device insertion through encrypted
communications, pre-configured network access, prohibited
wireless networking, user training, and regular site surveys.
Fragmentation Attacks, Buffer
Overflows, and XSS Attacks
Fragmentation Attacks
Fragmentation attacks are an abuse of the fragmentation
offset feature of IP packets. Fragmentation occurs when
there are many different network links connected to
construct a global infrastructure. Some network segments
support smaller datagrams (another term for packet or
frame) than others, so larger datagrams are fragmented
into the smaller, more compatible size. When the
fragmented elements of the original datagram reassemble,
manipulations of fragmentation can cause several
potentially malicious reconstructions, such as overlapping
and overrun. Think of the transporter on Star Trek: If
anything gets in the way of the reassembly of the person
being transported, you might end up with an evil Mr. Spock
with a goatee.
Overlapping can cause full or partial overwriting of
datagram components creating new datagrams out of parts
of previous datagrams. Overrun can result in excessively
large datagrams. Other fragmentation attacks cause DoS or
confuse IDS detection and firewall filtering.
Protections against fragmentation attacks include
modern IDS detection and firewall filtering features, as well
as performing sender fragmentation. Sender fragmentation
queries the network route to determine the smallest
maximum transmission unit (MTU) or datagram size.
The sender then pre-fragments the data to ensure that no
fragmentation needs to occur en route. “Beam me up, Mr.
Scott—and make sure I get back all in one piece.”
Buffer Overflows
A buffer is an area of memory designated to receive input.
Buffers are of a specifically determined size set by the
programmer, since only a finite amount of memory resides
on a host. A buffer overflow is an attack against poor
programming techniques and a lack of quality control.
Hackers can inject more data into a buffer than it can hold,
which may result in the additional data into the next area of
memory.
This overflow could be totally ignored, could trigger an
overflowing crash or freeze, or could result in arbitrary
code execution. In the latter case, the hacker crafts the
input stream so the overflowed data is a command-line code
statement executed with system-level privileges.
Programmers can prevent buffer overflows. Using
defensive programming techniques, such as input limit
checks and avoiding programming language functions that
do not check boundary limitations, buffer overflows become
a useless form of attack.
XSS (Cross-Site Scripting) Attacks
Cross-site scripting (XSS) is similar to SQL injection, but
the results attack future visitors to a Web page rather than
grant the hacker access to the back-end database. An XSS
attack submits script code to a Web site. XSS can result in
persistent malicious modification of Web source files. This
causes all future visitors to the site to receive compromised
content.
XSS attacks can include e-mails to victims with falsified
hyperlinks that point the script injection to a target site
when the victim clicks on the e-mail’s embedded links. Such
an attack can grant the hacker access to the seemingly
secured Web transaction of the victim. This form of attack is
non-persistent since it affects only those who click on the
links in the malicious e-mail.
XSS attacks are generally preventable if you use
defensive coding techniques and metacharacter filtering.
For end users, defenses include cookie management and
disabling scripting support in browsers and e-mail clients.
Man-in-the-Middle, Session Hijacking,
and Spoofing Attacks
Man-in-the-Middle Attacks
Man-in-the-middle (MitM) attacks occur when a hacker
intervenes in a communication session between a client and
a server. The attack usually involves fooling or tricking the
client into initiating the session with the hacker’s computer
instead of with the intended server (Figure 4-9). This form of
attack is also called an interception attack, a proxy
attack, or a monkey-in-the-middle attack.
FIGURE 4-9
Man-in-the-middle attacks fool clients into initiating sessions
with the hacker instead of the target server.
MitM attacks involve a pre-attack element, in which the
client is given false information that leads the client to
request a session with the hacker’s computer rather than
the real server. The hacker can accomplish this using one of
several methods: ARP spoofing—Address Resolution
Protocol (ARP) is a non-authenticating broadcast query
service that requests the MAC address from a system using
a specific IP. If a hacker running an ARP spoofing tool
sends a false response to the requester before the real
response returns, then the sender will use the false MAC
address. Subsequent frames go to the rogue MAC address,
which the hacker’s computer uses. ARP spoofing must occur
within a subnet.
MAC spoofing—The hacker’s computer uses a
server’s MAC address; while the server is flooded, the
hacker’s system receives traffic instead of the
intended server. MAC spoofing must occur within a
subnet.
DNS poisoning—To perform DNS poisoning, a
hacker compromises a DNS server and plants false
FQDN-to-IP mapping records. The DNS source will feed
subsequent user queries false data.
DNS spoofing—DNS is a non-authenticating query
service that requests the resolution of a FQDN into its
related IP address. A hacker hosting a rogue DNS
spoofing tool can send back false DNS responses.
technical TIP
When a non-authenticating query service is in use,
it does not confirm the source or the validity of any
response received. Thus, if you receive a fake, spoofed,
or rogue response, the system accepts it as genuine
and the query session ends. If the real response
arrives, the system rejects it as an invalid or stray
packet because it will no longer correspond to any
open query session.
ICMP redirect—On subnets with multiple routers,
ICMP redirects can cause a host to alter its routing
table. This attack could redirect traffic along a different
route than the default, expected, or optimal one.
Proxy manipulation—To perform proxy
manipulation, a hacker reconfigures a client’s proxy
configuration. Requests for services go to the hacker’s
system that acts as a MitM proxy.
Rogue DHCP—A rogue DHCP is a false DHCP server
that can provide IP address configuration leases for a
unique subnet and define the default gateway since
the hacker’s computer acts as a MitM router/proxy.
Rogue access point—To create a rogue access
point, a hacker configures a rogue wireless access
point similarly to the real authorized access point that
can fool users into connecting, which then serves as a
MitM proxy.
Defenses against MitM attacks include IDS and IPS solutions
that monitor for common network abuses or abnormal
network activity. Additionally, strong multifactor
authentication and mutual authentication can reduce the
success of MitM attacks.
Session Hijacking
Session hijacking occurs when a hacker is able to take over
a connection after a client has authenticated with a server
(Figure 4-10). To perform this attack, a hacker must
eavesdrop on the session to learn details, such as the
addresses of the session endpoints and the sequencing
numbers. With this information, the hacker can
desynchronize the client, take on the client’s addresses, and
then inject crafted packets into the data stream. If the
server accepts the initial false packets as valid, then the
session has been hijacked.
FIGURE 4-10
Session hijacking steals a connection from a client.
In a session hijack, the attacker does not directly learn
the credentials of the client. If the hacker loses the
connection, he will have to look for another session to
hijack. The client who lost the session will be aware that the
connection was lost, but will not necessarily be aware that
the disconnect was a hijack attack.
Session hijacking sometimes employs DNS spoofing,
poisoning, ARP spoofing, ICMP redirects, and rogue DHCP to
alter the route or pathway of a session. The hacker uses this
pathway alteration to make the session hijacking attack
easier by forcing the target session to travel over a more
accessible network segment.
Any host that uses TCP/IP without encryption is
vulnerable to session hijacking. Even with complex or
pseudo-randomized packet sequence numbering, a little
eavesdropping is all that is necessary for hackers (or the
hackers’ tools) to predict future sequence values. The only
true protection against session hijacking is encryption, such
as a VPN.
Spoofing Attacks
Spoofing is falsification of information. Most spoofing is a
falsification of the identity of a source. E-mail addresses,
MAC addresses, and IP addresses are all easily spoofed.
Spoofing tricks a user or a host into believing a
communication originated from somewhere other than its
real source. This is a common tactic in the transmission of
spam. Spoofing impersonates an authorized entity, such as
MAC spoofing to bypass wireless access-point MAC filtering.
Spoofing is difficult to prevent and somewhat hard to
detect. Most spoofing detection occurs when you watch
normal traffic and look for addressing anomalies. For
example, if a switch sees that a specific MAC address is the
source address for frames received on switch port 6, and
that MAC address also appears as the source address for
frames received on switch port 9, that’s a symptom of MAC
spoofing (Figure 4-11). In another example, if a firewall
receives a packet on its external interface and the source IP
address is an internal LAN address, spoofing could be going
on.
FIGURE 4-11
Spoofing of a client’s MAC address by a hacker’s computer.
technical TIP
The alternate data streams (ADS) of NTFS are a
feature added to this file system to support files from
POSIX, OS/2, and Macintosh. This feature was added
to NTFS in the mid-1990s to drive government
purchase of Windows NT. However, even with POSIX
and OS/2 support now dropped from Windows and
Macintosh hierarchical file system (HFS) support no
longer needed, NTFS has retained this feature. ADS is
the ability of a file to contain multiple resource forks.
The result of NTFS support for ADS is that not just
additional resources, but complete additional files, can
hide below any normal file object.
A normal file object, including directories, can contain
numerous additional files underneath itself. The
number of additional files is limited only by the total
amount of free space on the drive and the size of the
hidden files. Once a file stores as an ADS, it’s no longer
visible or easily accessible by the OS itself. Several
hacking tools can create and manipulate ADS. Only a
few scanning tools, such as Streams from
sysinternals.com, and only a handful of malware
scanners can specifically explore a drive for ADS
hidden code.
Spoofing is something to watch and filter for, but no real
or direct prevention of spoofing exists. Additionally, hackers
can intercept and modify data already in transit from a real
source if it’s not encrypted. Thus, spoofed data does not
always originate as falsified communications.
Covert Channels
Covert channels are hidden, unknown, unique, atypical
pathways of information transfer. The channel is covert
because it is unknown and unseen. Hackers use covert
channels for secretive communications, often to leak data
out of a secured environment. Covert channels are insecure
pathways of transmission. If the pathway were known, it
would be an overt channel and likely blocked, filtered, or
otherwise secured.
Two main forms of covert channels exist: timing and
storage. A timing channel conveys information through
timed and synchronized activities. A few potential examples
of timing covert channels include: Blinking lights to
distribute information in Morse code
Manipulating a fan’s speed so the higher and lower
pitched noise creates binary transmission
Throttling the bandwidth consumption on an Internet
link so that at a specific interval a utilization
measurement reads a value below 60 percent as a
zero and a value above as a one for binary
communications A storage covert channel conveys
information through unseen or undiscovered storage
locations. A few potential examples of storage covert
channels include: Using the unpartitioned space
of a hard drive to store data written via a hex editor
Using a firmware flash memory on-board chip to store
data
Using the alternate data streams of new technology
file system (NTFS) to hide files
Using the slack space of a hard drive to store data
The best defenses against covert channels include IDS and
IPS, as well as thorough monitoring of all aspects of an IT
infrastructure for aberrant or abnormal events of any type.
Predicting covert channels is difficult because by their very
nature they are unknown and unseen.
How Hackers Hijack Slack Space
A hard drive contains segments known as sectors. A
sector is the smallest fixed-size block of storage space
of a drive and is 512 bytes. When a file system is
applied to a partition, clusters are created out of
one or more sectors. Slack space is the unused
portion of the last cluster only partially consumed by
a stored file. The cluster:sector ratio typically ranges
from 1:1 to 1:128 for clusters of 512 bytes to 64 KB.
A file system has a fixed maximum number of
addresses assigned to clusters. Larger drives have the
same number of clusters as smaller drives, but the
clusters are larger. It’s a little like shoes: kids’ shoes
are one pair to a box, just like adults’ shoes, but the
box containing adults’ shoes is bigger. A cluster is the
smallest consumable element of storage space and
can contain data from only a single file. No native
mechanism addresses sub-cluster divisions in
standard file system formats.
When a file writes to a drive, it consumes as many
clusters as necessary to contain all of the data of the
file. All clusters but the final or last cluster containing
the file are filled. The last cluster is fully consumed
only if the file happens to be an exact multiple of the
cluster size (which is not very common). The unused
portion of the last cluster is known as slack space
(Figure 4-12). Slack space is effectively unusable,
wasted storage space.
Hackers have developed special file manipulation
tools that can locate and hijack the slack space and
use it to create hidden volumes on a hard drive.
These volumes are nearly impossible to detect
because they are not contained, referenced, or
addressed by the file system of the storage device.
Instead, the slack space drive exists only because
special software can address sub-cluster storage
locations. The slack space drive software operates
independently of the OS and the file system.
FIGURE 4-12
Slack space is the unused portion of the last cluster only
partially consumed by a stored file.
technical TIP
Web servers, or at least Web sites, appear on the
Internet in a least four different architectural
deployment options: reverse proxy, DMZ, co-location,
and hosting. Reverse proxy uses a static NAT mapping
or port forwarding to allow outside visitors to initiate
communications with an internal server. This is the
poorest security choice because it could grant hackers
access to the entire intranet if the Web server is
compromised.
Hosting a Web server in a DMZ is a more secure
solution. However, if compromised, a DMZ Web server
gives the hacker a weapons platform just outside of the
private network’s front door. Co-location is placing a
Web server host directly on an ISP network within a
facility. Hosting is leasing access to space on an
existing Web server owned and managed by the
hosting entity (squarespace.com is a great example).
These last two options are the most secure; if the Web
server/site is compromised, the hacker gains no
location benefit to breach the private network.
Network and Resource Availability
Threats
To be successful, many exploits and attacks require special
access on a private network. Some exploits will function
against an Internet facing Web server, but such a server
might not directly connect to a private network. If a hacker
is unable to find an exploitable vulnerability that gains
access or control over the targeted systems, a fallback or
final resort option is to launch availability attacks.
An availability attack aims at preventing legitimate
access or use of resources to delay or interrupt business.
Generally, this is known as denial of service (DoS) attack.
Denial of Service (DoS)
A denial of service (DoS) attack interrupts the normal
patterns of traffic, communication, and response. A DoS
attack interferes with timely processing and reply to
legitimate requests for resources. A DoS attack can be of
two primary forms: flaw exploitation or traffic generation.
FIGURE 4-13
Denial of service flooding attack against a client.
Flaw exploitation DoS attacks take advantage of a
programming bug, flaw, or convention. The DoS exploit
results in the system freezing, crashing, rebooting, or failing
to respond to external communications. You can mitigate
flaw exploitation DoS attacks through the application of a
patch and the use of an IDS or IPS system. Once you apply a
patch, the DoS will no longer be effective. Flaw
exploitation attacks are usually specific to a software
version.
Traffic generation DoS attacks flood a target with traffic
(Figure 4-13). The traffic consumes available bandwidth and
processing, preventing legitimate communications. No
patches exist to mitigate traffic generation DoS attacks.
Instead, traffic filtering is the only effective response.
Upstream filtering, however, is more effective than edge
device filtering.
Upstream filtering occurs when a parent network, usually
the ISP, provides filtering for traffic before it enters the child
network to which individual and business customers
connect. Edge device filtering will prevent malicious traffic
from entering the private network, but not prevent a
successful DoS. Only upstream filtering will reduce or
eliminate the DoS traffic and allow legitimate
communications to continue.
Distributed Denial of Service (DDoS)
Distributed denial of service (DDoS) attacks advance
DoS attacks through massive distributed processing and
sourcing. The foundation of DDoS is the agent, bot, or
zombie. Agents, bots, and zombies are malicious code
implanted on victim systems across the Internet. These
mobile agents may create their own peer-network
interaction or connect into a public communication medium,
such as an Internet relay chat (IRC) channel. The
resultant network is known as a botnet army or zombie
army.
The hacker remotely controls the botnet and directs it to
perform various malicious activities, including flooding
attacks, against selected targets. Generally, the main
targets of the botnet are known as primary victims, while
the compromised systems hosting the botnet’s agents are
known as secondary victims. This form of DoS is distributed
because the bots are disseminated across numerous
secondary victims and the resulting attacks originate from a
plethora of source vectors.
A hacker distributes the bots, agents, or zombies to
many secondary victims located throughout the Internet.
The bots then connect back to some form of communication
server, commonly a chat service like IRC, where they can
receive instructions from the hacker. Once the hacker sends
attack instructions, the bots launch attacks against the
primary target (Figure 4-14).
A botnet can perform a wide range of malicious actions
including flooding, spamming, eavesdropping, intercepting,
MitM, session hijacking, spoofing, packet manipulating,
malware distributing, phishing site hosting, password
stealing, encryption cracking, and more.
Several botnets have appeared in the last few years,
such as Storm and Conficker, which had an estimated
secondary victim base of 75 to 100 million systems.
FIGURE 4-14
Distributed denial of service flooding attack against a
primary target.
Defenses against DDoS focus on either avoiding
becoming a secondary victim or protecting against primary
victim onslaughts. To avoid becoming a secondary victim,
you should use measures including current antivirus and
anti-malware scanning, user behavior modification, firewall
filtering, and IDS/IPS solutions. Protection against primary
victim onslaughts includes firewall filtering, honeypots, and
IDS/IPS solutions.
Hacker Tools
Hacker tools include a wide variety of software, from
mundane native OS utilities to commercial applications to
custom coded exploits. Generally, any software put to a
malicious or unauthorized (according to company security
policy) use is a hacking tool.
Hacking tools perform hacking activities. All of the exploit
concepts mentioned in this chapter are possible through a
wide variety of hacking tools and utilities.
No master list of hacker tools exists to search for or block
access to protect IT systems. Just about every legitimate
program can be put to some illicit task. To defend generally
against hacker tools, consider using a whitelist restriction
system.
A whitelist restriction system incorporates a list of
software executables authorized for use. A user can launch
any application on the list. You block from running all
executables not on the list. A whitelist cannot focus on just
authorized filenames; this process uses a hash value, as
well, to prevent easy bypassing of the limitation through
simple file renaming.
In addition to whitelisting, you can reduce the threat of
hacking tools through limiting Internet downloads and file
exchanges, controlling use of portable storage devices
(especially those used on external systems), filtering e-mail
attachments, installing IDS/IPS solutions, and providing user
education.
Social Engineering
Social engineering is the art of manipulating and exploiting
human nature. Social engineering is the craft of
manipulating people into performing tasks or releasing
information that violates security. Social engineering is an
exploit that can almost always be performed against a
target organization. This is due to the presence of humans.
Humans are the primary targets of social engineering.
Humans are the weakest link in most security solutions
because humans are the only element in an organization
with free will. Every other element can perform only within
its programming and design. In addition, humans can be
tricked or fooled, while hardware and software can perform
only in accordance with its design and programming.
Social engineering can take place over any
communication method, including face-to-face, telephone,
e-mail, IM, and Web sites. Social engineering may focus on
extracting information from a target or convincing the target
to take action that alters the security status of a host or
network.
Many social engineering attacks stem from some form of
relationship, from initial and casual to business professional
to long-term and highly developed. The more in-depth and
long-term the relationship, the more leverage the hacker
can exploit to turn, trick, or abuse the target.
Social engineering can involve a wide range of
techniques, including impersonating a position of authority,
reciprocating favors, using social validation, and creating
urgency through scarcity. Often these attacks become more
successful if the hacker can impersonate an insider.
Gaining access to inside information is often the first
element of a social engineering attack. Dumpster diving,
using reconnaissance, and cold calling are techniques to
learn about the internal culture of the target. As a hacker
learns more and more terminology, processes,
organizational hierarchy, policies, events, gossip, social
occurrences, calendars, project scheduling, and so on, the
more that hacker is able to simulate being an insider. Once
a hacker fools a target into believing that he or she is just
another employee, the initial attack is successful. With the
standing gained, the hacker manipulates the target into
revealing more internal information, reconfiguring systems,
or downloading tools from questionable Internet locations.
Social engineering may be the first wave of hacker
attacks or could be the last-resort fallback plan if attempts
to perform logical intrusion or physical burglary fail. Some
hackers are naturally gifted at social engineering, while
others must practice to obtain workable competency at the
craft. These skills of social engineering are not unique to
this unethical activity; instead, they are the same skills most
people use in normal social situations when trying to get
their way, convince someone to go out on a date, ask for
help, improve social status, get out of trouble, lead a group,
sell and market, create advertising, and so on. The
difference is that hackers have an unethical goal in their use
of these skills.
Social engineering, primarily attacks against people, is
invulnerable to typical IT countermeasures. Instead, the
best defense against social engineering is thorough user
training and awareness. Once personnel are aware that they
are, have been, and will be targets of attack, they can adopt
a slightly suspicious and cautious outlook. Employees
should skeptically evaluate any activity, question,
interaction, or relationship that seems odd or out of place.
You can help reduce the threat of social engineering by
using security policies that employ information classification
with related restrictions on communication methods. If you
limit the communication channels that specific classes of
information traverse, you will reduce information leakage
caused by social engineering. For example, if you restrict
the use of passwords over the telephone or by e-mail, then
anyone who requests a password will be obviously
attempting to violate security. Employees should be trained
to report all such requests to the network security staff.
CHAPTER SUMMARY
Hackers are consistently seeking to take advantage of
anyone or any system not prepared or properly
secured. Understanding the various means of attacks
hackers commonly employ directly improves
awareness and overall network security.
Hackers often seek monetary gain through attacks
against individuals and organizations. Hackers can be
employees or outsiders. Compromising situations are
not limited to hacker attacks, but can also include
accidents, oversights, hardware failure, rapid growth,
and severe weather. Hacker tools and techniques
include malicious software, exploiting wireless
connections, eavesdropping, replay, insertion,
fragmentation, buffer overflow, XSS, man-in-the-
middle, session hijacking, spoofing, covert channels,
and the availability attacks of DoS and DDoS. You
should take action to restrict or limit hacker tools and
use caution and training to avoid social engineering.
Other hacking attacks and techniques than those
listed here are exist. This chapter offers a generic
description of the hacking process, not a definitive or
exhaustive examination. However, from this
foundation, you can develop a greater understanding
of hacking and the threats posed by hackers (as well
as other sources of threat and risk), leading to
improved security design, policy, and
implementation.
KEY CONCEPTS AND TERMS
Advanced persistent threat (APT)
Adware
Alternate data stream (ADS)
Arbitrary code execution
ARP spoofing
Banner
Banner grabbing
Blog
Botnet army
Buffer overflow
Chip creep
Cluster
Cold calling
Command shell
Contract worker
Covert channel
Cross-site scripting (XSS)
Deterrent
Dialer
Disgruntled employee
Distributed denial of service (DDoS) attack
DNS poisoning
DNS spoofing
Domain registration
Dumpster diving
Enumeration
Flaw exploitation attack
Flooding
Footprinting
Hacktivism
Hierarchical file system (HFS)
Honeypot
ICMP redirect
IDS insertion
Insertion attack
Instant message (IM)
Intentional electromagnetic interference (IEMI)
Interception attack
Internet relay chat (IRC)
Keystroke logger
Leetspeak
Logic bomb
MAC spoofing
Maximum transmission unit (MTU)
Mean time between failures (MTBF)
Mean time to failure (MTTF)
Metacharacter
MITRE
Mobile code
Monkey-in-the-middle attack
National Institute of Standards and Technology
(NIST)
New technology file system (NTFS)
Nmap
Non-authenticating query service
Opportunistic hacker
OS/2
Partition
Phishing
Ping sweep
Playback attack
Port scanning
POSIX
Privilege escalation
Professional hacker
Proxy attack
Proxy manipulation
Pwned
Reconnaissance
Recreational hacker
Redundant array of independent disks (RAID)
Return on investment (ROI)
Rogue access point
Rogue DHCP
Rootkit
Scanning
Script kiddie
Sector
Session hijacking
Shell code
Slack space
Social engineering
Spam
Spyware
SQL injection
Static electricity discharge (SED)
Trapdoor
Trojan horse
Unpartitioned space
Upstream filtering
URL injector
USENET newsgroups
Virus
Wardialing
Wardriving
Whois
Worm
Wrapper
Zombie army
CHAPTER 4 ASSESSMENT
1. All of the following are common or likely motivations for
a hacker except which?
A. Ego boost
B. Social validation
C. College credit
D. Challenge
E. Adventure
2. Which of the following potential hackers represents the
greatest threat because they likely already have
physical and logical access to a target?
A. Consultant
B. Competitor
C. Overseas black hat for hire
D. Customer
E. Recreational hackers under 16 years old
3. Which of the following is not a significant threat to
availability?
A. Natural disasters
B. Hardware failure
C. Accidental spills
D. Stateful inspection filtering
E. Lack of proper training
4. Which of the following is not a potential consequence of
a malware infestation?
A. Corruption of data
B. Leaking of confidential information
C. Crashing of systems
D. Identity theft
E. Improved throughput
5. What is the primary difference in network security
between a wired connection and a wireless connection
to a private LAN?
A. Inability to access all network resources
B. Lack of realistic throughput
C. Needing to be inside the building to access the
network
D. Ability to support encrypted sessions
E. Support for multi-factor authentication
6. Most exploits are based on the existence of which?
A. Encryption
B. Filtering
C. Humans
D. System anomalies
E. Synchronization
7. What is the first stage or step in the hacking process?
A. Scanning
B. Penetration
C. Enumeration
D. Privilege escalation
E. Reconnaissance
8. Which form of attack captures authentication packets to
retransmit them later?
A. Insertion
B. Hijacking
C. Replay
D. Interruption
E. Spoofing
9. Which form of attack can potentially evade an IDS?
A. Virus
B. Insertion
C. Man-in-the-middle
D. ARP poisoning
E. Rogue DHCP
10. Which exploit takes advantage of variable MTUs?
A. Spoofing
B. Hijacking
C. Covert channels
D. DoS
E. Fragmentation
11. Which form of attack submits excessive data to a target
to cause arbitrary code execution?
A. Buffer overflow
B. DDoS
C. Insertion
D. Interruption
E. Fragmentation
12. Which attack exploits a Web site to poison its dataset
so future visitors receive corrupted content?
A. Cross-site scripting
B. Proxy manipulation
C. Rogue DHCP
D. SQL injection
E. Hijacking
13. Which attack uses rogue DHCP, ARP poisoning, or ICMP
redirect?
A. Fragmentation
B. Injection
C. Man-in-the-middle
D. Social engineering
E. Buffer overflow
14. Which attack is preceded by eavesdropping?
A. SQL injection
B. Hijacking
C. IDS insertion
D. Covert channel
E. XSS
15. Which attack is based on the impersonation of a
legitimate host?
A. DoS
B. Replay
C. Fragmentation
D. Spoofing
E. Hijacking
16. Which method of communication is unseen, unfiltered,
and based on timed manipulations?
A. Buffer overflow
B. Man-in-the-middle
C. DDoS
D. Covert channel
E. IDS insertion
17. Which form of attack is based on malware distributed
by Trojan horse or worm and can generate massive
levels of traffic toward a primary target from numerous
source vectors?
A. Fragmentation
B. Hijacking
C. DDoS
D. Playback
E. XSS
18. Which attack uses non-technical means to achieve
results?
A. Spoofing
B. SQL injection
C. Buffer overflow
D. Covert channels
E. Social engineering
19. A hacker writes an exploit to compromise targets due to
the presence of which?
A. A vulnerability
B. Multi-factor authentication
C. Sufficient throughput
D. A bot army
E. Traffic filtering
20. What is the primary benefit to network security of
knowing hacker attacks and exploits?
A. Training contract workers
B. Improved antivirus detection mechanisms
C. Defending against specific threats
D. Alterations of network subnet organization
E. Reduced infrastructure cost
PART TWO
Technical Overview of
Network Security,
Firewalls, and VPNs
CHAPTER
5
Network Security Implementation
CHAPTER
6
Network Security Management
CHAPTER
7
Firewall Basics
CHAPTER
8
Firewall Deployment
Considerations
CHAPTER
9
Firewall Management and Security
CHAPTER
10
Using Common Firewalls
VPN Management
CHAPTER
11
CHAPTER
12
VPN Technologies
CHAPTER
5 Network Security
Implementation
IMPLEMENTATION is the act of designing, installing, deploying, and configuring network security. This chapter
focuses on the foundations of network security essential to
every organization, from an individual computer at home to
a multinational corporation’s network. The foundations of
security apply universally no matter the size, purpose, or
function of computers and networking.
The foundations of network security include layered
defenses, proper use of protocols, communication
management, system hardening, and more. Based on some
common, often simple, principles, you can significantly
improve your organization’s computer systems. Following
the suggestions in this chapter will reduce the risk of system
compromise from accident, oversight, Mother Nature, or
malicious intent.
Chapter 5 Topics
This chapter covers the following topics and
concepts:
What the seven domains of a typical IT
infrastructure are
What network design and defense in depth
are
What protocols and topologies are
What common types of addressing are
How to control communication pathways
How to harden systems
Which method to use for selecting
equipment
What authentication, authorization, and
accounting are
What communication encryption is
What the best architecture is: local hosts
only or remote and mobile hosts
What redundancy is
What node security is
Chapter 5 Goals
When you complete of this chapter, you will be
able to:
Describe elements of network security
design
Compare and contrast public and private
addressing as well as static and dynamic
addressing
State the importance of system hardening
Describe why authentication, authorization,
accounting, and encryption are essential for
network security
Identify the security concerns of local hosts
as well as remote and mobile hosts
Define the elements of node security
Seven Domains of a Typical IT
Infrastructure
Seven domains are commonly found in the typical IT
infrastructure (Figure 5-1) of moderate-sized to large
organizations. These seven domains were introduced in the
first chapter, but in the context of network security
implementation, they require more detail and focus.
Hackers look for every opportunity to exploit a target. No
aspect of an IT infrastructure is without risk or immune to
the scrutiny of hackers. When designing and implementing
network security, you need to analyze every one of the
seven domains of a typical IT infrastructure for potential
vulnerabilities and weaknesses. Security measures must be
detailed, focused, and exhaustive. You must consider every
possible avenue of attack, assess risk, and if the risk is
sufficient, apply a countermeasure. Failing to do so will
leave an open pathway for a hacker. A hacker needs only
one crack in your defenses to begin chipping away at the
security of the entire network.
Each of the seven domains of a typical IT infrastructure
has unique aspects that need security improvements. A
quick list of important foundational network security issues
related to these seven domains is pertinent here:
User Domain—This domain refers to the actual users,
whether they be employees, consultants, contractors,
or other third parties. Any user who accesses and uses
the organization’s IT infrastructure should review and
sign an acceptable use policy (AUP) prior to being
granted access to the organization’s IT resources and
infrastructure. This domain should also be the focus of
training, strong authentication, granular authorization,
and detailed accounting. Additionally, many of the
protections added to other domains provide additional
protections for and against the user domain.
FIGURE 5-1
The seven domains of a typical IT infrastructure.
Workstation Domain—This domain refers to the end
user’s desktop devices such as a desktop computer,
laptop, VoIP telephone, or other endpoint device.
Workstation devices typically require security
countermeasures such as antivirus, anti-spyware, and
vulnerability software patch management to maintain
the integrity of the device. System hardening,
communication protection, and positioning of work
stations are critical to security.
Local Area Network (LAN) Domain—This domain
refers to the physical and logical local area network
technologies used to support workstation connectivity
to the organization’s network infrastructure. Protocols,
addressing, topology, and communication encryption
provide security for this domain.
LAN-to-Wide Area Network (WAN) Domain—This
domain refers to the organization’s internetworking
and inter-connectivity point between the LAN and the
WAN network infrastructures. Switches, routers,
firewalls, proxies, and communication encryption are
important aspects of security for this domain.
Remote Access Domain—This domain refers to the
authorized and authenticated remote access
procedures for users to remotely access the
organization’s IT infrastructure, systems, and data.
Remote access solutions typically involve SSL 128-bit
encrypted remote browser access or encrypted VPN
tunnels for secure remote communications. Knowing
where a host is located helps determine the types of
security necessary on that host.
WAN Domain—Organizations with remote locations
require a wide area network to interconnect them.
Protocol selection, addressing schemes, and
communication encryption are elements of securing
this domain.
System/Application Domain—This domain refers to
the hardware, operating system software, database
software, client-server applications, and data that are
typically housed in the organization’s data center
and/or computer rooms. Network design,
authentication, authorization, accounting, and node
security are important security concerns for this
domain.
Network administrators need to recognize that the potential
for compromise exists throughout an organization. This
recognition leads the need for adequate network security
throughout an organization. Starting from the knowledge
that risk exists and threats loom, network security
administrators can design and implement appropriate
countermeasures and safeguards.
Network Design and Defense in Depth
Every network is different. However, common security
principles apply to any network, regardless of its unique
elements. One of these common principles is secure
network design. Secure network design embeds core
protections and improvements into an IT infrastructure
before it is implemented. Design comes from planning.
Planning comes from sufficient knowledge and
understanding.
Common security goals include confidentiality, integrity,
availability, privacy, authentication, authorization,
nonrepudiation, and accounting. To efficiently accomplish
these goals, informed planning assists you in designing the
network before deployment.
An underlying fundamental of network security design is
that no security solution is perfect. Any single security
protection, countermeasure, and safeguard is insufficient.
Hackers will use some method, technique, or exploit to
bypass, evade, or render useless a security protection. The
potential concerns include placement, programming flaws,
default settings, maximum values, processing capabilities,
memory capacity, backdoors, malicious code, social
engineering, and physical attacks. This list is not
exhaustive, but represents the key issues. In theory, no
security solutions are sufficient and complete.
Thus, you need to use multiple security components. This
is known as defense in depth or multiple layers of defense
(Figure 5-2). If you follow a defense-in-depth design concept,
numerous safeguards will protect each asset. As one
defense tool interlocks with another, they overlap and
improve the overall security. The strengths and benefits of
one countermeasure supplement or compensate for the
weaknesses and limitations of another.
Defense in depth leads many security professionals to
two additional guidelines. First, avoid single points of failure.
Second, divide and conquer. A single point of failure is any
element, component, or aspect of a system that could lead
to failure or compromise of the entire system. Divide and
conquer is the process of separating a large project into
multiple smaller and more manageable pieces.
FIGURE 5-2
An example of defense in depth around an asset.
Avoiding single point of failure must take place on
multiple fronts. A hacker needs only a single flaw or
weakness to exploit a target. Efforts should focus on finding
and eliminating as many vulnerabilities as possible to
remove the single points hackers seek to exploit.
Good design filters every user interaction with an asset
multiple times. This filtering should include authentication,
authorization, content filtering, and context filtering. Only
relying upon a single filter or check system is a form of a
single point of failure. Always assume that any one service
or function is flawed or will fail.
Effective network design monitors and examines all
activities against an asset using multiple techniques. This
could include object auditing, server monitoring, client
monitoring, network monitoring, and so on. Only using a
single monitoring viewpoint could be a single point of
failure. Everyone has seen video footage from a single
perspective that guides the viewer into seeing or believing
one thing, but from another camera angle the truth, the
trick, or an alternate explanation becomes clear.
Divide and conquer is not just a tactic for waging actual
war; it is also a tactic in the war against network security
breaches. By dividing up a larger project or task into
manageable components, you can focus on and care for
each component to ensure accuracy and completeness in
addressing network security concerns. Attempting to tackle
the security of a network as a whole is often a recipe for
disaster. Evaluating the big picture is always a good idea,
but working exclusively on the whole may lead to
overlooking details or missing subtle nuances only
perceived upon close detailed inspection.
A layered security approach throughout the IT
infrastructure works best: slow, methodical,
compartmentalized, and thorough. Properly designed
network security should support timely delivery of
information and adequate response during transactions. A
properly secured network provides reliable and stable
communications. Well-designed security adapts to changing
conditions. Well-designed security anticipates future growth
and expansion.
Designing network security is neither a simple nor a
short-term task. Thorough network security design must
include adequate research, thorough planning, and
extensive modeling and testing. The process of security
design must evaluate a wide range of technologies
performing an astounding number of functions.
Ultimately, good network security design produces a
blueprint to guide the construction of a securely functioning
network infrastructure. The blueprint is the foundation for
your organization’s security policy. Most network designs
have limitations. These limitations include budget, internal
politics, regulations, standards, and industry practices.
Network design should focus on providing the best security
possible within prescribed budgetary boundaries.
One method to reduce compromise by hackers is to keep
them from finding your network as a target. By staying
offline and only using trusted communication pathways,
your organization can avoid significant levels of risk.
However, this form of technological hide and seek is not
perfect, nor does it eliminate all issues. External hackers
might not be able to hack a non-Internet-connected intranet
from the outside; however, the risk from disgruntled
employees and other internal users is still present.
The idea of hiding from danger is commonly known as
security through obscurity. While it’s true that if you are
not found, you cannot be attacked, the issue is often a false
hope if obscurity rather than actual countermeasures and
safeguards protect the network. Being obscure or difficult to
locate may be a good thing, but it’s not itself a form of
reliable security. Use only direct and real security defenses
when you are designing network security.
Security is essential to the long-term survival of any
modern organization. Without security, logical, physical, and
social breaches would render most companies vulnerable to
failure. But security cannot work without balance. You can
over-secure an infrastructure to the point where security
interferes with work tasks. Usability and security must be in
balance. Usability will not survive long without security, and
too much security can cripple usability. Good network
security design balances security and usability.
One goal of most organizations is to expand and grow.
They often seek to attract new customers, support more
clients, sell more products, offer more services, make more
money, and so forth. But growth can be a two-edged sword.
While growth can lead to a more reliable and assured future,
it can also cause growing pains. For any organization,
growing pains occur when the existing infrastructure,
facilities, and even personnel are pushed to the limit or
beyond to support the additional workload caused by
growth.
Growth can be expected, unexpected, gradual, or abrupt.
A proper network design process evaluates and predicts
potential growth scenarios and plans contingencies for each.
One contingency for growth is to build additional capacity
into the current infrastructure. If slow growth is expected,
then 20 percent additional capacity may be sufficient, while
rapid growth may consume 50 percent additional capacity in
a short time (Figure 5-3).
FIGURE 5-3
Rate of growth used to predict needed additional capacity.
Growing too fast is as much of a burden as shrinking. As
an organization stretches beyond its capacity to support,
sell, create, maintain, respond, produce, and so forth, small
problems quickly snowball into avalanches. Steady,
controlled, limited growth is often a method of ensuring
long-term viability and stability. This is true in general
business management and it’s true in network security
design.
During the network design phase, consider the scalability
of all technologies you select for deployment. Does a
component or system have a maximum value or limitation it
will quickly reach? Can the component or system expand
without compromising efficiency, cost effectiveness, and
security? Will the component or system need replacement
by a scalable solution once moderate growth occurs? If so,
why not use the scalable solution now? Planning for growth
will reduce problems associated with outgrowing function
and security capacity.
No security endeavor will succeed without the active
involvement of senior management. In fact, without its
explicit approval and support, any security effort is likely
doomed to fail. Senior management has the responsibility to
dictate the strategic goals and plans of the organizations
and, hence, its IT infrastructure and integrated security.
Senior management must approve budgetary funding,
encourage compliance, and support security, even when
problems occur.
Throughout the entire design and implementation
process for network security, senior management monitors
and approves progress reports. Senior management steers
the organization and its security planning through the
changing business environment. But secure network design
isn’t only about following the leader; it’s also about
integrating every employee into the overall security design
process. Security is the responsibility of everyone in the
organization, not just managers and executives.
The elements of secure network design touch on every
aspect of an IT infrastructure. This includes hosts, nodes,
communications, encryption, local and remote systems,
redundancy, and more. Often, the process of designing
security starts by focusing a central or core element found
throughout the infrastructure. Examples of distributed core
components are networking protocols and topologies.
Protocols
A significant portion of network security is about making the
right technology choices without falling into easy traps or
defaults. One common trap is to continue doing the same
thing or using the same product. You need to re-evaluate old
technologies and existing solutions on a regular basis. Most
organizations choose to perform a security design
evaluation annually. When performing a security evaluation,
rethink every aspect of the infrastructure, including network
protocols.
Most networks use Transmission Control Protocol/Internet
Protocol (TCP/IP) as their primary network protocol.
Specifically, most networks still use IPv4 as opposed to IPv6.
Using IPv4 is not an open invitation for hackers, but it does
have numerous commonly exploited weaknesses and
concerns. IPv4 typically defaults to a plaintext form of
transmission, while IPv6 can be set by default to encrypt
transmissions. IPv4 can be encrypted using IP Security
(IPSec) or other virtual private network (VPN) protocols.
Other issues to consider include:
Is the current protocol easy to compromise?
Are there numerous exploits for this protocol available
for novice hackers?
Can encryption be applied?
Is the process of adding encryption complex or costly?
Will encryption interfere with other technologies such
as IPSec and network address translation (NAT)?
Is there an alternative or replacement available?
Is the alternative backward compatible?
Is the alternative supported by all current hosts and
nodes?
This is only a partial list of questions you need to consider
when assessing the currently deployed networking protocol
for possible replacement. The point is to give serious
consideration to this issue on a regular basis. Most of the
elements of a network’s security are based on the protocol
in use. If the protocol has changed or improved, this could
cause sweeping changes throughout the production
environment—most importantly in the security of that
environment.
As a general rule of thumb, if most hosts and software
are less than five years old, then upgrading to IPv6 is likely
possible with minimal complication. However, if IPv4 with
IPSec or other forms of encryption are functioning well
within performance and security parameters, there’s no
strong need to upgrade to IPv6.
When you consider a protocol upgrade, you’ll need to
thoroughly research and test every aspect of the production
and security environment to confirm compatibility with IPv6.
Any transition is going to have some hurdles, and certainly
switching the main network protocol is a candidate for major
hurdles. Perform the rollout of a protocol change in stages,
only after piloting in a lab, and consider running dual
protocols for a transition period.
TCP/IP, or at least IP itself, is not the only protocol in use
on most networks. Every single protocol across every
theoretical layer of the OSI model network protocol stack
needs re-evaluation on a regular basis. Do you still want to
continue using Simple Mail Transfer Protocol (SMTP)
and Post Office Protocol (POP)? What about File
Transfer Protocol (FTP), Network News Transfer
Protocol (NNTP), and telnet? If a protocol operates in
plaintext, consider using a protocol with native encryption
or investigate the possibility of encapsulating it inside an
encrypting tunneling protocol, such as IPSec or SSL/TLS.
Are AppleTalk, Internetwork Packet
Exchange/Sequenced Packet Exchange (IPX/SPX),
Systems Network Architecture (SNA), NetBios
Extended User Interface (NetBEUI), or other protocols
still present on the network? Are they still necessary? Have
the older systems requiring them been replaced or
removed? Can newer secure alternatives replace these older
and insecure protocols? Can any system still using a legacy
protocol be replaced to gain host security and remove the
protocol?
Don’t let tradition, personal bias, or sunk cost get in the
way of making a smart security design decision. Just
because something has always been done a certain way
doesn’t mean it should continue to be done that way,
especially if the old way was insecure. Personal bias in
terms of likes, dislikes, comfort, and familiarity are not good
business reasons to avoid moving on to more secure
solutions.
Sunk cost is the money or investment already made in
the past, as opposed to prospective costs that are
investments likely in the future. Often, those managers
overly concerned with wasting resources already invested
will make poor decisions. Avoiding loss is a good principle of
business, but just because you have already spent some
money, time, and effort does not mean you should continue
on a set path. Often, throwing good money after bad is
compounding the loss due to sunk cost. If the future benefit
of an existing system, solution, or product is not assured,
then no amount of sunk cost justifies its continued use. In
most cases, you should analyze only future costs and
benefits in making a decision. Already incurred expense
(sunk cost) should not influence future choices.
Common Types of Addressing
Addressing is the assignment of a logical numbering system
to the hosts on a network for the purposes of efficient traffic
routing. Addressing is more than just a system imposed by a
network topology; it’s often a means to control traffic. Traffic
managing through routing and traffic filtering are possible
through the use of logical addresses.
The most common protocol in use worldwide is TCP/IP.
This network protocol dictates the most common addressing
scheme. The addressing schemes of IPv4 and IPv6 are quite
different. Some common elements, security concerns, and
management techniques remain consistent, however.
Internal IP addresses can be public addresses, private
addresses, or a mixture of both. A public address is an
address issued by the IANA, monitored by RIRs, and leased
directly through ISPs. The Internet Assigned Numbers
Authority (IANA) (http://www.iana.org/) is the entity
responsible for global coordination of IP addressing, DNS
root, and other Internet protocol resources. A Regional
Internet Registry (RIR) is one of five regional
organizations that oversee and monitor the use and
assignment of IP addresses (both IPv4 and IPv6). An Internet
service provider (ISP) may randomly assign or
semipermanently lease an IP address to an individual or
organization. Public addresses are those obtained from an
ISP.
A public address also implies that it communicates
directly with resources on the Internet. The Internet itself
uses only public addresses. Without a public address, it’s
impossible to communicate to or receive responses from an
Internet-hosted resource.
NOTE
In the past, it was possible to purchase or own IP
addresses, specifically large groups or an entire class
of addresses. However, this practice is mostly no
longer possible, not because ownership of IP addresses
is prohibited, but because of the lack of available IP
addresses to sell. Many of the original Class A and
Class B subnet owners still own, control, and use their
purchased address. Some of these are actually ISPs
that now lease out subsets of their owned IP address
ranges. Today, most public IP addresses are leased
rather than sold or owned.
Public addresses are assigned from Class A, B, and C
ranges of the IPv4 address spectrum (as Class D and E are
reserved for multicasting and experimentation,
respectively). Public addresses for IPv6 are most of the
2^128 addresses, except for the fc00::/7 address block.
In a technical specification called RFC 4193, IANA set
aside the fc00::/7 address block for use as private addresses
for IPv6, similar to RFC 1918 for IPv4. RFC 1918, which
provides for private IPv4 addresses, sets aside three class
ranges for private use:
Class A—10.0.0.0–10.255.255.255/8 (1 Class A
network)
Class B—172.16.0.0–172.31.255.255/12 (16 Class B
networks)
Class C—192.168.0.0–192.168.255.255/16 (256 Class
C networks)
technical TIP
A DHCP reservation is the pre-assignment of a specific
IP address to a host by reserving it using the target
host’s MAC address. Reservations ensure that the same
address is always issued to a specific host. It can also
simulate static addressing, but retain centralized
control of address assignment.
A private address is used only within a private network.
Individuals and organizations without approval or a fee from
an outside entity can use private addresses. However, using
private addresses requires NAT services to communicate
with Internet resources. All Internet routers automatically
drop any packet with a private address in its header.
Private addresses serve as a basic isolation security
measure, as external entities with public addresses cannot
directly communicate with internal privately addressed
hosts. But a NAT server allows communication with Internet
resources.
You should review your organization’s choice to use
private or public addresses internally. The issue is not only
about saving money. Private addresses are free, while public
addresses are usually leased. Private addresses require
translation, while public addresses do not. Private addresses
are natively isolated from the Internet, while public
addresses are not. It’s even possible to mix private and
public addresses on an intranet.
Another addressing concern is whether to employ static
or dynamic addressing. Static addressing pre-assigns a
specific IP address to each host, while dynamic addressing
hands out IP addresses to hosts from a pool. Dynamic
addressing does not guarantee that a host will always have
the same address assigned to it, unless a reservation is
created for the host.
Static addressing typically requires that the IP address be
configured on each individual host. This ensures that a host
always uses the same IP address. However, if changes to
the network configuration or topology occur, manual
changes to IP addresses on a host-by-host basis involve a
significant amount of additional administrative overhead.
Because of this, most organizations use dynamic
assignment, typically using a Dynamic Host Configuration
Protocol (DHCP) system. If static addressing is preferred,
then DHCP reservations can simulate static addressing while
maintaining centralized control. With reservation based
static addressing, changes can be made by editing the
reservations on the DHCP server, without needing to
manually adjust each host individually.
When addresses are assigned dynamically, it may be
possible for a rogue system to come online and receive a
valid IP address just by asking. If addresses are assigned
statically, then the attacker will need to discover a valid but
unused IP address and manually configure his or her system
to use it. Similarly, if DHCP reservations are used, the
attacker will either statically assign his or her own address
manually or spoof a Media Access Control (MAC) address to
“borrow” an IP address from another offline system.
IPv6
While only a small percentage of global Internet addressing
is done with IPv6 addresses, and an equally small
percentage of exploits take advantage of it, it is important
for the security professional to stay up-to-date, and a
familiarity with IPv6 is important. IPv6 varies from IPv4 in
two important ways. Their packet headers differ in structure,
and an IPv6 address has a different size and construction
from that of an IPv4 address. There are also a handful of
transition mechanisms that allow IPv4 to ride inside of IPv6
packets and vice versa. The transition mechanisms make
the job of going between IPv4 and IPv6 easier but can be a
nightmare for security and policy enforcement.
An IPv6 address consists of 128 bits, as compared to the
32 bits of the IPv4 address. Addresses are classified into
various types for applications in the major addressing and
routing methodologies: unicast, multicast, and anycast
networking. In each of these, various address formats are
recognized by logically dividing the 128 address bits into bit
groups and establishing rules for associating the values of
these bit groups with special addressing features. There is
no Class A, Class B, etc. in IPv6 as there is in IPv4.
A unicast address identifies a single network interface.
The Internet Protocol delivers packets sent to a unicast
address to that specific interface.
An anycast address is assigned to a group of
interfaces, usually belonging to different nodes. A
packet sent to an anycast address is delivered to just
one of the member interfaces, typically the nearest
host, according to the routing protocol’s definition of
distance. Anycast addresses cannot be identified
easily, they have the same format as unicast
addresses, and differ only by their presence in the
network at multiple points. Almost any unicast address
can be employed as an anycast address.
A multicast address is also used by multiple hosts,
which acquire the multicast address destination by
participating in the multicast distribution protocol
among the network routers. A packet that is sent to a
multicast address is delivered to all interfaces that
have joined the corresponding multicast group.
IPv6 does not implement broadcast addressing. Broadcast’s
traditional role is subsumed by multicast addressing to the
all-nodes link-local multicast group ff02::1. However, the use
of the all-nodes group is not recommended, and most IPv6
protocols use a dedicated link-local multicast group to avoid
disturbing every interface in the network.
Address management is an important concern of network
security. Another concern is the management of
communication pathways.
Controlling Communication Pathways
Controlling the flow of information is a key element of
network security. This involves ensuring that data travels
along pathways isolated, secured, and controlled, and not
along pathways that are public, insecure, and uncontrolled.
Part of communication pathway control is about topology
selection, but it’s also about router configuration, encrypted
protocols, physical access management, and filtering.
Routers are the primary network devices administrators
use to control the pathways that communications traverse.
Failing to design router configuration and deployment with
security in mind is a serious oversight. Routers make real-
time determinations of the best available path to a
destination. However, the information available to a router
to make those decisions can be true and accurate or
incorrect, falsified, and misleading.
Secure network design includes protections for routers,
routing protocols, and routing information. Physical isolation
of a router is important to ensure that only authorized router
administrators can access the device itself. Failing to protect
routers physically means that the logical activities and the
resulting routes selected will not be trustworthy.
Routers employ routing protocols to exchange
information about routes and connected pathways. This
information calculates the best path to guide a packet
toward its destination. Depending upon the make and model
of router, the routing protocol, and the related
configurations, a hacker can spoof or manipulate routing
data through false Internet Control Message Protocol (ICMP)
type 5 redirect messages. Configure routers to accept
routing information only from other known routers through
authentication of the source. Consider also encrypting all
communications between routers.
Encrypted protocols are another important aspect of
communication pathway security. Even the best design,
proper installation, and reasonable physical isolation are not
guarantees that a wired or wireless communication channel
will not be the target of an eavesdropping, interception, or
man-in-the-middle attack. Assuming that physical access is
under your control all the time is naïve. The possibility of an
internal malicious entity or of the planting of a socially
engineered listening device always exists.
To thwart eavesdropping and related attacks based on
eavesdropping, you should encrypt all traffic over a network
communication link. This especially applies to any traffic
traversing a network segment physically accessible from
outside your organization’s facilities. But it also applies to
physically isolated and internal connections, as well.
Compromise of every physical connection is always
possible, so the best defense against content eavesdropping
is encryption.
Physical access management should always be a part of
communication pathway security. Even with encrypted
protocols, hackers can gain significant information by
eavesdropping on a network segment. Even if you encrypt
every single packet (which is often not the case),
eavesdropping can still glean a wide variety of information
about the protected communications.
Such gleaned information can include a count of the
number and size of packets. This can estimate the size of
the payload delivered, which in turn can extrapolate the
likely type of data, such as e-mail transmission, Web surfing,
file exchange, or database synchronization.
Eavesdropping can also glean the identity of the
endpoints of the secured communication. If the transaction
is using transport mode encryption, then the endpoints are
the actual sending and receiving hosts. If the transaction is
using tunnel mode encryption, then the endpoints are either
both VPN gateways or one end is a remote host.
Eavesdropping can also glean the general identity or
purpose of each endpoint discovered, based on the timing
of and volume of traffic sent to and from each discovered
endpoint. This can allow an outside user to reliably predict
which endpoint is a server, a client, or a VPN gateway.
Generally, data gathering through eavesdropping on
communications, whether encrypted or not, is known as
traffic and trend analysis. Such analysis can reveal many
important details about internal processes and the
importance, value, or criticality of systems. Thus, even with
encryption, prevention of physical access to communication
cables and wireless signals is paramount.
Filtering is another important part of communication
pathway security. The movement of data between
departments, subnets, WAN-connected LANs, and the
Internet requires that you monitor and filter communications
to prevent violations of disclosure, intrusion, and malicious
code infection.
Covert channels are a risk for many organizations in
communication pathway security and control. Covert
channels are pathways of communication unknown to or
uncontrolled by security systems or personnel. Covert
channels, whether timing- or storage-based, can leak
information out or bring malicious content in.
The best defenses against covert channels include IDS
and intrusion prevention system (IPS), as well as thoroughly
watching all aspects of an IT infrastructure for aberrant or
abnormal events of any type. Uncovering covert channels is
difficult because their very nature is to remain unknown and
unseen.
While planning and designing communication pathway
security, evaluate the protections you’ll need for inbound
and outbound traffic and how to manage internal-only,
external-only, or border-crossing communications.
You’ll need to examine inbound traffic by asking several
key questions. Is the inbound communication a response to
a previous request from an internal entity or is it a
communication that originates from an outside source?
Responses are often allowed, unless the initial request itself
was for a resource that’s off limits. Restrictions along these
lines include blocked protocols, IP addresses or domain
names, unauthorized services and applications, or users
without sufficient or correct authorization.
If the communication has external origins, rather than
being a response, is the communication generally allowed or
not? If the communication is for a resource offered to the
public, then the communication could be allowed. However,
if no public resources exist, the communication is more
likely unauthorized.
Is the source address in the communication from a
known or unknown location, and if known is it known to be
malicious or questionable? If the latter, then blocking the
traffic is more likely the proper security stance. Is the traffic
obviously spoofed? Does the traffic match any known
malicious patterns, have any construction anomalies, or
have questionable content? Can it otherwise be classified as
abnormal or atypical? In most of these cases, the packet
should be dropped rather than allowed to continue on to its
claimed destination.
You should subject outbound traffic to the same
investigations and analysis as inbound. Does the outbound
communication take place over an abnormal protocol or
port? Does it attempt to communicate with a blocked or
prohibited host or service? Is the traffic spoofed, does it
have abnormal time stamps, is it a clone of another packet,
or is it part of a flood?
Fortunately, inbound and outbound traffic filtering is the
primary function and purpose of firewalls using ingress- and
egress-focused filters. Secure communications pathway
management often requires the use of firewalls. Firewalls
are an essential element in secure network design.
One final area of concern for communication pathway
security is the difference between traffic management
based on whether the traffic is internal-only, external-only,
or border-crossing. Generally, internal-only traffic is more
trustworthy than any other form of traffic. In most cases,
internal traffic originates from a trusted internal host and
terminates at a trusted internal host. However, because the
possibility always exists of a rogue internal host or a
malicious insider, blindly trusting traffic just because it
originates internally is a security blunder.
A good practice is to treat all traffic with caution. Trust
nothing until it’s proven to comply with security policy and
not to match any known malicious patterns. Monitoring and
filtering of internal communications is as important as
monitoring external and border crossing communications.
Naturally, external-only communications are more likely
to be malicious, but since they do not end or originate from
an internal source, there’s usually little need for concern.
Malicious activity that does not attempt to breach your
network borders is not really your problem. However, if
external only communications are defined as those that do
not interact with your intranet but which may interact with
your DMZ or extranet, then you should be concerned.
With this definition of external only communications, you
must filter, monitor, and block the most obvious malicious
packets and events, but still allow any conforming
communication request even if the origin or source is
unfamiliar.
Border-crossing communications are those that either
leave the intranet heading to the Internet or enter the
intranet from the Internet. In either case, an increased risk
of compromise exists. Inbound communications could be
carrying malicious code or an intrusion attempt. Outbound
communications could be revealing internal secrets or
distributing confidential files. While these are extreme
examples, they’re not uncommon. Most border-crossing
traffic is benign, but since the risk of malicious traffic is
greater at border crossings, you need additional filtering,
monitoring, and blocking.
Controlling communication pathways is an important part
of managing and designing network security. But another
important piece of the security puzzle is management of
hardened systems between which the secured
communications take place.
Hardening Systems
Hardening systems focuses on improving security of hosts
and nodes. Hardening is the process of reducing the attack
surface of a potential target by removing unnecessary
components and adding in protections. While each
organization usually creates its own custom and internal
hardening processes and procedures, most hardening
guidelines have common elements and components.
Some of the common recommendations to improve the
security or harden a host include:
Remove all unnecessary protocols.
Uninstall all unnecessary applications and services.
Define a complex password for all accounts; do not
leave any account with a default password or a blank
password.
Configure account lockout and define a logon warning
banner.
Install all available final release updates, patches,
fixes, service packs, and so on for the operating
system and every remaining application and service.
Update all hardware device firmware or BIOS with the
latest final release from the vendor.
Install the latest final releases of all device drivers.
Install and update antivirus and anti-malware
scanners.
Configure communication encryption.
Install and configure a host firewall.
Use a file system that supports file level permissions
and auditing.
Configure system monitoring and auditing.
Synchronize the clock.
Run vulnerability assessment tools against the host,
such as HFNetChkPro and Nessus.
Configure regular backups.
Impose any organization-specific security limitations,
such as blocking USB drives or using whitelist
execution management. This is often performed using
a security template file.
In Windows, disable the guest account, and rename
the Administrator account. In Unix, establish policies
whereby the root account is never used directly, but
administrators must use the su command to obtain
root access (thus creating a log of their events).
In addition to these hardening suggestions, organizations
add additional steps to their securing procedures based on
the purpose of the system, the criticality of the system, and
the risk present in the environment.
Once you’ve hardened your system, you must maintain it
over time. On a regular schedule, re-examine every host
against your organization’s hardening policies to ensure
compliance. Remove from service any system out of
compliance with hardening policies until you are able to
bring it into compliance. Then investigate the cause of the
security noncompliance and take countermeasures to
prevent a re-occurrence.
Equipment Selection
Equipment selection is a commonly overlooked aspect of
secure network design. The general belief that any
hardware capable of performing an IT function is suitable for
deployment is, unfortunately, not the case. Both cheap and
expensive products may have well-known or not-yet-
discovered security flaws.
Arbitrarily or automatically choosing the least expensive
or the most expensive products isn’t a winning security
strategy. You should carefully evaluate each piece of
computer equipment, from network device to host system,
for its native security defenses or lack thereof, regardless of
its cost.
As you select, purchase, and deploy equipment, consider
the vulnerabilities introduced and any protections or
improvements to the infrastructure’s security stance. Every
piece of equipment will either improve security or reduce it
in some way. Some equipment adds new weak points or
expands the organization’s attack surface, while other
equipment will act as a countermeasure, protecting weak
points of other components and reducing the attack surface.
Whenever possible, select equipment providing greater
improvement to security rather than acting as a detriment.
This seems an obvious guideline, but you can only follow it if
you are conscientious about evaluating the security profile
of each device. Failing to evaluate the security of a new
device properly could mean that you inadvertently introduce
new vulnerabilities into the organization’s network and
systems.
Some of the security concerns regarding equipment
include:
Electricity consumption—Excessive energy use can
cause not only increased electric bills, but also
increased temperature within the device and on
electrical distribution systems. A circuit drawing too
much power can cause a breaker overload. A tripped
breaker causes downtime and may cause data loss
and equipment damage.
Heat produced—The more heat a device produces,
the more the heating, ventilation, and cooling (HVAC)
system must work to keep the temperature of the
room within acceptable boundaries. Excessive heat-
producing devices can also increase the risk of fire.
Reset button—A reset button is used to return a
device to the default factory settings. Any defined
security configuration on the device is lost if someone
presses the reset button. When possible, select
equipment without a reset button or a button that can
be disabled to provide physical security for the device.
Easy-access power switch—If the power switch is
easily accessed or triggered, casual contact with the
device could cause power interruption. Additionally, an
easy-access power switch allows a malicious person to
power off equipment or trigger a reboot.
Easy-access management console port or
interface—If device can be reconfigured through an
LCD screen and a few buttons (such as a printer) or if
a console or terminal port allows quick access to a
configuration or management interface (such as a
wireless access point, router, or switch), then use
caution when deploying the device and assess the
level of physical access security.
Removable media—Equipment with removable
media bays (such as tapes, optical discs, floppies, and
so on) or external peripheral ports (such as universal
serial bus [USB], firewall, Ethernet, and so on) may be
easier to compromise than those with fewer or none of
these access points.
Removable case—The easier it is to remove or open
the case of a device, the easier it is to hack into the
device, plant a listener, or modify its functions.
Portability—Is the device small enough to fit into a
pocket, purse, or backpack, making it easy to steal?
Rack mountable—A rack-mounted device is less
likely to be stolen once screwed into a rack case,
which can be locked.
BIOS/firmware flashing—Being able to change the
embedded software of a device is both a benefit and a
problem. Flashing to an updated, more secure version
of firmware is a positive benefit. However, being able
to replace firmware with a third-party version or an
older version with flaws could be a problem if a hacker
can perform this easily.
Remote connection—If remote connectivity to a
device is possible, then risk increases. Limit, encrypt,
and monitor remote connections.
Plaintext protocols—The more a device defaults to
or only supports plaintext protocols, the less secure it
is. Choose equipment than supports encryption.
Many other aspects of equipment security are important
when evaluating the deployment of a new device. Whether
a high-end server, a user’s notebook, a smartphone, a
network router, or anything else, consider the security of
equipment thoroughly and don’t just make purchasing
recommendations based on equipment cost.
Keep in mind those devices that are cheap or free up-
front may cost considerably more to manage and secure
over time than a more expensive device. However, just
because something has a high cost doesn’t ensure that it
has a low security management requirement. Money alone
is rarely the true measure of the security of anything.
Authentication, Authorization, and
Accounting
Security ultimately is supported and enforced by
authentication, authorization, and accounting (AAA). AAA is
part of field of security commonly referred to as identity
and access management (IAM). Without all three of
these security fundamentals properly implemented, real
security cannot exist.
Authentication is the verification or proof of someone or
something’s identity. The most common form of
authentication is the use of a password. While passwords
are the most common, they are also one of the weakest
forms of authentication. People typically pick passwords that
are easy to guess or that are somehow predictable. They
often reuse the same passwords on multiple systems.
Passwords reside in account databases in hashed form,
which means the original password can’t be recovered from
the hash value. However, by hashing large numbers of
potential passwords, password-cracking techniques can
potentially match a password hash to the target hash.
Password-cracking techniques including dictionary
password attacks, brute-force password attacks, and
hybrid attacks can often reveal poorly constructed
passwords.
technical TIP
Password cracking typically focuses on generating and
hashing large numbers of passwords with the goal of
matching a stolen or captured password hash.
Dictionary password cracking uses a pre-created list of
potential passwords. Each password from the list is
hashed using the same hashing algorithm as the
target/stolen password. If a match is found before the
list is exhausted, the attack is successful.
A brute-force password attack builds potential
passwords out of a selected character set, creating
ever longer and longer passwords using every possible
valid combination of characters. The hacker hashes
each crafted password and compares it to the target
hash until a match is found or the attack is abandoned.
Given enough time and the right character set, a brute-
force attack will eventually be successful.
A hybrid attack uses a dictionary list as seed
passwords that are then brute-force-modified. First the
hacker makes all possible one-character modifications,
then two, then three. This technique is often more
successful, since many people pick an easy-to-
remember word and then make only a few character
modifications, such as changing an “a” to an “@” or an
“l” to a “1” or just adding one or two characters.
The best defense against password-cracking
techniques is to select a long password. For example,
using at least 15-character passwords on Windows
systems avoids the weakness of the backward-
compatible (and vulnerable to brute-force cracking)
LANMAN hash of passwords 14 character or less.
Adding complexity (mixing multiple character types:
uppercase, lowercase, numbers, and symbols) and
using multiple words or phrases instead of a single
base word also improve password strength.
A dynamic password token is a device with a display
screen that shows a seemingly random non-repeating
one-time use password. The password displayed on the
token must be included in the logon process, usually
with a separate Type 1 PIN or password. This two-part
mechanism is a form of multifactor authentication.
Multifactor authentication is significantly more secure
than any single factor form of authentication. Passwords are
but one example of the first type of authentication factor.
Three commonly recognized authentication factors are:
Type 1—Something you know
Type 2—Something you have
Type 3—Something you are or do
Something you know can be anything you memorize so that
you can type, write, or speak it when asked to authenticate.
Passwords are the most common example of a Type 1
authentication factor.
Something you have can be anything you must physically
carry with you, such as a device or token. These can include
metal keys, smart cards, radio-frequency identification
(RFID) chips, ID badges, or electronic devices known as
dynamic password tokens.
Something you are or do is commonly known as
biometrics. Some part of the human body is used as an
element in an authentication process. This can include
fingerprints, retina scans, facial geometry, palm scans,
signature dynamics, keystroke dynamics, and voice-pattern
analysis.
A mixture of two or more authentication factors is
multifactor authentication. Multifactor authentication is
much more secure than single-factor. With single-factor
authentication, an attacker only needs to have a single skill
or exploit to successfully log on with a compromised user
account. With multifactor authentication, an attacker needs
to have multiple skills or exploits to successfully log on with
a compromised user account.
Strong authentication prevents unauthorized entities
from gaining easy access to the internal workings of an
organization’s infrastructure. Apply strong authentication to
the logical environment as well as the physical environment.
Authorization, commonly known as access control,
defines what actions a user can and can’t perform. Proper
granular use of authorization ensures that authorized users
perform only authorized activities.
The principle of least privilege is often a good guideline
on which are the most appropriate authorization settings to
make. This principle states that you should grant users the
fewest capabilities, permissions, and privileges possible to
complete their assigned work, without additional
capabilities. In other words, you grant users enough power
and access to perform their assigned work, but no additional
capabilities beyond their job descriptions are necessary.
Accounting is the activity of logging, monitoring, and
auditing the environment, focusing both on users as well as
system activities, to check for security policy compliance.
Accounting is the process of holding users and systems
accountable for their actions and activities. Through the use
of thorough accounting and detailed auditing, you can
detect and respond to any violations, attempts to violate, or
trends towards violations.
Remember, security is locking things down, and then
watching for attempts to breach the lock. Authentication
and authorization are forms of locking, and accounting is
the watching. However, these are not the only forms of
locking and watching on a secure network. Another
important area of network security is communication
encryption.
Communication Encryption
Communication encryption is the use of encryption
protocols to secure the contents of communications. Use
encryption anytime a transaction occurs with an outside
entity. Use encryption when a communication crosses a
segment that is at risk of eavesdropping. You should also
use encryption internally whenever the potential for loss or
compromise, even by internal personnel, would cause
significant harm to the organization.
You can protect transactions by encryption in two main
ways. One is to use encapsulating intermediary protocols
that provide encryption, such as IPSec and SSL/TLS; another
is to encrypt data before it goes to a network protocol.
Protocol encryption ensures that all or most data sent
over the network is safe from eavesdropping, modification,
and other forms of compromise. A widely used mechanism
of protocol encryption is that of a VPN. VPNs can function
between individual systems or between entire networks or
any other combination of endpoints.
Data encryption, performed either by the client or server
software, ensures that even if the protocol encryption fails
or is compromised, the data itself is safe by its own
encryption. Software or data encryption is not as
interoperable as protocol or VPN encryption, but it can be a
viable option when both endpoints of the transaction are
using compatible software components.
When in doubt, always encrypt. While not a perfect
solution (indeed, no perfect security solution exists),
encryption offers significant protections from outside
eavesdropping and modification. However, encryption fails if
the selected algorithm is poor, if key management is
insecure, if either endpoint of the communication has been
compromised (such as by hacker intrusion or planting of
malicious code), or if intermediary network nodes that
decrypt and reencrypt fail.
Choosing to encrypt by default is an excellent network
security rule of thumb. This guideline does not imply that
the same encryption protects both internal-only
communications as well as those that cross the network’s
boundaries. In deciding what encryption to use, it’s
important to consider where the hosts are located.
Hosts: Local-Only or Remote and
Mobile
When designing network security, focus on the function of
each device as well as the physical and logical location of
the device. When a host is local and communicates only
with other local hosts, then you can use slightly less
stringent security on internal communications. However,
when a host is remote or mobile or otherwise outside of the
private network, use significant additional precautions.
Once you allow remote access, you lose the benefit of
the physical access controls. Once you support remote
connectivity, a hacker or intruder need no longer be
physically present in a facility to launch an attack. Thus,
remote access itself is a risk, and it lowers the overall
security of an environment. To compensate for this security
reduction, you should impose more rigid limitations in terms
of authentication, authorization, and accounting.
As security is designed and deployed, consider the
purpose or function of each device, especially clients and
servers, as well as its location in one (or more) of the seven
domains of a typical IT infrastructure (refer to Figure 5-1).
Then, consider what other devices will need to communicate
with it. The more vulnerable the communications pathways,
the more security you will need to impose.
If both endpoints are physically located in the same
facility, but the network pathway linking them involves any
exterior segments, then the transaction demands greater
security than a local-only communication. If the endpoints
are geographically distant, then you need to use encrypted
communications.
Remote and mobile devices are inherently more risky as
they are exposed to a greater number of potential threats.
Inside the office, most threats are known, controlled, and
monitored. But mobile and remote devices are potentially
exposed to unknown, uncontrolled, and unmonitored
situations, data, software, and users. Being outside of the
organization’s facility also means less strictly controlled
physical access to the device.
technical TIP
Location-aware anti-theft software periodically collects
IP information and any available location data and
uploads it to a centralized site. If the owner of a system
reports the item lost or stolen, this automatically
posted data might help recover the device. However, if
the thief reformats the hard drive, then the anti-theft
software might be removed.
These changes to security and potential exposure to risks
require additional protections on remote and mobile
devices. These devices should continue to host antivirus
scanners, anti-malware scanners, and host firewalls. But
they can also benefit from whole hard drive encryption,
multifactor authentication, and location-aware anti-theft
software.
Remote and mobile devices are most likely to be out of
compliance with security requirements, such as patch levels
or application of security templates. A Network Access
Control (NAC) system can isolate and quarantine devices
until they have installed all the necessary patches and
updates.
Even with good host management, whether local,
remote, or mobile, consider redundancy requirements. Is
one of something enough or just enough to cause a
significant problem when it goes offline?
Redundancy
Security is not complete without adequately addressing
preparedness. Redundancy is at the heart of preparedness.
Can your organization survive downtime, blackouts,
communication loss, server crashes, hard drive failure,
floods, building eviction, virus infection, or any other
potential threat? In most cases the ability to answer, “Yes,
the organization can survive,” depends on the level of
preparedness of that organization.
Preparedness is also known as business continuity
planning or disaster recovery planning. The purpose of such
planning is to ensure a plan exists to recover from any
realistic threat. Assess each serious threat to the stability
and function of the organization. Then, develop procedures
to respond to the threat. The procedure can focus on
prevention or recovery (or a combination of both).
A core element throughout this form of planning is
redundancy. Redundancy is the act of avoiding single points
of failure by building in multiple elements, pathways, or
methods of accomplishing each mission-critical task.
Redundancy works in many ways. Redundant Array of
Inexpensive Disks (RAID) is a form of redundancy for hard
drives. RAID protects against drive failure. Uninterruptible
Power Supply (UPS) is a form of redundancy for power. UPS
devices provide temporary power in the event of a brownout
or blackout. A UPS can trigger a graceful shutdown to
prevent loss of data if facility power is not restored
promptly.
Redundancy can apply to communication pathways.
Good network design requires at least two pathways to
every important resource. Redundant links to and from
clients may not be a strong need in most cases, but having
multiple pathways to reach resources is often essential.
Redundant communication links for voice and data are
also important considerations. Construction workers could
accidentally dig in the wrong location and sever the primary
wire bundle supporting the organization. Redundant lines to
service providers could make the difference between a
nuisance and a company-ending event. Do you want to
leave the power of terminating your organization in the
hands of outsiders?
Redundant firewalls, proxies, routers, switches, servers,
and databases begin to make security and financial sense
once they become an essential or mission-critical element
of the IT infrastructure. Don’t entrust the viability of an
organization to any single component. Always have a
secondary option or backup plan.
Failing to plan is planning to fail. Hardware failures,
mistakes, accidents, or intentional damage will occur in
every system in an organization at some point. No
organization is immune. The difference is whether an
organization is prepared for the problem with a ready-to-use
response solution, or will be caught off guard, scrambling to
recover in a panic.
Endpoint Security
Implementing network security is about both the big picture
and the granular details. Infrastructure design, topology,
and redundancy are all important big-picture items. But do
not overlook the details that need attention on a node-by-
node basis.
A node is any device on the network, even those without
an IP address. Node security focuses on the tasks for each
type of networking device to improve its security. Node
security or node hardening takes the generic
recommendations of system hardening and expands them
with additional node/host specific improvements.
Clients
Clients are the devices directly controlled by people. Thus,
clients must protect the network from the user and vice
versa. Thinking of clients as two-way interfaces can assist in
proper security design and implementation for this
command and essential IT infrastructure component.
Every client needs the following security elements:
Antivirus and anti-malware scanners
Host firewall
Secured Internet client software such as browser, e-
mail, file transfer, and chat
Password-protected screen saver with auto timeout
Ability to encrypt network communications
Ability to encrypt storage devices
Auditing of all user activity
An integrity checking system that monitors for
unauthorized file changes using hash value
comparison
Clients should be subject to NAC procedures to prevent an
insecure client from compromising the rest of the network.
Use multifactor authentication whenever possible to
minimize the risk of an unauthorized person gaining access
to the client and hence the entire network.
Another recent shift for organizations is to allow, even
encourage, employees and contractors to Bring Your Own
Device (BYOD). The use of an individual’s personal cell
phone, tablet, personal laptop, or similar device lowers the
cost to the organization but also raises many different
security questions, which range from policy to
implementation. For instance, who is responsible for the
applications that are run on the device and their security?
Who owns and is responsible for the content and protection
of the files created on the device? What if the specific
device is incapable of running specific organization-decreed
security software such as antivirus or even VPN software? Or
what if the owner of the device just doesn’t want to allow a
security scan or to run certain software? BYOD brings along
with it a yet-to-be understood array of security problems—
problems that are growing in importance each day,
especially because of the growing population of BYODs and
because those devices are wireless.
Servers
Servers are the backbone of any IT infrastructure. Whether
a file server, database host, e-mail server, proxy server, or
authentication server, a server is usually supporting an
essential or mission-critical function for the organization.
Servers need protection against downtime. This can include
redundancy in terms of RAID, duplicate servers, and/or
clustering.
Duplicate servers means having two identically
configured systems running side by side, but only one is
performing services live for the network. The second system
is acting as a backup and receives all data changes as they
occur. In the event of the primary server failure, the
secondary server can take over supporting the services for
the network.
Clustering is having two or more identically configured
systems running as a collective. All the systems share in
supporting the live service to the network. If any member of
the cluster goes offline, the remaining members continue
supporting the service. Clustering allows for a service to be
available consistently while still allowing for scheduled
maintenance and occasional individual server downtime.
Servers need strong multifactor authentication to ensure
that only administrators ever have the ability to log into
them at the keyboard. You should sequester servers in a
dedicated room or vault to prevent casual or intentional
access by unauthorized users. Lock and monitor the server
vault at all times.
Routers
Routers are an essential traffic-management device of any
network. Network router security is primarily about
preventing unauthorized access. First and foremost, a router
should be physically inaccessible to any non-administrator.
All router configuration or management interfaces must
require strong authentication. Some environments have
elected to eliminate local accounts on the routers
themselves and rely upon Terminal Access Controller
Access-Control System Plus (TACACS+) for router
authentication and access.
Limit management interface access to a direct console or
terminal cable connection only, rather than allowing in-
network access. Require that all management interface
communications and router-to-router communications be
encrypted.
If a password is stored in a configuration file for the
router, be sure to use an encoding scheme that is not easily
cracked or reverse engineered. For example, the Cisco IOS
password 7 hashing method uses a weak reversible
algorithm and can be cracked easily using software tools
dating back to 1997.
Generally, configure the following on the router:
Block all directed IP broadcasts.
Drop all packets from the Internet using an RFC 1918
source address or any other internal address.
Disable the TCP and UDP small services of echo,
chargen, discard, and daytime.
Enable a warning banner for all attempted connections
to the router, especially to the management interface.
If SNMP is used on the network, require the use of SNMP v3,
which allows for encrypted transactions and authentication
of SNMP sessions. Then, use custom community names
rather than the default public or private communities.
Consider the software or firmware of the router. Only
install full final releases, never beta or partial firmware. If
you are concerned that the latest release has not been
thoroughly tested in the real world, sticking with a previous
release is acceptable, provided there are no published
reports of critical security flaws.
Try to limit the use of a router as a filtering device. Keep
the router table focused on traffic routing and implement
firewalls to provide content filtering and blocking of
suspicious or malicious traffic. Protect any router considered
a border router with a firewall.
Switches
Switch security is similar to that of router security. Maintain
control over who can physically reach the switch. Limit
access to management consoles and require strong
authentication to access the management interface. If a
password is stored in a configuration file for the switch, be
sure to use an encoding scheme not easily cracked or
reverse engineered.
If SNMP is used on the network, require the use of SNMP
v3, which allows for encrypted transactions and
authentication of SNMP sessions. Then, use custom
community names rather than the default public or private
communities.
Consider the software or firmware of the switch. Only
install full final releases, never beta or partial firmware. If
you are concerned that the latest release has not been
thoroughly tested in the real world, sticking with a previous
release is acceptable, provided there are no published
reports of critical security flaws.
Consider deploying switches that support IDS-like
features such as watching for MAC spoofing and ARP
flooding. MAC spoofing tricks a switch into thinking a
hacker’s computer is actually a legitimate host. The hacker
steals or spoofs a legitimate MAC address. If a switch is
monitoring for MAC addresses that change ports, then MAC
spoofing ceases to be a serious threat unless a hacker can
physically access the port connection of the MAC he or she
is trying to spoof.
ARP flooding overloads a switch’s mapping table so that
instead of forwarding packets out the correct port, the
switch will default into flooding mode and transmit packets
out all ports. This type of attack is part of active sniffing.
Active sniffing is an attempt to eavesdrop on switched
networks.
Use switch features such as Virtual Local Area Network
(VLAN) support and auditing ports. VLANs are hardware-
imposed network segmentation. VLANs control traffic. Using
VLANs to manage traffic is often cost-effective, since it does
not require re-cabling or changing of IP addresses; all of the
VLAN configuration takes place within the switch.
The audit, mirror, or IDS port on a switch connects an IDS
or IPS to monitor all the traffic traversing the switch. Since a
switch only transmits data out the port where its intended
destination resides, attempting to monitor all traffic on a
switched network is not possible without the use of the
auditing port.
Also, disable all unused switch ports. This prevents the
easiest method of adding rogue devices to a network—
namely, plugging into an open port.
Firewalls and Proxies
Firewalls and proxies defend the network, but you need to
secure them as well. Otherwise, if a hacker can compromise
the firewall, then the security it provides is unreliable.
Firewalls and proxies, as with routers and switches, need
physical access protection. No non-administrative user
should be able to gain direct physical contact with a firewall
or proxy. Limit access to management consoles and require
strong authentication to access the management interface.
If a password is stored in a configuration file for the firewall
or proxy, be sure to use an encoding scheme not easily
cracked or reverse engineered.
If simple network management protocol (SNMP) is used
on the network, require the use of SNMP v3, which allows for
encrypted transactions and authentication of SNMP
sessions. Then, use custom community names rather than
the default public or private communities.
Consider the software or firmware of the firewall or proxy.
As noted earlier, only install full final releases, never beta or
partial firmware. If you are concerned that the latest release
has not been thoroughly tested in the real world, sticking
with a previous release is acceptable, provided there are no
published reports of critical security flaws.
A firewall should drop all packets addressed directly to
the firewall, as the firewall does not host traditional services
accessed in this manner. The same is generally true of a
proxy server, but some instances apply where the proxy
server is either directly communicated with or that hosts
additional accessible resources.
Make a final security evaluation of any device, including
firewalls, proxies, switches, routers, servers, and clients. You
can perform this evaluation using an automated
vulnerability scanning tool or a custom manual penetration
test. The goal is to find any remaining vulnerabilities in
these devices so they can be made as secure as possible, as
quickly as possible.
CHAPTER SUMMARY
Network security implementation relies on a thorough
understanding of your organization, its goals, its risks,
and the technologies employed within your IT
infrastructure. Before you can properly deploy
network security, you must first design it. Most
network security designs include layers of defense as
well as sufficient capacity for growth.
Network security includes an evaluation of the
protocols and topologies your organization uses. If
the current design is insufficient, replace it with a
design that addresses productivity and security. You
need to assess the addressing schemes in use,
whether public or private, static or dynamic, in light
of how they improve or detract from security.
Other important components of network security
design and deployment include controlling
communication pathways; hardening systems; and
selecting proper equipment, authentication,
authorization, accounting, communication encryption,
types of hosts, redundancy, and node security
specifics.
KEY CONCEPTS AND TERMS
AppleTalk
Attack surface
Bring Your Own Device (BYOD)
Brute-force password attack
Dictionary password attack
File Transfer Protocol (FTP)
Hybrid attack
Identity and access management (IAM)
Internet Assigned Numbers Authority (IANA)
Internetwork Packet Exchange/Sequenced
Packet Exchange (IPX/SPX)
Modeling
NetBIOS Extended User Interface (NetBEUI)
Network News Transfer Protocol (NNTP)
Piloting
Post Office Protocol (POP)
Regional Internet Registry (RIR)
Security through obscurity
Simple Mail Transfer Protocol (SMTP)
Sunk cost
Systems Network Architecture (SNA)
Telnet
CHAPTER 5 ASSESSMENT
1. Which of the following is not an important factor when
included as part of network design?
A. Usability
B. Capacity
C. Obscurity
D. Growth
E. Defense in depth
2. All of the following are elements of network design
except:
A. Satisfying security goals
B. Understanding of the seven domains of IT
infrastructure
C. Implementing multiple layers of defense
D. Thorough research and planning
E. Utilizing a single vendor
3. Which IT infrastructure domain does not require
firewalls to be included as part of its network design?
A. Workstation Domain
B. LAN Domain
C. User Domain
D. Remote Access Domain
E. System/Application Domain
4. Which of the following is a benefit of private addressing
that is not present in public addressing?
A. Isolation from the Internet
B. Subnetting
C. Use of IPv6
D. Routing traffic
E. Filtering by source and designation address
5. Why would a network implement public addresses
internally instead of private addresses?
A. To avoid the use of NAT
B. To be able to custom subnet
C. To maintain isolation from the Internet
D. To prevent external initiation of communications with
internal hosts
E. To reduce costs
6. How can static addresses be simulated with DHCP?
A. Round robin assignment
B. Manual configuration on each host
C. Duplicate MAC addresses
D. Reservations
E. DNS reverse lookup
7. Which of the following is a flaw or weakness that both
static and dynamic addressing share?
A. The assignment server can go offline.
B. Changes require manual modification on each host.
C. Public queries will fail.
D. Hackers can spoof valid addresses.
E. The first half of the address identifies the NIC vendor.
8. What is a primary benefit of system hardening?
A. It reduces user performance.
B. It increases network throughput.
C. It decreases the attack surface.
D. It improves host ROI.
E. It tracks attempted intrusions.
9. All of the following are elements of system hardening
except:
A. Removing unnecessary protocols, services, and
applications
B. Implement ingress and egress filtering against
spoofed addresses
C. Installing patches and updates
D. Configuring encryption for storage and
communication
E. Installing antivirus and a host firewall
10. All of the following are true statements about system
hardening except:
A. System hardening is a one-time process that does not
need to be repeated on the same host.
B. System hardening removes or reduces many known
vulnerabilities.
C. System hardening is different for each system with a
unique function.
D. System hardening is dependent on the location or
placement of a host within the seven common
domains of an IT infrastructure.
E. Any system discovered to be out of compliance with
system hardening guidelines should be quarantined
until it can be repaired.
11. System hardening should be applied to all of the
following except:
A. Clients
B. Servers
C. Switches
D. Routers
E. Cable adapters
12. Which of the following is not usually part of the system
hardening process?
A. Updating hardware firmware or BIOS
B. Installing additional RAM
C. Configuring a backup process
D. Configuring account lockout
E. Replacing outdated device drivers
13. What is the essential purpose or function of
authentication?
A. Controlling access to resources
B. Monitoring for security compliance
C. Watching levels of performance
D. Verifying entity identity
E. Preventing distribution of malware
14. What is the essential purpose or function of
authorization?
A. Granting or denying access to resources
B. Checking policy compliance
C. Identifying entities
D. Monitoring levels of utilization
E. Detecting spoofed content
15. What is the essential purpose or function of
accounting?
A. Detecting intrusions
B. Proving identity
C. Controlling access to assets
D. Recording the activities and events within a system
E. Throttling transactions
16. What is the essential purpose or function of encryption?
A. Verifying integrity
B. Proving the identity of endpoints
C. Protecting content from unauthorized third parties
D. Maintaining performance
E. Validating parking
17. A remote host has all of the following additional
security issues or concerns in comparison with a local
host except:
A. Potential exposure to unfiltered Internet
B. Poor end user training
C. Greater risk of physical theft
D. Possible lack of patches and updates
E. Additional interaction with external entities
18. Which of the following is a protection against a single
point of failure?
A. Encryption
B. Filtering
C. Auditing
D. Redundancy
E. VPNs
19. When performing node security on a router, all of the
following are important concerns, except:
A. Blocking all directed IP broadcasts
B. Disabling echo, chargen, discard, and daytime
C. Watching for MAC spoofing
D. Dropping RFC 1918 addressed packets from the
Internet
E. Enabling a warning banner for all attempted
connections
20. When configuring node security on a switch, all of the
following are important elements except:
A. Enabling keystroke logging
B. Limiting access to management interfaces
C. Monitoring for ARP flooding
D. Upgrading to SNMP v3
E. Using a final version of firmware
CHAPTER
6 Network Security
Management
COMPUTER NETWORK SECURITY is not a final solution or a task to be completed. Security is a continuous journey.
Safeguards and infrastructures that worked before might
offer little or no protection against future attacks. You must
constantly develop and deploy new defenses against new
exploits. This vigilance is the essence of network security
management.
Network security management strives to maintain
established security, adjust the infrastructure to future
threats, and respond to breaches in a timely manner. Using
a variety of techniques and tools, including incident
response, host security, backup and recovery, checklists,
and security assessment, network security management is a
complex, but essential component of long-term, reliable
security.
Chapter 6 Topics
This chapter covers the following topics and
concepts:
What best practices for network security
management are
What fail-secure, fail-open, and fail-close
options are
What the important elements of physical
security are
Why is it essential to watch for compromise
What incident response is
How to trap intruders and violators
What containment is
How to impose compartmentalization
How to use honeypots, honeynets, and
padded cells
What some essential host security controls
are
How to properly implement backup and
recovery
What the importance of user training and
awareness is
What some important network security
management tools are
How to create and use a security checklist
What the basics of network security
troubleshooting are
What compliance auditing is
What security assessment is
What a configuration scan is
What vulnerability scanning is
What the purpose of penetration testing is
Why post-mortem assessment review is
important
Chapter 6 Goals
When you complete this chapter, you will be able
to:
List examples of network security best
practices
Describe the importance of physical security
Compose a procedure for incident response
Enumerate key components of an effective
network security installation
Describe the methods of network security
assessment
Network Security Management Best
Practices
Network security management best practices are
recommendations, guidelines, or standard operating
procedures for obtaining reasonable security on a real-world
budget. Best practices are usually not specific
recommendations for products or tools; instead, they are
recommendations for philosophies, stances, or concepts to
use. The following items are suggested best practices.
