Network security management
World Headquarters Jones & Bartlett Learning 5 Wall Street Burlington, MA 01803 978-443-5000 [email protected] www.jblearning.com
Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to [email protected].
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.
The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. Network Security, Firewalls, and VPNs, Second Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.
There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.
Production Credits Chief Executive Officer: Ty Field President: James Homer SVP, Editor-in-Chief: Michael Johnson SVP, Curriculum Solutions: Christopher Will Director of Sales, Curriculum Solutions: Randi Roger Senior Marketing Manager: Andrea DeFronzo Associate Marketing Manager: Kelly Thompson VP, Design and Production: Anne Spencer VP, Manufacturing and Inventory Control: Therese Connell Manufacturing and Inventory Control Supervisor: Amy Bacus Editorial Management: High Stakes Writing, LLC, President: Lawrence J. Goodrich Senior Editor, HSW: Ruth Walker Senior Editorial Assistant: Rainna Erikson Production Manager: Susan Schultz
Composition: Gamut+Hue, LLC Cover Design: Kristin E. Parker Director of Photo Research and Permissions: Amy Wrynn Rights & Photo Research Assistant: Joseph Veiga Cover Image: © HunThomas/ShutterStock, Inc. Chapter Opener Image: © Rodolfo Clix/Dreamstime.com Printing and Binding: Edwards Brothers Malloy Cover Printing: Edwards Brothers Malloy
ISBN: 978-1-284-03167-6
Library of Congress Cataloging-in-Publication Data Not available at time of printing.
6048
Printed in the United States of America 17 16 15 14 13 10 9 8 7 6 5 4 3 2 1
Contents
Preface
PART ONE Foundations of Network Security
CHAPTER 1 Fundamentals of Network Security
What Is Network Security? What Is Trust? Who—or What—Is Trustworthy? What Are Security Objectives?
What Are You Trying to Protect? Seven Domains of a Typical IT Infrastructure
Goals of Network Security
How Can You Measure the Success of Network Security?
Why Are Written Network Security Policies Important? Planning for the Worst
Who Is Responsible for Network Security?
Examples of Network Infrastructures and Related Security Concerns Workgroups SOHO Networks Client/Server Networks LAN Versus WAN Thin Clients and Terminal Services Remote Control, Remote Access, and VPN Boundary Networks Strengths and Weaknesses of Network Design
Enhancing the Security of Wired Versus Wireless LAN Infrastructures
Internal and External Network Issues
Common Network Security Components Used to Mitigate Threats
Hosts and Nodes IPv4 Versus IPv6 Firewall Virtual Private Networks Proxy Servers Network Address Translation Routers, Switches, and Bridges The Domain Name System Directory Services Intrusion Detection Systems and Intrusion Prevention Systems Network Access Control
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Firewall Fundamentals
What Is a Firewall? What Firewalls Cannot Do
Why Do You Need a Firewall?
What Are Zones of Risk?
How Firewalls Work and What Firewalls Do
TCP/IP Basics OSI Reference Model Sub-Protocols Headers and Payloads Addressing
Types of Firewalls
Ingress and Egress Filtering
Types of Filtering Static Packet Filtering Stateful Inspection and Dynamic Packet Filtering Network Address Translation (NAT) Application Proxy Circuit Proxy Content Filtering
Software Versus Hardware Firewalls IPv4 Versus IPv6 Firewalls
Dual-Homed and Triple-Homed Firewalls
Placement of Firewalls
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3 VPN Fundamentals What Is a Virtual Private Network?
What Are the Benefits of Deploying a VPN?
What Are the Limitations of a VPN? What Are Effective VPN Policies? VPN Deployment Models and Architecture Tunnel Versus Transport Mode
The Relationship Between Encryption and VPNs Symmetric Cryptography Asymmetric Cryptography Hashing
What Is VPN Authentication?
VPN Authorization
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
CHAPTER 4 Network Security Threats and Issues Hacker Motivation
Favorite Targets of Hackers
Threats from Internal Personnel and External Entities
The Hacking Process Fallback Attacks
Common IT Infrastructure Threats
Hardware Failures and Other Physical Threats Natural Disasters Accidents and Intentional Concerns
Malicious Code (Malware) Advanced Persistent Threat
Fast Growth and Overuse
Wireless Versus Wired
Eavesdropping
Replay Attacks
Insertion Attacks
Fragmentation Attacks, Buffer Overflows, and XSS Attacks Fragmentation Attacks Buffer Overflows XSS (Cross-Site Scripting) Attacks
Man-in-the-Middle, Session Hijacking, and Spoofing Attacks Man-in-the-Middle Attacks Session Hijacking Spoofing Attacks
Covert Channels
Network and Resource Availability Threats
Denial of Service (DoS)
Distributed Denial of Service (DDoS)
Hacker Tools
Social Engineering
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
PART TWO Technical Overview of Network Security, Firewalls, and VPNs
CHAPTER 5 Network Security Implementation Seven Domains of a Typical IT Infrastructure
Network Design and Defense in Depth
Protocols
Common Types of Addressing IPv6
Controlling Communication Pathways
Hardening Systems
Equipment Selection
Authentication, Authorization, and Accounting
Communication Encryption
Hosts: Local-Only or Remote and Mobile
Redundancy
Endpoint Security Clients Servers Routers Switches Firewalls and Proxies
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
CHAPTER 6 Network Security Management Network Security Management Best Practices
Fail-Secure, Fail-Open, and Fail-Close Options
Physical Security
Watching for Compromise
Incident Response
Trapping Intruders and Violators
Why Containment Is Important
Imposing Compartmentalization
Using Honeypots, Honeynets, and Padded Cells
Essential Host Security Controls
Backup and Recovery
User Training and Awareness
Network Security Management Tools
Security Checklist
Network Security Troubleshooting
Compliance Auditing
Security Assessment
Configuration Scans
Vulnerability Scanning
Penetration Testing
Post-Mortem Assessment Review
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 Firewall Basics Firewall Rules
Authentication, Authorization, and Accounting
Monitoring and Logging
Understanding and Interpreting Firewall Logs and Alerts
Intrusion Detection
Limitations of Firewalls
Improving Performance
The Downside of Encryption with Firewalls
Firewall Enhancements
Management Interfaces
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 Firewall Deployment Considerations
What Should You Allow and What Should You Block?
Common Security Strategies for Firewall Deployments Security Through Obscurity Least Privilege Simplicity Defense in Depth Diversity of Defense Chokepoint Weakest Link Fail-Safe
Forced Universal Participation
Essential Elements of a Firewall Policy
Software and Hardware Options for Firewalls
Benefit and Purpose of Reverse Proxy
Use and Benefit of Port-Forwarding
Considerations for Selecting a Bastion Host OS
Constructing and Ordering Firewall Rules
Evaluating Needs and Solutions in Designing Security
What Happens When Security Gets in the Way of Doing Business?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9 Firewall Management and Security Best Practices for Firewall Management
Security Measures in Addition to a Firewall
Selecting the Right Firewall for Your Needs
The Difference Between Buying and Building a Firewall
Mitigating Firewall Threats and Exploits
Concerns Related to Tunneling Through or Across a Firewall
Testing Firewall Security
Important Tools for Managing and Monitoring a Firewall
Troubleshooting Firewalls
Proper Firewall Implementation Procedure
Responding to Incidents
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 Using Common Firewalls Individual and Small Office/Home Office (SOHO) Firewall Options
Uses for a Host Software Firewall Examples of Software Firewall Products
Using Windows 7’s Host Software Firewall
Using a Linux Host Software Firewall
Managing the Firewall on an ISP Connection Device Converting a Home Router into a Firewall
Commercial Software Network Firewalls
Open-Source Software Network Firewalls
Appliance Firewalls
Virtual Firewalls
Simple Firewall Techniques
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 VPN Management VPN Management Best Practices
Developing a VPN Policy
Developing a VPN Deployment Plan
Bypass Deployment Internally Connected Deployment DMZ-Based Implementation
VPN Threats and Exploits
Commercial or Open Source VPNs
Differences Between Personal and Enterprise VPNs
Balancing Anonymity and Privacy
Protecting VPN Security to Support Availability
The Importance of User Training
VPN Troubleshooting
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 VPN Technologies
Differences Between Software and Hardware Solutions
Software VPNs Hardware VPNs
Differences Between Layer 2 and Layer 3 VPNs
Internet Protocol Security (IPSec)
Layer 2 Tunneling Protocol (L2TP)
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) SSL/TLS and VPNs
Secure Shell (SSH) Protocol
Establishing Performance and Stability for VPNs
Performance Stability
Using VPNs with Network Address Translation (NAT)
Types of Virtualization
Desktop Virtualization SSL VPN Virtualization
Differences Between Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6)
The TCP/IP Protocol Suite IPv4 Challenges IPv6 IPSec and IPv6
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
PART THREE Implementation, Resources, and the Future
CHAPTER 13 Firewall Implementation Constructing, Configuring, and Managing a Firewall
SmoothWall
Examining Your Network and Its Security Needs What to Protect and Why Preserving Privacy Firewall Design and Implementation Guidelines Selecting a Firewall
Hardware Requirements for SmoothWall
Planning a Firewall Implementation with SmoothWall Firewalling a Big Organization: Application-Level Firewall and Package
Filtering, a Hybrid System Firewalling a Small Organization: Packet Filtering or Application-Level
Firewall, a Proxy Implementation Firewalling in a Subnet Architecture
Installing a Firewall with SmoothWall
Configuring a Firewall with SmoothWall
Elements of Firewall Deployment
Performing Testing with SmoothWall
Firewall Troubleshooting
Additional SmoothWall Features
Firewall Implementation Best Practices
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 Real-World VPNs Operating System–Based VPNs
VPN Appliances
Configuring a Typical VPN Appliance Client-Side Configuration
Remote Desktop Protocol
Using Remote Control Tools
Using Remote Access
The Technology for Remote Use Choosing Between IPSec and SSL Remote Access VPNs
Terminal Services
TS RemoteApp TS Web Access
Microsoft DirectAccess
DMZ, Extranet, and Intranet VPN Solutions
Intranet VPNs Extranet VPNs
Internet Café VPNs
Online Remote VPN Options Security Wake-on-LAN Support File Sharing Remote Printing Mac Support
The Tor Application
Planning a VPN Implementation Requirements Installation Deployment
Testing and Troubleshooting
VPN Implementation Best Practices
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15 Perspectives, Resources, and the Future
What the Future Holds for Network Security, Firewalls, and VPNs Threats Firewall Capabilities Encryption Authentication Metrics Focus Securing the Cloud Securing Mobile Devices Mobile IP Bring Your Own Device (BYOD)
Resource Sites for Network Security, Firewalls, and VPNs
Tools for Network Security, Firewalls, and VPNs
Commercial Off-the-Shelf (COTS) Software Open Source Applications and Tools
The Impact of Ubiquitous Wireless Connectivity
Potential Uses of Security Technologies What Happens When There Is No Perimeter?
Specialized Firewalls Available Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs)
Effect of Honeypots, Honeynets, and Padded Cells
Emerging Network Security Technologies IP Version 6 VPNs, Firewalls, and Virtualization Steganography Anti-Forensics
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms Glossary of Key Terms
References
Index
Preface
Purpose of This Book
This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.
The first part of this book on network security focuses on the business challenges and threats that you face as soon as you physically connect your organization’s network to the public Internet. It will present you with key concepts and terms, and reveal what hackers do when trying to access your network, thus providing you with the necessary foundation in network security for the discussions that follow. It will define firewalls and virtual private networks (VPNs), providing you with an understanding of how to use them as security countermeasures to solve business challenges.
Part 2 discusses how to implement network security and reviews best practices. It discusses to how select and deploy firewalls and the tools for managing and monitoring them. It also reviews implementing a VPN, the technologies involved, and VPN-management best practices.
Part 3 focuses on the practical, giving concrete, step-by-step examples of how to implement a firewall and a VPN. It also discusses what challenges the future holds for information security professionals involved in network security. It covers the tools and resources available to the professional and scans the horizon of emerging technologies.
Learning Features
The writing style of this book is practical and conversational. Step-by-step examples of information security concepts and procedures are presented throughout the text. Each chapter begins with a statement of learning objectives. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional and helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book.
Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.
Audience
The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.
About the Author
James Michael Stewart has been working with computers and technology for more than 25 years. His work focuses on security, certification, and various operating systems. Recently, Michael has been teaching job-skill and certification courses such as CISSP, CEH, and Security+. He is the primary author of the CISSP Study Guide, 4th Edition and the Security+ 2008 Review Guide. In addition, Michael has written numerous books on other security and Microsoft certification and administration topics. He has developed certification courseware and training materials as well as presented these materials in the classroom. Michael holds the following certifications: CISSP, ISSAP, SSCP, MCT, CEI, CEH, TICSA, CIW SA, Security+, MCSE+Security: Windows 2000, MCSA Windows Server 2003, MCDST, MCSE NT & W2K, MCP+I, Network+, iNet+. He graduated in 1992 from the University of Texas at Austin with a bachelor’s degree in philosophy.
PART ONE
Foundations of Network Security
CHAPTER 1 Fundamentals of Network Security
CHAPTER 2 Firewall Fundamentals
CHAPTER 3 VPN Fundamentals
CHAPTER 4 Network Security Threats and Issues
CHAPTER
1 Fundamentals of Network Security
COMPUTER NETWORK SECURITY is very complex. New threats from inside and outside networks appear constantly. Just as constantly, the security community is developing new products and procedures to defend against threats of the past and unknowns of the future.
As companies merge, people lose their jobs, new equipment comes online, and business tasks change, people do not always do what you expect. Network security configurations that worked well yesterday might not work quite as well tomorrow. In an ever-changing business climate, whom should you trust? Has your trust been violated? How would you even know? Who is attempting to harm your network this time? And why?
Because of these complex issues, you need to understand the essentials of network security. This chapter will introduce you to the basic elements of network security. Once you have a firm grasp of these fundamentals, you will be well equipped to put effective security measures into practice on your organization’s network.
Chapter 1 Topics
This chapter covers the following topics and concepts:
What network security is
What you are trying to protect within the seven domains of a typical IT infrastructure
What the goals of network security are
How you can assess the success of your network security implementation
Why written network security policies are important
Who is responsible for network security
What some examples of network infrastructures and related security concerns are
Which controls can enhance the security of wired vs. wireless local area network (LAN) infrastructures
What some examples of internal and external network issues are
Which common network security components are used to mitigate threats throughout the IT infrastructure
Chapter 1 Goals
When you complete this chapter, you will be able to:
Describe the key concepts and terms associated with network security
Describe the importance of a written security policy and explain how policies help mitigate risk exposure and threats to a network infrastructure
Define network security roles and responsibilities and who within an IT organization is accountable for these security implementations
Identify examples of network security concerns or threats that require enhanced security countermeasures to properly mitigate risk exposure and threats
Describe the security requirements needed for wired versus wireless LAN infrastructures in order to provide an enhanced level of security
Compare and contrast common network security components and devices and their use throughout the IT infrastructure
What Is Network Security?
Network security is the control of unwanted intrusion into, use of, or damage to communications on your organization’s computer network. This includes monitoring for abuses, looking for protocol errors, blocking non-approved transmissions, and responding to problems promptly. Network security is also about supporting essential communication necessary to the organization’s mission and goals, avoiding the unapproved use of resources, and ensuring the integrity of the information traversing the network.
Network security includes elements that prevent unwanted activities while supporting desirable activities. This is hard to do efficiently, cost effectively, and transparently. Efficient network security provides quick and easy access to resources for users. Cost-effective network security controls user access to resources and services without excessive expense. Transparent network security supports the mission and goals of the organization through enforcement of the organization’s network security policies, without getting in the way of valid users performing valid tasks.
Computer networking technology is changing and improving faster today than ever before. Wireless connectivity is now a realistic option for most companies and individuals. Malicious hackers are becoming more adept at stealing identities and money using every means available.
Today, many companies spend more time, money, and effort protecting their assets than they do on the initial installation of the network. And little wonder. Threats, both internal and external, can
cause a catastrophic system failure or compromise. Such security breaches can even result in a company going out of business. Without network security, many businesses and even individuals would not be able to work productively.
Network security must support workers in doing their jobs while protecting against compromise, maintaining high performance, and keeping costs to a minimum. This can be an incredibly challenging job, but it is one that many organizations have successfully tackled.
Network security has to start somewhere. It has to start with trust.
What Is Trust? Trust is confidence in your expectation that others will act in your best interest. With computers and networks, trust is the confidence that other users will act in accordance with your organization’s security rules. You trust that they will not attempt to violate the stability, privacy, or integrity of the network and its resources. Trust is the belief that others are trustworthy.
Unfortunately, sometimes people violate your trust. Sometimes they do this by accident, oversight, or ignorance that the expectation even existed. In other situations, they violate trust deliberately. Because these people can be either internal personnel or external hackers, it’s difficult to know whom to trust.
So how can you answer the question, “Who is trustworthy?” You begin by realizing that trust is based on past experiences and behaviors. Trust is usually possible between people who already know each other. It’s neither easy nor desirable to trust strangers. However, once you’ve defined a set of rules and everyone agrees to abide by those rules, you have established a conditional trust. Over time, as people demonstrate that they are willing to abide by the rules and meet expectations of conduct, then you can consider them trustworthy.
Trust can also come from using a third-party method. If a trustworthy third party knows you and me, and that third party states that you and I are both trustworthy people, then you and I can assume that we can conditionally trust each other. Over time, someone’s behavior shows whether the initial conditional trust was merited or not.
A common example of a third-party trust system is the use of digital certificates that a public certificate authority issues. As shown in Figure 1-1, a user communicates with a Web e-commerce server. The user does not initially know whether a Web server is what it claims to be or if someone is “spoofing” its identity. Once the user examines the digital certificate issued to the Web server from the same certificate authority that issued the user’s digital certificate, the user can then trust that the identity of the Web site is valid. This occurs because both the user and the Web site have a common, trustworthy third party that they both know.
Ultimately, network security is based on trust. Companies assume that their employees are trustworthy and that all of the computers and network devices are trustworthy. But not all trust is necessarily the same. You can (and probably should) operate with different levels or layers of trust. Those with a higher level of trust can be assigned greater permissions and privileges. If someone or something violates your trust, then you remove the violator’s access to the secure environment. For example, companies terminate an untrustworthy employee or replace a defective operating system.
FIGURE 1-1
An example of a third-party trust system.
Who—or What—Is Trustworthy? Determining who or what is trustworthy is an ongoing activity of every organization, both global corporations and a family’s home network. In both cases, you offer trust to others on a conditional basis. This conditional trust changes over time based on adherence to or violation of desired and prescribed behaviors.
If a program causes problems, it loses your trust and you remove it from the system. If a user violates security, that person loses your trust and might have access privileges revoked. If a worker abides by the rules, your trust grows and privileges increase. If an Internet site does not cause harm, you deem it trustworthy and allow access to that site.
To review, trust is subjective, tentative, and changes over time. You can offer trust based on the reputation of a third party. You withhold trust when others violate the rules. Trust stems from actions in the past and can grow based on future behaviors.
In network security, trust is complex. Extending trust to others without proper background investigation can be devastating. A network is only as secure as its weakest link. You need to vet every aspect of a network, including software, hardware, configuration, communication patterns, content, and users, to maintain network security. Otherwise, you will not be able to accomplish the security objectives of your organization’s network.
What Are Security Objectives? Security objectives are goals an organization strives to achieve through its security efforts. Typically, organizations recognize three primary security objectives:
Confidentiality/privacy Integrity/nonrepudiation Availability/uptime
Confidentiality is the protection against unauthorized access, while providing authorized users access to resources without obstruction. Confidentiality ensures that data is not intentionally or unintentionally disclosed to anyone without a valid need to know. A job description defines the person’s need to know. If a task does not require access to a specific resource, then that person does not have a need to know that resource.
Integrity is the protection against unauthorized changes, while allowing for authorized changes performed by authorized users. Integrity ensures that data remain consistent, both internally and externally. Consistent data do not change over time and remain in sync with the real world. Integrity also protects against accidents and hacker modification by malicious code, or software written with malicious intent.
Availability is the protection against downtime, loss of data, and blocked access, while providing consistent uptime, protecting data, and supporting authorized access to resources. Availability ensures that users can get their work done in a timely manner with access to the proper resources.
Authentication is the proof or verification of a user’s identity before granting access to a secured area. This can occur both on a network as well as in the physical, real world. While the most common form of authentication is a password, password access is also the least secure method of authentication. Multifactor authentication is the method most network administrators prefer for secure logon.
Authorization is controlling what users are allowed and not allowed to do. Authorization is dictated by the organization’s security structure, which may focus on discretionary access control (DAC), mandatory access control (MAC), or role-based access control (RBAC). Authorization restricts access based on need to know and users’ job descriptions. Authorization is also known as access control.
Nonrepudiation is the security service that prevents a user from being able to deny having performed an action. For example, nonrepudiation prevents a sender from denying having sent a message. Auditing and public-key cryptography commonly provide nonrepudiation services.
Privacy protects the confidentiality, integrity, and availability of personally identifiable or sensitive data. Private data often includes financial records and medical information. Privacy prevents the unauthorized watching and monitoring of users and employees.
Maintaining and protecting these security objectives can be a challenge. As with most difficult tasks, breaking security down into simpler or smaller components will help you to understand and ultimately accomplish this objective. To support security objectives, you need to know clearly what you are trying to protect.
What Are You Trying to Protect?
In terms of security, the things you want to protect are known as assets. An asset is anything used to
conduct business. Any object, computer, program, piece of data, or other logical or physical component employees need to accomplish a task is an asset.
Assets do not have to be expensive, complicated, or large. In fact, many assets are relatively inexpensive, commonplace, and variable in size. But no matter the characteristics, an asset needs protection. When assets are unavailable for whatever reason, people can’t get their work done.
For most organizations, including SOHO (small office, home office) environments, the assets of most concern include business and personal data. If this information is lost, damaged, or stolen, serious complications result. Businesses can fail. Individuals can lose money. Identities can be stolen. Even lives can be ruined.
What causes these problems? What violates network security? The answer includes accidents, ignorance, oversight, and hackers. Accidents happen, including hardware failures and natural disasters. Poor training equals ignorance. Workers with the best of intentions damage systems if they don’t know proper procedures or lack necessary skills. Overworked and rushed personnel overlook issues that can result in asset compromise or loss. Malicious hackers can launch attacks and exploits against the network, seeking to gain access or just to cause damage.
Hacking originally meant tinkering or modifying systems to learn and explore. However, the term has come to refer to malicious and possibly criminal intrusion into and manipulation of computers. In either case, a malicious or criminal hacker is a serious threat. Every network administrator should be concerned about hacking.
Some important aspects of security stem from understanding the techniques, methods, and motivations of hackers. Once you learn to think like a hacker, you may be able to anticipate future attacks. This enables you to devise new defenses before a hacker can successfully breach your organization’s network.
So how do hackers think? Hackers think along the lines of manipulation or change. They look into the rules to create new ways of bending, breaking, or changing them. Many successful security breaches have been little more than slight variations or violations of network communication rules.
Hackers look for easy targets or overlooked vulnerabilities. Hackers seek out targets that provide them the most gain, often financial rewards. Hackers turn things over, inside out, and in the wrong direction. Hackers attempt to perform tasks in different orders, with incorrect values, outside the boundaries, and with a purpose to cause a reaction. Hackers learn from and exploit mistakes, especially mistakes of the network security professionals who fail to properly protect an organization’s assets.
FIGURE 1-2
The seven domains of a typical IT infrastructure.
Why is thinking like a hacker critically important? A sixth century Chinese military strategist and philosopher, Sun Tzu, in his famous military text The Art of War, stated: “If you know the enemy and know yourself you need not fear the results of a hundred battles.” Once you understand how hackers think, the tools they use, their exploits, and the attack techniques they employ, you can create effective defenses to protect against them.
You’ve often heard that “the best defense is a good offense.” While this statement may have merit elsewhere, most network security administrators do not have the luxury—or legal right—to attack hackers. Instead, you need to turn this strategic phrase around: The best offense is a good defense. While network security administrators cannot legally or ethically attack hackers, they are fully empowered to defend networks and assets against hacker onslaughts.
Seven Domains of a Typical IT Infrastructure Hackers look for any and every opportunity to exploit a target. No aspect of an IT infrastructure is without risk, nor is it immune to the scrutiny of a hacker. When thinking like a hacker, analyze every one of the seven domains of a typical IT infrastructure (Figure 1-2) for potential vulnerabilities and weaknesses. Be thorough. A hacker needs only one crack in the protections to begin chipping away at the defenses. You need to find every possible breach point to secure it and harden the network.
The seven domains of a typical IT infrastructure are:
User Domain—This domain refers to actual users, whether they are employees, consultants, contractors, or other third-party users. Any user who accesses and uses the organization’s IT
infrastructure must review and sign an acceptable use policy (AUP) prior to being granted access to the organization’s IT resources and infrastructure.
Workstation Domain—This domain refers to the end user’s desktop devices such as a desktop computer, laptop, VoIP telephone, or other endpoint device. Workstation devices typically require security countermeasures such as antivirus, anti-spyware, and vulnerability software patch management to maintain the integrity of the device.
LAN Domain—This domain refers to the physical and logical local area network (LAN) technologies (i.e., 100Mbps/1000Mbps switched Ethernet, 802.11 family of wireless LAN technologies) used to support workstation connectivity to the organization’s network infrastructure.
LAN-to-WAN Domain—This domain refers to the organization’s internetworking and interconnectivity point between the LAN and the WAN network infrastructures. Routers, firewalls, demilitarized zones (DMZ), and intrusion detection systems (IDS) and intrusion prevention systems (IPS) are commonly used as security monitoring devices in this domain.
Remote Access Domain—This domain refers to the authorized and authenticated remote access procedures for users to remotely access the organization’s IT infrastructure, systems, and data. Remote access solutions typically involve SSL-128 bit encrypted remote browser access or encrypted VPN tunnels for secure remote communications.
WAN Domain—Organizations with remote locations require a wide area network (WAN) to interconnect them. Organizations typically outsource WAN connectivity from service providers for end-to-end connectivity and bandwidth. This domain typically includes routers, circuits, switches, firewalls, and equivalent gear at remote locations, sometimes under a managed service offering by the service provider.
System/Application Domain—This domain refers to the hardware, operating system software, database software, client/server applications, and data that is typically housed in the organization’s data center and/or computer rooms.
The first step is recognizing that the potential for compromise exists throughout an organization. The next step is to comprehend the goals of network security.
Goals of Network Security
Network security goals vary from organization to organization. Often, however, they include a few common mandates:
Ensure the confidentiality of resources Protect the integrity of data Maintain availability of the IT infrastructure Ensure the privacy of personally identifiable data Enforce access control
Monitor the IT environment for violations of policy Support business tasks and the overall mission of the organization
Whatever your organization’s security goals are, to accomplish them, you need to write down those goals and develop a thorough plan to execute them. Without a written plan, security will be haphazard at best and will likely fail to protect your assets. With a written plan, network security is on the path to success. Once you define your security goals, these goals will become your organization’s roadmap for securing the entire IT infrastructure.
How Can You Measure the Success of Network Security?
An organization measures the security of its network by how well its stated security goals are accomplished and its security standards maintained. In essence, this becomes the organization’s baseline definition for information systems security. For example, if private information on the network does not leak to outsiders, then your efforts to maintain confidentiality were successful. Or, if employees are able to complete their work on time and on budget, then your efforts to provide system integrity protection were successful.
If violations take place that compromise your assets or prevent the accomplishment of a security goal, however, then network security was less than successful. But let’s face it, security is never perfect. In fact, even with well-designed and executed security, accidents, mistakes, and even intentional harmful exploits will dog your best efforts. The perfect security components do not exist. All of them have weaknesses, limitations, backdoors, work-arounds, programming bugs, or some other exploitable element.
Fortunately, though, successful security doesn’t rely on the installation of just a single defensive component. Instead, good network security relies on an interweaving of multiple effective security components. You don’t have just one lock on your house. By combining multiple protections, defenses, and detection systems, you can rebuff many common, easy hacker exploits.
Network security success is not about preventing all possible attacks or compromises. Instead, you work to continually improve the state of security so that in the future, the network is better protected than it was in the past. As hackers create new exploits, security professionals learn about them, adapt their methods and systems, and establish new defenses. Successful network security is all about constant vigilance, not creating an end product. Security is an ongoing effort that constantly changes to meet the challenge of new threats.
Why Are Written Network Security Policies Important?
A clearly written security policy establishes tangible goals. Without solid and defined goals, your security efforts would be chaotic and hard to manage. Written plans and procedures focus security efforts and resources on the most important tasks to support your organization’s overall security objectives.
A written security policy is a road map. With this map, you can determine whether your efforts are
on track or going in the wrong direction. The plan provides a common reference against which security tasks are compared. It serves as a measuring tool to judge whether security efforts are helping rather than hurting the accomplishment of your organization’s security objectives.
With a written security policy, all security professionals strive to accomplish the same end: a successful, secure work environment. By following the written plan, you can track progress so that you install and configure all the necessary components. A written plan validates what you do, defines what you still need to do, and guides you on how to repair the infrastructure when necessary.
Without a written security policy, you cannot trust that your network is secure. Without a written security policy, workers won’t have a reliable guide on what to do, and judging security success will be impossible. Without a written policy, you have no security.
Planning for the Worst Things invariably go wrong. Users make mistakes. Malicious code finds its way into your network. Hackers discover vulnerabilities and exploit them. In anticipating problems that threaten security, you must plan for the worst.
This type of planning has many names, including contingency planning, worst-case scenario planning, business continuity planning, disaster recovery planning, and continuation of operations planning. The name is not important. What’s crucial is that you do the planning itself.
When problems occur, shift into response gear: respond, contain, and repair. Respond to all failures or security breaches to minimize damage, cost, and downtime. Contain threats to prevent them from spreading or affecting other areas of the infrastructure. Repair damage promptly to return systems to normal status quickly and efficiently. Remember, the goals of security are confidentiality, integrity, and availability. Keep these foremost in mind as you plan for the worst.
The key purpose of planning for problems is to be properly prepared to protect your infrastructure. With a little luck, a major catastrophe won’t occur. But better to prepare and not need the response plan than to allow problems to cause your business to fail.
Who Is Responsible for Network Security?
Network security is the responsibility of everyone who uses the network. Within an organization, no one has the luxury of ignoring security rules. This applies to global corporations as well as home networks. Every person is responsible for understanding his or her role in supporting and maintaining network security. The weakest link rule applies here: If only one person fails to fulfill this responsibility, security for all will suffer.
Senior management has the ultimate and final responsibility for security. This is for good reason —senior management is the most concerned about the protection of the organization’s assets. Without the approval and support of senior management, no security effort can succeed. Senior management must ensure the creation of a written security policy that all personnel understand and follow.
Senior management also assigns the responsibility for designing, writing, and executing the security plan to the IT staff. Ideally, the result of these efforts is a secure network infrastructure. The security staff, in turn, must thoroughly manage all assets, system vulnerabilities, imminent threats, and
pertinent defenses. Their task is to design, execute, and maintain security throughout the organization. In their role as overseers of groups of personnel, managers and supervisors must ensure that
employees have all the tools and resources to accomplish their work. Managers must also ensure that workers are properly trained in skills, procedures, policies, boundaries, and restrictions. Employees can mount a legitimate legal case against an organization that requires them to perform work for which they are not properly trained.
Network administrators manage all the organization’s computer resources. Resources include file servers, network access, databases, printer pools, and applications. The network administrator’s job is to ensure that resources are functional and available for users while enforcing confidentiality and network integrity.
An organization’s workers are the network users and operators. They ultimately do the work the business needs to accomplish. Users create products, provide services, perform tasks, input data, respond to queries, and much more. Job descriptions may apply to a single user or a group of users. Each job description defines a user’s tasks. Users must perform these tasks within the limitations of network security.
Auditors watch for problems and violations. Auditors investigate the network, looking for anything not in compliance with the written security policy. Auditors watch the activity of systems and users to look for violations, trends toward bottlenecks, and attempts to perform violations. The information uncovered by auditors can help improve the security policy, adjust security configurations, or guide investigators toward apprehending security violators.
All of these roles exist within every organization. Sometimes different individuals perform these roles. In other situations, a single person performs all of these roles. In either case, these roles are essential to the creation, maintenance, and improvement of security.
Examples of Network Infrastructures and Related Security Concerns
As you design a network, you need to evaluate every aspect in light of its security consequences. With limited budgets, personnel, and time, you must also minimize risk and maximize protection. Consider how each of the following network security aspects affects security for large corporations, small companies, and even home-based businesses.
Workgroups A workgroup is a form of networking in which each computer is a peer or equal. Peers are equal in how much power or controlling authority any one system has over the other members of the same workgroup. All workgroup members are able to manage their own local resources and assets, but not those of any other workgroup member.
Workgroups are an excellent network design for very small environments, such as home family networks or very small companies. In most cases, a workgroup comprises fewer than 10 computers and rarely contains more than 20 computers. No single rule dictates the size of a workgroup. Instead,
the administrative overhead of larger workgroups encourages network managers to move to a client/server configuration.
Figure 1-3 shows a typical workgroup configuration. In this example, a switch interconnects the four desktop workgroup members as well as an Internet connection device and a wireless access point. Additional clients can connect wirelessly via the access point or wired via a cable connecting to the switch.
Workgroups do not have a central authority that controls or restricts network activity or resource access. Instead, each individual workgroup member makes the rules and restrictions over resources and assets. The security defined for one member does not apply to nor affect any other computer in the workgroup.
FIGURE 1-3
An example of a typical workgroup.
Due to system-by-system–based security, a worker or a workgroup member needs to have a user account defined on each of the other workgroup members to access resources on those systems. Each of these accounts is technically a unique user account, even if it is created by using the same characters for the username and password.
This results in either several unique user accounts with different names and different passwords or several unique user accounts with the same name and same password. In either case, security is poor. In the former case, the user must remember several sets of credentials. This often results in the user writing down the credentials. In the later case, an intruder need compromise only one set of credentials.
This lack of central authority is both a strength and weakness of workgroups. This characteristic
is a strength in that each user of each computer can make his or her own choices about sharing resources with others. However, this is at the same time a weakness because of the inconsistent levels of access.
Workgroups are easy to create. Often, the default network configuration of operating systems is to be a member of a workgroup. A new workgroup is created by just defining a unique name on a computer. Once one computer names the workgroup, it now exists. Other computers become members of the new workgroup just by using the same name. Since workgroups lack a central authority, anyone can join or leave a workgroup at any time. This includes unauthorized systems owned by rogue employees or external parties.
Most workgroups use only basic resource-share protections, fail to use encrypted protocols, and are lax on monitoring intrusions. While imposing some security on workgroups is possible, usually each workgroup member is configured individually. Fortunately, since workgroups are small, this does not represent a significant amount of effort.
SOHO Networks SOHO stands for small office, home office. SOHO is a popular term that describes smaller networks commonly found in small businesses, often deployed in someone’s home, garage, portable building, or leased office space. A SOHO environment can be a workgroup or a client/server network. Usually a SOHO network implies purposeful design with business and security in mind.
SOHO networks generally are more secure than a typical workgroup, usually because a manager or owner enforces network security. Security settings defined on each work-group member are more likely to be consistent when the workgroup has a security administrator. Additionally, SOHO networks are more likely to employ security tools such as antivirus software, firewalls, and auditing.
Client/Server Networks A client/server network is a form of network where you designate some computers as servers and others as clients. Servers host resources shared with the network. Clients access resources and perform tasks. Users work from a client computer to interact with resources hosted by servers. In a client/server network, access is managed centrally from the servers. Thus, consistent security is easily imposed across all network members.
Figure 1-4 shows a possible basic layout of a client/server network. In this example, three servers host the resources, such as printers, Internet connectivity, and file storage shared with the network. Both wired and wireless clients are possible. Switches interconnect all nodes. Client/server networks are more likely to use hardware or appliance firewalls.
Client/server networks also employ single sign-on (SSO). SSO allows for a single but stronger set of credentials per user. With SSO, each user must perform authentication to gain access to the client and the network. Once the user has logged on, access control manages resource use. In other words, client/server authentication with SSO is often more complex than workgroup authentication— but it’s more secure. Users only need to log on once, not every time they contact a resource host server.
Because of their complexity, client/server networks are invariably more secure than SOHO and
workgroup networks. But complexity alone is not security. Instead, because they are more complex, client/server networks require more thorough design and planning. Security is an important aspect of infrastructure planning and thus becomes integrated into the network’s design.
FIGURE 1-4
An example of a typical client/server network.
Client/server networks are not necessarily secure because you can deploy a client/server network without any thought toward security. But most organizations understand that if they overlook network security, they are ensuring their ultimate technological downfall. Security is rarely excluded from the deployment process. And some networks are by nature more secure than others.
LAN Versus WAN LAN stands for local area network. A LAN is a network within a limited geographic area. This means that a LAN network is located in a single physical location rather than spread across multiple locations. Some LANs are quite large, while others are very small. A more distinguishing characteristic of a LAN is that all of the segments or links of a LAN are owned and controlled by one organization. A LAN does not contain or use any leased or externally owned connections.
WAN stands for wide area network. A WAN is a network not limited by any geographic boundaries. This means that a WAN network can span a few city blocks, reach across the globe, and
even extend into outer space. A distinguishing characteristic of a WAN is that it uses leased or external connections and links. Most organizations rely on telecommunication service providers (often referred to as telcos) for WAN circuits and links to physical buildings and facilities, including the last-mile connection to the physical demarcation point. Both LAN and WAN networks can be secure or insecure. They are secure if a written security policy guides their use. With a LAN, the owner of the network has the sole responsibility of ensuring that security is enforced. With a WAN, the leasing entity must select a telco that has a secure WAN infrastructure and incorporate service level agreements (SLAs) that define the level of service and performance that is to be provided on a monthly basis for the customer. In most cases, WAN data is secure only if the data sent across leased lines is encrypted before transmission. This service is the responsibility of the data owner, not the telecommunications service provider, unless this option is offered as a value-added service.
Thin Clients and Terminal Services Thin client computing, also known as terminal services, is an old computing idea that has made a comeback in the modern era. In the early days of computers, the main computing core, commonly called a mainframe, was controlled through an interface called a terminal. The terminal was nothing more than a video screen (usually mono-chrome) and a keyboard. The terminal had no local processing or storage capabilities. All activities took place on the mainframe and the results appeared on the screen of the terminal.
With the advent of personal computers (PCs), a computer at a worker’s desk offered local processing and storage capabilities. These PCs became the clients of client/server computers. Modern networking environments can offer a wide range of options for end users. Fully capable PCs used as workstations or client systems are the most common. PCs can run thin-client software, which emulates the terminal system of the past. That means they perform all tasks on the server or mainframe system and use the PC only as a display screen with a keyboard and mouse. Even modern thin client terminals can connect into a server or mainframe without using a full PC.
Remote Control, Remote Access, and VPN Remote control is the ability to use a local computer system to remotely take over control of another computer over a network connection. In a way, this is the application of the thin client concept on a modern fully capable workstation to simulate working against a mainframe or to virtualize your physical presence.
With remote control connection, the local monitor, keyboard, and mouse control a remote system. This looks and feels as if you are physically present at the keyboard of the remote system, which could be located in another city or even on the other side of the world. Every action you perform locally takes place at that remote computer via the remote control connection. The only limitations are the speed of the intermediary network link and the inability to physically insert or remove media such as a flash drive and use peripherals such as a printer.
You might consider remote control as a form of software-based thin client or terminal client. In fact, many thin client and terminal client products are sold as remote control solutions.
Many modern operating systems include remote control features, such as the Remote Desktop
feature found in most versions of Windows. Once enabled, a Remote Desktop connection remotely controls another Windows system from across the network.
Remote access is different from remote control. A remote access link enables access to network resources using a WAN link to connect to the geographically distant network. In effect, remote access creates a local network link for a system not physically local to the network. Over a remote access connection, a client system can technically perform all the same tasks as a locally connected client, with the only difference being the speed of the connection. Network administrators can impose restrictions on what resources and services a remote access client can use.
Remote access originally took place over dial-up telephone links using modems. Today, remote access encompasses a variety of connection types, including ISDN, DSL, cable modem, satellite, mobile broadband, and more.
In most cases, a remote access connection links from a remote client back to a primary network. A remote access server (RAS) accepts the inbound connection from the remote client. Once the connection goes through, the remote client now interacts with the network as if it were locally connected.
Another variant of remote connections is the virtual private network (VPN). A VPN is a form of network connection created over other network connections. In most cases, a VPN link connects a remote system and a LAN, but only after a normal network connection links to an intermediary network.
In Figure 1-5, a LAN has a normal network connection to the Internet and a remote client has established a normal network connection to the Internet as well. These two connections work independently of each other. The LAN’s connection is usually a permanent or dedicated connection supporting both inbound and outbound activities with the Internet. The remote client’s connection to the Internet can be dedicated or non-dedicated. In the latter case, the connection precedes the VPN creation. Once both endpoints of the future VPN link have a connection to the intermediary network (in this example, the Internet), then the VPN exists.
FIGURE 1-5
Common resource access connections.
FIGURE 1-6
A VPN established betweeen a remote client and a LAN over the Internet.
In Figure 1-6, a new network connection connects the remote client to the LAN across the intermediary network. This new network connection is the VPN.
A VPN is a mechanism to establish a remote access connection across an intermediary network, often the Internet. VPNs allow for cheap long-distance connections over the Internet, as both endpoints only need a local Internet link. The Internet itself serves as a “free” long-distance carrier.
A VPN uses tunneling or encapsulation protocols. Tunneling protocols encase the original network protocol so that it can traverse the intermediary network. In many cases, the tunneling protocol employs encryption so that the original data securely traverses the intermediary network.
Boundary Networks A boundary network is a subnetwork, or subnet, positioned on the edge of a LAN. A boundary network isolates certain activities, such as programming or research and development, from the internal environment (private LANs), which does not need to be externally accessible. External users can also access resources hosted in a boundary network. Such a subnet is known as a demilitarized zone (DMZ).
A DMZ is a boundary network that hosts resource servers for the public Internet. An extranet is a boundary network that hosts resource servers for a limited and controlled group of external users, such as business partners, suppliers, distributors, contractors, and so forth.
A DMZ subnet is a common network design component used to host public information services, such as Web sites. A DMZ allows for anyone on the public Internet to access resources. But at the same time, the DMZ provides some filtering of obvious malicious traffic and prevents Internet users from accessing the private LAN.
An extranet subnet provides companies that need to exchange data with external partners a safe place for that activity. An extranet is secured so only the intended external users can access it. Often, accessing an extranet requires VPN connections. An extranet configuration keeps public users from the Internet out and keeps the external partners out of the private LAN.
You can deploy both DMZ and extranet subnets in different ways. Two of the most common designs are a screened subnet using a three-homed firewall (Figure 1-7) and N-tier deployment (Figure 1-8). A screened subnet using a three-homed firewall creates a network segment for the private LAN and a network segment for the DMZ or extranet. The three-homed firewall serves as a filtering device as well as a router to control traffic entering these two segments.
FIGURE 1-7
A DMZ or extranet deployed as a screened subnet with a three-homed firewall.
FIGURE 1-8
A DMZ or extranet deployed in an N-tier configuration.
The N-tier deployment creates a series of subnets separated by firewalls. The DMZ or extranet subnet serves as a buffer network between the Internet and the private LAN.
Strengths and Weaknesses of Network Design You need to evaluate every network design or layout for its security strengths and weaknesses. While there are no perfect deployments, some provide better security for a given set of parameters than others. For example, a network with only a single connection to the Internet is easier to secure than a network with multiple connections to the Internet.
When you are designing a network, consider the paths that malicious traffic could use to reach the interior of your private LAN. The more potential pathways, the more challenging securing the network will be. However, consider redundancy as well. If your primary connection to the Internet fails, do you have an alternate connection? Remember, security is not just about preventing malicious events but also about ensuring that users can perform essential business tasks.
Try to avoid network designs that have a single point of failure. Always try to have redundant options to ensure that your mission-critical functions can take place. Keep in mind that bottlenecks are
still likely to happen even with redundant pathways. Over time, monitor traffic and use levels on every segment across the network to look for trends toward reduced throughput or productivity. A bottleneck may at first be a slight hindrance to high performance and productivity, but it can later become a form of a denial of service (DoS) attack.
Another consideration is traffic control and filtering. Blocking or allowing traffic is an important element in network security. You control what traffic enters or leaves the network. Traffic filtering often takes place at network chokepoints. A chokepoint is a form of bottleneck and is a single controlled pathway between two different levels of network trust where a firewall or other filtering devices block or allow traffic based on a set of rules. Thus, rather than being only a benefit for filtering, a chokepoint can slow throughput or become a target for DoS attacks.
Another network design issue is the location of authorized users. Often, you assume that valid users are internal users. With the proliferation of telecommuting and outsourcing, however, valid users can often be external users as well. Realizing this, you must design networks to support inbound connections from valid external users. This can involve traditional remote access connections, but more likely will use VPN links. VPNs provide connections for remote users that function like local connections and encryptions to keep the content of those connections confidential.
Enhancing the Security of Wired Versus Wireless LAN Infrastructures
Wired networks offer a form of security that wireless networks lack. That security is the direct physical connection to a wired or cabled network. A hacker requires physical access to your facility or building. Usually, access control of the building can sufficiently prevent most external parties from accessing your private LAN.
Realize, however, that if you allow remote connection via telephone modem, high-speed broadband, or even basic Internet service, then you lose the advantage of a physical access limitation. Once remote access is allowed, the benefits of physical isolation disappear.
The same is true if you allow wireless connections into the network. Wireless networking grants valid and unknown users the ability to interact with the network. This completely eliminates the need to be physically present in the building to connect to the network. Many organizations are allowing, even encouraging, employees, contractors, and visitors to Bring Your Own Device (BYOD), a move that is cost effective and often improves efficiency, but at the risk of control of the end users’ devices. With the right type of antenna, an attacker could be over a mile away from your office building and still be able to affect your wireless network.
To regain some of the security offered by physical isolation, try to incorporate physical isolation into your network design. Isolate all remote access and wireless access points from the main wired network. You can achieve this by using separate subnets and by filtering communications using firewalls. While design does not offer the same level of security as physical isolation, the arrangement provides a significant improvement over having no control over remote or wireless connections.
All remote connections should go through a rigorous gauntlet of verification before you grant
access to the internal LAN. Think of a castle design in the Middle Ages that used multiple layers of defense: a moat, a drawbridge, thick riveted walls, an inner battlement, and finally, a strong keep or inner fortress. Your multilayer defensive design should include multi-factor authentication and communication encryption, such as a VPN. Additional checks can include verification of operating system and patch level, confirmation of physical or logical location origin (such as caller ID, MAC address, or IP address), limitations to time of day, and limitations on protocols above the Transport Layer. Any intruder would need to circumvent layer after layer, making intrusion more and more difficult.
NOTE An attack known as “Van Eck phreaking” allows an attacker to eavesdrop on electronic devices from a distance. This technique is not perfect or simple to perform, but has been demonstrated on LCD and CRT monitors as well as keyboard cables. With minor shielding, you can eliminate most of the risk from such an attack.
Internal and External Network Issues
When deploying a new network or modifying an existing infrastructure, carefully evaluate effects on security and security’s impact on the infrastructure. When you or your team overlook or sidestep standard security practices, good business stops. Business interruptions can result not only in lost profits, but also in lost opportunities and even in lost jobs. If the compromise is serious enough, the business might not recover.
The threats facing business are numerous and constantly changing. Often, these issues arise daily. Malicious code, information leakage, zero day exploits, unauthorized software, unethical employees, and complex network infrastructures are just a few of the concerns that every organization and network manager faces.
Malicious code can make its way into a computer through any communication channel. This includes file transfers, e-mail, portable device syncing, removable media, and Web sites. Precautions against malicious code include network traffic filtering with a firewall, anti-malware scanning, and user behavior modification.
Information leakage stems from malicious employees who purposefully release internal documentation to the public. It can also result from accidents, or can occur when a storage device is lost, recycled, donated, stolen, or thrown away. Or it occurs when users accidentally publish documents to P2P file sharing services or Web sites. Precautions against information leakage include doing thorough background checks on employees, using the principle of least privilege, detail auditing and monitoring of all user activity, classifying all information and controlling communication pathways, using more stringent controls on use of portable devices, and practicing zeroization— purging a storage device to be discarded by filling its space with zeros.
Zero day exploits are new and previously unknown attacks for which no current specific defenses exist. Think of them as surprise attacks on your defenses. Zero day refers to the newness of
an exploit, which may be known in the hacker community for some time, but about which vendors and security professionals are just learning.
The zero day label comes from the idea that work to develop a patch begins the moment a vendor learns of a problem. The moment of discovery of the new exploit is called “day zero.” No specific defenses against zero day attacks exist, but general security management, use of intrusion detection and intrusion prevention, along with detailed logging and monitoring can assist in discovering and preventing new attacks quickly. Once you know of an attack or exploit, you can begin taking steps to contain damage or minimize the extent of the compromise.
Unauthorized software is any piece of code that a user chooses to run on a client system that was not approved nor provided by the company. Not all unauthorized software is directly problematic, but you should prevent its use for many reasons. Such software might be a waste of time and productivity that costs the company money, time, and effort. The software could be a license violation. Software could include hidden malicious components, known or unknown to the user, which could compromise the security of the network. Steps you can take to prevent the use of unauthorized software should include limiting installation privileges of normal users and using whitelists to block the execution of any program not on the approved list.
Unethical employees purposefully violate the stated rules and goals of the organization. These employees often believe the rules are not important, do not really apply to them, or are not really enforced. Most believe they will never get caught. When users violate the mission and goals of the organization, consequences could be catastrophic.
Users are the final link in security and are often the weakest link in network security. If a user chooses to violate a security policy and release information to the public or execute malicious code, the results could devastate the organization or land the perpetrator in court. Methods of preventing unethical employees from doing damage include better background screening, detail auditing and monitoring of all user activity, and regular management oversight and job performance reviews. When you discover a problematic person, you might be able to grant the employee a second chance after retraining, but in many cases, the safest choice for the organization is to terminate employment.
Complex network infrastructures lend themselves to complex vulnerabilities. The larger a network becomes, the more servers, clients, network devices, and segments it includes. The sheer number of moving parts almost guarantees that something is bound to be misconfigured, be improperly installed, lack current firmware or patches, have a bottleneck, or be used incorrectly. Any of these conditions could result in a vulnerability that internal or external attackers can exploit. The larger and more complex a network, the more thoroughly the security team needs to watch over the infrastructure and investigate every symptom, trend, or alert. Preventing complexity from becoming a liability involves detailed planning, careful implementation, regular security management, and constant review of the effectiveness of the infrastructure.
Studies have shown that most threats come from internal sources, but too many organizations focus on external sources and discount the internal threats. A better stance is to count all threats— regardless of their source—as worthy of investigation. Once a potential threat is understood, its risk, potential loss, and likelihood can be better understood and evaluated.
One of the most obvious external threats is the Internet. The Internet is a global network linking people and resources with high-speed real-time communications. Unfortunately, this wonderful
infrastructure also makes great abuse more possible. Once your company installs an Internet connection, the world is at your door—or rather, at the fingertips of every employee. That world includes both potential customers and potential attackers.
Without a global communication infrastructure, hackers had to be physically present—wired in— in or near your building to launch attacks. With the advent of the Internet and wireless technology, any hacker anywhere can initiate attempts to breach your network security. It’s helpful, therefore, to think of the Internet as a threat. It’s not one that you should lightly dismiss, nor should you discard the Internet as a powerful tool. The benefits of Internet access are well worth the effort and expense you should expend to defend against its negative features.
Some of the best defenses against Internet threats include a well-researched, written security policy; thoroughly trained personnel; use of firewalls to filter traffic intrusion, detection, and prevention systems; use of encrypted communications (such as VPNs); and thorough auditing and monitoring of all user and node activity.
Again, perfect security solutions don’t exist. Some form of attack, compromise, or exploit can get past any single defense. The point of network security is to interweave and interconnect multiple security components to construct a multifaceted scheme of protection. This is often called multiple layers of defense or defense in depth.
The goal is to balance the strengths and weaknesses of multiple security components. The ultimate functions of network security are to lock things down in the best way possible, then monitor for all attempts to violate the established defense. Since the perfect lock doesn’t exist, improve on the best locks available with auditing and monitoring. Knowing this, your next step is to understand the common network security components and their uses.
Common Network Security Components Used to Mitigate Threats
When considering the deployment of a network or the modification of an existing network, evaluate each network component to determine its security strengths and weaknesses. This section discusses many common network security components.
Hosts and Nodes A node is any device on the network. This includes client computers, servers, switches, routers, firewalls, and anything with a network interface that has a MAC address. A Media Access Control (MAC) address is the 48-bit physical hardware address of a network interface card (NIC) assigned by the manufacturer. A node is a component that can be communicated with, rather than only through or across. For example, network cables and patch panels are not nodes, but a printer is.
A host is a form of node that has a logical address assigned to it, usually an Internet Protocol (IP) address. This addressing typically implies that the node operates at or above the Network Layer. The Network Layer includes clients, servers, firewalls, proxies, and even routers. But it excludes switches, bridges, and other physical devices such as repeaters and hubs. In most cases, a host either shares or accesses resources and services from other hosts.
In terms of network security, node and host security does vary. Nodes and hosts can both be
harmed by physical attacks and DoS attacks. However, a host can also be harmed by malicious code, authentication attacks, and might even be remotely controlled by hackers. Node protection is mostly physical access control along with basic network filtering against flooding.
Host security can be much more involved because the host itself should be hardened and you will need to perform general network security. Hardening is the process of securing or locking down a host against threats and attacks. This can include removing unnecessary software, installing updates, and imposing secure configuration settings.
IPv4 Versus IPv6 Internet Protocol version 4 (IPv4) has been in use as the predominant protocol on the Internet for nearly three decades. It was originally defined in 1981 in a technical specification known as RFC 791. IPv4 is a connectionless protocol that operates at the Network Layer of the Open Systems Interconnection (OSI) Reference Model. IPv4 is the foundation of the TCP/IP protocol suite as it exists today.
IPv4 was designed with several assumptions in mind, many of which have been proven inaccurate, grossly overestimated, or simply non-applicable. While IPv4 has served well as the predominant protocol on the Internet, a replacement has been long overdue. Some of the key issues of concern are a dwindling, if not exhausted, address space of only 32 bits, subnetting complexity, and lack of integrated security. Some of these issues have been minimized with the advent of network address translation (NAT), classless inter-domain routing (CIDR), and Internet Protocol Security (IPSec). But in spite of these advancements, IPv4 is being replaced with IPv6.
IPv6 was defined in 1998 in RFC 2460. The new version was designed specifically as the successor to IPv4 mainly due to the dwindling availability of public addresses. IPv6 uses a 128-bit address, which is significantly larger than IPv4. Additionally, changes to subnetting, address assignment, and packet headers, as well as simpler routing processing, make IPv6 much preferred over its predecessor. Another significant improvement is native Network Layer security. Figure 1-9 compares an IPv4 address to an IPv6 address.
NOTE If an IPv6 address has one or more consecutive four-digit sections of all zeros, the sections of zeros can be dropped and replaced by just a double colon. For example: 2001:0f58:0000:0000:0000:0000:1986:62af can be shortened to 2001:0f58::1986:62af. However, if there are two sections of zero sets, only a single section can be replaced by double colons.
Be Alert to These Attacks
A man-in-the-middle (MitM) attack occurs when a hacker is positioned between a client
and a server and the client is fooled into connecting with the hacker computer instead of the real server. The hacker performs a spoofing attack in order to trick the client. The result is the connection between the client and server is proxied by the hacker. This allows the hacker to eavesdrop and manipulate the communications.
A hijacking attack occurs when a hacker uses a network sniffer to watch a communications session to learn its parameters. The hacker then disconnects one of the session’s hosts, impersonates the offline system, and begins injecting crafted packets into the communication stream. If successful, the hacker takes over the session of the offline host, while the other host is unaware of the switch.
A replay attack occurs when a hacker uses a network sniffer to capture network traffic, and then retransmits that traffic back on to the network at a later time. Replay attacks often focus on authentication traffic in the hope that retransmitting the same packets that allowed the real user to log onto a system will grant the hacker the same access.
The security features native to IPv6 were crafted into an add-on packet for IPv4 known as IPSec. While in IPv4, IPSec is an optional add-on; it is a built-in feature of and used by default with IPv6. This use is a significant change in the inherent security issues surrounding networking and the use of the Internet. With native Network Layer encryption, most forms of eavesdropping, man-in-the-middle attacks, hijacking, and replay attacks are no longer possible. This does not mean that IPv6 will be free of security problems but at least most of the common security flaws experienced with IPv4 will be fixed.
FIGURE 1-9
Comparing a typical IPv4 address to an IPv6 address.
As you use and manage computers and manage networks, use IPSec with IPv4 or switch over to IPv6. Most protocols that operate over IPv4 will operate without issue over IPv6. You will need to replace some applications that embed Network Layer addresses into their application-level protocol, such as FTP and NTP. But valid IPv6 replacements already exist.
The complete industry transition from IPv4 to IPv6 will likely take upwards of a decade, mainly because of the need to upgrade, replace, or reconfigure the millions of hosts and nodes spread across the world to support IPv6. During the transition, many techniques are available to allow a host to
interact with both IPv4 and IPv6 network connections. These include:
Dual IP stacks—This is a computer system that runs both IPv4 and IPv6 at the same time. Windows Vista and Windows Server 7 both have dual IP stacks by default.
IPv4 addresses embedded into an IPv6 notation—This is a method of representing an IPv4 address using the common notation of IPv6. For example, ::ffff:192.168.3.125 is the IPv4- mapped IPv6 address for the IPv4 address 192.168.3.125. Note: The IPv6 address is 80 zero bits, followed by 16 one bits, then the 32-bit IPv4 address (in dotted decimal notation), which adds up to 128 bits total.
Tunneling—This involves encapsulating IPv6 packets inside IPv4 packets, effectively creating a VPN-like tunnel out of IPv4 for IPv6.
IPv4/IPv6 NAT—This involves using a network address translation service to translate between two networks, one running IPv4 and the other IPv6.
Whatever the hurdles of transition, the benefits of native Network Layer encryption are immeasurable. In short: When you have the option to use IPv6, take it because you will be helping the world IT community upgrade sooner rather than later.
Firewall Not all traffic on your network is from an authorized source, so you shouldn’t allow it to enter or leave the network. Not all traffic is for an authorized purpose, so you should block it from reaching its destination. Not all traffic is within the boundaries of normal or acceptable network activity, so you should drop it before it causes compromises.
All of these protections are the job of a firewall. As its name implies, a firewall is a tool designed to stop damage, just as the firewall in an engine compartment protects the passengers in a vehicle from harm in an accident. A firewall is either a hardware device or a software product you deploy to enforce the access control policy on network communications. In other words, a firewall filters network traffic for harmful exploits, incursions, data, messages, or other events.
Firewalls are often positioned on the edge of a network or subnet. Firewalls protect networks against numerous threats from the Internet. Firewalls also protect the Internet from rogue users or applications on private networks. Firewalls protect the throughput or bandwidth of a private network so authorized users can get work done. Without firewalls, most of your network’s capabilities would be consumed by worthless or malicious traffic from the Internet. Think of how a dam on a river works; without the dam, the river is prone to flooding and overflow. The dam prevents the flooding and damage.
Without firewalls, the security and stability of a network would depend mostly on the security of the nodes and hosts within the network. Based on the sordid security history of most host operating systems, having no firewall would not be a secure solution. Hardened hosts and nodes are important for network security, but they should not be the only component of reliable network security.
You also install firewalls on client and server computers. These host software firewalls protect a single host from threats from the Internet and threats from the network itself, as well as from other
internal network components. In any case, a firewall is usually configured to control traffic based on a deny-by-default/allow-
by-exception stance. This means that nothing passes the firewall just because it exists on the network (or is attempting to reach the network). Instead, all traffic that reaches the firewall must meet a set of requirements to continue on its path.
As a network administrator or IT security officer, you get to choose what traffic is allowed to pass through the firewalls, and what traffic is not. Additionally, you can also determine whether the filtering takes place on inbound traffic (known as ingress filtering), on outbound traffic (called egress filtering)—or both.
Firewalls are an essential component of both host and network security.
Virtual Private Networks A virtual private network (VPN) is a mechanism to establish a remote access connection across an intermediary network, often over the Internet. VPNs allow for cheap long-distance connections when established over the Internet, since both endpoints only need a local Internet link. The Internet itself serves as a “free” long-distance carrier.
A VPN uses tunneling or encapsulation protocols. Tunneling protocols encase the original network protocol so that it can traverse the intermediary network. In many cases, the tunneling protocol employs encryption so that the original data traverses the intermediary network securely.
You can use VPNs for remote access, remote control, or highly secured communications within a private network.
Proxy Servers A proxy server is a variation of a firewall. A proxy server filters traffic, but also acts upon that traffic in a few specific ways. First, a proxy server acts as a middleman between the internal client and the external server. Or, in the case of reverse proxy, this relationship can be inverted with an internal server and an external host. Second, a proxy server will hide the identity of the original requester from the server through a process known as network address translation (NAT) (see the following section).
Another feature of a proxy server can be content filtering. This type of filtering focuses either on the address of the server (typically by domain name or IP address) or on keywords appearing in the transmitted context. You can employ this form of filtering to block employee access to Internet resources that are not relevant or beneficial to business tasks or that might have a direct impact on the business network. This could include malicious code, hacker tools, and excessive bandwidth consumption (such as video streaming or P2P file exchange).
Proxy servers can also provide caching services. Caching is a data storage mechanism that keeps a local copy of content that is fairly static in nature and that numerous internal clients have a pattern of requesting. Front pages of popular Web sites are commonly cached by a proxy server. When a user requests a page from the Internet in cache, the proxy server provides that page to the user from cache rather than pulling it again from the Internet site. This provides the user with faster performance and
reduces the load on the Internet link. Caching of this type often results in all users experiencing faster Internet performance, even when
the pages served to them are pulled from the Internet. Obviously, such caching must be tuned to prevent stale pages in the cache. Tuning is setting the time-out value on cached pages so they expire at a reasonable rate. All expired cached pages are replaced by fresh content from the original source server on the Internet.
Network Address Translation Network address translation (NAT) translates internal addresses into external public addresses, and vice versa. The network performs this conversion on packets as they enter or leave the network to mask and modify the internal client’s configuration. The primary purpose of NAT is to prevent internal IP and network configuration details from being discovered by external entities, such as hackers.
Figure 1-10 shows an example of a pathway from an internal client to an external server across a proxy or firewall using NAT. In this example, the external server is a Web server operating on the default HTTP port 80. The Web server is using IP address 208.40.235.38 (used by www.itttech.edu). The requesting internal client is using IP address 192.168.12.153. The client randomly selects a source port between 1,024 and 65,535 (such as 13,571). With these source details, the client generates the initial request packet. This is step 1. This packet is sent over the network toward the external server, where it encounters the NAT service.
FIGURE 1-10
An example of how NAT functions.
STEP 1 Initial request:
S: 192.168.12.153: 13571
D: 208.40.235.38: 80
STEP 2 NAT creates entry in translation mapping table:
Internal: 192.168.12.153: 13571 <- ->
External: 72.254.149.76: 27409
The NAT service creates an entry in its translation or mapping table for the request. The table contains the source IP address and port and the translated IP address and port. The NAT server uses its own public IP address as the translated IP address and selects a random currently unused port for the new source port for the packet. This is Step 2.
STEP 3 Translated request:
S: 72.254.149.76: 27409
D: 208.40.235.38: 80
Step 3 is the construction of the new packet with the translated source information, which is then transmitted over the Internet to the external server. The Web server receives a request whose source seems to be the proxy/firewall system.
STEP 4 Response from external server:
S: 208.40.235.38: 80
D: 72.254.149.76: 27409
Step 4 is the response generated and transmitted by the Web server.
STEP 5 Response sent to client by NAT:
S: 208.40.235.38: 80
D: 192.168.12.153: 13571
The proxy/firewall receives the response to the Web server’s request. The NAT service uses the translation table to return the original client’s information into the packet header as the destination. This is step 5. This process takes place at wirespeed. It is usually transparent to the client and server involved in the communication, because they are unaware that the translation took place.
Another purpose or use of NAT is to reduce the need for a significant number of public IP addresses you need to lease from an ISP. Without NAT, you’d need a single public IP address for each individual system that would ever connect to the Internet. With NAT, you can lease a smaller set of public IP addresses to serve a larger number of internal users.
This consolidation is possible for two reasons. First, most network communications are “bursty” rather than constant in nature. This means that computers typically transmit short, fast busts of data instead of a long, continuous stream of data. Some forms of network traffic, such as file transfer and video streaming, are more continuous in nature. But these tasks are generally less common on business networks than home networks.
Second, NAT does not reserve a specific public address for use by a single internal client. Instead, NAT randomly assigns an available public address to each subsequent internal client request. Once the client’s communication session is over, the public address returns to the pool of available addresses for future communications.
Additionally, NAT often employs not just IP-to-IP address translation, but a more granular option known as port address translation (PAT). With PAT, both the port and the IP address of the client convert into a random external port and public IP address. This allows for multiple simultaneous communications to take place over a single IP address. This process, in turn, allows you to support a greater number of communications from a single client or multiple clients on an even smaller number of leased public IP addresses.
NAT enables the use of private IP addresses while still supporting Internet communications. These addresses are known as RFC 1918 addresses, from their technical specification. Their ranges are as follows:
Class A—10.0.0.0–10.255.255.255/8 (1 Class A network) Class B—172.16.0.0–172.31.255.255/12 (16 Class B networks) Class C—192.168.0.0–192.168.255.255/16 (256 Class C networks)
RFC 1918 addresses are for use only in private networks. Internet routers drop any packet using one of these addresses. Without NAT, a network using these private IP addresses would be unable to communicate with the Internet. By using RFC 1918 addresses, networks create another barrier against Internet-based attacks and do not need to pay for leasing of internal addresses.
As mentioned, NAT is one of the technologies that have allowed the extended use of IPv4 even after the depletion of available public IP addresses. Now that the transition to IPv6 is underway, NAT is serving a new purpose in proving IPv4-to-IPv6 translation. Many firewall and proxy devices may include IPv6 translation services. This feature is a worthwhile option that you might want to include on a feature list when researching a firewall purchase or deployment.
technical TIP An interesting wrinkle on NAT and PAT is that most devices and software products that support PAT actually state in their documentation and in their configuration interfaces that they support NAT. It seems that NAT has been redefined to include the functionality of port address translation, even though an official acronym for that specific additional technology already exists. Most certification exams combine the two as well. Questions might use the NAT acronym but actually refer to port translation (PAT).
Routers, Switches, and Bridges Routers, switches, and bridges are common network devices. While not directly or typically labeled
as network security devices, you can deploy them to support security rather than hinder it. A router’s primary purpose is to direct traffic toward its stated destination along the best-known
current available path (see Figure 1-11). Routing protocols such as RIP, OSPF, IGRP, EIGRP, BGP, and others dynamically manage route selection based on a variety of metrics. A router supports security by guiding traffic down preferred routes rather than routes that might not be as logically or physically secure. If a hacker can trick routers into altering the pathway of transmission, network traffic could traverse a segment where a hacker has positioned a sniffer. A sniffer, also known as packet analyzer, network analyzer, and protocol analyzer, is a software utility or hardware device that captures network communications for investigation and analysis.
While this is an unlikely scenario, it’s not an impossible one. Ensuring that routers are using authentication to exchange routing data and are protected against unauthorized physical access will prevent this and other infrastructure level attacks. Figure 1-11 depicts an example of a routed network deployment.
FIGURE 1-11
An example of router deployment.
FIGURE 1-12
An example of switch deployment.
Switches provide network segmentation through hardware. Across a switch, temporary dedicated electronic communication pathways connect the endpoints of a session (such as a client and server). This switched pathway prevents collisions. Additionally, switches allow you to use the full potential throughput capacity of the network connection by the communication instead of 40 percent or more being wasted by collisions (as occurs with hubs). See Figure 1-12.
You can see this basic function of a switch as a security benefit once you examine how this process takes place. A switch operates at Layer 2, the Data Link Layer, of the OSI model, where the MAC address is defined and used. Switches manage traffic through the use of the source and destination MAC address in an Ethernet frame. The Ethernet frame is a logical data set construction at
the Data Link Layer (Layer 2) consisting of the payload from the Network Layer (Layer 3) with the addition of an Ethernet header and footer (Figure 1-13).
Switches employ four main procedures, labeled as “learn,” “forward,” “drop,” and “flood.” The learn procedure is the collection of MAC addresses from the source location in a frame header. The source MAC address goes into a mapping table along with the number of the port that received the frame. Forwarding occurs once a frame’s destination MAC address appears in the mapping table. This table then guides the switch to transmit the frame out the port that originally discovered the MAC address in question.
If the frame goes on the same port that the mapping table indicates is the destination port, then the frame is dropped. The switch does not need to transmit the frame back onto the network segment from which it originated. Finally, if the destination MAC is not in the mapping table, the switch reverts to flooding—that is, a transmission of the frame out every port—to ensure that the frame has the best chance of reaching the destination.
By monitoring the activity of the switch—-specifically, watching the construction and modification of the mapping table and the variation of MAC addresses seen in frame headers—you can detect errors and malicious traffic. Intelligent or multilayer switches themselves or external IDS/IPS services can perform this security monitoring function.
When the switch procedures fail, the network suffers. This could mean a reduction in throughput, a blockage causing a denial of service, or a redirection of traffic allowing a hacker to attempt to modify or eavesdrop. Fortunately, such attacks are “noisy” in terms of generating significant abnormal network traffic, and thus you can detect them with basic security sensors. This benefit alone is a significant reason to use switches rather than hubs.
FIGURE 1-13
An IEEE 802.3 Ethernet Type II frame.
FIGURE 1-14
An example of a MAC-layer bridge deployment.
Bridges link between networks. Bridges create a path or route between networks, used only when the destination of a communication actually resides across the bridge on the opposing network. An analogy of this would be a city split in two by a river. When people in that city want to visit a location on the same side of the river that they are, then they have no need to cross the bridge to get there.
The same is true of a network bridge. Bridges work in a similar manner to switches in that they use several basic procedures to manage traffic. Bridges use the process of learn, forward, and drop. Thus, with these processes, only traffic intended for a destination on the opposing network will go by the bridge to that network. All traffic intended for a destination on the same side of the bridge that received it will be dropped since the traffic is already on the correct network.
Bridges are used to connect networks, network segments, or subnets whenever you desire a simple use-only-if-needed link and the complexity of a router, switch, or firewall is neither specifically required nor desired. See Figure 1-14. Bridges can also link networks with variations in most aspects of the infrastructure barring protocol. This includes different topologies, cable types, transmission speeds, and even wired versus wireless.
You can use bridges to detect the same types of traffic abuses that switches do. In addition, both bridges and switches can impose filtering on MAC addresses. Here you can use a blacklist or whitelist concept, where you allow all traffic except for that on the black/block list or you block all traffic except for that on the white/allow list.
You can arrange to log activities across a router, switch, and bridge. You should review traffic logs regularly, typically on the same schedule as firewall and IDS/IPS logs. You will note the signs of abuse, intrusion, denial of service, network consumption, unauthorized traffic patterns, and more in these common network devices not typically considered to be security devices.
The Domain Name System The Domain Name System (DNS) is an essential element of both Internet and private network resource access. Users do not keep track of the IP address of servers. So, to access a file server on, say, a social networking site, users rely upon DNS to resolve the fully qualified domain names (FQDNs) into the associated IP address. DNS is similar to the address book in your mobile phone. Instead of remembering people’s phone numbers, you just look up their names; the address book associates each person’s name with the number to dial.
Most users don’t even realize that networks rely upon IP addresses to direct traffic toward a destination rather than the domain name that they typed into the address field of client software. However, without this essential but often transparent service, most of how the Internet works today would fail. In such a case, users would need to maintain a list of IP addresses of sites they wanted to visit or always go to a search engine for a site’s IP address.
DNS is the foundation of most directory services in use today, such as Active Directory and LDAP (see the following section). Thus, DNS is essential for internal networks, as much as it is for the external Internet.
DNS is vulnerable in several ways. First, DNS is a non-authentication-query-based system. This allows a false or “spoofed” response to a DNS query to appear valid. Second, anyone can request transfers of the DNS mapping data (called the zone file), including external entities if TCP port 53 allows inbound access. Third, DNS uses a plaintext communication allowing for eavesdropping, interception, and modification.
You can address some of the faults of DNS with local static DNS mapping in the HOSTS file, filtering DNS on network boundaries, and using IPSec for all communications between all hosts. (A HOSTS file is a static file on every IP-enabled host where FQDN-to-IP address resolutions can be hard-coded.) However, these are defenses for DNS. DNS does not protect the network; rather, it is an essential service that needs protection.
NOTE A few Internet index sites still exist, but they are not as exhaustive (nor current) as most search engines. Think of the difference between the Yellow Pages dropped on your front porch each year versus dialing 411: One is more current and relevant than the other.
Directory Services A directory service is a network index. It helps users locate resources within a private network. A directory service is responsible for keeping track of which servers (sometimes as clients) are online, as well as the resources these hosts share with the network. A directory service operates much like a telephone book does for phone numbers and addresses.
Prior to directory services, less efficient methods of tracking or locating available resources were in service. These included local static or dynamic lists, which networks maintained using broadcast announcements. Only workgroup networks still use these outdated methods.
A directory service is another essential piece of modern networks that does not itself provide obvious security services. However, directory services need the protection provided by other security services and devices. You should limit access to directory services to authorized and authenticated clients and users of the local network. Your network should ignore all external requests for information, with the exception of valid remote access or VPN links. If possible, you should deploy IPSec so that you protect every internal network communication.
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion detection systems (IDS) and intrusion prevent systems (IPS) have become popular topics of discussion in the IT and security fields. The concept of an IDS is a system that watches internal hosts or networks for symptoms of compromise or intrusion. Effectively, an IDS is a form of burglar alarm that detects when an attack is occurring within the network.
An IDS serves as a companion mechanism to firewalls. Once an IDS detects an intruder, it can send commands or requests to the firewall to break a connection, block an IP address, or block a port or protocol. You must configure the firewall to receive these commands and authorize the IDS to send them. Not all IDSs and firewalls are compatible in this manner.
Eventually, the IPS concept appeared. The IPS strives to detect the attempt to attack or intrude before it has the opportunity to be successful. Once an attempt is detected, the IPS can respond to prevent the success of the attempt rather than waiting until after a successful breach to respond. IPSs do not necessarily replace IDSs. Instead, they are often used as a first or initial layer of proactive defense, relegating the IDS to a reactive measure against those events that the IPS misses or that internal personnel perform.
IDSs and IPSs are important components of a complete network security solution. However, they are not without fault. IDSs and IPSs can create a false sense of security under certain conditions. Two commonly discussed conditions include unknown zero day attacks and false positives.
When unknown zero day attacks threaten the network, an IDS or IPS might not have the mechanism to detect it. Thus, the lack of an alarm could cause administrators to assume that no attacks are occurring. In most cases, the lack of an alarm does mean that nothing malicious is happening. So this assumption is not completely unwarranted. But if an IDS never triggers an alarm, then you should suspect a poor detection system rather than the complete lack of compromise attempts or attacks.
False positives present the same result for the opposite reason, namely too many alarms from benign occurrences. After the first initial alarms turn out to be triggered by benign activity, the urgency of responding to alarms diminishes. After additional false positives, an administrator might put off investigating alarms. Eventually, you ignore the alarms altogether. Once this situation arises, you treat even alarms for malicious events as false positives, once again establishing a false sense of security.
Network Access Control Network access control (NAC) limits access or admission to the network based on the security compliance of a host. NAC is essentially an enforcement tool to make sure that all hosts connecting to the network have current and compliant security components. With NAC, you can block or restrict
access if a computer does not have the latest antivirus update, a certain security patch, or a host firewall.
NAC usually operates by placing an agent on each authorized host. When the host connects to the network, the agent contacts the master control program to find current host requirements. If the host fails to meet those requirements, then the NAC prevents the host from accessing the network. A noncompliant host may be granted access only to remediation servers. These remediation servers can provide the patches and updates needed to bring the host into full compliance.
Effectively, NAC is a method to enforce host-hardening rules through an automated systemwide mechanism. With NAC, systems must be in compliance or they are unable to access general network resources. Only after you update noncompliant systems are they allowed access to the network.
CHAPTER SUMMARY Because of the complexities and difficult questions surrounding network security, you need to fully understand the fundamentals of network security. Once you have a firm grasp of these basic issues, you will be able to put security into practice on your own network.
A written security policy is the foundation of a successful security endeavor. Without a written policy, security will be chaotic and uncontrolled. A security policy defines and assigns roles and responsibilities to personnel within the organization. Network infrastructure design can have a significant impact on security. Administrators can employ numerous network components and devices to support a network security policy. These include firewalls, VPNs, and IDSs/IPSs.
KEY CONCEPTS AND TERMS Access control Appliance Asset Auditing Auditor Authentication Authorization Availability Backdoor Blacklist Bottleneck Breach Bridge
Business task Caching Chokepoint Client Client/server network Confidentiality Defense in depth Demilitarized zone (DMZ) Denial of service (DoS) attack Directory service Domain Domain Name System (DNS) Downtime Egress filtering Encapsulation Encryption Exploit Extranet Filtering Firewall Fully qualified domain name (FQDN) Hacker Hacking Hardening Hijacking Host HOSTS file Ingress filtering Integrity Internet Protocol Security (IPSec) Intrusion detection system (IDS) Intrusion prevention system (IPS) Job description Local area network (LAN) Log Logging Malicious code Man-in-the-middle (MitM) attack Media Access Control (MAC) address Monitoring
Network access control (NAC) Network address translation (NAT) Network security Node Open Systems Interconnection (OSI) Reference Model Permission Port address translation (PAT) Privacy Private IP address Privilege Proxy server Public IP address Redundancy Remote access Remote access server (RAS) Remote control Replay attack Resources RFC 1918 addresses Risk Roles Router Security objective Security policy Senior management Server Single point of failure Single sign-on (SSO) Sniffer SOHO (small office, home office) Switch Telco Terminal services Thin client computing Threat Trust Tunneling Virtual private network (VPN)
Vulnerability Whitelist Wide area network (WAN) Workgroup Zero day exploits Zeroization
CHAPTER 1 ASSESSMENT
1. An outsider needs access to a resource hosted on your extranet. The outsider is a stranger to you, but one of your largest distributors vouches for him. If you allow him access to the resource, this is known as implementing what? A. DMZ B. Virtualization C. Trusted third party D. Remote control E. Encapsulation
2. Which of the following are common security objectives? A. Nonrepudiation B. Confidentiality C. Integrity D. Availability E. All of the above
3. What is an asset? A. Anything used in a business task B. Only objects of monetary value C. A business process D. Job descriptions E. Security policy
4. What is the benefit of learning to think like a hacker? A. Exploiting weaknesses in targets B. Protecting vulnerabilities before they are compromised
C. Committing crimes without getting caught D. Increase in salary E. Better network design
5. What is the most important characteristic of an effective security goal? A. It is inexpensive. B. It is possible with currently deployed technologies. C. It is written down. D. It is approved by all personnel. E. It is a green initiative.
6. What is true about all security components and devices? A. They are all interoperable. B. They are all compatible with both IPv4 and IPv6. C. They always enforce confidentiality, integrity, and availability. D. They are sold with pre-defined security plans. E. They all have flaws or limitations.
7. Who is responsible for network security? A. Senior management B. IT and security staff C. End users D. Everyone E. Consultants
8. What distinguishes workgroups from client/server networks? (In other words, what feature is common to one of these but not both?) A. DNS B. Centralized authentication C. List of shared resources D. User accounts E. Encryption
9. Remote control is to thin clients as remote access is to? A. NAC B. VPN C. DNS D. IPS
E. ACL
10. What two terms are closely associated with VPNs? A. Tunneling and encapsulation B. Bridging and filtering C. Path and network management D. Encapsulation and decapsulation E. Port forwarding and port blocking
11. What is a difference between a DMZ and an extranet? A. VPN required for access B. Hosted resources C. External user access D. Border or boundary network E. Isolation from the private LAN
12. What is the primary security concern with wireless connections? A. Encrypted traffic B. Support for IPv6 C. Speed of connection D. Filtering of content E. Signal propagation
13. What elements of network design have the greatest risk of causing a DoS? (Select two.) A. Directory service B. Single point of failure C. Bottlenecks
14. For what type of threat are there no current defenses? A. Information leakage B. Flooding C. Buffer overflow D. Zero day E. Hardware failure
15. Which of the following is true regarding a Layer 2 address and Layer 3 address? A. MAC address is at Layer 2 and is routable B. Layer 2 address contains a network number C. Layer 2 address can be filtered with MAC address filtering
D. Network Layer address is at Layer 3 and is routable E. Both C and D are true
16. Which of the following are not benefits of IPv6? A. Native communication encryption B. RFC 1918 address C. Simplified routing D. Large address space E. Smaller packet header
17. What is the most common default security stance employed on firewalls? A. Allowing by default B. Custom configuring of access based on user account C. Caching Internet content D. Denying by default, allowing by exception E. Using best available path
18. What is egress filtering? A. Investigating packets as they enter a subnet B. Allowing by default, allowing by exception C. Examining traffic as it leaves a network D. Prioritizing access based on job description E. Allowing all outbound communications without restriction
19. Which of the following is not a feature of a proxy server? A. Caching Internet content B. Filtering content C. Hiding the identity of a requester D. Offering NAT services E. MAC address filtering
20. Which of the following is allowed under NAC if a host is lacking a security patch? A. Access to the Internet B. Access to e-mail C. Access to Web-based technical support D. Access to file servers E. Access to remediation servers
CHAPTER
2 Firewall Fundamentals
TO SOME NETWORK ADMINISTRATORS, A FIREWALL is the key component of their infrastructure’s security. To others, a firewall is a hassle and a barrier to accomplishing essential tasks. In most cases, the negative view of firewalls stems from a basic misunderstanding of the nature of firewalls and how they work. This chapter will help dispel this confusion.
This chapter clearly defines the fundamentals of firewalls. These include what a firewall is, what a firewall does, how it performs these tasks, why firewalls are necessary, the various firewall types, and filtering mechanisms. Once you understand these fundamentals of firewalls, you will be able to look beyond the unschooled opinions, common mythology, and marketing hype surrounding them, and the crucial benefits of effective firewall architecture will become clear. Like any tool, firewalls are useful in solving a variety of problems and in supporting essential network security.
Chapter 2 Topics
This chapter covers the following topics and concepts:
What a firewall is
Why you need a firewall
How firewalls work and what they do
What the basics of TCP/IP are
What the types of firewalls are
What ingress and egress filtering is
What the types of firewall filtering are
What the difference between software and hardware firewalls is
What dual-homed and triple-homed firewalls are
What the best placement of a firewall is
Chapter 2 Goals
When you complete this chapter, you will be able to:
Define firewalls
Explain the need for firewalls
Describe types of firewalls, including network router/interface firewall, hardware appliance firewall, and host software firewall
Explain standard filtering methods, including static packet filtering, NAT services, application proxy filtering, circuit proxy filtering, dynamic packet filtering, stateful inspection filtering, and content filtering
Define the meaning of ingress and egress filtering
Compare and contrast software and hardware firewalls
Illustrate on a typical business network diagram possible placements for a firewall
Compare and contrast dual- and triple-homed firewalls
What Is a Firewall?
A firewall is like a border sentry. A firewall is like a gateway and is often called a “security gateway.” A firewall is like a traffic control device. A firewall is a filtering device that enforces network security policy and protects the network against external attacks. A packet is a unit of information that is routed between one point and another over the Internet or any other network. The packet header includes information such as source, type, size, and origin and destination address. As a filtering device, a firewall watches for traffic that fails to comply with the rules defined by the firewall administrator. Firewalls can focus on the packet header, the packet payload (the essential data of the packet) or both; or on the content of a session, the establishment of a circuit, and possibly other assets. Most firewalls focus on only one of these. The most common filtering focus is on the header of the packet, with the payload of a packet a close second.
Filtering allows what you want on your network and denies what you do not. Filtering relies on filtering rules. Each rule has a pattern of concern and a response the firewall will make if an incoming element matches the pattern.
Firewalls follow a philosophy or stance of security known as deny by default/allow by exception. All the rules on a firewall are exceptions. Some exception rules define what you allow. Some exception rules define what you wish to deny. The final option, sometimes called the final rule, is anything that did not match one of the exceptions is denied by default.
Firewall filtering compares each packet received to a set of exception rules. These rules state that content in the packet is either allowed or denied. If the packet matches an allow rule, it continues on to its destination. If the packet matches a deny rule, then the packet is dropped. Hence, a deny rule
prevents the packet from reaching its destination. If a packet fails to match any rule, then the firewall drops the packet by default.
The filtering rules are the exceptions to the deny-all rule that is the final and absolute rule of a firewall. In fact, if a deny by default rule didn’t exist, the filtering device would not be a firewall at all. Instead, it would be more like a router or switch, allowing traffic to pass, even if it did not match an expected pattern or rule. So, keep in mind the security stance of deny by default/allow by exception. A firewall is a filtering device that helps support this stance.
Think of a firewall as a sentry along the borders of a country. The term firewall is not exactly the best term that could have been selected for this device or service, which performs essential security filtering for hosts and networks. The term firewall comes from a building and automotive construction concept of a wall that is built to prevent the spread of a fire from one area into another. The firewall in a building or car engine compartment is a physical block against the spread of fire.
Network security administrators use the term firewall to refer to a device or service that allows some traffic but denies other traffic. This is not the same as a building’s firewall, which allows a fire to spread only if the firewall fails. In network security, firewalls allow traffic through that’s considered safe—or at least authorizes traffic without the entire firewall failing. Additionally, if a firewall does fail, it fails into a secured state. This means that when the firewall is offline, is locked or frozen, or otherwise experiences a problem, it stops all traffic rather than allowing all traffic through. This is known as fail-safe or fail-secure.
Better ways to envision the job of the firewall are a sentry, doorman, or even border guard. These people positioned at the entrance or exit of a building watch for unauthorized attempts to enter the secure area. Some people are allowed to enter; others are prevented. In the event that the sentry isn’t present, the entry is locked, so only those with a key can enter. Think of a firewall as a border sentry.
A gateway is an entrance or exit point to access a controlled space. People use gateways every day in a variety of ways. An on-ramp is a gateway to the highway, a doorway is a gateway to a building, and a personal computer is a gateway to the Internet—and to your organization’s network. You can also think of a firewall as the gate at a gateway. The firewall stands at the entrance of a network to block unwanted traffic.
Gateways are important because, typically, high levels of traffic pass through a gateway. Thus, positioning a firewall at a network gateway is an aspect of secure design. If the gateway already exists in the network infrastructure, then positioning the firewall at that point is an obvious security improvement. A firewall so positioned watches over all traffic crossing that gateway point.
Another place that firewalls are often deployed is in front of (that is to say, on the public Internet side), behind (inside the data center), or in load balancing systems, or, as they are most often called, load balancers. Load balancers are reasonably well named because that is what they do: They take the load coming into a set of servers and ensure that the load is balanced between or among the servers, based on a variety of factors. It is a funnel point for traffic that is an ideal place to enforce policy, and that is done through the firewall.
If a network is still in its design phase, a network designer might make the secure choice to create a gateway in the network’s layout. However, in this situation, the concentration point would be known as a chokepoint instead of a gateway. If a gateway is an access point to other areas of resources, a chokepoint is a specialized kind of gateway that focuses on traffic to a single concentrated pathway to
simplify the process of filtering. Whether labeled as a gateway for resource access or a chokepoint to control security, the result is
the same. A firewall positioned at a gateway provides filtering services across all traffic. The chokepoint provides filtered access to resources. As a wise poet once said: “Good fences make good neighbors.” So, too, do good gateways and well-positioned firewalls make secure networks.
You can also think of a firewall as a traffic control device. A significant amount of network security is little more than controlling traffic. Authorized traffic passes through the digital intersection, while unauthorized, unwanted, abnormal, or obviously malicious traffic is blocked.
The very basic and original form of the modern firewall was a screening router. Routers analyze traffic based on destination address. The best-known available route to the destination informs the forwarding decision. However, screening routers added in additional rules that could discard traffic based on destination or source address. Once filtering expanded to address protocols and even ports, the screening router became the basic static packet filtering firewall.
In addition to filtering, firewalls can also offer routing functions, which are a holdover from this router ancestry. A multi-homed firewall can grant traffic access to one or another interface or segment based on the results of filtering. Traffic for a private LAN could traverse one segment, while traffic destined for the DMZ could follow another (see Figure 2-1). A firewall is an efficient, necessary traffic control device on the highway that is your network.
FIGURE 2-1
A basic multi-homed firewall filtering and routing for two network segments.
A firewall enforces your organization’s network security policy. Specifically, a firewall enforces the network traffic access control security policy. A firewall is the physical embodiment of the security policy. It’s the most obvious or direct enforcement of access control on your network’s traffic. No device more than your firewall is as directly involved in allowing authorized traffic and
denying all else. A security policy defines the goals, objectives, and procedures of security. Every security policy
focusing on network security requires the deployment of a firewall. The firewall’s job is to impose all restrictions and boundaries defined in the security policy on all network traffic. A firewall enforces your organization’s network security policy just as a traffic policeman enforces the motor vehicle laws of a town or state.
A firewall’s critical function is to protect your network against external attacks. It’s no secret that external threats are numerous. The onslaught of attacks is almost unbelievable, like a constant flood against every Internet-connected node. If it were not for vigilant hardening of hosts and the use of firewalls, the Internet and private networking could not exist as they do today.
It’s no accident that some threats to computer networks are called viruses; external threats seem to continuously change and evolve. Other attacks are targeted specifically for your network or organization. Some attacks are untargeted and random. Instead, they are directed toward any host that happens to have a specific vulnerability. Malicious code relentlessly infects and compromises unprotected computer systems. Flooding attacks attempt to interrupt timely Internet communications. And these are only some of the external threats facing your organization’s network.
A firewall stands as a sentry, as a front guard, as a defense against all attacks and attempts at system compromise. The good news is that many firewalls are well hardened against all known-to- date attacks. These firewalls can withstand the blitzkrieg of the attacks without faltering. A firewall protects the network against the substantial asset damage that external attacks can cause.
Understanding these definitions and distinctions is only the beginning of understanding firewalls.
What Firewalls Cannot Do A firewall is an essential part of network security. However, it’s not the whole of network security. Don’t make the mistake of deploying a firewall while ignoring other security management activities. A firewall is only one piece of the large complex puzzle of network security.
There are many things a firewall is not. Don’t be fooled by the marketing. Some of these deficiencies can become cloudy as vendors sell combination or multifunction solutions. Often, these devices are designed for the SOHO or home user and thus were never intended to provide commercial-grade protections.
A firewall is primarily for network traffic filtering. It’s not an authentication system. Firewalls aren’t designed to check logon credentials, compare biometric scans, or even confirm the validity of digital certificates. These are the functions of an authentication service, typically hosted on a domain controller or primary network server.
That said, you might find it necessary for a firewall to allow authentication before granting access to a resource or allowing a session. Some firewalls can have enhancement features that provide for firewall-hosted authentication services. However, in many cases, a better solution would be to have the firewall offload that task to a dedicated authentication server or service, such as 802.1x, public key infrastructure (PKI), or directory services. Most security experts do not recommend using a firewall to authenticate users, or at least not as a replacement for a network’s directory service or centralized authentication solution. Firewalls are not authentication systems.
A firewall is not a remote access server. Connections from remote users do not have an endpoint at the firewall. Instead, the endpoint is a remote access server (RAS) or network access server (NAS). A firewall may function before or after the RAS/NAS to filter remote access traffic. However, that doesn’t mean the firewall is the RAS/NAS itself.
Your firewall should of course filter all remote traffic, especially because remote traffic is much more likely to be purposefully malicious or accidentally damaging than local traffic. Why? An organization has much more control over who can connect to its network locally than it does when it allows remote connectivity. Remember: A firewall does not replace a remote access server.
Unlike Superman, your firewall does not have X-ray vision into encrypted traffic; in other words, it cannot see the contents of encrypted traffic. A firewall can filter on the header of traffic using transport mode encryption, since the original header is in plaintext form. However, a firewall cannot filter the original header of traffic using tunnel mode encryption, since the only plaintext component is a temporary tunnel header that only includes information about the endpoints of the tunnel. It’s like trying tell what’s in the boxcars of a train by observing only the locomotive and the caboose.
Position your firewall where it can be most effective. If the security design requires that all traffic content be examined by a firewall, then you need to position the firewall after encryption is removed from the traffic. If the security design requires filtering only on non-encrypted traffic, then positioning the firewall is not as critical.
Firewalls designed for use by Web e-commerce sites may have an additional ability to act as the endpoint of a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) tunnel from an Internet client. This grants the client protection for its data as the information traverses the Internet. This allows a firewall to filter the content of the traffic before the Web server receives and processes the information.
Encryption is one method to evade filtering. Users and hackers can employ client-side encryption solutions that encode the data before transmission or create unauthorized encrypted encapsulation tunnels to prevent firewall filtering. In this situation, your network security policy may stipulate that the firewall needs to block encrypted transmission initiated by clients, especially if the destination is on the Internet. It’s important to remember that firewalls are powerful, but they don’t have X-ray vision into encrypted traffic.
A firewall is also not a malicious code scanner. Firewalls are traditionally rule-based filtering products. These rule sets usually have only a few dozen to at most a few hundred rules. To filter malicious code, the rule list would need millions of entries. As of December 2009, the AVG Anti- Virus definition database #270.14.88/2538 was tracking 24,303,360 malicious code infection definitions. That number of entries is simply impractical to include in a firewall rule set.
Some firewall products include an enhancement or add-on module for malicious code scanning. Such an enhancement is just an add-on component, not a core feature of a firewall. In most cases, it’s more efficient and more secure to use separate anti-malware scanners than to add this function to your firewall.
Many firewall rules block traffic with spoofed addresses, uncommon ports, unauthorized protocols, invalid header constructions or values, etc. Such rules block a significant amount of traffic caused by malicious code, but these rules do not themselves directly block malware from entering or
leaving a network. Keep in mind that your firewall can do many things, but it’s not a malicious code scanner.
A firewall is also not an intrusion detection system. An intrusion detection system, or IDS, is a type of network burglar or intruder alarm that detects and responds to unauthorized activity inside your network. An IDS performs this task by monitoring all network traffic. While an IDS can be deployed on a network border or outside the network against the Internet, most IDSs operate inside private networks so that they can watch all internal network traffic.
A firewall can detect malicious traffic only when such traffic enters one of the firewall’s interfaces. Firewalls generally don’t watch over general interior network activity. Either firewalls are border devices for networks and subnets, or they are software products watching over a single host. In either case, they cannot see the same traffic nor perform the same tasks as an IDS. A firewall, therefore, is not interchangeable with a good intrusion detection system.
A common misconception is that firewalls protect against insider attacks. They cannot. A firewall can be a border device or a firewall can be software on a host. A border firewall can filter traffic entering or leaving a network or subnet. So a border firewall is unable to see any interior traffic (Figure 2-2). When an attacker from an inside client attacks a target that is also an internal host, a border firewall is not part of the communication and thus can neither detect nor block the attack.
A host software firewall can only see the traffic entering or leaving that one host. A host software firewall is unable to see any other interior traffic
Of course, if traffic does not pass through its interfaces, a firewall cannot filter the traffic. A firewall can filter only what it sees. If malicious or unwanted traffic does not enter an interface of a firewall, the firewall will not be able to filter that traffic (see Figure 2-2). So you’ll want to place firewalls on each host, on every border gateway or chokepoint, and between each significant subnet or interior network division.
NOTE IDSs can detect a plethora of unwanted activities, use several methods of detection, and perform a wide range of responses, both passive and active.
Another thing firewalls can’t do is protect against social engineering. Social engineering is the category of attacks that focus on the personnel of an organization. These attacks get information from people just by asking for it in clever ways or convincing someone to perform an action that breaches network security. The only real protection against social engineering is worker training and awareness. A firewall cannot stop an attack stemming from social engineering.
FIGURE 2-2
Border firewalls cannot filter internal communications.
A firewall can’t protect against the threat posed by removable media. The widespread use of removable media has been a significant threat to every computer in existence, even those not connected to the Internet, an external network, or even a single other computer through a network link. Removable media include USB hard drives, USB thumb drives, CDs, DVDs, Blu-ray discs, HD-DVD discs, other optical discs, flash memory cards, FireWire storage devices, tape media, e-mail attachments, and more. Removable media can leak information out of an organization or smuggle malicious code in. A firewall is not involved in the use of removable media nor any of the contents these devices may contain. A firewall cannot protect your network against the ongoing threat posed by removable media. Again, the best defense against this threat is good company policy, worker training, and awareness.
A firewall, of course, cannot protect against physical incursions or attacks. Physical attacks bypass any and all logical and electronic protection mechanisms. A firewall does not protect against theft of devices, planting of eavesdropping mechanisms, disconnection of cables, connecting a rogue notebook to an open node, destruction of equipment, dousing electronics with liquids, building fires, or any other form of physical attack. Only effective physical defenses can deter physical attacks. A firewall is not designed or intended to thwart physical attacks.
Firewalls aren’t insurance against inept or ignorant administrators. Computer equipment and software can do only what it’s designed and programmed to do. If an administrator misconfigures a security device, the device doesn’t automatically compensate for that oversight. If a security administrator fails to learn about all the features and defaults of new equipment, the product cannot secure itself autonomously. Security requires training, research, careful planning, thoughtful implementation, and ongoing review and maintenance. This process is known as security management —and it takes work. The old expression was never more true than today: “Garbage in, garbage out.”
What you put into network security is precisely what you will get out of it. So remember that a firewall can’t compensate for ineptitude or ignorance on the part of administrators.
In the same vein, firewalls can’t compensate for poor security management. Proactive security management is essential for the success of any security endeavor. Security management is the process of reviewing, testing, tuning, and updating an organization’s security policies and security infrastructure. This is an ongoing effort that requires knowledge, research, and vigilance. The threats and risks facing an organization are constantly evolving to become more persistent and virulent. Your security strategy should be just as rigorous and purposeful in defense. Keeping up to date on the most current threats to and trends in network security is a big part of this job. Networking, conferencing, and reading the latest industry literature are ways to keep yourself and your security efforts sharp.
Keep in mind that a firewall is a focal point of security. It’s an embodiment—a physical representation—of your organization’s security policy. When you use them well and wisely, firewalls provide reliable and consistent security from external threats. However, firewalls have limitations and are only part of the complete security strategy. By itself, a firewall cannot protect a network against every threat. A firewall cannot compensate for the lack of informed, state-of-the-art security management.
Furthermore, and this follows from everything you have read so far, firewalls are not a substitute for a solid written security policy. A firewall is nothing but a reliable border sentry. It is not the complete security infrastructure and strategy. Even the decision to deploy a firewall is a significant strategic undertaking that shouldn’t be taken for granted. Thorough research and planning will help with the design and deployment of an effective firewall. A firewall policy ensures the success of your network’s firewall. A company-wide security policy ensures the success of your organization’s security infrastructure. Firewalls are in no way a substitute for such a security policy.
Finally, firewalls are not a perfect solution. As noted, a firewall is a border sentry, reliable but limited. A firewall can filter only what it sees. It can perform filtering only according to the rule sets defined by the security administrator. It cannot self-adjust to changing conditions or future threats. A firewall is only a part of a complete security infrastructure. Firewalls are mostly software, even when operating on dedicated hardware. They are software, written by fallible humans; therefore, they can, and do, have bugs and flaws. A firewall is never the perfect solution—but it is part of the solution.
Fortunately, in spite of all the things a firewall is not, a firewall is a solid filtering solution. A firewall can and should protect the borders of networks and individual hosts. No security strategy— or deployment—is complete without properly installed firewalls.
Why Do You Need a Firewall?
Who needs a firewall? Anyone who uses a computer to interact with and exchange resources with any other computer! Your personal computer needs a firewall. Your home network needs firewalls. Your company network needs firewalls. Every network needs firewalls. They are a fundamental of network communication.
High-speed Internet connectivity has become ubiquitous. Most computer users now have high- speed access at home, at work, and even on the go through mobile devices. Often, these broadband connections are always-on connections. This means computers and networks are online all the time—
and exposed to attacks. A drawbridge is easy to cross if it’s always down. When a system is always connected, it can be the focus of a concerted attempt to discover its vulnerabilities and breach its security.
How likely is it that a computer will be discovered and attacked over the Internet? Almost guaranteed. Most systems are detected, scanned, and probed within minutes of obtaining a public IP address. It is technical suicide to connect your system to the Internet before installing a firewall, as well as installing the latest vendor patches for the hardware, OS, and installed applications.
Does this mean that there are armies of hackers just waiting to find new targets to attack? Unfortunately, yes. Not, however, in the way you might think. Malicious programs perform most of the scanning and attacking automatically. These are commonly known as agents, robots, zombies, or just bots. Groups of malicious code, known as botnets, scour the Internet for new victims constantly.
Another wrinkle in being constantly online over a broadband connection is the throughput speed. High-speed links to the Internet enable high-speed attacks against your system. On older, slower connections, the same risks existed, but the attacks were slower or fewer simply because the link to a targeted system throttled the speed of the attack. With 10 Mbps and faster connections being common, attacks can occur at near-lightning speed.
This is not to suggest that only slow-speed Internet links are secure. On the contrary, you should take full advantage of high-speed Internet connections. However, you need to protect your systems with firewalls. A firewall will impose a significant barrier to most attacks that originate from the Internet.
With a firewall protecting your system from the Internet, hacker scans will be nearly worthless. Responses to probing packets will be filtered. An outsider will learn little about your infrastructure. This, in turn, means they will discover fewer vulnerabilities, thus wage fewer attacks. And even then, those attacks will be more likely to fail.
Firewalls are not used only for Internet protection. Don’t forget that significant levels of threat exist internally. Firewalls stand guard against network segments inside your private network (Figure 2-3). Think of a firewall as a tool to prevent abuse or misuse of LAN resources. Each major department, subnet, or other relevant distinction within an organization should have firewall protection. This will ensure that accidental compromises, as well as intentional abuses, are minimized internally. All networks protect against both internal threats and external ones.
FIGURE 2-3
An example of a private network using firewalls to securely separate subnets.
Don’t overlook that, while a firewall has its origins in routing, you still want to use a dedicated router for routing and a dedicated firewall for filtering. In many cases, the combination or multifunction devices offer lots of features, but not necessarily best-of-breed performance and efficiency. These may be money-savers for small networks, but they are often cause for expense for larger networks. If a device fails to perform at commercial levels when necessary, the repercussions can cost more than deploying the proper safeguards in the first place.
Firewalls should be used to protect a resource, no matter where that resource resides on your network. A hardware firewall can protect a single host or a network of hosts, while a software firewall can protect only a single host. Don’t limit your definition of a firewall to just a border sentry device. Think of it, instead, as a sentry device in general, able to protect anything placed behind its filtering service.
Host firewalls protect a host and protect a network from the host. A host firewall’s job is to filter traffic entering or leaving a single computer system. Attacks and malicious traffic can come from the Internet or the local network. A host firewall can protect the host against such threats. However, the host itself could be compromised by malicious code or be controlled by a malicious user. In this situation, the host firewall protects the network from the threats coming from the host.
Another way of looking at this is that a host firewall also protects the network from a user in general. A user is the most risky element in a network infrastructure. Even if every other component, hardware or software, does what it was programmed and configured to do, a user can decide to violate security. Thus, the free will of human users is one of the biggest risks to every computing environment.
Users can be ignorant, make mistakes, be tricked by a Trojan horse, be the target of social engineering attacks, or perform malicious actions on purpose. The security of a host system, including general system hardening, anti-malware scanning, Internet client restrictions, blocking of non-
approved software, and a host firewall, are all designed to protect the network from the risk of human users.
Firewalls protect against Internet threats, protect against internal network threats, protect resources generally, and protect against the risk of users. These capabilities alone might make installing a firewall on every host and on every segment seem like the obvious follow through.
However, deploying firewalls everywhere has two significant drawbacks: cost and over- dependence. Most commercial-grade firewalls are costly. Even if they have no purchase cost (due to promotions or being open source), the ongoing maintenance costs of firewalls add up significantly over time. With firewalls deployed on every host and on every segment, the overhead of firewall management would far exceed the total IT budget of most businesses.
A second drawback to ubiquitous deployment of firewalls is over-dependence. Firewalls are only part of a complete security solution, not a whole solution by themselves. By deploying firewalls on every host and every segment, other essential security endeavors might be overlooked or deemed unnecessary. This would be a disastrous security stance. Firewalls cannot compensate for poor security policy, poor security management, or a lack of proper system hardening.
With these concerns, how can your organization determine how many firewalls to deploy and where to deploy them? In most cases, this requires a process of risk assessment and risk management. Risk assessment involves examining values, threat levels, likelihoods, and total cost of compromise versus the value of the resource and the cost of the protection. While many other factors affect risk assessment, this essential business and security process is as follows:
1. Determine the overall value of the resource or asset. Known as the asset value (AV), this calculation should include both tangible and intangible costs and value.
2. Determine the threats that face that asset. For each threat, calculate the exposure factor (EF), or the amount of potential harm expressed as a percentage. This will create a list of asset-threat pairs with a corresponding EF.
3. Calculate the single loss expectancy (SLE): SLE = AV × EF. This is the amount of potential loss that could be experienced due to a single occurrence of compromise against this asset for a specific threat. This will add an SLE value to each asset-threat pair.
4. For each threat, calculate the potential number of times the threat could be a realized attack within a year’s time. This is known as the annualized rate of occurrence (ARO).
5. Calculate the annualized loss expectancy (ALE): ALE = SLE × ARO. This is the amount of potential loss that can be experienced due to any compromise of this asset for a specific threat within a year. This will add an ALE value to each asset-threat pair.
6. Sort the list of asset-threat pairs by the ALE. The highest ALE is the biggest risk for this specific asset/resource.
7. Take the asset-threat with the largest ALE and determine the possible countermeasures that could be used to protect against that threat. This creates asset-threat-countermeasure triplets.
8. For each asset-threat-countermeasure triplet, calculate a new ARO. The countermeasure should reduce the ARO. A perfect countermeasure would reduce the ARO to zero. There
are few perfect countermeasures. 9. With the new ARO, calculate a new ALE for each asset-threat-countermeasure triplet. 10. For each asset-threat-countermeasure triplet, make a cost/benefit analysis. The formula for
this is: (Original ALE – New ALE) – cost of the countermeasure per year. 11. Sort the asset-threat-countermeasure triplets by their potential cost/benefit. The triplet with
the greatest cost/benefit is the best choice.
In short, if the cost/benefit analysis for a particular asset-threat suggests a firewall, then installing one is a good business, security, and budget decision. If some other countermeasure delivers greater benefit for less cost, then that countermeasure is the better choice.
Performing detailed risk analysis is a complex task. Many small companies or home network enthusiasts might not want to spend the effort to perform a complex risk assessment. This is understandable, but failing to perform a full risk assessment doesn’t mean that you have no risk or that you have no assets worth protecting.
At a minimum, you need to protect any and all data that is personally identifiable. This includes personal communications like e-mails; any custom crafted document, picture, video, or other file type; all medical information; all financial information; configuration settings; and passwords and other credentials. Identity theft is one of the most frequent and devastating crimes of the interconnected world. Worrying only about your neighbors, the random home burglary, or the pickpocket on the street is nothing short of tunnel vision. Today, you must be concerned about all would-be criminals across the globe attempting to gain access to your electronic assets over the Internet.
Who needs a firewall? Everyone with a networked computer needs a firewall. Why are firewalls necessary? Firewalls are critical because threats and malicious entities lurk on the Internet, on private networks, and possibly within your own home!
What Are Zones of Risk?
A zone of risk is any segment, subnet, network, or collection of networks that represents a certain level of risk. The higher the risk, the more security you need to protect against that risk. The less of a risk associated with a zone, the less security is necessary because the threats of that zone pose less chance of harm.
The flip side of zones of risk is zones of trust. Highly trusted zones naturally require less security, while zones of low trust require more security.
Each zone of risk needs to be clearly and distinctly isolated from any other risk zone, especially if those zones have different levels of risk. The primary tool used to isolate zones from each other is the firewall.
Most networks have two to four zones of risk. These include the private network, DMZ, extranet, and the Internet. See Figure 2-4. The private network zone has the lowest risk and is the zone of the highest trust. The Internet zone has the highest risk and is the zone with the least trust. A DMZ has less risk than the Internet, but is not as trusted as the private network. A DMZ zone has medium-high risk or medium-low trust. An extranet has more risk than the private network and more trust than the
Internet. An extranet zone has medium-low risk or medium-high trust. See Table 2-1.
FIGURE 2-4
An example of a private network with four risk or trust zones.
TABLE 2-1 Risk and trust levels of common network zones.
ZONE RISK LEVEL TRUSTLEVEL
LAN Low High
Extranet Medium–low Medium–high
DMZ Medium–high Medium–low
Internet High Low
Your organization’s written security policy should define where these zones exist and dictate the security requirements for each zone. Such requirements would include traffic management, use of
firewalls, use of VPNs to cross the zone divisions, hardening of systems, malicious code scanning, and so on. Firewalls are likely found at risk zone divisions and may be the best cost/benefit security countermeasure in some circumstances. The next step is to understand what a firewall can do at these points and how it performs these tasks.
How Firewalls Work and What Firewalls Do
Firewalls work along a communication pathway. This can be the gateway point of a network, a chokepoint within a network, a point of zone transition, or on a host. In these locations, the firewall interrupts the traffic flow to inspect packets or sessions. If the traffic is authorized, it continues to its destination. If the traffic is not authorized, it is blocked and dropped.
When one thinks of a firewall, one generally pictures some sort of hardware, when in fact it is more accurate to think of the firewall as a function. There are really two broad types of firewall implementations: bump-in-the-wire and bump-in-the-stack. The bump-in-the-wire is a separate hardware firewall implementation, and the bump-in-the-stack is a firewall that is implemented via software.
Firewalls operate on a bastion host basis (Figure 2-5). This is most obvious in the case of hardware firewalls, but it’s true of host software firewalls as well. A bastion host firewall stands guard along the pathway of potential attack, positioned to take the brunt of any attack. A firewall acts as the vanguard, as the front line of defense against any attack. A bastion host can also be called a sacrificial host.
In the case of a host software firewall, the firewall will attempt to prevent all malicious interactions to and from the host. In the event that the firewall itself is compromised, it usually disconnects the system from the network. While this is a form of DoS, it’s often a preferred fail- safe/fail-secure response over defaulting to an open unrestricted and unfiltered connection. This is especially true if the connection is directly to the Internet.
FIGURE 2-5
An example of a bastion host firewall deployment.
If the firewall is able to rebuff an attack, then the resources are secure. If the firewall falls due to the attack, it prevents any further communication with the resources behind it. Think of a firewall as a dead-man switch. If the firewall fails or goes offline, so does the connection it was filtering.
The most common function of a firewall is to screen or filter traffic. The firewall checks any packet received on its interface against its rule set to determine whether to forward or drop the packet. As you read earlier, firewalls typically function on a deny-by-default/allow-by-exception security policy.
The firewall performs most traffic filtering based on information in a packet or segment header. This can include the IP address of the source and destination, as well as the source and destination port. Some firewalls can also filter or block specific protocols or certain uses of protocols. For example, a firewall could block all streaming media protocols and block just the Internet Control Message Protocol (ICMP) type 3 (destination unreachable) and 11 (timeout exceeded).
Firewalls differentiate between networks or subnets. A firewall serves as a clear and distinct boundary between one network area and another. By positioning a firewall between network divisions or subnets, the network designer and security administrators are using traffic management and control for traffic attempting to cross that intersection. Firewalls serve as boundary devices both on the edge of networks facing the Internet as well as internally between different divisions within an organization.
Open and unrestricted internal communications might sound like a good idea, but in practice such traffic causes severe degradation of overall infrastructure performance and stability. By preventing or at least limiting communications between certain divisions of an organization, traffic efficiency increases. Additionally, traffic control and management decrease risk.
For example, by blocking communications between the programming group’s network and the production network, unapproved versions of software cannot leak out. Additionally, blocking general access to the accounting subnet, the research and development subnet, the DMZ, and the extranet from the production network protects against data leakage, spread of malicious code, and other forms of fraud and abuse.
Firewalls can act as a general filter for malicious activity or as a one-way sieve. As a general filter, a firewall will allow all normal benign traffic to pass through. This is the type of firewall used to protect a DMZ or differentiate subnets within a LAN. A general filter firewall works to stop malicious activities.
A general filter firewall can allow communication using any protocol on any port or limit communications to specific protocols and ports (amongst other limitations). If only a few specific resources hosted behind the firewall are to be accessed by external users, the firewall can allow access to those specific internal systems based on IP address and port but block all other inbound requests.
A sieve firewall will only allow traffic to originate from the private or trusted side. A sieve firewall will allow non-malicious responses to return from the public or less-trusted side, but it will generally block or prevent any initiation or inbound communication request from the outside. A sieve firewall typically protects a private LAN or an extranet.
Firewalls can support special inbound authorized connections with the LAN, such as VPN links from telecommuters. This is an important feature for an extranet, as well, since VPN access is often
the only method to reach hosted resources through the Internet. Firewalls can provide port-forwarding services. Port forwarding is a form of static reversal of
network translation. In traditional or dynamic network address translation (NAT), external entities cannot initiate communications with internal systems because any packet received by the outside interface of the NAT system will not find a matching mapping in the translation table and will therefore be considered invalid and dropped.
With port forwarding, a translation mapping is coded so that an external IP address and port combination are fixed and redirect traffic to a specific internal system, even if the internal system uses a private IP address. The combination of an IP address and a port number is known as a socket. In Figure 2-6, the external port 208.40.235.38:8081 is forwarded to an internal server’s port at 192.168.5.74:80. Port forwarding can also be called static NAT, traffic forwarding, service redirection, reverse proxy, and “punching a hole through the firewall.”
The phrase “punching a hole through the firewall” points out a very important concern: namely, that using port forwarding reduces the effective security provided by the firewall. Without port forwarding or other similar services, a firewall can rebuff attempts to communicate with internal systems. Using port forwarding, you create a pathway across the primary border sentry. Several hacker exploits can take advantage of port forwarding to reach other internal systems on other ports than what was “allowed” by the port forwarding settings. These attacks are usually variations of fragmentation manipulation.
FIGURE 2-6
An example of port forwarding across a NAT system.
Managing and controlling traffic is a primary concern and function of firewalls. Only authorized communications are allowed; everything else is blocked. The act of determining what to allow and what to block depends on the filtering features of the firewall. These include packet inspection, connection or state management, stateful inspection, and others. (A state is a logical connection between a client and a resource server.) These filtering concepts are defined later in this chapter.
In addition, firewalls can block or filter outbound traffic. This function can block spoofed traffic or anything with an invalid IP address as the destination or source. Specific protocols or ports can be blocked as well. And, of course, specific domain names or destination addresses can be blocked.
Firewalls can also filter based on content. The firewall can intercept specific content in a packet leaving the network before it reaches the outside. This could result in the packet being discarded, an
entire connection being dropped, or the packet being edited to remove the blocked content and replace it with something else. Content filtering can focus on domain name, URL, filename, file extension, or keywords in the content.
Another capability of firewalls is the ability to filter based on encryption. A firewall can allow encryption without restriction. Or, a firewall can be set to block encryption on some ports and not others. Firewalls can also block encryption from and to all internal IP addresses except for servers, VPN devices, and RAS/NAS.
Firewalls can perform intermediary functions between hosts where network administrators deem direct communication too risky. This is the basic function of a proxy. A proxy firewall positioned along a communication path can hide the identity of one or both endpoints of a communication from the participants. In most cases, proxy services hide the identities of internal systems from external entities.
Firewalls can perform address conservation through the use of an address conversion or translation system. NAT is the most common translation service supported by networks. NAT translates between internal addresses and public external addresses. NAT allows a private network to use RFC 1918 private IP addresses. This, in turn, provides additional security, since Internet hosts cannot address an RFC 1918 system directly.
Through the combination of all their features, functions, and capabilities, firewalls provide consistent, reliable protection for an organization’s computer and electronic resources. But firewalls are not perfect and should not be the sole security component of a network infrastructure. They are only one element—although an essential one—of a network security strategy.
Firewalls can log events. Firewalls can be set to record any action into a log file. In addition, they can record the content of any malicious traffic into a log file. And they can record any abnormal network activity, performance levels, and traffic statistics into a log file. Logging events is an invaluable feature of a firewall.
Since perfect security products don’t exist, you must rely on monitoring to watch for attempts (and any successes) to breach or violate security. Security is locking things down to the best of your ability, and then watching for attempts to breach your defenses. Lock, then watch. A successful security strategy is not possible without both locking and watching. Additionally, most security components should include a locking and a watching aspect to them. Firewalls are no exception. If a proposed firewall product is unable to record a log of its actions and network activities, then you need to seek out a different firewall product. Remember the time-tested business adage: “You get what you inspect, not what you expect.”
TCP/IP Basics
To fully understand the mechanisms of filtering employed by firewalls, you need a solid understanding of the TCP/IP protocol suite. Thorough knowledge of TCP/IP benefits a security administrator not just in the area of firewall management, but also in routing, switching, maintaining availability, improving network performance, managing network traffic, analyzing protocol, understanding vulnerabilities and exploits, and even performing penetration testing or ethical hacking.
Most networks, including the Internet, use the TCP/IP protocol. The most prevalent version in use
is IPv4. However, IPv6 is gaining wider use across the globe. During this transitional period, you should learn about both versions of IP. If you need additional detailed information regarding TCP/IP, please consult:
Stevens, W. Richard, and Gary R. Wright. TCP/IP Illustrated, Volumes 1–3. Addison-Wesley Professional, 1994.
Kozierok, Charles. The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference. No Starch Press, 2005.
Comer, Douglas E. Internetworking with TCP/IP, Vol 1 (5th Edition). Prentice Hall, 2005.
The ARIN IPv6 Wiki at http://www.getipv6.info.
OSI Reference Model Most protocol discussions begin with the Open Systems Interconnection (OSI) Reference Model. The OSI model is a standard conceptual tool used to discuss protocols and their functions. The OSI model has seven layers (Figure 2-7). Each layer communicates with its peer layer on the other end of a communication session. While the OSI model is helpful in understanding protocols, most protocols are not in full compliance with it.
Below is a brief description of the OSI model’s seven layers. Each layer has unique responsibilities, functions, and features. The OSI model defines what needs to take place at each layer and leaves the actual process of accomplishing those tasks to the protocols and, ultimately, to the protocol programmers.
NOTE The OSI model is the documented standard for discussing and describing network protocols. However, TCP/IP is the de facto or practical standard, as it was actually in use before the OSI model was developed into actual protocols. Few products can directly support the OSI model or its derived protocols. Instead, most products support TCP/IP, in spite of its not being the official, documented standard from the International Standards Organization.
Application Layer (Layer 7)—The Application Layer (Layer 7) enables communications with the host software, including the operating system. The Application Layer is the interface between the host software and the network protocol stack. The sub-protocols of this layer support specific applications or types of data.
Presentation Layer (Layer 6)—The Presentation Layer (Layer 6) translates the data received from the host software into a format acceptable to the network. This layer also performs this task in reverse for data going from the network to the host software.
Session Layer (Layer 5)—The Session Layer (Layer 5) manages the communication channel, known as a session, between the endpoints of the network communication. A single Transport Layer connection between two systems can support multiple, simultaneous sessions.
Transport Layer (Layer 4)—The Transport Layer (Layer 4) formats and handles data transportation. This transportation is independent of and transparent to the application.
Network Layer (Layer 3)—The Network layer (Layer 3) handles logical addressing (IP addresses) and routing traffic.
Data Link Layer (Layer 2)—The Data Link Layer (Layer 2) manages physical addressing (MAC addresses) and supports the network topology, such as Ethernet.
Physical Layer (Layer 1)—The Physical Layer (Layer 1) converts data into transmitted bits over the physical network medium.
What You Should Know About Addresses
Logical addresses, such as IP addresses, create global distinction. At least for public IP addresses, all addresses used on the Internet are unique. Assignment of a logical address is independent of physical location. Logical addresses enable communications between two hosts, regardless of their physical proximity to each other.
Physical addresses, such as MAC addresses, create local distinction. MAC addresses must be unique only within the local subnet. This enables a distinction between physically proximate systems that are able to receive the same electronic signal. The manufacturer usually performs physical address assignment of the NIC and is thus dependent on the physical hardware component itself.
MAC addresses are dependent on the physical NIC; the manufacturer assigns these as a “permanent” hardware address. However, modifying or spoofing the effective MAC address is usually possible on most systems. MAC changes are possible using native commands, as with Linux, Unix, and Mac OS, or with third-party utilities, such as required by Windows. Tools for this include MAC Spoof, MAC Makup, and MAC changer.
FIGURE 2-7
The process of encapsulation and the names of header and payload sets at each OSI layer.
As data moves from a software application for transmission over the network, it traverses the layers of the protocol stack from top to bottom. As each layer receives data from the layer above it, that data becomes the payload with a layer-specific header (Figure 2-7). At the Data Link Layer (Layer 2), where Ethernet resides, the data receives a footer as well. This process is known as encapsulation. The inverse, known as de-encapsulation, occurs when a network communication is received. As this process takes place, the data set being manipulated receives unique names, depending on the layer it traverses. They are
Application Layer (Layer 7)—PDU (payload data unit) (data obtained from the host software application)
Presentation Layer (Layer 6)—PDU Session Layer (Layer 5)—PDU Transport Layer (Layer 4)—Segment Network Layer (Layer 3)—Packet Data Link Layer (Layer 2)—Frame Physical Layer (Layer 1)—Bits of data
The encapsulation process of adding headers (and a footer at the Data Link Layer) enables data exchange between layers on different systems. This is known as peer-to-peer communications. The content of a header includes information to be processed by the corresponding layer on the receiving end of a network link.
The content of the headers, mainly from Layers 2–4, are the greatest concern and focus of a firewall. Application proxy firewalls and stateful inspection firewalls can also examine the headers and the payload content of Layers 5–7. You will learn more about the methods of filtering based on this layer information later in this chapter.
Sub-Protocols
TCP/IP is not a single protocol, but a collection of protocols. Often referred to as the TCP/IP suite, this collection includes several core protocols, such as IP, Transmission Control Protocol (TCP), and User Datagram Protocol (UDP), as well as several commonly used protocols, such as ARP, ICMP, HTTP, and TLS. In addition to these, tens of thousands of other protocols can operate within the network infrastructure created by TCP/IP.
A firm knowledge of the sub-protocols of TCP/IP is assumed but not essential to grasping the scope of this text.
Headers and Payloads Firewalls, specifically packet-filtering firewalls, inspect the contents of headers to allow or deny frames, packets, or segments. Depending on the type of filtering and the layer or protocol focus of the filtering, the item examined and the header it comes from can vary.
technical TIP For a more complete list of the additional sub-protocols, along with their port assignments, please view the document hosted by Internet Assigned Numbers Authority (IANA) at http://www.iana.org/assignments/port-numbers. Nearly every one of the 65,536 ports has one or more protocols and applications associated with it.
For a list of ports used by malicious software, visit http://www.glocksoft.com/trojan_port.htm or http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html.
Packet filtering often focuses on four main headers:
The Ethernet header of the frame from the Data Link Layer The IP header of the packet from the Network Layer The TCP header of the segment from the Transport Layer The UDP header of the segment from the Transport Layer
Each of these four headers has numerous details that affect a filtering action. These include MAC addresses, IP addresses, TCP header flags, port numbers, and more.
Addressing With regard to the basic differences in IPv4 and IPv6 addressing, the issues to focus on are not subnet masks or the length of an address, both of which are important, but rather the issues of source and destination, public and private, known and unknown, and benign and malicious, as well as real and spoofed addresses.
Many forms of filtering focus on the IP address and/or port number to make an allow or deny decision. Such decisions or rules can focus on either the source address or the destination address found in the header of a segment, packet, or frame. In other words, port number, IP address, or MAC address can support filtering as a source and/or destination concern.
Firewall filtering can focus on whether an address is public or private in both the source or destination position in the IP packet header. Generally, private addresses function on the private network and do not reach the outside. NAT will translate source-private addresses into a public address if the packet is heading toward an external destination. On the Internet, both routers and firewalls drop any IP packet that has an RFC 1918 address in the header. Firewalls can filter on whether an address is known or unknown. This function filters against addresses used for the source and/or the destination. Known addresses are usually trusted addresses. Packets with only trusted and known addresses are allowed to reach their destination. Unknown addresses are potentially not trusted. Packets with unknown addresses can be stopped in every case or further inspected before an allow or deny decision is made.
Firewalls can filter on whether an address is known to be benign or malicious, a variation of known and unknown filtering. However, instead of known addresses being trusted and unknowns not being trusted, this method twists the idea. A benign address is a known, trusted address and a malicious address is a known, not trusted address. But in both cases here, the addresses are known. Any unknown address encountered using this form of filtering will require additional subsequent filtering that looks at other aspects of the traffic.
Firewalls can also filter on whether an address is real or spoofed. This form of filtering is not as clear and distinct as the previous types. Whether a segment, packet, or frame’s address is the real correct address or a spoofed falsified address can be difficult to determine in every situation. When an address is a real address, in the sense that it’s within the subnet ranges of a network, the methods for determining whether it’s a spoofed address are few.
One method is to compare against a use table, such as that maintained by the DHCP, to see if the address is not currently assigned to any authorized system. Another method is to check the route, communication path, receipt vector, or receiving interface of the source address against what that aspect should be for a given address. For example, if a source address typically arrives on port 4 but it shows up on port 7, it’s likely a spoofed source address.
Spoofed addresses can also be detected at border sentry points. When a source address comes from the opposite side of the firewall, then it’s obviously a spoofed address. One clear example is when an internal LAN address appears as a source address in a packet on its way in to a network from outside. This form of spoof filtering can be part of ingress filtering.
Likewise, the same process can be used for packets leaving a network. Any packet whose source address is from the outside, such as an Internet address, but the packet is received by a firewall from an interface in the private LAN, must be from a spoofed address. This form of spoof filtering can be part of egress filtering.
These are most of the mechanisms that a firewall can use to filter or manage traffic based on addresses. The following sections examine the various types of firewalls and filtering methods.
Types of Firewalls
Listing the types of firewalls is almost like listing the taxonomy of the animal kingdom in biology. The variations, models, and versions are numerous. In addition, opinions vary about what is and is not a firewall. Many experts begin the discussion of firewall types by dividing the collective into two simple, main groupings: personal and commercial.
A personal firewall is designed to provide protection to a single system or a small network, such as a SOHO network. To take full advantage of their features, most personal firewalls do not require special training or certification. Most personal firewalls offer user-friendly interfaces that may be Web-based or graphical in nature (that is, a graphical user interface, or GUI).
A commercial firewall is designed to provide protection for a medium-to-large business network. Most commercial firewalls are quite complex and often require special training and certification to take full advantage of their features. Most commercial firewalls use a Unix-like command line interface (CLI) that, while powerful and efficient, is not intuitive.
These two groupings do not, however, represent the complete collective of firewalls, as several could easily fall into either or both categories. Another common grouping method, therefore, is to classify firewalls as either hardware or software.
A hardware firewall is a dedicated hardware device specifically built and hardened to support the functions of the firewall software running on it. A hardware firewall is also known as an appliance firewall. A hardware firewall does not require any additional hardware or software for its use. All it needs is one or more network connections and a power source.
A software firewall is an application installed on a host. A software firewall is also known as a host firewall. A software firewall depends upon the host’s hardware and operating system. If the host’s components are not properly hardened, the software firewall will be less effective, especially if there are other communication pathways or attack points on the host. Software firewalls must compete for resources among all other processes active on the host. A software firewall is only able to protect a single host from malicious network activity. A software firewall is only able to filter traffic that reaches the network interface of its host.
With these two types of divisions, four potential combinations exist:
Personal hardware firewall Commercial hardware firewall Personal software firewall Commercial software firewall
A personal software firewall is a product used on individual home systems, on SOHO systems, and even on client/server network workstations and servers. Generally, a personal software firewall is free or less expensive than commercial software firewall products. A personal software firewall operates on its own to protect a single host.
A commercial software firewall is a product used on client/server network work--stations and servers. While they can be installed on personal or SOHO systems, they are usually expensive and
are part of an overall security management or NAC system. Most commercial software firewalls can be used in an agent/console infrastructure where each host’s firewall can be remotely administered from a master management console.
A personal hardware firewall is part of an integrated firewall product, such as a wireless access point or a cable/DSL modem. Another variation of the personal hardware firewall is the repurposing of a client or server computer into a home-crafted open-source firewall. One example of this is SmoothWall, a hardened bootable Linux-based firewall.
A commercial hardware firewall is usually a device that handles the complexity of larger organizational networks. A commercial hardware firewall is often very expensive, running in the range of $10,000 or more.
FYI Two common but different dichotomies are free versus paid and open source versus closed source. Free means you do not need to pay for the firewall to use it. Paid means you must pay a purchase price and/or a licensing fee to use it. Many examples of both free and paid firewall products are available. Open source means the original source code is available for viewing and modification. Closed source means the distributed version is pre-compiled and the original source code is undisclosed.
Firewall products, as well as any other form of IT product, can be free and open sourced, free and closed sourced, paid and open sourced, and paid and closed sourced. You should not assume that, because something is free, it is open sourced, or that because something is commercial, it must be purchased.
The personal and commercial versions of software and hardware firewalls might include different add-ons or enhancements than their commercial equivalents. These add-ons or enhancements include antivirus, password management, registry protection, driver protection, VPN gateways, remote access support, IDSs, IPSs, spam filtering, and more. Usually these add-ons make the firewall products more attractive to the potential buyer. However, most commercial entities would generally avoid integrated firewall solutions in favor of dedicated products to handle their distinct security or management functions. An integrated device might offer easier administration, but it represents a single point of failure for multiple services. Additionally, such bundled solutions are more difficult to troubleshoot due to the complexity of the communications they support.
Another variation of firewall, in fact the original variation, is a screening router. Most appliance routers and many software routers, such as the Routing and Remote Access Service (RRAS) of Windows Server, are able to perform firewall filtering services in addition to routing. Those screening routers that perform firewall filtering might provide enough sentry security for your needs. However, if you want more advanced features, a screening router is unlikely to be the best solution for your network.
Regardless of the type of firewall or implementation, it is important to be certain that your firewall implements the security and privacy policies that you want but, at the same time, does not conflict with other security measures. If, for instance, a remote system that you will access requires use of a certain protocol or procedure that is blocked by your local firewall, then you have a problem that must be solved before you can access the remote system.
Ingress and Egress Filtering
Ingress and egress filtering is a common tool for spoof filtering. A source address that comes from the opposite side of the firewall than where it is assigned is obviously a spoofed address. An example of this is when an internal LAN address appears as a source address in a packet on its way into a network from outside. This form of spoof filtering can be part of ingress filtering.
Likewise, the same process can filter for packets leaving a network. If a packet with a source address from the outside such as an Internet address is received by a firewall from an interface inside the private LAN, this is also a spoofed address. This form of spoof filtering can be part of egress filtering.
Ingress and egress filtering can expand beyond protection against spoofing and include a variety of investigations on inbound and outbound traffic. This can include blacklist and whitelist filtering, protocol and port blocking, and confirmation of authentication or authorization before communications continue.
Unfortunately, if a packet’s spoofed addresses don’t violate any of these concerns, the spoofed addresses might not be as easy to detect. For example, if a client spoofs an IP address to look like another client in the same subnet, the rules just described to catch spoofing would fail to notice this spoofed communication.
In addition to basic ingress and egress filtering, firewalls can support additional forms of packet examination and investigation.
Types of Filtering
Filtering is the primary function of a firewall. Through its filtering services, most of the other benefits and capabilities of firewalls apply. Firewalls can support many different forms of filtering. Additionally, the terms for the type of filtering and the type of firewall are often used interchangeably. For example, a firewall that supports packet filtering is known as a packet filtering firewall.
Static Packet Filtering The most common form of filtering is static packet filtering. Static packet filtering uses a static or fixed set of rules to filter network traffic. The rules can focus on source or destination IP address, source or destination port number, IP header protocol field value, ICMP types, fragmentation flags, and IP options. Static packet filtering is therefore mainly focused on the Network Layer (Layer 3), but can also include Transport Layer (Layer 4) elements. Static packet filtering focuses on header
contents and does not examine the payload of packets or segments. Static packet filtering is fast. Traffic matching a deny rule gets dropped, while traffic matching an
allow rule gets to continue toward its destination. Static packet filters are invisible or transparent to hosts and users unless their traffic is blocked; then they will notice the actions of the firewall on their communications. Static packet filtering requires the firewall administrator to define and tune the rule set. Most firewall rule sets, including static packet filtering rule sets, are a first-match ordered system. Static packet filtering can be problematic when the rule sets get too large. If the rules are in the wrong order or in a chaotic order, the rule set could create loopholes or unintentionally discard authorized traffic.
The complexities of network communications, such as accepting query responses and port shifts, can be difficult to handle with static packet filtering. Static packet filtering may allow the subsequent packets of a fragmented message through, even though the lead packet was dropped. This can result in a DoS on the destination system, which would be waiting for the lead packet that never arrives.
Additionally, static packet filters perform their analysis on individual packets, regardless of the relationship or correlation between previous or future packets in a communication stream. This could allow complex multipacket attacks to bypass the firewall if each individual packet is not recognized as malicious on its own.
Static packet filtering should still be used as a first line of defense in spite of its shortcomings. By using static packet filtering as the first layer of defense, subsequent layers of filtering will have less bulk to address and thus can operate more efficiently.
Stateful Inspection and Dynamic Packet Filtering Stateful inspection addresses the issue of complex malicious traffic. Stateful packet filtering determines whether or not a current packet is part of an existing session, and allow/deny decisions are made based on this determination. A state is a session of communication. Often, state refers to the Transport Layer (Layer 4) protocol TCP’s virtual circuits established through the three-way handshake (using the SYN, SYN/ACK, and ACK flagged segments). However, stateful inspection systems can also track communications in Layers 5–7. A stateful inspection firewall will keep track of current sessions in a state table stored in memory.
As the firewall encounters each packet, it is analyzed to determine whether the packet is part of an existing state or not. If not, it’s likely to be dropped unless it’s a packet used to help initiate a new authorized session. Such a stateful investigation can be considered a dynamic packet filter as well. With static packet filtering, rules had to be created to allow the outbound requests and the inbound replies. With dynamic packet filtering, once a session is established, the filtering watches for packets that don’t belong to authorized sessions. Using stateful inspection as dynamic packet filtering allows for simpler rule sets. A rule allows an outbound connection and the firewall’s state management automatically allows the return traffic.
Unfortunately, stateful inspection can sometimes be fooled through manipulation of header contents that makes malicious traffic look like part of an existing valid session. More advanced stateful inspection filters keep track of not just the basic endpoints of a session, but also additional details about the session, such as the sequencing and acknowledgment numbers. This reduces the risk but does not fully eliminate it, as a hacker can eavesdrop on a session, learn the sequencing numbers,
and predict future valid sequences. Another issue with stateful inspection is that not all traffic uses states. Specifically, UDP and
ICMP are connectionless protocols. So, state management won’t apply to them. For these protocols, the firewall acts as if a state does exist and keeps track of the source and destination from outbound packets. These are added to the state table with a timeout value. If the timeout occurs before a response is received, the state is removed from the table. A hacker can fool this mechanism in the same way as any stateful protocol like TCP.
NOTE Stateful inspection is a form of dynamic packet filtering. Dynamic packet filtering is the process of automatically creating temporary filters. In most cases, the filters allow inbound responses to previous outbound requests, but on a limited timeout basis. Both forms of state or session awareness, dynamic packet filtering and stateful inspection are usually interchangeable terms.
Network Address Translation (NAT) Network address translation (NAT) is not exactly a form of filtering, but is often included in lists of the filtering services or options provided by firewalls. NAT translates internal addresses into external addresses. NAT can perform this service against IP addresses as well as port numbers. Any firewall that supports NAT can be a NAT firewall. In most cases, NAT is an additional translation service to the core filtering functions of a firewall. NAT is a common, if not standard, feature of modern firewalls.
Application Proxy An application proxy, application firewall, or application gateway is an application-specific version of a packet filter. However, unlike a static packet filter that is only able to inspect the header of a packet or segment, an application proxy is able to inspect traffic fully at any layer, including the application payload.
An application proxy, even if given the name firewall or gateway, acts as the go-between or middleman between a client and a server. All communications for the specific application are proxied. This grants the application firewall the ability to inspect application-specific elements of the traffic. Application proxies are application-specific, so specific products for e-mail, Web, file transfer, database access, VoIP, and other TCP/IP sub-protocols are available.
When an application proxy is deployed, it usually requires that all client software be reconfigured to point communications to the proxy server rather than the actual intended resource server. The application proxy will also rebuild the request packet before sending it to the resource server. This can include NAT services, but in most cases, it’s just a process of proxying the communication. The application proxy maintains two connections, one between itself and the requesting client and a second between itself and the resource server. Thus, application proxies are not transparent filters
because a client is aware the proxy is in use. The client never establishes a direct connection between itself and the resource server when a proxy is involved.
Additionally, all other firewalls monitoring a network border must deny access for the application protocols to be managed by the application proxy. This prevents a user from attempting to bypass the application proxy.
Application firewalls can filter on the content of the application payload. This can include IP addresses, domain names, URLs, sub-protocols, attachments, keywords, and more. An application proxy can inspect every aspect of an application’s communications. This is known as deep packet inspection.
Application proxies can also perform caching services to improve performance and reduce connection throughput consumption.
The primary limitation of application proxy firewalls is each unique application will need its own dedicated application proxy. Generic proxy systems are usually ineffective.
Circuit Proxy A circuit proxy or circuit firewall focuses its filtering on the initial setup process of a session, state, or circuit. This form of filtering can focus on Layers 3–5. It functions similarly to an application proxy, as it acts as a middleman between a client and server. A circuit proxy prevents a direct connection from existing between a client and server to protect the network.
A circuit proxy makes an allow or deny decision on the initiation of the session, state, or circuit. Once a circuit is created, no further filtering takes place. If a client is allowed to initiate communications with a resource server, then the content of their communication is unfiltered and unmonitored (at least by the circuit proxy).
The filtering rules of circuit proxies are similar to those of static packet filtering in that a list of rules of IP addresses, port numbers, domain names, networks, or even resource providers determines what circuits or connections are allowed and which are not. The filter set can be a deny all but allow exceptions stance, or an allow all but deny exceptions stance.
Content Filtering Firewalls can also filter based on content. The firewall can intercept specific content in a packet leaving the network before it reaches the outside. This could result in the packet being discarded, an entire connection being dropped, or the packet being edited to remove the blocked content and replace it with something else. Content filtering can focus on domain name, URL, filename, file extension, or some other form of keyword.
Content filtering is often a feature of application proxy firewalls, stateful inspection firewalls, and dynamic packet filtering firewalls.
Software Versus Hardware Firewalls
A software firewall is an application installed on a host. A hardware firewall is a dedicated
hardware device specifically built and hardened to support the functions of the firewall software running on it.
A software firewall is also known as a host firewall. A hardware firewall is also known as an appliance firewall.
A software firewall depends upon the host’s hardware and operating system. If the host’s components are not properly hardened, the software firewall will be less effective if other communication pathways or attack points on the host exist. A hardware firewall does not require any additional hardware or software for its deployment. All it needs is one or more network connections and a power source.
Software firewalls must compete for resources among all other processes active on the host. A hardware firewall has dedicated hardware resources not shared with any other service.
A software firewall is only able to protect a single host from malicious network activity. A hardware firewall can protect a single system or an entire network
A software firewall is only able to filter traffic that reaches the network interface of its host. A hardware firewall can also only filter traffic that reaches the network interfaces of its appliance. However, a hardware firewall can be positioned on a network at a choke-point or gateway to analyze and filter all traffic.
A software firewall and a hardware firewall are both a form of software, but the hardware firewall has a dedicated appliance as its host, while the software firewall uses a standard client or server as its host. In either case, software flaws or bugs in programming can cause the firewall to fail.
A software firewall and a hardware firewall can both be targets of attack. Exploits can compromise their software component or physical attacks can harm their host/appliance.
A software firewall is often less expensive than a hardware firewall. A hardware firewall typically offers a wider range of features and capabilities than a software firewall.
Both software firewalls and hardware firewalls are options you can use throughout a network infrastructure.
IPv4 Versus IPv6 Firewalls No real distinction exists between a firewall designed for IPv4 and one designed for IPv6. Many firewalls can already support both versions of IP. If you are planning to migrate to IPv6 or have already started the conversion process, be sure your firewalls support IPv6.
A small issue affects filtering between IPv6 and IPv4 subnets. A protocol translation tool can support interaction between networks using different versions of IP. This translation tool is called Network Address Translation–Protocol Translation (NAT-PT) and was defined in RFC 2766 by the IETF. Be sure your selected firewall supports NAT-PT if you plan to communicate across an IP version barrier.
If you would like to read more on this translation issue or gain further understanding about IPv6, please visit:
The ARIN IPv6 Wiki at http://www.getipv6.info IPv6.com at http://www.ipv6.com
Dual-Homed and Triple-Homed Firewalls
Firewalls, specifically hardware appliance firewalls, typically have two or more network interfaces. A firewall with two interfaces is known as a dual-homed firewall, while a firewall with three interfaces is known as a triple-homed firewall or a three-legged firewall.
The benefit of multiple interfaces is that the segments, subnets, or networks connected to each firewall interface are electronically isolated from each other. This prevents unfiltered traffic from leaping from one segment to another in an attempt to bypass firewall filtering.
However, for software firewalls using multiple interfaces, you need to ensure that the TCP/IP protocol feature called IP forwarding is disabled. IP forwarding is actually a router rule that allows traffic from one interface to exit another interface without needing to move any further up the protocol static than where IP resides. In many cases, IP forwarding allows packets to bypass filtering. If the system is to be a firewall, you should disable this feature.
Software host firewalls are most often single-homed firewalls since the host only has only a single NIC. This is acceptable, since the software host firewall is not providing sentry services between network segments, but between the host and the network.
While firewalls with four or more interfaces are possible, they are rarely deployed. Such a configuration requires significantly more complex filtering and routing rules to operate effectively. It’s also a significant single point of failure and a bottleneck to traffic flow between multiple network segments.
NOTE If a system is to function as a router rather than a firewall, IP forwarding might be a desirable function.
Placement of Firewalls
The placement of your network’s firewalls depends on several key but subjective factors. No single correct answer or deployment strategy is perfect for everyone. However, several good general guidelines can be of help in planning firewall placement.
First, understand the structure of your network. Where are natural or organizational divisions on the network? Do they correspond to distinct subnets or geographic/physical locations? In many situations, placing a firewall between each division or physical location (even different floors of a building) can be beneficial. Do you have a DMZ or extranet? You will need to isolate these from the private LAN and from the Internet.
Second, know the traffic patterns of your network. What are the common vectors and pathways of communication, both between internal systems and between internal and external systems? Consider positioning firewalls so that they can filter all traffic. This may involve the creation of chokepoints.
Third, is Internet connectivity essential to business tasks? You should firewall-protect all Internet
access points or gateways. In fact, any external gateway or portal should have a firewall. Fourth, is any form of remote access in use, including wireless? You should position a firewall
between each RAS or NAS and the private LAN. Assume all remote and wireless connections are potentially malicious.
Fifth, based on previous compromises, what are the most likely access pathways an internal or external hacker might use to breach your network? Place firewalls along these pathways.
Sixth, does any other unique aspect or feature of your IT infrastructure warrant consideration for firewall protection?
Placing a firewall everywhere mentioned in these guidelines may not be practical, cost effective, or secure. So before any deployment, conduct a risk assessment to determine whether a firewall is the best choice of countermeasure. Review the section “Why Do You Need a Firewall?” for more information on conducting risk assessments.
CHAPTER SUMMARY An essential element of network security, a firewall is a filtering service used to protect your network and hosts from a variety of threats, both internal and external. Several types of firewalls are available, including screening routers, hardware appliances, and host software products. Each of these firewalls can employ one or more features for ingress and egress filtering. The common filtering features include static packet filtering, stateful inspection or dynamic packet filtering, NAT, application proxy, and circuit proxy.
KEY CONCEPTS AND TERMS 802.1x Agent Annualized loss expectancy (ALE) Annualized rate of occurrence (ARO) Appliance firewall Application Layer (Layer 7) Application firewall Application gateway Application proxy Asset value (AV) Bastion host Border sentry Botnet
Bots Bump-in-the-stack Bump-in-the-wire Circuit Circuit firewall Circuit proxy Closed source Commercial firewall Content filtering Cost/benefit analysis Data Link Layer (Layer 2) Dead-man switch De-encapsulation Dual-homed firewall Dynamic packet filtering Exposure factor (EF) Fail-safe/fail-secure Frame Gateway Hardware address Hardware firewall Header Host firewall Intangible costs and value Internet Control Message Protocol (ICMP) IP address Load balancer Logical address Network Layer (Layer 3) Open source Packet Payload Personal firewall Physical address Physical Layer (Layer 1) Port forwarding Port number
Presentation Layer (Layer 6) Public key infrastructure (PKI) Reverse proxy Risk assessment Risk management Rule set Rule Sacrificial host Screening router Secure Sockets Layer (SSL) Segment Session Session Layer (Layer 5) Single loss expectancy (SLE) Socket Software firewall Spoofing State Stateful inspection Static NAT Static packet filtering Tangible costs and value Transmission Control Protocol (TCP) Transport Layer (Layer 4) Transport Layer Security (TLS) Transport mode encryption Triple-homed firewall Tunnel mode encryption User Datagram Protocol (UDP) Zombie Zone of risk Zone of trust
CHAPTER 2 ASSESSMENT
1. What is another term for the individual rules in a firewall rule set? A. States B. Exceptions C. Policies D. Referrals E. Sentries
2. Which of the following is not associated with a firewall? A. Fail-secure B. Sentry device C. Fail-open D. Chokepoint E. Filtering service
3. A firewall is designed to allow what type of traffic to traverse its interfaces? A. Authorized B. Non-benign C. Unknown D. Abnormal E. Malicious
4. What is the first step in deploying a firewall? A. Determining the filtering process B. Defining rules C. Selecting a security stance D. Purchasing a license E. Writing a security policy
5. Which of the following is the best description of a firewall? A. An authentication service B. A remote access server C. A resource host D. A sentry device E. A malicious code scanner
6. A border firewall cannot protect against which of the following? A. Flooding attacks B. Insider attacking another internal target
C. Protocol abuses D. Unauthorized inbound service requests E. Port scans
7. All of the following are mistakes in firewall security except: A. Managing security poorly B. Deploying too many firewalls C. Using firewalls to provide filtering for networks and hosts D. Not writing a security policy E. Failing to keep current with updates and patches
8. What is the primary reason a firewall is an essential security product? A. Low cost of deployment B. Threats exist C. High ROI D. Native protocol encryption E. Interoperability
9. What technique determines if a firewall is the best countermeasure choice for a particular threat against a specific asset? A. Conducting a risk assessment B. Reading blogs C. Buying the least expensive option D. Only using open-source products E. Using products from a single vendor
10. Which of the following is not a common zone of risk? A. An extranet B. A DMZ C. A private LAN D. The Internet E. Department subnets
11. Which of the following statements are true? A. A firewall can be deployed as a bastion host. B. Firewalls protect resources. C. Firewalls are often the first line of defense for a network. D. Firewalls are part of an overall security strategy.
E. All of the above
12. When a one-way or sieve firewall protecting your network allows external initiations of communications to occur over a specific socket, this is known as: A. Static NAT B. Traffic forwarding C. Port forwarding D. Reverse proxy E. All of the above
13. What is ingress filtering? A. Restricting traffic to a specific subnet B. Preventing traffic from leaving a network C. Limiting host activities to that host D. Monitoring traffic on its way inbound E. Blocking access to external resource sockets
14. Content filtering can focus on the following aspects of traffic except: A. Source or destination IP address B. Keywords in the payload C. URLs D. File extensions E. Domain names
15. Which of the following will prevent firewall filtering from blocking malicious content? A. Speed of the network B. User permissions C. Not being positioned at a chokepoint D. Encrypted traffic E. Cable type
16. Which of the following is not a valid method for determining whether a source address is spoofed? A. Comparing against a use table B. Verifying the route of reception C. Checking the DHCP logs D. Checking against RFC 1918 E. Performing ingress filtering
17. What form of filtering focuses on source or destination IP address and requires separate rules for inbound and outbound communications? A. Stateful inspection B. Static packet filtering C. Application proxy D. Circuit proxy E. Dynamic packet filtering
18. Dynamic packet filtering is also known as: A. Static packet filtering B. Application proxy C. Stateful inspection D. Circuit proxy E. Deep packet inspection
19. What method of filtering automatically keeps track of sessions on a limited timeout basis to allow responses to queries to reach internal clients? A. Deep packet inspection B. Static packet filtering C. Application proxy D. Dynamic packet filtering E. Circuit proxy
20. What form of filtering allows communications regardless of content once the session is established? A. Dynamic packet filtering B. Circuit proxy C. Stateful inspection D. Application proxy E. Deep packet inspection
FIGURE 2-8
The seven domains of a typical IT infrastructure.
21. What type of firewall requires the presence of a host operating system? A. Appliance firewall B. Personal firewall C. Software firewall D. Commercial firewall E. Screening router
22. Based on the seven domains of a typical IT infrastructure, all of the following locations (see Figure 2-8) are appropriate locations for firewall deployment except: A. Between users and workstations B. Between workstations and a LAN C. Between a LAN and a WAN D. Between remote access and a LAN E. Between remote access and application servers
23. What activity performed by a triple-homed firewall cannot be performed by a dual-homed firewall? A. Filtering content B. Physically isolating subnets C. Supporting NAT proxy services
D. Deployment as an appliance E. Deployment traffic from the Internet to either an intranet or a DMZ
CHAPTER
3 VPN Fundamentals
VIRTUAL PRIVATE NETWORKS (VPNS) allow organizations to transmit private and sensitive data securely over public intermediary networks. The Internet can serve as a cheap long-distance carrier for WAN connections established using VPNs. VPNs use native operating system features or third-party software, as well as hardware devices, including edge routers, firewalls, and VPN appliances. Remote access for mobile users, linked multi-office intranets, and secured access into an extranet are common VPN architecture solutions.
The use of VPNs on networks ranging from small home networks to corporate global networks has dramatically expanded the ways people connect and do their work. Through the use of VPNs, telecommuting employees, business partners, traveling workers, suppliers, distributors, and others can benefit from secured connectivity even while geographically distant. With a basic understanding of VPNs, you can begin designing and planning your own VPN solution.
Chapter 3 Topics
This chapter covers the following topics and concepts:
What a VPN is and what is it used for
What the benefits of a VPN are and why you would deploy one
What the limitations of a VPN are
What the relationship between encryption and VPNs is
What VPN authentication is and how is it implemented
What VPN authorization is and why is it necessary
Chapter 3 Goals
When you complete this chapter, you will be able to:
Define VPNs
Explain the business and personal uses of VPNs
Describe the pros and cons of VPNs
Illustrate deployment models or architectures of VPNs, including an edge router, a corporate firewall, a VPN appliance, a remote access server, a site-to-site VPN and supporting devices, and a host-to-host VPN and supporting devices
Differentiate between a transport-mode VPN and a tunnel-mode VPN
Describe the importance of encryption, authentication, and authorization to VPNs
What Is a Virtual Private Network?
A short and direct definition is that a virtual private network (VPN) is a mechanism to establish a secure remote access connection across an intermediary network, often the Internet. VPNs allow remote access, remote control, and highly secured communications within a private network. VPNs employ encryption and authentication to provide confidentiality, integrity, and privacy protection for network communications.
A more involved exploration of the phrase “virtual private networks,” however, can reveal other import aspects that such a succinct definition overlooks. The term VPN has its origins in the telecommunications world. A telephone VPN created a PBX-like system for businesses without the need for deployment of true private branch exchange (PBX) hardware. Instead, the system used a public telephone service and the PBX services at the telco’s central offices. This service/product sold under the name Centrex (a combination of the terms central and exchange) in the 1960s through the 1980s.
After the proliferation of computer networks and Internet connectivity, the term VPN evolved to refer to tunneling connections across network links. Early computer VPNs focused on the tunneling or encapsulation processes and rarely included encryption services. Today, VPNs are almost always secured using encryption. However, you should never assume anything is totally secure, especially connections over public networks. You should always confirm that a product performs encryption properly before depending on it for sensitive operations.
A VPN creates or simulates a network connection over an intermediary network. But what makes a VPN private? At least three possible mechanisms can work:
When the primary organization owns all of the network infrastructure components, including switches, routers, and cables. A true private VPN occurs when a single organization owns all of the hardware supporting its VPN. However, few organizations actually own all of the connections between their locations, so this is usually impractical or prohibitively expensive. This wholly owned and operated system constitutes a trusted VPN.
When a dedicated set of channels is used across leased telco connections. This method provides physical isolation even on third-party equipment; hence privacy is maintained. This type of system is more practical, but is still expensive. This can also be called a trusted VPN,
since you must be able to trust the owner of the hosting infrastructure to protect network communications against eavesdropping.
When encryption ensures privacy even over public networks, such as the Internet. This method is the most reliable, as the other two options are still at risk to eavesdropping. Additionally, encryption to provide privacy is not only practical, it is the least expensive option as well. This system can be called a secured VPN.
A fourth type private VPN is possible, known as a hybrid VPN. This form of VPN establishes a secure VPN over trusted VPN connections. A trusted VPN allows an organization to know and control the pathway of its transmissions. However, a trusted VPN does not protect against eavesdropping or alteration. A secure VPN protects the confidentiality and integrity of data, but does not control or ensure the transmission path. When you combine these two VPN techniques, you create a potentially more secure and practical solution. Two possible layouts of hybrid VPNs are shown in Figures 3-1 and 3-2.
FIGURE 3-1
A hybrid VPN consisting of a secure VPN across an intermediary trusted VPN.
FIGURE 3-2
A hybrid VPN consisting of a secure VPN segment within a trusted VPN.
VPNs are often associated with remote access or remote control. However, these associations need clarification to have value. Remote control is the ability to use a local computer system to remotely take over control of another computer over a network connection. In a way, this process is the application of the thin client concept on a fully capable modern workstation to simulate working against a mainframe or to virtualize your physical presence. This application is generally the same as a VPN, which creates a remote network connection rather than a remote control session.
With a remote control connection in place, the local monitor, keyboard, and mouse control a remote system. This process looks and feels like you are physically present at the keyboard of the remote system, which could be located in another city or even on the other side of the world. Every action you perform locally acts as if you were physically present at that remote computer virtually via the remote control connection. The only limitations are the speed of the intermediary network link and the inability to physically insert or remove media and peripherals.
You might think of remote control as a form of software-based thin client or terminal client. In fact, many thin client and terminal client products sell as remote control solutions. Many modern operating systems include remote control features, such as Remote Desktop found in most versions of Windows. Once enabled, a Remote Desktop connection remotely controls another Windows system from across the network.
Remote access is different from remote control. A remote access link enables access to network resources using a WAN link to connect to the geographically distant network. In effect, remote access creates a local network link for a system not physically near the network. Over a remote access connection, a client system can technically perform all the same tasks as a locally connected client. Network administrators can impose restrictions on what resources and services a remote access VPN client can use.
Remote access and VPNs were originally supported over dial-up telephone links using modems. Today, remote access encompasses a variety of connection types including ISDN, DSL, cable modem,
satellite, mobile broadband, and more. Due to the wide availability of high-speed Internet connections, VPNs and other remote access solutions have become very popular for both personal and business purposes.
In many cases, a remote access connection is created from a remote client back to a primary network. If the remote client needs to connect directly to the LAN, such as over a dial-up connection, a RAS server will host a modem to accept the connection. If the remote client can use the Internet to access the LAN, then a local Internet connection is necessary. Once a normal LAN connection or Internet connection runs from the client, the VPN link is possible. Once the connection is established, the remote client can interact with the network as if it were locally connected.
In Figure 3-3, a LAN and a remote client have a connection to the Internet. These two connections are independent of each other. The LAN’s connection is usually a permanent or dedicated connection supporting both inbound and outbound activities with the Internet. The remote client can have a dedicated or non-dedicated connection to the Internet. In the latter case, the connection is established before a VPN can be created. Once both endpoints have a connection to the intermediary network, in this case the Internet, the VPN can be created. In Figure 3-4, a new network connection is established from the remote client to the LAN across the intermediary network. This new network connection is the VPN.
VPNs can operate over standard Internet connections or dedicated business communication circuits, such as ATM and Frame Relay. However, the additional expense of a dedicated, isolated, and even secured business circuit isn’t necessary with a VPN. A VPN can operate securely over the Internet and still provide high levels of security through solid encryption. This allows inexpensive insecure links to replace expensive business-leased lines without sacrificing security.
FIGURE 3-3
A corporate LAN and a remote client with Internet connections.
FIGURE 3-4
A VPN established between a remote client and a LAN over the Internet.
VPNs are one of the most efficient and cost-effective means to provide secure remote connectivity. VPNs take advantage of cheap long distance connections when established over the Internet, since both endpoints need only a local Internet link. The Internet itself serves as a “free” long distance carrier. Because the speed of the VPN depends on the speed of the local Internet link, you still might want an optical carrier (OC) line (such as an OC-1 at 51.84 Mbps) for high-speed connectivity.
Connections from a LAN to an intermediary network can support VPN traffic only or allow a combination of both VPN and normal non-VPN traffic. The latter configuration is less secure, but offers you flexibility as to whether all communications must be VPN-secured or not. An Internet connection reserved solely for VPN use, therefore, is not necessary. An OC-1 line is more than capable of supporting one or more VPN links in addition to numerous non-VPN Internet sessions with no difficulty or latency.
Setting up VPNs can require extensive knowledge and expertise on the part of the IT or security administrator. For example, some important concerns of secure VPNs include:
All VPN traffic must be authenticated and encrypted. A VPN without authentication is not private, and a VPN without encryption is insecure.
All VPN endpoints must abide by the same security parameters and algorithms. Each VPN tunnel must have corresponding encryption key sets to securely exchange encrypted content. Additionally, the same security policy should govern all endpoints.
Proper encryption protocols must ensure that no external third party can affect the security of the VPN. Weak encryption makes a “secure” VPN worthless.
When you use a trusted VPN, you need to consider its own unique concerns:
Only the trusted VPN provider should be able to modify the channels or pathway of the VPN. A trusted VPN is based on the provider’s ability to limit and control access to the VPN’s content.
Only the trusted VPN provider can add, remove, or change data in the trusted channel. Violating this violates the trust the client places in the provider.
The addressing and routing performed within the trusted VPN must be defined before the VPN goes online. These services are usually pre-defined in the SLA (service level agreement), but may be dynamically modified for each VPN connection.
Even hybrid VPNs have an important focus for concern, namely that the segments of the VPN that are trusted versus secured need clear definition. Mistaking security for trust—or vice versa—can have devastating results.
VPNs use tunneling or encapsulation protocols. Tunneling protocols encase the original network protocol so that it can traverse the intermediary network. In many cases, the tunneling protocol employs encryption so that the original data traverses the intermediary network securely. The protocols that create VPNs include IPSec, PPTP, L2TP, SSL, and TLS. The dominant forms of secure VPNs use IPSec or SSL/TLS as the tunneling/encapsulation protocol.
Most VPNs use software that operates on top of the operating system of a host. However, some VPN appliances can support VPN connectivity without adding any software to the host. In much the same way that a host firewall works only on the host where it is installed, an appliance firewall provides security services for the entire network. A host VPN software product allows a single host access to VPN services, while a VPN appliance allows an entire network to access VPN services.
VPNs simplify many business networking problems by providing an easy and efficient means to securely connect headquarters, remote offices, traveling workers, and telecommuters.
What Are the Benefits of Deploying a VPN?
The reasons to deploy and use VPNs vary greatly among organizations. Many of the obvious reasons are based on the benefits of a VPN. Nevertheless, other reasons are based on business or personal factors needing the solutions VPNs readily provide.
Cost is always a significant factor in any business decision. Budgets are never unlimited, so organizations must shepherd their limited funds to accomplish their missions and goals. One common goal is high productivity. Granting workers the ability to access and use resources in a timely and efficient manner assists in the completion of work. When those resources are computer files or network services, employees no longer need to be in the same building as those resources. Remote access to resources, therefore, is becoming more common than ever.
Secure remote access is essential. As the proliferation of access and connectivity spreads from work to home to portable/mobile devices, access to the Internet and private LANs is becoming ubiquitous. Companies must use security controls on resource access or suffer the consequences of insecure access methods. With the removal of physical limitations for access comes the loss of control over where and how workers connect back into the private LAN.
Workers connect into the company LAN from mobile phones, through Internet cafés, over hotel networks, and at random Wi-Fi hotspots. Many use personally owned laptop computers and hand-held mobile devices rather than officially issued company systems. All of these are outside the control of the company’s IT and security department. The only option is to limit LAN connections to those that can be secured. Thus, VPNs have become a necessity in the brave new mobile and interconnected world.
VPNs support remote access from a wide variety of complex devices, reduce risk caused by insecure access locations, and enable interaction with all LAN resources. Furthermore, flexibility, scalability, ease of administration, reliability, and more make VPNs an obvious choice in the face of modern connectivity risks and challenges.
FIGURE 3-5
A corporate network using dedicated leased lines versus using VPNs over the Internet.
Does every worker and every organization need VPNs and remote access? No. For many work situations, VPNs are not the correct solution. These include any form of work that requires special tools, physical access to equipment, or close supervision by managers.
Remote access, mobile connectivity, and secured communications are solid reasons to deploy and use a VPN. But are these the only positive aspects of a VPN?
The most often touted benefit of VPNs is cost savings. They are a great way to save on long distance charges for telecommuters and traveling workers. They also create huge savings for businesses that would need only local Internet links for a VPN rather than a dedicated leased line between each location (Figure 3-5). The farther away each business location is and the more locations a company has, the more of a cost savings a VPN can generate.
Additionally, to truly compare the connectivity that a VPN offers to dedicated leased lines, you need a full mesh of leased lines. A full mesh requires a line between each business location. This allows for direct communication between one site and another. Since a VPN across the Internet would provide the equivalent site-to-site communication capabilities, only a mesh network of dedicated leased lines can truly compare. This solution is obviously very expensive compared to a VPN’s significant cost savings.
As corporations seek to reduce IT infrastructure costs, a common technique is to allow employees to telecommute. Telecommuting allows workers to access corporate resources whether the employee works from home, while traveling, or while on site with a customer. In the past, telecommuting clearly implied the use of dial-up connections to connect with the company LAN.
With the proliferation of high-speed broadband connections and Wi-Fi, telecommuting has become more plausible and realistic. Through the use of VPNs, telecommuting enables a true remote office rather than just a file exchange and communication system. VPNs make telecommuting not only possible, but also practical and secure. VPNs make expanding the workforce no longer a geographically limited proposition.
Extranets are often deployed as businesses establish new partnerships or seek more interaction
with suppliers, distributors, and other external entities. Extranets are border networks, similar to a DMZ, where resources are hosted for access by external entities. However, unlike a DMZ, an extranet is not open for public use. Only a limited and specific set of users is allowed to connect into an extranet. Often, this limitation means that a specific VPN configuration is necessary to access the extranet’s resources. With VPNs, extranets are both possible and practical.
VPNs allow system administrators to remotely manage and control a network. VPNs allow employees to work from anywhere. VPNs allow friends to create WAN links to support multiplayer games. VPNs allow technical support to remotely repair client systems. A VPN is the solution anytime a network connection is needed between two systems or two networks, but installing a direct cable connection is unfeasible.
Often, the real benefits of a VPN are not from the VPN itself, but from all the new possibilities for work, research, learning, and play feasible because of a VPN. These benefits include:
Reduced equipment costs Unlimited geographic connectivity Increased flexibility and versatility of worker location Improved privacy and confidentiality due to strong encryption Verified transmission integrity Fully scalable global infrastructure and architecture Rapid deployment options Flexible integration with existing networks and technologies Faster return on investment (ROI) than traditional WAN infrastructures Reduced dependence on long-distance carrier solutions Reduced support burden as ISP
Individuals and organizations that use VPNs and integrate them in new and unique ways are sure to reap additional benefits. History shows us that as new means of communication are created, they often change and are used in ways that were unpredictable at the beginning of their adoption. However, VPNs are not perfect, and some very real and challenging issues limit the use of VPNs.
What Are the Limitations of a VPN?
While the use of VPNs has many benefits, you need to evaluate the very real and distinct limitations before you put a VPN in place.
Although a VPN connection offers flexible secure communication options, it does not ensure quality of service. A VPN link is dependent upon the stability, throughput, and availability of the ISP connection as well as the intervening network connections between endpoints. VPNs over the Internet can easily suffer from latency, fragmentation, traffic congestion, and dropped packets. This also results in a lack of dedicated bandwidth between business sites because of the volatility of the Internet.
technical TIP Encrypted traffic does not compress. Compression reduces the size of a data set, removing redundancies or repeated sections within the data set. Properly encrypted data produces ciphertext that does not contain redundancies or recognizable patterns. If ciphertext did have these characteristics, it would not be as secure. Thus, without these redundancies, it’s not possible to compress encrypted data.
While VPNs are excellent solutions over nearly every broadband connection option, a VPN can be difficult to maintain over dial-up. VPN traffic is encrypted, and encrypted traffic does not compress. Most dial-up modem connections rely on compression—mainly hardware compression— to improve connection speed. When compression is not possible, a significant and noticeable speed reduction occurs. Additionally, VPN tunnel management can impose a significant increase in management overhead because of changes in protocol headers, potential authentication latency, and a prolonged connection establishment negotiation.
Another area of concern is the minor risk or potential of data exposure while in transit over the Internet. This is only a real concern if the VPN does not use encryption, uses poor encryption, or configures the encryption improperly. Proper security management will eliminate this as a serious concern.
Vulnerabilities exist at VPN endpoints. With a VPN, side attacks against the encrypted link are nearly eliminated. However, data entering or leaving the VPN is at risk. An end-user computer could be infected by malicious code that can traverse the VPN link into the company LAN. Also, private and confidential data from the company LAN can be copied across the VPN link to the end-user computer. On this computer, that data is less secure and subject to a wider range of threats.
You should also consider the increased difficulty in providing technical support remotely. This is especially true when the remote connection itself is not functioning. In addition, it’s more difficult to keep remote systems in compliance with security settings, conduct training, allow supervisory oversight, enable HR management, and monitor user activities.
Not every person is a good candidate for a remote user. Those who are easily distracted, who are not motivated, or whose home environment is not conducive to work are prime examples of those who should stay in the office rather than work from home.
technical TIP The latest generation of traditional telephone modems is often rated with a speed of 56 Kbps. Most of that speed is the result of hardware compression. Without compression, most modem speeds are significantly slower—24 Kbps or less.
An even larger concern is granting open or blanket unrestricted network-resource access to those connecting via VPN. You must enforce stronger authentication and authorization limitations on VPN users, especially on VPN telecommuters. Remote users should have access only to those resources necessary for their current tasks. Unlimited access to network resources can quickly result in exploitation and confidential data leakage if the remote user or the remote computer is compromised.
If you understand these limitations and address them properly, you can help to avoid catastrophic mistakes when correctly installing and productively using VPNs. One of the primary tools to accomplish this is the VPN policy.
What Are Effective VPN Policies? Effective VPN policies are those that clearly define security restrictions imposed on VPNs that align with the overall IT mission and goals of your organization. VPNs can offer numerous exciting possibilities of mobility and interconnection. However, VPNs can also be a risk to the confidentiality and stability of your organization’s infrastructure.
Like all security policies, your VPN policy should derive from a thorough risk assessment and analysis. Without fully understanding the assets, processes, threats, and risks of VPNs, you can’t effectively use or manage them.
Developing your VPN security policy is not a simple or straightforward task. You need to plan for time and effort to address a wide variety of issues and concerns. Some of the aspects of design and planning of a VPN policy include (but are not limited to):
Considering the benefits and drawbacks of software and hardware VPN solutions Imposing stringent multifactor authentication on all VPN connections Implementing strong access control (authorization) restrictions on all VPN connections Defining how the VPN will be managed, through what interfaces, and by whom Exploring the complexities of patch management over VPN Defining the mechanisms of providing remote technical support for VPN telecommuters Enabling detailed auditing on all activities occurring across or through a VPN Defining distinct qualifications on granting user access to telecommuting VPNs Prescribing the user training requirements for all VPN activities
VPN Deployment Models and Architecture One of the first decisions you face when deploying a VPN is, which device will serve as the termination point of the secured tunnel? You have several options, but often the decision rests on where in the network infrastructure you want to position the tunnel endpoint. Additionally, the features the VPN device provides may be a factor in the decision.
Such factors include deciding which devices have sufficient processing power to maintain wirespeed even with heavy traffic and complex encryption. Another concern is whether NAT is present, as this can impose problems for tunnel mode encryption.
The three primary VPN device models are edge router, corporate firewall, and VPN appliance. In addition to the selection of the VPN device, you have several architectural decisions to make. These focus on the intended purpose, function, or use of the VPN, such as remote access, host-to-host, site-to-site, and extranet access.
Edge Router With edge routers as the VPN termination point, the VPN link exists only over the public intermediary networks, not within the private LAN(s). This does require that the edge router support VPN connectivity.
Edge router VPN termination ensures that a firewall can filter the traffic exiting the VPN on its way into the LAN. This method ensures that all traffic, regardless of transportation means, complies with the firewall’s filtering rules. If the VPN terminates inside the firewall, then traffic from the VPN could potentially violate security because it was not firewall-inspected.
VPN termination on edge routers is best suited for controlled access into the DMZ. Such a configuration grants business partners easy access to the DMZ without exposing their traffic to the Internet or granting them unnecessary access to the private LAN.
Corporate Firewall Terminating the VPN at the corporate firewall is possible if the firewall supports VPN services. Not all firewalls provide this service, so this depends on your choice of make and model of the firewall product. With a firewall-to-firewall VPN across the public network, users from one network LAN can access resources in another network LAN without additional complexities. Primarily, this configuration treats the VPN link between the firewall endpoints as just another route in the LAN (actually WAN). The benefit here is that users don’t need to re-authenticate or abide by additional firewall restrictions when the VPN terminates at the corporate firewall.
Corporate firewall termination of the VPN means that the traffic entering or leaving the VPN does not pass through the filtering restrictions of the firewall. Instead, the firewall simply serves as a tethering point for the VPN tunnel endpoint. Any traffic not associated with the VPN, however, is subject to firewall investigation.
This configuration has a potential limitation. As the number of VPN links or the traffic load of the VPNs increases, the resulting increase in cryptographic computations could interfere with the firewall’s wirespeed filtering performance. In this case, perform a trend analysis to monitor for this condition and improve firewall performance before a bottleneck occurs.
VPN Appliance A third device option is a dedicated VPN appliance. Unlike an edge router or firewall termination point, a dedicated VPN appliance specifically handles the load of a VPN instead of VPN support being an add-on service.
You can position a VPN appliance outside the corporate firewall, in a similar location to an edge router, so that all VPN traffic passes through firewall filters. A VPN appliance can also reside inside
the corporate firewalls to prevent firewall filtration. This deployment is similar to the corporate firewall concept, at least in terms of not filtering VPN traffic. This second deployment method also ensures that no external entity can interfere with the endpoints of the VPN tunnel.
FIGURE 3-6
A VPN used to connect a single LAN with remote mobile users.
These techniques are useful when corporate firewalls already exist that do not support the VPN technology or architecture you want. So rather than replacing the firewalls, you install an additional dedicated VPN appliance.
Remote Access The first VPN architecture is basic remote access (Figure 3-6). Remote access VPN is also known as host-to-site VPN since it supports single-host VPN connections into a LAN site. This design grants individual telecommuters or traveling workers easy access into the private LAN. A single LAN can support several remote users with any of the VPN endpoint concepts: edge router, corporate firewall, or VPN appliance.
Site-to-Site A second VPN architecture is site-to-site (Figure 3-7). Site-to-site VPNs are also known as LAN- to-LAN VPNs or WAN VPN connections between LANs. Regardless of the name, a site-to-site VPN supports secure connections between LANs over intermediary public networks. When you install it properly, a site-to-site VPN can be an inexpensive mechanism to create a single distributed LAN (also known as a WAN) for a multi-location organization. A site-to-site VPN uses any of the VPN
endpoint concepts: edge router, corporate firewall, or VPN appliance.
FIGURE 3-7
A VPN used to connect multiple LANs.
A slight variation on the site-to-site VPN is the site-to-site VPN with remote mobile users. This is a combination of the site-to-site VPN concept with remote access VPNs (Figure 3-8). The benefit of this architecture is the ability to add new employees with secure connections to the LAN without needing additional corporate facilities to provide on-site workspaces.
FIGURE 3-8
A VPN used to connect a multiple LANs with remote mobile users.
Host-to-Host A third VPN architecture is host-to-host. Host-to-host VPNs are also known as client-to-server, remote-to-office, or remote-to-home VPNs. A host-to-host VPN is a direct VPN connection between one host and another. This mechanism operates over a public network or within a private network. Over a public network, a host-to-host VPN provides a connection that is secure from the public. Over a private network, it provides an additional level of security for mission-critical or highly sensitive transactions.
Host-to-host VPNs labeled as client-to-server VPNs create secure client interaction with the services of a resource host. This is similar to, but not exactly the same as, a secure Web link between a Web browser and a Web server. SSL can be used for application protocol security, as it is with secure Web sessions, or as a VPN protocol. As a VPN protocol, SSL operates at the Network Layer; as a Web session security tool, it operates at the top of the Transport Layer.
A remote-to-office VPN is a direct link between a portable or home system and an office workstation. This VPN link allows a user to work from home or while traveling without sacrificing access to resources, services, or applications that might only be installed (or licensed) for use on the office workstation computer. This VPN can establish a remote control session as commonly as a remote access session.
A remote-to-home VPN connects a work computer or a portable computer back to a home system, effectively the opposite configuration of the remote-to-office. The remote-to-home VPN grants you access to a home computer while you are away from the house.
The host-to-host VPN variations usually depend on software VPN solutions native to the operating system or third-party applications installed on the host. However, some VPN appliances are adaptable to these simpler host-to-host connectivity architectures.
Extranet Access A fourth VPN architecture is extranet access. With a VPN tunnel endpoint positioned at or inside the perimeter of an extranet, this option serves as a pathway for business partners, distributors, suppliers, and so forth to gain access to corporate resources without exposing their traffic to the Internet or granting them unnecessary access to the private LAN.
Additionally, a VPN linked into the extranet, as opposed to the DMZ, provides greater security to the remote entities. A VPN link to the DMZ exposes the remote entities to any threats found in the DMZ. Since the DMZ is publicly accessible, it’s risky. An extranet VPN grants the remote entity secure communications without significant risks at the VPN termination point.
VPNs commonly serve as a choke point to control which external entities have access to the extranet. Only those granted specific access, assigned user accounts, and provided configuration details are able to configure and establish a VPN link with an extranet.
Tunnel Versus Transport Mode VPNs can use two main types of encapsulation encryption. These are known as tunnel mode and transport mode encryption.
Tunnel mode encryption protects the entire original IP packet’s header and payload. This encrypted packet becomes the payload of a new IP packet with a new IP header. This form of encryption ensures that the identities of the original endpoints of the communication are kept confidential while the traffic traverses the secured link. Tunnel mode encryption is commonly used by VPNs linking network sites together or providing secure remote access.
Transport mode encryption protects only the original IP packet’s payload. The encrypted payload retains its original IP header. This form of encryption protects only the payload, not the identities of the endpoints. Transport mode encryption helps VPNs link individual computers together.
The Relationship Between Encryption and VPNs
Encryption and a secure VPN are virtually inseparable. A secure VPN exists only because its traffic is encrypted. But some trusted VPNs may or may not use encryption. To fully understand and appreciate the operations of VPNs, you need a reasonable understanding of encryption.
Encryption is just one aspect of the larger topic of cryptography. Cryptography is the art and science of hiding information from unauthorized third parties. Cryptography occurs through a complementary and reversible process: encryption and decryption. Encryption is the process of converting original usable form data, called plaintext, into an unusable chaotic form, called ciphertext. Decryption is the process of converting ciphertext back into plaintext. A real-world communication product must provide both encryption and decryption.
Modern cryptography is based on algorithms. An algorithm is a set of rules and procedures, usually mathematical in nature, that define how the encryption and decryption processes operate. Algorithms are often very complex. Many algorithms are publicly known and anyone can investigate and analyze the strengths and weaknesses of an algorithm.
technical TIP Less than 10 years ago, 64 bits was considered strong encryption. Today, 128 bits is the smallest symmetric key length that can be considered strong. Is a key of twice the size of the previous key length stronger? Actually, while a 128-bit key is twice as long as a 64-bit key in that it has twice as many digits, the former creates a keyspace much more than twice the size of the latter. Every time an additional bit is added to a key length binary number, it doubles the size of the possible keyspace. A 128-bit key creates a keyspace that is doubled 64 times that of a 64-bit key. That is 2^64 or 1.8 × 10^19 times as large as that of a 64-bit keyspace.
Encryption algorithms use a key. The key is a unique and secret number that controls the encryption and decryption processes performed by the algorithm. A key is a very large binary number measured or defined in terms of its bit length. The bit length of the key is the number of binary digits that compose the key. For example, a key of 128 bits is 128 binary digits long.
The bit length of an algorithm’s key defines that algorithm’s keyspace. The keyspace is the range of keys that are valid for use for that specific algorithm. Any key created using the specific number of binary digits of the key length is part of that algorithm’s keyspace. This keyspace includes every number between a key of all zeros to a key of all ones (remember this is binary code with only ones and zeros as digits). This means that 2^128 number of keys are available to an algorithm with a key length of 128 bits. 2^128 in decimal is over 3.4 × 10^38.
Three main types of algorithms operate within the realm of cryptography: symmetric, asymmetric, and hashing.
Symmetric Cryptography Symmetric cryptography is based on algorithms that use a single, shared secret key. A common way to remember the type of key used by symmetric is to remember a synonym for symmetric: same. The same key must encrypt and decrypt data and the same key must be shared with all communication partners of the same session.
Symmetric cryptography is very fast in comparison to asymmetric cryptography, typically 10,000 times as fast with similar key length and message size. Generally, the longer the length of a symmetric key, the stronger the encryption produced. Most algorithms have one or only a few key length options, so picking an algorithm with a longer key often ensures stronger encryption. Keys shorter than 128 bits are considered weak, keys of 128 to 256 bits are considered strong, and keys longer than 256 bits are considered very strong. That’s why when you select a symmetric cryptography product, you should only use solutions employing 128-bit or longer keys.
Selecting a strong algorithm is more involved than just key length; you also need to consider other issues, such as use of random numbers, use of the avalanche effect, and resistance to reverse engineering attacks. Most weak algorithms do not survive long once released to the public, so most consumers do not need to focus as much on the details of the algorithm as to look for algorithms that support longer keys. The general rule (which does gloss over some of the details) is that longer keys are better. For more information on cryptography, selection of algorithms, and the internal workings of algorithms, please consult Schneier’s Cryptography Classics Library or Introduction to Modern Cryptography.
NOTE Hypothetical communication partners Bob and Alice are commonly used to describe and discuss the functions of cryptography.
FIGURE 3-9
The symmetric cryptography process.
Symmetric cryptography works as follows (Figure 3-9):
1. Bob and Alice exchange a symmetric key (K1). (This process is normally performed by an asymmetric process or out of band communication.)
2. Bob encrypts a message with the shared symmetric key. 3. Bob transmits the message to Alice. 4. Alice decrypts the message using the shared symmetric key.
The security service provided by symmetric cryptography is confidentiality. Symmetric encryption, with a reasonably long key, prevents unauthorized third parties from accessing or viewing the contents of communications or stored data files. Symmetric cryptography protects files on storage devices, as well as data in transit. In fact, due to its strength and efficiency, symmetric cryptography is the preferred method to secure data in storage or in transit of any size.
Some examples of symmetric cryptography algorithms or systems include DES, 3DES, AES, CAST, RC4, RC5, RC6, RC7, IDEA, Twofish, and Blowfish.
VPN solutions employ symmetric cryptography to protect communications in transit. This protection prevents unauthorized eavesdropping or midstream modifications.
Asymmetric Cryptography Asymmetric cryptography is based on algorithms that use either key pairs or some other special mathematical mechanism. Asymmetric cryptography that uses key pairs is commonly known as public key cryptography. All public key cryptography is asymmetric, but some asymmetric algorithms are not public key algorithms. A common way to remember the types of keys or non-keys that are used by asymmetric cryptography is to remember a synonym for asymmetric: different. Different keys are used for different purposes, different keys are used by different members of the communication session, and some systems use something different from keys altogether.
technical TIP Keep in mind that an average 2,048-bit asymmetric key is not just 8 times as long as a very strong 256 symmetric key; in fact, it has a keyspace that is doubled 1,792 times that of the keyspace of a 256-bit key, an astronomically large number: 2^1,792 or 2.79 × 10^539 times that of a 256-bit keyspace. Numbers of this size are very hard to manage, much less run through complex mathematical computations.
Asymmetric cryptography is very slow in comparison to symmetric cryptography. This is due to the complexity of the math used by these algorithms, as well as the length of asymmetric keys (when there are keys). Public key cryptography uses keys that are 1,024 to 8,192 bits long (and sometimes longer).
Asymmetric cryptography also uses math based on a concept known as one-way functions. A one- way function is a mathematical operation performed in one direction relatively easily, but impossible or nearly so to reverse. This type of math was formalized into cryptographic algorithms only in the late 1970s.
Asymmetric cryptography, therefore, is slow in comparison to symmetric due to its extremely long keys and its extraordinarily complex mathematical functions. Thus, asymmetric is generally not suitable for encrypting bulk data for storage or transmission; instead, this type of encrypting is best suited for identity proofing and key exchange.
The protections provided by asymmetric cryptography are authenticity and nonrepudiation. Authenticity is a term used to convey the combination of authentication and access control. Based on usage, especially with public key cryptography, asymmetric solutions can prove the identity of the source of a message (authentication) or control the destination or receiver of a message (access control). Additionally, when used properly, asymmetric cryptography may provide proof that a sender sent a message and prevent that sender from being able to credibly deny sending it. This is known as nonrepudiation.
Public key cryptography, a subset of asymmetric cryptography, is based on key pairs. Each participant in a communication or community has a discrete key pair set. The key pair set consists of a private key and a public key. The private key is kept secure and private at all times. The public key is put out for open public access and use. The key pairs work together as opposites. The encryption or encoding that one of the keys performs can only be undone by the opposite key of the pair.
One mechanism afforded by asymmetric cryptography is a digital envelope. It works as follows (Figure 3-10):
FIGURE 3-10
The asymmetric cryptography process of digital envelope.
1. Bob obtains Alice’s public key. 2. Bob encodes a message with Alice’s public key. 3. Bob sends the message to Alice. 4. Alice decodes the message using her private key.
The encoded message is readable only by Alice, who has the corresponding private key. A digital envelope ensures that the message is accessible only by the intended recipient, namely the owner of the corresponding private key. The mechanism of digital envelope exchanges symmetric keys between communication partners. In this mechanism, one side of the conversation performs key generation, and then exchanges that key securely. This is the mechanism VPNs use to exchange keys securely.
Another mechanism afforded by asymmetric cryptography is a digital signature. A digital signature proves the identity of the sender. It works as follows (Figure 3-11):
1. Alice uses her private key to encode a message. 2. Alice sends the encoded message to Bob. 3. Bob accesses Alice’s public key. 4. Bob uses Alice’s public key to unlock the encoding.
This process proves to Bob that the message came from Alice. This is authenticity. A digital signature does not prevent others from viewing the message or confirming the source of the message. A digital signature is not encryption; it does not provide confidentiality protection. VPNs use digital signatures, but they usually employ the version that uses hashing as part of the process (see the next example).
FIGURE 3-11
The asymmetric cryptography process of digital signature.
This mechanism of digital signatures improves through the addition of hashing. (Hashing is described in more detail in the next section.) A digital signature using hashing is a bit more complex, and uses the following procedure (Figure 3-12):
1. Alice computes the hash value of a message. 2. Alice encodes the hash value with her private key. This encoded hash is the digital
signature. 3. Alice adds the encoded hash to the message. 4. Alice transmits the message. 5. Bob strips off Alice’s digital signature. 6. Bob hashes the original message to compute its hash. 7. Bob obtains Alice’s public key. 8. Bob decodes Alice’s digital signature to reveal Alice’s original hash. 9. Bob compares Alice’s original hash to the hash Bob calculated.
If the hashes are the same, Bob accepts the message as retaining its integrity. This has also proved that the message was from Alice (authenticity). Furthermore, this process ensures that Alice cannot deny having sent it (nonrepudiation). VPNs commonly employ this form of digital signature to prove the identity of the endpoints and confirm the integrity of transmissions.
FIGURE 3-12
The asymmetric encryption process of digital signature with hashing.
Some examples of asymmetric cryptography algorithms or systems that are not public key cryptography are Diffie-Hellmann, El Gamal, and elliptical curve cryptography (ECC). The most common example of an asymmetric cryptography algorithm or system that is public key cryptography is Rivest-Shamir-Adleman (RSA).
VPN solutions employ asymmetric cryptography to secure symmetric key exchange (via digital envelopes), authenticate VPN link endpoints or users (via digital signatures), and, when used in conjunction with hashing, verify source and integrity of transmitted messages (also digital signatures).
Hashing Hashing is the cryptographic function that takes the input of a file or message and creates a fixed length output. The input can be of any size, but the output is a fixed length based on the hashing algorithm used. Hashing does not modify or alter the original data in any way; it simply uses the original data to generate a hash value as a new data item. Common hash value output lengths include 128 bits (such as those produced by MD5), 160 bits (such as those produced by SHA-1), and even 512 bits or more (such as those produced by various members of the SHA-2 family).
The output of a hash algorithm can be called a hash, a hash value, a message digest, a message authenticating code, a fingerprint, a digital value, or a checksum.
Hashing checks integrity. Hashing computes a hash value upon storage or transmission of a file or message, then computes another hash value at the end of the storage period or upon receipt of the transmission. If the before and after hash values are the same, then the message has retained its integrity. If the before and after hash values are different, then the message has lost its integrity and is no longer trustworthy or usable.
Hashing verifies integrity based on the complex mathematical functions used in the hashing algorithm itself. A central component or feature of these functions is the avalanche effect. This effect ensures that small changes in the input data produce large changes in the outputted hash value. A single binary digit change in a file should produce a clearly recognizable difference in the resultant hash value.
Hashes are a one-way function. A hash value cannot be reversed directly back into the original data file from which it was calculated. Thus, if an attack obtains a hash value, the data is not at significant risk of being extracted from the hash.
Some examples of hashing algorithms or systems include MD5, HAVAL, SHA-1, and the SHA-2 variants (SHA-256, SHA-384, SHA-512, etc.).
VPNs employ hashing, often as part of digital signatures, as a method to confirm that transmitted data has retained its integrity. Any mismatching of hash values discards the received data and requests a retransmission. This ensures that either end of a VPN connection accepts only fully valid and true data.
Establishing VPN Connections with Cryptography Now that you know about symmetric cryptography, asymmetric cryptography, and hashing, let’s take a look at the overall process VPNs use to provide secure communications. A basic VPN setup process occurs as follows:
1. Bob computes the hash from a message (Figure 3-13). 2. Bob encodes the hash using his private key to create a digital signature. 3. Bob generates a random symmetric key (K1).
4. Bob uses K1 to encrypt the message. 5. Bob obtains Alice’s public key. 6. Bob encodes K1 with Alice’s public key to create a digital envelope. 7. Bob sends the digital signature, the encrypted message, and the digital envelope to Alice. 8. Alice uses her private key to decode the digital envelope to reveal K1 (Figure 3-14). 9. Alice uses K1 to decrypt the message. 10. Alice computes the hash of the message. 11. Alice obtains Bob’s public key. 12. Alice decodes the digital signature with Bob’s public key to obtain Bob’s hash value.
Alice compares the pre- and post-hash values. If the hash values are the same, then the message has retained its integrity. Thus, the correct public key decoded the digital signature. Bob’s identity is verified (authenticity and nonrepudiation).
This exchange enables the symmetric key to secure subsequent messages from Bob to Alice or from Alice to Bob (Figure 3-15). Once a VPN has been established between Bob and Alice, an exchanged session key (K1) exists at both endpoints. Using this shared session key, Bob can encrypt messages (envelope #1) to send to Alice and Alice can encrypt messages (envelope #2) to send to Bob (Figure 3-15).
FIGURE 3-13
The overall cryptographic process of establishing a VPN connection (1/3).
FIGURE 3-14
The overall cryptographic process of establishing a VPN connection (2/3).
Variations on this basic VPN session establishment are possible. One variation would be to encrypt both the message and the digital signature with K1. Another variation would have Bob digitally sign K1 with his private key before using Alice’s public key to encode it into a digital envelope.
This initial symmetric key exchange establishes the encryption that will protect all subsequent messages for the current communication session. When this session ends and a new VPN session begins, a new symmetric key will initiate the process. However, as long as the current session lasts, the same symmetric key applies.
FIGURE 3-15
The overall cryptographic process of establishing a VPN connection (3/3).
Reusing a symmetric key poses a slight risk, even for multiple messages in the same session or conversation. To minimize or reduce this risk, some VPNs use rekeying processes. Rekeying discards the current in use key and generates and exchanges a new symmetric key. Rekeying comes in several types:
Time rekeying—Rekeying triggers at a specific time. Idle rekeying (lag or delay)—Rekeying triggers when a specific amount of idle, lag, or delay in the conversation occurs.
Volume rekeying—Rekeying triggers when a specific amount of traffic is transmitted. Random rekeying—Rekeying triggers at random time intervals. Election rekeying—Either member of a VPN session can elect to rekey at any time
If a VPN solution performs mid-session rekeying, you may or may not have an administrative configuration option to manage the rekeying processes. Rekeying may be embedded in the encryption algorithms. One-time pad encryption systems are also possible. A one-time pad system uses a unique and random symmetric key for each segment of a communication. This is a more complex system, but offers greater security. Attempting to crack a multi-random-key encryption scheme is one of the most difficult attacks against encryption known.
NOTE Technically, computers provide pseudo one-time pads, as they are currently unable to produce true random numbers. Instead, a pseudo random number generator (PRNG) is used. A PRNG uses a complex algorithm and the timing chip to produce seemingly random numbers. The result is very good, but not truly random.
Digital Certificates You can increase the reliability of authenticity and nonrepudiation by using digital certificates instead of plain public and private keys. A digital certificate is a public key and private key pair digitally signed by a trusted third party. This third party is a certificate authority (CA). The CA first verifies the identity of the person or company, then crafts and issues the digital certificates.
In addition to improved reliability, certificates also resolve a scalability issue with public key cryptography systems. Without certificates, each system has to manage an ever-expanding library of public keys. With a third-party certificate-based system, each system no longer needs to retain public keys. Instead, they are exchanged at the beginning of each session with the assistance of the CA.
Each host stores only the trusted public keys of the CA. The CA’s public keys are stored in the trusted roots list (TRL). Any certificate issued by a trusted CA is accepted as valid, providing the
certificate has not expired and has not been revoked. The process is similar to the overall cryptographic process to establish a VPN connection. The
primary difference is that instead of a sender’s generic private key, the sender’s digital certificate encodes the message. Then, the recipient uses the CA’s public key to start the unpacking process. The CA’s public key decodes the CA’s private key encoding around the sender’s public key. (This is the sender’s digital certificate.) This confirms the identity of the sender through the CA’s issued digital certificates. Then, the recipient uses the sender’s public key to decode the sender’s private key encoding on the message.
The use of digital certificates adds a few additional steps to the overall process, but this improves the identity verification of the participants in the secured communication. Once a communication session ends, the recipient can discard the sender’s public key. Each time a new session starts, the sender’s public key will be re-exchanged via the digital certificate process. This reduces the burden of public key management and makes any secure communication service, including VPNs, much more scalable.
What Is VPN Authentication?
Authentication is the process of confirming or proving the identity of a user and is of significant importance for VPNs. Since VPNs allow external entities to connect to and interact with a private network (or system), verifying the identity before granting access is paramount. VPN authentication takes place on two levels: connectivity and user.
When a VPN link starts, the hardware and software components at each endpoint must authenticate to establish the connection. Once the communication link begins, the user performs a separate and distinct authentication process. If either of these identity proofs fail, the VPN is severed.
The actual mechanism of authentication used in either case can vary. Options include username and password, smart cards, token devices, digital certificates, and even biometrics. As a rule of thumb, you should avoid username- and password-only solutions and lean toward multifactor authentication options. Password-only authentication is notoriously exploitable and is not reliably secure enough for a VPN.
The VPN services, whether software or hardware, may support authentication directly or indirectly when offloaded to dedicated authentication servers. Offloading can point to any number of widely used authentication, authorization, and accounting (AAA) services or technologies, including RADIUS, TACACS, 802.1x, LDAP, and Active Directory.
When selecting an authentication solution for a VPN, consider the strengths and weaknesses of the authentication factors independently of their VPN integration. If an authentication factor has weaknesses on its own, these are not relieved when used with a VPN.
VPN authentication should be scalable and support interoperability among potential connecting hosts. Don’t use authentication that cannot support more than a few dozen users or hosts. Likewise, using a form of authentication that is available on only one platform or operating system will impose limitations difficult and expensive to resolve later.
VPN Authorization
Authorization is controlling what users are allowed and not allowed to do. Authorization is also known as access control. You must establish clearly defined policies as to what activities will and will not be supported for VPN connections.
An initial concern is defining who is and who is not allowed to establish a VPN connection. By considering VPN a resource rather than just a method of connectivity, clearly not all users should have access to all resources. If VPN connectivity is neither essential to nor conducive of a worker’s assigned tasks and responsibilities, he or she should not be allowed to open or use VPN connections.
Authentication can help enforce this access control issue. Whenever a user account that is not authorized to use VPN attempts to authenticate across a VPN, that attempt should fail. In fact, automatically locking such an account is a reasonable security response. Users should have a clear understanding of whether or not they have been granted the privilege of VPN use. Any access of a non-VPN approved user across a VPN, therefore, is either a sign of a policy-violating employee or an outside intrusion attempt.
In addition to locking down use of the VPN itself, you should restrict access to resources across a VPN, even for authorized users. A VPN does establish a network connection indistinguishable except for speed from a local direct-wired connection, but that does not mean that the same level of authorization is necessary, required, or even recommended.
A stronger application of the principle of least privilege is needed with VPN connectivity. Not all of the tasks and resources employees use when on site are necessarily required for activities they perform remotely. A user should have one level or sphere of access when on site and a different, smaller sphere of access when connecting through a VPN. This, of course, will depend upon the assignments of the worker and the sensitivity of the resources needed to carry out those assignments, but thoroughly consider this issue before granting default or wholesale access.
Mission-critical resources, processes, and information may be at risk if they’re exposed to users connecting over a VPN. Since a remote user’s computer is potentially less secure than workstations on site, the additional risk may be significant. Does a telecommuter or traveling worker actually need access to a specific resource? If not, block access.
Should a remote VPN user be able to transfer sensitive, private, or valuable data to the remote host? This is the risk of information leakage. Once data leaves the LAN, the corporate security infrastructure loses its ability to fully control and protect the information. On a remote host, once the VPN disconnects, the LAN’s security protections disappear. The only remaining security left is on the host and practiced by the user.
Remote access is inappropriate or just impractical for some resources. For example, consider preventing printer access by remote VPN users. Do traveling workers need to print documents they are unable to physically handle? Yes, in some situations, remote printing makes sense. But should you allow every local activity over a VPN just because it’s possible?
Another authorization concern is whether or not to allow Internet communication for VPN users. If local LAN users are able to access the Internet, then technically so can VPN users. But should they? Is this an additional risk or just an additional bandwidth consumption burden?
If VPN users are unable to access the Internet from the LAN through the VPN, can they access the
Internet simultaneously over the same ISP link as their VPN link to the LAN? This configuration is known as a split tunnel. Many organizations see this as a significant risk. This scenario makes it possible for an Internet attack to breach the remote host, and then use the VPN to access the private LAN. This would be a nearly unrestricted pathway between the Internet and the LAN. Most organizations employ VPN connection solutions that prevent simultaneous local VPN and Internet connectivity on remote hosts.
Even with these VPN authentication issues, the overall process of enforcing access control is essentially the same for both local and remote hosts. In most cases, access control is defined on the resource itself, regardless of where the users are. Keep this in mind as you craft policies defining the parameters of VPN management and use.
CHAPTER SUMMARY VPNs are mechanisms to remotely connect LANs and mobile hosts. VPNs save money and offer worker flexibility. VPNs secure communications over public intermediary networks. VPNs should be used whenever infrastructure costs are high or you need mobile access and flexibility. VPNs can’t guarantee quality of service over the Internet or protect against endpoint device/host vulnerabilities. You should deploy VPNs based on thoroughly researched VPN policies.
VPNs offer many advantages, including a wide range of implementation choices. Various devices and software products support VPN connections. VPNs’ endpoints can be inside, on, or outside a firewall. VPNs can support remote access for mobile hosts, create links between individual systems, and support channels between networks. VPNs can employ either tunnel- mode or transport-mode encryption. They can use the same authentication and authorization techniques that you deploy elsewhere for general network security.
KEY CONCEPTS AND TERMS Algorithm Asymmetric cryptography Authentication, authorization, and accounting (AAA) services
Authenticity Avalanche effect Certificate authority (CA) Channel Ciphertext Client-to-server VPN Compression
Corporate firewall Cryptography Decryption Dedicated connection Dedicated leased line Digital certificate Digital envelope Digital signature Distributed LAN Eavesdropping Edge router Extranet VPN Fragmentation Hardware VPN Hash Hash algorithm Hash value Hashing Host-to-host VPN Host-to-site VPN Host VPN Hybrid VPN Identity proofing Intermediary network Key or encryption key Key exchange Key pair Keyspace LAN-to-LAN VPN Leased line Multifactor authentication Non-dedicated connection Nonrepudiation One-time pad One-way function Optical carrier (OC) Out of band
Private branch exchange (PBX) Private key Pseudo random number generator (PRNG) Public key Public key cryptography Public network Rekeying Remote access VPN Remote-to-home VPN Remote-to-office VPN Scalability Secured VPN Site-to-site VPN Software VPN Split tunnel Symmetric cryptography Telecommuting Traffic congestion Trusted third party Trusted VPN Virtual private network (VPN) VPN appliance WAN VPN
CHAPTER 3 ASSESSMENT
1. Which of the following is not a valid example of a VPN? A. A host links to another host over an intermediary network. B. A host connects to a network over an intermediary network. C. A network communicates with another network over an intermediary network. D. A host takes control of another remote host over an intermediary network. E. A mobile device interacts with a network over an intermediary network.
2. Which of the following is not ensured or provided by a secured VPN?
A. Confidentiality B. Quality of service C. Integrity D. Privacy E. Authentication
3. Which of the following techniques make(s) a VPN private? A. A single organization owning all the supporting infrastructure components B. Leasing dedicated WAN channels from a telco C. Encrypting and encapsulating traffic D. Both A and B E. Items A, B, and C
4. What is the primary difference between a VPN connection and a local network connection? A. Speed B. Resource access C. Security D. Access control models E. Authentication factors
5. Which of the following is not a true statement? A. VPN traffic should be authenticated and encrypted. B. VPNs require dedicated leased lines. C. Endpoints of a VPN should abide by the same security policy. D. VPNs perform tunneling and encapsulation. E. VPNs can be implemented with software or hardware solutions.
6. What is a hybrid VPN? A. A VPN with a software endpoint and a hardware endpoint B. A VPN supporting remote connectivity and remote control C. A VPN consisting of trusted and secured segments D. A VPN supporting both symmetric and asymmetric cryptography E. A VPN using both tunneling and encapsulation
7. What is the most commonly mentioned benefit of a VPN? A. Cost savings B. Remote access C. Secure transmissions
D. Split tunnels E. Eavesdropping
8. Which of the following is a limitation or drawback of a VPN? A. Intermediary networks are insecure. B. VPNs are not supported by Linux OSs. C. VPNs are expensive. D. VPNs reduce infrastructure costs. E. Vulnerabilities exist at endpoints.
9. On what is an effective VPN policy based? A. A thorough risk assessment B. Proper patch management C. Business finances D. Flexibility of worker location E. Training
10. What form of VPN deployment prevents VPN traffic from being filtered? A. Edge router B. Extranet VPN C. Corporate firewall D. Appliance VPN E. Host-to-site VPN
11. What form of VPN deployment requires additional authentication for accessing resources across the VPN? A. Site-to-site VPN B. Corporate firewall C. Host-to-site VPN D. Edge router E. Remote access VPN
12. Which of the following is not a name for a VPN between individual systems? A. Client-to-server B. Host-to-host C. Remote-to-home D. Host-to-site E. Remote-to-office
13. Which of the following is the primary distinction between tunnel mode and transport mode VPNs? A. Whether or not it can support network to network links B. Whether or not the payload is encrypted C. Whether or not it can support host-to-host links D. Whether or not the header is encrypted E. Whether or not it supports integrity checking
14. What VPN implementation grants outside entities access to secured resources? A. Edge router VPN B. Corporate firewall VPN C. Site-to-site VPN D. Extranet VPN E. Remote control VPN
15. What form of cryptography encrypts the bulk of data transmitted between VPN endpoints? A. Symmetric B. Hashing C. Public key D. Transport mode E. Asymmetric
16. What components create a digital signature that verifies authenticity and integrity? A. Public key and session key B. Private key and hashing C. Hashing and shared key D. Session key and public key E. Shared key and hashing
17. By what mechanism do VPNs securely exchange session keys between endpoints? A. Digital envelope B. Digital forensics C. Digital encapsulation D. Digital certificate E. Digital signature
18. What are the two most important characteristics of VPN authentication? A. Single factor and replayable
B. Scalable and interoperable C. Transparent and efficient D. Interoperability and single factor E. Replayable and scalable
19. What VPN access control issue can be enforced through VPN authentication? A. Blocking unauthorized VPN users B. Restricting access to the Internet C. Limiting access to files D. Filtering access to network services E. Controlling access to printers
20. When designing the authorization for VPNs and VPN users, what should be the primary security guideline? A. Scalability B. Multifactor C. Distributed trust D. Principle of least privilege E. Grant by default, deny by exception
21. All of the following statements about a host-to-host VPN are true except: A. A host-to-host VPN is commonly supported by the host OS. B. A host-to-host VPN must be implemented with VPN appliances. C. A host-to-host VPN can be interoperable between different OS products. D. A host-to-host VPN usually employs transport mode encryption. E. A host-to-host VPN can be established within a private network.
FIGURE 3-16
The seven domains of a typical IT infrastructure.
22. All of the following are commonly used in supporting a site-to-site VPN except: A. VPN appliance B. Commercial firewall C. Client VPN software D. Edge router E. VPN gateway proxy
23. A VPN used to connect geographically distant users with the private network is located within which domain from the seven domains of a typical IT infrastructure (Figure 3-16)? A. LAN Domain B. User Domain C. System/Application Domain D. Remote Access Domain E. LAN-to-WAN Domain
24. What feature or function in tunnel mode encryption is not supported in transport mode encryption? A. The header is encrypted. B. The payload is encrypted. C. The source address is encrypted, but not the destination address.
D. A footer is added to contain the hash value. E. It provides encryption protection from the source of a conversation to the destination.
25. All of the following statements are true except: A. Encryption ensures VPN traffic remains confidential. B. It is possible to have a private VPN without encryption. C. VPN authentication ensures only valid entities can access the secured connection. D. Authorization over a VPN consists exclusively of granting or denying access to file resources. E. VPN authentication can include multifactor options.
CHAPTER
4 Network Security Threats and Issues
NETWORK SECURITY IS UNDER CONSTANT ATTACK by threats both internal and external, ranging from disgruntled employees to worldwide hackers. There’s no perfect defense because hackers are able to bypass, compromise, or evade almost every safeguard, countermeasure, and security control. Hackers are constantly developing new techniques of attack, writing new exploits, and discovering new vulnerabilities. Network security is a task of constant vigilance, not a project to complete. It’s a job that’s never done.
Why is understanding hacking, exploitation, vulnerabilities, and attacks critically important? As the sixth century B.C. Chinese military strategist and philosopher Sun Tzu stated in his famous military text The Art of War: “If you know the enemy and know yourself you need not fear the results of a hundred battles.” Once you understand how hackers think, the tools they use, their exploits, and their attack techniques, you can then create effective defenses to protect against them. Understanding hacking not only improves network security; it also maintains security at a high level of readiness.
Chapter 4 Topics
This chapter covers the following topics and concepts:
What motivates hackers to attack computer networks
Which assets attackers frequently target
Which internal or external threats networks are vulnerable to
What common IT infrastructure threats are
What the various types of malicious code (malware) are and what the security concerns about them are
What fast growth and overuse are
What wireless and wired connections are
What the risk of eavesdropping is
What a replay attack is and how it is performed
What an insertion attack is
What fragmentation attacks, buffer overflows, and XSS attacks are
What man-in-the-middle, session hijacking, and spoofing attacks are
What covert channels are and how a hacker uses them
What threats to network and resource availability are
How a denial of service (DoS) functions
What a distributed denial of service (DDoS) is
What some common hacker tools are
Who is at risk from social engineering
Chapter 4 Goals
When you complete this chapter, you will be able to:
Describe the motivations of hackers and other malicious computer network intruders
Compare and contrast threats from internal and external sources
Describe how accidents, natural disasters, and ignorance affect network security
Explain the risk posed by malicious code
Express the effects of wired and wireless connectivity on network security
Describe common network security exploits and attacks, including replay attacks, insertion attacks, fragmentation attacks, buffer overflow attacks, XSS attacks, man-in-the-middle attacks, hijacking attacks, spoofing attacks, covert channels, DoS, DDoS, botnet attacks, and social engineering attacks
Demonstrate how hacker tools exploit vulnerable targets
Hacker Motivation
What motivates hackers to attack computer networks? Why does anyone get involved in illicit activity outside the mainstream? The motives are as numerous as there are ways of conducting the computer attacks: Many do it for the sheer thrill of hacking, for the sport of it. Some hackers consider hacking their hobby. Some love a challenge. Some are victims of peer pressure or are seeking social validation. To still others, hacking is a status trip. And finally, many hackers pursue their exploits for power and financial gain. Take a look at some of these motives in more detail to see if you can begin to understand the hacker mentality.
Many criminal hackers are in it simply for the money. There are many ways of gaining financially
from attacking computer networks. These range from theft of credit cards and financial statements to blackmail and black markets. Some monetary gain is immediate. Hackers might be able to transfer funds out of a target account, for example. Other methods are more involved, such as stealing corporate documents and selling them to competitors or hijacking data using encryption and holding it for ransom. Hackers can become involved in selling their services, including distributing spam, eavesdropping, cracking passwords, and generating DoS events.
Demonstrating the ability to compromise a target, especially if the target is reasonably secure, is a way for hackers to prove they are more powerful than the defenders. If you can control something, you have power over it. If a hacker can control your computer remotely, then the hacker has power over your computer, and in some ways has power over you as well. Hackers sometimes hack as an ego boost. If they can wage a successful attack, then they are showing dominance over their target.
For many hackers, it’s an exciting challenge to find new vulnerabilities, develop new attack code, or discover new security breaches. Some hackers attack targets for the same reasons some people climb mountains—because it’s there, because they can, and because they want to beat it. Some hackers continually seek out new, more difficult targets to improve their skills and increase the level of the challenge.
Some hackers enjoy the sheer risk of attacking a network. As with any crime, the risk of being caught is always a possibility. A target network might have honeypots, IDSs, IPSs, firewalls, and other technical defenses that the hacker will need to detect and evade. Security professionals are always looking to discover new attack techniques and learn the identity of hackers. With every attack, therefore, the hacker is at risk of getting caught and prosecuted.
Hacking can be thrilling. Think of the way a treasure hunter on private property feels. The combination of power, challenge, risk, and potential pursuit along with discovering potentially valuable assets is a thrill for some hackers. The thrill of getting away with it motivates many hackers to continue their attacks once they figure out how to successfully hack into a network.
Some hackers have few exciting or engaging aspects of their life and they resort to hacking as an attempt to be entertained or distracted from their boredom. A successful system breach will usually initiate a response, often a cat-and-mouse game that is more entertaining for hackers than anything else they can think of at the moment.
Hackers have peers and social groups just like everyone else. Peer pressure can be a powerful motivator to fit in, show off, or demonstrate loyalty to a group. Peer pressure is often a motivator for those in the lower levels or rankings of hacker communities. New or inexperienced hackers feel encouraged to perform attacks to maintain their membership in their peer group.
Hacking can also be a mechanism to validate someone socially, such as proving a qualification to join a group. Some attacks are performed as an initiation or rite of passage from a potential hacking group member to an actual full member.
Hacking can help the hacker achieve or maintain status. Hackers may be seeking to achieve status in the eyes of hacking peers, in the judgment of other hacking groups, or in the perspective of the world at large. Some hackers try to cause a media story and to get their name in the news. Other hacks are performed to instill fear and compliance in current and future targets.
Hackers perform hacks for many reasons, and this list is likely incomplete. These motivations drive them to do unethical activities. You might or might not completely understand the hacker
mindset. It’s important for you to try, however; the results, regardless of the motivation, can be devastating for companies and individuals alike.
Favorite Targets of Hackers
In terms of security, the things you want to protect are known as assets. An asset is anything used to conduct business over a computer network. Any object, computer, program, piece of data, or other logical or physical component employees need to complete a task is an asset.
Among a hacker’s favorite targets are easy assets—ones that pay off quickly. Easy targets are IT infrastructures and elements not properly secured. Systems with well-known, exploitable holes exposed to the world are “easy pickin’s” for hackers.
Targets that pay off quickly are those that earn the hacker some form of monetary or barter gain. Credit cards and bank accounts can be a solid monetary score. In other cases, gaining access and control of networks, especially those with high-speed Internet links, is valuable. Such a network could be saddled with malicious code that transmits spam, eavesdropping, file exchange, encryption cracking, and so on. The hacker can then trade or sell these services to others.
Some hackers, however, do not seek the easy targets; instead they look for unique targets, new challenges, and complex infrastructures to test and improve their skills. Expert and highly experienced hackers often want to continue to improve their abilities rather than waste their time on targets that any amateur hacker, or script kiddie, could compromise.
What valuable assets do attackers most frequently target? Every hacker is different, just as with any individual member of any subculture. While many agree on what is valuable, such as money and access, others might find corporate finances, secret formulas, medical history, credit reports, court records, accounting logs, and so on preferable as their target of choice. For example, why do some people collect toys while others collect cars, Coke bottles, or pictures of Elvis?