These might not apply to every environment, although you
should consider, adapt, or adopt each when appropriate.
The foundation of any security endeavor and the start of
security best practices is having a written plan. A written
security policy has no substitute. Any other method, any
other process, and other attempted procedure for defining,
implementing, and managing security will fail. Only a
written security policy has the potential to succeed.
To have a plan, you must thoroughly understand your
organization’s infrastructure, its mission and goals, and the
processes necessary to produce its products and services.
This means understanding what technology your co-workers
need and use, what assets are involved, what resources are
consumed, where everything resides, and how users access
the infrastructure. Consider larger and more complex
environments in light of the typical IT infrastructure.
A written security policy establishes a documentation
trail that everyone in the organization can subscribe to. To
write a comprehensive security policy, you must first
thoroughly inventory and examine every component of the
IT infrastructure. Only when you fully understand the
environment can you create a comprehensive and effective
security policy.
To create a useful and relevant security policy, perform a
risk assessment. The process of understanding assets,
vulnerabilities, threats, and likelihoods is at the heart of risk
assessment.
Once you have designed and deployed a written security
policy, regularly review the policy. Investigate whether the
overall quality and reliability of the existing security is
sufficient or in need of improvement. Verify that assets are
still properly protected. Evaluate whether prevention,
deterrence, and response have been adequate and
effective. Wherever you discover a deficiency, act to
improve and rectify the situation immediately.
Security cannot succeed without the solid endorsement
and support of senior management. Executives should
support the security policy, follow the limitations
themselves, and stand behind the decisions made by you
and the IT staff. When the security staff and the executives
are focused on the same goal, solutions will follow. When
these two groups are not working in concert, time, money,
and effort go to waste, and network security fails.
Establish a no-exceptions policy. Every device connecting
to the company network must be in full compliance with the
security policy and current with approved patches and
updates. Block any device not in compliance with these
restrictions from interacting with the network. This
effectively is the function of a NAC (network
access/admission control) service. But it should also be a
written element of the security policy. Define “no
exceptions” in writing, and then use technology to enforce
this element of the plan.
Maintain physical control over all personnel access to IT
equipment. Block access to all servers or networking
equipment to all non-administrative users. Limit access to
client systems to authorized personnel within each
department. Ensure that departments are separated by
locked doors. Limit visitor, consultant, and other authorized
non-employee access primarily through a mandatory escort
system. More suggestions about physical security are
included in a later section in this chapter.
Limit and filter Internet connectivity. In spite of many
users’ desire for an unrestricted, unmonitored Internet
connection for personal use, the Internet poses a significant
risk for most organizations. An unrestricted or unfiltered
Internet connection is a pathway for malicious code, social
engineering attacks, and intrusion attempts. If an Internet
service, protocol, domain, or IP address is not essential to a
necessary business task, block it. Computer access to the
organization’s network and assets is for work tasks, not
personal activities.
Install antivirus scanners, anti-malware scanners, and
firewalls on every host. Every portable device, every
desktop workstation, and every server should have these
malicious code and malicious traffic protections. No system
is immune to malware and malicious communications; basic
filters and barriers to known issues prevent easily avoidable
compromises and downtime. Antivirus and other host
essentials are discussed further later in this chapter.
FIGURE 6-1
An example of defense in depth around an asset.
Do not rely upon single or individual defenses. Attempt to
interlock and layer defenses. Implement defense in depth or
a multiple-layered defense wherever possible (Figure 6-1).
By following a defense-in-depth design concept, you will
protect each asset with numerous safeguards. As one
defense tool interlocks with another, they overlap—like
medieval armor plate—and improve the overall security. The
strengths and benefits of one countermeasure can
supplement or compensate for the weaknesses and
limitations of another.
When possible, avoid remote access. Limit access to local
direct connections only. When remote access is necessary,
require a virtual private network (VPN). Once you allow
remote connectivity, you allow the possibility of remote
hacking. Remote hacking attempts to breach security
without the need to be physically at or within the target’s
facilities. Requiring VPNs for all remote connections reduces
this threat by preventing open connections or
communications vulnerable to eavesdropping.
Any device that is portable or easily accessible by a non-
employee should use whole hard drive encryption or at
least file encryption. While not absolutely foolproof,
encrypting an entire hard drive makes accessing the data on
a portable device much more complex. If a system is stolen
when powered off, the hard drive’s encryption typically
presents an insurmountable barrier. If the equipment is
running when stolen, a hacker might bypass the hard drive
encryption by hacking the encryption key out of active
memory. However, this is an unlikely attack.
Require encryption of all internal network
communications. Use Internet Protocol Security (IPSec) to
secure all intranet communications. This is often an easy
and cost-effective means to quickly reduce the risk of
eavesdropping, man-in-the-middle, replay, and many other
forms of network attacks. Well-encrypted data is much less
likely to fall into the hands of hackers, thieves, and
unauthorized personnel.
Harden internal hosts as well as border devices. Do not
focus exclusively on one area or issue of security to the
exclusion of all others. Provide consistent and thorough
security throughout the IT infrastructure. All networked
devices are at risk—perhaps from different threats, but still
at risk.
Always test new code before deployment onto a
production system. No matter what the source of new code,
you must test it. Even if an internal programmer wrote the
code, you must test it. Even if the code addresses a
mission-critical issue, you must test it. Test all new code
without exceptions. Any and all untested code is
unauthorized and should be blocked from all production
systems.
Implement multifactor authentication whenever possible.
Single-factor authentication, especially password-based
authentication, is no longer a truly secure or sufficient
method of protecting the logon process. Adding at least one
additional factor significantly increases the authentication
security of the environment. Once multifactor authentication
begins, allow no exceptions that fall back on single-factor
solutions. Otherwise, intrusion efforts will focus on the
single-factor pathway.
Back up, back up, back up: Backups are the best form of
insurance against data loss. Don’t store backups on the
same system or even in the same locale as your other
assets. Store backups on separate storage devices. While
you can store backups both onsite and offsite, offsite is the
preferred secure location in the event of natural or
manmade disasters. Backup and recovery are covered in
more detail later in this chapter.
If an asset is worth the time and effort to secure, then it’s
worth monitoring as well. Lock each asset as necessary, and
then watch for attempted breaches of that security. No
perfect security solutions exist; thus, to improve security,
prepare to respond immediately when you detect breaches.
Lock, then watch. Failing to watch a secured asset means
that when a compromise occurs, you won’t notice
immediately. Watching for compromise is discussed further
later in this chapter.
Have an intrusion and incident response plan. Bad
things and failures will happen. Breaches will take place. Be
prepared. Evaluate and examine the realistic threats facing
your assets. But plan for the worst. Define procedures to
respond to any situation. Incident response is addressed
further later in this chapter.
Do not overlook making a business continuity plan
and a disaster recovery plan. Above and beyond security
breaches are business-terminating events in the form of
natural and manmade disasters. Building collapse, flooding,
earthquakes, hurricanes, fire, sabotage, blackouts, malware
infection, criminal activities, and so on can end your
organization’s operations. If alternate means of
accomplishing mission-critical tasks are not available, your
organization will cease to exist. Plan to recover from
disasters and do business in the future.
KISS—Keep It Simple: Security. Security is complex
enough without purposefully imposing additional complexity.
Focus on designing security that the average user can
comply with easily and simply. The more arcane and cryptic
procedures become, the greater chance that users will
misunderstand, fail to comply, or purposefully subvert.
Simplicity encourages compliance.
Focus on balancing security and usability. Security does
not need to make all work difficult. Likewise, essential work
functions need not compromise security. Finding a balance
between these two extremes is important. The focus should
be on reducing risk to the infrastructure while enabling
users to perform authorized work with a minimum of hassle.
Prioritize. Security concerns can always overwhelm
available time, effort, or budget. Focus on the big impact
and big result issues first rather than attempting to swat
every minor annoyance that arises. Security is constantly
changing; the goal is to maintain reasonable rather than
perfect security. (Remember, this is an unattainable goal
anyway!)
Always be fully and truly aware of the state of the
organizational security. Don’t make assumptions. If you are
not positive that an aspect of the organization is secure, find
out. Assuming security exists leads to a false sense of
safety. A lack of knowledge about the security status can
lead to complacency. By assuming nothing is wrong, you
feel no urgency to investigate and rectify problems. Do not
fall into the “I thought it was protected” trap; if you do not
know or are not sure, take the time to investigate and be
sure.
Look for the weakest link. Every system or structure has
a weak point, and a security structure is no different. It
might be power, it could be humans, it might be a coding
issue, it could be processing capacity, or it could be any
number of other potential culprits. In any case, some
weakest link exists in the security chain. Think like a hacker
and look for it. Find it. Improve it. Then, go looking for the
next weakest link.
Focus on known, real, probable threats rather than on
unknown, imagined, or possible threats. You don’t have
enough time, energy, or budget to protect against
everything. Perform a risk assessment and focus on current,
significant issues.
Develop a standardized, procedural-based process for
hardening new systems. You should subject every new piece
of host equipment, including switches, routers, firewalls,
servers, and clients, to a rigorous and thorough hardening
process before it is deployed onto the production network.
In fact, having a dedicated, isolated, new system-testing
network will protect the existing production network from
new systems, as well as protect new systems from threats
from the existing production network.
Develop and implement an efficient patch
management system. You need to promptly analyze,
evaluate, and install every new patch released from your
vendors, whether for hardware or software. Never short-
circuit the test-all-code-before-deployment policy, and never
implement code based on fear. Instead, have a focused and
efficient process for testing and approving new updates so
that they can be rolled out to production systems quickly.
Keep every system current on patches; remember, however,
that pushing out a patch too soon and without proper
testing is just as bad as delaying patch approval because
you lack the time to examine it.
User training and behavior modification is essential.
Technology cannot solve or remedy all security concerns.
Technology cannot compensate for the human factor. Be
sure to train all authorized personnel on general security
concepts as well as task-specific security concerns. Train
users on what policy expects, define what policy prohibits,
and encourage buy-in and support of the overall
organizational security effort. User training is addressed
further later in this chapter.
FIGURE 6-2
National Institute of Standards and Technology (NIST):
National Vulnerability Database.
Stay current on security and vulnerability research. You
can’t protect against existing, new, and upcoming threats
unless you know what they are. You need to seek out this
information, because most general news sources, even
those focusing on technology, don’t address most of the
security vulnerabilities, exploits, or compromises that arise
daily. Find good resources-related security and vulnerability
research (Figure 6-2) and consult it religiously. Knowledge is
often one of the best weapons in the fight for security.
Develop a security checklist. Periodically review it for
completeness and accuracy, such as every quarter. Confirm
every element on the checklist on a regular and frequent
basis, such as once a week or once a day. You can automate
this to an extent, but checking often requires human effort
to test and confirm that every security mechanism is in
place, active, armed, and effective. Security checklists are
discussed further later in this chapter.
Perform regular self-assessments. Numerous security
groups and government/military agencies post security
implementation guidelines, manuals, and checklists. You can
use these documents, commonly known as Security
Technical Implementation Guides (STIGs), to review
and assess your organization’s status and state of security.
A self-assessment attempts to take an external, unique, or
independent viewpoint in evaluating security. This is why
using external security guidelines, standards, and
measurements can reveal oversights in an existing security
infrastructure.
Perform internal compliance audits. Thinking you are
secure isn’t enough; the laws in many industries, such as
finance and medicine, now require compliance. Ensuring
that you are in full compliance with all federal and state
laws and regulations is not only good security management;
it will keep your company officials out of jail. Using external
auditors is often a poor substitute for internal self-
verification.
Implement the principle of least privilege. All users,
including administrators, require only the privileges, access,
and permissions necessary to accomplish their assigned
work. Any abilities beyond this minimum increase the
potential for compromise and abuse.
Isolate and compartmentalize administrative privileges
through the implementation of separation of duties. This
is also known as split knowledge. Administrators are given
limited administrative power over a limited area of the IT
infrastructure. No single administrator has full or total power
over the entire environment. This limits the scope of
potential abuse and harm by disgruntled administrators, as
well as by hackers who compromise administrative
accounts.
Test all security measures for sufficiency. Perform
verification scans of all deployed countermeasures to
ensure their correct functioning. Improper installation or
misconfiguration can render a well-meaning safeguard
worthless. Test every new security control when you install it
and every time you reconfigure it.
Perform regular vulnerability assessments. Use
automated tools with updated databases of security tests
and exploit simulations. These tools should confirm patches
and updates, verify security configurations, and probe for
known vulnerabilities and exploit weaknesses. Quickly
resolve any issues discovered by the scans.
After you have improved and fine-tuned your security
infrastructure, put it to the ultimate test: Perform
penetration testing. Hire or develop an ethical hacking team
to test the strengths and weaknesses of the IT security as
well as the security of the facilities and the employees.
Ethical hackers use the same tools and attack techniques as
criminals, but without the intention to cause actual damage.
Professional security assessors can customize attacks,
modify exploits, and react in real time to fully stress security
defenses.
Focus on the core security services when designing
security: confidentiality, integrity, and availability. Failing to
properly and adequately buttress these essential security
services will result in damage, data loss, and downtime.
Confidentiality is the prevention of unauthorized access
while supporting authorized access. Integrity is the
protection against unauthorized modifications. Availability is
the assurance that resources are accessible in a timely
manner.
Consider designing security, especially physical security,
around three central functions: deterrence, detection, and
delay. Deterrence is the use of security to convince the
potential attacker that the efforts to compromise a system
are not worth it. The attack may be perceived as too hard or
too complex, the attempt too easy to detect, and the
consequences too severe. Detection is to watch for the
attempts at breaching security so as to respond promptly.
Delay is to slow down the attack so that even successful
breaches give the defenders time to respond in order to
apprehend the attacker or prevent further intrusion.
Another common trio of parameters for security design
and implementation is prevention, detection, and response.
Prevention is the use of safeguards to thwart exploitation or
compromise. It is usually more efficient, easier, and cost
effective to prevent intrusions and breaches than to react to
them. Immediate detection of attempted and successful
security breaches is important. The longer the time span
between a malicious action and an authoritative response,
the greater the likelihood the perpetrator will get away
without consequence. Response means being prepared to
contain damage, restrict further compromise, and effect
repairs to return the system to normal.
Don’t overlook the importance of authentication,
authorization, and accounting. These services are essential
to a secure infrastructure. You must control who is allowed
into a facility and onto the network. Place limitations on
what authorized users can do. Hold all entities—even upper-
level management—accountable for their actions, activities,
and results.
Focus on establishing a philosophy of default deny
rather than default allow. By blocking everything as a
starting point, only those features, services, protocols, ports,
applications, and users that you judge and deem safe and
appropriate can be enabled by exception. A default-permit
stance means you must create a never-ending stream of
explicit denials as you detect new compromises or malicious
events. Deny by default/allow by exception is always the
preferred security stance.
Implement whitelist application control. A whitelist is a
list of allowed exceptions against a background of default
deny. By configuring a system with a whitelist, you block all
executables unless they are on the list of allowed
exceptions. A whitelist consists of the application name, its
file name, and the file’s hash value. This prevents spoofing
by malicious or unapproved applications that simply rename
the executable.
This collection of network security management best
practices should serve as a starting point for the
development of your effective security endeavors. Other
valid and useful guidelines exist, so don’t assume this list of
recommendations—or any other list from any other source—
is exhaustive. You always have new lessons to learn, new
challenges to face, and new wisdom to obtain.
Fail-Secure, Fail-Open, and Fail-Close
Options
Failure is not an option; it’s a certainty. At some point in the
life of your organization, failure will happen. Will you be
prepared to handle it properly, and how much harm will the
failure cause?
A failure can be due to hardware ceasing to operate
properly because of an unknown flaw in materials or
construction. A failure can be due to the accidental
discharge of static that damages circuits. A failure can be
due to atypical weather that floods the building.
A failure can be due to a malware infection that crashes
a server. A failure can be due to a zero-day exploit that
compromises security from outside.
Failure means problems, downtime, loss, and
consequences. However, failures do not have to mean
bankruptcy, going out of business, jail time, or catastrophic
loss. The difference between calamity and mere
inconvenience is planning. As with most aspects of security,
proper and extensive planning can assist in designing an
infrastructure that can prevent or effectively survive any
issue or concern.
Planning for failure is planning how to respond to and
recover from failures. The goal is to fail into a state of
security or safety rather than into a state of insecurity or
chaos. This is known as fail-secure. A fail-secure state
reverts to a condition where little or no harm, or at least no
further harm, is likely to happen. Depending on the
situation, a fail-secure state could be fail-open or fail-close.
To fail-open is to revert to a state of being open,
available, or unlocked. In the case of the physical world, fail-
open is important for the safety of personnel. Fail-open
doors allow people to leave a building easily. However, such
easily opened doors might represent a weakness that an
intruder could exploit to access secured internal areas. In
the case of IT, fail-open is to revert to a state of unfiltered
communication or data access.
To fail-close is to revert to a state of being closed,
unavailable, or locked. In the case of the physical world, to
fail-close is to prevent a doorway or container from being
opened during an emergency or compromise. In the case of
IT, fail-close blocks access to communications and other
digital resources.
Either state, fail-open or fail-close, can be the fail-secure
or fail-safe option depending on the circumstances. In any
case, you should carefully consider and plan the type of
default response you will use, especially during an
emergency, intrusion, compromise, or system failure.
Physical Security
There is no security without physical security. Logical
protections can protect only against logical attacks. Physical
protections protect against physical attacks. With just a few
moments of physical contact, a hacker can overcome or
bypass most logical security.
Physical security is the prevention of direct physical
contact, access, or influence of an unauthorized person to a
sensitive component of an IT infrastructure. Any well-
designed network security solution will include physical
security components. If you fail to address physical security
adequately, you fail to understand the threats facing your
organization.
Physical security includes a facility that resists forcible
entry. Select, improve, or build facilities that prevent and
deter unauthorized physical intrusion. If physical breaking
and entering is possible and potentially profitable for a thief,
it’s more likely to take place.
Physical security should include the monitoring of all
personnel activity. Solid physical access control includes
keeping track of when an employee enters and exits every
secured or sensitive area. Good physical access control
blocks outsider access and enforces escorts for visitors.
Physical security should include card key entry, burglar
alarms, motion detectors, and security cameras. Use the
best available technology to both deter and detect physical
security violations.
Watching for Compromise
Everyone in your organization is part of the physical security
effort. All individuals are responsible for staying within the
security boundaries themselves. They are also responsible
for reporting violations or suspicious activity. Security is
about locking and watching. Not every employee can assist
in the process of locking things down, but all can and should
assist with watching for violations and suspicious behaviors.
Use all available technologies in addition to human eyes
to look for security violations. Use auditing, IDSs and IPSs,
security cameras, motion detectors, and so on when
appropriate. Proper network security management includes
proper design to watch for violations.
Violations can occur in the physical world as well as
within the logical world of computers, networking, and the
Internet. Don’t assume that just because a violation causes
no direct physical harm, the issue is not worth knowing
about or pursuing. A crime is still a crime whether it’s a
physical crime or a logical one. Design and implement
detection mechanisms to notice, log, and monitor suspicious
or abnormal activities.
Incident Response
Incident response is the planned reaction to negative
situations or events. Inevitably, security breaches, or at
least attempts to breach security, are going to occur. When
those events affect the organization or its abilities to
perform its tasks in any way, incident response is triggered.
The goals of incident response are to minimize downtime,
minimize loss, and restore the environment back to a
secured normal state as quickly as possible.
Most incident response solutions include six primary
steps or phases:
1. Preparation—Select and train security incident
response team (SIRT) members, allocate resources.
2. Detection—Confirm actual breaches.
3. Containment—Restrain further escalation.
4. Eradication—Resolve the compromise.
5. Recovery—Return to normal operation.
6. Follow-up—Review the process and improve
future responses.
An incident response plan is an important element of
network security management.
Trapping Intruders and Violators
Security often aims at prevention and deterrence. When an
intrusion or security violation takes place in spite of the
precautions, the next stage or level of security must
respond. The next stage of security is detection. Knowing if
and when a security violation occurs is essential to a timely
and adequate response to a breach.
Once you detect a breach, you must immediately initiate
a response. The first stage of response is containment. The
goal of containment is to prevent further spread of a known
malicious event. Containment is a mindset, a plan of action,
and an element of design. As a mindset, containment is the
focus of first responders or members of the SIRT. Their goal
is to prevent any expansion or spread of the compromise to
other systems.
Why Containment Is Important
Containment can be as simple as unplugging a network
cable from a compromised system. This effectively cuts off
any communication to and from the suspect host. You can
also impose containment by disabling user accounts,
stopping services, adding entries to filtering devices, and so
on. Whatever the vector or source of the malicious event, its
source or target should be cut off from causing continued
harm.
The act of containment should interrupt or interfere with
the continued spread or operation of the unwanted event.
This type of initial response is often effective against
malicious code, remote access, backdoor control, a
compromised user account, social engineering, and many
other forms of network or system compromise.
Containment is often considered a form of response.
Containment is the action taken by a first responder.
However, even before you experience a security breach, you
can employ another preventative measure similar to
containment known as compartmentalization.
Imposing Compartmentalization
Compartmentalization is the element of infrastructure
design that takes into account the likelihood of a security
breach by malicious code or some other intruder.
Compartmentalization distinctly separates a network into
areas or zones of access. Often, these zones are around
departments or entities that commonly interact over the
network. Any entity that does not commonly interact is
separated by default using network security access control
devices such as routers, switches, and firewalls.
The purpose of compartmentalization is to create small
collectives of systems that support work tasks while
minimizing risk. The typical risk is that if one system is
compromised, the breach can quickly lead to other systems
being compromised. This is especially true of malicious
code, which distributes rapidly. But it can also apply to
remote hacker intrusion as the hacker attempts to leap from
system to system, searching out valuable resources.
Network compartmentalization is similar to the
bulkheads on ships. In the event of a hull leak, the bulkhead
doors of the affected compartment close and seal. This
prevents the entire ship from being sunk by a single breach.
The same is true for computer network
compartmentalization. When you detect a breach, you can
sever the links between network compartments to prevent
any further malicious communication to or from the affected
sections.
Using Honeypots, Honeynets, and
Padded Cells
Another specific intruder trap you can add to a security
infrastructure is a honeypot. A honeypot is a hacker or
intruder trap. A honeypot is a system or network that
appears to contain valuable information, and appears to be
part of a legitimate organizational network, but in fact is a
specially designed trap. The purpose of a honeypot is to
trap hackers/intruders, detect new attacks, or simply serve
as a decoy to deflect attacks from reaching the actual
primary network.
A honeypot can be a single system or a network of many
systems constructed to look, act, and operate like a real
network environment, containing seemingly attractive but
actually fake resources. For a honeypot to be effective, it
must look and act just like a real target. Otherwise, hackers
will quickly uncover that it is fake and search harder to find
the real targets. A honeypot often includes extensive focus
auditing and recording capabilities to thoroughly capture all
activities that take place within it.
Honeypots can be single systems or multiple networked
systems. A network of honeypots is sometimes called a
honeynet. Both honeypots and honeynets are decoy
systems that are always operating in the hopes of attracting
would-be hackers and intruders. Another form of honeypot
is the padded cell. The padded cell is turned on only after
you detect an intruder; you then lure the intruder into
entering the padded cell.
Configure and situate honeypots so that they do not
interfere with authorized users performing authorized
activities. However, you need to position them along
common pathways of access that an outsider or intruder
might take, in much the same way a hunter will hide along a
game trail in the forest. A honeypot should be attractive and
interesting enough to persuade a hacker to attack it, but not
too attractive as to trigger that voice in the back of the
hacker’s mind that says, “It’s a trap.”
A honeypot has value in two primary circumstances.
First, if the organization’s primary goal is to learn about new
hacking exploits, then a honeypot can serve as a laboratory
for that purpose. Second, if the organization’s primary goal
is to prosecute criminals, then a honeypot may assist in the
discovery, identification, and apprehension of suspects.
However, if neither of these two purposes is a primary goal
of the organization, then deploying a honeypot is generally
not a worthwhile endeavor.
Essential Host Security Controls
Every host needs protections from its users as well as from
the network it communicates with. There are always risks,
even within a private network, from authorized users.
Precautions include equipping host devices with reasonable
defenses against known potential avenues of compromise.
Every host needs an antivirus scanner. While malicious
code is not as serious a threat in some operating systems as
in others, hackers create malware for every platform. You
can no longer safely claim immunity based on your
operating system selection alone.
An antivirus scanner needs to be current. The scanner
engine, the core mechanisms for malware detection, should
be less than a year old. Typically, a deployed antivirus
should have the current year in its name or as its build date.
Any antivirus scanner more than a year old is too out of
date with new and current scanning technologies, malicious
embedding techniques, and cleanup and removal
procedures.
An antivirus scanner needs to have its database of
definitions updated at least once per day. This should be an
automated process so that as soon as the vendor releases a
new update, it is downloaded and applied. Using a scanner
with an old database is just as bad as using an old scanner.
An antivirus product provides protection only against known
threats, so don’t allow your antivirus software to develop
amnesia from delayed updates.
An antivirus scanner must be configured to perform
constant, consistent, and automatic scans. Monitor the
memory, processing stack, and any other active element of
a computer system in real time for symptoms of malicious
code compromise. When malware reaches a host, it can
infect that host and distribute its spawn in moments.
Without real-time monitoring for infections, serious damage
can take place long before a periodic scan notices the
breach.
An antivirus scanner should be configured to perform
complete, systemwide, low-level scans across all memory
and storage devices on a periodic basis, every day or at
least once a week. By scanning the entire system on a
regular basis, you can detect and remove malware that was
able to gain access through some unmonitored or covert
channel.
In addition to an antivirus scanner, hosts should benefit
from an anti-malware scanner. An anti-malware scanner is
also known as a spyware or adware scanner. These are
companion scanning products to antivirus software in that
they find other forms of malicious, nuisance, or suspicious
code that might not qualify as a virus or worm. Their targets
include spyware, adware, keystroke loggers, rootkits, hacker
tools, backdoors, Trojan horses, malicious/abnormal cookies,
suspicious mobile code, bots, zombies, and so on. Don’t let
the names fool you. All of these things represent the
potential for real network damage.
Every host should be equipped with a software host
firewall. A host firewall provides filtering services for data
entering and leaving the local box. A host firewall can limit
network connectivity for local applications as well as allow
or deny access to resources from external entities.
Most hosts can benefit from the added security of whole
hard drive encryption. This ensures that all data on the drive
is secured. Depending on the product and technology you
employ, whole hard drive encryption can be unlocked
through a boot password or the use of a hardware device,
such as a USB drive or a Trusted Platform Module (TPM)
chip. Whole hard drive encryption essentially prevents a
hard drive from being read by another system if it is stolen.
Some forms of system and file damage occur from
activities that are not malware related. Using a hash
integrity checking mechanism to watch for unauthorized file
changes can assist in tracking down abnormal sources of
compromise. Monitor every system file and device driver.
Any change not associated with installation of a valid
update is likely a symptom of malicious activity.
You should configure and review auditing on all hosts, not
just servers. Malicious activities and communications can
take place on any system. Configure every host to audit,
monitor, and log local and network events. Then, using an
intrusion detection system (IDS) or other form of security
auditing tool, scan the log files for symptoms of concern.
What you do not know can harm you, so arm yourself with
as much knowledge as possible.
Backup and Recovery
Back up. Back up. Back up. There is no excuse for lacking a
backup solution. Backups are the only insurance against
data loss. Failing to make a backup is planning for failure
and data loss. A single data loss incident, such as a failed
hard drive, could be enough to cause the failure of an
organization. Do not lose data because of carelessness;
implement a backup process immediately.
Backups are not difficult. They just take a bit of planning.
First, plan where you want to store the backups. The three
main choices are online, offsite, or onsite.
Online or cloud backup storage is growing in popularity,
availability, and cost effectiveness. Online backups offer
access to your data from any Internet connection, making
recovery possible from anywhere. However, online backups
put your data on someone else’s hardware, making you
dependent on that party’s security, confidentiality
assurance, and reliability. Plus, backup transfer speeds are
dependent on the local Internet link speed, which is usually
much slower than most local media backup options.
Offsite and onsite storage employ the use of backup
media. Backup media can be tapes, optical disks, hard
drives, and solid state drives/cards. Physical media require
space for storage and are subject to physical threats,
namely theft, damage, and destruction. Offsite storage is
the better option when faced with major catastrophes. This
protects your backup media from damage by problems
occurring at your primary work location. Onsite storage
provides for quick recoveries around minor issues.
Midsize to large organizations often elect a multistage
backup solution that provides both onsite and offsite storage
benefits. One possible configuration is to use banks of
rewritable high-speed optical storage devices to host a live,
online, onsite backup. Then perform periodic backups from
the optical storage set to portable media, such as tapes, for
secure storage offsite.
This configuration provides for fast backup from the
original systems to the optical media, then provides a
convenient process for creating tape copies quickly. It also
allows for fast restoration of data from the online, onsite
optical backup, while providing major disaster protection
with the offsite secure storage of tapes.
As much as possible, automate the backup process to
ensure that it happens. If the act of backing up the
network’s data interferes with production, then install a
secondary network to exclusively support data transfer for
backups. This will require a second network interface in
every system protected through the backup process.
The offsite storage location for backup media should be
secure and reasonably protected from disasters, especially
severe weather. If your organization is large enough to have
multiple locations, rather than the same building or even
buildings within a few blocks of each other, then offsite
storage can switch from third-party storage to internal
storage at distant branch locations.
User Training and Awareness
User training is an essential part of any security endeavor.
Not every worker in an organization is automatically an IT or
technology expert, nor should you expect them to be.
Security training and awareness aims at providing all users
with basic security knowledge as well as job-specific
security information.
To hold users accountable for their actions, first clearly
define the network security policy boundaries and
limitations. Having a set of rules and restrictions without
informing personnel of their existence won’t enforce policy
and can lead to employee grievances. Training and
awareness is necessary to educate users on their
responsibilities and the consequences for violating
organizational policy.
Without adequate security education for users,
maintaining a secure environment is difficult, if not
impossible. However, many organizations fail to support end
user training adequately. This results in users not
understanding the importance, need, and benefits of
security. Additionally, it will result in an increase in
violations, most of which are benign and accidental, but
incidents that you will nonetheless need to investigate and
resolve.
A few common end user security mistakes or problems
caused by a lack of security training include:
Opening e-mail attachments from unknown sources or
from a known source with an unexpected or unusual
attachment
Preventing updates and patches from installing, even
when approved and recommended by the security
staff
Installing unapproved software on work computers,
including games, screensavers, utilities, instant
messaging clients, and browser plug-ins
Installing software on work computers that you have
not verified as safe and free from malicious code
Failing to make backups of personal data or work data
on work computers
Using a modem or wireless connection from a desktop
or notebook work computer while still connected to
the company LAN
Using a password storage/tracking utility that does not
encrypt its database
Walking away from computers while still logged in
Connecting unknown and unapproved devices to a
work computer
Using portable media and storage devices from an
external source on a work computer
Installing remote-control or remote-access software on
work computers without obtaining approval
Using the same password on multiple systems
Leaving portable devices in locations outside of work
where they could be easily stolen, such as in a car’s
backseat
These are just some examples of common security problems
caused by untutored users. You can avoid or at least
minimize most of these issues with reasonable user security
education. However, it’s also common for IT staff to make
security mistakes, even though they are much more
knowledgeable about technology. Just because someone is a
“tech guy” or might be considered a computer geek does
not necessarily imply he or she is security smart as well.
Some mistakes made by technology experts (who really
should know better) include:
Using the same password on multiple systems
Allowing new systems to go online before they are
properly hardened and/or tested
Failing to keep current with available patches and
upgrades, especially those related to security
Using remote system and device management
mechanisms that are convenient but not secure, such
as telnet, HTTP, and FTP
Discussing passwords over the phone, including
changing passwords based on over-the-phone requests
Failing to properly check identity, authority, and
permission before giving out information or access to
resources
Failing to implement a proper backup solution
Not verifying and testing that backups are working
properly
Assuming something is secured or properly configured
without specifically checking and verifying
Allowing unnecessary and potentially insecure
applications, services, and protocols to remain on a
system
Using security and network devices with their default
settings, such as firewalls, proxies, routers, and so on.
Failing to understand all of the security configuration
options on a new software or hardware product
Putting new software or hardware into production
before thoroughly testing and gaining approval
Allowing anti-malware defenses to become out of date
or go stale
Allowing sensitive information to be communicated
without an encrypted channel
Even a knowledgeable technical professional can learn how
to be more secure through proper training and awareness
education. Every single person throughout an organization
has security responsibilities. These need to be defined,
explained, and taught. Users will improve their behaviors
when they understand what the risks are, what is at stake,
and how their behavior will affect them if they fail to support
security.
The goal of security-related training is user behavior
modification. Users need to take steps to change their
regular activities from those that place themselves and their
workplace at risk to those that avoid risk. Risk is easy for
most people to understand, but they need to be made
aware of risk to trigger a change in their actions.
Good user training will cause an improvement in user
compliance with the standards, policies, procedures, and
guidelines of your organization. Often, the beginning of
security training is awareness. Awareness is introductory,
foundational, and ubiquitous security information that
applies to all employees. Awareness aims at establishing a
common baseline of security understanding for the entire
organization.
The principal means of awareness training is in a
classroom setting. It should, however, include a wide variety
of communications, including online videos, interactive Web
sites, posters, e-mail reminders, regular memos or
newsletters, wall banners, coffee mugs, sticky notes,
manager review meetings, loudspeaker announcements,
screensavers, mouse pads, and even voice mail messages.
The point is to inform users about basic security essentials,
then reinforce those basics while they are at work.
Awareness is important for all personnel, in all job
positions, at every level of access, from the top to the
bottom of an organization. Everyone should understand
basic security issues. These often focus on general
responsibilities, liability, seeking to avoid waste and fraud,
reduction of unauthorized activities, and looking out for
abnormal or suspicious events.
User Education
Every organization should have a written security
policy, but that is not enough. In order to ensure that
an individual knows the policy, the individual should
be made to read the policy and sign a statement that
he or she has read the policy and will abide by the
policy. The individual should also read and
acknowledge that he or she will abide by changes to
the policy as they are published. These requirements
apply not just to salaried and hourly employees, but
to anyone given electronic or physical access to the
premises of the organization and to the assets of the
organization in transit as the assets are transported
outside of the physical facility. This could include
contractors, suppliers, and others. And it requires
constant monitoring. It could even require a test or
security certification, background check, or other
means of determining ongoing compliance. One
means of encouraging users to comply with policies is
to ensure they are aware of the consequences of
noncompliance. No one given permission to access
assets of the organization is exempt from the security
policy.
It’s important for employees to see through both words
and deeds that security is important. This means that even
top executives must be held accountable to the same basic
principles enforced throughout the general employee
population. If employees see evidence of compromise or
compliance avoidance by senior management, then they
get the impression that the rules are not important enough
for anyone to follow. You don’t want employees to be
frustrated and confused by a “Do as I say, not as I do”
management model.
After awareness comes training. Training focuses on
security issues and topics more closely related to specific
job tasks. Training consists, therefore, of job-specific
security information. Security training of this type assists
users in accomplishing their individual work tasks while
staying within the boundaries of the security infrastructure.
Most organizations offer in-house awareness and
training. This is common because such training directly
reduces incidents and the associated costs of handling and
responding to internal accidental and ignorance-based
breaches.
Beyond training is security education. This form of
learning has a broader scope than just a job description or
even the organization as a whole. The purpose of security
education is to obtain extensive knowledge about security
and related subjects, even if they don’t directly apply to
current work responsibilities or tasks. Education is for the
advancement of the individual, perhaps to improve his or
her career outlook.
Education is usually obtained outside of an organization.
A company might perceive education as either a threat to
employee retention or a benefit to keep employees happy.
Most organizations want to improve the skills of their
personnel. Either way, security education improves the
knowledge and skill of the individual.
Security awareness, training, and education are
beneficial for any security endeavor. Including and funding it
in your organization’s overall security solution will improve
your odds of success.
Network Security Management Tools
The best network security management tools are neither
commercial nor open-source products or solutions. Instead,
the best network security management tools are quite
simple and obvious. The best tools are:
A written security policy
A complete inventory of all hardware and software
A physical cabling layout and device location map
A logical organization, addressing, and subnetting map
Complete configuration documentation for every
device
Change documentation and log
Backup and restoration procedures
A business continuity and disaster recovery strategy
Troubleshooting guidelines
Hardware and software documentation
Personal knowledge and skill
Access to online resources
Security management is not about having the most
expensive products or the most automated configuration.
Instead, good security management is rooted in a solid
understanding of the infrastructure and having the tools to
improve, respond, and repair as necessary. Focusing on the
glitz of shiny products can even distract from the basics of
security management.
Security management should always center on
protecting assets, supporting authorized activities, and
responding to threats as you discover them. It may be more
efficient or cost-effective to use off-the-shelf security
management products, but using them is no substitute for
addressing the organization’s core security concerns.
Security Checklist
Security is fragile. Hackers need discover only a single flaw
in your defenses to mount an attack. Changes to the
infrastructure, whether physical or logical, could open new
holes not previously present. Additionally, users and
personnel may intentionally or accidentally breach security.
One method to maintain the efficacy of security is
through regular verification and validation checks of every
single countermeasure, safeguard, security control,
deterrent, prevention, and defense. This requires an
inventory of all security measures. This inventory can then
become a checklist.
Physical security and logical security each need a
separate list focusing on their respective areas of concern. A
security guard or a security tech investigates every physical
security measure to ensure that it is still in effect, active,
and unmodified. Such tasks at the level of logical security
are best left to security techs with proper administrative
access.
A security checklist shakedown should occur regularly
and often, once a day at most to once a week at least. Every
single item on the checklist should be physically visited and
inspected. If any issues or concerns arise, document them
and immediately bring them to the attention of the security
team. Employ remedial measures promptly and investigate
to track down the root cause of the concern.
A physical security checklist should include every
security control deployed for facility control. These include:
Checking every window lock
Checking every door lock
Checking every external wall
Inspecting access points to raised floor areas
Inspecting access points to drop ceilings
Ensuring that cabinets or containers are locked
Verifying that security cameras are pointed in the
correct direction
Verifying that all light bulbs are of the correct type and
are functioning
Checking motion detectors
Testing alarm systems
Interviewing security guards and confirming
compliance with procedures
Depending on the industry and specialization, many more
components can make up the physical security of an
organization. This list is just a sample of what the typical
physical security checklist should contain. Look for any
modification, destruction, or general failure of every
element of physical security. A single bad window lock or a
door that does not fully close automatically can result in
easy access for a burglar intent on computer mischief.
A logical security checklist should include every security
control deployed for computer and network control. These
include:
Checking authentication
Checking authorization and access control
Auditing systems
Verifying firewalls and other filters
Checking proxies and other communication
management solutions
Verifying encryption, including key management
Updating antivirus software and scanners
Backing up and storing archival information securely
Many more elements exist in a well-designed security
infrastructure for an exhaustive logical security checklist.
Again, this list is just a sample of some common elements
found in most secure organizations. Poor configurations,
overlooked defaults, and out-of-date systems can leave
gaps that a probing hacker will discover and exploit.
Never assume you are secure. Check and verify
everything regularly. No one else will do it for you.
Use the security checklist with the intention of
maintaining effective security over time, in spite of change,
accidents, and human nature. However, even a complete
checklist cannot resolve problems caused by poor design
and implementation. To ensure that your checklist is truly a
benefit and not just reorganizing deck chairs on a sinking
ship, consider the following common oversights or issues:
Do not assume that a service or protocol is secured by
some other layer or service. Verify that the data
traversing a network segment is encrypted or
otherwise secured.
Know the limitations of security products. Each
security mechanism addresses a single or small set of
issues within a specific context. The presence of
security in one location does not cause a magical
blanket of security to exist in other locations. Be sure
specific and relevant security solutions are in place
where necessary. For example, use of IPSec for
network encryption does not imply that data stored on
clients is encrypted.
Do not rely on authentication at session initiation
alone. Session hijacking is a serious threat on most
commonly used protocols. Use solutions that support
periodic midstream reauthentication, as well as
communications encryption.
Assume programs are inherently insecure. Security is
not often a priority or a requirement in programming.
When possible, use secure programming quality
assurance.
Plan for handling failures, errors, intrusions, and
downtime. Focus on what to do when bad things occur.
The goal should be a fast and efficient recovery. Failing
to plan is planning to fail.
Assume you may become a victim of a denial of
service (DoS) attack. Every communications system is
vulnerable to DoS. Do not forget that physical damage
can be an effective DoS.
Learn from your mistakes. When a problem is
uncovered, when a design flaw is revealed, when a
process is shown to be ineffective, lean in, take the hit,
own up to the responsibility, and then deal with it.
Improve the environment to resolve the issue. Review
the process and learn from it.
A security checklist can be an effective tool in managing
and maintaining network security. Make it a point to start
your list now and use it in real-world review immediately.
Network Security Troubleshooting
Security troubleshooting aims at recovering from problems
related to the countermeasures. Problems will occur with the
defense mechanisms themselves. Downtime of a security
control is as critical as downtime of a core business process
or asset. Troubleshooting failures of security controls is an
important part of network security management.
As with most concerns, prevention is always preferable to
repair or response. By working to ensure that failures do not
occur, or at least do not occur as often, maintaining
effective security will be easier and less costly in terms of
both budget and manpower.
Network security troubleshooting is often about triage—
deciding which issues or problems are of the most imminent
concern. The more a security component affects a mission-
critical process, the more important rapid response and
repair becomes. When security is down, the previously
protected assets are put at greater risk for compromise.
Minimizing the length of time consumed by the response is
important to minimizing long-term losses.
One of the most effective preventative techniques in
network security troubleshooting is installing patches and
updates. As with patches and updates to production
systems, always test the new code thoroughly before
deployment. Once tested and approved for application,
apply updates when downtime would cause the least
number of problems. Always be prepared with a redundant
option if the updating process itself causes further security
control problems.
Possible complications from the application of patches
and updates include resetting to factory defaults, loss of
some but not all configuration settings, and “bricking” (that
is, making it non-functional) the control. If the security
control resets back to factory defaults, then it will need to
be fully reconfigured. If a recent configuration backup is
available, restoration might be a swift repair. Otherwise,
manual resetting will be necessary. To facilitate this process,
always have complete documentation of all settings of all
security controls.
If you lose some but not all configuration settings, then
the security control is unlikely to operate as you expect.
Restore or reconfigure the settings promptly. The update
itself may have added or modified settings that need testing
and verification for function and compatibility. If a new
feature interferes with a business task, you might find it
necessary to disable the feature or roll back the update.
If the update process causes a complete failure of the
security control, the real possibility exists that the product is
useless. This is known as bricking—turning a useful device
into a worthless brick. In some cases, a hard reset can
revive a seemingly bricked device, while there may be more
esoteric repair and recovery options for other devices. If the
vendor does not provide an unbricking solution, search the
Internet for user groups or discussion forums for a home-
grown solution.
Configuration errors might be the cause of a security
control malfunction. Configuration errors may be caused by
human error, oversight, or ignorance, as well as by updates,
power fluctuations, and physical damage. When a security
control is improperly configured, it does not provide the
expected security. Troubleshooting this situation can be as
simple as reverting to a previously saved configuration or
manually reapplying the settings.
However, a more serious concern arises when
configuration errors are not easily fixed. A recent patch or
update may have rendered the product unstable, or a patch
or update might be needed to stabilize it. If the
configuration error reappears after every power cycle, then
the device might be defective, it might need additional
memory (or need defective memory replaced), or it might
need to be attached to an uninterruptible power supply
(UPS) to reduce the number of unplanned power
fluctuations.
Physical damage should be repaired expeditiously. If
unrepairable, you may need to replace the device. Install
preventative measures that will prevent the reoccurrence of
the physical damage.
In some situations, the problems with security are not
with the security components themselves, but with the
overall infrastructure design. Perform a reassessment of the
design on a periodic basis, such as once a year, to judge
whether the current infrastructure continues to meet the
security needs of your organization. Since security changes
over time, the security design might need to evolve to meet
the demands of new risks, threats, and concerns.
Power faults can take place for many reasons. If the
building’s power grid is not reliable, if sags and spikes occur
on a regular basis, the focus of the long-term repair should
be on improving the building’s power distribution systems.
Short-term responses can include surge protectors, UPSs,
and generators.
If a device encounters a power fluctuation due to
overheating, investigate whether the room where the device
is operating has adequate HVAC service. The average
temperature for a room dedicated to housing computer
equipment should be at or below 70 degrees Fahrenheit with
moderate relative humidity to avoid generating static
electricity. In rooms where people work with computers, the
temperature should remain below 80 degrees Fahrenheit.
Also, check the device to see if it has sufficient internal
airflow to maintain appropriate internal operating
temperatures. Don’t forget to check filters and vents for
accumulation of dirt or dust.
Power faults can include power supply or power grid
variances. In this situation, the only responses are surge
protectors, UPSs, and generators, as customers are unable
to affect the quality of the power company’s electricity by
themselves. If switching power suppliers is an option,
investigate this to determine the reliability of other
providers, as well as the expense and hassle of switching.
Sometimes actively and publicly “shopping” power suppliers
can result in improved service from your present supplier.
Static electricity is also a concern. Electrostatic discharge
(ESD) or static-electric discharge (SED) can easily damage
equipment, including security equipment. The amount of
electricity discharged between someone’s finger and a
doorknob when you can see the spark jump is more than
enough voltage to destroy most computer chips. Take
precautions to prevent static damage.
Physical damage can be a concern requiring
troubleshooting. Damage might be caused through
intentional destruction, accidents, or Mother Nature. If the
damage is superficial or cosmetic, the device can be
returned to service. However, if the damage prevents the
security device from operating properly, then in most cases
you need to replace it. Address the cause of the physical
damage to reduce the likelihood of a reoccurrence.
Network security troubleshooting focuses on whether an
intruder can bypass a security defense or restriction. A
security control that can be bypassed is worthless. Once you
discover that a security control can be bypassed, you need
to investigate the method or mechanism of the bypass.
Then, if possible, remove or block the method of bypass. If
the flaw is a design or infrastructure concern, consider
revising the design to remove the loophole.
From time to time, hackers find flaws in the programming
of a security control. Once an exploit is written, the security
control can be rendered useless through taking advantage
of the flawed code. Vigilance in reviewing vulnerability
databases and research, paying attention to vendor
information, and watching the log files of the organization’s
network should alert you when an exploit succeeds.
Defending against an exploitation focusing on a security
control is the same as when one focuses on any other
aspect of a network. If possible, reconfigure the control to
minimize the effectiveness of the exploitation. Consider
removing the component until you can implement a new
defense. Apply a patch or update from the vendor as soon
as it becomes available.
A final concern in relation to network security
troubleshooting is hardware failure. While not a common
occurrence, hardware can fail. Over the life of an
organization, you are almost guaranteed downtime caused
by hardware failure. When that hardware is a security
control, the downtime is more severe in that it places the
rest of the environment at greater risk.
Manage hardware failure by having replacements on
hand or being able to obtain them quickly. Reduce downtime
through redundant infrastructure design. Monitoring
ongoing performance metrics might enable the detection of
a future hardware failure as performance degrades.
However, abrupt hardware failures are difficult to predict.
Thus, being prepared with alternatives and replacement
parts is often the best troubleshooting solution.
Compliance Auditing
Compliance auditing is a type of assessment that judges
how well an organization is accomplishing set goals or
requirements. These goals and requirements can be internal
or set by government, industry, and other regulatory
agencies. Compliance auditing is an important part of
maintaining a business, especially growing businesses, as it
ensures that the organization is following all necessary
security guidelines.
Compliance auditing may be a legal requirement for
some industries, such as finance and medicine. Independent
external auditors perform compliance audits to ensure that
a target organization is fully abiding by the rules and
regulations imposed by the government. This audit is a
comprehensive investigation and review of the ongoing
business processes. The audit requires a review of the
security policy, access controls, risk management
processes, and historical log files.
The focus of compliance audits varies based on industry,
information type, and whether the organization is public or
private. Auditors investigate an organization through
documentation analysis, interviewing personnel, and
combing through audit logs. Compliance auditing can
examine recent security breaches, evaluate incident
response, interview ex-employees, judge user access levels,
interview executives over critical security concerns, and
more.
Organizations are usually distinctly aware when
compliance auditing is a mandated periodic occurrence. In
those cases, companies should prepare for audits by
collecting the various types of information and creating the
appropriate records as needed by the auditor. In fact,
establishing a standard practice of producing and archiving
the necessary information is prudent. The goals of these
actions are not to manipulate the data, but to provide
adequate access to the facts and historical activities.
Organizations that do not have mandated compliance
audits should consider self-imposed audits. The process of
thoroughly investigating the compliance level with the
stated security policy can improve the long-term stability
and security of every organization. The act of self-
assessment and improvement is a common characteristic of
most successful IT organizations.
Security Assessment
Security assessment is the judging, testing, and evaluation
of a deployed security solution. The state of the world, in
terms of security, is constantly changing. The hacking
community is actively developing new techniques,
methodologies, and exploits to compromise targets. The
defenses and strategies that worked yesterday might not be
as effective tomorrow.
Security assessment is the ongoing process of evaluating
security so that you can improve it. Security is established
through the act of performing a risk assessment. The results
of the assessment are formulated into a policy that guides
the implementation of the initial security infrastructure.
From that point forward, security management takes over.
Security management is the process of watching for
breaches, tuning existing security, and evaluating the need
for improvements to security. It is this latter area of concern
that is the focus of security assessment. Security
assessment employs several techniques to appraise the
effectiveness of deployed security.
Configuration Scans
A configuration scan probes a system to determine the
current state of configuration and settings. This scan
determines which available vendor patches are installed or
missing. This scan also evaluates numerous system
configuration settings against a database of
recommendations. Depending on the tool you use to
perform the configuration scan, you may find different levels
of recommendations based on the function of the system or
the general level of desired security.
One well-known example of a configuration scan tool is
Microsoft Baseline Security Analyzer (MBSA). MBSA scans a
Windows system and produces an easy-to-read report
(Figure 6-3). This tool provides a fast evaluation of the
overall security stance of a single system. To download the
MBSA tool, go here: http://www.microsoft.com/en-
us/download/details.aspx?id=7558.
MBSA is a great tool for small offices and end users to
employ to quickly check their systems for well-known patch
and security setting configuration compliance. However, this
is just a first step; it should not be the only tool you employ.
You’ll need other tools, especially non-Microsoft software,
that focus on broader issues to obtain a complete and
thorough configuration scan.
FIGURE 6-3
An MBSA scan report.
FIGURE 6-4
A Nessus scan report.
Vulnerability Scanning
The next step or stage in security assessment is
vulnerability scanning. Vulnerability scanning focuses on
locating known exploitable weaknesses or vulnerabilities in
deployed systems. You perform this type of scanning by
using an automated tool with an updatable database of
exploitations and test scripts. A vulnerability scan will reveal
problems with configuration, installation, and product code.
A scan of this type is only as reliable as the product itself
and how current its testing database is.
A popular and well-known vulnerability scanning product
is Tenable Network Security’s Nessus. Nessus is available in
a free version for home use and a paid version for
commercial use. Nessus is a powerful scanning engine with
a massive database of exploitation plug-ins that offers
excellent reporting capabilities (Figure 6-4).
NOTE
Nessus can be found online at http://www.nessus.org/.
Penetration Testing
The third and final step or stage in security assessment is
penetration testing. Also known as ethical hacking, this
process is the application of hacking techniques,
methodology, and tools in the hands of trusted ethical
security experts. The purpose of penetration testing is to
evaluate the resiliency of current security infrastructure and
recommend improvements. Penetration testing is performed
by a team of professionals who can customize and adapt
exploits on the fly.
Penetration testing typically consists of five main phases
or steps: reconnaissance, scanning, enumeration, attacking,
and post-attack activities. The steps or components of
criminal hacking and ethical hacking are the same. The
difference is the goal and abiding by ethical restrictions and
contractual boundaries.
Post-Mortem Assessment Review
Even with adequate security assessment using the three
main techniques (configuration scans, vulnerability scans,
and penetration tests), you may still have a need for one
additional form of security assessment. This additional form
is the port-mortem assessment review.
A port-mortem assessment review is the self-evaluation
performed by individuals and organizations after each
security assessment task. The purpose of a port-mortem is
to learn from mistakes. This will improve the process in
future events and avoid the reoccurrence of the same
mistakes. It’s true that practice makes perfect. If you
practice the same tasks repeatedly, each time improving
upon the previous performance, you’ll eventually master the
task.
Port-mortem reviews provide incremental improvements
on a consistent basis along with the rare revolutionary
improvement. A review of this type can include numerous
elements of appraisal focus, including:
The process as a whole
Each performed step
The order of the steps
Whether steps might be missing
What other actions could be taken
Whether participants were properly trained
Whether additional resources were needed
Whether resources were wasted
Whether additional people were needed
Whether too many people were involved
Whether reporting was sufficient or insufficient
What was missing
What could be improved next time
Many other queries could be posed as long as the goal is
to improve future applications of the assessment processes
and tools. A post-mortem review is a beneficial process
when used consistently.
CHAPTER SUMMARY
Network security management focuses on vigilance.
Vigilance to remain current in terms of technology.
Vigilance to remain knowledgeable about new threats
and exploits. Vigilance to respond promptly to
downtime and compromise. Vigilance to restore,
repair, and update security on a regular, consistent
basis.
A wide number of activities make up the realm of
network security management, including fail-secure
responses, maintaining physical security, detecting
compromise, preparing for incident response,
trapping intruders, host security components, backup
procedures, user training, management tools,
checklists, troubleshooting, compliance auditing, and
security assessment.
KEY CONCEPTS AND TERMS
Awareness
Backup
Business continuity plan
Compliance audit
Default deny
Default allow
Disaster recovery plan
Education
Fail-open
File encryption
Honeynet
Incident response plan
Mission-critical
Padded cell
Patch management
Principle of least privilege
Security Technical Implementation Guides
(STIGS)
Separation of duties
Single-factor authentication
Training
Trusted Platform Module (TPM)
Vulnerability scanning
Whole hard drive encryption
CHAPTER 6 ASSESSMENT
1. All of the following are examples of network security
management best practices except:
A. Writing a security policy
B. Obtaining senior management endorsement
C. Filtering Internet connectivity
D. Providing fast response time to customers
E. Implementing defense in depth
2. All of the following are examples of network security
management best practices except:
A. Avoiding remote access
B. Purchasing equipment from a single vendor
C. Using whole hard drive encryption
D. Implementing IPSec
E. Hardening internal and border devices
3. All of the following are examples of network security
management best practices except:
A. Using multifactor authentication
B. Backing up
C. HavBacking up a business continuity plan
D. Prioritizing
E. Spending each year’s budget in full
4. A firewall host that fails and reverts to a state where all
communication between the Internet and the DMZ is cut
off displays a type of defense known as:
A. Default permit
B. Explicit deny
C. Fail-close
D. Egress filtering
E. Security through obscurity
5. The purpose of physical security access control is to:
A. Grant access to external entities.
B. Prevent external attacks from coming through the
firewall.
C. Provide teachable scenarios for training.
D. Limit interaction between people and devices.
E. Protect against authorized communications over
external devices.
6. A complete and comprehensive security approach
needs to address or perform two main functions. The
first is to secure assets and the second is:
A. Watch for violation attempts.
B. Prevent downtime.
C. Verify identity.
D. Control access to resources.
E. Design the infrastructure based on the organization’s
mission.
7. Incident response is the planned reaction to negative
situations or events. Which of the following is not a
common step or phase in an incident response?
A. Containment
B. Recovery
C. Eradication
D. Detection
E. Assessment
8. All of the following are elements of an effective network
security installation except:
A. Backup and restoration
B. User training and awareness
C. Compliance auditing
D. Security checklist
E. Unplanned downtime
9. The task of compartmentalization is focused on
assisting with what overarching security concern?
A. Limiting damage caused by intruders
B. Filtering traffic based on volume
C. Controlling access based on location
D. Supporting transactions through utilization
E. Assessing security
10. Which of the following types of security components are
important to install on all hosts?
A. Firewall
B. Antivirus
C. Whole hard drive encryption
D. Spyware defenses
E. All of the above
11. What is the only protection against data loss?
A. Integrity checking
B. Encryption
C. Traffic filtering
D. Backup and recovery
E. Auditing
12. All of the following are common mistakes or security
problems that should be addressed in awareness
training except:
A. Opening e-mail attachments from unknown sources
B. Using resources from other subnets of which the host
is not a member
C. Installing unapproved software on work computers
D. Failing to make backups of personal data
E. Walking away from a computer while still logged in
13. The best network security management tools include all
of the following except:
A. Complete inventory of equipment
B. Written security policy
C. Expensive commercial products
D. Logical organization map
E. Change documentation
14. The purpose of a security checklist is:
A. To keep an inventory of equipment in the event of a
disaster
B. To create a shopping list for replacement parts
C. To ensure that all security elements are still effective
D. To complete the security documentation for the
organization
E. To assess the completeness of the infrastructure
15. Which of the following is not a potential hazard when
installing patches or updates?
A. Resetting configuration back to factory defaults
B. Reducing security
C. Bricking the device
D. Installing untested code
E. Improving resiliency against exploits
16. Which of the following is a true statement with regard
to compliance auditing?
A. Compliance auditing is a legally mandated task for
every organization.
B. Compliance auditing ensures that all best practices
are followed.
C. Compliance auditing creates a security policy.
D. Compliance auditing is an optional function for the
financial and medical industries.
E. Compliance auditing verifies that industry specific
regulations and laws are followed.
17. Which of the following is not typically considered a form
of network security assessment in terms of how well
existing security stands up to current threats?
A. Configuration scan
B. Compliance audit
C. Vulnerability assessment
D. Ethical hacking
E. Penetration testing
18. Which of the following cannot be performed adequately
using an automated tool?
A. Checking for current patches
B. Confirming configuration settings
C. Vulnerability assessment
D. Scanning for known weaknesses
E. Ethical hacking
19. What is the key factor that determines how valuable
and relevant a vulnerability assessment’s report is?
A. Timeliness of the database
B. Whether the product is open sourced
C. The platform hosting the scanning engine
D. The time of day the scan is performed
E. The available bandwidth on the network
20. What is the primary purpose of a post-mortem
assessment review?
A. Reducing costs
B. Adding new tools and resources
C. Placing blame on an individual
D. Learning from mistakes
E. Extending the length of time consumed by a task
CHAPTER
7 Firewall Basics
A FIREWALL IS A KEY COMPONENT of a complete security infrastructure. And while common, a firewall is by far not a
simple security measure. You must understand the
complexities of a firewall to design a firewall’s security
policy, build the firewall, and configure it properly.
This chapter discusses the foundations of firewall rules,
authentication, and authorization. You will learn how these
relate to monitoring and logging, interpreting firewall logs
and alerts, intrusion detection, firewall limitations,
improving firewall performance; how encryption relates to
firewalls; how to evaluate various firewall enhancements;
and how to think about security concerns related to firewall
management interfaces.
Chapter 7 Topics
This chapter covers the following topics and
concepts:
What constitutes good firewall rules
What authentication and authorization are
What monitoring and logging are
How to understand and interpret firewall logs
and alerts
What intrusion detection is
What the limitations of firewalls are
How to improve firewall performance
What the downside of encryption with
firewalls is
What firewall enhancements are
How to use firewall management interfaces
Chapter 7 Goals
When you complete of this chapter, you will be
able to:
Construct examples of common firewall rules
Design a policy to guide effective firewall
monitoring and logging
Discuss the limitations and weaknesses of
firewalls
Describe methods to manage firewall
performance
Define the concerns of encryption related to
firewalls
Evaluate the benefits and drawbacks of
firewall enhancements
Demonstrate how to access and use firewall
management interfaces
Firewall Rules
Firewalls filter traffic using rules or filters. All firewalls, of
whatever type—static packet filtering, stateful inspection,
application proxy, circuit proxy, or content filtering—use
rules to filter traffic. Rules are instructions that evaluate and
take action on traffic traversing the network.
Generally, two main philosophies or security stances
govern the use of rules: default deny or default allow.
Default deny is also known as deny by default or deny all.
Default allow is also known as allow by default or allow all.
These two rules define the foundation for rules governing
traffic crossing the firewall.
A default-deny stance assumes that all traffic is
potentially malicious or at least unwanted or unauthorized.
Thus, everything is prohibited by default. Then, as benign,
desired, and authorized traffic is identified, an exception
rule grants it access. This is known as deny by default/allow
by exception. This method of rule creation allows security
administrators to focus on what is wanted or needed rather
than watching out for all possible forms of unwanted or
malicious activity.
A default-allow stance assumes that most traffic is
benign. Thus, everything is allowed by default. Then, as
malicious, unwanted, or unauthorized traffic is identified, an
exception rule blocks it. This is known as allow by default,
deny by exception. This method of rule creation forces the
security administrator to be on constant watch for new and
different forms of unwanted, unauthorized, and malicious
activity.
Most security experts agree that deny by default/allow
by exception is the more secure stance to adopt. This
stance automatically prevents most malicious
communications by default, while the opposite allow-by-
default stance allows most malicious communications by
default. In most situations, fewer exceptions are required for
a default-deny solution than for a default-allow system.
Firewall rules are used to control what traffic enters or
leaves a secured network area. Depending on where the
firewall is positioned, this mechanism can protect the
private network from the public Internet or filter traffic
between internal subnets or departments. The security
administrator or the dedicated firewall administrator
configures firewall rules in accordance with the
organization’s security policy.
Most firewalls, both hardware and software varieties,
usually come pre-configured with rules above and beyond
their default rule. Firewalls are normally factory-configured
in a deny-by-default stance with some common exception
rules thrown in for end user/customer convenience (Figure
7-1). Often, these rules allow the most common forms of
communication to occur across a new firewall without
requiring you to fully configure the firewall upon initial
installation. Some of the more common factory default rules
allow for Web, e-mail, IM, and file transfer through common
Internet services on default ports.
While this can be a convenience, it’s never in your best
interest to rely upon a third party’s assumptions about your
environment or guesses as to what types of traffic you do or
do not want to cross your firewalled boundaries. Always take
the time to review any factory-installed rules before
deploying them in the production environment. Delete or
disable any rule that you do not need or want. With regard
to any rules that you do want or need, you should double-
check to make sure they are in line with your security policy.
If you need rules that are not present by default, add them
carefully and double-check your work as you go.
FIGURE 7-1
SonicWall’s default rule configuration interface, showing a
default deny as the last rule (rule 11).
Your organization will need to decide which rules to
define; this is an essential part of its security policy. If the
appropriate sections related to firewalls do not pre-define
what rules to define on a new firewall, then perform the
following procedure:
1. Inventory all essential business processes and
communications that will cross the checkpoint.
2. Determine the protocols, ports, and IP
addresses of valid traffic for both internal and
external hosts.
3. Write out the rules on paper or using a firewall
rule designer/simulator.
4. Test the rules in a laboratory environment.
5. Obtain written approval for the rule sets from a
change approval board.
6. Document the rules into a security policy
procedure amendment and submit the amendment
to the security policy management team for
inclusion in the official document.
Ultimately, this is the basic process for creating any new
element of security. The goal always is to have a written
security policy for every security component. If no current
policy or procedure defining the steps to take for the
deployment of a new security element exists, then you must
write, test, and get approval for a new policy or procedure.
Once a procedure exists, use it to judge successful
deployment.
The exact rules to add to a new firewall are completely
dependent upon the business processes that are unique to
every organization. However, some common types of rules
are found on most firewalls. These include:
Access to insecure Internet Web sites (HTTP)
Access to secure Internet Web sites (HTTP over SSL or
TLS)
Access to other Internet Web site protocols (SQL, Java,
and so on)
Inbound Internet e-mail
Outbound Internet e-mail
If other Internet services are essential to a business task,
rules allowing or enabling such communications would be
needed. Try to keep the number of rules to a minimum,
however. Grant access only to traffic that is essential. For
each rule added to a firewall, you are increasing its attack
surface—and therefore its security vulnerability.
Keep in mind that most network communications are
two-way transactions, exchanges, or sessions. Often, an
internal client makes an initiation request to an external
server. The server responds and sets up a communication
channel, often called a virtual circuit (at the Transport Layer
based on TCP) or, more generically, a session. Traffic can
traverse the session in either direction. Thus, most rules
should allow inbound responses to initial outbound requests.
Depending upon the firewall, a single rule can sometimes
define both the outbound and inbound communication
parameters. Other firewalls need two separate rules—one
rule for the initial outbound request and a second rule to
handle the resultant inbound response. In either case, each
desired session-based communication service must be
supported or allowed through proper two-way rule
construction.
In addition to rules that allow traffic based on internal
user initiation, consider rules that manage inbound
communications for externally initiated communications.
When a firewall is to allow an external host to request
access to internal resources, you need to create an inbound
rule or ingress filter. Define rules that allow inbound
initiations only if external entities need to access services
and resources hosted internally.
Otherwise, allow the firewall to serve its primary purpose
and prevent outsiders from gaining easy access to internal
systems. Most firewalls deny by default all access to internal
resources from external entities. This is done either by
ignoring all requests received on a specific interface (such
as on dual-homed or triple-homed firewalls) or by having a
specific rule (or a set of rules) that filter out all traffic
originating from non-internal IP addresses.
A firewall rule can also be called a filter or an access
control list (ACL). These terms are often used
interchangeably in documentation, in books, and in the
firewall’s own configuration or management interfaces.
Don’t be confused by this. A rule is a written expression of
an item of concern (protocol, port, service, application, user,
IP address) and one or more actions to take when the item
of concern appears in traffic. A filter is the same thing as a
rule, but the point or purpose of using this term is to stress
the intention to block or deny unwanted items of concern.
The use of the term ACL stresses the intention to grant or
deny traffic on an access control/authentication basis. An
ACL focuses on controlling a specific user or client’s access
to a protocol or port.
Rules allow traffic to pass unhindered or block or deny
traffic to prevent it from reaching its intended destination. A
rule can also include a logging element so the traffic can be
logged whether allowed or denied. The concept of firewall
logging and monitoring is discussed later in this chapter.
technical TIP
Use your firewall to ensure that only properly
originated communications are authorized. Unless you
are running internal services (such as a Web server),
external entities should never be able to initiate a
connection.
technical TIP
Most session-based communications will use a well-
known default port for the destination port where the
service or resource resides. They will use a randomly
selected higher order port (any port above 1,023) for
the client source port. Most firewalls, especially those
capable of stateful inspection, will automatically handle
and adjust for the random source port when
establishing a session. If this is not the case with a
specific firewall, you may need to create a custom rule
or consider replacing the firewall with a better product.
Setting up or defining rules for a home, portable host, or
SOHO environment can be fairly easy if the number of
different types of access is minimal. But, as the number of
controls, limitations, restrictions, and exceptions increases,
defining rules properly can become more complex.
Obviously, larger networks with more advanced
infrastructures and communications require more intricate
sets of rules.
The basics of defining or crafting rules are the same (or
at least similar) across all firewall products. However, some
firewalls support editing or writing the rules directly while
others employ a graphical interface or use a design wizard
to accomplish this task. Software host firewalls, especially
those designed for end users, typically use a graphical
wizard–based system, while hardware firewalls typically
expose the raw rule itself.
Most rules have six main elements or components (Figure
7-2):
Base protocol—Set as TCP, UDP, ICMP, and
potentially other Layer 2, 3, or 4 protocols.
Source Address—Set as a specific IP address, a
subnet, a range of addresses, or ANY for all possible
addresses.
Source port—Set as a specific port, a set of ports, a
range of ports, ports less or greater than, or ANY for all
possible ports.
Target address—Set as a specific IP address, a
subnet, a range of addresses, or ANY for all possible
addresses.
Target port—Set as a specific port, a set of ports, a
range of ports, or ANY for all possible ports.
Action—The two standard actions are Allow and Deny.
Some firewalls include Log and Alert actions that allow
additional actions in a single rule.
FYI
Some firewall rule systems include application protocol
designations in the rule set. This is usually a human-
friendly naming convention pointing out the Application
Layer protocol rather than an element of the filter used
to select traffic. However, some firewall interfaces will
substitute a common protocol name for the destination
port. For example, port 80 would be displayed as HTTP
and port 25 as SMTP. However, these are usually for
human viewing; the port number itself is still used in
the actual protocol-level filtering activity.
FIGURE 7-2
SmoothWall’s rule configuration interface.
Depending upon the firewall, TCP and UDP rules (as well as
ICMP, IGMP, ARP, and other OSI Layer 2, 3, or 4 protocols)
may be defined in the same place or within different
interfaces, pages, or rule sets. When all rules are defined in
the same place, use an additional rule element designating
TCP, UDP, ICMP, and so on. All of the following examples of
rules assume TCP-based communications, unless otherwise
noted.
The common rule structure is:
When defining outbound rules, the source address and
port are often set as ANY unless the rule is to apply to a
specific system(s) or port(s). For example, a rule that allows
any internal client on the 192.168.42.0/24 subnet to access
any insecure Internet Web site would be:
A rule to allow access to any secured Internet Web site
would change the destination port 80 to 443:
A rule to block internal clients from accessing Internet
based FTP sites would be:
FYI
Keep in mind that firewall vendors may have crafted
unique management interfaces that display firewall
rules differently than the basic line form discussed
here. For example, some firewalls have a configuration
page for allow rules and a separate page for deny
rules. In that example, the rules on each page would
not include an Allow or Deny action, as the page they
are defined on implies the action.
When defining inbound rules, the source address and
port address are often ANY unless the rule is to apply to a
specific system(s) or port(s). For example, a rule that allows
any external host client to access an insecure Web site
hosted on the 192.168.42.98 would be:
An inbound rule to deny external hosts access to a telnet
server hosted on the same internal system as the Web
server would be:
Generally, inbound rules are needed only when an
internal resource is specifically hosted for the purposes of
being accessed by external entities. This type of rule is
commonly found on DMZ and extranet firewalls, but
shouldn’t be used on intranet border firewalls. The only
common inbound rule that might be required is one that
allows responses to previous internal client requests to
resources outside of the network. A stateful inspection
firewall usually allows response traffic automatically, but
static filtering firewalls might require a specific respond rule
set, such as:
When a UDP rule set needs to be defined, you must
either switch to a different rule set interface on the firewall,
or change the protocol designation from TCP to UDP.
Assuming a firewall interface with a leading protocol
designation for each rule, a rule set allowing user queries
with an internal DNS server at 192.168.42.104 by external
entities, but blocking attempts to perform DNS zone
transfers, could be:
To write a firewall rule controlling ICMP, change the
protocol designation to ICMP (or change interfaces) and
define an ICMP type. The port designations are dropped
completely (as they are not used by ICMP at OSI Layer 2).
Multiple ICMP rules can be defined for various sub-types to
allow some ICMP traffic and a deny-all catchall rule for
everything else. For example, to block only inbound ICMP
Echo_request packets, use the following filter:
technical TIP
The ICMP protocol’s header defines the purpose of the
protocol’s control message through the use of
numbered types. There are dozens of defined types.
The most commonly used are Type 8 Echo Request,
Type 0 Echo Reply, Type 3 Destination Unreachable,
and Type 11 Time Exceeded. Many types are further
specified with the use of a numbered code. For
example, Type 3 Code 3 is destination port
unreachable.
For a more exhaustive presentation of the ICMP types
and codes, please read RFC 2939 at
http://www.iana.org/assignments/icmp-parameters.
When defining firewall rules, keep a few basic guidelines
in mind:
Keep the rule set as simple as possible.
Document every rule.
Use a change control mechanism to track rule
modifications.
Always confirm the default deny before using
changed/updated rule sets.
A simple rule set is a set with as few rules as possible.
Fewer rules mean fewer complications. Fewer rules mean
less chance for a loophole. Fewer rules are easier to test.
Fewer rules are harder to attack and compromise.
Every rule enforced by a firewall should be written in the
security policy. Only rules in the written security policy
should be enforced by a firewall. Anytime you need to
change a firewall rule, first update the security policy, then
reconfigure the firewall to match the settings defined in the
security policy. Always fully document the rules actively
filtering traffic.
Do not just document that a rule exists and what the
basic rule structure is; also include a description of the
intention or purpose of the rule. Sometimes, a rule written in
a way that appears straightforward may not perform the
intended purpose. When other security administrators
review the documentation and examine the rules, they may
see the discrepancy and correct it. Get in the habit of
making notes about intentions, thoughts, and concerns.
Often, these stray comments will lead to solutions or assist
in future troubleshooting.
A change control mechanism tracks and monitors the
changes to a system. It does this by recording every
change, modification, or adjustment. Often, a change
management solution requires manual change logging;
thus, it must be enforced and followed by a written
component of the security policy. The change control
process produces historical documentation of the state of
security components. Change documentation is often
essential in troubleshooting and repair.
Most firewalls operate on a default-deny stance, but it
may be possible to modify this stance. Stance modification
may be a general setting in the overall configuration of the
firewall, or it might just be the last rule in the rule set. If it’s
just a rule, be sure that the final rule is always default deny
and that the default-deny rule is never edited or modified. A
default-deny rule should look like or enforce filtering as
follows:
Since a firewall is a first-match-apply rule-based system,
rules are ordered on the firewall. Traffic is compared with
each rule starting from the top rule. If a rule matches the
traffic, the rule’s action is applied. Once a matching rule’s
action is applied to the traffic, no further rule matching is
attempted. If the traffic does not match any rule except the
final rule, then it will be denied by default. All rules previous
to the default deny can be either exceptional Allow actions
or specific Deny actions. No matter what the structure of the
rules or the number of rules in the set, always ensure that
there is a default rule.
Here is an example of a basic TCP rule set:
FYI
All of the firewall rule examples are using the default
common port for common services as defined by
http://www.iana.org/assignments/port-numbers.
This collection of seven rules performs the following
filtering functions:
Allow response to TCP connections to internal hosts.
Prevent the firewall (192.168.42.1) from directly
connecting to anything.
Prevent external hosts from directly accessing the
firewall.
Allow internal hosts to access external resources.
Allow external hosts to send e-mail inbound to the e-
mail server at 192.168.42.55.
Allow external hosts to access an internal Web server
at 192.168.42.98.
Apply a default-deny rule to all traffic not matching a
previous exception.
Building a rule set is not complex, but it does take focus on
the details. Be sure to use a single IP address for a single
host and the correct subnet or range designation for a
collection of hosts. Specify the port when possible;
otherwise, use a valid port range. Include specific Deny
rules when needed. Remember that in the first-match-apply
system that is a firewall, order matters.
To grant every system but a few specific ones access to a
resource, you need a rule to block the few and allow the
rest. Position the Deny rule of this set before the Allow rule
of the rest since the Allow rule will likely be an ANY-based
rule instead of naming all of the many that are granted
access.
When the wrong rule is positioned first, this creates a
potential loophole. A loophole is a flaw in the logic of
filtering that will allow an unwanted action to occur. A
firewall can perform only the operations for which it is
programmed, and the specifics of and the order of the rules
are a form of programming. Take the time to evaluate, test,
and verify that you have defined all firewall rules correctly
and placed them in the best order.
If getting the rules in the right order seems daunting, the
following general rule of thumb usually results in less access
rather than greater access: List specific Deny rules first,
then the Allow exceptions, and always keep the default-
deny rule last. At best, this will result in exactly what you
want and expect. At worst, more things will be blocked than
you intended, but that is usually a better security stance
than allowing more things than you intended.
As rule sets get larger, they become more complex.
Often, the complexity stems from having explicit Allow rules
with additional Deny specifications. This results in rules that
overlap. Overlapping is acceptable when you understand it
and use it on purpose. When overlapping occurs
accidentally, it can result in undesired loopholes. Again, the
solution is to keep the rule set as simple as possible,
document every rule with its intentions, and test the rule
thoroughly before deployment.
With this basic understanding of rules, your next step in
understanding and deploying firewalls is to consider the
options for authentication and authorization across the
firewall.
Authentication, Authorization, and
Accounting
Authentication is the process of verifying the digital identity
of an entity—for example, an employee, a customer, a
server, an application, a Web site, a smart meter, a cell
phone, or a security guard. Authentication is also commonly
called logging on. Authorization is the process of defining
which resources can be accessed by an electronic entity and
what level or type of access is granted. Authorization is also
commonly called access management or privilege
management
Authentication can take place at the firewall itself or be
passed through the firewall to take place beyond the
firewall. Authentication at the firewall takes place when the
allow/deny decision is dependent upon the identity of the
host or user. Authentication beyond the firewall happens
when the allow/deny decision is not dependent upon the
identity of the host or user; instead, the firewall filters for
traffic characteristics and leaves authentication up to the
internal host receiving the connection.
When authentication takes place at the firewall, the
firewall itself serves as the gatekeeper, allowing
communication beyond the firewall (or not). Whenever
different types or levels of port, protocol, or circuit access
are granted based on individual user identity or membership
in specific groups, authentication at the firewall takes place.
When authentication takes place at the firewall, the
firewall itself can perform the logon process or it can
forward the task to a dedicated authentication service.
Native firewall authentication methods can be basic, such as
supporting a username and password online, or complex,
such as supporting credit card payments or the use of smart
cards. However, most firewalls have a limited number of
authentication options.
Generally, authentication on or at a firewall supports only
one—or at best a few—options. At-firewall authentication
often requires defining credentials on the firewall separately
and distinctly from any identity on the network. Thus, most
at-firewall authentication solutions do not integrate into a
network’s single sign-on system. For this reason, large
organizations rarely employ at-firewall authentication.
FIGURE 7-3
A firewall handing off authentication tasks via 802.1x to a
dedicated authentication server.
When a firewall hands off the authentication task to a
dedicated authentication service that performs the logon
process on behalf of the firewall (Figure 7-3), a much wider
assortment of authentication options becomes available. A
common use of this mechanism is IEEE 802.1x. IEEE 802.1x
is known as port-based network access (admission)
control (PNAC). In this term, port is not referring to a port
number in OSI Layer 4; instead, it refers to a more generic
reference of a connection point to a network infrastructure.
IEEE 802.1x is commonly found on many network
devices, including firewalls, switches, routers, and wireless
access points. It also has the nickname of “portal
authentication.” An 802.1x device establishes the initial
electronic connection or virtual circuit between the
requesting host and itself, but before communication to a
host beyond the portal device takes place, authentication
must occur. 802.1x can support RADIUS, TACACS, Kerberos,
certificates, passwords, smart cards, biometrics, special
access codes, and even credit cards as means of
authentication.
Handoff authentication, such as when 802.1x is used, is a
fully scalable architecture. You can use it to manage at-
firewall authentication for any number of users or hosts. The
only limitation to 802.1x is the scalability of the
authentication server that takes over the responsibility of
managing logons on behalf of the firewall.
When authentication takes place beyond the firewall, the
firewall makes allow/deny decisions based on traffic factors
rather than user- or host-identification factors. In this
configuration, the firewall is not involved in the
authentication process. Instead, the host beyond the firewall
that receives the communication handles any necessary
authentication.
For example, a firewall can protect a DMZ. Most DMZ
firewalls do not perform at-firewall authentication. Instead,
the Web servers hosted in the DMZ can provide both
anonymous content and authenticated content to visitors.
Visitors log on using any means of authentication supported
by the Web server, the protocols in use, and the visiting
client. Commonly, this is forms-based authentication
secured through an SSL or TLS encrypted session.
When any form of authentication takes place, whether at
or through the firewall, you should always encrypt all
authentication-related communications. Non-encrypted or
plaintext authentication traffic is subject to eavesdropping
and thus theft of credentials. Encrypted authentication
traffic is resistant to eavesdropping as well as replay attacks
and in some circumstances even man-in-the-middle attacks.
Many different authentication protocols, both encrypted
and plaintext, can be employed by at-firewall or beyond-
firewall authentication. Whatever the solution, evaluate all
authentication options in light of their native security and
inherent risks. If you are using authentication encryption,
realize this does not ensure that subsequent data
exchanges are automatically encrypted. Select solutions
that provide protection for authentication traffic as well as
data traffic.
You can avoid authentication completely with anonymous
connectivity. In an anonymous connection, the user and/or
host identity is unknown and access is granted or denied
based exclusively on the traffic content and the proper
formation of resource requests. For example, public Web site
access can be anonymous, such as at Wikipedia
(http://www.wikipedia.org), which supports mostly
anonymous connections to its online community
encyclopedia.
Authorization takes place after authentication.
Authentication determines, within established parameters,
who you are. Once that is known, it is possible to determine
whether you are allowed to do what is requested.
Authorization, like authentication, can take place either at
the firewall or beyond the firewall. When authorization takes
place at the firewall, the firewall itself makes a decision on
allowing subsequent communications across the firewall.
This is sometimes known as controlling the circuit. If the
authenticated user does not have access to a resource, the
firewall will block or drop the connection. If the
authenticated user does have access to a resource, then the
firewall allows and supports the connection.
Usually, the firewall is involved only in authorization of
the connection or circuit. Any content within the subsequent
communication might be subject to content filtering, but
that’s a distinct and separate service and function of the
firewall. This form of authorization control is the same as a
circuit proxy.
When authorization takes place beyond a firewall, just as
with beyond-firewall authentication, the destination host
controls what is and is not accessible to users. The firewall is
involved only in monitoring for abuses or potentially filtering
content. When the firewall performs content filtering on a
communication not managed by the at-firewall
authorization, this is the same as an application proxy.
While authentication and authorization are commonly
used together to control users’ access based on their
identity, they can be employed independently. For example,
a firewall performing at-firewall authentication does not
need to also provide separate authorization. If users
authenticate, then they have access to whatever is beyond
the firewall. If users fail to authenticate, then they do not
have access. In this example, the authentication process
itself is a form of authorization.
Similarly, a firewall can perform at-firewall authorization
without authentication. This is the basic or normal function
of firewall rules. Authentication is assumed when addresses
and ports in traffic headers “identify” the communications;
the rule sets themselves provide authorization restrictions.
If a port is closed, access is denied. If a source address is
blocked, access is denied.
Authentication and authorization are important
components of a complete network security structure. Use
these services on a firewall or beyond the firewall as
necessary. Additional important services related to firewall
security are monitoring and logging of traffic and events
that occur on or across a firewall.
The third A in AAA is accounting. It is different from
financial accounting in that it logs what a user has done on
the system. In other words it keeps track of who did what to
which assets via one or more log files.
NOTE
One example of a device able to record all traffic within
a sliding period is the Solera DS series of network
forensic appliances. For more information on this type
of advanced network monitoring product, visit Solera’s
Web site at http://www.soleranetworks.com/.
Monitoring and Logging
Monitoring and logging are the watching and recording of
events and traffic that take place on or across a firewall.
While in theory you can record every packet traversing a
firewall, this is usually impractical because the storage
space required would be immense. Certain products can
maintain a sliding window of recorded traffic encompassing
hours of communications using multiple terabytes of
storage. However, these devices are for advanced security
management and beyond the scope of this chapter.
FIGURE 7-4
An example of SmoothWall’s firewall logging display
interface.
Firewall monitoring and logging are about recording
events that take place on or across a firewall (Figure 7-4).
You can use various approaches to logging. You can log
everything, or you can log only events of seeming
importance. Generally, you will fine-tune logging through
real-world experience over time. Most security professionals
recommend capturing everything initially. Later, you can
tune logging and reduce it once you’ve identified specific
types of information, traffic, or events as having no forensic,
evidentiary, or historical value.
Firewall logging ensures that the defined filters or rules
are sufficient and functioning as you expect. By watching
traffic coming through a firewall’s filtering scheme, you can
discover traffic the firewall should have blocked, but for
which an effective rule was not defined (or properly
defined). Firewall logging helps to confirm that the
restrictions imposed by the firewall are functioning as you
expect and the security you assumed the firewall would
provide is actually present.
Generally, record every connection allowed by the
firewall as well as every packet dropped or blocked. This
stance of “log and monitor everything” ensures that nothing
goes unnoticed and that future investigations of log file
contents will reveal complete data. You can always throw
out extra and unnecessary data later, but you can’t recover
important data not recorded during the actual event.
Firewall logging can take place on the firewall itself or
offload to a dedicated logging system. In either case, the
firewall itself collects the event and/or packet you want to
record. The difference is whether the information goes into a
log file stored locally on the firewall or moves across a
network connection to a dedicated logging server.
One well-known and widely used centralized logging
system is syslog. Syslog is a standard for forwarding log
messages from a client device (the firewall in this situation)
to a centralized server. Linux and Unix systems have
supported syslog capabilities for decades. Windows systems
prior to Windows 7 required third-party products to interact
with syslog services. Most network devices, including
firewalls, switches, proxies, and so on, natively support
syslog.
Firewall logging:
Creates a historical record of activity for traffic and
trend analysis as well as growth prediction
Tracks usage levels and times for load balancing,
accounting, or even back-charging users
Discovers new methods or techniques of attack,
especially those based on network packet
manipulation
Detects intrusions or attempts to breach security
Creates legally admissible evidence for use in
prosecution
Having a firewall log of all events produces a significant
amount of recorded information. Always track available
remaining storage capacity to ensure sufficient space
remains to store new logged events. As a current storage
device reaches capacity, back up and move the records into
long-term archival storage. In a future investigation, you can
never know how far back you’ll need to look to discover
evidence of a security breach. Your organization’s written
retention policy should define how long you will retain logs.
In addition to juggling the storage requirements, you will
need to be able to analyze logged data. Log file analysis is
not usually an exciting proposition for most people. Long
and tedious, it can be mind-bendingly boring. Fortunately, a
growing field of automated analysis tools can reduce the
time and burden of log file investigation. Firsthand
knowledge, understanding, and experience are always the
best tools for interpreting and understanding firewall log
contents.
Upon infiltrating your network, one of the first steps most
experienced hackers take is to remove all evidence of their
activities. They normally do this by deleting log files or
surgically editing log files with specialized tools. For
example, WinZapper is a tool that edits Windows log files
and removes only those entries matching a keyword such as
an IP address or username. To combat this potential threat,
use a write-once read-many (WORM) storage device to
save all log files. Intruders cannot edit data written to a
WORM device.
If you make the decision not to record everything taking
place across the firewall, here’s a short list of essential
things to log:
All connection attempts rejected by the firewall
All traffic directed at the firewall
Any access to internal resources by external hosts
Any access to external resources by internal hosts
Any modification or disabling of firewall rules and
filters
All firewall reboots, storage device shortages, or other
abnormal operational events
Every firewall management interface is different. Thus, the
methods and mechanisms you employ to configure your
specific logging and monitoring will be different as well.
Always be sure to consult the firewall’s documentation
about the type of logging and what types of events are
logged before deploying a firewall.
Define firewall logging in the firewall security policy
included in your organization’s written network security
policy. The logging and monitoring features of a firewall are
as essential as the rule and filter mechanism you use to
allow or deny traffic. Configuring and recording logs is
important, but understanding how to interpret firewall logs
is more important.
Understanding and Interpreting
Firewall Logs and Alerts
Enabling firewall logging is often a fairly simple task.
Recording traffic and events into a file is not really a
complex task. But deciding which events warrant the
triggering of an alert and what the contents of a log file
actually mean is not always so straightforward.
An alert is the automated notification of an
administrator when a specific event affects the firewall.
Some software host firewalls are preconfigured with a wide
number of pop-up messages triggered each time one of the
all-too-common activities occurs. For example, each time a
new application attempts to communicate with the network,
a firewall pop-up alert might notify the user of this event
and prompt an action (Figure 7-5).
FIGURE 7-5
An example of a Windows Firewall pop-up alert.
Appliance firewalls and those generally designed to
protect a network rather than a single host are not as
commonly configured with pre-set default alerts. Instead,
the firewall administrator makes choices about what events
actually need alerts. Some common events that usually
warrant alerts include:
A firewall reboot
A connection attempt with the firewall host itself.
Communications to or from a pre-identified IP address
or subnet
Detection of some or all attack attempts
Detection of any successful intrusion or security
breach
Ultimately, the organization’s security stance and the level
of risk determine which events require alerts as opposed to
simply recording them in a log file. A common
recommendation is to alert only on those events likely to
require an administrator’s immediate response or action.
Everything, or nearly everything, should go into a log, but
not everything warrants an alert.
With or without alerts, a firewall’s logging system creates
a massive amount of raw data that isn’t useful. You can
perform analysis of a log file either in real-time or in periodic
batches. You can hire a large staff of professionals whose
primary task is to perform real-time log file analysis, or you
can use an automated analysis or IDS/IPS tool. In most
cases, automated log file analysis tools both reduce the
strain on manpower and leverage the power of high-speed
computing against the massive volumes of information
collected by network firewalls.
Through careful analysis of firewall logs, you can detect
several different types of unwanted or malicious activities,
including worms, Trojan horses, remote control tools, port
scans, and directed intrusion attempts. When you perform
manual log analysis, the first hurdle is to gain access to the
log file content.
Many firewalls record their log files in binary or
obfuscated form so that they are difficult for external or
unauthorized users to access. Such log files require
administrators to access the log contents through a log
reading interface. Some third-party products function as
alternative management interfaces and can also interpret
the log file format for viewing.
Once you obtain access to the log contents, either
directly or through an interpretation interface, the next
hurdle is to ensure you are viewing the correct log. Several
different types of log files can operate on your system,
including traffic logs, audit logs, alert logs, console logs, and
even a host device’s OS logs for software host firewalls.
Another nuance is that the firewall device itself, a
management host, or a centralized logging server might
store its own logs. Finally, several dated versions of a log
might exist. Be sure to open or access the most recent log—
or whatever date range is of relevance to a specific
investigation.
Of course, the key to interpreting and understanding the
contents of a firewall log lies in understanding how network
communications function. Every communication session
involves two hosts, each with its own IP address and port
number. Some forms of communications have less
information, such as blocked connection attempts,
connectionless traffic, and Layer 3 protocols such as ICMP
and IGMP.
By examining each established session to evaluate the
source and destination IP addresses and the port numbers
in use, you can quickly determine whether the transaction
was valid or invalid. If the addresses are known—or at least
not known to be malicious—and the ports are for acceptable
services, then the communication is most likely benign.
However, if an address is a known malicious host or an
invalid address (such as an unassigned internal address) or
you discover a known malware port, these are signs of
unwanted and potentially malicious communications (or at
least attempts to communicate).
IANA and some security vendors maintain a list of well-
known port numbers and the associated applications. They
often list known malicious software and their commonly
used port numbers. Search for “malicious ports” or “Trojan
ports” to find current lists.
To examine and interpret firewall logs, you might:
Identify and discard all packets involved in benign
sessions between valid hosts and valid ports.
Identify and discard all valid UDP transmissions from
and to valid hosts and ports.
Identify and discard all valid ICMP (and other
authorized protocols) to and from valid hosts.
Identify any communication from known malicious
addresses. (This is a symptom of communications from
known malicious hosts).
Identify any communication from unauthorized or
unassigned internal addresses. (This is a symptom of
rogue internal hosts.)
Identify any communication to an unknown or
unauthorized port on an internal host. (This is a
symptom of rogue internal services.)
Identify any patterns of serial communication attempts
across a sequential or randomized set of addresses
and/or ports. (This is a symptom of scanning or
probing.)
Identify significant volumes of non-session traffic of
the same or similar construction to one or a small
group of internal addresses. (This is a symptom of
flooding.)
Identify any packet of invalid size or invalid header
construction. (This is a symptom of scanning, probing,
or an exploitation attempt.)
Identify any packet with configured source routing.
(This is a symptom of attempted intrusion or traffic
shaping.)
Identify packets destined to non-resource-sharing
systems, such as firewalls or routers. (This is a
symptom of probing, network scanning, or an
exploitation attempt.)
This is just the start of a firewall log file analysis procedure.
For each and every threat, exploit, attack, or concern that
an organization wishes to identify, add a step to search log
contents for the appropriate symptoms. Remember that
many symptoms are shared across a wide variety of
malicious activities.
Keep in mind that hackers can perform malicious
activities within seemingly benign traffic. This is especially
true when the payload of traffic is the malicious content
itself. Firewalls can detect malicious or abnormal
characteristics based on header information and packet
construction oddities, but many types of malicious payloads
are not firewall filterable. For example, password guessing
against a logon prompt is typically not a filterable activity.
An intrusion detection system (IDS) or an intrusion
prevention system (IPS) could potentially detect online
password guessing, but a firewall cannot.
This brings up an important issue discussed previously,
but it bears repeating: Firewalls are not perfect. Firewalls are
only part of a security infrastructure; they are not the
totality of security in and of themselves. Even when you use
them properly, firewalls have limitations. For example, they
are of no help in protecting against an insider attack.
Firewall limitations are discussed further later in this
chapter.
The best tool for interpreting the contents of a firewall
log is solid and thorough familiarity with the normal and
expected traffic that occurs across a network. By knowing
what is normal and expected, you are much better prepared
to detect and identify the abnormal and unexpected. Keep
complete configuration documentation and actively seek
direct, hands-on knowledge and experience to improve your
ability as a firewall administrator to examine, interpret, and
take action on the contents of log files.
Intrusion Detection
A firewall is a border sentry device. A controlled network
border sentry device filters any traffic attempting to cross.
However, not all traffic that needs monitoring crosses a
network border guarded by a firewall. That’s where an
intrusion detection system comes into play. An IDS or an IPS
monitors internal hosts or networks, watching for symptoms
of compromise or intrusion. Effectively, an IDS is a form of
burglar alarm that detects when an attack is occurring
within the network.
An IDS serves as a companion mechanism to a firewall.
Once an IDS detects an intruder, it can send commands or
requests to the firewall to break a connection, block an IP
address, or block a port or protocol. You must configure the
firewall to receive these commands and authorize the IDS to
send them. However, not all IDSs and firewalls are
compatible in this manner.
Eventually, security professionals developed the IPS
concept. The IPS strives to detect the attempt to attack or
intrude before it can be successful. Once detected, the IPS
can respond, preventing the success of the attempt, rather
than waiting until after a successful breach to respond. IPSs
do not replace IDSs. Instead, they are often used as an
initial layer of proactive defense, relegating the IDS to a
reactive measure against those events that the IPS misses
or that internal personnel perform.
IDS and IPS are important components of a complete
network security solution. However, they are not without
fault. IDS/IPS solutions can create a false sense of security
under certain conditions. Two commonly discussed
conditions include unknown zero day attacks and false
positives.
When unknown zero-day attacks threaten the network,
an IDS or IPS might not have the mechanism to detect
them. Thus, the lack of an alarm could cause administrators
to assume that no attacks are occurring. In most cases, the
lack of an alarm does mean that nothing malicious is
happening. So this assumption is not completely
unwarranted. But if an IDS never triggers an alarm, you
probably have a poor detection system rather than the
complete lack of compromise attempts or attacks.
When an IDS fails to detect an attack, whether it’s a zero
day or a known attack that was simply overlooked, this is
called a false negative. A false negative is one of the most
problematic issues with an IDS, as it can lull the
organization into a false sense of security. When alarms are
not going off, it’s common to assume that no malicious
events are taking place. If that’s a false assumption, then
real attacks are occurring and the security staff is unaware.
This is the worst type of security breach.
False positives may create a false sense of security for
the opposite reason—namely too many alarms from benign
occurrences. Remember the story of the little boy who cried
wolf? After the initial alarms turn out to be benign activity,
the urgency of responding to alarms diminishes. After
additional false positives, an administrator might put off
investigating the alarms. Eventually, you ignore the alarms
altogether. Once this situation arises, you treat even alarms
for malicious events as false positives, once again
reinforcing a false sense of security.
IDS and IPS can use rule-based detection mechanisms
similar to those of a firewall, but they can also employ
detection mechanisms borrowed from antivirus technology.
For example, some IDSs and IPSs have a database of
signatures or patterns of known malicious activity. This is
known as signature-based detection, database-based
detection, or knowledge-based detection. Any attack
within the database can be detected in live activity by the
IDS.
Another form of detection is anomaly based. Anomaly-
based detection systems look for abnormalities. To do
that, you have to first define “normal.” Normal can be
defined by rules or filters that prescribe all of the valid
packet constructions and header contents. Then, anything
that fails to match the definition of normal is an anomaly.
Since mistakes, errors, and poor network application
programming can occur, an anomaly is not necessarily
malicious or an intentional attack.
Yet another detection mechanism is behavioral based.
Behavioral-based detection looks for differences from
normal based on a recording of real-world traffic that
establishes a baseline. A normal baseline can be recorded
over hours or days. Once recorded, it’s the yardstick to
measure all future activities. Any future event not similar to
behaviors in the baseline set represents a possible violation.
As with anomaly detection, behavioral-based detection
has its own limitations. For example, all forms of benign
behavior may not have occurred during the behavior
recording time. Or, during the recording period, malicious
events might have taken place. In either case, future
situations can generate false positives (mistaking benign
behavior as malicious) or false negatives (mistaking
malicious behavior as benign).
Some IDSs and IPSs can import and interpret firewall logs
as another source of information in their efforts to detect
unwanted activity. Thus, in addition to reviewing log files
manually or with separate investigation tools, they can also
benefit IDSs and IPSs and improve their scope and
effectiveness.
IDS and IPS are not substitutes for firewalls, but are
potential supplemental or companion solutions that might
expand the effective detection methods already available.
When you are considering an IDS and/or IPS to improve the
filtering already provided by a firewall, carefully consider
deployment options and thoroughly plan out the improved
infrastructure. Compare the plan to a typical IT
infrastructure and consider where the placement of an IDS
and/or IPS makes the most sense for your organization.
Limitations of Firewalls
Firewalls are essential components of security. Systems
ranging from standalone home systems to global IT
infrastructures all need firewalls as part of their overall
security solution. However, firewalls are not perfect
solutions. In fact, when it comes to firewalls, you need to
account for several well-known limitations in their design
and management.
Firewalls are ultimately software code written by humans.
In either a host firewall or an appliance firewall, the logic
and controlling mechanisms of the firewall are software
code. Software code is designed and written by people.
Whenever people are involved, the possibility exists that
they will make mistakes or oversights. Fortunately, most
firewall products are rigorously and thoroughly tested as a
counterbalance to this threat. But nobody should assume
that the firewall software code is inherently perfect.
It doesn’t happen often, but it has happened—and will
happen again—that administrators and hackers discover
software coding bugs or flaws in real-time use. Hackers are
constantly using scanning, testing, and probing tools to
discover exploitable weaknesses. Once a vulnerability
appears, a hacker will create an exploit that takes
advantage of the flaw. Some exploits have caused firewalls
to freeze or crash, while others have given hackers the
ability to read or adjust filtering rules.
Some exploits are based on buffer overflows. A buffer
overflow is a condition whereby a memory buffer exceeds
its capacity and extends its contents into adjacent memory.
Hackers often use this as an attack against poor
programming techniques or poor software quality control.
Hackers can inject more data into a memory buffer than it
can hold, which may result in the additional data
overflowing into the next area of memory. If the overflow
extends to the next memory segment designated for code
execution, a skilled attacker can insert arbitrary code that
will execute with the same privileges as the current
program. Improperly formatted overflow data may also
result in a system crash.
Once the firewall vendors become aware of an exploit in
the field, they quickly develop and release a patch. By
having an effective security management and patch
management system, you can quickly test and install such
new updates for the firewalls protecting your production
environment. If the release of a patch or the application of a
patch is delayed, the window of opportunity for hackers to
compromise your environment remains open.
Firewalls can sometimes be vulnerable to fragmentation
attacks. Fragmentation attacks are an abuse of the
fragmentation-offset feature of IP packets. Fragmentation
may occur in a network where many different network links
join to construct a global infrastructure. Some network
segments support smaller datagrams (another term for
packet or frame) than others, so larger datagrams fragment
into the smaller size. When the fragmented elements of the
original datagram reassemble, reassembly of the fragments
can cause several potentially malicious reconstructions,
such as overlapping and an overrun.
Overlapping can cause full or partial overwriting of
datagram components, creating new datagrams out of parts
of previous datagrams (Figure 7-6). An overrun can cause
excessively large datagrams to be constructed. Other
fragmentation attacks are designed to cause DoS or attempt
to confuse IDS detection or firewall filtering.
Protections against fragmentation attacks include using
modern IDS and firewall filtering features, as well as
performing sender fragmentation. Sender fragmentation
queries the network route to determine the smallest
maximum transmission unit (MTU) or datagram size. Then
the sender pre-fragments the data to ensure that no en-
route fragmentation will occur.
Firewalking is another known firewall limitation.
Firewalking is a technique to learn the configuration of a
firewall from the outside. The technique uses a valid IP
address of an internal host. Then, from an external system,
a hacker attempts to establish a communication session
with the internal host over a multitude of different ports.
Effectively, this is a form of port scanning, but with the
addition of the known internal host, the hacker can learn not
only which ports are open, but also which ports actually
allow communications with an internal system. Effectively,
firewalking discovers the rules or filters on a basic packet
filtering firewall. Modern stateful inspection firewalls are
usually not as vulnerable to firewalking, as they can detect
this mechanistic activity.
FIGURE 7-6
Fragmentation and overlapping
Internal code planting is another known firewall
limitation. Firewalls are often deployed as border sentries.
They are intended to protect internal systems from
communications that originate from external entities.
Unfortunately, some security administrators use only
inbound firewall filtering, leaving outbound traffic
uncontrolled and unfiltered.
In this situation, if a hacker can plant code internally or
trick a user into running code, or an employee brings in
code of his or her own, the possibility exists that outbound
connections to malicious external entities could occur. Many
hacker tools are based on this technique, such as Loki, Back
Orifice, NetBus, and event netcat. A hacker creates a server
of sorts that is hosted on an external host. The automatic
connection client utility executes on an internal host. The
client utility establishes the connection, and then the
external host is able to send data or commands back to the
internal client. Often, this form of attack results in a hacker
gaining modest to complete remote control over the
compromised internal host.
Denial of service (DoS) is another common problem that
reveals a limitation of a firewall. A DoS attack, specifically a
flooding- or traffic-based DoS, sends massive amounts of
data to a target victim. If that victim has a firewall, then the
firewall can detect and discard the potential DoS traffic. The
firewall’s filtering service can usually prevent the DoS traffic
from breaching the network’s perimeter and affecting
internal systems.
However, since the firewall has to collect, analyze, and
respond to every packet received on its interfaces, a well-
organized DoS can consume all available bandwidth of the
connecting segment to the firewall as well as consume all of
the processing capabilities of the firewall. This in turn
prevents any legitimate traffic from reaching the network.
Thus, even with a firewall protecting the internal network, a
DoS flooding attack can still successfully disconnect or
interfere with external communications.
The vulnerability to DoS flooding is the one limitation or
weakness of firewalls that you cannot fix, improve, or repair
by either upgrading the firewall or applying a patch.
Upgrading to a stateful inspection firewall addresses
fragmentation, firewalking, and even internal planting of
code. Patching will address programming bugs and buffer
overflows. Upstream filtering is one possible
countermeasure to prevent flooding attacks from reaching
an Internet-facing firewall, but this technology requires
cooperation from Internet service providers (ISPs) and other
third parties.
Knowing these limitations, as well as recognizing the
likelihood of there being others, brings the security
administrator back to basics. Security management is
mandatory to maintain any semblance of security in any
environment. Keep systems current with patches, use a
hardened configuration, stay knowledgeable about new
exploits, and monitor the environment for successful and
attempted compromise. These are the essential, long-term
strategies for maintaining security.
Improving Performance
Using a firewall is mainly about establishing and maintaining
border security, but security managers must also look into
other areas of importance and concern beyond just security.
One of these additional non-security areas is performance.
Since the goal of security is to protect the production
environment, installing security measures that severely
hinder capabilities necessary to accomplish work is
counterproductive.
One of the most common concerns with the use of
firewalls is network communication speed. When selected
and installed properly, a firewall should function at
wirespeed. Functioning at wirespeed means the firewall
does not introduce any delay or latency in communications
because it operates at the same speed as the network. If
there is a 1,000 Mbps network, then a 100 Mbps–capable
firewall is too slow.
Two primary means can help you to improve firewall
performance above and beyond purchasing a firewall
suitable for the network’s known transmission speed. These
two means are caching and load balancing.
Caching is a technique to seemingly improve
performance by borrowing from proxy servers. In fact,
adding caching to a firewall effectively transforms it into a
proxy server for whatever service you configure the caching
to supplement. Caching is the holding of often-accessed
content in storage or memory on the firewall. Then, when a
future request for the same content is received, the cached
copy goes into service rather than the original external
source. This does require that the content be relatively
static and that a staleness value be used to trigger a
content refresh.
technical TIP
Router load balancing traffic management can use a
variety of scheduling algorithms, such as round robin
or fair queuing. Round robin simply hands out tasks in
a non-priority sequence. For example, with three
firewalls and five transactions, transaction one is sent
to firewall one, transaction two to firewall two,
transaction three to firewall three, transaction four to
firewall one, and transaction five to firewall two. Fair
queuing operates by sending the next transaction to
the firewall with the least current workload.
Unfortunately, caching is beneficial only on two main
services: Web and file transfer. If the potential or actual
bottlenecks to performance across a firewall are not due to
these two types of communication, then caching is not a
good solution.
Load balancing is the distribution of the firewall filtering
workload across multiple parallel firewalls. You can use this
as shown in Figure 7-7 with a phalanx of two or more
firewalls deployed in parallel between routers that perform
load balancing traffic management on both inbound and
outbound communications. Load balancing allows for
deeper packet inspection while maintaining wirespeed
performance using parallel-distributed firewall processing.
The use of load balancing often has additional benefits,
such as redundancy and fault tolerance. Both of these
improve the availability of the firewall filtering service for
network communications. Having a fail-safe or fail-secure
plan to disconnect communications if the firewall is
compromised is essential. However, a more secure and
productivity-friendly solution is to maintain continued
communication with filtering by having redundant pathways
with duplicate firewalls.
FIGURE 7-7
Firewalls deployed in a load-balancing configuration.
The Downside of Encryption with
Firewalls
Encryption is a common security mechanism you can
employ to protect data in storage and in transit. When used
properly, encryption provides confidentiality protection.
Encryption prevents unauthorized third parties from gaining
access to secured content. With the risk of eavesdropping
and data theft constantly increasing, the use of encryption
is becoming not just a good idea, but also an essential
element of storage and transaction security.
However, encryption does have a downside relative to
firewalls. A firewall is typically not the intended destination
or direct communication partner of a communication,
especially an encrypted communication. Thus, any
encrypted data cannot be filtered by a firewall. However,
just because packets are encrypted does not automatically
mean that nothing about the packet remains in plaintext.
Transaction or communication encryption takes two main
forms: tunnel mode and transport mode. Tunnel mode
encrypts the entire original payload and header, while
transport mode encrypts only the payload. In tunnel mode,
a temporary header goes with the encrypted packet to
guide its path across the VPN tunnel. In transport mode, the
original header remains in plain text.
A firewall can still view and filter on the contents of the
tunnel mode header or the transport mode header.
However, the tunnel mode header contains details only
about the endpoints of the tunnel, not the endpoints of the
actual communication itself. So, tunnel mode header
filtering is not very useful as a filter against malicious traffic.
Filtering on the transport mode header is a viable option,
because the header in the packet in transport mode is not
encrypted. Thus, any header-only filtering rules could still
apply to transport mode–encrypted communications.
However, any filtering that required an examination of the
payload will be rendered null.
When building or designing firewall filtering rules, you
must make a choice about how to handle encrypted
content. Consider both the valid and invalid reasons for
content encryption. The organization can choose to support
or allow encryption of specific types over specific protocols
or ports, but disallow and prevent encrypted
communications elsewhere. Encryption for Web
communications and e-mail exchanges are often
acceptable, while other transactions with the Internet might
not be encrypted.
When designing the firewall rules, the management of
encrypted traffic can range from full allowance to full denial.
Whether to allow encryption over a specific port but not
another and whether to allow encryption all the time, for
only certain users, or for no one are common issues your
organization needs to address and plan for.
No ultimate right or wrong decision about whether to
allow encryption across a network border is possible. Decide
based on the security stance of your organization, the risk
presented by both encrypted and plaintext transactions, and
the types of communications essential for your particular
business tasks.
A growing trend in secure deployments, especially for
DMZ or other hosted resources designated for public access,
is to support encrypted communications but have the
encrypted tunnel end at or on a firewall. This allows you to
examine the contents of the communications before they
reach the actual destination. This is becoming a common
infrastructure design component for public facing Web sites.
Figure 7-8 shows an example of a configuration where SSL
or TLS links from external Internet clients end at the firewall;
then, they traverse the last segment in the clear to reach
the destination Web server.
FIGURE 7-8
A firewall deployed as an SSL/TLS endpoint to allow for Web
traffic filtering.
Another concern is that when encrypted traffic crosses a
firewall, the firewall is usually unable to perform NAT. This is
dependent on the encryption system in use, but it’s worth
investigating before deployment. If the encryption
mechanism hashes the header, even if it remains in
plaintext, the modification to the header by NAT will cause
the hash verification process to fail, thus rendering the
transmission void. With an encrypted header, NAT will be
unable to modify the addresses. Be sure to select encryption
protocols that are NAT-compatible if this is a necessary
function of the network’s infrastructure.
Firewall Enhancements
Firewalls emerged from basic router traffic control systems
into full-featured content filters. However, throughout this
evolution, firewalls have remained focused on their primary
purpose—namely, detecting unwanted, unknown, or
malicious traffic and blocking it. The filtering mechanisms
have typically been identification-based. Whether IP
address, port, protocol service, MAC address, content
keyword, or even user authentication, the Allow and Deny
decisions relied directly on easily definable elements.
Modern firewalls now offer a variety of enhancements,
improvements, or add-on features that some organizations
might find attractive. You should consider the value of these
enhancements in light of the ability of the device to
continue to perform the essential services of firewall
filtering. Do not let the snazzy up-sell add-ons distract you
from obtaining and deploying a reliable filtering device.
It seems that all vendors dream up new enhancements to
add to their product line each time they refresh, update, or
make a product revision. So, be sure to thoroughly research
any newly offered enhancement before making a purchase.
Just because the bumpers are shiny does not mean the
engine runs.
A common or popular firewall enhancement is malware
scanning. Adding an antivirus, anti-spyware, anti-Trojan,
anti-whatever scanner to a firewall is not a significant
stretch of the core firewall’s capabilities, especially for
application proxies and stateful inspection firewalls. The
main concerns should be whether such an enhancement can
maintain wirespeed performance and whether the firewall’s
anti-malware abilities are on par with existing standalone
malware protections.
If you are considering a firewall malware scanning
enhancement, pay attention to the details. Important
considerations are the detection engine and the mechanism
of periodically updating virus signature definitions.
Firewalls can also offer IDS and IPS features. In fact, the
merging of intrusion detection and prevention is a logical
combination. The ability of a single device that can filter
traffic as well as watch for and defend against intrusions is
attractive. But the question remains: Does the combination
device perform both tasks at the same level of exellence as
common independent products? If not, then the combination
is more of a detriment than a benefit. Also, does the firewall
maintain its ability to operate at wirespeed?
Some firewalls are equipped to function as a VPN
endpoint. When designing a firewall and VPN architecture,
this might be an attractive option, but as with every firewall
enhancement, you should evaluate its features and
performance against that of standalone solutions.
Unified threat management (UTM) is the deployment
of a firewall as an all-encompassing primary gateway
security solution. The idea behind UTM is that you can use a
single device to perform firewall filtering, IPS, antivirus
scanning, anti-spam filtering, VPN endpoint hosting, content
filtering, load balancing, detailed logging, and potentially
other security services, performance enhancements, or
extended capabilities. UTM has its advantages, mainly in the
ability to deploy a single product and manage multiple
security services from a single interface.
Any given UTM can be a jack-of-all-trades product and a
master of none. With many of the larger firewall and
security product vendors developing product lines
supporting UTM, however, it’s possible to deploy a reliable
single-device solution. But even a reliable UTM product
remains a single point of failure.
UTMs are obvious improvements to environments that
use simple or outdated firewalls and those that lack
independent coverage in the non-firewall security
categories. An all-in-one UTM device can quickly and
effectively improve your organization’s security.
As the trend toward virtualized networks, hosts, and
applications continues, the need for security within
virtualized networking environments increases as well. Just
because the virtual hosts exist in memory alone does not
imply that they are immune to hacking or exploitation. In
fact, they may be at even greater risk. Include firewalls in
the construction of virtualized networks.
You can still use a hardware firewall when traffic between
virtual hosts crosses a physical network segment. However,
when virtual host communications occur within memory
alone, a virtualized firewall is necessary. A virtualized
firewall is really the same as a virtualized host; it’s a
software construct of a hardware environment that hosts
the operating system so it can function in memory rather
than on actual physical devices. You can install a software
firewall into a virtual host to act as a firewall for virtual
network connections. When designing and using a
virtualized network, make the effort to include virtual
firewalls as part of the infrastructure.
Management Interfaces
You must configure firewalls for them to perform the
security functions you expect of them. Every firewall has a
management interface used to configure its functions and
features. Through the management interface, you can
control and define all aspects of a firewall.
A firewall’s management interface may be command-line
based (Figure 7-9) or graphical based (Figure 7-10). A
graphical user interface (GUI) might be a standalone client
application you must install onto a host, or it may be a Web
interface hosted on the firewall’s own internal mini-Web
server.
FIGURE 7-9
Examples of accessing a firewall (SmoothWall) via command
line (SSH).
FIGURE 7-10
An example of a GUI firewall interface (SmoothWall).
A firewall’s management interface may or may not offer
encrypted access by default. If the firewall does not offer
encryption of the management interface, then you should
replace it with a firewall that does. Always enable the
encryption so that all future access to the management
interface is protected from eavesdropping, interception, and
session hijacking. Encryption of the session accessing a
firewall’s management interface is the most important and
critical aspect of management interface configuration.
Secure a firewall’s management interface both physically
and logically. This implies that direct physical contact with
the firewall device (or firewall host) will be limited and
restricted to authorized administrative personnel only.
Prohibit any physical contact or proximity to external or
unauthorized entities.
Secure all logical access to the firewall’s management
interface through a strong authentication process. If
multifactor authentication is supported, use it. If not, require
long and complex passwords. Ensure that administrators do
not reuse the same password on any other system.
Administrators, as well as all users, should never reuse an
old password on any system once it expires. Passwords are
like milk—they last only so long, even with proper care and
storage, and once expired, they can never be reused.
Limit the methods to access a firewall’s management
interface. Manufacturers often enable all possible avenues
of access to ensure ease of installation upon initial
deployment. However, you should disable all methods of
accessing the management interface except for the sole
secure mechanism selected for use by your organization.
Potentially available avenues of access include telnet,
encrypted telnet, Web, encrypted Web, SSH, and other
proprietary options. Select one of the secure options and
disable the rest.
Also, consider the communication pathways for
accessing the management interface. Usually, the physical
cable connection port, often labeled as CON for console, TER
for terminal, or ADM for administration, cannot be disabled
through software. This port is a dedicated port used for
direct physical connection management and not for any
other purpose (in most cases). A crossover cable or a
special console cable (often RS-232 based) is necessary to
connect a computer directly to the firewall to gain access to
the management interface.
However, most in-network or over-the-network logical
access pathways can be disabled. Be sure to disable access
to the management interface on every physical network
interface or port that faces outward. In other words, the
less-secure NIC ports should not support access to the
management interface.
If more than one NIC port exists on the secure side, then
limit access to only one of those two ports. If the firewall is a
multifunctional device that also supports wireless
connectivity, disable management interface access over a
wireless connection. The resulting configuration should
allow management interface access only via the physical
CON connection and one logical pathway. Disable all other
methods of access.
Configure the firewall to record every attempted and
successful connection to the management interface into a
log file. It might also be a good idea to record all subsequent
configuration changes made via the management interface.
This log can serve as a component of change
documentation and will assist with future troubleshooting,
investigations, and reconfiguration.
CHAPTER SUMMARY
Firewalls are essential to maintaining security, such
as supporting valid communications and blocking
malicious traffic. However, firewalls are often more
than just simple filtering tools. The standard and
enhanced features of firewall products require
knowledge and skill if you are to properly employ
them.
This chapter discussed building firewall rules,
ordering rule sets, configuring authentication and
authorization based on the presence of a firewall,
configuring firewall logging, making sense of the
contents of firewall logs, expanding firewall functions
with intrusion detection, dealing with the limitations
of firewalls, maintaining high-speed network
performance with a firewall, managing encryption
across a firewall, evaluating firewall enhancements,
and handling firewall management interfaces.
KEY CONCEPTS AND TERMS
Access control list (ACL)
Alert
Anomaly-based detection
Behavioral-based detection
Centralized logging system
Database-based detection
Deny by default/allow by exception
Fair queuing
False negative
False positive
Filter
Firewalking
Knowledge-based detection
Load balancing
Management interface
Port-based network access (admission) control
(PNAC)
Round robin
Signature-based detection
Unified threat management (UTM)
Wirespeed Write-once read-many (WORM)
CHAPTER 7 ASSESSMENT
1. Which of the following is a firewall rule that prevents
internal users from accessing public FTP sites?
A. TCP ANY ANY ANY FTP Deny
B. TCP 192.168.42.0/24 ANY ANY 21 Deny
C. TCP 21 192.168.42.0/24 ANY ANY Deny
D. TCP ANY ANY 192.168.42.0/24 21 Deny
E. TCP FTP ANY ANY Deny
2. Which of the following is a default-deny rule?
A. TCP ANY ANY ANY ANY Deny
B. TCP 192.168.42.0/24 ANY ANY ANY Deny
C. TCP ANY 192.168.42.0/24 ANY ANY Deny
D. TCP ANY ANY 192.168.42.0/24 ANY Deny
E. DENY TCP ANY ANY ANY ANY
3. The default-deny rule appears where in the rule set?
A. First
B. After any explicit Allow rules
C. Anywhere
D. Last
E. After any explicit Deny rules
4. What mechanism allows a firewall to hand off
authentication to a dedicated service hosted on a
different system?
A. IEEE 802.11
B. RFC 1918
C. IEEE 802.1x
D. RFC 1492
E. IEE 802.3
5. When an organization first deploys a firewall and
chooses to begin logging activity, what should you
include in the log file?
A. Only malicious traffic
B. Only DoS traffic
C. Only dropped packets
D. Only allowed packets
E. All events
6. You can use firewall logging to perform all of the
following activities except:
A. Discovering new methods or techniques of attack
B. Creating a historical record of activity used for traffic
and trend analysis
C. Tracking usage levels and times for load balancing
D. Stopping intrusions
E. Creating legally admissible evidence for use in
prosecution
7. All of the following events appearing in a firewall log
warrant investigation by an administrator except:
A. Firewall host reboot
B. A connection attempt to the firewall host
C. Detection of an attack attempt
D. Inbound packets with spoofed internal source
addresses
E. An internal user accessing a public Web site
8. Which of the following is a highly recommended
method or technique for keeping firewall logs secure
and uncorrupted?
A. Storing them in binary form
B. Using 15,000 RPM hard drives
C. Recording only important events
D. Centralized logging
E. Using timestamps
9. Which of the following is an event found in a firewall log
file that is a symptom of a rogue host operating within
the private network?
A. Packets from a known malicious address
B. Packets from an unassigned internal address
C. Packets to an unknown port on an internal host
D. Packets in a serial grouping that attempt to access a
sequential series of ports
E. Packets in a very large grouping that are all exactly
the same directed toward a single target
10. What is the biggest issue or problem with an IDS?
A. False positives
B. Failing to operate at wirespeed
C. False negatives
D. Keeping the pattern database current
E. Using anomaly detection
11. Which of the following is not a limitation or potential
weakness of a firewall?
A. Firewalking
B. Software bugs or flaws
C. Using first match apply rule systems
D. Fragmentation attacks
E. Internal code connecting to an external service
12. When a firewall is able to process packets, filter
malicious code, and transmit authorized
communications onward to their destination without
introducing latency or lag, this is known as operating at
________ .
13. Which of the following is not related to improving or
maintaining the performance of a firewall?
A. Native antivirus scanning
B. Round-robin task assignment
C. Caching
D. Fair queuing session management
E. Load balancing
14. What form of encryption allows a firewall to filter based
on the original source and destination address? (Assume
the firewall is located along the path between session
endpoints.)
A. Tunnel mode
B. VPN remote access encryption
C. Transport mode
D. VPN LAN-to-LAN encryption
E. Header encryption
15. The performance of what type of communication
session can be improved using caching on a firewall?
A. Instant messaging
B. Remote access
C. E-mail
D. Time synchronization
E. Web
16. Which of the following limitations or potential
weaknesses of a firewall cannot be fixed or corrected
with the application of an update or patch?
A. Programming bug or flaw
B. Firewalking
C. Buffer overflow vulnerability
D. Fragmentation
E. Denial of service due to traffic from external sources
17. What is the primary factor used to distinguish a great
firewall enhancement from a marketing gimmick used to
drive up sales?
A. Does the enhanced firewall cost the same or less than
separate products?
B. Does the enhancement affect the operating speed of
the firewall?
C. Does the enhancement operate as well as or better
than the original firewall?
D. Does the enhancement require the purchase of a new
firewall, or can it be added to existing products
already deployed?
E. Does the enhancement have a reoccurring license or
subscription fee?
18. What is the name of a single device that is based on a
firewall but that has been expanded and improved to
perform a wide variety of services, such as filtering, IPS,
antivirus scanning, anti-spam filtering, VPN endpoint
hosting, content filtering, load-balancing, and detailed
logging?
A. Load balanced filtering
B. Port based network access (admission) control
C. Unified threat management
D. Multifactor authentication
E. IEEE 802.1x
19. The most important configuration element related to a
firewall’s management interface is:
A. Access over wireless is prevented.
B. Access through a network interface is enabled.
C. Access is encrypted.
D. Access through a CON port is allowed.
E. Physical access to the device is controlled.
20. All of the following avenues of accessing a firewall’s
management interface should be limited, restricted, or
disabled except:
A. Wireless
B. Telnet
C. Public facing NIC interface
D. Port 80 Web
E. Private network NIC interface
CHAPTER
8 Firewall Deployment
Considerations
FIREWALLS CAN BE COMPLEX security solutions. You should plan the deployment of a firewall carefully, whether
it’s for a small home office or a large corporation. Evaluate
as many firewall deployment considerations as possible
before ramping up.
Make a clear determination as to what types of traffic
you will allow to cross the network border and which types
you want to block. Evaluate common security strategies.
They include security through obscurity, principle of least
privilege, simplicity, defense in depth, defense diversity,
chokepoint, weakest link, fail-safe, and forced universal
participation. Determine which strategies you want to use
and integrate them into the organization’s security policy
and its firewall deployment.
Evaluate the purpose and content of the firewall policy.
Clearly define the software and hardware firewall options
you will use when adopting the firewall policy. Determine
whether features such as reverse proxy and port forwarding
are necessary to the infrastructure’s network
communications. Weigh the benefits of bastion host OSs
before using new firewalls. Make sure to order firewall rules
properly and use the least number of rules possible to
enforce security goals.
Every organization is different and must evaluate its own
business and security needs. Determine which tasks are
essential, which are optional, which are personal, and which
are malicious. Use firewalls and other controls to support
what’s necessary and block everything else. Security
administrators are responsible for evaluating needs and
solutions and for preparing a response when security and
business interfere with each other.
Chapter 8 Topics
This chapter covers the following topics and
concepts:
What should you allow and what you should
block when using a firewall
What common security strategies for firewall
deployments are
What essential elements of a firewall policy
are
What the software and hardware options for
firewalls are
What the benefit and purpose of reverse
proxy are
What the use and benefit of port forwarding
are
Which considerations aid in selecting a
bastion host operating system (OS)
How to construct and order firewall rules
How to evaluate needs and solutions in
designing security
What happens when security gets in the way
of doing business
Chapter 8 Goals
When you complete this chapter, you will be able
to:
Compose a firewall policy defining what to
allow and what to block
Describe various firewall security strategies
Define the pros and cons of reverse proxy
and port forwarding
Explain the importance of a bastion host
Assess the business impact of security over
availability and performance
What Should You Allow and What
Should You Block?
The most commonly asked question when installing a
firewall is, “What should be allowed and what should be
blocked?” This question assumes a distinct and definitive
answer. The answer, however, is subjective and variable.
A single security stance or filtering configuration that
works for every situation, every organization, and every
system doesn’t exist. Network security managers must
investigate the needs and threats to make informed
decisions about what traffic to allow and what traffic to
block.
The first stage in making this determination is to perform
a complete inventory of all needed or desired
communications. This should include every transaction
between internal systems, as well as any interaction with
external systems. As part of this inventory, indicate the
protocol in use, the port(s) in use, and the likely source and
destination addresses.
A possible inventory of network communications could
look like Table 8-1.
This is not an exhaustive table, but it shows the basic
idea of an inventory of network communications. Notice that
some communications are internal only, while others cross
the network boundary. Based on a complete and exhaustive
inventory of your network’s communications, you can
establish a potential rule base.
From the inventory, block from crossing the network
border all communications that should only be internal. In
most cases, the default-deny rule of a rule set will block
those communications from doing so. However, when a port
or protocol is in common, it’s possible that an Allow rule for
a valid external communication would also allow external
entities access to an internal-only communication.
In Table 8-1, an example of this issue is the e-mail
protocol SMTP operating over port 25. By defining an allow-
exception rule, you could create a loophole that threatens
the internal communication on this same port. Reduce or
eliminate this risk by using a very specific rule or by adding
an additional Deny exception.
A very specific rule in this example would allow external
communication over port 25 only if it originated from the
internal e-mail server at 192.168.42.115. With this rule
defined, if any other internal host attempted an external
SMTP communication on port 25, it would not be allowed
because the IP address would not match this specific rule.
The communication would instead be blocked by the default
deny.
TABLE 8-1 A partial list of communications occurring on
a network.
If an allow-exception rule for external communications
also applies to internal communications, you can add a
specific deny-exception rule just prior to the Allow rule. The
Deny exception can specifically block internal
communications from crossing the network border, but still
allow the subsequent Allow exception to grant access to the
valid transactions.
After you complete a thorough inventory of network
communications, you should determine which
communications are mission-critical, important, optional, for
personal recreational use, or actually malicious. Block any
traffic you deem malicious or just unwanted, whether
through an explicit Deny or via the catchall default deny.
Evaluate all other forms or types of traffic against several
factors, including policy. If it’s not in support of the business,
is it really needed? Are communications for personal
entertainment or nonbusiness functions permitted by policy
or considered a waste of resources? Are any
communications duplicated or redundant? Is this a waste of
resources, an expansion of the attack surface, a valid
redundancy, or avoidance of a single point of failure? Are
any of the communications no longer necessary? If so,
should you disable or remove them?
Base your evaluation of the many other possible
questions or issues on your organization’s policy
statements, including mission and goals. Take the time to
understand the communication needs of your network, then
design the filtering rule set accordingly. Remember that the
firewall is often the front sentry or the first line of defense
against malicious communications originating from outside
networks. Leaning toward caution and locking things down
is a more effective security stance than leaving
communications open and hoping detection mechanisms
will notice malicious events.
Traffic Inventory
A common, and free, network protocol analyzer (or
sniffer) for doing a traffic inventory is Wireshark
(www.wireshark.org). Wireshark can be used in the
absence of a firewall, with a firewall set to allow all
traffic, or even in the presence of a firewall to
inventory all traffic on the network. Traffic can then be
partitioned into traffic that needs to cross the firewall
and traffic that should not cross the firewall. Use of a
sniffer tool in general, or Wireshark specifically, for
traffic inventory is done to highlight all traffic and
make sure that the firewall rules have a better chance
of being accurate. During the traffic inventory, you
can uncover a lot of previously hidden information
about the network. You can find out which
applications and users are the top consumers of
bandwidth. You can find out which protocols are
actually in use on the network. And you can surface
malicious uses that you haven’t known about before.
Some of the more advanced firewalls also have this
functionality built-in.
While some exceptions to these suggestions will arise
from your organization’s business model or strategies, the
following items are commonly considered communications
to block in most, if not all, circumstances:
All Internet control message protocol (ICMP) traffic
originating from the Internet
Any traffic directed specifically to the firewall
Any traffic to known closed ports
Any traffic to known ports of known malware, such as
31337, used by Back Orifice
Inbound Transmission Control Protocol (TCP) 53 to
block external domain name system (DNS) zone
transfer requests
Inbound User Datagram Protocol (UDP) 53 to block
external DNS user queries
Any traffic from IP addresses on a blacklist
Any traffic from internal IP addresses that are not
assigned
As an organization manages its security over time,
especially as it reacts to intrusion attempts, experiences
scanning, and becomes the target of hacking and flooding,
it must create additional communication filtering rules to
respond to real-world conditions. Security does not stand
still. Hacker attacks are constantly changing. Thus, the
filtering rules that work well today may be insufficient in the
near future.
Networks can be very large and very complex. Be fully
aware of the communications taking place across your
network to know what to allow and what to block. In
addition to this knowledge, having established a security
strategy through a written security policy will direct and
guide the deployment of firewall rules, as well as other
aspects of your security infrastructure.
Common Security Strategies for
Firewall Deployments
A security strategy is a guideline, philosophy, or approach to
using security for firewalls, as well as the entire
organizational security infrastructure. Many different
strategies are available. Some organizations focus on a
single strategy, while others combine several strategies into
a custom policy.
Security Through Obscurity
Security through obscurity is the idea of gaining protection
by using abnormal configurations. This is both a positive
security action and a poor one. It simply depends on the
type of obscurity involved. A poor choice for security
through obscurity would be to use alternative configurations
for standard products.
With a network environment based on standard products,
whether operating systems, network services, or security
solution, just modifying basic configuration settings does
not actually provide true security. For example, a service
typically operating on one port that’s reconfigured to use a
different port is not good security. Also, changing names,
addresses, network size, subnetting, bandwidth
consumption, or even spoofing banners, headers, or identity
does not provide true security but may provide some
protection against elementary attacks.
Some common mistaken examples of obscurity-based
security include:
Hiding your front door key under a rock in a flower bed
Connecting to the Internet with the assumption that
your system is one in 300 million and therefore won’t
be noticed
Hiding money in a mattress
Keeping an encryption algorithm secret
Hiding your car keys behind your bumper while at the
park or beach
Changing the default service port of a network service
Hiding your financial records among the audio files on
your MP3 player
All attempts to provide network security based on hide-and-
seek can be overcome or bypassed with basic network
scanning techniques. When a hacker can discover or breach
a host, service, or network just by looking hard enough, no
real security exists. Hiding might work for keeping colored
eggs and candy secure, but a security solution employed by
bunnies has no place in a modern IT environment.
Security through obscurity is problematic for several
reasons. First, if it’s the only form of security employed, no
real security exists. Second, the obscurity method employed
might not actually be as obscure as you think. Hiding a key
under a flowerpot is not as obscure as burying it in an
unmarked location in the middle of a field. Third, it often
distracts from accurately assessing the true state of security
provided by other measures. Fourth, obscurity can instill a
false sense of confidence.
True security through obscurity relies on using obscure
and nonstandard technologies. If everyone knows the most
common or most popular operating system or software
product is insecure, it can be a security improvement to use
a more obscure product instead. This doesn’t guarantee that
other flaws or vulnerabilities won’t be present on the
alternative system, but usually the exact same exploit or
compromise won’t be a risk.
However, switching to an alternative technology is a
security improvement only if the same flaw does not also
exist there. It must provide actual security in and of itself.
Switching technologies, such as changing operating
systems, does not eliminate the need for security
management. It simply moves the security concerns to
other areas.
Generally, security is obtained through obscurity only
when hackers are unable to determine which technologies
you are using. The less hackers know about your software,
configuration, deployment, addressing, infrastructure
design, patching schemes, and so on, the less successful
their attempts to compromise security will be. Obscuring
information about the internal IT environment itself is a
primary defense against their hide-and-seek mentality.
Least Privilege
The principle of least privilege is one of the basic concepts
of network security. The idea behind the principle of least
privilege is that users should have the minimum level of
access to resources needed to complete assigned tasks. Any
abilities, access, or privileges beyond that necessary
minimum increase the risk of compromise and lead to
wasted time, effort, and focus.
In most environments, most users need not access every
host, every system, every resource, every file, every
network service, and every Internet resource. Within a
default-deny environment, you block all access to all
resources, internal and external, by default. You use the
principle of least privilege by adding explicit and specific
allow-exceptions only when necessary based on job
descriptions.
However, the drawback to least privilege is the need to
control every user’s access individually. Each worker will
need individually defined resource and activity permissions.
This represents a significant increase in user administration.
Because of this extra overhead, many organizations only
partially use least privilege.
A common practice is to group users into collections of
similar job functions or security levels, granting permissions
to the group as a whole. This gives users additional
privileges beyond what is strictly necessary for their work,
but not enough to present a serious risk to the
organization’s security, stability, or confidentiality. Instead,
this small security tradeoff considerably cuts down on
administrative overhead.
An extension of the principle of least privilege known as
separation of duties specifically addresses administrative
users. A lazy and insecure approach to network security is
to grant some high-end users full administrative privileges
across the entire IT infrastructure. This is a recipe for
disaster. If an administrator makes a mistake, then he or she
can accidentally harm the entire organization. If an
administrator becomes disgruntled, feels wronged by the
company, or is marked for layoff or forced retirement, he or
she can deliberately harm the organization and would have
the systemwide power to do it. If another user or an
external intruder compromised such an administrator’s
account, a hacker could use the administrator’s advanced
access to cause significant havoc.
A safer approach is to apply the principle of least
privilege to all users, especially administrators. Under the
label of separation of duties, divide the collection of all
administrative tasks into small sets of privileges, focusing
on a single task, system, service, or issue. Then, assign
administrators subtasks within one of these focused areas
and permissions only within the scope of their assigned
tasks. This compartmentalizes administrative functions and
provides a type of firewall or blockage against accidents,
sabotage, and intrusion.
The result of applying separation of duties is that you
eliminate godlike systemwide administrators. Instead, each
administrator has sufficient privileges only within a limited
scope of responsibility. Some areas may have multiple
administrators and some administrators may have powers
in multiple areas, but overall the compartmentalization of
administrative privileges significantly increases security and
decreases risk.
Keep in mind that the principle of least privilege applies
to both users and systems alike. Controlling which resources
and communication pathways a service or device can touch
will directly reduce the potential for abnormalities, abuse,
and compromise.
Simplicity
Keeping things simple is an important part of security. It
makes them easier to understand, manage, and
troubleshoot. When things are too complex, they are much
more difficult to understand, much harder to manage, and
much more complicated to troubleshoot. Furthermore, it’s
harder to verify that a complex system is providing
adequate security.
The more complex a solution, the more room for
mistakes, bugs, flaws, or oversights to creep in undetected
by security administrators. The more complex the system,
the more likely a hacker can find a vulnerability unseen by
the system designers and network managers.
Simple is not always possible, however, especially when
it comes to software and network infrastructures. But when
you have a choice between a simpler solution and a more
complex one, the simpler option may provide a more
realistic and verifiable level of security. As someone once
said, “Keep things as simple as possible, but no simpler.”
Keep in mind that too simple has the same flaws as too
complex. Avoid sacrificing security for the sake of simplicity.
Defense in Depth
Installing a security infrastructure requires numerous
systems to interact and interlock. The goal of any security
solution is to prevent unwanted events while supporting
authorized and necessary ones. A reliable security
infrastructure is typically not a single control, a single
defense, or a single countermeasure. Instead, multiple
security safeguards provide complete and exhaustive
coverage.
One aspect of infrastructure security design is to think of
the defenses as multiple layers or barriers to access secured
resources. This is known as layered defenses or defense in
depth. When designing security, consider the net result if
any component of the security system were to fail. If a
single component failing results in a compromise or
intrusion, the environment has a single layer of protection.
When defense in depth is used, a single component failure
does not result in compromise or intrusion. Instead, each
component has a backup, an alternative, or a supplemental
component. Depending on a single security product as the
sole component of a security solution is a bad idea. Firewalls
are great products, but firewalls alone cannot provide
complete security. They are only one component, one piece
of a complete security infrastructure. A proper security
infrastructure has numerous components interlocked and
deployed in layers or levels.
Another aspect of defense in depth is to deploy multiple
subnets in series to separate private resources from public.
This is known as an N-tier deployment. N represents the
number of subnets under private control. Figure 8-1 shows a
common construction of a three-tiered deployment using a
demilitarized zone (DMZ), a database subnet, and the
private local area network (LAN).
When properly implemented, defense in depth ensures
that multiple security controls are involved in every
communication, connection, and transaction, regardless of
its source or destination. Through the use of multiple or
redundant security systems, any attempt to compromise or
breach security becomes substantially more difficult, not
only for the external intruder, but for the internal saboteur
as well.
FIGURE 8-1
An example of an N-tier deployment.
Diversity of Defense
Diversity of defense is similar to defense in depth—it
supports multiple layers of security. The difference is that
each (or at least most) of the layers uses a different security
mechanism. Thus, the diversity of defense comes from
using a collection of diverse security solutions.
Multiple firewalls in a series is defense in depth, but not
defense diversity. Adding tools such as an intrusion
detection system (IDS), antivirus, strong authentication,
virtual private network (VPN) support, and granular access
control converts a monolithic defense in depth to a more
substantial, multilayered, diverse type of security.
It might be tempting to claim that having multiple
firewalls from different vendors (or any security mechanism
from different vendors) constitutes diversity of defense.
While using different products from different vendors will
reduce some forms of risk, it’s not as beneficial as true
diversity—not just of vendors but also of security
component types.
Using a variety of vendors will reduce the likelihood that
a single flaw in one product is present in every other
product from different vendors. For example, using three
different vendor antivirus products is a reasonable idea.
Having one vendor for clients, one vendor for internal
servers, and a third vendor for border devices will increase
the likelihood of detecting malicious code and decrease the
threat from undetected malware. However, relying
exclusively on antivirus and using no other type of security
mechanism is a poor security solution.
Proper defense in depth will include diversity in both
vendor selection and security component types. Be aware,
though, that focusing too heavily on vendor diversity can
increase management and administration complexity. It’s
difficult enough to manage single-vendor solutions, but
when two, three, or more different vendor products of the
same product type are involved, the complexity of
management increases significantly.
When selecting products, whether by type or vendor,
keep in mind the overall infrastructure design, such as
parallel versus serial connections, as well as redundancy
options. In some circumstances, using two different
defenses can result in a larger rather than reduced attack
surface. For example, if two different products each have a
different vulnerability when they are deployed in parallel,
then both weaknesses are vulnerable simultaneously, giving
the hacker the option of one or the other. Were they to be
deployed in series, the hacker would have to compromise
the first layer of defense successfully before attempting to
breach the second. Consider whether the planned diversity
is truly a security improvement, since poor design can lead
to reduced security when you employ diversity improperly.
When investigating and designing an infrastructure to
include diversity of defense elements, keep the following
concerns in mind:
Some companies resell their products, technology, or
intellectual property through other vendors. Private-
label or relabeled products from company B might be
the same product from company A with a different
name or packaging.
Security systems configured by the same security
administrator can potentially have the same
misconfiguration or design weakness. Consider using a
team of security administrators, or at least have
several security experts review and check all
configurations.
Many products come from a single original code base
or standard. Product version 2.0 from company A and
product version 5.0 from company B might both
include the same protocol stack code borrowed from
an open-source or creative commons–licensed code
base. Don’t automatically assume that products from
different vendors, even with different build versions,
represent 100 percent different programming.
Many systems of the same type will all have the same
inherent weaknesses in the underlying technology,
design, and security concept.
When implementing diversity, ensure that you are using
actual diversity-improving security rather than false or
misguided diversity that reduces security. All security
designs and perceptions should withstand the scrutiny of
evaluation and testing.
Chokepoint
A chokepoint forces all traffic, communications, and
activities through a single pathway or channel. This pathway
can be used to control bandwidth consumption, filter
content, provide authentication services, or enforce
authorization. The purpose of a chokepoint is to ensure that
the security device at the control location controls
everything. No traffic, user, or data passes unchecked.
Other names for a chokepoint include checkpoint, filter
pathway, or bottleneck. A chokepoint can be used to force
network traffic along a single pathway monitored or filtered
using security devices, including routers, switches, firewalls,
IDS/intrusion prevention system (IPS), antivirus, network
access control (NAC), and so on. A choke-point can also
control user activity, such as requiring authentication and
enforcing access control.
As a security measure, a chokepoint has value only if it’s
hard to bypass or avoid the bottleneck itself. If a hacker can
interact with a target without going through a chokepoint’s
filtering system, then the chokepoint is worthless.
If the security of a network has chokepoint infrastructure
components as a central part of the infrastructure, be sure
to evaluate and consider all possible alternative pathways a
hacker might employ. For example, a firewall is less effective
as a chokepoint if outsiders can access wireless access
points, physical connection ports, or dial-up modems.
In many cases, a single chokepoint won’t be enough.
Using multiple chokepoints may be the only effective means
of ensuring that your network evaluates and filters all
traffic. Some potential chokepoints can include any crossing
of a network domain boundary into another. By using
chokepoints across the boundaries of a typical IT
infrastructure, you filter most pathways of communications
that could host malicious interactions.
Consider potential indirect routes that might bypass
“standard” chokepoints. For example, if a VPN link is
established between two sites, whether branch offices or
business partners, the Internet connection of one site could
be an alternate pathway into the second site. This breach is
possible if one site uses strong chokepoint security while the
other does not. And even though it may be old fashioned,
don’t forget to check for dial-up access to a LAN’s servers or
other components. Dial-up access can serve as a backdoor
for hackers to circumvent the security protections prepared
to block them at the front door.
Weakest Link
Any chain is only as strong as its weakest link. A security
infrastructure is only as strong as its weakest component.
You must know your security infrastructure thoroughly to
have an understanding of where the weakest point lies.
Once you’ve identified the weakest link, replace or remove
it.
The weakest link security stance is an ongoing process
of locating the least secure element of an infrastructure and
securing it. Once you’ve secured the current weakest link,
it’s no longer the weakest link, and therefore a new weakest
link exists. Repeat the cycle by seeking out the next weak
point and improving it.
The idea behind this security stance or process is that
hackers are performing this exact task as they seek out
vulnerabilities to compromise. Ultimately, hackers discover
and break the weakest links to gain access and entry into a
secured environment. By actively and consistently seeking
out vulnerabilities and weak points to secure them, you
reduce the potential of a hacker finding and exploiting a
weak link.
Weakest links are inevitable. But a strong weakest link is
always better than a frail weakest link. Using a find-it-then-
secure-it mentality helps build security that can withstand
most common exploitation and intrusion attempts.
Fail-Safe
Fail-safe, fail-secure, fail-open, and fail-closed are not only
design elements of firewalls and other security controls. Fail-
safe is also an overarching security stance to drive an
organization’s security. The fail-safe security stance is not
just about using fail-safe security devices, but about
designing the overall infrastructure with fail-safe as a core
focus.
When any aspect of security fails, the best result of that
failure is to fail into a state that supports or maintains
essential security protections. Generally, this means to
maintain confidentiality and integrity protections. However,
most fail-safe solutions will sacrifice availability protection
to retain confidentiality and integrity.
Fail-safe does not need to be a standalone security
stance. You can integrate fail-safe notions into any security
perspective. Keep in mind the ultimate goals and policies of
your organization. If availability is the top priority, then fail-
safe may not be as viable an option as for environments
where you can sacrifice availability to support other security
protections.
Forced Universal Participation
It almost goes without saying that for security to be
effective, everyone must work within the limitations
established by your organization’s written security policy. If
you make exceptions—for upper level managers, for
instance, who see themselves as being above the rules,
able to do whatever they want without consequences—then
you have only an assumption of security. No true security is
present. Security works only when you employ forced
universal participation.
Every worker, every manager, every senior executive,
every temporary worker, every consultant, every vendor,
every customer, every business partner, and every outsider
must be forced to work within the security policy’s
limitations. Yes, exceptions often are necessary in the real
world, but when exceptions become the norm, security is
lost. When it’s easy to bypass, avoid, or even ignore
security controls, an attacker can use that same pathway to
compromise the entire security environment.
Universal participation is not just about official
configurations and designs. Every enterprise that cares
enough about security to write a security policy has official
configurations and designs that assume everyone follows
the same rules. When it’s unwritten policy to violate security
to accomplish work tasks, an obvious disconnect exists
between security and productivity. In this situation,
reexamine both security and productivity goals. Security
should support productivity, not impede it.
Universal participation is not just about paying lip service
to the rules, however. It’s also about ensuring that everyone
abides by security limitations. Potentially, users have many
ways to purposefully violate security. This often occurs in
environments where workers perceive the security
limitations as too restrictive or when newly imposed rules
strongly limit freedoms they enjoyed previously. The less
workers believe in and buy into the organization’s security
policy, the more likely they are to violate rules they perceive
as unfair.
Examples of users purposefully avoiding or violating
security—that is, not actively supporting and participating in
security—include:
Choosing poor passwords
Sharing accounts with others
Using personal computer equipment on the company
LAN
Installing an unauthorized wireless access point
Using personal removable media on company
equipment
Using proxy tools to bypass firewall filtering
Configuring a dial-out modem connection to establish
unfiltered Internet access
Using Internet based remote-access/remote-control
tools to access their workstation from an external
system without authorization
Installing unapproved software
To achieve universal participation in the security efforts,
either workers must believe that compliance is in their best
interests, or you must force compliance through
consequences for violations. In most cases, voluntary
compliance is better, because it causes workers to support
the security effort rather than setting up employees to be
adversaries pitted against the security infrastructure.
Essential Elements of a Firewall
Policy
A firewall policy is a security policy that focuses on the
deployment of firewalls within the organization’s IT
infrastructure. The first step in deploying a firewall is
constructing a firewall policy. Once you’ve established a
firewall policy, deploy subsequently installed firewalls in full
compliance with the firewall.
A written firewall policy provides several benefits and
serves several purposes, such as:
A guide for installation
A guide for configuration
A tool to assist in troubleshooting
A guideline to detect changes and differences
A mechanism to ensure consistent filtering across all
firewalls
A firewall policy should address several specific issues and
contain specific configuration details. One of the first
important elements of a firewall policy is defining and
designating security zones. Every network has different
zones of risk and zones of trust. Often, zones are
differentiated along the same lines as a typical IT
infrastructure. Create clear descriptions of what each subnet
does, its level of risk, and its level of trust. Based on this
information, you can formulate a basic firewall deployment
strategy.
A firewall policy should define specifically what type of
firewall you need. It may even prescribe the specific vendor,
make, and model of firewalls at each zone transition or
interface. Firewall types include static packet filtering,
proxy, and stateful inspection.
For each prescribed firewall, define a complete firewall
rule set. Define each rule in full detail, not just the
configuration settings to make on the firewall’s interface.
Support each rule with justifications and reasons why you
defined or selected it. Give a clear indication of the orders of
the rules.
A firewall policy should also prescribe host software
firewalls for deployment on clients and servers. This should
include configuration settings and rule sets as well. Design
and configure host firewalls to complement appliance
firewall security.
The firewall policy should also address:
What to log
How logging happens
Where to store log files
How often to review log files
What add-ons or enhancements to use
Who is responsible for firewall administration
How to access firewall configuration interfaces
Where to physically and logically locate the firewall
What level of physical access control is necessary
What form of backup or redundancy is present
How to manage encryption and where to use or
disallow it
How to deploy and configure IDS/IPS to interact with
firewalls
As with every security policy, the firewall policy must be as
exhaustive as possible. It should address and define every
aspect of firewall design, deployment, implementation,
management, tuning, repairing, recovery, troubleshooting,
and monitoring. A firewall policy should be the first and last
authority on all things firewall within the organization.
The first draft of a firewall policy will probably not be
exhaustive or accurate. So, review and improve your firewall
policy periodically, just as you do with the rest of your
organization’s security policy. Each review period should
assess whether the firewall is meeting the security needs
and how to improve it so it continues to provide sufficient
security. Work all improvements into the written security
policy. Then adjust the deployed infrastructure to comply
with the written security policy.
Software and Hardware Options for
Firewalls
Remember that most real-world solutions include a
combination of software and hardware firewall options.
Since technology changes and advances so swiftly, it’s
not wise to make specific product recommendations here.
Many products can go through significant upgrade or
generational change in as little as six months. So, this
discussion will focus on software and hardware options in
more generic terms.
Many operating systems include host software firewalls
as part of their standard installation build. Microsoft
Windows XP is one well-known example. Beginning with
Service Pack 2, Windows XP has included the Windows
Firewall as a standard security component. Other operating
systems may offer optional firewall products. A software
host-based firewall has benefits on both client systems and
servers.
You can usually replace a native or default software
firewall product found within a general-purpose operating
system (OS) with a third-party option. Many open source,
free, and commercial host software firewalls are easily
available. When considering third-party options, especially
when replacing the native firewall, consider whether
investing time, effort, or money in an alternative host
software firewall is as effective an investment as using an
appliance firewall to enhance or supplement a host firewall.
Home users, SOHO environments, and small companies
may benefit from a firewall on their Internet connection
devices. Most DSL and cable modem devices include basic
to moderately capable firewall options. Evaluate the
included firewall in an Internet connection device rather
than automatically discarding it as insufficient or inferior.
Many current Internet service provider (ISP) devices include
firewalls that are more than adequate for small network
environments.
Most wireless access points, both consumer and
commercial grade, include some form of firewall to provide
filtering services for wireless clients and physical cable
connections as well. Many wireless access points could be
accurately labeled as routers and/or switches, especially
when they include two to six extra-wired connection ports.
If a separate dedicated firewall device is necessary in
addition to an ISP device or a wireless access point, consider
building a firewall using leftover hardware. Building your
own hardware firewall can be a way to obtain firewall
appliance control and security on a shoestring budget.
technical TIP
It’s often possible to replace an appliance or device
firewall’s OS with a third-party alternative. This can
apply even to ISP devices and wireless access points.
Some of the better-known device firmware
replacement options are DD-WRT, Open WRT, and
Tomato.
The final step up in terms of firewall options is the
appliance firewall, which is a dedicated hardware device
functioning as a black-box sentry. Appliance firewalls can
range from low-end consumer-grade to very expensive high-
end, commercial-grade solutions. In most mid-sized and
larger organizations, a dedicated hardware firewall is a
necessity. Whether you buy that firewall as a pre-built
component or build it depends on your organization’s
knowledge, skill, and budget.
Keep in mind that security is not about always
purchasing the most expensive, the best-known, the most
efficient, or even the most secure option. Budgets are not
infinite. Your goal should be to deploy security that is
adequate and effective for the environment within the
confines and limitations of your budget, knowledge, and
skill. Getting sufficient security at the best price possible is
usually everyone’s priority.
Benefit and Purpose of Reverse Proxy
Reverse proxy is a firewall service that allows external users
access to internally hosted Web resources. This service
takes the traditional proxy function and inverts it. Instead of
hiding the identity of the client reaching out to the Internet,
reverse proxy hides the identity of the Web server accessed
by the Internet (or external) client.
External users direct their queries to a public Internet IP
address and a default or assigned port number as when
accessing any service. However, the IP address is the
address of a proxy server, not the actual Web server hosting
the requested resource. The proxy server then performs
network address translation (NAT) on the request to convert
the destination address to the internal (likely private)
address of the resource host.
You can deploy reverse proxy to support load balancing
or load distribution across multiple internal resource hosts.
This allows clients to use a single public address to access a
cluster of internal Web servers.
Other common reasons to deploy reverse proxy include:
Reverse caching—Reverse caching allows static
content to be cached and served by the proxy rather
than requiring that each request for the same content
be served by the Web server itself.
Security—Using a reverse proxy adds an additional
layer of protection and control between Internet-based
users and internally hosted servers. Proxying allows
the real identities of the internal servers to remain
unknown or at least obfuscated.
Encryption—The proxy server itself can serve as the
endpoint for Secure Sockets Layer (SSL) or Transport
Layer Security (TLS) encryption tunnels. This can allow
a firewall or IDS to monitor and filter the contents of
the traffic before it reaches the Web servers. Proxy-
based encryption can also benefit from hardware and
software acceleration to maintain high-performance
communications.
Reverse proxy does not have to function solely on the
private network’s borders. It can also operate internally
between subnets or departments, especially within IT
infrastructures of very large corporations. Reverse proxy is
also useful in an extranet or a DMZ. Just because a Web site
is hosted for public access does not mean security
precautions should vanish. Indirect access by reverse proxy
can often be a significant security benefit when you deploy
and manage it properly.
Use and Benefit of Port Forwarding
Port forwarding is a firewall, proxy, and routing service that
can receive a resource request on an interface at one port,
then forward the request to another address on the same or
different port. Port forwarding is used in reverse proxy, but
only for Web traffic. Port forwarding itself can support any
service on any port.
Port forwarding is a variation or enhancement of NAT.
When a request reaches an outward-facing interface to a
specific port, the request goes to an internal host. The
routing is controlled by a static NAT mapping that defines
which internal IP address and port will receive
communications sent to an external IP address and port.
Port forwarding does not support caching, encryption
endpoint, or load balancing. Only a single internal machine
can use a forwarded port at a time. The internal receiving
(destination) host will perceive the source of the
communications as the port-forwarding device because the
translation service will rewrite the source address as its
own. Thus, the destination system will not know the real
originator of a communication.
You can find port forwarding services on almost any
service or device that supports NAT. This includes most
firewalls (hardware and software), wireless access points,
and Internet connection devices (such as DSL and cable
modems). Port forwarding is also an essential element in the
Internet Connection Sharing (ICS) service of Windows that
allows multiple systems to share a single Internet
connection through the primary connected computer.
Considerations for Selecting a
Bastion Host OS
A bastion host OS is a system designed, built, and
deployed specifically to serve as a front-line defense for a
network. A bastion host is the first (or nearly so) host
accessed by external entities on their way to access DMZ,
extranet, or private network resources. The bastion host
withstands the brunt of any attack attempt to provide
protection for hosts behind it.
Bastions were the highly fortified sections of medieval
castles designed to assist with defense. The bastion was
located along the castle perimeter wherever access
attempts were likely, such as around the main gateway or
entrance, any side or back entrances, or natural landscape
pathways of approach. The bastion areas usually had
thicker, stronger walls, room for additional warriors, and
special defensive features. These special defensive features
might have included slits for shooting arrows, holes for
ramming spears or pushing away ladders, and pots of
boiling oil to pour on attackers.
On modern computer networks, a bastion is a fortified
computer device—possibly a host, firewall, or router—placed
in the line of fire between privately owned and controlled
networks and the public Internet. The purpose of a bastion
host is to provide frontline filtering and defense against
typical attacks. Most firewalls, especially appliance,
hardware, or device firewalls, operate as bastion hosts.
Software firewalls can also be bastion hosts if the host is
properly locked down and hardened.
Knowing that firewalls are commonly deployed as bastion
hosts raises the question of what type of operating system
(OS) you should use as the host OS on a bastion host
firewall. Two main categories or divisions of bastion host OSs
are proprietary OSs and general purpose OSs.
Proprietary OSs are operating systems built exclusively to
run on a bastion host device. Most appliance firewalls
employ a proprietary operating system. This includes
commercial firewall devices as well as many ISP connection
devices and wireless access points. These proprietary
bastion host OSs support the functions or services critical to
security (or their other primary purposes) and little else. An
example of a proprietary bastion host OS is Cisco IOS.
A firewall device’s bastion host OS supports only firewall
functions. An ISP connection device’s bastion host OS
supports firewall services and connectivity services. A
wireless access point’s bastion host OS supports firewall
services, wired connectivity services, wireless connectivity
services, and possibly other services, such as 802.1x.
General purpose OSs include Windows, Linux, Mac OS,
UNIX, and others. These are operating systems that support
a wide variety of purposes and functions, including serving
as client or server host OSs. When used as a bastion host
OS, they must be hardened and locked down. Otherwise, an
insecure host OS can render the security provided by a
firewall worthless. If an attacker can crash the firewall host
or bypass the firewall filtering, then the firewall is not
providing effective security.
It’s possible to reasonably harden a general purpose OS
for use as a bastion host OS, but this takes specific and
detailed modifications. Most software firewall products
include a guide to perform OS hardening to improve the
security of the bastion host and reduce the vulnerabilities
and backdoors that might permit firewall compromise.
Some firewalls include a prehardened version of a
general purpose OS as the bastion host OS. This is the case
for many Linux-based firewalls, such as SmoothWall.
The benefit of using a general purpose OS as a bastion
host OS is that such OSs are widely available. Some are free
—mostly Linux variations. Also, you can leverage your
current knowledge and skill with a general purpose OS when
you are using it as a bastion host OS. Keep in mind,
however, that general purpose OSs are much more widely
attacked and the risk of new exploits is high.
The benefits of a proprietary OS as a bastion host OS are
fewer known attacks and less risk of future exploits.
However, proprietary OSs might be significantly different
from other OSs in the environment and may require learning
a completely new system to properly and securely
administer the firewall. Also, most proprietary OSs are
officially released only on the bastion host hardware. This
makes them more difficult to obtain and more expensive in
most cases (at least in comparison to free and open source
alternatives).
Constructing and Ordering Firewall
Rules
As you begin to seriously consider the options for firewall
deployment, a close examination of firewall rules is critical
to success. The most important aspect of a firewall rule set
is its order.
Getting rules out of order causes unexpected and
unwanted consequences. This can include traffic you want
to block and other unwanted traffic crossing the checkpoint.
Rule-set ordering is critical to the successful operation of
firewall security.
The first and most basic rule-set-ordering convention is
that the universal Deny rule should be the last and final
rule. The use of deny by default or default denial rests on
the premise that the last rule is the catchall rule to block all
traffic not allowed access due to a previous rule-based
exception.
Another common guideline to rule-set ordering is to place
critical Deny exceptions first or early in the rule set. When
specific internal or external IP addresses or ports, or even
entire protocols, are to be absolutely blocked, you may need
a Deny exception rather than relying upon the default-deny
final rule. Some of the previous Allow exceptions might
inadvertently permit communications due to universal
application (with the use of ANY). By using a preemptive
specific enforced denial before any of the Allow exceptions,
you eliminate the possibility of accidentally allowing a
known malicious or unwanted communication.
Whenever possible, use fewer rules rather than more
rules. Even with proper ordering, the more rules you have,
the greater the likelihood of configuring something
incorrectly or creating a loophole. One issue that causes
more rules rather than fewer is infrastructure design
specifically related to addressing. A need for more rules
arises if a range of IP addresses is allowed access, but
within that range, some addresses are refused access. For
example, compare two scenarios.
First, a network has a host address range of
192.168.42.140–190. All hosts except for 188, 189, and 190
are allowed access to a certain port. A single rule allowing
hosts 140–187 is all that is necessary because the default-
deny rule takes care of blocking the remaining non-included
hosts.
Second, a network has a host address range of
192.168.42.140–190. All hosts except for 165, 171, and 188
are allowed access to a certain port. You need multiple rules
to use this configuration. One or more rules must define
Deny exceptions for 165, 171, and 188, followed by the
Allow rule of the 140–190 range. If the firewall allows only a
single address or a range of addresses per rule rather than
allowing a list of nonsequential addresses, then three Deny
rules would be necessary in this scenario.
In this example, network design and addressing can be
used to make firewall rule-set construction either larger and
more complex or shorter and more distinct and compact.
The latter is preferred for administrative purposes as well as
security and efficiency. If the process of creating rules
requires a significant number of special exceptions to
modify or adjust ranges of addresses or ports, consider
reconfiguring the network rather than using a too complex
or too long rule set. When designing or writing firewall rules,
especially when writing pairs or sets of rules, consider using
a single rule or a simpler rule set if the network’s addressing
scheme, infrastructure design, or subnet layout is adjusted.
As another guideline to ordering rule sets, consider
placing rules related to more common traffic earlier in the
set rather than later. Comparing traffic to the rule sets takes
time; each check of each rule takes some finite amount of
time. The fewer rules you need to check before you grant an
Allow, the less delay to the traffic stream. Prioritize in the
rule-set list the more commonly used forms of traffic,
whether by
IP address, port, or protocol. Put the less commonly used
forms of traffic further down in the rule-set list.
Ultimately, rule sets are about enforcing security relevant
to the organization. The rule set should reflect the
guidelines prescribed in your written security policy,
specifically the firewall policy. The goal of designing, writing,
and ordering rules for a firewall should be to focus on
obtaining the necessary security. Elegance and speed are
dividends, but not as essential as blocking the bad and
allowing the good. Never lose focus on the primary goal:
filtering traffic in accordance with your security policy.
Evaluating Needs and Solutions in
Designing Security
Any organization larger than a single person will generate
multiple opinions about what should and should not be
allowed across the firewall. Almost everyone would agree on
allowing (at some level) the necessary protocols,
applications, and services essential for mission-critical or at
least operationally necessary business tasks to cross the
firewall-secured network boundaries.
Opinions may differ about what constitutes a necessary
business task, but if it’s a necessary task, the organization’s
security solution should make the task possible.
Restrictions, limitations, filtering, and logging of even
necessary business communications must occur. The point,
however, is making a determination about what should and
should not cross a firewall.
Generally, four main types of communications take place
within a business environment: business-essential, business-
wanted, personal, and malicious. Business-essential
communications must take place or the business itself will
suffer. Blocking critical transactions will directly cause
problems for the business by impeding the production and
distribution of products, inhibiting customer service,
reducing profits, and so on. The security infrastructure must
support business-essential communications.
Business-wanted communications are not essential to the
core function or purpose of the organization. The failure of
these business communications might be inconvenient or
reduce quantity or quality, but the essential business
functions will go on. Business-wanted communications help
the business do what it does better, faster, cheaper,
cleaner, more efficiently, or in a flashier way. But when
those wants are not available for whatever reason, the
business’s core activities still function sufficiently.
Personal communications are those transactions between
individuals inside the company and with external entities
not directly related to business tasks. If you eliminated
personal communications, all business functions would
continue unhindered. However, that’s in a perfect world. In
the real world, stifling human communications can lead to
low job satisfaction, feelings of isolation, and even worker
disaffection. This, in turn, causes a reduction in productivity
and quality.
Most organizations must strike a balance between
allowing only business communications and allowing all
communications. Obviously, allowing every communication
is a bad idea from a security standpoint as well as a
productivity one. Often, a modest level of Web site access,
filtered e-mail access, and potentially other nonthreatening
services as forms of personal communications can travel on
and over company equipment during work hours with a
reasonable amount of security.
But no clear or distinct boundaries define what level of
personal communication will maintain worker morale and
job satisfaction. It’s often fairly obvious when restrictions
are too tight because job performance suffers or breaches of
security increase. Part of the solution to this problem is
educating users or workers about what is acceptable and
unacceptable behavior on the company’s network. This
includes defining what types of communications to allow or
block, whether for business or personal use.
Malicious traffic, the fourth common type of network
traffic, should always be blocked. This is a widely held
security stance and the whole point of using security in the
first place. However, it’s not easy to identify all malicious
traffic, and it can sometimes appear to be one of the other
three common forms of communications. Improving security
over time is essential to maximizing protections against
malicious communications while at the same time
supporting necessary, desired, or benign personal
communications.
Every organization must define its own parameters and
justifications for each type of transaction allowed across any
security perimeter, whether network traffic or physical
access. Whatever the determination, clearly spell out the
designations for valid versus invalid transactions in your
organization’s written security policy, and then implement
them in the security infrastructure.
Once you’ve defined necessary transactions and
prescribed the desired security, use these concepts in actual
security-enforcing software and hardware solutions. This is
where your understanding of the goals of security, the
organization’s mission, and the budget is critical. There is
always a product that costs more, but more expensive does
not always mean better security. In fact, in many cases,
cheap or free solutions can offer equivalent or better
security than the most expensive product available.
Using security is an essential part of the risk assessment
and management process. Part of evaluating security is
understanding the threats, attacks, and risks as well as the
available countermeasures. One aspect of understanding
countermeasures is performing a cost/benefit analysis to
obtain the best security solution for the invested dollar.
Don’t just purchase the most expensive solution; that’s
never a reliable measure of security quality.
Also, don’t automatically purchase the product your
cost/benefit analysis says is the best option. You must also
evaluate each proposed solution in light of all other
elements of the security infrastructure as well as the size of
your budget. It’s usually not the right choice to spend 50
percent or more of the budget on a single security
component. Instead, devise a spending plan or ratio tool to
guide the procurement of security solutions.
One possible method is to allocate 10 percent of the
budget to each of the 10 major sections or divisions of
security addressed. This assumes you can divide the overall
security of your organization into just 10 compartments—
you might need 30 sections or maybe you can get by with
just four. Whatever the number of divisions you use, grant
each an equal or weighted portion of the budget based on
risk. When a solution costs more than is available within a
certain section, you can then shift funds between sections
as needed.
The purpose of this system is to make security
administrators and designers more aware of the cost of
security and to prevent overspending in one area and
underspending in another. You should spend security funds
somewhat evenly to secure the overall organization, rather
than over-securing one area and neglecting another. If a
hacker or intruder encounters a highly fortified defense, he
or she is likely to go looking for a less secure backdoor.
Ultimately, you should treat your security budget just like
any other budget. Categorize and prioritize expenses.
Outline spending on paper before writing the first check or
swiping the plastic. Allocating funds based on needs and
importance, then adjusting those allocations based on
market conditions or changing threats, is all part of proper
security management (as well as security budget
management).
What Happens When Security Gets in
the Way of Doing Business?
Organizations exist to perform tasks such as producing
products or providing services. When the security
infrastructure interferes with essential business tasks,
something has to change. Security should prevent
compromise while supporting and allowing business
functions. When security changes or when business tasks
change, the security policy and the business should adjust.
Absent this adjustment, security can interfere with
business operations. Many organizations will never face this
situation, but every business must have a response plan in
place in case it does. When business tasks are at odds with
security protections, what should you do?
A few short-term options are available, none of them
optimal. One short-term option is disabling security so the
business tasks go forward. Whether the security is disabled
for a short period or permanently, you provide the
opportunity for compromise, intrusion, or sabotage. Using
this shortsighted solution might not immediately cause
harm to the infrastructure, but it establishes a pattern and
mindset that security is not important.
Organizations might get away with turning off security
defenses. Hackers might not ever notice the reduction of
defense or might not happen to time their probing or
attacks to correspond to the period of disabled security.
However, even if no actual attacks occur due to the security
reduction, the real damage is done.
The real damage is the change in mentality toward
security, a shift from viewing security as essential and
mandatory to optional and nonessential. Once an
organization believes that security can be turned off when
inconvenient, then security suffers, and it’s only a matter of
time before a catastrophic compromise occurs. Security
depends on vigilance. Once the commitment to vigilance is
lost, so is real security.
Another short-term option is not to perform the task that
security is blocking. If the task is not essential, it might be
possible to move forward as an organization without
performing that specific task again. However, if it’s an
essential or critical task, failing to support it will negatively
affect the organization.
There is another way. The preferred and secure long-term
response is to reevaluate the business task in the light of
the security infrastructure. Design a new security solution or
modify how the task is accomplished. Support both security
and business functions. They are both essential to the long-
term stability and vitality of an organization.
CHAPTER SUMMARY
Never deploy firewalls hastily. Instead, use careful
investigation and planning in the design and use of
firewalls. Consider numerous firewall deployment
issues.
Some important concerns include deciding:
What to allow and block
Which security strategies to integrate
Whether the firewall policy is sufficient
Which hardware or software options to use
Whether you need reverse proxy
Whether to configure port forwarding
Which bastion host OS to use
How to order the firewall rule sets
What the essential firewall needs are
How the firewall will interact or interfere with
business processes
KEY CONCEPTS AND TERMS
Bastion host OS
Diversity of defense
General purpose OS
Proprietary OS
Reverse caching
Security stance
Universal participation
Weakest link
CHAPTER 7 SUMMARY
1. When crafting firewall rules, determining what to allow
versus what to block is primarily dependent on what
factor?
A. Traffic levels
B. Business tasks
C. Bandwidth
D. User preferences
E. Timing
2. The first step in determining what to allow and what to
block in a firewall’s rule set is:
A. Reviewing vulnerability watch lists
B. Polling users for what services they want
C. Reading blogs about best practices for firewall rules
D. Recording traffic for 24 hours
E. Creating an inventory of business communications
3. What is the purpose of including rules that block ports,
such as 31337?
A. To prevent users from accessing social networking
sites
B. To prevent DNS zone transfers
C. To stop ICMP traffic
D. To block known remote-access and remote-control
malware
E. To allow users to employ cloud backup solutions
4. What security strategy is based on the concept of
locking the environment down so users can perform
their assigned tasks but little else?
A. Simplicity
B. Principle of least privilege
C. Diversity of defense
D. Chokepoint
E. Weakest link
5. What security strategy reverts to a secure position in
the event of a compromise?
A. Fail-safe
B. Universal participation
C. Defense in depth
D. Security through obscurity
E. N-tier deployment
6. Which security stance most directly focuses on the use
of firewalls or other filtering devices as its primary
means of controlling communications?
A. Universal participation
B. Weakest link
C. Fail-safe
D. Chokepoint
E. Simplicity
7. A firewall policy performs all of the following functions
except:
A. Assisting in troubleshooting
B. Placing blame for intrusions
C. Guiding installation
D. Ensuring consistent filtering across the infrastructure
E. Detecting changes in deployed settings
8. Which of the following is not a viable option for an
enterprise network that needs to control and filter
network traffic?
A. Virtual firewall
B. Appliance firewall
C. Physical firewall
D. Host firewall
E. Software firewall
9. A reverse proxy is useful in which of the following
scenarios?
A. To grant outside users access to internal e-mail
servers
B. To support internal users accessing the public Internet
C. To allow private hosts to access external Web servers
D. To offer external entities access to an internal Web
server
E. To cache file transfers for peer-to-peer exchange
protocols
10. All of the following are true statements with regard to
port forwarding except:
A. It is a variation of NAT.
B. It is limited to Web traffic only.
C. It hides the identity of internal hosts.
D. It allows the use of nonstandard ports for publicly
accessed services.
E. Internal servers do not see the identity of the real
source of a communication.
11. Which of the following statements is true with respect
to reverse proxy?
A. Reverse proxy cannot be used in conjunction with
secured Web sites.
B. Reverse proxy can be used with tunnel mode IPSec
VPNs.
C. Reverse proxy can only support SSL tunnels.
D. Reverse proxy caches client requests and archives
them for load balancing purposes.
E. The reverse proxy server can act as the endpoint for a
TLS tunnel.
12. Which of the following is not a true statement with
regard to port forwarding?
A. Port forwarding services can be found on almost any
service or device that supports NAT.
B. Port forwarding is an essential element in the Internet
Connection Sharing (ICS) service of Windows.
C. Port forwarding is used in reverse proxy, but only for
Web traffic.
D. Port forwarding supports caching, encryption
endpoint, and load balancing.
E. Port forwarding is a variation or enhancement of NAT.
13. Which of the following is not considered a viable option
as a bastion host OS?
A. UNIX
B. Linux
C. Android
D. Mac OS
E. Windows 7
14. You are selecting a new appliance firewall for
deployment in the company network. You are concerned
with OS flaws and exploits appearing not only on your
hosts but also on the firewall. To minimize that risk,
what bastion host OS should you choose?
A. Cisco IOS
B. Windows 7
C. UNIX
D. Mac OS
E. Linux
15. What is the most important aspect or feature of a
bastion host OS?
A. Leveraging existing OS administrative knowledge
B. Ease of use
C. Remote administration
D. Resistance to attacks and compromise attempts
E. Support of a wide range of services
16. What is always the most important element within a
firewall rule set?
A. Using specific addresses instead of ANY
B. Listing Deny exceptions after Allow exceptions
C. Listing inbound exceptions before outbound
exceptions
D. Having a final rule of default-deny
E. Blocking every known malicious port
17. Which of the following examples of complete firewall
rule sets is the most valid?
A.
B.
C.
D.
E.
18. Which of the following guidelines is most important?
A. Include all specific denials for known malicious
remote-control tools after explicit Allow rules.
B. Include every possible address and port in a rule
within the set to ensure an explicit callout exists for
every type of communication.
C. There should be more inbound rules than outbound
rules.
D. Place explicit Deny rules for individual systems before
explicit Allow rules for ranges that include those
individual systems.
E. Place universal Allow rules before universal Deny
rules.
19. When considering the security response triggered by a
firewall detecting unwanted traffic, what is the main
factor in choosing between a response that protects
confidentiality and integrity and a response that
protects availability?
A. Traffic load
B. Number of external clients
C. Port in use
D. Business mission and goals
E. Whether the breach takes place during non-business
hours
20. When security mechanisms and business
communications are at odds, what is the best and most
secure response?
A. Disable security to allow the business communication.
B. Modify the security policy to protect the business
communication.
C. Disable both security and the offending business
communication.
D. Disable business communication to maintain security.
E. Do nothing.
CHAPTER
9 Firewall Management
and Security
FIREWALL MANAGEMENT is about focusing on the essential security goals of the environment and making sure the
deployed firewalls assist in fulfilling those goals. Following
general best practices with care and due diligence will help
ensure compliance. Realize that while a firewall is very
important, even essential, firewalls are not the totality of
security; you’ll need other security safeguards to create a
complete solution.
When selecting a firewall, focus on the purpose and
needs of your organization. Find a product that meets the
real needs of your organization’s network environment, not
the most popular or cheapest solution. Consider whether
building your own firewall device rather than purchasing a
ready-made appliance makes better sense.
But even with an appropriate, properly configured
firewall, ongoing security concerns will invariably arise. Plan
on the inevitable attacks, exploits, and threats to the
security provided by a firewall. Hackers might attempt to
use tunneling or virtual private network (VPN) services as a
mechanism to bypass firewall filters. Be aware of these
issues and be prepared to deal with them. Have an incident
response plan in place.
Firewall management also includes testing, monitoring,
and troubleshooting. Many excellent tools can help simplify
or automate these processes. But even the best tools
require solid information and a working knowledge of your
environment. Detailed implementation plans can also be a
significant benefit to maintaining reliable security.
Chapter 9 Topics
This chapter covers the following topics and
concepts:
What best practices for firewall management
are
What some security measures in addition to
a firewall are
How to select the right firewall for your
needs
What the difference is between buying and
building a firewall
How to mitigate firewall threats and exploits
What the concerns related to tunneling
through or across a firewall are
How to test a firewall’s security
What some important tools are for managing
and monitoring a firewall
How to troubleshoot firewalls
What the procedure is for proper firewall
implementation
How to respond to incidents
Chapter 9 Goals
When you complete this chapter, you will be able
to:
Describe firewall management best practices
Select the best firewall for a given network
scenario
Demonstrate the use of tools for managing
and monitoring a firewall
Troubleshoot common firewall problems
Write a firewall installation plan
Best Practices for Firewall
Management
Firewall management best practices are recommendations,
guidelines, or standard operating procedures for obtaining
reliable firewall security on a real-world budget. Best
practices are usually not specific recommendations for
products or tools. Rather, they are recommendations for
philosophies, stances, or concepts on how to proceed. The
following items are suggested best practices. These might
not apply to every environment, although you should
consider each and adapt or adopt when appropriate.
A written firewall policy establishes a documentation trail
that everyone in the organization can read, consider, and
follow. To write a firewall policy, learn about and thoroughly
examine every communication, transaction, and service
within, across, and through the IT infrastructure. You can
write a comprehensive and effective firewall policy only
when you know and understand your operating
environment.
NOTE
The foundation of every firewall implementation is to
have a plan. There is no substitute for a written firewall
policy. Any other method, process, or procedure for
configuring, using, and managing a firewall will fail.
Only a written firewall policy can guide you toward a
successful and reliable firewall deployment.
To have a plan, you must thoroughly understand your
organization’s infrastructure, its mission and goals, and the
processes necessary to produce its products and services.
This means understanding your organization’s technology
use, assets availability, and resources consumption, in
addition to where everything resides and how users work
with the infrastructure. Consider larger and more complex
needs in light of the typical IT infrastructure.
Once you understand your operating environment
thoroughly, you can then decide where a firewall is
necessary. In most cases, every host should have a local
software firewall, every border communication point should
have a firewall, and every transition between subnets of
different trust, risk, or purpose should have a firewall.