To better understand possible targets hackers might choose, review the seven domains of a typical IT infrastructure (Figure 4-1):
User Domain—Any user, worker, employee, contractor, consultant, or individual can be a target. Social engineering is a hacker attack against people. This type of attack attempts to fool people through clever wording, lying, misdirection, relationship manipulation, fear, psychological tricks, and confidence games. The results of social engineering attacks can include users giving away private information or performing actions on a computer that causes a reduction in network security.
Workstation Domain—The workstation, client, or standalone home system can be a target. These types of hosts are often less secure than LAN servers. This is not on purpose, because most security focuses on core components of the infrastructure, rather than those seemingly on the periphery. Many times the security measures on a workstation are old, out-of-date, or improperly installed and configured.
LAN Domain—The private LAN, from SOHOs to large corporations, is a common target. A LAN often consists of dozens to thousands of hosts. The odds that all individual systems are
highly secure are unlikely. Once a hacker gains access to one system on the network, the rest of the LAN is vulnerable to attack. The compromise of a single host can lead to the compromise of the entire infrastructure.
LAN-to-WAN Domain—The WAN connections between LAN locations, especially those controlled by third-party entities, are targets. Transition interfaces between a private LAN and a WAN connection can be potential weak points. If a compromise is successful against a WAN connection, the malicious traffic inbound across the WAN/LAN interface is unlikely to be filtered.
Remote Access Domain—Remote access is always a popular target of hackers. Remote access removes the need for the hacker to be physically present to access and attack the LAN. Hackers anywhere in the world with an Internet or telephone connection can still reach out to attack any seemingly isolated target. Remote access is an invitation to hackers to try to breach your defenses.
WAN Domain—WAN domains are networks, such as ATMs or Frame Relays, owned by a telco or a carrier network company that leases access to corporations. Often, the privacy of these WAN connections is electronic isolation rather than encryption. Hackers focusing on a specific target may attempt to breach the electronic isolation of the carrier network rather than focusing on the endpoint LANs themselves.
System/Application Domain—Collections of servers hosting applications, virtualized systems, or databases are valuable targets. Sometimes the data hosted is the target. Sometimes the computing power of the servers is the resource the hacker wishes to seize.
FIGURE 4-1
The seven domains of a typical IT infrastructure.
Assets do not have to be expensive, complicated, or large. In fact, many assets are relatively inexpensive, commonplace, and variable in size. For most organizations, including SOHO (small office, home office) environments, the assets of most concern include business and personal data. If this information is lost, damaged, or stolen, serious complications can result. Businesses can fail. Individuals can lose money. Identities can be stolen. Even lives can be ruined.
Valuable resources abound on individual computers as well as on IT infrastructures comprised of interconnected LANs. Hackers seek out targets based on a variety of goals and motivations, as well as perceived value of a resource. But who are the hackers?
Threats from Internal Personnel and External Entities
What violates network security? The answer includes accidents, ignorance, oversight, and hackers. Accidents happen, including hardware failures and natural disasters. Poor training promotes ignorance. Workers with the best of intentions damage systems if they don’t know proper procedures and lack the necessary skills. Overworked and rushed personnel overlook issues that can result in asset compromise or loss. Malicious hackers can launch attacks and exploits against the network, seeking to gain access or just to cause damage.
“Hacking” originally meant tinkering or modifying systems to learn and explore. However, the term has come to refer to malicious and possibly criminal intrusion into and manipulation of computers. In either case, a malicious hacker or criminal hacker is a serious threat. Every network administrator should be concerned about hacking.
While historically two-thirds or more of security violations have been the direct result of outsiders, the balance is changing, and very dramatically. As a result of more automated breaches, more hacking, and increased criminal and terrorist activity, the percentage of “inside” computer crime has shrunk as low as single digits, while even small and medium-sized businesses and small government agencies experience hundreds of thousands or more attacks daily. This has markedly increased the need for trained computer security professionals in organizations of all sizes. According to the Verizon Data Breach Investigations Report (http://www.verizonenterprise.com/DBIR/2012/), 98 percent of data breaches stemmed from external agents.
Hackers are people. Misguided, unethical, ingenious, and criminal, but still people. The major threat to network security is mostly because of human intervention. While designing security, keep in mind that the threat is ultimately and mostly human. This awareness should lead to better selections of deterrent, detection, and response.
Employees and external entities represent differing levels of risk you need to address. An external entity does not start off intrusion attempts with physical or logical access. Initially, the risk from an external attacker is low. Outside attackers must seek out and discover methods of gaining logical or physical access. Without access, hackers must resort to attacking external interfaces such as Web servers, VPN devices, firewalls, and RAS. If these are secure, then their default or fallback position is to wage a DoS attack, attempt a burglary, or perform social engineering against insiders.
FIGURE 4-2
Internal and external hackers.
An on-site employee has physical access to the facility and logical access to the network. An employee may only have a standard or normal user account, but some level of logical access can be parlayed into greater levels of access (known as privilege escalation). Threats from insiders, whether physical or logical, are serious. You must address such threats in your security policy, network design, infrastructure deployment, and ongoing system and security management.
The people who represent the most common threats to an organization’s network security include disgruntled employees, contract workers, recreational hackers, opportunistic hackers, and professional hackers.
Disgruntled employees believe that they have been wronged somehow by the organization. Whether the wrong is real or perceived, their actions can cause severe disruption of mission-critical operations. Disgruntled employees may attempt to embezzle, steal supplies, waste time, deposit malicious code, leak confidential data, interrupt other workers, or derail projects.
Contract workers are outsiders brought in to perform work on a temporary basis. Contract workers can be consultants, temporary workers, seasonal workers, contractors, even day-laborers. Outsiders do not necessarily share the same loyalty to the organization that most full-time employees exhibit. Thus, if the opportunity affords itself to compromise the organization for personal gain, contract workers are more likely to act unethically. Such criminal outsiders don’t worry about long- term stability or viability, or the fate of regular employees. Instead, they take advantage at the expense of others.
Recreational hackers are those who enjoy learning and exploring, especially with computing technology. However, they might make poor choices as to when to use their newfound skills. Bringing in unapproved software from home, experimenting on the company network, or just trying out an exploit to see if it works are all potential actions of recreational hackers. Some hackers might not fully consider that their hobby can be dangerous and their actions are in violation of the company
security policy. Opportunistic hackers are hackers who are timid and not likely to initiate an attack. For whatever
reason, they are unwilling to purposefully plan out and wage intrusions. However, if the circumstance presents itself for an attack that can be easily performed with little potential for discovery or consequence, the opportunistic hacker may take advantage of the fleeting moment. That moment could arrive when someone happens to work late and ends up being the only one left in the building. That moment could be when a fire drill drives everyone else out of the facility. Or it could be when a random power outage occurs and half the workforce leaves for home. That moment could arrive when he or she notices a certain office door is left open and no one else is watching.
Professional hackers are criminals whose sole career objective is to compromise IT infrastructures. Whether operating as individuals, offering mercenary hacking services, or functioning as a member of a criminal ring, professional hackers focus all their time and energy on conducting the best security assault possible. When people spend years learning and practicing in one primary area of interest, they can develop expertise and skills to rival all defenses. The perfect unbreachable security solution does not exist. Professional hackers have the time, stamina, skill, patience, and backing to keep up an assault against a target until they succeed. They are to a network what termites are to a wooden building. You can deter them; you can keep them out most of the time. But they will always be nearby and eager to gnaw into the foundations if you drop your guard for a moment.
These descriptions are not meant to imply that all humans are by nature malicious. Instead, they offer a realistic perspective on who might be an unethical person, where potential human-based compromises exist, and what precautions you should take to protect your organization from both internal and external threats.
The Hacking Process As much as IT professionals dislike the practice, hacking can be a fascinating process. Hackers’ activities often appear chaotic and random, at least when observed from the mainstream IT industry. Hackers don’t have to follow any fixed procedures or recognize any established boundaries. Instead, they are seeking out vulnerabilities on a selected target using any and all means at their disposal. For them, chaos is both a methodology and a defense mechanism.
Generally, hacking falls into five main subgroups of events or activities. This categorization can represent hacking, but does not actually control or prevent hacking. These five categories are (Figure 4-3): reconnaissance, scanning, enumeration, attacking, and post-attack activities. This order of phases occurs if an attack is successful. If an attack is not successful, the hacker can instead attempt a fallback position.
Reconnaissance The initiation of the whole process of hacking is called reconnaissance. Reconnaissance means the act of inspecting or exploring and can also be called footprinting, discovery, research, and information gathering. This phase is the first of three pre-attack phases in which hackers learn as much as possible about a target before attempting the first actual attacks. Reconnaissance consists of collecting data about the target from all possible sources online and offline. The hacker is careful to
avoid tipping off the target that it’s being probed for information.
FIGURE 4-3
Five phases of hacking.
Reconnaissance can include:
Researching old versions of a target organization’s Web site at archive.org Examining search engine contents Reviewing the live Web site Investigating the background of personnel Performing location mapping Reading job postings Checking insider information leak sites Looking at newspaper and magazine articles or mentions Perusing press releases Searching USENET newsgroups, chat archives, blogs, and forums Auditing financial records or reviewing public filings Reviewing court cases and other public records Querying whois, domain registrations, and public IP assignments Eavesdropping on e-mail and other conversations Visiting a physical location
These are just a few of the possible reconnaissance activities a hacker can perform. Information gathering is limited only by the time, resources, and imagination of the hacker. Once the hacker has built and organized a reasonable portfolio of information about the target, the next step is scanning.
Scanning Scanning is the activity of using various tools to confirm information learned during reconnaissance
and to discover new details. Scanning is aimed at discovering live and active systems. Scanning can include wardialing, wardriving, ping sweeps, and port scanning.
Wardialing is an older tactic that uses the telephone system to locate any active and answering modems. Using a modem, a hacker’s computer automatically dials target phone numbers. The hacker obtains phone numbers during reconnaissance or by dialing all the numbers in an area code or prefix.
Wardriving, a term derived from wardialing, is the technique of using a wireless detector to locate wireless networks. Hackers used to drive around cities or neighborhoods with laptop computers to discover wireless networks. Today, driving is not necessary and smartphones detect wireless networks automatically.
Ping sweeps are used to discover systems over network connections that will respond to Internet Control Messaging Protocol (ICMP) echo requests. Hackers commonly use ICMP for network health and testing. The ping command or network mapping utilities send ICMP echo requests to all possible recipients within an IP address range or subnet. ICMP echo responses from system indicate their IP address and that they are up and running.
FIGURE 4-4
Basic TCP and UDP port scanning.
Hackers perform port scanning by sending various constructions of TCP or UDP packets to ports
(Figure 4-4). If the system is not already known to exist, then a port scan can determine the existence of a system at a specific IP address as well as whether a port is open, closed, or filtered. A TCP port is known to be open if a full TCP three-way handshake can establish a virtual circuit. A UDP port cannot be confirmed being open, since the default response from an open port is always silence.
technical TIP Ports exist at the Transport Layer (Layer 4) of the OSI model. TCP and UDP use ports to support multiple simultaneous communications, connections, or sessions over a single Layer 3 IP address. There are 65,535 ports, but most systems can only support a few hundred concurrent transactions.
A port is open if an active service is ready to process data through the specific port. A port is closed if no service is associated with a specific port.
When communications elicit error messages or abnormal responses from a port, a firewall can filter out these responses. This will result in a port being visible for valid and normal communications. A firewall can block any attempt to elicit errors or abnormal responses.
Scanning is the process of sending out probes to elicit responses. When a hacker performs scanning, it’s detectable. Reconnaissance is generally silent, secretive, and unobtrusive. You are also unlikely to detect scanning to verify individual data items, such as a single open or closed port. But when hackers scan to discover all possible IP addresses in use and all possible open and closed ports, it’s very noticeable. Scanning for confirmation is to scanning for discovery as a sniper firing a single bullet is to a Gatling gun destroying a forest. One activity might or might not draw attention, but the other will be hard to ignore.
Hackers perform scanning until they discover one or more targets. Since scanning uncovers only a system and the open ports, hackers learn very little about the targets. Hackers stop scanning and move on to enumeration, the next step toward attacking, whenever they want, based on the purpose of their attacks. Keep in mind that an attacker needs only a single vulnerability to gain access. Once hackers can access one machine, moving on toward attacking it quickly is the most common escalation.
Enumeration The enumeration phase is the third pre-attack phase. Enumeration is the hackers’ process of discovering sufficient details about a potential target to learn whether a vulnerability exists that they can successfully attack. Enumeration often starts with operating system identification, followed by application identification, then extraction of information from discovered services. Enumeration, then, is the discovery and listing of potential attack targets.
Hackers perform OS identification by probing an open and closed port of a target. The responses from these ports identify the OS. This ID is possible because of the idiosyncrasies of different
programmers writing interoperable code. Each OS uses a different group of programmers to write their network protocol stack. Even though the resultant protocol stack may be in compliance with IEEE standards, the defaults and reactions of the stack often differ from one OS to the next. These differences are known and maintained in a small database, which is coded into most network scanning and probing tools, such as nmap.
FIGURE 4-5
A banner grabbed from a Web server.
Each open port has a service running behind it. Banner grabbing is the activity of probing those services to obtain information (Figure 4-5). Once a connection has begun, a service may send an announcement of connection or communication confirmation. This announcement is called the banner. The banner may contain additional details such as the product name and version number of the service.
The information in the banner can be used by a hacker for reconnaissance purposes—to gain the intelligence needed to form the basis of an attack. One method of protection that can be employed at low cost is to change the banner in such a way as to mislead hackers. A little bit of experimentation will allow banners to be created that mislead hackers into using the wrong exploits against the server but still allow the service on the given port to perform its duties. In some cases, banners are not actually used, so they may be greatly shortened; in other cases, advanced features that are not used may be abandoned in a trade-off that results in better security.
Once hackers have identified the service, they can request additional information. The information request may be secure and nothing goes out. But if insecure, the service may return volumes of data to the hacker. Depending upon the service and the queries the hacker performs, the extracted information could include system name, network name, user names, group names, share names, security settings, resources available, access control settings, and more.
Enumeration provides the hacker with identified, potential attack points. After reviewing vulnerability databases, such as MITRE (http://cve.mitre.org) or National Institute of Standards and Technology (NIST) (http://nvd.nist.gov), hackers evaluate the potential vulnerabilities. Once the hacker selects an attack target, he or she collects exploit tools and wages the attack.
One aspect that characterizes modern attacks is the amount of time that passes before the reconnaissance phase and the attack phase. In the past, a matter of minutes may have separated the two, but the more modern attack might go weeks, months, or longer before it is unleashed. Such an attack, the highly targeted advanced persistent threat (APT), will be discussed in more depth later in this chapter.
Attacking Attacking is the fourth phase of hacking. Although this seems to be the phase that attracts most of the hype about hackers, in fact, it’s the briefest phase of the overall hacking process. A successful attack, based on solid research and preparation, can take just seconds.
If an initial attack fails, hackers can modify their exploits, tune their payloads, adjust their shell code, reset their vectors, and relaunch the attack. Once hackers figure out that an assumed vulnerability doesn’t exist or has been secured, they return to their enumeration results to select a new point of assault. Again, think of termites: If they can’t get into the house structure through a doorjamb, they will just as eagerly try to enter through a window sill. They are relentless.
Repeated attacks will either lead to an eventual successful breach or to the frustration of a successful defense by the target. If successful, the attacker moves on to post-attack activities. If unsuccessful, the attacker can elect to move to alternative fallback attacks.
Post-Attack Activities In a successful attack, the hacker usually has breached the target’s security to gain some level of logical access. This could be the credentials of a standard user account or a command shell accessed through a buffer overflow exploit. In any case, some common post-attack activities usually take place. These include privilege escalation, depositing additional hacker tools, pilfering data, and removing evidence.
Privilege escalation is the action of attempting to gain higher levels of access or privilege over the target. This can occur using a keystroke logger, known OS exploits to steal administrator or system access, manipulation of scheduled tasks, social engineering, Trojan horses, remote control programs, and other mechanisms. The result is that the hacker gains access to a user account or a command shell that operates as an administrator, root, or the system itself. With privileged access, the remaining post-attack activities are much easier.
Depositing additional hacker tools gives the hacker more power over the compromised system. Tools may enable additional abilities unavailable through the current connection method. Tools may assist in pilfering data. Tools may also assist in removing evidence. Or tools may assist in maintaining or regaining access in the future.
Pilfering data is just that: scouring storage devices looking for files of interest. Hackers look for anything they can turn into cash immediately. They also look for things that would be fun or interesting to disclose to the public. They look for items they can use to blackmail or coerce users. And, of course, they are on the lookout for potentially valuable information for bartering or trading with other hackers or criminals. Dumping the user account database and password hashes is often a priority as well. Cracking the passwords of other users will help if accessing the system again in the future.
Removing evidence of the compromise and subsequent activities is an important step for the hackers. Failing to cover their tracks could lead to apprehension and prosecution. Allowing the IT and security staff to discover the intrusion will only lead to heightened levels security. Discovery makes future returns more difficult, if not impossible, depending on the hacker’s skill set.
Once the hacker performs evidence cleanup, the attacker can claim to have owned (or pwned, in leetspeak, hackers’ secret code language) a system. The hacker has demonstrated his or her skills
through the discovery, tracking, and penetration of a target. This is often the goal of a hacker: to successfully penetrate a target. However, such successes are not always easy, or common. If the attacks fail, the hacker always has fallback attack options.
Fallback Attacks Fallback attacks are the other options for mayhem a hacker can deploy after unsuccessful breach attempts against a target. Common alternatives to intrusion include DoS, eavesdropping, breaking and entering, social engineering, malicious code, session hijacking, man-in-the-middle attacks, wireless hacking, SQL injection, Web site attacks, and more. The following sections of this chapter discuss these and other attacks.
Common IT Infrastructure Threats
Some important aspects of security stem from understanding the techniques, methods, and motivations of hackers. Once you learn to think like a hacker, you may be able to anticipate future attacks. This enables you to devise new defenses before a hacker can successfully breach your organization’s network.
So how do hackers think? Hackers think about manipulation or change. They look into the rules to create new ways of bending, breaking, or changing them. Many successful security breaches have been little more than slight variations or violations of network communication rules.
Hackers look for easy targets or overlooked vulnerabilities. They seek out targets that provide them the most gain, often financial rewards. Hackers turn things over, inside out, and in the wrong direction. They attempt to perform tasks in different orders, with incorrect values, outside the boundaries, and with a purpose to cause a reaction. Hackers learn from and exploit mistakes and anomalies, especially mistakes of network security professionals who fail to properly protect an organization’s assets.
The more you understand about the various threats and risks to network security, the more defenses you can mount against attacks. Threats to network security include hacker exploits, as well as Mother Nature, device failures, and even normal business activities.
Hardware Failures and Other Physical Threats Network security is not just about protection against hacking. Many other threats face computer systems on an ongoing basis. Computer equipment is complex and sometimes fragile. Hardware failures are the most common cause of unexpected downtime. Most equipment operates well beyond its expected lifetime in normal environments. Some forms of technology, however, are more prone to failure than others.
One of the most commonly discussed causes of unexpected downtime is hard drive failure. A hard drive is one of the few common computer components that has moving parts. While optical drives, tape drives, mice, and keyboards have moving parts, these devices seem to outlast hard drives by a significant margin. Hard drive failure can occur unexpectedly or with reasonable warning. The
warning is usually a grinding, whining, or clicking noise coming from the drive as it begins to fail. These noises are clear signs that the end is near.
The best defense against hard drive failure, as well as hardware failure in general, is to be prepared. Being prepared includes consistent periodic backups, using redundant array of independent disks (RAID), performing general cleaning and maintenance, and having spare parts on hand for the inevitable. Another method to avoid downtime and a loss of availability is to replace equipment before it fails. Most devices have a mean time to failure (MTTF) or mean time between failures (MTBF) that can determine the statistical likelihood of a failure. It is a good practice to replace the device before that period expires. While you will be replacing some devices long before their actual failure, this technique keeps the statistics on your side. Though planned downtime is costly, it is less costly than unplanned downtime.
Another physical threat is heat. Too much heat damages computer equipment. Systems that experience severe temperature cycles, such as very hot to very cold, can have incidents of chip creep or warping and cracking of materials. Chip creep is caused by the expansion and contraction of metal because of temperature changes. Severe temperature cycling can even break soldered connections. The traditional debate about turning computers off at night or over weekends and leaving them in a running state speaks to the effects of these temperature changes. A running computer is at its optimum functioning temperature.
Static electricity discharge (SED) from dry conditions can destroy most circuits. Frayed wires caused by rubbing against sharp metal edges can cause a short circuit. Moisture due to high humidity in the air or liquid spills is always bad for electrical devices. Excessive vibration can be damaging to computer equipment. Vibrations caused by nearby heavy construction or regular passing of trains, subways, and airplanes can cause damage over time. Any obvious physical damage caused by devices falling, being knocked over, having heavy objects dropped on them, and so on can result in broken equipment.
You can eliminate or significantly reduce most physical risks and threats with reasonable precautions and common sense in proper handing, care, and storage of electronic equipment.
One such risk is intentional electromagnetic interference (IEMI), in which an intentional discharge is made that damages or destroys electronic equipment from cell phones and video surveillance to computers and servers. IEMI discharges have been recorded up to two miles away and pose no risk of damage to living creatures. While IEMI and related technologies have been used by the military for years, IEMI is just now becoming a threat to computer security.
One final physical threat is theft. Physical facility protections ensure that an IT infrastructure is not threatened by unauthorized outsiders (or insiders) walking away with storage devices or other critical components.
Natural Disasters Mother Nature is unpredictable and quite powerful. All sorts of serious weather events damage or destroy IT infrastructures. Knowing the types of severe weather common in your area will suggest the correct precautions, such as special insurance, structural reinforcements, lightning protection, surge protectors, bilge pumps, and so on. No matter what the potential disaster, the best protection for data is a reliable regular backup stored in a secured, offsite facility.
Accidents and Intentional Concerns Accidents happen. Whenever humans are involved, things will go wrong. Murphy’s Law states, “Anything that can go wrong will.”
An IT infrastructure is a large, complex, but fragile entity. And it is completely at the mercy of human beings. Accidental damage in the wrong location or at the wrong time can have devastating results. Accidents include spilling liquids on equipment, tripping over cables, pulling out the wrong power cord, tripping the building’s circuit breaker, setting off the water sprinklers, placing candles on top of warm devices, knocking over a computer, turning off a system prematurely, installing the wrong driver, removing the wrong cable, and so on.
The best precautions and protections against accidents are backups, configuration documentation, and training. With some commonsense adjustments to worker activity, paying closer attention to activities they perform, and watching out for precarious circumstances, you can avoid many “common” accidents.
Unfortunately, accidents are not the only concern when humans are around. Another threat to network security is intentional damage or sabotage. Disgruntled employees, dismissed contract workers, opportunistic janitorial staff, unhappy managers, and even careless visitors can wreak havoc in moments if they have access to sensitive equipment or information. Proper personnel screening, perceptive supervisory oversight, escorts, background checks, security cameras, training, paying attention to the corporate culture, giving in on some indulgences (such as an occasional long lunch or casual Fridays), and providing competitive pay scales can go a long way toward preventing intentional disruption or destruction of IT equipment and resources.
Malicious Code (Malware)
Malware is the shortened term for malicious software. Malware is unethical code hackers write to cause harm and destruction. Malware gains access to a system in myriad ways, usually without the consent or knowledge of the user. The most common vectors of this computer contaminant are portable storage devices and Internet communications. A wide range of types of malware exist, including the virus, the worm, the Trojan horse, keystroke loggers, spyware, adware, the rootkit, the logic bomb, the trapdoor, the backdoor, dialers, URL injectors, and exploits. The number of unique malicious code examples is astounding. In April 2012, Symantec reported that its virus definitions file contained 17.7 million separate signatures—although as ZDNet blogger Ed Bott noted, some of them are of more concern than others.
Just like a biological virus, a computer virus needs a host object to infect. Most viruses infect files, such as executables, device drivers, DDLs, system files, and sometimes even document, audio, video, and image files. Some viruses infect the boot sector of a storage device, including hard drives, floppies, optical discs, and USB drives. Viruses spread through the actions of users. As users open infected files, the virus spreads to other files. As users send infected files to other systems, the virus spreads there, as well.
Unlike viruses, which spread from file to file, worms spread from system to system. Because human interaction isn’t necessary for propagation, they can (and do) spread much more quickly than
viruses. Today, nearly every threat described as a virus is really a worm. Hackers design worms around specific system flaws. The worm scans other systems for this flaw, and then exploits the flaw to gain access to another victim. Once hosted on another system, the worm spreads itself by repeating the process. Worms can be carriers to deposit other forms of malicious code as they multiply and spread across networked hosts.
A Trojan horse is actually a mechanism of distribution or delivery more than a specific type of malware. During the Trojan War, the Greeks built a huge, hollow wooden horse, hid warriors inside, and seemingly departed the area. The Trojans took the horse into their citadel and were massacred overnight when the Greek warriors emerged from hiding. The concept now embeds a malicious payload within a seemingly benign carrier or host program. When the host program runs, the malware is delivered.
The gimmick of a Trojan horse is the act of fooling someone (a type of social engineering attack) into accepting the Trojan program as safe. Any program can be converted into a Trojan horse by embedding malware inside it, in the same way that any food can be poisoned by adding a toxic substance to it. In fact, hackers have specialized tools designed for the express purpose of building Trojan horses called wrappers or Trojan horse construction kits.
Keystroke loggers record the keyboard activity of a user. Hackers can deposit software keystroke loggers onto a victim’s system through a variety of techniques, including a worm or a Trojan horse. Once a system is infected, the keystroke logger periodically transmits key logs to the originating hacker through e-mail, FTP, or instant message (IM). Hardware keystroke logger attacks can come through the keyboard cable. These are hard to detect because they are so small and are a parasitic link to the keyboard cable.
Spyware is an advancement of keystroke logging to monitor and record many other user activities. Spyware varies greatly, but can collect a list of applications launched, URLs visited, e-mail sent and received, chats sent and received, names of all files opened, recording of network activity, periodic screen captures, and even recordings from a microphone or images from a Web cam.
Adware infiltrates advertisements. Spyware and adware are often linked together in a symbiosis, since the information learned about a target from spyware helps in selecting materials the adware will push through. Adware can push advertisements as pop-ups, as e-mail messages, or by replacing existing legitimate ads on Web sites as they display in the browser.
Rootkits are malicious camouflage that function as invisibility shields for anything a hacker wants to hide on a computer. A rootkit acts like a device driver and positions itself between the kernel (the core program of an operating system) and the hardware. From there, the rootkit can selectively hide files on storage devices and active process in memory from being viewable, accessible, or detectible by the OS. Rootkits hide other forms of malware or hacker tools. Rootkits can include other malware functions in addition to their stealth abilities.
A logic bomb is an electronic land mine. Once a hacker embeds a logic bomb in a system, it remains dormant until a triggering event takes place. The trigger could be a specific time and date, the launching of a program, the typing of a specific keyword, or accessing a specific URL. Once the trigger occurs, the logic bomb springs its malicious event on the unsuspecting user.
Trapdoor and backdoor malware are two terms for the same type of malware. A backdoor or trapdoor program opens an access pathway for a hacker to gain easy access into a compromised
system. The access could be the creation of a new user account with credentials the hacker has defined; a rogue Web, telnet, or SSH server that gives the hacker remote command prompt access; or a source that enables full remote control over the victim’s machine (sometimes just by turning on Remote Desktop on a Windows host). Many other possible trapdoor or backdoor manipulations can grant access to external hackers.
A dialer is a rogue program that automatically dials a modem at a pre-defined number. Sometimes this process auto-downloads additional malware to the victim or uploads stolen data from the victim. In other cases, the dialer calls premium rate telephone numbers to rack up massive long distance charges. If the user normally connects to the Internet over a dial-up link, the dialer to could dial a rogue proxy site instead of the ISP. This site would act as a man-in-the-middle and be able to eavesdrop on all communications.
URL injectors replace URLs in HTTP GET requests for alternative addresses. These injected URLs cause a different Web page to appear in the browser than the one requested by the user’s click. These replaced Web pages could present advertisement sites, generate traffic to falsify search engine optimization (SEO), or lead to spoofed sites.
Exploits are any form of malware designed to take advantage of a flaw in programming, timing, communication, or storage. Hackers often embed exploits into other forms of malware to assist in their infection and distribution. Exploits also exist on their own, usually as tools employed by hackers to wage attacks, cause damage, and perform intrusions.
Spam is any unwanted and unsolicited message. Spam is not technically malicious software, but spam can have a series negative effect on IT infrastructures. Experts estimate that 80 to 95 percent of e-mail Internet traffic is spam and other forms of malicious messages. Hackers can easily use spam to wage DoS attacks through flooding and commonly use it to wage social engineering attacks such as phishing.
Malware is spread through the same communication channels as legitimate, benign data. The difference is that hackers design malware to cause distress and destruction. A growing area of risk for the spread of malware is mobile code. Mobile code is software that hackers write for easy distribution over communications networks, such as the Internet and mobile phone networks. Hackers design mobile code to download to a host, then execute on the host. Because of a lack of proper precautions and awareness by IT professionals, malware under the guise of mobile code is spreading more rapidly than ever.
Advanced Persistent Threat For many years, it was common for the general public, and even many knowledgeable security professionals, to call every type of malware a virus. It has become just as common for every type of malware to now be called an advanced persistent threat (APT). And it is just as wrong. While the occurrence of APTs has increased dramatically, they still represent a small percentage of attacks. It is true that APTs represent the next generation of malware in that they sit quietly on a target machine until they are activated. However, APTs are highly targeted, with the targeting intelligence often gleaned from other types of attacks, from phishing to social engineering. Historically, most attacks have been opportunistic attacks seeking the lowest-hanging fruit, the weakest systems to break in to. As we see a shift from financially motivated attacks to state-sponsored espionage and hacktivism, or
politically motivated hacking, it follows that we are likely to see the continued growth of targeted attacks such as APTs.
Even with all the variations of malware that currently exist and those that will exist in the future, you can choose from only a few common defenses: antivirus software, anti-malware scanners, integrity checking scanners, and user awareness. Antivirus software actively searches for viruses, worms, Trojan horses, and other similar destructive forms of malware in memory and on storage devices. Anti-malware scanners look for spyware, adware, dialers, and so forth that an antivirus software might not address. An integrity checker keeps a database of hash values for all system and application files and reports when unauthorized changes occur to those files. You can improve user awareness by offering training that encourages responsible action with regard to security. Training will also encourage users take reasonable precautions against infection and attack both at work and at home.
Fast Growth and Overuse
Granted, network security is not always an organizational priority. Some organizations are more concerned with profits and rapid growth than spending time on network security. Security is sometimes viewed as an annoying overhead expense that consumes resources without providing any return to compensate for the outlay. While this mindset is common among senior management, it’s a poor and incorrect understanding of the return on investment (ROI) of the crucial investment in network security.
Network security—in fact, most forms of security—protects the organization so that its profit centers can function without interruption or interference. Without network security, the capability and availability of the IT infrastructure would be unstable, especially during periods of accident, infection, attack, or hardware failure. Network security reduces the occurrences of downtime and damaged or lost resources. What could be more important to an organization’s bottom line?
Organizations that fail to address security issues as they experience explosive growth are more likely to experience catastrophic failure. By failing to protect assets (communications, data stores, intellectual property, customer data, financial records, and private personnel data), any level of hacker breach could result in organizational implosion.
Racing to get ahead, without proper planning and preparation, usually ends in failure. When constructing a skyscraper, the top of the structure isn’t built until each floor below it is properly erected. Growing a company too fast without adequate network security protections is like attempting to build the penthouse before the lower floors are completed. The rise to the top floor may be exhilarating, but the subsequent crash will be unavoidable. What goes up too fast will inevitably come down faster.
A slightly slower growth rate to build network security concurrently with the expansion of the organization is a much smarter plan. Such a deliberate approach is more likely to provide sustained growth and longevity than one based on an unbridled push for forward momentum without considering the risks.
Another potential oversight is an organization’s pushing equipment, software, and connectivity beyond a reasonable load level. Trying to pull a yacht with a sports car comes to mind. It looks sexy,
but what’s at risk? Modern IT equipment is able to perform at astounding levels. But even the best equipment can do only so much before it exceeds its peak operational limitations—and starts trending toward failure.
The growth of most organizations is predictable. Predictable growth can help plan for expansion of infrastructure before the infrastructure becomes a bottleneck. As growth passes 60 percent capacity of the current infrastructure, you should already be planning for expansion. As growth passes 80 percent capacity, take steps to implement expansion. As growth passes 90 percent, accelerate your efforts to complete the expansion.
If the company reaches 100 percent capacity before it completes expansion, a bottleneck inhibiting growth will result. This obstacle can create a bounce-back effect, in which interrupted growth could shrink the organization, making the return to growth more difficult. Equipment, storage space, memory capacity, backup capabilities, communication bandwidth, and processing capabilities should never reach maximum use or consumption. You should reserve sufficient overhead for the occasional spike above normal maximum activity.
Wireless Versus Wired
The security implications of a wireless network compared to a wired network are often exaggerated. The biggest difference is the mechanism and proximity of the attack. With wired networks, a hacker must gain physical proximity to a target to make direct contact with it. Once connected to the wired network, the hacker can attempt various attack and exploits.
With wireless networks, the hacker doesn’t have to be physically close. Hackers can attempt network breaches from a mile or more away from the access point (Figure 4-6). In most real-world situations, however, the range is often under a thousand feet with a small but powerful directional antenna.
In either case, wired or wireless, the hacker must first obtain a network connection with the target network to attack if the hacker’s goal is to gain access to user accounts or data stored on the network. If the hacker is mainly interested in destruction and DoS, then logical network access isn’t necessary.
FIGURE 4-6
Wired networks require local attacks; wireless networks allow for remote attacks.
Eavesdropping
Eavesdropping is listening in on communications. Eavesdropping can be the recording of network traffic using a packet capturing tool, generically known as a sniffer (Figure 4-7). Hackers can eavesdrop against data packets or against voice traffic. Eavesdropping can occur over wired or wireless connections.
Any communication performed in plain and directly usable data forms is subject to interception and recording. You can prevent eavesdropping by using encrypted protocols. Only cryptographically encoded messages are safe from outsiders learning the content of the conversation.
Replay Attacks
Replay attacks are also known as playback attacks. A replay attack is the retransmission of captured communications. The goal of a replay attack is to gain interactive or session access to a system. The traffic captured and retransmitted for a replay attack is authentication packets (Figure 4-8). In this type of attack, the hacker captures traffic between a client and server, and then later retransmits it against the same server as the original communication.
FIGURE 4-7
Eavesdropping on an existing session between client and server.
FIGURE 4-8
Replay attacks collect authentication packets, and then retransmit them later.
The goal of this attack is to replay the credential packets so that the hacker gains access to the user’s account on the target host. Another type of replay attack is resending a transaction, such as “Send a $10 refund check.”
Fortunately, you can thwart most replay attacks by using one of several common communication improvements. Many authentication transactions include a non-replayable random challenge-response dialogue. This dialogue consists of one endpoint generating a random seed value sent to the other endpoint. The second endpoint uses a mutual secret known by both endpoints to compute a response using a one-way computation. The response returns to the original endpoint, where the response was predicted. If the received and predicted responses match, the user is authenticated.
Another defense against replay attacks is time stamps. Some authentication exchanges have encoded time details that are difficult to reproduce or modify without detection. Additionally, the use of one-time pad or session-based encryption can make replay attacks impossible.
Insertion Attacks
Insertion attacks come in many forms, but all of them involve the introduction of unauthorized content or devices to an otherwise secured infrastructure. Three common insertion-based attacks include SQL injection, IDS insertion, and rogue device insertion.
SQL injection is an attack that inserts a hacker’s code into a script hosted on a Web site. SQL injection attacks can give the hacker access to the back-end database of a Web application. The technique exploits a weakness in common Web communications that treats certain characters differently because they are assigned a special meaning or purpose rather than just treated as text. These are called metacharacters and act as programming markup. If you don’t write a script defensively to block out or ignore metacharacters, then injection attacks can effectively rewrite the script based on content a hacker submits. The injected code can perform just about any possible command line task imaginable.
IDS insertion is a form of attack that exploits the nature of a network-focused IDS to collect and analyze every packet to trick the IDS into thinking an attack took place when it really hasn’t. The common purpose of IDS insertion attacks is to trick signature- or pattern-matching detection of malicious network events. By interspersing attack traffic with packets that the target host will reject but the IDS will view, the IDS fails to see the attack pattern, but the attack still takes place. For example, suppose an attack is composed of four packets, A, B, C, and D, and the IDS signature is a packet stream of ABCD. If the hacker transmits the attack as AXBCYD, where X and Y are invalid packets rejected by the target, then the IDS doesn’t recognize the pattern. After X and Y are discarded, the ABCD attack occurs against the target.
Rogue device insertion is a physical form of insertion attack where a hacker inserts an imposter device into an infrastructure. The most common example of this is the insertion of a rogue wireless access point configured similarly to the real, authorized access point. Some users might be fooled into
connecting to the rogue access point. This would constitute a man-in-the-middle attack where the hacker would intercept all transactions from the compromised system.
Each insertion attack method requires that you create a unique defense. You can prevent SQL injection attacks by defensive programming and filtering input. Squelch IDS insertion attacks by using modern IDS techniques such as anomaly, behavioral, and heuristic detection. You can derail a rogue device insertion through encrypted communications, pre-configured network access, prohibited wireless networking, user training, and regular site surveys.
Fragmentation Attacks, Buffer Overflows, and XSS Attacks
Fragmentation Attacks Fragmentation attacks are an abuse of the fragmentation offset feature of IP packets. Fragmentation occurs when there are many different network links connected to construct a global infrastructure. Some network segments support smaller datagrams (another term for packet or frame) than others, so larger datagrams are fragmented into the smaller, more compatible size. When the fragmented elements of the original datagram reassemble, manipulations of fragmentation can cause several potentially malicious reconstructions, such as overlapping and overrun. Think of the transporter on Star Trek: If anything gets in the way of the reassembly of the person being transported, you might end up with an evil Mr. Spock with a goatee.
Overlapping can cause full or partial overwriting of datagram components creating new datagrams out of parts of previous datagrams. Overrun can result in excessively large datagrams. Other fragmentation attacks cause DoS or confuse IDS detection and firewall filtering.
Protections against fragmentation attacks include modern IDS detection and firewall filtering features, as well as performing sender fragmentation. Sender fragmentation queries the network route to determine the smallest maximum transmission unit (MTU) or datagram size. The sender then pre- fragments the data to ensure that no fragmentation needs to occur en route. “Beam me up, Mr. Scott— and make sure I get back all in one piece.”
Buffer Overflows A buffer is an area of memory designated to receive input. Buffers are of a specifically determined size set by the programmer, since only a finite amount of memory resides on a host. A buffer overflow is an attack against poor programming techniques and a lack of quality control. Hackers can inject more data into a buffer than it can hold, which may result in the additional data into the next area of memory.
This overflow could be totally ignored, could trigger an overflowing crash or freeze, or could result in arbitrary code execution. In the latter case, the hacker crafts the input stream so the overflowed data is a command-line code statement executed with system-level privileges.
Programmers can prevent buffer overflows. Using defensive programming techniques, such as input limit checks and avoiding programming language functions that do not check boundary limitations, buffer overflows become a useless form of attack.
XSS (Cross-Site Scripting) Attacks Cross-site scripting (XSS) is similar to SQL injection, but the results attack future visitors to a Web page rather than grant the hacker access to the back-end database. An XSS attack submits script code to a Web site. XSS can result in persistent malicious modification of Web source files. This causes all future visitors to the site to receive compromised content.
XSS attacks can include e-mails to victims with falsified hyperlinks that point the script injection to a target site when the victim clicks on the e-mail’s embedded links. Such an attack can grant the hacker access to the seemingly secured Web transaction of the victim. This form of attack is non- persistent since it affects only those who click on the links in the malicious e-mail.
XSS attacks are generally preventable if you use defensive coding techniques and metacharacter filtering. For end users, defenses include cookie management and disabling scripting support in browsers and e-mail clients.
Man-in-the-Middle, Session Hijacking, and Spoofing Attacks
Man-in-the-Middle Attacks Man-in-the-middle (MitM) attacks occur when a hacker intervenes in a communication session between a client and a server. The attack usually involves fooling or tricking the client into initiating the session with the hacker’s computer instead of with the intended server (Figure 4-9). This form of attack is also called an interception attack, a proxy attack, or a monkey-in-the-middle attack.
FIGURE 4-9
Man-in-the-middle attacks fool clients into initiating sessions with the hacker instead of the target server.
MitM attacks involve a pre-attack element, in which the client is given false information that leads the client to request a session with the hacker’s computer rather than the real server. The hacker can accomplish this using one of several methods:
ARP spoofing—Address Resolution Protocol (ARP) is a non-authenticating broadcast query service that requests the MAC address from a system using a specific IP. If a hacker running an ARP spoofing tool sends a false response to the requester before the real response returns,
then the sender will use the false MAC address. Subsequent frames go to the rogue MAC address, which the hacker’s computer uses. ARP spoofing must occur within a subnet.
MAC spoofing—The hacker’s computer uses a server’s MAC address; while the server is flooded, the hacker’s system receives traffic instead of the intended server. MAC spoofing must occur within a subnet.
DNS poisoning—To perform DNS poisoning, a hacker compromises a DNS server and plants false FQDN-to-IP mapping records. The DNS source will feed subsequent user queries false data.
DNS spoofing—DNS is a non-authenticating query service that requests the resolution of a FQDN into its related IP address. A hacker hosting a rogue DNS spoofing tool can send back false DNS responses.
technical TIP When a non-authenticating query service is in use, it does not confirm the source or the validity of any response received. Thus, if you receive a fake, spoofed, or rogue response, the system accepts it as genuine and the query session ends. If the real response arrives, the system rejects it as an invalid or stray packet because it will no longer correspond to any open query session.
ICMP redirect—On subnets with multiple routers, ICMP redirects can cause a host to alter its routing table. This attack could redirect traffic along a different route than the default, expected, or optimal one.
Proxy manipulation—To perform proxy manipulation, a hacker reconfigures a client’s proxy configuration. Requests for services go to the hacker’s system that acts as a MitM proxy.
Rogue DHCP—A rogue DHCP is a false DHCP server that can provide IP address configuration leases for a unique subnet and define the default gateway since the hacker’s computer acts as a MitM router/proxy.
Rogue access point—To create a rogue access point, a hacker configures a rogue wireless access point similarly to the real authorized access point that can fool users into connecting, which then serves as a MitM proxy.
Defenses against MitM attacks include IDS and IPS solutions that monitor for common network abuses or abnormal network activity. Additionally, strong multifactor authentication and mutual authentication can reduce the success of MitM attacks.
Session Hijacking
Session hijacking occurs when a hacker is able to take over a connection after a client has authenticated with a server (Figure 4-10). To perform this attack, a hacker must eavesdrop on the session to learn details, such as the addresses of the session endpoints and the sequencing numbers. With this information, the hacker can desynchronize the client, take on the client’s addresses, and then inject crafted packets into the data stream. If the server accepts the initial false packets as valid, then the session has been hijacked.
FIGURE 4-10
Session hijacking steals a connection from a client.
In a session hijack, the attacker does not directly learn the credentials of the client. If the hacker loses the connection, he will have to look for another session to hijack. The client who lost the session will be aware that the connection was lost, but will not necessarily be aware that the disconnect was a hijack attack.
Session hijacking sometimes employs DNS spoofing, poisoning, ARP spoofing, ICMP redirects, and rogue DHCP to alter the route or pathway of a session. The hacker uses this pathway alteration to make the session hijacking attack easier by forcing the target session to travel over a more accessible network segment.
Any host that uses TCP/IP without encryption is vulnerable to session hijacking. Even with complex or pseudo-randomized packet sequence numbering, a little eavesdropping is all that is necessary for hackers (or the hackers’ tools) to predict future sequence values. The only true protection against session hijacking is encryption, such as a VPN.
Spoofing Attacks Spoofing is falsification of information. Most spoofing is a falsification of the identity of a source. E- mail addresses, MAC addresses, and IP addresses are all easily spoofed. Spoofing tricks a user or a host into believing a communication originated from somewhere other than its real source. This is a common tactic in the transmission of spam. Spoofing impersonates an authorized entity, such as MAC
spoofing to bypass wireless access-point MAC filtering. Spoofing is difficult to prevent and somewhat hard to detect. Most spoofing detection occurs
when you watch normal traffic and look for addressing anomalies. For example, if a switch sees that a specific MAC address is the source address for frames received on switch port 6, and that MAC address also appears as the source address for frames received on switch port 9, that’s a symptom of MAC spoofing (Figure 4-11). In another example, if a firewall receives a packet on its external interface and the source IP address is an internal LAN address, spoofing could be going on.
FIGURE 4-11
Spoofing of a client’s MAC address by a hacker’s computer.
technical TIP The alternate data streams (ADS) of NTFS are a feature added to this file system to support files from POSIX, OS/2, and Macintosh. This feature was added to NTFS in the mid-1990s to drive government purchase of Windows NT. However, even with POSIX and OS/2 support now dropped from Windows and Macintosh hierarchical file system (HFS) support no longer needed, NTFS has retained this feature. ADS is the ability of a file to contain multiple resource forks. The result of NTFS support for ADS is that not just additional resources, but complete additional files, can hide below any normal file object.
A normal file object, including directories, can contain numerous additional files underneath itself. The number of additional files is limited only by the total amount of free space on the drive and the size of the hidden files. Once a file stores as an ADS, it’s no longer visible or easily accessible by the OS itself. Several hacking tools can create and manipulate ADS. Only a few scanning tools, such as Streams from sysinternals.com, and only a handful of malware scanners can specifically explore a drive for ADS hidden code.
Spoofing is something to watch and filter for, but no real or direct prevention of spoofing exists. Additionally, hackers can intercept and modify data already in transit from a real source if it’s not encrypted. Thus, spoofed data does not always originate as falsified communications.
Covert Channels
Covert channels are hidden, unknown, unique, atypical pathways of information transfer. The channel is covert because it is unknown and unseen. Hackers use covert channels for secretive communications, often to leak data out of a secured environment. Covert channels are insecure pathways of transmission. If the pathway were known, it would be an overt channel and likely blocked, filtered, or otherwise secured.
Two main forms of covert channels exist: timing and storage. A timing channel conveys information through timed and synchronized activities. A few potential examples of timing covert channels include:
Blinking lights to distribute information in Morse code Manipulating a fan’s speed so the higher and lower pitched noise creates binary transmission Throttling the bandwidth consumption on an Internet link so that at a specific interval a utilization measurement reads a value below 60 percent as a zero and a value above as a one for binary communications
A storage covert channel conveys information through unseen or undiscovered storage locations. A few potential examples of storage covert channels include:
Using the unpartitioned space of a hard drive to store data written via a hex editor Using a firmware flash memory on-board chip to store data Using the alternate data streams of new technology file system (NTFS) to hide files Using the slack space of a hard drive to store data
The best defenses against covert channels include IDS and IPS, as well as thorough monitoring of all aspects of an IT infrastructure for aberrant or abnormal events of any type. Predicting covert channels is difficult because by their very nature they are unknown and unseen.
How Hackers Hijack Slack Space
A hard drive contains segments known as sectors. A sector is the smallest fixed-size block of storage space of a drive and is 512 bytes. When a file system is applied to a partition, clusters are created out of one or more sectors. Slack space is the unused portion of the last cluster only partially consumed by a stored file. The cluster:sector ratio typically ranges from
1:1 to 1:128 for clusters of 512 bytes to 64 KB.
A file system has a fixed maximum number of addresses assigned to clusters. Larger drives have the same number of clusters as smaller drives, but the clusters are larger. It’s a little like shoes: kids’ shoes are one pair to a box, just like adults’ shoes, but the box containing adults’ shoes is bigger. A cluster is the smallest consumable element of storage space and can contain data from only a single file. No native mechanism addresses sub-cluster divisions in standard file system formats.
When a file writes to a drive, it consumes as many clusters as necessary to contain all of the data of the file. All clusters but the final or last cluster containing the file are filled. The last cluster is fully consumed only if the file happens to be an exact multiple of the cluster size (which is not very common). The unused portion of the last cluster is known as slack space (Figure 4-12). Slack space is effectively unusable, wasted storage space.
Hackers have developed special file manipulation tools that can locate and hijack the slack space and use it to create hidden volumes on a hard drive. These volumes are nearly impossible to detect because they are not contained, referenced, or addressed by the file system of the storage device. Instead, the slack space drive exists only because special software can address sub-cluster storage locations. The slack space drive software operates independently of the OS and the file system.
FIGURE 4-12
Slack space is the unused portion of the last cluster only partially consumed by a stored file.
technical TIP Web servers, or at least Web sites, appear on the Internet in a least four different architectural deployment options: reverse proxy, DMZ, co-location, and hosting. Reverse proxy uses a static NAT mapping or port forwarding to allow outside visitors to initiate communications with an internal server. This is the poorest security choice because it could grant hackers access to the entire intranet if the Web server is compromised.
Hosting a Web server in a DMZ is a more secure solution. However, if compromised, a DMZ Web server gives the hacker a weapons platform just outside of the private network’s front
door. Co-location is placing a Web server host directly on an ISP network within a facility. Hosting is leasing access to space on an existing Web server owned and managed by the hosting entity (squarespace.com is a great example). These last two options are the most secure; if the Web server/site is compromised, the hacker gains no location benefit to breach the private network.
Network and Resource Availability Threats
To be successful, many exploits and attacks require special access on a private network. Some exploits will function against an Internet facing Web server, but such a server might not directly connect to a private network. If a hacker is unable to find an exploitable vulnerability that gains access or control over the targeted systems, a fallback or final resort option is to launch availability attacks.
An availability attack aims at preventing legitimate access or use of resources to delay or interrupt business. Generally, this is known as denial of service (DoS) attack.
Denial of Service (DoS)
A denial of service (DoS) attack interrupts the normal patterns of traffic, communication, and response. A DoS attack interferes with timely processing and reply to legitimate requests for resources. A DoS attack can be of two primary forms: flaw exploitation or traffic generation.
FIGURE 4-13
Denial of service flooding attack against a client.
Flaw exploitation DoS attacks take advantage of a programming bug, flaw, or convention. The DoS exploit results in the system freezing, crashing, rebooting, or failing to respond to external communications. You can mitigate flaw exploitation DoS attacks through the application of a patch and the use of an IDS or IPS system. Once you apply a patch, the DoS will no longer be effective. Flaw exploitation attacks are usually specific to a software version.
Traffic generation DoS attacks flood a target with traffic (Figure 4-13). The traffic consumes
available bandwidth and processing, preventing legitimate communications. No patches exist to mitigate traffic generation DoS attacks. Instead, traffic filtering is the only effective response. Upstream filtering, however, is more effective than edge device filtering.
Upstream filtering occurs when a parent network, usually the ISP, provides filtering for traffic before it enters the child network to which individual and business customers connect. Edge device filtering will prevent malicious traffic from entering the private network, but not prevent a successful DoS. Only upstream filtering will reduce or eliminate the DoS traffic and allow legitimate communications to continue.
Distributed Denial of Service (DDoS)
Distributed denial of service (DDoS) attacks advance DoS attacks through massive distributed processing and sourcing. The foundation of DDoS is the agent, bot, or zombie. Agents, bots, and zombies are malicious code implanted on victim systems across the Internet. These mobile agents may create their own peer-network interaction or connect into a public communication medium, such as an Internet relay chat (IRC) channel. The resultant network is known as a botnet army or zombie army.
The hacker remotely controls the botnet and directs it to perform various malicious activities, including flooding attacks, against selected targets. Generally, the main targets of the botnet are known as primary victims, while the compromised systems hosting the botnet’s agents are known as secondary victims. This form of DoS is distributed because the bots are disseminated across numerous secondary victims and the resulting attacks originate from a plethora of source vectors.
A hacker distributes the bots, agents, or zombies to many secondary victims located throughout the Internet. The bots then connect back to some form of communication server, commonly a chat service like IRC, where they can receive instructions from the hacker. Once the hacker sends attack instructions, the bots launch attacks against the primary target (Figure 4-14).
A botnet can perform a wide range of malicious actions including flooding, spamming, eavesdropping, intercepting, MitM, session hijacking, spoofing, packet manipulating, malware distributing, phishing site hosting, password stealing, encryption cracking, and more.
Several botnets have appeared in the last few years, such as Storm and Conficker, which had an estimated secondary victim base of 75 to 100 million systems.
FIGURE 4-14
Distributed denial of service flooding attack against a primary target.
Defenses against DDoS focus on either avoiding becoming a secondary victim or protecting against primary victim onslaughts. To avoid becoming a secondary victim, you should use measures including current antivirus and anti-malware scanning, user behavior modification, firewall filtering, and IDS/IPS solutions. Protection against primary victim onslaughts includes firewall filtering, honeypots, and IDS/IPS solutions.
Hacker Tools
Hacker tools include a wide variety of software, from mundane native OS utilities to commercial applications to custom coded exploits. Generally, any software put to a malicious or unauthorized (according to company security policy) use is a hacking tool.
Hacking tools perform hacking activities. All of the exploit concepts mentioned in this chapter are possible through a wide variety of hacking tools and utilities.
No master list of hacker tools exists to search for or block access to protect IT systems. Just about every legitimate program can be put to some illicit task. To defend generally against hacker tools, consider using a whitelist restriction system.
A whitelist restriction system incorporates a list of software executables authorized for use. A user can launch any application on the list. You block from running all executables not on the list. A whitelist cannot focus on just authorized filenames; this process uses a hash value, as well, to prevent easy bypassing of the limitation through simple file renaming.
In addition to whitelisting, you can reduce the threat of hacking tools through limiting Internet downloads and file exchanges, controlling use of portable storage devices (especially those used on external systems), filtering e-mail attachments, installing IDS/IPS solutions, and providing user education.
Social Engineering
Social engineering is the art of manipulating and exploiting human nature. Social engineering is the craft of manipulating people into performing tasks or releasing information that violates security. Social engineering is an exploit that can almost always be performed against a target organization. This is due to the presence of humans. Humans are the primary targets of social engineering.
Humans are the weakest link in most security solutions because humans are the only element in an organization with free will. Every other element can perform only within its programming and design. In addition, humans can be tricked or fooled, while hardware and software can perform only in accordance with its design and programming.
Social engineering can take place over any communication method, including face-to-face, telephone, e-mail, IM, and Web sites. Social engineering may focus on extracting information from a target or convincing the target to take action that alters the security status of a host or network.
Many social engineering attacks stem from some form of relationship, from initial and casual to business professional to long-term and highly developed. The more in-depth and long-term the relationship, the more leverage the hacker can exploit to turn, trick, or abuse the target.
Social engineering can involve a wide range of techniques, including impersonating a position of authority, reciprocating favors, using social validation, and creating urgency through scarcity. Often these attacks become more successful if the hacker can impersonate an insider.
Gaining access to inside information is often the first element of a social engineering attack. Dumpster diving, using reconnaissance, and cold calling are techniques to learn about the internal culture of the target. As a hacker learns more and more terminology, processes, organizational hierarchy, policies, events, gossip, social occurrences, calendars, project scheduling, and so on, the more that hacker is able to simulate being an insider. Once a hacker fools a target into believing that he or she is just another employee, the initial attack is successful. With the standing gained, the hacker manipulates the target into revealing more internal information, reconfiguring systems, or downloading tools from questionable Internet locations.
Social engineering may be the first wave of hacker attacks or could be the last-resort fallback plan if attempts to perform logical intrusion or physical burglary fail. Some hackers are naturally gifted at social engineering, while others must practice to obtain workable competency at the craft. These skills of social engineering are not unique to this unethical activity; instead, they are the same skills most people use in normal social situations when trying to get their way, convince someone to go out on a date, ask for help, improve social status, get out of trouble, lead a group, sell and market, create advertising, and so on. The difference is that hackers have an unethical goal in their use of these skills.
Social engineering, primarily attacks against people, is invulnerable to typical IT countermeasures. Instead, the best defense against social engineering is thorough user training and
awareness. Once personnel are aware that they are, have been, and will be targets of attack, they can adopt a slightly suspicious and cautious outlook. Employees should skeptically evaluate any activity, question, interaction, or relationship that seems odd or out of place.
You can help reduce the threat of social engineering by using security policies that employ information classification with related restrictions on communication methods. If you limit the communication channels that specific classes of information traverse, you will reduce information leakage caused by social engineering. For example, if you restrict the use of passwords over the telephone or by e-mail, then anyone who requests a password will be obviously attempting to violate security. Employees should be trained to report all such requests to the network security staff.
CHAPTER SUMMARY Hackers are consistently seeking to take advantage of anyone or any system not prepared or properly secured. Understanding the various means of attacks hackers commonly employ directly improves awareness and overall network security.
Hackers often seek monetary gain through attacks against individuals and organizations. Hackers can be employees or outsiders. Compromising situations are not limited to hacker attacks, but can also include accidents, oversights, hardware failure, rapid growth, and severe weather. Hacker tools and techniques include malicious software, exploiting wireless connections, eavesdropping, replay, insertion, fragmentation, buffer overflow, XSS, man-in- the-middle, session hijacking, spoofing, covert channels, and the availability attacks of DoS and DDoS. You should take action to restrict or limit hacker tools and use caution and training to avoid social engineering.
Other hacking attacks and techniques than those listed here are exist. This chapter offers a generic description of the hacking process, not a definitive or exhaustive examination. However, from this foundation, you can develop a greater understanding of hacking and the threats posed by hackers (as well as other sources of threat and risk), leading to improved security design, policy, and implementation.
KEY CONCEPTS AND TERMS Advanced persistent threat (APT) Adware Alternate data stream (ADS) Arbitrary code execution ARP spoofing Banner
Banner grabbing Blog Botnet army Buffer overflow Chip creep Cluster Cold calling Command shell Contract worker Covert channel Cross-site scripting (XSS) Deterrent Dialer Disgruntled employee Distributed denial of service (DDoS) attack DNS poisoning DNS spoofing Domain registration Dumpster diving Enumeration Flaw exploitation attack Flooding Footprinting Hacktivism Hierarchical file system (HFS) Honeypot ICMP redirect IDS insertion Insertion attack Instant message (IM) Intentional electromagnetic interference (IEMI) Interception attack Internet relay chat (IRC) Keystroke logger Leetspeak Logic bomb MAC spoofing
Maximum transmission unit (MTU) Mean time between failures (MTBF) Mean time to failure (MTTF) Metacharacter MITRE Mobile code Monkey-in-the-middle attack National Institute of Standards and Technology (NIST) New technology file system (NTFS) Nmap Non-authenticating query service Opportunistic hacker OS/2 Partition Phishing Ping sweep Playback attack Port scanning POSIX Privilege escalation Professional hacker Proxy attack Proxy manipulation Pwned Reconnaissance Recreational hacker Redundant array of independent disks (RAID) Return on investment (ROI) Rogue access point Rogue DHCP Rootkit Scanning Script kiddie Sector Session hijacking Shell code Slack space
Social engineering Spam Spyware SQL injection Static electricity discharge (SED) Trapdoor Trojan horse Unpartitioned space Upstream filtering URL injector USENET newsgroups Virus Wardialing Wardriving Whois Worm Wrapper Zombie army
CHAPTER 4 ASSESSMENT
1. All of the following are common or likely motivations for a hacker except which? A. Ego boost B. Social validation C. College credit D. Challenge E. Adventure
2. Which of the following potential hackers represents the greatest threat because they likely already have physical and logical access to a target? A. Consultant B. Competitor C. Overseas black hat for hire D. Customer
E. Recreational hackers under 16 years old
3. Which of the following is not a significant threat to availability? A. Natural disasters B. Hardware failure C. Accidental spills D. Stateful inspection filtering E. Lack of proper training
4. Which of the following is not a potential consequence of a malware infestation? A. Corruption of data B. Leaking of confidential information C. Crashing of systems D. Identity theft E. Improved throughput
5. What is the primary difference in network security between a wired connection and a wireless connection to a private LAN? A. Inability to access all network resources B. Lack of realistic throughput C. Needing to be inside the building to access the network D. Ability to support encrypted sessions E. Support for multi-factor authentication
6. Most exploits are based on the existence of which? A. Encryption B. Filtering C. Humans D. System anomalies E. Synchronization
7. What is the first stage or step in the hacking process? A. Scanning B. Penetration C. Enumeration D. Privilege escalation E. Reconnaissance
8. Which form of attack captures authentication packets to retransmit them later?
A. Insertion B. Hijacking C. Replay D. Interruption E. Spoofing
9. Which form of attack can potentially evade an IDS? A. Virus B. Insertion C. Man-in-the-middle D. ARP poisoning E. Rogue DHCP
10. Which exploit takes advantage of variable MTUs? A. Spoofing B. Hijacking C. Covert channels D. DoS E. Fragmentation
11. Which form of attack submits excessive data to a target to cause arbitrary code execution? A. Buffer overflow B. DDoS C. Insertion D. Interruption E. Fragmentation
12. Which attack exploits a Web site to poison its dataset so future visitors receive corrupted content? A. Cross-site scripting B. Proxy manipulation C. Rogue DHCP D. SQL injection E. Hijacking
13. Which attack uses rogue DHCP, ARP poisoning, or ICMP redirect? A. Fragmentation B. Injection
C. Man-in-the-middle D. Social engineering E. Buffer overflow
14. Which attack is preceded by eavesdropping? A. SQL injection B. Hijacking C. IDS insertion D. Covert channel E. XSS
15. Which attack is based on the impersonation of a legitimate host? A. DoS B. Replay C. Fragmentation D. Spoofing E. Hijacking
16. Which method of communication is unseen, unfiltered, and based on timed manipulations? A. Buffer overflow B. Man-in-the-middle C. DDoS D. Covert channel E. IDS insertion
17. Which form of attack is based on malware distributed by Trojan horse or worm and can generate massive levels of traffic toward a primary target from numerous source vectors? A. Fragmentation B. Hijacking C. DDoS D. Playback E. XSS
18. Which attack uses non-technical means to achieve results? A. Spoofing B. SQL injection C. Buffer overflow D. Covert channels
E. Social engineering
19. A hacker writes an exploit to compromise targets due to the presence of which? A. A vulnerability B. Multi-factor authentication C. Sufficient throughput D. A bot army E. Traffic filtering
20. What is the primary benefit to network security of knowing hacker attacks and exploits? A. Training contract workers B. Improved antivirus detection mechanisms C. Defending against specific threats D. Alterations of network subnet organization E. Reduced infrastructure cost
PART TWO
Technical Overview of Network Security, Firewalls, and VPNs
CHAPTER 5 Network Security Implementation
CHAPTER 6 Network Security Management
CHAPTER 7 Firewall Basics
CHAPTER 8 Firewall Deployment Considerations
CHAPTER 9 Firewall Management and Security
CHAPTER 10
Using Common Firewalls
CHAPTER 11
VPN Management
CHAPTER 12
VPN Technologies
CHAPTER
5 Network Security Implementation
IMPLEMENTATION is the act of designing, installing, deploying, and configuring network security. This chapter focuses on the foundations of network security essential to every organization, from an individual computer at home to a multinational corporation’s network. The foundations of security apply universally no matter the size, purpose, or function of computers and networking.
The foundations of network security include layered defenses, proper use of protocols, communication management, system hardening, and more. Based on some common, often simple, principles, you can significantly improve your organization’s computer systems. Following the suggestions in this chapter will reduce the risk of system compromise from accident, oversight, Mother Nature, or malicious intent.
Chapter 5 Topics
This chapter covers the following topics and concepts:
What the seven domains of a typical IT infrastructure are
What network design and defense in depth are
What protocols and topologies are
What common types of addressing are
How to control communication pathways
How to harden systems
Which method to use for selecting equipment
What authentication, authorization, and accounting are
What communication encryption is
What the best architecture is: local hosts only or remote and mobile hosts
What redundancy is
What node security is
Chapter 5 Goals
When you complete of this chapter, you will be able to:
Describe elements of network security design
Compare and contrast public and private addressing as well as static and dynamic addressing
State the importance of system hardening
Describe why authentication, authorization, accounting, and encryption are essential for network security
Identify the security concerns of local hosts as well as remote and mobile hosts
Define the elements of node security
Seven Domains of a Typical IT Infrastructure
Seven domains are commonly found in the typical IT infrastructure (Figure 5-1) of moderate-sized to large organizations. These seven domains were introduced in the first chapter, but in the context of network security implementation, they require more detail and focus.
Hackers look for every opportunity to exploit a target. No aspect of an IT infrastructure is without risk or immune to the scrutiny of hackers. When designing and implementing network security, you need to analyze every one of the seven domains of a typical IT infrastructure for potential vulnerabilities and weaknesses. Security measures must be detailed, focused, and exhaustive. You must consider every possible avenue of attack, assess risk, and if the risk is sufficient, apply a countermeasure. Failing to do so will leave an open pathway for a hacker. A hacker needs only one crack in your defenses to begin chipping away at the security of the entire network.
Each of the seven domains of a typical IT infrastructure has unique aspects that need security improvements. A quick list of important foundational network security issues related to these seven domains is pertinent here:
User Domain—This domain refers to the actual users, whether they be employees, consultants, contractors, or other third parties. Any user who accesses and uses the organization’s IT infrastructure should review and sign an acceptable use policy (AUP) prior to being granted access to the organization’s IT resources and infrastructure. This domain should also be the focus of training, strong authentication, granular authorization, and detailed accounting. Additionally, many of the protections added to other domains provide additional protections for and against the user domain.
FIGURE 5-1
The seven domains of a typical IT infrastructure.
Workstation Domain—This domain refers to the end user’s desktop devices such as a desktop computer, laptop, VoIP telephone, or other endpoint device. Workstation devices typically require security countermeasures such as antivirus, anti-spyware, and vulnerability software patch management to maintain the integrity of the device. System hardening, communication protection, and positioning of work stations are critical to security.
Local Area Network (LAN) Domain—This domain refers to the physical and logical local area network technologies used to support workstation connectivity to the organization’s network infrastructure. Protocols, addressing, topology, and communication encryption provide security for this domain.
LAN-to-Wide Area Network (WAN) Domain—This domain refers to the organization’s internetworking and inter-connectivity point between the LAN and the WAN network infrastructures. Switches, routers, firewalls, proxies, and communication encryption are important aspects of security for this domain.
Remote Access Domain—This domain refers to the authorized and authenticated remote access procedures for users to remotely access the organization’s IT infrastructure, systems, and data. Remote access solutions typically involve SSL 128-bit encrypted remote browser access or encrypted VPN tunnels for secure remote communications. Knowing where a host is located helps determine the types of security necessary on that host.
WAN Domain—Organizations with remote locations require a wide area network to interconnect them. Protocol selection, addressing schemes, and communication encryption are elements of securing this domain.
System/Application Domain—This domain refers to the hardware, operating system software, database software, client-server applications, and data that are typically housed in the organization’s data center and/or computer rooms. Network design, authentication, authorization, accounting, and node security are important security concerns for this domain.
Network administrators need to recognize that the potential for compromise exists throughout an organization. This recognition leads the need for adequate network security throughout an organization. Starting from the knowledge that risk exists and threats loom, network security administrators can design and implement appropriate countermeasures and safeguards.
Network Design and Defense in Depth
Every network is different. However, common security principles apply to any network, regardless of its unique elements. One of these common principles is secure network design. Secure network design embeds core protections and improvements into an IT infrastructure before it is implemented. Design comes from planning. Planning comes from sufficient knowledge and understanding.
Common security goals include confidentiality, integrity, availability, privacy, authentication, authorization, nonrepudiation, and accounting. To efficiently accomplish these goals, informed planning assists you in designing the network before deployment.
An underlying fundamental of network security design is that no security solution is perfect. Any single security protection, countermeasure, and safeguard is insufficient. Hackers will use some method, technique, or exploit to bypass, evade, or render useless a security protection. The potential concerns include placement, programming flaws, default settings, maximum values, processing capabilities, memory capacity, backdoors, malicious code, social engineering, and physical attacks. This list is not exhaustive, but represents the key issues. In theory, no security solutions are sufficient and complete.
Thus, you need to use multiple security components. This is known as defense in depth or multiple layers of defense (Figure 5-2). If you follow a defense-in-depth design concept, numerous safeguards will protect each asset. As one defense tool interlocks with another, they overlap and improve the overall security. The strengths and benefits of one countermeasure supplement or compensate for the weaknesses and limitations of another.
Defense in depth leads many security professionals to two additional guidelines. First, avoid single points of failure. Second, divide and conquer. A single point of failure is any element, component, or aspect of a system that could lead to failure or compromise of the entire system. Divide and conquer is the process of separating a large project into multiple smaller and more manageable pieces.
FIGURE 5-2
An example of defense in depth around an asset.
Avoiding single point of failure must take place on multiple fronts. A hacker needs only a single flaw or weakness to exploit a target. Efforts should focus on finding and eliminating as many vulnerabilities as possible to remove the single points hackers seek to exploit.
Good design filters every user interaction with an asset multiple times. This filtering should include authentication, authorization, content filtering, and context filtering. Only relying upon a single filter or check system is a form of a single point of failure. Always assume that any one service or function is flawed or will fail.
Effective network design monitors and examines all activities against an asset using multiple techniques. This could include object auditing, server monitoring, client monitoring, network monitoring, and so on. Only using a single monitoring viewpoint could be a single point of failure. Everyone has seen video footage from a single perspective that guides the viewer into seeing or believing one thing, but from another camera angle the truth, the trick, or an alternate explanation becomes clear.
Divide and conquer is not just a tactic for waging actual war; it is also a tactic in the war against network security breaches. By dividing up a larger project or task into manageable components, you can focus on and care for each component to ensure accuracy and completeness in addressing network security concerns. Attempting to tackle the security of a network as a whole is often a recipe for disaster. Evaluating the big picture is always a good idea, but working exclusively on the whole may lead to overlooking details or missing subtle nuances only perceived upon close detailed inspection.
A layered security approach throughout the IT infrastructure works best: slow, methodical, compartmentalized, and thorough. Properly designed network security should support timely delivery of information and adequate response during transactions. A properly secured network provides reliable and stable communications. Well-designed security adapts to changing conditions. Well- designed security anticipates future growth and expansion.
Designing network security is neither a simple nor a short-term task. Thorough network security design must include adequate research, thorough planning, and extensive modeling and testing. The
process of security design must evaluate a wide range of technologies performing an astounding number of functions.
Ultimately, good network security design produces a blueprint to guide the construction of a securely functioning network infrastructure. The blueprint is the foundation for your organization’s security policy. Most network designs have limitations. These limitations include budget, internal politics, regulations, standards, and industry practices. Network design should focus on providing the best security possible within prescribed budgetary boundaries.
One method to reduce compromise by hackers is to keep them from finding your network as a target. By staying offline and only using trusted communication pathways, your organization can avoid significant levels of risk. However, this form of technological hide and seek is not perfect, nor does it eliminate all issues. External hackers might not be able to hack a non-Internet-connected intranet from the outside; however, the risk from disgruntled employees and other internal users is still present.
The idea of hiding from danger is commonly known as security through obscurity. While it’s true that if you are not found, you cannot be attacked, the issue is often a false hope if obscurity rather than actual countermeasures and safeguards protect the network. Being obscure or difficult to locate may be a good thing, but it’s not itself a form of reliable security. Use only direct and real security defenses when you are designing network security.
Security is essential to the long-term survival of any modern organization. Without security, logical, physical, and social breaches would render most companies vulnerable to failure. But security cannot work without balance. You can over-secure an infrastructure to the point where security interferes with work tasks. Usability and security must be in balance. Usability will not survive long without security, and too much security can cripple usability. Good network security design balances security and usability.
One goal of most organizations is to expand and grow. They often seek to attract new customers, support more clients, sell more products, offer more services, make more money, and so forth. But growth can be a two-edged sword. While growth can lead to a more reliable and assured future, it can also cause growing pains. For any organization, growing pains occur when the existing infrastructure, facilities, and even personnel are pushed to the limit or beyond to support the additional workload caused by growth.
Growth can be expected, unexpected, gradual, or abrupt. A proper network design process evaluates and predicts potential growth scenarios and plans contingencies for each. One contingency for growth is to build additional capacity into the current infrastructure. If slow growth is expected, then 20 percent additional capacity may be sufficient, while rapid growth may consume 50 percent additional capacity in a short time (Figure 5-3).
FIGURE 5-3
Rate of growth used to predict needed additional capacity.
Growing too fast is as much of a burden as shrinking. As an organization stretches beyond its capacity to support, sell, create, maintain, respond, produce, and so forth, small problems quickly snowball into avalanches. Steady, controlled, limited growth is often a method of ensuring long-term viability and stability. This is true in general business management and it’s true in network security design.
During the network design phase, consider the scalability of all technologies you select for deployment. Does a component or system have a maximum value or limitation it will quickly reach? Can the component or system expand without compromising efficiency, cost effectiveness, and security? Will the component or system need replacement by a scalable solution once moderate growth occurs? If so, why not use the scalable solution now? Planning for growth will reduce problems associated with outgrowing function and security capacity.
No security endeavor will succeed without the active involvement of senior management. In fact, without its explicit approval and support, any security effort is likely doomed to fail. Senior management has the responsibility to dictate the strategic goals and plans of the organizations and, hence, its IT infrastructure and integrated security. Senior management must approve budgetary funding, encourage compliance, and support security, even when problems occur.
Throughout the entire design and implementation process for network security, senior management monitors and approves progress reports. Senior management steers the organization and its security planning through the changing business environment. But secure network design isn’t only about following the leader; it’s also about integrating every employee into the overall security design process. Security is the responsibility of everyone in the organization, not just managers and
executives. The elements of secure network design touch on every aspect of an IT infrastructure. This
includes hosts, nodes, communications, encryption, local and remote systems, redundancy, and more. Often, the process of designing security starts by focusing a central or core element found throughout the infrastructure. Examples of distributed core components are networking protocols and topologies.
Protocols
A significant portion of network security is about making the right technology choices without falling into easy traps or defaults. One common trap is to continue doing the same thing or using the same product. You need to re-evaluate old technologies and existing solutions on a regular basis. Most organizations choose to perform a security design evaluation annually. When performing a security evaluation, rethink every aspect of the infrastructure, including network protocols.
Most networks use Transmission Control Protocol/Internet Protocol (TCP/IP) as their primary network protocol. Specifically, most networks still use IPv4 as opposed to IPv6. Using IPv4 is not an open invitation for hackers, but it does have numerous commonly exploited weaknesses and concerns. IPv4 typically defaults to a plaintext form of transmission, while IPv6 can be set by default to encrypt transmissions. IPv4 can be encrypted using IP Security (IPSec) or other virtual private network (VPN) protocols.
Other issues to consider include:
Is the current protocol easy to compromise? Are there numerous exploits for this protocol available for novice hackers? Can encryption be applied? Is the process of adding encryption complex or costly? Will encryption interfere with other technologies such as IPSec and network address translation (NAT)?
Is there an alternative or replacement available? Is the alternative backward compatible? Is the alternative supported by all current hosts and nodes?
This is only a partial list of questions you need to consider when assessing the currently deployed networking protocol for possible replacement. The point is to give serious consideration to this issue on a regular basis. Most of the elements of a network’s security are based on the protocol in use. If the protocol has changed or improved, this could cause sweeping changes throughout the production environment—most importantly in the security of that environment.
As a general rule of thumb, if most hosts and software are less than five years old, then upgrading to IPv6 is likely possible with minimal complication. However, if IPv4 with IPSec or other forms of encryption are functioning well within performance and security parameters, there’s no strong need to upgrade to IPv6.
When you consider a protocol upgrade, you’ll need to thoroughly research and test every aspect of the production and security environment to confirm compatibility with IPv6. Any transition is going to have some hurdles, and certainly switching the main network protocol is a candidate for major hurdles. Perform the rollout of a protocol change in stages, only after piloting in a lab, and consider running dual protocols for a transition period.
TCP/IP, or at least IP itself, is not the only protocol in use on most networks. Every single protocol across every theoretical layer of the OSI model network protocol stack needs re-evaluation on a regular basis. Do you still want to continue using Simple Mail Transfer Protocol (SMTP) and Post Office Protocol (POP)? What about File Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), and telnet? If a protocol operates in plaintext, consider using a protocol with native encryption or investigate the possibility of encapsulating it inside an encrypting tunneling protocol, such as IPSec or SSL/TLS.
Are AppleTalk, Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), Systems Network Architecture (SNA), NetBios Extended User Interface (NetBEUI), or other protocols still present on the network? Are they still necessary? Have the older systems requiring them been replaced or removed? Can newer secure alternatives replace these older and insecure protocols? Can any system still using a legacy protocol be replaced to gain host security and remove the protocol?
Don’t let tradition, personal bias, or sunk cost get in the way of making a smart security design decision. Just because something has always been done a certain way doesn’t mean it should continue to be done that way, especially if the old way was insecure. Personal bias in terms of likes, dislikes, comfort, and familiarity are not good business reasons to avoid moving on to more secure solutions.
Sunk cost is the money or investment already made in the past, as opposed to prospective costs that are investments likely in the future. Often, those managers overly concerned with wasting resources already invested will make poor decisions. Avoiding loss is a good principle of business, but just because you have already spent some money, time, and effort does not mean you should continue on a set path. Often, throwing good money after bad is compounding the loss due to sunk cost. If the future benefit of an existing system, solution, or product is not assured, then no amount of sunk cost justifies its continued use. In most cases, you should analyze only future costs and benefits in making a decision. Already incurred expense (sunk cost) should not influence future choices.
Common Types of Addressing
Addressing is the assignment of a logical numbering system to the hosts on a network for the purposes of efficient traffic routing. Addressing is more than just a system imposed by a network topology; it’s often a means to control traffic. Traffic managing through routing and traffic filtering are possible through the use of logical addresses.
The most common protocol in use worldwide is TCP/IP. This network protocol dictates the most common addressing scheme. The addressing schemes of IPv4 and IPv6 are quite different. Some common elements, security concerns, and management techniques remain consistent, however.
Internal IP addresses can be public addresses, private addresses, or a mixture of both. A public address is an address issued by the IANA, monitored by RIRs, and leased directly through ISPs. The
Internet Assigned Numbers Authority (IANA) (http://www.iana.org/) is the entity responsible for global coordination of IP addressing, DNS root, and other Internet protocol resources. A Regional Internet Registry (RIR) is one of five regional organizations that oversee and monitor the use and assignment of IP addresses (both IPv4 and IPv6). An Internet service provider (ISP) may randomly assign or semipermanently lease an IP address to an individual or organization. Public addresses are those obtained from an ISP.
A public address also implies that it communicates directly with resources on the Internet. The Internet itself uses only public addresses. Without a public address, it’s impossible to communicate to or receive responses from an Internet-hosted resource.
NOTE In the past, it was possible to purchase or own IP addresses, specifically large groups or an entire class of addresses. However, this practice is mostly no longer possible, not because ownership of IP addresses is prohibited, but because of the lack of available IP addresses to sell. Many of the original Class A and Class B subnet owners still own, control, and use their purchased address. Some of these are actually ISPs that now lease out subsets of their owned IP address ranges. Today, most public IP addresses are leased rather than sold or owned.
Public addresses are assigned from Class A, B, and C ranges of the IPv4 address spectrum (as Class D and E are reserved for multicasting and experimentation, respectively). Public addresses for IPv6 are most of the 2^128 addresses, except for the fc00::/7 address block.
In a technical specification called RFC 4193, IANA set aside the fc00::/7 address block for use as private addresses for IPv6, similar to RFC 1918 for IPv4. RFC 1918, which provides for private IPv4 addresses, sets aside three class ranges for private use:
Class A—10.0.0.0–10.255.255.255/8 (1 Class A network) Class B—172.16.0.0–172.31.255.255/12 (16 Class B networks) Class C—192.168.0.0–192.168.255.255/16 (256 Class C networks)
technical TIP A DHCP reservation is the pre-assignment of a specific IP address to a host by reserving it using the target host’s MAC address. Reservations ensure that the same address is always issued to a specific host. It can also simulate static addressing, but retain centralized control of address assignment.
A private address is used only within a private network. Individuals and organizations without
approval or a fee from an outside entity can use private addresses. However, using private addresses requires NAT services to communicate with Internet resources. All Internet routers automatically drop any packet with a private address in its header.
Private addresses serve as a basic isolation security measure, as external entities with public addresses cannot directly communicate with internal privately addressed hosts. But a NAT server allows communication with Internet resources.
You should review your organization’s choice to use private or public addresses internally. The issue is not only about saving money. Private addresses are free, while public addresses are usually leased. Private addresses require translation, while public addresses do not. Private addresses are natively isolated from the Internet, while public addresses are not. It’s even possible to mix private and public addresses on an intranet.
Another addressing concern is whether to employ static or dynamic addressing. Static addressing pre-assigns a specific IP address to each host, while dynamic addressing hands out IP addresses to hosts from a pool. Dynamic addressing does not guarantee that a host will always have the same address assigned to it, unless a reservation is created for the host.
Static addressing typically requires that the IP address be configured on each individual host. This ensures that a host always uses the same IP address. However, if changes to the network configuration or topology occur, manual changes to IP addresses on a host-by-host basis involve a significant amount of additional administrative overhead.
Because of this, most organizations use dynamic assignment, typically using a Dynamic Host Configuration Protocol (DHCP) system. If static addressing is preferred, then DHCP reservations can simulate static addressing while maintaining centralized control. With reservation based static addressing, changes can be made by editing the reservations on the DHCP server, without needing to manually adjust each host individually.
When addresses are assigned dynamically, it may be possible for a rogue system to come online and receive a valid IP address just by asking. If addresses are assigned statically, then the attacker will need to discover a valid but unused IP address and manually configure his or her system to use it. Similarly, if DHCP reservations are used, the attacker will either statically assign his or her own address manually or spoof a Media Access Control (MAC) address to “borrow” an IP address from another offline system.
IPv6 While only a small percentage of global Internet addressing is done with IPv6 addresses, and an equally small percentage of exploits take advantage of it, it is important for the security professional to stay up-to-date, and a familiarity with IPv6 is important. IPv6 varies from IPv4 in two important ways. Their packet headers differ in structure, and an IPv6 address has a different size and construction from that of an IPv4 address. There are also a handful of transition mechanisms that allow IPv4 to ride inside of IPv6 packets and vice versa. The transition mechanisms make the job of going between IPv4 and IPv6 easier but can be a nightmare for security and policy enforcement.
An IPv6 address consists of 128 bits, as compared to the 32 bits of the IPv4 address. Addresses are classified into various types for applications in the major addressing and routing methodologies:
unicast, multicast, and anycast networking. In each of these, various address formats are recognized by logically dividing the 128 address bits into bit groups and establishing rules for associating the values of these bit groups with special addressing features. There is no Class A, Class B, etc. in IPv6 as there is in IPv4.
A unicast address identifies a single network interface. The Internet Protocol delivers packets sent to a unicast address to that specific interface.
An anycast address is assigned to a group of interfaces, usually belonging to different nodes. A packet sent to an anycast address is delivered to just one of the member interfaces, typically the nearest host, according to the routing protocol’s definition of distance. Anycast addresses cannot be identified easily, they have the same format as unicast addresses, and differ only by their presence in the network at multiple points. Almost any unicast address can be employed as an anycast address.
A multicast address is also used by multiple hosts, which acquire the multicast address destination by participating in the multicast distribution protocol among the network routers. A packet that is sent to a multicast address is delivered to all interfaces that have joined the corresponding multicast group.
IPv6 does not implement broadcast addressing. Broadcast’s traditional role is subsumed by multicast addressing to the all-nodes link-local multicast group ff02::1. However, the use of the all-nodes group is not recommended, and most IPv6 protocols use a dedicated link-local multicast group to avoid disturbing every interface in the network.
Address management is an important concern of network security. Another concern is the management of communication pathways.
Controlling Communication Pathways
Controlling the flow of information is a key element of network security. This involves ensuring that data travels along pathways isolated, secured, and controlled, and not along pathways that are public, insecure, and uncontrolled. Part of communication pathway control is about topology selection, but it’s also about router configuration, encrypted protocols, physical access management, and filtering.
Routers are the primary network devices administrators use to control the pathways that communications traverse. Failing to design router configuration and deployment with security in mind is a serious oversight. Routers make real-time determinations of the best available path to a destination. However, the information available to a router to make those decisions can be true and accurate or incorrect, falsified, and misleading.
Secure network design includes protections for routers, routing protocols, and routing information. Physical isolation of a router is important to ensure that only authorized router administrators can access the device itself. Failing to protect routers physically means that the logical activities and the resulting routes selected will not be trustworthy.
Routers employ routing protocols to exchange information about routes and connected pathways. This information calculates the best path to guide a packet toward its destination. Depending upon the
make and model of router, the routing protocol, and the related configurations, a hacker can spoof or manipulate routing data through false Internet Control Message Protocol (ICMP) type 5 redirect messages. Configure routers to accept routing information only from other known routers through authentication of the source. Consider also encrypting all communications between routers.
Encrypted protocols are another important aspect of communication pathway security. Even the best design, proper installation, and reasonable physical isolation are not guarantees that a wired or wireless communication channel will not be the target of an eavesdropping, interception, or man-in- the-middle attack. Assuming that physical access is under your control all the time is naïve. The possibility of an internal malicious entity or of the planting of a socially engineered listening device always exists.
To thwart eavesdropping and related attacks based on eavesdropping, you should encrypt all traffic over a network communication link. This especially applies to any traffic traversing a network segment physically accessible from outside your organization’s facilities. But it also applies to physically isolated and internal connections, as well. Compromise of every physical connection is always possible, so the best defense against content eavesdropping is encryption.
Physical access management should always be a part of communication pathway security. Even with encrypted protocols, hackers can gain significant information by eavesdropping on a network segment. Even if you encrypt every single packet (which is often not the case), eavesdropping can still glean a wide variety of information about the protected communications.
Such gleaned information can include a count of the number and size of packets. This can estimate the size of the payload delivered, which in turn can extrapolate the likely type of data, such as e-mail transmission, Web surfing, file exchange, or database synchronization.
Eavesdropping can also glean the identity of the endpoints of the secured communication. If the transaction is using transport mode encryption, then the endpoints are the actual sending and receiving hosts. If the transaction is using tunnel mode encryption, then the endpoints are either both VPN gateways or one end is a remote host.
Eavesdropping can also glean the general identity or purpose of each endpoint discovered, based on the timing of and volume of traffic sent to and from each discovered endpoint. This can allow an outside user to reliably predict which endpoint is a server, a client, or a VPN gateway.
Generally, data gathering through eavesdropping on communications, whether encrypted or not, is known as traffic and trend analysis. Such analysis can reveal many important details about internal processes and the importance, value, or criticality of systems. Thus, even with encryption, prevention of physical access to communication cables and wireless signals is paramount.
Filtering is another important part of communication pathway security. The movement of data between departments, subnets, WAN-connected LANs, and the Internet requires that you monitor and filter communications to prevent violations of disclosure, intrusion, and malicious code infection.
Covert channels are a risk for many organizations in communication pathway security and control. Covert channels are pathways of communication unknown to or uncontrolled by security systems or personnel. Covert channels, whether timing- or storage-based, can leak information out or bring malicious content in.
The best defenses against covert channels include IDS and intrusion prevention system (IPS), as well as thoroughly watching all aspects of an IT infrastructure for aberrant or abnormal events of any
type. Uncovering covert channels is difficult because their very nature is to remain unknown and unseen.
While planning and designing communication pathway security, evaluate the protections you’ll need for inbound and outbound traffic and how to manage internal-only, external-only, or border- crossing communications.
You’ll need to examine inbound traffic by asking several key questions. Is the inbound communication a response to a previous request from an internal entity or is it a communication that originates from an outside source? Responses are often allowed, unless the initial request itself was for a resource that’s off limits. Restrictions along these lines include blocked protocols, IP addresses or domain names, unauthorized services and applications, or users without sufficient or correct authorization.
If the communication has external origins, rather than being a response, is the communication generally allowed or not? If the communication is for a resource offered to the public, then the communication could be allowed. However, if no public resources exist, the communication is more likely unauthorized.
Is the source address in the communication from a known or unknown location, and if known is it known to be malicious or questionable? If the latter, then blocking the traffic is more likely the proper security stance. Is the traffic obviously spoofed? Does the traffic match any known malicious patterns, have any construction anomalies, or have questionable content? Can it otherwise be classified as abnormal or atypical? In most of these cases, the packet should be dropped rather than allowed to continue on to its claimed destination.
You should subject outbound traffic to the same investigations and analysis as inbound. Does the outbound communication take place over an abnormal protocol or port? Does it attempt to communicate with a blocked or prohibited host or service? Is the traffic spoofed, does it have abnormal time stamps, is it a clone of another packet, or is it part of a flood?
Fortunately, inbound and outbound traffic filtering is the primary function and purpose of firewalls using ingress- and egress-focused filters. Secure communications pathway management often requires the use of firewalls. Firewalls are an essential element in secure network design.
One final area of concern for communication pathway security is the difference between traffic management based on whether the traffic is internal-only, external-only, or border-crossing. Generally, internal-only traffic is more trustworthy than any other form of traffic. In most cases, internal traffic originates from a trusted internal host and terminates at a trusted internal host. However, because the possibility always exists of a rogue internal host or a malicious insider, blindly trusting traffic just because it originates internally is a security blunder.
A good practice is to treat all traffic with caution. Trust nothing until it’s proven to comply with security policy and not to match any known malicious patterns. Monitoring and filtering of internal communications is as important as monitoring external and border crossing communications.
Naturally, external-only communications are more likely to be malicious, but since they do not end or originate from an internal source, there’s usually little need for concern. Malicious activity that does not attempt to breach your network borders is not really your problem. However, if external only communications are defined as those that do not interact with your intranet but which may interact with your DMZ or extranet, then you should be concerned.
With this definition of external only communications, you must filter, monitor, and block the most obvious malicious packets and events, but still allow any conforming communication request even if the origin or source is unfamiliar.
Border-crossing communications are those that either leave the intranet heading to the Internet or enter the intranet from the Internet. In either case, an increased risk of compromise exists. Inbound communications could be carrying malicious code or an intrusion attempt. Outbound communications could be revealing internal secrets or distributing confidential files. While these are extreme examples, they’re not uncommon. Most border-crossing traffic is benign, but since the risk of malicious traffic is greater at border crossings, you need additional filtering, monitoring, and blocking.
Controlling communication pathways is an important part of managing and designing network security. But another important piece of the security puzzle is management of hardened systems between which the secured communications take place.
Hardening Systems
Hardening systems focuses on improving security of hosts and nodes. Hardening is the process of reducing the attack surface of a potential target by removing unnecessary components and adding in protections. While each organization usually creates its own custom and internal hardening processes and procedures, most hardening guidelines have common elements and components.
Some of the common recommendations to improve the security or harden a host include:
Remove all unnecessary protocols. Uninstall all unnecessary applications and services. Define a complex password for all accounts; do not leave any account with a default password or a blank password.
Configure account lockout and define a logon warning banner. Install all available final release updates, patches, fixes, service packs, and so on for the operating system and every remaining application and service.
Update all hardware device firmware or BIOS with the latest final release from the vendor. Install the latest final releases of all device drivers. Install and update antivirus and anti-malware scanners. Configure communication encryption. Install and configure a host firewall. Use a file system that supports file level permissions and auditing. Configure system monitoring and auditing. Synchronize the clock. Run vulnerability assessment tools against the host, such as HFNetChkPro and Nessus. Configure regular backups.
Impose any organization-specific security limitations, such as blocking USB drives or using whitelist execution management. This is often performed using a security template file.
In Windows, disable the guest account, and rename the Administrator account. In Unix, establish policies whereby the root account is never used directly, but administrators must use the su command to obtain root access (thus creating a log of their events).
In addition to these hardening suggestions, organizations add additional steps to their securing procedures based on the purpose of the system, the criticality of the system, and the risk present in the environment.
Once you’ve hardened your system, you must maintain it over time. On a regular schedule, re- examine every host against your organization’s hardening policies to ensure compliance. Remove from service any system out of compliance with hardening policies until you are able to bring it into compliance. Then investigate the cause of the security noncompliance and take countermeasures to prevent a re-occurrence.
Equipment Selection
Equipment selection is a commonly overlooked aspect of secure network design. The general belief that any hardware capable of performing an IT function is suitable for deployment is, unfortunately, not the case. Both cheap and expensive products may have well-known or not-yet-discovered security flaws.
Arbitrarily or automatically choosing the least expensive or the most expensive products isn’t a winning security strategy. You should carefully evaluate each piece of computer equipment, from network device to host system, for its native security defenses or lack thereof, regardless of its cost.
As you select, purchase, and deploy equipment, consider the vulnerabilities introduced and any protections or improvements to the infrastructure’s security stance. Every piece of equipment will either improve security or reduce it in some way. Some equipment adds new weak points or expands the organization’s attack surface, while other equipment will act as a countermeasure, protecting weak points of other components and reducing the attack surface.
Whenever possible, select equipment providing greater improvement to security rather than acting as a detriment. This seems an obvious guideline, but you can only follow it if you are conscientious about evaluating the security profile of each device. Failing to evaluate the security of a new device properly could mean that you inadvertently introduce new vulnerabilities into the organization’s network and systems.
Some of the security concerns regarding equipment include:
Electricity consumption—Excessive energy use can cause not only increased electric bills, but also increased temperature within the device and on electrical distribution systems. A circuit drawing too much power can cause a breaker overload. A tripped breaker causes downtime and may cause data loss and equipment damage.
Heat produced—The more heat a device produces, the more the heating, ventilation, and cooling (HVAC) system must work to keep the temperature of the room within acceptable
boundaries. Excessive heat-producing devices can also increase the risk of fire. Reset button—A reset button is used to return a device to the default factory settings. Any defined security configuration on the device is lost if someone presses the reset button. When possible, select equipment without a reset button or a button that can be disabled to provide physical security for the device.
Easy-access power switch—If the power switch is easily accessed or triggered, casual contact with the device could cause power interruption. Additionally, an easy-access power switch allows a malicious person to power off equipment or trigger a reboot.
Easy-access management console port or interface—If device can be reconfigured through an LCD screen and a few buttons (such as a printer) or if a console or terminal port allows quick access to a configuration or management interface (such as a wireless access point, router, or switch), then use caution when deploying the device and assess the level of physical access security.
Removable media—Equipment with removable media bays (such as tapes, optical discs, floppies, and so on) or external peripheral ports (such as universal serial bus [USB], firewall, Ethernet, and so on) may be easier to compromise than those with fewer or none of these access points.
Removable case—The easier it is to remove or open the case of a device, the easier it is to hack into the device, plant a listener, or modify its functions.
Portability—Is the device small enough to fit into a pocket, purse, or backpack, making it easy to steal?
Rack mountable—A rack-mounted device is less likely to be stolen once screwed into a rack case, which can be locked.
BIOS/firmware flashing—Being able to change the embedded software of a device is both a benefit and a problem. Flashing to an updated, more secure version of firmware is a positive benefit. However, being able to replace firmware with a third-party version or an older version with flaws could be a problem if a hacker can perform this easily.
Remote connection—If remote connectivity to a device is possible, then risk increases. Limit, encrypt, and monitor remote connections.
Plaintext protocols—The more a device defaults to or only supports plaintext protocols, the less secure it is. Choose equipment than supports encryption.
Many other aspects of equipment security are important when evaluating the deployment of a new device. Whether a high-end server, a user’s notebook, a smartphone, a network router, or anything else, consider the security of equipment thoroughly and don’t just make purchasing recommendations based on equipment cost.
Keep in mind those devices that are cheap or free up-front may cost considerably more to manage and secure over time than a more expensive device. However, just because something has a high cost doesn’t ensure that it has a low security management requirement. Money alone is rarely the true measure of the security of anything.
Authentication, Authorization, and Accounting
Security ultimately is supported and enforced by authentication, authorization, and accounting (AAA). AAA is part of field of security commonly referred to as identity and access management (IAM). Without all three of these security fundamentals properly implemented, real security cannot exist.
Authentication is the verification or proof of someone or something’s identity. The most common form of authentication is the use of a password. While passwords are the most common, they are also one of the weakest forms of authentication. People typically pick passwords that are easy to guess or that are somehow predictable. They often reuse the same passwords on multiple systems.
Passwords reside in account databases in hashed form, which means the original password can’t be recovered from the hash value. However, by hashing large numbers of potential passwords, password-cracking techniques can potentially match a password hash to the target hash. Password- cracking techniques including dictionary password attacks, brute-force password attacks, and hybrid attacks can often reveal poorly constructed passwords.
technical TIP Password cracking typically focuses on generating and hashing large numbers of passwords with the goal of matching a stolen or captured password hash. Dictionary password cracking uses a pre-created list of potential passwords. Each password from the list is hashed using the same hashing algorithm as the target/stolen password. If a match is found before the list is exhausted, the attack is successful.
A brute-force password attack builds potential passwords out of a selected character set, creating ever longer and longer passwords using every possible valid combination of characters. The hacker hashes each crafted password and compares it to the target hash until a match is found or the attack is abandoned. Given enough time and the right character set, a brute-force attack will eventually be successful.
A hybrid attack uses a dictionary list as seed passwords that are then brute-force-modified. First the hacker makes all possible one-character modifications, then two, then three. This technique is often more successful, since many people pick an easy-to-remember word and then make only a few character modifications, such as changing an “a” to an “@” or an “l” to a “1” or just adding one or two characters.
The best defense against password-cracking techniques is to select a long password. For example, using at least 15-character passwords on Windows systems avoids the weakness of the backward-compatible (and vulnerable to brute-force cracking) LANMAN hash of passwords 14 character or less. Adding complexity (mixing multiple character types: uppercase, lowercase, numbers, and symbols) and using multiple words or phrases instead of a single base word also improve password strength.
A dynamic password token is a device with a display screen that shows a seemingly random
non-repeating one-time use password. The password displayed on the token must be included in the logon process, usually with a separate Type 1 PIN or password. This two-part mechanism is a form of multifactor authentication.
Multifactor authentication is significantly more secure than any single factor form of authentication. Passwords are but one example of the first type of authentication factor. Three commonly recognized authentication factors are:
Type 1—Something you know Type 2—Something you have Type 3—Something you are or do
Something you know can be anything you memorize so that you can type, write, or speak it when asked to authenticate. Passwords are the most common example of a Type 1 authentication factor.
Something you have can be anything you must physically carry with you, such as a device or token. These can include metal keys, smart cards, radio-frequency identification (RFID) chips, ID badges, or electronic devices known as dynamic password tokens.
Something you are or do is commonly known as biometrics. Some part of the human body is used as an element in an authentication process. This can include fingerprints, retina scans, facial geometry, palm scans, signature dynamics, keystroke dynamics, and voice-pattern analysis.
A mixture of two or more authentication factors is multifactor authentication. Multifactor authentication is much more secure than single-factor. With single-factor authentication, an attacker only needs to have a single skill or exploit to successfully log on with a compromised user account. With multifactor authentication, an attacker needs to have multiple skills or exploits to successfully log on with a compromised user account.
Strong authentication prevents unauthorized entities from gaining easy access to the internal workings of an organization’s infrastructure. Apply strong authentication to the logical environment as well as the physical environment.
Authorization, commonly known as access control, defines what actions a user can and can’t perform. Proper granular use of authorization ensures that authorized users perform only authorized activities.
The principle of least privilege is often a good guideline on which are the most appropriate authorization settings to make. This principle states that you should grant users the fewest capabilities, permissions, and privileges possible to complete their assigned work, without additional capabilities. In other words, you grant users enough power and access to perform their assigned work, but no additional capabilities beyond their job descriptions are necessary.
Accounting is the activity of logging, monitoring, and auditing the environment, focusing both on users as well as system activities, to check for security policy compliance. Accounting is the process of holding users and systems accountable for their actions and activities. Through the use of thorough accounting and detailed auditing, you can detect and respond to any violations, attempts to violate, or
trends towards violations. Remember, security is locking things down, and then watching for attempts to breach the lock.
Authentication and authorization are forms of locking, and accounting is the watching. However, these are not the only forms of locking and watching on a secure network. Another important area of network security is communication encryption.
Communication Encryption
Communication encryption is the use of encryption protocols to secure the contents of communications. Use encryption anytime a transaction occurs with an outside entity. Use encryption when a communication crosses a segment that is at risk of eavesdropping. You should also use encryption internally whenever the potential for loss or compromise, even by internal personnel, would cause significant harm to the organization.
You can protect transactions by encryption in two main ways. One is to use encapsulating intermediary protocols that provide encryption, such as IPSec and SSL/TLS; another is to encrypt data before it goes to a network protocol.
Protocol encryption ensures that all or most data sent over the network is safe from eavesdropping, modification, and other forms of compromise. A widely used mechanism of protocol encryption is that of a VPN. VPNs can function between individual systems or between entire networks or any other combination of endpoints.
Data encryption, performed either by the client or server software, ensures that even if the protocol encryption fails or is compromised, the data itself is safe by its own encryption. Software or data encryption is not as interoperable as protocol or VPN encryption, but it can be a viable option when both endpoints of the transaction are using compatible software components.
When in doubt, always encrypt. While not a perfect solution (indeed, no perfect security solution exists), encryption offers significant protections from outside eavesdropping and modification. However, encryption fails if the selected algorithm is poor, if key management is insecure, if either endpoint of the communication has been compromised (such as by hacker intrusion or planting of malicious code), or if intermediary network nodes that decrypt and reencrypt fail.
Choosing to encrypt by default is an excellent network security rule of thumb. This guideline does not imply that the same encryption protects both internal-only communications as well as those that cross the network’s boundaries. In deciding what encryption to use, it’s important to consider where the hosts are located.
Hosts: Local-Only or Remote and Mobile
When designing network security, focus on the function of each device as well as the physical and logical location of the device. When a host is local and communicates only with other local hosts, then you can use slightly less stringent security on internal communications. However, when a host is remote or mobile or otherwise outside of the private network, use significant additional precautions.
Once you allow remote access, you lose the benefit of the physical access controls. Once you
support remote connectivity, a hacker or intruder need no longer be physically present in a facility to launch an attack. Thus, remote access itself is a risk, and it lowers the overall security of an environment. To compensate for this security reduction, you should impose more rigid limitations in terms of authentication, authorization, and accounting.
As security is designed and deployed, consider the purpose or function of each device, especially clients and servers, as well as its location in one (or more) of the seven domains of a typical IT infrastructure (refer to Figure 5-1). Then, consider what other devices will need to communicate with it. The more vulnerable the communications pathways, the more security you will need to impose.
If both endpoints are physically located in the same facility, but the network pathway linking them involves any exterior segments, then the transaction demands greater security than a local-only communication. If the endpoints are geographically distant, then you need to use encrypted communications.
Remote and mobile devices are inherently more risky as they are exposed to a greater number of potential threats. Inside the office, most threats are known, controlled, and monitored. But mobile and remote devices are potentially exposed to unknown, uncontrolled, and unmonitored situations, data, software, and users. Being outside of the organization’s facility also means less strictly controlled physical access to the device.
technical TIP Location-aware anti-theft software periodically collects IP information and any available location data and uploads it to a centralized site. If the owner of a system reports the item lost or stolen, this automatically posted data might help recover the device. However, if the thief reformats the hard drive, then the anti-theft software might be removed.
These changes to security and potential exposure to risks require additional protections on remote and mobile devices. These devices should continue to host antivirus scanners, anti-malware scanners, and host firewalls. But they can also benefit from whole hard drive encryption, multifactor authentication, and location-aware anti-theft software.
Remote and mobile devices are most likely to be out of compliance with security requirements, such as patch levels or application of security templates. A Network Access Control (NAC) system can isolate and quarantine devices until they have installed all the necessary patches and updates.
Even with good host management, whether local, remote, or mobile, consider redundancy requirements. Is one of something enough or just enough to cause a significant problem when it goes offline?
Redundancy
Security is not complete without adequately addressing preparedness. Redundancy is at the heart of preparedness. Can your organization survive downtime, blackouts, communication loss, server crashes, hard drive failure, floods, building eviction, virus infection, or any other potential threat? In most cases the ability to answer, “Yes, the organization can survive,” depends on the level of preparedness of that organization.
Preparedness is also known as business continuity planning or disaster recovery planning. The purpose of such planning is to ensure a plan exists to recover from any realistic threat. Assess each serious threat to the stability and function of the organization. Then, develop procedures to respond to the threat. The procedure can focus on prevention or recovery (or a combination of both).
A core element throughout this form of planning is redundancy. Redundancy is the act of avoiding single points of failure by building in multiple elements, pathways, or methods of accomplishing each mission-critical task.
Redundancy works in many ways. Redundant Array of Inexpensive Disks (RAID) is a form of redundancy for hard drives. RAID protects against drive failure. Uninterruptible Power Supply (UPS) is a form of redundancy for power. UPS devices provide temporary power in the event of a brownout or blackout. A UPS can trigger a graceful shutdown to prevent loss of data if facility power is not restored promptly.
Redundancy can apply to communication pathways. Good network design requires at least two pathways to every important resource. Redundant links to and from clients may not be a strong need in most cases, but having multiple pathways to reach resources is often essential.
Redundant communication links for voice and data are also important considerations. Construction workers could accidentally dig in the wrong location and sever the primary wire bundle supporting the organization. Redundant lines to service providers could make the difference between a nuisance and a company-ending event. Do you want to leave the power of terminating your organization in the hands of outsiders?
Redundant firewalls, proxies, routers, switches, servers, and databases begin to make security and financial sense once they become an essential or mission-critical element of the IT infrastructure. Don’t entrust the viability of an organization to any single component. Always have a secondary option or backup plan.
Failing to plan is planning to fail. Hardware failures, mistakes, accidents, or intentional damage will occur in every system in an organization at some point. No organization is immune. The difference is whether an organization is prepared for the problem with a ready-to-use response solution, or will be caught off guard, scrambling to recover in a panic.
Endpoint Security
Implementing network security is about both the big picture and the granular details. Infrastructure design, topology, and redundancy are all important big-picture items. But do not overlook the details that need attention on a node-by-node basis.
A node is any device on the network, even those without an IP address. Node security focuses on the tasks for each type of networking device to improve its security. Node security or node hardening
takes the generic recommendations of system hardening and expands them with additional node/host specific improvements.
Clients Clients are the devices directly controlled by people. Thus, clients must protect the network from the user and vice versa. Thinking of clients as two-way interfaces can assist in proper security design and implementation for this command and essential IT infrastructure component.
Every client needs the following security elements:
Antivirus and anti-malware scanners Host firewall Secured Internet client software such as browser, e-mail, file transfer, and chat Password-protected screen saver with auto timeout Ability to encrypt network communications Ability to encrypt storage devices Auditing of all user activity An integrity checking system that monitors for unauthorized file changes using hash value comparison
Clients should be subject to NAC procedures to prevent an insecure client from compromising the rest of the network. Use multifactor authentication whenever possible to minimize the risk of an unauthorized person gaining access to the client and hence the entire network.
Another recent shift for organizations is to allow, even encourage, employees and contractors to Bring Your Own Device (BYOD). The use of an individual’s personal cell phone, tablet, personal laptop, or similar device lowers the cost to the organization but also raises many different security questions, which range from policy to implementation. For instance, who is responsible for the applications that are run on the device and their security? Who owns and is responsible for the content and protection of the files created on the device? What if the specific device is incapable of running specific organization-decreed security software such as antivirus or even VPN software? Or what if the owner of the device just doesn’t want to allow a security scan or to run certain software? BYOD brings along with it a yet-to-be understood array of security problems—problems that are growing in importance each day, especially because of the growing population of BYODs and because those devices are wireless.
Servers Servers are the backbone of any IT infrastructure. Whether a file server, database host, e-mail server, proxy server, or authentication server, a server is usually supporting an essential or mission-critical function for the organization. Servers need protection against downtime. This can include redundancy in terms of RAID, duplicate servers, and/or clustering.
Duplicate servers means having two identically configured systems running side by side, but only one is performing services live for the network. The second system is acting as a backup and receives all data changes as they occur. In the event of the primary server failure, the secondary server can take over supporting the services for the network.
Clustering is having two or more identically configured systems running as a collective. All the systems share in supporting the live service to the network. If any member of the cluster goes offline, the remaining members continue supporting the service. Clustering allows for a service to be available consistently while still allowing for scheduled maintenance and occasional individual server downtime.
Servers need strong multifactor authentication to ensure that only administrators ever have the ability to log into them at the keyboard. You should sequester servers in a dedicated room or vault to prevent casual or intentional access by unauthorized users. Lock and monitor the server vault at all times.
Routers Routers are an essential traffic-management device of any network. Network router security is primarily about preventing unauthorized access. First and foremost, a router should be physically inaccessible to any non-administrator. All router configuration or management interfaces must require strong authentication. Some environments have elected to eliminate local accounts on the routers themselves and rely upon Terminal Access Controller Access-Control System Plus (TACACS+) for router authentication and access.
Limit management interface access to a direct console or terminal cable connection only, rather than allowing in-network access. Require that all management interface communications and router- to-router communications be encrypted.
If a password is stored in a configuration file for the router, be sure to use an encoding scheme that is not easily cracked or reverse engineered. For example, the Cisco IOS password 7 hashing method uses a weak reversible algorithm and can be cracked easily using software tools dating back to 1997.
Generally, configure the following on the router:
Block all directed IP broadcasts. Drop all packets from the Internet using an RFC 1918 source address or any other internal address.
Disable the TCP and UDP small services of echo, chargen, discard, and daytime. Enable a warning banner for all attempted connections to the router, especially to the management interface.
If SNMP is used on the network, require the use of SNMP v3, which allows for encrypted transactions and authentication of SNMP sessions. Then, use custom community names rather than the default public or private communities.
Consider the software or firmware of the router. Only install full final releases, never beta or
partial firmware. If you are concerned that the latest release has not been thoroughly tested in the real world, sticking with a previous release is acceptable, provided there are no published reports of critical security flaws.
Try to limit the use of a router as a filtering device. Keep the router table focused on traffic routing and implement firewalls to provide content filtering and blocking of suspicious or malicious traffic. Protect any router considered a border router with a firewall.
Switches Switch security is similar to that of router security. Maintain control over who can physically reach the switch. Limit access to management consoles and require strong authentication to access the management interface. If a password is stored in a configuration file for the switch, be sure to use an encoding scheme not easily cracked or reverse engineered.
If SNMP is used on the network, require the use of SNMP v3, which allows for encrypted transactions and authentication of SNMP sessions. Then, use custom community names rather than the default public or private communities.
Consider the software or firmware of the switch. Only install full final releases, never beta or partial firmware. If you are concerned that the latest release has not been thoroughly tested in the real world, sticking with a previous release is acceptable, provided there are no published reports of critical security flaws.
Consider deploying switches that support IDS-like features such as watching for MAC spoofing and ARP flooding. MAC spoofing tricks a switch into thinking a hacker’s computer is actually a legitimate host. The hacker steals or spoofs a legitimate MAC address. If a switch is monitoring for MAC addresses that change ports, then MAC spoofing ceases to be a serious threat unless a hacker can physically access the port connection of the MAC he or she is trying to spoof.
ARP flooding overloads a switch’s mapping table so that instead of forwarding packets out the correct port, the switch will default into flooding mode and transmit packets out all ports. This type of attack is part of active sniffing. Active sniffing is an attempt to eavesdrop on switched networks.
Use switch features such as Virtual Local Area Network (VLAN) support and auditing ports. VLANs are hardware-imposed network segmentation. VLANs control traffic. Using VLANs to manage traffic is often cost-effective, since it does not require re-cabling or changing of IP addresses; all of the VLAN configuration takes place within the switch.
The audit, mirror, or IDS port on a switch connects an IDS or IPS to monitor all the traffic traversing the switch. Since a switch only transmits data out the port where its intended destination resides, attempting to monitor all traffic on a switched network is not possible without the use of the auditing port.
Also, disable all unused switch ports. This prevents the easiest method of adding rogue devices to a network—namely, plugging into an open port.
Firewalls and Proxies Firewalls and proxies defend the network, but you need to secure them as well. Otherwise, if a
hacker can compromise the firewall, then the security it provides is unreliable. Firewalls and proxies, as with routers and switches, need physical access protection. No non-
administrative user should be able to gain direct physical contact with a firewall or proxy. Limit access to management consoles and require strong authentication to access the management interface. If a password is stored in a configuration file for the firewall or proxy, be sure to use an encoding scheme not easily cracked or reverse engineered.
If simple network management protocol (SNMP) is used on the network, require the use of SNMP v3, which allows for encrypted transactions and authentication of SNMP sessions. Then, use custom community names rather than the default public or private communities.
Consider the software or firmware of the firewall or proxy. As noted earlier, only install full final releases, never beta or partial firmware. If you are concerned that the latest release has not been thoroughly tested in the real world, sticking with a previous release is acceptable, provided there are no published reports of critical security flaws.
A firewall should drop all packets addressed directly to the firewall, as the firewall does not host traditional services accessed in this manner. The same is generally true of a proxy server, but some instances apply where the proxy server is either directly communicated with or that hosts additional accessible resources.
Make a final security evaluation of any device, including firewalls, proxies, switches, routers, servers, and clients. You can perform this evaluation using an automated vulnerability scanning tool or a custom manual penetration test. The goal is to find any remaining vulnerabilities in these devices so they can be made as secure as possible, as quickly as possible.
CHAPTER SUMMARY Network security implementation relies on a thorough understanding of your organization, its goals, its risks, and the technologies employed within your IT infrastructure. Before you can properly deploy network security, you must first design it. Most network security designs include layers of defense as well as sufficient capacity for growth.
Network security includes an evaluation of the protocols and topologies your organization uses. If the current design is insufficient, replace it with a design that addresses productivity and security. You need to assess the addressing schemes in use, whether public or private, static or dynamic, in light of how they improve or detract from security.
Other important components of network security design and deployment include controlling communication pathways; hardening systems; and selecting proper equipment, authentication, authorization, accounting, communication encryption, types of hosts, redundancy, and node security specifics.
KEY CONCEPTS AND TERMS
AppleTalk Attack surface Bring Your Own Device (BYOD) Brute-force password attack Dictionary password attack File Transfer Protocol (FTP) Hybrid attack Identity and access management (IAM) Internet Assigned Numbers Authority (IANA) Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) Modeling NetBIOS Extended User Interface (NetBEUI) Network News Transfer Protocol (NNTP) Piloting Post Office Protocol (POP) Regional Internet Registry (RIR) Security through obscurity Simple Mail Transfer Protocol (SMTP) Sunk cost Systems Network Architecture (SNA) Telnet
CHAPTER 5 ASSESSMENT
1. Which of the following is not an important factor when included as part of network design? A. Usability B. Capacity C. Obscurity D. Growth E. Defense in depth
2. All of the following are elements of network design except: A. Satisfying security goals B. Understanding of the seven domains of IT infrastructure
C. Implementing multiple layers of defense D. Thorough research and planning E. Utilizing a single vendor
3. Which IT infrastructure domain does not require firewalls to be included as part of its network design? A. Workstation Domain B. LAN Domain C. User Domain D. Remote Access Domain E. System/Application Domain
4. Which of the following is a benefit of private addressing that is not present in public addressing? A. Isolation from the Internet B. Subnetting C. Use of IPv6 D. Routing traffic E. Filtering by source and designation address
5. Why would a network implement public addresses internally instead of private addresses? A. To avoid the use of NAT B. To be able to custom subnet C. To maintain isolation from the Internet D. To prevent external initiation of communications with internal hosts E. To reduce costs
6. How can static addresses be simulated with DHCP? A. Round robin assignment B. Manual configuration on each host C. Duplicate MAC addresses D. Reservations E. DNS reverse lookup
7. Which of the following is a flaw or weakness that both static and dynamic addressing share? A. The assignment server can go offline. B. Changes require manual modification on each host. C. Public queries will fail. D. Hackers can spoof valid addresses.
E. The first half of the address identifies the NIC vendor.
8. What is a primary benefit of system hardening? A. It reduces user performance. B. It increases network throughput. C. It decreases the attack surface. D. It improves host ROI. E. It tracks attempted intrusions.
9. All of the following are elements of system hardening except: A. Removing unnecessary protocols, services, and applications B. Implement ingress and egress filtering against spoofed addresses C. Installing patches and updates D. Configuring encryption for storage and communication E. Installing antivirus and a host firewall
10. All of the following are true statements about system hardening except: A. System hardening is a one-time process that does not need to be repeated on the same host. B. System hardening removes or reduces many known vulnerabilities. C. System hardening is different for each system with a unique function. D. System hardening is dependent on the location or placement of a host within the seven
common domains of an IT infrastructure. E. Any system discovered to be out of compliance with system hardening guidelines should be
quarantined until it can be repaired.
11. System hardening should be applied to all of the following except: A. Clients B. Servers C. Switches D. Routers E. Cable adapters
12. Which of the following is not usually part of the system hardening process? A. Updating hardware firmware or BIOS B. Installing additional RAM C. Configuring a backup process D. Configuring account lockout E. Replacing outdated device drivers
13. What is the essential purpose or function of authentication? A. Controlling access to resources B. Monitoring for security compliance C. Watching levels of performance D. Verifying entity identity E. Preventing distribution of malware
14. What is the essential purpose or function of authorization? A. Granting or denying access to resources B. Checking policy compliance C. Identifying entities D. Monitoring levels of utilization E. Detecting spoofed content
15. What is the essential purpose or function of accounting? A. Detecting intrusions B. Proving identity C. Controlling access to assets D. Recording the activities and events within a system E. Throttling transactions
16. What is the essential purpose or function of encryption? A. Verifying integrity B. Proving the identity of endpoints C. Protecting content from unauthorized third parties D. Maintaining performance E. Validating parking
17. A remote host has all of the following additional security issues or concerns in comparison with a local host except: A. Potential exposure to unfiltered Internet B. Poor end user training C. Greater risk of physical theft D. Possible lack of patches and updates E. Additional interaction with external entities
18. Which of the following is a protection against a single point of failure? A. Encryption
B. Filtering C. Auditing D. Redundancy E. VPNs
19. When performing node security on a router, all of the following are important concerns, except: A. Blocking all directed IP broadcasts B. Disabling echo, chargen, discard, and daytime C. Watching for MAC spoofing D. Dropping RFC 1918 addressed packets from the Internet E. Enabling a warning banner for all attempted connections
20. When configuring node security on a switch, all of the following are important elements except: A. Enabling keystroke logging B. Limiting access to management interfaces C. Monitoring for ARP flooding D. Upgrading to SNMP v3 E. Using a final version of firmware
CHAPTER
6 Network Security Management
COMPUTER NETWORK SECURITY is not a final solution or a task to be completed. Security is a continuous journey. Safeguards and infrastructures that worked before might offer little or no protection against future attacks. You must constantly develop and deploy new defenses against new exploits. This vigilance is the essence of network security management.
Network security management strives to maintain established security, adjust the infrastructure to future threats, and respond to breaches in a timely manner. Using a variety of techniques and tools, including incident response, host security, backup and recovery, checklists, and security assessment, network security management is a complex, but essential component of long-term, reliable security.
Chapter 6 Topics
This chapter covers the following topics and concepts:
What best practices for network security management are
What fail-secure, fail-open, and fail-close options are
What the important elements of physical security are
Why is it essential to watch for compromise
What incident response is
How to trap intruders and violators
What containment is
How to impose compartmentalization
How to use honeypots, honeynets, and padded cells
What some essential host security controls are
How to properly implement backup and recovery
What the importance of user training and awareness is
What some important network security management tools are
How to create and use a security checklist
What the basics of network security troubleshooting are
What compliance auditing is
What security assessment is
What a configuration scan is
What vulnerability scanning is
What the purpose of penetration testing is
Why post-mortem assessment review is important
Chapter 6 Goals
When you complete this chapter, you will be able to:
List examples of network security best practices
Describe the importance of physical security
Compose a procedure for incident response
Enumerate key components of an effective network security installation
Describe the methods of network security assessment
Network Security Management Best Practices
Network security management best practices are recommendations, guidelines, or standard operating procedures for obtaining reasonable security on a real-world budget. Best practices are usually not specific recommendations for products or tools; instead, they are recommendations for philosophies, stances, or concepts to use. The following items are suggested best practices. These might not apply to every environment, although you should consider, adapt, or adopt each when appropriate.
The foundation of any security endeavor and the start of security best practices is having a written plan. A written security policy has no substitute. Any other method, any other process, and other attempted procedure for defining, implementing, and managing security will fail. Only a written security policy has the potential to succeed.
To have a plan, you must thoroughly understand your organization’s infrastructure, its mission and goals, and the processes necessary to produce its products and services. This means understanding what technology your co-workers need and use, what assets are involved, what resources are consumed, where everything resides, and how users access the infrastructure. Consider larger and more complex environments in light of the typical IT infrastructure.
A written security policy establishes a documentation trail that everyone in the organization can subscribe to. To write a comprehensive security policy, you must first thoroughly inventory and examine every component of the IT infrastructure. Only when you fully understand the environment can you create a comprehensive and effective security policy.
To create a useful and relevant security policy, perform a risk assessment. The process of understanding assets, vulnerabilities, threats, and likelihoods is at the heart of risk assessment.
Once you have designed and deployed a written security policy, regularly review the policy. Investigate whether the overall quality and reliability of the existing security is sufficient or in need of improvement. Verify that assets are still properly protected. Evaluate whether prevention, deterrence, and response have been adequate and effective. Wherever you discover a deficiency, act to improve and rectify the situation immediately.
Security cannot succeed without the solid endorsement and support of senior management. Executives should support the security policy, follow the limitations themselves, and stand behind the decisions made by you and the IT staff. When the security staff and the executives are focused on the same goal, solutions will follow. When these two groups are not working in concert, time, money, and effort go to waste, and network security fails.
Establish a no-exceptions policy. Every device connecting to the company network must be in full compliance with the security policy and current with approved patches and updates. Block any device not in compliance with these restrictions from interacting with the network. This effectively is the function of a NAC (network access/admission control) service. But it should also be a written element of the security policy. Define “no exceptions” in writing, and then use technology to enforce this element of the plan.
Maintain physical control over all personnel access to IT equipment. Block access to all servers or networking equipment to all non-administrative users. Limit access to client systems to authorized personnel within each department. Ensure that departments are separated by locked doors. Limit visitor, consultant, and other authorized non-employee access primarily through a mandatory escort system. More suggestions about physical security are included in a later section in this chapter.
Limit and filter Internet connectivity. In spite of many users’ desire for an unrestricted, unmonitored Internet connection for personal use, the Internet poses a significant risk for most organizations. An unrestricted or unfiltered Internet connection is a pathway for malicious code, social engineering attacks, and intrusion attempts. If an Internet service, protocol, domain, or IP address is not essential to a necessary business task, block it. Computer access to the organization’s network and assets is for work tasks, not personal activities.
Install antivirus scanners, anti-malware scanners, and firewalls on every host. Every portable device, every desktop workstation, and every server should have these malicious code and malicious traffic protections. No system is immune to malware and malicious communications; basic filters and barriers to known issues prevent easily avoidable compromises and downtime. Antivirus and other host essentials are discussed further later in this chapter.
FIGURE 6-1
An example of defense in depth around an asset.
Do not rely upon single or individual defenses. Attempt to interlock and layer defenses. Implement defense in depth or a multiple-layered defense wherever possible (Figure 6-1). By following a defense-in-depth design concept, you will protect each asset with numerous safeguards. As one defense tool interlocks with another, they overlap—like medieval armor plate—and improve the overall security. The strengths and benefits of one countermeasure can supplement or compensate for the weaknesses and limitations of another.
When possible, avoid remote access. Limit access to local direct connections only. When remote access is necessary, require a virtual private network (VPN). Once you allow remote connectivity, you allow the possibility of remote hacking. Remote hacking attempts to breach security without the need to be physically at or within the target’s facilities. Requiring VPNs for all remote connections reduces this threat by preventing open connections or communications vulnerable to eavesdropping.
Any device that is portable or easily accessible by a non-employee should use whole hard drive encryption or at least file encryption. While not absolutely foolproof, encrypting an entire hard drive makes accessing the data on a portable device much more complex. If a system is stolen when powered off, the hard drive’s encryption typically presents an insurmountable barrier. If the equipment is running when stolen, a hacker might bypass the hard drive encryption by hacking the encryption key out of active memory. However, this is an unlikely attack.
Require encryption of all internal network communications. Use Internet Protocol Security (IPSec) to secure all intranet communications. This is often an easy and cost-effective means to quickly reduce the risk of eavesdropping, man-in-the-middle, replay, and many other forms of network attacks. Well-encrypted data is much less likely to fall into the hands of hackers, thieves, and unauthorized personnel.
Harden internal hosts as well as border devices. Do not focus exclusively on one area or issue of security to the exclusion of all others. Provide consistent and thorough security throughout the IT infrastructure. All networked devices are at risk—perhaps from different threats, but still at risk.
Always test new code before deployment onto a production system. No matter what the source of new code, you must test it. Even if an internal programmer wrote the code, you must test it. Even if the code addresses a mission-critical issue, you must test it. Test all new code without exceptions. Any and all untested code is unauthorized and should be blocked from all production systems.
Implement multifactor authentication whenever possible. Single-factor authentication, especially password-based authentication, is no longer a truly secure or sufficient method of protecting the logon process. Adding at least one additional factor significantly increases the authentication security of the environment. Once multifactor authentication begins, allow no exceptions that fall back on single-factor solutions. Otherwise, intrusion efforts will focus on the single-factor pathway.
Back up, back up, back up: Backups are the best form of insurance against data loss. Don’t store backups on the same system or even in the same locale as your other assets. Store backups on separate storage devices. While you can store backups both onsite and offsite, offsite is the preferred secure location in the event of natural or manmade disasters. Backup and recovery are covered in more detail later in this chapter.
If an asset is worth the time and effort to secure, then it’s worth monitoring as well. Lock each asset as necessary, and then watch for attempted breaches of that security. No perfect security solutions exist; thus, to improve security, prepare to respond immediately when you detect breaches. Lock, then watch. Failing to watch a secured asset means that when a compromise occurs, you won’t notice immediately. Watching for compromise is discussed further later in this chapter.
Have an intrusion and incident response plan. Bad things and failures will happen. Breaches will take place. Be prepared. Evaluate and examine the realistic threats facing your assets. But plan for the worst. Define procedures to respond to any situation. Incident response is addressed further later in this chapter.
Do not overlook making a business continuity plan and a disaster recovery plan. Above and beyond security breaches are business-terminating events in the form of natural and manmade disasters. Building collapse, flooding, earthquakes, hurricanes, fire, sabotage, blackouts, malware infection, criminal activities, and so on can end your organization’s operations. If alternate means of accomplishing mission-critical tasks are not available, your organization will cease to exist. Plan to recover from disasters and do business in the future.
KISS—Keep It Simple: Security. Security is complex enough without purposefully imposing additional complexity. Focus on designing security that the average user can comply with easily and simply. The more arcane and cryptic procedures become, the greater chance that users will misunderstand, fail to comply, or purposefully subvert. Simplicity encourages compliance.
Focus on balancing security and usability. Security does not need to make all work difficult. Likewise, essential work functions need not compromise security. Finding a balance between these two extremes is important. The focus should be on reducing risk to the infrastructure while enabling users to perform authorized work with a minimum of hassle.
Prioritize. Security concerns can always overwhelm available time, effort, or budget. Focus on the big impact and big result issues first rather than attempting to swat every minor annoyance that arises. Security is constantly changing; the goal is to maintain reasonable rather than perfect security. (Remember, this is an unattainable goal anyway!)
Always be fully and truly aware of the state of the organizational security. Don’t make assumptions. If you are not positive that an aspect of the organization is secure, find out. Assuming security exists leads to a false sense of safety. A lack of knowledge about the security status can lead to complacency. By assuming nothing is wrong, you feel no urgency to investigate and rectify problems. Do not fall into the “I thought it was protected” trap; if you do not know or are not sure, take the time to investigate and be sure.
Look for the weakest link. Every system or structure has a weak point, and a security structure is no different. It might be power, it could be humans, it might be a coding issue, it could be processing capacity, or it could be any number of other potential culprits. In any case, some weakest link exists in the security chain. Think like a hacker and look for it. Find it. Improve it. Then, go looking for the next weakest link.
Focus on known, real, probable threats rather than on unknown, imagined, or possible threats. You don’t have enough time, energy, or budget to protect against everything. Perform a risk assessment and focus on current, significant issues.
Develop a standardized, procedural-based process for hardening new systems. You should subject every new piece of host equipment, including switches, routers, firewalls, servers, and clients, to a rigorous and thorough hardening process before it is deployed onto the production network. In fact, having a dedicated, isolated, new system-testing network will protect the existing production network from new systems, as well as protect new systems from threats from the existing production network.
Develop and implement an efficient patch management system. You need to promptly analyze, evaluate, and install every new patch released from your vendors, whether for hardware or software. Never short-circuit the test-all-code-before-deployment policy, and never implement code based on fear. Instead, have a focused and efficient process for testing and approving new updates so that they can be rolled out to production systems quickly. Keep every system current on patches; remember, however, that pushing out a patch too soon and without proper testing is just as bad as delaying patch approval because you lack the time to examine it.
User training and behavior modification is essential. Technology cannot solve or remedy all security concerns. Technology cannot compensate for the human factor. Be sure to train all authorized personnel on general security concepts as well as task-specific security concerns. Train users on what policy expects, define what policy prohibits, and encourage buy-in and support of the overall organizational security effort. User training is addressed further later in this chapter.
FIGURE 6-2
National Institute of Standards and Technology (NIST): National Vulnerability Database.
Stay current on security and vulnerability research. You can’t protect against existing, new, and upcoming threats unless you know what they are. You need to seek out this information, because most general news sources, even those focusing on technology, don’t address most of the security vulnerabilities, exploits, or compromises that arise daily. Find good resources-related security and vulnerability research (Figure 6-2) and consult it religiously. Knowledge is often one of the best weapons in the fight for security.
Develop a security checklist. Periodically review it for completeness and accuracy, such as every quarter. Confirm every element on the checklist on a regular and frequent basis, such as once a week or once a day. You can automate this to an extent, but checking often requires human effort to test and confirm that every security mechanism is in place, active, armed, and effective. Security checklists are discussed further later in this chapter.
Perform regular self-assessments. Numerous security groups and government/military agencies post security implementation guidelines, manuals, and checklists. You can use these documents, commonly known as Security Technical Implementation Guides (STIGs), to review and assess your organization’s status and state of security. A self-assessment attempts to take an external, unique, or independent viewpoint in evaluating security. This is why using external security guidelines, standards, and measurements can reveal oversights in an existing security infrastructure.
Perform internal compliance audits. Thinking you are secure isn’t enough; the laws in many industries, such as finance and medicine, now require compliance. Ensuring that you are in full compliance with all federal and state laws and regulations is not only good security management; it will keep your company officials out of jail. Using external auditors is often a poor substitute for internal self-verification.
Implement the principle of least privilege. All users, including administrators, require only the
privileges, access, and permissions necessary to accomplish their assigned work. Any abilities beyond this minimum increase the potential for compromise and abuse.
Isolate and compartmentalize administrative privileges through the implementation of separation of duties. This is also known as split knowledge. Administrators are given limited administrative power over a limited area of the IT infrastructure. No single administrator has full or total power over the entire environment. This limits the scope of potential abuse and harm by disgruntled administrators, as well as by hackers who compromise administrative accounts.
Test all security measures for sufficiency. Perform verification scans of all deployed countermeasures to ensure their correct functioning. Improper installation or misconfiguration can render a well-meaning safeguard worthless. Test every new security control when you install it and every time you reconfigure it.
Perform regular vulnerability assessments. Use automated tools with updated databases of security tests and exploit simulations. These tools should confirm patches and updates, verify security configurations, and probe for known vulnerabilities and exploit weaknesses. Quickly resolve any issues discovered by the scans.
After you have improved and fine-tuned your security infrastructure, put it to the ultimate test: Perform penetration testing. Hire or develop an ethical hacking team to test the strengths and weaknesses of the IT security as well as the security of the facilities and the employees. Ethical hackers use the same tools and attack techniques as criminals, but without the intention to cause actual damage. Professional security assessors can customize attacks, modify exploits, and react in real time to fully stress security defenses.
Focus on the core security services when designing security: confidentiality, integrity, and availability. Failing to properly and adequately buttress these essential security services will result in damage, data loss, and downtime. Confidentiality is the prevention of unauthorized access while supporting authorized access. Integrity is the protection against unauthorized modifications. Availability is the assurance that resources are accessible in a timely manner.
Consider designing security, especially physical security, around three central functions: deterrence, detection, and delay. Deterrence is the use of security to convince the potential attacker that the efforts to compromise a system are not worth it. The attack may be perceived as too hard or too complex, the attempt too easy to detect, and the consequences too severe. Detection is to watch for the attempts at breaching security so as to respond promptly. Delay is to slow down the attack so that even successful breaches give the defenders time to respond in order to apprehend the attacker or prevent further intrusion.
Another common trio of parameters for security design and implementation is prevention, detection, and response. Prevention is the use of safeguards to thwart exploitation or compromise. It is usually more efficient, easier, and cost effective to prevent intrusions and breaches than to react to them. Immediate detection of attempted and successful security breaches is important. The longer the time span between a malicious action and an authoritative response, the greater the likelihood the perpetrator will get away without consequence. Response means being prepared to contain damage, restrict further compromise, and effect repairs to return the system to normal.
Don’t overlook the importance of authentication, authorization, and accounting. These services are essential to a secure infrastructure. You must control who is allowed into a facility and onto the
network. Place limitations on what authorized users can do. Hold all entities—even upper-level management—accountable for their actions, activities, and results.
Focus on establishing a philosophy of default deny rather than default allow. By blocking everything as a starting point, only those features, services, protocols, ports, applications, and users that you judge and deem safe and appropriate can be enabled by exception. A default-permit stance means you must create a never-ending stream of explicit denials as you detect new compromises or malicious events. Deny by default/allow by exception is always the preferred security stance.
Implement whitelist application control. A whitelist is a list of allowed exceptions against a background of default deny. By configuring a system with a whitelist, you block all executables unless they are on the list of allowed exceptions. A whitelist consists of the application name, its file name, and the file’s hash value. This prevents spoofing by malicious or unapproved applications that simply rename the executable.
This collection of network security management best practices should serve as a starting point for the development of your effective security endeavors. Other valid and useful guidelines exist, so don’t assume this list of recommendations—or any other list from any other source—is exhaustive. You always have new lessons to learn, new challenges to face, and new wisdom to obtain.
Fail-Secure, Fail-Open, and Fail-Close Options
Failure is not an option; it’s a certainty. At some point in the life of your organization, failure will happen. Will you be prepared to handle it properly, and how much harm will the failure cause?
A failure can be due to hardware ceasing to operate properly because of an unknown flaw in materials or construction. A failure can be due to the accidental discharge of static that damages circuits. A failure can be due to atypical weather that floods the building.
A failure can be due to a malware infection that crashes a server. A failure can be due to a zero- day exploit that compromises security from outside.
Failure means problems, downtime, loss, and consequences. However, failures do not have to mean bankruptcy, going out of business, jail time, or catastrophic loss. The difference between calamity and mere inconvenience is planning. As with most aspects of security, proper and extensive planning can assist in designing an infrastructure that can prevent or effectively survive any issue or concern.
Planning for failure is planning how to respond to and recover from failures. The goal is to fail into a state of security or safety rather than into a state of insecurity or chaos. This is known as fail- secure. A fail-secure state reverts to a condition where little or no harm, or at least no further harm, is likely to happen. Depending on the situation, a fail-secure state could be fail-open or fail-close.
To fail-open is to revert to a state of being open, available, or unlocked. In the case of the physical world, fail-open is important for the safety of personnel. Fail-open doors allow people to leave a building easily. However, such easily opened doors might represent a weakness that an intruder could exploit to access secured internal areas. In the case of IT, fail-open is to revert to a state of unfiltered communication or data access.
To fail-close is to revert to a state of being closed, unavailable, or locked. In the case of the
physical world, to fail-close is to prevent a doorway or container from being opened during an emergency or compromise. In the case of IT, fail-close blocks access to communications and other digital resources.
Either state, fail-open or fail-close, can be the fail-secure or fail-safe option depending on the circumstances. In any case, you should carefully consider and plan the type of default response you will use, especially during an emergency, intrusion, compromise, or system failure.
Physical Security
There is no security without physical security. Logical protections can protect only against logical attacks. Physical protections protect against physical attacks. With just a few moments of physical contact, a hacker can overcome or bypass most logical security.
Physical security is the prevention of direct physical contact, access, or influence of an unauthorized person to a sensitive component of an IT infrastructure. Any well-designed network security solution will include physical security components. If you fail to address physical security adequately, you fail to understand the threats facing your organization.
Physical security includes a facility that resists forcible entry. Select, improve, or build facilities that prevent and deter unauthorized physical intrusion. If physical breaking and entering is possible and potentially profitable for a thief, it’s more likely to take place.
Physical security should include the monitoring of all personnel activity. Solid physical access control includes keeping track of when an employee enters and exits every secured or sensitive area. Good physical access control blocks outsider access and enforces escorts for visitors.
Physical security should include card key entry, burglar alarms, motion detectors, and security cameras. Use the best available technology to both deter and detect physical security violations.
Watching for Compromise
Everyone in your organization is part of the physical security effort. All individuals are responsible for staying within the security boundaries themselves. They are also responsible for reporting violations or suspicious activity. Security is about locking and watching. Not every employee can assist in the process of locking things down, but all can and should assist with watching for violations and suspicious behaviors.
Use all available technologies in addition to human eyes to look for security violations. Use auditing, IDSs and IPSs, security cameras, motion detectors, and so on when appropriate. Proper network security management includes proper design to watch for violations.
Violations can occur in the physical world as well as within the logical world of computers, networking, and the Internet. Don’t assume that just because a violation causes no direct physical harm, the issue is not worth knowing about or pursuing. A crime is still a crime whether it’s a physical crime or a logical one. Design and implement detection mechanisms to notice, log, and monitor suspicious or abnormal activities.
Incident Response
Incident response is the planned reaction to negative situations or events. Inevitably, security breaches, or at least attempts to breach security, are going to occur. When those events affect the organization or its abilities to perform its tasks in any way, incident response is triggered. The goals of incident response are to minimize downtime, minimize loss, and restore the environment back to a secured normal state as quickly as possible.
Most incident response solutions include six primary steps or phases:
1. Preparation—Select and train security incident response team (SIRT) members, allocate resources.
2. Detection—Confirm actual breaches. 3. Containment—Restrain further escalation. 4. Eradication—Resolve the compromise. 5. Recovery—Return to normal operation. 6. Follow-up—Review the process and improve future responses.
An incident response plan is an important element of network security management.
Trapping Intruders and Violators
Security often aims at prevention and deterrence. When an intrusion or security violation takes place in spite of the precautions, the next stage or level of security must respond. The next stage of security is detection. Knowing if and when a security violation occurs is essential to a timely and adequate response to a breach.
Once you detect a breach, you must immediately initiate a response. The first stage of response is containment. The goal of containment is to prevent further spread of a known malicious event. Containment is a mindset, a plan of action, and an element of design. As a mindset, containment is the focus of first responders or members of the SIRT. Their goal is to prevent any expansion or spread of the compromise to other systems.
Why Containment Is Important
Containment can be as simple as unplugging a network cable from a compromised system. This effectively cuts off any communication to and from the suspect host. You can also impose containment by disabling user accounts, stopping services, adding entries to filtering devices, and so on. Whatever the vector or source of the malicious event, its source or target should be cut off from causing continued harm.
The act of containment should interrupt or interfere with the continued spread or operation of the
unwanted event. This type of initial response is often effective against malicious code, remote access, backdoor control, a compromised user account, social engineering, and many other forms of network or system compromise.
Containment is often considered a form of response. Containment is the action taken by a first responder. However, even before you experience a security breach, you can employ another preventative measure similar to containment known as compartmentalization.
Imposing Compartmentalization
Compartmentalization is the element of infrastructure design that takes into account the likelihood of a security breach by malicious code or some other intruder. Compartmentalization distinctly separates a network into areas or zones of access. Often, these zones are around departments or entities that commonly interact over the network. Any entity that does not commonly interact is separated by default using network security access control devices such as routers, switches, and firewalls.
The purpose of compartmentalization is to create small collectives of systems that support work tasks while minimizing risk. The typical risk is that if one system is compromised, the breach can quickly lead to other systems being compromised. This is especially true of malicious code, which distributes rapidly. But it can also apply to remote hacker intrusion as the hacker attempts to leap from system to system, searching out valuable resources.
Network compartmentalization is similar to the bulkheads on ships. In the event of a hull leak, the bulkhead doors of the affected compartment close and seal. This prevents the entire ship from being sunk by a single breach. The same is true for computer network compartmentalization. When you detect a breach, you can sever the links between network compartments to prevent any further malicious communication to or from the affected sections.
Using Honeypots, Honeynets, and Padded Cells
Another specific intruder trap you can add to a security infrastructure is a honeypot. A honeypot is a hacker or intruder trap. A honeypot is a system or network that appears to contain valuable information, and appears to be part of a legitimate organizational network, but in fact is a specially designed trap. The purpose of a honeypot is to trap hackers/intruders, detect new attacks, or simply serve as a decoy to deflect attacks from reaching the actual primary network.
A honeypot can be a single system or a network of many systems constructed to look, act, and operate like a real network environment, containing seemingly attractive but actually fake resources. For a honeypot to be effective, it must look and act just like a real target. Otherwise, hackers will quickly uncover that it is fake and search harder to find the real targets. A honeypot often includes extensive focus auditing and recording capabilities to thoroughly capture all activities that take place within it.
Honeypots can be single systems or multiple networked systems. A network of honeypots is sometimes called a honeynet. Both honeypots and honeynets are decoy systems that are always operating in the hopes of attracting would-be hackers and intruders. Another form of honeypot is the
padded cell. The padded cell is turned on only after you detect an intruder; you then lure the intruder into entering the padded cell.
Configure and situate honeypots so that they do not interfere with authorized users performing authorized activities. However, you need to position them along common pathways of access that an outsider or intruder might take, in much the same way a hunter will hide along a game trail in the forest. A honeypot should be attractive and interesting enough to persuade a hacker to attack it, but not too attractive as to trigger that voice in the back of the hacker’s mind that says, “It’s a trap.”
A honeypot has value in two primary circumstances. First, if the organization’s primary goal is to learn about new hacking exploits, then a honeypot can serve as a laboratory for that purpose. Second, if the organization’s primary goal is to prosecute criminals, then a honeypot may assist in the discovery, identification, and apprehension of suspects. However, if neither of these two purposes is a primary goal of the organization, then deploying a honeypot is generally not a worthwhile endeavor.
Essential Host Security Controls
Every host needs protections from its users as well as from the network it communicates with. There are always risks, even within a private network, from authorized users. Precautions include equipping host devices with reasonable defenses against known potential avenues of compromise.
Every host needs an antivirus scanner. While malicious code is not as serious a threat in some operating systems as in others, hackers create malware for every platform. You can no longer safely claim immunity based on your operating system selection alone.
An antivirus scanner needs to be current. The scanner engine, the core mechanisms for malware detection, should be less than a year old. Typically, a deployed antivirus should have the current year in its name or as its build date. Any antivirus scanner more than a year old is too out of date with new and current scanning technologies, malicious embedding techniques, and cleanup and removal procedures.
An antivirus scanner needs to have its database of definitions updated at least once per day. This should be an automated process so that as soon as the vendor releases a new update, it is downloaded and applied. Using a scanner with an old database is just as bad as using an old scanner. An antivirus product provides protection only against known threats, so don’t allow your antivirus software to develop amnesia from delayed updates.
An antivirus scanner must be configured to perform constant, consistent, and automatic scans. Monitor the memory, processing stack, and any other active element of a computer system in real time for symptoms of malicious code compromise. When malware reaches a host, it can infect that host and distribute its spawn in moments. Without real-time monitoring for infections, serious damage can take place long before a periodic scan notices the breach.
An antivirus scanner should be configured to perform complete, systemwide, low-level scans across all memory and storage devices on a periodic basis, every day or at least once a week. By scanning the entire system on a regular basis, you can detect and remove malware that was able to gain access through some unmonitored or covert channel.
In addition to an antivirus scanner, hosts should benefit from an anti-malware scanner. An anti-
malware scanner is also known as a spyware or adware scanner. These are companion scanning products to antivirus software in that they find other forms of malicious, nuisance, or suspicious code that might not qualify as a virus or worm. Their targets include spyware, adware, keystroke loggers, rootkits, hacker tools, backdoors, Trojan horses, malicious/abnormal cookies, suspicious mobile code, bots, zombies, and so on. Don’t let the names fool you. All of these things represent the potential for real network damage.
Every host should be equipped with a software host firewall. A host firewall provides filtering services for data entering and leaving the local box. A host firewall can limit network connectivity for local applications as well as allow or deny access to resources from external entities.
Most hosts can benefit from the added security of whole hard drive encryption. This ensures that all data on the drive is secured. Depending on the product and technology you employ, whole hard drive encryption can be unlocked through a boot password or the use of a hardware device, such as a USB drive or a Trusted Platform Module (TPM) chip. Whole hard drive encryption essentially prevents a hard drive from being read by another system if it is stolen.
Some forms of system and file damage occur from activities that are not malware related. Using a hash integrity checking mechanism to watch for unauthorized file changes can assist in tracking down abnormal sources of compromise. Monitor every system file and device driver. Any change not associated with installation of a valid update is likely a symptom of malicious activity.
You should configure and review auditing on all hosts, not just servers. Malicious activities and communications can take place on any system. Configure every host to audit, monitor, and log local and network events. Then, using an intrusion detection system (IDS) or other form of security auditing tool, scan the log files for symptoms of concern. What you do not know can harm you, so arm yourself with as much knowledge as possible.
Backup and Recovery
Back up. Back up. Back up. There is no excuse for lacking a backup solution. Backups are the only insurance against data loss. Failing to make a backup is planning for failure and data loss. A single data loss incident, such as a failed hard drive, could be enough to cause the failure of an organization. Do not lose data because of carelessness; implement a backup process immediately.
Backups are not difficult. They just take a bit of planning. First, plan where you want to store the backups. The three main choices are online, offsite, or onsite.
Online or cloud backup storage is growing in popularity, availability, and cost effectiveness. Online backups offer access to your data from any Internet connection, making recovery possible from anywhere. However, online backups put your data on someone else’s hardware, making you dependent on that party’s security, confidentiality assurance, and reliability. Plus, backup transfer speeds are dependent on the local Internet link speed, which is usually much slower than most local media backup options.
Offsite and onsite storage employ the use of backup media. Backup media can be tapes, optical disks, hard drives, and solid state drives/cards. Physical media require space for storage and are subject to physical threats, namely theft, damage, and destruction. Offsite storage is the better option when faced with major catastrophes. This protects your backup media from damage by problems
occurring at your primary work location. Onsite storage provides for quick recoveries around minor issues.
Midsize to large organizations often elect a multistage backup solution that provides both onsite and offsite storage benefits. One possible configuration is to use banks of rewritable high-speed optical storage devices to host a live, online, onsite backup. Then perform periodic backups from the optical storage set to portable media, such as tapes, for secure storage offsite.
This configuration provides for fast backup from the original systems to the optical media, then provides a convenient process for creating tape copies quickly. It also allows for fast restoration of data from the online, onsite optical backup, while providing major disaster protection with the offsite secure storage of tapes.
As much as possible, automate the backup process to ensure that it happens. If the act of backing up the network’s data interferes with production, then install a secondary network to exclusively support data transfer for backups. This will require a second network interface in every system protected through the backup process.
The offsite storage location for backup media should be secure and reasonably protected from disasters, especially severe weather. If your organization is large enough to have multiple locations, rather than the same building or even buildings within a few blocks of each other, then offsite storage can switch from third-party storage to internal storage at distant branch locations.
User Training and Awareness
User training is an essential part of any security endeavor. Not every worker in an organization is automatically an IT or technology expert, nor should you expect them to be. Security training and awareness aims at providing all users with basic security knowledge as well as job-specific security information.
To hold users accountable for their actions, first clearly define the network security policy boundaries and limitations. Having a set of rules and restrictions without informing personnel of their existence won’t enforce policy and can lead to employee grievances. Training and awareness is necessary to educate users on their responsibilities and the consequences for violating organizational policy.
Without adequate security education for users, maintaining a secure environment is difficult, if not impossible. However, many organizations fail to support end user training adequately. This results in users not understanding the importance, need, and benefits of security. Additionally, it will result in an increase in violations, most of which are benign and accidental, but incidents that you will nonetheless need to investigate and resolve.
A few common end user security mistakes or problems caused by a lack of security training include:
Opening e-mail attachments from unknown sources or from a known source with an unexpected or unusual attachment
Preventing updates and patches from installing, even when approved and recommended by the
security staff Installing unapproved software on work computers, including games, screensavers, utilities, instant messaging clients, and browser plug-ins
Installing software on work computers that you have not verified as safe and free from malicious code
Failing to make backups of personal data or work data on work computers Using a modem or wireless connection from a desktop or notebook work computer while still connected to the company LAN
Using a password storage/tracking utility that does not encrypt its database Walking away from computers while still logged in Connecting unknown and unapproved devices to a work computer Using portable media and storage devices from an external source on a work computer Installing remote-control or remote-access software on work computers without obtaining approval
Using the same password on multiple systems Leaving portable devices in locations outside of work where they could be easily stolen, such as in a car’s backseat
These are just some examples of common security problems caused by untutored users. You can avoid or at least minimize most of these issues with reasonable user security education. However, it’s also common for IT staff to make security mistakes, even though they are much more knowledgeable about technology. Just because someone is a “tech guy” or might be considered a computer geek does not necessarily imply he or she is security smart as well.
Some mistakes made by technology experts (who really should know better) include:
Using the same password on multiple systems Allowing new systems to go online before they are properly hardened and/or tested Failing to keep current with available patches and upgrades, especially those related to security
Using remote system and device management mechanisms that are convenient but not secure, such as telnet, HTTP, and FTP
Discussing passwords over the phone, including changing passwords based on over-the-phone requests
Failing to properly check identity, authority, and permission before giving out information or access to resources
Failing to implement a proper backup solution Not verifying and testing that backups are working properly Assuming something is secured or properly configured without specifically checking and verifying
Allowing unnecessary and potentially insecure applications, services, and protocols to remain on a system
Using security and network devices with their default settings, such as firewalls, proxies, routers, and so on.
Failing to understand all of the security configuration options on a new software or hardware product
Putting new software or hardware into production before thoroughly testing and gaining approval
Allowing anti-malware defenses to become out of date or go stale Allowing sensitive information to be communicated without an encrypted channel
Even a knowledgeable technical professional can learn how to be more secure through proper training and awareness education. Every single person throughout an organization has security responsibilities. These need to be defined, explained, and taught. Users will improve their behaviors when they understand what the risks are, what is at stake, and how their behavior will affect them if they fail to support security.
The goal of security-related training is user behavior modification. Users need to take steps to change their regular activities from those that place themselves and their workplace at risk to those that avoid risk. Risk is easy for most people to understand, but they need to be made aware of risk to trigger a change in their actions.
Good user training will cause an improvement in user compliance with the standards, policies, procedures, and guidelines of your organization. Often, the beginning of security training is awareness. Awareness is introductory, foundational, and ubiquitous security information that applies to all employees. Awareness aims at establishing a common baseline of security understanding for the entire organization.
The principal means of awareness training is in a classroom setting. It should, however, include a wide variety of communications, including online videos, interactive Web sites, posters, e-mail reminders, regular memos or newsletters, wall banners, coffee mugs, sticky notes, manager review meetings, loudspeaker announcements, screensavers, mouse pads, and even voice mail messages. The point is to inform users about basic security essentials, then reinforce those basics while they are at work.
Awareness is important for all personnel, in all job positions, at every level of access, from the top to the bottom of an organization. Everyone should understand basic security issues. These often focus on general responsibilities, liability, seeking to avoid waste and fraud, reduction of unauthorized activities, and looking out for abnormal or suspicious events.
User Education Every organization should have a written security policy, but that is not enough. In order to ensure that an individual knows the policy, the individual should be made to read the policy
and sign a statement that he or she has read the policy and will abide by the policy. The individual should also read and acknowledge that he or she will abide by changes to the policy as they are published. These requirements apply not just to salaried and hourly employees, but to anyone given electronic or physical access to the premises of the organization and to the assets of the organization in transit as the assets are transported outside of the physical facility. This could include contractors, suppliers, and others. And it requires constant monitoring. It could even require a test or security certification, background check, or other means of determining ongoing compliance. One means of encouraging users to comply with policies is to ensure they are aware of the consequences of noncompliance. No one given permission to access assets of the organization is exempt from the security policy.
It’s important for employees to see through both words and deeds that security is important. This means that even top executives must be held accountable to the same basic principles enforced throughout the general employee population. If employees see evidence of compromise or compliance avoidance by senior management, then they get the impression that the rules are not important enough for anyone to follow. You don’t want employees to be frustrated and confused by a “Do as I say, not as I do” management model.
After awareness comes training. Training focuses on security issues and topics more closely related to specific job tasks. Training consists, therefore, of job-specific security information. Security training of this type assists users in accomplishing their individual work tasks while staying within the boundaries of the security infrastructure.
Most organizations offer in-house awareness and training. This is common because such training directly reduces incidents and the associated costs of handling and responding to internal accidental and ignorance-based breaches.
Beyond training is security education. This form of learning has a broader scope than just a job description or even the organization as a whole. The purpose of security education is to obtain extensive knowledge about security and related subjects, even if they don’t directly apply to current work responsibilities or tasks. Education is for the advancement of the individual, perhaps to improve his or her career outlook.
Education is usually obtained outside of an organization. A company might perceive education as either a threat to employee retention or a benefit to keep employees happy. Most organizations want to improve the skills of their personnel. Either way, security education improves the knowledge and skill of the individual.
Security awareness, training, and education are beneficial for any security endeavor. Including and funding it in your organization’s overall security solution will improve your odds of success.
Network Security Management Tools
The best network security management tools are neither commercial nor open-source products or solutions. Instead, the best network security management tools are quite simple and obvious. The best
tools are:
A written security policy A complete inventory of all hardware and software A physical cabling layout and device location map A logical organization, addressing, and subnetting map Complete configuration documentation for every device Change documentation and log Backup and restoration procedures A business continuity and disaster recovery strategy Troubleshooting guidelines Hardware and software documentation Personal knowledge and skill Access to online resources
Security management is not about having the most expensive products or the most automated configuration. Instead, good security management is rooted in a solid understanding of the infrastructure and having the tools to improve, respond, and repair as necessary. Focusing on the glitz of shiny products can even distract from the basics of security management.
Security management should always center on protecting assets, supporting authorized activities, and responding to threats as you discover them. It may be more efficient or cost-effective to use off- the-shelf security management products, but using them is no substitute for addressing the organization’s core security concerns.
Security Checklist
Security is fragile. Hackers need discover only a single flaw in your defenses to mount an attack. Changes to the infrastructure, whether physical or logical, could open new holes not previously present. Additionally, users and personnel may intentionally or accidentally breach security.
One method to maintain the efficacy of security is through regular verification and validation checks of every single countermeasure, safeguard, security control, deterrent, prevention, and defense. This requires an inventory of all security measures. This inventory can then become a checklist.
Physical security and logical security each need a separate list focusing on their respective areas of concern. A security guard or a security tech investigates every physical security measure to ensure that it is still in effect, active, and unmodified. Such tasks at the level of logical security are best left to security techs with proper administrative access.
A security checklist shakedown should occur regularly and often, once a day at most to once a week at least. Every single item on the checklist should be physically visited and inspected. If any
issues or concerns arise, document them and immediately bring them to the attention of the security team. Employ remedial measures promptly and investigate to track down the root cause of the concern.
A physical security checklist should include every security control deployed for facility control. These include:
Checking every window lock Checking every door lock Checking every external wall Inspecting access points to raised floor areas Inspecting access points to drop ceilings Ensuring that cabinets or containers are locked Verifying that security cameras are pointed in the correct direction Verifying that all light bulbs are of the correct type and are functioning Checking motion detectors Testing alarm systems Interviewing security guards and confirming compliance with procedures
Depending on the industry and specialization, many more components can make up the physical security of an organization. This list is just a sample of what the typical physical security checklist should contain. Look for any modification, destruction, or general failure of every element of physical security. A single bad window lock or a door that does not fully close automatically can result in easy access for a burglar intent on computer mischief.
A logical security checklist should include every security control deployed for computer and network control. These include:
Checking authentication Checking authorization and access control Auditing systems Verifying firewalls and other filters Checking proxies and other communication management solutions Verifying encryption, including key management Updating antivirus software and scanners Backing up and storing archival information securely
Many more elements exist in a well-designed security infrastructure for an exhaustive logical security checklist. Again, this list is just a sample of some common elements found in most secure organizations. Poor configurations, overlooked defaults, and out-of-date systems can leave gaps that a probing hacker will discover and exploit.
Never assume you are secure. Check and verify everything regularly. No one else will do it for you.
Use the security checklist with the intention of maintaining effective security over time, in spite of change, accidents, and human nature. However, even a complete checklist cannot resolve problems caused by poor design and implementation. To ensure that your checklist is truly a benefit and not just reorganizing deck chairs on a sinking ship, consider the following common oversights or issues:
Do not assume that a service or protocol is secured by some other layer or service. Verify that the data traversing a network segment is encrypted or otherwise secured.
Know the limitations of security products. Each security mechanism addresses a single or small set of issues within a specific context. The presence of security in one location does not cause a magical blanket of security to exist in other locations. Be sure specific and relevant security solutions are in place where necessary. For example, use of IPSec for network encryption does not imply that data stored on clients is encrypted.
Do not rely on authentication at session initiation alone. Session hijacking is a serious threat on most commonly used protocols. Use solutions that support periodic midstream reauthentication, as well as communications encryption.
Assume programs are inherently insecure. Security is not often a priority or a requirement in programming. When possible, use secure programming quality assurance.
Plan for handling failures, errors, intrusions, and downtime. Focus on what to do when bad things occur. The goal should be a fast and efficient recovery. Failing to plan is planning to fail.
Assume you may become a victim of a denial of service (DoS) attack. Every communications system is vulnerable to DoS. Do not forget that physical damage can be an effective DoS.
Learn from your mistakes. When a problem is uncovered, when a design flaw is revealed, when a process is shown to be ineffective, lean in, take the hit, own up to the responsibility, and then deal with it. Improve the environment to resolve the issue. Review the process and learn from it.
A security checklist can be an effective tool in managing and maintaining network security. Make it a point to start your list now and use it in real-world review immediately.
Network Security Troubleshooting
Security troubleshooting aims at recovering from problems related to the countermeasures. Problems will occur with the defense mechanisms themselves. Downtime of a security control is as critical as downtime of a core business process or asset. Troubleshooting failures of security controls is an important part of network security management.
As with most concerns, prevention is always preferable to repair or response. By working to ensure that failures do not occur, or at least do not occur as often, maintaining effective security will be easier and less costly in terms of both budget and manpower.
Network security troubleshooting is often about triage—deciding which issues or problems are of the most imminent concern. The more a security component affects a mission-critical process, the more important rapid response and repair becomes. When security is down, the previously protected assets are put at greater risk for compromise. Minimizing the length of time consumed by the response is important to minimizing long-term losses.
One of the most effective preventative techniques in network security troubleshooting is installing patches and updates. As with patches and updates to production systems, always test the new code thoroughly before deployment. Once tested and approved for application, apply updates when downtime would cause the least number of problems. Always be prepared with a redundant option if the updating process itself causes further security control problems.
Possible complications from the application of patches and updates include resetting to factory defaults, loss of some but not all configuration settings, and “bricking” (that is, making it non- functional) the control. If the security control resets back to factory defaults, then it will need to be fully reconfigured. If a recent configuration backup is available, restoration might be a swift repair. Otherwise, manual resetting will be necessary. To facilitate this process, always have complete documentation of all settings of all security controls.
If you lose some but not all configuration settings, then the security control is unlikely to operate as you expect. Restore or reconfigure the settings promptly. The update itself may have added or modified settings that need testing and verification for function and compatibility. If a new feature interferes with a business task, you might find it necessary to disable the feature or roll back the update.
If the update process causes a complete failure of the security control, the real possibility exists that the product is useless. This is known as bricking—turning a useful device into a worthless brick. In some cases, a hard reset can revive a seemingly bricked device, while there may be more esoteric repair and recovery options for other devices. If the vendor does not provide an unbricking solution, search the Internet for user groups or discussion forums for a home-grown solution.
Configuration errors might be the cause of a security control malfunction. Configuration errors may be caused by human error, oversight, or ignorance, as well as by updates, power fluctuations, and physical damage. When a security control is improperly configured, it does not provide the expected security. Troubleshooting this situation can be as simple as reverting to a previously saved configuration or manually reapplying the settings.
However, a more serious concern arises when configuration errors are not easily fixed. A recent patch or update may have rendered the product unstable, or a patch or update might be needed to stabilize it. If the configuration error reappears after every power cycle, then the device might be defective, it might need additional memory (or need defective memory replaced), or it might need to be attached to an uninterruptible power supply (UPS) to reduce the number of unplanned power fluctuations.
Physical damage should be repaired expeditiously. If unrepairable, you may need to replace the device. Install preventative measures that will prevent the reoccurrence of the physical damage.
In some situations, the problems with security are not with the security components themselves, but with the overall infrastructure design. Perform a reassessment of the design on a periodic basis, such as once a year, to judge whether the current infrastructure continues to meet the security needs of
your organization. Since security changes over time, the security design might need to evolve to meet the demands of new risks, threats, and concerns.
Power faults can take place for many reasons. If the building’s power grid is not reliable, if sags and spikes occur on a regular basis, the focus of the long-term repair should be on improving the building’s power distribution systems. Short-term responses can include surge protectors, UPSs, and generators.
If a device encounters a power fluctuation due to overheating, investigate whether the room where the device is operating has adequate HVAC service. The average temperature for a room dedicated to housing computer equipment should be at or below 70 degrees Fahrenheit with moderate relative humidity to avoid generating static electricity. In rooms where people work with computers, the temperature should remain below 80 degrees Fahrenheit. Also, check the device to see if it has sufficient internal airflow to maintain appropriate internal operating temperatures. Don’t forget to check filters and vents for accumulation of dirt or dust.
Power faults can include power supply or power grid variances. In this situation, the only responses are surge protectors, UPSs, and generators, as customers are unable to affect the quality of the power company’s electricity by themselves. If switching power suppliers is an option, investigate this to determine the reliability of other providers, as well as the expense and hassle of switching. Sometimes actively and publicly “shopping” power suppliers can result in improved service from your present supplier.
Static electricity is also a concern. Electrostatic discharge (ESD) or static-electric discharge (SED) can easily damage equipment, including security equipment. The amount of electricity discharged between someone’s finger and a doorknob when you can see the spark jump is more than enough voltage to destroy most computer chips. Take precautions to prevent static damage.
Physical damage can be a concern requiring troubleshooting. Damage might be caused through intentional destruction, accidents, or Mother Nature. If the damage is superficial or cosmetic, the device can be returned to service. However, if the damage prevents the security device from operating properly, then in most cases you need to replace it. Address the cause of the physical damage to reduce the likelihood of a reoccurrence.
Network security troubleshooting focuses on whether an intruder can bypass a security defense or restriction. A security control that can be bypassed is worthless. Once you discover that a security control can be bypassed, you need to investigate the method or mechanism of the bypass. Then, if possible, remove or block the method of bypass. If the flaw is a design or infrastructure concern, consider revising the design to remove the loophole.
From time to time, hackers find flaws in the programming of a security control. Once an exploit is written, the security control can be rendered useless through taking advantage of the flawed code. Vigilance in reviewing vulnerability databases and research, paying attention to vendor information, and watching the log files of the organization’s network should alert you when an exploit succeeds.
Defending against an exploitation focusing on a security control is the same as when one focuses on any other aspect of a network. If possible, reconfigure the control to minimize the effectiveness of the exploitation. Consider removing the component until you can implement a new defense. Apply a patch or update from the vendor as soon as it becomes available.
A final concern in relation to network security troubleshooting is hardware failure. While not a
common occurrence, hardware can fail. Over the life of an organization, you are almost guaranteed downtime caused by hardware failure. When that hardware is a security control, the downtime is more severe in that it places the rest of the environment at greater risk.
Manage hardware failure by having replacements on hand or being able to obtain them quickly. Reduce downtime through redundant infrastructure design. Monitoring ongoing performance metrics might enable the detection of a future hardware failure as performance degrades. However, abrupt hardware failures are difficult to predict. Thus, being prepared with alternatives and replacement parts is often the best troubleshooting solution.
Compliance Auditing
Compliance auditing is a type of assessment that judges how well an organization is accomplishing set goals or requirements. These goals and requirements can be internal or set by government, industry, and other regulatory agencies. Compliance auditing is an important part of maintaining a business, especially growing businesses, as it ensures that the organization is following all necessary security guidelines.
Compliance auditing may be a legal requirement for some industries, such as finance and medicine. Independent external auditors perform compliance audits to ensure that a target organization is fully abiding by the rules and regulations imposed by the government. This audit is a comprehensive investigation and review of the ongoing business processes. The audit requires a review of the security policy, access controls, risk management processes, and historical log files.
The focus of compliance audits varies based on industry, information type, and whether the organization is public or private. Auditors investigate an organization through documentation analysis, interviewing personnel, and combing through audit logs. Compliance auditing can examine recent security breaches, evaluate incident response, interview ex-employees, judge user access levels, interview executives over critical security concerns, and more.
Organizations are usually distinctly aware when compliance auditing is a mandated periodic occurrence. In those cases, companies should prepare for audits by collecting the various types of information and creating the appropriate records as needed by the auditor. In fact, establishing a standard practice of producing and archiving the necessary information is prudent. The goals of these actions are not to manipulate the data, but to provide adequate access to the facts and historical activities.
Organizations that do not have mandated compliance audits should consider self-imposed audits. The process of thoroughly investigating the compliance level with the stated security policy can improve the long-term stability and security of every organization. The act of self-assessment and improvement is a common characteristic of most successful IT organizations.
Security Assessment
Security assessment is the judging, testing, and evaluation of a deployed security solution. The state of the world, in terms of security, is constantly changing. The hacking community is actively developing
new techniques, methodologies, and exploits to compromise targets. The defenses and strategies that worked yesterday might not be as effective tomorrow.
Security assessment is the ongoing process of evaluating security so that you can improve it. Security is established through the act of performing a risk assessment. The results of the assessment are formulated into a policy that guides the implementation of the initial security infrastructure. From that point forward, security management takes over.
Security management is the process of watching for breaches, tuning existing security, and evaluating the need for improvements to security. It is this latter area of concern that is the focus of security assessment. Security assessment employs several techniques to appraise the effectiveness of deployed security.
Configuration Scans
A configuration scan probes a system to determine the current state of configuration and settings. This scan determines which available vendor patches are installed or missing. This scan also evaluates numerous system configuration settings against a database of recommendations. Depending on the tool you use to perform the configuration scan, you may find different levels of recommendations based on the function of the system or the general level of desired security.
One well-known example of a configuration scan tool is Microsoft Baseline Security Analyzer (MBSA). MBSA scans a Windows system and produces an easy-to-read report (Figure 6-3). This tool provides a fast evaluation of the overall security stance of a single system. To download the MBSA tool, go here: http://www.microsoft.com/en-us/download/details.aspx?id=7558.
MBSA is a great tool for small offices and end users to employ to quickly check their systems for well-known patch and security setting configuration compliance. However, this is just a first step; it should not be the only tool you employ. You’ll need other tools, especially non-Microsoft software, that focus on broader issues to obtain a complete and thorough configuration scan.
FIGURE 6-3
An MBSA scan report.
FIGURE 6-4
A Nessus scan report.
Vulnerability Scanning
The next step or stage in security assessment is vulnerability scanning. Vulnerability scanning focuses on locating known exploitable weaknesses or vulnerabilities in deployed systems. You perform this type of scanning by using an automated tool with an updatable database of exploitations and test scripts. A vulnerability scan will reveal problems with configuration, installation, and product code. A scan of this type is only as reliable as the product itself and how current its testing database is.
A popular and well-known vulnerability scanning product is Tenable Network Security’s Nessus. Nessus is available in a free version for home use and a paid version for commercial use. Nessus is a powerful scanning engine with a massive database of exploitation plug-ins that offers excellent reporting capabilities (Figure 6-4).
NOTE Nessus can be found online at http://www.nessus.org/.
Penetration Testing
The third and final step or stage in security assessment is penetration testing. Also known as ethical hacking, this process is the application of hacking techniques, methodology, and tools in the hands of trusted ethical security experts. The purpose of penetration testing is to evaluate the resiliency of current security infrastructure and recommend improvements. Penetration testing is performed by a team of professionals who can customize and adapt exploits on the fly.
Penetration testing typically consists of five main phases or steps: reconnaissance, scanning, enumeration, attacking, and post-attack activities. The steps or components of criminal hacking and ethical hacking are the same. The difference is the goal and abiding by ethical restrictions and contractual boundaries.
Post-Mortem Assessment Review
Even with adequate security assessment using the three main techniques (configuration scans, vulnerability scans, and penetration tests), you may still have a need for one additional form of security assessment. This additional form is the port-mortem assessment review.
A port-mortem assessment review is the self-evaluation performed by individuals and organizations after each security assessment task. The purpose of a port-mortem is to learn from mistakes. This will improve the process in future events and avoid the reoccurrence of the same mistakes. It’s true that practice makes perfect. If you practice the same tasks repeatedly, each time improving upon the previous performance, you’ll eventually master the task.
Port-mortem reviews provide incremental improvements on a consistent basis along with the rare revolutionary improvement. A review of this type can include numerous elements of appraisal focus, including:
The process as a whole Each performed step The order of the steps Whether steps might be missing What other actions could be taken Whether participants were properly trained Whether additional resources were needed Whether resources were wasted Whether additional people were needed Whether too many people were involved Whether reporting was sufficient or insufficient What was missing What could be improved next time
Many other queries could be posed as long as the goal is to improve future applications of the assessment processes and tools. A post-mortem review is a beneficial process when used consistently.
CHAPTER SUMMARY Network security management focuses on vigilance. Vigilance to remain current in terms of technology. Vigilance to remain knowledgeable about new threats and exploits. Vigilance to respond promptly to downtime and compromise. Vigilance to restore, repair, and update security on a regular, consistent basis.
A wide number of activities make up the realm of network security management, including fail-secure responses, maintaining physical security, detecting compromise, preparing for incident response, trapping intruders, host security components, backup procedures, user training, management tools, checklists, troubleshooting, compliance auditing, and security assessment.
KEY CONCEPTS AND TERMS Awareness Backup Business continuity plan Compliance audit
Default deny Default allow Disaster recovery plan Education Fail-open File encryption Honeynet Incident response plan Mission-critical Padded cell Patch management Principle of least privilege Security Technical Implementation Guides (STIGS) Separation of duties Single-factor authentication Training Trusted Platform Module (TPM) Vulnerability scanning Whole hard drive encryption
CHAPTER 6 ASSESSMENT
1. All of the following are examples of network security management best practices except: A. Writing a security policy B. Obtaining senior management endorsement C. Filtering Internet connectivity D. Providing fast response time to customers E. Implementing defense in depth
2. All of the following are examples of network security management best practices except: A. Avoiding remote access B. Purchasing equipment from a single vendor C. Using whole hard drive encryption D. Implementing IPSec
E. Hardening internal and border devices
3. All of the following are examples of network security management best practices except: A. Using multifactor authentication B. Backing up C. HavBacking up a business continuity plan D. Prioritizing E. Spending each year’s budget in full
4. A firewall host that fails and reverts to a state where all communication between the Internet and the DMZ is cut off displays a type of defense known as: A. Default permit B. Explicit deny C. Fail-close D. Egress filtering E. Security through obscurity
5. The purpose of physical security access control is to: A. Grant access to external entities. B. Prevent external attacks from coming through the firewall. C. Provide teachable scenarios for training. D. Limit interaction between people and devices. E. Protect against authorized communications over external devices.
6. A complete and comprehensive security approach needs to address or perform two main functions. The first is to secure assets and the second is: A. Watch for violation attempts. B. Prevent downtime. C. Verify identity. D. Control access to resources. E. Design the infrastructure based on the organization’s mission.
7. Incident response is the planned reaction to negative situations or events. Which of the following is not a common step or phase in an incident response? A. Containment B. Recovery C. Eradication D. Detection E. Assessment
8. All of the following are elements of an effective network security installation except: A. Backup and restoration B. User training and awareness C. Compliance auditing D. Security checklist E. Unplanned downtime
9. The task of compartmentalization is focused on assisting with what overarching security concern? A. Limiting damage caused by intruders B. Filtering traffic based on volume C. Controlling access based on location D. Supporting transactions through utilization E. Assessing security
10. Which of the following types of security components are important to install on all hosts? A. Firewall B. Antivirus C. Whole hard drive encryption D. Spyware defenses E. All of the above
11. What is the only protection against data loss? A. Integrity checking B. Encryption C. Traffic filtering D. Backup and recovery E. Auditing
12. All of the following are common mistakes or security problems that should be addressed in awareness training except: A. Opening e-mail attachments from unknown sources B. Using resources from other subnets of which the host is not a member C. Installing unapproved software on work computers D. Failing to make backups of personal data E. Walking away from a computer while still logged in
13. The best network security management tools include all of the following except: A. Complete inventory of equipment
B. Written security policy C. Expensive commercial products D. Logical organization map E. Change documentation
14. The purpose of a security checklist is: A. To keep an inventory of equipment in the event of a disaster B. To create a shopping list for replacement parts C. To ensure that all security elements are still effective D. To complete the security documentation for the organization E. To assess the completeness of the infrastructure
15. Which of the following is not a potential hazard when installing patches or updates? A. Resetting configuration back to factory defaults B. Reducing security C. Bricking the device D. Installing untested code E. Improving resiliency against exploits
16. Which of the following is a true statement with regard to compliance auditing? A. Compliance auditing is a legally mandated task for every organization. B. Compliance auditing ensures that all best practices are followed. C. Compliance auditing creates a security policy. D. Compliance auditing is an optional function for the financial and medical industries. E. Compliance auditing verifies that industry specific regulations and laws are followed.
17. Which of the following is not typically considered a form of network security assessment in terms of how well existing security stands up to current threats? A. Configuration scan B. Compliance audit C. Vulnerability assessment D. Ethical hacking E. Penetration testing
18. Which of the following cannot be performed adequately using an automated tool? A. Checking for current patches B. Confirming configuration settings C. Vulnerability assessment
D. Scanning for known weaknesses E. Ethical hacking
19. What is the key factor that determines how valuable and relevant a vulnerability assessment’s report is? A. Timeliness of the database B. Whether the product is open sourced C. The platform hosting the scanning engine D. The time of day the scan is performed E. The available bandwidth on the network
20. What is the primary purpose of a post-mortem assessment review? A. Reducing costs B. Adding new tools and resources C. Placing blame on an individual D. Learning from mistakes E. Extending the length of time consumed by a task
CHAPTER
7 Firewall Basics
A FIREWALL IS A KEY COMPONENT of a complete security infrastructure. And while common, a firewall is by far not a simple security measure. You must understand the complexities of a firewall to design a firewall’s security policy, build the firewall, and configure it properly.
This chapter discusses the foundations of firewall rules, authentication, and authorization. You will learn how these relate to monitoring and logging, interpreting firewall logs and alerts, intrusion detection, firewall limitations, improving firewall performance; how encryption relates to firewalls; how to evaluate various firewall enhancements; and how to think about security concerns related to firewall management interfaces.
Chapter 7 Topics
This chapter covers the following topics and concepts:
What constitutes good firewall rules
What authentication and authorization are
What monitoring and logging are
How to understand and interpret firewall logs and alerts
What intrusion detection is
What the limitations of firewalls are
How to improve firewall performance
What the downside of encryption with firewalls is
What firewall enhancements are
How to use firewall management interfaces
Chapter 7 Goals
When you complete of this chapter, you will be able to:
Construct examples of common firewall rules
Design a policy to guide effective firewall monitoring and logging
Discuss the limitations and weaknesses of firewalls
Describe methods to manage firewall performance
Define the concerns of encryption related to firewalls
Evaluate the benefits and drawbacks of firewall enhancements
Demonstrate how to access and use firewall management interfaces
Firewall Rules
Firewalls filter traffic using rules or filters. All firewalls, of whatever type—static packet filtering, stateful inspection, application proxy, circuit proxy, or content filtering—use rules to filter traffic. Rules are instructions that evaluate and take action on traffic traversing the network.
Generally, two main philosophies or security stances govern the use of rules: default deny or default allow. Default deny is also known as deny by default or deny all. Default allow is also known as allow by default or allow all. These two rules define the foundation for rules governing traffic crossing the firewall.
A default-deny stance assumes that all traffic is potentially malicious or at least unwanted or unauthorized. Thus, everything is prohibited by default. Then, as benign, desired, and authorized traffic is identified, an exception rule grants it access. This is known as deny by default/allow by exception. This method of rule creation allows security administrators to focus on what is wanted or needed rather than watching out for all possible forms of unwanted or malicious activity.
A default-allow stance assumes that most traffic is benign. Thus, everything is allowed by default. Then, as malicious, unwanted, or unauthorized traffic is identified, an exception rule blocks it. This is known as allow by default, deny by exception. This method of rule creation forces the security administrator to be on constant watch for new and different forms of unwanted, unauthorized, and malicious activity.
Most security experts agree that deny by default/allow by exception is the more secure stance to adopt. This stance automatically prevents most malicious communications by default, while the opposite allow-by-default stance allows most malicious communications by default. In most situations, fewer exceptions are required for a default-deny solution than for a default-allow system.
Firewall rules are used to control what traffic enters or leaves a secured network area. Depending on where the firewall is positioned, this mechanism can protect the private network from the public Internet or filter traffic between internal subnets or departments. The security administrator or the dedicated firewall administrator configures firewall rules in accordance with the organization’s security policy.
Most firewalls, both hardware and software varieties, usually come pre-configured with rules
above and beyond their default rule. Firewalls are normally factory-configured in a deny-by-default stance with some common exception rules thrown in for end user/customer convenience (Figure 7-1). Often, these rules allow the most common forms of communication to occur across a new firewall without requiring you to fully configure the firewall upon initial installation. Some of the more common factory default rules allow for Web, e-mail, IM, and file transfer through common Internet services on default ports.
While this can be a convenience, it’s never in your best interest to rely upon a third party’s assumptions about your environment or guesses as to what types of traffic you do or do not want to cross your firewalled boundaries. Always take the time to review any factory-installed rules before deploying them in the production environment. Delete or disable any rule that you do not need or want. With regard to any rules that you do want or need, you should double-check to make sure they are in line with your security policy. If you need rules that are not present by default, add them carefully and double-check your work as you go.
FIGURE 7-1
SonicWall’s default rule configuration interface, showing a default deny as the last rule (rule 11).
Your organization will need to decide which rules to define; this is an essential part of its security policy. If the appropriate sections related to firewalls do not pre-define what rules to define on a new firewall, then perform the following procedure:
1. Inventory all essential business processes and communications that will cross the checkpoint.
2. Determine the protocols, ports, and IP addresses of valid traffic for both internal and external hosts.
3. Write out the rules on paper or using a firewall rule designer/simulator. 4. Test the rules in a laboratory environment.
5. Obtain written approval for the rule sets from a change approval board. 6. Document the rules into a security policy procedure amendment and submit the amendment
to the security policy management team for inclusion in the official document.
Ultimately, this is the basic process for creating any new element of security. The goal always is to have a written security policy for every security component. If no current policy or procedure defining the steps to take for the deployment of a new security element exists, then you must write, test, and get approval for a new policy or procedure. Once a procedure exists, use it to judge successful deployment.
The exact rules to add to a new firewall are completely dependent upon the business processes that are unique to every organization. However, some common types of rules are found on most firewalls. These include:
Access to insecure Internet Web sites (HTTP) Access to secure Internet Web sites (HTTP over SSL or TLS) Access to other Internet Web site protocols (SQL, Java, and so on) Inbound Internet e-mail Outbound Internet e-mail
If other Internet services are essential to a business task, rules allowing or enabling such communications would be needed. Try to keep the number of rules to a minimum, however. Grant access only to traffic that is essential. For each rule added to a firewall, you are increasing its attack surface—and therefore its security vulnerability.
Keep in mind that most network communications are two-way transactions, exchanges, or sessions. Often, an internal client makes an initiation request to an external server. The server responds and sets up a communication channel, often called a virtual circuit (at the Transport Layer based on TCP) or, more generically, a session. Traffic can traverse the session in either direction. Thus, most rules should allow inbound responses to initial outbound requests.
Depending upon the firewall, a single rule can sometimes define both the outbound and inbound communication parameters. Other firewalls need two separate rules—one rule for the initial outbound request and a second rule to handle the resultant inbound response. In either case, each desired session-based communication service must be supported or allowed through proper two-way rule construction.
In addition to rules that allow traffic based on internal user initiation, consider rules that manage inbound communications for externally initiated communications. When a firewall is to allow an external host to request access to internal resources, you need to create an inbound rule or ingress filter. Define rules that allow inbound initiations only if external entities need to access services and resources hosted internally.
Otherwise, allow the firewall to serve its primary purpose and prevent outsiders from gaining easy access to internal systems. Most firewalls deny by default all access to internal resources from external entities. This is done either by ignoring all requests received on a specific interface (such as on dual-homed or triple-homed firewalls) or by having a specific rule (or a set of rules) that filter out
all traffic originating from non-internal IP addresses. A firewall rule can also be called a filter or an access control list (ACL). These terms are often
used interchangeably in documentation, in books, and in the firewall’s own configuration or management interfaces. Don’t be confused by this. A rule is a written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more actions to take when the item of concern appears in traffic. A filter is the same thing as a rule, but the point or purpose of using this term is to stress the intention to block or deny unwanted items of concern. The use of the term ACL stresses the intention to grant or deny traffic on an access control/authentication basis. An ACL focuses on controlling a specific user or client’s access to a protocol or port.
Rules allow traffic to pass unhindered or block or deny traffic to prevent it from reaching its intended destination. A rule can also include a logging element so the traffic can be logged whether allowed or denied. The concept of firewall logging and monitoring is discussed later in this chapter.
technical TIP Use your firewall to ensure that only properly originated communications are authorized. Unless you are running internal services (such as a Web server), external entities should never be able to initiate a connection.
technical TIP Most session-based communications will use a well-known default port for the destination port where the service or resource resides. They will use a randomly selected higher order port (any port above 1,023) for the client source port. Most firewalls, especially those capable of stateful inspection, will automatically handle and adjust for the random source port when establishing a session. If this is not the case with a specific firewall, you may need to create a custom rule or consider replacing the firewall with a better product.
Setting up or defining rules for a home, portable host, or SOHO environment can be fairly easy if the number of different types of access is minimal. But, as the number of controls, limitations, restrictions, and exceptions increases, defining rules properly can become more complex. Obviously, larger networks with more advanced infrastructures and communications require more intricate sets of rules.
The basics of defining or crafting rules are the same (or at least similar) across all firewall products. However, some firewalls support editing or writing the rules directly while others employ a graphical interface or use a design wizard to accomplish this task. Software host firewalls, especially those designed for end users, typically use a graphical wizard–based system, while
hardware firewalls typically expose the raw rule itself. Most rules have six main elements or components (Figure 7-2):
Base protocol—Set as TCP, UDP, ICMP, and potentially other Layer 2, 3, or 4 protocols. Source Address—Set as a specific IP address, a subnet, a range of addresses, or ANY for all possible addresses.
Source port—Set as a specific port, a set of ports, a range of ports, ports less or greater than, or ANY for all possible ports.
Target address—Set as a specific IP address, a subnet, a range of addresses, or ANY for all possible addresses.
Target port—Set as a specific port, a set of ports, a range of ports, or ANY for all possible ports.
Action—The two standard actions are Allow and Deny. Some firewalls include Log and Alert actions that allow additional actions in a single rule.
FYI Some firewall rule systems include application protocol designations in the rule set. This is usually a human-friendly naming convention pointing out the Application Layer protocol rather than an element of the filter used to select traffic. However, some firewall interfaces will substitute a common protocol name for the destination port. For example, port 80 would be displayed as HTTP and port 25 as SMTP. However, these are usually for human viewing; the port number itself is still used in the actual protocol-level filtering activity.
FIGURE 7-2
SmoothWall’s rule configuration interface.
Depending upon the firewall, TCP and UDP rules (as well as ICMP, IGMP, ARP, and other OSI Layer 2, 3, or 4 protocols) may be defined in the same place or within different interfaces, pages, or rule sets. When all rules are defined in the same place, use an additional rule element designating TCP, UDP, ICMP, and so on. All of the following examples of rules assume TCP-based communications, unless otherwise noted.
The common rule structure is:
When defining outbound rules, the source address and port are often set as ANY unless the rule is to apply to a specific system(s) or port(s). For example, a rule that allows any internal client on the 192.168.42.0/24 subnet to access any insecure Internet Web site would be:
A rule to allow access to any secured Internet Web site would change the destination port 80 to 443:
A rule to block internal clients from accessing Internet based FTP sites would be:
FYI Keep in mind that firewall vendors may have crafted unique management interfaces that display firewall rules differently than the basic line form discussed here. For example, some firewalls have a configuration page for allow rules and a separate page for deny rules. In that example, the rules on each page would not include an Allow or Deny action, as the page they are defined on implies the action.
When defining inbound rules, the source address and port address are often ANY unless the rule is to apply to a specific system(s) or port(s). For example, a rule that allows any external host client to access an insecure Web site hosted on the 192.168.42.98 would be:
An inbound rule to deny external hosts access to a telnet server hosted on the same internal system as the Web server would be:
Generally, inbound rules are needed only when an internal resource is specifically hosted for the purposes of being accessed by external entities. This type of rule is commonly found on DMZ and extranet firewalls, but shouldn’t be used on intranet border firewalls. The only common inbound rule that might be required is one that allows responses to previous internal client requests to resources outside of the network. A stateful inspection firewall usually allows response traffic automatically, but static filtering firewalls might require a specific respond rule set, such as:
When a UDP rule set needs to be defined, you must either switch to a different rule set interface on the firewall, or change the protocol designation from TCP to UDP. Assuming a firewall interface with a leading protocol designation for each rule, a rule set allowing user queries with an internal DNS server at 192.168.42.104 by external entities, but blocking attempts to perform DNS zone transfers, could be:
To write a firewall rule controlling ICMP, change the protocol designation to ICMP (or change interfaces) and define an ICMP type. The port designations are dropped completely (as they are not used by ICMP at OSI Layer 2). Multiple ICMP rules can be defined for various sub-types to allow some ICMP traffic and a deny-all catchall rule for everything else. For example, to block only inbound ICMP Echo_request packets, use the following filter:
technical TIP The ICMP protocol’s header defines the purpose of the protocol’s control message through the use of numbered types. There are dozens of defined types. The most commonly used are Type 8 Echo Request, Type 0 Echo Reply, Type 3 Destination Unreachable, and Type 11 Time Exceeded. Many types are further specified with the use of a numbered code. For example, Type 3 Code 3 is destination port unreachable.
For a more exhaustive presentation of the ICMP types and codes, please read RFC 2939 at
http://www.iana.org/assignments/icmp-parameters.
When defining firewall rules, keep a few basic guidelines in mind:
Keep the rule set as simple as possible. Document every rule. Use a change control mechanism to track rule modifications. Always confirm the default deny before using changed/updated rule sets.
A simple rule set is a set with as few rules as possible. Fewer rules mean fewer complications. Fewer rules mean less chance for a loophole. Fewer rules are easier to test. Fewer rules are harder to attack and compromise.
Every rule enforced by a firewall should be written in the security policy. Only rules in the written security policy should be enforced by a firewall. Anytime you need to change a firewall rule, first update the security policy, then reconfigure the firewall to match the settings defined in the security policy. Always fully document the rules actively filtering traffic.
Do not just document that a rule exists and what the basic rule structure is; also include a description of the intention or purpose of the rule. Sometimes, a rule written in a way that appears straightforward may not perform the intended purpose. When other security administrators review the documentation and examine the rules, they may see the discrepancy and correct it. Get in the habit of making notes about intentions, thoughts, and concerns. Often, these stray comments will lead to solutions or assist in future troubleshooting.
A change control mechanism tracks and monitors the changes to a system. It does this by recording every change, modification, or adjustment. Often, a change management solution requires manual change logging; thus, it must be enforced and followed by a written component of the security policy. The change control process produces historical documentation of the state of security components. Change documentation is often essential in troubleshooting and repair.
Most firewalls operate on a default-deny stance, but it may be possible to modify this stance. Stance modification may be a general setting in the overall configuration of the firewall, or it might just be the last rule in the rule set. If it’s just a rule, be sure that the final rule is always default deny and that the default-deny rule is never edited or modified. A default-deny rule should look like or enforce filtering as follows:
Since a firewall is a first-match-apply rule-based system, rules are ordered on the firewall. Traffic is compared with each rule starting from the top rule. If a rule matches the traffic, the rule’s action is applied. Once a matching rule’s action is applied to the traffic, no further rule matching is attempted. If the traffic does not match any rule except the final rule, then it will be denied by default. All rules previous to the default deny can be either exceptional Allow actions or specific Deny
actions. No matter what the structure of the rules or the number of rules in the set, always ensure that there is a default rule.
Here is an example of a basic TCP rule set:
FYI All of the firewall rule examples are using the default common port for common services as defined by http://www.iana.org/assignments/port-numbers.
This collection of seven rules performs the following filtering functions:
Allow response to TCP connections to internal hosts. Prevent the firewall (192.168.42.1) from directly connecting to anything. Prevent external hosts from directly accessing the firewall. Allow internal hosts to access external resources. Allow external hosts to send e-mail inbound to the e-mail server at 192.168.42.55. Allow external hosts to access an internal Web server at 192.168.42.98. Apply a default-deny rule to all traffic not matching a previous exception.
Building a rule set is not complex, but it does take focus on the details. Be sure to use a single IP address for a single host and the correct subnet or range designation for a collection of hosts. Specify the port when possible; otherwise, use a valid port range. Include specific Deny rules when needed. Remember that in the first-match-apply system that is a firewall, order matters.
To grant every system but a few specific ones access to a resource, you need a rule to block the few and allow the rest. Position the Deny rule of this set before the Allow rule of the rest since the Allow rule will likely be an ANY-based rule instead of naming all of the many that are granted access.
When the wrong rule is positioned first, this creates a potential loophole. A loophole is a flaw in the logic of filtering that will allow an unwanted action to occur. A firewall can perform only the
operations for which it is programmed, and the specifics of and the order of the rules are a form of programming. Take the time to evaluate, test, and verify that you have defined all firewall rules correctly and placed them in the best order.
If getting the rules in the right order seems daunting, the following general rule of thumb usually results in less access rather than greater access: List specific Deny rules first, then the Allow exceptions, and always keep the default-deny rule last. At best, this will result in exactly what you want and expect. At worst, more things will be blocked than you intended, but that is usually a better security stance than allowing more things than you intended.
As rule sets get larger, they become more complex. Often, the complexity stems from having explicit Allow rules with additional Deny specifications. This results in rules that overlap. Overlapping is acceptable when you understand it and use it on purpose. When overlapping occurs accidentally, it can result in undesired loopholes. Again, the solution is to keep the rule set as simple as possible, document every rule with its intentions, and test the rule thoroughly before deployment.
With this basic understanding of rules, your next step in understanding and deploying firewalls is to consider the options for authentication and authorization across the firewall.
Authentication, Authorization, and Accounting
Authentication is the process of verifying the digital identity of an entity—for example, an employee, a customer, a server, an application, a Web site, a smart meter, a cell phone, or a security guard. Authentication is also commonly called logging on. Authorization is the process of defining which resources can be accessed by an electronic entity and what level or type of access is granted. Authorization is also commonly called access management or privilege management
Authentication can take place at the firewall itself or be passed through the firewall to take place beyond the firewall. Authentication at the firewall takes place when the allow/deny decision is dependent upon the identity of the host or user. Authentication beyond the firewall happens when the allow/deny decision is not dependent upon the identity of the host or user; instead, the firewall filters for traffic characteristics and leaves authentication up to the internal host receiving the connection.
When authentication takes place at the firewall, the firewall itself serves as the gatekeeper, allowing communication beyond the firewall (or not). Whenever different types or levels of port, protocol, or circuit access are granted based on individual user identity or membership in specific groups, authentication at the firewall takes place.
When authentication takes place at the firewall, the firewall itself can perform the logon process or it can forward the task to a dedicated authentication service. Native firewall authentication methods can be basic, such as supporting a username and password online, or complex, such as supporting credit card payments or the use of smart cards. However, most firewalls have a limited number of authentication options.
Generally, authentication on or at a firewall supports only one—or at best a few—options. At- firewall authentication often requires defining credentials on the firewall separately and distinctly from any identity on the network. Thus, most at-firewall authentication solutions do not integrate into a network’s single sign-on system. For this reason, large organizations rarely employ at-firewall authentication.
FIGURE 7-3
A firewall handing off authentication tasks via 802.1x to a dedicated authentication server.
When a firewall hands off the authentication task to a dedicated authentication service that performs the logon process on behalf of the firewall (Figure 7-3), a much wider assortment of authentication options becomes available. A common use of this mechanism is IEEE 802.1x. IEEE 802.1x is known as port-based network access (admission) control (PNAC). In this term, port is not referring to a port number in OSI Layer 4; instead, it refers to a more generic reference of a connection point to a network infrastructure.
IEEE 802.1x is commonly found on many network devices, including firewalls, switches, routers, and wireless access points. It also has the nickname of “portal authentication.” An 802.1x device establishes the initial electronic connection or virtual circuit between the requesting host and itself, but before communication to a host beyond the portal device takes place, authentication must occur. 802.1x can support RADIUS, TACACS, Kerberos, certificates, passwords, smart cards, biometrics, special access codes, and even credit cards as means of authentication.
Handoff authentication, such as when 802.1x is used, is a fully scalable architecture. You can use it to manage at-firewall authentication for any number of users or hosts. The only limitation to 802.1x is the scalability of the authentication server that takes over the responsibility of managing logons on behalf of the firewall.
When authentication takes place beyond the firewall, the firewall makes allow/deny decisions based on traffic factors rather than user- or host-identification factors. In this configuration, the firewall is not involved in the authentication process. Instead, the host beyond the firewall that receives the communication handles any necessary authentication.
For example, a firewall can protect a DMZ. Most DMZ firewalls do not perform at-firewall authentication. Instead, the Web servers hosted in the DMZ can provide both anonymous content and authenticated content to visitors. Visitors log on using any means of authentication supported by the Web server, the protocols in use, and the visiting client. Commonly, this is forms-based authentication secured through an SSL or TLS encrypted session.
When any form of authentication takes place, whether at or through the firewall, you should always encrypt all authentication-related communications. Non-encrypted or plaintext authentication traffic is subject to eavesdropping and thus theft of credentials. Encrypted authentication traffic is resistant to eavesdropping as well as replay attacks and in some circumstances even man-in-the- middle attacks.
Many different authentication protocols, both encrypted and plaintext, can be employed by at- firewall or beyond-firewall authentication. Whatever the solution, evaluate all authentication options in light of their native security and inherent risks. If you are using authentication encryption, realize this does not ensure that subsequent data exchanges are automatically encrypted. Select solutions that provide protection for authentication traffic as well as data traffic.
You can avoid authentication completely with anonymous connectivity. In an anonymous connection, the user and/or host identity is unknown and access is granted or denied based exclusively on the traffic content and the proper formation of resource requests. For example, public Web site access can be anonymous, such as at Wikipedia (http://www.wikipedia.org), which supports mostly anonymous connections to its online community encyclopedia.
Authorization takes place after authentication. Authentication determines, within established parameters, who you are. Once that is known, it is possible to determine whether you are allowed to do what is requested. Authorization, like authentication, can take place either at the firewall or beyond the firewall. When authorization takes place at the firewall, the firewall itself makes a decision on allowing subsequent communications across the firewall. This is sometimes known as controlling the circuit. If the authenticated user does not have access to a resource, the firewall will block or drop the connection. If the authenticated user does have access to a resource, then the firewall allows and supports the connection.
Usually, the firewall is involved only in authorization of the connection or circuit. Any content within the subsequent communication might be subject to content filtering, but that’s a distinct and separate service and function of the firewall. This form of authorization control is the same as a circuit proxy.
When authorization takes place beyond a firewall, just as with beyond-firewall authentication, the destination host controls what is and is not accessible to users. The firewall is involved only in monitoring for abuses or potentially filtering content. When the firewall performs content filtering on a communication not managed by the at-firewall authorization, this is the same as an application proxy.
While authentication and authorization are commonly used together to control users’ access based on their identity, they can be employed independently. For example, a firewall performing at-firewall authentication does not need to also provide separate authorization. If users authenticate, then they have access to whatever is beyond the firewall. If users fail to authenticate, then they do not have access. In this example, the authentication process itself is a form of authorization.
Similarly, a firewall can perform at-firewall authorization without authentication. This is the basic or normal function of firewall rules. Authentication is assumed when addresses and ports in traffic headers “identify” the communications; the rule sets themselves provide authorization restrictions. If a port is closed, access is denied. If a source address is blocked, access is denied.
Authentication and authorization are important components of a complete network security structure. Use these services on a firewall or beyond the firewall as necessary. Additional important services related to firewall security are monitoring and logging of traffic and events that occur on or across a firewall.
The third A in AAA is accounting. It is different from financial accounting in that it logs what a user has done on the system. In other words it keeps track of who did what to which assets via one or
more log files.
NOTE One example of a device able to record all traffic within a sliding period is the Solera DS series of network forensic appliances. For more information on this type of advanced network monitoring product, visit Solera’s Web site at http://www.soleranetworks.com/.
Monitoring and Logging
Monitoring and logging are the watching and recording of events and traffic that take place on or across a firewall. While in theory you can record every packet traversing a firewall, this is usually impractical because the storage space required would be immense. Certain products can maintain a sliding window of recorded traffic encompassing hours of communications using multiple terabytes of storage. However, these devices are for advanced security management and beyond the scope of this chapter.
FIGURE 7-4
An example of SmoothWall’s firewall logging display interface.
Firewall monitoring and logging are about recording events that take place on or across a firewall (Figure 7-4). You can use various approaches to logging. You can log everything, or you can log only
events of seeming importance. Generally, you will fine-tune logging through real-world experience over time. Most security professionals recommend capturing everything initially. Later, you can tune logging and reduce it once you’ve identified specific types of information, traffic, or events as having no forensic, evidentiary, or historical value.
Firewall logging ensures that the defined filters or rules are sufficient and functioning as you expect. By watching traffic coming through a firewall’s filtering scheme, you can discover traffic the firewall should have blocked, but for which an effective rule was not defined (or properly defined). Firewall logging helps to confirm that the restrictions imposed by the firewall are functioning as you expect and the security you assumed the firewall would provide is actually present.
Generally, record every connection allowed by the firewall as well as every packet dropped or blocked. This stance of “log and monitor everything” ensures that nothing goes unnoticed and that future investigations of log file contents will reveal complete data. You can always throw out extra and unnecessary data later, but you can’t recover important data not recorded during the actual event.
Firewall logging can take place on the firewall itself or offload to a dedicated logging system. In either case, the firewall itself collects the event and/or packet you want to record. The difference is whether the information goes into a log file stored locally on the firewall or moves across a network connection to a dedicated logging server.
One well-known and widely used centralized logging system is syslog. Syslog is a standard for forwarding log messages from a client device (the firewall in this situation) to a centralized server. Linux and Unix systems have supported syslog capabilities for decades. Windows systems prior to Windows 7 required third-party products to interact with syslog services. Most network devices, including firewalls, switches, proxies, and so on, natively support syslog.
Firewall logging:
Creates a historical record of activity for traffic and trend analysis as well as growth prediction
Tracks usage levels and times for load balancing, accounting, or even back-charging users Discovers new methods or techniques of attack, especially those based on network packet manipulation
Detects intrusions or attempts to breach security Creates legally admissible evidence for use in prosecution
Having a firewall log of all events produces a significant amount of recorded information. Always track available remaining storage capacity to ensure sufficient space remains to store new logged events. As a current storage device reaches capacity, back up and move the records into long-term archival storage. In a future investigation, you can never know how far back you’ll need to look to discover evidence of a security breach. Your organization’s written retention policy should define how long you will retain logs.
In addition to juggling the storage requirements, you will need to be able to analyze logged data. Log file analysis is not usually an exciting proposition for most people. Long and tedious, it can be mind-bendingly boring. Fortunately, a growing field of automated analysis tools can reduce the time and burden of log file investigation. Firsthand knowledge, understanding, and experience are always
the best tools for interpreting and understanding firewall log contents. Upon infiltrating your network, one of the first steps most experienced hackers take is to remove
all evidence of their activities. They normally do this by deleting log files or surgically editing log files with specialized tools. For example, WinZapper is a tool that edits Windows log files and removes only those entries matching a keyword such as an IP address or username. To combat this potential threat, use a write-once read-many (WORM) storage device to save all log files. Intruders cannot edit data written to a WORM device.
If you make the decision not to record everything taking place across the firewall, here’s a short list of essential things to log:
All connection attempts rejected by the firewall All traffic directed at the firewall Any access to internal resources by external hosts Any access to external resources by internal hosts Any modification or disabling of firewall rules and filters All firewall reboots, storage device shortages, or other abnormal operational events
Every firewall management interface is different. Thus, the methods and mechanisms you employ to configure your specific logging and monitoring will be different as well. Always be sure to consult the firewall’s documentation about the type of logging and what types of events are logged before deploying a firewall.
Define firewall logging in the firewall security policy included in your organization’s written network security policy. The logging and monitoring features of a firewall are as essential as the rule and filter mechanism you use to allow or deny traffic. Configuring and recording logs is important, but understanding how to interpret firewall logs is more important.
Understanding and Interpreting Firewall Logs and Alerts
Enabling firewall logging is often a fairly simple task. Recording traffic and events into a file is not really a complex task. But deciding which events warrant the triggering of an alert and what the contents of a log file actually mean is not always so straightforward.
An alert is the automated notification of an administrator when a specific event affects the firewall. Some software host firewalls are preconfigured with a wide number of pop-up messages triggered each time one of the all-too-common activities occurs. For example, each time a new application attempts to communicate with the network, a firewall pop-up alert might notify the user of this event and prompt an action (Figure 7-5).
FIGURE 7-5
An example of a Windows Firewall pop-up alert.
Appliance firewalls and those generally designed to protect a network rather than a single host are not as commonly configured with pre-set default alerts. Instead, the firewall administrator makes choices about what events actually need alerts. Some common events that usually warrant alerts include:
A firewall reboot A connection attempt with the firewall host itself. Communications to or from a pre-identified IP address or subnet Detection of some or all attack attempts Detection of any successful intrusion or security breach
Ultimately, the organization’s security stance and the level of risk determine which events require alerts as opposed to simply recording them in a log file. A common recommendation is to alert only on those events likely to require an administrator’s immediate response or action. Everything, or nearly everything, should go into a log, but not everything warrants an alert.
With or without alerts, a firewall’s logging system creates a massive amount of raw data that isn’t useful. You can perform analysis of a log file either in real-time or in periodic batches. You can hire a large staff of professionals whose primary task is to perform real-time log file analysis, or you can use an automated analysis or IDS/IPS tool. In most cases, automated log file analysis tools both reduce the strain on manpower and leverage the power of high-speed computing against the massive volumes of information collected by network firewalls.
Through careful analysis of firewall logs, you can detect several different types of unwanted or malicious activities, including worms, Trojan horses, remote control tools, port scans, and directed intrusion attempts. When you perform manual log analysis, the first hurdle is to gain access to the log file content.
Many firewalls record their log files in binary or obfuscated form so that they are difficult for external or unauthorized users to access. Such log files require administrators to access the log
contents through a log reading interface. Some third-party products function as alternative management interfaces and can also interpret the log file format for viewing.
Once you obtain access to the log contents, either directly or through an interpretation interface, the next hurdle is to ensure you are viewing the correct log. Several different types of log files can operate on your system, including traffic logs, audit logs, alert logs, console logs, and even a host device’s OS logs for software host firewalls. Another nuance is that the firewall device itself, a management host, or a centralized logging server might store its own logs. Finally, several dated versions of a log might exist. Be sure to open or access the most recent log—or whatever date range is of relevance to a specific investigation.
Of course, the key to interpreting and understanding the contents of a firewall log lies in understanding how network communications function. Every communication session involves two hosts, each with its own IP address and port number. Some forms of communications have less information, such as blocked connection attempts, connectionless traffic, and Layer 3 protocols such as ICMP and IGMP.
By examining each established session to evaluate the source and destination IP addresses and the port numbers in use, you can quickly determine whether the transaction was valid or invalid. If the addresses are known—or at least not known to be malicious—and the ports are for acceptable services, then the communication is most likely benign. However, if an address is a known malicious host or an invalid address (such as an unassigned internal address) or you discover a known malware port, these are signs of unwanted and potentially malicious communications (or at least attempts to communicate).
IANA and some security vendors maintain a list of well-known port numbers and the associated applications. They often list known malicious software and their commonly used port numbers. Search for “malicious ports” or “Trojan ports” to find current lists.
To examine and interpret firewall logs, you might:
Identify and discard all packets involved in benign sessions between valid hosts and valid ports.
Identify and discard all valid UDP transmissions from and to valid hosts and ports. Identify and discard all valid ICMP (and other authorized protocols) to and from valid hosts. Identify any communication from known malicious addresses. (This is a symptom of communications from known malicious hosts).
Identify any communication from unauthorized or unassigned internal addresses. (This is a symptom of rogue internal hosts.)
Identify any communication to an unknown or unauthorized port on an internal host. (This is a symptom of rogue internal services.)
Identify any patterns of serial communication attempts across a sequential or randomized set of addresses and/or ports. (This is a symptom of scanning or probing.)
Identify significant volumes of non-session traffic of the same or similar construction to one or a small group of internal addresses. (This is a symptom of flooding.)
Identify any packet of invalid size or invalid header construction. (This is a symptom of
scanning, probing, or an exploitation attempt.) Identify any packet with configured source routing. (This is a symptom of attempted intrusion or traffic shaping.)
Identify packets destined to non-resource-sharing systems, such as firewalls or routers. (This is a symptom of probing, network scanning, or an exploitation attempt.)
This is just the start of a firewall log file analysis procedure. For each and every threat, exploit, attack, or concern that an organization wishes to identify, add a step to search log contents for the appropriate symptoms. Remember that many symptoms are shared across a wide variety of malicious activities.
Keep in mind that hackers can perform malicious activities within seemingly benign traffic. This is especially true when the payload of traffic is the malicious content itself. Firewalls can detect malicious or abnormal characteristics based on header information and packet construction oddities, but many types of malicious payloads are not firewall filterable. For example, password guessing against a logon prompt is typically not a filterable activity. An intrusion detection system (IDS) or an intrusion prevention system (IPS) could potentially detect online password guessing, but a firewall cannot.
This brings up an important issue discussed previously, but it bears repeating: Firewalls are not perfect. Firewalls are only part of a security infrastructure; they are not the totality of security in and of themselves. Even when you use them properly, firewalls have limitations. For example, they are of no help in protecting against an insider attack. Firewall limitations are discussed further later in this chapter.
The best tool for interpreting the contents of a firewall log is solid and thorough familiarity with the normal and expected traffic that occurs across a network. By knowing what is normal and expected, you are much better prepared to detect and identify the abnormal and unexpected. Keep complete configuration documentation and actively seek direct, hands-on knowledge and experience to improve your ability as a firewall administrator to examine, interpret, and take action on the contents of log files.
Intrusion Detection
A firewall is a border sentry device. A controlled network border sentry device filters any traffic attempting to cross. However, not all traffic that needs monitoring crosses a network border guarded by a firewall. That’s where an intrusion detection system comes into play. An IDS or an IPS monitors internal hosts or networks, watching for symptoms of compromise or intrusion. Effectively, an IDS is a form of burglar alarm that detects when an attack is occurring within the network.
An IDS serves as a companion mechanism to a firewall. Once an IDS detects an intruder, it can send commands or requests to the firewall to break a connection, block an IP address, or block a port or protocol. You must configure the firewall to receive these commands and authorize the IDS to send them. However, not all IDSs and firewalls are compatible in this manner.
Eventually, security professionals developed the IPS concept. The IPS strives to detect the
attempt to attack or intrude before it can be successful. Once detected, the IPS can respond, preventing the success of the attempt, rather than waiting until after a successful breach to respond. IPSs do not replace IDSs. Instead, they are often used as an initial layer of proactive defense, relegating the IDS to a reactive measure against those events that the IPS misses or that internal personnel perform.
IDS and IPS are important components of a complete network security solution. However, they are not without fault. IDS/IPS solutions can create a false sense of security under certain conditions. Two commonly discussed conditions include unknown zero day attacks and false positives.
When unknown zero-day attacks threaten the network, an IDS or IPS might not have the mechanism to detect them. Thus, the lack of an alarm could cause administrators to assume that no attacks are occurring. In most cases, the lack of an alarm does mean that nothing malicious is happening. So this assumption is not completely unwarranted. But if an IDS never triggers an alarm, you probably have a poor detection system rather than the complete lack of compromise attempts or attacks.
When an IDS fails to detect an attack, whether it’s a zero day or a known attack that was simply overlooked, this is called a false negative. A false negative is one of the most problematic issues with an IDS, as it can lull the organization into a false sense of security. When alarms are not going off, it’s common to assume that no malicious events are taking place. If that’s a false assumption, then real attacks are occurring and the security staff is unaware. This is the worst type of security breach.
False positives may create a false sense of security for the opposite reason—namely too many alarms from benign occurrences. Remember the story of the little boy who cried wolf? After the initial alarms turn out to be benign activity, the urgency of responding to alarms diminishes. After additional false positives, an administrator might put off investigating the alarms. Eventually, you ignore the alarms altogether. Once this situation arises, you treat even alarms for malicious events as false positives, once again reinforcing a false sense of security.
IDS and IPS can use rule-based detection mechanisms similar to those of a firewall, but they can also employ detection mechanisms borrowed from antivirus technology. For example, some IDSs and IPSs have a database of signatures or patterns of known malicious activity. This is known as signature-based detection, database-based detection, or knowledge-based detection. Any attack within the database can be detected in live activity by the IDS.
Another form of detection is anomaly based. Anomaly-based detection systems look for abnormalities. To do that, you have to first define “normal.” Normal can be defined by rules or filters that prescribe all of the valid packet constructions and header contents. Then, anything that fails to match the definition of normal is an anomaly. Since mistakes, errors, and poor network application programming can occur, an anomaly is not necessarily malicious or an intentional attack.
Yet another detection mechanism is behavioral based. Behavioral-based detection looks for differences from normal based on a recording of real-world traffic that establishes a baseline. A normal baseline can be recorded over hours or days. Once recorded, it’s the yardstick to measure all future activities. Any future event not similar to behaviors in the baseline set represents a possible violation.
As with anomaly detection, behavioral-based detection has its own limitations. For example, all forms of benign behavior may not have occurred during the behavior recording time. Or, during the
recording period, malicious events might have taken place. In either case, future situations can generate false positives (mistaking benign behavior as malicious) or false negatives (mistaking malicious behavior as benign).