Firewalls provide communications control; deploy them
liberally.
To create a useful and relevant firewall policy, perform a
risk assessment. The process of understanding assets,
vulnerabilities, threats, and likelihoods is risk assessment.
Only through a proper risk assessment can you determine
the threats and risks facing your environment and its
communications. This in turn will guide the configuration of
a firewall for maximum benefit.
Once a firewall policy is in place, regularly review the
policy. Investigate whether the overall quality and reliability
of the existing firewall security is sufficient or needs
improving. Verify that all services are still properly
protected. Evaluate whether prevention, deterrence, and
response have been adequate and effective. Wherever you
discover deficiencies, strive to improve and rectify the
situation immediately.
Establish a no-exceptions policy. Every service, every
transaction, every communication must pass through one or
more firewalls, filtered according to the guidelines of the
firewall policy. Terminate any communication found to take
place without firewall filtering immediately.
Maintain physical security over all personnel access to
firewalls. No one except the firewall administrator should
have physical access to the firewall devices. Firewalls are
concentrations of security and often the main embodiment
of communications security. The risk of compromise from
unauthorized access is significant.
Limit and filter Internet connectivity. In spite of a user’s
desire for an unrestricted, unmonitored Internet connection
for personal use, the Internet is a significant risk for most
organizations. An unrestricted or unfiltered Internet
connection is a highway for malicious code, social
engineering attacks, and intrusion attempts. If an Internet
service, protocol, domain, or IP address is not essential to a
necessary business task, block it. Work assets are for work
tasks, not personal activities. Configure the firewall
accordingly.
Install antivirus scanners, anti-malware scanners, and
firewalls on every host. Every portable device, every
desktop workstation, and every server should have these
malicious code and malicious traffic protections. No system
is immune to malware and malicious communications;
prevent easily avoidable compromises and downtime with
basic filters and barriers to known issues.
Don’t rely upon a single or individual firewall. Attempt to
interlock and layer firewalls along the pathways of
communication and transactions. Use defense in depth or a
multiple-layered defense wherever possible. If you do,
numerous filtering events will shield each asset.
When possible, avoid remote access. Limit access to local
direct connections only. When remote access is necessary,
require a VPN. Remote connectivity enables remote hacking.
Remote hacking attempts to breach security without the
need to be physically at or within the target’s facilities.
Requiring VPNs for all remote connections reduces this
threat somewhat by preventing open connections or
communications vulnerable to eavesdropping. All
communications crossing the firewall are potential
vulnerabilities.
Require encryption of all internal network
communications. Use Internet Protocol Security (IPSec) to
secure all intranet communications. This is often an easy
and cost-effective means to quickly reduce the risk of
eavesdropping, man-in-the-middle, replay, and many other
forms of network attacks. Well-encrypted data is much less
likely to fall into the hands of hackers, thieves, and
unauthorized personnel. Configure firewalls to allow IPSec,
VPNs, and other forms of encrypted communications where
appropriate, but don’t universally allow encrypted
communications. Encryption can obfuscate malicious
activities. Strongly authenticated endpoints are less likely to
be sources of malicious actions.
Harden both internal firewall hosts and border firewalls.
Use hardened firewalls against compromise regardless of
their network location. Provide consistent and thorough
security throughout the IT infrastructure. Protecting the
stability and reliability of firewalls will, in turn, protect the
security of the network as a whole.
Always test new code before you deploy it onto a firewall.
No matter who the source of new code is, test it. Even if the
code addresses a mission-critical issue, test it. Test all new
code without exception. All untested code is unauthorized
and you should block it from all production firewalls.
Back up, back up, back up. Security includes the
guarantee of availability. Failing to have a backup increases
the risk that if data is lost, damaged, or corrupted, it will
never be available. Backups are the best form of insurance
against data loss. Don’t store the backups for any given
system on the same system or even in the same locale.
Store them on separate storage devices, both onsite and
offsite. Remember that offsite is more secure in the face of
larger disasters. Don’t allow the only copy of a firewall
configuration to be in memory on the firewall. Always make
a backup.
If an asset is worth the time and effort to secure, then it’s
worth monitoring as well. Configure each firewall as you
deem necessary, and then watch for attempted breaches of
that security. Perfect security doesn’t exist. To improve
security, be prepared to respond when breaches happen—
and they will. Lock, then watch. Failing to watch a secured
asset just means that when the compromise occurs, you
won’t notice it immediately. Firewalls can be the focus of an
attack, just as much as any other host. Being aware of and
prepared for such an attack gives you the edge to respond
promptly.
Have an intrusion and incident response plan. Bad things
will occur. Failures will happen. Breaches will take place.
Firewalls can fail. Malicious traffic goes overlooked. But be
prepared, nevertheless. Evaluate and examine the realistic
threats facing your environment. Plan for the worst. Define
procedures to respond to any and all situations.
Don’t overlook business continuity planning and disaster
recovery planning. The greatest threats to organizations are
not necessarily security breaches, but threats that represent
business-terminating events. Building collapse, flooding,
fire, sabotage, blackouts, malware infection, criminal
activities, and so on shut down an organization’s operations.
If alternate means of accomplishing mission-critical tasks
aren’t available, then the organization will soon cease to
exist. Plan to recover from disasters so that your
organization survives to do business in the future.
Recovering a business process does not mean leaving it
unprotected; redeploying firewalls is just as essential as
restarting business processes themselves.
Keep it simple: security (KISS). Firewalls are complex
enough without purposefully imposing additional complexity.
Focus on designing and configuring firewalls that use simple
and direct rule sets. The greater the complexity involved,
the greater the chance for misconfiguring, incorrectly
ordering rules, or creating loopholes in protection.
Focus on balancing security and usability. Firewall
filtering does not need to make all work tasks difficult.
Likewise, essential work functions need not compromise
security. Finding a balance between these two extremes is
important. Focus on reducing the risk to the infrastructure
while enabling users to perform authorized tasks with
minimal hassle.
Prioritize. Security concerns always threaten to
overwhelm available time, effort, and budget. Focus on the
big impact and big result issues first rather than attempting
to swat at every minor annoyance that arises. Security is
constantly changing; the goal is to maintain reasonable
security rather than keep perfect security. (Remember, this
is unattainable anyway!) The deny-by-default/allow-by-
exception philosophy should keep minor nuisances to a
minimum.
Always be fully and truly aware of the state of the
organizational security, especially in regard to firewall
performance and function. Don’t make assumptions. If you
are not positive that an aspect of the organization is secure,
find out. Assuming security exists is a false sense of safety.
A lack of knowledge about the security status could lead to
complacency. Assuming nothing is wrong removes the
urgency to investigate and rectify problems. Don’t fall into
the “I thought it was protected” trap; if you don’t know or
are not sure, take the time to investigate and know. Testing
is relatively cheap; recovering from intrusion damage can
be disastrously expensive.
Develop a firewall checklist. Review it for completeness
and accuracy on a periodic basis, such as every quarter.
Confirm every element on the checklist on a frequent
regular basis, such as once a week or once a day. You can
automate this to an extent, but it often requires human
effort to test and confirm that every security mechanism is
in place, active, armed, and effective.
Perform regular self-assessments. Numerous security
groups, government, and military agencies post security
implementation guidelines, manuals, and checklists.
Commonly known as STIGs (Security Technical
Implementation Guides), these documents can help you to
review and assess your organization’s status and state of
security. A self-assessment attempts to take an external,
unique, or independent viewpoint in evaluating security.
This is why using external guidelines, standards, and
measurements of security can reveal oversights in an
existing security infrastructure.
Perform internal compliance audits. It’s no longer
sufficient to think you are secure; compliance audits are
now the law in many industries, such as the financial and
medical sectors. Ensuring that you are in full compliance
with all federal and state laws and regulations is not only
good security management; it also keeps company officials
out of jail. Using external auditors is often a poor substitute
for internal self-verification.
Test all uses of the firewall for sufficiency. Perform
verification scans of all deployed firewall settings to ensure
they are functioning. Improper installation or
misconfiguration can render even well-meaning safeguards
worthless. Test every new security setting or rule on
installation and at every reconfiguration.
Perform regular vulnerability assessments. Use
automated tools with updated databases of security tests
and exploit simulations. These tools should confirm patches
and updates, verify security configurations, and probe for
known vulnerabilities to exploits and weaknesses. Quickly
resolve any issues the scans uncover.
After you’ve improved and tuned firewall security, put it
to the ultimate test: Perform penetration testing. Hire or
develop an ethical hacking team to test the strengths and
weaknesses of the firewalls. Ethical hackers use the same
tools and attack techniques as criminals, but without the
intent to cause actual damage. Professional security
assessment teams can customize attacks, modify exploits,
and react in real time to fully stress security defenses.
Focus on establishing a philosophy of default deny rather
than default allow. By blocking everything as a starting
point, only those features, services, protocols, ports,
applications, and users you deem safe and appropriate can
proceed by an exception. Using a default-allow stance forces
a never-ending stream of explicit denials as new
compromises or malicious events arise. Deny by
default/allow by exception is always the preferred security
stance.
This collection of firewall management best practices
should serve as a starting point for the development of an
effective firewall deployment. Other valid and useful
guidelines deserve consideration, so don’t assume this list
of recommendations, or any other list from any other
source, is exhaustive. There are always new lessons to
learn, new challenges to face, and new wisdom to obtain.
Security Measures in Addition to a
Firewall
A firewall is an essential part of any security infrastructure.
Every single host needs a firewall. Every single network
needs border firewalls. Firewalls are concentrations of
security, and are easily recognizable embodiments of an
organization’s security policy. A firewall is an incomplete
security solution on its own, however.
FIGURE 9-1
Firewalls: Only part of the security puzzle.
A complete security solution requires many more
components (Figure 9-1) than just a firewall. Proper
understanding of the organization’s essential processes,
threats, and goals will guide you toward the creation an
effective security plan. Without a proper risk assessment,
however, recommendations for safeguards and
countermeasures are just guesses.
Several common elements characterize most properly
designed security systems. These include:
Multifactor authentication
Anti-malware scanning
Full hard drive encryption
Communications encryption
Detailed logging and auditing of events
Intrusion detection and prevention systems
Network segmentation and traffic management
Private IP addresses and NAT proxies
VPNs for remote access
Network access control
While these are often excellent security components, they
are not all necessarily applicable and required in every
environment. Addressing your environment’s specific risks is
always more preferable than deploying a security product
just because it seems like a good idea.
Selecting the Right Firewall for Your
Needs
Choosing the best firewall for your specific environment
requires knowledge of firewall options and understanding of
the security needs of your network environment.
Automatically selecting the most expensive option, the
cheapest one, or an open source solution fails to properly
assess the situation. Firewalls are essential elements of
security. They are concentrated security. It would be
careless to select a product without due diligence.
NOTE
Selecting and purchasing the right firewall for your
organization’s situation requires careful evaluation. As
with any big decision, first find the longest poles in the
tent: Always resolve important aspects of the process
sooner rather than later. For example, first familiarize
yourself with the budget for the purchase.
Knowing the amount of money available for firewall
protection helps you quickly eliminate those products
clearly outside your price range. Don’t automatically discard
every product above the budget limit, but realize that
anything more than about 15 percent of your maximum
allowance is probably out of reach.
Next, consider whether an open-source solution is a
viable option for your corporate culture. Some organizations
are philosophically opposed to open-source solutions, while
others embrace and encourage such endeavors.
Do you want to include the option to build your own or
focus on only off-the-shelf, ready-to-deploy options? Making
this decision early will help guide you toward a viable
choice.
Familiarize yourself with the wirespeed of the network,
general traffic levels, the types of filtering desired, types or
forms of recent attacks, and future growth and expansion
plans. Armed with these pieces of information, you can
begin a serious hunt for the most appropriate firewall
solutions.
The firewall technology advances quickly. Often, new
attacks and exploits crafted by hackers drive these
advancements and upgrades. A specific recommendation
for a specific model, product line, or even vendor has a
finite life. Suggestions you hear today are likely to be out of
date, superseded, or compromised in a few short months.
Products at the top of the market one year might not even
place in the next.
Seek out current firewall reviews both online and in
technical publications and trade journals. Find firewall
options that fall within the parameters you laid out based on
your understanding of the network and known threats.
Some general guidelines will assist you in this process:
If speed, flexibility, and simplicity are priorities, then
select a packet filtering firewall or a stateful inspection
firewall.
If real-time applications and high-bandwidth
communications are priorities, then select a dedicated
application-specific proxy firewall.
If strong authentication is a priority, then select an
application gateway firewall or a dedicated
application-specific proxy firewall.
If detailed logging is a priority, then select an
application proxy firewall.
If customized, unique, or complicated filtering options
are a priority, then select a dedicated application-
specific proxy firewall or a stateful inspection firewall.
If stopping internal attacks is a priority, then select a
dedicated application-specific proxy firewall or a
personal host firewall.
A single firewall product rarely satisfies every need.
However, you should be able to find one or more firewall
solutions that address the primary security concerns of your
organization.
The Difference Between Buying and
Building a Firewall
Carefully consider the choice of whether to buy a ready-to-
deploy firewall versus building it yourself. An off-the-shelf
firewall that you simply plug in can be an attractive solution.
However, an out-of-the-box product will generally cost more
than an equivalent do-it-yourself system. In addition, most
pre-configured systems are not as flexible or expandable as
a custom-built version.
That’s not to say that a do-it-yourself firewall is always
the best answer, either. A self-constructed firewall can be
less expensive and provide a wider variety of features and
options. However, when an in-house, custom firewall
experiences a problem, you can usually find little formal
technical support beyond a user-community discussion
forum.
If you are prepared to fully research and understand a
firewall product to install, configure, and manage it yourself,
then a do-it-yourself firewall can be a great cost-saving
solution. However, if your organization’s IT staff is already
stretched and overworked, then home-built solutions will
likely cause more problems than they solve.
A pre-built, off-the-shelf firewall is more likely to work
right out the box, requiring only that you plug it in, set the
configuration, and connect the network cables. A build-it-
yourself firewall may require additional hardware
manipulation, juggling of device drivers, hardening of a host
OS, and so on. Ask yourself: Is custom-built worth the
hassle?
Don’t automatically reject either buy or build firewall
options before you research and assess the options. You
might be surprised at the low cost and feature richness of a
boxed product or caught off guard by the complexity,
instability, or high-cost of a do-it-yourself product. Always
look for the best firewall solution for your specific needs and
current threats.
NOTE
Build-it-yourself firewalls are usually less costly
because they usually don’t include dedicated hardware
and often use open-source (free) source code.
However, the tradeoff for the savings to successfully
deploy a reliable border sentry solution is that you
need to know more about firewalls generally and your
specific software and/or hardware.
Mitigating Firewall Threats and
Exploits
Firewalls are one of the most important components of a
complete security solution. However, they are not without
their own issues, threats, and concerns. Exploits will cause a
firewall to fail. Remember that a firewall is software that
sometimes includes dedicated hardware and a host
operating system. Any software product is prone to flaws
and errors in programming. Simply calling it a firewall does
not eliminate this concern.
Ultimately, firewalls are software code written by human
beings. In either a host firewall or an appliance firewall, the
logic and controlling mechanisms of the firewall are software
code. Software code is designed and written by people. And
whenever people are involved, mistakes or oversights are
possible.
Coding errors are not as common in firewall products as
in operating systems or other forms of software. But don’t
think they don’t occur. Most firewall programmers and
vendors take extra care to comb through and test every line
of code to exacting quality control and security standards.
Standard industry practice requires considerable pilot
testing of firewall code before release into the commercial
environment.
In spite of these precautions, firewalls have in the past
been released to market with software coding errors later
discovered and exploited. Hackers are constantly using
scanning, testing, and probing tools to discover exploitable
weaknesses. When a vulnerability appears, hackers take
advantage of the flaw. Some firewall exploits have caused
firewalls to freeze or crash, while others have given the
hacker the ability to read or adjust filtering rules. In most
cases, vendors quickly release updates and patches to
correct these problems. When selecting a firewall, check the
version and patching history. Firewall products with lots of
patches might not be as reliable in the future as a product
with fewer patches.
How long does the vendor typically take to release a
patch once a flaw or exploit for the product becomes public
knowledge? The longer the vendor takes to release a fix, the
longer you will be left insecure waiting for the update.
Some exploits cause buffer overflows. In a buffer
overflow, a memory buffer exceeds its capacity and extends
its contents into adjacent memory. Hackers often use this
attack against poor programming techniques or poor
software quality control. Hackers inject more data into a
memory buffer than it can hold, which results in the
additional data flowing over into the next area of memory. If
the overflow extends to the next memory segment
designated for code execution, a skilled attacker can insert
arbitrary code that will execute with the same privileges as
the current program. Improperly formatted overflow data
may also cause a system crash.
When the firewall vendor becomes aware of an exploit in
the wild, it quickly develops and releases a patch. An
effective security- and patch-management system will
enable you to quickly test and update the firewalls
protecting your production environment. A delay in the
release of a patch or its application keeps the window of
opportunity for hackers to compromise your environment
wide open.
A good rule of thumb is to avoid the first generation or
first release of a firewall product. Version 1.0 is bound to be
more prone to programming errors than later releases. If the
first version of a product seems better than any other
product from any other vendor, then wait at least six
months after its initial release before deployment. This gives
other people, good and bad, a reasonable time to find flaws,
test exploits, and trigger release updates by the vendor.
Once you’ve chosen a firewall product, always install
every available patch and update from the vendor. Always
test updates first—no exceptions—but then get them
installed as quickly as your testing process will allow. Install
only full and final releases of a firewall patch. Never deploy
alpha, beta, pre-release, release candidate, or test-build
patches on a production firewall.
Another potential concern of firewall security is the
filtering it uses. Understand that no perfect security
measures exist. Each form of firewall filtering or traffic
management is vulnerable in some way. The easiest is basic
packet filtering.
Basic packet filtering uses a simple and static rule set.
Numerous allow- and deny-explicit exceptions compromise
the rule set’s final deny-all rule. Rules can focus on the IP
address and port number of the source and/or destination,
as well as the protocol in use. A firewall testing and probing
technique known as firewalking can potentially discover
some or all of the rules on a static packet filtering firewall.
Firewalking sends basic Transmission Control Protocol
(TCP) virtual circuit initiation packets (synchronization-
flagged packets) to a known internal target system. The
firewalking tool manipulates the parameters of the IP and
TCP headers using a brute force technique. This process
sends a wide variety of packets toward the internal target in
the hopes of discovering a packet configuration that
succeeds in passing the restrictions of the firewall rule set.
Once a hacker knows the packet constructions that make
it past the firewall, he or she can use that knowledge to
attack the known internal target or discover and attack
other internal targets.
Other forms of firewall filtering are vulnerable if they do
not perform content filtering or deep packet inspection.
Non-content-filtering firewalls do not examine the contents
of packet payloads. Thus, once an attack establishes what
seems like a benign connection to an internal target,
subsequent communications can contain malicious
payloads.
Even when stateful inspection, content inspection, and
deep packet inspection are present, hackers can employ
fragmentation and overlapping attacks. These attacks use
packets crafted to seem benign when analyzed individually,
but once received by the destination, the fragmentation
offset values cause an abnormal reassembly that overlaps
packets to craft new payload and/or new header content.
Such attacks can change target ports or deliver a malicious
payload past a filtering sentry.
Fragmentation attacks are an abuse of the fragmentation
offset feature of IP packets. Fragmentation may occur in a
network where many different network links join to
construct a global infrastructure. Some network segments
support smaller datagrams (another term for packets or
frames) than others, so larger datagrams fragment into the
smaller size. When the fragmented elements of the original
datagram reassemble, manipulations of fragmentation can
cause several potentially malicious reconstructions such as
overlapping and an overrun.
FIGURE 9-2
Fragmentation and overlapping.
Overlapping can cause full or partial overwriting of
datagram components creating new datagrams out parts of
previous datagrams (Figure 9-2). An overrun can create
excessively large datagrams. These and other forms of
fragmentation attacks cause DoS or attempt to confuse IDS
detection or firewall filtering.
Fragmentation is a supported function of IP packets.
Packets fragment when they encounter network segments
that support a smaller maximum transmission unit (MTU).
When packets reassemble, the fragments usually return the
data to its original configuration. However, overlapping
attacks can abuse the fragmentation offset value in the IP
header causing reassembly overlap. Reassembly overlap
can create new payloads or headers. For example, if a
payload of “EVIL PAYS BLUE LOAD” fragments into “EVIL
PAYS BLUE” and “LOAD,” an overlap reassembly could result
in the creation of “EVIL PAYLOAD.”
Protections against fragmentation attacks include using
modern IDS detection and firewall filtering features as well
as performing sender fragmentation. Sender fragmentation
queries the network route to determine the smallest MTU or
datagram size. Then the sender pre-fragments the data to
ensure that no fragmentation needs to occur en route.
The only reliable method of stopping these attacks is to
deploy a dynamic filtering system that performs virtual
reassembly. Virtual reassembly will piece together both
fragmented packets and the original payload. The
reassembled payload is analyzed, and then only if it is
deemed non-malicious are the original packets transmitted
to the internal network. Virtual reassembly is not a
completely foolproof technique, but it does greatly reduce
the risk of these exploits.
The most common method of exploiting and/or bypassing
a firewall is internal code planting. Firewalls are often border
sentries. They protect internal systems from
communications that originate from external entities.
Unfortunately, some security administrators use only
inbound firewall filtering, which leaves outbound traffic
uncontrolled and unfiltered.
In this situation, if a hacker can plant code internally or
trick a user into running code, or if an employee brings in
code of his or her own, outbound connections to malicious
external entities might be possible. Frequently, laptops that
pick up malware connect to the internal network, placing
the malware behind the firewall. Many hacker tools rely on
this technique, such as Loki, Back Orifice, NetBus, and even
Netcat. A server of sorts is hosted on an external host and
the automatic connection client utility runs on an internal
host. The client utility establishes the initial connection as
an outbound connection (thus allowed by the firewall), and
then the external host is able to send data or commands
back to the internal client through this connection. Often,
this form of attack results in a hacker gaining modest to
complete remote control over the compromised internal
host.
Denial of service (DoS) is another common threat to
firewalls and networks as a whole. A DoS attack, specifically
a flooding or traffic based DoS, sends massive amounts of
data to a target victim. If that victim has a firewall, then it
will detect and discard the DoS. The firewall’s filtering
service can usually prevent the DoS traffic from breaching
the network’s perimeter and affecting internal systems.
However, since the firewall has to collect, analyze, and
respond to each and every packet received on its interfaces,
a well-managed DoS attack can consume all available
bandwidth of the connecting segment to the firewall, as well
as consume all of the processing capabilities of the firewall.
This, in turn, prevents any legitimate traffic from reaching
the network. Thus, even with a firewall protecting the
internal network, a DoS flooding attack can still successfully
disconnect or interfere with external communications.
A firewall’s vulnerability to DoS flooding is the one
limitation or weakness that you can’t fix, improve, or repair
by either upgrading the firewall or applying a patch.
Upgrading to a stateful inspection firewall addresses
fragmentation, firewalking, and even internal planting of
code. Patching will address programming bugs and buffer
overflows. Although highly specialized tools are available
that can perform partial upstream DoS detection and
filtering, in general, no fixes to prevent flooding attacks
from reaching an Internet-facing firewall exist.
Knowing these threats and exploits, as well as realizing
the probability of others, should remind security
administrators to be proficient at the basics. Security
management is mandatory to maintain any semblance of
security in any environment. Your essential long-term
strategies for maintaining security include keeping systems
current with patches, using a hardened configuration,
staying knowledgeable about new exploitations, and
monitoring the environment for successful and attempted
compromise.
Concerns Related to Tunneling
Through or Across a Firewall
Hackers tunneling through or across your firewall
deployments are a serious threat to your organization’s
network security. Tunneling is the creation of a
communication channel similar to the creation of a VPN. In
some cases, it uses actual VPN solutions and protocols.
Tunneling can create either a covert channel or a known
channel that’s unfiltered.
Tunneling uses two techniques. One method is installing
a server component on an internal system, and then an
external client component initiates the connection. This
technique requires the firewall to allow inbound initiation
connections to internal systems. A second method is to
install a server component on an external system, then use
an internal client component to initiate the connection. This
technique requires the firewall to allow outbound
connections.
Most firewall deployments strictly limit or restrict inbound
initiation of communications to specific ports and services.
Thus, a tunneling setup using an inbound connection must
“hijack” an existing open port or reconfigure the firewall to
open another port for use by the tunnel. If the perpetrator of
this security violation has the ability to reconfigure the
firewall, you have much more serious security concerns to
address than tunneling.
Firewalls commonly allow most outbound
communications with little or no restrictions. While not the
best security stance, it is convenient and easy. Proper use of
a deny-by-default stance should limit both inbound and
outbound connections to those explicitly allowed. If the
firewall freely allows outbound connections, then internally
initiated tunnels are extremely easy to establish.
Tunnels can potentially use almost any protocol,
including IP, ICMP, TCP, UDP, and most application protocols.
Specialized tunneling server/client applications can replace
traditional payload content with whatever content the
hacker wishes. Effectively, this can convert almost any
protocol at any layer of the OSI model into an encapsulation
or tunneling protocol (Figure 9-3).
Tunneling is an obvious abuse and violation of protocol
rules. However, if a firewall is not investigating the payload
of a frame, packet, segment, and so on, then a hacker can
set up a tunnel using a protocol not designed to perform
encapsulation.
FYI
Once a tunnel is open, data can move in either
direction. The directionality of the connection has little
to do with which end of the tunnel is the controller and
which is the ultimate target or victim.
FIGURE 9-3
A tunnel across a firewall.
The problem gets worse when the tunneling system
employs encryption. This makes payload investigations
more difficult because the firewall will be unable to decipher
the content or purpose of the encoded payload. To combat
this complexity, set the firewall to either block all
encryption, allow only encryption that originates or
terminates at the firewall, or allow encryption only on
certain ports (potentially limiting communications to and
from specific IP addresses as well).
Encrypted tunnels across a firewall are not inherently or
automatically malicious in nature. VPNs are encrypted
tunnels that commonly and widely create security for
personal and business communications across the Internet
and within private networks. However, most VPNs use well-
known VPN protocols, such as IPSec and SSL, on
standardized ports, with predictable header constructions
and characteristics. Unauthorized or rogue tunneling
mechanisms often use odd protocols for encapsulation and
can operate on any port, use invalid packet constructions,
and violate communication standards.
In addition to the standard VPN protocols used for this
purpose, such as IPSec, SSL, TLS, OpenVPN, PPTP, L2F,
L2TP, and so on, several other legitimate and subversive
services, products, and protocols can configure
unauthorized tunnels. These include:
Loki—Loki uses ICMP as a tunneling protocol.
Netcat—Netcat can create TCP and UDP network
connections to or from any port.
Cryptcat—Cryptcat is a version of netcat that creates
encrypted connections.
NetBus—NetBus is a malicious remote control tool.
Back Orifice—Back Orifice is a malicious remote
control tool.
SubSeven—Subseven is a malicious remote control
tool.
Remote Desktop Protocol (RDP) and Remote
Assistance—These are native features of Windows
OS. RDP is disabled by default, and Remote Assistance
requires an invitation.
TOR (The Onion Router)—This is a double-blind
encapsulation system that enables anonymous, but
not encrypted, Internet communications.
JanusVM—This is Linux software powered by VMware
that creates SSH encrypted tunnels used in
combination with TOR.
PacketiX VPN—This is an encrypted Web proxy
service.
HotSpotShield—This is an encrypted Web proxy
service.
HTTP Proxy—This is a Web proxy service.
GoToMyPC, GoToAssist, LogMeIn, and other
similar services—These are third-party remote
desktop control services.
This list of products, services, solutions, and protocols used
to create illicit tunnels across a firewall is not exhaustive.
Several of these are legitimate services with valid uses, but
when a hacker employs them without permission, especially
across nonstandard ports, they represent a serious threat.
Any ability to breach a firewall to allow unfiltered, full-duplex
communications is cause for concern and response.
The best defense against these tunneling exploitations is
to strictly enforce deny by default for both inbound and
outbound communications. Clearly define in the acceptable
use policy (AUP) which tools are unauthorized and which are
considered security breaches. Use network and host IDS/IPS
monitoring. Deploy whitelist controls to prevent the
installation of unapproved software. Limit mobile code such
as ActiveX, Java, Flash, Silverlight, and JavaScript in
browsers to minimize the possibility that a Web-only form of
tunneling might use an authorized Web client.
Testing Firewall Security
Firewall tests are an important and integral part of the build
and management process. Standard security management
practice is to test security to confirm proper configuration,
performance, and strength against attacks and exploits.
Failing to test a firewall is a serious breach of this best
practice.
Because a firewall is one of the most important parts of
your security infrastructure, is a concentration of security
controls, and is your first line of defense against inbound
attacks, failing to test a firewall thoroughly practically
ensures you will have a breach or intrusion.
Every update, change, or alteration to any aspect of your
firewall or the network segments connecting to a firewall
should trigger another round of firewall testing. Test a
firewall as if you were practicing for the Olympics. Repeat
the testing again and again, striving to push the limits and
improve with each drill. Strive to ensure your firewall
deployment is the best it can possibly be.
technical TIP
Testing a firewall involves the use of several tools and
techniques. These include automated vulnerability
assessment tools, exploitation frameworks, and rogue
hacker attack tools.
One tool you can use is a simulated firewall test. Such a
test uses an attack simulator to transmit attack packets to
the firewall. You can locate the attack simulator inside or
outside the firewall to simulate an internal attack or an
external attack. An attack simulator can verify that a
specific weakness is present on a firewall, without actually
causing damage or interrupting production. Most simulator
tests are secure by design.
Creating a virtualized network environment using a
virtualization tool, such as VMware, performs virtual firewall
tests. A virtual intranet is created, a virtual firewall bastion
host goes up, and virtual external systems become active.
The administrator then works through a variety of scenarios
of attack, both from internal attackers and external ones.
Logically, the virtualized environment functions like the real
one, but you can test it using techniques that might
otherwise damage or interrupt the production network.
Laboratory tests run in non-production subnets where
you’ve configured a duplicate of the production
environment. The laboratory setup mirrors each system,
including the firewall. Test-run in the lab environment
anything that might interfere with production or might
cause data loss or system damage.
Laboratory tests and virtualized testing are similar, but
both are useful mechanisms; use them both rather than
forgoing laboratory tests in favor of using virtual testing
exclusively. The actual physical devices of firewalls and
systems might reveal weaknesses not present in the
virtualized versions.
Any of these testing configurations can benefit from the
use of fuzzing tools. Fuzzing tools use a brute-force
technique to craft packets and other forms of input directed
toward the target. Fuzzing tools stress a system to
determine whether it will react improperly, fail, or reveal
unknown vulnerabilities. Fuzzing tools can discover coding
errors, buffer overflows, race conditions, remote exploit
flaws, injection weaknesses, and so on. The downside to
using fuzzing tools is that they can take a significant amount
of time to discover anything interesting.
Using a variety of testing methods to put a firewall
thoroughly through its paces is an important part of security
management. To maximize your network’s security
effectiveness, plan, design, deploy, test, and then fine-tune.
Important Tools for Managing and
Monitoring a Firewall
Proper security management requires that you manage and
monitor the firewalls in your infrastructure. As with every
type of security, you can’t just install firewalls and forget
them. Every security safeguard must be locked down,
tuned, and monitored over time. Once the firewall has been
installed and configured, the work of managing it begins.
Firewall management is about understanding that new
threats are coming from hackers on a constant basis, and
that the defenses and settings that work successfully today
might not be the best defense against new attacks
tomorrow. Firewall management is the essential task of
maintaining a firewall in spite of these new threats.
Firewall management includes verifying that the
configuration settings of the firewall remain in place and
don’t change without authorization. Device failures,
electrical fluctuations, and unexpected reboots can delete
or corrupt firewall configurations. So, regularly verify that
the desired settings remain active on the firewall.
Firewall management includes applying updates and
patches to the firewall. Always test updates before
deployment. Back up firewall configurations before applying
new and tested updates. Once you apply an update, confirm
that the application of the update didn’t reset the
configuration to the default settings.
Firewall management includes testing the resistance of
the firewall to attacks. This can include the use of a variety
of automated and manual attack tools and techniques.
Effectively, firewall testing is the application of penetration
testing or ethical hacking against the firewall as the primary
target. Using the tools and methodology of criminal hackers
in an ethical and boundary-limited manner is an excellent
way to verify the ability of a firewall to withstand known
attacks.
Firewall management includes the use of monitoring
tools to watch over the performance and reliability of a
firewall over time. Properly use any valid tool in this
endeavor. Some recommended tools to consider include:
Nmap—This is a network mapper, port scanner, and
OS fingerprinting tool. It can check the state of ports,
identify targets, and probe services.
Netstat—This is a simple command line tool to list the
current open, listening, and connection sockets on a
system.
TCPView—This is a GUI tool to list the current open,
listening, and connection sockets on a system as well
as the service/program related to each socket.
Fport—This is a command line tool to list the current
open, listening, and connection sockets on a system as
well as the service/program related to each socket.
Snort—This is an open-source, rule-based IDS that can
detect firewall breaches.
Nessus—This is an open-source vulnerability
assessment engine that can scan for known
vulnerabilities.
Wireshark—This is a free packet capture, protocol
analyzer, and sniffer that can analyze packets and
frames (Figure 9-4) as they enter or leave a firewall.
Netcat—This is a hacker tool that creates network
communication links using UDP or TCP ports that
support the transmission of standard input and output.
It commonly creates covert channels to control a
target system remotely or to bypass a firewall. It can
test a firewall’s ability to detect and block covert
channels. Cryptcat offers similar capabilities using
encryption.
Backtrack—This is a Linux distribution that includes
hundreds of security and hacking tools, including
Nessus and Metasploit. It can perform attacks against
or through a firewall for testing purposes.
Syslog—This is a centralized logging service that
hosts a duplicate copy of log files. It provides a real-
time backup of every log on every participating host.
FIGURE 9-4
Wireshark.
These are only a few of the excellent tools to manage and
monitor a firewall. But more important than the tools you
use is ensuring that the careful management, monitoring,
and tuning of your firewalls actually take place.
Troubleshooting Firewalls
Firewall troubleshooting, like any form of troubleshooting, is
about the process more than the actual result. Most firewall
problems can be relatively easy to troubleshoot if you’ve
planned a detailed troubleshooting procedure with extensive
documentation. The foundation of successful
troubleshooting is preparation.
When trouble arises in or around the security of the
network, especially in regard to the firewall, you must act
promptly to resolve the issues at hand. Troubleshooting is
both an art and a skill set to systematically diagnose and
eliminate problems whatever the source. Although
troubleshooting might sometimes sound exciting, in reality
it’s a fairly lengthy and tedious process. Knowing a few
procedures and commonsense guidelines can improve your
troubleshooting skills and help keep downtime and security
breaches to a minimum.
You can never have too much useful troubleshooting
information. Information, data, documentation, resources,
and so on are the primary tools you can use to find and
resolve problems. Useful troubleshooting information
includes:
Complete hardware and software inventory (relative to
firewalls)
Paper and electronic copies of configuration settings
Firewall policy
Change documentation
Previous troubleshooting logs
Activity, error, and alert logs
Maintenance logs
Any information about the current problem
Once you have this information in hand, you can begin the
overall troubleshooting process. Don’t wait until a problem
occurs to collect this essential information, however.
Instead, maintain this collection of documentation as a
normal, regular, essential element of system maintenance
and management. The best time to document the
environment and configuration is when you do not urgently
need it. When problems do arise, you want to be able to
focus on resolving the issue, not collecting resources and
tools. Pre-assemble the tools and resources you’ll need for
troubleshooting so that you will be ready for action.
Murphy’s Law dictates that when things go wrong, and
they will, they will go bad at the least convenient time. To
combat this, be prepared before the problems arise. That
way, when the firewall fails, locks up, freezes, lets through
unwanted traffic, or falls to a hacker, you can focus on
dealing with the stress, time crunch, data loss, and
downtime ramifications without also having to deal with
collecting the essential materials to resolve the problem.
Being prepared is always a solid first step. Next, develop
a troubleshooting plan, technique, or procedure. While some
problems are predicable and have a known method of
resolution, many situations will require off-the-cuff
brainstorming to craft a new solution. Most solutions come
from a liberal application of common sense. The following
are several commonsense elements you need to integrate
into your troubleshooting planning:
Have patience—Keeping your cool and taking your
time will pay off by allowing you to find a solution
quickly without making mistakes, overlooking essential
details, or making the problem worse.
Know your firewall thoroughly—The more you
already know about the firewall hardware and
software, the more you will know how it functions. You
can immediately use that knowledge to seek out a
solution.
Isolate the problem—Whenever possible, isolate
elements or components of the firewall system that
are functioning correctly to narrow the range of
suspects of potential problem sources.
Simplify—Disable or disconnect software and
hardware not essential to the function of the firewall.
This will reduce the complexity of the situation and
may assist in uncovering the cause.
Focus—Seek to find a solution to the current most
critical problem. Don’t waste time fixing, repairing,
upgrading, resetting, or configuring any other problem
or aspect of the firewall system until you’ve resolved
the primary problem. You can become distracted by
minor details that “only take a second” to address;
make a list of these smaller issues and come back to
them later.
Review change documentation—Could a recent
change be responsible for the unwanted activity? If so,
try to undo the change to see if the problem stops.
Review previous troubleshooting logs—Consider
whether the current problem is the same as or similar
to recent problems already in the log. Try repeating
successful solutions.
Update the troubleshooting log—Record every
action attempted, whether successful or not. Record it
into the troubleshooting log and use it as a journal.
Think of something, then write it down. Then try the
solution, and write that down. Then test for
effectiveness, and write that down. Next, repeat the
failure fix, and write that down. Repeat until resolved,
writing down the successful solution and making note
of any other thoughts, ideas, or observations.
Try the quick and easy fixes first—Try the fast and
easy stuff before the hard and complicated options.
You might be lucky, but if not, undoing easily
attempted failed solutions will be simpler than undoing
more complex options.
Avoid destructive or irreversible solutions until
last—Attempting to use an irreversible fix is a poor
idea early in the troubleshooting Process. Only after
reversible and/or safe solutions have failed should you
attempt more drastic measures.
Try the free options before the costly ones—
Always try to perform repairs and fixes in-house using
tools and resources that you already own or can obtain
free. Hold off on purchasing new resources or hiring
technical support until you’ve exhausted other
options.
Let the problem guide and direct you—The more
you understand how your firewall operates and what
the problem is, the more the problem will direct you
toward the affected area or the source of the issue.
Make fixes one at a time—Try only one fix or repair
option at a time. Attempting multiple fixes at once is
more complex and might mask the successful
resolution.
Test after each attempt—After each fix is made,
test the repair to see if it was successful.
Reverse or undo solution failures—If a fix does not
resolve the issue, undo it to return to the previous
state. Leaving failed fixes in place may cause other
problems or may intensify the main problem.
Repeat the failure—Sometimes causing the failure
to repeat can assist in identifying the cause. However,
do so only when the repetition will not cause further
harm or loss.
Perform a post-mortem review—The most valuable
result of a problem, especially a resolved problem, is
your ability to learn something from the event. Always
review the entire troubleshooting response process.
Look for ways to improve the response to future
problems.
Use these commonsense highlights to create an official how-
to procedure that your IT and security staff can follow when
a firewall problem arises. Firewall problems won’t wait;
strive to understand and resolve them quickly. Otherwise,
your network will be at risk or productivity can suffer.
Neither is beneficial to the long-term viability of your
organization.
Proper Firewall Implementation
Procedure
Successful firewall implementation comes from a written
plan. As with every aspect of security, a written procedure is
essential for a reliable and trustworthy deployment. If a
firewall policy does not exist in your organization, then your
first step should be to craft one.
A firewall implementation procedure should prescribe the
systematic process to properly install and configure a
firewall. Since each firewall product is different and each
type of deployment is likely different (a border firewall
versus an internal host firewall, forinstance), you may even
find that you need several firewall implementation guides.
The specifics of an implementation guide are different for
each organization. Customizing a plan for your specific
environment is essential to obtain the best security from the
deployed firewall. However, every plan should have certain
common elements. Whether you are developing your own
firewall implementation policy or revising an existing one,
use the following plan components to make yours the best
possible policy for your organization.
Every firewall procedure should clearly define the
requirements for the firewall. A generic description of a
firewall is insufficient. Don’t just indicate that you need a
software firewall or an appliance firewall. Instead, dictate
the specific capabilities, features, and requirements to
accomplish the tasks and security goals. You can include a
specific example of a vendor’s exact make and model.
However, products change, are revised, are replaced, and
are retired by vendors on a rather frequent basis. So,
include an inventory of features and specifications, even if
you focus on a certain off-the-shelf product.
Specify the network design that the firewall will
complement. To be effective, network firewalls (as opposed
to host firewalls) must be at chokepoints or transition points.
The design of the network is an essential element of
effective firewall deployment. Define and even map out the
network structure that should exist along with pinpointing
exactly where the firewall is, down to the logical
configuration and the physical cables connecting to it. Your
network design will change over time, but this can always
change in the future when you perform change
documentation and guidelines revision.
Write the plan down. Write out step by step, point by
point, every action to take from the moment the firewall
arrives on site through the point of enabling the filtering of
production traffic. Include hardening of the bastion host,
applying patches, updating firmware, changing defaults
(especially passwords), locking down management
interfaces, changing configuration settings, defining the rule
sets, configuring interfaces, installing the physical
components, backing up the configuration, testing at
startup, testing for stress and load, documenting
performance and stability, obtaining approval from senior
management, and initiating filtering of production traffic.
Prescribe the process of shopping for and purchasing (or
otherwise obtaining) the firewall. Not all firewalls have a
purchase cost, such as those that are free, open source, or
obtained through bartering. Nonetheless, document a
procurement process. Consider purchase price; consider
whether the product is new, used, or reconditioned;
understand the return policy; look for discounts; investigate
the warranty; and know what levels of technical support are
free or available for a fee. If the product must be shipped to
you, either verify that it’s in stock or determine the backlog
waiting period. Consider overnight shipping and insuring the
package against shipping damage and loss. Don’t spend
hundreds or thousands of dollars on a product that may
arrive damaged without having recourse to a claim with the
shipping company.
Document, document, document. Write down every
aspect of firewall use before deployment. Journal every step
performed from start to finish of deployment, and then
record into the documentation every action in managing,
administering, monitoring, and troubleshooting the firewall
for the remainder of its deployment life. No action or event
is too insignificant to record relative to your firewall
deployment. This comprehensive firewall documentation is
essential to management, troubleshooting, recovery, and
incident response.
Responding to Incidents
Incident response is a key part of every security
infrastructure. Incident response is the planned reaction to
negative situations or events. Security breaches, or at least
attempts to breach security, will occur. When those events
affect the organization or its abilities to perform its tasks in
any way, incident response triggers. The goals of incident
response are to minimize downtime, minimize loss, and
restore the environment to a secure, normal state as quickly
as possible. This applies to breaches of a firewall as well as
every other aspect of security.
Most incident response solutions include six primary
steps or phases:
Preparation—Select and train security incident
response team (SIRT) members and allocate resources.
Detection—Confirm actual breaches.
Containment—Restrain further escalation.
Eradication—Resolve the compromise.
Recovery—Return to normal operation.
Follow-up—Review the process and improve future
responses.
Incident response is an important element of firewall
management.
CHAPTER SUMMARY
Firewall management involves addressing all security
concerns related to the security provided by a
firewall. This includes following recommended best
practices, knowing that a firewall is only part of a
complete security infrastructure, picking the right
firewall for the environment, considering the options
of building versus buying a firewall, being prepared to
mitigate firewall threats and risks, dealing with
tunneling across a firewall, firewall testing, using tools
for management and monitoring, troubleshooting
problems, planning out use, and being prepared with
an incident response policy.
KEY CONCEPTS AND TERMS
Fuzzing tools
CHAPTER 9 ASSESSMENT
1. All of the following are considered firewall management
best practices except:
A. Have a written policy.
B. Provide open communications.
C. Maintain physical access control.
D. Don’t make assumptions.
E. Develop a checklist.
2. All of the following are firewall management best
practices except:
A. Lock, then watch.
B. Back up, back up, back up.
C. Keep it simple.
D. Perform penetration testing.
E. Implement fail-open response.
3. You are the security administrator for a small medical
facility. To be in compliance with federal HIPAA
regulations, you need to deploy a firewall to protect the
entire office network. You are concerned that a firewall
failure could result in compliance violations as well as
legal costs due to client court cases. Which of the
following is the best choice of firewall for this situation?
A. Deploy a client system with a native OS firewall.
B. Select any open source firewall product.
C. Use the firewall provided by the ISP connection
device.
D. Deploy a well-known commercial firewall from the
approved products list.
E. Use a multifunction device, such as a wireless access
point.
4. From the following options, what is the most important
factor in selecting a firewall?
A. Biometric authentication
B. Types of traffic to be filtered
C. Sales or discounts
D. Bastion host OS
E. Built-in antivirus scanning
5. A well-designed and configured firewall provides more
than sufficient security protection without any additional
safeguards.
A. True
B. False
6. Which of the following is a benefit of buying a ready-to-
deploy firewall over using a build-it-yourself firewall?
A. Minimal setup time
B. Less expensive
C. Repurposing existing hardware
D. Using open-source software
E. More complex troubleshooting
7. Which of the following is a benefit of using a build-it-
yourself firewall over buying a ready-to-deploy firewall?
A. More costly
B. On-site technical support
C. Greater flexibility and customization
D. Product warranty
E. Requires skill and knowledge to deploy
8. Which of the following is not one of the possible but
rare attacks or exploits against a firewall?
A. Coding flaw exploitation
B. SMB share exploitation
C. Buffer overflow attacks
D. Firewalking
E. Fragmentation
9. The exploit or attack known as ________ can be used to
cause a DoS, confuse an IDS, or bypass firewall filtering.
A. Obfuscation
B. Trojan horse
C. SQL injection
D. Fragmentation overlapping
E. Spoofing
10. Although successful attacks and exploits against
firewalls are rare, what is the best response or
resolution to such compromises?
A. Deploying anti-malware scanning
B. Adding rules to the set
C. Positioning the firewall on a non-chokepoint
D. Increasing the transmission frequency
E. Patching and updating
11. Tunneling across or through a firewall can be used to
perform all of the following tasks except:
A. Using a closed port for covert communications
B. Bypassing filtering restrictions
C. Using any open port to support communication
sessions
D. Allowing external users access to internal resources
E. Supporting secure authorized remote access
12. Which of the following statements is false?
A. ICMP can be used as a tunneling protocol.
B. Encryption prevents filtering on content.
C. Outbound communications don’t need to be filtered.
D. Tunnels can be created using almost any protocol.
E. Tunnels can enable communications to bypass firewall
filters.
13. Which of the following provides anonymous, but not
encrypted, tunneling services?
A. Cryptcat
B. JanusVM
C. TOR
D. PacketIX VPN
E. HotSpotShield
14. What is the best way to know that a firewall is
functioning as expected?
A. Review the documentation.
B. Presume it is until a patch is received from the
vendor.
C. Test it.
D. Check the configuration.
E. Watch the log files.
15. Which method of testing a firewall grants the tester the
greatest range of freedom to perform tests that might
cause physical or logical damage to a firewall?
A. Live firewall tests
B. Virtual firewall tests
C. Laboratory test
D. Simulation tests
E. Production firewall tests
16. Which of the following tools tests and probes whether a
port is open or closed?
A. Nmap
B. Netstat
C. TCPView
D. Fport
E. Wireshark
17. Which of the following testing tools is an open-source
vulnerability assessment engine that scans for known
vulnerabilities?
A. Snort
B. Nessus
C. Wireshark
D. Netcat
E. Syslog
18. What is always the best tool for firewall
troubleshooting?
A. Source code
B. Crimping tool
C. Vulnerability scanner
D. Information
E. Fuzzing tool
19. Which of the following is not a recommended
commonsense element of troubleshooting?
A. Isolating the problem
B. Setting it aside and return to it later
C. Reviewing change documentation
D. Making fixes one at a time
E. Having patience
20. Which of the following is not part of a successful firewall
use?
A. A written plan
B. Specific requirements
C. Purchasing guidelines
D. User survey of preferences
E. Documentation
CHAPTER
10 Using Common
Firewalls
THE ACTUAL DEPLOYMENT of a firewall is a fairly straightforward process. This process begins with
understanding the network environment, includes selecting
a product that satisfies security needs, and ends with a
more secure network infrastructure. Toward that end, this
chapter examines a few of the remaining concepts that are
often part of the decision-making process.
Firewalls are useful in many different situations. Every
network infrastructure can benefit from proper use of a
firewall. This chapter presents additional concerns and
decision points for small and large network environments,
host software firewalls, native operating system (OS)
firewalls, third-party OS firewall alternatives, Internet
service provider (ISP) connection device firewalls,
commercial firewall options, open-source firewalls, hardware
firewalls, and virtual firewalls.
Chapter 10 Topics
This chapter covers the following topics and
concepts:
What some options are for individual and
small office/home office (SOHO) firewalls
What common uses for a host software
firewall are
How to use Windows 7’s host software
firewall
How to use a Linux host software firewall
How to manage the firewall on a connection
device from an Internet service provider (ISP)
What commercial software network firewalls
are
What open-source software network firewalls
are
What appliance firewalls are
What virtual firewalls are
What some simple firewall techniques are
Chapter 10 Goals
When you complete this chapter, you will be able
to:
Configure the Windows Firewall on Windows
7
Set up a broadband connection device
firewall
Individual and Small Office/Home
Office (SOHO) Firewall Options
Firewall options for the individual or for those running a
small office range from native OS firewalls to special-
purpose devices. Most individuals and small office/home
office (SOHO) users are concerned about security but don’t
want to spend more than really necessary. Obtaining a
reasonable level of security for most home or small office
environments is actually quite easy and cost effective.
First, an understanding of the common threats facing
such an environment suggests that firewall options can be
simple and inexpensive. While the Internet is not a safe
place, interacting with Internet resources is not an
automatic recipe for damage and destruction. Common
sense and use of basic security tools greatly reduces the
likelihood that a significant compromise from the Internet
will take place.
Generally, Internet threats fall into two main categories:
passive and active. Passive threats are those you must
seek out to be harmed. For example, you have to visit a
Web site to be harmed by malicious code embedded in that
site. Likewise, downloading infected content occurs only
when you elect to click on a download link. Users can avoid
most passive threats by making good and safe choices as to
where to go and what to do on the Internet.
To address passive threats, modern Web browsers
include pop-up blockers, cookie filters (Figure 10-1), and
malicious site managers to limit exposure. The use of
antivirus scanning, an anti-spyware scanner, and anti-spam
filters addresses other common threats. Adding a firewall to
your security stance protects against most of the passive
threats on the Internet that might be casually triggered.
While it’s still possible to go looking and find trouble, most
well-known and popular sites take security seriously and
strive to make accessing their resources as secure as
possible.
NOTE
Installing a handful of security tools doesn’t mean that
you can throw caution to the wind and randomly
explore the entire Internet safely. Instead, by using
simple security tools along with common sense, most
threats are either blocked or avoided. Potential
exceptions can always affect this rule, of course, such
as when a trusted site is compromised and your next
visit results in the transfer of malware to your hard
drive.
FIGURE 10-1
The Privacy section of Firefox’s Options dialog box. Note the
cookie settings.
The other category of Internet threat is active. An active
threat is one that takes some type of initiative to seek out
a target to compromise. This can be a hacker, an intruder,
or an automated worm. In any case, an active threat seeks
out vulnerable targets. If you do not have reasonable
security deployed and an active threat discovers your
system, you might be at risk for a compromise.
Fortunately, most individuals and small office
environments are not significant or primary targets of most
hacker activity. There just isn’t enough value or benefit in
spending the time and effort to compromise a moderately
secured single computer or small network. If your business
is getting lots of traffic and orders or you happen to be
hosting hundreds of systems, then you naturally become a
more valuable target to hackers.
In most circumstances, the average home user and most
small offices (such as those operating a dozen or fewer
computers in a network) can obtain reasonable security
protection from very simple and inexpensive firewall
options.
The first firewall option to consider is any native
firewall of the operating system. Most OSs include a default
or native firewall. If yours does, investigate its features and
options before automatically tossing it aside. Many of the
firewalls found in the latest releases of operating systems
are as good as or better than most commercially available
third-party host software firewall options.
One of the best-known examples of a native operating
system firewall is Windows Firewall. Windows Firewall made
its debut in the Windows OS as part of Service Pack 2 for
Windows XP. Initially, Windows Firewall was panned because
it imposed security, restrictions, and control on the Windows
OS where none existed before. Many applications and
services failed to function with Windows Firewall. Ironically,
many of these “failures” were caused not by Windows
Firewall, but by a service performing insecure and unfiltered
activities blocked by the security provided by the new OS
firewall.
Since its initial release, Windows Firewall has matured. It
appeared as a standard native feature in Windows Vista and
Windows 7 (Figure 10-2). The measure is likely to remain a
key OS component in future versions of Windows. The
feature set and uses of Windows 7 Firewall are discussed in
a later section in this chapter.
Other OSs may or may not have a firewall as well
recognized as Windows Firewall, but you should still
investigate the standard options and feature set provided
natively before seeking out alternatives. After all, you would
never custom turbo-charge a brand new car until you had
driven it and road tested its standard features.
FIGURE 10-2
Windows 7’s Windows Firewall Control Panel screen
FYI
Current industry nomenclature gives most ISP
connection devices a name that includes the word
“modem.” Don’t be fooled by this label; the term
modem comes from the function of a device that
modulates and demodulates (hence, mo-dem) digital
information into analog signals. Most ISP connections,
including cable, DSL, satellite, and long-range wireless,
are digital signaling systems that don’t employ analog
signals or information of any type. So, the use of the
term “modem” is a merchandising ploy to make the
device sound familiar and comfortable, rather than
complex and scary.
Linux distributions do not automatically come with a
native software firewall. And even when Linux does provide
a native firewall, it’s not likely to be enabled or configured
by default. Due to the wide range of variations in Linux
distributions, Linux provides a range of firewalls. Linux
firewalls include older products such as ipchains and
iptables, as well as newer options such as PF, Netfilter, and
Vyatta.
In addition to the free or native OS firewall options,
another simple and easy firewall that individuals and SOHOs
can use is firewalls hosted by ISP connection devices or
wireless access points. Most ISP connection devices,
including cable modems, digital subscriber line (DSL)
modems, satellite modems, and wireless modems, include
firewall features. A firewall feature may or may not
represent a fully functional firewall. Some are basic filtering
tools that block IP addresses, ports, or protocols using a
simple blacklist technique.
If the ISP connection device provides firewall services,
obtain a copy of the original manufacturer’s user manual for
the device. This will provide the best initial information on
accessing and configuring the device’s firewall, since your
ISP has probably chosen to lock down access to the
connection device. The use of an ISP connection device
firewall is discussed later in this chapter.
An ISP connection device may or may not offer wireless
connectivity. If the provider does not offer a wireless option
or requires you to pay extra for wireless via their equipment,
you should consider deploying your own wireless access
point. Most wireless access points for consumers and SOHO
environments cost under $100 and offer firewall services as
well as wireless connectivity.
The use of native host OS firewalls and a hardware
firewall provided by an ISP connection device or wireless
access point is usually more than sufficient filtering security
for a home user or a small office network. However, if you
want to explore other options or you have a larger, riskier,
or more sensitive environment, consider the other firewall
alternatives.
Uses for a Host Software Firewall
The next step up from a native OS firewall (or even an OS
without a firewall) is a third-party host software firewall.
These options include both open-source and commercial
software firewalls for most operating systems.
You can use a host software firewall in several situations.
The first and most obvious use is simply to protect a client
system. This is the original and intended purpose of a host
software firewall. Keep in mind that a host software firewall
provides protections for both inbound and outbound
communications. A host software firewall protects the client
from compromises on the network and protects the network
from compromises on the client.
NOTE
Before installing any third-party software firewall,
always double-check for full compatibility with your
current operating system version and patch level. If the
firewall’s documentation does not specifically list your
operating system as being fully compatible, don’t
assume that the measure will work properly. Firewall
security is not something to leave to chance.
Use a host software firewall as an additional layer of
protection on a server system. Most server operating
systems do not include a host software firewall. Therefore, a
dedicated firewall appliance often deploys on the network. A
host software firewall on a server is never a substitute for an
appliance firewall. However, it can be a supplement.
A host software firewall can provide firewall filtering
services in relation to a virtual private network (VPN). Just
because the VPN link itself may be encrypted does not
guarantee that the other end of the VPN connection is as
secure as you might desire. Using a host software firewall in
conjunction with either a software host VPN (such as a
transport mode VPN or a remote access VPN) or an
appliance VPN adds an additional layer of protection against
compromises that could traverse the VPN connection.
NOTE
When installing a third-party software firewall, make
sure all native or other firewalls are disabled or
uninstalled. Do not attempt to run two software
firewalls simultaneously on the same computer
system. It’s acceptable to run different software
firewalls on different systems and to even use one or
more appliance hardware firewalls. Just do not attempt
to use two software firewalls on one system.
A host software firewall can provide modest protection
for small networks. Home networks, gaming networks, and
small office networks are sometimes constructed using a
primary system connected to the Internet that shares that
connection with a small network off of a secondary network
interface. On a Windows system, the Internet Connection
Sharing service makes this type of network configuration
simple. Use a host software firewall and provide the
secondary network with modest firewall filtering services.
A host software firewall likely has many other uses. Don’t
limit your imagination or deployment options to those
discussed in books, described in manuals, or prescribed by
the vendor. Use host software firewalls in any network
configuration. The goal is to establish additional layers of
security, not conform to static notions of design and
implementation.
Examples of Software Firewall Products
Software firewall products are important options to consider
when designing and deploying a security solution for home
environments as well as corporate IT infrastructures.
However, as with any type of software, the available
products change constantly. Updated versions of software
firewalls are released frequently; some products disappear
from the marketplace, while new firewall products appear on
the scene all the time.
Before selecting a specific firewall product, do research
to confirm that the firewall is still a fully supported and
maintained solution. You don’t want to buy into a product
that has already been marked for retirement or phase-out,
or be invested in the installation of a version imminently at
risk of being superseded. Verify that the vendor is still
supporting the firewall product. Check on the revision
history and, based on previous time frames, estimate if the
current version release is it a bit stale or a bit tardy for a
revision.
Beware the textbook answer. Most authors are reluctant
to recommend specific current products. Books typically
take six to twelve months to reach the hands of readers
once the author completes the manuscript; coincidentally,
six to twelve months is the life span of many product
versions. A product an author recommends might no longer
be the best option by the time that recommendation
reaches readers.
Take caution when following any specific “textbook”
advice about a specific product, especially a specific version
of a product. Question a product’s shelf life. Gather fresh
information. Always double-check the facts, reviews, and
suggestions via current Internet search resources, vendor
Web sites, IT association blogs and discussion forums,
industry journals, and mass market computing magazines.
Like milk and cheese, most computer software products
have an effective “use by” date that you should be familiar
with.
All that being said, a host of third-party software firewalls
are worth considering. Here are just a few of the more
widely known options:
Check Point ZoneAlarm Pro (free and retail)
Comodo Firewall Pro (free)
eConceal Pro (retail)
Injoy Firewall (retail)
Jetico Personal Firewall (retail)
Lavasoft Personal Firewall (retail)
Look ’n’ Stop (retail)
Norman Personal Firewall (retail)
Outpost Firewall Pro (free and retail)
PC Tools Firewall Plus (free)
PrivateFirewall (free)
Sphinx Software Windows 7 Firewall Control (free and
retail)
Tall Emu Online Armor Personal Firewall (free and
retail)
In addition to standalone, third-party firewalls, some
firewalls come packaged as part of a security suite. These
suite-member firewalls are not available as standalone
products. However, the collection of security applications
might be worthwhile if you don’t already have existing
solutions. Some security suites to consider include:
BullGuard Internet Security
Computer Associates Internet Security
F-Secure Internet Security
Kaspersky Internet Security
McAfee Personal Firewall Plus
MicroWorld eScan Internet Security Suite
Microsoft Security Essentials
Norton Internet Security and Norton 360
Panda Internet Security
Trend Micro Internet Security
Webroot Internet Security Essentials
How fresh are these lists? These products were current and
available as of spring 2013. The lists are not exhaustive and
include only well-known products. As you read this, new
firewall options might now be available and some of the
listed products might have been terminated. If you want to
search for more or current options, search using keywords
such as software firewall, and review.
Using Windows 7’s Host Software
Firewall
The native Windows Firewall of Windows 7 (Figure 10-3) is a
sufficient security measure for many situations. Before
rushing to replace this free security component, take the
time to evaluate the benefits of this capable firewall option.
The version of Windows Firewall in Windows 7 is available
only in Windows 7 and is a host software firewall. However,
it can be used in a variety of situations and network
configurations for most home, SOHO, and mobile
environments.
Windows Firewall in Windows 7 includes configuration
profiles, so you can create custom firewall configuration
settings for work, home, and public connections. This allows
strict limitations in public, modest settings at work, and
more options available when accessing from home (or
whatever your preferences). The benefit is that, once
configured, the firewall will adjust its settings based upon
the network connection each time you’re connected to a
known, previously accessed network.
Windows Firewall in Windows 7 creates a password-
protected homegroup or work-group that allows file and
printer sharing between systems authorized by a password.
This is an improvement over previous versions of the
Windows Firewall, which often encouraged users just to turn
off the whole firewall rather than properly configure file and
printer sharing access rules. In addition, this applies not just
to Windows systems, but any devices or computers
recognized as media sharing devices (such as an Xbox 360).
FIGURE 10-3
Windows 7’s Windows Firewall with Advanced Security
configuration dialog box.
Other Windows Firewall improvements in the Windows 7
version include a more granular control and configuration
management interface, more extensive logging, and
extended ability to be managed from a command line (using
the “netsh advfirewall firewall” command instead of the
previous “netsh firewall” command).
While not revolutionary, and still lacking a few features
such as being a true two-way personal firewall with program
control, Windows Firewall for Windows 7 is a worthwhile host
software firewall for most clients in most network situations.
That said, you should still explore how this product fits your
own computing environment and security needs.
Using a Linux Host Software Firewall
A Linux system can benefit from a host software firewall or
can support a software firewall for a network. The first idea
is simply to install a host software firewall for the benefit of
the local user. This is the same idea as the Windows Firewall
on client versions of Windows. A variety of open source and
commercial host firewall options are available for Linux,
including:
IPCop
IPFire
m0n0wall
pfSense
SmoothWall (Figure 10-4)
FIGURE 10-4
SmoothWall, a Linux host software firewall.
If you selected Linux for its low cost of entry, then selecting
an equally low-cost host software firewall is often an
attractive option. However, paying for commercial host
firewall products might offer a greater range of functions or
services, along with better technical support.
Using a Linux software firewall as a replacement for a
commercial firewall appliance can be a very cost-effective
solution. Linux often can repurpose computer hardware
that’s no longer sufficient to support larger, bulkier, more
resource-intensive operating systems, such as Windows.
Linux can often extend the useful lifetime of computer
hardware by several years. A repurposed computer system
running Linux is a great option for use as a software firewall
host.
Managing the Firewall on an ISP
Connection Device
In addition to the free or native OS firewall options, another
simple and easy firewall that individuals and SOHOs can use
is firewalls hosted by ISP connection devices, routers, or
wireless access points. Most ISP connection devices,
including cable modems, DSL modems, satellite modems,
and routers, include firewall features. A firewall feature may
or may not be a fully functional firewall. It could be a basic
filtering tool that blocks IP addresses, ports, or protocols
using a simple blacklist technique.
An ISP connection device is any hardware connecting a
local network—or even a single computer—to a telco’s
carrier network to access the Internet. Common ISP
connection devices include DSL modems and cable modems
(remember that these are modems in name only; they are
really routers). This definition can also include a wide range
of other broadband devices, including routers, switches, and
wireless access points, especially when required by the ISP
to establish an Internet connection.
Most ISP connection devices use a Web interface. To
initiate access to the management interface, point a Web
browser to the IP address of the device. In most cases, the
device’s IP address is the default gateway address, DHCP
address, or possibly DNS address of the client’s interface
directly connected to a physical port on the device.
TIP
If the ISP connection device provides firewall services,
obtain a copy of the original manufacturer’s user
manual for the device. This documentation will provide
the best initial information on accessing and
configuring the device’s firewall.
Attempting to open the configuration interface is likely to
result in a prompt for authentication credentials. The
vendor’s user manual should indicate the device defaults for
these. If not, search the Internet using keywords such as
“default password” along with the device name, make, and
model. If that fails, try username “admin” with a password
of “admin” or “password.” It’s shocking how often these are
correct.
Your ISP has likely chosen to lock down access to the
connection device. This is sometimes done as a precaution
against the uninitiated, who might cause increased
technical support hassles. If you discover that your ISP
connection device is locked down, try calling your ISP and
asking them to grant you access (often by their revealing
the credentials to log into the device).
If they refuse to offer this information, then you have four
choices. First, you can accept their refusal as “just how it is”
and employ some other device as a hardware firewall.
Second, you can change ISPs or service providers to a
carrier that will grant you access to configure the device.
Third, you can try to replace the carrier’s device with one
that you own and fully control. Fourth, you can seek out ISP
and device-specific information on the Internet, which might
include bypass or hacking details. However, be very
cautious when choosing this last route; it’s often
unproductive, is probably a violation of the ISP terms of
service, is unethical, and may even be illegal.
NOTE
Cable providers are generally less likely to allow you
access into their connection device, while most DSL
providers seem willing to grant at least partial access.
If you are unable to find a legitimate path to accessing
the configuration interface of your ISP connection device,
hacking the device should be your last and final option.
Hacking an ISP-provided device will void your contract and
could make you liable for the cost of the device plus fines
and possible legal action. A more ethical solution would be
to replace the device with one you own and control, or
switch ISPs altogether.
If all else fails, add your own firewall between the ISP
connection device and your first networked system. With
this configuration, you are still gaining the benefit of an in-
line firewall without violating any contracts or flirting with
legal troubles. In most cases, you’ll want to supplement or
disable an ISP connection device’s firewall anyway. Thus, if
your ISP blocks access to it, just design your security as if
the device offered no firewall protection to begin with.
NOTE
Be careful about searching for Web sites that offer
information on how to hack or bypass ISP equipment.
Often the sites are booby trapped with malware to trap
the unsuspecting visitor. In addition, some ISP
equipment may be leased, not sold, and attempting to
access internal features may violate the contract, if not
the law.
Converting a Home Router into a Firewall
Many home routers have sufficiently robust features that
you can configure them to function as firewalls. To ensure
ease of use (and minimize product returns), these devices
are usually shipped with all security features turned off.
Because “plug and play” results in immediate connectivity,
many users never go back to configure their equipment for
security. Thus, hackers and malware often are able to
intrude easily into home networks. You can prevent that by
understanding what is available in this class of products.
To access a home router, type into your browser the IP
address of your gateway. To determine that on a Windows
machine, choose Start > Run, type Command, and at the
C:\> prompt, type ipconfig. Most routers ship with a default
address of 192.168.1.1. If you remember, 192.168.X.X is a
non-routable range of IP addresses, which means that traffic
inside that address range will not be shared with addresses
outside that range.
Once logged in, consider changing a number of settings
(Figure 10-5). First, if the router is a wireless device, change
the service set identifier (SSID) from the default setting. You
do not want to be one of eight access points named
“Linksys” in your neighborhood. Why is this important? Most
PCs will grab the strongest wireless signal from a known
SSID. If you have standard SSIDs such as Linksys in your
wireless access table, you may find yourself on a neighbor’s
(or hacker’s) system someday without realizing it. Another
good idea is to change the default IP address range to
something else other than 192.168.1.X. This creates a
custom range for your own network. If you hard-code your
internal network range to something like 10.20.30.X, you’re
less likely to stumble into that situation.
FIGURE 10-5
The initial configuration screen on a Cisco Linksys wireless
router.
Most routers enable Dynamic Host Configuration Protocol
(DHCP) by default. You could lock down your network by
either hard-coding IP addresses into each authorized
machine (and turning off DHCP) or setting a strict upper
limit on the number of devices permitted to have DHCP
leases (most default settings are 100). If you have five
devices, limit the number of connections to five. (Don’t
forget about the Xbox 360 or PS3—they need IP addresses
too!)
NOTE
Don’t forget to change the default administrator
password of your device.
For firewall settings, most routers will have a
configuration page to block services or control port access.
Determine what ports you need to access the Internet, and
then block all of the rest. Note this setting restricts
outbound traffic. So why block it if it originates from within?
Malware, zombies, bots, and other hostile applications
usually have to connect to the outside to do their damage. If
you accidentally download dangerous malware onto your
laptop at your favorite coffee bar, and then connect to your
home or office network behind the firewall, that malware
may have access to all of your peer systems. However, if
you are blocking all nonessential outbound traffic, then most
malware won’t be able to exfiltrate your sensitive
information or ask for evil instructions. Only those
applications that use a common port (like 80) will be able to
get through.
Which outbound ports should you block? First, consult
your policy, or determine what programs you are using. For
the most part, you’ll want to allow the following outbound
ports to be open at all times:
Port 25—SMTP (outbound mail)
Port 53—DNS
Port 80—HTTP
Port 110—POP (initiate request for inbound mail)
Port 443—HTTPS
Ports 465 and 995—SMTP and POP (if you’re using
Gmail)
Port 1024–1035—DCOM ports for downloading files
(increase number of ports based on number of
systems protected; 10 is usually sufficient for a home
network)
Beyond port 1035, you may not need to allow outbound
traffic, unless you are using cPanel to access an externally
hosted Web site on port 2083, or port 11371 if you’re
looking up PGP keys. By blocking all other high ports, you’ll
also quickly hear from people who may have been using
some of these ports, which are dedicated to gaming
software. At home, you might want to allow (or set time
limits); at work, you probably want to block these ports.
In general, you should not accept any connections that
originate from outside your firewall. Your policy may permit
exceptions, such as remote access tools, so be careful about
blocking everything. Some home firewalls don’t provide a
direct way to block specific incoming ports, but most allow
you to do port forwarding. A clever way to use this to thwart
external attacks is to forward to a nonexistent port. So, for
example, if your local network range goes from 10.20.30.40
to 10.20.30.49, you might forward incoming connection
requests to port 10.20.30.99—where no one is listening!
Ports you might consider forwarding are:
Ports 20 and 21—FTP-data and FTP. Prevent external
connections from downloading your files.
Port 23—Telnet. Prevent external connections from
insecurely logging into your internal systems.
Port 53—DNS. Prevent external entities from
poisoning your DNS cache.
Port 80—HTTP (unless you are running a Web server
from behind your firewall, which is a bad idea).
Ports 81 and 82—Often used as “overflow” for port
80. No valid use, so block them.
Ports 137, 138, 139—NetBIOS. Often exploited by
malware, this provides access into Windows systems.
Port 443—HTTPS (unless you are running a secure
Web server from behind your firewall, which is still a
bad idea).
Port 445—NetBIOS for Windows 2000 and later.
Port 3074—Xbox game port. Don’t allow strangers to
connect to your Xbox while you’re away. Remember—it
“lives” on your internal network.
An excellent way to test your configuration is to go to Steve
Gibson’s http://www.grc.com Web site and run his free
ShieldsUP! port scanning tool (Figure 10-6). Most people end
up scoring poorly. If you can achieve 100 percent stealth,
you’ve done a great job.
FIGURE 10-6
ShieldsUP! port scan result confirming a well-configured set
of home router firewall rules.
FYI
A commercial product is simply one that’s for sale
rather than given away without cost. Commercial is not
necessarily the antonym of open source or a synonym
of closed source. Additionally, commercial is not
necessarily the opposite of free.
An open-source product is one where the source code
can be obtained and viewed by anyone. A closed-
source product has its source code protected so that
the public cannot view it. A commercial product can be
either open-source or closed-source. However, most
commercial software is closed-source. This is viewed as
a means to protect intellectual property and allow the
vendor to continue to charge for the product.
Free can mean both no price or having liberty. Free
software can have no cost, which makes it non-
commercial. Free software can also be commercial
software that grants liberties to its users.
For further discussion on free software, please visit
GNU organization’s site at www.gnu.org.
Commercial Software Network
Firewalls
Commercial software network firewalls install onto your own
hardware and provide network-level security services. Some
commercial software network firewalls install on top of
existing operating systems, such as Windows. Others are
complete OS replacements, many of which are Linux-based.
As with any firewall selection, know your environment
and understand your security needs before shopping for a
firewall solution. It’s bad security to purchase a product
because it’s on sale, is prominently advertised, or is
recommended by a salesperson (or even an author).
Instead, match your security needs with the product that
best suits, fulfills, or satisfies those needs.
Open-Source Software Network
Firewalls
An open-source software network firewall is a product that is
usually available at no monetary cost and whose source
code is available for review. An open-source solution often
can be a cost-effective option. However, just because a
product is free does not ensure its reliability or
trustworthiness. Additionally, being able to review the
source code doesn’t warrant the reliability of a product.
You should thoroughly review and test every security
product, including firewalls, before purchase and
deployment. Seek out a product that meets your specific
organizational security needs, rather than selecting
something just because it’s open source or free of charge.
Appliance Firewalls
Appliance firewalls, whether called device or hardware
firewalls, are common and nearly essential elements of
every moderate to large network infrastructure. A hardware
firewall is a dedicated hardware device that has been
specifically built and hardened to support the functions of
the firewall software running on it. A hardware firewall is
also known as an appliance firewall.
A hardware firewall does not require any additional
hardware or software for its deployment. All it needs is
network connections and a power connection. A hardware
firewall has dedicated hardware resources not shared with
any other service. A hardware firewall can protect a single
system or an entire network.
A hardware firewall can filter only traffic that reaches the
network interfaces of its appliance. However, you can
position a hardware firewall on a network at a chokepoint or
gateway to analyze and filter all traffic.
Firewalls, specifically hardware appliance firewalls,
typically have two or more network interfaces. A firewall
with two interfaces is known as a dual-homed firewall, while
a firewall with three interfaces is known as a triple-homed
firewall or a three-legged firewall.
The benefit of multiple interfaces is that the segments,
subnets, or networks connected to each firewall interface
are electronically isolated from each other. This prevents
unfiltered traffic from leaping from one segment to another
in an attempt to bypass firewall filtering.
However, for firewalls using multiple interfaces, ensure
that you disable the TCP/IP protocol feature IP forwarding. IP
forwarding is actually a router rule that allows traffic from
one interface to traverse to another interface without
needing to move any further up the protocol stack than
where IP resides. In many cases, IP forwarding allows
packets to bypass filtering. If you’re using the system as a
firewall, be sure to disable this feature.
A personal hardware firewall can be part of an integrated
firewall product, such as a wireless access point or a
cable/DSL modem. Another variation of the personal
hardware firewall is the repurposing of a client or server
computer into a home-crafted, open-source firewall. One
example of this is SmoothWall, a hardened bootable Linux-
based firewall.
A commercial hardware firewall usually handles the
complexity of larger organizational networks. A commercial
hardware firewall is often very expensive—$10,000 or more
is not uncommon.
The personal and commercial variants of software and
hardware firewalls might include different add-ons or
enhancements than their commercial equivalents. These
add-ons or enhancements include antivirus, password
management, registry protection, driver protection, VPN
gateways, remote access support, IDS, IPS, spam filtering,
and more. Usually, these add-ons make the firewall products
more attractive to the potential individual buyer. However,
most commercial entities would generally avoid integrated
firewall solutions in favor of dedicated products to handle
the distinct security or management functions. An
integrated device might offer easier administration, but it
represents a single point of failure for multiple services.
Additionally, such devices are more difficult to troubleshoot
due to the complexity of the communications supported.
A variety of manufacturers and vendors make and
service appliance firewalls. The specific products in this
category change constantly, so including a list of exact
make and models would be outdated within months.
(Remember the “use by” date on that carton of milk?)
Instead, to find the best products available for either SOHO
or enterprise-sized environments, visit the vendor’s
technical review sites for updated product discussions, blogs
and discussion forums, and buyer’s guides. Some of the
major vendors/brands to consider include:
Barracuda
Cisco
D-Link
Fortinet
Juniper Networks
Linksys (now owned by Cisco)
NetGear
SonicWALL
WatchGuard
ZyXEL
When selecting a hardware or appliance firewall, keep a few
important points in mind. Commonsense or basic concerns
include ease of use, secured management interfaces, port
filtering support, stateful inspection filtering, and the ability
to be firmware/software upgraded.
Never skimp on throughput. Firewalls often represent
bottlenecks to network bandwidth and thus should be
selected to maintain wirespeed. Be sure a hardware firewall
can more than handle the current network speeds and allow
for future growth. If you are currently pushing a 1 Gbps
network, consider a firewall capable of filtering at 2.5 Gbps
wirespeed or higher.
For larger networks, centralized and remote
management options are often essential. If firewall
management requires direct physical contact or if you can
configure only a single firewall at a time, you may find these
significant hindrances to managing very large networks. An
important part of a realistic firewall solution for enterprise
networks can be multiple device management, including
simultaneous configuration synchronization features.
Consider whether add-ons, upgrades, or extras are
available and whether that’s important to your decision.
Some firewall devices convert to firewall-plus devices or
true multifunctional devices. Additional features may
include e-mail scanning, message quarantine, attachment
stripping, virus scanning, mobile code filtering, anti-
spyware, intrusion detection system (IDS) and intrusion
prevention system (IPS) features, spam filtering, compliance
monitoring, and network access control. Products that
support expansion or firewall additions are known as unified
threat management tools or may fall under the heading of
advanced intrusion detection and prevention systems.
Whatever the options presented by a vendor, always
consider them in light of your actual current and future
network needs. Just because a product is expensive does
not guarantee it will work better than a free, build-it-yourself
alternative.
Virtual Firewalls
The term “virtual firewall” describes a variety of firewall and
firewall-like concepts. This can include virtualized software
firewalls that provide filtering services for a standard
physical network as well as firewalls running between
virtualized client and server operating systems. In theory,
the use of a software firewall as a replacement for a network
appliance could work as long as the host OSs network
communication is routed through the virtual firewall before
leaving the host’s network interface controller (NIC).
This is a relatively new and growing area for firewall
deployment. Virtualization offers numerous benefits over a
traditional single OS to a single hardware box deployment.
Virtualization allows for rapid development, quick
prototyping, isolation, traffic management, quick recoveries,
testing, and so on. By virtualizing firewalls along with
operating systems, you can craft new network architectures
that do not or could not exist in the traditional network
architectural concepts.
For example, with a virtualized firewall, you could route
every communication between every virtualized OS through
the filtering services. This would be the equivalent of
deploying an appliance firewall between every system, but
without the hassle, expense, or complexity.
Virtual firewalls are not a panacea. Virtual firewalls will
not be useful in every situation, but they are an interesting
new option for deployment to monitor, manage, and filter
network traffic over traditional or virtualized network
segments.
Simple Firewall Techniques
A few mundane concerns affect every firewall user when
employing a firewall of any type. In most cases, these issues
are common sense or at least well known, but they are often
overlooked, forgotten, or discounted. For this reason, they
are included here.
After writing a firewall security policy, obtaining approval,
and obtaining the firewall to install, the first step in
deploying a new firewall is to change the default password
of the administrator account. Better yet, modify every pre-
defined user account and every default access code of any
type. Use something unique, original, and difficult to predict.
Testing is essential. No change or alteration of
configuration is so minuscule that testing is inappropriate.
Every change should trigger a test to confirm that the
change took effect and caused no unintended
consequences.
Many firewall appliances can be quickly reset to factory
defaults with the simple press of a button. Some devices
have a reset button prominently located and labeled so that
anyone with a finger can casually revert to default status.
However, such an obvious button has disadvantages, such
as accidental or innocent hand movements.
Fortunately, a growing number of devices that still offer
button-based reset options have receded the button behind
a tiny pinhole. A straightened paper clip (or an expensive
tiny screwdriver) depresses the reset button. Often, a single
quick press is insufficient to reset the device; a series of
presses or a prolonged 10- or 30-second depress may be
necessary to trigger a reset. This feature makes accidental
depression impossible but also makes intentional resetting a
bit of a challenge. Be sure to consult the user manual for
instructions that may not be obvious or intuitive.
Keep a printed or written copy of all rule sets and
settings on hand. Periodically, verify manually that all
settings remain as you want them. This is done by viewing
the configuration or management interfaces and comparing
the live settings to those defined in your documentation.
Whenever you discover a discrepancy, investigate and
repair it at once.
Finally, regularly visit the vendor’s Web site and
discussion forums (including non-vendor-supported ones) for
news and information about your firewall product. Keep
current with announcements of updates, problems with
updates, newly discovered holes or exploits, alternative
configuration ideas, troubleshooting options, and more.
CHAPTER SUMMARY
Firewalls are useful in many different situations. Every
network infrastructure can benefit from proper use of
a firewall. When making a choice about what firewall
to deploy, consider a breadth of options, including the
needs of both small and large network environments,
host software firewalls, native OS firewalls, third-party
OS firewall alternatives, ISP connection device
firewalls, commercial firewall options, open-source
firewalls, hardware firewalls, and virtual firewalls.
KEY CONCEPTS AND TERMS
Active threat
Cookie filter
Native firewall
Passive threat
Pop-up blocker
CHAPTER 10 ASSESSMENT
1. What types of Internet threats are considered passive,
in the sense that the user must seek them out to be
harmed? (Select all that apply.)
A. Malicious Web sites
B. Worms
C. Downloaded content
D. Spam
E. Trojan horse
2. Average home users and workers at a large corporation
can both benefit from which of the following:
A. Open-source hardware firewall
B. Gateway server firewall
C. Commercial appliance firewall
D. Host firewall
E. Proprietary device firewall
3. In what locations is a home or SOHO user likely to find a
firewall by default? (Select two.)
A. A self-installed software firewall
B. Hosted by the operating system
C. A build-it yourself appliance firewall
D. Hosted by the ISP connection device
E. A commercial firewall device
4. Windows operating systems are the only operating
systems that include a native or default host firewall.
A. True
B. False
5. What is the maximum number of host software firewalls
that should be operating on a single computer at any
point in time?
A. One
B. Two
C. Three
D. Four
E. None
6. Firewalls are designed to provide protection for both
________ and ________ communications.
7. An organization should consider purchasing last year’s
model firewall instead of this year if they receive a
significant discount.
A. True
B. False
8. When considering the deployment of a firewall, which of
the following should be considered? (Select all that
apply.)
A. Commercial firewalls
B. Legacy firewalls
C. Open-source firewalls
D. Beta firewalls
E. Do-it-yourself (DIY) firewalls
9. Windows Firewall for Windows 7 includes an easy-to-
configure new feature that allows file and printer
sharing between systems authorized by a password.
This feature no longer encourages users to just turn off
the whole firewall rather than figure out how to properly
configure file and printer sharing access rules. What is
this feature called?
A. Internet Connection Sharing
B. Quick config
C. Homegroup
D. Shared computing
E. Microsoft Easy Access Firewall
10. What is the command line tool used to configure
Windows Firewall for Windows 7?
A. route firewall
B. netsh advfirewall firewall
C. new use firewall
D. firewall config
E. netsh firewall
11. Using a Linux software firewall as a replacement for a
commercial firewall appliance can be a very cost-
effective solution. Linux often can repurpose computer
hardware that is no longer sufficient to support larger,
bulkier, more resource-intensive operating systems.
A. True
B. False
12. The firewall configuration on an ISP connection device
is most commonly accessed through what type of
management interface?
A. SMTP
B. HTTP/HTTPS
C. SSH
D. FTP
E. RSH
13. If your ISP refuses to grant access to configure their
connection device, what legal options are available to
you as alternatives? (Select all that apply.)
A. Live without configuring it.
B. Hack into it.
C. Deploy your own hardware firewall alternative.
D. Purchase your own connection device.
E. Change ISPs.
14. What is the command line utility used to display the IP
configuration of your Windows computer?
A. ifconfig
B. net use network
C. netconfig
D. ipconfig
E. netstat
15. When configuring a wireless access point to provide
firewall services, which of the following are important
configuration actions to take? (Select all that apply.)
A. Change the default administrator password.
B. Block unwanted ports.
C. Change the SSID.
D. Turn off SSID broadcasting.
E. Change the default IP address range.
16. In general, you should not accept any connections that
originate from ________ your firewall.
17. If your home firewall device is unable to block ports,
use ________ instead to route data to nonexistent hosts.
18. It is best to pick a firewall based on:
A. Actual network security needs
B. Recommendations of a salesperson
C. The list of awards given the product
D. The price
E. Prominent advertisement
19. Appliance firewalls are only and always commercial
firewalls.
A. True
B. False
20. When selecting a firewall, especially a hardware
firewall, never skimp on ________.
CHAPTER
11 VPN Management
VIRTUAL PRIVATE NETWORK (VPN) MANAGEMENT is a critical component in your organization’s computer security.
VPNs extend the internal network beyond the perimeter
secured by firewalls and other security technologies. Proper
management of a VPN requires an understanding not only of
VPN technologies, but also the business requirements
driving VPN implementation.
Using the wrong type of VPN or a VPN that doesn’t meet
your organization’s requirements can create security
problems where none previously existed. Before selecting a
VPN product or technology for your organization, create a
detailed requirements document. This should factor in not
only the security requirements for the VPN, but business
requirements as well. Although security is important, keep
in mind that security exists to support your organization’s
goals, not the other way around.
As soon as you have a set of prioritized requirements,
start looking for a solution that meets as many of these
requirements as possible. You may not be able to find a
single product that meets all requirements. When that
occurs, choose the solution that best fits the highest priority
requirements. In some cases, using multiple solutions to
meet all the requirements may be the right solution.
Good research is crucial to selecting the appropriate VPN.
Don’t rely solely on Web sites, technical magazine reviews,
or an attractive sales pitch. Depending on your
requirements, you may want to explore robust public
domain solutions rather than an off-the-shelf commercial
product.
Keep in mind that VPNs are a security technology, but
they may also degrade your security perimeter. Putting a
VPN in place is just the beginning of the project; you’ll need
to address a number of additional factors for a successful
VPN deployment.
Chapter 11 Topics
This chapter covers the following topics and
concepts:
What VPN management best practices are
How to develop a VPN policy
How to develop a VPN deployment plan
What common VPN threats and exploits are
What the tradeoffs are between commercial
and open source VPNs
What the differences are between personal
VPNs and network VPNs
How to balance anonymity and privacy
How to protect VPN security to support
availability
What the importance of VPN user training is
How to troubleshoot VPN issues
Chapter 11 Goals
When you complete this chapter, you will be able
to:
Describe VPN best practices
Write a VPN policy
Describe the issues involved with
deployment, placement, and implementation
of a VPN
Appraise the threats and attacks against
VPNs
Contrast the needs and features of personal
and enterprise or network VPNs
Compare anonymity and privacy
Compose an introductory VPN training
program for users
Formulate a procedure for troubleshooting
VPNs
VPN Management Best Practices
First, familiarize yourself with the recommendations,
guidelines, and procedures that will allow you to manage
your VPN securely, efficiently, and as cost effectively as
possible. These techniques and recommendations are
known collectively as “best practices” and are generally
developed and published or shared by experts in the field.
VPNs have been around since the late 1990s. That means a
significant amount of real world experience is available in
the industry for your reference.
A best practice is generally not a tool, but rather the
collected wisdom of fellow security practitioners sharing
what they have learned. One of the great things about
working in the information security field is that numerous
experts are generally willing to share their experience. Be
warned, however: Security experts tend to have very strong
opinions, so any time you are reviewing a best practice, be
sure to keep the needs and requirements of your own
environment in mind. A process that works great in a
25,000-employee global manufacturing company may not
work nearly as well in a 50-employee medical records
processing company.
That said, you might well be able to adapt a process from
another company to fit your environment. The key to
getting the most out of best practices is to consider them
with your specific environment and requirements in mind.
Keep what works, modify what you can adapt, and ignore
what doesn’t make sense. After some time in the business,
you will be the person other people come to for advice.