Some IDSs and IPSs can import and interpret firewall logs as another source of information in their efforts to detect unwanted activity. Thus, in addition to reviewing log files manually or with separate investigation tools, they can also benefit IDSs and IPSs and improve their scope and effectiveness.
IDS and IPS are not substitutes for firewalls, but are potential supplemental or companion solutions that might expand the effective detection methods already available. When you are considering an IDS and/or IPS to improve the filtering already provided by a firewall, carefully consider deployment options and thoroughly plan out the improved infrastructure. Compare the plan to a typical IT infrastructure and consider where the placement of an IDS and/or IPS makes the most sense for your organization.
Limitations of Firewalls
Firewalls are essential components of security. Systems ranging from standalone home systems to global IT infrastructures all need firewalls as part of their overall security solution. However, firewalls are not perfect solutions. In fact, when it comes to firewalls, you need to account for several well-known limitations in their design and management.
Firewalls are ultimately software code written by humans. In either a host firewall or an appliance firewall, the logic and controlling mechanisms of the firewall are software code. Software code is designed and written by people. Whenever people are involved, the possibility exists that they will make mistakes or oversights. Fortunately, most firewall products are rigorously and thoroughly tested as a counterbalance to this threat. But nobody should assume that the firewall software code is inherently perfect.
It doesn’t happen often, but it has happened—and will happen again—that administrators and hackers discover software coding bugs or flaws in real-time use. Hackers are constantly using scanning, testing, and probing tools to discover exploitable weaknesses. Once a vulnerability appears, a hacker will create an exploit that takes advantage of the flaw. Some exploits have caused firewalls to freeze or crash, while others have given hackers the ability to read or adjust filtering rules.
Some exploits are based on buffer overflows. A buffer overflow is a condition whereby a memory buffer exceeds its capacity and extends its contents into adjacent memory. Hackers often use this as an attack against poor programming techniques or poor software quality control. Hackers can inject more data into a memory buffer than it can hold, which may result in the additional data overflowing into the next area of memory. If the overflow extends to the next memory segment designated for code execution, a skilled attacker can insert arbitrary code that will execute with the same privileges as the current program. Improperly formatted overflow data may also result in a system crash.
Once the firewall vendors become aware of an exploit in the field, they quickly develop and release a patch. By having an effective security management and patch management system, you can
quickly test and install such new updates for the firewalls protecting your production environment. If the release of a patch or the application of a patch is delayed, the window of opportunity for hackers to compromise your environment remains open.
Firewalls can sometimes be vulnerable to fragmentation attacks. Fragmentation attacks are an abuse of the fragmentation-offset feature of IP packets. Fragmentation may occur in a network where many different network links join to construct a global infrastructure. Some network segments support smaller datagrams (another term for packet or frame) than others, so larger datagrams fragment into the smaller size. When the fragmented elements of the original datagram reassemble, reassembly of the fragments can cause several potentially malicious reconstructions, such as overlapping and an overrun.
Overlapping can cause full or partial overwriting of datagram components, creating new datagrams out of parts of previous datagrams (Figure 7-6). An overrun can cause excessively large datagrams to be constructed. Other fragmentation attacks are designed to cause DoS or attempt to confuse IDS detection or firewall filtering.
Protections against fragmentation attacks include using modern IDS and firewall filtering features, as well as performing sender fragmentation. Sender fragmentation queries the network route to determine the smallest maximum transmission unit (MTU) or datagram size. Then the sender pre- fragments the data to ensure that no en-route fragmentation will occur.
Firewalking is another known firewall limitation. Firewalking is a technique to learn the configuration of a firewall from the outside. The technique uses a valid IP address of an internal host. Then, from an external system, a hacker attempts to establish a communication session with the internal host over a multitude of different ports. Effectively, this is a form of port scanning, but with the addition of the known internal host, the hacker can learn not only which ports are open, but also which ports actually allow communications with an internal system. Effectively, firewalking discovers the rules or filters on a basic packet filtering firewall. Modern stateful inspection firewalls are usually not as vulnerable to firewalking, as they can detect this mechanistic activity.
FIGURE 7-6
Fragmentation and overlapping
Internal code planting is another known firewall limitation. Firewalls are often deployed as border sentries. They are intended to protect internal systems from communications that originate from external entities. Unfortunately, some security administrators use only inbound firewall filtering, leaving outbound traffic uncontrolled and unfiltered.
In this situation, if a hacker can plant code internally or trick a user into running code, or an employee brings in code of his or her own, the possibility exists that outbound connections to malicious external entities could occur. Many hacker tools are based on this technique, such as Loki, Back Orifice, NetBus, and event netcat. A hacker creates a server of sorts that is hosted on an external host. The automatic connection client utility executes on an internal host. The client utility establishes the connection, and then the external host is able to send data or commands back to the internal client. Often, this form of attack results in a hacker gaining modest to complete remote control over the compromised internal host.
Denial of service (DoS) is another common problem that reveals a limitation of a firewall. A DoS attack, specifically a flooding- or traffic-based DoS, sends massive amounts of data to a target victim. If that victim has a firewall, then the firewall can detect and discard the potential DoS traffic. The firewall’s filtering service can usually prevent the DoS traffic from breaching the network’s perimeter and affecting internal systems.
However, since the firewall has to collect, analyze, and respond to every packet received on its interfaces, a well-organized DoS can consume all available bandwidth of the connecting segment to the firewall as well as consume all of the processing capabilities of the firewall. This in turn prevents any legitimate traffic from reaching the network. Thus, even with a firewall protecting the internal
network, a DoS flooding attack can still successfully disconnect or interfere with external communications.
The vulnerability to DoS flooding is the one limitation or weakness of firewalls that you cannot fix, improve, or repair by either upgrading the firewall or applying a patch. Upgrading to a stateful inspection firewall addresses fragmentation, firewalking, and even internal planting of code. Patching will address programming bugs and buffer overflows. Upstream filtering is one possible countermeasure to prevent flooding attacks from reaching an Internet-facing firewall, but this technology requires cooperation from Internet service providers (ISPs) and other third parties.
Knowing these limitations, as well as recognizing the likelihood of there being others, brings the security administrator back to basics. Security management is mandatory to maintain any semblance of security in any environment. Keep systems current with patches, use a hardened configuration, stay knowledgeable about new exploits, and monitor the environment for successful and attempted compromise. These are the essential, long-term strategies for maintaining security.
Improving Performance
Using a firewall is mainly about establishing and maintaining border security, but security managers must also look into other areas of importance and concern beyond just security. One of these additional non-security areas is performance. Since the goal of security is to protect the production environment, installing security measures that severely hinder capabilities necessary to accomplish work is counterproductive.
One of the most common concerns with the use of firewalls is network communication speed. When selected and installed properly, a firewall should function at wirespeed. Functioning at wirespeed means the firewall does not introduce any delay or latency in communications because it operates at the same speed as the network. If there is a 1,000 Mbps network, then a 100 Mbps– capable firewall is too slow.
Two primary means can help you to improve firewall performance above and beyond purchasing a firewall suitable for the network’s known transmission speed. These two means are caching and load balancing.
Caching is a technique to seemingly improve performance by borrowing from proxy servers. In fact, adding caching to a firewall effectively transforms it into a proxy server for whatever service you configure the caching to supplement. Caching is the holding of often-accessed content in storage or memory on the firewall. Then, when a future request for the same content is received, the cached copy goes into service rather than the original external source. This does require that the content be relatively static and that a staleness value be used to trigger a content refresh.
technical TIP Router load balancing traffic management can use a variety of scheduling algorithms, such as round robin or fair queuing. Round robin simply hands out tasks in a non-priority sequence.
For example, with three firewalls and five transactions, transaction one is sent to firewall one, transaction two to firewall two, transaction three to firewall three, transaction four to firewall one, and transaction five to firewall two. Fair queuing operates by sending the next transaction to the firewall with the least current workload.
Unfortunately, caching is beneficial only on two main services: Web and file transfer. If the potential or actual bottlenecks to performance across a firewall are not due to these two types of communication, then caching is not a good solution.
Load balancing is the distribution of the firewall filtering workload across multiple parallel firewalls. You can use this as shown in Figure 7-7 with a phalanx of two or more firewalls deployed in parallel between routers that perform load balancing traffic management on both inbound and outbound communications. Load balancing allows for deeper packet inspection while maintaining wirespeed performance using parallel-distributed firewall processing.
The use of load balancing often has additional benefits, such as redundancy and fault tolerance. Both of these improve the availability of the firewall filtering service for network communications. Having a fail-safe or fail-secure plan to disconnect communications if the firewall is compromised is essential. However, a more secure and productivity-friendly solution is to maintain continued communication with filtering by having redundant pathways with duplicate firewalls.
FIGURE 7-7
Firewalls deployed in a load-balancing configuration.
The Downside of Encryption with Firewalls
Encryption is a common security mechanism you can employ to protect data in storage and in transit. When used properly, encryption provides confidentiality protection. Encryption prevents unauthorized third parties from gaining access to secured content. With the risk of eavesdropping and data theft constantly increasing, the use of encryption is becoming not just a good idea, but also an essential element of storage and transaction security.
However, encryption does have a downside relative to firewalls. A firewall is typically not the intended destination or direct communication partner of a communication, especially an encrypted communication. Thus, any encrypted data cannot be filtered by a firewall. However, just because packets are encrypted does not automatically mean that nothing about the packet remains in plaintext.
Transaction or communication encryption takes two main forms: tunnel mode and transport mode. Tunnel mode encrypts the entire original payload and header, while transport mode encrypts only the payload. In tunnel mode, a temporary header goes with the encrypted packet to guide its path across the VPN tunnel. In transport mode, the original header remains in plain text.
A firewall can still view and filter on the contents of the tunnel mode header or the transport mode header. However, the tunnel mode header contains details only about the endpoints of the tunnel, not the endpoints of the actual communication itself. So, tunnel mode header filtering is not very useful as a filter against malicious traffic.
Filtering on the transport mode header is a viable option, because the header in the packet in transport mode is not encrypted. Thus, any header-only filtering rules could still apply to transport mode–encrypted communications. However, any filtering that required an examination of the payload will be rendered null.
When building or designing firewall filtering rules, you must make a choice about how to handle encrypted content. Consider both the valid and invalid reasons for content encryption. The organization can choose to support or allow encryption of specific types over specific protocols or ports, but disallow and prevent encrypted communications elsewhere. Encryption for Web communications and e-mail exchanges are often acceptable, while other transactions with the Internet might not be encrypted.
When designing the firewall rules, the management of encrypted traffic can range from full allowance to full denial. Whether to allow encryption over a specific port but not another and whether to allow encryption all the time, for only certain users, or for no one are common issues your organization needs to address and plan for.
No ultimate right or wrong decision about whether to allow encryption across a network border is possible. Decide based on the security stance of your organization, the risk presented by both encrypted and plaintext transactions, and the types of communications essential for your particular business tasks.
A growing trend in secure deployments, especially for DMZ or other hosted resources designated for public access, is to support encrypted communications but have the encrypted tunnel end at or on a firewall. This allows you to examine the contents of the communications before they reach the actual destination. This is becoming a common infrastructure design component for public facing Web sites. Figure 7-8 shows an example of a configuration where SSL or TLS links from external Internet clients end at the firewall; then, they traverse the last segment in the clear to reach the destination Web server.
FIGURE 7-8
A firewall deployed as an SSL/TLS endpoint to allow for Web traffic filtering.
Another concern is that when encrypted traffic crosses a firewall, the firewall is usually unable to perform NAT. This is dependent on the encryption system in use, but it’s worth investigating before deployment. If the encryption mechanism hashes the header, even if it remains in plaintext, the modification to the header by NAT will cause the hash verification process to fail, thus rendering the transmission void. With an encrypted header, NAT will be unable to modify the addresses. Be sure to select encryption protocols that are NAT-compatible if this is a necessary function of the network’s infrastructure.
Firewall Enhancements
Firewalls emerged from basic router traffic control systems into full-featured content filters. However, throughout this evolution, firewalls have remained focused on their primary purpose— namely, detecting unwanted, unknown, or malicious traffic and blocking it. The filtering mechanisms have typically been identification-based. Whether IP address, port, protocol service, MAC address, content keyword, or even user authentication, the Allow and Deny decisions relied directly on easily definable elements.
Modern firewalls now offer a variety of enhancements, improvements, or add-on features that some organizations might find attractive. You should consider the value of these enhancements in light of the ability of the device to continue to perform the essential services of firewall filtering. Do not let the snazzy up-sell add-ons distract you from obtaining and deploying a reliable filtering device.
It seems that all vendors dream up new enhancements to add to their product line each time they refresh, update, or make a product revision. So, be sure to thoroughly research any newly offered enhancement before making a purchase. Just because the bumpers are shiny does not mean the engine runs.
A common or popular firewall enhancement is malware scanning. Adding an antivirus, anti-
spyware, anti-Trojan, anti-whatever scanner to a firewall is not a significant stretch of the core firewall’s capabilities, especially for application proxies and stateful inspection firewalls. The main concerns should be whether such an enhancement can maintain wirespeed performance and whether the firewall’s anti-malware abilities are on par with existing standalone malware protections.
If you are considering a firewall malware scanning enhancement, pay attention to the details. Important considerations are the detection engine and the mechanism of periodically updating virus signature definitions.
Firewalls can also offer IDS and IPS features. In fact, the merging of intrusion detection and prevention is a logical combination. The ability of a single device that can filter traffic as well as watch for and defend against intrusions is attractive. But the question remains: Does the combination device perform both tasks at the same level of exellence as common independent products? If not, then the combination is more of a detriment than a benefit. Also, does the firewall maintain its ability to operate at wirespeed?
Some firewalls are equipped to function as a VPN endpoint. When designing a firewall and VPN architecture, this might be an attractive option, but as with every firewall enhancement, you should evaluate its features and performance against that of standalone solutions.
Unified threat management (UTM) is the deployment of a firewall as an all-encompassing primary gateway security solution. The idea behind UTM is that you can use a single device to perform firewall filtering, IPS, antivirus scanning, anti-spam filtering, VPN endpoint hosting, content filtering, load balancing, detailed logging, and potentially other security services, performance enhancements, or extended capabilities. UTM has its advantages, mainly in the ability to deploy a single product and manage multiple security services from a single interface.
Any given UTM can be a jack-of-all-trades product and a master of none. With many of the larger firewall and security product vendors developing product lines supporting UTM, however, it’s possible to deploy a reliable single-device solution. But even a reliable UTM product remains a single point of failure.
UTMs are obvious improvements to environments that use simple or outdated firewalls and those that lack independent coverage in the non-firewall security categories. An all-in-one UTM device can quickly and effectively improve your organization’s security.
As the trend toward virtualized networks, hosts, and applications continues, the need for security within virtualized networking environments increases as well. Just because the virtual hosts exist in memory alone does not imply that they are immune to hacking or exploitation. In fact, they may be at even greater risk. Include firewalls in the construction of virtualized networks.
You can still use a hardware firewall when traffic between virtual hosts crosses a physical network segment. However, when virtual host communications occur within memory alone, a virtualized firewall is necessary. A virtualized firewall is really the same as a virtualized host; it’s a software construct of a hardware environment that hosts the operating system so it can function in memory rather than on actual physical devices. You can install a software firewall into a virtual host to act as a firewall for virtual network connections. When designing and using a virtualized network, make the effort to include virtual firewalls as part of the infrastructure.
Management Interfaces
You must configure firewalls for them to perform the security functions you expect of them. Every firewall has a management interface used to configure its functions and features. Through the management interface, you can control and define all aspects of a firewall.
A firewall’s management interface may be command-line based (Figure 7-9) or graphical based (Figure 7-10). A graphical user interface (GUI) might be a standalone client application you must install onto a host, or it may be a Web interface hosted on the firewall’s own internal mini-Web server.
FIGURE 7-9
Examples of accessing a firewall (SmoothWall) via command line (SSH).
FIGURE 7-10
An example of a GUI firewall interface (SmoothWall).
A firewall’s management interface may or may not offer encrypted access by default. If the firewall does not offer encryption of the management interface, then you should replace it with a firewall that does. Always enable the encryption so that all future access to the management interface is protected from eavesdropping, interception, and session hijacking. Encryption of the session accessing a firewall’s management interface is the most important and critical aspect of management interface configuration.
Secure a firewall’s management interface both physically and logically. This implies that direct physical contact with the firewall device (or firewall host) will be limited and restricted to authorized administrative personnel only. Prohibit any physical contact or proximity to external or unauthorized entities.
Secure all logical access to the firewall’s management interface through a strong authentication process. If multifactor authentication is supported, use it. If not, require long and complex passwords. Ensure that administrators do not reuse the same password on any other system. Administrators, as well as all users, should never reuse an old password on any system once it expires. Passwords are like milk—they last only so long, even with proper care and storage, and once expired, they can never be reused.
Limit the methods to access a firewall’s management interface. Manufacturers often enable all possible avenues of access to ensure ease of installation upon initial deployment. However, you should disable all methods of accessing the management interface except for the sole secure mechanism selected for use by your organization. Potentially available avenues of access include telnet, encrypted telnet, Web, encrypted Web, SSH, and other proprietary options. Select one of the secure options and disable the rest.
Also, consider the communication pathways for accessing the management interface. Usually, the
physical cable connection port, often labeled as CON for console, TER for terminal, or ADM for administration, cannot be disabled through software. This port is a dedicated port used for direct physical connection management and not for any other purpose (in most cases). A crossover cable or a special console cable (often RS-232 based) is necessary to connect a computer directly to the firewall to gain access to the management interface.
However, most in-network or over-the-network logical access pathways can be disabled. Be sure to disable access to the management interface on every physical network interface or port that faces outward. In other words, the less-secure NIC ports should not support access to the management interface.
If more than one NIC port exists on the secure side, then limit access to only one of those two ports. If the firewall is a multifunctional device that also supports wireless connectivity, disable management interface access over a wireless connection. The resulting configuration should allow management interface access only via the physical CON connection and one logical pathway. Disable all other methods of access.
Configure the firewall to record every attempted and successful connection to the management interface into a log file. It might also be a good idea to record all subsequent configuration changes made via the management interface. This log can serve as a component of change documentation and will assist with future troubleshooting, investigations, and reconfiguration.
CHAPTER SUMMARY Firewalls are essential to maintaining security, such as supporting valid communications and blocking malicious traffic. However, firewalls are often more than just simple filtering tools. The standard and enhanced features of firewall products require knowledge and skill if you are to properly employ them.
This chapter discussed building firewall rules, ordering rule sets, configuring authentication and authorization based on the presence of a firewall, configuring firewall logging, making sense of the contents of firewall logs, expanding firewall functions with intrusion detection, dealing with the limitations of firewalls, maintaining high-speed network performance with a firewall, managing encryption across a firewall, evaluating firewall enhancements, and handling firewall management interfaces.
KEY CONCEPTS AND TERMS Access control list (ACL) Alert Anomaly-based detection Behavioral-based detection
Centralized logging system Database-based detection Deny by default/allow by exception Fair queuing False negative False positive Filter Firewalking Knowledge-based detection Load balancing Management interface Port-based network access (admission) control (PNAC) Round robin Signature-based detection Unified threat management (UTM) Wirespeed Write-once read-many (WORM)
CHAPTER 7 ASSESSMENT
1. Which of the following is a firewall rule that prevents internal users from accessing public FTP sites? A. TCP ANY ANY ANY FTP Deny B. TCP 192.168.42.0/24 ANY ANY 21 Deny C. TCP 21 192.168.42.0/24 ANY ANY Deny D. TCP ANY ANY 192.168.42.0/24 21 Deny E. TCP FTP ANY ANY Deny
2. Which of the following is a default-deny rule? A. TCP ANY ANY ANY ANY Deny B. TCP 192.168.42.0/24 ANY ANY ANY Deny C. TCP ANY 192.168.42.0/24 ANY ANY Deny D. TCP ANY ANY 192.168.42.0/24 ANY Deny E. DENY TCP ANY ANY ANY ANY
3. The default-deny rule appears where in the rule set?
A. First B. After any explicit Allow rules C. Anywhere D. Last E. After any explicit Deny rules
4. What mechanism allows a firewall to hand off authentication to a dedicated service hosted on a different system? A. IEEE 802.11 B. RFC 1918 C. IEEE 802.1x D. RFC 1492 E. IEE 802.3
5. When an organization first deploys a firewall and chooses to begin logging activity, what should you include in the log file? A. Only malicious traffic B. Only DoS traffic C. Only dropped packets D. Only allowed packets E. All events
6. You can use firewall logging to perform all of the following activities except: A. Discovering new methods or techniques of attack B. Creating a historical record of activity used for traffic and trend analysis C. Tracking usage levels and times for load balancing D. Stopping intrusions E. Creating legally admissible evidence for use in prosecution
7. All of the following events appearing in a firewall log warrant investigation by an administrator except: A. Firewall host reboot B. A connection attempt to the firewall host C. Detection of an attack attempt D. Inbound packets with spoofed internal source addresses E. An internal user accessing a public Web site
8. Which of the following is a highly recommended method or technique for keeping firewall logs secure and uncorrupted?
A. Storing them in binary form B. Using 15,000 RPM hard drives C. Recording only important events D. Centralized logging E. Using timestamps
9. Which of the following is an event found in a firewall log file that is a symptom of a rogue host operating within the private network? A. Packets from a known malicious address B. Packets from an unassigned internal address C. Packets to an unknown port on an internal host D. Packets in a serial grouping that attempt to access a sequential series of ports E. Packets in a very large grouping that are all exactly the same directed toward a single target
10. What is the biggest issue or problem with an IDS? A. False positives B. Failing to operate at wirespeed C. False negatives D. Keeping the pattern database current E. Using anomaly detection
11. Which of the following is not a limitation or potential weakness of a firewall? A. Firewalking B. Software bugs or flaws C. Using first match apply rule systems D. Fragmentation attacks E. Internal code connecting to an external service
12. When a firewall is able to process packets, filter malicious code, and transmit authorized communications onward to their destination without introducing latency or lag, this is known as operating at ________ .
13. Which of the following is not related to improving or maintaining the performance of a firewall? A. Native antivirus scanning B. Round-robin task assignment C. Caching D. Fair queuing session management E. Load balancing
14. What form of encryption allows a firewall to filter based on the original source and destination
address? (Assume the firewall is located along the path between session endpoints.) A. Tunnel mode B. VPN remote access encryption C. Transport mode D. VPN LAN-to-LAN encryption E. Header encryption
15. The performance of what type of communication session can be improved using caching on a firewall? A. Instant messaging B. Remote access C. E-mail D. Time synchronization E. Web
16. Which of the following limitations or potential weaknesses of a firewall cannot be fixed or corrected with the application of an update or patch? A. Programming bug or flaw B. Firewalking C. Buffer overflow vulnerability D. Fragmentation E. Denial of service due to traffic from external sources
17. What is the primary factor used to distinguish a great firewall enhancement from a marketing gimmick used to drive up sales? A. Does the enhanced firewall cost the same or less than separate products? B. Does the enhancement affect the operating speed of the firewall? C. Does the enhancement operate as well as or better than the original firewall? D. Does the enhancement require the purchase of a new firewall, or can it be added to existing
products already deployed? E. Does the enhancement have a reoccurring license or subscription fee?
18. What is the name of a single device that is based on a firewall but that has been expanded and improved to perform a wide variety of services, such as filtering, IPS, antivirus scanning, anti- spam filtering, VPN endpoint hosting, content filtering, load-balancing, and detailed logging? A. Load balanced filtering B. Port based network access (admission) control C. Unified threat management D. Multifactor authentication
E. IEEE 802.1x
19. The most important configuration element related to a firewall’s management interface is: A. Access over wireless is prevented. B. Access through a network interface is enabled. C. Access is encrypted. D. Access through a CON port is allowed. E. Physical access to the device is controlled.
20. All of the following avenues of accessing a firewall’s management interface should be limited, restricted, or disabled except: A. Wireless B. Telnet C. Public facing NIC interface D. Port 80 Web E. Private network NIC interface
CHAPTER
8 Firewall Deployment Considerations
FIREWALLS CAN BE COMPLEX security solutions. You should plan the deployment of a firewall carefully, whether it’s for a small home office or a large corporation. Evaluate as many firewall deployment considerations as possible before ramping up.
Make a clear determination as to what types of traffic you will allow to cross the network border and which types you want to block. Evaluate common security strategies. They include security through obscurity, principle of least privilege, simplicity, defense in depth, defense diversity, chokepoint, weakest link, fail-safe, and forced universal participation. Determine which strategies you want to use and integrate them into the organization’s security policy and its firewall deployment.
Evaluate the purpose and content of the firewall policy. Clearly define the software and hardware firewall options you will use when adopting the firewall policy. Determine whether features such as reverse proxy and port forwarding are necessary to the infrastructure’s network communications. Weigh the benefits of bastion host OSs before using new firewalls. Make sure to order firewall rules properly and use the least number of rules possible to enforce security goals.
Every organization is different and must evaluate its own business and security needs. Determine which tasks are essential, which are optional, which are personal, and which are malicious. Use firewalls and other controls to support what’s necessary and block everything else. Security administrators are responsible for evaluating needs and solutions and for preparing a response when security and business interfere with each other.
Chapter 8 Topics
This chapter covers the following topics and concepts:
What should you allow and what you should block when using a firewall
What common security strategies for firewall deployments are
What essential elements of a firewall policy are
What the software and hardware options for firewalls are
What the benefit and purpose of reverse proxy are
What the use and benefit of port forwarding are
Which considerations aid in selecting a bastion host operating system (OS)
How to construct and order firewall rules
How to evaluate needs and solutions in designing security
What happens when security gets in the way of doing business
Chapter 8 Goals
When you complete this chapter, you will be able to:
Compose a firewall policy defining what to allow and what to block
Describe various firewall security strategies
Define the pros and cons of reverse proxy and port forwarding
Explain the importance of a bastion host
Assess the business impact of security over availability and performance
What Should You Allow and What Should You Block?
The most commonly asked question when installing a firewall is, “What should be allowed and what should be blocked?” This question assumes a distinct and definitive answer. The answer, however, is subjective and variable.
A single security stance or filtering configuration that works for every situation, every organization, and every system doesn’t exist. Network security managers must investigate the needs and threats to make informed decisions about what traffic to allow and what traffic to block.
The first stage in making this determination is to perform a complete inventory of all needed or desired communications. This should include every transaction between internal systems, as well as any interaction with external systems. As part of this inventory, indicate the protocol in use, the port(s) in use, and the likely source and destination addresses.
A possible inventory of network communications could look like Table 8-1. This is not an exhaustive table, but it shows the basic idea of an inventory of network
communications. Notice that some communications are internal only, while others cross the network boundary. Based on a complete and exhaustive inventory of your network’s communications, you can establish a potential rule base.
From the inventory, block from crossing the network border all communications that should only be internal. In most cases, the default-deny rule of a rule set will block those communications from doing so. However, when a port or protocol is in common, it’s possible that an Allow rule for a valid external communication would also allow external entities access to an internal-only communication.
In Table 8-1, an example of this issue is the e-mail protocol SMTP operating over port 25. By
defining an allow-exception rule, you could create a loophole that threatens the internal communication on this same port. Reduce or eliminate this risk by using a very specific rule or by adding an additional Deny exception.
A very specific rule in this example would allow external communication over port 25 only if it originated from the internal e-mail server at 192.168.42.115. With this rule defined, if any other internal host attempted an external SMTP communication on port 25, it would not be allowed because the IP address would not match this specific rule. The communication would instead be blocked by the default deny.
TABLE 8-1 A partial list of communications occurring on a network.
If an allow-exception rule for external communications also applies to internal communications, you can add a specific deny-exception rule just prior to the Allow rule. The Deny exception can specifically block internal communications from crossing the network border, but still allow the subsequent Allow exception to grant access to the valid transactions.
After you complete a thorough inventory of network communications, you should determine which communications are mission-critical, important, optional, for personal recreational use, or actually malicious. Block any traffic you deem malicious or just unwanted, whether through an explicit Deny or via the catchall default deny.
Evaluate all other forms or types of traffic against several factors, including policy. If it’s not in support of the business, is it really needed? Are communications for personal entertainment or nonbusiness functions permitted by policy or considered a waste of resources? Are any communications duplicated or redundant? Is this a waste of resources, an expansion of the attack surface, a valid redundancy, or avoidance of a single point of failure? Are any of the communications no longer necessary? If so, should you disable or remove them?
Base your evaluation of the many other possible questions or issues on your organization’s policy statements, including mission and goals. Take the time to understand the communication needs of your
network, then design the filtering rule set accordingly. Remember that the firewall is often the front sentry or the first line of defense against malicious communications originating from outside networks. Leaning toward caution and locking things down is a more effective security stance than leaving communications open and hoping detection mechanisms will notice malicious events.
Traffic Inventory A common, and free, network protocol analyzer (or sniffer) for doing a traffic inventory is Wireshark (www.wireshark.org). Wireshark can be used in the absence of a firewall, with a firewall set to allow all traffic, or even in the presence of a firewall to inventory all traffic on the network. Traffic can then be partitioned into traffic that needs to cross the firewall and traffic that should not cross the firewall. Use of a sniffer tool in general, or Wireshark specifically, for traffic inventory is done to highlight all traffic and make sure that the firewall rules have a better chance of being accurate. During the traffic inventory, you can uncover a lot of previously hidden information about the network. You can find out which applications and users are the top consumers of bandwidth. You can find out which protocols are actually in use on the network. And you can surface malicious uses that you haven’t known about before. Some of the more advanced firewalls also have this functionality built-in.
While some exceptions to these suggestions will arise from your organization’s business model or strategies, the following items are commonly considered communications to block in most, if not all, circumstances:
All Internet control message protocol (ICMP) traffic originating from the Internet Any traffic directed specifically to the firewall Any traffic to known closed ports Any traffic to known ports of known malware, such as 31337, used by Back Orifice Inbound Transmission Control Protocol (TCP) 53 to block external domain name system (DNS) zone transfer requests
Inbound User Datagram Protocol (UDP) 53 to block external DNS user queries Any traffic from IP addresses on a blacklist Any traffic from internal IP addresses that are not assigned
As an organization manages its security over time, especially as it reacts to intrusion attempts, experiences scanning, and becomes the target of hacking and flooding, it must create additional communication filtering rules to respond to real-world conditions. Security does not stand still. Hacker attacks are constantly changing. Thus, the filtering rules that work well today may be insufficient in the near future.
Networks can be very large and very complex. Be fully aware of the communications taking place across your network to know what to allow and what to block. In addition to this knowledge, having established a security strategy through a written security policy will direct and guide the deployment of firewall rules, as well as other aspects of your security infrastructure.
Common Security Strategies for Firewall Deployments
A security strategy is a guideline, philosophy, or approach to using security for firewalls, as well as the entire organizational security infrastructure. Many different strategies are available. Some organizations focus on a single strategy, while others combine several strategies into a custom policy.
Security Through Obscurity Security through obscurity is the idea of gaining protection by using abnormal configurations. This is both a positive security action and a poor one. It simply depends on the type of obscurity involved. A poor choice for security through obscurity would be to use alternative configurations for standard products.
With a network environment based on standard products, whether operating systems, network services, or security solution, just modifying basic configuration settings does not actually provide true security. For example, a service typically operating on one port that’s reconfigured to use a different port is not good security. Also, changing names, addresses, network size, subnetting, bandwidth consumption, or even spoofing banners, headers, or identity does not provide true security but may provide some protection against elementary attacks.
Some common mistaken examples of obscurity-based security include:
Hiding your front door key under a rock in a flower bed Connecting to the Internet with the assumption that your system is one in 300 million and therefore won’t be noticed
Hiding money in a mattress Keeping an encryption algorithm secret Hiding your car keys behind your bumper while at the park or beach Changing the default service port of a network service Hiding your financial records among the audio files on your MP3 player
All attempts to provide network security based on hide-and-seek can be overcome or bypassed with basic network scanning techniques. When a hacker can discover or breach a host, service, or network just by looking hard enough, no real security exists. Hiding might work for keeping colored eggs and candy secure, but a security solution employed by bunnies has no place in a modern IT environment.
Security through obscurity is problematic for several reasons. First, if it’s the only form of security employed, no real security exists. Second, the obscurity method employed might not actually be as obscure as you think. Hiding a key under a flowerpot is not as obscure as burying it in an
unmarked location in the middle of a field. Third, it often distracts from accurately assessing the true state of security provided by other measures. Fourth, obscurity can instill a false sense of confidence.
True security through obscurity relies on using obscure and nonstandard technologies. If everyone knows the most common or most popular operating system or software product is insecure, it can be a security improvement to use a more obscure product instead. This doesn’t guarantee that other flaws or vulnerabilities won’t be present on the alternative system, but usually the exact same exploit or compromise won’t be a risk.
However, switching to an alternative technology is a security improvement only if the same flaw does not also exist there. It must provide actual security in and of itself. Switching technologies, such as changing operating systems, does not eliminate the need for security management. It simply moves the security concerns to other areas.
Generally, security is obtained through obscurity only when hackers are unable to determine which technologies you are using. The less hackers know about your software, configuration, deployment, addressing, infrastructure design, patching schemes, and so on, the less successful their attempts to compromise security will be. Obscuring information about the internal IT environment itself is a primary defense against their hide-and-seek mentality.
Least Privilege The principle of least privilege is one of the basic concepts of network security. The idea behind the principle of least privilege is that users should have the minimum level of access to resources needed to complete assigned tasks. Any abilities, access, or privileges beyond that necessary minimum increase the risk of compromise and lead to wasted time, effort, and focus.
In most environments, most users need not access every host, every system, every resource, every file, every network service, and every Internet resource. Within a default-deny environment, you block all access to all resources, internal and external, by default. You use the principle of least privilege by adding explicit and specific allow-exceptions only when necessary based on job descriptions.
However, the drawback to least privilege is the need to control every user’s access individually. Each worker will need individually defined resource and activity permissions. This represents a significant increase in user administration. Because of this extra overhead, many organizations only partially use least privilege.
A common practice is to group users into collections of similar job functions or security levels, granting permissions to the group as a whole. This gives users additional privileges beyond what is strictly necessary for their work, but not enough to present a serious risk to the organization’s security, stability, or confidentiality. Instead, this small security tradeoff considerably cuts down on administrative overhead.
An extension of the principle of least privilege known as separation of duties specifically addresses administrative users. A lazy and insecure approach to network security is to grant some high-end users full administrative privileges across the entire IT infrastructure. This is a recipe for disaster. If an administrator makes a mistake, then he or she can accidentally harm the entire organization. If an administrator becomes disgruntled, feels wronged by the company, or is marked
for layoff or forced retirement, he or she can deliberately harm the organization and would have the systemwide power to do it. If another user or an external intruder compromised such an administrator’s account, a hacker could use the administrator’s advanced access to cause significant havoc.
A safer approach is to apply the principle of least privilege to all users, especially administrators. Under the label of separation of duties, divide the collection of all administrative tasks into small sets of privileges, focusing on a single task, system, service, or issue. Then, assign administrators subtasks within one of these focused areas and permissions only within the scope of their assigned tasks. This compartmentalizes administrative functions and provides a type of firewall or blockage against accidents, sabotage, and intrusion.
The result of applying separation of duties is that you eliminate godlike systemwide administrators. Instead, each administrator has sufficient privileges only within a limited scope of responsibility. Some areas may have multiple administrators and some administrators may have powers in multiple areas, but overall the compartmentalization of administrative privileges significantly increases security and decreases risk.
Keep in mind that the principle of least privilege applies to both users and systems alike. Controlling which resources and communication pathways a service or device can touch will directly reduce the potential for abnormalities, abuse, and compromise.
Simplicity Keeping things simple is an important part of security. It makes them easier to understand, manage, and troubleshoot. When things are too complex, they are much more difficult to understand, much harder to manage, and much more complicated to troubleshoot. Furthermore, it’s harder to verify that a complex system is providing adequate security.
The more complex a solution, the more room for mistakes, bugs, flaws, or oversights to creep in undetected by security administrators. The more complex the system, the more likely a hacker can find a vulnerability unseen by the system designers and network managers.
Simple is not always possible, however, especially when it comes to software and network infrastructures. But when you have a choice between a simpler solution and a more complex one, the simpler option may provide a more realistic and verifiable level of security. As someone once said, “Keep things as simple as possible, but no simpler.” Keep in mind that too simple has the same flaws as too complex. Avoid sacrificing security for the sake of simplicity.
Defense in Depth Installing a security infrastructure requires numerous systems to interact and interlock. The goal of any security solution is to prevent unwanted events while supporting authorized and necessary ones. A reliable security infrastructure is typically not a single control, a single defense, or a single countermeasure. Instead, multiple security safeguards provide complete and exhaustive coverage.
One aspect of infrastructure security design is to think of the defenses as multiple layers or barriers to access secured resources. This is known as layered defenses or defense in depth. When designing security, consider the net result if any component of the security system were to fail. If a
single component failing results in a compromise or intrusion, the environment has a single layer of protection. When defense in depth is used, a single component failure does not result in compromise or intrusion. Instead, each component has a backup, an alternative, or a supplemental component. Depending on a single security product as the sole component of a security solution is a bad idea. Firewalls are great products, but firewalls alone cannot provide complete security. They are only one component, one piece of a complete security infrastructure. A proper security infrastructure has numerous components interlocked and deployed in layers or levels.
Another aspect of defense in depth is to deploy multiple subnets in series to separate private resources from public. This is known as an N-tier deployment. N represents the number of subnets under private control. Figure 8-1 shows a common construction of a three-tiered deployment using a demilitarized zone (DMZ), a database subnet, and the private local area network (LAN).
When properly implemented, defense in depth ensures that multiple security controls are involved in every communication, connection, and transaction, regardless of its source or destination. Through the use of multiple or redundant security systems, any attempt to compromise or breach security becomes substantially more difficult, not only for the external intruder, but for the internal saboteur as well.
FIGURE 8-1
An example of an N-tier deployment.
Diversity of Defense Diversity of defense is similar to defense in depth—it supports multiple layers of security. The difference is that each (or at least most) of the layers uses a different security mechanism. Thus, the diversity of defense comes from using a collection of diverse security solutions.
Multiple firewalls in a series is defense in depth, but not defense diversity. Adding tools such as an intrusion detection system (IDS), antivirus, strong authentication, virtual private network (VPN) support, and granular access control converts a monolithic defense in depth to a more substantial, multilayered, diverse type of security.
It might be tempting to claim that having multiple firewalls from different vendors (or any security mechanism from different vendors) constitutes diversity of defense. While using different products from different vendors will reduce some forms of risk, it’s not as beneficial as true diversity—not just of vendors but also of security component types.
Using a variety of vendors will reduce the likelihood that a single flaw in one product is present in every other product from different vendors. For example, using three different vendor antivirus products is a reasonable idea. Having one vendor for clients, one vendor for internal servers, and a third vendor for border devices will increase the likelihood of detecting malicious code and decrease the threat from undetected malware. However, relying exclusively on antivirus and using no other type of security mechanism is a poor security solution.
Proper defense in depth will include diversity in both vendor selection and security component types. Be aware, though, that focusing too heavily on vendor diversity can increase management and administration complexity. It’s difficult enough to manage single-vendor solutions, but when two, three, or more different vendor products of the same product type are involved, the complexity of management increases significantly.
When selecting products, whether by type or vendor, keep in mind the overall infrastructure design, such as parallel versus serial connections, as well as redundancy options. In some circumstances, using two different defenses can result in a larger rather than reduced attack surface. For example, if two different products each have a different vulnerability when they are deployed in parallel, then both weaknesses are vulnerable simultaneously, giving the hacker the option of one or the other. Were they to be deployed in series, the hacker would have to compromise the first layer of defense successfully before attempting to breach the second. Consider whether the planned diversity is truly a security improvement, since poor design can lead to reduced security when you employ diversity improperly.
When investigating and designing an infrastructure to include diversity of defense elements, keep the following concerns in mind:
Some companies resell their products, technology, or intellectual property through other vendors. Private-label or relabeled products from company B might be the same product from company A with a different name or packaging.
Security systems configured by the same security administrator can potentially have the same misconfiguration or design weakness. Consider using a team of security administrators, or at least have several security experts review and check all configurations.
Many products come from a single original code base or standard. Product version 2.0 from company A and product version 5.0 from company B might both include the same protocol stack code borrowed from an open-source or creative commons–licensed code base. Don’t automatically assume that products from different vendors, even with different build versions, represent 100 percent different programming.
Many systems of the same type will all have the same inherent weaknesses in the underlying technology, design, and security concept.
When implementing diversity, ensure that you are using actual diversity-improving security rather than false or misguided diversity that reduces security. All security designs and perceptions should withstand the scrutiny of evaluation and testing.
Chokepoint A chokepoint forces all traffic, communications, and activities through a single pathway or channel. This pathway can be used to control bandwidth consumption, filter content, provide authentication services, or enforce authorization. The purpose of a chokepoint is to ensure that the security device at the control location controls everything. No traffic, user, or data passes unchecked.
Other names for a chokepoint include checkpoint, filter pathway, or bottleneck. A chokepoint can be used to force network traffic along a single pathway monitored or filtered using security devices, including routers, switches, firewalls, IDS/intrusion prevention system (IPS), antivirus, network access control (NAC), and so on. A choke-point can also control user activity, such as requiring authentication and enforcing access control.
As a security measure, a chokepoint has value only if it’s hard to bypass or avoid the bottleneck itself. If a hacker can interact with a target without going through a chokepoint’s filtering system, then the chokepoint is worthless.
If the security of a network has chokepoint infrastructure components as a central part of the infrastructure, be sure to evaluate and consider all possible alternative pathways a hacker might employ. For example, a firewall is less effective as a chokepoint if outsiders can access wireless access points, physical connection ports, or dial-up modems.
In many cases, a single chokepoint won’t be enough. Using multiple chokepoints may be the only effective means of ensuring that your network evaluates and filters all traffic. Some potential chokepoints can include any crossing of a network domain boundary into another. By using chokepoints across the boundaries of a typical IT infrastructure, you filter most pathways of communications that could host malicious interactions.
Consider potential indirect routes that might bypass “standard” chokepoints. For example, if a VPN link is established between two sites, whether branch offices or business partners, the Internet connection of one site could be an alternate pathway into the second site. This breach is possible if one site uses strong chokepoint security while the other does not. And even though it may be old fashioned, don’t forget to check for dial-up access to a LAN’s servers or other components. Dial-up access can serve as a backdoor for hackers to circumvent the security protections prepared to block them at the front door.
Weakest Link Any chain is only as strong as its weakest link. A security infrastructure is only as strong as its weakest component. You must know your security infrastructure thoroughly to have an understanding of where the weakest point lies. Once you’ve identified the weakest link, replace or remove it.
The weakest link security stance is an ongoing process of locating the least secure element of an infrastructure and securing it. Once you’ve secured the current weakest link, it’s no longer the weakest link, and therefore a new weakest link exists. Repeat the cycle by seeking out the next weak point and improving it.
The idea behind this security stance or process is that hackers are performing this exact task as they seek out vulnerabilities to compromise. Ultimately, hackers discover and break the weakest links to gain access and entry into a secured environment. By actively and consistently seeking out vulnerabilities and weak points to secure them, you reduce the potential of a hacker finding and exploiting a weak link.
Weakest links are inevitable. But a strong weakest link is always better than a frail weakest link. Using a find-it-then-secure-it mentality helps build security that can withstand most common exploitation and intrusion attempts.
Fail-Safe Fail-safe, fail-secure, fail-open, and fail-closed are not only design elements of firewalls and other security controls. Fail-safe is also an overarching security stance to drive an organization’s security. The fail-safe security stance is not just about using fail-safe security devices, but about designing the overall infrastructure with fail-safe as a core focus.
When any aspect of security fails, the best result of that failure is to fail into a state that supports or maintains essential security protections. Generally, this means to maintain confidentiality and integrity protections. However, most fail-safe solutions will sacrifice availability protection to retain confidentiality and integrity.
Fail-safe does not need to be a standalone security stance. You can integrate fail-safe notions into any security perspective. Keep in mind the ultimate goals and policies of your organization. If availability is the top priority, then fail-safe may not be as viable an option as for environments where you can sacrifice availability to support other security protections.
Forced Universal Participation It almost goes without saying that for security to be effective, everyone must work within the limitations established by your organization’s written security policy. If you make exceptions—for upper level managers, for instance, who see themselves as being above the rules, able to do whatever they want without consequences—then you have only an assumption of security. No true security is present. Security works only when you employ forced universal participation.
Every worker, every manager, every senior executive, every temporary worker, every consultant, every vendor, every customer, every business partner, and every outsider must be forced to work within the security policy’s limitations. Yes, exceptions often are necessary in the real world, but
when exceptions become the norm, security is lost. When it’s easy to bypass, avoid, or even ignore security controls, an attacker can use that same pathway to compromise the entire security environment.
Universal participation is not just about official configurations and designs. Every enterprise that cares enough about security to write a security policy has official configurations and designs that assume everyone follows the same rules. When it’s unwritten policy to violate security to accomplish work tasks, an obvious disconnect exists between security and productivity. In this situation, reexamine both security and productivity goals. Security should support productivity, not impede it.
Universal participation is not just about paying lip service to the rules, however. It’s also about ensuring that everyone abides by security limitations. Potentially, users have many ways to purposefully violate security. This often occurs in environments where workers perceive the security limitations as too restrictive or when newly imposed rules strongly limit freedoms they enjoyed previously. The less workers believe in and buy into the organization’s security policy, the more likely they are to violate rules they perceive as unfair.
Examples of users purposefully avoiding or violating security—that is, not actively supporting and participating in security—include:
Choosing poor passwords Sharing accounts with others Using personal computer equipment on the company LAN Installing an unauthorized wireless access point Using personal removable media on company equipment Using proxy tools to bypass firewall filtering Configuring a dial-out modem connection to establish unfiltered Internet access Using Internet based remote-access/remote-control tools to access their workstation from an external system without authorization
Installing unapproved software
To achieve universal participation in the security efforts, either workers must believe that compliance is in their best interests, or you must force compliance through consequences for violations. In most cases, voluntary compliance is better, because it causes workers to support the security effort rather than setting up employees to be adversaries pitted against the security infrastructure.
Essential Elements of a Firewall Policy
A firewall policy is a security policy that focuses on the deployment of firewalls within the organization’s IT infrastructure. The first step in deploying a firewall is constructing a firewall policy. Once you’ve established a firewall policy, deploy subsequently installed firewalls in full compliance with the firewall.
A written firewall policy provides several benefits and serves several purposes, such as:
A guide for installation A guide for configuration A tool to assist in troubleshooting A guideline to detect changes and differences A mechanism to ensure consistent filtering across all firewalls
A firewall policy should address several specific issues and contain specific configuration details. One of the first important elements of a firewall policy is defining and designating security zones. Every network has different zones of risk and zones of trust. Often, zones are differentiated along the same lines as a typical IT infrastructure. Create clear descriptions of what each subnet does, its level of risk, and its level of trust. Based on this information, you can formulate a basic firewall deployment strategy.
A firewall policy should define specifically what type of firewall you need. It may even prescribe the specific vendor, make, and model of firewalls at each zone transition or interface. Firewall types include static packet filtering, proxy, and stateful inspection.
For each prescribed firewall, define a complete firewall rule set. Define each rule in full detail, not just the configuration settings to make on the firewall’s interface. Support each rule with justifications and reasons why you defined or selected it. Give a clear indication of the orders of the rules.
A firewall policy should also prescribe host software firewalls for deployment on clients and servers. This should include configuration settings and rule sets as well. Design and configure host firewalls to complement appliance firewall security.
The firewall policy should also address:
What to log How logging happens Where to store log files How often to review log files What add-ons or enhancements to use Who is responsible for firewall administration How to access firewall configuration interfaces Where to physically and logically locate the firewall What level of physical access control is necessary What form of backup or redundancy is present How to manage encryption and where to use or disallow it How to deploy and configure IDS/IPS to interact with firewalls
As with every security policy, the firewall policy must be as exhaustive as possible. It should address and define every aspect of firewall design, deployment, implementation, management, tuning,
repairing, recovery, troubleshooting, and monitoring. A firewall policy should be the first and last authority on all things firewall within the organization.
The first draft of a firewall policy will probably not be exhaustive or accurate. So, review and improve your firewall policy periodically, just as you do with the rest of your organization’s security policy. Each review period should assess whether the firewall is meeting the security needs and how to improve it so it continues to provide sufficient security. Work all improvements into the written security policy. Then adjust the deployed infrastructure to comply with the written security policy.
Software and Hardware Options for Firewalls
Remember that most real-world solutions include a combination of software and hardware firewall options.
Since technology changes and advances so swiftly, it’s not wise to make specific product recommendations here. Many products can go through significant upgrade or generational change in as little as six months. So, this discussion will focus on software and hardware options in more generic terms.
Many operating systems include host software firewalls as part of their standard installation build. Microsoft Windows XP is one well-known example. Beginning with Service Pack 2, Windows XP has included the Windows Firewall as a standard security component. Other operating systems may offer optional firewall products. A software host-based firewall has benefits on both client systems and servers.
You can usually replace a native or default software firewall product found within a general- purpose operating system (OS) with a third-party option. Many open source, free, and commercial host software firewalls are easily available. When considering third-party options, especially when replacing the native firewall, consider whether investing time, effort, or money in an alternative host software firewall is as effective an investment as using an appliance firewall to enhance or supplement a host firewall.
Home users, SOHO environments, and small companies may benefit from a firewall on their Internet connection devices. Most DSL and cable modem devices include basic to moderately capable firewall options. Evaluate the included firewall in an Internet connection device rather than automatically discarding it as insufficient or inferior. Many current Internet service provider (ISP) devices include firewalls that are more than adequate for small network environments.
Most wireless access points, both consumer and commercial grade, include some form of firewall to provide filtering services for wireless clients and physical cable connections as well. Many wireless access points could be accurately labeled as routers and/or switches, especially when they include two to six extra-wired connection ports.
If a separate dedicated firewall device is necessary in addition to an ISP device or a wireless access point, consider building a firewall using leftover hardware. Building your own hardware firewall can be a way to obtain firewall appliance control and security on a shoestring budget.
technical TIP It’s often possible to replace an appliance or device firewall’s OS with a third-party alternative. This can apply even to ISP devices and wireless access points. Some of the better- known device firmware replacement options are DD-WRT, Open WRT, and Tomato.
The final step up in terms of firewall options is the appliance firewall, which is a dedicated hardware device functioning as a black-box sentry. Appliance firewalls can range from low-end consumer-grade to very expensive high-end, commercial-grade solutions. In most mid-sized and larger organizations, a dedicated hardware firewall is a necessity. Whether you buy that firewall as a pre-built component or build it depends on your organization’s knowledge, skill, and budget.
Keep in mind that security is not about always purchasing the most expensive, the best-known, the most efficient, or even the most secure option. Budgets are not infinite. Your goal should be to deploy security that is adequate and effective for the environment within the confines and limitations of your budget, knowledge, and skill. Getting sufficient security at the best price possible is usually everyone’s priority.
Benefit and Purpose of Reverse Proxy
Reverse proxy is a firewall service that allows external users access to internally hosted Web resources. This service takes the traditional proxy function and inverts it. Instead of hiding the identity of the client reaching out to the Internet, reverse proxy hides the identity of the Web server accessed by the Internet (or external) client.
External users direct their queries to a public Internet IP address and a default or assigned port number as when accessing any service. However, the IP address is the address of a proxy server, not the actual Web server hosting the requested resource. The proxy server then performs network address translation (NAT) on the request to convert the destination address to the internal (likely private) address of the resource host.
You can deploy reverse proxy to support load balancing or load distribution across multiple internal resource hosts. This allows clients to use a single public address to access a cluster of internal Web servers.
Other common reasons to deploy reverse proxy include:
Reverse caching—Reverse caching allows static content to be cached and served by the proxy rather than requiring that each request for the same content be served by the Web server itself.
Security—Using a reverse proxy adds an additional layer of protection and control between Internet-based users and internally hosted servers. Proxying allows the real identities of the internal servers to remain unknown or at least obfuscated.
Encryption—The proxy server itself can serve as the endpoint for Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption tunnels. This can allow a firewall or IDS to monitor and filter the contents of the traffic before it reaches the Web servers. Proxy-based encryption can also benefit from hardware and software acceleration to maintain high- performance communications.
Reverse proxy does not have to function solely on the private network’s borders. It can also operate internally between subnets or departments, especially within IT infrastructures of very large corporations. Reverse proxy is also useful in an extranet or a DMZ. Just because a Web site is hosted for public access does not mean security precautions should vanish. Indirect access by reverse proxy can often be a significant security benefit when you deploy and manage it properly.
Use and Benefit of Port Forwarding
Port forwarding is a firewall, proxy, and routing service that can receive a resource request on an interface at one port, then forward the request to another address on the same or different port. Port forwarding is used in reverse proxy, but only for Web traffic. Port forwarding itself can support any service on any port.
Port forwarding is a variation or enhancement of NAT. When a request reaches an outward-facing interface to a specific port, the request goes to an internal host. The routing is controlled by a static NAT mapping that defines which internal IP address and port will receive communications sent to an external IP address and port.
Port forwarding does not support caching, encryption endpoint, or load balancing. Only a single internal machine can use a forwarded port at a time. The internal receiving (destination) host will perceive the source of the communications as the port-forwarding device because the translation service will rewrite the source address as its own. Thus, the destination system will not know the real originator of a communication.
You can find port forwarding services on almost any service or device that supports NAT. This includes most firewalls (hardware and software), wireless access points, and Internet connection devices (such as DSL and cable modems). Port forwarding is also an essential element in the Internet Connection Sharing (ICS) service of Windows that allows multiple systems to share a single Internet connection through the primary connected computer.
Considerations for Selecting a Bastion Host OS
A bastion host OS is a system designed, built, and deployed specifically to serve as a front-line defense for a network. A bastion host is the first (or nearly so) host accessed by external entities on their way to access DMZ, extranet, or private network resources. The bastion host withstands the brunt of any attack attempt to provide protection for hosts behind it.
Bastions were the highly fortified sections of medieval castles designed to assist with defense. The bastion was located along the castle perimeter wherever access attempts were likely, such as
around the main gateway or entrance, any side or back entrances, or natural landscape pathways of approach. The bastion areas usually had thicker, stronger walls, room for additional warriors, and special defensive features. These special defensive features might have included slits for shooting arrows, holes for ramming spears or pushing away ladders, and pots of boiling oil to pour on attackers.
On modern computer networks, a bastion is a fortified computer device—possibly a host, firewall, or router—placed in the line of fire between privately owned and controlled networks and the public Internet. The purpose of a bastion host is to provide frontline filtering and defense against typical attacks. Most firewalls, especially appliance, hardware, or device firewalls, operate as bastion hosts. Software firewalls can also be bastion hosts if the host is properly locked down and hardened.
Knowing that firewalls are commonly deployed as bastion hosts raises the question of what type of operating system (OS) you should use as the host OS on a bastion host firewall. Two main categories or divisions of bastion host OSs are proprietary OSs and general purpose OSs.
Proprietary OSs are operating systems built exclusively to run on a bastion host device. Most appliance firewalls employ a proprietary operating system. This includes commercial firewall devices as well as many ISP connection devices and wireless access points. These proprietary bastion host OSs support the functions or services critical to security (or their other primary purposes) and little else. An example of a proprietary bastion host OS is Cisco IOS.
A firewall device’s bastion host OS supports only firewall functions. An ISP connection device’s bastion host OS supports firewall services and connectivity services. A wireless access point’s bastion host OS supports firewall services, wired connectivity services, wireless connectivity services, and possibly other services, such as 802.1x.
General purpose OSs include Windows, Linux, Mac OS, UNIX, and others. These are operating systems that support a wide variety of purposes and functions, including serving as client or server host OSs. When used as a bastion host OS, they must be hardened and locked down. Otherwise, an insecure host OS can render the security provided by a firewall worthless. If an attacker can crash the firewall host or bypass the firewall filtering, then the firewall is not providing effective security.
It’s possible to reasonably harden a general purpose OS for use as a bastion host OS, but this takes specific and detailed modifications. Most software firewall products include a guide to perform OS hardening to improve the security of the bastion host and reduce the vulnerabilities and backdoors that might permit firewall compromise.
Some firewalls include a prehardened version of a general purpose OS as the bastion host OS. This is the case for many Linux-based firewalls, such as SmoothWall.
The benefit of using a general purpose OS as a bastion host OS is that such OSs are widely available. Some are free—mostly Linux variations. Also, you can leverage your current knowledge and skill with a general purpose OS when you are using it as a bastion host OS. Keep in mind, however, that general purpose OSs are much more widely attacked and the risk of new exploits is high.
The benefits of a proprietary OS as a bastion host OS are fewer known attacks and less risk of future exploits. However, proprietary OSs might be significantly different from other OSs in the environment and may require learning a completely new system to properly and securely administer
the firewall. Also, most proprietary OSs are officially released only on the bastion host hardware. This makes them more difficult to obtain and more expensive in most cases (at least in comparison to free and open source alternatives).
Constructing and Ordering Firewall Rules
As you begin to seriously consider the options for firewall deployment, a close examination of firewall rules is critical to success. The most important aspect of a firewall rule set is its order.
Getting rules out of order causes unexpected and unwanted consequences. This can include traffic you want to block and other unwanted traffic crossing the checkpoint. Rule-set ordering is critical to the successful operation of firewall security.
The first and most basic rule-set-ordering convention is that the universal Deny rule should be the last and final rule. The use of deny by default or default denial rests on the premise that the last rule is the catchall rule to block all traffic not allowed access due to a previous rule-based exception.
Another common guideline to rule-set ordering is to place critical Deny exceptions first or early in the rule set. When specific internal or external IP addresses or ports, or even entire protocols, are to be absolutely blocked, you may need a Deny exception rather than relying upon the default-deny final rule. Some of the previous Allow exceptions might inadvertently permit communications due to universal application (with the use of ANY). By using a preemptive specific enforced denial before any of the Allow exceptions, you eliminate the possibility of accidentally allowing a known malicious or unwanted communication.
Whenever possible, use fewer rules rather than more rules. Even with proper ordering, the more rules you have, the greater the likelihood of configuring something incorrectly or creating a loophole. One issue that causes more rules rather than fewer is infrastructure design specifically related to addressing. A need for more rules arises if a range of IP addresses is allowed access, but within that range, some addresses are refused access. For example, compare two scenarios.
First, a network has a host address range of 192.168.42.140–190. All hosts except for 188, 189, and 190 are allowed access to a certain port. A single rule allowing hosts 140–187 is all that is necessary because the default-deny rule takes care of blocking the remaining non-included hosts.
Second, a network has a host address range of 192.168.42.140–190. All hosts except for 165, 171, and 188 are allowed access to a certain port. You need multiple rules to use this configuration. One or more rules must define Deny exceptions for 165, 171, and 188, followed by the Allow rule of the 140–190 range. If the firewall allows only a single address or a range of addresses per rule rather than allowing a list of nonsequential addresses, then three Deny rules would be necessary in this scenario.
In this example, network design and addressing can be used to make firewall rule-set construction either larger and more complex or shorter and more distinct and compact. The latter is preferred for administrative purposes as well as security and efficiency. If the process of creating rules requires a significant number of special exceptions to modify or adjust ranges of addresses or ports, consider reconfiguring the network rather than using a too complex or too long rule set. When designing or writing firewall rules, especially when writing pairs or sets of rules, consider using a single rule or a simpler rule set if the network’s addressing scheme, infrastructure design, or subnet layout is
adjusted. As another guideline to ordering rule sets, consider placing rules related to more common traffic
earlier in the set rather than later. Comparing traffic to the rule sets takes time; each check of each rule takes some finite amount of time. The fewer rules you need to check before you grant an Allow, the less delay to the traffic stream. Prioritize in the rule-set list the more commonly used forms of traffic, whether by
IP address, port, or protocol. Put the less commonly used forms of traffic further down in the rule- set list.
Ultimately, rule sets are about enforcing security relevant to the organization. The rule set should reflect the guidelines prescribed in your written security policy, specifically the firewall policy. The goal of designing, writing, and ordering rules for a firewall should be to focus on obtaining the necessary security. Elegance and speed are dividends, but not as essential as blocking the bad and allowing the good. Never lose focus on the primary goal: filtering traffic in accordance with your security policy.
Evaluating Needs and Solutions in Designing Security
Any organization larger than a single person will generate multiple opinions about what should and should not be allowed across the firewall. Almost everyone would agree on allowing (at some level) the necessary protocols, applications, and services essential for mission-critical or at least operationally necessary business tasks to cross the firewall-secured network boundaries.
Opinions may differ about what constitutes a necessary business task, but if it’s a necessary task, the organization’s security solution should make the task possible. Restrictions, limitations, filtering, and logging of even necessary business communications must occur. The point, however, is making a determination about what should and should not cross a firewall.
Generally, four main types of communications take place within a business environment: business-essential, business-wanted, personal, and malicious. Business-essential communications must take place or the business itself will suffer. Blocking critical transactions will directly cause problems for the business by impeding the production and distribution of products, inhibiting customer service, reducing profits, and so on. The security infrastructure must support business- essential communications.
Business-wanted communications are not essential to the core function or purpose of the organization. The failure of these business communications might be inconvenient or reduce quantity or quality, but the essential business functions will go on. Business-wanted communications help the business do what it does better, faster, cheaper, cleaner, more efficiently, or in a flashier way. But when those wants are not available for whatever reason, the business’s core activities still function sufficiently.
Personal communications are those transactions between individuals inside the company and with external entities not directly related to business tasks. If you eliminated personal communications, all business functions would continue unhindered. However, that’s in a perfect world. In the real world, stifling human communications can lead to low job satisfaction, feelings of isolation, and even worker disaffection. This, in turn, causes a reduction in productivity and quality.
Most organizations must strike a balance between allowing only business communications and allowing all communications. Obviously, allowing every communication is a bad idea from a security standpoint as well as a productivity one. Often, a modest level of Web site access, filtered e-mail access, and potentially other nonthreatening services as forms of personal communications can travel on and over company equipment during work hours with a reasonable amount of security.
But no clear or distinct boundaries define what level of personal communication will maintain worker morale and job satisfaction. It’s often fairly obvious when restrictions are too tight because job performance suffers or breaches of security increase. Part of the solution to this problem is educating users or workers about what is acceptable and unacceptable behavior on the company’s network. This includes defining what types of communications to allow or block, whether for business or personal use.
Malicious traffic, the fourth common type of network traffic, should always be blocked. This is a widely held security stance and the whole point of using security in the first place. However, it’s not easy to identify all malicious traffic, and it can sometimes appear to be one of the other three common forms of communications. Improving security over time is essential to maximizing protections against malicious communications while at the same time supporting necessary, desired, or benign personal communications.
Every organization must define its own parameters and justifications for each type of transaction allowed across any security perimeter, whether network traffic or physical access. Whatever the determination, clearly spell out the designations for valid versus invalid transactions in your organization’s written security policy, and then implement them in the security infrastructure.
Once you’ve defined necessary transactions and prescribed the desired security, use these concepts in actual security-enforcing software and hardware solutions. This is where your understanding of the goals of security, the organization’s mission, and the budget is critical. There is always a product that costs more, but more expensive does not always mean better security. In fact, in many cases, cheap or free solutions can offer equivalent or better security than the most expensive product available.
Using security is an essential part of the risk assessment and management process. Part of evaluating security is understanding the threats, attacks, and risks as well as the available countermeasures. One aspect of understanding countermeasures is performing a cost/benefit analysis to obtain the best security solution for the invested dollar. Don’t just purchase the most expensive solution; that’s never a reliable measure of security quality.
Also, don’t automatically purchase the product your cost/benefit analysis says is the best option. You must also evaluate each proposed solution in light of all other elements of the security infrastructure as well as the size of your budget. It’s usually not the right choice to spend 50 percent or more of the budget on a single security component. Instead, devise a spending plan or ratio tool to guide the procurement of security solutions.
One possible method is to allocate 10 percent of the budget to each of the 10 major sections or divisions of security addressed. This assumes you can divide the overall security of your organization into just 10 compartments—you might need 30 sections or maybe you can get by with just four. Whatever the number of divisions you use, grant each an equal or weighted portion of the budget based on risk. When a solution costs more than is available within a certain section, you can then shift
funds between sections as needed. The purpose of this system is to make security administrators and designers more aware of the
cost of security and to prevent overspending in one area and underspending in another. You should spend security funds somewhat evenly to secure the overall organization, rather than over-securing one area and neglecting another. If a hacker or intruder encounters a highly fortified defense, he or she is likely to go looking for a less secure backdoor.
Ultimately, you should treat your security budget just like any other budget. Categorize and prioritize expenses. Outline spending on paper before writing the first check or swiping the plastic. Allocating funds based on needs and importance, then adjusting those allocations based on market conditions or changing threats, is all part of proper security management (as well as security budget management).
What Happens When Security Gets in the Way of Doing Business?
Organizations exist to perform tasks such as producing products or providing services. When the security infrastructure interferes with essential business tasks, something has to change. Security should prevent compromise while supporting and allowing business functions. When security changes or when business tasks change, the security policy and the business should adjust.
Absent this adjustment, security can interfere with business operations. Many organizations will never face this situation, but every business must have a response plan in place in case it does. When business tasks are at odds with security protections, what should you do?
A few short-term options are available, none of them optimal. One short-term option is disabling security so the business tasks go forward. Whether the security is disabled for a short period or permanently, you provide the opportunity for compromise, intrusion, or sabotage. Using this shortsighted solution might not immediately cause harm to the infrastructure, but it establishes a pattern and mindset that security is not important.
Organizations might get away with turning off security defenses. Hackers might not ever notice the reduction of defense or might not happen to time their probing or attacks to correspond to the period of disabled security. However, even if no actual attacks occur due to the security reduction, the real damage is done.
The real damage is the change in mentality toward security, a shift from viewing security as essential and mandatory to optional and nonessential. Once an organization believes that security can be turned off when inconvenient, then security suffers, and it’s only a matter of time before a catastrophic compromise occurs. Security depends on vigilance. Once the commitment to vigilance is lost, so is real security.
Another short-term option is not to perform the task that security is blocking. If the task is not essential, it might be possible to move forward as an organization without performing that specific task again. However, if it’s an essential or critical task, failing to support it will negatively affect the organization.
There is another way. The preferred and secure long-term response is to reevaluate the business task in the light of the security infrastructure. Design a new security solution or modify how the task is
accomplished. Support both security and business functions. They are both essential to the long-term stability and vitality of an organization.
CHAPTER SUMMARY Never deploy firewalls hastily. Instead, use careful investigation and planning in the design and use of firewalls. Consider numerous firewall deployment issues.
Some important concerns include deciding: What to allow and block Which security strategies to integrate Whether the firewall policy is sufficient Which hardware or software options to use Whether you need reverse proxy Whether to configure port forwarding Which bastion host OS to use How to order the firewall rule sets What the essential firewall needs are How the firewall will interact or interfere with business processes
KEY CONCEPTS AND TERMS Bastion host OS Diversity of defense General purpose OS Proprietary OS Reverse caching Security stance Universal participation Weakest link
CHAPTER 7 SUMMARY
1. When crafting firewall rules, determining what to allow versus what to block is primarily dependent on what factor? A. Traffic levels B. Business tasks C. Bandwidth D. User preferences E. Timing
2. The first step in determining what to allow and what to block in a firewall’s rule set is: A. Reviewing vulnerability watch lists B. Polling users for what services they want C. Reading blogs about best practices for firewall rules D. Recording traffic for 24 hours E. Creating an inventory of business communications
3. What is the purpose of including rules that block ports, such as 31337? A. To prevent users from accessing social networking sites B. To prevent DNS zone transfers C. To stop ICMP traffic D. To block known remote-access and remote-control malware E. To allow users to employ cloud backup solutions
4. What security strategy is based on the concept of locking the environment down so users can perform their assigned tasks but little else? A. Simplicity B. Principle of least privilege C. Diversity of defense D. Chokepoint E. Weakest link
5. What security strategy reverts to a secure position in the event of a compromise? A. Fail-safe B. Universal participation C. Defense in depth D. Security through obscurity E. N-tier deployment
6. Which security stance most directly focuses on the use of firewalls or other filtering devices as its primary means of controlling communications?
A. Universal participation B. Weakest link C. Fail-safe D. Chokepoint E. Simplicity
7. A firewall policy performs all of the following functions except: A. Assisting in troubleshooting B. Placing blame for intrusions C. Guiding installation D. Ensuring consistent filtering across the infrastructure E. Detecting changes in deployed settings
8. Which of the following is not a viable option for an enterprise network that needs to control and filter network traffic? A. Virtual firewall B. Appliance firewall C. Physical firewall D. Host firewall E. Software firewall
9. A reverse proxy is useful in which of the following scenarios? A. To grant outside users access to internal e-mail servers B. To support internal users accessing the public Internet C. To allow private hosts to access external Web servers D. To offer external entities access to an internal Web server E. To cache file transfers for peer-to-peer exchange protocols
10. All of the following are true statements with regard to port forwarding except: A. It is a variation of NAT. B. It is limited to Web traffic only. C. It hides the identity of internal hosts. D. It allows the use of nonstandard ports for publicly accessed services. E. Internal servers do not see the identity of the real source of a communication.
11. Which of the following statements is true with respect to reverse proxy? A. Reverse proxy cannot be used in conjunction with secured Web sites. B. Reverse proxy can be used with tunnel mode IPSec VPNs.
C. Reverse proxy can only support SSL tunnels. D. Reverse proxy caches client requests and archives them for load balancing purposes. E. The reverse proxy server can act as the endpoint for a TLS tunnel.
12. Which of the following is not a true statement with regard to port forwarding? A. Port forwarding services can be found on almost any service or device that supports NAT. B. Port forwarding is an essential element in the Internet Connection Sharing (ICS) service of
Windows. C. Port forwarding is used in reverse proxy, but only for Web traffic. D. Port forwarding supports caching, encryption endpoint, and load balancing. E. Port forwarding is a variation or enhancement of NAT.
13. Which of the following is not considered a viable option as a bastion host OS? A. UNIX B. Linux C. Android D. Mac OS E. Windows 7
14. You are selecting a new appliance firewall for deployment in the company network. You are concerned with OS flaws and exploits appearing not only on your hosts but also on the firewall. To minimize that risk, what bastion host OS should you choose? A. Cisco IOS B. Windows 7 C. UNIX D. Mac OS E. Linux
15. What is the most important aspect or feature of a bastion host OS? A. Leveraging existing OS administrative knowledge B. Ease of use C. Remote administration D. Resistance to attacks and compromise attempts E. Support of a wide range of services
16. What is always the most important element within a firewall rule set? A. Using specific addresses instead of ANY B. Listing Deny exceptions after Allow exceptions C. Listing inbound exceptions before outbound exceptions
D. Having a final rule of default-deny E. Blocking every known malicious port
17. Which of the following examples of complete firewall rule sets is the most valid? A.
B.
C.
D.
E.
18. Which of the following guidelines is most important? A. Include all specific denials for known malicious remote-control tools after explicit Allow
rules. B. Include every possible address and port in a rule within the set to ensure an explicit callout
exists for every type of communication. C. There should be more inbound rules than outbound rules. D. Place explicit Deny rules for individual systems before explicit Allow rules for ranges that
include those individual systems. E. Place universal Allow rules before universal Deny rules.
19. When considering the security response triggered by a firewall detecting unwanted traffic, what
is the main factor in choosing between a response that protects confidentiality and integrity and a response that protects availability? A. Traffic load B. Number of external clients C. Port in use D. Business mission and goals E. Whether the breach takes place during non-business hours
20. When security mechanisms and business communications are at odds, what is the best and most secure response? A. Disable security to allow the business communication. B. Modify the security policy to protect the business communication. C. Disable both security and the offending business communication. D. Disable business communication to maintain security. E. Do nothing.
CHAPTER
9 Firewall Management and Security
FIREWALL MANAGEMENT is about focusing on the essential security goals of the environment and making sure the deployed firewalls assist in fulfilling those goals. Following general best practices with care and due diligence will help ensure compliance. Realize that while a firewall is very important, even essential, firewalls are not the totality of security; you’ll need other security safeguards to create a complete solution.
When selecting a firewall, focus on the purpose and needs of your organization. Find a product that meets the real needs of your organization’s network environment, not the most popular or cheapest solution. Consider whether building your own firewall device rather than purchasing a ready-made appliance makes better sense.
But even with an appropriate, properly configured firewall, ongoing security concerns will invariably arise. Plan on the inevitable attacks, exploits, and threats to the security provided by a firewall. Hackers might attempt to use tunneling or virtual private network (VPN) services as a mechanism to bypass firewall filters. Be aware of these issues and be prepared to deal with them. Have an incident response plan in place.
Firewall management also includes testing, monitoring, and troubleshooting. Many excellent tools can help simplify or automate these processes. But even the best tools require solid information and a working knowledge of your environment. Detailed implementation plans can also be a significant benefit to maintaining reliable security.
Chapter 9 Topics
This chapter covers the following topics and concepts:
What best practices for firewall management are
What some security measures in addition to a firewall are
How to select the right firewall for your needs
What the difference is between buying and building a firewall
How to mitigate firewall threats and exploits
What the concerns related to tunneling through or across a firewall are
How to test a firewall’s security
What some important tools are for managing and monitoring a firewall
How to troubleshoot firewalls
What the procedure is for proper firewall implementation
How to respond to incidents
Chapter 9 Goals
When you complete this chapter, you will be able to:
Describe firewall management best practices
Select the best firewall for a given network scenario
Demonstrate the use of tools for managing and monitoring a firewall
Troubleshoot common firewall problems
Write a firewall installation plan
Best Practices for Firewall Management
Firewall management best practices are recommendations, guidelines, or standard operating procedures for obtaining reliable firewall security on a real-world budget. Best practices are usually not specific recommendations for products or tools. Rather, they are recommendations for philosophies, stances, or concepts on how to proceed. The following items are suggested best practices. These might not apply to every environment, although you should consider each and adapt or adopt when appropriate.
A written firewall policy establishes a documentation trail that everyone in the organization can read, consider, and follow. To write a firewall policy, learn about and thoroughly examine every communication, transaction, and service within, across, and through the IT infrastructure. You can write a comprehensive and effective firewall policy only when you know and understand your operating environment.
NOTE The foundation of every firewall implementation is to have a plan. There is no substitute for a written firewall policy. Any other method, process, or procedure for configuring, using, and managing a firewall will fail. Only a written firewall policy can guide you toward a successful and reliable firewall deployment.
To have a plan, you must thoroughly understand your organization’s infrastructure, its mission and goals, and the processes necessary to produce its products and services. This means understanding your organization’s technology use, assets availability, and resources consumption, in addition to where everything resides and how users work with the infrastructure. Consider larger and more complex needs in light of the typical IT infrastructure.
Once you understand your operating environment thoroughly, you can then decide where a firewall is necessary. In most cases, every host should have a local software firewall, every border communication point should have a firewall, and every transition between subnets of different trust, risk, or purpose should have a firewall. Firewalls provide communications control; deploy them liberally.
To create a useful and relevant firewall policy, perform a risk assessment. The process of understanding assets, vulnerabilities, threats, and likelihoods is risk assessment. Only through a proper risk assessment can you determine the threats and risks facing your environment and its communications. This in turn will guide the configuration of a firewall for maximum benefit.
Once a firewall policy is in place, regularly review the policy. Investigate whether the overall quality and reliability of the existing firewall security is sufficient or needs improving. Verify that all services are still properly protected. Evaluate whether prevention, deterrence, and response have been adequate and effective. Wherever you discover deficiencies, strive to improve and rectify the situation immediately.
Establish a no-exceptions policy. Every service, every transaction, every communication must pass through one or more firewalls, filtered according to the guidelines of the firewall policy. Terminate any communication found to take place without firewall filtering immediately.
Maintain physical security over all personnel access to firewalls. No one except the firewall administrator should have physical access to the firewall devices. Firewalls are concentrations of security and often the main embodiment of communications security. The risk of compromise from unauthorized access is significant.
Limit and filter Internet connectivity. In spite of a user’s desire for an unrestricted, unmonitored Internet connection for personal use, the Internet is a significant risk for most organizations. An unrestricted or unfiltered Internet connection is a highway for malicious code, social engineering attacks, and intrusion attempts. If an Internet service, protocol, domain, or IP address is not essential to a necessary business task, block it. Work assets are for work tasks, not personal activities. Configure the firewall accordingly.
Install antivirus scanners, anti-malware scanners, and firewalls on every host. Every portable device, every desktop workstation, and every server should have these malicious code and malicious traffic protections. No system is immune to malware and malicious communications; prevent easily avoidable compromises and downtime with basic filters and barriers to known issues.
Don’t rely upon a single or individual firewall. Attempt to interlock and layer firewalls along the pathways of communication and transactions. Use defense in depth or a multiple-layered defense wherever possible. If you do, numerous filtering events will shield each asset.
When possible, avoid remote access. Limit access to local direct connections only. When remote access is necessary, require a VPN. Remote connectivity enables remote hacking. Remote hacking attempts to breach security without the need to be physically at or within the target’s facilities.
Requiring VPNs for all remote connections reduces this threat somewhat by preventing open connections or communications vulnerable to eavesdropping. All communications crossing the firewall are potential vulnerabilities.
Require encryption of all internal network communications. Use Internet Protocol Security (IPSec) to secure all intranet communications. This is often an easy and cost-effective means to quickly reduce the risk of eavesdropping, man-in-the-middle, replay, and many other forms of network attacks. Well-encrypted data is much less likely to fall into the hands of hackers, thieves, and unauthorized personnel. Configure firewalls to allow IPSec, VPNs, and other forms of encrypted communications where appropriate, but don’t universally allow encrypted communications. Encryption can obfuscate malicious activities. Strongly authenticated endpoints are less likely to be sources of malicious actions.
Harden both internal firewall hosts and border firewalls. Use hardened firewalls against compromise regardless of their network location. Provide consistent and thorough security throughout the IT infrastructure. Protecting the stability and reliability of firewalls will, in turn, protect the security of the network as a whole.
Always test new code before you deploy it onto a firewall. No matter who the source of new code is, test it. Even if the code addresses a mission-critical issue, test it. Test all new code without exception. All untested code is unauthorized and you should block it from all production firewalls.
Back up, back up, back up. Security includes the guarantee of availability. Failing to have a backup increases the risk that if data is lost, damaged, or corrupted, it will never be available. Backups are the best form of insurance against data loss. Don’t store the backups for any given system on the same system or even in the same locale. Store them on separate storage devices, both onsite and offsite. Remember that offsite is more secure in the face of larger disasters. Don’t allow the only copy of a firewall configuration to be in memory on the firewall. Always make a backup.
If an asset is worth the time and effort to secure, then it’s worth monitoring as well. Configure each firewall as you deem necessary, and then watch for attempted breaches of that security. Perfect security doesn’t exist. To improve security, be prepared to respond when breaches happen—and they will. Lock, then watch. Failing to watch a secured asset just means that when the compromise occurs, you won’t notice it immediately. Firewalls can be the focus of an attack, just as much as any other host. Being aware of and prepared for such an attack gives you the edge to respond promptly.
Have an intrusion and incident response plan. Bad things will occur. Failures will happen. Breaches will take place. Firewalls can fail. Malicious traffic goes overlooked. But be prepared, nevertheless. Evaluate and examine the realistic threats facing your environment. Plan for the worst. Define procedures to respond to any and all situations.
Don’t overlook business continuity planning and disaster recovery planning. The greatest threats to organizations are not necessarily security breaches, but threats that represent business- terminating events. Building collapse, flooding, fire, sabotage, blackouts, malware infection, criminal activities, and so on shut down an organization’s operations. If alternate means of accomplishing mission-critical tasks aren’t available, then the organization will soon cease to exist. Plan to recover from disasters so that your organization survives to do business in the future. Recovering a business process does not mean leaving it unprotected; redeploying firewalls is just as essential as restarting business processes themselves.
Keep it simple: security (KISS). Firewalls are complex enough without purposefully imposing additional complexity. Focus on designing and configuring firewalls that use simple and direct rule sets. The greater the complexity involved, the greater the chance for misconfiguring, incorrectly ordering rules, or creating loopholes in protection.
Focus on balancing security and usability. Firewall filtering does not need to make all work tasks difficult. Likewise, essential work functions need not compromise security. Finding a balance between these two extremes is important. Focus on reducing the risk to the infrastructure while enabling users to perform authorized tasks with minimal hassle.
Prioritize. Security concerns always threaten to overwhelm available time, effort, and budget. Focus on the big impact and big result issues first rather than attempting to swat at every minor annoyance that arises. Security is constantly changing; the goal is to maintain reasonable security rather than keep perfect security. (Remember, this is unattainable anyway!) The deny-by- default/allow-by-exception philosophy should keep minor nuisances to a minimum.
Always be fully and truly aware of the state of the organizational security, especially in regard to firewall performance and function. Don’t make assumptions. If you are not positive that an aspect of the organization is secure, find out. Assuming security exists is a false sense of safety. A lack of knowledge about the security status could lead to complacency. Assuming nothing is wrong removes the urgency to investigate and rectify problems. Don’t fall into the “I thought it was protected” trap; if you don’t know or are not sure, take the time to investigate and know. Testing is relatively cheap; recovering from intrusion damage can be disastrously expensive.
Develop a firewall checklist. Review it for completeness and accuracy on a periodic basis, such as every quarter. Confirm every element on the checklist on a frequent regular basis, such as once a week or once a day. You can automate this to an extent, but it often requires human effort to test and confirm that every security mechanism is in place, active, armed, and effective.
Perform regular self-assessments. Numerous security groups, government, and military agencies post security implementation guidelines, manuals, and checklists. Commonly known as STIGs (Security Technical Implementation Guides), these documents can help you to review and assess your organization’s status and state of security. A self-assessment attempts to take an external, unique, or independent viewpoint in evaluating security. This is why using external guidelines, standards, and measurements of security can reveal oversights in an existing security infrastructure.
Perform internal compliance audits. It’s no longer sufficient to think you are secure; compliance audits are now the law in many industries, such as the financial and medical sectors. Ensuring that you are in full compliance with all federal and state laws and regulations is not only good security management; it also keeps company officials out of jail. Using external auditors is often a poor substitute for internal self-verification.
Test all uses of the firewall for sufficiency. Perform verification scans of all deployed firewall settings to ensure they are functioning. Improper installation or misconfiguration can render even well-meaning safeguards worthless. Test every new security setting or rule on installation and at every reconfiguration.
Perform regular vulnerability assessments. Use automated tools with updated databases of security tests and exploit simulations. These tools should confirm patches and updates, verify security configurations, and probe for known vulnerabilities to exploits and weaknesses. Quickly resolve any
issues the scans uncover. After you’ve improved and tuned firewall security, put it to the ultimate test: Perform penetration
testing. Hire or develop an ethical hacking team to test the strengths and weaknesses of the firewalls. Ethical hackers use the same tools and attack techniques as criminals, but without the intent to cause actual damage. Professional security assessment teams can customize attacks, modify exploits, and react in real time to fully stress security defenses.
Focus on establishing a philosophy of default deny rather than default allow. By blocking everything as a starting point, only those features, services, protocols, ports, applications, and users you deem safe and appropriate can proceed by an exception. Using a default-allow stance forces a never-ending stream of explicit denials as new compromises or malicious events arise. Deny by default/allow by exception is always the preferred security stance.
This collection of firewall management best practices should serve as a starting point for the development of an effective firewall deployment. Other valid and useful guidelines deserve consideration, so don’t assume this list of recommendations, or any other list from any other source, is exhaustive. There are always new lessons to learn, new challenges to face, and new wisdom to obtain.
Security Measures in Addition to a Firewall
A firewall is an essential part of any security infrastructure. Every single host needs a firewall. Every single network needs border firewalls. Firewalls are concentrations of security, and are easily recognizable embodiments of an organization’s security policy. A firewall is an incomplete security solution on its own, however.
FIGURE 9-1
Firewalls: Only part of the security puzzle.
A complete security solution requires many more components (Figure 9-1) than just a firewall. Proper understanding of the organization’s essential processes, threats, and goals will guide you toward the creation an effective security plan. Without a proper risk assessment, however, recommendations for safeguards and countermeasures are just guesses.
Several common elements characterize most properly designed security systems. These include:
Multifactor authentication Anti-malware scanning Full hard drive encryption Communications encryption Detailed logging and auditing of events Intrusion detection and prevention systems Network segmentation and traffic management Private IP addresses and NAT proxies VPNs for remote access Network access control
While these are often excellent security components, they are not all necessarily applicable and required in every environment. Addressing your environment’s specific risks is always more preferable than deploying a security product just because it seems like a good idea.
Selecting the Right Firewall for Your Needs
Choosing the best firewall for your specific environment requires knowledge of firewall options and understanding of the security needs of your network environment. Automatically selecting the most expensive option, the cheapest one, or an open source solution fails to properly assess the situation. Firewalls are essential elements of security. They are concentrated security. It would be careless to select a product without due diligence.
NOTE Selecting and purchasing the right firewall for your organization’s situation requires careful evaluation. As with any big decision, first find the longest poles in the tent: Always resolve important aspects of the process sooner rather than later. For example, first familiarize yourself with the budget for the purchase.
Knowing the amount of money available for firewall protection helps you quickly eliminate those
products clearly outside your price range. Don’t automatically discard every product above the budget limit, but realize that anything more than about 15 percent of your maximum allowance is probably out of reach.
Next, consider whether an open-source solution is a viable option for your corporate culture. Some organizations are philosophically opposed to open-source solutions, while others embrace and encourage such endeavors.
Do you want to include the option to build your own or focus on only off-the-shelf, ready-to- deploy options? Making this decision early will help guide you toward a viable choice.
Familiarize yourself with the wirespeed of the network, general traffic levels, the types of filtering desired, types or forms of recent attacks, and future growth and expansion plans. Armed with these pieces of information, you can begin a serious hunt for the most appropriate firewall solutions.
The firewall technology advances quickly. Often, new attacks and exploits crafted by hackers drive these advancements and upgrades. A specific recommendation for a specific model, product line, or even vendor has a finite life. Suggestions you hear today are likely to be out of date, superseded, or compromised in a few short months. Products at the top of the market one year might not even place in the next.
Seek out current firewall reviews both online and in technical publications and trade journals. Find firewall options that fall within the parameters you laid out based on your understanding of the network and known threats.
Some general guidelines will assist you in this process:
If speed, flexibility, and simplicity are priorities, then select a packet filtering firewall or a stateful inspection firewall.
If real-time applications and high-bandwidth communications are priorities, then select a dedicated application-specific proxy firewall.
If strong authentication is a priority, then select an application gateway firewall or a dedicated application-specific proxy firewall.
If detailed logging is a priority, then select an application proxy firewall. If customized, unique, or complicated filtering options are a priority, then select a dedicated application-specific proxy firewall or a stateful inspection firewall.
If stopping internal attacks is a priority, then select a dedicated application-specific proxy firewall or a personal host firewall.
A single firewall product rarely satisfies every need. However, you should be able to find one or more firewall solutions that address the primary security concerns of your organization.
The Difference Between Buying and Building a Firewall
Carefully consider the choice of whether to buy a ready-to-deploy firewall versus building it yourself. An off-the-shelf firewall that you simply plug in can be an attractive solution. However, an out-of-the-box product will generally cost more than an equivalent do-it-yourself system. In addition,
most pre-configured systems are not as flexible or expandable as a custom-built version. That’s not to say that a do-it-yourself firewall is always the best answer, either. A self-constructed
firewall can be less expensive and provide a wider variety of features and options. However, when an in-house, custom firewall experiences a problem, you can usually find little formal technical support beyond a user-community discussion forum.
If you are prepared to fully research and understand a firewall product to install, configure, and manage it yourself, then a do-it-yourself firewall can be a great cost-saving solution. However, if your organization’s IT staff is already stretched and overworked, then home-built solutions will likely cause more problems than they solve.
A pre-built, off-the-shelf firewall is more likely to work right out the box, requiring only that you plug it in, set the configuration, and connect the network cables. A build-it-yourself firewall may require additional hardware manipulation, juggling of device drivers, hardening of a host OS, and so on. Ask yourself: Is custom-built worth the hassle?
Don’t automatically reject either buy or build firewall options before you research and assess the options. You might be surprised at the low cost and feature richness of a boxed product or caught off guard by the complexity, instability, or high-cost of a do-it-yourself product. Always look for the best firewall solution for your specific needs and current threats.
NOTE Build-it-yourself firewalls are usually less costly because they usually don’t include dedicated hardware and often use open-source (free) source code. However, the tradeoff for the savings to successfully deploy a reliable border sentry solution is that you need to know more about firewalls generally and your specific software and/or hardware.
Mitigating Firewall Threats and Exploits
Firewalls are one of the most important components of a complete security solution. However, they are not without their own issues, threats, and concerns. Exploits will cause a firewall to fail. Remember that a firewall is software that sometimes includes dedicated hardware and a host operating system. Any software product is prone to flaws and errors in programming. Simply calling it a firewall does not eliminate this concern.
Ultimately, firewalls are software code written by human beings. In either a host firewall or an appliance firewall, the logic and controlling mechanisms of the firewall are software code. Software code is designed and written by people. And whenever people are involved, mistakes or oversights are possible.
Coding errors are not as common in firewall products as in operating systems or other forms of software. But don’t think they don’t occur. Most firewall programmers and vendors take extra care to comb through and test every line of code to exacting quality control and security standards. Standard industry practice requires considerable pilot testing of firewall code before release into the commercial environment.
In spite of these precautions, firewalls have in the past been released to market with software coding errors later discovered and exploited. Hackers are constantly using scanning, testing, and probing tools to discover exploitable weaknesses. When a vulnerability appears, hackers take advantage of the flaw. Some firewall exploits have caused firewalls to freeze or crash, while others have given the hacker the ability to read or adjust filtering rules. In most cases, vendors quickly release updates and patches to correct these problems. When selecting a firewall, check the version and patching history. Firewall products with lots of patches might not be as reliable in the future as a product with fewer patches.
How long does the vendor typically take to release a patch once a flaw or exploit for the product becomes public knowledge? The longer the vendor takes to release a fix, the longer you will be left insecure waiting for the update.
Some exploits cause buffer overflows. In a buffer overflow, a memory buffer exceeds its capacity and extends its contents into adjacent memory. Hackers often use this attack against poor programming techniques or poor software quality control. Hackers inject more data into a memory buffer than it can hold, which results in the additional data flowing over into the next area of memory. If the overflow extends to the next memory segment designated for code execution, a skilled attacker can insert arbitrary code that will execute with the same privileges as the current program. Improperly formatted overflow data may also cause a system crash.
When the firewall vendor becomes aware of an exploit in the wild, it quickly develops and releases a patch. An effective security- and patch-management system will enable you to quickly test and update the firewalls protecting your production environment. A delay in the release of a patch or its application keeps the window of opportunity for hackers to compromise your environment wide open.
A good rule of thumb is to avoid the first generation or first release of a firewall product. Version 1.0 is bound to be more prone to programming errors than later releases. If the first version of a product seems better than any other product from any other vendor, then wait at least six months after its initial release before deployment. This gives other people, good and bad, a reasonable time to find flaws, test exploits, and trigger release updates by the vendor.
Once you’ve chosen a firewall product, always install every available patch and update from the vendor. Always test updates first—no exceptions—but then get them installed as quickly as your testing process will allow. Install only full and final releases of a firewall patch. Never deploy alpha, beta, pre-release, release candidate, or test-build patches on a production firewall.
Another potential concern of firewall security is the filtering it uses. Understand that no perfect security measures exist. Each form of firewall filtering or traffic management is vulnerable in some way. The easiest is basic packet filtering.
Basic packet filtering uses a simple and static rule set. Numerous allow- and deny-explicit exceptions compromise the rule set’s final deny-all rule. Rules can focus on the IP address and port number of the source and/or destination, as well as the protocol in use. A firewall testing and probing technique known as firewalking can potentially discover some or all of the rules on a static packet filtering firewall.
Firewalking sends basic Transmission Control Protocol (TCP) virtual circuit initiation packets (synchronization-flagged packets) to a known internal target system. The firewalking tool manipulates
the parameters of the IP and TCP headers using a brute force technique. This process sends a wide variety of packets toward the internal target in the hopes of discovering a packet configuration that succeeds in passing the restrictions of the firewall rule set.
Once a hacker knows the packet constructions that make it past the firewall, he or she can use that knowledge to attack the known internal target or discover and attack other internal targets.
Other forms of firewall filtering are vulnerable if they do not perform content filtering or deep packet inspection. Non-content-filtering firewalls do not examine the contents of packet payloads. Thus, once an attack establishes what seems like a benign connection to an internal target, subsequent communications can contain malicious payloads.
Even when stateful inspection, content inspection, and deep packet inspection are present, hackers can employ fragmentation and overlapping attacks. These attacks use packets crafted to seem benign when analyzed individually, but once received by the destination, the fragmentation offset values cause an abnormal reassembly that overlaps packets to craft new payload and/or new header content. Such attacks can change target ports or deliver a malicious payload past a filtering sentry.
Fragmentation attacks are an abuse of the fragmentation offset feature of IP packets. Fragmentation may occur in a network where many different network links join to construct a global infrastructure. Some network segments support smaller datagrams (another term for packets or frames) than others, so larger datagrams fragment into the smaller size. When the fragmented elements of the original datagram reassemble, manipulations of fragmentation can cause several potentially malicious reconstructions such as overlapping and an overrun.
FIGURE 9-2
Fragmentation and overlapping.
Overlapping can cause full or partial overwriting of datagram components creating new datagrams out parts of previous datagrams (Figure 9-2). An overrun can create excessively large datagrams. These and other forms of fragmentation attacks cause DoS or attempt to confuse IDS detection or firewall filtering.
Fragmentation is a supported function of IP packets. Packets fragment when they encounter network segments that support a smaller maximum transmission unit (MTU). When packets reassemble, the fragments usually return the data to its original configuration. However, overlapping attacks can abuse the fragmentation offset value in the IP header causing reassembly overlap. Reassembly overlap can create new payloads or headers. For example, if a payload of “EVIL PAYS BLUE LOAD” fragments into “EVIL PAYS BLUE” and “LOAD,” an overlap reassembly could result in the creation of “EVIL PAYLOAD.”
Protections against fragmentation attacks include using modern IDS detection and firewall filtering features as well as performing sender fragmentation. Sender fragmentation queries the network route to determine the smallest MTU or datagram size. Then the sender pre-fragments the data to ensure that no fragmentation needs to occur en route.
The only reliable method of stopping these attacks is to deploy a dynamic filtering system that performs virtual reassembly. Virtual reassembly will piece together both fragmented packets and the original payload. The reassembled payload is analyzed, and then only if it is deemed non-malicious are the original packets transmitted to the internal network. Virtual reassembly is not a completely foolproof technique, but it does greatly reduce the risk of these exploits.
The most common method of exploiting and/or bypassing a firewall is internal code planting. Firewalls are often border sentries. They protect internal systems from communications that originate from external entities. Unfortunately, some security administrators use only inbound firewall filtering, which leaves outbound traffic uncontrolled and unfiltered.
In this situation, if a hacker can plant code internally or trick a user into running code, or if an employee brings in code of his or her own, outbound connections to malicious external entities might be possible. Frequently, laptops that pick up malware connect to the internal network, placing the malware behind the firewall. Many hacker tools rely on this technique, such as Loki, Back Orifice, NetBus, and even Netcat. A server of sorts is hosted on an external host and the automatic connection client utility runs on an internal host. The client utility establishes the initial connection as an outbound connection (thus allowed by the firewall), and then the external host is able to send data or commands back to the internal client through this connection. Often, this form of attack results in a hacker gaining modest to complete remote control over the compromised internal host.
Denial of service (DoS) is another common threat to firewalls and networks as a whole. A DoS attack, specifically a flooding or traffic based DoS, sends massive amounts of data to a target victim. If that victim has a firewall, then it will detect and discard the DoS. The firewall’s filtering service can usually prevent the DoS traffic from breaching the network’s perimeter and affecting internal systems.
However, since the firewall has to collect, analyze, and respond to each and every packet received on its interfaces, a well-managed DoS attack can consume all available bandwidth of the connecting segment to the firewall, as well as consume all of the processing capabilities of the firewall. This, in turn, prevents any legitimate traffic from reaching the network. Thus, even with a
firewall protecting the internal network, a DoS flooding attack can still successfully disconnect or interfere with external communications.
A firewall’s vulnerability to DoS flooding is the one limitation or weakness that you can’t fix, improve, or repair by either upgrading the firewall or applying a patch. Upgrading to a stateful inspection firewall addresses fragmentation, firewalking, and even internal planting of code. Patching will address programming bugs and buffer overflows. Although highly specialized tools are available that can perform partial upstream DoS detection and filtering, in general, no fixes to prevent flooding attacks from reaching an Internet-facing firewall exist.
Knowing these threats and exploits, as well as realizing the probability of others, should remind security administrators to be proficient at the basics. Security management is mandatory to maintain any semblance of security in any environment. Your essential long-term strategies for maintaining security include keeping systems current with patches, using a hardened configuration, staying knowledgeable about new exploitations, and monitoring the environment for successful and attempted compromise.
Concerns Related to Tunneling Through or Across a Firewall
Hackers tunneling through or across your firewall deployments are a serious threat to your organization’s network security. Tunneling is the creation of a communication channel similar to the creation of a VPN. In some cases, it uses actual VPN solutions and protocols. Tunneling can create either a covert channel or a known channel that’s unfiltered.
Tunneling uses two techniques. One method is installing a server component on an internal system, and then an external client component initiates the connection. This technique requires the firewall to allow inbound initiation connections to internal systems. A second method is to install a server component on an external system, then use an internal client component to initiate the connection. This technique requires the firewall to allow outbound connections.
Most firewall deployments strictly limit or restrict inbound initiation of communications to specific ports and services. Thus, a tunneling setup using an inbound connection must “hijack” an existing open port or reconfigure the firewall to open another port for use by the tunnel. If the perpetrator of this security violation has the ability to reconfigure the firewall, you have much more serious security concerns to address than tunneling.
Firewalls commonly allow most outbound communications with little or no restrictions. While not the best security stance, it is convenient and easy. Proper use of a deny-by-default stance should limit both inbound and outbound connections to those explicitly allowed. If the firewall freely allows outbound connections, then internally initiated tunnels are extremely easy to establish.
Tunnels can potentially use almost any protocol, including IP, ICMP, TCP, UDP, and most application protocols. Specialized tunneling server/client applications can replace traditional payload content with whatever content the hacker wishes. Effectively, this can convert almost any protocol at any layer of the OSI model into an encapsulation or tunneling protocol (Figure 9-3).
Tunneling is an obvious abuse and violation of protocol rules. However, if a firewall is not investigating the payload of a frame, packet, segment, and so on, then a hacker can set up a tunnel using a protocol not designed to perform encapsulation.
FYI Once a tunnel is open, data can move in either direction. The directionality of the connection has little to do with which end of the tunnel is the controller and which is the ultimate target or victim.
FIGURE 9-3
A tunnel across a firewall.
The problem gets worse when the tunneling system employs encryption. This makes payload investigations more difficult because the firewall will be unable to decipher the content or purpose of the encoded payload. To combat this complexity, set the firewall to either block all encryption, allow only encryption that originates or terminates at the firewall, or allow encryption only on certain ports (potentially limiting communications to and from specific IP addresses as well).
Encrypted tunnels across a firewall are not inherently or automatically malicious in nature. VPNs are encrypted tunnels that commonly and widely create security for personal and business communications across the Internet and within private networks. However, most VPNs use well- known VPN protocols, such as IPSec and SSL, on standardized ports, with predictable header constructions and characteristics. Unauthorized or rogue tunneling mechanisms often use odd protocols for encapsulation and can operate on any port, use invalid packet constructions, and violate communication standards.
In addition to the standard VPN protocols used for this purpose, such as IPSec, SSL, TLS, OpenVPN, PPTP, L2F, L2TP, and so on, several other legitimate and subversive services, products, and protocols can configure unauthorized tunnels. These include:
Loki—Loki uses ICMP as a tunneling protocol. Netcat—Netcat can create TCP and UDP network connections to or from any port. Cryptcat—Cryptcat is a version of netcat that creates encrypted connections. NetBus—NetBus is a malicious remote control tool.
Back Orifice—Back Orifice is a malicious remote control tool. SubSeven—Subseven is a malicious remote control tool. Remote Desktop Protocol (RDP) and Remote Assistance—These are native features of Windows OS. RDP is disabled by default, and Remote Assistance requires an invitation.
TOR (The Onion Router)—This is a double-blind encapsulation system that enables anonymous, but not encrypted, Internet communications.
JanusVM—This is Linux software powered by VMware that creates SSH encrypted tunnels used in combination with TOR.
PacketiX VPN—This is an encrypted Web proxy service. HotSpotShield—This is an encrypted Web proxy service. HTTP Proxy—This is a Web proxy service. GoToMyPC, GoToAssist, LogMeIn, and other similar services—These are third-party remote desktop control services.
This list of products, services, solutions, and protocols used to create illicit tunnels across a firewall is not exhaustive. Several of these are legitimate services with valid uses, but when a hacker employs them without permission, especially across nonstandard ports, they represent a serious threat. Any ability to breach a firewall to allow unfiltered, full-duplex communications is cause for concern and response.
The best defense against these tunneling exploitations is to strictly enforce deny by default for both inbound and outbound communications. Clearly define in the acceptable use policy (AUP) which tools are unauthorized and which are considered security breaches. Use network and host IDS/IPS monitoring. Deploy whitelist controls to prevent the installation of unapproved software. Limit mobile code such as ActiveX, Java, Flash, Silverlight, and JavaScript in browsers to minimize the possibility that a Web-only form of tunneling might use an authorized Web client.
Testing Firewall Security
Firewall tests are an important and integral part of the build and management process. Standard security management practice is to test security to confirm proper configuration, performance, and strength against attacks and exploits. Failing to test a firewall is a serious breach of this best practice.
Because a firewall is one of the most important parts of your security infrastructure, is a concentration of security controls, and is your first line of defense against inbound attacks, failing to test a firewall thoroughly practically ensures you will have a breach or intrusion.
Every update, change, or alteration to any aspect of your firewall or the network segments connecting to a firewall should trigger another round of firewall testing. Test a firewall as if you were practicing for the Olympics. Repeat the testing again and again, striving to push the limits and improve with each drill. Strive to ensure your firewall deployment is the best it can possibly be.
technical TIP Testing a firewall involves the use of several tools and techniques. These include automated vulnerability assessment tools, exploitation frameworks, and rogue hacker attack tools.
One tool you can use is a simulated firewall test. Such a test uses an attack simulator to transmit attack packets to the firewall. You can locate the attack simulator inside or outside the firewall to simulate an internal attack or an external attack. An attack simulator can verify that a specific weakness is present on a firewall, without actually causing damage or interrupting production. Most simulator tests are secure by design.
Creating a virtualized network environment using a virtualization tool, such as VMware, performs virtual firewall tests. A virtual intranet is created, a virtual firewall bastion host goes up, and virtual external systems become active. The administrator then works through a variety of scenarios of attack, both from internal attackers and external ones. Logically, the virtualized environment functions like the real one, but you can test it using techniques that might otherwise damage or interrupt the production network.
Laboratory tests run in non-production subnets where you’ve configured a duplicate of the production environment. The laboratory setup mirrors each system, including the firewall. Test-run in the lab environment anything that might interfere with production or might cause data loss or system damage.
Laboratory tests and virtualized testing are similar, but both are useful mechanisms; use them both rather than forgoing laboratory tests in favor of using virtual testing exclusively. The actual physical devices of firewalls and systems might reveal weaknesses not present in the virtualized versions.
Any of these testing configurations can benefit from the use of fuzzing tools. Fuzzing tools use a brute-force technique to craft packets and other forms of input directed toward the target. Fuzzing tools stress a system to determine whether it will react improperly, fail, or reveal unknown vulnerabilities. Fuzzing tools can discover coding errors, buffer overflows, race conditions, remote exploit flaws, injection weaknesses, and so on. The downside to using fuzzing tools is that they can take a significant amount of time to discover anything interesting.
Using a variety of testing methods to put a firewall thoroughly through its paces is an important part of security management. To maximize your network’s security effectiveness, plan, design, deploy, test, and then fine-tune.
Important Tools for Managing and Monitoring a Firewall
Proper security management requires that you manage and monitor the firewalls in your infrastructure. As with every type of security, you can’t just install firewalls and forget them. Every security safeguard must be locked down, tuned, and monitored over time. Once the firewall has been installed and configured, the work of managing it begins.
Firewall management is about understanding that new threats are coming from hackers on a
constant basis, and that the defenses and settings that work successfully today might not be the best defense against new attacks tomorrow. Firewall management is the essential task of maintaining a firewall in spite of these new threats.
Firewall management includes verifying that the configuration settings of the firewall remain in place and don’t change without authorization. Device failures, electrical fluctuations, and unexpected reboots can delete or corrupt firewall configurations. So, regularly verify that the desired settings remain active on the firewall.
Firewall management includes applying updates and patches to the firewall. Always test updates before deployment. Back up firewall configurations before applying new and tested updates. Once you apply an update, confirm that the application of the update didn’t reset the configuration to the default settings.
Firewall management includes testing the resistance of the firewall to attacks. This can include the use of a variety of automated and manual attack tools and techniques. Effectively, firewall testing is the application of penetration testing or ethical hacking against the firewall as the primary target. Using the tools and methodology of criminal hackers in an ethical and boundary-limited manner is an excellent way to verify the ability of a firewall to withstand known attacks.
Firewall management includes the use of monitoring tools to watch over the performance and reliability of a firewall over time. Properly use any valid tool in this endeavor. Some recommended tools to consider include:
Nmap—This is a network mapper, port scanner, and OS fingerprinting tool. It can check the state of ports, identify targets, and probe services.