Provide redundancy, because everything, including VPNs,
can break. If your organization will be relying on your VPN
for remote access, encrypting and securing data, or
providing a business partner access to your extranet, you
will find out quickly how critical your VPN is on the day it
breaks. Most commercial VPN products offer a failover or
load-balancing capability so that in the event one device
fails, the other will pick up the traffic.
Often, VPNs are provided via a cloud implementation. In
this case, be sure that a level of redundancy is built in and
that the redundancy is clearly spelled out, and guaranteed,
in the contract or service level agreement (SLA), as it
will otherwise be out of your direct control. The good news
about anything implemented as a cloud application is that
someone else takes responsibility for the exact
implementation. This is also the bad news, especially for
security practitioners.
Alternatively, keep a spare VPN product on your shelf,
configured and ready to go live in the event of a failure.
Generally, waiting for tech support or ordering a spare part
can take more time than your organization is willing to wait
for restored service. You’ll learn more on this later in the
chapter.
Choosing the right VPN product is critical to the long-
term success of your VPN deployment. Take your time,
document your requirements, carefully evaluate the
capabilities of each VPN product you review, check with
peers if available, and review appropriate industry literature.
A security magazine review of VPN products is a valuable
tool for starting your search—or even narrowing the field
once you have your requirements documented—but don’t
select your solution solely based on who won last year’s
Editor’s Choice award from your favorite industry magazine.
While the editors and reviewers at most industry magazines,
Web sites, and blogs are technically capable and spend a lot
of time looking at products, they don’t have to support the
product in your environment. Ultimately, you will be
responsible for meeting your organization’s requirements
and maintaining support.
Beware the vendor with the slick PowerPoint presentation
offering a free lunch. Avoid purchasing products based on
promises rather than proven capabilities. Slideware, also
sometimes known as vaporware, is any product that
appears in a vendor’s PowerPoint presentation, but is not
yet available for sale. When possible, road-test a product in
your environment before purchasing. It’s always a good idea
to see what a product can do firsthand.
Finally, when looking for a product, consider using
resellers and consultants. A good reseller can do some of
the legwork for you by narrowing the search to a smaller
pool of products. While some resellers work much like a
standard department store, selling whatever is on the
shelves, many will go the extra mile to ensure you get a
product that will work in your environment. This saves them
the challenge of trying to support a poor product after
they’ve sold it, and if you like the solution, they have the
opportunity to sell you additional products in the future.
A VPN policy (often referred to as a remote access policy)
documents your organization’s rules for using the VPN. You
will read about creating a VPN policy at length later in this
chapter. Recognize, however, that proper policy framework
is a key best practice when dealing with security
technologies, especially those offering remote access to
your computing environment.
The client is a critical component of your VPN solution.
For the most part, VPN technology is both mature and
secure. VPNs are subject to denial of service (DoS) attacks,
but VPN servers are rarely hacked. Nevertheless, VPNs
remain a viable vector for someone who wants to attack
your network. The target of these attacks is typically the
weakest link of the VPN chain—the client. A typical VPN
client runs an operating system that needs to be patched at
least once a month, runs applications that may need to be
patched almost as often, and is vulnerable to viruses,
spyware, and other attacks. Be sure to install antivirus
software, anti-malware software, and a software firewall on
every client that will be connecting to your network through
the VPN.
Split tunneling is a configuration setting that allows
simultaneous access to both an untrustworthy network (like
a home network) and a secured VPN network connection.
This may not sound like a bad idea at first—after all, why
wouldn’t you want someone connected to the VPN to access
the Internet or their home network (or another network) at
the same time? The reason split tunneling is a bad idea is
that it potentially opens a door into your network that you
can’t control. This is known as hairpinning, because
malicious code can enter from the non-secure network,
make a hairpin (or sharp) turn, and enter your secure
network with little or no trouble because it is entering from
a secure and verified endpoint.
If the client machine is compromised by a virus that
permits remote control of the system by an attacker, and
that client machine connects to the VPN, the attacker will
have access to your internal network from anywhere on the
Internet. If you prohibit split tunneling, however, then even
if the attacker can compromise the client, the external
connections terminate as soon as the VPN connects,
ensuring your network is secure (even if the client is not).
If it doesn’t belong to the company, it shouldn’t connect
to the company’s network. One of the challenges of working
with remote access VPNs is making sure that the client at
the other end of the connection is secure. Remote access
VPNs permit access to a secure network from a remote
location across an untrustworthy network. If the client
system is not secure, you run the risk of compromising your
secure network.
Fortunately, you have some control over your
organization’s computers. You can require antivirus, anti-
malware, IDSs, and firewall software on any computers your
company owns. With systems not owned by the
organization, you cannot require anything. As a result, if you
don’t prohibit non-company systems from connecting to the
network, you cannot control whether those systems are
secure, meaning you can’t ensure that your network
remains secure. It’s very easy for an end user to load a VPN
client on a home PC and connect to your network. While
some VPN solutions offer techniques to prevent uncontrolled
systems from successfully connecting, it’s important that
you lay the groundwork by prohibiting the practice.
This is a problem that must be dealt with if the
organization has a Bring Your Own Device (BYOD) policy and
a virtual private network. How should BYO devices be
admitted to the VPN, and what are the policy and technical
guidelines for connection? How much security is the
organization willing to give up to gain the financial and
operational benefits of BYOD? In many cases, cloud-based
providers will offer support for a wider variety of client OS
types and versions than a traditional VPN product. Maybe it
is time to consider a cloud-based solution. These are all
factors your organization must take into account when
considering your VPN and the security, or insecurity, of your
information.
Effective vulnerability management can help manage
your remote clients. These are the technology and business
processes used to identify, track, and mitigate known
weaknesses on hosts or applications within a computing
environment.
Remember, everything is vulnerable to attack. UNIX,
Windows, routers, network printers, and even your VPN
solution will have vulnerabilities. Examples of vulnerabilities
include software coding errors, improper configurations, and
poor password choices. The danger with a VPN is that it
expands your network from systems you can closely control
to include systems in a home office, a branch office, a hotel,
a Starbucks, or even a business partner’s network.
Vulnerability management is a combination of tools and
processes that allow you to reduce risk in your computing
environment, including VPN-connected systems and
networks. Use tools that periodically test your environment,
including the VPN systems, for missing patches,
configuration issues, known exploits, and other
vulnerabilities. This will ensure that your remote systems as
well as your local systems are secure. Scan often and
address issues when you find them.
technical TIP
When addressing vulnerabilities in your environment,
be efficient. If you are using a tool that ranks
vulnerabilities from Level 1 to Level 5, where Level 1 is
informational and Level 5 is critical, you might be
tempted to address the Level 5s first, and then come
back and address Level 4s next, then Level 3s, and so
on. But this would be similar to having a keyboard with
several broken keys. You wouldn’t fix the “E” key first,
then come back later to fix the “U” key because it’s
less critical—you’d fix them all at once. Take a similar
approach with vulnerabilities. Determine what level of
vulnerabilities you want to address in your
environment (all Level 3 and above, for example), then
tackle them, system by system. While this approach
may leave some Level 5s in the environment a little
longer, it will take a lot less time to secure the entire
environment, since you will not need to touch the
systems multiple times.
Your VPN is only as secure as your authentication
method. One of the easiest ways to compromise a VPN is by
compromising the authentication credentials. All it takes is
one user with a password of “password” to open a direct
connection to your network. A best practice is to use two-
factor authentication for VPN access. This is a method of
proving identity using two different authentication factors.
Authentication factors are something you know, something
you have, or something you are. Examples include a smart
card (something you have) with a PIN (something you
know); a biometric device (something you are) coupled with
a password (something you know); or a proximity card
(something you have) that activates a fingerprint reader
(something you are).
If you fail to plan, you plan to fail. Document your
implementation plan! You can’t simply find an open rack in
the data center, run a cable, plug in a device, and keep your
fingers crossed that it will work. Document your
implementation and support plans. You’ll learn more on this
later in the chapter.
Monitoring the availability of the VPN can be a lifesaver.
The typical (and worst) method to discover issues with your
VPN is when users start calling for help. This can be
particularly challenging when the callers include members
of your organization’s senior management team. A corollary
of Murphy’s Law may be, “The likelihood that a senior
management team member will be trying to access the
network over the VPN is directly proportional to the
likelihood that the VPN will fail.” It’s far better to alert senior
management to temporary problems than to be informed by
them that something isn’t working. Since VPNs are network
components, you can generally use the same monitoring
equipment that you use to monitor routers, switches, and
other network gear.
NOTE
Vendors can be very helpful when your equipment is
down. Many technical and information security
professionals believe they can fix anything, and
sometimes they will work on a problem for long hours
before finally reaching out to tech support. While tech
support can be problematic, especially when wading
through the first level of support, the vendor can be
invaluable when the problem is in the VPN equipment
or software.
Once you have your VPN deployed, regularly review
usage. If you notice there are employees who don’t use the
VPN, you may want to remove their access. If you see
employees who have multiple concurrent connections, you
may have a security issue, and should investigate further.
Back up your VPN configuration regularly. This is a good
practice for any network equipment, but in the event your
VPN hardware fails and needs replacement, you’ll want to
be able to restore your last known working configuration
quickly. Rebuilding a VPN configuration from the default
settings can be a long and challenging task— not to mention
making post-incident review meetings an unpleasant
experience.
Patch regularly. Vendors typically release patches and
updates to VPN code throughout the life of the product.
These patches address security issues, fix bugs, or provide
additional functionality. In an ideal environment, you will
have a development VPN that you can use to test patches
and updates. In most environments, however, you will not
have the luxury of a development VPN and will have to test
when you implement in production. In either circumstance,
work closely with your vendor to make sure you receive
prompt notice of patches and updates, and establish an
operational process and maintenance window to apply
patches and updates in a timely fashion.
Your VPN solution may end up being a critical component
of the organization’s business continuity planning and
disaster recovery planning. In the event of an incident that
prevents employees from getting to their work location, a
VPN that provides work-from-home support is a key
component of many recovery plans. Events such as
earthquakes, snowstorms, tornadoes, floods, and other
natural disasters can make working remotely a viable
alternative to standard operations.
This collection of VPN management best practices is
meant to serve as the starting point for your successful VPN
deployment. It’s not meant to be comprehensive, but
instead to offer some common practices and processes to
help you with your VPN deployment. Depending on your
VPN solution, your environment, your business
requirements, and your experiences, you may find that you
will use every one of these—or use only a few. The key is to
ensure that you are doing what works in your environment.
If you need help, don’t be afraid to reach out to your peers
for advice and suggestions. You will find, over time, that you
will develop your own set of best practices as you gain more
experience as a security practitioner, and soon others may
be asking you for advice.
Developing a VPN Policy
If you are implementing or supporting a VPN solution, use a
VPN policy to ensure your users understand the
requirements for computing on the VPN. A VPN policy is
sometimes called a remote access policy, a term used when
dial-up lines and modems were the primary means to
access the network remotely. Keep in mind that a VPN policy
should be a part of your overall policy framework, and not a
standalone. If you try to develop your VPN policy in isolation
from the overall policy framework, you may find that you
are duplicating information, or potentially writing VPN policy
that conflicts with other aspects of your overall policy
framework. For example, if you put a requirement in your
VPN policy that user passwords must be 10 characters long
and the password policy says they have to be eight
characters long, you will confuse end users.
The components of a solid VPN policy include:
Introduction—State the policy by name and tell how
it fits into the organization’s policy framework.
Purpose—Describe the issues the policy addresses
and how the policy should be used. Include references
to any applicable governance, risk, or compliance
issues, as well as any specific legal or regulatory
requirements supported by the document.
Scope/binding nature statement—Describe the
systems, networks, or people covered by the policy.
Describe penalties associated with not following the
policy. The phrase “disciplinary action up to and
including termination” is common in security policies.
Definitions/acronyms—Define technical terms or
acronyms used in the policy.
Document—Include the document creator, creation
date, version, document status (for example, draft,
template, policy, and guidelines), as well as any
version tracking information.
Policy—This is the actual policy language. Be very
clear in this section, leaving as little open to
interpretation as possible.
Optional elements
Summary—If your policy is very long, you may
want to summarize it in a bulleted list at either the
beginning or end of the policy. This provides
employees a quick method to check for policy
statements.
Roles and responsibilities—If your document is
lengthy, or you need to document who does what
under the policy, include roles and responsibilities.
For example, a policy dealing with infrastructure
might include roles for the system manager, system
architect, end user, developer, or other key people
within the organization.
Some specific topics to include in your VPN policy are:
Restrict remote access to the organization’s VPN
solution.
Prohibit split tunneling.
Define what classes of employee can access the
network by VPN. This could include regular employees,
vendors, contractors, and temps, or it could be
restricted to only home office workers, depending on
business requirements.
Define what types of VPN connections will be
permitted.
Define authentication methods permitted.
Prohibit sharing of VPN credentials.
List the configuration requirements for remote hosts,
including current virus protection, anti-malware, host-
based intrusion detection system (HIDS), and a
personal firewall. Some VPN solutions include the
ability to check for these types of configurations.
Prohibit the use of non-company equipment or, if
personal systems may connect to the VPN, define the
minimum standards for those connections.
Define required encryption levels for VPN connections.
If you will be using your VPN for network-to-network
connections, define the approval process and criteria
for establishing a network-to-network connection.
Have your policy reviewed and approved by your
communications, legal, and human resources departments
before release. Document the appropriate approvals in the
document status portion of the policy, then communicate
the policy to your employees. Posting the policy to an
information security or security policy intranet Web site is a
common practice. Once it’s available on the intranet, you
can use standard communications methods to make
employees aware of the policy requirements. These
methods can include e-mail, a structured awareness
program, inclusion in new-hire training, or even
FYI
Before selecting and purchasing a VPN solution,
consider a number of factors. One that is too frequently
ignored is the budget for the solution. Carefully
consider your criteria and evaluate your options,
always keeping in mind that you need to live within
your budget. When budgeting, be sure to look at not
only acquisition costs, but also the ongoing support
and maintenance costs for at least the first three
years.
Web-based or in-person policy training. The method you
select will be based on your organization’s size, locations,
and requirements. They key with any type of awareness
training is to structure your communications to the correct
audience. A group of engineers will require a very different
introduction to a technical policy than a sales team might.
These are just some of the factors in developing a VPN
policy for your organization. While they should form the
basis for the development of your organization’s policy, be
sure to cover all applicable requirements. One sure way to
alienate your employees is to release a policy that makes no
sense to them or that you have to revise too soon to cover
things you didn’t think of the first time through. Take your
time, consider all the requirements, and you will end up with
a usable VPN policy.
Developing a VPN Deployment Plan
Now that you have an understanding of best practices and
VPN policy, you’ll look at how to select, place, and use a
VPN.
Consider these criteria during your search:
What types of VPN connections does the solution
support (user access, site-to-site, or both)?
What encryption protocols are supported?
How many VPN connections are supported?
How well does the VPN perform compared with a high-
speed network?
How well does the VPN interoperate with your existing
network infrastructure?
What are the support options available from the
vendor?
How easy or difficult is the VPN to set up?
What are the management capabilities available with
the VPN?
What additional features does the VPN offer?
Does the VPN support failover or high availability
configurations?
How scalable is the VPN?
Once you have gathered this information, you can start to
narrow your selection based on how well these features
meet your criteria.
Next, consider where you will deploy the VPN on your
network. Three common architectures typically accompany
VPN solution deployments.
Bypass Deployment
A bypass architecture (Figure 11-1) deploys the VPN so that
traffic to the VPN and from the VPN to the internal network
is not firewalled in any way.
This was a common architecture when VPNs were first
introduced to the market. The logic behind this deployment
architecture is that the since the VPN will accept only
encrypted connections on a specific port, the security is
adequate without additional firewalling. An additional
consideration is that since the traffic is encrypted, it doesn’t
require additional protection. Even if you did place a firewall
on the Internet-facing VPN connection, the firewall would
not be able to analyze the encrypted VPN traffic. This
architecture also considers anyone connected to the VPN as
a trusted host. Finally, passing traffic across a firewall
always causes concerns about performance impacts, and
justifiably so.
Two significant issues arise with this implementation
model. First, VPNs are like any network device—they can
have a variety of vulnerabilities. As a result, they are still
vulnerable to an attack against the device itself. The second
issue is that the uses for VPN have expanded greatly since
the technology first appeared, and it’s not uncommon in
today’s environment to leverage a VPN to provide
untrustworthy hosts access to portions of the network.
These could be customers accessing an order management
portal, vendors supporting systems on the internal network,
or suppliers who are transferring invoices to your internal
systems. While some controls (usually routing table–related)
are available in most VPN solutions, terminating a VPN
directly on your internal network is a very dangerous
practice. As a result, the circumstances where a bypass VPN
architecture is still a viable solution are limited, unless your
risk tolerance is pretty high.
FIGURE 11-1
A bypass VPN implementation.
FIGURE 11-2
An internally connected VPN.
Internally Connected Deployment
An internally connected architecture (Figure 11-2) deploys
the VPN so that traffic to the VPN and from the VPN to the
internal network is not firewalled in any way.
An internally connected VPN architecture recognizes that
the VPN is vulnerable to attack if placed directly on the
Internet, so it places the Internet-facing VPN connection
behind a firewall. Selecting the appropriate firewall for this
solution is critical to a successful implementation. The VPN
then connects any remote users or site-to-site connections
directly to the internal network.
While this is an improvement over the bypass
architecture, it still doesn’t address the potential security
issues associated with untrustworthy VPN connections. This
architecture is not recommended, although it will work if the
only hosts connecting are trusted hosts.
DMZ-Based Implementation
A demilitarized zone (DMZ)–based implementation (Figure
11-3) addresses the main shortcomings of the previous two
architectures.
This architecture features a firewall in front of the VPN to
protect it from Internet-based attacks, as well as a firewall
behind to protect the internal network. The firewall on the
inside can be configured to protect important infrastructure
like finance department or research department servers,
restrict business partners to only the systems to which they
need access or even limit vendor access to only those
systems that they support.
The largest negative in this design is the cost of
deploying multiple firewalls for the implementation.
However, many companies already have DMZs set up in this
configuration, so it may be just a matter of leveraging the
existing infrastructure for your needs.
After selecting the ideal VPN and determining where
you’re going to place it in your infrastructure, it’s time to
work up your deployment plan.
Before you look at the components of a successful
deployment plan, keep in mind that your environment is
unique to your organization. Some elements you will read
about won’t apply to your deployment. These are, rather,
just some common elements found in most typical VPN
deployment plans. Just as with the other topics discussed
here, review these while thinking of the requirements of
your organization.
To deploy your VPN successfully, you need to:
Plan the physical location of the VPN. This is commonly
rack space in your data center.
Ensure your selected location meets power and
cooling requirements. Get information on power and
cooling requirements from your VPN’s technical
specifications.
NOTE
You can use a project management application to plan
your VPN rollout, or use something as simple as a word
processing or spreadsheet application. The purpose of
this plan is to allow you to structure your deployment
more formally than a plan written on the back of a
cocktail napkin.
FIGURE 11-3
A VPN implemented in a DMZ.
Plan your IP addressing for the external and internal
network connections on the VPN, as well as a pool(s)
of addresses assigned to clients when they connect to
the VPN. Plan for peak usage when assigning these
pools to the VPN. While an average number of users is
an excellent use benchmark, peak use determines the
maximum number of IP addresses to ensure that all
users can connect. If this is a site-to-site connection,
your IP addressing plan will not be as complex, but will
still be important when setting up the tunnel.
If you are using firewalls as discussed in the previous
section, plan the rules you’ll need on the firewalls to
permit the VPN to work. Generally, IPSec VPNs will
require UDP port 500 for the IKE packets and TCP port
443 for the IPSec traffic. SSL VPNs use port 443
exclusively. Most VPN rule sets permit ICMP packets
from the Internet. If you are experiencing issues with
the VPN, it’s frequently useful during troubleshooting
to determine if the user can reach the VPN server
using tools like ping or traceroute.
Configure the VPN server by setting up the IP address
pools, assigning IP addresses to the interfaces,
establishing your banner message, and disabling split
tunneling. It’s also a good idea to have the vendor
review your configuration before going live to ensure
you haven’t missed anything in your planning. In some
cases, you might even want to have the vendor install
the VPN for you while you concentrate on client
rollouts, policy communications, and other related
tasks.
Set up the authentication mechanism. Ideally, this will
be a token-based authentication solution, but it could
also be RADIUS-based authentication or, in some
smaller environments, user accounts set up on the
VPN itself.
Follow your organization’s change management
policies when deploying the VPN. If your organization
doesn’t have a formal change management process,
be sure to inform management of your planning
schedule to avoid surprises. The last thing you want is
to bring the VPN online during the same weekend the
accounting department is doing a major upgrade to
your organization’s financial systems. If there’s a
problem with their upgrade, you can count on at least
one person blaming it on your VPN rollout.
Once the VPN is up and on the network, create a pilot
group to test the deployment. Address any issues
before you roll out to a larger user pool. Minimize any
issues that employees might face with the new
solution. The best way to doom a new solution is to
deploy it with lots of problems. You may find some
employees will have a low tolerance for issues.
Develop your operations manual, which will document
the configuration, operations procedures, change
planning processes, and change history.
Develop your user documentation. Include how to
install the client (if a manual install is required), how to
log on, whom to call for support, frequently asked
questions, and any other information you think will
make the user’s experience with the VPN easier.
Develop your support processes. Who gets the first call
when there’s an issue? What is the escalation path if
the issue can’t be resolved?
Communicate the rollout plan to management and
affected employees. Let them know the timing,
benefits of the new solution, and anything else that
you believe will help you have a successful
deployment.
Install the VPN client for any remote access users. If
this is a site-to-site deployment, configure the tunnel
connection.
Distribute authentication credentials, tokens, and so
on.
Train your users.
Go live—and enjoy a successful VPN rollout.
You now should be able to select, plan, and successfully
deploy a VPN for your organization.
VPN Threats and Exploits
Consider the threats and attacks against your VPN, and how
to mitigate them. A VPN can be a critical component of your
information security infrastructure. A properly implemented
VPN addresses a number of common attacks against your
infrastructure, including eavesdropping, man-in-the-middle,
replay, and others. However, while your VPN can mitigate
attacks, it also opens up an entirely new set of security
issues.
Remember, VPNs are essentially network devices and
subject to many of the same security issues you would find
in a router or a switch. If you are running a software VPN,
then your VPN can have many of the issues you find on your
network’s servers.
A hardware VPN solution can suffer from a number of
security vulnerabilities, including:
Weak default password
Insecure default configuration or misconfiguration by
the installer
One of the most common and easily exploited vulnerabilities
on any hardware network device is the default password.
Vendors set an initial password on their equipment. Usually,
all it takes to discover this password is a quick search on the
Internet. Often, it’s not even particularly hard to guess. Try
the vendor name, “admin,” or “password,” and odds are
good that you’ll be able to log on. It seems like a sensible
mechanism—the vendor doesn’t want to distribute its
equipment without a password, so it sets a standard
password that’s easy for the installer to remember.
The potential problem occurs when the installer forgets
to change that password. It’s not uncommon for an installer
to leave the password in place for the duration of the
installation. Typing in “admin” after each reboot is much
easier than typing in “$$Th!s!sAS3cur3P@ssw0rd!!” every
time you make a change requiring a reboot. The problem
occurs when either the installer forgets to change the
password when the work is done, or an attack occurs while
the installer is in the middle of the installation.
Imagine the installer has a couple of additional settings
to change, but it’s 6:00 p.m. on a Friday and he’s ready for
the weekend. He decides to come in early Monday to finish
up the configuration. So for the entire weekend, the VPN
you’re counting on to provide secure access to your network
is on the Internet with the password “admin.” The best way
to address this type of vulnerability is through stringent
system configuration procedures and strong awareness
training for your support staff and contractors. Disciplinary
action when an installer fails to follow the instructions is
also remarkably effective at getting the message across.
The second common issue with hardware VPNs is a
device that is installed in the default configuration. Very few
network devices come out of the box in a fully secure
configuration. For example, an important configuration
setting is disabling split tunneling. A default VPN
configuration might not disable that setting without
modifying the configuration. If you are completing your first
install, it’s very tempting to just change enough of the
configuration to get the VPN up and running and stay away
from any unfamiliar settings.
A related issue occurs when an inexperienced installer
modifies the configuration without understanding the
impact of the changes. For example, an installer with a
limited understanding of encryption protocols might decide
that using the DES algorithm for VPN encryption would be
“good enough” and would improve performance over a
higher encryption algorithm like 3DES. The installer
probably read somewhere that the longer the key length
used for encryption, the higher the impact on performance.
This is often true, but longer key lengths usually mean more
secure communications. Installer-induced security threats
are some of the hardest to track down. Since they were
caused by someone with a limited understanding of what he
or she was doing, the installer’s ability to help you track
down the issues is equally limited.
To mitigate the risk of these issues, make sure that you
train your installer (or yourself) before installing the VPN. If
you do not have the time or justification for training on the
product, then engage a vendor or systems integrator to
assist with the install or even complete it for you. Once the
installation goes online, it pays to have an expert perform a
vulnerability or penetration test against your VPN. It never
hurts to have an expert check your work.
A software VPN solution can suffer from the following
vulnerabilities:
Operating system vulnerabilities
Operating system misconfiguration
Application conflicts
Instability
Viruses and malware
While software VPN solutions are not typical in corporate
environments, they are not uncommon in smaller
organizations, academic environments, and other areas
where a hardware VPN does not meet the business
requirements. The main threats to software VPN solutions
arise in the operating system. Operating systems like UNIX
or Microsoft Windows consist of highly complex coding. They
are designed to support a number of business-related tasks,
and are more highly complex than the operating systems
found on hardware-based VPNs. As a result, the software-
related threats can also be much more complex.
Operating systems contain millions of lines of software
code, and as with anything written by people, they always
contain mistakes. Those mistakes are what attackers seek
to exploit when attacking an operating system. Exploits may
include buffer overflows, privilege escalation, or any number
of other issues. As a result, if you run your VPN on a
general-purpose operating system, your VPN becomes
susceptible to the same software vulnerabilities as your
operating system. In addition, software VPNs have many
more possible operating system configuration errors than
hardware VPNs.
Some organizations run VPN software on a server that
supports multiple applications. For example, the VPN server
might also be a SQL server, a Web server, or a file server. If
this is the case in your environment, be aware of potential
vulnerabilities created by application conflicts. This could be
a matter of two applications that contend for resources on
the servers causing issues, but it could also be the chance
that one of the applications opens a new vulnerability in the
VPN software. Think about a VPN server that is also a Web
server. If the Web server is configured incorrectly, you could
expose VPN configuration files to an attacker through the
Web server interface. In that case, you could configure your
VPN server securely just to have an attacker pull a copy of
your configuration files out of a Web directory, bypassing
your security.
Another potential threat associated with software VPNs is
instability. Many information security professionals are
reluctant to run software VPNs due to the challenges of the
operating system crashing and taking the VPN with it. Many
security professionals wouldn’t ever want to run a VPN that
could be taken out by a “blue screen of death”—the
nickname for the Microsoft server crash screen.
Finally, operating systems are vulnerable to viruses and
other forms of malware. These would include Trojan horses,
rootkits, or any of the other destructive malware currently
active on the Internet. Any of these infections could
compromise the security of your VPN, as well as your
internal network.
If you are planning to run a software VPN, be sure to run
it on a dedicated server, double-check both the operating
system configuration and the VPN configuration, and keep
the operating system fully patched and up to date. When
your VPN is fully configured, run a vulnerability
management tool against it, or have a professional come in
and conduct a penetration test. Moreover, be sure to install
and maintain current antivirus and anti-malware software on
the server. It’s a good idea to install a firewall application
and an intrusion detection/prevention application to ensure
that your VPN remains secure.
Credential Sharing
Credential sharing is sharing a logon and password, or
other security credentials with others. A person may
share credentials with another authorized user such
as a boss, secretary, or coworker, or even with a
family member. A person may also share credentials
for reasons such as unofficial outsourcing all or a part
of his or her job, such as data entry or coding,
unbeknown to the employer. The practice doesn’t
necessarily result in compromising the system, but
often it does.
Vulnerabilities common to both hardware and software
VPN implementations include:
Denial of service attacks
Missing patches
Backdoor attacks
Unpublished vulnerability in the code
Weak client security
Weak authentication
Hairpinning
Credential sharing
In a denial of service (DoS) attack, the attacker is trying
to crash or overload the VPN, essentially to deny access to
the VPN service. Attackers use specially crafted packets
designed to crash the VPN or, more likely, direct a flood of
traffic at the VPN in an attempt to overload it. This is not a
very common attack because of the large amounts of traffic
required to overload most companies’ network
infrastructures. Generally, you will not see a VPN targeted
with a DoS, as attacks against VPNs are typically designed
to allow the attacker access to the internal network. DoS is
more common against popular Web sites like Twitter or
Facebook, where there is significant publicity, or against
online merchants, who are subject to blackmail. When your
Web site is a significant source of revenue, a DoS attack can
be very expensive.
Any hardware or software platform that can run VPN
software is vulnerable. That’s the nature of any computer
technology. When these vulnerabilities are discovered, the
vendor will typically develop a patch or an update to
address the issue. If you do not keep your VPN current, you
leave your network open to these issues, and attackers will
try to exploit known vulnerabilities with your VPN.
A backdoor account attack is pretty rare, but can happen
in some instances. An example of the traditional backdoor
attack was featured in the movie War Games, where the
system developer left a user account and password on a
secure system in case he needed to get back in. This
account was exploited by an attacker (in the movie, a kid
just looking to play games)—nearly causing the end of the
world. Needless to say, the issues in your environment will
not be quite as dramatic, but they are still of concern. Code
running on VPNs and operating systems is closely
scrutinized, so system developers are less likely to be a
threat, but what about a system administrator who thinks
he’s about to be fired? Or a vendor who comes in to support
your VPN and creates an account for support that he or she
forgets to delete before leaving? The best way to mitigate
this type of attack is through scheduled auditing of all
accounts on your VPN, as well as strong, documented
procedures for how and when accounts are created and
deleted. This particularly applies to accounts with elevated
privileges or on systems accessible from the Internet.
One of the trickiest (and fortunately rarest) security
threats is an unpublished vulnerability in the VPN code.
Researchers or potential attackers can discover an
unpublished vulnerability. If it’s unpublished, it means the
vendor is not yet aware of it, and thus has not yet
developed a patch or an update. These are probably the
most difficult threats you will face because there isn’t a lot
you can do beyond following security best practices,
creating a layered security environment, and monitoring the
behavior of your environment for anomalies. Should you
encounter this issue, be sure to follow your incident
response process and work with the vendor to identify the
issue and create a patch.
Another vulnerability is not directly on the VPN, but in the
devices connecting to the VPN. VPNs offer significant
security advantages, but if the client at the other end of the
connection is not secure, then your network is at risk. To
mitigate this risk, have a standard client configuration,
which includes antivirus, anti-malware, firewall, and maybe
even intrusion-detection software. Also make sure that the
only clients connecting to the VPN are company-owned.
Permitting personal assets to connect to your network opens
a number of additional issues, since you are not able to
supervise the configuration of those systems. All it takes is
one employee whose daughter clicks on the video link that
her friend sent her (generally with a comment like “check
out this video I took of you”), and you could end up with a
virus on your network when Dad connects to the VPN using
the same system.
A final vulnerability to consider is the challenge of weak
authentication. Your VPN is really only as secure as your
authentication mechanism. If you are authenticating via
user ID and password, you run the risk of someone guessing
or stealing those credentials and accessing your network
without permission. To mitigate this risk, rely on either
token-based or biometric authentication methods instead of
—or in addition to—a user ID and password. If you must use
a user ID and password for authentication, be sure to coach
users in the use of strong passwords.
A familiarity with the various threats, attacks, and
mitigations is critical to the long-term support of your VPN
and your total network. Be aware that no list of threats and
attacks can be all-inclusive because attackers are constantly
developing new methods for compromising your network. In
the absence of specific threats and attacks, rely on good
security practices to keep things safe.
Commercial or Open Source VPNs
When looking at VPN solutions, decide if you want to include
the option to leverage open source VPNs. If so, be aware of
some of the tradeoffs you will encounter when leveraging an
open source VPN product.
A commercial solution offers the following benefits:
Ease of installation and management
Available management tools
Access to vendor support
Available hardware maintenance
The benefits of an open source solution include the
following:
Low cost
Flexibility
Ability to run on existing hardware
Access to Internet-based support
Both commercial and open source solutions pose some
challenges. Commercial solutions are typically easier to
implement, but that ease of installation comes at a cost. Not
only are commercial solutions more expensive than open
source solutions, but also they are typically less flexible.
Open source solutions like OpenVPN (www.openvpn.net)
offer significant flexibility, but generally require significantly
higher skill in installation and support of the product. You
rarely have access to vendor support, as open source
solutions usually rely on the knowledge of the user and the
development community. When you have an issue, you can
normally post it on a discussion board, and the community
will assist you in resolving your issue.
While weighing the pros and cons of open source VPN
solutions, take into account a couple of other factors. First,
many organizations have policies about the use of open
source software. These policies derive from the company’s
tolerance for risk, the open source licensing agreements,
and intellectual property implications of open source. If your
organization embraces open source, an open source VPN is
probably worth considering.
The best VPN application still comes down to identifying
your requirements and finding the best solution for your
organization. If you’re on a low budget or have access to
solid technical resources, an open source solution could be
the best choice for your needs.
Differences Between Personal and
Enterprise VPNs
Much of the information in this chapter has dealt with VPNs
deployed in support of an enterprise or at least a midsized
or large network. Another class of VPN applications—the
personal or individual VPN—is sometimes referred to as the
small-office or home-office VPN solution. Many home routers
will include support for VPN connections, and open source
VPNs are also very popular in this space. Shrew Soft
(www.shrew.net) offers an open source VPN client that will
connect to many standards-based VPN gateways like
OpenSWAN (www.openswan.org). The value of these
personal VPNs is twofold. First, implementing a personal
VPN provides you secure access to your home network.
Even better, implementing a personal VPN provides you
with some valuable experience with VPNs that you can then
transfer to your organization’s enterprise VPN.
Balancing Anonymity and Privacy
A key concept to understand about VPN technologies is the
difference between anonymity and privacy. Anonymity is
the ability of a network or system user to remain unknown.
Tools that support anonymous access include Tor
(www.torproject.org), an open software and network to
anonymously surf the Web. A hardware solution that
leverages the Tor network for anonymity is JanusVM
(www.janusvm.com). The problem with solutions for
anonymity is that they don’t always protect your privacy. In
many cases, the traffic carried anonymously by these
applications is unencrypted, which means an attacker can
read it with access to the right part of the network. If you
are passing user IDs and passwords, credit card numbers, or
other information that you would like to keep private, these
are not the correct solutions for you.
Privacy, on the other hand, is keeping information about
a network or system user from being disclosed to
unauthorized people. If you want to protect your
information, a VPN connection does an excellent job of this
by encrypting the data that it carries. Leverage VPNs
whenever you are connected to an untrustworthy network
and want to send sensitive information. Wireless networks
are a particularly ripe environment for attackers trying to
get private information from a public network. VPNs do not
offer any anonymity, however, as you are always able to
track the endpoints of a VPN connection. That information is
needed to maintain the VPN connection.
Protecting VPN Security to Support
Availability
One of the design decisions you made when selecting your
VPN was whether you needed a highly available solution.
Once your users expect to access the network from a hotel,
from a customer location, from Starbucks, or from home
when they have a sick child, you will find they have little
tolerance for outages. A downed VPN means none of your
remote workers can do much work, and in some
organizations that can mean a majority of the company
could be off the network until the VPN is back up and
running. A highly available solution makes a lot of sense.
technical TIP
When considering VPN availability, don’t overlook the
little things. Put your VPNs in separate racks,
connected to separate power supplies. Nothing’s more
embarrassing than explaining to your manager that the
VPN was down for two hours because someone
accidentally switched off a power strip.
The most common method for implementing a highly
available VPN is pretty simple. You buy two VPN hardware
units (or implement two open source VPNs) and then
configure them as a highly available pair using the vendor’s
high-availability mechanisms. Cisco offers the Hot Standby
Router Protocol (HSRP), for example, which allows
configuration of a pair of Cisco VPNs so that in the event the
primary VPN fails, the backup takes over seamlessly. If
configured correctly, end users don’t even notice the
cutover. A more industry-standard protocol that offers
similar functionality is the Virtual Router Redundancy
Protocol (VRRP). You also have the option to use a third-
party solution. Many of today’s load balancers offer the
ability to load-balance VPNs. When one VPN fails, the load
balancer automatically directs all traffic to the remaining
gateway.
In addition to ensuring your VPN is highly available, also
ensure that your Internet circuits have similar redundancy.
You don’t want to end up with your VPN up and your one
Internet connection down. The net result is still unhappy
users who cannot access the network. In the event of circuit
outages, the user will typically need to reconnect to the
VPN. This is still better than not being able to connect at all.
When you are considering a highly available VPN
solution, be sure to consider not only the acquisition costs,
but also the ongoing maintenance costs over the following
three to five years. It’s important to capture the full cost of
the solution rather than just the purchase price.
The Importance of User Training
Now that your VPN is up and running, you must train your
users on how to use it. One of the most common challenges
with IT infrastructure deployments, especially with security
infrastructure like a VPN, is for the IT team to assume that,
since they understand how the solution works, their end
users understand it as well. That’s almost always a bad
assumption. It can turn a successful rollout into an
unsuccessful one.
To develop good user training, start by setting
appropriate training goals. One of the first mistakes security
practitioners make when developing training is jumping past
any planning and starting with taking screen shots, typing
up documentation, and scheduling meetings. However,
much like a successful VPN deployment, the first part of
successful training is planning. Determine the following
before designing your user training:
Who is your target audience for the training? Before
you start writing your training, understand who will be
learning.
What is the technical awareness level of your
audience? Are you training tech-savvy IT professionals,
or salespeople who just want to turn on their PCs and
start working?
Where is your audience? Is your audience in one
central location, or spread out regionally—or even
nationally? This will affect the choice of media you use
to train users.
What level of training are you trying to deliver? Will
users need to install the client software? Do you want
to include basic troubleshooting in the training? Are
you trying to sell features or do you just want to train
them on how to log on? Should you include additional
security issues in this training?
Once you gather the appropriate information, determine the
best mechanism for delivering the training. You may
distribute some written instructions, have a conference call,
or even hold a Web conference. For high-profile users, or
users who require significant support, hold classroom
training. If you decide to go with live training, definitely plan
to do additional information security training. After all, you
have their attention for the period of the training; you
should maximize the benefit not only to your users, but also
to your company. Remember that well-trained employees
tend to be the most secure computer network users.
Other things to keep in mind as you do user training:
Make sure your training plan includes how you will train new
employees. Will your training post to an intranet Web site or
load onto a DVD that new hires can watch? Will you offer
new-hire training at a regular interval to ensure everyone
understands how to use the VPN?
Finally, don’t forget your support staff. If a user with VPN
issues is supposed to call the help desk, make sure the help
desk knows how to help.
VPN Troubleshooting
To successfully troubleshoot and resolve VPN issues, you
must be organized, methodical, and prepared. Like anything
else on your network, your VPN at some point will
experience an issue. The preparations you undertake during
installation and maintenance will prove to be critical
components of your troubleshooting process.
Before you start troubleshooting your VPN issue, have
access to the following information:
A network diagram showing the placement of the VPN
and other key network components like firewalls,
routers, and switches
A copy of the current VPN configuration
Any error, system, or alert logs
An operations guide
Maintenance logs and change management records
technical TIP
When troubleshooting issues with a VPN, or any
network equipment, be sure to review all recent
changes to the environment, not just changes to the
VPN. An update to a DNS server, the replacement of a
router, or changes to IP addressing can affect your
VPN.
Now that you have your basic information, you can start
troubleshooting. There’s no one way to troubleshoot an
issue, particularly a VPN issue. What you can do is
determine what works best for you, and stick with that
process. Some people like to start at the far end and work
back to the local VPN server. Others will start at the network
level and work their way up to the application. The actual
process is not as critical as having an established process
and sticking with it. One way to tackle this process is the
following:
1. Identify the symptoms—Frequently, when
you are dealing with a user-reported issue, the
reported item will bear little resemblance to the
actual problem. Users tend to generalize with
statements like “No one can get on the VPN” or
“The intranet is down from the VPN.” You need more
specifics before you start correcting an issue.
Ideally, you will receive an automated alert from
your monitoring system, which generally permits
you to track down issues much more quickly than a
help desk ticket.
2. Determine the scope of the problem—Know
whether your problem is bigger than a breadbox or
a 747. Do you have one user who cannot connect,
100 users, or the entire company? Not only will this
help you get a handle on the urgency of the issue,
but it also gives you valuable clues to what the
problem might be. If it’s one user, the odds are
pretty good that it’s a client issue, or possibly a
network issue on the user’s end, and the help desk
can probably assist with the issue. If a large group
but not everyone is affected, you can look for
commonalities. Do all the users belong to the same
VPN group? Do they all connect from the same part
of the country (indicating it could be an ISP issue)? If
you have multiple VPNs, are the problems all on one
VPN?
3. Look for changes—Before you assume
something is broken, see if anything has changed. If
the issue is with a single user, did he or she install a
new application like Skype or Tor that could be
interfering with the VPN? If the VPN is unreachable
from the Internet, was someone working on your
Internet connection? Did you do a code upgrade
over the weekend? The importance of formal
change management is critical to successfully
maintaining a production computing environment.
When you are troubleshooting, determine what has
changed. Be aware that sometimes the toughest
part of chasing down change-related issues in a
complex environment is figuring out which of the 20
or 30 changes performed during a weekend change
window is causing your problem.
4. Call the vendor—It’s never a bad idea to call
the vendor and see if it has seen your issue before.
If you don’t have phone support with the vendor,
visit its Web site and check its knowledge base. The
Internet is an invaluable tool for helping with
troubleshooting.
5. Try the most likely solution—As the resident
expert, once you have gathered all the information
and reviewed the likely issues, try a fix. Record
these fixes not only in your operations guide, but
also in your change control process.
6. Test it—You made a change; test to see if it
worked. If not, back out the change you made and
repeat the previous step with the next most likely
fix. Repeat the process until the problem is solved.
Do not keep trying fix after fix without backing out
previous fixes; you could end up making so many
changes that you won’t be able to easily get back to
a stable configuration.
7. Check to see if you broke anything else—
This is a critical step. Changes to the environment—
even if you are trying to fix something—can have
unpredictable effects. The last thing you want is to
assume the problem is solved, just to get a call later
saying no one can get to the Internet.
8. Document, document, document—This is
probably the most important part of the process. If
you don’t write processes and procedures down, it’s
as if you didn’t even do them. When the next expert
comes along to troubleshoot and your changes
aren’t documented, he or she will have to start with
incorrect information or guesswork. And if you
encounter the same problem 12 months later, you’ll
be glad you can refer to your previous process to
speed up the second recovery. Create a section in
your operations guide just for this kind of
documentation.
Now that you have a general troubleshooting process,
consider some other things when troubleshooting a
situation:
Don’t panic—During a major outage, people tend to
panic. They will start sending e-mails to large
distribution lists, sending alerts, escalating issues, and
doing a variety of other things that are not particularly
helpful to you while you’re troubleshooting an issue.
Keep your cool, work on the problem at hand, and
keep management informed of the progress you make.
Don’t overcommit or make promises you can’t
keep—If you don’t know what the issue is, don’t tell
your manager that the network will be back up in an
hour.
Focus on the problem at hand—Getting sidetracked
when troubleshooting a complex issue is easy. Be sure
that the problem at hand is the one you are working to
address. If you identify other potential issues unrelated
to the current outage, document them and handle
them under your change control process. But don’t go
off on a tangent and delay addressing the immediate
issue.
NOTE
When you are troubleshooting a VPN issue,
management will often require frequent status
updates. The worst place for you to be when the VPN is
down is spending all your time on conference calls
fielding questions like, “When will it be fixed?”
Management needs to be educated to the concept that
things won’t be fixed until you get off the phone and
back to working on the problem.
You can do a couple of quick and easy tests if you are
having a major VPN outage and you just want to be sure
that your VPN is still on the network. Generally, your VPN
will have two interfaces. One will be accessible from the
Internet, and the other will be the connection to your
internal network (possibly through a firewall). In the event of
a major outage, start by verifying that both of those ports
are functioning.
To verify the internal port is available, you can use the
ping command from the Windows command prompt or from
a UNIX command line. See Figure 11-4 for an example of a
successful ping response.
Once you’ve validated the internal port, also validate the
external port. This is frequently a challenge because in most
organizations, a direct connection to outside the network is
not readily available. In some larger organizations, you may
have a DSL Internet connection dedicated for testing, but if
you don’t have that type of access, a number of Internet
sites will let you run network diagnostics from their Web
sites. See Figure 11-5 for a sample Internet traceroute
command from www.network-tools.com. If you do an
Internet search on “network tools,” you can find a number of
sites that offer a similar capability.
FIGURE 11-4
Troubleshooting a VPN issue using PING.
FIGURE 11-5
Using Internet-based traceroute tools to determine if your
VPN is accessible from the Internet.
You now have the tools to create your own
troubleshooting process for your VPN, using some or all of
the steps and tips discussed. You just need to determine
what works best in your environment. Be methodical, don’t
panic, keep focused on the issue, and you will be very
successful in quickly addressing VPN issues in your
environment.
CHAPTER SUMMARY
VPN management is a complex activity that requires
attention to detail and good documentation. A variety
of best practices may assist you in your VPN
deployment and ongoing support. Selecting and
deploying a VPN solution that meets your business
requirements is essential. This includes deciding
between open source and commercial VPN solutions
when selecting your product. Understanding the
threats, attacks, and mitigations and ensuring your
VPN is available are key components of success. In
addition, you must understand the difference
between privacy and anonymity, know the difference
between personal/individual and enterprise/network
solutions and, finally, be able to train your users well.
Once you have mastered all these facets of
successful VPN rollout and support, you’ll be ready to
move on to other security topics.
KEY CONCEPTS AND TERMS
Anonymity
Hairpinning
Service level agreement (SLA)
Slideware
Two-factor authentication
Vulnerability management
CHAPTER 11 ASSESSMENT
1. Which response contains the three most common VPN
deployment architectures?
A. Bypass, encrypted, OpenVPN
B. DMZ, OpenVPN, internally connected
C. DMZ, encrypted, OpenVPN
D. Encrypted, OpenVPN, internally connected
E. Bypass, DMZ, internally connected
2. All of the following are considered VPN management
best practices except:
A. If one is good, two is better.
B. Patch regularly.
C. Permit split tunneling.
D. Do not allow employee-owned computers to connect.
E. Review usage.
3. Three of the threats common to both software and
hardware VPNs include ________, ________, and ________.
4. The two different types of VPN commonly used for
remote access VPN are ________ and ________.
5. Pick two advantages of using an open source VPN
solution instead of a commercial solution.
A. Low cost
B. Good vendor support
C. Less installation and configuration time
D. Use of existing hardware
E. Ease of troubleshooting
6. The ability of a network or system user to remain
unknown to adversaries is ________.
7. Which of the following are benefits of using a
commercial VPN instead of an open source VPN
solution? (Multiple answers may be correct.)
A. More costly
B. Less flexible
C. Product support
D. Greater skill needed to deploy and support
E. Dedicated hardware
8. A document that details the requirements for using a
VPN is called a ________.
9. Which of the following are vulnerabilities common to
both software and hardware VPN solutions? (Multiple
answers may be correct.)
A. Default password
B. Unpublished vulnerability in the code
C. Weak client security
D. Weak authentication
E. Blue screen of death
10. Which of the following are components of a VPN policy?
(Multiple answers may be correct.)
A. Introduction
B. Scope
C. VPN configuration settings
D. Definitions
E. Backup strategy
11. Keeping information about a network or system user
from being disclosed to unauthorized people is known as
________.
12. Recognizing that vulnerabilities will be found with both
hardware and software VPNs, be sure to ________
frequently.
13. Which of the following are not VPN best practices?
(Multiple answers may be correct.)
A. Back up your configuration.
B. Pick the solution that gets the best reviews.
C. Don’t permit split tunneling.
D. Use vulnerability management.
E. Secure your endpoints.
14. The best authentication method for client VPNs is
________.
15. When protecting the availability of your VPN, it is a
good practice to have ________ VPN gateways in your
environment.
16. Which of the following are protocols that can be used
for high availability with VPNs? (Multiple answers may
be correct.)
A. IPSec
B. 3DES
C. HSRP
D. VRRP
E. SSL
17. If you want to verify that the VPN is on the network,
what is the simplest tool you can use?
A. Snort
B. Ping
C. Traceroute
D. VPN Monitor
E. Syslog
18. When troubleshooting a VPN issue, which of the
following are valid troubleshooting steps? (Multiple
answers may be correct.)
A. Don’t panic.
B. Gather the symptoms.
C. Run a vulnerability scan.
D. Review changes to the environment.
E. Upgrade the VPN software.
19. Your VPN policy should address which of the following
topics? (Multiple answers may be correct.)
A. Defining authentication methods permitted
B. Defining the VPN platform
C. Defining required encryption levels for VPN
connections
D. Defining the troubleshooting process
E. Defining how to respond to incidents
20. In addition to redundant VPNs, also make sure to have
redundant ________ for your VPN to be truly available.
CHAPTER
12 VPN Technologies
VIRTUAL PRIVATE NETWORK (VPN) is a general industry term that actually covers many different technologies. Ask
anyone who works in a large company and needs to access
a corporate network remotely and he or she will probably
confirm using a VPN to connect to the network and get to
his or her e-mail, intranet, and other corporate applications.
Ask him or her how that VPN works, however, and you will
almost always get a blank stare. End users are typically
interested only in the result of a solution, not in how it
works. For you, the information security practitioner,
however, just how a VPN works is as important as what
benefits a VPN provides your organization.
VPNs are deployed in a number of different ways,
leveraging a variety of technologies, platforms, and
protocols. Determining which VPN is the right fit for your
organization requires successfully gathering and
interpreting your business requirements. Once you’ve
documented those requirements, it’s up to you as the
security practitioner to understand the various options and
capabilities to fit the VPN technology to the appropriate
business requirements.
A variety of technical factors affect the selection and
installation a VPN solution. Some VPNs are available as
software installed on a workstation or a server. Other VPNs
are software components of other devices, like a router or a
firewall. Finally, dedicated VPN hardware appliances provide
secure remote connectivity.
A variety of underlying protocols can provide different
functions, features, and levels of encryption. When a vendor
starts talking about L2TP, IPv6, SSL and SSH, or IPSec, you’ll
need to speak the lingo and make the right technology
decision for your organization.
Finally, other infrastructure considerations you need to
take into account when working with VPN technologies
include how things like network address translation (NAT),
Internet Protocol (IP) version, and the use of virtualization
can affect how you deploy, maintain, and troubleshoot a
VPN.
Chapter 12 Topics
This chapter covers the following topics and
concepts:
What the differences are between software
and hardware solutions
What the differences are between Layer 2
and Layer 3 VPNs
What Internet Protocol Security (IPSec) is
What Layer 2 Tunneling Protocol (L2TP) is
What Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) are
What the Secure Shell (SSH) protocol is
How to establish performance and stability
for VPNs
How to use VPNs with network address
translation (NAT)
What some types of virtualization are
What the differences are between Internet
Protocol (IP) versions 4 and 6
Chapter 12 Goals
When you complete this chapter, you will be able
to:
Contrast hardware and software VPN
solutions
Describe VPN protocols, their uses, their
features, and their problems
Explain the problem of using VPNs with NAT
Evaluate hardware VPN devices
Differences Between Software and
Hardware Solutions
A key topic in discussing VPN technologies is the differences
between software and hardware solutions. The following
definitions help reveal those differences:
Software VPN—Software-based VPNs are sold either
as part of a server operating system, as part of an
appliance operating system, or as a third-party add-on
software solution.
Hardware VPN—A hardware VPN is a standalone
device, dedicated to managing VPN functions such as
authentication, encapsulation, encryption, and
filtering.
NOTE
In the early days of VPNs, VPN software commonly ran
on a Windows or UNIX server. Today, server-based
implementations show up mostly in small
environments because of the poor scalability and
reliability of the operating system. Most software VPNs
act as a component of a firewall or router, not as an
add-on to a server.
While the functionality of software and hardware VPN
solutions is essentially the same, providing a secure remote
connection on demand points out some important
differences.
Software VPNs
When evaluating whether or not to deploy a software VPN,
consider two types of software VPNs:
Operating system–based VPN—An operating
system–based VPN solution is an application that runs
on a Windows or UNIX operating system. These are
generally used in smaller companies, as they tend to
be less scalable and less stable than other VPN
solutions. They are generally less expensive,
especially as they are running on a shared server,
which may be running other applications. Many of
these solutions are open source, which further reduces
the cost, although it can increase the complexity of
the solution.
One potential security issue with this solution is that
the server communicates with the public network
(generally the Internet) for the connections to occur.
Any time you connect a server and the associated
operating system to a public network, you increase the
security risk, since you are exposing it to a much
larger pool of attackers. You can mitigate this risk by
limiting the ports open to the server, and, if you are
doing just site-to-site VPN connections, you can
sometimes restrict the connections to specified IP
addresses. You can also add a firewall to the VPN
server, which adds to the overhead on the server, but
will provide additional protection to offset the
increased exposure.
Module-based VPN—A module-based VPN runs as a
component on a larger system. These are sometimes
included as part of the overall feature set, or in other
cases may require the purchase of additional licenses
to use the VPN. An example of this would be the VPN
capability included with many firewalls. Many routers
also offer this type of capability, which permits the
easy encryption of WAN links for security-conscious
companies. The benefit of this type of VPN solution is
reduced complexity of the environment, since you
have fewer discrete devices to manage. VPN modules
are also typically less expensive than hardware VPN
solutions. Some vendors also offer hardware
accelerators for improving overall performance of this
solution.
Hardware VPNs
Hardware VPNs are dedicated appliance-based solutions,
generally based on a router-type platform. Hardware VPNs
are the most common type of VPN deployed in corporations
today. While hardware VPNs can be complex to deploy, they
are typically more scalable than their software counterparts,
and can be easily deployed in a redundant manner.
Hardware VPNs can increase the complexity of an
environment, because you are deploying additional
equipment. The good news is that you can usually manage
this additional hardware with the same types of network
management tools you use to manage the routers and
switches in an environment.
Hardware VPNs can create some security issues, largely
related to potential vulnerabilities in the VPN software code
on the appliance itself. A number of security alerts related to
VPN vulnerabilities have appeared in recent years.
Fortunately, you can manage this issue fairly easily by
keeping current on your vendor’s security alerts and by
upgrading VPN code in a timely fashion. A good rule of
thumb is to run the N21 version of code, where N is the
current version of code, unless a known issue with that
previous version of the code has been published.
Ultimately, the requirements of your business will drive
your selection of a software or hardware VPN. The good
news is that many options are available to you in your
search for the best solution.
NOTE
You must make a risk-based decision on whether to
accept the possibility of undiscovered bugs in a new
version of hardware or to live with the known bugs in a
previous version. If an upgrade is issued primarily for
fixing security flaws, you may be better off with the
new version, surprises and all.
Differences Between Layer 2 and
Layer 3 VPNs
One distinguishing component of current VPNs is that they
use a variety of transport protocols to establish their
connections. This is helpful not only because the protocols
have different capabilities, encryption strengths, and
authentication mechanisms, but they also can run at
different layers of the Open Systems Interconnection (OSI)
Reference Model. The OSI model is the standard seven-layer
conceptual tool that describes protocols and their functions.
Each layer communicates with its peer layer on the other
end of a communication session. While the OSI model is
helpful in discussing protocols, most protocols are not in full
compliance with it.
In the case of VPNs, the protocols used by the vast
majority of solutions work at Layers 2 and 3 of the OSI
model.
Layer 2 of the OSI model is the Data Link Layer. The Data
Link Layer is the protocol layer that transfers data between
adjacent network nodes. In the case of a VPN, this protocol
transfers data from one VPN endpoint to the other.
An example of a protocol that communicates using Layer
2 would be Layer 2 Transport Protocol (L2TP).
Layer 3 of the OSI model is the Network Layer. The
Network Layer is responsible for end-to-end packet delivery
and includes the ability to route packets through
intermediate hosts.
An example of a VPN protocol that communicates at
Layer 3 is IPSec.
technical TIP
SSL/TLS and SSH are protocols that operate at Layer 7
of the OSI model, the Application Layer.
technical TIP
An RFC is a request for comments. These “requests”
are published by the Internet Engineering Task
Force (IETF). The IETF is the standards body for
Internet-related engineering specifications. The IETF
uses RFCs as a mechanism to define Internet-related
standards. (See www.ietf.org for more information.)
Internet Protocol Security (IPSec)
Internet Protocol Security (IPSec) is a standards-based
protocol suite designed specifically for securing Internet
Protocol (IP) communications. IPSec authenticates and
encrypts each IP packet in an IP data stream. In addition,
IPSec has protocols that can establish mutual authentication
and cryptographic key negotiation during a session. IPSec
operates at the Network Layer of the OSI model.
The IPSec standard utilizes three major components:
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Internet Key Exchange (IKE)
Authentication Header (AH) provides integrity protection
for packet headers and data, as well as user authentication.
It can optionally provide replay protection and access
protection. AH cannot encrypt any portion of a packet. In the
initial version of IPSec, the ESP protocol could provide only
encryption, not authentication, so AH and ESP were often
used together to provide both confidentiality and integrity
protection for communications. Because authentication
capabilities were added to ESP in the second version of
IPSec, AH has become less significant; in fact, some IPSec
software no longer supports AH. However, AH is still of value
because AH can authenticate portions of packets that ESP
cannot. Also, many existing IPSec implementations use AH.
Encapsulating Security Payload (ESP) is the second
core IPSec security protocol. In the initial version of IPSec,
ESP provided only encryption for packet payload data.
Integrity protection was provided by the AH protocol if
needed. In the second version of IPSec, ESP became more
flexible. It can perform authentication to provide integrity
protection, although not for the outermost IP header.
technical TIP
Why does the layer matter? Because IPSec operates at
Layer 3 of the OSI model, it can encrypt any traffic in
Layers 4 through 7 of the OSI model. That means IPSec
can be used to encrypt any application traffic.
Therefore, in all but the oldest IPSec implementations, ESP
can provide encryption only, encryption and integrity
protection, or integrity protection only. This chapter mainly
addresses the features and characteristics of the second
version of ESP.
NOTE
IPSec supports the Data Encryption Standard (DES), a
56-bit encryption protocol, and 3DES (data is
encrypted three times using DES), which effectively
yields a 168-bit encryption protocol.
Internet Key Exchange (IKE) negotiates, creates, and
manages security associations. Security association (SA) is
a generic term for a set of values that define the IPSec
features and protections applied to a connection. You can
also create SAs manually, using values agreed upon in
advance by both parties, but because these SAs cannot be
updated, this method does not scale for real-life large-scale
VPNs. In IPSec, IKE provides a secure mechanism for
establishing IPSec-protected connections.
IPSec supports two different modes:
Transport mode (host-to-host)—In transport mode,
only the data packet payload is encapsulated, while
the packet header is left intact. In this mode, the
destination host decapsulates the packet. This is the
mode used in a Microsoft Windows environment to
secure a client-to-server connection using IPSec.
Tunnel mode (gateway-to-gateway or gateway-
to-host)—In tunnel mode, the IP packet is entirely
encapsulated and given a new header. The
host/gateway specified in the new IP header
decapsulates the packet. This is the mode used to
secure traffic for a remote access VPN connection from
the remote host to the VPN concentrator on the
internal network. (A VPN concentrator decrypts
information coming from a remote user over the
Internet, and encrypts information sent back over the
Internet to the remote user.)
IPSec is a little different from some of the other protocols. It
provides high-quality, interoperable, cryptographically
based security for IPv4 and IPv6. As a result, the protocol
supports a comprehensive set of security services,
including:
Access control
Connectionless data integrity checking
Data origin authentication
Replay detection and rejection
Confidentiality using encryption
Traffic flow confidentiality
IPSec-based VPNs have been the dominant VPN platform for
many years, although in recent years SSL-based VPNs have
been making significant inroads. IPSec is so popular for
three reasons:
It supports all operating system platforms.
It provides secure, node-on-the-network connectivity.
It offers a standards-based solution, permitting easier
interoperability between different devices and
vendors.
For more information on IPSec, see
http://tools.ietf.org/html/rfc4301. While RFC 4301 provides
the main IPSec standard definitions, separate RFCs exist for
some IPSec features. The full set of RFCs defines the entire
standard.
Layer 2 Tunneling Protocol (L2TP)
Layer 2 Tunneling Protocol (L2TP) is an older protocol
largely replaced by IPSec and SSL/TLS-based VPNs in
production environments. You will still encounter references
to the protocol in current VPN literature, however, and it
may still be in use in some older environments, where
backward compatibility could still be an issue. L2TP was
used extensively in early VPN solutions but lost its
popularity as other protocols proved to be more usable as
industry standards developed.
L2TP is a combination of the best features of Point-to-
Point Tunneling Protocol (PPTP), a Microsoft proprietary
protocol, and the Layer 2 Forwarding (L2F) Protocol,
which was an early competing protocol for PPTP, developed
by Cisco Systems. Like PPTP, L2TP was an extension of
Point-to-Point Protocol (PPP) to allow PPP to be tunneled
through an IP network. L2TP support was first included in a
Microsoft server product with the release of Windows 2000
Server. Prior to Windows 2000, PPTP was the only supported
protocol. A number of hardware VPN vendors, including
Cisco, also supported it.
One of the challenges with L2TP is that it only provides a
mechanism for creating tunnels through an IP network. It
doesn’t provide a mechanism for encrypting the data being
tunneled. As a result, L2TP was typically used in conjunction
with IPSec protocol’s ESP for encryption. For this reason, you
may sometimes see L2TP referred to as L2TP/IPSec.
RFC 3193 defines the use of IPSec to secure an L2TP
implementation.
For more information on L2TP, see
http://tools.ietf.org/html/rfc2661. While RFC 2661 provides
the main L2TP standard definitions, separate RFCs for some
other implementations and features exist. The full set of
RFCs defines the entire standard.
Remember that you may never encounter L2TP in a
production environment, but you should know the basic
aspects of this protocol when looking at tunneling and VPN
protocols in general.
technical TIP
PPP was defined in the late 1990s to provide a
standard transport mechanism for point-to-point data
connections. This was used largely in conjunction with
modem connections and has been phased out as high-
speed Internet connections have replaced modem
connections.
Secure Sockets Layer (SSL)/Transport
Layer Security (TLS)
One of the key VPN protocols today is SSL/TLS, which is the
main alternative for a VPN solution if you don’t want to
leverage an IPSec solution. However, before you consider
this protocol in conjunction with VPNs, it’s important to
understand the origin of this protocol.
If you have ever surfed the World Wide Web, you have
used the Hypertext Transfer Protocol (HTTP) to connect to a
Web site. One of the drawbacks of HTTP is that is does not
include the ability to encrypt or otherwise protect the data
stream between the client and server. This wasn’t an issue
until the early 1990s, when the need to protect against
eavesdropping on communications became critical to the
ultimate success of the World Wide Web. While several
technologies have addressed this need, one solution has
rapidly become the industry standard: Secure Sockets Layer
(SSL).
HTTPS is the Web protocol that utilizes SSL to encrypt
HTTP, and is used worldwide today for secure Web
communications. (See Figure 12-1.)
NOTE
SSL supports 128-bit encryption, while TLS supports
the Advanced Encryption Standard (AES) with keys up
to 256 bits.
FIGURE 12-1
A secure browser session using SSL. Note the “https” in the
address bar.
FIGURE 12-2
A certificate used to authenticate a server in an HTTPS
connection.
SSL was originally proposed as a standard by Netscape.
Version 1.0 had serious security flaws, which were corrected
in versions 2.0 and 3.0. As this protocol has become more
widely used, it has been formalized in the IETF standard
known as Transport Layer Security (TLS). The SSL/TLS
protocol provides a method for secure client/server
communications across a network. SSL/TLS prevents
eavesdropping and tampering with data in transit. SSL/TLS
also provides endpoint authentication and communications
confidentiality through encryption.
In typical end user/browser usage, SSL/TLS
authentication is one-way. Only the server is authenticated
when the client compares the information entered to access
a server to information on the SSL certificate on the server.
The client knows the server’s identity, but not vice versa;
the client remains unauthenticated or anonymous. See
Figure 12-2 for an example of the information in a server
certificate.
technical TIP
The terms SSL and TLS sometimes confuse people. In
practical terms, they are the same thing. While the
IETF standard refers to the protocol as TLS, the
industry still uses the acronym SSL when referring to
the protocol used to secure browser communications.
FYI
While SSL/TLS is supposed to authenticate servers, it
hasn’t been as robust as originally planned. Phishing
attacks—that is, attacks that direct a user’s browser to
a counterfeit Web site—are a major problem for
security professionals. Users typically do not check to
see if a site is encrypted or if the certificate information
matches their destination Web site. Newer versions of
browsers check encryption status for the user and warn
of a mismatch between a certificate and the domain
presenting it.
SSL/TLS can also perform bidirectional authentication by
using client-based certificates. This is particularly helpful
when using this protocol to access a protected network, as it
adds a layer of authentication to the access.
SSL/TLS and VPNs
As you learned in the section on IPSec, a VPN creates a
secure tunnel through a public network like the Internet.
While SSL VPNs still leverage the concept of tunneling, they
create their tunnels differently than IPSec. An SSL VPN
establishes connectivity using the SSL protocol. IPSec works
at Layer 3 of the OSI model, while SSH functions at Layers 4
and 5. SSL VPNs can also encapsulate information at Layers
6 and 7, which makes SSL VPNs some of the most flexible
available.
On additional function of an SSL VPN is that it usually
connects using a Web browser, whereas an IPSec VPN
generally requires client software on the remote system.
SSL VPNs create predominantly remote access VPN
connections, where a client connects to applications on an
internal network. This is different from a site-to-site
connection, where two gateways connect disparate private
networks across the Internet.
SSL/TLS VPNs benefits over IPSec VPNs include:
Less expense—Since an SSL VPN is typically
clientless, you don’t have the costs of rolling out,
supporting, and updating client software.
Platform independence—Since the access to an SSL
VPN comes through the standard SSL interface, which
is a component of virtually every Web browser,
virtually any OS that runs a browser is supported.
While the operating system (OS) support for VPN
clients is good for common OSs, a significant lag can
exist in client development following the release of a
new OS or the release of a new client version. You may
see a Windows client 90 to 180 days earlier than the
Mac version.
Client flexibility—As a general rule, IPSec clients are
installed only on corporate systems. Due to the
additional configuration flexibility, SSL VPNs allow
access from a variety of clients, including corporate
systems, home systems, customer or supplier
systems, or even a kiosk machine in a library or an
Internet café. This wider accessibility tends to increase
employee satisfaction with the technology.
No problems with network address translation
(NAT)—Historically, NAT caused issues with IPSec
VPNs. As a result, virtually all IPSec vendors have
created workarounds. With an SSL VPN, you don’t have
these issues because SSL works at a higher layer than
IPSec and, as a result, is not affected by NAT.
Granular access control—This is a benefit or a
drawback, depending on your environment. SSL VPNs
require a greater granularity of access than a typical
IPSec VPN because instead of creating a tunnel from
the host to the internal network, SSL VPNs require
explicit definition of each resource accessed. The
upside is that, unless you have defined it explicitly, an
SSL VPN user cannot access the resource. Although
this barrier has significant security benefits, in a
complex environment, this could add significant
overhead to your VPN support.
Fewer firewall rules required—To access an IPSec
gateway across a firewall, you need to open several
ports to support the individual protocols for
authentication and the tunnel. With an SSL VPN, you
need to open only port 443, which is easy because of
the prevalence of the HTTPS protocol.
For more information on TLS, see
http://tools.ietf.org/html/rfc5246.
Secure Shell (SSH) Protocol
The Secure Shell (SSH) protocol is a method for secure
remote logon and other secure network services over a
public network such as the Internet. SSH services a number
of applications across multiple platforms including UNIX,
Microsoft Windows, Apple Mac, and Linux.
You can use SSH:
For logon to a shell on a remote host, replacing telnet
and rlogin (see Figure 12-3 for an example of an
application that uses SSH for this application)
For executing a single command on a remote host,
replacing rsh
For file transfers to a remote host
In combination with rsync to back up, copy, and mirror
files securely
In conjunction with the OpenSSH server and client to
create a full VPN connection
The SSH protocol consists of three major components:
Transport Layer Protocol, which provides server
authentication, confidentiality, and integrity with
perfect forward secrecy
User Authentication Protocol, which authenticates the
client to the server
Connection Protocol, which multiplexes the encrypted
tunnel into several logical channels
For more information on SSH, see
http://tools.ietf.org/html/rfc4251.
FIGURE 12-3
PuTTY is an application that leverages SSH to provide secure
connections to hosts.
Establishing Performance and
Stability for VPNs
Now that you have an in-depth understanding of the many
options available to you for VPNs as well as other secure
access protocols, it’s time to discuss some of the challenges
you might encounter when supporting your VPN. For your
VPN rollout to be successful, consider two factors:
performance and stability.
Performance
Some critical factors can affect the performance of your
VPN:
VPN type—When considering the performance of your
VPN, consider the type of VPN you’ve chosen. The
performance characteristics of a VPN supporting
remote clients can be very different from the
performance characteristics of a VPN supporting site-
to-site connections, or even a mixture of remote
clients and site-to-site connections.
Protocol—The performance characteristics associated
with an IPSec VPN can be very different from what you
may find with an SSL VPN implementation. How you
apply IPSec and SSL/TLS in a VPN solution can affect
your VPN’s performance. Validating the performance
specifications of the solution before you roll out should
allow you to address any performance issues
associated with the protocol startup.
Load—The number of remote access or site-to-site
VPNs will affect the overall performance of your VPN
rollout. The challenge in addressing this issue,
particularly in an environment supporting a large pool
of remote clients, is that the performance issues will
tend to crop up during peak use. To appropriately
diagnose these issues, you’ll need to be able to report
on use in a way that tracks the peaks. Many of the
current reporting tools available for VPNs tend to show
averages over time, which can hide peaks and valleys
in your use numbers. Be sure you fully understand
these performance reports.
Client configuration—In a remote VPN connection,
much of the performance is actually related to the
client’s capabilities. If the remote client is running on
old hardware with limited memory and an
underpowered processor, the overhead associated
with encrypting the traffic will affect performance of
the VPN connection. Another factor contributing to
overhead is what else is being done with the remote
PC. If the user is running a memory-intensive
application such a photo editing suite, you may find
that this resource impact reduces the performance of
the VPN.
NOTE
Don’t forget time-of-day considerations when
investigating load-related performance issues. You will
generally find your peak times for VPN use will be first
thing in the morning, as employees get started for the
day; after lunch, when everyone comes back from the
break; and at the end of the business day. If
performance issues arise, be sure to note the times of
day to help correlate the data and identify root causes
or at least common factors.
Bandwidth—The bandwidth available to your VPN can
have a significant impact on its performance and can
vary widely among the remote hosts and gateways. If
your VPN is supporting site-to-site VPNs connecting
two locations, the bandwidth allocated at either (or
both) ends of the connection may affect performance.
You may find, for example, that an unreliable DSL
connection at a remote client location creates
unacceptable delays for the user.
Topology—Depending on the location of your VPN
endpoints, the topology may affect performance. For
example, if your VPN connection has to traverse a
firewall or a proxy server, you may find reduced
performance depending on how well those devices
handle the VPN traffic.
Encryption level—The higher the encryption level,
the greater the impact on the memory and processor
of the endpoint devices. That being said, you should
always run the highest encryption available. If you
suspect encryption is causing performance issues, you
can look into either a dedicated processor for handling
encryption or upgrading the processing capabilities of
the central processor.
Traffic—An issue related to bandwidth is traffic loads.
If, for example, the sales department likes to watch
streaming video baseball games on Wednesday
afternoon, and you have VPN performance issues
during that time, increasing bandwidth may fix the
problem, but does not really address the root cause,
which is a traffic spike rather than too little bandwidth.
To diagnose a performance issue related to traffic,
devise some way to look at the traffic on your network.
Another facet of this issue is what the traffic load looks
like across the VPN. Do your remote users store their
documents on servers in the core network? If you are
running your VPN with split tunneling disabled, are
remote users doing Web browsing through the VPN
connection? Optimizing traffic both within the VPN as
well as outside network traffic can go a long way to
ensuring you don’t encounter performance issues.
Client version—Sometimes, the version of the client
can affect performance. Managing older versions on
remote devices can be very difficult depending on how
your organization manages those devices. Keep your
clients up to date, and you should be able to avoid any
performance issues related to client versions.
Stability
To ensure a successful VPN deployment, the implementation
must be stable. Some factors that can affect VPN stability
include:
Configuration—Ultimately, how you configure your
VPN will have a major impact on your VPN
deployment. Not only should you check your internal
VPN configuration, but also factor stability into your
initial design. If access to the network through the VPN
is mission-critical, you should ensure you use a
configuration that includes some level of high
availability or failover.
Location—Consider where you have placed your VPN
in the network. If the VPN connection has to traverse
three firewalls, multiple local routers, and a proxy
server, you may find that the connections are not as
stable as you need them to be.
Software version—The version of VPN software (or in
the case of a hardware VPN, the concentrator code)
can have a significant impact on the stability of your
rollout. Be sure to keep your VPN software up to date.
Updating too quickly can also be a source of stability
issues, so a good rule of thumb is to keep your
software version one less than the latest version
number of the VPN software. That model allows you to
keep your VPN relatively current, so you avoid any
issues contained in older versions of code, but also
keeps you from being the vendor’s beta tester for new
code, which is never a good idea in a production
environment.
Underlying OS—The OS on which you run your VPN
can definitely affect the stability of your VPN
implementation. A VPN running on an old Windows
operating system might have issues with the dreaded
blue screen of death. A hardware-based VPN could run
into challenges if there are firmware or OS issues,
although those problems are typically less common
than with an OS-based solution. The number of lines of
software code needed to run a hardware VPN are quite
a bit less than the current OS coding. The leaner the
software, the less risk you run of issues with the OS.
While these lists contains many of the most common
sources of performance issues you may encounter, be sure
to reference your troubleshooting processes and procedures
when diagnosing VPN performance and stability issues.
Using VPNs with Network Address
Translation (NAT)
VPNs and network address translation (NAT) have
historically suffered from some conflicts when used
together. NAT is an Internet standard that allows you to use
one set of IP addresses on your internal LAN and a second
set of IP addresses for the Internet connection. A device
(usually a router or firewall) stands between the two
connections and provides NAT services, managing the
translation of internal addresses to external addresses. This
allows companies to use large numbers of unregistered
internal addresses while needing only a fraction of that
number of addresses on the Internet, thus conserving the
addresses. This is similar to a company that may have
hundreds of phones in a building but pays for only a small
number of connections to the phone switch, as it is unlikely
that every employee would pick up the phone at the exact
same time.
NAT was created as a workaround to IP addressing
issues. Since the Internet relies on the TCP/IP protocol for
communications, it also relies on the IPv4 addressing that is
an integral part of the TCP/IP protocol suite. The explosive
growth of the Internet threatened to exhaust the pool of
IPv4 IP addresses. Without unique addresses, the Internet
would be unable to successfully route TCP/IP traffic. This was
clearly unacceptable because the Internet was fueling the
explosive growth of many businesses. As a result, NAT was
proposed and adopted widely as a way to conserve critical
IPv4 addresses.
In the early days of the Internet, when IP addressing was
being created, developers believed the 32-bit addressing
scheme (known as IPv4) to be more than adequate for any
potential network growth. Theoretically 4,294,967,296
unique addresses were available using 32-bit addressing
and, even discounting the reserved ranges, more than 3
billion addresses were possible. At the time, that was
enough addresses to provide one for every person on the
planet.
Unfortunately, the designers of the addressing scheme
dramatically underestimated the explosive growth of the
Internet, as well as the popularity of TCP/IP in business and
home networks. There are no longer enough addresses to
go around. IPv6 is contains an addressing scheme that
allows for a dramatically larger pool of addresses, but is
receiving very limited deployment in corporate networks
and on the Internet today. This is due in large part to the use
of NAT. For more information on NAT, see RFC 3022 at
http://tools.ietf.org/html/rfc3022.
Two main types of NAT are available:
Static NAT—This version of NAT maps an unregistered
IP address on the private network to a registered IP
address on the public network on a one-to-one basis.
This is used when the translated device needs to be
accessible from the public network. For example, a
Web server on your private network might have an
unregistered address of 10.10.10.10, but a NAT
address of 12.2.2.123. A user trying to connect to that
Web site can enter 12.2.2.123, and the router or
firewall at the other end will translate that address to
10.10.10.10 when the packet reaches it.
Dynamic NAT—This version of NAT maps an
unregistered IP address to a registered IP address from
a group of registered IP addresses. This is more
commonly used when large pools of systems on the
internal network need to access the Internet and don’t
have a requirement for a static address. The
workstation’s address is translated to the next
available registered address as soon as it initiates a
connection to the public network.
The critical thing to remember about NAT is that due to
limitations in the IPSec standard, IPSec has issues traversing
a translated network. VPN vendors have addressed this
issue, but the workaround they have put in place can create
challenges for troubleshooters. If possible, run your IPSec
VPNs on untranslated addresses or deploy an SSL VPN.
Because SSL runs at a higher level in the OSI model, it’s not
affected by NAT.
NAT traversal is a general term for techniques that
establish and maintain TCP/IP network and/or UDP
connections traversing NAT gateways.
For IPSec to work through NAT, configure the firewall to
permit the following protocols and ports:
Internet Key Exchange (IKE)—User Datagram
Protocol (UDP) port 500
Encapsulating Security Payload (ESP)—IP protocol
number 50
Authentication Header (AH)—IP protocol number
51
Types of Virtualization
A number of definitions and types of virtualization are
available to businesses today. Operating system
virtualization is the emulation of an operating system
environment hosted on another operating system. A virtual
machine exists logically, but does not have an associated
dedicated physical device. Thus, a single physical machine
can host multiple virtual machines. Virtualization of storage
allows a storage manager to abstract the underlying
physical storage technologies and manage storage at a
logical level. Network virtualization allows you to run
multiple logical switches within a single physical switch
chassis. Some SSL VPNs support VPN virtualization.
All of these technologies can potentially affect your VPN
environment.
Desktop Virtualization
Desktop virtualization (sometimes called client
virtualization) is a concept that separates the personal
computer desktop environment from the physical desktop
machine by using a client/server model of computing. This
model is reminiscent of the thin client client/server
architectures of years ago, where the operating system was
run centrally. This generation of the model offers
significantly more business benefits. A virtualized desktop is
hosted on a remote central server instead of on the local
hardware of the remote client. This allows users to work
from their remote desktop client, while all of the programs,
applications, processes, and data used are kept and run
centrally.
This has an immediate impact on your VPN in ensuring
the compatibility of your VPN client with the virtualized
desktop. The possibility always exists that the virtualization
of the client might cause issues with the client or complicate
troubleshooting of any issues with the VPN. The best
approach to working in a virtualized desktop environment is
to test your VPN applications carefully before the virtual
implementation goes into production.
Another issue that can come up in conjunction with the
VPN is how you publish the virtual desktop to a remote
client that is not connected to the network. One model
would be to make the VPN connection first, then publish the
virtual desktop across the VPN connection. This is an
environment that lends itself well to SSL VPNs, due to the
lack of dedicated client software. With an IPSec VPN
deployment, you need to get a working VPN client on the
remote desktops before publishing the virtual desktop,
adding to the complexity of your VPN environment. The
other model is to publish the virtual desktops natively from
a DMZ environment across the Internet, and then connect
back to the network via VPN, publishing the VPN client (if
using IPSec) as part of the virtual desktop image.
Some limitations of desktop virtualization include:
Additional security risks associated with the complex
network and desktop image environments used when
working with remote virtual desktops.
Loss of employee privacy as all storage and processing
is centralized.
Maintaining your VPN clients in the virtual images.
Increased downtime in the event of network failures.
Outages can also affect a greater number of
employees.
The concept of virtualization is becoming more popular
among enterprise customers. For SSL VPNs, the need for
virtualization is natural. Enterprises like to provide different
remote access VPN presences to different user groups, such
as partners and different departments of employees. The
following section covers some of the basic capabilities you
should consider for a “virtualized” SSL VPN deployment.
SSL VPN Virtualization
Virtualized SSL VPNs provide a unique virtual VPN
configuration for each individual user group. Much like other
types of virtualization, a virtualized SSL VPN allows you to
separate the physical and logical sides of the VPN.
Some benefits of a virtualized SSL VPN environment
include:
Greater flexibility—A virtualized SSL VPN gives you
the ability to create custom authentication methods
and VPN group policies for different user groups.
Delegation of management—Virtual VPNs allows
the delegation of management roles for each virtual
instance. If one virtual VPN instance allows a business
partner to connect to an internal application, the
management of that virtual VPN can go to someone
supporting that business partner.
Added security when working in a multigroup
environment—Virtual VPNs provide a total logical
separation of the VPN’s instances in terms of system
resources, routing tables, user databases, and policy
management interfaces.
The use of virtualized VPNs is especially attractive to
companies that provide VPNs as a service. Being able to
create completely separate environments and resource
pools is critical to a successful service provider. Setting up
dedicated hardware environments for each customer does
not allow a service provider to take advantage of the
economies of scale offered by a single implementation.
Differences Between Internet
Protocol Version 4 (IPv4) and Internet
Protocol Version 6 (IPv6)
One of the critical topics associated with today’s VPN
implementations has to do with IPv4 versus IPv6. A quick
look at the history of the Internet Protocol (IP) will be helpful
first.
The Internet has driven the development of the TCP/IP
suite, and TCP and IP remain tightly coupled. TCP/IP has
always been at the root of the Internet; today, you are using
TCP/IP in your corporate network because of the success of
both the Internet and TCP/IP. In the early days of computing,
multiple protocols ran on corporate networks, and you had
to worry about how to tunnel other protocols across the
VPN. Today, most networks run TCP/IP exclusively.
The TCP/IP Suite
The TCP/IP suite is composed of a large number of protocols,
defined in a series of RFCs. Each of the protocols in the
TCP/IP suite provides a different function, and together they
provide the functionality known as TCP/IP.
The TCP/IP suite got its name from the two main
protocols in the suite: TCP (Transmission Control Protocol)
and IP (Internet Protocol). TCP is responsible for providing
reliable transmissions from one system to another, and IP is
responsible for addressing and route selection. IP defines
how computers communicate over a network. IP version 4
(IPv4), the currently prevalent version (defined at
http://tools.ietf.org/html/rfc791), contains just over four
billion unique IP addresses. IPv6 offers a newer numbering
system that provides a much larger address pool than IPv4,
among other features.
IPv4 Challenges
The largest challenge with IPv4 is address exhaustion. While
IPv4 addressing has kept the Internet and corporate
networks running since the early years of the Internet, the
industry is running out of addresses. The judicious use of
NAT has extended the life of IPv4 far beyond its expected
life span; however, currently less than 10 percent of total
IPv4 address space remains. Organizations will soon need to
start adopting IPv6 to support applications that require
ongoing availability of contiguous IP addresses.
TIP
The assignment of both IPv4 and IPv6 addresses is the
domain of suborganizations of a global organization
called the Internet Assigned Numbers Authority (IANA).
To find out more about IANA, go to www.iana.org. In the
U.S., the suborganization is the American Registry for
Internet Numbers (ARIN); for more information, visit
www.arin.net.
FIGURE 12-4
Comparison of IPv4 and IPv6 addresses.
IPv6
IPv6 is the next-generation IP version and has been
designated as the successor to IPv4, the first
implementation used in the Internet. The main driving force
for the redesign of Internet Protocol is the foreseeable IPv4
address exhaustion. IPv6 was defined in December 1998 by
the IETF with the publication RFC 2460. IPv6 is documented
in several requests for comments (RFCs) starting with
RFC 2460.
Some benefits of IPv6 include:
Increased address space—IPv6 supports 340
undecillion (3.40282E38) IP addresses for network
devices.
More efficient routing—The routing functionality of
IPv6 has been enhanced.
Reduced management requirement—A more
robust protocol, IPv6 requires less management. In
contrast, IPv4 required significant management due to
new requirements after the introduction of the
protocol.
Better quality of service (QoS) support for all
types of applications—Support for QoS is built into
IPv6, whereas it was an add-on in IPv4.
Security—IPv6 includes a native information security
framework (IPSec) that provides for both data and
control packets.
Plug-and-play configuration with or without
DHCP—IPv6 permits hosts to automatically configure
themselves when they connect to an IPv6 network by
querying the local routers with a multicast message. If
the routers are configured correctly, they will respond
with the appropriate configuration information. If this
mechanism is not appropriate for a specific
environment or application, support is available for an
IPv6 version of DHCP. It also supports static
configurations.
Three mechanisms currently exist for the transition from
IPv4 to IPv6. It’s important to understand that when the IPv6
standard appeared, the expectation was that the two
protocols would need to coexist in the network for 20 to 30
years, allowing for a gradual transition period. Three of the
proposed migration strategies are:
Dual-stack—With this transition solution, both IPv4
and IPv6 protocol stacks coexist in the same terminal
or network equipment. This would allow the network to
communicate using both protocols, but adds
significant overhead to the network infrastructure.
Tunneling—This solution allows two IPv6 hosts to
create a tunnel for traffic between two IPv6 hosts
through an IPv4 network, or vice-versa, as IPv4 starts
to phase out. This could add significant configuration
overhead.
Translation—This solution enables an IPv4 host to
talk to an IPv6 host. This solution will require
additional development, as currently IPv6 does not
include this capability.
IPSec and IPv6
IPSec is a mandatory component for IPv6, and is used to
natively protect IPv6 data as it is sent over the network. The
components of IPSec in IPv6 are not dramatically different
from IPSec, which industry has been using since the 1990s.
In IPv6, IPSec uses the AH and the ESP extension header.
The IPv6 IPSec is a set of Internet standards that uses
cryptographic security services to provide the following:
Confidentiality—IPSec traffic is encrypted and cannot
be deciphered without the appropriate encryption key.
This should be easier to use in conjunction with IPv6,
since it’s a native component of the protocol.
Data origin authentication—Ipv6 IPSec uses a
cryptographic checksum that incorporates a shared
encryption key so that the receiver can verify that it
was actually sent by the apparent sender. This
prevents spoofing of transactions.
Data integrity—The cryptographic checksum can
also be used by the receiver to verify that the packet
was not modified in transit.
You can find more information about IPv6 in RFC 2460 at
http://tools.ietf.org/html/rfc2460.
CHAPTER SUMMARY
You should now be familiar with the different VPN and
related protocols and their uses, such as IPSec, Layer
2 Tunneling Protocol (L2TP), Secure Sockets Layer
(SSL)/Transport Layer Security (TLS), and SSH. You
should also understand the advantages and
disadvantages of hardware and software solutions,
and be able to determine which solution would be
appropriate in your environment.
You learned how some of the challenges associated
with establishing performance and stability for VPNs
can affect the performance and stability of your VPN.
You learned about the issues network address
translation (NAT) can present when rolling out a VPN,
as well as the impact of both client and VPN
virtualization on your VPN.
You took a detailed look at Internet Protocol version 4
(IPv4) and Internet Protocol version 6 (IPv6), including
challenges and benefits associated with the rapidly
approaching migration to IPv6.
KEY CONCEPTS AND TERMS
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Internet Engineering Task Force (IETF)
Internet Key Exchange (IKE)
Layer 2 Forwarding (L2F) Protocol
Layer 2 Tunneling Protocol (L2TP)
Point-to-Point Protocol (PPP)
Point-to-Point Tunneling Protocol (PPTP)
Requests for comments (RFC)
Secure Shell (SSH)
CHAPTER 12 ASSESSMENT
1. What are the two modes supported by IPSec? (Multiple
answers are correct.)
A. Transition
B. Tunnel
C. Encrypted
D. Transport
E. Internally connected
2. Which of the following are not considered IPSec
services? (Multiple answers may be correct.)
A. Access control
B. Encryption
C. NAT interoperability
D. Replay rejection
E. Support for AES encryption
3. The strongest encryption protocol currently supported
by IPSec is ________.
4. The two different protocols commonly used for remote
access VPN are ________ and ________.
5. Pick two advantages of using an IPSec-based VPN
solution instead of an SSL-based solution. (Multiple
answers are correct.)
A. IPSec provides a direct connection to the network.
B. Since IPSec works at Layer 3, it can support virtually
all network applications.
C. IPSec requires the configuration of each application
being accessed via the VPN.
D. IPSec is a clientless solution.
6. A solution that permitted industry to extend the life of
IPv4 addresses is ________.
7. Which of the following are benefits of using an SSL
VPN? (Multiple answers may be correct.)
A. More costly
B. Less flexible
C. Support for NAT
D. Fewer firewall rules required
E. Used for secure logons
8. SSL VPNs are considered ________ because access is
granted through SSL, which is supported by Web
browsers on virtually all platforms.
9. Which of the following can affect the stability of your
VPN? (Multiple answers may be correct.)
A. Number of users
B. VPN configuration
C. Code revision level
D. Operating system
E. Encryption level
10. Which of the following are types of network address
translation? (Multiple answers may be correct.)
A. On demand
B. Dynamic
C. Secure
D. Static
E. Encrypted
11. The mechanism used by the IETF to document Internet
standards is the ________.
12. Separating the physical devices from the logical
devices is known as ________.
13. Which of the following are uses for the SSH protocol?
(Multiple answers may be correct.)
A. Secure remote logon
B. Secure file transfers
C. Secure access to a Web site
D. Encrypting data on backup tapes
E. Creating a VPN connection
14. The L2TP protocol was created by the combination of
these two protocols: ________ and ________.
15. When you need to securely connect to a router for
remote logon, ________ would be the recommended
protocol.
16. Which of the following are protocols that can be used
for a VPN connection? (Multiple answers may be
correct.)
A. IPSec
B. 3DES
C. SSH
D. IETF
E. SSL
17. When working with IPSec in an environment using
network address translation, which protocols and ports
need to be open for IPSec to communicate? (Multiple
answers may be correct.)
A. IKE/UDP port 500
B. IKE/UDP UDP port 500
C. ESP/IP port 50
D. SSL/TCP port 443
F. AH/IP protocol number 51
18. When designing a VPN solution, which of the following
areas could affect VPN performance? (Multiple answers
may be correct.)
A. Available bandwidth
B. Client configuration
C. Client patch level
D. Traffic
E. Topology
19. Which of the following are benefits of IPv6? (Multiple
answers may be correct.)
A. IPSec is defined as a native protocol.
B. Support for SSL included in the standard.
C. IPv6 has the ability to address a limit of 4.3 billion
hosts.
D. IPv6 allows plug-and-play configuration with or
without DHCP.
E. IPv6 defines how to respond to incidents.
20. The ability to traverse a firewall using network address
translation on port 443 is a component of which VPN
protocol ________?
PART THREE
Implementation,
Resources, and the Future
CHAPTER
13
Firewall Implementation
CHAPTER
14
Real-World VPNs
CHAPTER
15
Perspectives, Resources, and the
Future
CHAPTER
13 Firewall
Implementation
THE LOCAL AREA NETWORK (LAN) ADMINISTRATOR oversees all aspects of Internet and Web security
administration. This chapter is for those professionals who
don’t have enough time to dig into the more technical
aspects of Internet and Web security, but need reliable
options for Internet protection. Here are practical
instructions to get a firewall up and running at your
organization.
Chapter 13 Topics
This chapter covers the following topics and
concepts:
How to construct, configure, and manage a
firewall
What SmoothWall is
How to examine your network and its
security needs
What the hardware requirements for
SmoothWall are
How to plan a firewall implementation with
SmoothWall
How to install a firewall with SmoothWall
How to configure a firewall
What the elements of firewall deployment
are
How to perform testing with SmoothWall
How to troubleshoot a firewall with
SmoothWall
What some additional SmoothWall features
are
What firewall implementation best practices
are
Chapter 13 Goals
When you complete of this chapter, you will be
able to:
Install a host software firewall
Constructing, Configuring, and
Managing a Firewall
Say you want to protect a small office, home office (SOHO)
network of about 25 computers. Many firewall products are
available for small businesses and those working from
home. SOHO VPN hardware firewalls are often built on a
secure virtual private network (VPN) connection to the
company network to transfer e-mail and sensitive files.
In many cases, the SOHO firewalls have additional
features such as an antivirus tool, IP filtering, Web content
filtering, router options (router/firewall combinations),
intrusion detection, and DDoS/DOS attack detection. Some
of the firewalls come with a Linux or Linux-like operating
system and use ipchains to manage their filter rules.
A SOHO VPN hardware firewall is the best solution when
you already have a working network and want to provide
remote access. For example, you may already connect your
personal computers within your office. If you want to open a
new office in another location, you could connect both
offices with a SOHO VPN firewall at each office. It will create
a secure connection to transfer sensitive data (bank
information, customer information, or company-related
information) from one office to the other. Another example
is a mobile worker such as a salesperson working in the
field. The salesperson could use the VPN’s secure
connection to access company files and presentations or
customer-related information directly from the company
office, even when working in the field.
Recall that a firewall allows you to restrict unauthorized
access between the Internet and an internal network. It
exists to block unauthorized connections and keep outside
attackers from penetrating the internal network. It also
prevents inside connections from reaching out to the
Internet without authorization. By monitoring inside users,
firewalls can prevent them from sending out to the Internet
sensitive information, such as personally identifiable
information or sensitive corporate data.
SmoothWall
You have many choices for firewall applications. This section
discusses one possible choice: SmoothWall, which supports
many different network types and is a practical solution for
just about any organization. SmoothWall uses colors to
differentiate networks. A green network interface card (NIC)
is a private, trusted segment of the network, while an
(optional) orange NIC is not trusted, but does share the
Internet connection. A red interface is a connection to the
Internet. This could be a conventional Ethernet adapter, a
dial-up modem, an Integrated Services Digital Network
(ISDN), or a USB asymmetrical digital subscriber line
(ADSL) or a conventional Ethernet adapter. Figure 13-1
illustrates this scenario. A purple interface indicates a
wireless connection.
FIGURE 13-1
A typical SmoothWall network interface setup.
Key features of the SmoothWall firewall include:
Compatibility with a wide range of hardware and
systems
Flexibility and ease of use
Support for multiple network zones—client local
network (green), demilitarized zone (DMZ) for hosting
servers (orange), wireless client (purple), and external
(red)
Comprehensive reporting and logging capabilities
POP3 e-mail antivirus proxy
Web proxy support
Snort IDS support
Static and dynamic Domain Name System (DNS)
support
Remote access and VPN support
DHCP and network time server support
Powerful traffic graphs and bandwidth bars
Inline proxy support for instant messaging (MSN, ICQ,
Yahoo!, AOL) and VoIP with logging capabilities
Universal Plug and Play support (UPnP)
Bandwidth management
Real-time graphs and traffic stats per IP
System updates
Outbound traffic blocking with time-based controls
Examining Your Network and Its
Security Needs
According to the National Security Agency (NSA),
attacks to systems connected to the Internet are becoming
more and more complex and dangerous. For instance,
hackers can penetrate computer systems using a variety of
techniques to exploit weaknesses hidden in the complex
code of many operating systems and applications.
NOTE
Tim Berners-Lee started the World Wide Web while at
CERN (the European Laboratory for Particle Physics).
The project sought to build a “distributed hypermedia
system.” The Web is a large collection of
interconnected Web pages providing dynamic content
documents, accessible throughout the world. Berners-
Lee is still working on this project, now under the
auspices of the W3 Consortium at MIT.
What to Protect and Why
Internet-facing servers are accessible to people anywhere in
the world who have Internet access, and these servers are
often targets of attacks. They include Web servers, e-mail
servers, File Transfer Protocol (FTP) servers, and more. If a
server has a public IP address, it’s a potential target for
hacker attack. Firewalls provide protection for Internet-
facing servers. Firewalls also provide protection for internal
clients. They provide a layer of protection to limit the ability
of attackers to exploit system weaknesses—both hardware
and software.
Imagine an organization that sells products over the
Internet and processes credit card transactions. Customers
insist that the merchant protect their credit card data. To do
this, organizations need to address two distinct security
areas:
Network security—Computers, hard disks,
databases, and other computer equipment attached
directly or indirectly to the Internet need protection.
Firewalls serve an important role in this aspect of
network security.
Transaction security—Web servers must be able to
securely complete private transactions with other
entities in databases accessible on the Internet.
Hypertext Transfer Protocol Secure (HTTPS) is an
important tool used to encrypt the transactions.
Additionally, firewalls provide protection for the data.
For example, it’s common for a Web server to stand
behind one firewall. The database server stands
behind a second firewall that restricts access to the
database to only the Web server. In this scenario, the
area where the Web server operates is called a
demilitarized zone (DMZ).
Network security and transaction security have four
overlapping types of risk:
Risk that unauthorized individuals can breach
the server’s document tree—Depending on what
data resides on the server, this threat can compromise
the confidentiality of documents stored there.
Risk that transaction data can be intercepted—
This threat can include personal data, financial data,
or credit card information.
Risk that information about the server can be
accessed—If attackers learn details about the server,
such as the type of server and its operating system,
they may be able to identify and exploit its known
vulnerabilities.
Risk of denial of service (DoS) attacks—Many
different types of DoS attacks are possible. A simple
SYN-flood attack withholds the third packet in the TCP
three-way handshake, for example. Hundreds of these
incomplete sessions in a short time can consume
substantial resources on a server and even crash it.
If your organization conducts business on the Internet, you
need to take steps to protect those transactions. E-
commerce requires a zero tolerance for failure. Protection is
not optional.
Protecting Information and Resources
An organization must protect against attackers trying to
access information and resources within the internal
network, such as servers and workstations. Servers can host
massive amounts of data that’s invaluable to attackers.
Database servers may host personally identifiable
information (PII) about customers, including their credit card
data. Domain Name System (DNS) servers host information
such as the IP addresses and names of all systems in the
network.
Protecting Clients and Users
Most organizations have a written security policy that
outlines specific security requirements. A firewall can be
useful in upholding the security policy by providing
perimeter security. In other words, the firewall limits the risk
of attack from hackers outside the internal network.
However, if you want to guarantee the security of an
organization’s network and protect its clients’ and users’
interests, you should do the following as well:
Treat private messages as confidential—Private
messages should be encrypted to ensure the message
remains confidential. Encryption prevents the
unauthorized disclosure of the private message.
Maintain integrity of information—Integrity
methods verify that data has not changed. For
example, hashing is often used to verify the integrity
of messages. A hash is simply a number calculated
using an algorithm on a message. No matter how
many times you calculate the hash, it will always be
the same as long as the data has not changed. The
hash is calculated at the source and sent with the
message. The hash is recalculated at the destination
on the received message and compared with the hash
sent with the message. If they’re both the same, the
integrity of the message is ensured.
Use strong authentication and nonrepudiation
methods for all transactions—Digital signatures
commonly accompany both authentication and
nonrepudiation. For example, a sender can sign a
message with a digital signature. The receiver can use
this signature to verify the identity of the sender. In
other words, the digital signature provides
authentication. Additionally, since it was digitally
signed, the sender can’t later deny sending it. In other
words, the digital signature also provides
nonrepudiation.
Preserving Privacy
It’s more difficult to preserve a user’s privacy on the
Internet than in the physical world. Usually, you can close
your door when seeking privacy or whisper something so
that others can’t hear you. But the digital era has changed
things. There’s no such thing as whispering on the Internet.
When data is sent or received by a user surfing the
Internet, that information can be intercepted and collected.
Much of this data is stored in databases and can be made
available for sale to others. Data mining methods are then
used to help build customer preference profiles. From the
perspective of an organization selling products, this data is
valuable for identifying an individual’s buying habits and
targeting advertising. However, this data can be easily
misused.
The Electronic Privacy Information Center (EPIC)
was established in 1994, in Washington, DC. Its goal is to
alert the public on emerging privacy issues relating to the
National Information Infrastructure (NII), such as the
Clipper chip, the Digital Telephony Proposal, medical
record privacy, and the sale of consumer data. EPIC’s
mission is to preserve the right of privacy in the electronic
age as well as to give individuals greater control over
personal information, and to encourage the development of
new technologies that protect privacy rights. EPIC can
provide valuable information to IT professionals on emerging
cyber laws and other privacy threats.
Preserving privacy on a corporate network may require
more stringent security if you have users accessing
resources from all over the world. While administrators are
responsible for setting up security policies to guarantee
users’ privacy, each user accessing the company’s network
is responsible for browsing the Web with ethical regard for
others. They also should be aware of information they may
reveal while accessing resources from outside of the
network.
Typically, most network servers (and Web servers) log all
the hits they receive. This log usually includes the IP
address and/or the host name. If the site uses any form of
authentication, the server will also log the username. If the
user filled out any form during the session, all the values of
any variable from that form will be also recorded. The status
of the request, the size of data transmitted, the user’s e-
mail address, and so on can also be logged. Moreover, Web
servers can make all this information available to Common
Gateway Interface (CGI) scripts. Since the majority of
Web browsers are running on single-user PCs, very likely all
the transactions can be attributed to the individual using
the PC.
TIP
If you want to know more about EPIC, you can check
out its Web page at http://epic.org/.
Revealing any of this information can harm the user. This
is especially true if the user has logged any PII. Attackers
can use PII for identity theft. Some PII may allow an attacker
to access bank accounts or fraudulently charge credit cards.
As a subtler example, if a user researches a job opening
opportunity at a site, it may indicate that the user is
searching for a new job. Browser lists, hotlists, and caches
can also reveal certain patterns about the user.
A proxy server, for instance, will track every single
connection outside the Web by IP address and the URL
requested. If you install a proxy server within an
organization, data needs to be protected so that only
authorized individuals have access to it.
Firewall Design and Implementation
Guidelines
When deciding to install a firewall, you should consider
several basic decisions before going ahead with the project.
Before you start thinking about the type of firewall you
want to use, where to install it, and how to deploy it, you
should make sure you have a guideline in hand. You need a
policy that will set the security standards for the network,
including the rules users and system administrators will
follow and the security strategy configuration you plan to
deploy.
Many security policies have a special section just for the
firewall, outlining how to configure and use it. For example,
many organizations recognize that every service and
protocol allowed through the firewall represents a risk. By
blocking traffic that isn’t needed to support the
organization, these risks are eliminated. A simpler route is
to just monitor the activity at the network and Web server,
but it may subject the network to risks you can easily avoid.
Be prepared to face a situation where the final design of
the firewall may involve political issues from upper
management and other departments of the company. For
example, the security policy may state that the Network
News Transfer Protocol (NNTP) is not essential for the
organization. You would then design the firewall to block all
NNTP traffic. But even though it may not be essential, upper
management may decide to allow the traffic.
Once you decide on the design, then you need to identify
a firewall that can meet your needs. You’ll need to consider
several items including:
Suitability—Can the firewall implement the policy?
Flexibility—Is it easily reconfigurable?
Training—Is training required and if so, what is the
cost?
Need—Make a list of traffic you want to allow, filter, or
block. This is often derived from the organization’s
security policy.
Risk—Make a separate list of all the risks in the
network based on the traffic allowed.
FIGURE 13-2
Simple firewall solution.
Cost—Add the “need” and “risk” lists up and find out
how much it will cost to provide everything. You then
need to divide this result by available financial
resources, and you will have a clear picture of how
much it will cost to implement your ideal firewall
system. The result may even point out the likely type
of firewall you must purchase. Many times, you’ll find
you must reevaluate your needs so that the plan is
more realistic, from both the security and financial
perspectives.
You can recommend a firewall solution that costs almost
nothing or a solution that may cost hundreds of thousands
of dollars. You need to balance the security needs with the
resources within your organization.
On the technical side, you need to decide how you want
to configure the firewall and what strategy you’ll use. Figure
13-2 shows a simple firewall solution with one network
firewall and all resources placed behind it.
This method is generally not recommended for
organizations that host Internet-facing servers such as e-
mail servers or Web servers. These servers can go behind
this single firewall and you can configure the firewall to
direct Internet traffic to the servers using port forwarding.
However, this exposes the internal network to potential
threats from the Internet. If you instead put your Internet-
facing servers directly on the Internet, you expose them to
threats of attack from anywhere in the world.
An alternative for organizations that have Internet-facing
servers is to use a perimeter network. Figure 13-3 shows
one example. The firewall has three connections: one to the
Internet, one to the internal network, and one to the
perimeter network. This is also known as a bastion host.
In this solution, the firewall will direct traffic destined for
the Internet-facing servers to the servers on the perimeter
network. Unrequested traffic from the Internet will be
blocked from entering the internal network.
FIGURE 13-3
Multi-homed firewall used for a perimeter network.
The third solution uses two firewalls to create a DMZ as
shown in Figure 13-4. This provides several benefits. The
two firewalls provide an additional layer of security for the
internal network. If the Web server accesses a database, the
database server can go in the internal server for better
protection. Internet users won’t be able to access the
database server directly.
Many organizations use two different brands for their
different firewalls. If a flaw or vulnerability appears in one,
it’s unlikely the second firewall will be vulnerable at the
same time. Additionally, an attacker may be an expert on
one brand of firewall, but it’s less likely that the attacker has
the same level of expertise for two separate brands.
Remember, though, you need to balance the needs of
the organization with the security requirements. While it’s a
true a DMZ provides more protection than a single firewall,
it also costs more.
FIGURE 13-4
Two firewalls used to create a DMZ.
Selecting a Firewall
Before you select a firewall, you should make sure that your
organization has created a written security policy. You would
then select the firewall that can fulfill and comply with the
policy. When evaluating firewalls, take the time to evaluate
the levels of security they provide. Quite simply, some are
better than others, and a high cost doesn’t necessarily
mean high quality.
The basic concept of any firewall is the same, so you
should evaluate a firewall based on the level of security and
features it offers. First and foremost, the firewall should be
able to fulfill and comply with your security policy. Some
other characteristics to consider are:
Security assurance—Independent assurance that
the relevant firewall technology meets its
specifications.
Privilege control—The degree to which the product
can impose user access restrictions.
Authentication—The ability to authenticate clients
and allow different types of access control for different
users.
Audit capabilities—The ability to monitor network
traffic, generate logs, and provide statistical reports.
Logs may include both authorized traffic and
unauthorized attempts and may be able to trigger
alarms in response to certain events.
When considering the features, consider the product’s
ability to meet the needs of the organization. A good firewall
product should provide:
Flexibility—The firewall should be open enough to
accommodate the security policy of your organization,
as well as allow for changes. Security policies can
change, and security procedures should also be able
to change and adapt to different needs.
Performance—A firewall should be fast enough that
users don’t notice the screening of packets. The
volume of data throughput and transmission speed
associated with the product should be reasonable and
consistent with the organization’s network bandwidth
to the Internet.
Scalability—Firewalls should be able to handle
additional workload. The additional workload can be
due to growth within the organization or due to
increased use of the Internet connection.
When considering integrated features, consider the ability of
the firewall to meet your network and users’ needs. This
includes:
Ease of use—The firewall product should ideally have
a graphical user interface (GUI), which simplifies the
job of installing, configuring, and managing it.
Customer support—Vendors that sell firewalls
provide support for them. This includes providing
prompt access to technical expertise for installation,
use, and maintenance. It also includes training.
FIGURE 13-5
SmoothWall topology.
Hardware Requirements for
SmoothWall
As mentioned previously, one of the main advantages of
SmoothWall is that it will run on a variety of hardware. It’s
recommended you use a machine that is 166 MHz or faster.
In any case, you will need at least two network cards (NICs)
in your SmoothWall machine, as firewalls traverse two or
more network connections. You may or may not need a
crossover cable as well. The Dell Powerconnect 2650 switch
performs auto-sensing, so there is no need to use a
crossover cable. This is common with many switches today.
Figure 13-5 depicts the topology of SmoothWall.
The minimum requirements for a computer running
SmoothWall are:
Processor running 166 MHZ or greater
512 MB PC133 synchronous dynamic random
access memory (SDRAM)
20 GB hard drive
Two NICs
Planning a Firewall Implementation
with SmoothWall
As a software appliance, SmoothWall will convert a
computer server or PC into a dedicated hardware security
appliance, running the security-hardened Linux operating
system and all other necessary software. When planning a
firewall, you should use standard hardware, typically from
major manufacturers such Dell, HP, or IBM, which will
provide you with considerable benefits including:
Flexibility—You can easily add RAID, redundant power
supplies, additional RAM, and a range of network
interface cards.
Performance and value for the money—The
average desktop PC will have many times the
processing power and memory complement of most
mid-range hardware firewall appliances. Office PCs
have become a commodity, offering exceptional value
for the money.
Support—The major PC manufacturers can support
their products virtually anywhere in the world,
including rapid, on-site repair or replacement if the
customer requires. Alternatively, in most major cities,
several computer support companies also support
such hardware. In contrast, the support available for
smaller manufacturers’ equipment is often limited to
repairs done after you’ve had to ship the machine
back to the factory.
What kind of firewall is right for an organization? Truthfully,
no single correct and definite answer exists. A security
policy developed by a Fortune 500 company certainly will
not be suitable for a small business owner (and vice versa).
The following are brief fictitious scenarios to illustrate
different firewall designs to meet different needs.
Firewalling a Big Organization: Application-
Level Firewall and Package Filtering, a
Hybrid System
Employees at Other People’s Money, Inc. (OPM) access the
Internet on a daily basis for a wide variety of different
business purposes. Additionally, they host a Web server that
has a high volume of access from OPM customers. Finally,
mobile workers use a VPN server to access internal
resources.
OPM might decide a DMZ with two application-level
firewalls and packet filtering is adequate for its needs. The
Web server and VPN server would go in the DMZ so that
they are accessible from the Internet, but the internal
network has additional layers of protection.
Firewalling a Small Organization: Packet
Filtering or Application-Level Firewall, a
Proxy Implementation
Imagine a smaller organization that requires Internet access
by employees, but doesn’t host a Web server or a VPN
server. All users in the organization require access to the
Internet, and they need a layer of protection against
Internet-based attacks.
A proxy server or a firewall such as SmoothWall would be
enough. All users could access the Internet through the
SmoothWall firewall, and it would provide protection against
external attacks. While SmoothWall was the example
examined in depth in this chapter, many other products can
provide the same level of service for a small organization.
Firewalling in a Subnet Architecture
Imagine a larger organization with multiple subnets. They
may want to limit specific types of traffic within subnets. For
example, they may want to ensure that traffic within a
specific subnet is encrypted with IPSec. Additionally, they
may want to allow NNTP traffic on one subnet, but not on
others.
You can configure routers to provide basic packet
filtering. In other words, they can block or allow traffic based
on IP addresses, ports such as port 119 for NNTP, and some
protocols such as ICMP or IPSec.
If the organization wants to protect subnets within the
network, basic packet filtering provided by routers might be
the most appropriate choice. This model supports each type
of client and service within the internal network. No
hardware or software modifications or special client software
would be necessary. The access through the routers used as
packet-filtering firewalls is transparent for both the user and
the applications. The existing routers can handle the packet
filtering. This solution doesn’t require the purchase of a host
or firewall product. Buying an expensive UNIX host or
firewall product would be unnecessary.
Installing a Firewall with SmoothWall
The installation of SmoothWall is easy. As long as you ensure
you have the computer BIOS set to boot from a CD, the
installation process will begin automatically. SmoothWall
Express runs on a workstation with a bootable CD-ROM
drive. After booting, it will automatically check the
workstation and hardware components.
The common interfaces on the installation screen of
SmoothWall are listed below:
Red—Internet. This interface is protected by the
iptables firewall rules.
Orange—Filtered/special purpose. This is commonly
used for a DMZ or other special section you want to
allocate.
Green—Trusted network. All traffic is permitted to and
from this interface.
WARNING
During the installation process, SmoothWall will delete
all data you may have on your hard disk. So, before
you start the installation, ensure that all valuable data
is safely backed up.
Note the green + red configuration. The green interface
card connects to the internal network and the red interface
to the external network. If you have a different setup or
hardware, please use the appropriate configuration.
At this point, you should read the information that
appears on the following screen and press the Enter key on
your keyboard.
Next, you should see the screen alerting you that your
hard drive will be prepared for installing the firewall.
If you have two of the same NICs, you may want to pay
attention to the Media Access Control (MAC) addresses so
you know which cable to connect to the modem and which
one goes to your switch. If your red interface connects to an
ISP, ensure you configure it based on the requirements of
the ISP. For example, some ISPs will assign manual
IP addresses, while others use DHCP. When DHCP is used,
all the Transmission Control Protocol/Internet Protocol
(TCP/IP) configuration information such as DNS, gateway,
and IP address happens automatically.
The green interface should have a static IP (such as
192.168.0.1) to connect to the internal network. Once you
have the interfaces set up correctly, it’s time to reboot the
computer. Also, it’s very important that you power-cycle the
modem. Often, ISPs will assign a different IP when the MAC
address of the device attached to the modem changes.
When configuring the NICs for the green and red
interfaces, you can use static IP addresses for both
interfaces.
Now you will need to set up the DNS and default gateway
accordingly.
Next, enter the SmoothWall admin password. You will
need it for logging into the Web interface later. Then, set up
the root password.
At this point, the setup of SmoothWall is complete and
your network should be protected. You should see a screen
showing that the installation is complete. Remove the CD
and restart SmoothWall.
TIP
An excellent Web site is available that will walk you
step by step through SmoothWall installation:
http://www.linux-tip.net/cms/content/view/316/26/.
Configuring a Firewall with
SmoothWall
Once you have finished installing SmoothWall, you will have
to configure the firewall via a Web browser. The interface is
clean and well laid out, and works well with Mozilla Firefox,
Google Chrome, and Microsoft Internet Explorer. Once you
reboot the computer, you can access it via a browser from a
Web interface (usually https://192.168.0.1:441) to start
configuring the firewall. SmoothWall Express version 2.0
added the ability to use HTTPS. You can also access it using
port 81. Without logging in, you should be able to see part
of the management menu, the version, and load averages.
Since the install connected the red interface to the
Internet, your first access of the home page should lead you
to the following message: “There are updates available for
your system. Please go to the ‘Updates’ section for more
information.” You will find the Updates menu item under
Maintenance.
At this point, if you want to verify or change anything,
you must log in. During the configuration process you were
asked to specify some passwords. To log in to the Web
interface, you must use admin as the username and the
password you specified. Logging in as root will work only
over Secure Shell (SSH) or from the console. You cannot log
in as root using the Web interface.
For most scenarios, the out-of-the-box SmoothWall
installation should work without any additional
configuration. But additional customization can bring out the
real power of SmoothWall features. The Services tab allows
you to monitor each advanced feature, including time,
remote access, intrusion detection, dynamic DNS updates,
and proxy services. Some services such as SSH access
services are not started by default. Interestingly, ICMP is
configured to reply to both external and internal ping
requests, making the firewall susceptible to DoS attacks.
The Networking tab exposes the interface settings, IP
address blocking, timed access, and traffic rules. Incoming
and outgoing rules are easy to create and maintain. You can
view the status of the system at all times with various
options. Configuration and resources appear in text form.
You can also view a summary screen of all the services
running on the SmoothWall system (computer).
In the quality of service (QoS) configuration section, you
can use drop-down boxes to select upload and download
connection speeds and enable the service. The QoS engine
prioritizes different types of traffic to make the connection
speed seem faster. The settings are combo boxes, which
makes them understandable even to non-technical users. By
default, instant messaging traffic is set to low priority, VPN
traffic to normal, and gaming traffic to high.
Elements of Firewall Deployment
At this point, you should start thinking about deploying the
firewall and about the services you want it to run. You
should pay special attention to the Services tab. You have
the ability to run:
Web cache/proxy (SQUID)
DHCP server
DDNS (for dynamic IPs)
Intrusion detection system (Snort)
Secure Shell (Open SSH)
To enable the Web proxy, you must select it by checking the
box. The Web proxy information needs to be changed.
The Transparent option simply means that every client on
the network will be forced to connect through the proxy
server. Browser settings will not need to be changed, and
the clients will not even know they are using the proxy. You
should change the cache size from 50 to 5000 MB. You
shouldn’t change the other options, as caching objects too
large or too small can create problems.
One of the great features of SmoothWall is the ability to
view network usage. You can view graphs of network traffic
generated by RRDtool (round robin database tool)
every five minutes.
You can also view the logs of Web usage through the
proxy. You can even dig further by filtering the log by IP. This
way, you can see all the Web sites visited by a certain IP (or
user).
Performing Testing with SmoothWall
To test SmoothWall’s ability to mitigate attacks, you can
enable Snort intrusion detection software and run a few
attacks against the firewall over the red interface. For
example, you can use Nmap, the Metasploit framework, and
some other port scanning and attacking tools. In all cases,
the firewall should be able to deal with them. The Snort and
firewall logs should identify most types of attacks, the IP
address of the attacker, and the time and date of the attack.
SmoothWall’s IP lookup feature can determine and report
the origin of an attacker.
TIP
ICMP may be blocked by the host you ping. If the ping
fails, consider pinging another host that you know will
respond.
Once SmoothWall is up and running, the next step is to
test its ability to access Internet resources. You should first
ensure you can access the Internet from the SmoothWall
box. To do this, run the following command: ping
www.google.com
ping www.google.com
If you get a successful reply, it means your host can access
the Internet.
Now, if you have an internal client configured, try to ping
one by running the command, substituting the actual IP
address of an internal client. An example would be:
ping 173.16.0.1
You can also test a client’s ability to traverse the firewall.
Start a Web browser on a client system and enter the IP
address of the SmoothWall router. For example, if the IP
address for the green NIC on the SmoothWall machine is
172.16.1.95, then you would enter http://172.16.1.95 in the
location bar of the browser. You should be able to see the
SmoothWall startup screen. If you see the screen, then the
firewall is up and running. Next, try to access any Web site
to confirm that you can surf the Internet. If you encounter
problems accessing the Internet, try the following:
Check the TCP/IP settings on the SmoothWall host.
Make sure all of the addresses and subnet masks are
correct.
Make sure the NIC accessing your ISP (red) is the
correct card. Some ISPs will provide access only when
the MAC address on the NIC is correct.
Check the TCP/IP settings on the client computer.
Firewall Troubleshooting
Sometimes, right after installing SmoothWall, you may have
problems being able to SSH into the system. This is typically
because port 22 is not open. In this case, you should make
sure that SSH is enabled and that port 22 or 222 is open.
This enables you to tunnel different SSH connections at the
same time.
One small disadvantage of using SmoothWall from the
console is that some traditional Linux tools are modified. For
example, some shell commands such as whereis and locate
are not included, which can make it a little hard to find
items. Also, config files are stored in non-traditional Linux
locations, and partitions are not named according to
standards. For instance, the snort.conf file is stored in /etc
and the squid.conf file is stored in /var/SmoothWall/proxy.
If you are still having trouble with the networking aspect
of the firewall during the configuration process, you still
have access to traditional tools such as ping, traceroute,
and tcpdump. They are all useful in determining what your
network problem may be. Another factor to watch for is the
crossover cable. Some networking devices require a
crossover cable when they are connected together, while
others have auto-sensing capabilities and will automatically
switch to crossover mode even when you’re using a regular
cable. The cable from your green interface may or may not
need to be a crossover cable.
While SmoothWall does not natively contain an FTP
server, you can still transfer files to and from the system via
SCP/SFTP. To do so, you simply need to connect to port 22 or
222 with a client such as WinSCP3, which is nearly the same
as using another FTP client.
Additional SmoothWall Features
SmoothWall is a versatile product that gives power to
network security administrators, allowing them to decide
how to control their networks by making it easy to do so.
The Web-based GUI is clean and easy to read, and provides
a wealth of information about the status of a network’s
traffic and security. The Web-based interface is organized
into broad areas with tabs that allow navigation for specific
features. You can run SmoothWall as a proxy server or a
DHCP server, forward ports to machines in the green zone,
and more. You can even set up advanced proxy server
features such as per-user authentication and delay pools.
Larger organizations may want to use a dedicated proxy
server to get these functions, however.
You can configure the address range, WINS server, and
static hosts for the DHCP server. You can specify dynamic
DNS, offer remote access for SHH, and synchronize with a
Network Time Protocol server. SmoothWall also lets you
enable Snort, a popular open source intrusion detection
system.
Some of the network settings you can control include:
Port forwarding—This allows you to forward a port
from the firewall to a machine inside the green or
orange zones. You can use this feature to hide your
Web servers behind a single IP address.
External service access—You can access any
services running on the SmoothWall machine by
opening the ports you need.
DMZ pinholes—As the name implies, this allows you
to open a pinhole from the DMZ to the green zone.
This is useful if your external servers need to
communicate with servers inside the green zone. For
example, your Web server may need to communicate
with a database server inside the green zone.
PPP settings—You can set up various profiles,
configure up to four modems, and use dial on demand.
IP block—You can ban specific IP addresses or ranges.
Firewall Implementation Best
Practices
You must keep the firewall and your protected network
logically secure. Sound security logic should be the starting
point in putting together a security policy that will use
secure systems such as Kerberos, IPSec, and many others.
The requirements to run a secure firewall, such as
SmoothWall, also include a series of good habits that
administrators should cultivate. It’s a good policy to try to
keep the strategies simple so that the system is easier to
maintain.
Most bastion hosts and firewall applications have the
capability to generate traffic logs. You can record user-
browsing patterns on these servers. This may include
information about the users, their connections, their
address, or even specifications about their organization.
These logs usually include:
The IP address
The server/host name
The time of the access
The user’s name (if known by user authentication or,
with UNIX, obtained by the identd protocol)
The URL requested
The data variables submitted through forms users
usually fill out during their session
The status of the request
The size of the data transmitted
CHAPTER SUMMARY
Firewalls provide protection from Internet threats to
servers and workstations. They can be configured to
allow only specific traffic based on what an
organization wants to allow. Organizations typically
define what traffic is acceptable in a comprehensive,
written security policy. IT professionals then identify a
firewall solution that can fulfill and comply with the
policy within the established budget.
SmoothWall Express is an Internet firewall that can
protect an organization’s network. This chapter
demonstrated how to configure and use a firewall
such as SmoothWall using a Web-based GUI.
SmoothWall is an open source firewall, requiring no
knowledge of Linux to install or use. SmoothWall
turns any typical PC into a network appliance whose
sole function is to route network traffic to and from
the Internet, assign IP addresses, and protect the
private side of the network from intrusion.
KEY CONCEPTS AND TERMS
Asymmetric digital subscriber line (ADSL)
Clipper chip
Common Gateway Interface (CGI) script
Electronic Privacy Information Center (EPIC)
Integrated Services Digital Network (ISDN)
Kerberos
National Information Infrastructure (NII)
National Security Agency (NSA)
RRDtool (round-robin database tool)
Synchronous dynamic random access memory
(SDRAM)
tcpdump
traceroute
CHAPTER 13 ASSESSMENT
1. The following are all key features of SmoothWall,
except:
A. POP3
B. Static and dynamic DNS support
C. Cybercash support
D. Snort IDS support
E. DHCP and network time server support
2. According to the ________ ________ ________ , attacks to
systems connected to the Internet are becoming more
and more complex.
A. National Systems Agency
B. National Security Agency
C. Central Intelligence Agency
D. Navy Security Agency
E. Federal Bureau of Investigation
3. Firewalling involves two distinct areas that must be
protected:
A. Network and transaction security
B. Access and controls
C. File sharing and printing capabilities
D. Access to the Internet and from the Internet
E. None of the above
4. The ________ was created to alert the public to the
emerging privacy issues relating to the National
Information Infrastructure.
A. EDIP
B. EPIC
C. NII
D. CERN
E. W3C
5. The following are characteristics you should be looking
for in a firewall, except:
A. Security assurance
B. Privilege control
C. Digital switches
D. Authentication
E. Audit capabilities
6. A good firewall product should provide:
A. Flexibility
B. Performance
C. Scalability
D. All the above
E. A and C
7. The following are all characteristics of SmoothWall
firewall, except:
A. It is a simple Linux kernel.
B. It cannot use iptables to control and route traffic.
C. It is built to run as a dedicated firewall/router.
D. It provides a way to gain extra capability with NAT.
E. It runs on a variety of hardware.
8. The following are all common interfaces used by
SmoothWall, except:
A. Green: Trusted network
B. Blue: DMZ connection
C. Red: Internet
D. Orange: Filtered/special purpose
9. The following are attributes of a minimum hardware
specification to run SmoothWall, except:
A. 512 MB PC133 SDRAM
B. 20 GB hard drive
C. 10/100 on-board NIC
D. AMD Duron 1100
E. Flat LCD screen
10. To install SmoothWall, you need to make sure the
computer BIOS is set to boot from a CD. True or False?
11. In a typical SmoothWall firewall installation the green
interface should have:
A. A static IP
B. Software bugs but not flaws
C. Dynamic addressing
D. Proxy servers connected to it
E. Internal code connecting to an external service
12. When configuring the NICs for the green interface, it is
advisable to use ________.
A. Capacity planning
B. Maximum utilization
C. A static IP address
D. Wirespeed settings
E. Factory defaults
13. Which of the following is not related to SmoothWall
offered services?
A. Web cache/proxy
B. Fingerprint authentication
C. DHCP server
D. DDNS
E. Intrusion detection system
14. What does the Transparent option do when you
configure Web proxying in SmoothWall?
A. It allows you to create a tunnel mode.
B. Every client on the network will be forced to connect
through the proxy server.
C. Every client on the network will be waived access to
the network.
D. The proxy server is in stealth mode.
E. Collisions on the network are not seen.
15. SmoothWall does not work well with Mozilla Firefox
and Google Chrome. True or False?
16. The following are services found in the Services tab of
SmoothWall, except:
A. SQUID
B. Web cache/proxy
C. DDNS
D. Diskcopy
E. SSH
17. The following are tools you can use when
troubleshooting a firewall installation, except:
A. ping
B. traceroute
C. robocopy
D. ipconfig
E. tcpdump
CHAPTER
14 Real-World VPNs
VIRTUAL PRIVATE NETWORKS (VPNs) are a key technology and component in today’s computer security environment.
Recall that the Internet is open to virtually any user, while
an intranet is open only to individuals within your
organization. A third kind of network is the extranet.
Extranets lie somewhere between the Internet and an
intranet.
Companies use extranets to connect with suppliers and
customers, two constituencies that are essential to business
processes. Extranets usually use VPN technology to ensure
confidentiality and integrity of information. VPNs are
becoming an increasingly important component of any
successful business’s information technology plan. VPNs can
substantially enhance the technological architecture of any
organization’s network through the use of efficient and
flexible collaborative technology.
In this chapter, you’ll learn how to do a complete VPN
installation at your organization, from operating systems
and VPN appliances to remote desktops.
Chapter 14 Topics
This chapter covers the following topics and
concepts:
What operating system-based VPNs are
What VPN appliances are
What a remote desktop protocol is
How to use remote control tools
How to perform remote access
What terminal services are
What Microsoft DirectAccess is
What DMZ, extranet, and intranet VPN
solutions are What Internet café VPNs are
What the online remote VPN options are
What the Tor application is
How to plan a VPN implementation
What VPN implementation best practices are
Chapter 14 Goals
When you complete this chapter, you will be able
to:
Create a remote control VPN using Remote
Desktop Evaluate hardware VPN devices
Experiment with Tor
Set up an Internet café VPN client
Assess online remote control products, such
as GoToMyPC and LogMeIn Configure an
IPSec VPN
Operating System–Based VPNs
An operating system–based VPN is very convenient because
you can refer to remote servers by their assigned Internet
Protocol (IP) addresses, rather than use network address
translation (NAT). This avoids problems inherent in
connecting to servers behind a many-to-one NAT
configuration. You can choose from several ways to install a
VPN using computers running commercial operating
systems. You can configure a VPN connection from a client
computer using a variety of operating systems, including
Windows XP, Vista, Windows 7, Linux, and UNIX.
A VPN is a hardware and software solution for remote
workers, providing users with a data-encrypted gateway
through a firewall and into a corporate network. VPNs were
once practical only for large businesses. Today, however,
most businesses—large and small—can afford the
technology, and VPNs are becoming increasingly popular in
the small to midsized business market. VPNs are ideal for
companies with telecommuters, satellite offices, or
employees who travel and need to connect to the corporate
network via the Internet. If used properly, VPNs block
hackers attempting to access your network to steal
sensitive data. They can also save your organization a lot of
money on long-distance phone calls.
As a data-encrypted tunnel over the Internet, a VPN can
offer a robust and secure Internet connection for your
organization. It can also be a cheap alternative to a
dedicated phone line. Some solutions for small companies
start as low as $200. How can you know if your organization
needs a VPN? That depends on some key factors you should
consider before deciding to use a VPN: Does your
organization traffic in sensitive data? For most businesses,
the answer is probably yes. Most companies have customer
information and records, financial records, and proprietary
information in their internal networks that merit protection.
On the other hand, if your organization stores its sensitive
data offline or you don’t have anything online of interest to
hackers, perhaps your organization doesn’t need to invest in
a VPN.
Does your organization employ telecommuters,
traveling employees, or other remote workers? If so, a
VPN can provide two main advantages: It can offer
secure network access to employees away from the
office, traveling or working off-site, and it can extend
the corporate network to them, enabling them to
remain productive outside your office.
Does your company already use Secure Sockets Layer
(SSL)–encrypted Internet pages? Some companies
using Microsoft Exchange servers for e-mail, for
example, may already have the encryption protection
necessary for remote workers—at least for accessing
their e-mail (via Outlook Web Access). In this case, the
VPN is a built-in feature of the operating system.
Businesses without sensitive information can use
operating system–based VPNs and Web-based
alternatives to a VPN for authentication and
encryption, though these may be less secure.
Does your organization have more than a few
employees? A VPN may be an expensive solution for a
company with fewer than five employees, so some
alternatives might work better for such an
environment.
Suppose you’ve considered these issues and concluded that
your organization does need a VPN. In this case, here are six
further important factors to consider: Consider the
difference between a VPN based on customer premise
equipment (CPE) and one based on an operating system.
A CPE solution represents the majority of VPNs on the
market and is commonly referred to as a VPN appliance.
This solution is easy to set up, manage, and maintain.
Windows Server 2008 Network Access is an example of an
operating system–based VPN. If you have a server running
Windows Server 2008, you can install the Network Policy
and Access Services role and configure the server as a VPN
server. This requires some expertise with Windows Server
2008 and can be a little more challenging than a CPE
solution. However, the operating system–based VPN can be
cheaper and easier to manage than a CPE.
Should you install the VPN yourself or use a managed
service? Any competent IT staff can probably install
leading commercial products from vendors such as
Cisco or SonicWall. While the DIY approach provides
more control over setup and usage, installing a VPN
incorrectly can inadvertently open a security hole in
your organization’s network. In addition, the
administration and management of a VPN in-house
can sometimes be complicated. Telecommunications
companies such as Qwest, Verizon, and BellSouth, as
well as several Internet service providers, offer
managed security solutions that can save you time
and money.
Do you have a firewall? A VPN cannot replace a
firewall. Some administrators tend to use a VPN
instead of a firewall, which is not a smart choice. The
purposes of a VPN are to create an encrypted tunnel or
gateway through your network’s firewall and to keep
out hackers. The VPN encrypts the pieces of data, but
the firewall still protects the internal network from
outside threats. A VPN without a firewall doesn’t make
good security sense.
Do you have an operating system–based VPN?
Regardless of the strategy you end up using, make
sure you have an IPSec (Internet Protocol Security)–
compliant operating system. IPSec is a VPN-supporting
technology included in Windows XP, Vista, Windows 7,
Windows Server 2008, and Windows Server 2008 R2.
Used with compatible VPNs, IPSec guarantees the
authenticity, integrity, and confidentiality of network
traffic. Interoperability with a VPN may be an issue
with Macintosh systems or some variants of UNIX or
Linux. If you decided to buy a VPN, make sure it is
compatible with your operating system.
Do you have a wireless local area network (LAN)? The
VPN should operate securely with it. A VPN can
enhance the capabilities of a wireless LAN, but
improperly layering a VPN on a wireless network can
result in security holes. One method places the
wireless LAN outside the firewall, hosting the VPN
behind the firewall to ensure security. Otherwise,
wireless network traffic can access systems behind the
firewall, canceling the benefits of the VPN. Many
organizations use layered firewalls so that the wireless
network is protected from the outside while restricting
access to the inside. In essence, the LAN operates in
what is called a demilitarized zone (DMZ).
Can your organization tolerate a potential decrease in
network performance? A VPN may cause a
performance lag for internal users accessing the
Internet. This happens when 10 to 15 percent of the
Internet bandwidth serves as security overhead. While
VPNs are great for setting up a secure connection,
they can take a measurable toll on connection speed.
The tradeoff is that VPNs are worthwhile investments
for providing a secure connection for remote and
traveling workers.
VPN Usage in Organizations
VPNs serve an organization’s computer network in
two primary ways. They give remote users access to
internal networks or they connect two separate
offices. These are the host-to-gateway model and the
gateway-to-gateway models: Host-to-gateway
VPN—In a host-to-gateway VPN, the mobile user
takes specific actions to connect to the VPN. For
example, the mobile user would first connect to the
Internet from a remote location outside the
organization. Once connected to the Internet, the user
could then initiate the VPN to tunnel through the
Internet. The VPN appliance or server then acts as a
gateway for the user to access resources on the
internal network.
Gateway-to-gateway VPN—A gateway-to-
gateway VPN is used to connect two offices in
different locations. For example, an organization
could have a main office in Virginia Beach and a
remote office in Miami. VPN appliances or servers
can operate in both locations with an always-on
VPN connection between them. Now users in
Miami can connect to resources in Virginia Beach
using this gateway-to-gateway model. In this
model, users in the remote office don’t need to
take any additional steps to connect. The
gateway-to-gateway model is also called a site-
to-site model.
VPN Appliances
One of the easiest and most cost-effective ways to provide
secure access to a network is to purchase an inexpensive
VPN appliance and set it up, which will take about an hour of
your time. VPN appliances can make secure remote access
easy.
When considering the purchase of a VPN appliance,
ensure that you have the required complementary hardware
in place. First, the VPN appliance must have access to the
Internet. Remote users will use the public IP address
assigned to the appliance to connect to it. Second, the VPN
server must have access to the internal network. It will use
internal routing to connect remote users from the Internet to
the internal network. Of course, resources in the internal
network must be on and available for the VPN users to
access them.
Not long ago, VPN appliances were expensive and
required client licenses for each computer in addition to the
appliance itself. VPN technology was too expensive for all
but the largest companies. But new products make it
possible to install a VPN appliance on virtually any size
network for budget-minded organizations and small office,
home office (SOHO) networks. For example, Buffalo
Technology’s 125 High-Speed Mode wireless secure remote
gateway is a VPN gateway/firewall router and a wireless
access point rolled into one neat package. Another great
product is the Linksys WRV54 Wireless-G VPN broadband
router, a similar product that provides robust protection for
your network. You should know that some VPN appliance
products on the market are designed for home installations.
While these products are very easy to install, they allow
only a very limited number of accounts and some of them
provide relatively slow access.
Configuring a Typical VPN Appliance
Most VPN appliances are designed for simple and quick
installations, with plenty of wizards and an automated setup
that makes it easy even for non–computer-savvy people. All
you typically need to do is to plug the appliance into your
network between your ISP provider’s connection and your
internal network. If your network does not have a router or
hub, this device can serve that purpose as well. Once you
turn on the VPN appliance, you can use any computer on
the network to log on to a Web page, complete your
configuration, and add user access accounts.
While VPN appliances are a secure technology, you need
to take basic security measures to preserve the security of
your network and remote connections. When you are
configuring user account access on the VPN gateway
system, for instance, always change the default settings
and never use the default passwords. Also, you should give
each VPN user an individual access account. In practice,
that means if an employee leaves the company, you don’t
have to change the access passwords for everyone—you
just turn off the associated account.
Client-Side Configuration
Once you have configured your appliance, you will need to
configure the software on the computers (clients) connected
to the network. The systems designed for small installations
assume that you will use Microsoft or Macintosh VPN client
software. Some variants of Linux and UNIX may have built-in
client VPN software.
Adding a VPN appliance to your office network gives you
a remote access solution that lets you and your staff be
more productive from anywhere in the world. Not a bad
return on a few hundred dollars and an hour of your time.
Remote Desktop Protocol
Remote Desktop Protocol (RDP) is a proprietary protocol
developed by Microsoft that provides a user with a graphical
interface to another computer. The protocol is an extension
of the ITU-T T.128 application-sharing protocol. Clients exist
for most versions of Microsoft Windows, Windows Mobile,
Linux, UNIX, Mac OS X, and other modern operating
systems. By default, RDP uses TCP port 3389.
Remote Desktop Connection (RDC) is a built-in
application that uses RDP. When RDC is enabled, you can
connect to another computer, log on, and perform almost
any action as if you are sitting in front of the remote
computer. You can do this from a desktop PC to another
desktop PC using the same operating system. In large
organizations, administrators commonly use this to
remotely manage servers from their desktop PCs.
RDC must be enabled on the remote computer. In most
Windows operating systems, you do this by right-clicking
Computer in Windows Explorer or in the Start menu and
selecting Properties. You then change the Remote settings
to allow remote desktop connections. This also opens port
3389 on the remote computer. If the connection goes
through a firewall, port 3389 must also be open on the
firewall. You can launch RDC differently in different Windows
operating systems. However, one method that works in all
current Windows versions is to type MSTSC at the command
line. The initials represent Microsoft Terminal Services
Connection.
The client can run other operating systems, such as Mac
OS, Linux, or UNIX, as long as the terminal services protocol
is supported. When connecting to Windows Server 2008,
Windows Vista, or newer systems, you’ll need to weaken
security to support the non-Microsoft clients.
GoToMyPC is another remote desktop technology that
allows you to remotely access your computer from any
other Internet-connected computer in the world with almost
any operating system through a secure, private connection.
The application is ideal for organizations that need remote
desktop access for up to 20 computers. It’s an easy and
secure remote-access solution that enables you to
conveniently access e-mail, files, programs, and network
resources from home or the road.
NOTE
Microsoft changed the name of Terminal Services to
Remote Desktop Services in Windows Server 2008 R2.
However, the MSTSC command still works. It’s also
worth noting that Terminal Services and Remote
Desktop Services have much broader usage than just
connecting to remote desktops. For example, you can
use these services when a Microsoft server is
configured as VPN server.
Using Remote Control Tools
As companies continue to expand their networks and
increasingly use remote offices and telecommuting, they
need the ability to manage devices from virtually any
location.
Microsoft has offered a built-in remote control solution
called Remote Assistance for modern operating systems
since Windows XP. It allows help desk professionals or other
IT administrators to remotely control a user’s system, while
the user is watching.
For example, a user may not know how to configure an
application. The user calls the help desk for assistance.
Instead of trying to talk the user through the steps, the help
desk pro can show the user how to do it. The help desk pro
can use Remote Assistance to take control of the user’s
desktop. While connected, the helper will have control of the
user’s desktop as long as the user allows it. The user is able
to disconnect the helper at any time.
While the built-in Remote Assistance is great as a free
tool, it doesn’t meet the needs of every organization.
Several third-party tools are available that can provide
additional features. For example, Symantec offers
pcAnywhere as a solution for organizations to access and
securely manage remote computers.
The pcAnywhere program supports multiple platforms for
both host and remote systems, including Windows
(including Vista and Windows Server 2008), Linux, and Mac.
Systems can also be securely accessed from Windows
Mobile/Pocket PC devices and Web browsers. The application
allows organizations to easily connect to servers and
endpoint devices.
Some of what pcAnywhere offers:
A feature-rich, secure, reliable remote control solution.
Compatibility with a heterogeneous host and remote
platform support across Windows, Linux, and Mac OS
X. All hosts can also be accessed from Microsoft Pocket
PC devices or Web browsers.
Support for 64-bit environments.
A gateway option that enables real-time discovery of
and connection to multiple devices behind firewalls
and NAT devices, which mitigates private and dynamic
IP.
Using Remote Access
VPNs allow remote users to connect to a private network
over a public network. The private network is the
organization’s internal network. The public network is often
the Internet, but it’s also possible for an organization to use
leased lines from a telecommunications company to create
the VPN connection.
Remote users can be:
Salespeople on the road
Field technicians
Consultants working in customer work sites
Anyone who needs to have access to internal company
resources while away Since data transmits over a
public network, you need to protect it. VPNs use
tunneling protocols to establish secure connections.
These tunneling protocols include different types of
encryption to protect the data.
The Technology for Remote Use
Several protocols support VPNs. These include:
Point-to-Point Tunneling Protocol (PPTP)—This
protocol supports Microsoft’s remote access servers
and has known issues. It uses Microsoft Point-to-Point
Encryption (MPPE). While PPTP is still used for some
remote access solutions, IPSec and SSL-based
solutions are replacing it.
Layer 2 Tunneling Protocol (L2TP)—Cisco and
Microsoft collaborated to create this by combining
strengths from Cisco’s Layer 2 Forwarding (L2F)
protocol and Microsoft’s PPTP. It uses IPSec for
encryption. A significant weakness is that IPSec can’t
go through a Network Address Translation (NAT)
server, since NAT breaks IPSec.
Secure Sockets Layer (SSL)–based tunneling
protocols—Due to the limitations of IPSec with NAT,
newer tunneling protocols use SSL for encryption. For
example, Microsoft can use Secure Socket Tunneling
Protocol (SSTP). VPN appliances can also use SSL-
based tunneling protocols. SSL requires public key
infrastructure (PKI) support to obtain and use a
certificate.
Internet Key Exchange v2—Internet Key
Exchange v2 (IKEv2) is an IPSec-based VPN protocol
that uses NAT traversal (NAT-T). NAT-T allows IPSec
traffic to pass through a NAT server. IKEv2 provides
significant improvements over IKE and has been
adopted by several companies such as Microsoft, in
Windows Server 2008 R2; Cisco; and Openswan.
Openswan is a Linux-based solution presented later in
this chapter. IKEv2 requires public key infrastructure
(PKI) support to obtain and use a certificate.
Each method has its advantages depending on the access
requirements of your users and your organization’s IT
processes. While many solutions only offer either IPSec or
SSL, some vendors, such as Microsoft and Cisco, offer
multiple technologies integrated on a single platform with
unified management. Offering both IPSec and SSL
technologies can enable organizations to customize their
remote-access VPN without any additional hardware or
management complexity.
SSL-based VPNs also enable remote-access connectivity
from almost any Internet-enabled location using a Web
browser and its native SSL encryption. It does not require
any special-purpose client software to be pre-installed on
the system. This makes remote access SSL VPNs capable of
“anywhere” connectivity from company-managed desktops
and non–company-managed desktops, such as employees’
PCs, contractor or business partner desktops, and Internet
kiosks. Any software required for application access across
the SSL VPN connection is dynamically downloaded on an
as-needed basis, thereby minimizing desktop software
maintenance.
IPSec-based VPNs are the deployment-proven remote-
access technology used by most organizations today. IPSec
VPN connections use pre-installed VPN client software on
the user desktop, thus focusing it primarily on company-
managed desktops. IPSec-based remote access also offers
versatility and customizability through modification of the
VPN client software. Using APIs in IPSec client software,
organizations can control the appearance and function of
the VPN client for use in applications such as unattended
kiosks, integration with other desktop applications, and
other special use cases.
Both IPSec and SSL VPN technologies offer access to
virtually any network application or resource. SSL VPNs offer
additional features such as easy connectivity from non–
company-managed desktops, little or no desktop software
maintenance, and user-customized Web portals upon login.
Choosing Between IPSec and SSL Remote
Access VPNs
Both IPSec and SSL can provide the level of security needed
for a VPN. The primary drawback with IPSec is that it can’t
traverse a NAT server. If you are deploying a VPN server and
want the connection to go through a NAT server, SSL is a
sound solution.
While it is possible to use NAT traversal (NAT-T) to allow
IPSec traffic to pass through a NAT server, be aware of some
issues with it. For example, Microsoft has specifically
recommended that NAT-T not be used, though IT
professionals still recommend NAT-T with non-Microsoft
hosts.
Terminal Services
Terminal Services is a built-in Microsoft Server product with
multiple uses. It works in two modes: Terminal Services for
Administration and Terminal Services for Applications. Other
vendors also use terminal services for remote applications.
Terminal Services for Administration allows
administrators to connect remotely into servers from their
desktop computers. It allows them to remotely administer
the server as described in the “Remote Desktop Protocol”
section earlier in this chapter.
Terminal Services for Applications is the focus of this
section. It allows a single server to host one or more
applications for remote users. For example, suppose a
legacy application does not run on Windows 7. A Terminal
Services server could be configured to host the application,
and multiple Windows 7 clients could then connect to the
server to run the application. Each client would run a
separate instance of the application in a separate memory
space.
It’s also possible for a Terminal Services server to host
entire desktops. For example, older computers may be
running Windows 2000 and they don’t have the hardware to
support Windows 7. An organization can configure a
Terminal Services server to host Windows 7 desktops for
these clients. The users would start the Windows 2000
computer, connect to the Terminal Services server, and then
run a Windows 7 desktop.
As mentioned earlier, Microsoft renamed Terminal
Services to Remote Desktop Services when it released
Windows Server 2008 R2. Windows Server 2008 R2
increased the capabilities and features, but supports the
older capabilities and features.
Over the past few years, many software publishers have
experimented with offering hosted services. The basic idea
behind hosted services architecture is that an organization
does not have to purchase licenses for software applications
or have the hassles of installing or maintaining those
applications. Instead, an ISP or a software vendor leases the
applications to the organization. The application actually
runs on the service provider’s servers, and users interact
with the application over the Internet.
This arrangement has some drawbacks, however. For
instance, terminal services take an application’s
configuration out of an organization’s direct control. It’s not
uncommon to hear about network administrators who were
put out of a job because the companies that they worked for
decided to outsource all of their applications to a hosting
provider. Another compelling argument against the use of
hosted services has to do with service availability. If your
Internet connection goes down, then nobody can access the
hosted applications. Of course, Internet service is more
reliable in some areas than others.
Terminal services for hosted applications have many
benefits. The primary one is that the service provider takes
care of all of the application maintenance for you. Many of
these benefits are things that you just don’t get if you install
the applications locally on each individual workstation or if
you outsource your applications to a hosting provider.
Microsoft products can provide hosted applications using TS
RemoteApp and TS Web Access.
TS RemoteApp
One of the challenges with running applications on remote
servers is that it looks odd to users and they have trouble
adapting. TS RemoteApp is a Microsoft solution that runs on
a Microsoft Terminal Services server but appears, to end
users, as if it were actually running on their systems.
They don’t need to open a Terminal Services session, but
instead launch the application from their Start menu or a
shortcut on their computer. The application appears in a
window on the users’ computers just as if it were running on
the local computer.
TS Web Access
An extension of TS RemoteApp is TS Web Access. This allows
TS RemoteApp applications to launch from a Web browser.
This provides many possible benefits.
The TS RemoteApp applications can intertwine into Web
pages and appear to launch from a Web server. In other
words, the clients use a Web browser to access a Web site.
From within this Web site, they can then click on a link for
the TS RemoteApp application. TS WebAccess can be
configured in an internal intranet or accessible to users from
the Internet.
Notice that TS Web Access allows remote clients to
connect to internal resources without the need for a VPN.
Depending on what your remote clients need, this is a
suitable substitute.
Microsoft DirectAccess
DirectAccess is a newer Microsoft solution that can be used
as an alternative to a traditional Internet Engineering Task
Force (IETF) VPN. It allows remote clients to connect to
internal servers without initiating a VPN connection. As long
as clients have Internet connectivity, they will be able to
access internal resources using DirectAccess.
Microsoft introduced DirectAccess in Windows 7 and
Windows Server 2008 R2 products. Once it’s configured on
the clients and servers, it is relatively invisible to the clients.
Client computers connect to the DirectAccess computer,
which acts as a gateway to internal resources. Only
resources configured to be accessible with DirectAccess can
be accessed from clients. In other words, you could have 10
servers in the internal network, but choose to make only a
few of them accessible.
For example, you could configure a Microsoft Exchange
server (used for e-mail) with DirectAccess. When a
DirectAccess-enabled Windows 7 client connects to the
Internet, it would automatically connect with a DirectAccess
server. When the user starts Microsoft Outlook, DirectAccess
automatically makes the connection to the internal Microsoft
Exchange server. In other words, users can be on the road
and still use their e-mail client just as if they were in the
office. The same process works for any servers that an
administrator wants to make accessible on the Internet.
DirectAccess can be enhanced by combining it with
Forefront Unified Access Gateway (UAG). UAG gives
administrators more control over the connections and
enhances security. When UAG is run, a UAG server acts as
the gateway between the client and the internal network.
This is similar to how DirectAccess works by itself in that
clients don’t need to establish a separate VPN connection.
A significant added benefit of DirectAccess is that
administrators can execute control over the remote clients.
For example, in a Microsoft environment, Group Policy can
ensure that a system has minimum-security settings. While
this is normally not possible for systems that are
disconnected from the internal network, DirectAccess with
UAG allows an administrator to apply Group Policy to these
remote computers.
It’s also possible to use Network Access Protocol with
DirectAccess. You can create policies to ensure that the
remote system has other security measures in place. For
example, you can ensure that the system is up to date with
current security updates and that it has up-to-date antivirus
software installed and enabled.
DMZ, Extranet, and Intranet VPN
Solutions
A demilitarized zone (DMZ) is a physical or logical
subnetwork that contains and exposes an organization’s
external services to a larger untrusted network, usually the
Internet. The purpose of a DMZ is to add an additional layer
of security to an organization’s LAN. An external attacker
can gain access to equipment in the DMZ, but not parts of
the network behind the firewall.
For example, public-facing servers that need to be
accessible from the Internet are placed in the DMZ. This
could include Web servers, e-mail servers, FTP servers, and
more. Organizations that employ VPN servers for remote
users often place them in the DMZ.
In a network, the hosts most vulnerable to attack are
those that provide services such as e-mail, Web, and FTP
servers to users outside of the local area network. Because
of the increased potential of these hosts being
compromised, they are placed into their own subnetwork to
protect the rest of the network if an intruder were to
succeed.
Hosts in the DMZ have limited connectivity to specific
hosts in the internal network, though communication with
other hosts in the DMZ and to the external network is
allowed. For example, a Web server in the DMZ may be able
to connect to a database server in the internal network, but
not to any other hosts in the internal network. This allows
hosts in the DMZ to provide services to both the internal
and external network, while an intervening firewall controls
the traffic between the DMZ servers and the internal
network clients.
Intranet VPNs
An intranet is an internal network. While users within the
intranet can access the Internet using different resources
such as a proxy server, access to the internal network is
severely restricted. Since traffic in the intranet is primarily
from internal clients, the intranet is a trusted zone and
needs fewer security measures.
An intranet VPN is a VPN that connects two or more
internal networks. Earlier in this chapter, you learned about
the concept of gateway-to-gateway VPNs. A gateway-to-
gateway VPN provides connectivity between two locations
such as a main office and a branch office. This is also known
as an intranet VPN.
It’s important to realize that even though the VPN may
be called an intranet VPN, it will still have to traverse a wide
area network (WAN) link. Most organizations will rent access
to this WAN link and it’s very rare that a company has
exclusive access to it. In other words, the WAN link will be
accessible to users outside the organization. The same level
of security measures used in a DMZ VPN should also secure
an intranet VPN.
Extranet VPNs
Extranet VPNs link customers, suppliers, partners, or
communities of interest to a corporate intranet over a
shared infrastructure. For example, an organization may hire
a consulting company to look at different processes within
the organization and provide recommendations to improve
them. The organization could create an extranet VPN to
allow the consultants access to some internal resources.
Extranets are commonly configured to connect via the
Internet, but can use leased lines or even dedicated
connections. Extranets differ from intranets in that they
allow access to remote users outside of the enterprise.
Figure 14-1 illustrates an extranet VPN topology. Using
digital certificates, clients establish a secure tunnel over the
Internet to the enterprise. A certification authority (CA)
issues a digital certificate to each client for device
authentication. The CA server checks the identity of remote
users and then authorizes remote users to access
information relevant to their functions.
FIGURE 14-1
An extranet VPN topology.
Internet Café VPNs
An Internet café is a public location that sells Internet
access, often by the minute. The café will often sell typical
café items such as coffee and sandwiches. However, with
the explosion of wireless in recent years, many eateries
provide free wireless Internet access to bring in customers.
For example, many Starbucks and McDonald’s locations
provide free WiFi.
The challenge when using an Internet café or even an
open wireless connection at an eatery is security. Others in
the local area may be able to view data in the connection
unless it’s encrypted. Since the majority of Internet traffic is
not encrypted, attackers may be able to gain valuable
information by capturing another user’s Internet use.
The owner of the Internet café can capture any data that
passes through with a free packet sniffer such as Wireshark.
Additionally, many free wireless sniffers are available that
an attacker can use over a shared wireless connection to
capture all of the traffic.
An alternative is to use an Internet café VPN connection.
As soon as you connect with the Internet café or the
wireless connection, you would connect to the Internet café
VPN. This would be hosted at your organization. It will
encrypt all the traffic and prevent any sniffing attacks.
For example, HotSpotVPN is a product your organization
can purchase and use as an Internet café VPN connection.
Once you set it up, you can direct your users to connect to it
for all Internet access.
NOTE
You can get more details about HotSpotVPN at
http://www.hotspotvpn.com/overview/.
Online Remote VPN Options
GoToMyPC, LogMeIn, and NTRconnect are remote access
and control solutions that which all perform extremely well.
Each product is easy to set up and use, and all offer a
similar set of features. While each product is similar, you
should know about a few noteworthy differences.
Security
While each technology handles security slightly differently,
all are extremely secure and can be safely used in any
environment. LogMeIn and NTRconnect do offer a few more
features than GoToMyPC. Both LogMeIn and NTRconnect
provide 256-bit end-to-end encryption. GoToMyPC, on the
other hand, provides only 128-bit. For example, LogMeIn
and NTRconnect allow you to restrict the times that your
computer can be remotely accessed and specify the IP
addresses from which it can be remotely accessed—
functionality that is not offered by GoToMyPC. Also,
NTRconnect is the only product to provide keycard security.
If you feel that you need to limit remote access times and/or
restrict access to only certain IPs, then you will want to
consider either LogMeIn or NTRconnect.
Wake-on-LAN Support
Wake-on-LAN is an extremely valuable feature. Most
computers include power management capabilities, allowing
them to turn off or go to a low power state when they aren’t
being used for a time. These computers can then be
awakened when they are sent a specific string of bits in a
“magic packet.” When the computer receives the magic
packet, it wakes up. If it was off, it will turn on. If it was in a
lower power state, it will go to a full-power state.
Of the products mentioned, only NTRconnect enables you
to remotely start your computer. To use GoToMyPC or
LogMeIn, the remote computer must be switched on. If you
work away from your home or office computer for extended
periods and switch off your computer while away, you’ll
probably find NTRconnect’s wake-on-LAN support to be a
real benefit.
File Sharing
LogMeIn provides file-sharing functionality that enables you
to e-mail a link to a file on your computer that the recipient
can use to download the file (directly from your computer)
at any time. To share files in this manner, you do not need
to invite the person to share your desktop and you do not
need to be at your computer at the time he or she
downloads the file. This feature is especially useful if you
frequently need to share files that are too big to e-mail.
This feature is not available with GoToMyPC or
NTRconnect.
Remote Printing
GoToMyPC and LogMeIn enable you to easily print a
document on the host using the printer attached to the
client. However, NTRconnect does not support this feature.
NTRconnect’s lack of support for remote printing is not too
much of a problem, as you can easily copy a document from
the host to the client (and then print it). That said, if remote
printing is something that you need to do on a regular basis,
you’ll probably prefer the convenience of GoToMyPC or
LogMeIn.
Mac Support
With all three products, you can use a Mac as the client, but
only NTRconnect enables you to use a Mac as the host. So,
if you need to be able to remotely access a Mac,
NTRconnect is your only choice.
The Tor Application
Tor is an application that uses “onion routing.” Generically,
onion routing was designed as an architecture to limit a
network’s vulnerability to eavesdropping and traffic
analysis. It uses multiple proxy servers or relays to provide
anonymous connections. Each proxy server knows only the
details from the previous proxy server or the next proxy
server.
The proxy servers provide anonymity for users by
requesting access to resources and making it appear as if
the proxy server is requesting the access, not the original
user.
FYI
Data leakage is also a common problem with peer-to-
peer (P2P) networks such as BitTorrent. Users share
data they didn’t intend to. As an example, the Top
Secret plans for the U.S. president’s helicopter were
leaked through a P2P network and found on servers in
Iran. Some people think that organizations forbid these
types of applications to prevent piracy of copyrighted
material. However, the primary reason is due to the
inherent security risks that most people simply don’t
understand. Of course, there’s nothing wrong with
helping prevent the theft of copyrighted material in the
process.
Tor was derived from the Onion Routing Project managed
by the U.S. Naval Research Lab. However, Tor is not an
acronym for The Onion Routing project. Instead, it is simply
a brand name—similar to Kleenex for facial tissues. The
torproject.org Web site still uses an onion as a logo;
however, Tor is not all uppercase.
The goal of Tor is to allow users to browse the Internet
anonymously. Instead of going directly to an Internet site,
Tor uses the computers of other Tor users as relays or
proxies. Any single Tor connection will go through multiple
other computers.
Interestingly, even though the U.S. Naval Research Lab
originally designed Tor, it’s forbidden on most government
systems. The primary reason is related to data leakage.
While the Tor network does provide a level of anonymity, the
user never knows what other computers the request will go
through. Data sent and received can be captured by any of
these computers.
For example, in 2007 Dan Egerstad, a security
professional in Sweden, collected usernames and passwords
for 100 e-mail accounts of users at different embassies. He
simply installed Tor on his system and then captured all the
data that went through it. His computer was used as a proxy
in the Tor network for thousands of users, and a simple
protocol analyzer captured the data. More than the
credentials, he also captured a significant number of
sensitive e-mail messages from embassies and Fortune 500
companies.
NOTE
You can download the Openswan RPM package at
www.openswan.org. The RPM package has an
extension of .rpm (from the original Red Hat Package
Manager standard used by many Linux distributions
today). Be aware that to download the RPM version of
Openswan you must have the IPSec-tools RPM package
installed on your system.
Planning a VPN Implementation
VPNs create a secure data link with a branch office, remote
employee, business partner, or customer that will enable or
require server access behind a firewall. VPNs can provide a
secure and encrypted data stream between a firewall and a
remote client or server.
This section provides you with the configuration of a
permanent site-to-site VPN tunnel using Openswan, one of
the most popular VPN packages for Linux.
Requirements
For this implementation you will need Linux kernel 2.0, 2.2,
2.4, or 2.6.
For Linux kernels 2.0 or 2.2, use Openswan 1.0.10.
For Linux kernels 2.4 and 2.6, use Openswan 2.4.x.
For FreeBSD, OpenBSD, NetBSD, and OSX, use
Openswan 2.5.x.
Before you attempt this simple SOHO Linux VPN, keep the
following in mind:
The IPSec protocol on which VPNs are based will not
tolerate network address translation (NAT) of its data
packets. If your firewall does NAT, then you’ll have to
disable it specifically for the packets that will traverse
the VPN.
You should set up your Linux VPN box also as a
firewall. Configure and test the firewall first, and then
configure the VPN.
The networks at both ends of the VPN tunnel must use
different IP address ranges. For example, the
organization’s internal network may be using an IP
address range of 192.168.0.1 to 192.168.0.254. The
other network must use a different address range,
such as 192.168.1.1 through 192.168.1.254. To avoid
confusion, you may want to use completely different
private address ranges for each network such as
172.16.y.z. or 10.x.y.z.
Permanent site-to-site VPNs require firewalls at both
ends that use static IP addresses.
Figure 14-2 depicts an Openswan sample topology diagram
of a VPN between two environments.
NOTE
In this implementation, the external IP of the machine
is listed as 12.34.56.78. The gateway IP is listed as
12.34.56.1. The internal IP of the VPN server (since it
has a NIC on both the inside and the outside) is
192.168.1.1 in this example. You can change it to fit
your needs.
FIGURE 14-2
Openswan sample topology diagram.
FIGURE 14-3
Installing Openswan from the source.
FIGURE 14-4
Using Openswan’s userland-only install.
Installation
You can install Openswan in two different ways: by
performing an RPM install or by installing it from source
libgmp development libraries.
Performing an RPM Install
You’ll find different instructions for installing Openswan
depending on what version of UNIX/Linux you’re using.
Openswan hosts a Wiki site that includes instructions for
many different types of RPM installations at
http://wiki.openswan.org/. This site also includes a lot of
other details on installing, configuring, and troubleshooting
Openswan.
Install from the Source
As root, unpack your Openswan source somewhere in your
drive, such as /usr/src. Figure 14-3 provides an example.
You now need to choose your install method. You can
choose userland-only, for 2.6 kernels, or a KLIPS install for
kernels 2.6 or earlier (2.0, 2.2, and 2.4). If you decide to use
the userland-only install, change your new Openswan
directory, and then make and install Openswan’s userland
tools, as depicted in Figure 14-4.
Once you finish entering these commands you should be
done with the install. Now all you need to do is to start
Openswan and test your new install. If you decide to use
KLIPS, you will have to make a modular of it, along with
other Openswan programs you’ll need for the VPN. To do so,
enter the command sequence shown in Figure 14-5, which
will change to your new Openswan directory, make the
Openswan module, and install it all.
NOTE
Kernel IP Security (KLIPS) modifies the Linux kernel to
support IPSec protocols.
FIGURE 14-5
Performing an Openswan’s KLIPS install.
FIGURE 14-6
Link KLIPS statically into your kernel.
FIGURE 14-7
Starting Openswan.
At this point, you can actually enhance the security of
the VPN by using NAT traversal (NAT-T) support. NAT-T is a
method for encapsulating IPSec ESP packets into UDP
packets for passing through routers or firewalls employing
Network Address Translation (NAT). To deploy NAT-T, you
need to patch and rebuild your kernel. However, rebuilding
the kernel is a risky operation and so should be approached
cautiously.
To link KLIPS statically into your kernel (using your old
kernel settings) and install other Openswan components,
just follow the commands listed in Figure 14-6, then reboot
your system and test your install.
NOTE
For more information on installing NAT-T, check the
Openswan Web site at
http://wiki.openswan.org/index.php/Openswan/NATTrav
ersal.
Start Openswan
To start Openswan, enter the command shown in Figure 14-
7.
This step is not necessary if you have rebooted your
system, as Openswan will launch automatically after it’s
been successfully installed.
You can take additional steps to secure the VPN
connection. For example, you can use certificate-based keys
to secure the connection. You can follow the steps in an
excellent walk-through here:
http://www.linuxhomenetworking.com/wiki/index.php/
Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs.
Deployment
Before you deploy your VPN, you need to start Openswan on
both VPN devices for the new /etc/ipsec.conf settings to take
effect. You can do that by issuing the following commands:
Once that’s done, it’s time for you to initialize the tunnel. To
initialize it you can use the ipsec command to start the
tunnel net-to-net. Be sure to issue the command
simultaneously on the VPN boxes at both ends of the tunnel.
The IPSec SA established message highlighted in Figure 14-
8 signifies a successful deployment.
FIGURE 14-8
Successfully deploying the Openswan VPN.
Testing and Troubleshooting
To check that you have a successfully installed VPN you
should run the command ipsec verify. If your installation was
successful, you should see a screen display similar to the
one depicted in Figure 14-9.
If any of these first four checks fails, check the
Troubleshooting section below on the installation screen.
Firewalls can interfere with Openswan, so you’ll want to
pay attention to your firewall settings. Make sure you allow
UDP 500 and ESP (protocol 50) through the firewall. This is
necessary because for IPSec traffic to traverse through a
firewall, you need the following ports/protocols open in both
directions: Protocol 50 ESP
Protocol 51 AH (optional)
UDP port 500 IKE
UDP port 4500 (if you are using NAT traversal to tunnel
through NAT/other firewalls) The Smoothwall firewall
works well with Openswan. You will need to do the
following: Create some name for the remote VPNs in
the zones file.
Describe which IPSec interface to use based on the
names in the zone file.
Describe how the networks named in the zones file
interact in the policy file.
Define the public IP address of the remote sites in the
tunnels file.
Smoothwall automatically makes the rules necessary to
allow IPSec for the networks named in the tunnels file.
NOTE
Another alternative for a firewall to work with
Openswan is Shorewall. This firewall also works well
with IPSec and Openswan. Best of all, you will find
comprehensive documentation at their Web site at
http://www.shorewall.net.
FIGURE 14-9
Testing Openswan’s install.
TABLE 14-1 VPN implementation best practices.
DO DON’T
Passwords Do change the
original
password to
something you
will remember.
Don’t write down
your password
unless it will be
stored in a safe.
Software
Do buy or
upgrade
antivirus
detection
software.
Do update your
virus definitions
daily.
Do check
frequently for
updated OS
(operating
system)
patches and
application
patches.
Don’t go without
antivirus software.
Don’t ignore OS
and application
updates/patches.
Don’t use unsafe
applications, such
as peer-to-peer
file sharing tools
or applications of
unknown origin.
Firewalls
Do enable
built-in
firewalls. Do
use external
standalone
firewalls
whenever
possible.
Don’t go without
either a built-in or
standalone
firewall.
Hardware If connecting
via a wireless
interface, do
disconnect or
disable the
wired network
interface.
If connecting
via a wired
Don’t enable or
connect more
than one network
interface while
using a VPN-
connected
computer.
Don’t allow people
to use the
interface, do
disconnect the
wireless.
Do use the VPN
for work
purposes only.
computer who
might do so
unsafely.
Services
and
protocols
Do disable any
unneeded
services or
protocols.
Don’t run default
services and
protocols if they
aren’t needed.
VPN Implementation Best Practices
The VPN is only as safe as the machine it is used on. Before
deploying a VPN, review the implementation best practices,
listed as dos and don’ts, in Table 14-1.
Additional steps you can use for the VPN server include:
Use strong authentication—Ensure that only
authorized clients can connect. Since the VPN server
will have a public IP address, it’s accessible from an
Internet user anywhere in the world. If someone can
easily log on to the VPN server, that person can easily
access your Internet network.
Use strong encryption—The two primary encryption
protocols used in VPNs today are IPSec and SSL. Either
of these is strong enough to protect a VPN, but other
protocols should also be carefully evaluated.
Protect the VPN server behind a firewall—
Whether you’re using a host-to-gateway or gateway-
to-gateway configuration, you should not put the VPN
server directly on the Internet. Instead, place it behind
a firewall such as in a DMZ configuration. This will
provide a layer of protection from Internet attacks.
CHAPTER SUMMARY
This chapter discussed the different types, design,
configuration, implementation, and testing of VPNs. It
also discussed the main VPN technologies available
on the market and best practices in their
implementation. VPNs can provide remote clients
access to your internal network in a host-to-gateway
configuration. They can also provide access between
two offices in the same organization using a gateway-
to-gateway model.
Many different VPN applications are available.
Microsoft provides VPN solutions built into the server
operating system. Cisco and other vendors sell VPN
appliances you can install and configure easily. You
can also use UNIX or Linux systems and install free
VPN solutions such as Openswan.
VPNs are increasingly becoming a part of everyday
life on the Internet. Many people use them to gain
access to resources in their offices, such as e-mail
servers and other intranet resources. This trend is
certain to become more popular as many companies
are finding it cheaper for their employees to work
from home, relieving them of the need to lease
additional office space.
Site-to-site VPNs will also continue to be deployed as
companies both small and large find it increasingly
necessary to share access to their main networks
with remote offices. One notable area is in the realm
of IP telephony, where VPNs enable all remote offices
to use a single IP switchboard at the center of a VPN
hub and spoke network. Intra-office communication is
encrypted and the use of a single switchboard saves
money.
KEY CONCEPTS AND TERMS
Customer premise equipment (CPE)
Gateway-to-gateway VPN Host-to-gateway VPN
Internet Key Exchange v2 (IKEv2)
CHAPTER 14 ASSESSMENT
1. ________ provide(s) secure communications between
external users and internal servers located behind a
firewall. (Multiple answers may be correct.) A. VPNs
B. IPSec
C. Intranets
D. Extranets
E. SSL
2. A desirable feature of an operating system–based VPN
is the ability to refer to remote servers by their network
address translated IP addresses. True or False?
A. True
B. False
3. A VPN is also known as:
A. A neural network
B. A data-encrypted tunnel over the Internet
C. A file sharing and printing server
D. A bastion host
E. None of the above
4. Encrypted communications using Web browsers usually
use the ________ protocol.
5. An easy and cost-effective way to secure access to a
network is by purchasing (an) inexpensive ________.
A. Switch
B. Router
C. Antivirus software
D. Remote terminal
E. VPN appliance
6. Most VPN appliances are designed for complex
installations. True or False?
7. VPN appliances are ________.
A. Not readily available
B. OS specific
C. Very expensive
D. Secure technologies
E. A and B
8. What does RDP stands for?
A. Remote Desktop Processing
B. Remote Desktop Protocol
C. Radio Demilitarized Processing
D. Recovery Dispatching Process
E. Remote Dial-up Process
9. Another name for Terminal Services is:
A. Remote Dial-up System
B. Remote Desktop Services
C. Remote Desktop System
D. Radius Dial-up Services
10. GoToMyPC is a remote desktop technology that allows
you to remotely access your computer from any other
Internet-connected computer in the world with almost
any operating system through a secure, private
connection.
A. True
B. False
11. What are two primary methods for deploying remote-
access VPNs?
A. SSL and SSH
B. SSL and API
C. IPSec and SSL
D. IPSec and SSH
E. None of the above
12. Terminal Services provides the ability to:
A. Host multiple, simultaneous client sessions
B. Implement software bugs
C. Implement dynamic addressing
D. Sync proxy servers
E. All of the above
13. Terminal Services RemoteApp applications appear to
users as if the applications are installed locally when
they are actually running a remote server.
A. True
B. False
14. Microsoft’s DirectAccess:
A. Is an alternative to a traditional VPN
B. Is not a VPN
C. Is a mix of Microsoft Access database served through
a VPN
D. Is a DDNS
E. Is an intrusion detection system
15. Users must have physical connectivity with the
internal network for the DirectAccess connection to be
established.
A. True
B. False
16. When performing a download and install of the RPM
version of Openswan, you do not need to have the
IPSec-tools RPM package installed on your machine.
A. True
B. False
17. What are the two methods of installing Openswan?
A. KLIPS and IPSec
B. RPM and source libgmp development libraries
C. By hand and automatically
D. Remotely and through a diskette
E. None of the above
18. To check that you have a successfully installed
Openswan VPN you should run the command ipsec
verify.
A. True
B. False
CHAPTER
15 Perspectives,
Resources, and
the Future
IN YOUR CAREER as a security professional, you will make it your business to know how to secure your organization’s IT
assets, networks, and systems. You are already learning a
great deal about the tools, technologies, processes, and
procedures currently available. In your work, you will know
how to use firewalls to secure the perimeter of the network
and VPNs to secure data in transit. A deep knowledge of the
current security landscape is vital to your professional
success. But you need to know what’s on the road ahead,
too. In this chapter you’ll learn about what’s next.
Today’s information security professionals face a
daunting task. Not only do you need to understand how to
secure a complex, diverse, and rapidly changing IT
environment, but you also need to be aware of the
challenges and threats to come. An in-depth understanding
of security technologies such as VPNs and firewalls and of
threats like malware and social engineering provides the
foundation of your arsenal. To be truly successful, however,
you also need the ability to identify and respond to trends in
both the technologies and the threats under development.
To keep up with attackers, you need to know what’s coming
and where to get reliable, current information.
Throughout your career as an information security
professional, you will encounter situations in which you will
need to apply security best practices to new technologies or
new architectures. You may find that you are conducting
investigations, trying to determine how your infrastructure
was compromised. You may be monitoring new attacks and
trying to develop new defenses. Whatever challenges you
face in the future will require that you leverage the
experience, understanding, and best practices you’ve
learned to ensure you are effective against new risks and
threats.
Chapter 15 Topics
This chapter covers the following topics:
What the future holds for network security,
firewalls, and VPNs
What some resources sites for network
security technologies, techniques, and
threats are
What some useful network security tools are
What the impact of ubiquitous wireless
connectivity is
What potential uses of security technologies
are
What specialized firewalls are available
What the impact of anti-hacker technologies
like honeypots, honeynets, and padded cells
is
What emerging network security
technologies are
Chapter 15 Goals
When you complete this chapter, you will be able
to:
Discuss the different types of integrated and
specialized firewalls, as well as the
advantages and disadvantages of each
List additional sources of information related
to network security
Describe emerging IT and security trends and
their impact on network security
Identify challenges and advantages
presented by the new technologies and
emerging threats to network security
Understand the difference between an IDS
and an IPS
Discuss the future of network security,
firewalls, and VPNs
What the Future Holds for Network
Security, Firewalls, and VPNs
In this chapter, you will be looking to the future of network
security, firewalls, and VPNs.
How does a security expert discern what the future
holds? A number of factors should influence your planning
as you try to draw a road map for your information security
strategy:
Historical progression of threats—If you are
familiar with how threats have progressed over time,
you will have a better understanding of where those
threats may be headed in the future. For example, 10
years ago, virtually all malware attacks were focused
on operating systems. Today, malware attacks go after
applications far more than operating systems.
Browsers are a particularly popular target for attacks
today.
Your industry—Each industry has a different focus
when looking to the future. A bank will have very
different requirements from a shoe store, for example.
Understand your industry, network with your peers,
and make sure you are looking at the proper
framework for your planning.
Experts—It’s always a good idea to see what the
people who predict the future of the industry think
before doing your planning. While experts can
disagree over certain specific predictions, if you keep
an eye on the major information sources (some of
which are provided later in this chapter), you will find
you can develop a pretty good idea of where
information security is headed.
Vendors—Since they are frequently trying to sell you
their next-generation solution, vendors usually have a
biased view of the future. They can provide valuable
information for your planning, however. If the vendors
you work with or follow are all targeting a particular
threat or technology, they view it as an area to
generate revenue. If an industry targets a specific area
as a source of revenue, it’s a good bet that a threat
lurks there somewhere.
Role of cybersecurity in national security—In his
State of the Union Speech in February 2013, President
Obama highlighted the role of cybersecurity in the
future of the United States. While the experienced
security professional knows that nothing new has
really happened, public awareness, along with that of
lawmakers, heads of organizations, and—importantly—
employers has increased dramatically. Every major
publication from The New York Times to The Wall
Street Journal and everyone in between has stated
that there are not enough, and will not be enough,
trained security professionals to fill the need. This
reality must be as important as a part of your own
career planning as it is in planning to protect your
organization.
Here are some of the areas you should pay attention to as
you plan your information security strategy.
Threats
One area that is evolving extremely quickly is the variety of
threats to your infrastructure. Several years ago, the most
prevalent threats were from unsophisticated attackers
whose main goal was to accomplish something they could
brag about in chat rooms with their buddies. Today,
organized crime has zeroed in on the huge amounts of
money to be made in computer hacking. You now see
targeted attacks against specific industries and companies;
viruses that target credit card numbers, bank account
information, and Social Security numbers; and rootkits that,
once installed on a computer, turn it into a host the attacker
can control remotely to attack other systems and networks.
Some attackers will threaten to crash networks with denial
of service attacks unless the system owner pays extortion
money—the high-tech equivalent of a protection racket.
In the future, you will see more resilient networks that
will mitigate the risk of traffic-based attacks, more secure
operating systems and applications to resist malware, and
intrusion prevention systems that will respond instantly to
attacks, choking them off before they can damage your
infrastructure.
Firewall Capabilities
Firewalls have been adding capabilities since they were first
introduced. Early firewalls contained some limited filtering
and NAT capabilities and not much else. You will learn about
the wide range of today’s firewall capabilities and
specialties later in this chapter.