Netstat—This is a simple command line tool to list the current open, listening, and connection sockets on a system.
TCPView—This is a GUI tool to list the current open, listening, and connection sockets on a system as well as the service/program related to each socket.
Fport—This is a command line tool to list the current open, listening, and connection sockets on a system as well as the service/program related to each socket.
Snort—This is an open-source, rule-based IDS that can detect firewall breaches. Nessus—This is an open-source vulnerability assessment engine that can scan for known vulnerabilities.
Wireshark—This is a free packet capture, protocol analyzer, and sniffer that can analyze packets and frames (Figure 9-4) as they enter or leave a firewall.
Netcat—This is a hacker tool that creates network communication links using UDP or TCP ports that support the transmission of standard input and output. It commonly creates covert channels to control a target system remotely or to bypass a firewall. It can test a firewall’s ability to detect and block covert channels. Cryptcat offers similar capabilities using encryption.
Backtrack—This is a Linux distribution that includes hundreds of security and hacking tools, including Nessus and Metasploit. It can perform attacks against or through a firewall for testing purposes.
Syslog—This is a centralized logging service that hosts a duplicate copy of log files. It provides a real-time backup of every log on every participating host.
FIGURE 9-4
Wireshark.
These are only a few of the excellent tools to manage and monitor a firewall. But more important than the tools you use is ensuring that the careful management, monitoring, and tuning of your firewalls actually take place.
Troubleshooting Firewalls
Firewall troubleshooting, like any form of troubleshooting, is about the process more than the actual result. Most firewall problems can be relatively easy to troubleshoot if you’ve planned a detailed troubleshooting procedure with extensive documentation. The foundation of successful troubleshooting is preparation.
When trouble arises in or around the security of the network, especially in regard to the firewall, you must act promptly to resolve the issues at hand. Troubleshooting is both an art and a skill set to systematically diagnose and eliminate problems whatever the source. Although troubleshooting might sometimes sound exciting, in reality it’s a fairly lengthy and tedious process. Knowing a few procedures and commonsense guidelines can improve your troubleshooting skills and help keep downtime and security breaches to a minimum.
You can never have too much useful troubleshooting information. Information, data, documentation, resources, and so on are the primary tools you can use to find and resolve problems. Useful troubleshooting information includes:
Complete hardware and software inventory (relative to firewalls) Paper and electronic copies of configuration settings Firewall policy Change documentation Previous troubleshooting logs Activity, error, and alert logs Maintenance logs Any information about the current problem
Once you have this information in hand, you can begin the overall troubleshooting process. Don’t wait until a problem occurs to collect this essential information, however. Instead, maintain this collection of documentation as a normal, regular, essential element of system maintenance and management. The best time to document the environment and configuration is when you do not urgently need it. When problems do arise, you want to be able to focus on resolving the issue, not collecting resources and tools. Pre-assemble the tools and resources you’ll need for troubleshooting so that you will be ready for action.
Murphy’s Law dictates that when things go wrong, and they will, they will go bad at the least convenient time. To combat this, be prepared before the problems arise. That way, when the firewall fails, locks up, freezes, lets through unwanted traffic, or falls to a hacker, you can focus on dealing with the stress, time crunch, data loss, and downtime ramifications without also having to deal with collecting the essential materials to resolve the problem.
Being prepared is always a solid first step. Next, develop a troubleshooting plan, technique, or procedure. While some problems are predicable and have a known method of resolution, many situations will require off-the-cuff brainstorming to craft a new solution. Most solutions come from a liberal application of common sense. The following are several commonsense elements you need to integrate into your troubleshooting planning:
Have patience—Keeping your cool and taking your time will pay off by allowing you to find a solution quickly without making mistakes, overlooking essential details, or making the problem worse.
Know your firewall thoroughly—The more you already know about the firewall hardware and software, the more you will know how it functions. You can immediately use that knowledge to seek out a solution.
Isolate the problem—Whenever possible, isolate elements or components of the firewall system that are functioning correctly to narrow the range of suspects of potential problem sources.
Simplify—Disable or disconnect software and hardware not essential to the function of the firewall. This will reduce the complexity of the situation and may assist in uncovering the cause.
Focus—Seek to find a solution to the current most critical problem. Don’t waste time fixing,
repairing, upgrading, resetting, or configuring any other problem or aspect of the firewall system until you’ve resolved the primary problem. You can become distracted by minor details that “only take a second” to address; make a list of these smaller issues and come back to them later.
Review change documentation—Could a recent change be responsible for the unwanted activity? If so, try to undo the change to see if the problem stops.
Review previous troubleshooting logs—Consider whether the current problem is the same as or similar to recent problems already in the log. Try repeating successful solutions.
Update the troubleshooting log—Record every action attempted, whether successful or not. Record it into the troubleshooting log and use it as a journal. Think of something, then write it down. Then try the solution, and write that down. Then test for effectiveness, and write that down. Next, repeat the failure fix, and write that down. Repeat until resolved, writing down the successful solution and making note of any other thoughts, ideas, or observations.
Try the quick and easy fixes first—Try the fast and easy stuff before the hard and complicated options. You might be lucky, but if not, undoing easily attempted failed solutions will be simpler than undoing more complex options.
Avoid destructive or irreversible solutions until last—Attempting to use an irreversible fix is a poor idea early in the troubleshooting Process. Only after reversible and/or safe solutions have failed should you attempt more drastic measures.
Try the free options before the costly ones—Always try to perform repairs and fixes in- house using tools and resources that you already own or can obtain free. Hold off on purchasing new resources or hiring technical support until you’ve exhausted other options.
Let the problem guide and direct you—The more you understand how your firewall operates and what the problem is, the more the problem will direct you toward the affected area or the source of the issue.
Make fixes one at a time—Try only one fix or repair option at a time. Attempting multiple fixes at once is more complex and might mask the successful resolution.
Test after each attempt—After each fix is made, test the repair to see if it was successful. Reverse or undo solution failures—If a fix does not resolve the issue, undo it to return to the previous state. Leaving failed fixes in place may cause other problems or may intensify the main problem.
Repeat the failure—Sometimes causing the failure to repeat can assist in identifying the cause. However, do so only when the repetition will not cause further harm or loss.
Perform a post-mortem review—The most valuable result of a problem, especially a resolved problem, is your ability to learn something from the event. Always review the entire troubleshooting response process. Look for ways to improve the response to future problems.
Use these commonsense highlights to create an official how-to procedure that your IT and security staff can follow when a firewall problem arises. Firewall problems won’t wait; strive to understand and resolve them quickly. Otherwise, your network will be at risk or productivity can suffer. Neither
is beneficial to the long-term viability of your organization.
Proper Firewall Implementation Procedure
Successful firewall implementation comes from a written plan. As with every aspect of security, a written procedure is essential for a reliable and trustworthy deployment. If a firewall policy does not exist in your organization, then your first step should be to craft one.
A firewall implementation procedure should prescribe the systematic process to properly install and configure a firewall. Since each firewall product is different and each type of deployment is likely different (a border firewall versus an internal host firewall, forinstance), you may even find that you need several firewall implementation guides.
The specifics of an implementation guide are different for each organization. Customizing a plan for your specific environment is essential to obtain the best security from the deployed firewall. However, every plan should have certain common elements. Whether you are developing your own firewall implementation policy or revising an existing one, use the following plan components to make yours the best possible policy for your organization.
Every firewall procedure should clearly define the requirements for the firewall. A generic description of a firewall is insufficient. Don’t just indicate that you need a software firewall or an appliance firewall. Instead, dictate the specific capabilities, features, and requirements to accomplish the tasks and security goals. You can include a specific example of a vendor’s exact make and model. However, products change, are revised, are replaced, and are retired by vendors on a rather frequent basis. So, include an inventory of features and specifications, even if you focus on a certain off-the- shelf product.
Specify the network design that the firewall will complement. To be effective, network firewalls (as opposed to host firewalls) must be at chokepoints or transition points. The design of the network is an essential element of effective firewall deployment. Define and even map out the network structure that should exist along with pinpointing exactly where the firewall is, down to the logical configuration and the physical cables connecting to it. Your network design will change over time, but this can always change in the future when you perform change documentation and guidelines revision.
Write the plan down. Write out step by step, point by point, every action to take from the moment the firewall arrives on site through the point of enabling the filtering of production traffic. Include hardening of the bastion host, applying patches, updating firmware, changing defaults (especially passwords), locking down management interfaces, changing configuration settings, defining the rule sets, configuring interfaces, installing the physical components, backing up the configuration, testing at startup, testing for stress and load, documenting performance and stability, obtaining approval from senior management, and initiating filtering of production traffic.
Prescribe the process of shopping for and purchasing (or otherwise obtaining) the firewall. Not all firewalls have a purchase cost, such as those that are free, open source, or obtained through bartering. Nonetheless, document a procurement process. Consider purchase price; consider whether the product is new, used, or reconditioned; understand the return policy; look for discounts; investigate the warranty; and know what levels of technical support are free or available for a fee. If the product must be shipped to you, either verify that it’s in stock or determine the backlog waiting
period. Consider overnight shipping and insuring the package against shipping damage and loss. Don’t spend hundreds or thousands of dollars on a product that may arrive damaged without having recourse to a claim with the shipping company.
Document, document, document. Write down every aspect of firewall use before deployment. Journal every step performed from start to finish of deployment, and then record into the documentation every action in managing, administering, monitoring, and troubleshooting the firewall for the remainder of its deployment life. No action or event is too insignificant to record relative to your firewall deployment. This comprehensive firewall documentation is essential to management, troubleshooting, recovery, and incident response.
Responding to Incidents
Incident response is a key part of every security infrastructure. Incident response is the planned reaction to negative situations or events. Security breaches, or at least attempts to breach security, will occur. When those events affect the organization or its abilities to perform its tasks in any way, incident response triggers. The goals of incident response are to minimize downtime, minimize loss, and restore the environment to a secure, normal state as quickly as possible. This applies to breaches of a firewall as well as every other aspect of security.
Most incident response solutions include six primary steps or phases:
Preparation—Select and train security incident response team (SIRT) members and allocate resources.
Detection—Confirm actual breaches. Containment—Restrain further escalation. Eradication—Resolve the compromise. Recovery—Return to normal operation. Follow-up—Review the process and improve future responses.
Incident response is an important element of firewall management.
CHAPTER SUMMARY Firewall management involves addressing all security concerns related to the security provided by a firewall. This includes following recommended best practices, knowing that a firewall is only part of a complete security infrastructure, picking the right firewall for the environment, considering the options of building versus buying a firewall, being prepared to mitigate firewall threats and risks, dealing with tunneling across a firewall, firewall testing, using tools for management and monitoring, troubleshooting problems, planning out use, and being prepared with an incident response policy.
KEY CONCEPTS AND TERMS Fuzzing tools
CHAPTER 9 ASSESSMENT
1. All of the following are considered firewall management best practices except: A. Have a written policy. B. Provide open communications. C. Maintain physical access control. D. Don’t make assumptions. E. Develop a checklist.
2. All of the following are firewall management best practices except: A. Lock, then watch. B. Back up, back up, back up. C. Keep it simple. D. Perform penetration testing. E. Implement fail-open response.
3. You are the security administrator for a small medical facility. To be in compliance with federal HIPAA regulations, you need to deploy a firewall to protect the entire office network. You are concerned that a firewall failure could result in compliance violations as well as legal costs due to client court cases. Which of the following is the best choice of firewall for this situation? A. Deploy a client system with a native OS firewall. B. Select any open source firewall product. C. Use the firewall provided by the ISP connection device. D. Deploy a well-known commercial firewall from the approved products list. E. Use a multifunction device, such as a wireless access point.
4. From the following options, what is the most important factor in selecting a firewall? A. Biometric authentication B. Types of traffic to be filtered C. Sales or discounts D. Bastion host OS
E. Built-in antivirus scanning
5. A well-designed and configured firewall provides more than sufficient security protection without any additional safeguards. A. True B. False
6. Which of the following is a benefit of buying a ready-to-deploy firewall over using a build-it- yourself firewall? A. Minimal setup time B. Less expensive C. Repurposing existing hardware D. Using open-source software E. More complex troubleshooting
7. Which of the following is a benefit of using a build-it-yourself firewall over buying a ready-to- deploy firewall? A. More costly B. On-site technical support C. Greater flexibility and customization D. Product warranty E. Requires skill and knowledge to deploy
8. Which of the following is not one of the possible but rare attacks or exploits against a firewall? A. Coding flaw exploitation B. SMB share exploitation C. Buffer overflow attacks D. Firewalking E. Fragmentation
9. The exploit or attack known as ________ can be used to cause a DoS, confuse an IDS, or bypass firewall filtering. A. Obfuscation B. Trojan horse C. SQL injection D. Fragmentation overlapping E. Spoofing
10. Although successful attacks and exploits against firewalls are rare, what is the best response or resolution to such compromises?
A. Deploying anti-malware scanning B. Adding rules to the set C. Positioning the firewall on a non-chokepoint D. Increasing the transmission frequency E. Patching and updating
11. Tunneling across or through a firewall can be used to perform all of the following tasks except: A. Using a closed port for covert communications B. Bypassing filtering restrictions C. Using any open port to support communication sessions D. Allowing external users access to internal resources E. Supporting secure authorized remote access
12. Which of the following statements is false? A. ICMP can be used as a tunneling protocol. B. Encryption prevents filtering on content. C. Outbound communications don’t need to be filtered. D. Tunnels can be created using almost any protocol. E. Tunnels can enable communications to bypass firewall filters.
13. Which of the following provides anonymous, but not encrypted, tunneling services? A. Cryptcat B. JanusVM C. TOR D. PacketIX VPN E. HotSpotShield
14. What is the best way to know that a firewall is functioning as expected? A. Review the documentation. B. Presume it is until a patch is received from the vendor. C. Test it. D. Check the configuration. E. Watch the log files.
15. Which method of testing a firewall grants the tester the greatest range of freedom to perform tests that might cause physical or logical damage to a firewall? A. Live firewall tests B. Virtual firewall tests
C. Laboratory test D. Simulation tests E. Production firewall tests
16. Which of the following tools tests and probes whether a port is open or closed? A. Nmap B. Netstat C. TCPView D. Fport E. Wireshark
17. Which of the following testing tools is an open-source vulnerability assessment engine that scans for known vulnerabilities? A. Snort B. Nessus C. Wireshark D. Netcat E. Syslog
18. What is always the best tool for firewall troubleshooting? A. Source code B. Crimping tool C. Vulnerability scanner D. Information E. Fuzzing tool
19. Which of the following is not a recommended commonsense element of troubleshooting? A. Isolating the problem B. Setting it aside and return to it later C. Reviewing change documentation D. Making fixes one at a time E. Having patience
20. Which of the following is not part of a successful firewall use? A. A written plan B. Specific requirements C. Purchasing guidelines D. User survey of preferences
E. Documentation
CHAPTER
10 Using Common Firewalls
THE ACTUAL DEPLOYMENT of a firewall is a fairly straightforward process. This process begins with understanding the network environment, includes selecting a product that satisfies security needs, and ends with a more secure network infrastructure. Toward that end, this chapter examines a few of the remaining concepts that are often part of the decision-making process.
Firewalls are useful in many different situations. Every network infrastructure can benefit from proper use of a firewall. This chapter presents additional concerns and decision points for small and large network environments, host software firewalls, native operating system (OS) firewalls, third- party OS firewall alternatives, Internet service provider (ISP) connection device firewalls, commercial firewall options, open-source firewalls, hardware firewalls, and virtual firewalls.
Chapter 10 Topics
This chapter covers the following topics and concepts:
What some options are for individual and small office/home office (SOHO) firewalls
What common uses for a host software firewall are
How to use Windows 7’s host software firewall
How to use a Linux host software firewall
How to manage the firewall on a connection device from an Internet service provider (ISP)
What commercial software network firewalls are
What open-source software network firewalls are
What appliance firewalls are
What virtual firewalls are
What some simple firewall techniques are
Chapter 10 Goals
When you complete this chapter, you will be able to:
Configure the Windows Firewall on Windows 7
Set up a broadband connection device firewall
Individual and Small Office/Home Office (SOHO) Firewall Options
Firewall options for the individual or for those running a small office range from native OS firewalls to special-purpose devices. Most individuals and small office/home office (SOHO) users are concerned about security but don’t want to spend more than really necessary. Obtaining a reasonable level of security for most home or small office environments is actually quite easy and cost effective.
First, an understanding of the common threats facing such an environment suggests that firewall options can be simple and inexpensive. While the Internet is not a safe place, interacting with Internet resources is not an automatic recipe for damage and destruction. Common sense and use of basic security tools greatly reduces the likelihood that a significant compromise from the Internet will take place.
Generally, Internet threats fall into two main categories: passive and active. Passive threats are those you must seek out to be harmed. For example, you have to visit a Web site to be harmed by malicious code embedded in that site. Likewise, downloading infected content occurs only when you elect to click on a download link. Users can avoid most passive threats by making good and safe choices as to where to go and what to do on the Internet.
To address passive threats, modern Web browsers include pop-up blockers, cookie filters (Figure 10-1), and malicious site managers to limit exposure. The use of antivirus scanning, an anti- spyware scanner, and anti-spam filters addresses other common threats. Adding a firewall to your security stance protects against most of the passive threats on the Internet that might be casually triggered. While it’s still possible to go looking and find trouble, most well-known and popular sites take security seriously and strive to make accessing their resources as secure as possible.
NOTE Installing a handful of security tools doesn’t mean that you can throw caution to the wind and randomly explore the entire Internet safely. Instead, by using simple security tools along with common sense, most threats are either blocked or avoided. Potential exceptions can always affect this rule, of course, such as when a trusted site is compromised and your next visit results in the transfer of malware to your hard drive.
FIGURE 10-1
The Privacy section of Firefox’s Options dialog box. Note the cookie settings.
The other category of Internet threat is active. An active threat is one that takes some type of initiative to seek out a target to compromise. This can be a hacker, an intruder, or an automated worm. In any case, an active threat seeks out vulnerable targets. If you do not have reasonable security deployed and an active threat discovers your system, you might be at risk for a compromise.
Fortunately, most individuals and small office environments are not significant or primary targets of most hacker activity. There just isn’t enough value or benefit in spending the time and effort to compromise a moderately secured single computer or small network. If your business is getting lots of traffic and orders or you happen to be hosting hundreds of systems, then you naturally become a more valuable target to hackers.
In most circumstances, the average home user and most small offices (such as those operating a dozen or fewer computers in a network) can obtain reasonable security protection from very simple and inexpensive firewall options.
The first firewall option to consider is any native firewall of the operating system. Most OSs include a default or native firewall. If yours does, investigate its features and options before automatically tossing it aside. Many of the firewalls found in the latest releases of operating systems are as good as or better than most commercially available third-party host software firewall options.
One of the best-known examples of a native operating system firewall is Windows Firewall. Windows Firewall made its debut in the Windows OS as part of Service Pack 2 for Windows XP. Initially, Windows Firewall was panned because it imposed security, restrictions, and control on the Windows OS where none existed before. Many applications and services failed to function with Windows Firewall. Ironically, many of these “failures” were caused not by Windows Firewall, but by a service performing insecure and unfiltered activities blocked by the security provided by the new OS firewall.
Since its initial release, Windows Firewall has matured. It appeared as a standard native feature in Windows Vista and Windows 7 (Figure 10-2). The measure is likely to remain a key OS
component in future versions of Windows. The feature set and uses of Windows 7 Firewall are discussed in a later section in this chapter.
Other OSs may or may not have a firewall as well recognized as Windows Firewall, but you should still investigate the standard options and feature set provided natively before seeking out alternatives. After all, you would never custom turbo-charge a brand new car until you had driven it and road tested its standard features.
FIGURE 10-2
Windows 7’s Windows Firewall Control Panel screen
FYI Current industry nomenclature gives most ISP connection devices a name that includes the word “modem.” Don’t be fooled by this label; the term modem comes from the function of a device that modulates and demodulates (hence, mo-dem) digital information into analog signals. Most ISP connections, including cable, DSL, satellite, and long-range wireless, are digital signaling systems that don’t employ analog signals or information of any type. So, the use of the term “modem” is a merchandising ploy to make the device sound familiar and comfortable, rather than complex and scary.
Linux distributions do not automatically come with a native software firewall. And even when Linux does provide a native firewall, it’s not likely to be enabled or configured by default. Due to the wide range of variations in Linux distributions, Linux provides a range of firewalls. Linux firewalls include older products such as ipchains and iptables, as well as newer options such as PF, Netfilter,
and Vyatta. In addition to the free or native OS firewall options, another simple and easy firewall that
individuals and SOHOs can use is firewalls hosted by ISP connection devices or wireless access points. Most ISP connection devices, including cable modems, digital subscriber line (DSL) modems, satellite modems, and wireless modems, include firewall features. A firewall feature may or may not represent a fully functional firewall. Some are basic filtering tools that block IP addresses, ports, or protocols using a simple blacklist technique.
If the ISP connection device provides firewall services, obtain a copy of the original manufacturer’s user manual for the device. This will provide the best initial information on accessing and configuring the device’s firewall, since your ISP has probably chosen to lock down access to the connection device. The use of an ISP connection device firewall is discussed later in this chapter.
An ISP connection device may or may not offer wireless connectivity. If the provider does not offer a wireless option or requires you to pay extra for wireless via their equipment, you should consider deploying your own wireless access point. Most wireless access points for consumers and SOHO environments cost under $100 and offer firewall services as well as wireless connectivity.
The use of native host OS firewalls and a hardware firewall provided by an ISP connection device or wireless access point is usually more than sufficient filtering security for a home user or a small office network. However, if you want to explore other options or you have a larger, riskier, or more sensitive environment, consider the other firewall alternatives.
Uses for a Host Software Firewall
The next step up from a native OS firewall (or even an OS without a firewall) is a third-party host software firewall. These options include both open-source and commercial software firewalls for most operating systems.
You can use a host software firewall in several situations. The first and most obvious use is simply to protect a client system. This is the original and intended purpose of a host software firewall. Keep in mind that a host software firewall provides protections for both inbound and outbound communications. A host software firewall protects the client from compromises on the network and protects the network from compromises on the client.
NOTE Before installing any third-party software firewall, always double-check for full compatibility with your current operating system version and patch level. If the firewall’s documentation does not specifically list your operating system as being fully compatible, don’t assume that the measure will work properly. Firewall security is not something to leave to chance.
Use a host software firewall as an additional layer of protection on a server system. Most server operating systems do not include a host software firewall. Therefore, a dedicated firewall appliance often deploys on the network. A host software firewall on a server is never a substitute for an
appliance firewall. However, it can be a supplement. A host software firewall can provide firewall filtering services in relation to a virtual private
network (VPN). Just because the VPN link itself may be encrypted does not guarantee that the other end of the VPN connection is as secure as you might desire. Using a host software firewall in conjunction with either a software host VPN (such as a transport mode VPN or a remote access VPN) or an appliance VPN adds an additional layer of protection against compromises that could traverse the VPN connection.
NOTE When installing a third-party software firewall, make sure all native or other firewalls are disabled or uninstalled. Do not attempt to run two software firewalls simultaneously on the same computer system. It’s acceptable to run different software firewalls on different systems and to even use one or more appliance hardware firewalls. Just do not attempt to use two software firewalls on one system.
A host software firewall can provide modest protection for small networks. Home networks, gaming networks, and small office networks are sometimes constructed using a primary system connected to the Internet that shares that connection with a small network off of a secondary network interface. On a Windows system, the Internet Connection Sharing service makes this type of network configuration simple. Use a host software firewall and provide the secondary network with modest firewall filtering services.
A host software firewall likely has many other uses. Don’t limit your imagination or deployment options to those discussed in books, described in manuals, or prescribed by the vendor. Use host software firewalls in any network configuration. The goal is to establish additional layers of security, not conform to static notions of design and implementation.
Examples of Software Firewall Products Software firewall products are important options to consider when designing and deploying a security solution for home environments as well as corporate IT infrastructures. However, as with any type of software, the available products change constantly. Updated versions of software firewalls are released frequently; some products disappear from the marketplace, while new firewall products appear on the scene all the time.
Before selecting a specific firewall product, do research to confirm that the firewall is still a fully supported and maintained solution. You don’t want to buy into a product that has already been marked for retirement or phase-out, or be invested in the installation of a version imminently at risk of being superseded. Verify that the vendor is still supporting the firewall product. Check on the revision history and, based on previous time frames, estimate if the current version release is it a bit stale or a bit tardy for a revision.
Beware the textbook answer. Most authors are reluctant to recommend specific current products. Books typically take six to twelve months to reach the hands of readers once the author completes the
manuscript; coincidentally, six to twelve months is the life span of many product versions. A product an author recommends might no longer be the best option by the time that recommendation reaches readers.
Take caution when following any specific “textbook” advice about a specific product, especially a specific version of a product. Question a product’s shelf life. Gather fresh information. Always double-check the facts, reviews, and suggestions via current Internet search resources, vendor Web sites, IT association blogs and discussion forums, industry journals, and mass market computing magazines. Like milk and cheese, most computer software products have an effective “use by” date that you should be familiar with.
All that being said, a host of third-party software firewalls are worth considering. Here are just a few of the more widely known options:
Check Point ZoneAlarm Pro (free and retail) Comodo Firewall Pro (free) eConceal Pro (retail) Injoy Firewall (retail) Jetico Personal Firewall (retail) Lavasoft Personal Firewall (retail) Look ’n’ Stop (retail) Norman Personal Firewall (retail) Outpost Firewall Pro (free and retail) PC Tools Firewall Plus (free) PrivateFirewall (free) Sphinx Software Windows 7 Firewall Control (free and retail) Tall Emu Online Armor Personal Firewall (free and retail)
In addition to standalone, third-party firewalls, some firewalls come packaged as part of a security suite. These suite-member firewalls are not available as standalone products. However, the collection of security applications might be worthwhile if you don’t already have existing solutions. Some security suites to consider include:
BullGuard Internet Security Computer Associates Internet Security F-Secure Internet Security Kaspersky Internet Security McAfee Personal Firewall Plus MicroWorld eScan Internet Security Suite Microsoft Security Essentials Norton Internet Security and Norton 360
Panda Internet Security Trend Micro Internet Security Webroot Internet Security Essentials
How fresh are these lists? These products were current and available as of spring 2013. The lists are not exhaustive and include only well-known products. As you read this, new firewall options might now be available and some of the listed products might have been terminated. If you want to search for more or current options, search using keywords such as software firewall, and review.
Using Windows 7’s Host Software Firewall
The native Windows Firewall of Windows 7 (Figure 10-3) is a sufficient security measure for many situations. Before rushing to replace this free security component, take the time to evaluate the benefits of this capable firewall option. The version of Windows Firewall in Windows 7 is available only in Windows 7 and is a host software firewall. However, it can be used in a variety of situations and network configurations for most home, SOHO, and mobile environments.
Windows Firewall in Windows 7 includes configuration profiles, so you can create custom firewall configuration settings for work, home, and public connections. This allows strict limitations in public, modest settings at work, and more options available when accessing from home (or whatever your preferences). The benefit is that, once configured, the firewall will adjust its settings based upon the network connection each time you’re connected to a known, previously accessed network.
Windows Firewall in Windows 7 creates a password-protected homegroup or work-group that allows file and printer sharing between systems authorized by a password. This is an improvement over previous versions of the Windows Firewall, which often encouraged users just to turn off the whole firewall rather than properly configure file and printer sharing access rules. In addition, this applies not just to Windows systems, but any devices or computers recognized as media sharing devices (such as an Xbox 360).
FIGURE 10-3
Windows 7’s Windows Firewall with Advanced Security configuration dialog box.
Other Windows Firewall improvements in the Windows 7 version include a more granular control and configuration management interface, more extensive logging, and extended ability to be managed from a command line (using the “netsh advfirewall firewall” command instead of the previous “netsh firewall” command).
While not revolutionary, and still lacking a few features such as being a true two-way personal firewall with program control, Windows Firewall for Windows 7 is a worthwhile host software firewall for most clients in most network situations. That said, you should still explore how this product fits your own computing environment and security needs.
Using a Linux Host Software Firewall
A Linux system can benefit from a host software firewall or can support a software firewall for a network. The first idea is simply to install a host software firewall for the benefit of the local user. This is the same idea as the Windows Firewall on client versions of Windows. A variety of open source and commercial host firewall options are available for Linux, including:
IPCop IPFire m0n0wall
pfSense SmoothWall (Figure 10-4)
FIGURE 10-4
SmoothWall, a Linux host software firewall.
If you selected Linux for its low cost of entry, then selecting an equally low-cost host software firewall is often an attractive option. However, paying for commercial host firewall products might offer a greater range of functions or services, along with better technical support.
Using a Linux software firewall as a replacement for a commercial firewall appliance can be a very cost-effective solution. Linux often can repurpose computer hardware that’s no longer sufficient to support larger, bulkier, more resource-intensive operating systems, such as Windows. Linux can often extend the useful lifetime of computer hardware by several years. A repurposed computer system running Linux is a great option for use as a software firewall host.
Managing the Firewall on an ISP Connection Device
In addition to the free or native OS firewall options, another simple and easy firewall that individuals and SOHOs can use is firewalls hosted by ISP connection devices, routers, or wireless access points.
Most ISP connection devices, including cable modems, DSL modems, satellite modems, and routers, include firewall features. A firewall feature may or may not be a fully functional firewall. It could be a basic filtering tool that blocks IP addresses, ports, or protocols using a simple blacklist technique.
An ISP connection device is any hardware connecting a local network—or even a single computer—to a telco’s carrier network to access the Internet. Common ISP connection devices include DSL modems and cable modems (remember that these are modems in name only; they are really routers). This definition can also include a wide range of other broadband devices, including routers, switches, and wireless access points, especially when required by the ISP to establish an Internet connection.
Most ISP connection devices use a Web interface. To initiate access to the management interface, point a Web browser to the IP address of the device. In most cases, the device’s IP address is the default gateway address, DHCP address, or possibly DNS address of the client’s interface directly connected to a physical port on the device.
TIP If the ISP connection device provides firewall services, obtain a copy of the original manufacturer’s user manual for the device. This documentation will provide the best initial information on accessing and configuring the device’s firewall.
Attempting to open the configuration interface is likely to result in a prompt for authentication credentials. The vendor’s user manual should indicate the device defaults for these. If not, search the Internet using keywords such as “default password” along with the device name, make, and model. If that fails, try username “admin” with a password of “admin” or “password.” It’s shocking how often these are correct.
Your ISP has likely chosen to lock down access to the connection device. This is sometimes done as a precaution against the uninitiated, who might cause increased technical support hassles. If you discover that your ISP connection device is locked down, try calling your ISP and asking them to grant you access (often by their revealing the credentials to log into the device).
If they refuse to offer this information, then you have four choices. First, you can accept their refusal as “just how it is” and employ some other device as a hardware firewall. Second, you can change ISPs or service providers to a carrier that will grant you access to configure the device. Third, you can try to replace the carrier’s device with one that you own and fully control. Fourth, you can seek out ISP and device-specific information on the Internet, which might include bypass or hacking details. However, be very cautious when choosing this last route; it’s often unproductive, is probably a violation of the ISP terms of service, is unethical, and may even be illegal.
NOTE Cable providers are generally less likely to allow you access into their connection device, while most DSL providers seem willing to grant at least partial access.
If you are unable to find a legitimate path to accessing the configuration interface of your ISP connection device, hacking the device should be your last and final option. Hacking an ISP-provided device will void your contract and could make you liable for the cost of the device plus fines and possible legal action. A more ethical solution would be to replace the device with one you own and control, or switch ISPs altogether.
If all else fails, add your own firewall between the ISP connection device and your first networked system. With this configuration, you are still gaining the benefit of an in-line firewall without violating any contracts or flirting with legal troubles. In most cases, you’ll want to supplement or disable an ISP connection device’s firewall anyway. Thus, if your ISP blocks access to it, just design your security as if the device offered no firewall protection to begin with.
NOTE Be careful about searching for Web sites that offer information on how to hack or bypass ISP equipment. Often the sites are booby trapped with malware to trap the unsuspecting visitor. In addition, some ISP equipment may be leased, not sold, and attempting to access internal features may violate the contract, if not the law.
Converting a Home Router into a Firewall Many home routers have sufficiently robust features that you can configure them to function as firewalls. To ensure ease of use (and minimize product returns), these devices are usually shipped with all security features turned off. Because “plug and play” results in immediate connectivity, many users never go back to configure their equipment for security. Thus, hackers and malware often are able to intrude easily into home networks. You can prevent that by understanding what is available in this class of products.
To access a home router, type into your browser the IP address of your gateway. To determine that on a Windows machine, choose Start > Run, type Command, and at the C:\> prompt, type ipconfig. Most routers ship with a default address of 192.168.1.1. If you remember, 192.168.X.X is a non- routable range of IP addresses, which means that traffic inside that address range will not be shared with addresses outside that range.
Once logged in, consider changing a number of settings (Figure 10-5). First, if the router is a wireless device, change the service set identifier (SSID) from the default setting. You do not want to be one of eight access points named “Linksys” in your neighborhood. Why is this important? Most PCs will grab the strongest wireless signal from a known SSID. If you have standard SSIDs such as Linksys in your wireless access table, you may find yourself on a neighbor’s (or hacker’s) system someday without realizing it. Another good idea is to change the default IP address range to something else other than 192.168.1.X. This creates a custom range for your own network. If you hard-code your internal network range to something like 10.20.30.X, you’re less likely to stumble into that situation.
FIGURE 10-5
The initial configuration screen on a Cisco Linksys wireless router.
Most routers enable Dynamic Host Configuration Protocol (DHCP) by default. You could lock down your network by either hard-coding IP addresses into each authorized machine (and turning off DHCP) or setting a strict upper limit on the number of devices permitted to have DHCP leases (most default settings are 100). If you have five devices, limit the number of connections to five. (Don’t forget about the Xbox 360 or PS3—they need IP addresses too!)
NOTE Don’t forget to change the default administrator password of your device.
For firewall settings, most routers will have a configuration page to block services or control port access. Determine what ports you need to access the Internet, and then block all of the rest. Note this setting restricts outbound traffic. So why block it if it originates from within? Malware, zombies, bots, and other hostile applications usually have to connect to the outside to do their damage. If you accidentally download dangerous malware onto your laptop at your favorite coffee bar, and then connect to your home or office network behind the firewall, that malware may have access to all of your peer systems. However, if you are blocking all nonessential outbound traffic, then most malware
won’t be able to exfiltrate your sensitive information or ask for evil instructions. Only those applications that use a common port (like 80) will be able to get through.
Which outbound ports should you block? First, consult your policy, or determine what programs you are using. For the most part, you’ll want to allow the following outbound ports to be open at all times:
Port 25—SMTP (outbound mail) Port 53—DNS Port 80—HTTP Port 110—POP (initiate request for inbound mail) Port 443—HTTPS Ports 465 and 995—SMTP and POP (if you’re using Gmail) Port 1024–1035—DCOM ports for downloading files (increase number of ports based on number of systems protected; 10 is usually sufficient for a home network)
Beyond port 1035, you may not need to allow outbound traffic, unless you are using cPanel to access an externally hosted Web site on port 2083, or port 11371 if you’re looking up PGP keys. By blocking all other high ports, you’ll also quickly hear from people who may have been using some of these ports, which are dedicated to gaming software. At home, you might want to allow (or set time limits); at work, you probably want to block these ports.
In general, you should not accept any connections that originate from outside your firewall. Your policy may permit exceptions, such as remote access tools, so be careful about blocking everything. Some home firewalls don’t provide a direct way to block specific incoming ports, but most allow you to do port forwarding. A clever way to use this to thwart external attacks is to forward to a nonexistent port. So, for example, if your local network range goes from 10.20.30.40 to 10.20.30.49, you might forward incoming connection requests to port 10.20.30.99—where no one is listening! Ports you might consider forwarding are:
Ports 20 and 21—FTP-data and FTP. Prevent external connections from downloading your files.
Port 23—Telnet. Prevent external connections from insecurely logging into your internal systems.
Port 53—DNS. Prevent external entities from poisoning your DNS cache. Port 80—HTTP (unless you are running a Web server from behind your firewall, which is a bad idea).
Ports 81 and 82—Often used as “overflow” for port 80. No valid use, so block them. Ports 137, 138, 139—NetBIOS. Often exploited by malware, this provides access into Windows systems.
Port 443—HTTPS (unless you are running a secure Web server from behind your firewall, which is still a bad idea).
Port 445—NetBIOS for Windows 2000 and later. Port 3074—Xbox game port. Don’t allow strangers to connect to your Xbox while you’re away. Remember—it “lives” on your internal network.
An excellent way to test your configuration is to go to Steve Gibson’s http://www.grc.com Web site and run his free ShieldsUP! port scanning tool (Figure 10-6). Most people end up scoring poorly. If you can achieve 100 percent stealth, you’ve done a great job.
FIGURE 10-6
ShieldsUP! port scan result confirming a well-configured set of home router firewall rules.
FYI A commercial product is simply one that’s for sale rather than given away without cost. Commercial is not necessarily the antonym of open source or a synonym of closed source. Additionally, commercial is not necessarily the opposite of free.
An open-source product is one where the source code can be obtained and viewed by anyone. A closed-source product has its source code protected so that the public cannot view it. A
commercial product can be either open-source or closed-source. However, most commercial software is closed-source. This is viewed as a means to protect intellectual property and allow the vendor to continue to charge for the product. Free can mean both no price or having liberty. Free software can have no cost, which makes it non-commercial. Free software can also be commercial software that grants liberties to its users.
For further discussion on free software, please visit GNU organization’s site at www.gnu.org.
Commercial Software Network Firewalls
Commercial software network firewalls install onto your own hardware and provide network-level security services. Some commercial software network firewalls install on top of existing operating systems, such as Windows. Others are complete OS replacements, many of which are Linux-based.
As with any firewall selection, know your environment and understand your security needs before shopping for a firewall solution. It’s bad security to purchase a product because it’s on sale, is prominently advertised, or is recommended by a salesperson (or even an author). Instead, match your security needs with the product that best suits, fulfills, or satisfies those needs.
Open-Source Software Network Firewalls
An open-source software network firewall is a product that is usually available at no monetary cost and whose source code is available for review. An open-source solution often can be a cost-effective option. However, just because a product is free does not ensure its reliability or trustworthiness. Additionally, being able to review the source code doesn’t warrant the reliability of a product.
You should thoroughly review and test every security product, including firewalls, before purchase and deployment. Seek out a product that meets your specific organizational security needs, rather than selecting something just because it’s open source or free of charge.
Appliance Firewalls
Appliance firewalls, whether called device or hardware firewalls, are common and nearly essential elements of every moderate to large network infrastructure. A hardware firewall is a dedicated hardware device that has been specifically built and hardened to support the functions of the firewall software running on it. A hardware firewall is also known as an appliance firewall.
A hardware firewall does not require any additional hardware or software for its deployment. All it needs is network connections and a power connection. A hardware firewall has dedicated hardware resources not shared with any other service. A hardware firewall can protect a single
system or an entire network. A hardware firewall can filter only traffic that reaches the network interfaces of its appliance.
However, you can position a hardware firewall on a network at a chokepoint or gateway to analyze and filter all traffic.
Firewalls, specifically hardware appliance firewalls, typically have two or more network interfaces. A firewall with two interfaces is known as a dual-homed firewall, while a firewall with three interfaces is known as a triple-homed firewall or a three-legged firewall.
The benefit of multiple interfaces is that the segments, subnets, or networks connected to each firewall interface are electronically isolated from each other. This prevents unfiltered traffic from leaping from one segment to another in an attempt to bypass firewall filtering.
However, for firewalls using multiple interfaces, ensure that you disable the TCP/IP protocol feature IP forwarding. IP forwarding is actually a router rule that allows traffic from one interface to traverse to another interface without needing to move any further up the protocol stack than where IP resides. In many cases, IP forwarding allows packets to bypass filtering. If you’re using the system as a firewall, be sure to disable this feature.
A personal hardware firewall can be part of an integrated firewall product, such as a wireless access point or a cable/DSL modem. Another variation of the personal hardware firewall is the repurposing of a client or server computer into a home-crafted, open-source firewall. One example of this is SmoothWall, a hardened bootable Linux-based firewall.
A commercial hardware firewall usually handles the complexity of larger organizational networks. A commercial hardware firewall is often very expensive—$10,000 or more is not uncommon.
The personal and commercial variants of software and hardware firewalls might include different add-ons or enhancements than their commercial equivalents. These add-ons or enhancements include antivirus, password management, registry protection, driver protection, VPN gateways, remote access support, IDS, IPS, spam filtering, and more. Usually, these add-ons make the firewall products more attractive to the potential individual buyer. However, most commercial entities would generally avoid integrated firewall solutions in favor of dedicated products to handle the distinct security or management functions. An integrated device might offer easier administration, but it represents a single point of failure for multiple services. Additionally, such devices are more difficult to troubleshoot due to the complexity of the communications supported.
A variety of manufacturers and vendors make and service appliance firewalls. The specific products in this category change constantly, so including a list of exact make and models would be outdated within months. (Remember the “use by” date on that carton of milk?) Instead, to find the best products available for either SOHO or enterprise-sized environments, visit the vendor’s technical review sites for updated product discussions, blogs and discussion forums, and buyer’s guides. Some of the major vendors/brands to consider include:
Barracuda Cisco D-Link Fortinet
Juniper Networks Linksys (now owned by Cisco) NetGear SonicWALL WatchGuard ZyXEL
When selecting a hardware or appliance firewall, keep a few important points in mind. Commonsense or basic concerns include ease of use, secured management interfaces, port filtering support, stateful inspection filtering, and the ability to be firmware/software upgraded.
Never skimp on throughput. Firewalls often represent bottlenecks to network bandwidth and thus should be selected to maintain wirespeed. Be sure a hardware firewall can more than handle the current network speeds and allow for future growth. If you are currently pushing a 1 Gbps network, consider a firewall capable of filtering at 2.5 Gbps wirespeed or higher.
For larger networks, centralized and remote management options are often essential. If firewall management requires direct physical contact or if you can configure only a single firewall at a time, you may find these significant hindrances to managing very large networks. An important part of a realistic firewall solution for enterprise networks can be multiple device management, including simultaneous configuration synchronization features.
Consider whether add-ons, upgrades, or extras are available and whether that’s important to your decision. Some firewall devices convert to firewall-plus devices or true multifunctional devices. Additional features may include e-mail scanning, message quarantine, attachment stripping, virus scanning, mobile code filtering, anti-spyware, intrusion detection system (IDS) and intrusion prevention system (IPS) features, spam filtering, compliance monitoring, and network access control. Products that support expansion or firewall additions are known as unified threat management tools or may fall under the heading of advanced intrusion detection and prevention systems.
Whatever the options presented by a vendor, always consider them in light of your actual current and future network needs. Just because a product is expensive does not guarantee it will work better than a free, build-it-yourself alternative.
Virtual Firewalls
The term “virtual firewall” describes a variety of firewall and firewall-like concepts. This can include virtualized software firewalls that provide filtering services for a standard physical network as well as firewalls running between virtualized client and server operating systems. In theory, the use of a software firewall as a replacement for a network appliance could work as long as the host OSs network communication is routed through the virtual firewall before leaving the host’s network interface controller (NIC).
This is a relatively new and growing area for firewall deployment. Virtualization offers numerous benefits over a traditional single OS to a single hardware box deployment. Virtualization allows for rapid development, quick prototyping, isolation, traffic management, quick recoveries, testing, and so
on. By virtualizing firewalls along with operating systems, you can craft new network architectures that do not or could not exist in the traditional network architectural concepts.
For example, with a virtualized firewall, you could route every communication between every virtualized OS through the filtering services. This would be the equivalent of deploying an appliance firewall between every system, but without the hassle, expense, or complexity.
Virtual firewalls are not a panacea. Virtual firewalls will not be useful in every situation, but they are an interesting new option for deployment to monitor, manage, and filter network traffic over traditional or virtualized network segments.
Simple Firewall Techniques
A few mundane concerns affect every firewall user when employing a firewall of any type. In most cases, these issues are common sense or at least well known, but they are often overlooked, forgotten, or discounted. For this reason, they are included here.
After writing a firewall security policy, obtaining approval, and obtaining the firewall to install, the first step in deploying a new firewall is to change the default password of the administrator account. Better yet, modify every pre-defined user account and every default access code of any type. Use something unique, original, and difficult to predict.
Testing is essential. No change or alteration of configuration is so minuscule that testing is inappropriate. Every change should trigger a test to confirm that the change took effect and caused no unintended consequences.
Many firewall appliances can be quickly reset to factory defaults with the simple press of a button. Some devices have a reset button prominently located and labeled so that anyone with a finger can casually revert to default status. However, such an obvious button has disadvantages, such as accidental or innocent hand movements.
Fortunately, a growing number of devices that still offer button-based reset options have receded the button behind a tiny pinhole. A straightened paper clip (or an expensive tiny screwdriver) depresses the reset button. Often, a single quick press is insufficient to reset the device; a series of presses or a prolonged 10- or 30-second depress may be necessary to trigger a reset. This feature makes accidental depression impossible but also makes intentional resetting a bit of a challenge. Be sure to consult the user manual for instructions that may not be obvious or intuitive.
Keep a printed or written copy of all rule sets and settings on hand. Periodically, verify manually that all settings remain as you want them. This is done by viewing the configuration or management interfaces and comparing the live settings to those defined in your documentation. Whenever you discover a discrepancy, investigate and repair it at once.
Finally, regularly visit the vendor’s Web site and discussion forums (including non-vendor- supported ones) for news and information about your firewall product. Keep current with announcements of updates, problems with updates, newly discovered holes or exploits, alternative configuration ideas, troubleshooting options, and more.
CHAPTER SUMMARY Firewalls are useful in many different situations. Every network infrastructure can benefit from proper use of a firewall. When making a choice about what firewall to deploy, consider a breadth of options, including the needs of both small and large network environments, host software firewalls, native OS firewalls, third-party
OS firewall alternatives, ISP connection device firewalls, commercial firewall options, open-source firewalls, hardware firewalls, and virtual firewalls.
KEY CONCEPTS AND TERMS Active threat Cookie filter Native firewall Passive threat Pop-up blocker
CHAPTER 10 ASSESSMENT
1. What types of Internet threats are considered passive, in the sense that the user must seek them out to be harmed? (Select all that apply.) A. Malicious Web sites B. Worms C. Downloaded content D. Spam E. Trojan horse
2. Average home users and workers at a large corporation can both benefit from which of the following: A. Open-source hardware firewall B. Gateway server firewall C. Commercial appliance firewall D. Host firewall
E. Proprietary device firewall
3. In what locations is a home or SOHO user likely to find a firewall by default? (Select two.) A. A self-installed software firewall B. Hosted by the operating system C. A build-it yourself appliance firewall D. Hosted by the ISP connection device E. A commercial firewall device
4. Windows operating systems are the only operating systems that include a native or default host firewall. A. True B. False
5. What is the maximum number of host software firewalls that should be operating on a single computer at any point in time? A. One B. Two C. Three D. Four E. None
6. Firewalls are designed to provide protection for both ________ and ________ communications.
7. An organization should consider purchasing last year’s model firewall instead of this year if they receive a significant discount. A. True B. False
8. When considering the deployment of a firewall, which of the following should be considered? (Select all that apply.) A. Commercial firewalls B. Legacy firewalls C. Open-source firewalls D. Beta firewalls E. Do-it-yourself (DIY) firewalls
9. Windows Firewall for Windows 7 includes an easy-to-configure new feature that allows file and printer sharing between systems authorized by a password. This feature no longer encourages users to just turn off the whole firewall rather than figure out how to properly configure file and printer sharing access rules. What is this feature called?
A. Internet Connection Sharing B. Quick config C. Homegroup D. Shared computing E. Microsoft Easy Access Firewall
10. What is the command line tool used to configure Windows Firewall for Windows 7? A. route firewall B. netsh advfirewall firewall C. new use firewall D. firewall config E. netsh firewall
11. Using a Linux software firewall as a replacement for a commercial firewall appliance can be a very cost-effective solution. Linux often can repurpose computer hardware that is no longer sufficient to support larger, bulkier, more resource-intensive operating systems. A. True B. False
12. The firewall configuration on an ISP connection device is most commonly accessed through what type of management interface? A. SMTP B. HTTP/HTTPS C. SSH D. FTP E. RSH
13. If your ISP refuses to grant access to configure their connection device, what legal options are available to you as alternatives? (Select all that apply.) A. Live without configuring it. B. Hack into it. C. Deploy your own hardware firewall alternative. D. Purchase your own connection device. E. Change ISPs.
14. What is the command line utility used to display the IP configuration of your Windows computer? A. ifconfig B. net use network C. netconfig
D. ipconfig E. netstat
15. When configuring a wireless access point to provide firewall services, which of the following are important configuration actions to take? (Select all that apply.) A. Change the default administrator password. B. Block unwanted ports. C. Change the SSID. D. Turn off SSID broadcasting. E. Change the default IP address range.
16. In general, you should not accept any connections that originate from ________ your firewall.
17. If your home firewall device is unable to block ports, use ________ instead to route data to nonexistent hosts.
18. It is best to pick a firewall based on: A. Actual network security needs B. Recommendations of a salesperson C. The list of awards given the product D. The price E. Prominent advertisement
19. Appliance firewalls are only and always commercial firewalls. A. True B. False
20. When selecting a firewall, especially a hardware firewall, never skimp on ________.
CHAPTER
11 VPN Management
VIRTUAL PRIVATE NETWORK (VPN) MANAGEMENT is a critical component in your organization’s computer security. VPNs extend the internal network beyond the perimeter secured by firewalls and other security technologies. Proper management of a VPN requires an understanding not only of VPN technologies, but also the business requirements driving VPN implementation.
Using the wrong type of VPN or a VPN that doesn’t meet your organization’s requirements can create security problems where none previously existed. Before selecting a VPN product or technology for your organization, create a detailed requirements document. This should factor in not only the security requirements for the VPN, but business requirements as well. Although security is important, keep in mind that security exists to support your organization’s goals, not the other way around.
As soon as you have a set of prioritized requirements, start looking for a solution that meets as many of these requirements as possible. You may not be able to find a single product that meets all requirements. When that occurs, choose the solution that best fits the highest priority requirements. In some cases, using multiple solutions to meet all the requirements may be the right solution.
Good research is crucial to selecting the appropriate VPN. Don’t rely solely on Web sites, technical magazine reviews, or an attractive sales pitch. Depending on your requirements, you may want to explore robust public domain solutions rather than an off-the-shelf commercial product.
Keep in mind that VPNs are a security technology, but they may also degrade your security perimeter. Putting a VPN in place is just the beginning of the project; you’ll need to address a number of additional factors for a successful VPN deployment.
Chapter 11 Topics
This chapter covers the following topics and concepts:
What VPN management best practices are
How to develop a VPN policy
How to develop a VPN deployment plan
What common VPN threats and exploits are
What the tradeoffs are between commercial and open source VPNs
What the differences are between personal VPNs and network VPNs
How to balance anonymity and privacy
How to protect VPN security to support availability
What the importance of VPN user training is
How to troubleshoot VPN issues
Chapter 11 Goals
When you complete this chapter, you will be able to:
Describe VPN best practices
Write a VPN policy
Describe the issues involved with deployment, placement, and implementation of a VPN
Appraise the threats and attacks against VPNs
Contrast the needs and features of personal and enterprise or network VPNs
Compare anonymity and privacy
Compose an introductory VPN training program for users
Formulate a procedure for troubleshooting VPNs
VPN Management Best Practices
First, familiarize yourself with the recommendations, guidelines, and procedures that will allow you to manage your VPN securely, efficiently, and as cost effectively as possible. These techniques and recommendations are known collectively as “best practices” and are generally developed and published or shared by experts in the field. VPNs have been around since the late 1990s. That means a significant amount of real world experience is available in the industry for your reference.
A best practice is generally not a tool, but rather the collected wisdom of fellow security practitioners sharing what they have learned. One of the great things about working in the information security field is that numerous experts are generally willing to share their experience. Be warned, however: Security experts tend to have very strong opinions, so any time you are reviewing a best practice, be sure to keep the needs and requirements of your own environment in mind. A process that works great in a 25,000-employee global manufacturing company may not work nearly as well in a 50-employee medical records processing company.
That said, you might well be able to adapt a process from another company to fit your
environment. The key to getting the most out of best practices is to consider them with your specific environment and requirements in mind. Keep what works, modify what you can adapt, and ignore what doesn’t make sense. After some time in the business, you will be the person other people come to for advice.
Provide redundancy, because everything, including VPNs, can break. If your organization will be relying on your VPN for remote access, encrypting and securing data, or providing a business partner access to your extranet, you will find out quickly how critical your VPN is on the day it breaks. Most commercial VPN products offer a failover or load-balancing capability so that in the event one device fails, the other will pick up the traffic.
Often, VPNs are provided via a cloud implementation. In this case, be sure that a level of redundancy is built in and that the redundancy is clearly spelled out, and guaranteed, in the contract or service level agreement (SLA), as it will otherwise be out of your direct control. The good news about anything implemented as a cloud application is that someone else takes responsibility for the exact implementation. This is also the bad news, especially for security practitioners.
Alternatively, keep a spare VPN product on your shelf, configured and ready to go live in the event of a failure. Generally, waiting for tech support or ordering a spare part can take more time than your organization is willing to wait for restored service. You’ll learn more on this later in the chapter.
Choosing the right VPN product is critical to the long-term success of your VPN deployment. Take your time, document your requirements, carefully evaluate the capabilities of each VPN product you review, check with peers if available, and review appropriate industry literature. A security magazine review of VPN products is a valuable tool for starting your search—or even narrowing the field once you have your requirements documented—but don’t select your solution solely based on who won last year’s Editor’s Choice award from your favorite industry magazine. While the editors and reviewers at most industry magazines, Web sites, and blogs are technically capable and spend a lot of time looking at products, they don’t have to support the product in your environment. Ultimately, you will be responsible for meeting your organization’s requirements and maintaining support.
Beware the vendor with the slick PowerPoint presentation offering a free lunch. Avoid purchasing products based on promises rather than proven capabilities. Slideware, also sometimes known as vaporware, is any product that appears in a vendor’s PowerPoint presentation, but is not yet available for sale. When possible, road-test a product in your environment before purchasing. It’s always a good idea to see what a product can do firsthand.
Finally, when looking for a product, consider using resellers and consultants. A good reseller can do some of the legwork for you by narrowing the search to a smaller pool of products. While some resellers work much like a standard department store, selling whatever is on the shelves, many will go the extra mile to ensure you get a product that will work in your environment. This saves them the challenge of trying to support a poor product after they’ve sold it, and if you like the solution, they have the opportunity to sell you additional products in the future.
A VPN policy (often referred to as a remote access policy) documents your organization’s rules for using the VPN. You will read about creating a VPN policy at length later in this chapter. Recognize, however, that proper policy framework is a key best practice when dealing with security technologies, especially those offering remote access to your computing environment.
The client is a critical component of your VPN solution. For the most part, VPN technology is
both mature and secure. VPNs are subject to denial of service (DoS) attacks, but VPN servers are rarely hacked. Nevertheless, VPNs remain a viable vector for someone who wants to attack your network. The target of these attacks is typically the weakest link of the VPN chain—the client. A typical VPN client runs an operating system that needs to be patched at least once a month, runs applications that may need to be patched almost as often, and is vulnerable to viruses, spyware, and other attacks. Be sure to install antivirus software, anti-malware software, and a software firewall on every client that will be connecting to your network through the VPN.
Split tunneling is a configuration setting that allows simultaneous access to both an untrustworthy network (like a home network) and a secured VPN network connection. This may not sound like a bad idea at first—after all, why wouldn’t you want someone connected to the VPN to access the Internet or their home network (or another network) at the same time? The reason split tunneling is a bad idea is that it potentially opens a door into your network that you can’t control. This is known as hairpinning, because malicious code can enter from the non-secure network, make a hairpin (or sharp) turn, and enter your secure network with little or no trouble because it is entering from a secure and verified endpoint.
If the client machine is compromised by a virus that permits remote control of the system by an attacker, and that client machine connects to the VPN, the attacker will have access to your internal network from anywhere on the Internet. If you prohibit split tunneling, however, then even if the attacker can compromise the client, the external connections terminate as soon as the VPN connects, ensuring your network is secure (even if the client is not).
If it doesn’t belong to the company, it shouldn’t connect to the company’s network. One of the challenges of working with remote access VPNs is making sure that the client at the other end of the connection is secure. Remote access VPNs permit access to a secure network from a remote location across an untrustworthy network. If the client system is not secure, you run the risk of compromising your secure network.
Fortunately, you have some control over your organization’s computers. You can require antivirus, anti-malware, IDSs, and firewall software on any computers your company owns. With systems not owned by the organization, you cannot require anything. As a result, if you don’t prohibit non- company systems from connecting to the network, you cannot control whether those systems are secure, meaning you can’t ensure that your network remains secure. It’s very easy for an end user to load a VPN client on a home PC and connect to your network. While some VPN solutions offer techniques to prevent uncontrolled systems from successfully connecting, it’s important that you lay the groundwork by prohibiting the practice.
This is a problem that must be dealt with if the organization has a Bring Your Own Device (BYOD) policy and a virtual private network. How should BYO devices be admitted to the VPN, and what are the policy and technical guidelines for connection? How much security is the organization willing to give up to gain the financial and operational benefits of BYOD? In many cases, cloud- based providers will offer support for a wider variety of client OS types and versions than a traditional VPN product. Maybe it is time to consider a cloud-based solution. These are all factors your organization must take into account when considering your VPN and the security, or insecurity, of your information.
Effective vulnerability management can help manage your remote clients. These are the technology and business processes used to identify, track, and mitigate known weaknesses on hosts or
applications within a computing environment. Remember, everything is vulnerable to attack. UNIX, Windows, routers, network printers, and
even your VPN solution will have vulnerabilities. Examples of vulnerabilities include software coding errors, improper configurations, and poor password choices. The danger with a VPN is that it expands your network from systems you can closely control to include systems in a home office, a branch office, a hotel, a Starbucks, or even a business partner’s network.
Vulnerability management is a combination of tools and processes that allow you to reduce risk in your computing environment, including VPN-connected systems and networks. Use tools that periodically test your environment, including the VPN systems, for missing patches, configuration issues, known exploits, and other vulnerabilities. This will ensure that your remote systems as well as your local systems are secure. Scan often and address issues when you find them.
technical TIP When addressing vulnerabilities in your environment, be efficient. If you are using a tool that ranks vulnerabilities from Level 1 to Level 5, where Level 1 is informational and Level 5 is critical, you might be tempted to address the Level 5s first, and then come back and address Level 4s next, then Level 3s, and so on. But this would be similar to having a keyboard with several broken keys. You wouldn’t fix the “E” key first, then come back later to fix the “U” key because it’s less critical—you’d fix them all at once. Take a similar approach with vulnerabilities. Determine what level of vulnerabilities you want to address in your environment (all Level 3 and above, for example), then tackle them, system by system. While this approach may leave some Level 5s in the environment a little longer, it will take a lot less time to secure the entire environment, since you will not need to touch the systems multiple times.
Your VPN is only as secure as your authentication method. One of the easiest ways to compromise a VPN is by compromising the authentication credentials. All it takes is one user with a password of “password” to open a direct connection to your network. A best practice is to use two-factor authentication for VPN access. This is a method of proving identity using two different authentication factors. Authentication factors are something you know, something you have, or something you are. Examples include a smart card (something you have) with a PIN (something you know); a biometric device (something you are) coupled with a password (something you know); or a proximity card (something you have) that activates a fingerprint reader (something you are).
If you fail to plan, you plan to fail. Document your implementation plan! You can’t simply find an open rack in the data center, run a cable, plug in a device, and keep your fingers crossed that it will work. Document your implementation and support plans. You’ll learn more on this later in the chapter.
Monitoring the availability of the VPN can be a lifesaver. The typical (and worst) method to discover issues with your VPN is when users start calling for help. This can be particularly
challenging when the callers include members of your organization’s senior management team. A corollary of Murphy’s Law may be, “The likelihood that a senior management team member will be trying to access the network over the VPN is directly proportional to the likelihood that the VPN will fail.” It’s far better to alert senior management to temporary problems than to be informed by them that something isn’t working. Since VPNs are network components, you can generally use the same monitoring equipment that you use to monitor routers, switches, and other network gear.
NOTE Vendors can be very helpful when your equipment is down. Many technical and information security professionals believe they can fix anything, and sometimes they will work on a problem for long hours before finally reaching out to tech support. While tech support can be problematic, especially when wading through the first level of support, the vendor can be invaluable when the problem is in the VPN equipment or software.
Once you have your VPN deployed, regularly review usage. If you notice there are employees who don’t use the VPN, you may want to remove their access. If you see employees who have multiple concurrent connections, you may have a security issue, and should investigate further.
Back up your VPN configuration regularly. This is a good practice for any network equipment, but in the event your VPN hardware fails and needs replacement, you’ll want to be able to restore your last known working configuration quickly. Rebuilding a VPN configuration from the default settings can be a long and challenging task— not to mention making post-incident review meetings an unpleasant experience.
Patch regularly. Vendors typically release patches and updates to VPN code throughout the life of the product. These patches address security issues, fix bugs, or provide additional functionality. In an ideal environment, you will have a development VPN that you can use to test patches and updates. In most environments, however, you will not have the luxury of a development VPN and will have to test when you implement in production. In either circumstance, work closely with your vendor to make sure you receive prompt notice of patches and updates, and establish an operational process and maintenance window to apply patches and updates in a timely fashion.
Your VPN solution may end up being a critical component of the organization’s business continuity planning and disaster recovery planning. In the event of an incident that prevents employees from getting to their work location, a VPN that provides work-from-home support is a key component of many recovery plans. Events such as earthquakes, snowstorms, tornadoes, floods, and other natural disasters can make working remotely a viable alternative to standard operations.
This collection of VPN management best practices is meant to serve as the starting point for your successful VPN deployment. It’s not meant to be comprehensive, but instead to offer some common practices and processes to help you with your VPN deployment. Depending on your VPN solution, your environment, your business requirements, and your experiences, you may find that you will use every one of these—or use only a few. The key is to ensure that you are doing what works in your environment. If you need help, don’t be afraid to reach out to your peers for advice and suggestions. You will find, over time, that you will develop your own set of best practices as you gain more
experience as a security practitioner, and soon others may be asking you for advice.
Developing a VPN Policy
If you are implementing or supporting a VPN solution, use a VPN policy to ensure your users understand the requirements for computing on the VPN. A VPN policy is sometimes called a remote access policy, a term used when dial-up lines and modems were the primary means to access the network remotely. Keep in mind that a VPN policy should be a part of your overall policy framework, and not a standalone. If you try to develop your VPN policy in isolation from the overall policy framework, you may find that you are duplicating information, or potentially writing VPN policy that conflicts with other aspects of your overall policy framework. For example, if you put a requirement in your VPN policy that user passwords must be 10 characters long and the password policy says they have to be eight characters long, you will confuse end users.
The components of a solid VPN policy include:
Introduction—State the policy by name and tell how it fits into the organization’s policy framework.
Purpose—Describe the issues the policy addresses and how the policy should be used. Include references to any applicable governance, risk, or compliance issues, as well as any specific legal or regulatory requirements supported by the document.
Scope/binding nature statement—Describe the systems, networks, or people covered by the policy. Describe penalties associated with not following the policy. The phrase “disciplinary action up to and including termination” is common in security policies.
Definitions/acronyms—Define technical terms or acronyms used in the policy. Document—Include the document creator, creation date, version, document status (for example, draft, template, policy, and guidelines), as well as any version tracking information.
Policy—This is the actual policy language. Be very clear in this section, leaving as little open to interpretation as possible.
Optional elements Summary—If your policy is very long, you may want to summarize it in a bulleted list at either the beginning or end of the policy. This provides employees a quick method to check for policy statements.
Roles and responsibilities—If your document is lengthy, or you need to document who does what under the policy, include roles and responsibilities. For example, a policy dealing with infrastructure might include roles for the system manager, system architect, end user, developer, or other key people within the organization.
Some specific topics to include in your VPN policy are:
Restrict remote access to the organization’s VPN solution.
Prohibit split tunneling. Define what classes of employee can access the network by VPN. This could include regular employees, vendors, contractors, and temps, or it could be restricted to only home office workers, depending on business requirements.
Define what types of VPN connections will be permitted. Define authentication methods permitted. Prohibit sharing of VPN credentials. List the configuration requirements for remote hosts, including current virus protection, anti- malware, host-based intrusion detection system (HIDS), and a personal firewall. Some VPN solutions include the ability to check for these types of configurations.
Prohibit the use of non-company equipment or, if personal systems may connect to the VPN, define the minimum standards for those connections.
Define required encryption levels for VPN connections. If you will be using your VPN for network-to-network connections, define the approval process and criteria for establishing a network-to-network connection.
Have your policy reviewed and approved by your communications, legal, and human resources departments before release. Document the appropriate approvals in the document status portion of the policy, then communicate the policy to your employees. Posting the policy to an information security or security policy intranet Web site is a common practice. Once it’s available on the intranet, you can use standard communications methods to make employees aware of the policy requirements. These methods can include e-mail, a structured awareness program, inclusion in new-hire training, or even
FYI Before selecting and purchasing a VPN solution, consider a number of factors. One that is too frequently ignored is the budget for the solution. Carefully consider your criteria and evaluate your options, always keeping in mind that you need to live within your budget. When budgeting, be sure to look at not only acquisition costs, but also the ongoing support and maintenance costs for at least the first three years.
Web-based or in-person policy training. The method you select will be based on your organization’s size, locations, and requirements. They key with any type of awareness training is to structure your communications to the correct audience. A group of engineers will require a very different introduction to a technical policy than a sales team might.
These are just some of the factors in developing a VPN policy for your organization. While they should form the basis for the development of your organization’s policy, be sure to cover all applicable requirements. One sure way to alienate your employees is to release a policy that makes
no sense to them or that you have to revise too soon to cover things you didn’t think of the first time through. Take your time, consider all the requirements, and you will end up with a usable VPN policy.
Developing a VPN Deployment Plan
Now that you have an understanding of best practices and VPN policy, you’ll look at how to select, place, and use a VPN.
Consider these criteria during your search:
What types of VPN connections does the solution support (user access, site-to-site, or both)? What encryption protocols are supported? How many VPN connections are supported? How well does the VPN perform compared with a high-speed network? How well does the VPN interoperate with your existing network infrastructure? What are the support options available from the vendor? How easy or difficult is the VPN to set up? What are the management capabilities available with the VPN? What additional features does the VPN offer? Does the VPN support failover or high availability configurations? How scalable is the VPN?
Once you have gathered this information, you can start to narrow your selection based on how well these features meet your criteria.
Next, consider where you will deploy the VPN on your network. Three common architectures typically accompany VPN solution deployments.
Bypass Deployment A bypass architecture (Figure 11-1) deploys the VPN so that traffic to the VPN and from the VPN to the internal network is not firewalled in any way.
This was a common architecture when VPNs were first introduced to the market. The logic behind this deployment architecture is that the since the VPN will accept only encrypted connections on a specific port, the security is adequate without additional firewalling. An additional consideration is that since the traffic is encrypted, it doesn’t require additional protection. Even if you did place a firewall on the Internet-facing VPN connection, the firewall would not be able to analyze the encrypted VPN traffic. This architecture also considers anyone connected to the VPN as a trusted host. Finally, passing traffic across a firewall always causes concerns about performance impacts, and justifiably so.
Two significant issues arise with this implementation model. First, VPNs are like any network device—they can have a variety of vulnerabilities. As a result, they are still vulnerable to an attack
against the device itself. The second issue is that the uses for VPN have expanded greatly since the technology first appeared, and it’s not uncommon in today’s environment to leverage a VPN to provide untrustworthy hosts access to portions of the network. These could be customers accessing an order management portal, vendors supporting systems on the internal network, or suppliers who are transferring invoices to your internal systems. While some controls (usually routing table–related) are available in most VPN solutions, terminating a VPN directly on your internal network is a very dangerous practice. As a result, the circumstances where a bypass VPN architecture is still a viable solution are limited, unless your risk tolerance is pretty high.
FIGURE 11-1
A bypass VPN implementation.
FIGURE 11-2
An internally connected VPN.
Internally Connected Deployment An internally connected architecture (Figure 11-2) deploys the VPN so that traffic to the VPN and
from the VPN to the internal network is not firewalled in any way. An internally connected VPN architecture recognizes that the VPN is vulnerable to attack if
placed directly on the Internet, so it places the Internet-facing VPN connection behind a firewall. Selecting the appropriate firewall for this solution is critical to a successful implementation. The VPN then connects any remote users or site-to-site connections directly to the internal network.
While this is an improvement over the bypass architecture, it still doesn’t address the potential security issues associated with untrustworthy VPN connections. This architecture is not recommended, although it will work if the only hosts connecting are trusted hosts.
DMZ-Based Implementation A demilitarized zone (DMZ)–based implementation (Figure 11-3) addresses the main shortcomings of the previous two architectures.
This architecture features a firewall in front of the VPN to protect it from Internet-based attacks, as well as a firewall behind to protect the internal network. The firewall on the inside can be configured to protect important infrastructure like finance department or research department servers, restrict business partners to only the systems to which they need access or even limit vendor access to only those systems that they support.
The largest negative in this design is the cost of deploying multiple firewalls for the implementation. However, many companies already have DMZs set up in this configuration, so it may be just a matter of leveraging the existing infrastructure for your needs.
After selecting the ideal VPN and determining where you’re going to place it in your infrastructure, it’s time to work up your deployment plan.
Before you look at the components of a successful deployment plan, keep in mind that your environment is unique to your organization. Some elements you will read about won’t apply to your deployment. These are, rather, just some common elements found in most typical VPN deployment plans. Just as with the other topics discussed here, review these while thinking of the requirements of your organization.
To deploy your VPN successfully, you need to:
Plan the physical location of the VPN. This is commonly rack space in your data center. Ensure your selected location meets power and cooling requirements. Get information on power and cooling requirements from your VPN’s technical specifications.
NOTE You can use a project management application to plan your VPN rollout, or use something as simple as a word processing or spreadsheet application. The purpose of this plan is to allow you to structure your deployment more formally than a plan written on the back of a cocktail napkin.
FIGURE 11-3
A VPN implemented in a DMZ.
Plan your IP addressing for the external and internal network connections on the VPN, as well as a pool(s) of addresses assigned to clients when they connect to the VPN. Plan for peak usage when assigning these pools to the VPN. While an average number of users is an excellent use benchmark, peak use determines the maximum number of IP addresses to ensure that all users can connect. If this is a site-to-site connection, your IP addressing plan will not be as complex, but will still be important when setting up the tunnel.
If you are using firewalls as discussed in the previous section, plan the rules you’ll need on the firewalls to permit the VPN to work. Generally, IPSec VPNs will require UDP port 500 for the IKE packets and TCP port 443 for the IPSec traffic. SSL VPNs use port 443 exclusively. Most VPN rule sets permit ICMP packets from the Internet. If you are experiencing issues with the VPN, it’s frequently useful during troubleshooting to determine if the user can reach the VPN server using tools like ping or traceroute.
Configure the VPN server by setting up the IP address pools, assigning IP addresses to the interfaces, establishing your banner message, and disabling split tunneling. It’s also a good idea to have the vendor review your configuration before going live to ensure you haven’t missed anything in your planning. In some cases, you might even want to have the vendor install the VPN for you while you concentrate on client rollouts, policy communications, and other related tasks.
Set up the authentication mechanism. Ideally, this will be a token-based authentication solution, but it could also be RADIUS-based authentication or, in some smaller environments, user accounts set up on the VPN itself.
Follow your organization’s change management policies when deploying the VPN. If your organization doesn’t have a formal change management process, be sure to inform management
of your planning schedule to avoid surprises. The last thing you want is to bring the VPN online during the same weekend the accounting department is doing a major upgrade to your organization’s financial systems. If there’s a problem with their upgrade, you can count on at least one person blaming it on your VPN rollout.
Once the VPN is up and on the network, create a pilot group to test the deployment. Address any issues before you roll out to a larger user pool. Minimize any issues that employees might face with the new solution. The best way to doom a new solution is to deploy it with lots of problems. You may find some employees will have a low tolerance for issues.
Develop your operations manual, which will document the configuration, operations procedures, change planning processes, and change history.
Develop your user documentation. Include how to install the client (if a manual install is required), how to log on, whom to call for support, frequently asked questions, and any other information you think will make the user’s experience with the VPN easier.
Develop your support processes. Who gets the first call when there’s an issue? What is the escalation path if the issue can’t be resolved?
Communicate the rollout plan to management and affected employees. Let them know the timing, benefits of the new solution, and anything else that you believe will help you have a successful deployment.
Install the VPN client for any remote access users. If this is a site-to-site deployment, configure the tunnel connection.
Distribute authentication credentials, tokens, and so on. Train your users. Go live—and enjoy a successful VPN rollout.
You now should be able to select, plan, and successfully deploy a VPN for your organization.
VPN Threats and Exploits
Consider the threats and attacks against your VPN, and how to mitigate them. A VPN can be a critical component of your information security infrastructure. A properly implemented VPN addresses a number of common attacks against your infrastructure, including eavesdropping, man-in-the-middle, replay, and others. However, while your VPN can mitigate attacks, it also opens up an entirely new set of security issues.
Remember, VPNs are essentially network devices and subject to many of the same security issues you would find in a router or a switch. If you are running a software VPN, then your VPN can have many of the issues you find on your network’s servers.
A hardware VPN solution can suffer from a number of security vulnerabilities, including:
Weak default password Insecure default configuration or misconfiguration by the installer
One of the most common and easily exploited vulnerabilities on any hardware network device is the default password. Vendors set an initial password on their equipment. Usually, all it takes to discover this password is a quick search on the Internet. Often, it’s not even particularly hard to guess. Try the vendor name, “admin,” or “password,” and odds are good that you’ll be able to log on. It seems like a sensible mechanism—the vendor doesn’t want to distribute its equipment without a password, so it sets a standard password that’s easy for the installer to remember.
The potential problem occurs when the installer forgets to change that password. It’s not uncommon for an installer to leave the password in place for the duration of the installation. Typing in “admin” after each reboot is much easier than typing in “$$Th!s!sAS3cur3P@ssw0rd!!” every time you make a change requiring a reboot. The problem occurs when either the installer forgets to change the password when the work is done, or an attack occurs while the installer is in the middle of the installation.
Imagine the installer has a couple of additional settings to change, but it’s 6:00 p.m. on a Friday and he’s ready for the weekend. He decides to come in early Monday to finish up the configuration. So for the entire weekend, the VPN you’re counting on to provide secure access to your network is on the Internet with the password “admin.” The best way to address this type of vulnerability is through stringent system configuration procedures and strong awareness training for your support staff and contractors. Disciplinary action when an installer fails to follow the instructions is also remarkably effective at getting the message across.
The second common issue with hardware VPNs is a device that is installed in the default configuration. Very few network devices come out of the box in a fully secure configuration. For example, an important configuration setting is disabling split tunneling. A default VPN configuration might not disable that setting without modifying the configuration. If you are completing your first install, it’s very tempting to just change enough of the configuration to get the VPN up and running and stay away from any unfamiliar settings.
A related issue occurs when an inexperienced installer modifies the configuration without understanding the impact of the changes. For example, an installer with a limited understanding of encryption protocols might decide that using the DES algorithm for VPN encryption would be “good enough” and would improve performance over a higher encryption algorithm like 3DES. The installer probably read somewhere that the longer the key length used for encryption, the higher the impact on performance. This is often true, but longer key lengths usually mean more secure communications. Installer-induced security threats are some of the hardest to track down. Since they were caused by someone with a limited understanding of what he or she was doing, the installer’s ability to help you track down the issues is equally limited.
To mitigate the risk of these issues, make sure that you train your installer (or yourself) before installing the VPN. If you do not have the time or justification for training on the product, then engage a vendor or systems integrator to assist with the install or even complete it for you. Once the installation goes online, it pays to have an expert perform a vulnerability or penetration test against your VPN. It never hurts to have an expert check your work.
A software VPN solution can suffer from the following vulnerabilities:
Operating system vulnerabilities
Operating system misconfiguration Application conflicts Instability Viruses and malware
While software VPN solutions are not typical in corporate environments, they are not uncommon in smaller organizations, academic environments, and other areas where a hardware VPN does not meet the business requirements. The main threats to software VPN solutions arise in the operating system. Operating systems like UNIX or Microsoft Windows consist of highly complex coding. They are designed to support a number of business-related tasks, and are more highly complex than the operating systems found on hardware-based VPNs. As a result, the software-related threats can also be much more complex.
Operating systems contain millions of lines of software code, and as with anything written by people, they always contain mistakes. Those mistakes are what attackers seek to exploit when attacking an operating system. Exploits may include buffer overflows, privilege escalation, or any number of other issues. As a result, if you run your VPN on a general-purpose operating system, your VPN becomes susceptible to the same software vulnerabilities as your operating system. In addition, software VPNs have many more possible operating system configuration errors than hardware VPNs.
Some organizations run VPN software on a server that supports multiple applications. For example, the VPN server might also be a SQL server, a Web server, or a file server. If this is the case in your environment, be aware of potential vulnerabilities created by application conflicts. This could be a matter of two applications that contend for resources on the servers causing issues, but it could also be the chance that one of the applications opens a new vulnerability in the VPN software. Think about a VPN server that is also a Web server. If the Web server is configured incorrectly, you could expose VPN configuration files to an attacker through the Web server interface. In that case, you could configure your VPN server securely just to have an attacker pull a copy of your configuration files out of a Web directory, bypassing your security.
Another potential threat associated with software VPNs is instability. Many information security professionals are reluctant to run software VPNs due to the challenges of the operating system crashing and taking the VPN with it. Many security professionals wouldn’t ever want to run a VPN that could be taken out by a “blue screen of death”—the nickname for the Microsoft server crash screen.
Finally, operating systems are vulnerable to viruses and other forms of malware. These would include Trojan horses, rootkits, or any of the other destructive malware currently active on the Internet. Any of these infections could compromise the security of your VPN, as well as your internal network.
If you are planning to run a software VPN, be sure to run it on a dedicated server, double-check both the operating system configuration and the VPN configuration, and keep the operating system fully patched and up to date. When your VPN is fully configured, run a vulnerability management tool against it, or have a professional come in and conduct a penetration test. Moreover, be sure to install and maintain current antivirus and anti-malware software on the server. It’s a good idea to install a firewall application and an intrusion detection/prevention application to ensure that your VPN
remains secure.
Credential Sharing Credential sharing is sharing a logon and password, or other security credentials with others. A person may share credentials with another authorized user such as a boss, secretary, or coworker, or even with a family member. A person may also share credentials for reasons such as unofficial outsourcing all or a part of his or her job, such as data entry or coding, unbeknown to the employer. The practice doesn’t necessarily result in compromising the system, but often it does.
Vulnerabilities common to both hardware and software VPN implementations include:
Denial of service attacks Missing patches Backdoor attacks Unpublished vulnerability in the code Weak client security Weak authentication Hairpinning Credential sharing
In a denial of service (DoS) attack, the attacker is trying to crash or overload the VPN, essentially to deny access to the VPN service. Attackers use specially crafted packets designed to crash the VPN or, more likely, direct a flood of traffic at the VPN in an attempt to overload it. This is not a very common attack because of the large amounts of traffic required to overload most companies’ network infrastructures. Generally, you will not see a VPN targeted with a DoS, as attacks against VPNs are typically designed to allow the attacker access to the internal network. DoS is more common against popular Web sites like Twitter or Facebook, where there is significant publicity, or against online merchants, who are subject to blackmail. When your Web site is a significant source of revenue, a DoS attack can be very expensive.
Any hardware or software platform that can run VPN software is vulnerable. That’s the nature of any computer technology. When these vulnerabilities are discovered, the vendor will typically develop a patch or an update to address the issue. If you do not keep your VPN current, you leave your network open to these issues, and attackers will try to exploit known vulnerabilities with your VPN.
A backdoor account attack is pretty rare, but can happen in some instances. An example of the traditional backdoor attack was featured in the movie War Games, where the system developer left a
user account and password on a secure system in case he needed to get back in. This account was exploited by an attacker (in the movie, a kid just looking to play games)—nearly causing the end of the world. Needless to say, the issues in your environment will not be quite as dramatic, but they are still of concern. Code running on VPNs and operating systems is closely scrutinized, so system developers are less likely to be a threat, but what about a system administrator who thinks he’s about to be fired? Or a vendor who comes in to support your VPN and creates an account for support that he or she forgets to delete before leaving? The best way to mitigate this type of attack is through scheduled auditing of all accounts on your VPN, as well as strong, documented procedures for how and when accounts are created and deleted. This particularly applies to accounts with elevated privileges or on systems accessible from the Internet.
One of the trickiest (and fortunately rarest) security threats is an unpublished vulnerability in the VPN code. Researchers or potential attackers can discover an unpublished vulnerability. If it’s unpublished, it means the vendor is not yet aware of it, and thus has not yet developed a patch or an update. These are probably the most difficult threats you will face because there isn’t a lot you can do beyond following security best practices, creating a layered security environment, and monitoring the behavior of your environment for anomalies. Should you encounter this issue, be sure to follow your incident response process and work with the vendor to identify the issue and create a patch.
Another vulnerability is not directly on the VPN, but in the devices connecting to the VPN. VPNs offer significant security advantages, but if the client at the other end of the connection is not secure, then your network is at risk. To mitigate this risk, have a standard client configuration, which includes antivirus, anti-malware, firewall, and maybe even intrusion-detection software. Also make sure that the only clients connecting to the VPN are company-owned. Permitting personal assets to connect to your network opens a number of additional issues, since you are not able to supervise the configuration of those systems. All it takes is one employee whose daughter clicks on the video link that her friend sent her (generally with a comment like “check out this video I took of you”), and you could end up with a virus on your network when Dad connects to the VPN using the same system.
A final vulnerability to consider is the challenge of weak authentication. Your VPN is really only as secure as your authentication mechanism. If you are authenticating via user ID and password, you run the risk of someone guessing or stealing those credentials and accessing your network without permission. To mitigate this risk, rely on either token-based or biometric authentication methods instead of—or in addition to—a user ID and password. If you must use a user ID and password for authentication, be sure to coach users in the use of strong passwords.
A familiarity with the various threats, attacks, and mitigations is critical to the long-term support of your VPN and your total network. Be aware that no list of threats and attacks can be all-inclusive because attackers are constantly developing new methods for compromising your network. In the absence of specific threats and attacks, rely on good security practices to keep things safe.
Commercial or Open Source VPNs
When looking at VPN solutions, decide if you want to include the option to leverage open source VPNs. If so, be aware of some of the tradeoffs you will encounter when leveraging an open source VPN product.
A commercial solution offers the following benefits:
Ease of installation and management Available management tools Access to vendor support Available hardware maintenance
The benefits of an open source solution include the following:
Low cost Flexibility Ability to run on existing hardware Access to Internet-based support
Both commercial and open source solutions pose some challenges. Commercial solutions are typically easier to implement, but that ease of installation comes at a cost. Not only are commercial solutions more expensive than open source solutions, but also they are typically less flexible. Open source solutions like OpenVPN (www.openvpn.net) offer significant flexibility, but generally require significantly higher skill in installation and support of the product. You rarely have access to vendor support, as open source solutions usually rely on the knowledge of the user and the development community. When you have an issue, you can normally post it on a discussion board, and the community will assist you in resolving your issue.
While weighing the pros and cons of open source VPN solutions, take into account a couple of other factors. First, many organizations have policies about the use of open source software. These policies derive from the company’s tolerance for risk, the open source licensing agreements, and intellectual property implications of open source. If your organization embraces open source, an open source VPN is probably worth considering.
The best VPN application still comes down to identifying your requirements and finding the best solution for your organization. If you’re on a low budget or have access to solid technical resources, an open source solution could be the best choice for your needs.
Differences Between Personal and Enterprise VPNs
Much of the information in this chapter has dealt with VPNs deployed in support of an enterprise or at least a midsized or large network. Another class of VPN applications—the personal or individual VPN—is sometimes referred to as the small-office or home-office VPN solution. Many home routers will include support for VPN connections, and open source VPNs are also very popular in this space. Shrew Soft (www.shrew.net) offers an open source VPN client that will connect to many standards- based VPN gateways like OpenSWAN (www.openswan.org). The value of these personal VPNs is twofold. First, implementing a personal VPN provides you secure access to your home network. Even better, implementing a personal VPN provides you with some valuable experience with VPNs that
you can then transfer to your organization’s enterprise VPN.
Balancing Anonymity and Privacy
A key concept to understand about VPN technologies is the difference between anonymity and privacy. Anonymity is the ability of a network or system user to remain unknown. Tools that support anonymous access include Tor (www.torproject.org), an open software and network to anonymously surf the Web. A hardware solution that leverages the Tor network for anonymity is JanusVM (www.janusvm.com). The problem with solutions for anonymity is that they don’t always protect your privacy. In many cases, the traffic carried anonymously by these applications is unencrypted, which means an attacker can read it with access to the right part of the network. If you are passing user IDs and passwords, credit card numbers, or other information that you would like to keep private, these are not the correct solutions for you.
Privacy, on the other hand, is keeping information about a network or system user from being disclosed to unauthorized people. If you want to protect your information, a VPN connection does an excellent job of this by encrypting the data that it carries. Leverage VPNs whenever you are connected to an untrustworthy network and want to send sensitive information. Wireless networks are a particularly ripe environment for attackers trying to get private information from a public network. VPNs do not offer any anonymity, however, as you are always able to track the endpoints of a VPN connection. That information is needed to maintain the VPN connection.
Protecting VPN Security to Support Availability
One of the design decisions you made when selecting your VPN was whether you needed a highly available solution. Once your users expect to access the network from a hotel, from a customer location, from Starbucks, or from home when they have a sick child, you will find they have little tolerance for outages. A downed VPN means none of your remote workers can do much work, and in some organizations that can mean a majority of the company could be off the network until the VPN is back up and running. A highly available solution makes a lot of sense.
technical TIP When considering VPN availability, don’t overlook the little things. Put your VPNs in separate racks, connected to separate power supplies. Nothing’s more embarrassing than explaining to your manager that the VPN was down for two hours because someone accidentally switched off a power strip.
The most common method for implementing a highly available VPN is pretty simple. You buy two
VPN hardware units (or implement two open source VPNs) and then configure them as a highly available pair using the vendor’s high-availability mechanisms. Cisco offers the Hot Standby Router Protocol (HSRP), for example, which allows configuration of a pair of Cisco VPNs so that in the event the primary VPN fails, the backup takes over seamlessly. If configured correctly, end users don’t even notice the cutover. A more industry-standard protocol that offers similar functionality is the Virtual Router Redundancy Protocol (VRRP). You also have the option to use a third-party solution. Many of today’s load balancers offer the ability to load-balance VPNs. When one VPN fails, the load balancer automatically directs all traffic to the remaining gateway.
In addition to ensuring your VPN is highly available, also ensure that your Internet circuits have similar redundancy. You don’t want to end up with your VPN up and your one Internet connection down. The net result is still unhappy users who cannot access the network. In the event of circuit outages, the user will typically need to reconnect to the VPN. This is still better than not being able to connect at all.
When you are considering a highly available VPN solution, be sure to consider not only the acquisition costs, but also the ongoing maintenance costs over the following three to five years. It’s important to capture the full cost of the solution rather than just the purchase price.
The Importance of User Training
Now that your VPN is up and running, you must train your users on how to use it. One of the most common challenges with IT infrastructure deployments, especially with security infrastructure like a VPN, is for the IT team to assume that, since they understand how the solution works, their end users understand it as well. That’s almost always a bad assumption. It can turn a successful rollout into an unsuccessful one.
To develop good user training, start by setting appropriate training goals. One of the first mistakes security practitioners make when developing training is jumping past any planning and starting with taking screen shots, typing up documentation, and scheduling meetings. However, much like a successful VPN deployment, the first part of successful training is planning. Determine the following before designing your user training:
Who is your target audience for the training? Before you start writing your training, understand who will be learning.
What is the technical awareness level of your audience? Are you training tech-savvy IT professionals, or salespeople who just want to turn on their PCs and start working?
Where is your audience? Is your audience in one central location, or spread out regionally—or even nationally? This will affect the choice of media you use to train users.
What level of training are you trying to deliver? Will users need to install the client software? Do you want to include basic troubleshooting in the training? Are you trying to sell features or do you just want to train them on how to log on? Should you include additional security issues in this training?
Once you gather the appropriate information, determine the best mechanism for delivering the training. You may distribute some written instructions, have a conference call, or even hold a Web conference. For high-profile users, or users who require significant support, hold classroom training. If you decide to go with live training, definitely plan to do additional information security training. After all, you have their attention for the period of the training; you should maximize the benefit not only to your users, but also to your company. Remember that well-trained employees tend to be the most secure computer network users.
Other things to keep in mind as you do user training: Make sure your training plan includes how you will train new employees. Will your training post to an intranet Web site or load onto a DVD that new hires can watch? Will you offer new-hire training at a regular interval to ensure everyone understands how to use the VPN?
Finally, don’t forget your support staff. If a user with VPN issues is supposed to call the help desk, make sure the help desk knows how to help.
VPN Troubleshooting
To successfully troubleshoot and resolve VPN issues, you must be organized, methodical, and prepared. Like anything else on your network, your VPN at some point will experience an issue. The preparations you undertake during installation and maintenance will prove to be critical components of your troubleshooting process.
Before you start troubleshooting your VPN issue, have access to the following information:
A network diagram showing the placement of the VPN and other key network components like firewalls, routers, and switches
A copy of the current VPN configuration Any error, system, or alert logs An operations guide Maintenance logs and change management records
technical TIP When troubleshooting issues with a VPN, or any network equipment, be sure to review all recent changes to the environment, not just changes to the VPN. An update to a DNS server, the replacement of a router, or changes to IP addressing can affect your VPN.
Now that you have your basic information, you can start troubleshooting. There’s no one way to troubleshoot an issue, particularly a VPN issue. What you can do is determine what works best for you, and stick with that process. Some people like to start at the far end and work back to the local
VPN server. Others will start at the network level and work their way up to the application. The actual process is not as critical as having an established process and sticking with it. One way to tackle this process is the following:
1. Identify the symptoms—Frequently, when you are dealing with a user-reported issue, the reported item will bear little resemblance to the actual problem. Users tend to generalize with statements like “No one can get on the VPN” or “The intranet is down from the VPN.” You need more specifics before you start correcting an issue. Ideally, you will receive an automated alert from your monitoring system, which generally permits you to track down issues much more quickly than a help desk ticket.
2. Determine the scope of the problem—Know whether your problem is bigger than a breadbox or a 747. Do you have one user who cannot connect, 100 users, or the entire company? Not only will this help you get a handle on the urgency of the issue, but it also gives you valuable clues to what the problem might be. If it’s one user, the odds are pretty good that it’s a client issue, or possibly a network issue on the user’s end, and the help desk can probably assist with the issue. If a large group but not everyone is affected, you can look for commonalities. Do all the users belong to the same VPN group? Do they all connect from the same part of the country (indicating it could be an ISP issue)? If you have multiple VPNs, are the problems all on one VPN?
3. Look for changes—Before you assume something is broken, see if anything has changed. If the issue is with a single user, did he or she install a new application like Skype or Tor that could be interfering with the VPN? If the VPN is unreachable from the Internet, was someone working on your Internet connection? Did you do a code upgrade over the weekend? The importance of formal change management is critical to successfully maintaining a production computing environment. When you are troubleshooting, determine what has changed. Be aware that sometimes the toughest part of chasing down change- related issues in a complex environment is figuring out which of the 20 or 30 changes performed during a weekend change window is causing your problem.
4. Call the vendor—It’s never a bad idea to call the vendor and see if it has seen your issue before. If you don’t have phone support with the vendor, visit its Web site and check its knowledge base. The Internet is an invaluable tool for helping with troubleshooting.
5. Try the most likely solution—As the resident expert, once you have gathered all the information and reviewed the likely issues, try a fix. Record these fixes not only in your operations guide, but also in your change control process.
6. Test it—You made a change; test to see if it worked. If not, back out the change you made and repeat the previous step with the next most likely fix. Repeat the process until the problem is solved. Do not keep trying fix after fix without backing out previous fixes; you could end up making so many changes that you won’t be able to easily get back to a stable configuration.
7. Check to see if you broke anything else—This is a critical step. Changes to the environment—even if you are trying to fix something—can have unpredictable effects. The last thing you want is to assume the problem is solved, just to get a call later saying no one
can get to the Internet. 8. Document, document, document—This is probably the most important part of the process.
If you don’t write processes and procedures down, it’s as if you didn’t even do them. When the next expert comes along to troubleshoot and your changes aren’t documented, he or she will have to start with incorrect information or guesswork. And if you encounter the same problem 12 months later, you’ll be glad you can refer to your previous process to speed up the second recovery. Create a section in your operations guide just for this kind of documentation.
Now that you have a general troubleshooting process, consider some other things when troubleshooting a situation:
Don’t panic—During a major outage, people tend to panic. They will start sending e-mails to large distribution lists, sending alerts, escalating issues, and doing a variety of other things that are not particularly helpful to you while you’re troubleshooting an issue. Keep your cool, work on the problem at hand, and keep management informed of the progress you make.
Don’t overcommit or make promises you can’t keep—If you don’t know what the issue is, don’t tell your manager that the network will be back up in an hour.
Focus on the problem at hand—Getting sidetracked when troubleshooting a complex issue is easy. Be sure that the problem at hand is the one you are working to address. If you identify other potential issues unrelated to the current outage, document them and handle them under your change control process. But don’t go off on a tangent and delay addressing the immediate issue.
NOTE When you are troubleshooting a VPN issue, management will often require frequent status updates. The worst place for you to be when the VPN is down is spending all your time on conference calls fielding questions like, “When will it be fixed?” Management needs to be educated to the concept that things won’t be fixed until you get off the phone and back to working on the problem.
You can do a couple of quick and easy tests if you are having a major VPN outage and you just want to be sure that your VPN is still on the network. Generally, your VPN will have two interfaces. One will be accessible from the Internet, and the other will be the connection to your internal network (possibly through a firewall). In the event of a major outage, start by verifying that both of those ports are functioning.
To verify the internal port is available, you can use the ping command from the Windows command prompt or from a UNIX command line. See Figure 11-4 for an example of a successful ping response.
Once you’ve validated the internal port, also validate the external port. This is frequently a
challenge because in most organizations, a direct connection to outside the network is not readily available. In some larger organizations, you may have a DSL Internet connection dedicated for testing, but if you don’t have that type of access, a number of Internet sites will let you run network diagnostics from their Web sites. See Figure 11-5 for a sample Internet traceroute command from www.network-tools.com. If you do an Internet search on “network tools,” you can find a number of sites that offer a similar capability.
FIGURE 11-4
Troubleshooting a VPN issue using PING.
FIGURE 11-5
Using Internet-based traceroute tools to determine if your VPN is accessible from the Internet.
You now have the tools to create your own troubleshooting process for your VPN, using some or all of the steps and tips discussed. You just need to determine what works best in your environment.
Be methodical, don’t panic, keep focused on the issue, and you will be very successful in quickly addressing VPN issues in your environment.
CHAPTER SUMMARY VPN management is a complex activity that requires attention to detail and good documentation. A variety of best practices may assist you in your VPN deployment and ongoing support. Selecting and deploying a VPN solution that meets your business requirements is essential. This includes deciding between open source and commercial VPN solutions when selecting your product. Understanding the threats, attacks, and mitigations and ensuring your VPN is available are key components of success. In addition, you must understand the difference between privacy and anonymity, know the difference between personal/individual and enterprise/network solutions and, finally, be able to train your users well. Once you have mastered all these facets of successful VPN rollout and support, you’ll be ready to move on to other security topics.
KEY CONCEPTS AND TERMS Anonymity Hairpinning Service level agreement (SLA) Slideware Two-factor authentication Vulnerability management
CHAPTER 11 ASSESSMENT
1. Which response contains the three most common VPN deployment architectures? A. Bypass, encrypted, OpenVPN B. DMZ, OpenVPN, internally connected C. DMZ, encrypted, OpenVPN D. Encrypted, OpenVPN, internally connected E. Bypass, DMZ, internally connected
2. All of the following are considered VPN management best practices except: A. If one is good, two is better. B. Patch regularly. C. Permit split tunneling. D. Do not allow employee-owned computers to connect. E. Review usage.
3. Three of the threats common to both software and hardware VPNs include ________, ________, and ________.
4. The two different types of VPN commonly used for remote access VPN are ________ and ________.
5. Pick two advantages of using an open source VPN solution instead of a commercial solution. A. Low cost B. Good vendor support C. Less installation and configuration time D. Use of existing hardware E. Ease of troubleshooting
6. The ability of a network or system user to remain unknown to adversaries is ________.
7. Which of the following are benefits of using a commercial VPN instead of an open source VPN solution? (Multiple answers may be correct.) A. More costly B. Less flexible C. Product support D. Greater skill needed to deploy and support E. Dedicated hardware
8. A document that details the requirements for using a VPN is called a ________.
9. Which of the following are vulnerabilities common to both software and hardware VPN solutions? (Multiple answers may be correct.) A. Default password B. Unpublished vulnerability in the code C. Weak client security D. Weak authentication E. Blue screen of death
10. Which of the following are components of a VPN policy? (Multiple answers may be correct.)
A. Introduction B. Scope C. VPN configuration settings D. Definitions E. Backup strategy
11. Keeping information about a network or system user from being disclosed to unauthorized people is known as ________.
12. Recognizing that vulnerabilities will be found with both hardware and software VPNs, be sure to ________ frequently.
13. Which of the following are not VPN best practices? (Multiple answers may be correct.) A. Back up your configuration. B. Pick the solution that gets the best reviews. C. Don’t permit split tunneling. D. Use vulnerability management. E. Secure your endpoints.
14. The best authentication method for client VPNs is ________.
15. When protecting the availability of your VPN, it is a good practice to have ________ VPN gateways in your environment.
16. Which of the following are protocols that can be used for high availability with VPNs? (Multiple answers may be correct.) A. IPSec B. 3DES C. HSRP D. VRRP E. SSL
17. If you want to verify that the VPN is on the network, what is the simplest tool you can use? A. Snort B. Ping C. Traceroute D. VPN Monitor E. Syslog
18. When troubleshooting a VPN issue, which of the following are valid troubleshooting steps? (Multiple answers may be correct.)
A. Don’t panic. B. Gather the symptoms. C. Run a vulnerability scan. D. Review changes to the environment. E. Upgrade the VPN software.
19. Your VPN policy should address which of the following topics? (Multiple answers may be correct.) A. Defining authentication methods permitted B. Defining the VPN platform C. Defining required encryption levels for VPN connections D. Defining the troubleshooting process E. Defining how to respond to incidents
20. In addition to redundant VPNs, also make sure to have redundant ________ for your VPN to be truly available.
CHAPTER
12 VPN Technologies
VIRTUAL PRIVATE NETWORK (VPN) is a general industry term that actually covers many different technologies. Ask anyone who works in a large company and needs to access a corporate network remotely and he or she will probably confirm using a VPN to connect to the network and get to his or her e-mail, intranet, and other corporate applications. Ask him or her how that VPN works, however, and you will almost always get a blank stare. End users are typically interested only in the result of a solution, not in how it works. For you, the information security practitioner, however, just how a VPN works is as important as what benefits a VPN provides your organization.
VPNs are deployed in a number of different ways, leveraging a variety of technologies, platforms, and protocols. Determining which VPN is the right fit for your organization requires successfully gathering and interpreting your business requirements. Once you’ve documented those requirements, it’s up to you as the security practitioner to understand the various options and capabilities to fit the VPN technology to the appropriate business requirements.
A variety of technical factors affect the selection and installation a VPN solution. Some VPNs are available as software installed on a workstation or a server. Other VPNs are software components of other devices, like a router or a firewall. Finally, dedicated VPN hardware appliances provide secure remote connectivity.
A variety of underlying protocols can provide different functions, features, and levels of encryption. When a vendor starts talking about L2TP, IPv6, SSL and SSH, or IPSec, you’ll need to speak the lingo and make the right technology decision for your organization.
Finally, other infrastructure considerations you need to take into account when working with VPN technologies include how things like network address translation (NAT), Internet Protocol (IP) version, and the use of virtualization can affect how you deploy, maintain, and troubleshoot a VPN.
Chapter 12 Topics
This chapter covers the following topics and concepts:
What the differences are between software and hardware solutions
What the differences are between Layer 2 and Layer 3 VPNs
What Internet Protocol Security (IPSec) is
What Layer 2 Tunneling Protocol (L2TP) is
What Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are
What the Secure Shell (SSH) protocol is
How to establish performance and stability for VPNs
How to use VPNs with network address translation (NAT)
What some types of virtualization are
What the differences are between Internet Protocol (IP) versions 4 and 6
Chapter 12 Goals
When you complete this chapter, you will be able to:
Contrast hardware and software VPN solutions
Describe VPN protocols, their uses, their features, and their problems
Explain the problem of using VPNs with NAT
Evaluate hardware VPN devices
Differences Between Software and Hardware Solutions
A key topic in discussing VPN technologies is the differences between software and hardware solutions. The following definitions help reveal those differences:
Software VPN—Software-based VPNs are sold either as part of a server operating system, as part of an appliance operating system, or as a third-party add-on software solution.
Hardware VPN—A hardware VPN is a standalone device, dedicated to managing VPN functions such as authentication, encapsulation, encryption, and filtering.
NOTE In the early days of VPNs, VPN software commonly ran on a Windows or UNIX server. Today, server-based implementations show up mostly in small environments because of the poor scalability and reliability of the operating system. Most software VPNs act as a component of a firewall or router, not as an add-on to a server.
While the functionality of software and hardware VPN solutions is essentially the same, providing a
secure remote connection on demand points out some important differences.
Software VPNs When evaluating whether or not to deploy a software VPN, consider two types of software VPNs:
Operating system–based VPN—An operating system–based VPN solution is an application that runs on a Windows or UNIX operating system. These are generally used in smaller companies, as they tend to be less scalable and less stable than other VPN solutions. They are generally less expensive, especially as they are running on a shared server, which may be running other applications. Many of these solutions are open source, which further reduces the cost, although it can increase the complexity of the solution. One potential security issue with this solution is that the server communicates with the public network (generally the Internet) for the connections to occur. Any time you connect a server and the associated operating system to a public network, you increase the security risk, since you are exposing it to a much larger pool of attackers. You can mitigate this risk by limiting the ports open to the server, and, if you are doing just site-to-site VPN connections, you can sometimes restrict the connections to specified IP addresses. You can also add a firewall to the VPN server, which adds to the overhead on the server, but will provide additional protection to offset the increased exposure.
Module-based VPN—A module-based VPN runs as a component on a larger system. These are sometimes included as part of the overall feature set, or in other cases may require the purchase of additional licenses to use the VPN. An example of this would be the VPN capability included with many firewalls. Many routers also offer this type of capability, which permits the easy encryption of WAN links for security-conscious companies. The benefit of this type of VPN solution is reduced complexity of the environment, since you have fewer discrete devices to manage. VPN modules are also typically less expensive than hardware VPN solutions. Some vendors also offer hardware accelerators for improving overall performance of this solution.
Hardware VPNs Hardware VPNs are dedicated appliance-based solutions, generally based on a router-type platform. Hardware VPNs are the most common type of VPN deployed in corporations today. While hardware VPNs can be complex to deploy, they are typically more scalable than their software counterparts, and can be easily deployed in a redundant manner. Hardware VPNs can increase the complexity of an environment, because you are deploying additional equipment. The good news is that you can usually manage this additional hardware with the same types of network management tools you use to manage the routers and switches in an environment.
Hardware VPNs can create some security issues, largely related to potential vulnerabilities in the VPN software code on the appliance itself. A number of security alerts related to VPN vulnerabilities have appeared in recent years. Fortunately, you can manage this issue fairly easily by keeping current on your vendor’s security alerts and by upgrading VPN code in a timely fashion. A good rule of thumb
is to run the N21 version of code, where N is the current version of code, unless a known issue with that previous version of the code has been published.
Ultimately, the requirements of your business will drive your selection of a software or hardware VPN. The good news is that many options are available to you in your search for the best solution.
NOTE You must make a risk-based decision on whether to accept the possibility of undiscovered bugs in a new version of hardware or to live with the known bugs in a previous version. If an upgrade is issued primarily for fixing security flaws, you may be better off with the new version, surprises and all.
Differences Between Layer 2 and Layer 3 VPNs
One distinguishing component of current VPNs is that they use a variety of transport protocols to establish their connections. This is helpful not only because the protocols have different capabilities, encryption strengths, and authentication mechanisms, but they also can run at different layers of the Open Systems Interconnection (OSI) Reference Model. The OSI model is the standard seven-layer conceptual tool that describes protocols and their functions. Each layer communicates with its peer layer on the other end of a communication session. While the OSI model is helpful in discussing protocols, most protocols are not in full compliance with it.
In the case of VPNs, the protocols used by the vast majority of solutions work at Layers 2 and 3 of the OSI model.
Layer 2 of the OSI model is the Data Link Layer. The Data Link Layer is the protocol layer that transfers data between adjacent network nodes. In the case of a VPN, this protocol transfers data from one VPN endpoint to the other.
An example of a protocol that communicates using Layer 2 would be Layer 2 Transport Protocol (L2TP).
Layer 3 of the OSI model is the Network Layer. The Network Layer is responsible for end-to-end packet delivery and includes the ability to route packets through intermediate hosts.
An example of a VPN protocol that communicates at Layer 3 is IPSec.
technical TIP SSL/TLS and SSH are protocols that operate at Layer 7 of the OSI model, the Application Layer.
technical TIP An RFC is a request for comments. These “requests” are published by the Internet Engineering Task Force (IETF). The IETF is the standards body for Internet-related engineering specifications. The IETF uses RFCs as a mechanism to define Internet-related standards. (See www.ietf.org for more information.)
Internet Protocol Security (IPSec)
Internet Protocol Security (IPSec) is a standards-based protocol suite designed specifically for securing Internet Protocol (IP) communications. IPSec authenticates and encrypts each IP packet in an IP data stream. In addition, IPSec has protocols that can establish mutual authentication and cryptographic key negotiation during a session. IPSec operates at the Network Layer of the OSI model.
The IPSec standard utilizes three major components:
Authentication Header (AH) Encapsulating Security Payload (ESP) Internet Key Exchange (IKE)
Authentication Header (AH) provides integrity protection for packet headers and data, as well as user authentication. It can optionally provide replay protection and access protection. AH cannot encrypt any portion of a packet. In the initial version of IPSec, the ESP protocol could provide only encryption, not authentication, so AH and ESP were often used together to provide both confidentiality and integrity protection for communications. Because authentication capabilities were added to ESP in the second version of IPSec, AH has become less significant; in fact, some IPSec software no longer supports AH. However, AH is still of value because AH can authenticate portions of packets that ESP cannot. Also, many existing IPSec implementations use AH.
Encapsulating Security Payload (ESP) is the second core IPSec security protocol. In the initial version of IPSec, ESP provided only encryption for packet payload data. Integrity protection was provided by the AH protocol if needed. In the second version of IPSec, ESP became more flexible. It can perform authentication to provide integrity protection, although not for the outermost IP header.
technical TIP Why does the layer matter? Because IPSec operates at Layer 3 of the OSI model, it can encrypt any traffic in Layers 4 through 7 of the OSI model. That means IPSec can be used to encrypt any application traffic.
Therefore, in all but the oldest IPSec implementations, ESP can provide encryption only, encryption and integrity protection, or integrity protection only. This chapter mainly addresses the features and characteristics of the second version of ESP.
NOTE IPSec supports the Data Encryption Standard (DES), a 56-bit encryption protocol, and 3DES (data is encrypted three times using DES), which effectively yields a 168-bit encryption protocol.
Internet Key Exchange (IKE) negotiates, creates, and manages security associations. Security association (SA) is a generic term for a set of values that define the IPSec features and protections applied to a connection. You can also create SAs manually, using values agreed upon in advance by both parties, but because these SAs cannot be updated, this method does not scale for real-life large- scale VPNs. In IPSec, IKE provides a secure mechanism for establishing IPSec-protected connections.
IPSec supports two different modes:
Transport mode (host-to-host)—In transport mode, only the data packet payload is encapsulated, while the packet header is left intact. In this mode, the destination host decapsulates the packet. This is the mode used in a Microsoft Windows environment to secure a client-to-server connection using IPSec.
Tunnel mode (gateway-to-gateway or gateway-to-host)—In tunnel mode, the IP packet is entirely encapsulated and given a new header. The host/gateway specified in the new IP header decapsulates the packet. This is the mode used to secure traffic for a remote access VPN connection from the remote host to the VPN concentrator on the internal network. (A VPN concentrator decrypts information coming from a remote user over the Internet, and encrypts information sent back over the Internet to the remote user.)
IPSec is a little different from some of the other protocols. It provides high-quality, interoperable, cryptographically based security for IPv4 and IPv6. As a result, the protocol supports a comprehensive set of security services, including:
Access control Connectionless data integrity checking Data origin authentication Replay detection and rejection Confidentiality using encryption Traffic flow confidentiality
IPSec-based VPNs have been the dominant VPN platform for many years, although in recent years SSL-based VPNs have been making significant inroads. IPSec is so popular for three reasons:
It supports all operating system platforms. It provides secure, node-on-the-network connectivity. It offers a standards-based solution, permitting easier interoperability between different devices and vendors.
For more information on IPSec, see http://tools.ietf.org/html/rfc4301. While RFC 4301 provides the main IPSec standard definitions, separate RFCs exist for some IPSec features. The full set of RFCs defines the entire standard.
Layer 2 Tunneling Protocol (L2TP)
Layer 2 Tunneling Protocol (L2TP) is an older protocol largely replaced by IPSec and SSL/TLS- based VPNs in production environments. You will still encounter references to the protocol in current VPN literature, however, and it may still be in use in some older environments, where backward compatibility could still be an issue. L2TP was used extensively in early VPN solutions but lost its popularity as other protocols proved to be more usable as industry standards developed.
L2TP is a combination of the best features of Point-to-Point Tunneling Protocol (PPTP), a Microsoft proprietary protocol, and the Layer 2 Forwarding (L2F) Protocol, which was an early competing protocol for PPTP, developed by Cisco Systems. Like PPTP, L2TP was an extension of Point-to-Point Protocol (PPP) to allow PPP to be tunneled through an IP network. L2TP support was first included in a Microsoft server product with the release of Windows 2000 Server. Prior to Windows 2000, PPTP was the only supported protocol. A number of hardware VPN vendors, including Cisco, also supported it.
One of the challenges with L2TP is that it only provides a mechanism for creating tunnels through an IP network. It doesn’t provide a mechanism for encrypting the data being tunneled. As a result, L2TP was typically used in conjunction with IPSec protocol’s ESP for encryption. For this reason, you may sometimes see L2TP referred to as L2TP/IPSec.
RFC 3193 defines the use of IPSec to secure an L2TP implementation. For more information on L2TP, see http://tools.ietf.org/html/rfc2661. While RFC 2661 provides
the main L2TP standard definitions, separate RFCs for some other implementations and features exist. The full set of RFCs defines the entire standard.
Remember that you may never encounter L2TP in a production environment, but you should know the basic aspects of this protocol when looking at tunneling and VPN protocols in general.
technical TIP PPP was defined in the late 1990s to provide a standard transport mechanism for point-to-point
data connections. This was used largely in conjunction with modem connections and has been phased out as high-speed Internet connections have replaced modem connections.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
One of the key VPN protocols today is SSL/TLS, which is the main alternative for a VPN solution if you don’t want to leverage an IPSec solution. However, before you consider this protocol in conjunction with VPNs, it’s important to understand the origin of this protocol.
If you have ever surfed the World Wide Web, you have used the Hypertext Transfer Protocol (HTTP) to connect to a Web site. One of the drawbacks of HTTP is that is does not include the ability to encrypt or otherwise protect the data stream between the client and server. This wasn’t an issue until the early 1990s, when the need to protect against eavesdropping on communications became critical to the ultimate success of the World Wide Web. While several technologies have addressed this need, one solution has rapidly become the industry standard: Secure Sockets Layer (SSL).
HTTPS is the Web protocol that utilizes SSL to encrypt HTTP, and is used worldwide today for secure Web communications. (See Figure 12-1.)
NOTE SSL supports 128-bit encryption, while TLS supports the Advanced Encryption Standard (AES) with keys up to 256 bits.
FIGURE 12-1
A secure browser session using SSL. Note the “https” in the address bar.
FIGURE 12-2
A certificate used to authenticate a server in an HTTPS connection.
SSL was originally proposed as a standard by Netscape. Version 1.0 had serious security flaws, which were corrected in versions 2.0 and 3.0. As this protocol has become more widely used, it has been formalized in the IETF standard known as Transport Layer Security (TLS). The SSL/TLS protocol provides a method for secure client/server communications across a network. SSL/TLS prevents eavesdropping and tampering with data in transit. SSL/TLS also provides endpoint authentication and communications confidentiality through encryption.
In typical end user/browser usage, SSL/TLS authentication is one-way. Only the server is authenticated when the client compares the information entered to access a server to information on the SSL certificate on the server. The client knows the server’s identity, but not vice versa; the client remains unauthenticated or anonymous. See Figure 12-2 for an example of the information in a server certificate.
technical TIP The terms SSL and TLS sometimes confuse people. In practical terms, they are the same thing. While the IETF standard refers to the protocol as TLS, the industry still uses the acronym SSL when referring to the protocol used to secure browser communications.
FYI While SSL/TLS is supposed to authenticate servers, it hasn’t been as robust as originally
planned. Phishing attacks—that is, attacks that direct a user’s browser to a counterfeit Web site —are a major problem for security professionals. Users typically do not check to see if a site is encrypted or if the certificate information matches their destination Web site. Newer versions of browsers check encryption status for the user and warn of a mismatch between a certificate and the domain presenting it.
SSL/TLS can also perform bidirectional authentication by using client-based certificates. This is particularly helpful when using this protocol to access a protected network, as it adds a layer of authentication to the access.
SSL/TLS and VPNs As you learned in the section on IPSec, a VPN creates a secure tunnel through a public network like the Internet. While SSL VPNs still leverage the concept of tunneling, they create their tunnels differently than IPSec. An SSL VPN establishes connectivity using the SSL protocol. IPSec works at Layer 3 of the OSI model, while SSH functions at Layers 4 and 5. SSL VPNs can also encapsulate information at Layers 6 and 7, which makes SSL VPNs some of the most flexible available.
On additional function of an SSL VPN is that it usually connects using a Web browser, whereas an IPSec VPN generally requires client software on the remote system.
SSL VPNs create predominantly remote access VPN connections, where a client connects to applications on an internal network. This is different from a site-to-site connection, where two gateways connect disparate private networks across the Internet.
SSL/TLS VPNs benefits over IPSec VPNs include:
Less expense—Since an SSL VPN is typically clientless, you don’t have the costs of rolling out, supporting, and updating client software.
Platform independence—Since the access to an SSL VPN comes through the standard SSL interface, which is a component of virtually every Web browser, virtually any OS that runs a browser is supported. While the operating system (OS) support for VPN clients is good for common OSs, a significant lag can exist in client development following the release of a new OS or the release of a new client version. You may see a Windows client 90 to 180 days earlier than the Mac version.
Client flexibility—As a general rule, IPSec clients are installed only on corporate systems. Due to the additional configuration flexibility, SSL VPNs allow access from a variety of clients, including corporate systems, home systems, customer or supplier systems, or even a kiosk machine in a library or an Internet café. This wider accessibility tends to increase employee satisfaction with the technology.
No problems with network address translation (NAT)—Historically, NAT caused issues with IPSec VPNs. As a result, virtually all IPSec vendors have created workarounds. With an SSL VPN, you don’t have these issues because SSL works at a higher layer than IPSec and, as
a result, is not affected by NAT. Granular access control—This is a benefit or a drawback, depending on your environment. SSL VPNs require a greater granularity of access than a typical IPSec VPN because instead of creating a tunnel from the host to the internal network, SSL VPNs require explicit definition of each resource accessed. The upside is that, unless you have defined it explicitly, an SSL VPN user cannot access the resource. Although this barrier has significant security benefits, in a complex environment, this could add significant overhead to your VPN support.
Fewer firewall rules required—To access an IPSec gateway across a firewall, you need to open several ports to support the individual protocols for authentication and the tunnel. With an SSL VPN, you need to open only port 443, which is easy because of the prevalence of the HTTPS protocol.
For more information on TLS, see http://tools.ietf.org/html/rfc5246.
Secure Shell (SSH) Protocol
The Secure Shell (SSH) protocol is a method for secure remote logon and other secure network services over a public network such as the Internet. SSH services a number of applications across multiple platforms including UNIX, Microsoft Windows, Apple Mac, and Linux.
You can use SSH:
For logon to a shell on a remote host, replacing telnet and rlogin (see Figure 12-3 for an example of an application that uses SSH for this application)
For executing a single command on a remote host, replacing rsh For file transfers to a remote host In combination with rsync to back up, copy, and mirror files securely In conjunction with the OpenSSH server and client to create a full VPN connection
The SSH protocol consists of three major components:
Transport Layer Protocol, which provides server authentication, confidentiality, and integrity with perfect forward secrecy
User Authentication Protocol, which authenticates the client to the server Connection Protocol, which multiplexes the encrypted tunnel into several logical channels
For more information on SSH, see http://tools.ietf.org/html/rfc4251.
FIGURE 12-3
PuTTY is an application that leverages SSH to provide secure connections to hosts.
Establishing Performance and Stability for VPNs
Now that you have an in-depth understanding of the many options available to you for VPNs as well as other secure access protocols, it’s time to discuss some of the challenges you might encounter when supporting your VPN. For your VPN rollout to be successful, consider two factors: performance and stability.
Performance Some critical factors can affect the performance of your VPN:
VPN type—When considering the performance of your VPN, consider the type of VPN you’ve chosen. The performance characteristics of a VPN supporting remote clients can be very different from the performance characteristics of a VPN supporting site-to-site connections, or even a mixture of remote clients and site-to-site connections.
Protocol—The performance characteristics associated with an IPSec VPN can be very different from what you may find with an SSL VPN implementation. How you apply IPSec and SSL/TLS in a VPN solution can affect your VPN’s performance. Validating the performance specifications of the solution before you roll out should allow you to address any performance issues associated with the protocol startup.
Load—The number of remote access or site-to-site VPNs will affect the overall performance of your VPN rollout. The challenge in addressing this issue, particularly in an environment supporting a large pool of remote clients, is that the performance issues will tend to crop up during peak use. To appropriately diagnose these issues, you’ll need to be able to report on use in a way that tracks the peaks. Many of the current reporting tools available for VPNs tend
to show averages over time, which can hide peaks and valleys in your use numbers. Be sure you fully understand these performance reports.
Client configuration—In a remote VPN connection, much of the performance is actually related to the client’s capabilities. If the remote client is running on old hardware with limited memory and an underpowered processor, the overhead associated with encrypting the traffic will affect performance of the VPN connection. Another factor contributing to overhead is what else is being done with the remote PC. If the user is running a memory-intensive application such a photo editing suite, you may find that this resource impact reduces the performance of the VPN.
NOTE Don’t forget time-of-day considerations when investigating load-related performance issues. You will generally find your peak times for VPN use will be first thing in the morning, as employees get started for the day; after lunch, when everyone comes back from the break; and at the end of the business day. If performance issues arise, be sure to note the times of day to help correlate the data and identify root causes or at least common factors.
Bandwidth—The bandwidth available to your VPN can have a significant impact on its performance and can vary widely among the remote hosts and gateways. If your VPN is supporting site-to-site VPNs connecting two locations, the bandwidth allocated at either (or both) ends of the connection may affect performance. You may find, for example, that an unreliable DSL connection at a remote client location creates unacceptable delays for the user.
Topology—Depending on the location of your VPN endpoints, the topology may affect performance. For example, if your VPN connection has to traverse a firewall or a proxy server, you may find reduced performance depending on how well those devices handle the VPN traffic.
Encryption level—The higher the encryption level, the greater the impact on the memory and processor of the endpoint devices. That being said, you should always run the highest encryption available. If you suspect encryption is causing performance issues, you can look into either a dedicated processor for handling encryption or upgrading the processing capabilities of the central processor.
Traffic—An issue related to bandwidth is traffic loads. If, for example, the sales department likes to watch streaming video baseball games on Wednesday afternoon, and you have VPN performance issues during that time, increasing bandwidth may fix the problem, but does not really address the root cause, which is a traffic spike rather than too little bandwidth. To diagnose a performance issue related to traffic, devise some way to look at the traffic on your network. Another facet of this issue is what the traffic load looks like across the VPN. Do your remote users store their documents on servers in the core network? If you are running your VPN with split tunneling disabled, are remote users doing Web browsing through the VPN connection? Optimizing traffic both within the VPN as well as outside network traffic can go a
long way to ensuring you don’t encounter performance issues. Client version—Sometimes, the version of the client can affect performance. Managing older versions on remote devices can be very difficult depending on how your organization manages those devices. Keep your clients up to date, and you should be able to avoid any performance issues related to client versions.
Stability To ensure a successful VPN deployment, the implementation must be stable. Some factors that can affect VPN stability include:
Configuration—Ultimately, how you configure your VPN will have a major impact on your VPN deployment. Not only should you check your internal VPN configuration, but also factor stability into your initial design. If access to the network through the VPN is mission-critical, you should ensure you use a configuration that includes some level of high availability or failover.
Location—Consider where you have placed your VPN in the network. If the VPN connection has to traverse three firewalls, multiple local routers, and a proxy server, you may find that the connections are not as stable as you need them to be.
Software version—The version of VPN software (or in the case of a hardware VPN, the concentrator code) can have a significant impact on the stability of your rollout. Be sure to keep your VPN software up to date. Updating too quickly can also be a source of stability issues, so a good rule of thumb is to keep your software version one less than the latest version number of the VPN software. That model allows you to keep your VPN relatively current, so you avoid any issues contained in older versions of code, but also keeps you from being the vendor’s beta tester for new code, which is never a good idea in a production environment.
Underlying OS—The OS on which you run your VPN can definitely affect the stability of your VPN implementation. A VPN running on an old Windows operating system might have issues with the dreaded blue screen of death. A hardware-based VPN could run into challenges if there are firmware or OS issues, although those problems are typically less common than with an OS-based solution. The number of lines of software code needed to run a hardware VPN are quite a bit less than the current OS coding. The leaner the software, the less risk you run of issues with the OS.
While these lists contains many of the most common sources of performance issues you may encounter, be sure to reference your troubleshooting processes and procedures when diagnosing VPN performance and stability issues.
Using VPNs with Network Address Translation (NAT)
VPNs and network address translation (NAT) have historically suffered from some conflicts when
used together. NAT is an Internet standard that allows you to use one set of IP addresses on your internal LAN and a second set of IP addresses for the Internet connection. A device (usually a router or firewall) stands between the two connections and provides NAT services, managing the translation of internal addresses to external addresses. This allows companies to use large numbers of unregistered internal addresses while needing only a fraction of that number of addresses on the Internet, thus conserving the addresses. This is similar to a company that may have hundreds of phones in a building but pays for only a small number of connections to the phone switch, as it is unlikely that every employee would pick up the phone at the exact same time.
NAT was created as a workaround to IP addressing issues. Since the Internet relies on the TCP/IP protocol for communications, it also relies on the IPv4 addressing that is an integral part of the TCP/IP protocol suite. The explosive growth of the Internet threatened to exhaust the pool of IPv4 IP addresses. Without unique addresses, the Internet would be unable to successfully route TCP/IP traffic. This was clearly unacceptable because the Internet was fueling the explosive growth of many businesses. As a result, NAT was proposed and adopted widely as a way to conserve critical IPv4 addresses.
In the early days of the Internet, when IP addressing was being created, developers believed the 32-bit addressing scheme (known as IPv4) to be more than adequate for any potential network growth. Theoretically 4,294,967,296 unique addresses were available using 32-bit addressing and, even discounting the reserved ranges, more than 3 billion addresses were possible. At the time, that was enough addresses to provide one for every person on the planet.
Unfortunately, the designers of the addressing scheme dramatically underestimated the explosive growth of the Internet, as well as the popularity of TCP/IP in business and home networks. There are no longer enough addresses to go around. IPv6 is contains an addressing scheme that allows for a dramatically larger pool of addresses, but is receiving very limited deployment in corporate networks and on the Internet today. This is due in large part to the use of NAT. For more information on NAT, see RFC 3022 at http://tools.ietf.org/html/rfc3022.
Two main types of NAT are available:
Static NAT—This version of NAT maps an unregistered IP address on the private network to a registered IP address on the public network on a one-to-one basis. This is used when the translated device needs to be accessible from the public network. For example, a Web server on your private network might have an unregistered address of 10.10.10.10, but a NAT address of 12.2.2.123. A user trying to connect to that Web site can enter 12.2.2.123, and the router or firewall at the other end will translate that address to 10.10.10.10 when the packet reaches it.
Dynamic NAT—This version of NAT maps an unregistered IP address to a registered IP address from a group of registered IP addresses. This is more commonly used when large pools of systems on the internal network need to access the Internet and don’t have a requirement for a static address. The workstation’s address is translated to the next available registered address as soon as it initiates a connection to the public network.
The critical thing to remember about NAT is that due to limitations in the IPSec standard, IPSec has issues traversing a translated network. VPN vendors have addressed this issue, but the workaround
they have put in place can create challenges for troubleshooters. If possible, run your IPSec VPNs on untranslated addresses or deploy an SSL VPN. Because SSL runs at a higher level in the OSI model, it’s not affected by NAT.
NAT traversal is a general term for techniques that establish and maintain TCP/IP network and/or UDP connections traversing NAT gateways.
For IPSec to work through NAT, configure the firewall to permit the following protocols and ports:
Internet Key Exchange (IKE)—User Datagram Protocol (UDP) port 500 Encapsulating Security Payload (ESP)—IP protocol number 50 Authentication Header (AH)—IP protocol number 51
Types of Virtualization
A number of definitions and types of virtualization are available to businesses today. Operating system virtualization is the emulation of an operating system environment hosted on another operating system. A virtual machine exists logically, but does not have an associated dedicated physical device. Thus, a single physical machine can host multiple virtual machines. Virtualization of storage allows a storage manager to abstract the underlying physical storage technologies and manage storage at a logical level. Network virtualization allows you to run multiple logical switches within a single physical switch chassis. Some SSL VPNs support VPN virtualization.
All of these technologies can potentially affect your VPN environment.
Desktop Virtualization Desktop virtualization (sometimes called client virtualization) is a concept that separates the personal computer desktop environment from the physical desktop machine by using a client/server model of computing. This model is reminiscent of the thin client client/server architectures of years ago, where the operating system was run centrally. This generation of the model offers significantly more business benefits. A virtualized desktop is hosted on a remote central server instead of on the local hardware of the remote client. This allows users to work from their remote desktop client, while all of the programs, applications, processes, and data used are kept and run centrally.
This has an immediate impact on your VPN in ensuring the compatibility of your VPN client with the virtualized desktop. The possibility always exists that the virtualization of the client might cause issues with the client or complicate troubleshooting of any issues with the VPN. The best approach to working in a virtualized desktop environment is to test your VPN applications carefully before the virtual implementation goes into production.
Another issue that can come up in conjunction with the VPN is how you publish the virtual desktop to a remote client that is not connected to the network. One model would be to make the VPN connection first, then publish the virtual desktop across the VPN connection. This is an environment that lends itself well to SSL VPNs, due to the lack of dedicated client software. With an IPSec VPN
deployment, you need to get a working VPN client on the remote desktops before publishing the virtual desktop, adding to the complexity of your VPN environment. The other model is to publish the virtual desktops natively from a DMZ environment across the Internet, and then connect back to the network via VPN, publishing the VPN client (if using IPSec) as part of the virtual desktop image.
Some limitations of desktop virtualization include:
Additional security risks associated with the complex network and desktop image environments used when working with remote virtual desktops.
Loss of employee privacy as all storage and processing is centralized. Maintaining your VPN clients in the virtual images. Increased downtime in the event of network failures. Outages can also affect a greater number of employees.
The concept of virtualization is becoming more popular among enterprise customers. For SSL VPNs, the need for virtualization is natural. Enterprises like to provide different remote access VPN presences to different user groups, such as partners and different departments of employees. The following section covers some of the basic capabilities you should consider for a “virtualized” SSL VPN deployment.
SSL VPN Virtualization Virtualized SSL VPNs provide a unique virtual VPN configuration for each individual user group. Much like other types of virtualization, a virtualized SSL VPN allows you to separate the physical and logical sides of the VPN.
Some benefits of a virtualized SSL VPN environment include:
Greater flexibility—A virtualized SSL VPN gives you the ability to create custom authentication methods and VPN group policies for different user groups.
Delegation of management—Virtual VPNs allows the delegation of management roles for each virtual instance. If one virtual VPN instance allows a business partner to connect to an internal application, the management of that virtual VPN can go to someone supporting that business partner.
Added security when working in a multigroup environment—Virtual VPNs provide a total logical separation of the VPN’s instances in terms of system resources, routing tables, user databases, and policy management interfaces.
The use of virtualized VPNs is especially attractive to companies that provide VPNs as a service. Being able to create completely separate environments and resource pools is critical to a successful service provider. Setting up dedicated hardware environments for each customer does not allow a service provider to take advantage of the economies of scale offered by a single implementation.
Differences Between Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6)
One of the critical topics associated with today’s VPN implementations has to do with IPv4 versus IPv6. A quick look at the history of the Internet Protocol (IP) will be helpful first.
The Internet has driven the development of the TCP/IP suite, and TCP and IP remain tightly coupled. TCP/IP has always been at the root of the Internet; today, you are using TCP/IP in your corporate network because of the success of both the Internet and TCP/IP. In the early days of computing, multiple protocols ran on corporate networks, and you had to worry about how to tunnel other protocols across the VPN. Today, most networks run TCP/IP exclusively.
The TCP/IP Suite The TCP/IP suite is composed of a large number of protocols, defined in a series of RFCs. Each of the protocols in the TCP/IP suite provides a different function, and together they provide the functionality known as TCP/IP.
The TCP/IP suite got its name from the two main protocols in the suite: TCP (Transmission Control Protocol) and IP (Internet Protocol). TCP is responsible for providing reliable transmissions from one system to another, and IP is responsible for addressing and route selection. IP defines how computers communicate over a network. IP version 4 (IPv4), the currently prevalent version (defined at http://tools.ietf.org/html/rfc791), contains just over four billion unique IP addresses. IPv6 offers a newer numbering system that provides a much larger address pool than IPv4, among other features.
IPv4 Challenges The largest challenge with IPv4 is address exhaustion. While IPv4 addressing has kept the Internet and corporate networks running since the early years of the Internet, the industry is running out of addresses. The judicious use of NAT has extended the life of IPv4 far beyond its expected life span; however, currently less than 10 percent of total IPv4 address space remains. Organizations will soon need to start adopting IPv6 to support applications that require ongoing availability of contiguous IP addresses.
TIP The assignment of both IPv4 and IPv6 addresses is the domain of suborganizations of a global organization called the Internet Assigned Numbers Authority (IANA). To find out more about IANA, go to www.iana.org. In the U.S., the suborganization is the American Registry for Internet Numbers (ARIN); for more information, visit www.arin.net.
FIGURE 12-4
Comparison of IPv4 and IPv6 addresses.
IPv6 IPv6 is the next-generation IP version and has been designated as the successor to IPv4, the first implementation used in the Internet. The main driving force for the redesign of Internet Protocol is the foreseeable IPv4 address exhaustion. IPv6 was defined in December 1998 by the IETF with the publication RFC 2460. IPv6 is documented in several requests for comments (RFCs) starting with RFC 2460.
Some benefits of IPv6 include:
Increased address space—IPv6 supports 340 undecillion (3.40282E38) IP addresses for network devices.
More efficient routing—The routing functionality of IPv6 has been enhanced. Reduced management requirement—A more robust protocol, IPv6 requires less management. In contrast, IPv4 required significant management due to new requirements after the introduction of the protocol.
Better quality of service (QoS) support for all types of applications—Support for QoS is built into IPv6, whereas it was an add-on in IPv4.
Security—IPv6 includes a native information security framework (IPSec) that provides for both data and control packets.
Plug-and-play configuration with or without DHCP—IPv6 permits hosts to automatically configure themselves when they connect to an IPv6 network by querying the local routers with a multicast message. If the routers are configured correctly, they will respond with the appropriate configuration information. If this mechanism is not appropriate for a specific environment or application, support is available for an IPv6 version of DHCP. It also supports static configurations.
Three mechanisms currently exist for the transition from IPv4 to IPv6. It’s important to understand that when the IPv6 standard appeared, the expectation was that the two protocols would need to coexist in the network for 20 to 30 years, allowing for a gradual transition period. Three of the proposed migration strategies are:
Dual-stack—With this transition solution, both IPv4 and IPv6 protocol stacks coexist in the
same terminal or network equipment. This would allow the network to communicate using both protocols, but adds significant overhead to the network infrastructure.
Tunneling—This solution allows two IPv6 hosts to create a tunnel for traffic between two IPv6 hosts through an IPv4 network, or vice-versa, as IPv4 starts to phase out. This could add significant configuration overhead.
Translation—This solution enables an IPv4 host to talk to an IPv6 host. This solution will require additional development, as currently IPv6 does not include this capability.
IPSec and IPv6 IPSec is a mandatory component for IPv6, and is used to natively protect IPv6 data as it is sent over the network. The components of IPSec in IPv6 are not dramatically different from IPSec, which industry has been using since the 1990s. In IPv6, IPSec uses the AH and the ESP extension header.
The IPv6 IPSec is a set of Internet standards that uses cryptographic security services to provide the following:
Confidentiality—IPSec traffic is encrypted and cannot be deciphered without the appropriate encryption key. This should be easier to use in conjunction with IPv6, since it’s a native component of the protocol.
Data origin authentication—Ipv6 IPSec uses a cryptographic checksum that incorporates a shared encryption key so that the receiver can verify that it was actually sent by the apparent sender. This prevents spoofing of transactions.
Data integrity—The cryptographic checksum can also be used by the receiver to verify that the packet was not modified in transit.
You can find more information about IPv6 in RFC 2460 at http://tools.ietf.org/html/rfc2460.
CHAPTER SUMMARY You should now be familiar with the different VPN and related protocols and their uses, such as IPSec, Layer 2 Tunneling Protocol (L2TP), Secure Sockets Layer (SSL)/Transport Layer Security (TLS), and SSH. You should also understand the advantages and disadvantages of hardware and software solutions, and be able to determine which solution would be appropriate in your environment.
You learned how some of the challenges associated with establishing performance and stability for VPNs can affect the performance and stability of your VPN.
You learned about the issues network address translation (NAT) can present when rolling out a VPN, as well as the impact of both client and VPN virtualization on your VPN.
You took a detailed look at Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), including challenges and benefits associated with the rapidly approaching migration
to IPv6.
KEY CONCEPTS AND TERMS Authentication Header (AH) Encapsulating Security Payload (ESP) Internet Engineering Task Force (IETF) Internet Key Exchange (IKE) Layer 2 Forwarding (L2F) Protocol Layer 2 Tunneling Protocol (L2TP) Point-to-Point Protocol (PPP) Point-to-Point Tunneling Protocol (PPTP) Requests for comments (RFC) Secure Shell (SSH)
CHAPTER 12 ASSESSMENT
1. What are the two modes supported by IPSec? (Multiple answers are correct.) A. Transition B. Tunnel C. Encrypted D. Transport E. Internally connected
2. Which of the following are not considered IPSec services? (Multiple answers may be correct.) A. Access control B. Encryption C. NAT interoperability D. Replay rejection E. Support for AES encryption
3. The strongest encryption protocol currently supported by IPSec is ________.
4. The two different protocols commonly used for remote access VPN are ________ and
________.
5. Pick two advantages of using an IPSec-based VPN solution instead of an SSL-based solution. (Multiple answers are correct.) A. IPSec provides a direct connection to the network. B. Since IPSec works at Layer 3, it can support virtually all network applications. C. IPSec requires the configuration of each application being accessed via the VPN. D. IPSec is a clientless solution.
6. A solution that permitted industry to extend the life of IPv4 addresses is ________.
7. Which of the following are benefits of using an SSL VPN? (Multiple answers may be correct.) A. More costly B. Less flexible C. Support for NAT D. Fewer firewall rules required E. Used for secure logons
8. SSL VPNs are considered ________ because access is granted through SSL, which is supported by Web browsers on virtually all platforms.
9. Which of the following can affect the stability of your VPN? (Multiple answers may be correct.) A. Number of users B. VPN configuration C. Code revision level D. Operating system E. Encryption level
10. Which of the following are types of network address translation? (Multiple answers may be correct.) A. On demand B. Dynamic C. Secure D. Static E. Encrypted
11. The mechanism used by the IETF to document Internet standards is the ________.
12. Separating the physical devices from the logical devices is known as ________.
13. Which of the following are uses for the SSH protocol? (Multiple answers may be correct.) A. Secure remote logon
B. Secure file transfers C. Secure access to a Web site D. Encrypting data on backup tapes E. Creating a VPN connection
14. The L2TP protocol was created by the combination of these two protocols: ________ and ________.
15. When you need to securely connect to a router for remote logon, ________ would be the recommended protocol.
16. Which of the following are protocols that can be used for a VPN connection? (Multiple answers may be correct.) A. IPSec B. 3DES C. SSH D. IETF E. SSL
17. When working with IPSec in an environment using network address translation, which protocols and ports need to be open for IPSec to communicate? (Multiple answers may be correct.) A. IKE/UDP port 500 B. IKE/UDP UDP port 500 C. ESP/IP port 50 D. SSL/TCP port 443 F. AH/IP protocol number 51
18. When designing a VPN solution, which of the following areas could affect VPN performance? (Multiple answers may be correct.) A. Available bandwidth B. Client configuration C. Client patch level D. Traffic E. Topology
19. Which of the following are benefits of IPv6? (Multiple answers may be correct.) A. IPSec is defined as a native protocol. B. Support for SSL included in the standard. C. IPv6 has the ability to address a limit of 4.3 billion hosts. D. IPv6 allows plug-and-play configuration with or without DHCP.
E. IPv6 defines how to respond to incidents.
20. The ability to traverse a firewall using network address translation on port 443 is a component of which VPN protocol ________?
PART THREE
Implementation, Resources, and the Future
CHAPTER 13
Firewall Implementation
CHAPTER 14
Real-World VPNs
CHAPTER 15
Perspectives, Resources, and the Future
CHAPTER
13 Firewall Implementation
THE LOCAL AREA NETWORK (LAN) ADMINISTRATOR oversees all aspects of Internet and Web security administration. This chapter is for those professionals who don’t have enough time to dig into the more technical aspects of Internet and Web security, but need reliable options for Internet protection. Here are practical instructions to get a firewall up and running at your organization.
Chapter 13 Topics
This chapter covers the following topics and concepts:
How to construct, configure, and manage a firewall
What SmoothWall is
How to examine your network and its security needs
What the hardware requirements for SmoothWall are
How to plan a firewall implementation with SmoothWall
How to install a firewall with SmoothWall
How to configure a firewall
What the elements of firewall deployment are
How to perform testing with SmoothWall
How to troubleshoot a firewall with SmoothWall
What some additional SmoothWall features are
What firewall implementation best practices are
Chapter 13 Goals
When you complete of this chapter, you will be able to:
Install a host software firewall
Constructing, Configuring, and Managing a Firewall
Say you want to protect a small office, home office (SOHO) network of about 25 computers. Many firewall products are available for small businesses and those working from home. SOHO VPN hardware firewalls are often built on a secure virtual private network (VPN) connection to the company network to transfer e-mail and sensitive files.
In many cases, the SOHO firewalls have additional features such as an antivirus tool, IP filtering, Web content filtering, router options (router/firewall combinations), intrusion detection, and DDoS/DOS attack detection. Some of the firewalls come with a Linux or Linux-like operating system and use ipchains to manage their filter rules.
A SOHO VPN hardware firewall is the best solution when you already have a working network and want to provide remote access. For example, you may already connect your personal computers within your office. If you want to open a new office in another location, you could connect both offices with a SOHO VPN firewall at each office. It will create a secure connection to transfer sensitive data (bank information, customer information, or company-related information) from one office to the other. Another example is a mobile worker such as a salesperson working in the field. The salesperson could use the VPN’s secure connection to access company files and presentations or customer-related information directly from the company office, even when working in the field.
Recall that a firewall allows you to restrict unauthorized access between the Internet and an internal network. It exists to block unauthorized connections and keep outside attackers from penetrating the internal network. It also prevents inside connections from reaching out to the Internet without authorization. By monitoring inside users, firewalls can prevent them from sending out to the Internet sensitive information, such as personally identifiable information or sensitive corporate data.
SmoothWall
You have many choices for firewall applications. This section discusses one possible choice: SmoothWall, which supports many different network types and is a practical solution for just about any organization. SmoothWall uses colors to differentiate networks. A green network interface card (NIC) is a private, trusted segment of the network, while an (optional) orange NIC is not trusted, but does share the Internet connection. A red interface is a connection to the Internet. This could be a conventional Ethernet adapter, a dial-up modem, an Integrated Services Digital Network (ISDN), or a USB asymmetrical digital subscriber line (ADSL) or a conventional Ethernet adapter. Figure 13-1 illustrates this scenario. A purple interface indicates a wireless connection.
FIGURE 13-1
A typical SmoothWall network interface setup.
Key features of the SmoothWall firewall include:
Compatibility with a wide range of hardware and systems Flexibility and ease of use Support for multiple network zones—client local network (green), demilitarized zone (DMZ) for hosting servers (orange), wireless client (purple), and external (red)
Comprehensive reporting and logging capabilities POP3 e-mail antivirus proxy Web proxy support Snort IDS support Static and dynamic Domain Name System (DNS) support Remote access and VPN support DHCP and network time server support Powerful traffic graphs and bandwidth bars Inline proxy support for instant messaging (MSN, ICQ, Yahoo!, AOL) and VoIP with logging capabilities
Universal Plug and Play support (UPnP) Bandwidth management
Real-time graphs and traffic stats per IP System updates Outbound traffic blocking with time-based controls
Examining Your Network and Its Security Needs
According to the National Security Agency (NSA), attacks to systems connected to the Internet are becoming more and more complex and dangerous. For instance, hackers can penetrate computer systems using a variety of techniques to exploit weaknesses hidden in the complex code of many operating systems and applications.
NOTE Tim Berners-Lee started the World Wide Web while at CERN (the European Laboratory for Particle Physics). The project sought to build a “distributed hypermedia system.” The Web is a large collection of interconnected Web pages providing dynamic content documents, accessible throughout the world. Berners-Lee is still working on this project, now under the auspices of the W3 Consortium at MIT.
What to Protect and Why Internet-facing servers are accessible to people anywhere in the world who have Internet access, and these servers are often targets of attacks. They include Web servers, e-mail servers, File Transfer Protocol (FTP) servers, and more. If a server has a public IP address, it’s a potential target for hacker attack. Firewalls provide protection for Internet-facing servers. Firewalls also provide protection for internal clients. They provide a layer of protection to limit the ability of attackers to exploit system weaknesses—both hardware and software.
Imagine an organization that sells products over the Internet and processes credit card transactions. Customers insist that the merchant protect their credit card data. To do this, organizations need to address two distinct security areas:
Network security—Computers, hard disks, databases, and other computer equipment attached directly or indirectly to the Internet need protection. Firewalls serve an important role in this aspect of network security.
Transaction security—Web servers must be able to securely complete private transactions with other entities in databases accessible on the Internet. Hypertext Transfer Protocol Secure (HTTPS) is an important tool used to encrypt the transactions. Additionally, firewalls provide protection for the data. For example, it’s common for a Web server to stand behind one firewall. The database server stands behind a second firewall that restricts access to the database to only the Web server. In this scenario, the area where the Web server operates is
called a demilitarized zone (DMZ).
Network security and transaction security have four overlapping types of risk:
Risk that unauthorized individuals can breach the server’s document tree—Depending on what data resides on the server, this threat can compromise the confidentiality of documents stored there.
Risk that transaction data can be intercepted—This threat can include personal data, financial data, or credit card information.
Risk that information about the server can be accessed—If attackers learn details about the server, such as the type of server and its operating system, they may be able to identify and exploit its known vulnerabilities.
Risk of denial of service (DoS) attacks—Many different types of DoS attacks are possible. A simple SYN-flood attack withholds the third packet in the TCP three-way handshake, for example. Hundreds of these incomplete sessions in a short time can consume substantial resources on a server and even crash it.
If your organization conducts business on the Internet, you need to take steps to protect those transactions. E-commerce requires a zero tolerance for failure. Protection is not optional.
Protecting Information and Resources An organization must protect against attackers trying to access information and resources within the internal network, such as servers and workstations. Servers can host massive amounts of data that’s invaluable to attackers. Database servers may host personally identifiable information (PII) about customers, including their credit card data. Domain Name System (DNS) servers host information such as the IP addresses and names of all systems in the network.
Protecting Clients and Users Most organizations have a written security policy that outlines specific security requirements. A firewall can be useful in upholding the security policy by providing perimeter security. In other words, the firewall limits the risk of attack from hackers outside the internal network.
However, if you want to guarantee the security of an organization’s network and protect its clients’ and users’ interests, you should do the following as well:
Treat private messages as confidential—Private messages should be encrypted to ensure the message remains confidential. Encryption prevents the unauthorized disclosure of the private message.
Maintain integrity of information—Integrity methods verify that data has not changed. For example, hashing is often used to verify the integrity of messages. A hash is simply a number calculated using an algorithm on a message. No matter how many times you calculate the hash, it will always be the same as long as the data has not changed. The hash is calculated at the
source and sent with the message. The hash is recalculated at the destination on the received message and compared with the hash sent with the message. If they’re both the same, the integrity of the message is ensured.
Use strong authentication and nonrepudiation methods for all transactions—Digital signatures commonly accompany both authentication and nonrepudiation. For example, a sender can sign a message with a digital signature. The receiver can use this signature to verify the identity of the sender. In other words, the digital signature provides authentication. Additionally, since it was digitally signed, the sender can’t later deny sending it. In other words, the digital signature also provides nonrepudiation.
Preserving Privacy It’s more difficult to preserve a user’s privacy on the Internet than in the physical world. Usually, you can close your door when seeking privacy or whisper something so that others can’t hear you. But the digital era has changed things. There’s no such thing as whispering on the Internet.
When data is sent or received by a user surfing the Internet, that information can be intercepted and collected. Much of this data is stored in databases and can be made available for sale to others. Data mining methods are then used to help build customer preference profiles. From the perspective of an organization selling products, this data is valuable for identifying an individual’s buying habits and targeting advertising. However, this data can be easily misused.
The Electronic Privacy Information Center (EPIC) was established in 1994, in Washington, DC. Its goal is to alert the public on emerging privacy issues relating to the National Information Infrastructure (NII), such as the Clipper chip, the Digital Telephony Proposal, medical record privacy, and the sale of consumer data. EPIC’s mission is to preserve the right of privacy in the electronic age as well as to give individuals greater control over personal information, and to encourage the development of new technologies that protect privacy rights. EPIC can provide valuable information to IT professionals on emerging cyber laws and other privacy threats.
Preserving privacy on a corporate network may require more stringent security if you have users accessing resources from all over the world. While administrators are responsible for setting up security policies to guarantee users’ privacy, each user accessing the company’s network is responsible for browsing the Web with ethical regard for others. They also should be aware of information they may reveal while accessing resources from outside of the network.
Typically, most network servers (and Web servers) log all the hits they receive. This log usually includes the IP address and/or the host name. If the site uses any form of authentication, the server will also log the username. If the user filled out any form during the session, all the values of any variable from that form will be also recorded. The status of the request, the size of data transmitted, the user’s e-mail address, and so on can also be logged. Moreover, Web servers can make all this information available to Common Gateway Interface (CGI) scripts. Since the majority of Web browsers are running on single-user PCs, very likely all the transactions can be attributed to the individual using the PC.
TIP
If you want to know more about EPIC, you can check out its Web page at http://epic.org/.
Revealing any of this information can harm the user. This is especially true if the user has logged any PII. Attackers can use PII for identity theft. Some PII may allow an attacker to access bank accounts or fraudulently charge credit cards. As a subtler example, if a user researches a job opening opportunity at a site, it may indicate that the user is searching for a new job. Browser lists, hotlists, and caches can also reveal certain patterns about the user.
A proxy server, for instance, will track every single connection outside the Web by IP address and the URL requested. If you install a proxy server within an organization, data needs to be protected so that only authorized individuals have access to it.
Firewall Design and Implementation Guidelines When deciding to install a firewall, you should consider several basic decisions before going ahead with the project.
Before you start thinking about the type of firewall you want to use, where to install it, and how to deploy it, you should make sure you have a guideline in hand. You need a policy that will set the security standards for the network, including the rules users and system administrators will follow and the security strategy configuration you plan to deploy.
Many security policies have a special section just for the firewall, outlining how to configure and use it. For example, many organizations recognize that every service and protocol allowed through the firewall represents a risk. By blocking traffic that isn’t needed to support the organization, these risks are eliminated. A simpler route is to just monitor the activity at the network and Web server, but it may subject the network to risks you can easily avoid.
Be prepared to face a situation where the final design of the firewall may involve political issues from upper management and other departments of the company. For example, the security policy may state that the Network News Transfer Protocol (NNTP) is not essential for the organization. You would then design the firewall to block all NNTP traffic. But even though it may not be essential, upper management may decide to allow the traffic.
Once you decide on the design, then you need to identify a firewall that can meet your needs. You’ll need to consider several items including:
Suitability—Can the firewall implement the policy? Flexibility—Is it easily reconfigurable? Training—Is training required and if so, what is the cost? Need—Make a list of traffic you want to allow, filter, or block. This is often derived from the organization’s security policy.
Risk—Make a separate list of all the risks in the network based on the traffic allowed.
FIGURE 13-2
Simple firewall solution.
Cost—Add the “need” and “risk” lists up and find out how much it will cost to provide everything. You then need to divide this result by available financial resources, and you will have a clear picture of how much it will cost to implement your ideal firewall system. The result may even point out the likely type of firewall you must purchase. Many times, you’ll find you must reevaluate your needs so that the plan is more realistic, from both the security and financial perspectives.
You can recommend a firewall solution that costs almost nothing or a solution that may cost hundreds of thousands of dollars. You need to balance the security needs with the resources within your organization.
On the technical side, you need to decide how you want to configure the firewall and what strategy you’ll use. Figure 13-2 shows a simple firewall solution with one network firewall and all resources placed behind it.
This method is generally not recommended for organizations that host Internet-facing servers such as e-mail servers or Web servers. These servers can go behind this single firewall and you can configure the firewall to direct Internet traffic to the servers using port forwarding. However, this exposes the internal network to potential threats from the Internet. If you instead put your Internet- facing servers directly on the Internet, you expose them to threats of attack from anywhere in the world.
An alternative for organizations that have Internet-facing servers is to use a perimeter network. Figure 13-3 shows one example. The firewall has three connections: one to the Internet, one to the internal network, and one to the perimeter network. This is also known as a bastion host.
In this solution, the firewall will direct traffic destined for the Internet-facing servers to the servers on the perimeter network. Unrequested traffic from the Internet will be blocked from entering the internal network.
FIGURE 13-3
Multi-homed firewall used for a perimeter network.
The third solution uses two firewalls to create a DMZ as shown in Figure 13-4. This provides several benefits. The two firewalls provide an additional layer of security for the internal network. If the Web server accesses a database, the database server can go in the internal server for better protection. Internet users won’t be able to access the database server directly.
Many organizations use two different brands for their different firewalls. If a flaw or vulnerability appears in one, it’s unlikely the second firewall will be vulnerable at the same time. Additionally, an attacker may be an expert on one brand of firewall, but it’s less likely that the attacker has the same level of expertise for two separate brands.
Remember, though, you need to balance the needs of the organization with the security requirements. While it’s a true a DMZ provides more protection than a single firewall, it also costs more.
FIGURE 13-4
Two firewalls used to create a DMZ.
Selecting a Firewall Before you select a firewall, you should make sure that your organization has created a written security policy. You would then select the firewall that can fulfill and comply with the policy. When
evaluating firewalls, take the time to evaluate the levels of security they provide. Quite simply, some are better than others, and a high cost doesn’t necessarily mean high quality.
The basic concept of any firewall is the same, so you should evaluate a firewall based on the level of security and features it offers. First and foremost, the firewall should be able to fulfill and comply with your security policy. Some other characteristics to consider are:
Security assurance—Independent assurance that the relevant firewall technology meets its specifications.
Privilege control—The degree to which the product can impose user access restrictions. Authentication—The ability to authenticate clients and allow different types of access control for different users.
Audit capabilities—The ability to monitor network traffic, generate logs, and provide statistical reports. Logs may include both authorized traffic and unauthorized attempts and may be able to trigger alarms in response to certain events.
When considering the features, consider the product’s ability to meet the needs of the organization. A good firewall product should provide:
Flexibility—The firewall should be open enough to accommodate the security policy of your organization, as well as allow for changes. Security policies can change, and security procedures should also be able to change and adapt to different needs.
Performance—A firewall should be fast enough that users don’t notice the screening of packets. The volume of data throughput and transmission speed associated with the product should be reasonable and consistent with the organization’s network bandwidth to the Internet.
Scalability—Firewalls should be able to handle additional workload. The additional workload can be due to growth within the organization or due to increased use of the Internet connection.
When considering integrated features, consider the ability of the firewall to meet your network and users’ needs. This includes:
Ease of use—The firewall product should ideally have a graphical user interface (GUI), which simplifies the job of installing, configuring, and managing it.
Customer support—Vendors that sell firewalls provide support for them. This includes providing prompt access to technical expertise for installation, use, and maintenance. It also includes training.
FIGURE 13-5
SmoothWall topology.
Hardware Requirements for SmoothWall
As mentioned previously, one of the main advantages of SmoothWall is that it will run on a variety of hardware. It’s recommended you use a machine that is 166 MHz or faster. In any case, you will need at least two network cards (NICs) in your SmoothWall machine, as firewalls traverse two or more network connections. You may or may not need a crossover cable as well. The Dell Powerconnect 2650 switch performs auto-sensing, so there is no need to use a crossover cable. This is common with many switches today. Figure 13-5 depicts the topology of SmoothWall.
The minimum requirements for a computer running SmoothWall are:
Processor running 166 MHZ or greater 512 MB PC133 synchronous dynamic random access memory (SDRAM) 20 GB hard drive Two NICs
Planning a Firewall Implementation with SmoothWall
As a software appliance, SmoothWall will convert a computer server or PC into a dedicated hardware security appliance, running the security-hardened Linux operating system and all other necessary software. When planning a firewall, you should use standard hardware, typically from major manufacturers such Dell, HP, or IBM, which will provide you with considerable benefits including:
Flexibility—You can easily add RAID, redundant power supplies, additional RAM, and a range of network interface cards.
Performance and value for the money—The average desktop PC will have many times the processing power and memory complement of most mid-range hardware firewall appliances. Office PCs have become a commodity, offering exceptional value for the money.
Support—The major PC manufacturers can support their products virtually anywhere in the world, including rapid, on-site repair or replacement if the customer requires. Alternatively, in most major cities, several computer support companies also support such hardware. In contrast, the support available for smaller manufacturers’ equipment is often limited to repairs done after you’ve had to ship the machine back to the factory.
What kind of firewall is right for an organization? Truthfully, no single correct and definite answer exists. A security policy developed by a Fortune 500 company certainly will not be suitable for a small business owner (and vice versa).
The following are brief fictitious scenarios to illustrate different firewall designs to meet different needs.
Firewalling a Big Organization: Application-Level Firewall and Package Filtering, a Hybrid System Employees at Other People’s Money, Inc. (OPM) access the Internet on a daily basis for a wide variety of different business purposes. Additionally, they host a Web server that has a high volume of access from OPM customers. Finally, mobile workers use a VPN server to access internal resources.
OPM might decide a DMZ with two application-level firewalls and packet filtering is adequate for its needs. The Web server and VPN server would go in the DMZ so that they are accessible from the Internet, but the internal network has additional layers of protection.
Firewalling a Small Organization: Packet Filtering or Application-Level Firewall, a Proxy Implementation Imagine a smaller organization that requires Internet access by employees, but doesn’t host a Web server or a VPN server. All users in the organization require access to the Internet, and they need a layer of protection against Internet-based attacks.
A proxy server or a firewall such as SmoothWall would be enough. All users could access the Internet through the SmoothWall firewall, and it would provide protection against external attacks. While SmoothWall was the example examined in depth in this chapter, many other products can provide the same level of service for a small organization.
Firewalling in a Subnet Architecture Imagine a larger organization with multiple subnets. They may want to limit specific types of traffic within subnets. For example, they may want to ensure that traffic within a specific subnet is encrypted with IPSec. Additionally, they may want to allow NNTP traffic on one subnet, but not on others.
You can configure routers to provide basic packet filtering. In other words, they can block or
allow traffic based on IP addresses, ports such as port 119 for NNTP, and some protocols such as ICMP or IPSec.
If the organization wants to protect subnets within the network, basic packet filtering provided by routers might be the most appropriate choice. This model supports each type of client and service within the internal network. No hardware or software modifications or special client software would be necessary. The access through the routers used as packet-filtering firewalls is transparent for both the user and the applications. The existing routers can handle the packet filtering. This solution doesn’t require the purchase of a host or firewall product. Buying an expensive UNIX host or firewall product would be unnecessary.
Installing a Firewall with SmoothWall
The installation of SmoothWall is easy. As long as you ensure you have the computer BIOS set to boot from a CD, the installation process will begin automatically. SmoothWall Express runs on a workstation with a bootable CD-ROM drive. After booting, it will automatically check the workstation and hardware components.
The common interfaces on the installation screen of SmoothWall are listed below:
Red—Internet. This interface is protected by the iptables firewall rules. Orange—Filtered/special purpose. This is commonly used for a DMZ or other special section you want to allocate.
Green—Trusted network. All traffic is permitted to and from this interface.
WARNING During the installation process, SmoothWall will delete all data you may have on your hard disk. So, before you start the installation, ensure that all valuable data is safely backed up.
Note the green + red configuration. The green interface card connects to the internal network and the red interface to the external network. If you have a different setup or hardware, please use the appropriate configuration.
At this point, you should read the information that appears on the following screen and press the Enter key on your keyboard.
Next, you should see the screen alerting you that your hard drive will be prepared for installing the firewall.
If you have two of the same NICs, you may want to pay attention to the Media Access Control (MAC) addresses so you know which cable to connect to the modem and which one goes to your switch. If your red interface connects to an ISP, ensure you configure it based on the requirements of the ISP. For example, some ISPs will assign manual
IP addresses, while others use DHCP. When DHCP is used, all the Transmission Control
Protocol/Internet Protocol (TCP/IP) configuration information such as DNS, gateway, and IP address happens automatically.
The green interface should have a static IP (such as 192.168.0.1) to connect to the internal network. Once you have the interfaces set up correctly, it’s time to reboot the computer. Also, it’s very important that you power-cycle the modem. Often, ISPs will assign a different IP when the MAC address of the device attached to the modem changes.
When configuring the NICs for the green and red interfaces, you can use static IP addresses for both interfaces.
Now you will need to set up the DNS and default gateway accordingly. Next, enter the SmoothWall admin password. You will need it for logging into the Web interface
later. Then, set up the root password. At this point, the setup of SmoothWall is complete and your network should be protected. You
should see a screen showing that the installation is complete. Remove the CD and restart SmoothWall.
TIP An excellent Web site is available that will walk you step by step through SmoothWall installation: http://www.linux-tip.net/cms/content/view/316/26/.
Configuring a Firewall with SmoothWall
Once you have finished installing SmoothWall, you will have to configure the firewall via a Web browser. The interface is clean and well laid out, and works well with Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer. Once you reboot the computer, you can access it via a browser from a Web interface (usually https://192.168.0.1:441) to start configuring the firewall. SmoothWall Express version 2.0 added the ability to use HTTPS. You can also access it using port 81. Without logging in, you should be able to see part of the management menu, the version, and load averages.
Since the install connected the red interface to the Internet, your first access of the home page should lead you to the following message: “There are updates available for your system. Please go to the ‘Updates’ section for more information.” You will find the Updates menu item under Maintenance.
At this point, if you want to verify or change anything, you must log in. During the configuration process you were asked to specify some passwords. To log in to the Web interface, you must use admin as the username and the password you specified. Logging in as root will work only over Secure Shell (SSH) or from the console. You cannot log in as root using the Web interface.
For most scenarios, the out-of-the-box SmoothWall installation should work without any additional configuration. But additional customization can bring out the real power of SmoothWall features. The Services tab allows you to monitor each advanced feature, including time, remote access, intrusion detection, dynamic DNS updates, and proxy services. Some services such as SSH access services are not started by default. Interestingly, ICMP is configured to reply to both external
and internal ping requests, making the firewall susceptible to DoS attacks. The Networking tab exposes the interface settings, IP address blocking, timed access, and traffic
rules. Incoming and outgoing rules are easy to create and maintain. You can view the status of the system at all times with various options. Configuration and resources appear in text form. You can also view a summary screen of all the services running on the SmoothWall system (computer).
In the quality of service (QoS) configuration section, you can use drop-down boxes to select upload and download connection speeds and enable the service. The QoS engine prioritizes different types of traffic to make the connection speed seem faster. The settings are combo boxes, which makes them understandable even to non-technical users. By default, instant messaging traffic is set to low priority, VPN traffic to normal, and gaming traffic to high.
Elements of Firewall Deployment
At this point, you should start thinking about deploying the firewall and about the services you want it to run. You should pay special attention to the Services tab. You have the ability to run:
Web cache/proxy (SQUID) DHCP server DDNS (for dynamic IPs) Intrusion detection system (Snort) Secure Shell (Open SSH)
To enable the Web proxy, you must select it by checking the box. The Web proxy information needs to be changed.
The Transparent option simply means that every client on the network will be forced to connect through the proxy server. Browser settings will not need to be changed, and the clients will not even know they are using the proxy. You should change the cache size from 50 to 5000 MB. You shouldn’t change the other options, as caching objects too large or too small can create problems.
One of the great features of SmoothWall is the ability to view network usage. You can view graphs of network traffic generated by RRDtool (round robin database tool) every five minutes.
You can also view the logs of Web usage through the proxy. You can even dig further by filtering the log by IP. This way, you can see all the Web sites visited by a certain IP (or user).
Performing Testing with SmoothWall
To test SmoothWall’s ability to mitigate attacks, you can enable Snort intrusion detection software and run a few attacks against the firewall over the red interface. For example, you can use Nmap, the Metasploit framework, and some other port scanning and attacking tools. In all cases, the firewall should be able to deal with them. The Snort and firewall logs should identify most types of attacks, the IP address of the attacker, and the time and date of the attack. SmoothWall’s IP lookup feature can
determine and report the origin of an attacker.
TIP ICMP may be blocked by the host you ping. If the ping fails, consider pinging another host that you know will respond.
Once SmoothWall is up and running, the next step is to test its ability to access Internet resources. You should first ensure you can access the Internet from the SmoothWall box. To do this, run the following command: ping www.google.com
ping www.google.com
If you get a successful reply, it means your host can access the Internet. Now, if you have an internal client configured, try to ping one by running the command,
substituting the actual IP address of an internal client. An example would be:
ping 173.16.0.1
You can also test a client’s ability to traverse the firewall. Start a Web browser on a client system and enter the IP address of the SmoothWall router. For example, if the IP address for the green NIC on the SmoothWall machine is 172.16.1.95, then you would enter http://172.16.1.95 in the location bar of the browser. You should be able to see the SmoothWall startup screen. If you see the screen, then the firewall is up and running. Next, try to access any Web site to confirm that you can surf the Internet. If you encounter problems accessing the Internet, try the following:
Check the TCP/IP settings on the SmoothWall host. Make sure all of the addresses and subnet masks are correct.
Make sure the NIC accessing your ISP (red) is the correct card. Some ISPs will provide access only when the MAC address on the NIC is correct.
Check the TCP/IP settings on the client computer.
Firewall Troubleshooting
Sometimes, right after installing SmoothWall, you may have problems being able to SSH into the system. This is typically because port 22 is not open. In this case, you should make sure that SSH is enabled and that port 22 or 222 is open. This enables you to tunnel different SSH connections at the same time.
One small disadvantage of using SmoothWall from the console is that some traditional Linux tools are modified. For example, some shell commands such as whereis and locate are not included, which can make it a little hard to find items. Also, config files are stored in non-traditional Linux locations,
and partitions are not named according to standards. For instance, the snort.conf file is stored in /etc and the squid.conf file is stored in /var/SmoothWall/proxy.
If you are still having trouble with the networking aspect of the firewall during the configuration process, you still have access to traditional tools such as ping, traceroute, and tcpdump. They are all useful in determining what your network problem may be. Another factor to watch for is the crossover cable. Some networking devices require a crossover cable when they are connected together, while others have auto-sensing capabilities and will automatically switch to crossover mode even when you’re using a regular cable. The cable from your green interface may or may not need to be a crossover cable.
While SmoothWall does not natively contain an FTP server, you can still transfer files to and from the system via SCP/SFTP. To do so, you simply need to connect to port 22 or 222 with a client such as WinSCP3, which is nearly the same as using another FTP client.
Additional SmoothWall Features
SmoothWall is a versatile product that gives power to network security administrators, allowing them to decide how to control their networks by making it easy to do so.
The Web-based GUI is clean and easy to read, and provides a wealth of information about the status of a network’s traffic and security. The Web-based interface is organized into broad areas with tabs that allow navigation for specific features. You can run SmoothWall as a proxy server or a DHCP server, forward ports to machines in the green zone, and more. You can even set up advanced proxy server features such as per-user authentication and delay pools. Larger organizations may want to use a dedicated proxy server to get these functions, however.
You can configure the address range, WINS server, and static hosts for the DHCP server. You can specify dynamic DNS, offer remote access for SHH, and synchronize with a Network Time Protocol server. SmoothWall also lets you enable Snort, a popular open source intrusion detection system.
Some of the network settings you can control include:
Port forwarding—This allows you to forward a port from the firewall to a machine inside the green or orange zones. You can use this feature to hide your Web servers behind a single IP address.
External service access—You can access any services running on the SmoothWall machine by opening the ports you need.
DMZ pinholes—As the name implies, this allows you to open a pinhole from the DMZ to the green zone. This is useful if your external servers need to communicate with servers inside the green zone. For example, your Web server may need to communicate with a database server inside the green zone.
PPP settings—You can set up various profiles, configure up to four modems, and use dial on demand.
IP block—You can ban specific IP addresses or ranges.
Firewall Implementation Best Practices
You must keep the firewall and your protected network logically secure. Sound security logic should be the starting point in putting together a security policy that will use secure systems such as Kerberos, IPSec, and many others. The requirements to run a secure firewall, such as SmoothWall, also include a series of good habits that administrators should cultivate. It’s a good policy to try to keep the strategies simple so that the system is easier to maintain.
Most bastion hosts and firewall applications have the capability to generate traffic logs. You can record user-browsing patterns on these servers. This may include information about the users, their connections, their address, or even specifications about their organization. These logs usually include:
The IP address The server/host name The time of the access The user’s name (if known by user authentication or, with UNIX, obtained by the identd protocol)
The URL requested The data variables submitted through forms users usually fill out during their session The status of the request The size of the data transmitted
CHAPTER SUMMARY Firewalls provide protection from Internet threats to servers and workstations. They can be configured to allow only specific traffic based on what an organization wants to allow. Organizations typically define what traffic is acceptable in a comprehensive, written security policy. IT professionals then identify a firewall solution that can fulfill and comply with the policy within the established budget.
SmoothWall Express is an Internet firewall that can protect an organization’s network. This chapter demonstrated how to configure and use a firewall such as SmoothWall using a Web- based GUI. SmoothWall is an open source firewall, requiring no knowledge of Linux to install or use. SmoothWall turns any typical PC into a network appliance whose sole function is to route network traffic to and from the Internet, assign IP addresses, and protect the private side of the network from intrusion.
KEY CONCEPTS AND TERMS Asymmetric digital subscriber line (ADSL) Clipper chip Common Gateway Interface (CGI) script Electronic Privacy Information Center (EPIC) Integrated Services Digital Network (ISDN) Kerberos National Information Infrastructure (NII) National Security Agency (NSA) RRDtool (round-robin database tool) Synchronous dynamic random access memory (SDRAM) tcpdump traceroute
CHAPTER 13 ASSESSMENT
1. The following are all key features of SmoothWall, except: A. POP3 B. Static and dynamic DNS support C. Cybercash support D. Snort IDS support E. DHCP and network time server support
2. According to the ________ ________ ________ , attacks to systems connected to the Internet are becoming more and more complex. A. National Systems Agency B. National Security Agency C. Central Intelligence Agency D. Navy Security Agency E. Federal Bureau of Investigation
3. Firewalling involves two distinct areas that must be protected: A. Network and transaction security B. Access and controls
C. File sharing and printing capabilities D. Access to the Internet and from the Internet E. None of the above
4. The ________ was created to alert the public to the emerging privacy issues relating to the National Information Infrastructure. A. EDIP B. EPIC C. NII D. CERN E. W3C
5. The following are characteristics you should be looking for in a firewall, except: A. Security assurance B. Privilege control C. Digital switches D. Authentication E. Audit capabilities
6. A good firewall product should provide: A. Flexibility B. Performance C. Scalability D. All the above E. A and C
7. The following are all characteristics of SmoothWall firewall, except: A. It is a simple Linux kernel. B. It cannot use iptables to control and route traffic. C. It is built to run as a dedicated firewall/router. D. It provides a way to gain extra capability with NAT. E. It runs on a variety of hardware.
8. The following are all common interfaces used by SmoothWall, except: A. Green: Trusted network B. Blue: DMZ connection C. Red: Internet D. Orange: Filtered/special purpose
9. The following are attributes of a minimum hardware specification to run SmoothWall, except: A. 512 MB PC133 SDRAM B. 20 GB hard drive C. 10/100 on-board NIC D. AMD Duron 1100 E. Flat LCD screen
10. To install SmoothWall, you need to make sure the computer BIOS is set to boot from a CD. True or False?
11. In a typical SmoothWall firewall installation the green interface should have: A. A static IP B. Software bugs but not flaws C. Dynamic addressing D. Proxy servers connected to it E. Internal code connecting to an external service
12. When configuring the NICs for the green interface, it is advisable to use ________. A. Capacity planning B. Maximum utilization C. A static IP address D. Wirespeed settings E. Factory defaults
13. Which of the following is not related to SmoothWall offered services? A. Web cache/proxy B. Fingerprint authentication C. DHCP server D. DDNS E. Intrusion detection system
14. What does the Transparent option do when you configure Web proxying in SmoothWall? A. It allows you to create a tunnel mode. B. Every client on the network will be forced to connect through the proxy server. C. Every client on the network will be waived access to the network. D. The proxy server is in stealth mode. E. Collisions on the network are not seen.
15. SmoothWall does not work well with Mozilla Firefox and Google Chrome. True or False?
16. The following are services found in the Services tab of SmoothWall, except: A. SQUID B. Web cache/proxy C. DDNS D. Diskcopy E. SSH
17. The following are tools you can use when troubleshooting a firewall installation, except: A. ping B. traceroute C. robocopy D. ipconfig E. tcpdump
CHAPTER
14 Real-World VPNs
VIRTUAL PRIVATE NETWORKS (VPNs) are a key technology and component in today’s computer security environment. Recall that the Internet is open to virtually any user, while an intranet is open only to individuals within your organization. A third kind of network is the extranet. Extranets lie somewhere between the Internet and an intranet.
Companies use extranets to connect with suppliers and customers, two constituencies that are essential to business processes. Extranets usually use VPN technology to ensure confidentiality and integrity of information. VPNs are becoming an increasingly important component of any successful business’s information technology plan. VPNs can substantially enhance the technological architecture of any organization’s network through the use of efficient and flexible collaborative technology.
In this chapter, you’ll learn how to do a complete VPN installation at your organization, from operating systems and VPN appliances to remote desktops.
Chapter 14 Topics
This chapter covers the following topics and concepts:
What operating system-based VPNs are
What VPN appliances are
What a remote desktop protocol is
How to use remote control tools
How to perform remote access
What terminal services are
What Microsoft DirectAccess is
What DMZ, extranet, and intranet VPN solutions are
What Internet café VPNs are
What the online remote VPN options are
What the Tor application is
How to plan a VPN implementation
What VPN implementation best practices are
Chapter 14 Goals
When you complete this chapter, you will be able to:
Create a remote control VPN using Remote Desktop
Evaluate hardware VPN devices
Experiment with Tor
Set up an Internet café VPN client
Assess online remote control products, such as GoToMyPC and LogMeIn
Configure an IPSec VPN
Operating System–Based VPNs
An operating system–based VPN is very convenient because you can refer to remote servers by their assigned Internet Protocol (IP) addresses, rather than use network address translation (NAT). This avoids problems inherent in connecting to servers behind a many-to-one NAT configuration. You can choose from several ways to install a VPN using computers running commercial operating systems. You can configure a VPN connection from a client computer using a variety of operating systems, including Windows XP, Vista, Windows 7, Linux, and UNIX.
A VPN is a hardware and software solution for remote workers, providing users with a data- encrypted gateway through a firewall and into a corporate network. VPNs were once practical only for large businesses. Today, however, most businesses—large and small—can afford the technology, and VPNs are becoming increasingly popular in the small to midsized business market. VPNs are ideal for companies with telecommuters, satellite offices, or employees who travel and need to connect to the corporate network via the Internet. If used properly, VPNs block hackers attempting to access your network to steal sensitive data. They can also save your organization a lot of money on long-distance phone calls.
As a data-encrypted tunnel over the Internet, a VPN can offer a robust and secure Internet connection for your organization. It can also be a cheap alternative to a dedicated phone line. Some solutions for small companies start as low as $200. How can you know if your organization needs a VPN? That depends on some key factors you should consider before deciding to use a VPN:
Does your organization traffic in sensitive data? For most businesses, the answer is probably yes. Most companies have customer information and records, financial records, and proprietary information in their internal networks that merit protection. On the other hand, if
your organization stores its sensitive data offline or you don’t have anything online of interest to hackers, perhaps your organization doesn’t need to invest in a VPN.
Does your organization employ telecommuters, traveling employees, or other remote workers? If so, a VPN can provide two main advantages: It can offer secure network access to employees away from the office, traveling or working off-site, and it can extend the corporate network to them, enabling them to remain productive outside your office.
Does your company already use Secure Sockets Layer (SSL)–encrypted Internet pages? Some companies using Microsoft Exchange servers for e-mail, for example, may already have the encryption protection necessary for remote workers—at least for accessing their e-mail (via Outlook Web Access). In this case, the VPN is a built-in feature of the operating system. Businesses without sensitive information can use operating system–based VPNs and Web- based alternatives to a VPN for authentication and encryption, though these may be less secure.
Does your organization have more than a few employees? A VPN may be an expensive solution for a company with fewer than five employees, so some alternatives might work better for such an environment.
Suppose you’ve considered these issues and concluded that your organization does need a VPN. In this case, here are six further important factors to consider:
Consider the difference between a VPN based on customer premise equipment (CPE) and one based on an operating system. A CPE solution represents the majority of VPNs on the market and is commonly referred to as a VPN appliance. This solution is easy to set up, manage, and maintain. Windows Server 2008 Network Access is an example of an operating system–based VPN. If you have a server running Windows Server 2008, you can install the Network Policy and Access Services role and configure the server as a VPN server. This requires some expertise with Windows Server 2008 and can be a little more challenging than a CPE solution. However, the operating system–based VPN can be cheaper and easier to manage than a CPE.
Should you install the VPN yourself or use a managed service? Any competent IT staff can probably install leading commercial products from vendors such as Cisco or SonicWall. While the DIY approach provides more control over setup and usage, installing a VPN incorrectly can inadvertently open a security hole in your organization’s network. In addition, the administration and management of a VPN in-house can sometimes be complicated. Telecommunications companies such as Qwest, Verizon, and BellSouth, as well as several Internet service providers, offer managed security solutions that can save you time and money.
Do you have a firewall? A VPN cannot replace a firewall. Some administrators tend to use a VPN instead of a firewall, which is not a smart choice. The purposes of a VPN are to create an encrypted tunnel or gateway through your network’s firewall and to keep out hackers. The VPN encrypts the pieces of data, but the firewall still protects the internal network from outside threats. A VPN without a firewall doesn’t make good security sense.
Do you have an operating system–based VPN? Regardless of the strategy you end up using, make sure you have an IPSec (Internet Protocol Security)–compliant operating system. IPSec
is a VPN-supporting technology included in Windows XP, Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Used with compatible VPNs, IPSec guarantees the authenticity, integrity, and confidentiality of network traffic. Interoperability with a VPN may be an issue with Macintosh systems or some variants of UNIX or Linux. If you decided to buy a VPN, make sure it is compatible with your operating system.
Do you have a wireless local area network (LAN)? The VPN should operate securely with it. A VPN can enhance the capabilities of a wireless LAN, but improperly layering a VPN on a wireless network can result in security holes. One method places the wireless LAN outside the firewall, hosting the VPN behind the firewall to ensure security. Otherwise, wireless network traffic can access systems behind the firewall, canceling the benefits of the VPN. Many organizations use layered firewalls so that the wireless network is protected from the outside while restricting access to the inside. In essence, the LAN operates in what is called a demilitarized zone (DMZ).
Can your organization tolerate a potential decrease in network performance? A VPN may cause a performance lag for internal users accessing the Internet. This happens when 10 to 15 percent of the Internet bandwidth serves as security overhead. While VPNs are great for setting up a secure connection, they can take a measurable toll on connection speed. The tradeoff is that VPNs are worthwhile investments for providing a secure connection for remote and traveling workers.
VPN Usage in Organizations VPNs serve an organization’s computer network in two primary ways. They give remote users access to internal networks or they connect two separate offices. These are the host-to- gateway model and the gateway-to-gateway models:
Host-to-gateway VPN—In a host-to-gateway VPN, the mobile user takes specific actions to connect to the VPN. For example, the mobile user would first connect to the Internet from a remote location outside the organization. Once connected to the Internet, the user could then initiate the VPN to tunnel through the Internet. The VPN appliance or server then acts as a gateway for the user to access resources on the internal network.
Gateway-to-gateway VPN—A gateway-to-gateway VPN is used to connect two offices in different locations. For example, an organization could have a main office in Virginia Beach and a remote office in Miami. VPN appliances or servers can operate in both locations with an always-on VPN connection between them. Now users in Miami can connect to resources in Virginia Beach using this gateway-to-gateway model. In this model, users in the remote office don’t need to take any additional steps to connect. The gateway-to-gateway model is also called a site-to-site model.
VPN Appliances
One of the easiest and most cost-effective ways to provide secure access to a network is to purchase an inexpensive VPN appliance and set it up, which will take about an hour of your time. VPN appliances can make secure remote access easy.
When considering the purchase of a VPN appliance, ensure that you have the required complementary hardware in place. First, the VPN appliance must have access to the Internet. Remote users will use the public IP address assigned to the appliance to connect to it. Second, the VPN server must have access to the internal network. It will use internal routing to connect remote users from the Internet to the internal network. Of course, resources in the internal network must be on and available for the VPN users to access them.
Not long ago, VPN appliances were expensive and required client licenses for each computer in addition to the appliance itself. VPN technology was too expensive for all but the largest companies. But new products make it possible to install a VPN appliance on virtually any size network for budget-minded organizations and small office, home office (SOHO) networks. For example, Buffalo Technology’s 125 High-Speed Mode wireless secure remote gateway is a VPN gateway/firewall router and a wireless access point rolled into one neat package. Another great product is the Linksys WRV54 Wireless-G VPN broadband router, a similar product that provides robust protection for your network. You should know that some VPN appliance products on the market are designed for home installations. While these products are very easy to install, they allow only a very limited number of accounts and some of them provide relatively slow access.
Configuring a Typical VPN Appliance Most VPN appliances are designed for simple and quick installations, with plenty of wizards and an automated setup that makes it easy even for non–computer-savvy people. All you typically need to do is to plug the appliance into your network between your ISP provider’s connection and your internal network. If your network does not have a router or hub, this device can serve that purpose as well. Once you turn on the VPN appliance, you can use any computer on the network to log on to a Web page, complete your configuration, and add user access accounts.
While VPN appliances are a secure technology, you need to take basic security measures to preserve the security of your network and remote connections. When you are configuring user account access on the VPN gateway system, for instance, always change the default settings and never use the default passwords. Also, you should give each VPN user an individual access account. In practice, that means if an employee leaves the company, you don’t have to change the access passwords for everyone—you just turn off the associated account.
Client-Side Configuration Once you have configured your appliance, you will need to configure the software on the computers (clients) connected to the network. The systems designed for small installations assume that you will use Microsoft or Macintosh VPN client software. Some variants of Linux and UNIX may have built-in
client VPN software. Adding a VPN appliance to your office network gives you a remote access solution that lets you
and your staff be more productive from anywhere in the world. Not a bad return on a few hundred dollars and an hour of your time.
Remote Desktop Protocol
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to another computer. The protocol is an extension of the ITU-T T.128 application-sharing protocol. Clients exist for most versions of Microsoft Windows, Windows Mobile, Linux, UNIX, Mac OS X, and other modern operating systems. By default, RDP uses TCP port 3389.
Remote Desktop Connection (RDC) is a built-in application that uses RDP. When RDC is enabled, you can connect to another computer, log on, and perform almost any action as if you are sitting in front of the remote computer. You can do this from a desktop PC to another desktop PC using the same operating system. In large organizations, administrators commonly use this to remotely manage servers from their desktop PCs.
RDC must be enabled on the remote computer. In most Windows operating systems, you do this by right-clicking Computer in Windows Explorer or in the Start menu and selecting Properties. You then change the Remote settings to allow remote desktop connections. This also opens port 3389 on the remote computer. If the connection goes through a firewall, port 3389 must also be open on the firewall. You can launch RDC differently in different Windows operating systems. However, one method that works in all current Windows versions is to type MSTSC at the command line. The initials represent Microsoft Terminal Services Connection.
The client can run other operating systems, such as Mac OS, Linux, or UNIX, as long as the terminal services protocol is supported. When connecting to Windows Server 2008, Windows Vista, or newer systems, you’ll need to weaken security to support the non-Microsoft clients.
GoToMyPC is another remote desktop technology that allows you to remotely access your computer from any other Internet-connected computer in the world with almost any operating system through a secure, private connection. The application is ideal for organizations that need remote desktop access for up to 20 computers. It’s an easy and secure remote-access solution that enables you to conveniently access e-mail, files, programs, and network resources from home or the road.
NOTE Microsoft changed the name of Terminal Services to Remote Desktop Services in Windows Server 2008 R2. However, the MSTSC command still works. It’s also worth noting that Terminal Services and Remote Desktop Services have much broader usage than just connecting to remote desktops. For example, you can use these services when a Microsoft server is configured as VPN server.
Using Remote Control Tools
As companies continue to expand their networks and increasingly use remote offices and telecommuting, they need the ability to manage devices from virtually any location.
Microsoft has offered a built-in remote control solution called Remote Assistance for modern operating systems since Windows XP. It allows help desk professionals or other IT administrators to remotely control a user’s system, while the user is watching.
For example, a user may not know how to configure an application. The user calls the help desk for assistance. Instead of trying to talk the user through the steps, the help desk pro can show the user how to do it. The help desk pro can use Remote Assistance to take control of the user’s desktop. While connected, the helper will have control of the user’s desktop as long as the user allows it. The user is able to disconnect the helper at any time.
While the built-in Remote Assistance is great as a free tool, it doesn’t meet the needs of every organization. Several third-party tools are available that can provide additional features. For example, Symantec offers pcAnywhere as a solution for organizations to access and securely manage remote computers.
The pcAnywhere program supports multiple platforms for both host and remote systems, including Windows (including Vista and Windows Server 2008), Linux, and Mac. Systems can also be securely accessed from Windows Mobile/Pocket PC devices and Web browsers. The application allows organizations to easily connect to servers and endpoint devices.
Some of what pcAnywhere offers:
A feature-rich, secure, reliable remote control solution. Compatibility with a heterogeneous host and remote platform support across Windows, Linux, and Mac OS X. All hosts can also be accessed from Microsoft Pocket PC devices or Web browsers.
Support for 64-bit environments. A gateway option that enables real-time discovery of and connection to multiple devices behind firewalls and NAT devices, which mitigates private and dynamic IP.
Using Remote Access
VPNs allow remote users to connect to a private network over a public network. The private network is the organization’s internal network. The public network is often the Internet, but it’s also possible for an organization to use leased lines from a telecommunications company to create the VPN connection.
Remote users can be:
Salespeople on the road Field technicians
Consultants working in customer work sites Anyone who needs to have access to internal company resources while away
Since data transmits over a public network, you need to protect it. VPNs use tunneling protocols to establish secure connections. These tunneling protocols include different types of encryption to protect the data.
The Technology for Remote Use Several protocols support VPNs. These include:
Point-to-Point Tunneling Protocol (PPTP)—This protocol supports Microsoft’s remote access servers and has known issues. It uses Microsoft Point-to-Point Encryption (MPPE). While PPTP is still used for some remote access solutions, IPSec and SSL-based solutions are replacing it.
Layer 2 Tunneling Protocol (L2TP)—Cisco and Microsoft collaborated to create this by combining strengths from Cisco’s Layer 2 Forwarding (L2F) protocol and Microsoft’s PPTP. It uses IPSec for encryption. A significant weakness is that IPSec can’t go through a Network Address Translation (NAT) server, since NAT breaks IPSec.
Secure Sockets Layer (SSL)–based tunneling protocols—Due to the limitations of IPSec with NAT, newer tunneling protocols use SSL for encryption. For example, Microsoft can use Secure Socket Tunneling Protocol (SSTP). VPN appliances can also use SSL-based tunneling protocols. SSL requires public key infrastructure (PKI) support to obtain and use a certificate.
Internet Key Exchange v2—Internet Key Exchange v2 (IKEv2) is an IPSec-based VPN protocol that uses NAT traversal (NAT-T). NAT-T allows IPSec traffic to pass through a NAT server. IKEv2 provides significant improvements over IKE and has been adopted by several companies such as Microsoft, in Windows Server 2008 R2; Cisco; and Openswan. Openswan is a Linux-based solution presented later in this chapter. IKEv2 requires public key infrastructure (PKI) support to obtain and use a certificate.
Each method has its advantages depending on the access requirements of your users and your organization’s IT processes. While many solutions only offer either IPSec or SSL, some vendors, such as Microsoft and Cisco, offer multiple technologies integrated on a single platform with unified management. Offering both IPSec and SSL technologies can enable organizations to customize their remote-access VPN without any additional hardware or management complexity.
SSL-based VPNs also enable remote-access connectivity from almost any Internet-enabled location using a Web browser and its native SSL encryption. It does not require any special-purpose client software to be pre-installed on the system. This makes remote access SSL VPNs capable of “anywhere” connectivity from company-managed desktops and non–company-managed desktops, such as employees’ PCs, contractor or business partner desktops, and Internet kiosks. Any software required for application access across the SSL VPN connection is dynamically downloaded on an as- needed basis, thereby minimizing desktop software maintenance.
IPSec-based VPNs are the deployment-proven remote-access technology used by most organizations today. IPSec VPN connections use pre-installed VPN client software on the user desktop, thus focusing it primarily on company-managed desktops. IPSec-based remote access also offers versatility and customizability through modification of the VPN client software. Using APIs in IPSec client software, organizations can control the appearance and function of the VPN client for use in applications such as unattended kiosks, integration with other desktop applications, and other special use cases.
Both IPSec and SSL VPN technologies offer access to virtually any network application or resource. SSL VPNs offer additional features such as easy connectivity from non– company-managed desktops, little or no desktop software maintenance, and user-customized Web portals upon login.
Choosing Between IPSec and SSL Remote Access VPNs Both IPSec and SSL can provide the level of security needed for a VPN. The primary drawback with IPSec is that it can’t traverse a NAT server. If you are deploying a VPN server and want the connection to go through a NAT server, SSL is a sound solution.
While it is possible to use NAT traversal (NAT-T) to allow IPSec traffic to pass through a NAT server, be aware of some issues with it. For example, Microsoft has specifically recommended that NAT-T not be used, though IT professionals still recommend NAT-T with non-Microsoft hosts.
Terminal Services
Terminal Services is a built-in Microsoft Server product with multiple uses. It works in two modes: Terminal Services for Administration and Terminal Services for Applications. Other vendors also use terminal services for remote applications.
Terminal Services for Administration allows administrators to connect remotely into servers from their desktop computers. It allows them to remotely administer the server as described in the “Remote Desktop Protocol” section earlier in this chapter.
Terminal Services for Applications is the focus of this section. It allows a single server to host one or more applications for remote users. For example, suppose a legacy application does not run on Windows 7. A Terminal Services server could be configured to host the application, and multiple Windows 7 clients could then connect to the server to run the application. Each client would run a separate instance of the application in a separate memory space.
It’s also possible for a Terminal Services server to host entire desktops. For example, older computers may be running Windows 2000 and they don’t have the hardware to support Windows 7. An organization can configure a Terminal Services server to host Windows 7 desktops for these clients. The users would start the Windows 2000 computer, connect to the Terminal Services server, and then run a Windows 7 desktop.
As mentioned earlier, Microsoft renamed Terminal Services to Remote Desktop Services when it released Windows Server 2008 R2. Windows Server 2008 R2 increased the capabilities and features, but supports the older capabilities and features.
Over the past few years, many software publishers have experimented with offering hosted
services. The basic idea behind hosted services architecture is that an organization does not have to purchase licenses for software applications or have the hassles of installing or maintaining those applications. Instead, an ISP or a software vendor leases the applications to the organization. The application actually runs on the service provider’s servers, and users interact with the application over the Internet.
This arrangement has some drawbacks, however. For instance, terminal services take an application’s configuration out of an organization’s direct control. It’s not uncommon to hear about network administrators who were put out of a job because the companies that they worked for decided to outsource all of their applications to a hosting provider. Another compelling argument against the use of hosted services has to do with service availability. If your Internet connection goes down, then nobody can access the hosted applications. Of course, Internet service is more reliable in some areas than others.
Terminal services for hosted applications have many benefits. The primary one is that the service provider takes care of all of the application maintenance for you. Many of these benefits are things that you just don’t get if you install the applications locally on each individual workstation or if you outsource your applications to a hosting provider. Microsoft products can provide hosted applications using TS RemoteApp and TS Web Access.
TS RemoteApp One of the challenges with running applications on remote servers is that it looks odd to users and they have trouble adapting. TS RemoteApp is a Microsoft solution that runs on a Microsoft Terminal Services server but appears, to end users, as if it were actually running on their systems.
They don’t need to open a Terminal Services session, but instead launch the application from their Start menu or a shortcut on their computer. The application appears in a window on the users’ computers just as if it were running on the local computer.
TS Web Access An extension of TS RemoteApp is TS Web Access. This allows TS RemoteApp applications to launch from a Web browser. This provides many possible benefits.
The TS RemoteApp applications can intertwine into Web pages and appear to launch from a Web server. In other words, the clients use a Web browser to access a Web site. From within this Web site, they can then click on a link for the TS RemoteApp application. TS WebAccess can be configured in an internal intranet or accessible to users from the Internet.
Notice that TS Web Access allows remote clients to connect to internal resources without the need for a VPN. Depending on what your remote clients need, this is a suitable substitute.
Microsoft DirectAccess
DirectAccess is a newer Microsoft solution that can be used as an alternative to a traditional Internet Engineering Task Force (IETF) VPN. It allows remote clients to connect to internal servers without
initiating a VPN connection. As long as clients have Internet connectivity, they will be able to access internal resources using DirectAccess.
Microsoft introduced DirectAccess in Windows 7 and Windows Server 2008 R2 products. Once it’s configured on the clients and servers, it is relatively invisible to the clients. Client computers connect to the DirectAccess computer, which acts as a gateway to internal resources. Only resources configured to be accessible with DirectAccess can be accessed from clients. In other words, you could have 10 servers in the internal network, but choose to make only a few of them accessible.
For example, you could configure a Microsoft Exchange server (used for e-mail) with DirectAccess. When a DirectAccess-enabled Windows 7 client connects to the Internet, it would automatically connect with a DirectAccess server. When the user starts Microsoft Outlook, DirectAccess automatically makes the connection to the internal Microsoft Exchange server. In other words, users can be on the road and still use their e-mail client just as if they were in the office. The same process works for any servers that an administrator wants to make accessible on the Internet. DirectAccess can be enhanced by combining it with Forefront Unified Access Gateway (UAG). UAG gives administrators more control over the connections and enhances security. When UAG is run, a UAG server acts as the gateway between the client and the internal network. This is similar to how DirectAccess works by itself in that clients don’t need to establish a separate VPN connection.
A significant added benefit of DirectAccess is that administrators can execute control over the remote clients. For example, in a Microsoft environment, Group Policy can ensure that a system has minimum-security settings. While this is normally not possible for systems that are disconnected from the internal network, DirectAccess with UAG allows an administrator to apply Group Policy to these remote computers.
It’s also possible to use Network Access Protocol with DirectAccess. You can create policies to ensure that the remote system has other security measures in place. For example, you can ensure that the system is up to date with current security updates and that it has up-to-date antivirus software installed and enabled.
DMZ, Extranet, and Intranet VPN Solutions
A demilitarized zone (DMZ) is a physical or logical subnetwork that contains and exposes an organization’s external services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s LAN. An external attacker can gain access to equipment in the DMZ, but not parts of the network behind the firewall.
For example, public-facing servers that need to be accessible from the Internet are placed in the DMZ. This could include Web servers, e-mail servers, FTP servers, and more. Organizations that employ VPN servers for remote users often place them in the DMZ.
In a network, the hosts most vulnerable to attack are those that provide services such as e-mail, Web, and FTP servers to users outside of the local area network. Because of the increased potential of these hosts being compromised, they are placed into their own subnetwork to protect the rest of the network if an intruder were to succeed.
Hosts in the DMZ have limited connectivity to specific hosts in the internal network, though communication with other hosts in the DMZ and to the external network is allowed. For example, a
Web server in the DMZ may be able to connect to a database server in the internal network, but not to any other hosts in the internal network. This allows hosts in the DMZ to provide services to both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients.
Intranet VPNs An intranet is an internal network. While users within the intranet can access the Internet using different resources such as a proxy server, access to the internal network is severely restricted. Since traffic in the intranet is primarily from internal clients, the intranet is a trusted zone and needs fewer security measures.
An intranet VPN is a VPN that connects two or more internal networks. Earlier in this chapter, you learned about the concept of gateway-to-gateway VPNs. A gateway-to-gateway VPN provides connectivity between two locations such as a main office and a branch office. This is also known as an intranet VPN.
It’s important to realize that even though the VPN may be called an intranet VPN, it will still have to traverse a wide area network (WAN) link. Most organizations will rent access to this WAN link and it’s very rare that a company has exclusive access to it. In other words, the WAN link will be accessible to users outside the organization. The same level of security measures used in a DMZ VPN should also secure an intranet VPN.
Extranet VPNs Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure. For example, an organization may hire a consulting company to look at different processes within the organization and provide recommendations to improve them. The organization could create an extranet VPN to allow the consultants access to some internal resources.
Extranets are commonly configured to connect via the Internet, but can use leased lines or even dedicated connections. Extranets differ from intranets in that they allow access to remote users outside of the enterprise.
Figure 14-1 illustrates an extranet VPN topology. Using digital certificates, clients establish a secure tunnel over the Internet to the enterprise. A certification authority (CA) issues a digital certificate to each client for device authentication. The CA server checks the identity of remote users and then authorizes remote users to access information relevant to their functions.
FIGURE 14-1
An extranet VPN topology.
Internet Café VPNs
An Internet café is a public location that sells Internet access, often by the minute. The café will often sell typical café items such as coffee and sandwiches. However, with the explosion of wireless in recent years, many eateries provide free wireless Internet access to bring in customers. For example, many Starbucks and McDonald’s locations provide free WiFi.
The challenge when using an Internet café or even an open wireless connection at an eatery is security. Others in the local area may be able to view data in the connection unless it’s encrypted. Since the majority of Internet traffic is not encrypted, attackers may be able to gain valuable information by capturing another user’s Internet use.
The owner of the Internet café can capture any data that passes through with a free packet sniffer such as Wireshark. Additionally, many free wireless sniffers are available that an attacker can use over a shared wireless connection to capture all of the traffic.
An alternative is to use an Internet café VPN connection. As soon as you connect with the Internet café or the wireless connection, you would connect to the Internet café VPN. This would be hosted at your organization. It will encrypt all the traffic and prevent any sniffing attacks.
For example, HotSpotVPN is a product your organization can purchase and use as an Internet café VPN connection. Once you set it up, you can direct your users to connect to it for all Internet access.
NOTE You can get more details about HotSpotVPN at http://www.hotspotvpn.com/overview/.
Online Remote VPN Options
GoToMyPC, LogMeIn, and NTRconnect are remote access and control solutions that which all perform extremely well. Each product is easy to set up and use, and all offer a similar set of features. While each product is similar, you should know about a few noteworthy differences.
Security While each technology handles security slightly differently, all are extremely secure and can be safely used in any environment. LogMeIn and NTRconnect do offer a few more features than GoToMyPC. Both LogMeIn and NTRconnect provide 256-bit end-to-end encryption. GoToMyPC, on the other hand, provides only 128-bit. For example, LogMeIn and NTRconnect allow you to restrict the times that your computer can be remotely accessed and specify the IP addresses from which it can be remotely accessed—functionality that is not offered by GoToMyPC. Also, NTRconnect is the only product to provide keycard security. If you feel that you need to limit remote access times and/or restrict access to only certain IPs, then you will want to consider either LogMeIn or NTRconnect.
Wake-on-LAN Support Wake-on-LAN is an extremely valuable feature. Most computers include power management capabilities, allowing them to turn off or go to a low power state when they aren’t being used for a time. These computers can then be awakened when they are sent a specific string of bits in a “magic packet.” When the computer receives the magic packet, it wakes up. If it was off, it will turn on. If it was in a lower power state, it will go to a full-power state.
Of the products mentioned, only NTRconnect enables you to remotely start your computer. To use GoToMyPC or LogMeIn, the remote computer must be switched on. If you work away from your home or office computer for extended periods and switch off your computer while away, you’ll probably find NTRconnect’s wake-on-LAN support to be a real benefit.
File Sharing LogMeIn provides file-sharing functionality that enables you to e-mail a link to a file on your computer that the recipient can use to download the file (directly from your computer) at any time. To share files in this manner, you do not need to invite the person to share your desktop and you do not need to be at your computer at the time he or she downloads the file. This feature is especially useful if you frequently need to share files that are too big to e-mail.
This feature is not available with GoToMyPC or NTRconnect.
Remote Printing GoToMyPC and LogMeIn enable you to easily print a document on the host using the printer attached to the client. However, NTRconnect does not support this feature. NTRconnect’s lack of support for remote printing is not too much of a problem, as you can easily copy a document from the host to the client (and then print it). That said, if remote printing is something that you need to do on a regular basis, you’ll probably prefer the convenience of GoToMyPC or LogMeIn.
Mac Support With all three products, you can use a Mac as the client, but only NTRconnect enables you to use a Mac as the host. So, if you need to be able to remotely access a Mac, NTRconnect is your only choice.
The Tor Application
Tor is an application that uses “onion routing.” Generically, onion routing was designed as an architecture to limit a network’s vulnerability to eavesdropping and traffic analysis. It uses multiple proxy servers or relays to provide anonymous connections. Each proxy server knows only the details from the previous proxy server or the next proxy server.
The proxy servers provide anonymity for users by requesting access to resources and making it appear as if the proxy server is requesting the access, not the original user.
FYI Data leakage is also a common problem with peer-to-peer (P2P) networks such as BitTorrent. Users share data they didn’t intend to. As an example, the Top Secret plans for the U.S. president’s helicopter were leaked through a P2P network and found on servers in Iran. Some people think that organizations forbid these types of applications to prevent piracy of copyrighted material. However, the primary reason is due to the inherent security risks that most people simply don’t understand. Of course, there’s nothing wrong with helping prevent the theft of copyrighted material in the process.
Tor was derived from the Onion Routing Project managed by the U.S. Naval Research Lab. However, Tor is not an acronym for The Onion Routing project. Instead, it is simply a brand name— similar to Kleenex for facial tissues. The torproject.org Web site still uses an onion as a logo; however, Tor is not all uppercase.
The goal of Tor is to allow users to browse the Internet anonymously. Instead of going directly to an Internet site, Tor uses the computers of other Tor users as relays or proxies. Any single Tor
connection will go through multiple other computers. Interestingly, even though the U.S. Naval Research Lab originally designed Tor, it’s forbidden on
most government systems. The primary reason is related to data leakage. While the Tor network does provide a level of anonymity, the user never knows what other computers the request will go through. Data sent and received can be captured by any of these computers.
For example, in 2007 Dan Egerstad, a security professional in Sweden, collected usernames and passwords for 100 e-mail accounts of users at different embassies. He simply installed Tor on his system and then captured all the data that went through it. His computer was used as a proxy in the Tor network for thousands of users, and a simple protocol analyzer captured the data. More than the credentials, he also captured a significant number of sensitive e-mail messages from embassies and Fortune 500 companies.
NOTE You can download the Openswan RPM package at www.openswan.org. The RPM package has an extension of .rpm (from the original Red Hat Package Manager standard used by many Linux distributions today). Be aware that to download the RPM version of Openswan you must have the IPSec-tools RPM package installed on your system.
Planning a VPN Implementation
VPNs create a secure data link with a branch office, remote employee, business partner, or customer that will enable or require server access behind a firewall. VPNs can provide a secure and encrypted data stream between a firewall and a remote client or server.
This section provides you with the configuration of a permanent site-to-site VPN tunnel using Openswan, one of the most popular VPN packages for Linux.
Requirements For this implementation you will need Linux kernel 2.0, 2.2, 2.4, or 2.6.
For Linux kernels 2.0 or 2.2, use Openswan 1.0.10. For Linux kernels 2.4 and 2.6, use Openswan 2.4.x. For FreeBSD, OpenBSD, NetBSD, and OSX, use Openswan 2.5.x.
Before you attempt this simple SOHO Linux VPN, keep the following in mind:
The IPSec protocol on which VPNs are based will not tolerate network address translation (NAT) of its data packets. If your firewall does NAT, then you’ll have to disable it specifically for the packets that will traverse the VPN.
You should set up your Linux VPN box also as a firewall. Configure and test the firewall first,
and then configure the VPN. The networks at both ends of the VPN tunnel must use different IP address ranges. For example, the organization’s internal network may be using an IP address range of 192.168.0.1 to 192.168.0.254. The other network must use a different address range, such as 192.168.1.1 through 192.168.1.254. To avoid confusion, you may want to use completely different private address ranges for each network such as 172.16.y.z. or 10.x.y.z.
Permanent site-to-site VPNs require firewalls at both ends that use static IP addresses.
Figure 14-2 depicts an Openswan sample topology diagram of a VPN between two environments.
NOTE In this implementation, the external IP of the machine is listed as 12.34.56.78. The gateway IP is listed as 12.34.56.1. The internal IP of the VPN server (since it has a NIC on both the inside and the outside) is 192.168.1.1 in this example. You can change it to fit your needs.
FIGURE 14-2
Openswan sample topology diagram.
FIGURE 14-3
Installing Openswan from the source.
FIGURE 14-4
Using Openswan’s userland-only install.
Installation You can install Openswan in two different ways: by performing an RPM install or by installing it from source libgmp development libraries.
Performing an RPM Install You’ll find different instructions for installing Openswan depending on what version of UNIX/Linux you’re using. Openswan hosts a Wiki site that includes instructions for many different types of RPM installations at http://wiki.openswan.org/. This site also includes a lot of other details on installing, configuring, and troubleshooting Openswan.
Install from the Source As root, unpack your Openswan source somewhere in your drive, such as /usr/src. Figure 14-3 provides an example.
You now need to choose your install method. You can choose userland-only, for 2.6 kernels, or a KLIPS install for kernels 2.6 or earlier (2.0, 2.2, and 2.4). If you decide to use the userland-only install, change your new Openswan directory, and then make and install Openswan’s userland tools, as depicted in Figure 14-4.
Once you finish entering these commands you should be done with the install. Now all you need to do is to start Openswan and test your new install. If you decide to use KLIPS, you will have to make a modular of it, along with other Openswan programs you’ll need for the VPN. To do so, enter the command sequence shown in Figure 14-5, which will change to your new Openswan directory, make the Openswan module, and install it all.
NOTE Kernel IP Security (KLIPS) modifies the Linux kernel to support IPSec protocols.
FIGURE 14-5
Performing an Openswan’s KLIPS install.
FIGURE 14-6
Link KLIPS statically into your kernel.
FIGURE 14-7
Starting Openswan.
At this point, you can actually enhance the security of the VPN by using NAT traversal (NAT-T) support. NAT-T is a method for encapsulating IPSec ESP packets into UDP packets for passing through routers or firewalls employing Network Address Translation (NAT). To deploy NAT-T, you need to patch and rebuild your kernel. However, rebuilding the kernel is a risky operation and so should be approached cautiously.
To link KLIPS statically into your kernel (using your old kernel settings) and install other Openswan components, just follow the commands listed in Figure 14-6, then reboot your system and test your install.
NOTE For more information on installing NAT-T, check the Openswan Web site at http://wiki.openswan.org/index.php/Openswan/NATTraversal.
Start Openswan
To start Openswan, enter the command shown in Figure 14-7. This step is not necessary if you have rebooted your system, as Openswan will launch
automatically after it’s been successfully installed. You can take additional steps to secure the VPN connection. For example, you can use certificate-
based keys to secure the connection. You can follow the steps in an excellent walk-through here: http://www.linuxhomenetworking.com/wiki/index.php/ Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs.
Deployment Before you deploy your VPN, you need to start Openswan on both VPN devices for the new /etc/ipsec.conf settings to take effect. You can do that by issuing the following commands:
Once that’s done, it’s time for you to initialize the tunnel. To initialize it you can use the ipsec command to start the tunnel net-to-net. Be sure to issue the command simultaneously on the VPN
boxes at both ends of the tunnel. The IPSec SA established message highlighted in Figure 14-8 signifies a successful deployment.
FIGURE 14-8
Successfully deploying the Openswan VPN.
Testing and Troubleshooting To check that you have a successfully installed VPN you should run the command ipsec verify. If your installation was successful, you should see a screen display similar to the one depicted in Figure 14- 9.
If any of these first four checks fails, check the Troubleshooting section below on the installation screen.
Firewalls can interfere with Openswan, so you’ll want to pay attention to your firewall settings. Make sure you allow UDP 500 and ESP (protocol 50) through the firewall. This is necessary because for IPSec traffic to traverse through a firewall, you need the following ports/protocols open in both directions:
Protocol 50 ESP Protocol 51 AH (optional) UDP port 500 IKE UDP port 4500 (if you are using NAT traversal to tunnel through NAT/other firewalls)
The Smoothwall firewall works well with Openswan. You will need to do the following:
Create some name for the remote VPNs in the zones file. Describe which IPSec interface to use based on the names in the zone file. Describe how the networks named in the zones file interact in the policy file. Define the public IP address of the remote sites in the tunnels file.
Smoothwall automatically makes the rules necessary to allow IPSec for the networks named in the tunnels file.
NOTE
Another alternative for a firewall to work with Openswan is Shorewall. This firewall also works well with IPSec and Openswan. Best of all, you will find comprehensive documentation at their Web site at http://www.shorewall.net.
FIGURE 14-9
Testing Openswan’s install.
TABLE 14-1 VPN implementation best practices.
DO DON’T
Passwords Do change the original password tosomething you will remember. Don’t write down your password unless it will be stored in a safe.
Software
Do buy or upgrade antivirus detection software. Do update your virus definitions daily. Do check frequently for updated OS (operating system) patches and application patches.
Don’t go without antivirus software. Don’t ignore OS and application updates/patches. Don’t use unsafe applications, such as peer-to-peer file sharing tools or applications of unknown origin.
Firewalls Do enable built-in firewalls. Do use external standalone firewalls whenever possible.
Don’t go without either a built-in or standalone firewall.
Hardware
If connecting via a wireless interface, do disconnect or disable the wired network interface. If connecting via a wired interface, do disconnect the wireless. Do use the VPN for work purposes only.
Don’t enable or connect more than one network interface while using a VPN-connected computer. Don’t allow people to use the computer who might do so unsafely.
Services and protocols
Do disable any unneeded services or protocols.
Don’t run default services and protocols if they aren’t needed.
VPN Implementation Best Practices
The VPN is only as safe as the machine it is used on. Before deploying a VPN, review the implementation best practices, listed as dos and don’ts, in Table 14-1.
Additional steps you can use for the VPN server include:
Use strong authentication—Ensure that only authorized clients can connect. Since the VPN server will have a public IP address, it’s accessible from an Internet user anywhere in the world. If someone can easily log on to the VPN server, that person can easily access your Internet network.
Use strong encryption—The two primary encryption protocols used in VPNs today are IPSec and SSL. Either of these is strong enough to protect a VPN, but other protocols should also be carefully evaluated.
Protect the VPN server behind a firewall—Whether you’re using a host-to-gateway or gateway-to-gateway configuration, you should not put the VPN server directly on the Internet. Instead, place it behind a firewall such as in a DMZ configuration. This will provide a layer of protection from Internet attacks.
CHAPTER SUMMARY This chapter discussed the different types, design, configuration, implementation, and testing of VPNs. It also discussed the main VPN technologies available on the market and best practices in their implementation. VPNs can provide remote clients access to your internal network in a host-to-gateway configuration. They can also provide access between two offices in the same organization using a gateway-to-gateway model.
Many different VPN applications are available. Microsoft provides VPN solutions built into the server operating system. Cisco and other vendors sell VPN appliances you can install and configure easily. You can also use UNIX or Linux systems and install free VPN solutions such as Openswan.
VPNs are increasingly becoming a part of everyday life on the Internet. Many people use them to gain access to resources in their offices, such as e-mail servers and other intranet resources. This trend is certain to become more popular as many companies are finding it cheaper for their employees to work from home, relieving them of the need to lease additional office space.
Site-to-site VPNs will also continue to be deployed as companies both small and large find it increasingly necessary to share access to their main networks with remote offices. One notable area is in the realm of IP telephony, where VPNs enable all remote offices to use a single IP switchboard at the center of a VPN hub and spoke network. Intra-office communication is encrypted and the use of a single switchboard saves money.