Encryption
Encryption is a constantly evolving standard. In 1977, the
Data Encryption Standard (DES) was specified in the Federal
Information Processing Standards (FIPS) Publications. It
became a national standard. The standard has since
changed from DES, a 56-bit algorithm, to 3DES, an effective
168-bit algorithm, to the Advanced Encryption Standard
(AES), which supports a 256-bit algorithm. The problem with
encryption is the constantly improving processing power of
computers. As computers get faster and more capable, with
bigger and bigger memory space, encryption algorithms
become easier and easier to break through brute force and
other techniques.
Encryption’s popularity has grown as concerns about
protecting data at rest, in transit, and while archived have
come to the forefront of many industries. How many stories
have you seen about the stolen laptop with 100,000 Social
Security numbers on it or an application compromised by an
attacker able to read data directly from a hard drive
because it was stored in cleartext? Today, some government
agencies (the Department of Defense, for example) require
full-drive encryption for all laptops.
Recognizing the growing need for encryption, the
industry is responding quickly. The AES standard was
designated as the replacement for DES. It is designed to
scale upward with longer keys. Keep in mind as you look
into encryption solutions whether they support AES or an
equivalent algorithm, and be sure that you encrypt your
data everywhere it’s vulnerable. The days of relying on your
VPN as the only data protection are gone. You need to
secure data with encryption everywhere it can be accessed.
Authentication
Another area where you can expect to see dramatic
changes in future capabilities is in authentication, especially
with respect to identity and access management. In the
past, much of user security was based on a user ID and
password. Years were spent trying to teach users what a
strong password is, why they need a strong password, and
why they need to change their passwords every 90 days.
The effort has been largely ineffective. Users still choose
poor passwords, and even when they select strong
passwords, the passwords can still be cracked with sufficient
computer power.
The other challenge associated with authentication is
actually a user-management issue. All too often in a
complex environment, the creation, permissioning,
management, and eventual retiring of user accounts doesn’t
work. Accounts retain permissions long after users move on
to other roles, accounts remain on systems long after
employees have left the organization, and, in many cases,
no auditing of actions using privileged accounts takes place.
Collectively, these critical tasks are known as identity and
access management.
How will these challenges evolve in the future? One trend
is moving away from passwords to tokens, smart cards, and
biometric authentication as a replacement to user ID and
password solutions.
On the identity and account management front, a
number of solutions automate these activities, providing full
account life-cycle management and the associated auditing
capabilities many companies look for. The one challenge
with these solutions is that, due to the sophistication of
most corporate computing environments, they are very
complex to install and maintain. It’s not just a matter of
automating the creation of Active Directory accounts in
most cases. Companies have multiple application systems
and authentication requirements. Making all of these
components work together is not easy. Once you get them
working together, however, you’ve removed a significant
threat to your security landscape.
Metrics
One of the biggest complaints from CIOs about information
security is the lack of measures for the success of a
program. Information security has moved from being an
esoteric discipline practiced by a few misunderstood experts
to a core business function vital to supporting the bottom
line. While this evolution has been long overdue, today
management expects you to quantify your contribution to
the company and justify the expenditures they make to
support security.
The good news is that the industry has been moving this
direction for some time and has developed a number of
performance metrics. The most popular is the Information
Technology Infrastructure Library (ITIL), which is a set
of concepts you can use to formalize your security
management practice and the associated reporting. In
addition, numerous solutions allow you to automate not only
these processes, but also the associated measurements.
Focus
Another area of significant evolution in information security
is in the nature of what you are trying to protect. Initially,
information security was all about keeping the bad guys out
of your network. As a result, companies invested significant
amounts of money in firewalls and other network security
technologies.
Then focus shifted from the network to the host,
however, and organizations focused more on managing
patches, hardening operating systems, and installing host-
based firewalls.
Once the industry secured the host, attackers shifted to
threatening the applications running on those hosts. IT then
started focusing on integrating security into the software
development lifecycle, testing and evaluating code, hiring
penetration testers to try to break code deliberately, and
deploying firewalls and proxy servers specifically to secure
applications.
The next shift in focus for information security is a
growing focus on what is truly valuable—the data itself.
Ultimately, all the measures developed to date, from the
network firewalls, to the host hardening, to the penetration
testing, have all been about securing the data. The industry
is now moving toward a data-centric security model, which
is a significant paradigm shift from previous models. A data-
centric model will force companies to focus on classifying
and applying values to their data. While this will
undoubtedly be a painful process for many companies, this
approach will ultimately yield a much more secure
environment.
Securing the Cloud
Cloud computing is a relatively new phenomenon in
computing infrastructure that involves moving computing
resources out to the Internet. Resources are then shared by
multiple applications and, in many cases, shared by multiple
corporations. Think of how the phone networks or the
electrical grid operate. These clouds are typically built using
virtualization that allows for exceptional efficiencies, but
also opens up a number of new security challenges.
First, to leverage the true benefits of cloud computing,
you have to trust the vendor providing your cloud. This
requires a shift in focus from deploying security
technologies to ensuring that your vendors are contractually
obligated and physically able to keep your data secure. You
also need to be able to evaluate vendors to determine how
trustworthy they are. If you have the available resources,
you should be auditing the vendor(s) to ensure they
consistently keep your data secure.
You’ll learn about the security challenges specific to
virtualization later in the chapter.
Securing Mobile Devices
A rapidly growing sector of the end user computing space is
the use of mobile devices like smartphones, netbooks, or
tablet computers. These devices present some unique
challenges. Think about how many people today receive e-
mail on their smartphone, or who ran out to get a new iPad
and are now reviewing confidential documents while riding
the train to work. How do you secure these devices?
The good news is that once the industry identifies issues
like these, it concentrates resources to work and ultimately
solve the problem. The computer security industry has very
few “unsolvable” issues. Already, virus protection, mobile
device management, and encryption applications are
available for mobile devices. The challenge you’ll typically
see in both current and future technology is that these types
of devices are frequently overlooked or discounted when
documenting security risks. Be sure to keep these devices
on your list of risks. They possess an alarming amount of
storage and processing capacity, which makes it easy for an
employee to inadvertently place confidential information on
them.
Mobile IP
The future will bring with it an increased clarity of the
techniques, technologies, and protocols associated with
making IP mobile, from the technology actually called
Mobile IP to a potential host of other technologies,
including IP Multimedia Subsystem (IMS), and including
changes to the Domain Name Service and other
fundamental technologies.
Bring Your Own Device (BYOD)
Bring Your Own Device will increase, as will the need to
secure a growing number of mobile endpoints and different
operating systems and applications. The BYOD mobility
aspect becomes even more important when it is considered
in light of the discussion of mobility technologies and the
mobility enablement of base technologies, and when you
consider that employees, contractors, clients, and others
need to connect securely, with potentially varying
permissions, to the assets of the organization.
Resource Sites for Network Security,
Firewalls, and VPNs
A variety of resource sites are available to you for more
information on network security, firewalls, and VPNs. While
this list of online and offline resources provides a good start,
it’s impossible to cover every source. Here are some sites
and books covering the critical topics just to get you started.
If you need additional information, you are only a search
engine click or a bookstore trip away from the answer.
At press time, all Web sites listed here were valid;
however, with the mergers, acquisitions, and other changes
in the industry, some of these links may change over time.
Firewall Vendors
Check Point Software—www.checkpoint.com
Cisco—www.cisco.com
Juniper Networks—www.juniper.net
Fortinet—www.fortinet.com
McAfee—www.mcafee.com
Palo Alto Networks—www.paloaltonetworks.com
Sophos—www.sophos.com
SonicWALL—www.sonicwall.com
WatchGuard—www.watchguard.com
Virtual Private Network Vendors
Citrix—www.citrix.com
F5 Networks—www.f5.com
Microsoft—www.microsoft.com
Nortel—www.nortel.com
OpenVPN—www.openvpn.net
Openswan—www.openswan.org
Juniper Networks—www.juniper.net
Cisco—www.cisco.com
Network Security Web Sites
CERT (security research)—www.cert.org
Data Breach Investigations Report (security research)
—www.verizonenterprise.com/DBIR/
Gibson Research Corporation (security testing and
tools)—www.grc.com
HackerWhacker (firewall testing Web site)—
www.hackerwhacker.com
ISACA (standards/certifications)—www.isaca.org
(ISC)2 (standards/certifications)—www.isc2.org
National Institute of Standards and
Technology/Computer Security Research Center—
csrc.nist.gov
SANS (security research and training)—www.sans.org
Symantec (security vendor)—www.symantec.com
Network Security Magazine Web Sites
CSO Magazine—www.csoonline.com
Data Breach Investigations Report (security research)
—www.verizonenterprise.com/DBIR/
SC Magazine—www.scmagazine.com/
Search Security—searchsecurity.techtarget.com
Tools for Network Security, Firewalls,
and VPNs
As you review the information security technologies that
you may encounter as your information security career
progresses, one of the questions you’ll probably have is,
where will you find these tools?
In your studies, you’ve probably learned about a number
of commercial and open source solutions for network
security. Numerous commercial and open source solutions
for network security tools, firewalls, and VPNs are available.
Where will you find the tools of the future?
Commercial Off-the-Shelf (COTS) Software
Commercial software remains the choice of corporations
everywhere, and this won’t be changing any time in the
future. A number of reasons account for the dominance of
commercial solutions in the information security industry.
They include:
The popularity of combining hardware and
software into an appliance—Many of the most
popular firewall, VPN, vulnerability management,
intrusion detection, and other security applications will
be developed and distributed in an appliance format.
While some open source solutions will allow you to use
standard server hardware to create an appliance-like
solution, a truly open source appliance will probably be
distributed as a commercial solution.
Companies rely on solutions they can support—
One of the ongoing challenges with open source
software is the lack of commercial support for the
solutions. Highly technical people can work well within
the open source support community. Support from an
open source community is typically better than what
comes from a commercial help desk, but corporations
are generally reluctant to trust security-related
solutions to that model.
The commercialization of open source solutions
—Many of the most popular open source solutions are
being commercialized as their developers look to
generate revenue off the products. Two examples
would be the Snort intrusion detection solution as well
as the Nessus vulnerability scanner. Both tools were
widely used and extremely popular open source
security solutions, and both are now available
commercially.
Open Source Applications and Tools
While it is pretty common to see companies embrace
commercial tools in their production environments, you
can’t discount the sheer innovation available in the open
source community. Most of the tools referenced in this book
are open source, and you can expect to see continued
development on most of them.
Keep in mind a couple of other advantages of open
source tools as you build your security tool kit. First, working
with open source tools is a great way to build your
information security skill set. Most security professionals
cannot afford to purchase multiple commercial security
applications to learn with, so leveraging open source is a
cost-effective career builder.
The other value that open source security tools bring to a
security professional is that these are the same tools many
of the people attacking your network will use. One of the
most important skills you can develop is the ability to
understand the people trying to get into your systems.
Learning the tools and techniques they may use by
developing parallel expertise will take you far in your career.
Commercial applications seldom offer the same learning
opportunities. Attackers generally are not using commercial
applications in their attacks, and they typically don’t draw
from the same community available with open source
solutions as you will to help your learning.
The Impact of Ubiquitous Wireless
Connectivity
No chapter on the future of information security would be
complete without a discussion of the influence of wireless
connectivity on security technologies. The first thing to
realize as you think about wireless is that you need to
consider a variety of wireless technologies. Be sure not to
focus too narrowly and miss something critical. Consider the
types of wireless technologies that affect your environment:
Wireless deployed as a LAN technology—The
deployment of wireless as part of the office LAN
caused constant sleepless nights for security
departments. Security departments used to invest
countless hours test-driving their locations, searching
for unsecured wireless access points on their
networks. The real challenge with this technology,
other than the fact that it permitted the bypassing of
perimeter security controls, was that it was so
convenient. Setup was so easy for an employee—
particularly setting up in the default configuration,
with all the attendant security issues.
The good news is that the industry has made great
strides in wireless security. Stronger authentication
technologies like 802.1x, which requires connecting
systems to be authenticated using PKI machine
certificates, stronger encryption technologies, and
significant improvements in user awareness, have
made wireless LAN in the office a viable replacement
for the wired LAN, while still affording the security you
need to keep your data secure.
Public and home office wireless—Public/home
office wireless is a great thing for your employees.
Take out your laptop, connect to the wireless, and
you’re on the Internet, ready to surf. You can connect
to the corporate network, do your banking, shop
online, or just catch up on the news. What could be
more convenient? As is often the case, convenience is
the enemy of security. A number of security challenges
present themselves with public/home office wireless.
First, any unencrypted traffic sent over these wireless
networks can be intercepted. Counting on Starbucks
(or an employee’s cable company) to configure their
wireless with the most advanced security capabilities
enabled is not reasonable. Work with your users to
make sure they understand the risks associated with
these types of wireless. The good news from a
corporate network perspective is that you are probably
running a VPN for business connections, so that data
should be secure.
Mobile wireless—The ubiquity of smartphones and
other devices that can connect to cellular networks
presents the third challenge when discussing the
impact of wireless connectivity on information security.
Now employees don’t need to search for a wireless hot
spot before connecting to the network; they can
access their mail from just about anywhere. The best
defense against these risks is a combination of policy
and technology. First, your policy should restrict access
to company systems and e-mail to company-owned
devices. That allows you some level of control over the
types and configurations of devices with access to
your data. Next, make sure the devices you’re using
leverage the appropriate security technologies like
encryption and antivirus scanning. While it’s virtually
impossible to physically secure something as portable
as a smartphone, you can ensure that the data on the
device can’t be recovered if it is stolen or lost.
Potential Uses of Security
Technologies
One ever-expanding area of discussion when looking at
security technologies like firewalls, VPNs, intrusion
detection, honeypots, vulnerability management, and others
is the many uses for this technology. Obviously, you use
security technologies to secure your data, networks, and
systems. And that is certainly the primary use for security
technologies. But you should be aware of some additional
uses for this technology.
The core security concepts can be summed up with the
acronym C-I-A. This stands for confidentiality, integrity, and
availability.
Confidentiality—Confidentiality deals with keeping
information, networks, and systems secure from
unauthorized access. This issue is particularly critical
in today’s environment in light of the high-profile
leaking of people’s personal information by several
large companies. These breaches in confidentiality
made the headlines largely because the thefts
exposed people to the potential of identity theft.
Several technologies support confidentiality in an
enterprise security environment. These include:
Strong encryption
Strong authentication
Stringent access controls
Integrity—Integrity is the consistency, accuracy, and
validity of data or information. One of the goals of
successful information security is to ensure that the
information is protected against any unauthorized or
accidental changes. The architecture should include
processes and procedures to manage intentional
changes, as well as the ability to detect changes.
Availability—Availability is the third core security
principle, defined as a characteristic of a resource
being accessible to a user, application, or computer
system when required. In other words, when users
need information, it’s available to them. Typically,
threats to availability come in two types: accidental
and deliberate. Accidental threats include natural
disasters such as storms, floods, fire, earthquakes, and
so forth with attendant power outages. This category
also includes outages due to equipment failure,
software issues, and other unplanned system,
network, or user issues. The second category is related
to outages that result from the exploitation of a
system vulnerability. Some examples of this threat
include a denial of service attack or a network worm
that affects vulnerable systems and their availability.
In some cases, one of the first actions you need to
take following an outage is determining which
category an outage fits into. Companies handle
accidental outages very differently from deliberate
ones.
As you continue to work in the information security field,
another acronym you will encounter is GRC. This stands for
governance, risk, and compliance. This is the best way to
look at your security technologies from a business
perspective. Look at how the security technologies you’re
deploying provide much more than just securing data:
Governance—Governance includes the processes and
procedures that ensure employees are following your
organization’s security policy. For example, you have a
policy that says that data in transit across a public
network must be secured with at least 56-bit
encryption. You would ensure that the only way to
connect to the network is through a VPN that uses at
least 56-bit encryption. This mechanism would be part
of your governance efforts.
Governance is generally used to demonstrate to
management, customers, and auditors that your
information security program is operating as outlined
in your policies, procedures, and practices. If you are a
service provider, you can leverage your governance
capabilities to show that you can be trusted to keep
clients’ information secure.
Risk—One of the foundations of any information
security program is a robust risk management
practice. If you don’t identify your risks, how do you
know which security technologies to deploy and
where? A risk is the likelihood or potential for a threat
to take advantage of a vulnerability and cause harm or
loss. Risk is a combination of an asset’s value,
exposure level, and rate of occurrence. A goal of
security is to recognize, understand, and eliminate
risk.
A risk management process starts with a risk
assessment of your environment. Start with your
critical data, applications, systems, and networks.
Document the risks associated with them in a risk
matrix. A typical risk matrix will contain the following:
A description of the risk
The likelihood that the risk will actually occur
The impact of the risk
A total risk score
The relevant business owner for the risk
Which of the core security principles the risk affects:
confidentiality, integrity, and/or availability
The appropriate strategy or strategies to deal with the
risk
The last bullet is the one that’s critical with respect to
security technologies—you leverage security technologies
as part of the strategy to deal with the risks. One of the
fastest-growing sectors in the information security field is
compliance. Compliance means ensuring your company
obeys internal policies as well as any applicable laws or
other regulatory requirements. A good example of this is the
Sarbanes-Oxley Act, which requires publicly traded
companies to validate the controls securing all financial
data. You will find that your security program, in conjunction
with the security technologies supporting it, are critical to
ensuring compliance with a growing number of regulations.
What Happens When There Is No
Perimeter?
If you look back to the first uses of network security,
security professionals essentially put a firewall between the
corporate network and the Internet. That firewall marked
the perimeter of the network. As networks became more
complex, companies started finding they were connecting to
the Internet in more locations, so more firewalls were
installed. The perimeter remained the demarcation between
the Internet and the corporate network. Today, the
vanishing perimeter has been the subject of many
presentations, white papers, and sales pitches, as vendors
try to convince organizations to invest to protect their
perimeter-less environments.
VPNs extended the internal network outside the nice,
neat network perimeter defined by the firewall/Internet
interface. Suddenly, your network could be in any hotel or
coffee shop in the country, as your employees discovered
the benefits of mobile computing. To make matters worse,
high capacity drives and portable storage meant that not
only was your network being extended into places that you
had never imagined, but your data storage was no longer
contained within your office space. Critical information could
be stored easily anywhere your employees wanted.
Unfortunately, that wasn’t the end of the challenges you
faced as an information security professional. In addition to
your employees taking your network and data anywhere
they wanted, your business discovered the benefits of
interconnecting with customers, vendors, suppliers, and
partners. Each of these groups needed varying levels of
access to your systems, networks, and data.
In addition to all the challenges with connections and
data beyond your network, businesses also discovered the
benefits of online commerce over the Internet. That seems
harmless enough, until you realize that to do business on
the Internet, you need to punch holes in the network
perimeter to provide access from the Internet to your
systems, networks, and data. It’s a little like installing
skylights in your roof: You want the benefit of the sunlight in
the house, but you don’t want leaks when it rains.
In a perfect world, upper-level management would have
consulted with you before they embarked on these projects.
They would have given you an unlimited budget to deploy
network zones separating each of the different types of
data, with firewalls and intrusion detection deployed at each
level, and enough staff to monitor all the infrastructure to
ensure nothing is getting past your security measures.
In reality, the first few connections were most likely put
in without input from security, and these might not even be
firewalled. It’s so much easier than having to justify
purchasing firewalls, set up firewall rules, monitor logs, and
do all the other things an organization needs to do as it
opens holes in its protective perimeter.
What’s needed in this case is a clear, well-established
policy with strong senior management support. The
appropriate controls should be put in place to reestablish
your perimeter. If you treat the risk of all these new
technologies connecting to your network the same way you
treat the risks posed by the Internet, you’ll mitigate the
risks associated with the increasingly fluid perimeter you
will be dealing with.
Specialized Firewalls Available
In this section you’ll learn about some of the specialized
firewalls that are available or are coming soon, such as:
Hybrid—A hybrid firewall combines a number of
different functions in a single appliance. You learned
about firewalls with integrated VPN capabilities, but
you can also expect to see firewalls combined with
vulnerability management, intrusion detection and
prevention, antivirus/anti-spyware, content filtering, or
a variety of other network and security-related
technologies. The key when looking into hybrid
firewalls is ensuring that they will meet your specific
security needs while not creating a performance
bottleneck. The more functions you put on a single
system, the more chances you’ll run into a
performance bottleneck.
Data protection—A data protection firewall is a
hybrid firewall, but deserves some additional
explanation. The focus of a mature security program is
to ensure that data is secure. An emerging technology
is data leakage prevention (DLP), which is a
technology specifically designed to ensure that your
data stays within your network. When combined with
firewall technologies at the perimeter of the network, a
data protection firewall becomes an invaluable tool in
keeping your data out of Gmail and Facebook accounts
and within the internal network where it belongs.
Application—An application firewall is specifically
designed to control input, output, and/or access to an
application. This type of firewall became very popular
when the focus of attacks shifted from operating
systems to applications. An application firewall
operates by monitoring the input, output, and system
calls made in an application, and blocking any that do
not conform to the firewall rules. An application
firewall can block buffer overflow attacks, SQL
injection attacks, and the majority of other application-
focused attacks.
Application firewalls are either network-based or host-
based applications. One drawback of application
firewalls is they are typically designed for specific
types of applications (i.e., Web applications or
databases), whereas a standard firewall can secure
many different types of applications, though not to the
level an application firewall provides.
Database—A database firewall is an application
designed to control the input, output, and system calls
made to a database. While limited to database
security, this firewall offers very granular security for
databases.
Ubiquitous—This is ultimately the direction that
firewalls will likely take in the future. The industry
currently supports a variety of firewalls integrated into
the network and the host that run on the perimeter
and the core to protect demarcation between network
zones. Now firewalls are moving into the virtualization
area. Eventually, this intelligence and control will be
pushed directly into the infrastructure and managed
from a single console. Instead of controlling isolated
ports on a firewall-by-firewall basis, you’ll be able to
manage secure data as it flows into, out of, and
through your environment from the originating host to
the perimeter of your network and at all connections in
between. This will allow you to reestablish the
perimeter that disappeared with all the external
connections to your network.
Intrusion Detection Systems (IDSs) and
Intrusion Prevention Systems (IPSs)
Two other security technologies available to secure
networks are intrusion detection systems (IDSs) and
intrusion prevention systems (IPSs). An IDS detects
unauthorized user activities, attacks, and network
compromises (Figure 15-1). IDSs come in two types, host-
based and network-based.
An intrusion prevention system (IPS) is very similar to an
IDS, except that in addition to detecting and alerting, an IPS
can also take action to prevent a breach from occurring
(Figure 15-2).
NOTE
IDS/IPS is used largely on Internet connections, since
those connections typically present the largest threat
to the network. You can also deploy IDS/IPS in strategic
locations on the internal network. This is an excellent
idea if your internal network has connections to third-
party networks such as customers, vendors, or
business partners.
FIGURE 15-1
IDS detects an attack, and alerts operators—manual
intervention needed.
FIGURE 15-2
IPS detects attack, alerts operators, and then modifies
firewall and router configuration to address the attack.
Two common deployment methods are used when
placing an IDS/IPS for protecting a network from the
Internet. Each has its own advantages and disadvantages.
An unfiltered IDS/IPS installation examines the raw
Internet data stream before it crosses the firewall (Figure
15-3). This provides the highest amount of visibility to
attacks, but also means that a significantly higher volume of
data will be monitored, with a higher possibility of false
positives. During periods of high traffic, the IDS/IPS might
not be able to process all the packets, and attacks can be
missed.
FIGURE 15-3
Placement of the intrusion detection system so it gets
unfiltered traffic for analysis.
FIGURE 15-4
An intrusion detection system deployed behind a screening
firewall.
A screened IDS/IPS solution monitors traffic that gets
through the screening firewall (Figure 15-4). The advantage
to this model is it dramatically reduces the amount of traffic
to be monitored, reducing the chances of false positives and
lost packets during high traffic volumes. A loss of visibility
accompanies this model, as you cannot see attacks blocked
by the screening firewall.
Effect of Honeypots, Honeynets, and
Padded Cells
Honeypots, honeynets, and padded cells are
complementary technologies to IDS/IPS deployments. A
honeypot is a trap for hackers. A honeypot is designed to
distract hackers from real targets, detect new exploitations,
and learn about the identity of hackers. A honeynet is just a
collection of honeypots used to present an attacker an even
more realistic attack environment. A padded cell is a system
that waits for an IDS to detect attackers and then transfers
the attackers to a special host where they cannot do any
damage to the production environment.
While these are all extremely useful technologies, not
many corporate environments deploy them. You generally
see these deployed by educational institutions and security
research firms. Generally, corporate information security
professionals are so busy securing their environment from
attacks that they don’t spend time researching attack
patterns. As long as the attack doesn’t succeed, they are
satisfied.
Emerging Network Security
Technologies
In addition to these future enhancements to security
technologies, you should also be aware of three more areas
of emerging security technology:
Data leakage prevention (DLP)—DLP technologies
are systems that identify, monitor, and protect data in
use, data in motion, and data at rest from
inappropriate use, distribution, transmission, or other
unauthorized actions. DLP technologies perform deep-
content inspection within a scope defined by a central
management console and are usually deployed at
multiple locations within the environment to ensure
full coverage. As the value of data continues to climb,
this technology should see wider implementation. The
technology is already used heavily in the financial
industry. New government regulations will help drive
the implementation in other sectors, most likely health
care. HIPAA, HITECH, and PCI have specific data
protection requirements.
Biometrics—Biometrics identify a user based on
anatomical characteristics such as a fingerprint, a
voice print, or iris patterns. These methods of
identification have a number of advantages over
passwords, tokens, or ID cards.
First, biometric authentication requires the person
being authenticated be physically present. Second,
biometric security removes the need to remember
complicated passwords. No more passwords taped
under keyboards; you carry your password with you
wherever you go. Finally, biometrics remove the need
to carry a token or ID card with you. You don’t have to
worry about not being able to work when you leave
your token on the kitchen table at home.
The areas where biometrics are currently being
investigated include ATMs, laptops, and computer
networks.
Virtualization security—As virtualization and cloud
computing continue to gain ground, a new generation
of virtualization-aware security tools are under
development. Antivirus, vulnerability management,
data leakage prevention, and IDS/IPS technologies are
all being developed to run against the underlying
hypervisor layer. The hypervisor layer is the hardware
or software on which virtual machines run. This gives
the security applications direct access to the
underlying data transport layer of the virtual
environment rather than forcing them to run against
each virtual server, dramatically improving
performance, visibility to security issues, and ease of
use.
In multi-tenant environments (multiple companies
sharing the same virtual environment), additional
security tools are being developed to ensure that no
access occurs between the virtual environments.
IP Version 6
IPv6 is the next-generation IP version and the successor to
IPv4. While the main driving force for the redesign of
Internet Protocol was the rapidly approaching exhaustion of
IPv4 addresses, IPv6 has significant implications to future
information security professionals.
IPv6 includes a native information security framework
(IPSec) that provides for both data and control packets. This
means that what you currently do with a traditional VPN you
will be able to do natively with any IPv6 device. At a high
level, that means you can run your IPSec VPN without
requiring a client, but the implications are significantly more
profound than just that.
In a fully IPv6 environment, any connection can use an
IPSec connection. This means that any connection from a
user to an application, a host to a host, or even a peer to a
peer authenticates and encrypts as it passes across the
network.
While the thought of a network featuring nothing but
secure connections seems like a security professional’s
dream configuration, you should also consider some
drawbacks before kicking off your IPv6 migration project.
One of the challenges with encryption is that it not only
secures data from the bad guys, but it also secures the data
from the good guys. A number of security technologies like
IDS/IPS, content filtering, network-based antivirus, data
leakage prevention, and even firewall technologies rely on
being able to look at packets as they cross the network to
determine how to handle them. Once those packets are
encapsulated in a secure IPSec connection, all the security
tools you have relied on stop working.
With the limited deployment of IPv6, significant
development on solutions to overcome these challenges
hasn’t occurred yet, but it will be a subject of great interest
as the use of IPv6 expands.
VPNs, Firewalls, and Virtualization
Here are some areas that look to the future of virtualization
that you should think about.
Virtualization and VPN deployment are examples; some
SSL VPNs have the ability to provide a unique virtual VPN
configuration for each individual user group. Much like other
types of virtualization, a virtualized SSL VPN allows you to
separate the physical and logical use of the VPN. In the
future, this capability could extend to IPSec VPNs as well.
While this technology offers some unique abilities when
configuring secure VPN contexts for different user groups,
the additional complexity is something you need to know. A
misconfigured virtual VPN context could expose parts of
your network to groups that should not have access to
them. For example, if you are using a virtualized VPN to
provide customers access to a help desk ticketing system,
and you inadvertently grant that context access to your
intranet where all your pricing information resides, you
expose the organization’s proprietary data to unnecessary
risk.
Firewalls are another technology that is starting to permit
virtualization. Currently, some firewalls on the market can
partition into multiple virtual firewalls. Each virtual firewall
appears to be a separate firewall with its own security
policy, interfaces, and configuration. This allows you to use
your firewall hardware more efficiently than you might
otherwise, but once again, additional risks occur with the
deployment of virtual firewalls.
First, while firewalls exist that support this technology,
not all of them support all their features in the virtualized
environment. Before you deploy a virtualized firewall, be
sure it supports all the features you need to meet your
business and security requirements. While this is a very
promising technology, it’s also very new, and sometimes
early adopters can find themselves encountering issues the
vendor didn’t discover during the quality assurance
processes.
Next, you are relying on the logical segregation of
firewalls rather than the physical separation offered by
multiple physical firewalls. While this technology remains
new, do some testing before deploying virtual firewalls into
a critical environment. Finding that there’s a way to bypass
the virtual security and move from one virtual environment
to another would not be good if you are using the firewall to
separate two customers connected to your network.
Finally, this model suffers from the same complexity
challenges with respect to the virtual VPNs. Any time you
have a solution that offers greater flexibility, you also open
the possibility for greater complexity. Complex
environments are almost always more difficult to secure,
monitor, and manage than simple environments.
However, in spite of all the challenges associated with
virtualizing security technologies like VPN and firewalls, a
compelling business case exists for leveraging hardware
more effectively in a virtualized environment. Be sure you
understand the technology thoroughly before deploying it.
Information security is seldom a forgiving field for learning
as you go.
Steganography
Steganography is the art and science of writing hidden
messages so that only the sender and intended recipient
know a message exists. Steganography is the ultimate
security through obscurity technology.
Probably the most well known technique for
steganography in the modern era is the embedding of
additional information in a digital image. An image before
and after a message has been embedded in it appears
unchanged to the naked eye. But if you run the image
through the proper program, the secret message appears.
However, steganography has been around a lot longer than
digital images, and it can take many forms. Simply writing a
message in invisible ink on the page of a book is a form of
steganography.
The main advantage of steganography is that messages
do not arouse suspicion. If you encrypt an e-mail message
and send it, and the message is intercepted, then whoever
intercepted the message assumes there’s something
sensitive in the message. If however, you send a copy of a
picture of your kids at the amusement park with a message
embedded in the photo, unless the intercepting party knows
the coded message is coming, they will not give it any
special attention. Encrypted messages protect the message.
Steganographic messages protect the data as well as the
intentions of the sender and the receiver.
Anti-Forensics
The final topic for discussion in this chapter is the use of
anti-forensics. Anti-forensics are a series of techniques
designed to try to frustrate forensic investigators and their
digital forensic techniques.
Forensic techniques are well known to the information
security community and, by extension, to the hacker
community as well. As a result, hackers have developed an
arsenal of counter-techniques they use to foil investigations.
If they can prevent the investigator from recovering usable
evidence, they stand a better chance of avoiding discovery
or prosecution. Some of these techniques are also used to
hide rootkits and other malware.
Some examples of anti-forensic tools and techniques
include:
Securely overwriting data
Overwriting metadata
Designing code that won’t run when the system is in
debugging mode
Designing code that won’t run in a virtual machine
Preventing a system from entering safe mode or
debugging mode
Running all code from an external device like a USB
drive
Tampering with file system date and time stamps
Running in read-only mode to prevent the system from
updating file information.
You should be familiar with the concepts associated with
anti-forensics, but unless you plan to become a forensic
investigator, you probably won’t encounter any of these
except possibly securely overwriting data.
CHAPTER SUMMARY
In this chapter, you learned about a number of topics
dealing with the future of security technologies and
some of the significant emerging security threats.
Future information security tools may come from the
commercial or the open source communities, and you
learned about the pros and cons of both of those
areas of development.
Governance, risk, and compliance are the pillars of
good policy for guiding your use of security
technologies. While the obvious use for security
technologies is to provide security, when all is said
and done, information security needs to be a
business enabler, created with an understanding of
the business requirements and the bottom line. The
days of deploying information security technologies
based solely on management’s fear of security
incidents are long gone.
Changes in networking technologies on the security
perimeter can affect how network security operates.
Firewall specialization includes hybrid, data
protection, application, database, and ubiquitous
firewalls. IDS, IPS, and other complementary
technologies, such as honeypots, honeynets, padded
cells, steganography, and anti-forensics, are essential
elements in modern secure networks.
KEY CONCEPTS AND TERMS
Anti-forensics
Data leakage prevention (DLP)
Digital forensic techniques
Information Technology
Infrastructure Library (ITIL)
IP Multimedia Subsystem (IMS)
Mobile IP
CHAPTER 15 ASSESSMENT
1. Pick the two most common IDS/IPS deployment models:
A. Bypass
B. Unfiltered
C. Tunneled
D. Intranet
E. Screened
2. Which of the following are types of specialized firewalls?
A. Data protection
B. Host
C. Application
D. Hybrid
E. Network
3. Two technologies used to identify attack techniques and
patterns include ________ and ________.
4. Techniques used to counter digital investigations are
known as ________.
5. Pick the two changing areas to watch when developing
your information security road map.
A. Security industry focus
B. Vendors
C. Computer processing power
D. Cloud computing
E. Network design
6. The technique of hiding a secret message in plain sight
is known as ________.
7. Which of the following is a potential disadvantage of
IPv6 from a security perspective?
A. Additional address space
B. Less flexible than IPv4
C. Industry support
D. Maturity of the standard
E. Ubiquitous encryption
8. Identifying a user based on anatomical characteristics is
known as ________.
9. Which of the following are biometric characteristics?
A. Default password
B. Fingerprint
C. Iris pattern
D. Voice print
E. Token
10. Which of the following are considered complementary
technologies to an IDS/IPS implementation?
A. Honeypot
B. Encryption
C. VPN
D. Padded cell
E. Virtual firewall
11. A device that monitors network traffic and alerts during
an attack is an ________.
12. A device that monitors network traffic and alerts and
takes action without manual intervention during an
attack is an ________.
13. Which of the following contribute to the erosion of the
network perimeter?
A. Specialized firewalls
B. VPN
C. IPS/IDS
D. Cloud computing
E. Business partner connections
14. The act of ensuring your company obeys internal
policies and any applicable laws is known as ________.
15. The processes and procedures used to ensure
employees are following corporate security policies are
known collectively as ________.
16. Identify one risk associated with the use of a public
wireless connection.
A. Encryption
B. Virus
C. Data interception
D. Data corruption
E. Social engineering
17. What is one advantage to commercial security solutions
that might make a company select them over open
source equivalents?
A. Flexibility
B. Support
C. Cost
D. Availability
E. Value
18. Which of the following might be included in a risk
register?
A. Risk description
B. Impact
C. Cost
D. Business owner
E. Continuity planning
19. Which of the following are considered core security
principles when discussing the uses of security
technologies?
A. Confidentiality
B. Governance
C. Integrity
D. Risk
E. Compliance
20. When an IDS detects an attack, it can direct the
attacker to a host where the attacker cannot do any
damage. This host is known as a ________.
Answer Key APPENDIX
A
CHAPTER 1 Fundamentals of Network Security 1. C 2. E 3.
A 4. B 5. C 6. E 7. D 8. B 9. B 10. A 11. A 12. E
13. B and C 14. D 15. E 16. B 17. D 18. C 19. E
20. E
CHAPTER 2 Firewall Fundamentals 1. B 2. C 3. A 4. E 5. D 6.
B 7. C 8. B 9. A 10. E 11. E 12. E 13. D 14. A
15. D 16. D 17. B 18. C 19. D 20. B 21. C 22. A
23. E
CHAPTER 3 VPN Fundamentals 1. D 2. B 3. E 4. A 5. B 6. C
7. A 8. E 9. A 10. C 11. D 12. D 13. D 14. D 15.
A 16. B 17. A 18. B 19. A 20. D 21. C 22. C 23.
B 24. A 25. D
CHAPTER 4 Network Security Threats and Issues 1. C 2. A
3. D 4. E 5. C 6. D 7. E 8. C 9. B 10. E 11. A 12.
A 13. C 14. B 15. D 16. D 17. C 18. E 19. A 20.
C
CHAPTER 5 Network Security Implementation 1. C 2. E 3. C
4. A 5. A 6. D 7. D 8. C 9. B 10. A 11. E 12. B
13. D 14. A 15. D 16. C 17. B 18. D 19. C 20. A
CHAPTER 6 Network Security Management 1.
D 2. B 3. E 4. C 5. D 6. A 7. E 8. E 9. A 10. E
11. D 12. B 13. C 14. C 15. E 16. E 17. B 18. E
19. A 20. D
CHAPTER 7 Exploring the Depths of Firewalls 1. B 2. A 3. D
4. C 5. E 6. D 7. E 8. D 9. B 10. C 11. C 12.
wirespeed 13. A 14. C 15. E 16. E 17. C 18. C
19. C 20. E
CHAPTER 8 Firewall Deployment Considerations 1. B 2. E 3.
D 4. B 5. A 6. D 7. B 8. C 9. D 10. B 11. E 12. D
13. C 14. A 15. D 16. D 17. B 18. D 19. A 20. B
CHAPTER 9 Firewall Management and Security Concerns 1.
B 2. E 3. D 4. B 5. B 6. A 7. C 8. B 9. D 10. E
11. A 12. C 13. C 14. C 15. B 16. A 17. B 18. D
19. B 20. D
CHAPTER 10 Using Common Firewalls 1. A, C, and E 2. D 3.
B and D 4. B 5. A 6. inbound, outbound 7. B 8.
A, C, and E 9. C 10. B 11. A 12. B 13. A, C, D,
and E 14. D 15. A, B, C, D, and E (all) 16.
outside 17. port forwarding 18. A 19. B 20.
throughput CHAPTER 11 VPN Management 1.
E 2. C 3. Three of the following: Denial of
service attack, missing patches, backdoor
attack, unpublished vulnerability in the code,
weak client security, weak authentication,
weak encryption key selection, social
engineering 4. SSL, IPSec 5. A and D 6.
anonymity 7. C and E 8. VPN policy 9. B, C,
and D 10. A, B, and D 11. privacy 12.
patch/update 13. B 14. two-factor or
token/biometric 15. redundant 16. C and D 17.
B 18. A, B, and D 19. A and C 20. circuits
CHAPTER 12 VPN Technologies 1. B and D 2.
C and E 3. 3DES 4. SSL and IPSec 5. A and B 6.
network address translation (NAT) 7. C and D
8. platform independent 9. B, C, and D 10. B
and D 11. request for comments (RFC) 12.
virtualization 13. A, B, and E 14. L2F and PPTP
15. SSH 16. A, C, and E 17. B, C, and F 18. A,
B, D, and E 19. A and D 20. Secure Sockets
Layer CHAPTER 13 Firewall Implementation
1. C 2. B 3. A 4. B 5. C 6. D 7. B 8. B 9. E 10.
True 11. A 12. C 13. B 14. B 15. False 16. D 17.
C
CHAPTER 14 Real-World VPNs 1. A and D 2. B 3. B 4.
Secure Socket Layer (SSL) 5. E 6. False 7. D 8.
B 9. B 10. A 11. C 12. A 13. A 14. A 15. B 16. B
17. B 18. B
CHAPTER 15 Perspectives, Resources, and the Future 1. B
and E 2. A, C, and D 3. honeypots and
honeynets 4. anti-forensics 5. A and D 6.
steganogrophy 7. E 8. biometrics 9. B, C, and
D 10. A and D 11. IDS or IPS 12. IPS 13. B, D,
and E 14. compliance 15. governance 16. C
17. B 18. A, B, and D 19. A and C 20. padded
cell
Standard Acronyms APPENDIX
B
3DES
triple data encryption standard
ACD
automatic call distributor
AES Advanced Encryption Standard
ANSI
American National Standards Institute
AP
access point
API
application programming interface
B2B
business to business
B2C
business to consumer
BBB
Better Business Bureau
BCP
business continuity planning
C2C
consumer to consumer
CA certificate authority
CAP
Certification and Accreditation Professional
CAUCE
Coalition Against Unsolicited Commercial
CCC
CERT Coordination Center
CCNA
Cisco Certified Network Associate
CERT
Computer Emergency Response Team
CFE
Certified Fraud Examiner
CISA
Certified Information Systems Auditor
CISM
Certified Information Security Manager
CISSP Certified Information System Security
Professional
CMIP
Common Management Information Protocol
COPPA
Children’s Online Privacy Protection
CRC
cyclic redundancy check
CSI
Computer Security Institute
CTI
Computer Telephony Integration
DBMS
database management system
DDoS
distributed denial of service
DES
Data Encryption Standard
DMZ demilitarized zone
DoS
denial of service
DPI
deep packet inspection
DRP
disaster recovery plan
DSL
digital subscriber line
DSS
Digital Signature Standard
DSU
data service unit
EDI
Electronic Data Interchange
EIDE
Enhanced IDE
FACTA Fair and Accurate Credit Transactions Act
FAR
false acceptance rate
FBI
Federal Bureau of Investigation
FDIC
Federal Deposit Insurance Corporation
FEP
front-end processor
FRCP
Federal Rules of Civil Procedure
FRR
false rejection rate
FTC
Federal Trade Commission
FTP
file transfer protocol
GIAC Global Information Assurance Certification
GLBA
Gramm-Leach-Bliley Act
HIDS
host-based intrusion detection system
HIPAA
Health Insurance Portability and
Accountability Act
HIPS
host-based intrusion prevention system
HTTP
hypertext transfer protocol
HTTPS
HTTP over Secure Socket Layer
HTML
hypertext markup language
IAB
Internet Activities Board
IDEA International Data Encryption Algorithm
IDPS
intrusion detection and prevention
IDS
intrusion detection system
IEEE Institute of Electrical and Electronics
Engineers
IETF
Internet Engineering Task Force
InfoSec
information security
IPS
intrusion prevention system
IPSec
IP Security
IPv4
Internet protocol version 4
Internet protocol version 6
IPv6
IRS
Internal Revenue Service
(ISC)2 International Information System Security
Certification Consortium
ISO
International Organization for Standardization
ISP
Internet service provider
ISS
Internet security systems
ITRC
Identity Theft Resource Center
IVR
interactive voice response
LAN
local area network
metropolitan area network
MAN
MD5
Message Digest 5
modem
modulator demodulator
NFIC
National Fraud Information Center
NIDS
network intrusion detection system
NIPS
network intrusion prevention system
NIST
National Institute of Standards and
Technology
NMS
network management system
OS
operating system
OSI open system interconnection
PBX
private branch exchange
PCI
Payment Card Industry
PGP
Pretty Good Privacy
PKI
public key infrastructure
RAID
redundant array of independent disks
RFC
Request for Comments
RSA
Rivest, Shamir, and Adleman (algorithm)
SAN
storage area network
SANCP Security Analyst Network Connection Profiler
SANS
SysAdmin, Audit, Network, Security
SAP
service access point
SCSI
small computer system interface
SET
Secure electronic transaction
SGC
server-gated cryptography
SHA
Secure Hash Algorithm
S-HTTP secure HTTP
SLA
service level agreement
SMFA
specific management functional area
SNMP
Simple Network Management Protocol
SOX
Sarbanes-Oxley Act of 2002 (also Sarbox)
SSA
Social Security Administration
SSCP
Systems Security Certified Practitioner
SSL
Secure Sockets Layer
SSO
single system sign-on
STP
shielded twisted cable
TCP/IP Transmission Control Protocol/Internet
Protocol
TCSEC
Trusted Computer System Evaluation Criteria
TFTP Trivial File Transfer Protocol
TNI
Trusted Network Interpretation
UDP
User Datagram Protocol
UPS
uninterruptible power supply
UTP
unshielded twisted cable
VLAN
virtual local area network
VOIP
Voice over Internet Protocol
VPN
virtual private network
WAN
wide area network
WLAN wireless local area network
WNIC
wireless network interface card
W3C
World Wide Web Consortium
WWW
World Wide Web
Glossary of Key Terms
802.1x | Port or portal authentication. A mechanism
commonly used by network devices, such as firewalls,
routers, switches, and wireless access points, to perform
authentication of users before allowing communication to
continue across or through the device. The authentication
can take place locally on the device or go to an
authentications service, such as a credit card payment
system, PKI, or directory service.
A
Access control | The process or mechanism of granting or
denying use of a resource; typically applied to users or
generic network traffic.
Access control list (ACL) | Mechanism defining traffic or
an event to apply an authorization control of allow or deny
against. Often used interchangeably with the terms rule and
filter in relation to firewalls. An ACL focuses on controlling a
specific user or client’s access to a protocol or port.
Active threat | A form of threat that takes some type of
initiative to seek out a target to compromise. These can be
hackers, intruders, or automated worms. In any case, an
active threat seeks out vulnerable targets. If you don’t have
reasonable security measures and the active threat
discovers your system, you might be at risk for a
compromise.
Advanced persistent threat (APT) | A network attack in
which an unauthorized person gains access to a network
and stays there undetected for a long period of time. The
purpose of such an attack is to steal data, not to damage
the network or organization. Sectors with high-value
information, such as national defense, manufacturing, and
the financial industry, are commonly the target of such
attacks.
Adware | Unwanted software that displays advertisements.
Often linked with spyware.
Agent | A malicious software program distributed by a
hacker to take over control of a victim’s computers. Also
known as a bot or a zombie. Agents are commonly used to
construct botnets.
Alert | A notification from a firewall that a specific event or
packet was detected. Alerts notify administrators of events
that may need real-time human response or attention.
Algorithm | A set of rules and procedures, usually
mathematical in nature. Algorithms can define how the
encryption and decryption processes operate. Often very
complex, many algorithms are publicly known; anyone can
investigate and analyze the strengths and weaknesses of an
algorithm.
Alternate data stream (ADS) | A feature added to the
NTFS file system to support files from POSIX, OS/2, and
Macintosh. ADS supports multiple resource forks for file
objects. Hackers use ADS to hide files.
Annualized loss expectancy (ALE) | The calculation of
the total loss potential across a year for a given asset and a
specific threat. ALE calculations are part of risk assessment.
ALE = SLE × ARO.
Annualized rate of occurrence (ARO) | A probability
prediction based on statistics and historical occurrences on
the likelihood of how many times in the next year is a threat
going to cause harm. ARO
is used in the ALE calculation.
Anomaly-based detection | A form of intrusion detection
system/intrusion prevention system (IDS/IPS) based on a
defined normal, often defined using rules similar to firewall
rules. All traffic or events that fail to match defined normal
are considered anomalies and potentially malicious.
Anonymity | The ability for a network or system user to
remain unknown. A number of tools and techniques provide
anonymity when connected to a network, although the
underlying network protocols make true anonymity very
difficult.
Anti-forensics | A series of tools and techniques used to
prevent forensic examination from identifying an attack or
attacker.
AppleTalk | A legacy protocol developed by Apple Inc. for
use in networks hosting mainly Macintosh computers.
Mostly replaced by TCP/IP.
Appliance | A hardware product that is dedicated to a
single primary function. The operating system or firmware
of the hardware device is hardened and its use is limited to
directly and exclusively supporting the intended function.
Firewalls, routers, and switches are typical appliances.
Appliance firewall | A hardened hardware firewall.
Application Layer (Layer 7) | The top or seventh layer of
the OSI model. This layer is responsible for enabling
communications with host software, including the operating
system. The Application Layer is the interface between host
software and the network protocol stack. The sub-protocols
of this layer support specific applications or types of data.
Application firewall | A type of firewall that filters on a
specific application’s content and session information.
Application gateway | See application firewall.
Application proxy | See application firewall.
Arbitrary code execution | An exploit that allows a hacker
to run any command line function on a compromised
system. Buffer overflow attacks and SQL injection attacks
can often allow arbitrary code execution.
ARP spoofing | The falsification of ARP replies to trick the
requestor into sending frames to a system other than its
intended destination.
Asset | Anything you use in a business process to
accomplish a business task.
Asset value (AV) | The cumulative value of an asset based
on both tangible and intangible values. AV supports the SLE
calculation.
Asymmetric cryptography | A means of encoding and
decoding information using related but different keys for
each process. A key used to encode cannot decode, and
vice versa. Cryptography based on algorithms that use
either key pairs or some other special mathematical
mechanism. Asymmetric cryptography that uses key pairs is
commonly known as public key cryptography. Different keys
serve different purposes. Different keys are used by
different members of the communication session. Some
systems use something different from keys altogether.
Asymmetric digital subscriber line (ADSL) | A form of
the digital subscriber line technology, which enables faster
data transmission over copper telephone lines than a
conventional voice band modem can provide.
Attack surface | Portions of a software system that
unauthenticated users can run.
Auditing | Act of conducting an audit. Auditing can be the
action of a system that is recording user activity and system
events into an audit log. Auditing can also be the action of
an auditor who checks for compliance with security policies
and other regulations.
Auditor | Either an outside consultant or an internal
member of the information technology staff. The auditor
performs security audits, confirms that auditing is sufficient,
and investigates audit trails produced by system auditing. In
the case of regulatory compliance, auditors should be
external and independent of the organization under audit.
Authentication | The process of confirming the identity of
a user. Also known as logon.
Authentication, authorization, and accounting (AAA)
services | Programs used to control access to computer
resources, enforce policies, audit usage, and provide billing
information. Examples include RADIUS, TACACS, 802.1x,
LDAP, and Active Directory.
Authentication Header (AH) | A protocol that provides
integrity protection for packet headers and data, as well as
user authentication.
Authenticity | The security service of the combination of
authentication and access control (authorization) that
provides either the identity of the sender of a message or
controls who is the receiver of a message.
Authorization | Defining what users are allowed and not
allowed to do. Also known as access control.
Availability | When a system is usable for its intended
purpose. The security service that supports access to
resources in a timely manner. If availability becomes
compromised, a denial of service is taking place.
Avalanche effect | A common feature of hash algorithms.
This effect ensures that small changes in the input data
produce large changes in the outputted hash value. A single
binary digit change in a file should produce a clearly
recognizable difference in the resultant hash value.
Awareness | Basic security training that focuses on
common or basic security elements that all employees must
know and abide by. Less rigorous than training or education.
B
Backdoor | Unauthorized access to a system.
A backdoor is any access method or pathway that
circumvents access or authentication mechanisms.
Backup | The process of making copies of data onto other
storage media. The purpose of a backup is to protect
against data loss by having additional onsite or offsite
copies of data that can be restored when necessary.
Banner | A message sent by a service in response to a valid
or invalid query. A banner can confirm communication is
functioning properly or announce an error. Some banners
disclose the product name and version number of the
service.
Banner grabbing | The act of capturing or extracting
banners from services. Hackers often perform banner
grabbing after port scanning to learn what service is active
on a port.
Bastion host | A firewall positioned at the initial entry point
where a network interfaces with the Internet. It serves as
the first line of defense for the network. Also known as a
sacrificial host.
Bastion host OS | A system designed, built, and deployed
specifically to serve as a frontline defense for a network.
Behavioral-based detection | A form of IDS/IPS detection
based on a recording of real-world traffic as a baseline for
normal. All traffic or events that fail to match the normal
baselines are considered abnormal and potentially
malicious.
Blacklist | A type of filtering in which all activities or
entities are permitted except for those on the blacklist. Also
known as a block list.
Blog | A contraction of the words “web” and “log,” it is a
form of Web site where the site owner posts messages,
images, and videos for the public to view and potentially
comment on. Blogs are commonly a platform for discussing
issues, causes, or interests.
Border sentry | A description often applied to firewalls
positioned on network zone transitions or gateway locations.
Botnet army | A network of zombie/bot/agent–
compromised systems controlled by a hacker.
The network consists of the bots, agents, or zombies that
intercommunicate over the Internet. Another term for
zombie.
Botnet | A network of zombie/bot/agent–compromised
systems controlled by a hacker.
The network consists of the bots, agents, or zombies that
intercommunicate over the Internet.
Bots | Malicious software programs distributed by hackers
to take over control of victims’ computers. Also known as
agents or zombies. Bots are commonly used to construct
botnets.
Bottleneck | Any restriction on the performance of a
system. Can be caused by a slower component or a
pathway with insufficient throughput. A bottleneck causes
other components of system to work slower than their
optimum rate.
Breach | Any compromise of security. Any violation of a
restriction or rule whether caused by an authorized user or
an unauthorized outsider.
Bridge | A network device that forwards traffic between
networks based on the MAC address of the Ethernet frame.
A bridge forwards only packets whose destination address is
on the opposing network.
Bring Your Own Device (BYOD) | A policy of allowing or
even encouraging employees, contractors, and others to
connect their own computers, smartphones, and other
devices to their organization’s networks. BYOD can save
expenses and afford employees more autonomy, but it can
also compromise security.
Brute-force password attack | A form of password or
encryption key cracking attack that tries all possible valid
combinations from a defined set of possibilities (e.g., a set
of characters or hex values). Brute-force attacks will
eventually generate a valid solution given enough time,
assuming the hacker uses the correct set of possibilities.
Buffer overflow | A condition in which a memory buffer
exceeds its capacity and extends its contents into adjacent
memory. Often used as an attack against poor programming
techniques or poor software quality control. Hackers can
inject more data into a memory buffer than it can hold,
which may result in the additional data overflowing into the
next area of memory. If the overflow extends to the next
memory segment designated for code execution, a skilled
attacker can insert arbitrary code that will execute with the
same privileges as the current program. Improperly
formatted overflow data may also result in a system crash.
Bump in the stack | A term for a firewall that is
implemented via software.
Bump in the wire | A term for a firewall that is a separate
hardware implementation.
Business continuity plan | A plan to maintain the
mission-critical functions of the organization in the event of
a problem that threatens to take business processes offline.
The goal of business continuity planning is to prevent the
interruption of business tasks, even with a damaged
environment and reduced resources.
Business task | Any activity necessary to meet an
organization’s long-term goals. Business tasks are assigned
to employees and other authorized personnel via their job
descriptions.
C
Caching | Retention of Internet content by a proxy server.
Various internal clients may access this content and provide
it to subsequent requesters without the need to retrieve the
same content from the Internet repeatedly.
Centralized logging system | A technique of storing or
copying log events to a centralized logging server. This
mechanism is used to create a redundant copy of all log
files in a single warehousing location. A common example of
this is syslog.
Certificate Authority (CA) | A trusted third-party entity
that issues digital certificates to verify and validate
identities of people, organizations, systems, and networks
digitally.
Channel | A communication pathway, circuit, or frequency
dedicated or reserved for a specific transmission.
Chip creep | The slow movement of a chip out of its socket
or solder points because of expansion and contraction
caused by extreme temperature fluctuations.
Chokepoint | Similar to a bottleneck, but deliberately
created within a network infrastructure. A chokepoint is a
controlled pathway through which all traffic must cross. At
this point, filtering to block unwanted communication or
monitoring can occur.
Ciphertext | The seemingly random and unusable output
from a cryptographic function applied to original data.
Ciphertext is the result of encryption. Decryption converts
ciphertext back into plaintext.
Circuit | A logical connection between a client and a
resource server. May exist at Layer 3, 4, or 5 of the OSI
model. Also known as a session or a state.
Circuit firewall | A filtering device that allows or denies the
initial creation of a circuit, session, or state, but performs no
subsequent filtering on the circuit once established.
Circuit proxy | See circuit firewall.
Client | A host on a network. A client is the computer
system, which supports user interaction with the network.
Users employ a client to access resources from the network.
Users can also employ a client generically as any hardware
or software product to access a resource. For example,
standard e-mail software is a client.
Client/server network | A form of network where certain
computers are designated as “servers” to host resources
shared with the network. The remaining computers are
designated as “clients” to enable users to access shared
resources. Most client/server networks employ directory
services and single sign-on. Also known as a domain.
Client-to-server VPN | A VPN created between a client
and a server either within the same local network or across
a WAN link or intermediary network to support secure client
interaction with the services of a resource host. Also known
as a host-to-host VPN.
Clipper chip | A chipset developed and promoted by the
U.S. government as an encryption device to be adopted by
telecommunications companies for voice transmission. It
was announced in 1993 and was discontinued in 1996.
Closed source | A type of software product that is pre-
compiled and whose source code is undisclosed.
Cluster | A logical division of data composed of one or more
sectors on a hard drive. A cluster is the smallest
addressable unit of drive storage, usually 512, 1,024, 2,048,
or 4,096 bytes, depending on the logical volume size.
Cold calling | A tactic of pursuing and extracting
information for the purpose of making a sale or performing a
social engineering attack. A cold call presupposes little or no
knowledge of the person answering the phone. It requires
the caller to be able to pick up on vocal and word clues, be
knowledgeable about human nature, and adapt quickly to
changes in conversation.
Command shell | A software interface with a system that
allows code execution. A command shell is often the focus
of an attack. If a hacker gains access to a command shell,
he or she can perform arbitrary code execution. Also known
as a terminal window or a command prompt. For example,
in Windows, the command shell prompt is usually “C:\>”.
Commercial firewall | A firewall product designed for
larger networks. Usually a commercial firewall is a hardware
device.
Common Gateway Interface (CGI) script | The Common
Gateway Interface (CGI) is a standard that defines how Web
server software can delegate the generation of Web pages
to a console application. Such applications are known as CGI
scripts. They can be written in many programming
languages, although scripting languages are often used.
Compliance audit | A detailed and thorough review of the
deployed security infrastructure compared with the
organization’s security policy and any applicable laws and
regulations.
Compression | Removal of redundant or superfluous data
or space to reduce the size of a data set. Compression
consumes less storage space and increases the speed of
data transmission.
Confidentiality | The security service of preventing access
to resources by unauthorized users, while supporting access
to authorized users.
Content filtering | A form of filtering that focuses on traffic
content. Application proxies perform most content filtering.
Contract worker | An outsider brought into an organization
to work on a temporary basis. Contracted workers can be
consultants, temporary workers, seasonal workers,
contractors, or even day-laborers. Contracted workers
potentially represent a greater risk than regular, full-time
regular employees because they might lack loyalty, not see
the company as worthy of protection, might not be
accountable after a project ends, and so on.
Cookie filter | A cookie is a small text file used by Web
browsers and servers to track Web sessions. A cookie filter
blocks the sending and receiving of cookies. Blocking
cookies can reduce some threats of session tracking and
identify theft, but can also disable many Web-based services
such as online purchasing.
Corporate firewall | An appliance firewall placed on the
border or edge of an organization’s network.
Cost/benefit analysis | The final equation of risk analysis
to assess the relative benefit of a countermeasure against
the potential annual loss of a given asset exposed to a
specific threat.
Covert channel | An unknown, secret pathway of
communication. Covert channels can be timing or storage-
based.
Cross-site scripting (XSS) | The malicious insertion of
scripting code onto a vulnerable Web site. The results of an
XSS attack can include the corruption of the data on the
Web site or identity theft of the site’s visitors.
Cryptography | The art and science of hiding information
from unauthorized third parties. Cryptography is divided into
two main categories: encryption and decryption.
Customer premise equipment (CPE) | A customer
premise equipment-based VPN. This VPN is also known as a
VPN appliance.
D
Data leakage prevention (DLP) | A distributed data
protection technology that leverages deep analysis, context
evaluation, and rules configured from a central console to
ensure confidential information remains secure while in use,
in transit, and at rest
Data Link Layer (Layer 2) | The second layer of the OSI
model responsible for physical addressing (MAC addresses)
and supporting the network topology, such as Ethernet.
Database-based detection | A form of IDS/IPS detection
based on a collection of samples, patterns, signatures, and
so on stored in a database of known malicious traffic and
events. All traffic or events that match an item in the
database is considered abnormal and potentially malicious.
Also known as signature, knowledge, and pattern-matching
based detection.
Dead-man switch | A form of auto-initiation switch that
triggers when the ongoing prevention mechanism fails.
Common dead-man switches include firewalls and hand
grenades. If the firewall stops functioning, the connection is
severed. If a person dies while holding a live grenade, the
safety latch opens and the grenade explodes.
Decryption | The process of converting cipher text back
into plain text.
Dedicated connection | A network connection that is
always on and available for immediate transmission of data.
Most leased lines are dedicated connections.
Dedicated leased lines | See dedicated connection and
leased line.
De-encapsulation | The action of processing the contents
of a header, removing that header, and sending the
remaining payload up to the appropriate protocol in the next
higher layer in the OSI model.
Default allow | A security stance that allows all
communications except those prohibited by specific deny
exceptions. Also known as allow by default.
Default deny | A security stance that blocks all access to
all resources until a valid authorized explicit exception is
defined.
Defense in depth | A tactic of protection involving multiple
layers or levels of security components. Based on the idea
that multiple protections create a cumulative effect that will
require an attacker to breach all layers, not just one.
Demilitarized zone (DMZ) | A type of perimeter network
used to host resources designated as accessible by the
public from the Internet.
Denial of service (DoS) attack | A form of attack that
attempts to compromise availability. DoS attacks are usually
of two types: flaw exploitation and flooding. DDoS
(Distributed Denial of Service) often involves the distribution
of robots, zombies, or agents to thousands or millions of
systems that are then used to launch a DoS attack against a
primary target.
Deny by default/allow by exception | A security stance
that prevents all communications except those enabled by
specific allow exceptions. Also known as default deny.
Deterrent | A form of security defense that focuses on
discouraging a perpetrator with disincentives such as
physical harm, social disgrace, or legal consequences. A
deterrent can also be a defense that is complex or difficult
to overcome, such as strong encryption, multifactor
authentication, or stateful inspection filtering.
Dialer | A rogue program that automatically dials a modem
to a pre-defined number. Sometimes this is to auto-
download additional malware to the victim or to upload
stolen data from the victim. In other cases, the dialer calls
premium rate telephone numbers to rack up massive long
distance charges.
Dictionary password attack | A form of password or
encryption key-cracking attack that uses a pre-constructed
list of potential passwords or encryption keys.
Digital certificate | An electronic proof of identity issued
by a certificate authority (CA). A digital certificate is an
entity’s public key encoded by the CA’s private key.
Digital envelope | A secure communication based on
public-key cryptography that encodes a message or data
with the public key of the intended recipient.
Digital forensic techniques | Identifying, extracting, and
evaluating evidence obtained from digital media such as
computer hard drives, CDs, DVDs and other digital storage
device
Digital signature | A public-key cryptography–based
mechanism for proving the source (and possibly integrity) of
a signed dataset or message. A digital signature uses the
private key of a sender. Not the same as a “digitized
signature,” which is a digital image of handwriting.
Directory service | A network service that maintains a
searchable index or database of network hosts and shared
resources. Often based on a domain name system (DNS). An
essential service of large networks.
Disaster recovery plan | A plan to restore the mission-
critical functions of the organization once they have been
interrupted by an adverse event. The goal of disaster
recovery planning is to return the business to functional
operation within a limited time to prevent the failure of the
organization due to the incident
Disgruntled employee | A worker who feels wronged by
his or her employer and who may take malicious, unethical,
potentially illegal actions to exact revenge on the
organization.
Distributed denial of service (DDoS) | An attack that
uses multiple remotely controlled software agents
disseminated across the Internet. Because the denial of
service attack comes from multiple machines
simultaneously, it is “distributed.” DDoS attacks can include
flooding, spam, eavesdropping, interception, MitM, session
hijacking, spoofing, packet manipulation, distribution of
malware, hosting phishing sites, stealing passwords,
cracking encryption, and more.
Distributed LAN | A LAN whose components are in
multiple places that are interconnected by WAN VPN links.
Diversity of defense | An approach to security similar to
defense in depth, in that it supports multiple layers, but
unlike it, in that it uses a different security mechanism at
each, or most, of the layers.
DNS poisoning | A form of exploitation in which the data
on a DNS server are falsified so subsequent responses to
DNS resolution queries are incorrect. DNS poisoning can
wage man-in-the-middle attacks.
DNS spoofing | A form of exploitation in which
unauthorized or rogue DNS server responds to DNS queries
with false, spoofed resolutions. DNS poisoning can wage
man-in-the-middle attacks.
Domain | A client/server network managed by a directory
service.
Domain Name System (DNS) | A network service that
resolves fully qualified domain names (FQDNs) into their
corresponding IP address. DNS is an essential service of
most networks and their directory services.
Domain registration | The information related to the
owners and managers of a domain name accessed through
domain registrar’s Web sites and whois lookups. A domain
registration might include a physical address, people’s
names, e-mail addresses, and phone numbers. This
information is useful in waging social engineering attacks.
Downtime | Any planned or unplanned period when a
network service or resource is not available. Downtime can
be caused by attack, hardware failure, or scheduled
maintenance. Most organizations strive to minimize
downtime through security and system management.
Dual-homed firewall | A firewall that has two network
interfaces. Each network interface is located in a unique
network segment. This allows for true isolation of the
segments and forces the firewall to filter all traffic moving
from one segment to another.
Dumpster diving | A type of reconnaissance in which an
attacker examines an organization’s trash or other
discarded items to learn internal or private information. The
results of dumpster diving are often used to wage social
engineering attacks.
Dynamic packet filtering | The process of automatically
created temporary filters. In most cases, the filters allow
inbound responses to previous outbound requests. Also
called stateful inspection.
E
Eavesdropping | The act of listening in on digital or audio
conversations. Network eavesdropping usually requires a
sniffer, protocol analyzer, or packet capturing utility.
Eavesdropping may be able to access unencrypted
communication, depending on where it occurs.
Edge router | A router positioned on the edge of a private
network. Usually an edge router is the last device owned
and controlled by an organization before an ISP or telco
connection.
Education | The third and highest level of obtaining
security knowledge that leads to career advancement.
Security education is broad and not necessarily focused on
specific job tasks or assignments. More rigorous than
awareness or training.
Egress filtering | Filtering traffic as it attempts to leave a
network, which can include monitoring for spoofed
addresses, malformed packets, unauthorized ports and
protocols, and blocked destinations.
Electronic Privacy Information Center (EPIC) | A public
interest research group in Washington, D.C., established in
1994 to focus public attention on emerging civil liberties
issues and to protect privacy, the First Amendment, and
Constitutional values in the information age. It pursues a
wide range of activities, including privacy research, public
education, conferences, litigation, publications, and
advocacy. It maintains two of the world’s most popular
privacy sites—epic.org and privacy.org—and publishes the
online EPIC Alert every two weeks with information about
emerging privacy and civil liberties issues.
Encapsulating Security Payload (ESP) | The second core
IPSec security protocol; it can perform authentication to
provide integrity protection, although not for the outermost
IP header.
Encapsulation | The process of enclosing or encasing one
protocol or packet inside another protocol or packet. Also
known as “tunneling.” Encapsulation allows for
communications to cross intermediary networks that might
be incompatible with the original protocol. Encapsulation is
distinct from encryption, but many encapsulation protocols
include encryption.
Encryption | The process of converting original data into a
chaotic and unusable form to protect it from unauthorized
third parties. Decryption returns the data back to its
original, usable form.
Enumeration | The process of discovering sufficient details
about a potential target to learn about network or system
vulnerabilities. Enumeration often starts with operating
system identification, followed by application identification,
then extraction of information from discovered services.
Exploit | An attack tool, method, or technique a hacker
uses to take advantage of a known vulnerability or flaw in a
target system.
Exposure factor (EF) | The potential amount of harm from
a specific threat stated as a percentage. Used in the
calculation of SLE.
Extranet | A type of perimeter network used to host
resources designated as accessible to a limited group of
external entities, such as business partners or suppliers, but
not by the public. Often, access to an extranet requires the
use of a virtual private network or VPN, especially when
access originates from the Internet.
Extranet VPN | A VPN used to grant outside entities access
into a perimeter network; used to host resources designated
as accessible to a limited group of external entities, such as
business partners or suppliers, but not the general public.
F
Fail-open | A failure response resulting in open and
unrestricted access or communication.
Fail-safe | A failure response resulting in a secured or safe
level of access or communication.
Fail-secure | A failure response resulting in a secured or
safe level of access or communication.
Fair queuing | A technique of load balancing that operates
by sending the next transaction to the firewall with the least
current workload.
False negative | An event that does not trigger an alarm
but should have, due to the traffic or event actually being
abnormal and/or malicious. This is the unwanted non-
detection of a malicious event.
False positive | An event that triggers an alarm but should
not have, due to the traffic or event actually being benign.
This is the unwanted false alarm that wastes time and
resources pursuing a non-malicious event.
File encryption | A form of security protection that
protects individual files by scrambling the contents in such a
way as to render them unusable by unauthorized third
parties.
File Transfer Protocol (FTP) | A protocol and a data
exchange system commonly used over TCP/IP networks,
including the Internet, but which is unencrypted and
performs authentication and data transfer in plaintext.
Filter | A written expression of an item of concern (protocol,
port, service, application, user, IP address) and one or more
actions to take when the item of concern appears in traffic.
A filter expresses the intention to block or deny unwanted
items of concern. Also known as a rule or ACL.
Filtering | The process of inspecting content against a set
of rules or restrictions to enforce allow-and-deny operations
on that content. Firewalls and other security components
use filtering.
Firewalking | A hacking technique used against static
packet filtering firewalls to discover the rules or filters
controlling inbound traffic.
Firewall | A network security device or host software that
filters communications, usually network traffic, based on a
set of predefined rules. Unwanted content is denied and
authorized content is allowed. Also known as a sentry
device.
Flaw exploitation attack | A form of DoS that uses a
software specific exploit to cause the interruption of
availability. Once you apply the appropriate patch, the
system is no longer vulnerable to this particular exploit.
Flooding | An attack, usually resulting in a DoS, in which
hackers direct massive amounts of traffic toward a target to
fully consume available bandwidth or processing
capabilities.
Footprinting | The act of researching and uncovering
information about a potential attack target. Also known as
reconnaissance.
Fragmentation | This occurs when a dataset is too large
for maximum supported size of a communication container,
such as a segment, packet, or frame. The original dataset
divides into multiple sections or fragments for transmission
across the size-limited medium, then reassembles on the
receiving end. Fragmentation can sometimes corrupt or
damage data or allow outsiders to smuggle malicious
content past network filters.
Frame | The collection of data at the Data Link Layer (Layer
2) of the OSI model, defined by the Ethernet IEEE 802.3
standard, that consists of a payload from the Network Layer
(Layer 3) to which an Ethernet header and footer have been
attached.
Fully qualified domain name (FQDN) | A complete
Internet host name including a top-level domain name, a
registered domain name, possibly one or more sub-domain
names, and a host name. Examples include:
www.itttech.edu and maps.google.com. A DNS is used to
resolve FQDNs into IP addresses.
Fuzzing tools | Hacking and testing utilities that use a
brute force technique to craft packets and other forms of
input directed toward the target. Fuzzing tools stress a
system to push it to react improperly, to fail, or to reveal
unknown vulnerabilities.
G
Gateway | An entrance or exit point to a controlled space. A
firewall is often positioned at a gateway of a network to
block unwanted traffic.
Gateway-to-gateway VPN | A VPN model used to connect
to offices together such as a main office and a remote
office. It is also referred to as a site-to-site VPN.
General purpose OS | An operating system such as
Windows, Linux, Mac OS, UNIX, which can support a wide
variety of purposes and functions, but which, when used as
a bastion host OS, must be hardened and locked down.
H
Hacker | A person who performs hacking. Modern use of
this term now implies malicious or criminal intent by the
hacker, although criminals are more correctly known as
“crackers.” An “ethical hacker” obtains the permission of
the owner of a system before hacking.
Hacking | The act of producing a result not intended by the
designer of a system. Hackers may perform such acts out of
curiosity or malice. Malicious hacking is known as
“cracking,” but many people typically call all these actions
“hacking,” regardless of intent.
Hacktivism | Politically or socially motivated hacking, seen
by activists as a form of civil disobedience in the interest of
free speech and human rights, but seen by its opponents as
a form of cyberterrorism.
Hairpinning | A process by which malicious code can enter
from a non-secure network, and make a hairpin, or sharp
turn and enter a secure network with little or no trouble
because it is entering from a secure and verified endpoint.
Hairpinning is a particular issue for organizations whose
work-at-home employees want to connect to both an
unsecure network and a VPN at the same time.
Hardening | The process of securing or locking down a host
against threats and attacks. This can include removing
unnecessary software, installing updates, and imposing
secure configuration settings.
Hardware address | The physical address assigned to a
network interface by the manufacturer. Also known as the
MAC address.
Hardware firewall | An appliance firewall. A hardened
computer product that hosts firewall software exclusively.
Hardware VPN | A dedicated device hosting VPN software.
Also known as an appliance VPN. Hardware VPNs can
connect hosts and/or networks.
Hash algorithm | A set of mathematical rules and
procedures that produces a unique number from a dataset.
See hash and hashing.
Hash or hash value | The unique number produced by a
hash algorithm when applied to a dataset. A hash value
verifies the integrity of data.
Hashing | The process of verifying data integrity. Hashing
uses hash algorithms to produce unique numbers from
datasets, known as hash values. If before and after hash
values are the same, the data retain integrity.
Header | The additional data added to the front of a
payload at each layer of the OSI model that includes layer-
specific information.
Hierarchical File System (HFS) | A storage device file
system developed by Apple Inc. for use on Macintosh
computers. HFS supports multiple resource forks for file
objects.
Hijacking | This attack occurs when a hacker uses a
network sniffer to watch a communications session to learn
its parameters. The hacker then disconnects one of the
session’s hosts, impersonates the offline system, and then
begins injecting crafted packets into the communication
stream. If successful, the hacker takes over the session of
the offline host, while the other host is unaware of the
switch.
Honeynet | A collection of multiple honeypots in a network
for the purposes of luring and trapping hackers.
Honeypot | A closely monitored system that usually
contains a large number of files that appears to be valuable
or sensitive, and serves as a trap for hackers. A honeypot
distracts hackers from real targets, detects new
exploitations, and learns the identities of hackers.
Host | A node that has a logical address assigned to it,
usually an IP address. This typically implies that the node
operates at and/or above the Network Layer. This would
include clients, servers, firewalls, proxies, and even routers.
The term excludes switches, bridges, and other physical
devices such as repeaters and hubs. In most cases, a host
either shares or accesses resources and services from other
hosts.
Host firewall | A software firewall installed on a client or
server.
Host VPN | A VPN endpoint located on a host client or
server. A host VPN relies on either a native feature of the
operating system or a third-party application.
Host-to-gateway VPN | A VPN model where the remote
client connects to the VPN server to gain access to the
internal network.
Host-to-host VPN | A VPN created between two individual
hosts across a local or intermediary network. Host-to-host
VPNs is also known as client-to-server or remote-to-office or
remote-to-home VPNs.
Host-to-site VPN | A VPN created between a host and a
network across a local or intermediary network. Also known
as a remote access VPN.
HOSTS file | A static file on every IP-enabled host where
FQDN-to-IP address resolutions can be hard-coded.
Hybrid attack | A form of password or encryption key-
cracking attack that combines dictionary attacks with brute
force attacks. A dictionary list provides seed values to a
brute force attack tool that makes modifications to the seed
value. A very effective attack against users who mistakenly
believe that changing a few characters or adding a few
characters to a base password is actually improving the
password’s strength. For example, hybrid attacks may
combine dictionary words with a digit or two to increase the
likelihood of obtaining a successful result.
Hybrid VPN | A form of VPN establishing a secure VPN over
trusted VPN connections.
I
ICMP redirect | An announcement message sent to hosts
to adjust the routing table. ICMP type 5 messages are
known as redirects. Hackers can use ICMP redirects to
perform man-in-the-middle or session hijacking attacks.
Identity and access management (IAM) | The security
discipline that enables the right individuals to access the
right resources at the right times consistent with
organizational policy.
Identity proofing | The act of authentication. Confirming
the identity of a user or host.
IDS insertion | An attack that exploits the nature of a
network-focused IDS to collect and analyze every packet to
trick the IDS into thinking an attack took place when it
actually hasn’t. The common purpose of IDS injection
attacks is to trick signature or pattern matching detection of
malicious network events.
Incident response plan | A predefined procedure to react
to security breaches to limit damage, contain the spread of
malicious content, stop compromise of information, and
promptly restore the environment to a normal state.
Information Technology Infrastructure Library (ITIL) |
A set of concepts and practices that provide detailed
descriptions and comprehensive checklists, tasks and
procedures for common IT practices. The Security
Management section is based on the ISO 27002 standard.
Ingress filtering | Filtering traffic as it attempts to enter a
network. This can include monitoring for spoofed addresses,
malformed packets, unauthorized ports and protocols, and
blocked destinations.
Insertion attack | An exploit-based on the introduction of
unauthorized content or devices to an otherwise secured
infrastructure. Three common insertion-based attacks
include SQL injection, IDS insertion, and rogue devices.
Instant message (IM) | A form of near real-time text
communication. Also known as chat, IRC, and SMS
messaging.
Intangible cost (or value) | Costs or values not directly
related to budgetary funds. They can include but are not
limited to research and development, marketing edge,
competition value, first to market, intellectual property,
public opinion, quality of service, name recognition, repeat
customers, loyalty, honesty, dependability, assurance,
reliability, trademarks, patents, privacy, and so on.
Integrated Services Digital Network (ISDN) | A set of
communications standards for simultaneous digital
transmission of voice, video, data, and other network
services over the traditional circuits of the public switched
telephone network.
Integrity | The security service of preventing unauthorized
changes to data.
Intentional electromagnetic interference (IEMI) | The
result of an intentional discharge made to damage or
destroy electronic equipment ranging from cell phones to
computers and servers.
Interception attack | Any attack that positions the
attacker inline with a session between a client and server.
Such attacks typically allow the hacker to eavesdrop and
manipulate the contents of the session. Also known as a
man-in-the-middle attack.
Intermediary network | Any network, network link, or
channel located between the endpoints of a VPN. Often the
Internet.
Internal personnel | Any worker or person who is
physically present within the building or who has
authorization to remotely connect into the network. Internal
personnel are the most common cause of security
violations.
Internet Assigned Numbers Authority (IANA) | The
entity responsible for global coordination of IP addressing,
DNS root, and other Internet protocol resources.
Internet Control Message Protocol (ICMP) | A
commonly used protocol found in the Network Layer (Layer
3). ICMP rides as the payload of an IP packet. ICMP supports
network health and testing. Commonly abused by hackers
for flooding and probing attacks.
Internet Engineering Task Force (IETF) | The standards
body for Internet-related engineering specifications.
Internet Key Exchange v2 (IKEv2) | The second and
latest version of the IKE protocol.
Internet Relay Chat (IRC) | A real-time text
communication system. Hackers commonly use IRC as a
way to communicate anonymously and control botnets.
Internetwork Packet Exchange/Sequenced Packet
Exchange (IPX/SPX) | A legacy protocol developed by
Novell for their NetWare networking product. Mostly
replaced by TCP/IP.
Intrusion detection system (IDS) | A security mechanism
to detect unauthorized user activities, attacks, and network
compromise. An IDS can respond in a passive manner
through alerts and logging or in an active manner by
disconnecting an offending session.
Intrusion prevention system (IPS) | A security
mechanism to detect and prevent attempts to breach
security.
IP address | The temporary logical address assigned to
hosts on a network. An IP address is managed and
controlled at the Network Layer (Layer 3) of the OSI model
by IP (Internet Protocol). IPv4 addresses are 32-bit
addresses presented in human-friendly dotted-decimal
notation. IPv6 addresses are 128-bit address presented in a
special hexadecimal grouping format.
IP Multimedia Subsystem (IMS) | An architectural
framework for delivering IP multimedia services; IMS would
carry packet communications in all known forms over
wireless or landline, everything from traditional telephony to
video on demand (VoD).
IPSec | IP protocol encryption services extracted from IPv6
to be used as an add-on component for IPv4. IPSec provides
tunnel mode and transport mode encrypted Network Layer
connections between hosts and/or networks.
J
Job description | An essential part of security and an
extension of the written security policy. The job description
defines the business tasks for each person within the
organization. This in turn prescribes the authorization
personnel need to accomplish these assigned tasks.
K
Kerberos | A computer network authentication protocol
that allows nodes communicating over a non-secure
network to prove their identity to one another in a secure
manner. It is also a suite of free software published by
Massachusetts Institute of Technology (MIT) that implements
this protocol. It was designed as a client-server model, and
it provides mutual authentication—both the user and the
server verify each other’s identity. Kerberos protocol
messages are protected against eavesdropping and replay
attacks.
Key or encryption key | The unique number used to guide
an algorithm in the encryption and decryption process. A
valid key must be within the keyspace of an algorithm.
Key exchange | The cryptographic function ensuring that
both endpoints of a commutation have the same symmetric
key. Key exchange occurs by simultaneous key generation
or with a digital envelope.
Key pair | The set of associated keys including a public key
and a private key used by public key cryptography. Only the
public key can decrypt data encrypted by the private key,
and vice versa.
Keyspace | The range of valid keys used by an algorithm.
Keyspace is the bit length of the keys supported by the
algorithm.
Keystroke logger | Malware that records all keyboard
input and transmits the keystroke log to a hacker.
Knowledge-based detection | A form of IDS/IPS detection
based on a collection of samples, patterns, signatures, and
so on stored in a database of known malicious traffic and
events. All traffic or events that match an item in the
database is considered abnormal and potentially malicious.
Also known as signature, database, and pattern-matching–
based detection.
L
LAN-to-LAN VPN | A VPN between two networks over an
intermediary network. Also known as WAN VPN and site-to-
site VPN.
Layer 2 Forwarding (L2F) Protocol | An early
communications protocol that competed with Point-to-Point
Tunneling Protocol.
Layer 2 Tunneling Protocol (L2TP) | An older protocol
largely replaced by IPSec and SSL/TLS-based VPNs in
production environments, but still in use in some older
environments.
Leased line | A network communications line leased from
an ISP or telco service. A leased line is usually a dedicated
line between network locations or to the Internet.
Leetspeak | A somewhat secret form of communication or
language hackers use based on replacing letters with
numbers, symbols, or other letters that somewhat resemble
the original characters. For example, “elite” becomes
“eleet,” and then becomes “31337.”
Load balancer | A system or device (hardware or software)
that takes the load coming into a set of servers and ensure
that the load is balanced between or among the servers.
Load balancing | A network traffic management technique
to spread the workload or traffic levels across multiple
devices to maintain availability, uptime, and high-
performance at wirespeed.
Local area network (LAN) | A network confined to a
limited geographic distance. Generally, a LAN is comprised
of segments that are fully owned and controlled by the host
organization as opposed to using lines leased from telcos.
Log | A log is a recording or notation of activities. Many
security services, applications, and network resources
automatically create a log of all events. Also known as an
event log or a log file.
Logging | The act of creating or recording events into a log.
Similar to auditing and monitoring.
Logic bomb | Malware that acts like an electronic land
mine. Once a hacker places a logic bomb in a system, it
remains dormant until a triggering event takes place. The
trigger can be a specific time and date, the launching of a
program, the typing of a specific keyword, or accessing a
specific URL. Once the trigger occurs, the logic bomb
springs its malicious event on the unsuspecting use.
Logical address | A temporarily assigned address given to
a host. IP address is a common example of a logical
address. Most logical addresses exist at the Network Layer
(Layer 3) of the OSI model.
M
MAC spoofing | The act of a hacker changing the MAC
address of their network interface. Commonly used to
bypass MAC filtering on a wireless access point by
impersonating a valid client.
Malicious code | Any software that was written with
malicious intent. Administrators use anti-virus and anti-
malware scanners to detect and prevent malicious code
(also known as malware) from causing harm within a private
network or computer.
Management interface | The command line or graphical
interface used to control and configure a device. Often
accessible through a console (CON) port on the device or
through a logical interface across the network.
Man-in-the-middle (MinM) attack | This attack occurs
when a hacker is positioned between a client and a server
and the client is fooled into connecting with the hacker
computer instead of the real server. The attack performs a
spoofing attack to trick the client. As a result, the
connection between the client and server is proxied by the
hacker. This allows the hacker to eavesdrop and manipulate
the communications.
Maximum Transmission Unit (MTU) | The largest amount
of data that a datagram can hold based on the limitations of
the networking devices managing a given segment. As an
MTU changes across a communication path, a datagram
may be fragmented to comply with the MTU restriction.
Mean time between failures (MTBF) | A rating on some
hardware devices expressing the average length of time
between significant failures.
Mean time to failure (MTTF) | A rating on some hardware
devices expressing the average length of time until the first
significant failure is likely to happen.
Media Access Control (MAC) address | The physical
address assigned to a network interface by the
manufacturer. The MAC address is a 48-bit binary address
presented in as hexadecimal pairs separated by colons. The
first half of a MAC address is known as the Organizationally
Unique Identifier (OUI) or vender ID, the last half is the
unique serial number of the NIC.
Metacharacter | A character that has a special meaning
assigned to it and recognized as part of a scripting or
programming language. Metacharacters should be filtered,
escaped, or blocked to prevent script injection attacks.
Escaping metacharacters is a programmatic tactic to treat
all characters as basic ASCII rather than as something with
special meaning or purpose.
Mission-critical | The state or condition of an asset or
process vitally important to the long-term existence and
stability of an organization. If a mission-critical element is
interrupted or removed, it often results in the failure of the
organization.
MITRE | The MITRE Corporation is a not-for-profit
organization chartered to work in the public interest. It
sponsors a vulnerability research, cataloging, and
information organization: http://cve.mitre.org/.
Mobile code | A form of software transmitted to and
executed on a client. Hackers can use mobile code for
malicious purposes.
Mobile IP | A standard communications protocol designed
to let mobile device users move from one network to
another while maintaining a permanent IP address; this
concept is also known as IP mobility. Mobile IP for IPv4 is
described in RFC 5944. Mobile IPv6, designed to work with
next generation of the Internet Protocol, is covered in RFC
6275.
Modeling | The process of simulating and testing a new
concept, design, programming, technique, and so forth
before deployment into a production environment. Modeling
often occurs before piloting.
Monitoring | The act of watching for abnormal or unwanted
circumstances. Commonly used interchangeably with
logging and auditing.
Monkey-in-the-middle attack | Another term for man-in-
the-middle attack.
Multifactor authentication | Authentication that requires
multiple valid proofs of identity used in simultaneous
combination.
N
National Information Infrastructure (NII) | The product
of the High Performance Computing and Communication Act
of 1991. It was a telecommunications policy buzzword,
which was popularized during the Clinton administration
under the leadership of Vice President Al Gore. It was a
proposed advanced, seamless web of public and private
communications networks, interactive services,
interoperable hardware and software, computers,
databases, and consumer electronics to put vast amounts of
information at users’ fingertips.
National Institute of Standards and Technology
(NIST) | NIST is a non-regulatory federal agency within the
U.S. Department of Commerce whose mission is to promote
U.S. innovation and industrial competitiveness by advancing
measurement science, standards, and technology. As part of
its mission, the NIST performs vulnerability research,
cataloging, and information distribution: http://nvd.nist.gov/.
National Security Agency (NSA) | The National Security
Agency/Central Security Service (NSA/CSS) is a cryptologic
intelligence agency of the United States government,
administered as part of the United States Department of
Defense. It is responsible for the collection and analysis of
foreign communications and foreign signals intelligence,
which involves cryptanalysis. It is also responsible for
protecting U.S. government communications and
information systems from similar agencies elsewhere, which
involves cryptography.
Native firewall | A firewall within an operating system or
hardware device placed there by the vendor or
manufacturer. Can also include firewalls not necessarily
installed by default, but which you can add to a system
through an update or patch installation.
NetBIOS Extended User Interface (NetBEUI) | An
application-programming interface (API) developed by IBM
in 1985 to emulate NetBIOS on a token ring network. Still
used by Microsoft to describe a Transport Layer protocol for
file and print sharing over Ethernet, which technically is
better termed NetBIOS Frames (NBF). NBF makes extensive
use of broadcast messages and thus introduces additional
traffic to a network.
Network access control (NAC) | A mechanism that limits
access or admission to a network based on the security
compliance of a host.
Network address translation (NAT) | A service that
converts between internal addresses and external public
addresses. This conversion is performed on packets as they
enter or leave the network to mask and modify the internal
client’s configuration. The primary purpose of NAT is to
prevent internal IP and network configuration details from
being discovered by external entities, such as hackers.
Network Layer (Layer 3) | The third layer of the OSI
model. This layer is responsible for logical addressing (IP
addresses) and routing traffic.
Network News Transfer Protocol (NNTP) | The protocol
used by the USENET message service. USENET is a
persistent message service that allows anyone to post and
read messages from over 100,000 named, categorized,
topical newsgroups.
Network security | The collection of security components
assembled in a network to support secure internal and
external communications. Network security depends on
upon host security. Network security operates to protect the
network as a whole, rather than as individual systems.
New Technology File System (NTFS) | A file format
developed by Microsoft commonly used on Windows
systems. NTFS offers file security, large volume size, large
file size, and alternate data streams (ADS).
Nmap | A network mapping tool that performs network
scanning, port scanning, OS identification, and other types
of network probing. Nmap is available at
http://www.insecure.org/.
Node | Any device on the network that can act as the
endpoint of a communication. This includes clients, servers,
switches, routers, firewalls, and anything with a network
interface that has a MAC address. A node is a component
that can receive communication with, rather than one that
communication only through or across. For example,
network cables and patch panels are not nodes.
Non-authenticating query service | Any communication
exchange that does not verify the identity of the endpoints
of a communication and accepts any properly formed
response as valid. DNS and ARP are common examples.
Hackers can easily spoof such a service.
Non-dedicated connection | A network connection not
always on and available for immediate transmission of data.
A connection must be established through a negation
process before the channel is open and ready for data
transmission. Dial-up, ISDN, and DSL lines are non-
dedicated connections.
Nonrepudiation | A security service that ensures that a
sender cannot deny sending a message. This service can be
provided by public key cryptography, typically through a
digital signature.
O
One-time pad | A form of cryptography in which each
encryption key is used once before being discarded. Keys
are pseudorandom and never repeat. Key length must
match message length, so that each character is encrypted
with a unique key character.
One-way function | A mathematical operation performed
in one direction relatively easily; reversing the operation is
impossible—or nearly so.
Open source | A type of software product that may or may
not be pre-compiled and whose source code is freely
disclosed and available for review and modification.
Opportunistic hackers | A person who takes advantages
of unique or abnormal situations to perform malicious
actions, but who would not initiate such actions otherwise.
Optical carrier (OC) | A form of network carrier line, often
leased or dedicated, which uses fiber optic cables for very
high-speed connections. An OC-1 connection supports a
throughput of 51.84 Mbps.
OS/2 | A multi-tasking operating system developed jointly
by Microsoft and IBM. First released in 1987, it lost nearly its
entire market share to Windows after the two companies
ceased collaboration in 1990. IBM discontinued support in
2006.
Open Systems Interconnection (OSI) Reference Model
| A standard conceptual tool used to discuss protocols and
their functions. The OSI model has seven layers. Each layer
can communicate with its peer layer on the other end of a
communication session. While the OSI model helps to
discuss protocols, most protocols are not in full compliance
with it.
Out of band | A method of communication through an
alternative route, mechanism, or pathway than the current
one employed (the current communication is known as “in
band”). Commonly used as a technique for secured data
exchange or verification of an identity.
P
Packet | The collection of data at the Network Layer (Layer
3) of the OSI model. It consists of the payload from the
Transport Layer (Layer 4) above and the Network Layer
header. IP packets are a common example.
Padded cell | Specialized host used to place an attacker
into a system where the intruder cannot do any harm.
Partition | A logical division of a hard drive that can be
formatted with a file system.
Passive threat | Any harmful code or site that depends
upon the user’s actions to be accessed or activated. If users
never visit an infected site or do not perform the risky
activity, the threat never reaches them. A passive threat is
similar to a virus in that it depends upon the activity of the
user to activate, infect, and spread.
Patch management | The procedure of watching for the
release of new updates from vendors, testing the patches,
obtaining approval, then overseeing the deployment and
implementation of updates across the production
environment.
Payload | The non-header component of a
PDU/segment/packet/frame. The payload is the data
received from the layer above that includes the above
layer’s header and its payload.
Permission | An ability to interact with a resource that is
granted or denied to a user through some method of
authorization or access control, such as access control lists
(ACLs)
Personal firewall | Typically a software host firewall
installed on a home computer or network client. Can also
refer to SOHO hardware firewalls such as those found on
DSL and cable modems and wireless access points.
Phishing | An attack that seeks to obtain information from
a victim by presenting false credentials or luring victims to
an attack site. Phishing can occur face to face, over the
phone, via e-mail, on a Web site, or through IM.
Physical address | The hardware address assigned to a
network interface by the manufacturer. Also known as the
MAC address.
Physical Layer (Layer 1) | The bottom or first layer of the
OSI model. This layer converts data into transmitted bits
over the physical network medium.
Piloting | Using a new service, device, configuration,
software, and so on to a limited number of testing hosts
before rolling out the new component to the entire
production environment. Piloting often occurs after
modeling. Also called beta testing.
Ping sweep | A network scan that sends ICMP type 8 echo
requests to a range of IP addresses to obtain ICMP type 0
echo responses. A ping sweep can discover active systems
and identify the IP addresses in use.
Playback attack | See replay attack.
Point-to-Point Protocol (PPP) | A protocol commonly
used in establishing a direct connection between two
networking nodes.
Point-to-Point Tunneling Protocol (PPTP) | An early
proprietary protocol from Microsoft.
Pop-up blocker | A software tool that prevents or restricts
Web sites from automatically opening additional tabs or
windows without the user’s consent. These additional
windows are known as pop-ups or pop-unders. Pop-ups are
commonly used as methods of advertising, as well as
elements in social engineering and distribution of malicious
code.
Port address translation | An extension to network
address translation (NAT) that permits multiple devices on a
local area network (LAN) to be mapped to a single public IP
address.
Port-based network access (admission) control
(PNAC) | A form of network access control or admission
control (NAC) used on individual network access devices,
such as firewalls, VPN gateways, and wireless routers, to
offload authentication to a dedicated authentication
server/service. Only after valid authentication are
communications with or across the network device allowed.
Port forwarding | The function of routing traffic from an
external source received on a specific pre-defined IP address
and port combination (also known as a socket) to an internal
resource server. Also known as reverse proxy and static NAT.
Port number | The addressing scheme used at the
Transport Layer (Layer 4) of the OSI model. There are
65,535 ports, each of which can in theory support a single
simultaneous communication.
Port scanning | A network scan that sends various
constructions of TCP or UDP packets to determine the open
or closed state of a port. Tools such as nmap are used to
perform port scanning.
POSIX | A variant of the UNIX operating system. Supported
by Windows NT 4.0, but not in any subsequent version of
Windows. POSIX used the ADS feature of NTFS.
Post Office Protocol (POP) | An Application Layer protocol
used by e-mail clients to receive messages from an e-mail
server. The default TCP/IP port is 110, and it does not
encrypt communications. The companion SMTP protocol
sends messages to an e-mail server.
Presentation Layer (Layer 6) | The sixth layer of the OSI
model translates the data received from host software into a
format acceptable to the network. This layer also performs
this task in reverse for data coming from the network to
host software.
Principle of least privilege | The guideline that all users
should be granted only the minimum level of access and
permission required to perform their assigned job tasks and
responsibilities.
Privacy | Keeping information about a network or system
user from being disclosed to unauthorized entities. While
typically focused on private information like a Social
Security number, medical records, credit card number,
cellular phone number, etc., privacy concerns extend to any
data that represents personally identifiable information (also
known as PII).
Private branch exchange (PBX) | A type of business
telephone network. PBX systems allow for multiple phone
extensions, voice mailboxes, and conference calling. PBX
systems require specialized equipment. PBX systems are
largely being replaced by VOIP (Voice over IP) solutions.
Private IP address | The ranges of IP addresses defined in
RFC 1918 for use in private networks that are not usable on
the Internet.
Private key | The key of the public key cryptography key
pair kept secret and used only by the intended entity. The
private key decodes information encoded with its associated
public key, encrypting information that can be decrypted
only by its associated public key. This process validates the
identity of the originator and creates a digital signature.
Privilege | An increased ability to interact with and modify
the operating system and desktop environment granted or
denied to a user through some method of authorization or
access control, such as user rights on a Windows system.
Privilege escalation | The act of obtaining a higher level
of privilege or access for a user account or a session. A
tactic employed by hackers once they intrude into a
network through the compromise of a normal user account.
Professional hacker | A criminal whose objective is to
compromise IT infrastructures. Whether operating as
individuals, offering mercenary hacking services, or
functioning as members of a criminal ring, professional
hackers focus time and energy on becoming effective cyber
attackers. A professional hacker is someone who contracts
out his or her hacking skills to others.
Proprietary OS | An operating system built exclusively to
run on a bastion host device. Most appliance firewalls
employ a proprietary operating system.
Protocol Data Unit (PDU) | The collection of data at the
Session, Presentation, and Application layers (Layers 5–7) of
the OSI model.
Proxy attack | See man-in-the-middle attack.
Proxy manipulation | An attack in which a hacker modifies
the proxy settings on a client to redirect traffic to another
system, such as the hacker’s own machine. The hacker may
host a proxy server in addition to eavesdropping and
manipulating the redirected traffic.
Proxy server | A network service that acts as a “middle
man” between a client and server. A proxy can hide the
identity of the client, filter content, perform NAT services,
and cache content.
Pseudo random number generator (PRNG) | The
mechanism of computer systems that produces partially
random numbers using a complex algorithm and a seed
value that is usually time based. Computers are currently
unable to produce true random numbers and a PRNG
approximates randomness.
Public IP address | Any address that is valid for use on the
Internet. This excludes specially reserved addresses such as
loopback (127.0.0.1–127.255.255.255), RFC 1918
addresses, and the Windows APIPA addresses (169.254.0.0–
169.254.255.255). Organizations lease public addresses
from an Internet Service Provider (ISP).
Public key | The key of the public key cryptography key
pair shared with other entities with whom the holder of the
private key wishes to correspond. The public key decodes
messages encoded with its associated private key,
originates messages that only the holder of the associate
private key can decrypt, and creates digital envelopes.
Public key cryptography | A subset of asymmetric
cryptography based on the use of key pair sets. Public key
cryptography uses public and private keys to create digital
envelopes and digital signatures.
Public key infrastructure (PKI) | A combination of
several cryptographic components to create a real-world
solution that provides secure communications, storage, and
identification services. Commonly uses symmetric
encryption, asymmetric/public key encryption, hashing, and
digital certificates. In most cases, when PKI refers to
authentication, digital certificates are used as credentials.
Public network | Any network that accessible by entities
from outside an organization. Most often, use of this term
implies the Internet, but many other public networks exist.
Pwned | A leetspeak word derived from a common IRC typo
of “owned.” Used to mean hacking and taking over control
of a computer or network.
R
Reconnaissance | The act of learning as much as possible
about a target before attempting attacks. Reconnaissance
consists of collecting data about the target from multiple
sources online and offline. Effective reconnaissance is done
covertly, without tipping off the target about the research.
Reconnaissance can also be called footprinting, discovery,
research, and information gathering.
Recreational hacker | Someone who enjoys exploring and
learning about computer technology but may put an
organization’s network at risk by bringing in unapproved
software, experimenting on the network, or just trying an
exploit to “see if it works.”
Redundancy | The feature of network design that ensures
the existence of multiple pathways of communication. The
purpose is to prevent or avoid single points of failure.
Redundant array of independent disks (RAID) | A disk
set management technology that gains speed and fault
tolerance. RAID can provide some protection against hard
drive failure, but does not protect against software or data
compromises, such as virus infection.
Regional Internet Registry (RIR) | The five regional
organizations that oversee and monitor the allocation and
registration of IP addresses (both IPv4 and IPv6). RIR
consists of American Registry for Internet Numbers (ARIN),
RIPE Network Coordination Center (RIPE NCC), Asia-Pacific
Network Information Centre (APNIC), Latin American and
Caribbean Internet Address Registry (LACNIC) and African
Network Information Centre (AfriNIC).
Rekeying | The process of triggering the generation of a
new symmetric encryption key and secure exchange of that
key. Rekeying can take place based on time, idleness,
volume, randomness, or election.
Remote access | A communications link that enables
access to network resources using a wide area network
(WAN) link to connect to a geographically distant network. In
effect, remote access creates a local network link for a
system not physically local to the network. Over a remote
access connection, a client system can technically perform
all the same tasks as a locally connected client, with the
only difference being the speed or the bandwidth of the
connection.
Remote access server (RAS) or network access server
(NAS) | A network server that accepts inbound connections
from remote clients. Also known as a network access server
(NAS).
Remote access VPN | Another name for host-to-site VPN.
Remote-to-home VPN | A VPN used to connect a remote
or mobile host into a home computer or network. Also
known as a host-to-host VPN.
Remote-to-office VPN | A VPN used to connect a remote
or mobile host into office network workstation. Also known
as a host-to-host VPN.
Remote control | The ability to use a local computer
system to remotely take control of another computer over a
network connection. Often used for remote technical
assistance.
Replay attack | This attack occurs when a hacker uses a
network sniffer to capture network traffic and then
retransmits that traffic back on to the network at a later
time. Replay attacks often focus on authentication traffic in
the hope that retransmitting the same packets that allowed
the real user to log into a system will grant the hacker the
same access.
Request for comments (RFC) | A document that defines
or describes computer and networking technologies. These
documents are published by the Internet Engineering Task
Force, the standards body for Internet engineering
specifications. RFCs exist for hardware, operating systems,
protocols, security services, and much more.
Resources | Any data item or service available on a
computer or network accessible by a user to perform a task.
Return on Investment (ROI) | A business evaluation
technique to determine whether an investment will earn
back equivalent or greater benefit within a specific time.
Reverse caching | A means of providing faster access to
static content for external users accessing internal Web
servers.
Reverse proxy | The function of routing traffic from an
external source received on a specific pre-defined IP address
and port combination (also known as a socket) to an internal
resource server. Also known as port forwarding and static
network address translation (NAT).
RFC 1918 addresses | IP addresses that, by convention,
are not routed outside a private or closed network. Class A:
10.0.0.0–10.255.255.255; Class B: 172.16.0.0–
172.31.255.255; Class C: 192.168.0.0–192.168.255.255
Risk | The likelihood or potential for a threat to take
advantage of a vulnerability and cause harm or loss. Risk is
a combination of an asset’s value, exposure level, and rate
of occurrence of the threat. A goal of security is to
recognize, understand, and eliminate risk.
Risk assessment | Risk assessment is the process of
examining values, threat levels, likelihoods, and total cost of
compromise versus the value of the resource and the cost of
the protection. This involves the use of values and
calculations, such as AV, EF, SLE, ARO, ALE, and the
cost/benefit equation.
Risk management | Performing risk assessment, and then
acting on the results to reduce or mitigate risk. Often risk
assessment establishes a new security policy and then aids
in revising it over time.
Rogue access point | An access point set up and
configured by a hacker to fool users into connecting with it.
The hacker may then use the connection to carry out an
attack such as a man-in-the-middle attack.
Role or job role | A collection of tasks and responsibilities
defined by a security policy or job description for an
individual essential productivity, or security position.
Rootkit | A form of malware that hackers can upload and
deploy on a target system. It often replaces multiple
components of the host operating system with altered code.
Round-robin | A form of load balancing which hands out
tasks in a repeating non-priority sequence.
Router | A network device responsible for directing traffic
towards its stated destination along the best-known current
available path.
RRDool | A round-robin database tool intended to handle
time-series data like network bandwidth, temperatures, CPU
load, and so on. The data are stored in a round-robin
database (circular buffer); thus the system storage footprint
remains constant over time.
Rule | A written expression of an item of concern (protocol,
port, service, application, user, IP address) and one or more
actions to take when the item of concern appears in traffic.
Also known as a filter or ACL.
Rule set | The list of rules on a firewall (or router or switch)
that determine what traffic is and is not allowed to cross the
filtering device. Most rule sets employ a first-match-apply-
action process.
S
Sacrificial host | A firewall positioned at the initial entry
point where a network interfaces with the Internet serving
as the first line of defense for the network. Also known as a
bastion host.
Scalability | The ability of a product or service to provide
adequate performance across changes in size, load, scope,
or volume.
Scanning | The act of probing a network using custom
crafted packets. Scanning can determine the IP addresses in
use and whether ports are open or closed. The tool nmap
can be used to perform scanning.
Screening router | A router that can perform basic static
packet filtering services in addition to routing functions. A
screening router is the predecessor of modern firewalls.
Script kiddie | A new, inexperienced, or ignorant hacker
who uses pre-built attack tools and scripts instead of writing
his or her own or customizing existing ones. Even though a
derogatory term in the hacker community, “script kiddie”
still describes a serious threat to network security.
Sector | A subdivision of computer storage medium that
represents a fixed size of user-accessible data. Magnetic
disks typically have 512-byte sectors; optical disks have
2,048-byte sectors. When a device is formatted, sectors are
grouped into clusters.
Secure Shell (SSH) | A network protocol that allows data
exchange using a secure channel between two networked
devices. It is used primarily on GNU/Linux and UNIX based
systems to access shell accounts. SSH was a replacement
for Telnet and other insecure remote shells, which send
information, notably passwords, in plaintext, rendering them
susceptible to packet analysis. The encryption used by SSH
provides confidentiality and integrity of data over an
insecure network, such as the Internet.
Secure Sockets Layer (SSL) | A security protocol that
operates at the top of the Transport Layer (Layer 4) and
resides as the payload of a TCP session. Netscape designed
SSL in 1997 for secure Web e-commerce, but it can encrypt
any traffic above the Transport Layer. It uses public key
certificates to identify the endpoints of session and uses
symmetric encryption to protect transferred data. SSL v3.0
is the last version of SSL; TLS is replacing SSL.
Secured VPN | A VPN that uses encryption to protect the
confidentiality of its transmissions.
Security objectives | Sets of stated purposes or targets
for network security activity. Standard objectives are
confidentiality, integrity, and availability. Objectives are
generally more oriented towards achieving or maintaining
the goals, such as ensuring the confidentiality of resources.
Security policy | A written document prescribing security
goals, missions, objectives, standards, procedures, and
implementations for a given organization. Also identifies
what assets need protection based on their value.
Security stance | An organization’s filtering configuration;
in essence, its answer to the question, “What should be
allowed and what should be blocked?”
Security Technical Implementation Guides (STIGS) | A
security guideline, procedure, or recommendation manual.
Security through obscurity | A form of security based on
hiding details of a system, or creating convolutions that are
difficult to understand. Such strategies do not usually resist
a persistent attack, and are used when true security is
poorly understood or the perceived threat is insufficient to
overcome the obscure methodology. For example,
proprietary source encryption algorithms can be labeled
security through obscurity, as no forum for peer review or
for formal testing exists to examine whether the
methodology is cryptographically sound.
Segment | The collection of data at the Transport Layer
(Layer 4) of the OSI model. It consists of the payload from
the Session Layer (Layer 5) above and the Transport Layer
header. TCP segments are a common example. (Note: UDP
segments are called datagrams as they are connectionless,
rather than connection-oriented).
Senior management | The individual or group of highest
controlling and responsible authority within an organization.
Ultimately the success or failure of network security rests
with senior management.
Separation of duties | An administrative rule whereby no
single individual possesses sufficient rights to perform
certain actions. Achieved by dividing administrative level
tasks and powers among compartmentalized administrators.
Server | A host on a network. A server is the computer
system that hosts resources accessed by users from clients.
Service level agreement (SLA) | A contractual
commitment by a service provider or support organization
to its customers or users.
Session | A logical connection between a client and a
resource server. May exist at Layer 3, 4, or 5 of the OSI
model. Also known as a circuit or a state.
Session hijacking | When a hacker is able to take over a
connection after a client has authenticated with a server. To
perform this attack, a hacker must eavesdrop on the session
to learn details, such as the addresses of the session
endpoints and the sequencing numbers. With this
information, the hacker can desynchronize the client, take
on the client’s addresses, and then inject crafted packets
into the data stream. If the server accepts the initial false
packets as valid, then the session has been hijacked.
Session Layer (Layer 5) | The fifth layer of the OSI model.
This layer manages the communication channel, known as a
session, between the endpoints of the network
communication. A single transport layer connection
between two systems can support multiple simultaneous
sessions.
Shell code | The content of an exploit to be executed on or
against a target system.
Signature-based detection | A form of IDS/IPS detection
based on a collection of samples, patterns, signatures, and
so on stored in a database of known malicious traffic and
events. All traffic or events that match an item in the
database is considered abnormal and potentially malicious.
Also known as database, knowledge, and pattern-matching–
based detection.
Simple Mail Transfer Protocol (SMTP) | An Application
Layer protocol used by e-mail clients to send messages to
an e-mail server and is also used to relay messages
between e-mail servers. The default TCP/IP port is 25, and it
does not encrypt communications. The companion POP
protocol receives messages from an e-mail server.
Single-factor authentication | The use of only a single
element of validation or verification to prove the identity of
a subject. Considered much weaker than multi-factor
authentication.
Single loss expectancy (SLE) | The calculation of the loss
potential across of a single incident for a given asset and a
specific threat. SLE calculations are part of risk assessment.
SLE = AV × EF.
Single point of failure | Any element of a system or
network infrastructure, which is the primary or only pathway
through which a process occurs. The compromise of such an
element could result in system failure. Network design
should avoid single points of failure by including redundancy
and defense in depth.
Single sign-on (SSO) | A network security service that
allows a user to authenticate to an entire domain through a
single client log on process. All domain members will accept
this single authentication. Local authorization is used to
control access to individual resources. Such a single
authentication can be more complex, since multiple logons
for each individual server are not required.
Site-to-site VPN | A VPN used to connect networks. Also
known as a LAN-to-LAN VPN and WAN VPN.
Slack space | The unused portion of the last cluster
allocated to a stored file. It may contain remnants of prior
files stored in that location. Hackers can hijack slack space
to create hidden storage compartments.
Slideware | An industry term referring to any product that
appears in a vendor’s PowerPoint slide deck, but is not yet
available in one of its products. Also sometimes known as
“vaporware.”
Sniffer | A software utility or hardware device that captures
network communications for investigation and analysis. Also
known as packet analyzer, network analyzer, and protocol
analyzer.
Social engineering | The craft of manipulating people into
performing tasks or releasing information that violates
security. Social engineering relies on telling convincing lies
to manipulate people or take advantage of the victim’s
desire to be helpful.
Socket | The combination of an IP address and a port
number as a complete address.
Software firewall | A host firewall installed on a client or
server.
Software VPN | A VPN crafted by software rather than
hardware. Software VPN may be a feature of the operating
system or a third-party application.
SOHO (small office, home office) network | Any small
network, workgroup, or client/server, deployed by a small
business, a home-based business, or just a family network
in a home.
Spam | Unwanted and often unsolicited messages. Spam is
not technically malicious software, but spam can have a
serious negative effect on IT infrastructures through sheer
volume. Estimates vary, but spam may represents up to 95
percent of all e-mail (which implies for every legitimate e-
mail there are up to 19 unrelated spam e-mails.)
Split tunnel | A VPN connection that allows simultaneous
access to the secured VPN link and unsecured access to the
Internet across the same connection.
Spoofing | The falsification of information. Often spoofing is
the attempt to hide the true identity of a user or the true
origin of a communication.
Spyware | An advancement of keystroke logging to monitor
and record many other user activities. Spyware varies
greatly, but it can collect a list of applications launched,
URLs visited, e-mail sent and received, chats sent and
received, and names of all files opened. It can also record
network activity, gather periodic screen captures, and even
recording from a microphone or Web cam. Can be linked
with adware.
SQL injection | A form of Web site/application attack in
which a hacker submits SQL expressions to cause
authentication bypass, extraction of data, planting of
information, or access to a command shell.
State | A logical connection between a client and a
resource server. May exist at Layer 3, 4, or 5 of the OSI
model. Also known as a session or a circuit.
Stateful inspection | The process of automatically
tracking sessions or states to allow inbound responses to
previous outbound requests. Also called dynamic packet
filtering.
Static electricity discharge (SED) or Electrostatic
discharge (ESD) | A sudden and momentary electric
current, usually of high voltage and low amperage, that
flows between two objects. Commonly caused by low
humidity environments. Humans, polyester, and plastics are
prone to static build-up. SED can damage most computer
components.
Static NAT | The static coding of a translation pathway
across a NAT service. Also known as port forwarding and
reverse proxy.
Static packet filtering | A method of filtering using a
static or fixed set of rules to filter network traffic. The rules
can focus on source or destination IP address, source or
destination port number, IP header protocol field value,
ICMP types, fragmentation flags, and IP options. Static
packet filtering is therefore mainly focused on the Network
Layer (Layer 3), but can also include Transport Layer (Layer
4) elements. Static packet filtering focuses on header
contents and does not examine the payload of packets or
segments.
Sunk cost | Time, money, and effort already spent on a
project, event, or device. In economics, sunk costs are
irrelevant to future decisions. Emotionally, however, people
often use sunk costs as a rationalization to continue failing
processes or procedures.
Switch | A device, which provides network segmentation
through hardware. Across a switch, temporary dedicated
electronic communication pathways are created between
the endpoints of a session (such as a client and server). This
switched pathway prevents collisions. Additionally, switches
allow the communication to use the full potential throughput
capacity of the network connection, instead of 40 percent or
more being wasted by collisions (as occurs with hubs).
Symmetric cryptography | Cryptography based on
algorithms that use a single shared secret key. The same
key encrypts and decrypts data and the same key must be
shared with all communication partners of the same
session.
Synchronous dynamic random access memory
(SDRAM) | Dynamic random access memory (DRAM) that
has a synchronous interface. Traditionally, dynamic random
access memory (DRAM) has an asynchronous interface,
which means that it responds as quickly as possible to
changes in control inputs. SDRAM has a synchronous
interface, meaning that it waits for a clock signal before
responding to control inputs and is therefore synchronized
with the computer’s system bus.
Systems Network Architecture (SNA) | A legacy
networking protocol developed by IBM commonly used to
support communications between mainframes. Mostly
replaced by TCP/IP.
T
Tangible cost (or value) | Costs or values directly related
to budgetary funds. They can include, but are not limited to:
purchase, license, maintenance, management,
administration, support, utilities, training, troubleshooting,
hardware, software, updates/upgrades, and so forth.
Tcpdump | A common packet analyzer that runs at the
command line. It allows the user to intercept and display
TCP/IP and other packets being transmitted or received over
a network to which the computer is attached.
Telco | Short for telecommunications company or
corporation. Used to refer to any company that sells or
leases WAN connection services whether wired or wireless.
Telecommuting | The act of working from a home, remote,
or mobile location while connecting into “the employer’s
private network, often using a VPN.
Telnet | A protocol and a service used to remotely control or
administer a host through a plaintext command line
interface.
Terminal server/services/session | A modern form of
legacy thin client operation. A thin client software utility
connects to a central terminal server, which simulates
remote control. A terminal service system can support
multiple simultaneous terminal client connections. When
terminal services are in use, the client workstation coverts
to thin client status. All operations of storage and processing
then take place on the terminal server.
Thin client computing | A legacy terminal concept used to
control mainframes. Thin clients had no local processing or
storage capability. Modern thin clients simulate these
limitations and perform all operations on the terminal
server, remote control server, or thin client server.
Threat | Any potential harm to a resource or node on the
network. Threats can be natural or artificial, caused by
mother nature or man, or by the result of ignorance or
malicious intent. Threats originate internally and externally.
Traceroute | A computer network tool used to show the
route taken by packets across an IP network. An IPv6
variant, traceroute6, is also widely available.
Traffic congestion | The problem when too much data
crosses a network segment. This results in reduced
throughput, increased latency, and lost data.
Training | The second level of knowledge distribution
offered by an organization to educate users about job task
focused security concerns. More rigorous than awareness;
less rigorous than education.
Transmission Control Protocol (TCP) | The connection-
oriented protocol operating at the Transport Layer (Layer 4)
of the OSI model.
Transport Layer (Layer 4) | The fourth layer of the OSI
model. This layer formats and handles data transportation.
This transportation is independent of and transparent to the
application.
Transport Layer Security (TLS) | A security protocol that
operates at the top of the Transport Layer (Layer 4) and
resides as the payload of a TCP session. It uses public key
certificates to identify the endpoints of session and uses
symmetric encryption to protect transferred data. TLS 1.0 is
the replacement for SSL 3.0.
Transport mode encryption | A form of encryption also
known as point-to-point or host-to-host encryption.
Transport mode encryption protects only the payload of
traffic and leaves the header in plain-text original form.
Trapdoor | A form of unauthorized access to a system. A
trapdoor is any access method or pathway that circumvents
access or authentication mechanisms. Also known as a
backdoor.
Triple-homed firewall | A firewall that has three network
interfaces. Each network interface is located in a unique
network segment. This allows for true isolation of the
segments and forces the firewall to filter all traffic traversing
from one segment to another.
Trojan horse | A mechanism of distribution or delivery
more than a specific type of malware. The Trojan horse
embeds a malicious payload within a seemingly benign
carrier or host program. When the host program is executed
or otherwise accessed, the malware is delivered. The
gimmick of a Trojan horse is the act of fooling someone (a
type of social engineering attack) into accepting the Trojan
program as safe.
Trust | Confidence in the expectation that others will act in
your best interest, or that a resource is authentic. On
computer networks, trust is the confidence that other users
will act in accordance with the organization’s security rules
and not attempt to violate stability, privacy, or integrity of
the network and its resources.
Trusted Platform Module (TPM) | A dedicated microchip
found on some motherboards that host and protect the
encryption key for whole hard drive encryption.
Trusted third party | A mechanism of authentication using
a third entity known and trusted by two parties. The trusted
third party allows the two communicating parties, who were
originally strangers to each other, to establish an initial level
of inferred trust.
Trusted VPN | A VPN whose components are wholly owned
by the organization it serves.
Tunnel mode encryption | A form of encryption also
known as site-to-site, LAN-to-LAN, gateway-to-gateway,
host-to-LAN, and remote access encryption. Tunnel mode
encryption performs a complete encapsulation of the
original traffic into a new tunneling protocol. The entire
original header and payload are encrypted and a temporary
link or tunnel header guides the data across the
intermediary network.
Tunneling | The act of transmitting a protocol across an
intermediary network by encapsulating it in another
protocol. See encapsulation.
Two-factor authentication | A method of proving identity
using two different authentication factors. Authentication
factors are something you know, something you have, or
something you are. Examples include a smart card
(something you have) with a PIN (something you know), a
biometric device (something you are) coupled with a
password (something you know), or a proximity card
(something you have) that activates a fingerprint reader
(something you are).
U
Unified threat management (UTM) | The deployment of
a firewall as an all-encompassing primary gateway security
solution. The idea behind UTM is a single device can be
designed to perform firewall filtering, IPS, antivirus
scanning, anti-spam filtering, VPN end-point hosting,
content filtering, load-balancing, detailed logging, and
potentially other security services, performance
enhancements, or extended capabilities.
Universal participation | The principle that for an
organization’s security policy to be effective, everyone must
be forced to work within it and follow its rules.
Unpartitioned space | The area on a storage device not
contained within a partition. Unpartitioned space is not
directly accessible by the OS.
Upstream filtering | The management of traffic by a
firewall or other filtering device located one or more hops
away (upstream) from a private network.
URL injector | Malware that replaces URLs in HTTP GET
requests for alternative addresses. These injected URLs
cause a different Web page to appear in the browser than
the one requested by the user’s request. These replaced
Web pages could be advertisement sites, generate traffic to
falsify search engine optimization (SEO), or lead to fake or
spoofed sites.
USENET newsgroups | Persistent public messaging forums
accessed over the NNTP (Network News Transfer Protocol).
USENET has existed since 1980. Although the Web, e-mail,
and BitTorrent are more widely known, USENET is still in use
today.
User Datagram Protocol (UDP) | The connectionless
protocol operating at the Transport Layer (Layer 4) of the
OSI model.
V
Virtual private network (VPN) | A mechanism to
establish a secure remote access connection across an
intermediary network, often the Internet. This allows
inexpensive insecure links to replace expensive security
links. VPNs allow for cheap long-distance connections
established over the Internet. Both endpoints need only a
local Internet link. The Internet itself serves as a “free” long-
distance carrier. VPNs employ encapsulation and tunneling
protocols, such as IPSec.
Virus | Malware that needs a host object to infect. Most
viruses infect files, such as executables, device drivers,
DDLs, system files, and sometimes even document, audio,
video, and image files. Some viruses infect the boot sector
of a storage device, including hard drives, floppies, optical
discs, and USB drives. Viruses are spread through the
actions of users, and spread file-to-file (compare to worms).
VPN appliance | A hardware VPN device.
VPN Fingerprinting | A technique used by an attacker to
identify the vendor, and in some cases, the software
version, of a VPN server.
Vulnerability | A weakness or flaw in a host, node, or any
other infrastructure component that a hacker can discover
and exploit. Security management aims to discover and
eliminate such vulnerabilities.
Vulnerability management | The technology and
business processes used to identify, track, and mitigate
known weaknesses on hosts within a computing
environment.
Vulnerability scanning | A form of investigation that aims
at checking whether or not a target system is subject to
attack based on a database of tests, scripts, and simulated
exploits.
W
WAN VPN | A VPN between two networks over an
intermediary network. Also known as LAN-to-LAN VPN and
site-to-site VPN.
Wardialing | A method of discovering active modems by
dialing a range of phone numbers.
Wardriving | A method of discovering wireless networks by
moving around a geographic area with a detection device.
Wardriving | A method of discovering wireless networks by
moving around a geographic area with a detection device.
Weakest link | A security stance based on a repeating
process of locating the least secure element of an
infrastructure and securing it and then identifying a new
weakest link and securing it.
Whitelist | A type of filtering concept where the network
denies all activities except for those on the white list. Also
known as an “allow” or “permissions list.”
Whois | A tool used to view domain registration
information. Whois is a command line function of Linux and
Unix, but is also a tool on most domain registrar Web sites.
Whole hard drive encryption | The process of encrypting
an entire hard drive rather than just individual files. In most
cases, whole hard drive encryption provides better security
against unauthorized access than file encryption, because it
encrypts temporary directories and slack space.
Wide area network (WAN) | A network not limited by any
geographic boundaries. A WAN network can span a few city
blocks, reach across the globe, and even extend into outer
space. A distinguishing characteristic of a WAN is its use of
leased or external connections and links. Often, telcos own
these external connections.
Wirespeed | The maximum communication or transmission
capability of a network segment. Often used to describe a
network device’s ability to perform tasks on traffic, while
being able to maintain overall network transmission speeds
without introducing delay, lag, or latency.
Workgroup | A form of networking where each computer is
a peer. Peers are equal to each other in terms of how much
power or controlling authority any one system has over the
other members of the same workgroup. All workgroup
members are on equal footing because they can manage
their own local resources and users, but not those of any
other workgroup member.
Worm | Malware that does not need a host object; instead,
a worm is a self-sustaining program in its own right. Worms
are designed around specific system flaws. The worm scans
other systems for this flaw and exploits the flaw to gain
access to another victim. Once hosted on another system,
the worm seeks to spread itself by repeating the process.
Worms can act as carriers to deposit other forms of
malicious code as they multiply and spread across
networked hosts.
Wrapper | A tool used to create Trojan horses by
embedding malware inside of a host file or program.
Write-once read-many (WORM) | A form of storage
device that can be written to once, but once written cannot
be electronically altered. Examples include DVD-R, WORM
tapes, and WORM hard drives.
Z
Zero-day exploits | New and previous unknown attacks for
which are there no current specific defenses. “Zero day”
refers to the newness of an exploit, which may be known in
the hacker community for days or weeks. When such an
attack occurs for the first time, defenders are given zero
days of notice (hence the name.) Such attacks usually
exploit previously unidentified system flaws.
Zeroization | The process of purging a storage device by
writing zeros to all addressable locations on the device. A
zeroized device contains no data remnants that other users
could potentially recover.
Zombie | A malicious software program distributed by a
hacker to take over control of a victim’s computer. Also
known as a bot or an agent. Zombies are commonly used to
construct botnets (or zombie armies).
Zombie army | A network of zombie/bot/agent-
compromised systems controlled by a hacker. The network
consists of the bots, agents, or zombies that
intercommunicate over the Internet. Another term for
botnet.
Zone of risk | Any segment, subnet, network, or collection
of networks that represent a certain level of risk. The higher
the risk, the higher the security need to protect against that
risk. The less the risk of a zone, the lower security need
because fewer threats exist or existing threats are less
harmful. The flip side of risk zones is zones of trust.
Zone of trust | Any segment, subnet, network, or
collection of networks that represent a certain level of trust.
Highly trusted zones require less security, while low trusted
zones require more security. The flip side of trust zones is
zones of risk.
References
Beaver, Kevin. Hacking For Dummies. 3rd ed. Indianapolis:
Wiley Publishing, Inc., 2010.
Bhaiji, Yusuf. Network Security Technologies and Solutions.
Indianapolis: Cisco Press, 2008.
Bott, Ed. “The malware numbers game: how many viruses
are out there?” The Ed Bott Report, April 15, 2012.
http://www.zdnet.com/blog/bott/the-malware-numbers-
game-how-many-viruses-are-out-there/4783 (accessed
May 2, 2013).
Cheswick, William R., Steven M. Bellovin, and Aviel D. Rubin.
Firewalls and Internet Security: Repelling the Wily Hacker.
2nd ed. Boston: Addison-Wesley Professional, 2003.
Cisco Systems. “IKEv2 Packet Exchange and Protocol Level
Debugging,” 2013.
http://www.cisco.com/en/US/tech/tk583/tk372/technologie
s_tech_note09186a0080bf2932.shtml (accessed June 17,
2013).
Cisco Systems. Internetworking Technologies Handbook,
Virtual Private Networks.
http://www.cisco.com/en/US/docs/internetworking/technol
ogy/handbook/VPN.html (accessed July 15, 2010).
CNN. “How the President’s secret helicopter plans wound up
in Iran.” March 2009.
http://ac360.blogs.cnn.com/2009/03/10/how-the-
presidents-secret-helicopter-plans-wound-up-iran/
(accessed July 15, 2010).
Cole, Eric. Hiding in Plain Sight: Steganography and the Art
of Covert Communication. Indianapolis: Wiley Publishing,
Inc., 2003.
———. Network Security Bible. Indianapolis: Wiley
Publishing, Inc., 2009.
Comer, Douglas E. Internetworking with TCP/IP, Vol 1. 5th
ed. Upper Saddle River, NJ: Prentice Hall, 2005.
Davies, Joseph, and Elliot Lewis. Deploying Virtual Private
Networks with Microsoft Windows Server 2003 (Technical
Reference). Redmond, WA: Microsoft Press, 2003.
Davis, Michael, Sean Bodmer, and Aaron LeMasters. Hacking
Exposed Malware and Rootkits. New York: McGraw-Hill
Osborne Media, 2009.
Defense Information Systems Agency (DISA). “Information
Assurance Support Environment (IASE), Security
Checklists.” http://iase.disa.mil/stigs/checklist/index.html
(accessed July 15, 2010).
Defense Information Systems Agency (DISA). “Information
Assurance Support Environment (IASE), Security Technical
Implementation Guides (STIGS).”
http://iase.disa.mil/stigs/stig/index.html (accessed July 15,
2010).
DeLaet, Gert, and Gert Schauwers. Network Security
Fundamentals. Indianapolis: Cisco Press, 2004
Douligeris, Christos, and Dimitrios N. Serpanos. Network
Security: Current Status and Future Directions. Hoboken,
NJ: Wiley-IEEE Press, 2007.
Dr. K. Hackers’ Handbook 3.0 (Expanded, Revised and
Updated): Includes WiFi, Identity Theft, Information
Warfare and Web 2.0. New York: Carlton Books, 2009.
Erickson, Jon. Hacking: The Art of Exploitation. 2nd ed. San
Francisco: No Starch Press, 2008.
Feilner, Markus. OpenVPN: Building and Integrating Virtual
Private Networks. Packt Publishing, 2006.
Ford, Jerry Lee Jr. Absolute Beginner’s Guide to Personal
Firewalls. Indianapolis: Que, 2007.
Frenkel, Sheila, et al. “Guide to Ipsec VPNs:
Recommendations of the National Institute of Standards
and Technology.” Special publication 800-77. Computer
Security Division, Information Technology Laboratory,
National Institute of Standards and Technology, 2005.
Gibson, Darril. MCITP Windows Server 2008 Server
Administrator Study Guide. Indianapolis: Sybex, 2008.
Graves, Kimberly. CEH Certified Ethical Hacker Study Guide.
Indianapolis: Sybex, 2010.
Gregg, Michael. Certified Ethical Hacker Exam Prep.
Indianapolis: Que, 2006.
Harris, Shon. CISSP All-in-One Exam Guide. 5th ed. New
York: McGraw-Hill Osborne Media, 2010.
———, Allen Harper, Chris Eagle, and Jonathan Ness. Gray
Hat Hacking, Second Edition: The Ethical Hacker’s
Handbook. New York: McGraw-Hill Osborne Media, 2007.
Huang, Qiang, and Jazib Frahim. SSL Remote Access VPNs.
Indianapolis: Cisco Press, 2008.
IETF RFC Repository. http://www.ietf.org/rfc.html (accessed
July 15, 2010).
Internet Engineering Task Force (IETF). “Internet Key
Exchange (IKEv2) Protocol.” December 2005.
http://tools.ietf.org/html/rfc4306 (accessed July 15, 2010).
Irwin, Mike, Charlie Scott, and Paul Wolfe. Virtual Private
Networks. 2nd ed. Sebastopol, CA: O’Reilly Media, 1998.
ISA Server.org. “Setting Up the Windows XP PPTP and
L2TP/IPSec client.”
http://www.isaserver.org/img/upl/vpnkitbeta2/xpvpnclient.
htm (accessed July 15, 2010).
Katz, Jonathan, and Yehuda Lindell. Introduction to Modern
Cryptography: Principles and Protocols. Chapman &
Hall/CRC, 2007.
Komar, Brian, Ronald Beekelaar, and Joern Wettern. Firewalls
for Dummies. 2nd ed. Indianapolis: Wiley Publishing, Inc.,
2003.
Kozierok, Charles. The TCP/IP Guide: A Comprehensive,
Illustrated Internet Protocols Reference. San Francisco: No
Starch Press, 2005.
Krawetz, Neal. Introduction to Network Security. Charles
River Media, 2006.
Lewis, Mark. Comparing, Designing, and Deploying VPNs.
Indianapolis: Cisco Press, 2006.
Linux Home Networking. “Configuring Linux VPNs.”
http://www.linuxhomenetworking.com/wiki/index.php/Quic
k_HOWTO_:_Ch35_:_Configuring_Linux_VPNs (accessed
July 15, 2010).
Liu, Dale, and Stephanie Miller, Mark Lucas, Abhishek Singh,
and Jennifer Davis. Firewall Policies and VPN
Configurations. Rockland, MA: Syngress, 2006.
Long, Johnny, Jack Wiles, Scott Pinzon, and Kevin D. Mitnick.
No Tech Hacking: A Guide to Social Engineering,
Dumpster Diving, and Shoulder Surfing. Rockland, MA:
Syngress, 2008.
Lyon, Gordon Fyodor. Nmap Network Scanning: The Official
Nmap Project Guide to Network Discovery and Security
Scanning. City: Nmap Project, 2009.
Mairs, John. VPNs: A Beginner’s Guide. New York: McGraw-
Hill Osborne Media, 2001.
Maiwald, Eric. Network Security: A Beginner’s Guide. 2nd ed.
New York: McGraw-Hill Osborne Media, 2003.
McClure, Stuart, Joel Scambray, and George Kurtz. Hacking
Exposed: Network Security Secrets and Solutions. 6th ed.
New York: McGraw-Hill Osborne Media, 2009.
Merkow, Mark S. Virtual Private Networks for Dummies.
Indianapolis: Wiley Publishing, Inc., 1999.
Metheringham, Nigel. “IPSec/Netkey interaction with
IPTables/Netfilter.” Openswan open forum entry.
http://lists.openswan.org/pipermail/users/2005-
August/006101.html (accessed July 15, 2010).
Microsoft Technet. “DirectAccess Technical Overview.”
http://technet.microsoft.com/library/dd637827.aspx
(accessed July 15, 2010).
Mitnick, Kevin D., William L. Simon, and Steve Wozniak. The
Art of Deception: Controlling the Human Element of
Security. Indianapolis: Wiley Publishing, Inc., 2003.
———, and William L. Simon. The Art of Intrusion: The Real
Stories Behind the Exploits of Hackers, Intruders and
Deceivers. Indianapolis: Wiley Publishing, Inc., 2005.
MITRE Corporation. “MITRE’s Common Vulnerability
Database (CVE).” http://cve.mitre.org/ (accessed July 15,
2010).
National Institute of Standards and Technology (NIST),
National Vulnerability Database. http://nvd.nist.gov/
(accessed July 15, 2010).
Nichols, Randall K., and Panos C. Lekkas. Wireless Security:
Models, Threats, and Solutions. New York: McGraw-Hill
Osborne Media, 2001.
Noonan, Wes, and Ido Dubrawsky. Firewall Fundamentals.
Indianapolis: Cisco Press, 2006.
Off-line certificate enrolment on Windows 2000/XP.
http://www.jacco2.dds.nl/networking/certutil.html
(accessed June 21, 2010).
Peltier, Thomas R. Information Security Risk Analysis. 3rd
ed. Auerbach Publications, 2010.
Philipp, Aaron, David Cowen, and Chris Davis. Hacking
Exposed Computer Forensics. 2nd ed. New York: McGraw-
Hill Osborne Media, 2009.
PopTop + MSCHAPv2 + Samba + Radius + Microsoft Active
Directory + Fedora Howto.
http://www.members.optushome.com.au/~wskwok/popto
p_ads_howto_1.htm (accessed July 15, 2010).
Real Time Enterprises, Incorporated. “Create a IPSEC +
Certificates MMC.” http://support.real-time.com/open-
source/ipsec/index.html (accessed July 15, 2010).
Rhodes-Ousley, Mark, Roberta Bragg, and Keith Strassberg.
Network Security: The Complete Reference. New York:
McGraw-Hill Osborne Media, 2003.
Ruston, Chris, and Chris Peiris. How to Cheat at Designing
Security for a Windows Server 2003 Network. Rockland,
MA: Syngress, 2006.
SANS. “The Top Cyber Security Risks.”
http://www.sans.org/top-cyber-security-risks/?ref=top20
(accessed July 15, 2010).
Scarfone, Karn, and Paul Hoffman. Guidelines on Firewalls
and Firewall Policy: Special Publication 800-41, Revision 1.
Washington: National Institute of Standards and
Technology (NIST), 2009.
Schneier, Bruce. Schneier’s Cryptography Classics Library:
Applied Cryptography, Secrets and Lies, and Practical
Cryptography. Indianapolis: Wiley Publishing, Inc., 2007.
———. Secrets and Lies: Digital Security in a Networked
World. Indianapolis: Wiley Publishing, Inc., 2004.
Schudel, Gregg, and David J. Smith. Router Security
Strategies: Securing IP Network Traffic Planes.
Indianapolis: Cisco Press, 2008.
SearchNetworking.com. “Authentication, authorization, and
accounting (AAA)” (n.d.)
http://searchsecurity.techtarget.com/definition/authentica
tion-authorization-and-accounting (accessed June 17,
2013).
———. “Packet” (n.d.)
http://searchnetworking.techtarget.com/definition/packet
(accessed June 17, 2013) ———. “Port Address Translation
(PAT)” (n.d.).
http://searchnetworking.techtarget.com/definition/Port-
Address-Translation-PAT (accessed June 17, 2013).
Security Focus. “Embassy leaks highlight pitfalls of Tor.
September, 2007.”
http://www.securityfocus.com/news/11486 (accessed July
15, 2010).
Shinder, Thomas W. The Best Damn Firewall Book Period.
2nd ed. Rockland, MA: Syngress, 2008.
SmoothWall Community Forums.
http://community.smoothwall.org/forum/ (accessed July
15, 2010).
SmoothWall Limited. http://www.smoothwall.net/ (accessed
July 15, 2010).
SmoothWall Open Source Project.
http://www.smoothwall.org/ (accessed July 15, 2010).
Snader, Jon C. VPNs Illustrated: Tunnels, VPNs, and IPsec.
Boston: Addison-Wesley Professional, 2005.
Stevens, W. Richard, and Gary R. Wright. TCP/IP Illustrated,
Volumes 1–3. Boston: Addison-Wesley Professional, 1994.
Stewart, James Michael. CompTIA Security+ Review Guide:
SY0-201. Indianapolis: Sybex, 2008.
———, Ed Tittel, and Mike Chapple. CISSP: Certified
Information Systems Security Professional Study Guide.
4th ed. Indianapolis: Sybex, 2008.
Strassberg, Keith, Gary Rollie, and Richard Gondek.
Firewalls: The Complete Reference. New York: McGraw-Hill
Osborne Media, 2002.
Sweeney, T., (2000, April 3). Businesses Lock In On VPN
Outsourcing Options Providers of virtual private network
services put a new spin on the outsourcing spiel.
InformationWeek.
http://www.informationweek.com/780/vpn.htm (accessed
July 15, 2010).
“Using a Linux L2TP/IPsec VPN server.” May 2010.
http://www.jacco2.dds.nl/networking/openswan-l2tp.html
(accessed July 15, 2010).
Virtual Private Network Consortium. http://www.vpnc.org/
(accessed July 15, 2010).
Volonino, Linda, and Ian Redpath. e-Discovery for Dummies.
Indianapolis: Wiley Publishing, Inc, 2009.
Vyncke, Eric, and Christopher Paggen. LAN Switch Security:
What Hackers Know About Your Switches. Indianapolis:
Cisco Press, 2007.
Whitman, Michael E., Herbert J. Mattord, Richard Austin, and
Greg Holden. Guide to Firewalls and Network Security.
Florence, KY: Course Technology/Cengage Learning Inc.,
2008.
Yuan, Ruixi, and W. Timothy Strayer. Virtual Private
Networks: Technologies and Solutions. Boston: Addison-
Wesley Professional, 2001.
Zwicky, Elizabeth D., Simon Cooper, and D. Brent Chapman.
Building Internet Firewalls. 2nd ed. Sebastopol, CA:
O’Reilly Media, 2000.
Index
The index that appeared in the print version of this title was
intentionally removed from the eBook. Please use the
search function on your eReading device to search for terms
of interest. For your reference, the terms that appear in the
print index are listed below.
128-bit key
802.1x
2048-bit asymmetric key
A
AAA. See authentication,
authorization, and accounting
acceptable use policy (AUP)
access control. See also authorization access control list
(ACL)
access management
accidental threats
accidents
accounting
ACL. See access control list active sniffing
active threats
addressing
administrator account password ADS. See alternate data
streams ADSL. See Asymmetrical Digital Subscriber Line
Advanced Encryption Standard (AES) advanced persistent
threat (APT) adware
adware scanner. See anti-malware scanners agents
AH. See Authentication Header ALE. See annualized loss
expectancy alerts
algorithm encryption standard (AES) algorithms
allow by default
allow by exception
allow-exception rule
alternate data streams (ADS) annualized loss expectancy
(ALE) annualized rate of occurrence (ARO) anomaly-based
detection
anonymity
anonymous connectivity
anti-forensics
anti-malware scanners
anti-SPAM filters
anti-spyware scanner
antivirus scanners
anycast address
AppleTalk
appliance firewalls
appliance format
application conflicts
application firewall
application gateway
Application Layer (Layer 7)
application-level firewall
application proxy
application proxy firewalls
APT. See advanced persistent threat arbitrary code
execution
ARO. See annualized rate of occurrence ARP flooding
ARP spoofing
asset value (AV)
assets
asymmetric cryptography
Asymmetrical Digital Subscriber Line (ADSL) at-firewall
authentication
attack surface
attacking
audit capabilities
auditing
auditors
AUP. See acceptable use policy authentication
authentication, authorization, and accounting (AAA)
Authentication Header (AH)
authenticity
authorization
AV. See asset value availability
availability attack
avalanche effect
awareness
B
Back Orifice
backdoor account attack
backdoors
Backtrack
backups
bandwidth for VPN
banner
banner grabbing
basic packet filtering
bastion host
bastion host OS
behavioral-based detection
benign address
best practices
biometrics
BIOS/firmware flashing
BitTorrent
blacklist
blogs
“Blue Screen of Death”
boot sector
border firewall
border sentry
border-crossing communications botnet army
botnets
bots
bottlenecks. See also chokepoint boundary networks
breach
bricking
bridges
Bring Your Own Device (BYOD) brute force attack
brute-force password attack
buffer overflows
buffers
build-it-yourself firewall bump-in-the-stack bump-in-the-wire
business continuity plan
business operations
business tasks
BYOD. See Bring Your Own Device bypass VPN
implementation
C
CA. See Certificate Authority
cable modem devices
caching
centralized logging system
CERN. See European Laboratory for Particle Physics
Certificate Authority (CA)
CGI scripts. See Common Gateway Interface scripts
channels
chip creep
chokepoint
ciphertext
circuit
circuit firewall
circuit proxy
Cisco
Cisco Linksys wireless router client virtualization. See
desktop virtualization clients
client/server network
client-side configuration
client-to-server VPNs
Clipper Chip
closed source software
cloud backup storage
cloud computing
cloud implementation
clusters
code testing
coding errors
cold calling
co-location of Web server
command-line-based interface command shell
commercial firewall
commercial hardware firewall commercial off-the-shelf
(COTS) software commercial software firewall commercial
VPNs
Common Gateway Interface (CGI) scripts communication
encryption
communications in business environment communications
pathways
communications to block
compartmentalization
compliance
compliance auditing
compression compromise
computer viruses
conditional trust
confidentiality
configuration errors
configuration of VPN
configuration scans
Connection Protocol
containment
content filtering
contract workers
cookie filters
corporate firewall VPN termination cost/benefit analysis
cost-effective network security COTS software. See
commercial off-the-shelf software covert channels
CPE. See customer premise equipment credential sharing
cross-site scripting (XSS)
Cryptcat
cryptography
customer premise equipment (CPE) cybersecurity role
D
data at rest
data encryption. See encryption Data Encryption Standard
(DES) data integrity
data leakage
data leakage prevention (DLP) Data Link Layer (Layer 2)
data origin authentication
data protection firewall
database-based detection
database firewall
data-centric security model
data-encrypted tunnel
DDoS attacks. See distributed denial of service attacks
dead-man switch
decryption
dedicated application-specific proxy firewall dedicated
connection
dedicated leased lines
de-encapsulation
default allow
default deny
default-deny rule default password default-permit stance
defense in depth
defensive programming technique delay
deliberate threats
demilitarized zone (DMZ)-based implementation
demilitarized zones (DMZs)
denial of service (DoS)
denial of service (DoS) attacks deny by default
deny by exception
deny exception rule
deployment of a VPN
DES. See Data Encryption Standard desktop virtualization
detailed implementation plans detection
deterrence
deterrent
device firmware replacement options DHCP. See Dynamic
Host Configuration Protocol dialers
dial-up modem connections
dictionary attacks
dictionary password cracking Diffie-Hellmann
digital certificates
digital envelope
digital forensic techniques
digital signatures
digital subscriber line (DSL) modems DirectAccess
directory services
disaster recovery plan
disasters
disgruntled employees
distributed denial of service (DDoS) attacks distributed LAN
diversity of defense
divide and conquer
DLP. See data leakage prevention DMZ pinholes
DMZ Web server
DMZs. See demilitarized zones DNS. See Domain Name
System DNS poisoning
DNS spoofing
documentation
do-it-yourself firewall
Domain Name System (DNS)
domain registrations
domains
domains of IT infrastructure DoS. See denial of service DoS
attacks. See denial of service attacks downtime DSL
modems. See digital subscriber line modems dual IP
stacks
dual-homed firewall
dual-stack migration strategy dumpster diving
duplicate servers
dynamic addressing
dynamic filtering system
Dynamic Host Configuration Protocol (DHCP) dynamic NAT
dynamic packet filtering
dynamic password token
E
easy access management console
port or interface
easy-access power switch
eavesdropping
ECC. See elliptical curve cryptography edge routers
education
EF. See exposure factor efficient network security
egress filtering
electricity consumption
Electronic Privacy Information Center (EPIC) electrostatic
discharge (ESD) elliptical curve cryptography (ECC)
Encapsulating Security Payload (ESP) encapsulation
encapsulation protocols. See also tunneling protocols
encrypted protocols
encryption
encryption filtering
encryption key sets
encryption level
endpoint security
enhancements for firewall
enumeration
EPIC. See Electronic Privacy Information Center equipment
selection for secure network design eradication, incident
response ESD. See electrostatic discharge ethernet frame
ethical hackers
ethical hacking. See penetration testing European
Laboratory for Particle Physics (CERN) experts
exploitation of system vulnerability exploits
exposure factor (EF)
external attacks
external entities threats
external service access
external threats
external-only communications extranet VPNs
extranets
F
factory defaults
fail-close state
fail-open state
fail-safe security stance
fail-safe/fail-secure response fail-secure state
failures
fair queuing
fallback attacks
false negative
false positives
Federal Information Processing Standards (FIPS) Publications
file encryption
file sharing
File Transfer Protocol (FTP) filtering
filters
firewalking
firewall checklist
firewall filtering
firewall implementation firewall limitation
firewall logging
firewall management
firewall monitoring
firewall policy
firewall rules
firewall specialization
firewall-to-firewall VPN
firewall troubleshooting
firewalls
firmware flash memory on-board chip flaw exploitation
attacks
flexibility
flooding
focus for information security follow-up, incident response
footprinting
forced universal participation Forefront Unified Access
Gateway (UAG) forensic techniques
formal change management
forms-based authentication
Fport
FQDNs. See fully qualified domain names fragmentation
fragmentation attacks
frames
free software
FTP. See File Transfer Protocol full mesh of leased lines
fully qualified domain names (FQDNs) future developments
fuzzing tools
G
gateway
gateway-to-gateway VPN
general filter firewall
general purpose OSs
goals of network security GoToAssist GoToMyPC
governance
governance, risk, and compliance (GRC) granular access
control
graphical user interface (GUI)-based interface growth
scenario contingencies GUI-based interface. See graphical
user interface-based interface
H
hackers
hacking
hacktivism
hairpinning
handoff authentication
hard drives
hardening firewall
hardening host
hardening networks
hardening servers
hardening systems
hardware address
hardware failures
hardware firewalls
hardware VPNs
hardware/software platform
hashing
hash algorithm
hash value
hashing
headers
heat
HFS. See hierarchical file system hierarchical file system
(HFS) hijacking attack
home office wireless
home routers
honeynets
honeypots
host
host firewalls. See also software firewall host security
controls
host software firewall
host VPN software product
hosting
HOSTS file
host-to-gateway VPN
host-to-host VPN
host-to-site VPN
Hot Standby Router Protocol (HSRP) HotSpotShield
HotSpotVPN
HSRP. See Hot Standby Router Protocol HTTP Proxy
HTTPS. See Hypertext Transfer Protocol Secure hybrid attack
hybrid firewall
hybrid VPN
Hypertext Transfer Protocol (HTTP) Hypertext Transfer
Protocol Secure (HTTPS)
I
IAM. See identity and access
management
IANA. See Internet Assigned Numbers Authority ICMP. See
Internet Control Message Protocol ICMP redirect
identity
identity and access management (IAM) identity proofing
IDS. See intrusion detection systems IDS insertion
IEEE 802.1x
IEMI. See intentional electromagnetic interference IETF. See
Internet Engineering Task Force IKEv2. See Internet Key
Exchange v2
IM. See instant message IMS. See IP Multimedia Subsystem
inbound rules for firewall
inbound traffic
incident response
incident response plan
individual firewall
industry-standard protocol
information gathering. See reconnaissance information
security professionals Information Technology
Infrastructure Library (ITIL) infrastructure
ingress filtering
in-person policy training
insertion attacks
installer-induced security threats instant message (IM)
intangible costs and value
Integrated Services Digital Network (ISDN) integrity
intentional electromagnetic interference (IEMI) interception
attack
intermediary network
internal code planting
internal compliance audits
internal firewall
internal-only traffic
internal personnel
internally connected VPN
Internet Assigned Numbers Authority (IANA) Internet Café
VPNs
Internet Connection Sharing service Internet connectivity
Internet Control Message Protocol (ICMP) Internet
Engineering Task Force (IETF) Internet Key Exchange (IKE)
Internet Key Exchange v2 (IKEv2) Internet Protocol Security
(IPSec) Internet Protocol version
Internet Protocol version 4 (IPv4) Internet Protocol version 6
(IPv6) Internet relay chat (IRC) channel Internet service
provider (ISP) devices Internet threats
Internet-based Traceroute tools Internet-facing servers
Internetwork Packet Exchange/Sequenced Packet Exchange
(IPX/SPX) intranet
intranet VPNs
intruders
intrusion and incident response plan intrusion detection
systems (IDS) intrusion prevention systems (IPS)
inventory of communications
IP addresses
IP block
IP forwarding
IP Multimedia Subsystem (IMS) IP Network Address
Translator IPS. See intrusion prevention systems IPSec.
See Internet Protocol Security IPSec VPNs
IPSec-tools RPM package IPv4. See Internet Protocol version
4
IPv6. See Internet Protocol version 6
IPX/SPX. See Internetwork Packet Exchange/Sequenced
Packet Exchange IRC channel. See Internet relay chat
channel ISDN. See Integrated Services Digital Network ISP
devices. See Internet service provider (ISP) devices IT
infrastructure domains
IT infrastructure threats
ITIL. See Information Technology Infrastructure Library
J
JanusVM
job description
K
Keep It Simple: Security (KISS)
Kerberos
Kernel IP Security (KLIPS) key exchange key pairs
key space
keycard security
keystroke logger
knowledge-based detection
known addresses
L
laboratory tests
LAN. See local area network; wireless local area network
LAN Domain. See Local Area Network Domain LAN
infrastructure security
LANMAN hash
LAN-to-LAN VPNs
LAN-to-WAN Domain
latency
Layer 2 Forwarding (L2F)
Layer 3 of the OSI model
Layer 7 of the OSI model
Layer 2 Transport Protocol (L2TP) Layer 2 Tunneling Protocol
(L2TP) layered security approach
layers of OSI model
leased lines
leetspeak
Linksys access points
Linux firewalls
load balancers
load balancing
load-related performance
local area network (LAN)
Local Area Network (LAN) Domain local host
location of VPN
location-aware anti-theft software log contents
log file analysis
log file analysis tools
logging
logging on. See authentication logic bomb
logical address
logical security checklist
LogMeIn
Loki
loophole
M
MAC address. See Media Access
Control address
MAC addresses
MAC spoofing
Mac support
mainframe
malicious address
malicious code
malicious code scanner
malicious hackers
malicious traffic
malware
management
management interfaces
man-in-the-middle (MitM) attacks maximum transmission
unit (MTU) MBSA. See Microsoft Baseline Security
Analyzer mean time between failures (MTBF) mean time
to failure (MTTF)
Media Access Control (MAC) address metacharacters
metrics
Microsoft Baseline Security Analyzer (MBSA) Microsoft Point-
to-Point Encryption (MPPE) mission-critical issue
mission-critical process
MitM attacks. See man-in-the-middle attacks MITRE
mobile code
mobile devices
Mobile IP
mobile wireless
modeling
modems
module-based VPN
monitoring
monkey-in-the-middle attack
MPPE. See Microsoft Point-to-Point Encryption MSTSC
command
MTBF. See mean time between failures MTTF. See mean time
to failure MTU. See maximum transmission unit multicast
address
multifactor authentication
multi-homed firewall
multiple LANs
multiple-layered defense. See also defense in depth
Murphy’s Law
N
NAC. See network access control
NAC service. See network access/admission control service
NAS. See network access server NAT. See network
address translation NAT-compatible encryption protocols
National Information Infrastructure (NII) National Institute
of Standards and Technology (NIST) national security
National Security Agency (NSA) National Vulnerability
Database native firewall
native operating system firewall NAT-PT. See Network
Address Translation–Protocol Translation NAT-T. See NAT-
Traversal NAT-Traversal (NAT-T)
natural disasters
necessary business tasks
Nessus
Nessus vulnerability scanning NetBEUI. See NetBios
Extended User Interface NetBios Extended User Interface
(NetBEUI) NetBus
Netcat
Netscape. Version 1.0
Netstat
network access control (NAC) Network Access Protocol
network access server (NAS)
network access/admission control (NAC) service network
address translation (NAT) Network Address Translation–
Protocol Translation (NAT-PT) network and resource
availability threats network compartmentalization. See
compartmentalization network design
network infrastructures examples network interface card
(NIC) network interface controller (NIC) network issues,
internal and external Network Layer (Layer 3)
Network Layer of the OSI model Network News Transfer
Protocol (NNTP) network performance
network security
network security components
network security design
“Network Tools”
network topologies. See topologies network traffic access
control security policy new technology file system (NTFS)
NIC. See network interface card NII. See National
Information Infrastructure NIST. See National Institute of
Standards and Technology nmap
NNTP. See Network News Transfer Protocol node
node security
no-exceptions policy
non-authenticating query service non-content-filtering
firewalls non-dedicated connection
nonrepudiation
normal baseline
NSA. See National Security Agency NTFS. See new
technology file system N-Tier deployment
NTRconnect
O
OC line. See optical carrier line offsite storage
off-the-shelf firewall
one-time pad encryption systems one-way function
mathematical operation Onion Router application, The.
See Tor application onion routing
online remote VPN options
online storage
onsite storage
open source software
Open Systems Interconnection (OSI) Reference Model open-
source applications and tools open-source product
open-source software network firewall open-source VPNs
Openswan
operating system-based VPNs
operating systems (OSs)
OPM. See Other People’s Money, Inc.
opportunistic hackers
optical carrier (OC) line
OS/2
OSI model. See Open Systems Interconnection (OSI)
Reference Model OSs. See operating systems Other
People’s Money, Inc. (OPM) out of band communication
outbound rules for firewall
outbound traffic
overlapping
P
package filtering firewall
packet filtering
packet filtering firewall
packet header
packet payload
packet sniffer
PacketiX VPN
padded cells
partition
passive threats
password cracking
password-protected homegroup PAT. See port address
translation patch management
patches
payloads
PBX. See private branch exchange pcAnywhere
peer systems
peer-to-peer (P2P) communications peer-to-peer (P2P)
networks
penetration testing
performance
perimeter
perimeter network
permissions
personal communications
personal firewall
personal hardware firewall
personal software firewall
personal/individual VPN
personally identifiable information (PII) personnel activity
monitoring phishing
physical access
physical addresses
physical attacks
physical damage
Physical Layer (Layer 1)
physical security
physical threats
PII. See personally identifiable information piloting
PING
ping command
ping sweeps
PKI. See Public Key Infrastructure placement of firewalls
plaintext protocols
platform independence
play configuration
playback attacks
plug configuration
PNAC. See port-based network access control Point-to-Point
Protocol (PPP) Point-to-Point Tunneling Protocol (PPTP)
POP. See Post Office Protocol pop-up blockers
port address translation (PAT) port forwarding
port numbers
port scanning
port validation
portability of equipment
portal authentication port-based network access (admission)
control (PNAC) ports
POSIX
Post Office Protocol (POP)
post-attack activities
post-mortem assessment review power faults
power switch
PPP. See Point-to-Point Protocol PPTP. See Point-to-Point
Tunneling Protocol preparation, incident response
Presentation Layer (Layer 6) prevention
principle of least privilege privacy
private branch exchange (PBX) private IP address
private key
private messages
private networks
private VPN
privilege control
privilege escalation
privileged access
privileges
PRNG. See pseudo random number generator proactive
security management professional hackers
proprietary OSs
protocol encryption
protocols
proxies
proxy attack
proxy firewall
proxy manipulation
proxy servers
proxy-based encryption
pseudo random number generator (PRNG) public IP
addresses
public key
public key cryptography
Public Key Infrastructure (PKI) public networks
public wireless
public-key cryptography
PuTTY application
pwned
Q
QoS. See quality of service
quality of service (QoS)
R
rack mountable equipment
RADIUS-based authentication
RAID. See redundant array of independent disks random
challenge-response dialog RAS. See remote access server
RDC. See Remote Desktop Connection RDP. See Remote
Desktop Protocol reconnaissance
recovery
recreational hackers
redundancy
redundant array of independent disks (RAID) Regional
Internet Registry (RIR) regular self-assessment
rekeying processes
remote access
Remote Access Domain
remote access policy
remote access server (RAS)
remote access VPN
Remote Assistance
remote connection
remote control
Remote Desktop Connection (RDC) Remote Desktop Protocol
(RDP) Remote Desktop Services
remote hacking
remote or mobile host
remote printing
remote VPN connection
remote-to-home VPN
remote-to-office VPN
removable case
removable media
replay attacks
requests for comments (RFCs) research. See reconnaissance
reset button
resources
resources sites
response
return on investment (ROI)
reverse caching reverse proxy
reverse proxy firewall service RFC 791
RFC 1918
RFC 1918 addresses
RIR. See Regional Internet Registry risk
risk assessment
risk management
risk matrix
Rivest-Shamir-Adelman (RSA)
rogue access point
rogue device insertion
rogue DHCP
ROI. See return on investment roles
rootkits
round robin
round robin database tool (RRDtool) routers
RPM install of Openswan
RRDtool. See round robin database tool RSA. See Rivest-
Shamir-Adelman rule sets
rules
rule-set ordering
S
sabotage
sacrificial host
scalability
scanning
scope/binding nature statement screened IDS/IPS solution
screening routers
script kiddie
SDRAM. See synchronous dynamic random access memory
search engine
sectors
secure network design. See network design secure remote
access
Secure Shell (SSH) protocol
Secure Socket Tunneling Protocol (SSTP) Secure Sockets
Layer (SSL)
Secure Sockets Layer (SSL)–based tunneling protocols
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
secured VPN. See also virtual private network (VPN)
security
security assessment
security association (SA)
security assurance
security checklist
security goals
security infrastructure
security management
security mistakes
security objectives
security policies
security stance
security strategy
security suite firewall
Security Technical Implementation Guides (STIGs) security
technologies
security through obscurity
security troubleshooting
security zones
SED. See static electricity discharge segment
self-assessments
sender fragmentation
senior management
separation of duties
servers
service level agreement (SLA) service set identifier (SSID)
services tab of SmoothWall
session
session hijacking
Session Layer (Layer 5)
shell code
ShieldsUP! port scanning tool Shorewall firewall
Shrew Soft
sieve firewall
signature-based detection
Simple Mail Transfer Protocol (SMTP) simple network
management protocol (SNMP) simplicity
simulated firewall test
single-factor authentication single loss expectancy (SLE)
single point of failure
single sign-on (SSO)
site-to-site VPNs Skype
SLA. See service level agreement slack space
SLE. See single loss expectancy slideware
sliding window of recorded traffic small office/home office
(SOHO) SmoothWall firewall
SmoothWall software
SMTP. See Simple Mail Transfer Protocol SNA. See System
Network Architecture sniffer
SNMP. See simple network management protocol Snort
Snort intrusion detection software Snort intrusion detection
solution social engineering
socket
software coding errors
software firewall
software firewall products
software host firewalls
software VPNs
SOHO. See small office/home office Solera DS series of
network forensic appliances solid VPN policy
spam
split knowledge. See separation of duties split tunnel
spoofed addresses
spoofing
spyware
spyware scanner. See anti-malware scanners SQL injection
SSH protocol. See Secure Shell protocol SSID. See service
set identifier SSL. See Secure Sockets Layer SSL VPNs
SSO. See single sign-on SSTP. See Secure Socket Tunneling
Protocol stability of VPNs
state management
stateful inspection
stateful inspection filtering stateful inspection firewalls
static addressing
static electricity
static electricity discharge (SED) static filtering firewalls
static IP
static NAT
static packet filtering
steganography
STIGs. See Security Technical Implementation Guides
storage covert channel
strong authentication
strong encryption
subnet architecture
subnetting
sub-protocols
SubSeven
suite-member firewalls
sunk cost
switches
symmetric cryptography
symptoms
synchronous dynamic random access memory (SDRAM)
syslog
System Network Architecture (SNA) System/Application
Domain
system-by-system–based security Systems/Applications
Domain
T
TACACS+. See Terminal Access Controller Access-Control
System Plus tangible costs and value
targets of hackers
TCP. See Transmission Control Protocol tcpdump command
TCP/IP. See Transmission Control Protocol/Internet Protocol
TCPView
telcos. See telecommunication service providers
telecommunication service providers (telcos)
telecommuting
telnet
Terminal Access Controller Access-Control System Plus
(TACACS+) terminal services
testing
testing firewall
theft
thin client computing third-party software firewalls third-
party trust system
threats
time stamps
timing covert channel
TLS. See Transport Layer Security tools
topology
Tor application
TPM chip. See Trusted Platform Module chip traceroute
command
traceroute tools
traffic and trend analysis
traffic congestion
traffic generation
traffic inventory
traffic loads
training
transaction security
translation migration strategy Transmission Control Protocol
(TCP) Transmission Control Protocol/Internet Protocol
(TCP/IP) transparent network security Transport Layer
(Layer 4)
Transport Layer Protocol
Transport Layer Security (TLS) transport mode encryption
transport mode (host-to-host) of IPSec trapdoor
trapping intruders and violators triple-homed firewall
Trojan horse
troubleshooting
trust
Trusted Platform Module (TPM) chip trusted third party
trusted VPN
trustworthy
TS RemoteApp
TS Web Access
tunnel mode encryption
tunnel mode of IPSec
tunneling
tunneling migration strategy tunneling protocols
two-factor authentication
U
UAG. See Forefront Unified Access
Gateway
ubiquitous firewall
UDP. See User Datagram Protocol unauthorized software
unauthorized tunnels
unfiltered IDS/IPS installation unicast address
unified threat management (UTM) Uninterruptible Power
Supply (UPS) universal denial rule
universal participation
unknown zero-day attacks
unpartitioned space
updates
UPS. See Uninterruptible Power Supply upstream filtering
URL injectors
usability
USENET newsgroups
User Authentication Protocol user awareness
User Datagram Protocol (UDP) User Domain
user training
userland-only install
UTM. See unified threat management
V
Van Eck phreaking
vaporware. See slideware vendors
Verizon Data Breach Investigations Report violations of
security
violators
virtual firewall test
virtual firewalls
Virtual Local Area Network (VLAN) virtual private network
(VPN) virtual reassembly
Virtual Router Redundancy Protocol (VRRP) virtualization
virtualization security
virtualized firewall
virtualized network environment virtualized networks
virtualized SSL VPN
virus
VLAN. See Virtual Local Area Network VMware
voluntary compliance
VPN. See virtual private network VPN appliances
VPN authorization
VPN link
VRRP. See Virtual Router Redundancy Protocol vulnerabilities
vulnerability assessments
vulnerability management
vulnerability research
vulnerability scanning
W
wake-on-LAN
WAN. See distributed LAN; wide area network WAN Domain
WAN VPN connections
wardialing
wardriving
weakest link security stance Web browsers
Web server
Web-based GUI
Web-based policy training
well-known port numbers
white-list controls
whitelists
whois
whole hard drive encryption
wide area network (WAN)
Windows Firewall
Windows Server 2008 Network Access WinZapper tool
wired networks
wireless access points
wireless connectivity
wireless local area network (LAN) wireless networking
wireless technologies
Wireshark
wirespeed functions
workgroup
Workstation Domain
WORM storage device. See write-once read-many storage
device worms
wrappers
write-once read-many (WORM) storage device written
firewall policy
written security policy
X
XSS. See cross-site scripting
Z
zero-day attacks
zero-day exploits
zeroization
zombie army
zombies
zone file
zone of risk
zones of trust
- Cover
- Title Page
- Copyright
- Contents
- Preface
- Part One: Foundations of Network Security
- Chapter 1 Fundamentals of Network Security
- What Is Network Security?
- What Is Trust?
- Who—or What—Is Trustworthy?
- What Are Security Objectives?
- What Are You Trying to Protect?
- Seven Domains of a Typical IT Infrastructure
- Goals of Network Security
- How Can You Measure the Success of Network Security?
- Why Are Written Network Security Policies Important?
- Planning for the Worst
- Who Is Responsible for Network Security?
- Examples of Network Infrastructures and Related Security Concerns
- Workgroups
- SOHO Networks
- Client/Server Networks
- LAN Versus WAN
- Thin Clients and Terminal Services
- Remote Control, Remote Access, and VPN
- Boundary Networks
- Strengths and Weaknesses of Network Design
- Enhancing the Security of Wired Versus Wireless LAN Infrastructures
- Internal and External Network Issues
- Common Network Security Components Used to Mitigate Threats
- Hosts and Nodes
- IPv4 Versus IPv6
- Firewall
- Virtual Private Networks
- Proxy Servers
- Network Address Translation
- Routers, Switches, and Bridges
- The Domain Name System
- Directory Services
- Intrusion Detection Systems and Intrusion Prevention Systems
- Network Access Control
- Chapter Summary
- Key Concepts and Terms
- Chapter 1 Assessment
- Chapter 2 Firewall Fundamentals
- What Is a Firewall?
- What Firewalls Cannot Do
- Why Do You Need a Firewall?
- What Are Zones of Risk?
- How Firewalls Work and What Firewalls Do
- TCP/IP Basics
- OSI Reference Model
- Sub-Protocols
- Headers and Payloads
- Addressing
- Types of Firewalls
- Ingress and Egress Filtering
- Types of Filtering
- Static Packet Filtering
- Stateful Inspection and Dynamic Packet Filtering
- Network Address Translation (NAT)
- Application Proxy
- Circuit Proxy
- Content Filtering
- Software Versus Hardware Firewalls
- IPv4 Versus IPv6 Firewalls
- Dual-Homed and Triple-Homed Firewalls
- Placement of Firewalls
- Chapter Summary
- Key Concepts and Terms
- Chapter 2 Assessment
- Chapter 3 VPN Fundamentals
- What Is a Virtual Private Network?
- What Are the Benefits of Deploying a VPN?
- What Are the Limitations of a VPN?
- What Are Effective VPN Policies?
- VPN Deployment Models and Architecture
- Tunnel Versus Transport Mode
- The Relationship Between Encryption and VPNs
- Symmetric Cryptography
- Asymmetric Cryptography
- Hashing
- What Is VPN Authentication?
- VPN Authorization
- Chapter Summary
- Key Concepts and Terms
- Chapter 3 Assessment
- Chapter 4 Network Security Threats and Issues
- Hacker Motivation
- Favorite Targets of Hackers
- Threats from Internal Personnel and External Entities
- The Hacking Process
- Fallback Attacks
- Common IT Infrastructure Threats
- Hardware Failures and Other Physical Threats
- Natural Disasters
- Accidents and Intentional Concerns
- Malicious Code (Malware)
- Advanced Persistent Threat
- Fast Growth and Overuse
- Wireless Versus Wired
- Eavesdropping
- Replay Attacks
- Insertion Attacks
- Fragmentation Attacks, Buffer Overflows, and XSS Attacks
- Fragmentation Attacks
- Buffer Overflows
- XSS (Cross-Site Scripting) Attacks
- Man-in-the-Middle, Session Hijacking, and Spoofing Attacks
- Man-in-the-Middle Attacks
- Session Hijacking
- Spoofing Attacks
- Covert Channels
- Network and Resource Availability Threats
- Denial of Service (DoS)
- Distributed Denial of Service (DDoS)
- Hacker Tools
- Social Engineering
- Chapter Summary
- Key Concepts and Terms
- Chapter 4 Assessment
- Part Two: Technical Overview of Network Security, Firewalls, and VPNs
- Chapter 5 Network Security Implementation
- Seven Domains of a Typical IT Infrastructure
- Network Design and Defense in Depth
- Protocols
- Common Types of Addressing
- IPv6
- Controlling Communication Pathways
- Hardening Systems
- Equipment Selection
- Authentication, Authorization, and Accounting
- Communication Encryption
- Hosts: Local-Only or Remote and Mobile
- Redundancy
- Endpoint Security
- Clients
- Servers
- Routers
- Switches
- Firewalls and Proxies
- Chapter Summary
- Key Concepts and Terms
- Chapter 5 Assessment
- Chapter 6 Network Security Management
- Network Security Management Best Practices
- Fail-Secure, Fail-Open, and Fail-Close Options
- Physical Security
- Watching for Compromise
- Incident Response
- Trapping Intruders and Violators
- Why Containment Is Important
- Imposing Compartmentalization
- Using Honeypots, Honeynets, and Padded Cells
- Essential Host Security Controls
- Backup and Recovery
- User Training and Awareness
- Network Security Management Tools
- Security Checklist
- Network Security Troubleshooting
- Compliance Auditing
- Security Assessment
- Configuration Scans
- Vulnerability Scanning
- Penetration Testing
- Post-Mortem Assessment Review
- Chapter Summary
- Key Concepts and Terms
- Chapter 6 Assessment
- Chapter 7 Firewall Basics
- Firewall Rules
- Authentication, Authorization, and Accounting
- Monitoring and Logging
- Understanding and Interpreting Firewall Logs and Alerts
- Intrusion Detection
- Limitations of Firewalls
- Improving Performance
- The Downside of Encryption with Firewalls
- Firewall Enhancements
- Management Interfaces
- Chapter Summary
- Key Concepts and Terms
- Chapter 7 Assessment
- Chapter 8 Firewall Deployment Considerations
- What Should You Allow and What Should You Block?
- Common Security Strategies for Firewall Deployments
- Security Through Obscurity
- Least Privilege
- Simplicity
- Defense in Depth
- Diversity of Defense
- Chokepoint
- Weakest Link
- Fail-Safe
- Forced Universal Participation
- Essential Elements of a Firewall Policy
- Software and Hardware Options for Firewalls
- Benefit and Purpose of Reverse Proxy
- Use and Benefit of Port-Forwarding
- Considerations for Selecting a Bastion Host OS
- Constructing and Ordering Firewall Rules
- Evaluating Needs and Solutions in Designing Security
- What Happens When Security Gets in the Way of Doing Business?
- Chapter Summary
- Key Concepts and Terms
- Chapter 8 Assessment
- Chapter 9 Firewall Management and Security
- Best Practices for Firewall Management
- Security Measures in Addition to a Firewall
- Selecting the Right Firewall for Your Needs
- The Difference Between Buying and Building a Firewall
- Mitigating Firewall Threats and Exploits
- Concerns Related to Tunneling Through or Across a Firewall
- Testing Firewall Security
- Important Tools for Managing and Monitoring a Firewall
- Troubleshooting Firewalls
- Proper Firewall Implementation Procedure
- Responding to Incidents
- Chapter Summary
- Key Concepts and Terms
- Chapter 9 Assessment
- Chapter 10 Using Common Firewalls
- Individual and Small Office/Home Office (SOHO) Firewall Options
- Uses for a Host Software Firewall
- Examples of Software Firewall Products
- Using Windows 7’s Host Software Firewall
- Using a Linux Host Software Firewall
- Managing the Firewall on an ISP Connection Device
- Converting a Home Router into a Firewall
- Commercial Software Network Firewalls
- Open-Source Software Network Firewalls
- Appliance Firewalls
- Virtual Firewalls
- Simple Firewall Techniques
- Chapter Summary
- Key Concepts and Terms
- Chapter 10 Assessment
- Chapter 11 VPN Management
- VPN Management Best Practices
- Developing a VPN Policy
- Developing a VPN Deployment Plan
- Bypass Deployment
- Internally Connected Deployment
- DMZ-Based Implementation
- VPN Threats and Exploits
- Commercial or Open Source VPNs
- Differences Between Personal and Enterprise VPNs
- Balancing Anonymity and Privacy
- Protecting VPN Security to Support Availability
- The Importance of User Training
- VPN Troubleshooting
- Chapter Summary
- Key Concepts and Terms
- Chapter 11 Assessment
- Chapter 12 VPN Technologies
- Differences Between Software and Hardware Solutions
- Software VPNs
- Hardware VPNs
- Differences Between Layer 2 and Layer 3 VPNs
- Internet Protocol Security (IPSec)
- Layer 2 Tunneling Protocol (L2TP)
- Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
- SSL/TLS and VPNs
- Secure Shell (SSH) Protocol
- Establishing Performance and Stability for VPNs
- Performance
- Stability
- Using VPNs with Network Address Translation (NAT)
- Types of Virtualization
- Desktop Virtualization
- SSL VPN Virtualization
- Differences Between Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6)
- The TCP/IP Protocol Suite
- IPv4 Challenges
- IPv6
- IPSec and IPv6
- Chapter Summary
- Key Concepts and Terms
- Chapter 12 Assessment
- Part Three: Implementation, Resources, and the Future
- Chapter 13 Firewall Implementation
- Constructing, Configuring, and Managing a Firewall
- SmoothWall
- Examining Your Network and Its Security Needs
- What to Protect and Why
- Preserving Privacy
- Firewall Design and Implementation Guidelines
- Selecting a Firewall
- Hardware Requirements for SmoothWall
- Planning a Firewall Implementation with SmoothWall
- Firewalling a Big Organization: Application-Level Firewall and Package Filtering, a Hybrid System
- Firewalling a Small Organization: Packet Filtering or Application-Level Firewall, a Proxy Implementation
- Firewalling in a Subnet Architecture
- Installing a Firewall with SmoothWall
- Configuring a Firewall with SmoothWall
- Elements of Firewall Deployment
- Performing Testing with SmoothWall
- Firewall Troubleshooting
- Additional SmoothWall Features
- Firewall Implementation Best Practices
- Chapter Summary
- Key Concepts and Terms
- Chapter 13 Assessment
- Chapter 14 Real-World VPNs
- Operating System–Based VPNs
- VPN Appliances
- Configuring a Typical VPN Appliance
- Client-Side Configuration
- Remote Desktop Protocol
- Using Remote Control Tools
- Using Remote Access
- The Technology for Remote Use
- Choosing Between IPSec and SSL Remote Access VPNs
- Terminal Services
- TS RemoteApp
- TS Web Access
- Microsoft DirectAccess
- DMZ, Extranet, and Intranet VPN Solutions
- Intranet VPNs
- Extranet VPNs
- Internet Café VPNs
- Online Remote VPN Options
- Security
- Wake-on-LAN Support
- File Sharing
- Remote Printing
- Mac Support
- The Tor Application
- Planning a VPN Implementation
- Requirements
- Installation
- Deployment
- Testing and Troubleshooting
- VPN Implementation Best Practices
- Chapter Summary
- Key Concepts and Terms
- Chapter 14 Assessment
- Chapter 15 Perspectives, Resources, and the Future
- What the Future Holds for Network Security, Firewalls, and VPNs
- Threats
- Firewall Capabilities
- Encryption
- Authentication
- Metrics
- Focus
- Securing the Cloud
- Securing Mobile Devices
- Mobile IP
- Bring Your Own Device (BYOD)
- Resource Sites for Network Security, Firewalls, and VPNs
- Tools for Network Security, Firewalls, and VPNs
- Commercial Off-the-Shelf (COTS) Software
- Open Source Applications and Tools
- The Impact of Ubiquitous Wireless Connectivity
- Potential Uses of Security Technologies
- What Happens When There Is No Perimeter?
- Specialized Firewalls Available
- Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs)
- Effect of Honeypots, Honeynets, and Padded Cells
- Emerging Network Security Technologies
- IP Version 6
- VPNs, Firewalls, and Virtualization
- Steganography
- Anti-Forensics
- Chapter Summary
- Key Concepts and Terms
- Chapter 15 Assessment
- Appendix A: Answer Key
- Appendix B: Standard Acronyms
- Glossary of Key Terms
- References
- Index