KEY CONCEPTS AND TERMS Customer premise equipment (CPE) Gateway-to-gateway VPN Host-to-gateway VPN Internet Key Exchange v2 (IKEv2)
CHAPTER 14 ASSESSMENT
1. ________ provide(s) secure communications between external users and internal servers located behind a firewall. (Multiple answers may be correct.) A. VPNs B. IPSec C. Intranets D. Extranets E. SSL
2. A desirable feature of an operating system–based VPN is the ability to refer to remote servers by their network address translated IP addresses. True or False? A. True B. False
3. A VPN is also known as: A. A neural network B. A data-encrypted tunnel over the Internet C. A file sharing and printing server D. A bastion host E. None of the above
4. Encrypted communications using Web browsers usually use the ________ protocol.
5. An easy and cost-effective way to secure access to a network is by purchasing (an) inexpensive ________. A. Switch B. Router C. Antivirus software D. Remote terminal
E. VPN appliance
6. Most VPN appliances are designed for complex installations. True or False?
7. VPN appliances are ________. A. Not readily available B. OS specific C. Very expensive D. Secure technologies E. A and B
8. What does RDP stands for? A. Remote Desktop Processing B. Remote Desktop Protocol C. Radio Demilitarized Processing D. Recovery Dispatching Process E. Remote Dial-up Process
9. Another name for Terminal Services is: A. Remote Dial-up System B. Remote Desktop Services C. Remote Desktop System D. Radius Dial-up Services
10. GoToMyPC is a remote desktop technology that allows you to remotely access your computer from any other Internet-connected computer in the world with almost any operating system through a secure, private connection. A. True B. False
11. What are two primary methods for deploying remote-access VPNs? A. SSL and SSH B. SSL and API C. IPSec and SSL D. IPSec and SSH E. None of the above
12. Terminal Services provides the ability to: A. Host multiple, simultaneous client sessions B. Implement software bugs
C. Implement dynamic addressing D. Sync proxy servers E. All of the above
13. Terminal Services RemoteApp applications appear to users as if the applications are installed locally when they are actually running a remote server. A. True B. False
14. Microsoft’s DirectAccess: A. Is an alternative to a traditional VPN B. Is not a VPN C. Is a mix of Microsoft Access database served through a VPN D. Is a DDNS E. Is an intrusion detection system
15. Users must have physical connectivity with the internal network for the DirectAccess connection to be established. A. True B. False
16. When performing a download and install of the RPM version of Openswan, you do not need to have the IPSec-tools RPM package installed on your machine. A. True B. False
17. What are the two methods of installing Openswan? A. KLIPS and IPSec B. RPM and source libgmp development libraries C. By hand and automatically D. Remotely and through a diskette E. None of the above
18. To check that you have a successfully installed Openswan VPN you should run the command ipsec verify. A. True B. False
CHAPTER
15 Perspectives, Resources, and the Future
IN YOUR CAREER as a security professional, you will make it your business to know how to secure your organization’s IT assets, networks, and systems. You are already learning a great deal about the tools, technologies, processes, and procedures currently available. In your work, you will know how to use firewalls to secure the perimeter of the network and VPNs to secure data in transit. A deep knowledge of the current security landscape is vital to your professional success. But you need to know what’s on the road ahead, too. In this chapter you’ll learn about what’s next.
Today’s information security professionals face a daunting task. Not only do you need to understand how to secure a complex, diverse, and rapidly changing IT environment, but you also need to be aware of the challenges and threats to come. An in-depth understanding of security technologies such as VPNs and firewalls and of threats like malware and social engineering provides the foundation of your arsenal. To be truly successful, however, you also need the ability to identify and respond to trends in both the technologies and the threats under development. To keep up with attackers, you need to know what’s coming and where to get reliable, current information.
Throughout your career as an information security professional, you will encounter situations in which you will need to apply security best practices to new technologies or new architectures. You may find that you are conducting investigations, trying to determine how your infrastructure was compromised. You may be monitoring new attacks and trying to develop new defenses. Whatever challenges you face in the future will require that you leverage the experience, understanding, and best practices you’ve learned to ensure you are effective against new risks and threats.
Chapter 15 Topics
This chapter covers the following topics:
What the future holds for network security, firewalls, and VPNs
What some resources sites for network security technologies, techniques, and threats are
What some useful network security tools are
What the impact of ubiquitous wireless connectivity is
What potential uses of security technologies are
What specialized firewalls are available
What the impact of anti-hacker technologies like honeypots, honeynets, and padded cells is
What emerging network security technologies are
Chapter 15 Goals
When you complete this chapter, you will be able to:
Discuss the different types of integrated and specialized firewalls, as well as the advantages and disadvantages of each
List additional sources of information related to network security
Describe emerging IT and security trends and their impact on network security
Identify challenges and advantages presented by the new technologies and emerging threats to network security
Understand the difference between an IDS and an IPS
Discuss the future of network security, firewalls, and VPNs
What the Future Holds for Network Security, Firewalls, and VPNs
In this chapter, you will be looking to the future of network security, firewalls, and VPNs. How does a security expert discern what the future holds? A number of factors should influence
your planning as you try to draw a road map for your information security strategy:
Historical progression of threats—If you are familiar with how threats have progressed over time, you will have a better understanding of where those threats may be headed in the future. For example, 10 years ago, virtually all malware attacks were focused on operating systems. Today, malware attacks go after applications far more than operating systems. Browsers are a particularly popular target for attacks today.
Your industry—Each industry has a different focus when looking to the future. A bank will have very different requirements from a shoe store, for example. Understand your industry, network with your peers, and make sure you are looking at the proper framework for your planning.
Experts—It’s always a good idea to see what the people who predict the future of the industry
think before doing your planning. While experts can disagree over certain specific predictions, if you keep an eye on the major information sources (some of which are provided later in this chapter), you will find you can develop a pretty good idea of where information security is headed.
Vendors—Since they are frequently trying to sell you their next-generation solution, vendors usually have a biased view of the future. They can provide valuable information for your planning, however. If the vendors you work with or follow are all targeting a particular threat or technology, they view it as an area to generate revenue. If an industry targets a specific area as a source of revenue, it’s a good bet that a threat lurks there somewhere.
Role of cybersecurity in national security—In his State of the Union Speech in February 2013, President Obama highlighted the role of cybersecurity in the future of the United States. While the experienced security professional knows that nothing new has really happened, public awareness, along with that of lawmakers, heads of organizations, and—importantly— employers has increased dramatically. Every major publication from The New York Times to The Wall Street Journal and everyone in between has stated that there are not enough, and will not be enough, trained security professionals to fill the need. This reality must be as important as a part of your own career planning as it is in planning to protect your organization.
Here are some of the areas you should pay attention to as you plan your information security strategy.
Threats One area that is evolving extremely quickly is the variety of threats to your infrastructure. Several years ago, the most prevalent threats were from unsophisticated attackers whose main goal was to accomplish something they could brag about in chat rooms with their buddies. Today, organized crime has zeroed in on the huge amounts of money to be made in computer hacking. You now see targeted attacks against specific industries and companies; viruses that target credit card numbers, bank account information, and Social Security numbers; and rootkits that, once installed on a computer, turn it into a host the attacker can control remotely to attack other systems and networks. Some attackers will threaten to crash networks with denial of service attacks unless the system owner pays extortion money—the high-tech equivalent of a protection racket.
In the future, you will see more resilient networks that will mitigate the risk of traffic-based attacks, more secure operating systems and applications to resist malware, and intrusion prevention systems that will respond instantly to attacks, choking them off before they can damage your infrastructure.
Firewall Capabilities Firewalls have been adding capabilities since they were first introduced. Early firewalls contained some limited filtering and NAT capabilities and not much else. You will learn about the wide range of today’s firewall capabilities and specialties later in this chapter.
Encryption Encryption is a constantly evolving standard. In 1977, the Data Encryption Standard (DES) was specified in the Federal Information Processing Standards (FIPS) Publications. It became a national standard. The standard has since changed from DES, a 56-bit algorithm, to 3DES, an effective 168-bit algorithm, to the Advanced Encryption Standard (AES), which supports a 256-bit algorithm. The problem with encryption is the constantly improving processing power of computers. As computers get faster and more capable, with bigger and bigger memory space, encryption algorithms become easier and easier to break through brute force and other techniques.
Encryption’s popularity has grown as concerns about protecting data at rest, in transit, and while archived have come to the forefront of many industries. How many stories have you seen about the stolen laptop with 100,000 Social Security numbers on it or an application compromised by an attacker able to read data directly from a hard drive because it was stored in cleartext? Today, some government agencies (the Department of Defense, for example) require full-drive encryption for all laptops.
Recognizing the growing need for encryption, the industry is responding quickly. The AES standard was designated as the replacement for DES. It is designed to scale upward with longer keys. Keep in mind as you look into encryption solutions whether they support AES or an equivalent algorithm, and be sure that you encrypt your data everywhere it’s vulnerable. The days of relying on your VPN as the only data protection are gone. You need to secure data with encryption everywhere it can be accessed.
Authentication Another area where you can expect to see dramatic changes in future capabilities is in authentication, especially with respect to identity and access management. In the past, much of user security was based on a user ID and password. Years were spent trying to teach users what a strong password is, why they need a strong password, and why they need to change their passwords every 90 days. The effort has been largely ineffective. Users still choose poor passwords, and even when they select strong passwords, the passwords can still be cracked with sufficient computer power.
The other challenge associated with authentication is actually a user-management issue. All too often in a complex environment, the creation, permissioning, management, and eventual retiring of user accounts doesn’t work. Accounts retain permissions long after users move on to other roles, accounts remain on systems long after employees have left the organization, and, in many cases, no auditing of actions using privileged accounts takes place. Collectively, these critical tasks are known as identity and access management.
How will these challenges evolve in the future? One trend is moving away from passwords to tokens, smart cards, and biometric authentication as a replacement to user ID and password solutions.
On the identity and account management front, a number of solutions automate these activities, providing full account life-cycle management and the associated auditing capabilities many companies look for. The one challenge with these solutions is that, due to the sophistication of most corporate computing environments, they are very complex to install and maintain. It’s not just a matter of automating the creation of Active Directory accounts in most cases. Companies have multiple
application systems and authentication requirements. Making all of these components work together is not easy. Once you get them working together, however, you’ve removed a significant threat to your security landscape.
Metrics One of the biggest complaints from CIOs about information security is the lack of measures for the success of a program. Information security has moved from being an esoteric discipline practiced by a few misunderstood experts to a core business function vital to supporting the bottom line. While this evolution has been long overdue, today management expects you to quantify your contribution to the company and justify the expenditures they make to support security.
The good news is that the industry has been moving this direction for some time and has developed a number of performance metrics. The most popular is the Information Technology Infrastructure Library (ITIL), which is a set of concepts you can use to formalize your security management practice and the associated reporting. In addition, numerous solutions allow you to automate not only these processes, but also the associated measurements.
Focus Another area of significant evolution in information security is in the nature of what you are trying to protect. Initially, information security was all about keeping the bad guys out of your network. As a result, companies invested significant amounts of money in firewalls and other network security technologies.
Then focus shifted from the network to the host, however, and organizations focused more on managing patches, hardening operating systems, and installing host-based firewalls.
Once the industry secured the host, attackers shifted to threatening the applications running on those hosts. IT then started focusing on integrating security into the software development lifecycle, testing and evaluating code, hiring penetration testers to try to break code deliberately, and deploying firewalls and proxy servers specifically to secure applications.
The next shift in focus for information security is a growing focus on what is truly valuable—the data itself. Ultimately, all the measures developed to date, from the network firewalls, to the host hardening, to the penetration testing, have all been about securing the data. The industry is now moving toward a data-centric security model, which is a significant paradigm shift from previous models. A data-centric model will force companies to focus on classifying and applying values to their data. While this will undoubtedly be a painful process for many companies, this approach will ultimately yield a much more secure environment.
Securing the Cloud Cloud computing is a relatively new phenomenon in computing infrastructure that involves moving computing resources out to the Internet. Resources are then shared by multiple applications and, in many cases, shared by multiple corporations. Think of how the phone networks or the electrical grid operate. These clouds are typically built using virtualization that allows for exceptional efficiencies,
but also opens up a number of new security challenges. First, to leverage the true benefits of cloud computing, you have to trust the vendor providing your
cloud. This requires a shift in focus from deploying security technologies to ensuring that your vendors are contractually obligated and physically able to keep your data secure. You also need to be able to evaluate vendors to determine how trustworthy they are. If you have the available resources, you should be auditing the vendor(s) to ensure they consistently keep your data secure.
You’ll learn about the security challenges specific to virtualization later in the chapter.
Securing Mobile Devices A rapidly growing sector of the end user computing space is the use of mobile devices like smartphones, netbooks, or tablet computers. These devices present some unique challenges. Think about how many people today receive e-mail on their smartphone, or who ran out to get a new iPad and are now reviewing confidential documents while riding the train to work. How do you secure these devices?
The good news is that once the industry identifies issues like these, it concentrates resources to work and ultimately solve the problem. The computer security industry has very few “unsolvable” issues. Already, virus protection, mobile device management, and encryption applications are available for mobile devices. The challenge you’ll typically see in both current and future technology is that these types of devices are frequently overlooked or discounted when documenting security risks. Be sure to keep these devices on your list of risks. They possess an alarming amount of storage and processing capacity, which makes it easy for an employee to inadvertently place confidential information on them.
Mobile IP The future will bring with it an increased clarity of the techniques, technologies, and protocols associated with making IP mobile, from the technology actually called Mobile IP to a potential host of other technologies, including IP Multimedia Subsystem (IMS), and including changes to the Domain Name Service and other fundamental technologies.
Bring Your Own Device (BYOD) Bring Your Own Device will increase, as will the need to secure a growing number of mobile endpoints and different operating systems and applications. The BYOD mobility aspect becomes even more important when it is considered in light of the discussion of mobility technologies and the mobility enablement of base technologies, and when you consider that employees, contractors, clients, and others need to connect securely, with potentially varying permissions, to the assets of the organization.
Resource Sites for Network Security, Firewalls, and VPNs
A variety of resource sites are available to you for more information on network security, firewalls, and VPNs. While this list of online and offline resources provides a good start, it’s impossible to cover every source. Here are some sites and books covering the critical topics just to get you started. If you need additional information, you are only a search engine click or a bookstore trip away from the answer.
At press time, all Web sites listed here were valid; however, with the mergers, acquisitions, and other changes in the industry, some of these links may change over time.
Firewall Vendors
Check Point Software—www.checkpoint.com Cisco—www.cisco.com Juniper Networks—www.juniper.net Fortinet—www.fortinet.com McAfee—www.mcafee.com Palo Alto Networks—www.paloaltonetworks.com Sophos—www.sophos.com SonicWALL—www.sonicwall.com WatchGuard—www.watchguard.com
Virtual Private Network Vendors
Citrix—www.citrix.com F5 Networks—www.f5.com Microsoft—www.microsoft.com Nortel—www.nortel.com OpenVPN—www.openvpn.net Openswan—www.openswan.org Juniper Networks—www.juniper.net Cisco—www.cisco.com
Network Security Web Sites
CERT (security research)—www.cert.org Data Breach Investigations Report (security research)—www.verizonenterprise.com/DBIR/ Gibson Research Corporation (security testing and tools)—www.grc.com HackerWhacker (firewall testing Web site)—www.hackerwhacker.com ISACA (standards/certifications)—www.isaca.org (ISC)2 (standards/certifications)—www.isc2.org
National Institute of Standards and Technology/Computer Security Research Center —csrc.nist.gov
SANS (security research and training)—www.sans.org Symantec (security vendor)—www.symantec.com
Network Security Magazine Web Sites
CSO Magazine—www.csoonline.com Data Breach Investigations Report (security research)—www.verizonenterprise.com/DBIR/ SC Magazine—www.scmagazine.com/ Search Security—searchsecurity.techtarget.com
Tools for Network Security, Firewalls, and VPNs
As you review the information security technologies that you may encounter as your information security career progresses, one of the questions you’ll probably have is, where will you find these tools?
In your studies, you’ve probably learned about a number of commercial and open source solutions for network security. Numerous commercial and open source solutions for network security tools, firewalls, and VPNs are available. Where will you find the tools of the future?
Commercial Off-the-Shelf (COTS) Software Commercial software remains the choice of corporations everywhere, and this won’t be changing any time in the future. A number of reasons account for the dominance of commercial solutions in the information security industry. They include:
The popularity of combining hardware and software into an appliance—Many of the most popular firewall, VPN, vulnerability management, intrusion detection, and other security applications will be developed and distributed in an appliance format. While some open source solutions will allow you to use standard server hardware to create an appliance-like solution, a truly open source appliance will probably be distributed as a commercial solution.
Companies rely on solutions they can support—One of the ongoing challenges with open source software is the lack of commercial support for the solutions. Highly technical people can work well within the open source support community. Support from an open source community is typically better than what comes from a commercial help desk, but corporations are generally reluctant to trust security-related solutions to that model.
The commercialization of open source solutions—Many of the most popular open source solutions are being commercialized as their developers look to generate revenue off the products. Two examples would be the Snort intrusion detection solution as well as the Nessus vulnerability scanner. Both tools were widely used and extremely popular open source
security solutions, and both are now available commercially.
Open Source Applications and Tools While it is pretty common to see companies embrace commercial tools in their production environments, you can’t discount the sheer innovation available in the open source community. Most of the tools referenced in this book are open source, and you can expect to see continued development on most of them.
Keep in mind a couple of other advantages of open source tools as you build your security tool kit. First, working with open source tools is a great way to build your information security skill set. Most security professionals cannot afford to purchase multiple commercial security applications to learn with, so leveraging open source is a cost-effective career builder.
The other value that open source security tools bring to a security professional is that these are the same tools many of the people attacking your network will use. One of the most important skills you can develop is the ability to understand the people trying to get into your systems. Learning the tools and techniques they may use by developing parallel expertise will take you far in your career. Commercial applications seldom offer the same learning opportunities. Attackers generally are not using commercial applications in their attacks, and they typically don’t draw from the same community available with open source solutions as you will to help your learning.
The Impact of Ubiquitous Wireless Connectivity
No chapter on the future of information security would be complete without a discussion of the influence of wireless connectivity on security technologies. The first thing to realize as you think about wireless is that you need to consider a variety of wireless technologies. Be sure not to focus too narrowly and miss something critical. Consider the types of wireless technologies that affect your environment:
Wireless deployed as a LAN technology—The deployment of wireless as part of the office LAN caused constant sleepless nights for security departments. Security departments used to invest countless hours test-driving their locations, searching for unsecured wireless access points on their networks. The real challenge with this technology, other than the fact that it permitted the bypassing of perimeter security controls, was that it was so convenient. Setup was so easy for an employee—particularly setting up in the default configuration, with all the attendant security issues. The good news is that the industry has made great strides in wireless security. Stronger authentication technologies like 802.1x, which requires connecting systems to be authenticated using PKI machine certificates, stronger encryption technologies, and significant improvements in user awareness, have made wireless LAN in the office a viable replacement for the wired LAN, while still affording the security you need to keep your data secure.
Public and home office wireless—Public/home office wireless is a great thing for your
employees. Take out your laptop, connect to the wireless, and you’re on the Internet, ready to surf. You can connect to the corporate network, do your banking, shop online, or just catch up on the news. What could be more convenient? As is often the case, convenience is the enemy of security. A number of security challenges present themselves with public/home office wireless. First, any unencrypted traffic sent over these wireless networks can be intercepted. Counting on Starbucks (or an employee’s cable company) to configure their wireless with the most advanced security capabilities enabled is not reasonable. Work with your users to make sure they understand the risks associated with these types of wireless. The good news from a corporate network perspective is that you are probably running a VPN for business connections, so that data should be secure.
Mobile wireless—The ubiquity of smartphones and other devices that can connect to cellular networks presents the third challenge when discussing the impact of wireless connectivity on information security. Now employees don’t need to search for a wireless hot spot before connecting to the network; they can access their mail from just about anywhere. The best defense against these risks is a combination of policy and technology. First, your policy should restrict access to company systems and e-mail to company-owned devices. That allows you some level of control over the types and configurations of devices with access to your data. Next, make sure the devices you’re using leverage the appropriate security technologies like encryption and antivirus scanning. While it’s virtually impossible to physically secure something as portable as a smartphone, you can ensure that the data on the device can’t be recovered if it is stolen or lost.
Potential Uses of Security Technologies
One ever-expanding area of discussion when looking at security technologies like firewalls, VPNs, intrusion detection, honeypots, vulnerability management, and others is the many uses for this technology. Obviously, you use security technologies to secure your data, networks, and systems. And that is certainly the primary use for security technologies. But you should be aware of some additional uses for this technology.
The core security concepts can be summed up with the acronym C-I-A. This stands for confidentiality, integrity, and availability.
Confidentiality—Confidentiality deals with keeping information, networks, and systems secure from unauthorized access. This issue is particularly critical in today’s environment in light of the high-profile leaking of people’s personal information by several large companies. These breaches in confidentiality made the headlines largely because the thefts exposed people to the potential of identity theft. Several technologies support confidentiality in an enterprise security environment. These include:
Strong encryption
Strong authentication Stringent access controls Integrity—Integrity is the consistency, accuracy, and validity of data or information. One of the goals of successful information security is to ensure that the information is protected against any unauthorized or accidental changes. The architecture should include processes and procedures to manage intentional changes, as well as the ability to detect changes.
Availability—Availability is the third core security principle, defined as a characteristic of a resource being accessible to a user, application, or computer system when required. In other words, when users need information, it’s available to them. Typically, threats to availability come in two types: accidental and deliberate. Accidental threats include natural disasters such as storms, floods, fire, earthquakes, and so forth with attendant power outages. This category also includes outages due to equipment failure, software issues, and other unplanned system, network, or user issues. The second category is related to outages that result from the exploitation of a system vulnerability. Some examples of this threat include a denial of service attack or a network worm that affects vulnerable systems and their availability. In some cases, one of the first actions you need to take following an outage is determining which category an outage fits into. Companies handle accidental outages very differently from deliberate ones.
As you continue to work in the information security field, another acronym you will encounter is GRC. This stands for governance, risk, and compliance. This is the best way to look at your security technologies from a business perspective. Look at how the security technologies you’re deploying provide much more than just securing data:
Governance—Governance includes the processes and procedures that ensure employees are following your organization’s security policy. For example, you have a policy that says that data in transit across a public network must be secured with at least 56-bit encryption. You would ensure that the only way to connect to the network is through a VPN that uses at least 56-bit encryption. This mechanism would be part of your governance efforts. Governance is generally used to demonstrate to management, customers, and auditors that your information security program is operating as outlined in your policies, procedures, and practices. If you are a service provider, you can leverage your governance capabilities to show that you can be trusted to keep clients’ information secure.
Risk—One of the foundations of any information security program is a robust risk management practice. If you don’t identify your risks, how do you know which security technologies to deploy and where? A risk is the likelihood or potential for a threat to take advantage of a vulnerability and cause harm or loss. Risk is a combination of an asset’s value, exposure level, and rate of occurrence. A goal of security is to recognize, understand, and eliminate risk. A risk management process starts with a risk assessment of your environment. Start with your critical data, applications, systems, and networks. Document the risks associated with them in a risk matrix. A typical risk matrix will contain the following:
A description of the risk The likelihood that the risk will actually occur The impact of the risk A total risk score The relevant business owner for the risk Which of the core security principles the risk affects: confidentiality, integrity, and/or availability
The appropriate strategy or strategies to deal with the risk
The last bullet is the one that’s critical with respect to security technologies—you leverage security technologies as part of the strategy to deal with the risks. One of the fastest-growing sectors in the information security field is compliance. Compliance means ensuring your company obeys internal policies as well as any applicable laws or other regulatory requirements. A good example of this is the Sarbanes-Oxley Act, which requires publicly traded companies to validate the controls securing all financial data. You will find that your security program, in conjunction with the security technologies supporting it, are critical to ensuring compliance with a growing number of regulations.
What Happens When There Is No Perimeter? If you look back to the first uses of network security, security professionals essentially put a firewall between the corporate network and the Internet. That firewall marked the perimeter of the network. As networks became more complex, companies started finding they were connecting to the Internet in more locations, so more firewalls were installed. The perimeter remained the demarcation between the Internet and the corporate network. Today, the vanishing perimeter has been the subject of many presentations, white papers, and sales pitches, as vendors try to convince organizations to invest to protect their perimeter-less environments.
VPNs extended the internal network outside the nice, neat network perimeter defined by the firewall/Internet interface. Suddenly, your network could be in any hotel or coffee shop in the country, as your employees discovered the benefits of mobile computing. To make matters worse, high capacity drives and portable storage meant that not only was your network being extended into places that you had never imagined, but your data storage was no longer contained within your office space. Critical information could be stored easily anywhere your employees wanted.
Unfortunately, that wasn’t the end of the challenges you faced as an information security professional. In addition to your employees taking your network and data anywhere they wanted, your business discovered the benefits of interconnecting with customers, vendors, suppliers, and partners. Each of these groups needed varying levels of access to your systems, networks, and data.
In addition to all the challenges with connections and data beyond your network, businesses also discovered the benefits of online commerce over the Internet. That seems harmless enough, until you realize that to do business on the Internet, you need to punch holes in the network perimeter to provide access from the Internet to your systems, networks, and data. It’s a little like installing skylights in your roof: You want the benefit of the sunlight in the house, but you don’t want leaks when it rains.
In a perfect world, upper-level management would have consulted with you before they embarked on these projects. They would have given you an unlimited budget to deploy network zones separating each of the different types of data, with firewalls and intrusion detection deployed at each level, and enough staff to monitor all the infrastructure to ensure nothing is getting past your security measures.
In reality, the first few connections were most likely put in without input from security, and these might not even be firewalled. It’s so much easier than having to justify purchasing firewalls, set up firewall rules, monitor logs, and do all the other things an organization needs to do as it opens holes in its protective perimeter.
What’s needed in this case is a clear, well-established policy with strong senior management support. The appropriate controls should be put in place to reestablish your perimeter. If you treat the risk of all these new technologies connecting to your network the same way you treat the risks posed by the Internet, you’ll mitigate the risks associated with the increasingly fluid perimeter you will be dealing with.
Specialized Firewalls Available
In this section you’ll learn about some of the specialized firewalls that are available or are coming soon, such as:
Hybrid—A hybrid firewall combines a number of different functions in a single appliance. You learned about firewalls with integrated VPN capabilities, but you can also expect to see firewalls combined with vulnerability management, intrusion detection and prevention, antivirus/anti-spyware, content filtering, or a variety of other network and security-related technologies. The key when looking into hybrid firewalls is ensuring that they will meet your specific security needs while not creating a performance bottleneck. The more functions you put on a single system, the more chances you’ll run into a performance bottleneck.
Data protection—A data protection firewall is a hybrid firewall, but deserves some additional explanation. The focus of a mature security program is to ensure that data is secure. An emerging technology is data leakage prevention (DLP), which is a technology specifically designed to ensure that your data stays within your network. When combined with firewall technologies at the perimeter of the network, a data protection firewall becomes an invaluable tool in keeping your data out of Gmail and Facebook accounts and within the internal network where it belongs.
Application—An application firewall is specifically designed to control input, output, and/or access to an application. This type of firewall became very popular when the focus of attacks shifted from operating systems to applications. An application firewall operates by monitoring the input, output, and system calls made in an application, and blocking any that do not conform to the firewall rules. An application firewall can block buffer overflow attacks, SQL injection attacks, and the majority of other application-focused attacks. Application firewalls are either network-based or host-based applications. One drawback of
application firewalls is they are typically designed for specific types of applications (i.e., Web applications or databases), whereas a standard firewall can secure many different types of applications, though not to the level an application firewall provides.
Database—A database firewall is an application designed to control the input, output, and system calls made to a database. While limited to database security, this firewall offers very granular security for databases.
Ubiquitous—This is ultimately the direction that firewalls will likely take in the future. The industry currently supports a variety of firewalls integrated into the network and the host that run on the perimeter and the core to protect demarcation between network zones. Now firewalls are moving into the virtualization area. Eventually, this intelligence and control will be pushed directly into the infrastructure and managed from a single console. Instead of controlling isolated ports on a firewall-by-firewall basis, you’ll be able to manage secure data as it flows into, out of, and through your environment from the originating host to the perimeter of your network and at all connections in between. This will allow you to reestablish the perimeter that disappeared with all the external connections to your network.
Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) Two other security technologies available to secure networks are intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). An IDS detects unauthorized user activities, attacks, and network compromises (Figure 15-1). IDSs come in two types, host-based and network-based.
An intrusion prevention system (IPS) is very similar to an IDS, except that in addition to detecting and alerting, an IPS can also take action to prevent a breach from occurring (Figure 15-2).
NOTE IDS/IPS is used largely on Internet connections, since those connections typically present the largest threat to the network. You can also deploy IDS/IPS in strategic locations on the internal network. This is an excellent idea if your internal network has connections to third-party networks such as customers, vendors, or business partners.
FIGURE 15-1
IDS detects an attack, and alerts operators—manual intervention needed.
FIGURE 15-2
IPS detects attack, alerts operators, and then modifies firewall and router configuration to address the attack.
Two common deployment methods are used when placing an IDS/IPS for protecting a network from the Internet. Each has its own advantages and disadvantages.
An unfiltered IDS/IPS installation examines the raw Internet data stream before it crosses the firewall (Figure 15-3). This provides the highest amount of visibility to attacks, but also means that a significantly higher volume of data will be monitored, with a higher possibility of false positives. During periods of high traffic, the IDS/IPS might not be able to process all the packets, and attacks can be missed.
FIGURE 15-3
Placement of the intrusion detection system so it gets unfiltered traffic for analysis.
FIGURE 15-4
An intrusion detection system deployed behind a screening firewall.
A screened IDS/IPS solution monitors traffic that gets through the screening firewall (Figure 15- 4). The advantage to this model is it dramatically reduces the amount of traffic to be monitored, reducing the chances of false positives and lost packets during high traffic volumes. A loss of visibility accompanies this model, as you cannot see attacks blocked by the screening firewall.
Effect of Honeypots, Honeynets, and Padded Cells
Honeypots, honeynets, and padded cells are complementary technologies to IDS/IPS deployments. A honeypot is a trap for hackers. A honeypot is designed to distract hackers from real targets, detect new exploitations, and learn about the identity of hackers. A honeynet is just a collection of honeypots used to present an attacker an even more realistic attack environment. A padded cell is a system that waits for an IDS to detect attackers and then transfers the attackers to a special host where they cannot do any damage to the production environment.
While these are all extremely useful technologies, not many corporate environments deploy them. You generally see these deployed by educational institutions and security research firms. Generally, corporate information security professionals are so busy securing their environment from attacks that they don’t spend time researching attack patterns. As long as the attack doesn’t succeed, they are satisfied.
Emerging Network Security Technologies
In addition to these future enhancements to security technologies, you should also be aware of three more areas of emerging security technology:
Data leakage prevention (DLP)—DLP technologies are systems that identify, monitor, and protect data in use, data in motion, and data at rest from inappropriate use, distribution, transmission, or other unauthorized actions. DLP technologies perform deep-content inspection within a scope defined by a central management console and are usually deployed at multiple locations within the environment to ensure full coverage. As the value of data continues to climb, this technology should see wider implementation. The technology is already used heavily in the financial industry. New government regulations will help drive the implementation in other sectors, most likely health care. HIPAA, HITECH, and PCI have specific data protection requirements.
Biometrics—Biometrics identify a user based on anatomical characteristics such as a fingerprint, a voice print, or iris patterns. These methods of identification have a number of advantages over passwords, tokens, or ID cards. First, biometric authentication requires the person being authenticated be physically present. Second, biometric security removes the need to remember complicated passwords. No more passwords taped under keyboards; you carry your password with you wherever you go. Finally, biometrics remove the need to carry a token or ID card with you. You don’t have to worry about not being able to work when you leave your token on the kitchen table at home. The areas where biometrics are currently being investigated include ATMs, laptops, and computer networks.
Virtualization security—As virtualization and cloud computing continue to gain ground, a new generation of virtualization-aware security tools are under development. Antivirus, vulnerability management, data leakage prevention, and IDS/IPS technologies are all being developed to run against the underlying hypervisor layer. The hypervisor layer is the hardware or software on which virtual machines run. This gives the security applications direct access to the underlying data transport layer of the virtual environment rather than forcing them to run against each virtual server, dramatically improving performance, visibility to security issues, and ease of use. In multi-tenant environments (multiple companies sharing the same virtual environment), additional security tools are being developed to ensure that no access occurs between the
virtual environments.
IP Version 6 IPv6 is the next-generation IP version and the successor to IPv4. While the main driving force for the redesign of Internet Protocol was the rapidly approaching exhaustion of IPv4 addresses, IPv6 has significant implications to future information security professionals.
IPv6 includes a native information security framework (IPSec) that provides for both data and control packets. This means that what you currently do with a traditional VPN you will be able to do natively with any IPv6 device. At a high level, that means you can run your IPSec VPN without requiring a client, but the implications are significantly more profound than just that.
In a fully IPv6 environment, any connection can use an IPSec connection. This means that any connection from a user to an application, a host to a host, or even a peer to a peer authenticates and encrypts as it passes across the network.
While the thought of a network featuring nothing but secure connections seems like a security professional’s dream configuration, you should also consider some drawbacks before kicking off your IPv6 migration project. One of the challenges with encryption is that it not only secures data from the bad guys, but it also secures the data from the good guys. A number of security technologies like IDS/IPS, content filtering, network-based antivirus, data leakage prevention, and even firewall technologies rely on being able to look at packets as they cross the network to determine how to handle them. Once those packets are encapsulated in a secure IPSec connection, all the security tools you have relied on stop working.
With the limited deployment of IPv6, significant development on solutions to overcome these challenges hasn’t occurred yet, but it will be a subject of great interest as the use of IPv6 expands.
VPNs, Firewalls, and Virtualization Here are some areas that look to the future of virtualization that you should think about.
Virtualization and VPN deployment are examples; some SSL VPNs have the ability to provide a unique virtual VPN configuration for each individual user group. Much like other types of virtualization, a virtualized SSL VPN allows you to separate the physical and logical use of the VPN. In the future, this capability could extend to IPSec VPNs as well. While this technology offers some unique abilities when configuring secure VPN contexts for different user groups, the additional complexity is something you need to know. A misconfigured virtual VPN context could expose parts of your network to groups that should not have access to them. For example, if you are using a virtualized VPN to provide customers access to a help desk ticketing system, and you inadvertently grant that context access to your intranet where all your pricing information resides, you expose the organization’s proprietary data to unnecessary risk.
Firewalls are another technology that is starting to permit virtualization. Currently, some firewalls on the market can partition into multiple virtual firewalls. Each virtual firewall appears to be a separate firewall with its own security policy, interfaces, and configuration. This allows you to use your firewall hardware more efficiently than you might otherwise, but once again, additional risks occur with the deployment of virtual firewalls.
First, while firewalls exist that support this technology, not all of them support all their features in the virtualized environment. Before you deploy a virtualized firewall, be sure it supports all the features you need to meet your business and security requirements. While this is a very promising technology, it’s also very new, and sometimes early adopters can find themselves encountering issues the vendor didn’t discover during the quality assurance processes.
Next, you are relying on the logical segregation of firewalls rather than the physical separation offered by multiple physical firewalls. While this technology remains new, do some testing before deploying virtual firewalls into a critical environment. Finding that there’s a way to bypass the virtual security and move from one virtual environment to another would not be good if you are using the firewall to separate two customers connected to your network.
Finally, this model suffers from the same complexity challenges with respect to the virtual VPNs. Any time you have a solution that offers greater flexibility, you also open the possibility for greater complexity. Complex environments are almost always more difficult to secure, monitor, and manage than simple environments.
However, in spite of all the challenges associated with virtualizing security technologies like VPN and firewalls, a compelling business case exists for leveraging hardware more effectively in a virtualized environment. Be sure you understand the technology thoroughly before deploying it. Information security is seldom a forgiving field for learning as you go.
Steganography Steganography is the art and science of writing hidden messages so that only the sender and intended recipient know a message exists. Steganography is the ultimate security through obscurity technology.
Probably the most well known technique for steganography in the modern era is the embedding of additional information in a digital image. An image before and after a message has been embedded in it appears unchanged to the naked eye. But if you run the image through the proper program, the secret message appears. However, steganography has been around a lot longer than digital images, and it can take many forms. Simply writing a message in invisible ink on the page of a book is a form of steganography.
The main advantage of steganography is that messages do not arouse suspicion. If you encrypt an e-mail message and send it, and the message is intercepted, then whoever intercepted the message assumes there’s something sensitive in the message. If however, you send a copy of a picture of your kids at the amusement park with a message embedded in the photo, unless the intercepting party knows the coded message is coming, they will not give it any special attention. Encrypted messages protect the message. Steganographic messages protect the data as well as the intentions of the sender and the receiver.
Anti-Forensics The final topic for discussion in this chapter is the use of anti-forensics. Anti-forensics are a series of techniques designed to try to frustrate forensic investigators and their digital forensic techniques.
Forensic techniques are well known to the information security community and, by extension, to the hacker community as well. As a result, hackers have developed an arsenal of counter-techniques
they use to foil investigations. If they can prevent the investigator from recovering usable evidence, they stand a better chance of avoiding discovery or prosecution. Some of these techniques are also used to hide rootkits and other malware.
Some examples of anti-forensic tools and techniques include:
Securely overwriting data Overwriting metadata Designing code that won’t run when the system is in debugging mode Designing code that won’t run in a virtual machine Preventing a system from entering safe mode or debugging mode Running all code from an external device like a USB drive Tampering with file system date and time stamps Running in read-only mode to prevent the system from updating file information.
You should be familiar with the concepts associated with anti-forensics, but unless you plan to become a forensic investigator, you probably won’t encounter any of these except possibly securely overwriting data.
CHAPTER SUMMARY In this chapter, you learned about a number of topics dealing with the future of security technologies and some of the significant emerging security threats. Future information security tools may come from the commercial or the open source communities, and you learned about the pros and cons of both of those areas of development.
Governance, risk, and compliance are the pillars of good policy for guiding your use of security technologies. While the obvious use for security technologies is to provide security, when all is said and done, information security needs to be a business enabler, created with an understanding of the business requirements and the bottom line. The days of deploying information security technologies based solely on management’s fear of security incidents are long gone.
Changes in networking technologies on the security perimeter can affect how network security operates. Firewall specialization includes hybrid, data protection, application, database, and ubiquitous firewalls. IDS, IPS, and other complementary technologies, such as honeypots, honeynets, padded cells, steganography, and anti-forensics, are essential elements in modern secure networks.
KEY CONCEPTS AND TERMS Anti-forensics Data leakage prevention (DLP) Digital forensic techniques Information Technology Infrastructure Library (ITIL) IP Multimedia Subsystem (IMS) Mobile IP
CHAPTER 15 ASSESSMENT
1. Pick the two most common IDS/IPS deployment models: A. Bypass B. Unfiltered C. Tunneled D. Intranet E. Screened
2. Which of the following are types of specialized firewalls? A. Data protection B. Host C. Application D. Hybrid E. Network
3. Two technologies used to identify attack techniques and patterns include ________ and ________.
4. Techniques used to counter digital investigations are known as ________.
5. Pick the two changing areas to watch when developing your information security road map. A. Security industry focus B. Vendors C. Computer processing power D. Cloud computing
E. Network design
6. The technique of hiding a secret message in plain sight is known as ________.
7. Which of the following is a potential disadvantage of IPv6 from a security perspective? A. Additional address space B. Less flexible than IPv4 C. Industry support D. Maturity of the standard E. Ubiquitous encryption
8. Identifying a user based on anatomical characteristics is known as ________.
9. Which of the following are biometric characteristics? A. Default password B. Fingerprint C. Iris pattern D. Voice print E. Token
10. Which of the following are considered complementary technologies to an IDS/IPS implementation? A. Honeypot B. Encryption C. VPN D. Padded cell E. Virtual firewall
11. A device that monitors network traffic and alerts during an attack is an ________.
12. A device that monitors network traffic and alerts and takes action without manual intervention during an attack is an ________.
13. Which of the following contribute to the erosion of the network perimeter? A. Specialized firewalls B. VPN C. IPS/IDS D. Cloud computing E. Business partner connections
14. The act of ensuring your company obeys internal policies and any applicable laws is known as ________.
15. The processes and procedures used to ensure employees are following corporate security policies are known collectively as ________.
16. Identify one risk associated with the use of a public wireless connection. A. Encryption B. Virus C. Data interception D. Data corruption E. Social engineering
17. What is one advantage to commercial security solutions that might make a company select them over open source equivalents? A. Flexibility B. Support C. Cost D. Availability E. Value
18. Which of the following might be included in a risk register? A. Risk description B. Impact C. Cost D. Business owner E. Continuity planning
19. Which of the following are considered core security principles when discussing the uses of security technologies? A. Confidentiality B. Governance C. Integrity D. Risk E. Compliance
20. When an IDS detects an attack, it can direct the attacker to a host where the attacker cannot do any damage. This host is known as a ________.
Answer Key APPENDIX A
CHAPTER 1 Fundamentals of Network Security 1. C 2. E 3. A 4. B 5. C 6. E 7. D 8. B 9. B 10. A 11. A 12. E 13. B and C 14. D 15. E 16. B 17. D 18. C 19. E 20. E
CHAPTER 2 Firewall Fundamentals 1. B 2. C 3. A 4. E 5. D 6. B 7. C 8. B 9. A 10. E 11. E 12. E 13. D 14. A 15. D 16. D 17. B 18. C 19. D 20. B 21. C 22. A 23. E
CHAPTER 3 VPN Fundamentals 1. D 2. B 3. E 4. A 5. B 6. C 7. A 8. E 9. A 10. C 11. D 12. D 13. D 14. D 15. A 16. B 17. A 18. B 19. A 20. D 21. C 22. C 23. B 24. A 25. D
CHAPTER 4 Network Security Threats and Issues 1. C 2. A 3. D 4. E 5. C 6. D 7. E 8. C 9. B 10. E 11. A 12. A 13. C 14. B 15. D 16. D 17. C 18. E 19. A 20. C
CHAPTER 5 Network Security Implementation 1. C 2. E 3. C 4. A 5. A 6. D 7. D 8. C 9. B 10. A 11. E 12. B 13. D 14. A 15. D 16. C 17. B 18. D 19. C 20. A
CHAPTER 6 Network Security Management 1. D 2. B 3. E 4. C 5. D 6. A 7. E 8. E 9. A 10. E 11. D 12. B 13. C 14. C 15. E 16. E 17. B 18. E 19. A 20. D
CHAPTER 7 Exploring the Depths of Firewalls 1. B 2. A 3. D 4. C 5. E 6. D 7. E 8. D 9. B 10. C 11. C 12. wirespeed 13. A 14. C 15. E 16. E 17. C 18. C 19. C 20. E
CHAPTER 8 Firewall Deployment Considerations 1. B 2. E 3. D 4. B 5. A 6. D 7. B 8. C 9. D 10. B 11. E 12. D 13. C 14. A 15. D 16. D 17. B 18. D 19. A 20. B
CHAPTER 9 Firewall Management and Security Concerns 1. B 2. E 3. D 4. B 5. B 6. A 7. C 8. B 9. D 10. E 11. A 12. C 13. C 14. C 15. B 16. A 17. B 18. D 19. B 20. D
CHAPTER 10 Using Common Firewalls 1. A, C, and E 2. D 3. B and D 4. B 5. A 6. inbound, outbound 7. B 8. A, C, and E 9. C 10. B 11. A 12. B 13. A, C, D, and E 14. D 15. A, B, C, D, and E (all) 16. outside
17. port forwarding 18. A 19. B 20. throughput CHAPTER 11 VPN Management
1. E 2. C 3. Three of the following: Denial of service attack, missing patches, backdoor attack, unpublished vulnerability in the code, weak client security, weak authentication, weak encryption key selection, social engineering 4. SSL, IPSec 5. A and D 6. anonymity 7. C and E 8. VPN policy 9. B, C, and D 10. A, B, and D 11. privacy 12. patch/update 13. B 14. two-factor or token/biometric 15. redundant 16. C and D 17. B 18. A, B, and D 19. A and C 20. circuits
CHAPTER 12 VPN Technologies 1. B and D 2. C and E 3. 3DES 4. SSL and IPSec 5. A and B 6. network address translation (NAT) 7. C and D 8. platform independent 9. B, C, and D 10. B and D 11. request for comments (RFC) 12. virtualization 13. A, B, and E 14. L2F and PPTP 15. SSH 16. A, C, and E 17. B, C, and F 18. A, B, D, and E 19. A and D 20. Secure Sockets Layer
CHAPTER 13 Firewall Implementation 1. C 2. B 3. A 4. B 5. C 6. D 7. B 8. B 9. E 10. True 11. A 12. C 13. B 14. B 15. False 16. D 17. C
CHAPTER 14 Real-World VPNs 1. A and D 2. B 3. B 4. Secure Socket Layer (SSL) 5. E 6. False 7. D 8. B 9. B 10. A 11. C 12. A 13. A 14. A 15. B 16. B 17. B 18. B
CHAPTER 15 Perspectives, Resources, and the Future 1. B and E 2. A, C, and D 3. honeypots and honeynets 4. anti-forensics 5. A and D 6. steganogrophy 7. E 8. biometrics 9. B, C, and D 10. A and D 11. IDS or IPS 12. IPS 13. B, D, and E 14. compliance 15. governance 16. C 17. B 18. A, B, and D 19. A and C 20. padded cell
Standard Acronyms APPENDIX B
3DES triple data encryption standard ACD automatic call distributor AES Advanced Encryption Standard ANSI American National Standards Institute AP access point API application programming interface B2B business to business B2C business to consumer BBB Better Business Bureau BCP business continuity planning C2C consumer to consumer CA certificate authority CAP Certification and Accreditation Professional CAUCE Coalition Against Unsolicited Commercial Email CCC CERT Coordination Center CCNA Cisco Certified Network Associate CERT Computer Emergency Response Team CFE Certified Fraud Examiner CISA Certified Information Systems Auditor CISM Certified Information Security Manager CISSP Certified Information System Security Professional CMIP Common Management Information Protocol COPPA Children’s Online Privacy Protection CRC cyclic redundancy check CSI Computer Security Institute CTI Computer Telephony Integration DBMS database management system
DDoS distributed denial of service DES Data Encryption Standard DMZ demilitarized zone DoS denial of service DPI deep packet inspection DRP disaster recovery plan DSL digital subscriber line DSS Digital Signature Standard DSU data service unit EDI Electronic Data Interchange EIDE Enhanced IDE FACTA Fair and Accurate Credit Transactions Act FAR false acceptance rate FBI Federal Bureau of Investigation FDIC Federal Deposit Insurance Corporation FEP front-end processor FRCP Federal Rules of Civil Procedure FRR false rejection rate FTC Federal Trade Commission FTP file transfer protocol GIAC Global Information Assurance Certification GLBA Gramm-Leach-Bliley Act HIDS host-based intrusion detection system HIPAA Health Insurance Portability and Accountability Act HIPS host-based intrusion prevention system HTTP hypertext transfer protocol HTTPS HTTP over Secure Socket Layer HTML hypertext markup language IAB Internet Activities Board IDEA International Data Encryption Algorithm IDPS intrusion detection and prevention IDS intrusion detection system IEEE Institute of Electrical and Electronics Engineers IETF Internet Engineering Task Force InfoSec information security IPS intrusion prevention system
IPSec IP Security
IPv4 Internet protocol version 4 IPv6 Internet protocol version 6 IRS Internal Revenue Service (ISC)2 International Information System Security Certification Consortium ISO International Organization for Standardization ISP Internet service provider ISS Internet security systems ITRC Identity Theft Resource Center IVR interactive voice response LAN local area network MAN metropolitan area network MD5 Message Digest 5 modem modulator demodulator NFIC National Fraud Information Center NIDS network intrusion detection system NIPS network intrusion prevention system NIST National Institute of Standards and Technology NMS network management system OS operating system OSI open system interconnection PBX private branch exchange PCI Payment Card Industry PGP Pretty Good Privacy PKI public key infrastructure RAID redundant array of independent disks RFC Request for Comments RSA Rivest, Shamir, and Adleman (algorithm) SAN storage area network SANCP Security Analyst Network Connection Profiler SANS SysAdmin, Audit, Network, Security SAP service access point SCSI small computer system interface SET Secure electronic transaction SGC server-gated cryptography SHA Secure Hash Algorithm
S-HTTP secure HTTP
SLA service level agreement SMFA specific management functional area SNMP Simple Network Management Protocol SOX Sarbanes-Oxley Act of 2002 (also Sarbox) SSA Social Security Administration SSCP Systems Security Certified Practitioner SSL Secure Sockets Layer SSO single system sign-on STP shielded twisted cable TCP/IP Transmission Control Protocol/Internet Protocol TCSEC Trusted Computer System Evaluation Criteria TFTP Trivial File Transfer Protocol TNI Trusted Network Interpretation UDP User Datagram Protocol UPS uninterruptible power supply UTP unshielded twisted cable VLAN virtual local area network VOIP Voice over Internet Protocol VPN virtual private network WAN wide area network WLAN wireless local area network WNIC wireless network interface card W3C World Wide Web Consortium WWW World Wide Web
Glossary of Key Terms
802.1x | Port or portal authentication. A mechanism commonly used by network devices, such as firewalls, routers, switches, and wireless access points, to perform authentication of users before allowing communication to continue across or through the device. The authentication can take place locally on the device or go to an authentications service, such as a credit card payment system, PKI, or directory service.
A
Access control | The process or mechanism of granting or denying use of a resource; typically applied to users or generic network traffic. Access control list (ACL) | Mechanism defining traffic or an event to apply an authorization control of allow or deny against. Often used interchangeably with the terms rule and filter in relation to firewalls. An ACL focuses on controlling a specific user or client’s access to a protocol or port. Active threat | A form of threat that takes some type of initiative to seek out a target to compromise. These can be hackers, intruders, or automated worms. In any case, an active threat seeks out vulnerable targets. If you don’t have reasonable security measures and the active threat discovers your system, you might be at risk for a compromise. Advanced persistent threat (APT) | A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The purpose of such an attack is to steal data, not to damage the network or organization. Sectors with high-value information, such as national defense, manufacturing, and the financial industry, are commonly the target of such attacks. Adware | Unwanted software that displays advertisements. Often linked with spyware. Agent | A malicious software program distributed by a hacker to take over control of a victim’s computers. Also known as a bot or a zombie. Agents are commonly used to construct botnets. Alert | A notification from a firewall that a specific event or packet was detected. Alerts notify administrators of events that may need real-time human response or attention. Algorithm | A set of rules and procedures, usually mathematical in nature. Algorithms can define how the encryption and decryption processes operate. Often very complex, many algorithms are publicly known; anyone can investigate and analyze the strengths and weaknesses of an algorithm. Alternate data stream (ADS) | A feature added to the NTFS file system to support files from POSIX, OS/2, and Macintosh. ADS supports multiple resource forks for file objects. Hackers use ADS to hide files. Annualized loss expectancy (ALE) | The calculation of the total loss potential across a year for a given asset and a specific threat. ALE calculations are part of risk assessment. ALE = SLE × ARO.
Annualized rate of occurrence (ARO) | A probability prediction based on statistics and historical occurrences on the likelihood of how many times in the next year is a threat going to cause harm. ARO
is used in the ALE calculation. Anomaly-based detection | A form of intrusion detection system/intrusion prevention system (IDS/IPS) based on a defined normal, often defined using rules similar to firewall rules. All traffic or events that fail to match defined normal are considered anomalies and potentially malicious. Anonymity | The ability for a network or system user to remain unknown. A number of tools and techniques provide anonymity when connected to a network, although the underlying network protocols make true anonymity very difficult. Anti-forensics | A series of tools and techniques used to prevent forensic examination from identifying an attack or attacker. AppleTalk | A legacy protocol developed by Apple Inc. for use in networks hosting mainly Macintosh computers. Mostly replaced by TCP/IP. Appliance | A hardware product that is dedicated to a single primary function. The operating system or firmware of the hardware device is hardened and its use is limited to directly and exclusively supporting the intended function. Firewalls, routers, and switches are typical appliances. Appliance firewall | A hardened hardware firewall. Application Layer (Layer 7) | The top or seventh layer of the OSI model. This layer is responsible for enabling communications with host software, including the operating system. The Application Layer is the interface between host software and the network protocol stack. The sub-protocols of this layer support specific applications or types of data. Application firewall | A type of firewall that filters on a specific application’s content and session information. Application gateway | See application firewall. Application proxy | See application firewall. Arbitrary code execution | An exploit that allows a hacker to run any command line function on a compromised system. Buffer overflow attacks and SQL injection attacks can often allow arbitrary code execution. ARP spoofing | The falsification of ARP replies to trick the requestor into sending frames to a system other than its intended destination. Asset | Anything you use in a business process to accomplish a business task. Asset value (AV) | The cumulative value of an asset based on both tangible and intangible values. AV supports the SLE calculation. Asymmetric cryptography | A means of encoding and decoding information using related but different keys for each process. A key used to encode cannot decode, and vice versa. Cryptography based on algorithms that use either key pairs or some other special mathematical mechanism. Asymmetric cryptography that uses key pairs is commonly known as public key cryptography. Different keys serve different purposes. Different keys are used by different members of the communication session. Some systems use something different from keys altogether.
Asymmetric digital subscriber line (ADSL) | A form of the digital subscriber line technology, which enables faster data transmission over copper telephone lines than a conventional voice band modem can provide. Attack surface | Portions of a software system that unauthenticated users can run. Auditing | Act of conducting an audit. Auditing can be the action of a system that is recording user activity and system events into an audit log. Auditing can also be the action of an auditor who checks for compliance with security policies and other regulations. Auditor | Either an outside consultant or an internal member of the information technology staff. The auditor performs security audits, confirms that auditing is sufficient, and investigates audit trails produced by system auditing. In the case of regulatory compliance, auditors should be external and independent of the organization under audit. Authentication | The process of confirming the identity of a user. Also known as logon. Authentication, authorization, and accounting (AAA) services | Programs used to control access to computer resources, enforce policies, audit usage, and provide billing information. Examples include RADIUS, TACACS, 802.1x, LDAP, and Active Directory. Authentication Header (AH) | A protocol that provides integrity protection for packet headers and data, as well as user authentication. Authenticity | The security service of the combination of authentication and access control (authorization) that provides either the identity of the sender of a message or controls who is the receiver of a message. Authorization | Defining what users are allowed and not allowed to do. Also known as access control. Availability | When a system is usable for its intended purpose. The security service that supports access to resources in a timely manner. If availability becomes compromised, a denial of service is taking place. Avalanche effect | A common feature of hash algorithms. This effect ensures that small changes in the input data produce large changes in the outputted hash value. A single binary digit change in a file should produce a clearly recognizable difference in the resultant hash value. Awareness | Basic security training that focuses on common or basic security elements that all employees must know and abide by. Less rigorous than training or education.
B
Backdoor | Unauthorized access to a system.
A backdoor is any access method or pathway that circumvents access or authentication mechanisms. Backup | The process of making copies of data onto other storage media. The purpose of a backup is to protect against data loss by having additional onsite or offsite copies of data that can be restored when necessary. Banner | A message sent by a service in response to a valid or invalid query. A banner can confirm communication is functioning properly or announce an error. Some banners disclose the product name and version number of the service.
Banner grabbing | The act of capturing or extracting banners from services. Hackers often perform banner grabbing after port scanning to learn what service is active on a port. Bastion host | A firewall positioned at the initial entry point where a network interfaces with the Internet. It serves as the first line of defense for the network. Also known as a sacrificial host. Bastion host OS | A system designed, built, and deployed specifically to serve as a frontline defense for a network. Behavioral-based detection | A form of IDS/IPS detection based on a recording of real-world traffic as a baseline for normal. All traffic or events that fail to match the normal baselines are considered abnormal and potentially malicious. Blacklist | A type of filtering in which all activities or entities are permitted except for those on the blacklist. Also known as a block list. Blog | A contraction of the words “web” and “log,” it is a form of Web site where the site owner posts messages, images, and videos for the public to view and potentially comment on. Blogs are commonly a platform for discussing issues, causes, or interests. Border sentry | A description often applied to firewalls positioned on network zone transitions or gateway locations. Botnet army | A network of zombie/bot/agent–compromised systems controlled by a hacker.
The network consists of the bots, agents, or zombies that intercommunicate over the Internet. Another term for zombie. Botnet | A network of zombie/bot/agent–compromised systems controlled by a hacker.
The network consists of the bots, agents, or zombies that intercommunicate over the Internet. Bots | Malicious software programs distributed by hackers to take over control of victims’ computers. Also known as agents or zombies. Bots are commonly used to construct botnets. Bottleneck | Any restriction on the performance of a system. Can be caused by a slower component or a pathway with insufficient throughput. A bottleneck causes other components of system to work slower than their optimum rate. Breach | Any compromise of security. Any violation of a restriction or rule whether caused by an authorized user or an unauthorized outsider. Bridge | A network device that forwards traffic between networks based on the MAC address of the Ethernet frame. A bridge forwards only packets whose destination address is on the opposing network. Bring Your Own Device (BYOD) | A policy of allowing or even encouraging employees, contractors, and others to connect their own computers, smartphones, and other devices to their organization’s networks. BYOD can save expenses and afford employees more autonomy, but it can also compromise security. Brute-force password attack | A form of password or encryption key cracking attack that tries all possible valid combinations from a defined set of possibilities (e.g., a set of characters or hex values). Brute-force attacks will eventually generate a valid solution given enough time, assuming the hacker uses the correct set of possibilities. Buffer overflow | A condition in which a memory buffer exceeds its capacity and extends its contents
into adjacent memory. Often used as an attack against poor programming techniques or poor software quality control. Hackers can inject more data into a memory buffer than it can hold, which may result in the additional data overflowing into the next area of memory. If the overflow extends to the next memory segment designated for code execution, a skilled attacker can insert arbitrary code that will execute with the same privileges as the current program. Improperly formatted overflow data may also result in a system crash. Bump in the stack | A term for a firewall that is implemented via software. Bump in the wire | A term for a firewall that is a separate hardware implementation. Business continuity plan | A plan to maintain the mission-critical functions of the organization in the event of a problem that threatens to take business processes offline. The goal of business continuity planning is to prevent the interruption of business tasks, even with a damaged environment and reduced resources. Business task | Any activity necessary to meet an organization’s long-term goals. Business tasks are assigned to employees and other authorized personnel via their job descriptions.
C
Caching | Retention of Internet content by a proxy server. Various internal clients may access this content and provide it to subsequent requesters without the need to retrieve the same content from the Internet repeatedly. Centralized logging system | A technique of storing or copying log events to a centralized logging server. This mechanism is used to create a redundant copy of all log files in a single warehousing location. A common example of this is syslog. Certificate Authority (CA) | A trusted third-party entity that issues digital certificates to verify and validate identities of people, organizations, systems, and networks digitally. Channel | A communication pathway, circuit, or frequency dedicated or reserved for a specific transmission. Chip creep | The slow movement of a chip out of its socket or solder points because of expansion and contraction caused by extreme temperature fluctuations. Chokepoint | Similar to a bottleneck, but deliberately created within a network infrastructure. A chokepoint is a controlled pathway through which all traffic must cross. At this point, filtering to block unwanted communication or monitoring can occur. Ciphertext | The seemingly random and unusable output from a cryptographic function applied to original data. Ciphertext is the result of encryption. Decryption converts ciphertext back into plaintext. Circuit | A logical connection between a client and a resource server. May exist at Layer 3, 4, or 5 of the OSI model. Also known as a session or a state. Circuit firewall | A filtering device that allows or denies the initial creation of a circuit, session, or state, but performs no subsequent filtering on the circuit once established. Circuit proxy | See circuit firewall. Client | A host on a network. A client is the computer system, which supports user interaction with the
network. Users employ a client to access resources from the network. Users can also employ a client generically as any hardware or software product to access a resource. For example, standard e-mail software is a client. Client/server network | A form of network where certain computers are designated as “servers” to host resources shared with the network. The remaining computers are designated as “clients” to enable users to access shared resources. Most client/server networks employ directory services and single sign-on. Also known as a domain. Client-to-server VPN | A VPN created between a client and a server either within the same local network or across a WAN link or intermediary network to support secure client interaction with the services of a resource host. Also known as a host-to-host VPN. Clipper chip | A chipset developed and promoted by the U.S. government as an encryption device to be adopted by telecommunications companies for voice transmission. It was announced in 1993 and was discontinued in 1996. Closed source | A type of software product that is pre-compiled and whose source code is undisclosed. Cluster | A logical division of data composed of one or more sectors on a hard drive. A cluster is the smallest addressable unit of drive storage, usually 512, 1,024, 2,048, or 4,096 bytes, depending on the logical volume size. Cold calling | A tactic of pursuing and extracting information for the purpose of making a sale or performing a social engineering attack. A cold call presupposes little or no knowledge of the person answering the phone. It requires the caller to be able to pick up on vocal and word clues, be knowledgeable about human nature, and adapt quickly to changes in conversation. Command shell | A software interface with a system that allows code execution. A command shell is often the focus of an attack. If a hacker gains access to a command shell, he or she can perform arbitrary code execution. Also known as a terminal window or a command prompt. For example, in Windows, the command shell prompt is usually “C:\>”. Commercial firewall | A firewall product designed for larger networks. Usually a commercial firewall is a hardware device. Common Gateway Interface (CGI) script | The Common Gateway Interface (CGI) is a standard that defines how Web server software can delegate the generation of Web pages to a console application. Such applications are known as CGI scripts. They can be written in many programming languages, although scripting languages are often used. Compliance audit | A detailed and thorough review of the deployed security infrastructure compared with the organization’s security policy and any applicable laws and regulations. Compression | Removal of redundant or superfluous data or space to reduce the size of a data set. Compression consumes less storage space and increases the speed of data transmission. Confidentiality | The security service of preventing access to resources by unauthorized users, while supporting access to authorized users. Content filtering | A form of filtering that focuses on traffic content. Application proxies perform most content filtering. Contract worker | An outsider brought into an organization to work on a temporary basis. Contracted
workers can be consultants, temporary workers, seasonal workers, contractors, or even day-laborers. Contracted workers potentially represent a greater risk than regular, full-time regular employees because they might lack loyalty, not see the company as worthy of protection, might not be accountable after a project ends, and so on. Cookie filter | A cookie is a small text file used by Web browsers and servers to track Web sessions. A cookie filter blocks the sending and receiving of cookies. Blocking cookies can reduce some threats of session tracking and identify theft, but can also disable many Web-based services such as online purchasing. Corporate firewall | An appliance firewall placed on the border or edge of an organization’s network. Cost/benefit analysis | The final equation of risk analysis to assess the relative benefit of a countermeasure against the potential annual loss of a given asset exposed to a specific threat. Covert channel | An unknown, secret pathway of communication. Covert channels can be timing or storage-based. Cross-site scripting (XSS) | The malicious insertion of scripting code onto a vulnerable Web site. The results of an XSS attack can include the corruption of the data on the Web site or identity theft of the site’s visitors. Cryptography | The art and science of hiding information from unauthorized third parties. Cryptography is divided into two main categories: encryption and decryption. Customer premise equipment (CPE) | A customer premise equipment-based VPN. This VPN is also known as a VPN appliance.
D
Data leakage prevention (DLP) | A distributed data protection technology that leverages deep analysis, context evaluation, and rules configured from a central console to ensure confidential information remains secure while in use, in transit, and at rest Data Link Layer (Layer 2) | The second layer of the OSI model responsible for physical addressing (MAC addresses) and supporting the network topology, such as Ethernet. Database-based detection | A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events. All traffic or events that match an item in the database is considered abnormal and potentially malicious. Also known as signature, knowledge, and pattern-matching based detection. Dead-man switch | A form of auto-initiation switch that triggers when the ongoing prevention mechanism fails. Common dead-man switches include firewalls and hand grenades. If the firewall stops functioning, the connection is severed. If a person dies while holding a live grenade, the safety latch opens and the grenade explodes. Decryption | The process of converting cipher text back into plain text. Dedicated connection | A network connection that is always on and available for immediate transmission of data. Most leased lines are dedicated connections. Dedicated leased lines | See dedicated connection and leased line.
De-encapsulation | The action of processing the contents of a header, removing that header, and sending the remaining payload up to the appropriate protocol in the next higher layer in the OSI model. Default allow | A security stance that allows all communications except those prohibited by specific deny exceptions. Also known as allow by default. Default deny | A security stance that blocks all access to all resources until a valid authorized explicit exception is defined. Defense in depth | A tactic of protection involving multiple layers or levels of security components. Based on the idea that multiple protections create a cumulative effect that will require an attacker to breach all layers, not just one. Demilitarized zone (DMZ) | A type of perimeter network used to host resources designated as accessible by the public from the Internet. Denial of service (DoS) attack | A form of attack that attempts to compromise availability. DoS attacks are usually of two types: flaw exploitation and flooding. DDoS (Distributed Denial of Service) often involves the distribution of robots, zombies, or agents to thousands or millions of systems that are then used to launch a DoS attack against a primary target. Deny by default/allow by exception | A security stance that prevents all communications except those enabled by specific allow exceptions. Also known as default deny. Deterrent | A form of security defense that focuses on discouraging a perpetrator with disincentives such as physical harm, social disgrace, or legal consequences. A deterrent can also be a defense that is complex or difficult to overcome, such as strong encryption, multifactor authentication, or stateful inspection filtering. Dialer | A rogue program that automatically dials a modem to a pre-defined number. Sometimes this is to auto-download additional malware to the victim or to upload stolen data from the victim. In other cases, the dialer calls premium rate telephone numbers to rack up massive long distance charges. Dictionary password attack | A form of password or encryption key-cracking attack that uses a pre- constructed list of potential passwords or encryption keys. Digital certificate | An electronic proof of identity issued by a certificate authority (CA). A digital certificate is an entity’s public key encoded by the CA’s private key. Digital envelope | A secure communication based on public-key cryptography that encodes a message or data with the public key of the intended recipient. Digital forensic techniques | Identifying, extracting, and evaluating evidence obtained from digital media such as computer hard drives, CDs, DVDs and other digital storage device Digital signature | A public-key cryptography–based mechanism for proving the source (and possibly integrity) of a signed dataset or message. A digital signature uses the private key of a sender. Not the same as a “digitized signature,” which is a digital image of handwriting. Directory service | A network service that maintains a searchable index or database of network hosts and shared resources. Often based on a domain name system (DNS). An essential service of large networks. Disaster recovery plan | A plan to restore the mission-critical functions of the organization once they have been interrupted by an adverse event. The goal of disaster recovery planning is to return the
business to functional operation within a limited time to prevent the failure of the organization due to the incident Disgruntled employee | A worker who feels wronged by his or her employer and who may take malicious, unethical, potentially illegal actions to exact revenge on the organization. Distributed denial of service (DDoS) | An attack that uses multiple remotely controlled software agents disseminated across the Internet. Because the denial of service attack comes from multiple machines simultaneously, it is “distributed.” DDoS attacks can include flooding, spam, eavesdropping, interception, MitM, session hijacking, spoofing, packet manipulation, distribution of malware, hosting phishing sites, stealing passwords, cracking encryption, and more. Distributed LAN | A LAN whose components are in multiple places that are interconnected by WAN VPN links. Diversity of defense | An approach to security similar to defense in depth, in that it supports multiple layers, but unlike it, in that it uses a different security mechanism at each, or most, of the layers. DNS poisoning | A form of exploitation in which the data on a DNS server are falsified so subsequent responses to DNS resolution queries are incorrect. DNS poisoning can wage man-in-the-middle attacks. DNS spoofing | A form of exploitation in which unauthorized or rogue DNS server responds to DNS queries with false, spoofed resolutions. DNS poisoning can wage man-in-the-middle attacks. Domain | A client/server network managed by a directory service. Domain Name System (DNS) | A network service that resolves fully qualified domain names (FQDNs) into their corresponding IP address. DNS is an essential service of most networks and their directory services. Domain registration | The information related to the owners and managers of a domain name accessed through domain registrar’s Web sites and whois lookups. A domain registration might include a physical address, people’s names, e-mail addresses, and phone numbers. This information is useful in waging social engineering attacks. Downtime | Any planned or unplanned period when a network service or resource is not available. Downtime can be caused by attack, hardware failure, or scheduled maintenance. Most organizations strive to minimize downtime through security and system management. Dual-homed firewall | A firewall that has two network interfaces. Each network interface is located in a unique network segment. This allows for true isolation of the segments and forces the firewall to filter all traffic moving from one segment to another. Dumpster diving | A type of reconnaissance in which an attacker examines an organization’s trash or other discarded items to learn internal or private information. The results of dumpster diving are often used to wage social engineering attacks. Dynamic packet filtering | The process of automatically created temporary filters. In most cases, the filters allow inbound responses to previous outbound requests. Also called stateful inspection.
E
Eavesdropping | The act of listening in on digital or audio conversations. Network eavesdropping
usually requires a sniffer, protocol analyzer, or packet capturing utility. Eavesdropping may be able to access unencrypted communication, depending on where it occurs. Edge router | A router positioned on the edge of a private network. Usually an edge router is the last device owned and controlled by an organization before an ISP or telco connection. Education | The third and highest level of obtaining security knowledge that leads to career advancement. Security education is broad and not necessarily focused on specific job tasks or assignments. More rigorous than awareness or training. Egress filtering | Filtering traffic as it attempts to leave a network, which can include monitoring for spoofed addresses, malformed packets, unauthorized ports and protocols, and blocked destinations. Electronic Privacy Information Center (EPIC) | A public interest research group in Washington, D.C., established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and Constitutional values in the information age. It pursues a wide range of activities, including privacy research, public education, conferences, litigation, publications, and advocacy. It maintains two of the world’s most popular privacy sites—epic.org and privacy.org —and publishes the online EPIC Alert every two weeks with information about emerging privacy and civil liberties issues. Encapsulating Security Payload (ESP) | The second core IPSec security protocol; it can perform authentication to provide integrity protection, although not for the outermost IP header. Encapsulation | The process of enclosing or encasing one protocol or packet inside another protocol or packet. Also known as “tunneling.” Encapsulation allows for communications to cross intermediary networks that might be incompatible with the original protocol. Encapsulation is distinct from encryption, but many encapsulation protocols include encryption. Encryption | The process of converting original data into a chaotic and unusable form to protect it from unauthorized third parties. Decryption returns the data back to its original, usable form. Enumeration | The process of discovering sufficient details about a potential target to learn about network or system vulnerabilities. Enumeration often starts with operating system identification, followed by application identification, then extraction of information from discovered services. Exploit | An attack tool, method, or technique a hacker uses to take advantage of a known vulnerability or flaw in a target system. Exposure factor (EF) | The potential amount of harm from a specific threat stated as a percentage. Used in the calculation of SLE. Extranet | A type of perimeter network used to host resources designated as accessible to a limited group of external entities, such as business partners or suppliers, but not by the public. Often, access to an extranet requires the use of a virtual private network or VPN, especially when access originates from the Internet. Extranet VPN | A VPN used to grant outside entities access into a perimeter network; used to host resources designated as accessible to a limited group of external entities, such as business partners or suppliers, but not the general public.
F
Fail-open | A failure response resulting in open and unrestricted access or communication.
Fail-safe | A failure response resulting in a secured or safe level of access or communication. Fail-secure | A failure response resulting in a secured or safe level of access or communication. Fair queuing | A technique of load balancing that operates by sending the next transaction to the firewall with the least current workload. False negative | An event that does not trigger an alarm but should have, due to the traffic or event actually being abnormal and/or malicious. This is the unwanted non-detection of a malicious event. False positive | An event that triggers an alarm but should not have, due to the traffic or event actually being benign. This is the unwanted false alarm that wastes time and resources pursuing a non- malicious event. File encryption | A form of security protection that protects individual files by scrambling the contents in such a way as to render them unusable by unauthorized third parties. File Transfer Protocol (FTP) | A protocol and a data exchange system commonly used over TCP/IP networks, including the Internet, but which is unencrypted and performs authentication and data transfer in plaintext. Filter | A written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more actions to take when the item of concern appears in traffic. A filter expresses the intention to block or deny unwanted items of concern. Also known as a rule or ACL. Filtering | The process of inspecting content against a set of rules or restrictions to enforce allow- and-deny operations on that content. Firewalls and other security components use filtering. Firewalking | A hacking technique used against static packet filtering firewalls to discover the rules or filters controlling inbound traffic. Firewall | A network security device or host software that filters communications, usually network traffic, based on a set of predefined rules. Unwanted content is denied and authorized content is allowed. Also known as a sentry device. Flaw exploitation attack | A form of DoS that uses a software specific exploit to cause the interruption of availability. Once you apply the appropriate patch, the system is no longer vulnerable to this particular exploit. Flooding | An attack, usually resulting in a DoS, in which hackers direct massive amounts of traffic toward a target to fully consume available bandwidth or processing capabilities. Footprinting | The act of researching and uncovering information about a potential attack target. Also known as reconnaissance. Fragmentation | This occurs when a dataset is too large for maximum supported size of a communication container, such as a segment, packet, or frame. The original dataset divides into multiple sections or fragments for transmission across the size-limited medium, then reassembles on the receiving end. Fragmentation can sometimes corrupt or damage data or allow outsiders to smuggle malicious content past network filters. Frame | The collection of data at the Data Link Layer (Layer 2) of the OSI model, defined by the Ethernet IEEE 802.3 standard, that consists of a payload from the Network Layer (Layer 3) to which an Ethernet header and footer have been attached. Fully qualified domain name (FQDN) | A complete Internet host name including a top-level domain
name, a registered domain name, possibly one or more sub-domain names, and a host name. Examples include: www.itttech.edu and maps.google.com. A DNS is used to resolve FQDNs into IP addresses. Fuzzing tools | Hacking and testing utilities that use a brute force technique to craft packets and other forms of input directed toward the target. Fuzzing tools stress a system to push it to react improperly, to fail, or to reveal unknown vulnerabilities.
G
Gateway | An entrance or exit point to a controlled space. A firewall is often positioned at a gateway of a network to block unwanted traffic. Gateway-to-gateway VPN | A VPN model used to connect to offices together such as a main office and a remote office. It is also referred to as a site-to-site VPN. General purpose OS | An operating system such as Windows, Linux, Mac OS, UNIX, which can support a wide variety of purposes and functions, but which, when used as a bastion host OS, must be hardened and locked down.
H
Hacker | A person who performs hacking. Modern use of this term now implies malicious or criminal intent by the hacker, although criminals are more correctly known as “crackers.” An “ethical hacker” obtains the permission of the owner of a system before hacking. Hacking | The act of producing a result not intended by the designer of a system. Hackers may perform such acts out of curiosity or malice. Malicious hacking is known as “cracking,” but many people typically call all these actions “hacking,” regardless of intent. Hacktivism | Politically or socially motivated hacking, seen by activists as a form of civil disobedience in the interest of free speech and human rights, but seen by its opponents as a form of cyberterrorism. Hairpinning | A process by which malicious code can enter from a non-secure network, and make a hairpin, or sharp turn and enter a secure network with little or no trouble because it is entering from a secure and verified endpoint. Hairpinning is a particular issue for organizations whose work-at-home employees want to connect to both an unsecure network and a VPN at the same time. Hardening | The process of securing or locking down a host against threats and attacks. This can include removing unnecessary software, installing updates, and imposing secure configuration settings. Hardware address | The physical address assigned to a network interface by the manufacturer. Also known as the MAC address. Hardware firewall | An appliance firewall. A hardened computer product that hosts firewall software exclusively. Hardware VPN | A dedicated device hosting VPN software. Also known as an appliance VPN. Hardware VPNs can connect hosts and/or networks. Hash algorithm | A set of mathematical rules and procedures that produces a unique number from a dataset. See hash and hashing.
Hash or hash value | The unique number produced by a hash algorithm when applied to a dataset. A hash value verifies the integrity of data. Hashing | The process of verifying data integrity. Hashing uses hash algorithms to produce unique numbers from datasets, known as hash values. If before and after hash values are the same, the data retain integrity. Header | The additional data added to the front of a payload at each layer of the OSI model that includes layer-specific information. Hierarchical File System (HFS) | A storage device file system developed by Apple Inc. for use on Macintosh computers. HFS supports multiple resource forks for file objects. Hijacking | This attack occurs when a hacker uses a network sniffer to watch a communications session to learn its parameters. The hacker then disconnects one of the session’s hosts, impersonates the offline system, and then begins injecting crafted packets into the communication stream. If successful, the hacker takes over the session of the offline host, while the other host is unaware of the switch. Honeynet | A collection of multiple honeypots in a network for the purposes of luring and trapping hackers. Honeypot | A closely monitored system that usually contains a large number of files that appears to be valuable or sensitive, and serves as a trap for hackers. A honeypot distracts hackers from real targets, detects new exploitations, and learns the identities of hackers. Host | A node that has a logical address assigned to it, usually an IP address. This typically implies that the node operates at and/or above the Network Layer. This would include clients, servers, firewalls, proxies, and even routers. The term excludes switches, bridges, and other physical devices such as repeaters and hubs. In most cases, a host either shares or accesses resources and services from other hosts. Host firewall | A software firewall installed on a client or server. Host VPN | A VPN endpoint located on a host client or server. A host VPN relies on either a native feature of the operating system or a third-party application. Host-to-gateway VPN | A VPN model where the remote client connects to the VPN server to gain access to the internal network. Host-to-host VPN | A VPN created between two individual hosts across a local or intermediary network. Host-to-host VPNs is also known as client-to-server or remote-to-office or remote-to-home VPNs. Host-to-site VPN | A VPN created between a host and a network across a local or intermediary network. Also known as a remote access VPN. HOSTS file | A static file on every IP-enabled host where FQDN-to-IP address resolutions can be hard-coded. Hybrid attack | A form of password or encryption key-cracking attack that combines dictionary attacks with brute force attacks. A dictionary list provides seed values to a brute force attack tool that makes modifications to the seed value. A very effective attack against users who mistakenly believe that changing a few characters or adding a few characters to a base password is actually improving the password’s strength. For example, hybrid attacks may combine dictionary words with a digit or
two to increase the likelihood of obtaining a successful result. Hybrid VPN | A form of VPN establishing a secure VPN over trusted VPN connections.
I
ICMP redirect | An announcement message sent to hosts to adjust the routing table. ICMP type 5 messages are known as redirects. Hackers can use ICMP redirects to perform man-in-the-middle or session hijacking attacks. Identity and access management (IAM) | The security discipline that enables the right individuals to access the right resources at the right times consistent with organizational policy. Identity proofing | The act of authentication. Confirming the identity of a user or host. IDS insertion | An attack that exploits the nature of a network-focused IDS to collect and analyze every packet to trick the IDS into thinking an attack took place when it actually hasn’t. The common purpose of IDS injection attacks is to trick signature or pattern matching detection of malicious network events. Incident response plan | A predefined procedure to react to security breaches to limit damage, contain the spread of malicious content, stop compromise of information, and promptly restore the environment to a normal state. Information Technology Infrastructure Library (ITIL) | A set of concepts and practices that provide detailed descriptions and comprehensive checklists, tasks and procedures for common IT practices. The Security Management section is based on the ISO 27002 standard. Ingress filtering | Filtering traffic as it attempts to enter a network. This can include monitoring for spoofed addresses, malformed packets, unauthorized ports and protocols, and blocked destinations. Insertion attack | An exploit-based on the introduction of unauthorized content or devices to an otherwise secured infrastructure. Three common insertion-based attacks include SQL injection, IDS insertion, and rogue devices. Instant message (IM) | A form of near real-time text communication. Also known as chat, IRC, and SMS messaging. Intangible cost (or value) | Costs or values not directly related to budgetary funds. They can include but are not limited to research and development, marketing edge, competition value, first to market, intellectual property, public opinion, quality of service, name recognition, repeat customers, loyalty, honesty, dependability, assurance, reliability, trademarks, patents, privacy, and so on. Integrated Services Digital Network (ISDN) | A set of communications standards for simultaneous digital transmission of voice, video, data, and other network services over the traditional circuits of the public switched telephone network. Integrity | The security service of preventing unauthorized changes to data. Intentional electromagnetic interference (IEMI) | The result of an intentional discharge made to damage or destroy electronic equipment ranging from cell phones to computers and servers. Interception attack | Any attack that positions the attacker inline with a session between a client and server. Such attacks typically allow the hacker to eavesdrop and manipulate the contents of the session. Also known as a man-in-the-middle attack.
Intermediary network | Any network, network link, or channel located between the endpoints of a VPN. Often the Internet. Internal personnel | Any worker or person who is physically present within the building or who has authorization to remotely connect into the network. Internal personnel are the most common cause of security violations. Internet Assigned Numbers Authority (IANA) | The entity responsible for global coordination of IP addressing, DNS root, and other Internet protocol resources. Internet Control Message Protocol (ICMP) | A commonly used protocol found in the Network Layer (Layer 3). ICMP rides as the payload of an IP packet. ICMP supports network health and testing. Commonly abused by hackers for flooding and probing attacks. Internet Engineering Task Force (IETF) | The standards body for Internet-related engineering specifications. Internet Key Exchange v2 (IKEv2) | The second and latest version of the IKE protocol. Internet Relay Chat (IRC) | A real-time text communication system. Hackers commonly use IRC as a way to communicate anonymously and control botnets. Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) | A legacy protocol developed by Novell for their NetWare networking product. Mostly replaced by TCP/IP. Intrusion detection system (IDS) | A security mechanism to detect unauthorized user activities, attacks, and network compromise. An IDS can respond in a passive manner through alerts and logging or in an active manner by disconnecting an offending session. Intrusion prevention system (IPS) | A security mechanism to detect and prevent attempts to breach security. IP address | The temporary logical address assigned to hosts on a network. An IP address is managed and controlled at the Network Layer (Layer 3) of the OSI model by IP (Internet Protocol). IPv4 addresses are 32-bit addresses presented in human-friendly dotted-decimal notation. IPv6 addresses are 128-bit address presented in a special hexadecimal grouping format. IP Multimedia Subsystem (IMS) | An architectural framework for delivering IP multimedia services; IMS would carry packet communications in all known forms over wireless or landline, everything from traditional telephony to video on demand (VoD). IPSec | IP protocol encryption services extracted from IPv6 to be used as an add-on component for IPv4. IPSec provides tunnel mode and transport mode encrypted Network Layer connections between hosts and/or networks.
J
Job description | An essential part of security and an extension of the written security policy. The job description defines the business tasks for each person within the organization. This in turn prescribes the authorization personnel need to accomplish these assigned tasks.
K
Kerberos | A computer network authentication protocol that allows nodes communicating over a non-
secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by Massachusetts Institute of Technology (MIT) that implements this protocol. It was designed as a client-server model, and it provides mutual authentication—both the user and the server verify each other’s identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. Key or encryption key | The unique number used to guide an algorithm in the encryption and decryption process. A valid key must be within the keyspace of an algorithm. Key exchange | The cryptographic function ensuring that both endpoints of a commutation have the same symmetric key. Key exchange occurs by simultaneous key generation or with a digital envelope. Key pair | The set of associated keys including a public key and a private key used by public key cryptography. Only the public key can decrypt data encrypted by the private key, and vice versa. Keyspace | The range of valid keys used by an algorithm. Keyspace is the bit length of the keys supported by the algorithm. Keystroke logger | Malware that records all keyboard input and transmits the keystroke log to a hacker. Knowledge-based detection | A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events. All traffic or events that match an item in the database is considered abnormal and potentially malicious. Also known as signature, database, and pattern-matching–based detection.
L
LAN-to-LAN VPN | A VPN between two networks over an intermediary network. Also known as WAN VPN and site-to-site VPN. Layer 2 Forwarding (L2F) Protocol | An early communications protocol that competed with Point- to-Point Tunneling Protocol. Layer 2 Tunneling Protocol (L2TP) | An older protocol largely replaced by IPSec and SSL/TLS- based VPNs in production environments, but still in use in some older environments. Leased line | A network communications line leased from an ISP or telco service. A leased line is usually a dedicated line between network locations or to the Internet. Leetspeak | A somewhat secret form of communication or language hackers use based on replacing letters with numbers, symbols, or other letters that somewhat resemble the original characters. For example, “elite” becomes “eleet,” and then becomes “31337.” Load balancer | A system or device (hardware or software) that takes the load coming into a set of servers and ensure that the load is balanced between or among the servers. Load balancing | A network traffic management technique to spread the workload or traffic levels across multiple devices to maintain availability, uptime, and high-performance at wirespeed. Local area network (LAN) | A network confined to a limited geographic distance. Generally, a LAN is comprised of segments that are fully owned and controlled by the host organization as opposed to using lines leased from telcos. Log | A log is a recording or notation of activities. Many security services, applications, and network
resources automatically create a log of all events. Also known as an event log or a log file. Logging | The act of creating or recording events into a log. Similar to auditing and monitoring. Logic bomb | Malware that acts like an electronic land mine. Once a hacker places a logic bomb in a system, it remains dormant until a triggering event takes place. The trigger can be a specific time and date, the launching of a program, the typing of a specific keyword, or accessing a specific URL. Once the trigger occurs, the logic bomb springs its malicious event on the unsuspecting use. Logical address | A temporarily assigned address given to a host. IP address is a common example of a logical address. Most logical addresses exist at the Network Layer (Layer 3) of the OSI model.
M
MAC spoofing | The act of a hacker changing the MAC address of their network interface. Commonly used to bypass MAC filtering on a wireless access point by impersonating a valid client. Malicious code | Any software that was written with malicious intent. Administrators use anti-virus and anti-malware scanners to detect and prevent malicious code (also known as malware) from causing harm within a private network or computer. Management interface | The command line or graphical interface used to control and configure a device. Often accessible through a console (CON) port on the device or through a logical interface across the network. Man-in-the-middle (MinM) attack | This attack occurs when a hacker is positioned between a client and a server and the client is fooled into connecting with the hacker computer instead of the real server. The attack performs a spoofing attack to trick the client. As a result, the connection between the client and server is proxied by the hacker. This allows the hacker to eavesdrop and manipulate the communications. Maximum Transmission Unit (MTU) | The largest amount of data that a datagram can hold based on the limitations of the networking devices managing a given segment. As an MTU changes across a communication path, a datagram may be fragmented to comply with the MTU restriction. Mean time between failures (MTBF) | A rating on some hardware devices expressing the average length of time between significant failures. Mean time to failure (MTTF) | A rating on some hardware devices expressing the average length of time until the first significant failure is likely to happen. Media Access Control (MAC) address | The physical address assigned to a network interface by the manufacturer. The MAC address is a 48-bit binary address presented in as hexadecimal pairs separated by colons. The first half of a MAC address is known as the Organizationally Unique Identifier (OUI) or vender ID, the last half is the unique serial number of the NIC. Metacharacter | A character that has a special meaning assigned to it and recognized as part of a scripting or programming language. Metacharacters should be filtered, escaped, or blocked to prevent script injection attacks. Escaping metacharacters is a programmatic tactic to treat all characters as basic ASCII rather than as something with special meaning or purpose. Mission-critical | The state or condition of an asset or process vitally important to the long-term existence and stability of an organization. If a mission-critical element is interrupted or removed, it often results in the failure of the organization.
MITRE | The MITRE Corporation is a not-for-profit organization chartered to work in the public interest. It sponsors a vulnerability research, cataloging, and information organization: http://cve.mitre.org/. Mobile code | A form of software transmitted to and executed on a client. Hackers can use mobile code for malicious purposes. Mobile IP | A standard communications protocol designed to let mobile device users move from one network to another while maintaining a permanent IP address; this concept is also known as IP mobility. Mobile IP for IPv4 is described in RFC 5944. Mobile IPv6, designed to work with next generation of the Internet Protocol, is covered in RFC 6275. Modeling | The process of simulating and testing a new concept, design, programming, technique, and so forth before deployment into a production environment. Modeling often occurs before piloting. Monitoring | The act of watching for abnormal or unwanted circumstances. Commonly used interchangeably with logging and auditing. Monkey-in-the-middle attack | Another term for man-in-the-middle attack. Multifactor authentication | Authentication that requires multiple valid proofs of identity used in simultaneous combination.
N
National Information Infrastructure (NII) | The product of the High Performance Computing and Communication Act of 1991. It was a telecommunications policy buzzword, which was popularized during the Clinton administration under the leadership of Vice President Al Gore. It was a proposed advanced, seamless web of public and private communications networks, interactive services, interoperable hardware and software, computers, databases, and consumer electronics to put vast amounts of information at users’ fingertips. National Institute of Standards and Technology (NIST) | NIST is a non-regulatory federal agency within the U.S. Department of Commerce whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. As part of its mission, the NIST performs vulnerability research, cataloging, and information distribution: http://nvd.nist.gov/. National Security Agency (NSA) | The National Security Agency/Central Security Service (NSA/CSS) is a cryptologic intelligence agency of the United States government, administered as part of the United States Department of Defense. It is responsible for the collection and analysis of foreign communications and foreign signals intelligence, which involves cryptanalysis. It is also responsible for protecting U.S. government communications and information systems from similar agencies elsewhere, which involves cryptography. Native firewall | A firewall within an operating system or hardware device placed there by the vendor or manufacturer. Can also include firewalls not necessarily installed by default, but which you can add to a system through an update or patch installation. NetBIOS Extended User Interface (NetBEUI) | An application-programming interface (API) developed by IBM in 1985 to emulate NetBIOS on a token ring network. Still used by Microsoft to describe a Transport Layer protocol for file and print sharing over Ethernet, which technically is
better termed NetBIOS Frames (NBF). NBF makes extensive use of broadcast messages and thus introduces additional traffic to a network. Network access control (NAC) | A mechanism that limits access or admission to a network based on the security compliance of a host. Network address translation (NAT) | A service that converts between internal addresses and external public addresses. This conversion is performed on packets as they enter or leave the network to mask and modify the internal client’s configuration. The primary purpose of NAT is to prevent internal IP and network configuration details from being discovered by external entities, such as hackers. Network Layer (Layer 3) | The third layer of the OSI model. This layer is responsible for logical addressing (IP addresses) and routing traffic. Network News Transfer Protocol (NNTP) | The protocol used by the USENET message service. USENET is a persistent message service that allows anyone to post and read messages from over 100,000 named, categorized, topical newsgroups. Network security | The collection of security components assembled in a network to support secure internal and external communications. Network security depends on upon host security. Network security operates to protect the network as a whole, rather than as individual systems. New Technology File System (NTFS) | A file format developed by Microsoft commonly used on Windows systems. NTFS offers file security, large volume size, large file size, and alternate data streams (ADS). Nmap | A network mapping tool that performs network scanning, port scanning, OS identification, and other types of network probing. Nmap is available at http://www.insecure.org/. Node | Any device on the network that can act as the endpoint of a communication. This includes clients, servers, switches, routers, firewalls, and anything with a network interface that has a MAC address. A node is a component that can receive communication with, rather than one that communication only through or across. For example, network cables and patch panels are not nodes. Non-authenticating query service | Any communication exchange that does not verify the identity of the endpoints of a communication and accepts any properly formed response as valid. DNS and ARP are common examples. Hackers can easily spoof such a service. Non-dedicated connection | A network connection not always on and available for immediate transmission of data. A connection must be established through a negation process before the channel is open and ready for data transmission. Dial-up, ISDN, and DSL lines are non-dedicated connections. Nonrepudiation | A security service that ensures that a sender cannot deny sending a message. This service can be provided by public key cryptography, typically through a digital signature.
O
One-time pad | A form of cryptography in which each encryption key is used once before being discarded. Keys are pseudorandom and never repeat. Key length must match message length, so that each character is encrypted with a unique key character. One-way function | A mathematical operation performed in one direction relatively easily; reversing
the operation is impossible—or nearly so. Open source | A type of software product that may or may not be pre-compiled and whose source code is freely disclosed and available for review and modification. Opportunistic hackers | A person who takes advantages of unique or abnormal situations to perform malicious actions, but who would not initiate such actions otherwise. Optical carrier (OC) | A form of network carrier line, often leased or dedicated, which uses fiber optic cables for very high-speed connections. An OC-1 connection supports a throughput of 51.84 Mbps. OS/2 | A multi-tasking operating system developed jointly by Microsoft and IBM. First released in 1987, it lost nearly its entire market share to Windows after the two companies ceased collaboration in 1990. IBM discontinued support in 2006. Open Systems Interconnection (OSI) Reference Model | A standard conceptual tool used to discuss protocols and their functions. The OSI model has seven layers. Each layer can communicate with its peer layer on the other end of a communication session. While the OSI model helps to discuss protocols, most protocols are not in full compliance with it. Out of band | A method of communication through an alternative route, mechanism, or pathway than the current one employed (the current communication is known as “in band”). Commonly used as a technique for secured data exchange or verification of an identity.
P
Packet | The collection of data at the Network Layer (Layer 3) of the OSI model. It consists of the payload from the Transport Layer (Layer 4) above and the Network Layer header. IP packets are a common example. Padded cell | Specialized host used to place an attacker into a system where the intruder cannot do any harm. Partition | A logical division of a hard drive that can be formatted with a file system. Passive threat | Any harmful code or site that depends upon the user’s actions to be accessed or activated. If users never visit an infected site or do not perform the risky activity, the threat never reaches them. A passive threat is similar to a virus in that it depends upon the activity of the user to activate, infect, and spread. Patch management | The procedure of watching for the release of new updates from vendors, testing the patches, obtaining approval, then overseeing the deployment and implementation of updates across the production environment. Payload | The non-header component of a PDU/segment/packet/frame. The payload is the data received from the layer above that includes the above layer’s header and its payload. Permission | An ability to interact with a resource that is granted or denied to a user through some method of authorization or access control, such as access control lists (ACLs) Personal firewall | Typically a software host firewall installed on a home computer or network client. Can also refer to SOHO hardware firewalls such as those found on DSL and cable modems and wireless access points.
Phishing | An attack that seeks to obtain information from a victim by presenting false credentials or luring victims to an attack site. Phishing can occur face to face, over the phone, via e-mail, on a Web site, or through IM. Physical address | The hardware address assigned to a network interface by the manufacturer. Also known as the MAC address. Physical Layer (Layer 1) | The bottom or first layer of the OSI model. This layer converts data into transmitted bits over the physical network medium. Piloting | Using a new service, device, configuration, software, and so on to a limited number of testing hosts before rolling out the new component to the entire production environment. Piloting often occurs after modeling. Also called beta testing. Ping sweep | A network scan that sends ICMP type 8 echo requests to a range of IP addresses to obtain ICMP type 0 echo responses. A ping sweep can discover active systems and identify the IP addresses in use. Playback attack | See replay attack. Point-to-Point Protocol (PPP) | A protocol commonly used in establishing a direct connection between two networking nodes. Point-to-Point Tunneling Protocol (PPTP) | An early proprietary protocol from Microsoft. Pop-up blocker | A software tool that prevents or restricts Web sites from automatically opening additional tabs or windows without the user’s consent. These additional windows are known as pop- ups or pop-unders. Pop-ups are commonly used as methods of advertising, as well as elements in social engineering and distribution of malicious code. Port address translation | An extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. Port-based network access (admission) control (PNAC) | A form of network access control or admission control (NAC) used on individual network access devices, such as firewalls, VPN gateways, and wireless routers, to offload authentication to a dedicated authentication server/service. Only after valid authentication are communications with or across the network device allowed. Port forwarding | The function of routing traffic from an external source received on a specific pre- defined IP address and port combination (also known as a socket) to an internal resource server. Also known as reverse proxy and static NAT. Port number | The addressing scheme used at the Transport Layer (Layer 4) of the OSI model. There are 65,535 ports, each of which can in theory support a single simultaneous communication. Port scanning | A network scan that sends various constructions of TCP or UDP packets to determine the open or closed state of a port. Tools such as nmap are used to perform port scanning. POSIX | A variant of the UNIX operating system. Supported by Windows NT 4.0, but not in any subsequent version of Windows. POSIX used the ADS feature of NTFS. Post Office Protocol (POP) | An Application Layer protocol used by e-mail clients to receive messages from an e-mail server. The default TCP/IP port is 110, and it does not encrypt communications. The companion SMTP protocol sends messages to an e-mail server. Presentation Layer (Layer 6) | The sixth layer of the OSI model translates the data received from
host software into a format acceptable to the network. This layer also performs this task in reverse for data coming from the network to host software. Principle of least privilege | The guideline that all users should be granted only the minimum level of access and permission required to perform their assigned job tasks and responsibilities. Privacy | Keeping information about a network or system user from being disclosed to unauthorized entities. While typically focused on private information like a Social Security number, medical records, credit card number, cellular phone number, etc., privacy concerns extend to any data that represents personally identifiable information (also known as PII). Private branch exchange (PBX) | A type of business telephone network. PBX systems allow for multiple phone extensions, voice mailboxes, and conference calling. PBX systems require specialized equipment. PBX systems are largely being replaced by VOIP (Voice over IP) solutions. Private IP address | The ranges of IP addresses defined in RFC 1918 for use in private networks that are not usable on the Internet. Private key | The key of the public key cryptography key pair kept secret and used only by the intended entity. The private key decodes information encoded with its associated public key, encrypting information that can be decrypted only by its associated public key. This process validates the identity of the originator and creates a digital signature. Privilege | An increased ability to interact with and modify the operating system and desktop environment granted or denied to a user through some method of authorization or access control, such as user rights on a Windows system. Privilege escalation | The act of obtaining a higher level of privilege or access for a user account or a session. A tactic employed by hackers once they intrude into a network through the compromise of a normal user account. Professional hacker | A criminal whose objective is to compromise IT infrastructures. Whether operating as individuals, offering mercenary hacking services, or functioning as members of a criminal ring, professional hackers focus time and energy on becoming effective cyber attackers. A professional hacker is someone who contracts out his or her hacking skills to others. Proprietary OS | An operating system built exclusively to run on a bastion host device. Most appliance firewalls employ a proprietary operating system. Protocol Data Unit (PDU) | The collection of data at the Session, Presentation, and Application layers (Layers 5–7) of the OSI model. Proxy attack | See man-in-the-middle attack. Proxy manipulation | An attack in which a hacker modifies the proxy settings on a client to redirect traffic to another system, such as the hacker’s own machine. The hacker may host a proxy server in addition to eavesdropping and manipulating the redirected traffic. Proxy server | A network service that acts as a “middle man” between a client and server. A proxy can hide the identity of the client, filter content, perform NAT services, and cache content. Pseudo random number generator (PRNG) | The mechanism of computer systems that produces partially random numbers using a complex algorithm and a seed value that is usually time based. Computers are currently unable to produce true random numbers and a PRNG approximates randomness.
Public IP address | Any address that is valid for use on the Internet. This excludes specially reserved addresses such as loopback (127.0.0.1–127.255.255.255), RFC 1918 addresses, and the Windows APIPA addresses (169.254.0.0–169.254.255.255). Organizations lease public addresses from an Internet Service Provider (ISP). Public key | The key of the public key cryptography key pair shared with other entities with whom the holder of the private key wishes to correspond. The public key decodes messages encoded with its associated private key, originates messages that only the holder of the associate private key can decrypt, and creates digital envelopes. Public key cryptography | A subset of asymmetric cryptography based on the use of key pair sets. Public key cryptography uses public and private keys to create digital envelopes and digital signatures. Public key infrastructure (PKI) | A combination of several cryptographic components to create a real-world solution that provides secure communications, storage, and identification services. Commonly uses symmetric encryption, asymmetric/public key encryption, hashing, and digital certificates. In most cases, when PKI refers to authentication, digital certificates are used as credentials. Public network | Any network that accessible by entities from outside an organization. Most often, use of this term implies the Internet, but many other public networks exist. Pwned | A leetspeak word derived from a common IRC typo of “owned.” Used to mean hacking and taking over control of a computer or network.
R
Reconnaissance | The act of learning as much as possible about a target before attempting attacks. Reconnaissance consists of collecting data about the target from multiple sources online and offline. Effective reconnaissance is done covertly, without tipping off the target about the research. Reconnaissance can also be called footprinting, discovery, research, and information gathering. Recreational hacker | Someone who enjoys exploring and learning about computer technology but may put an organization’s network at risk by bringing in unapproved software, experimenting on the network, or just trying an exploit to “see if it works.” Redundancy | The feature of network design that ensures the existence of multiple pathways of communication. The purpose is to prevent or avoid single points of failure. Redundant array of independent disks (RAID) | A disk set management technology that gains speed and fault tolerance. RAID can provide some protection against hard drive failure, but does not protect against software or data compromises, such as virus infection. Regional Internet Registry (RIR) | The five regional organizations that oversee and monitor the allocation and registration of IP addresses (both IPv4 and IPv6). RIR consists of American Registry for Internet Numbers (ARIN), RIPE Network Coordination Center (RIPE NCC), Asia-Pacific Network Information Centre (APNIC), Latin American and Caribbean Internet Address Registry (LACNIC) and African Network Information Centre (AfriNIC). Rekeying | The process of triggering the generation of a new symmetric encryption key and secure exchange of that key. Rekeying can take place based on time, idleness, volume, randomness, or
election. Remote access | A communications link that enables access to network resources using a wide area network (WAN) link to connect to a geographically distant network. In effect, remote access creates a local network link for a system not physically local to the network. Over a remote access connection, a client system can technically perform all the same tasks as a locally connected client, with the only difference being the speed or the bandwidth of the connection. Remote access server (RAS) or network access server (NAS) | A network server that accepts inbound connections from remote clients. Also known as a network access server (NAS). Remote access VPN | Another name for host-to-site VPN. Remote-to-home VPN | A VPN used to connect a remote or mobile host into a home computer or network. Also known as a host-to-host VPN. Remote-to-office VPN | A VPN used to connect a remote or mobile host into office network workstation. Also known as a host-to-host VPN. Remote control | The ability to use a local computer system to remotely take control of another computer over a network connection. Often used for remote technical assistance. Replay attack | This attack occurs when a hacker uses a network sniffer to capture network traffic and then retransmits that traffic back on to the network at a later time. Replay attacks often focus on authentication traffic in the hope that retransmitting the same packets that allowed the real user to log into a system will grant the hacker the same access. Request for comments (RFC) | A document that defines or describes computer and networking technologies. These documents are published by the Internet Engineering Task Force, the standards body for Internet engineering specifications. RFCs exist for hardware, operating systems, protocols, security services, and much more. Resources | Any data item or service available on a computer or network accessible by a user to perform a task. Return on Investment (ROI) | A business evaluation technique to determine whether an investment will earn back equivalent or greater benefit within a specific time. Reverse caching | A means of providing faster access to static content for external users accessing internal Web servers. Reverse proxy | The function of routing traffic from an external source received on a specific pre- defined IP address and port combination (also known as a socket) to an internal resource server. Also known as port forwarding and static network address translation (NAT). RFC 1918 addresses | IP addresses that, by convention, are not routed outside a private or closed network. Class A: 10.0.0.0–10.255.255.255; Class B: 172.16.0.0–172.31.255.255; Class C: 192.168.0.0–192.168.255.255 Risk | The likelihood or potential for a threat to take advantage of a vulnerability and cause harm or loss. Risk is a combination of an asset’s value, exposure level, and rate of occurrence of the threat. A goal of security is to recognize, understand, and eliminate risk. Risk assessment | Risk assessment is the process of examining values, threat levels, likelihoods, and total cost of compromise versus the value of the resource and the cost of the protection. This involves the use of values and calculations, such as AV, EF, SLE, ARO, ALE, and the cost/benefit equation.
Risk management | Performing risk assessment, and then acting on the results to reduce or mitigate risk. Often risk assessment establishes a new security policy and then aids in revising it over time. Rogue access point | An access point set up and configured by a hacker to fool users into connecting with it. The hacker may then use the connection to carry out an attack such as a man-in-the-middle attack. Role or job role | A collection of tasks and responsibilities defined by a security policy or job description for an individual essential productivity, or security position. Rootkit | A form of malware that hackers can upload and deploy on a target system. It often replaces multiple components of the host operating system with altered code. Round-robin | A form of load balancing which hands out tasks in a repeating non-priority sequence. Router | A network device responsible for directing traffic towards its stated destination along the best-known current available path. RRDool | A round-robin database tool intended to handle time-series data like network bandwidth, temperatures, CPU load, and so on. The data are stored in a round-robin database (circular buffer); thus the system storage footprint remains constant over time. Rule | A written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more actions to take when the item of concern appears in traffic. Also known as a filter or ACL. Rule set | The list of rules on a firewall (or router or switch) that determine what traffic is and is not allowed to cross the filtering device. Most rule sets employ a first-match-apply-action process.
S
Sacrificial host | A firewall positioned at the initial entry point where a network interfaces with the Internet serving as the first line of defense for the network. Also known as a bastion host. Scalability | The ability of a product or service to provide adequate performance across changes in size, load, scope, or volume. Scanning | The act of probing a network using custom crafted packets. Scanning can determine the IP addresses in use and whether ports are open or closed. The tool nmap can be used to perform scanning. Screening router | A router that can perform basic static packet filtering services in addition to routing functions. A screening router is the predecessor of modern firewalls. Script kiddie | A new, inexperienced, or ignorant hacker who uses pre-built attack tools and scripts instead of writing his or her own or customizing existing ones. Even though a derogatory term in the hacker community, “script kiddie” still describes a serious threat to network security. Sector | A subdivision of computer storage medium that represents a fixed size of user-accessible data. Magnetic disks typically have 512-byte sectors; optical disks have 2,048-byte sectors. When a device is formatted, sectors are grouped into clusters. Secure Shell (SSH) | A network protocol that allows data exchange using a secure channel between two networked devices. It is used primarily on GNU/Linux and UNIX based systems to access shell accounts. SSH was a replacement for Telnet and other insecure remote shells, which send
information, notably passwords, in plaintext, rendering them susceptible to packet analysis. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet. Secure Sockets Layer (SSL) | A security protocol that operates at the top of the Transport Layer (Layer 4) and resides as the payload of a TCP session. Netscape designed SSL in 1997 for secure Web e-commerce, but it can encrypt any traffic above the Transport Layer. It uses public key certificates to identify the endpoints of session and uses symmetric encryption to protect transferred data. SSL v3.0 is the last version of SSL; TLS is replacing SSL. Secured VPN | A VPN that uses encryption to protect the confidentiality of its transmissions. Security objectives | Sets of stated purposes or targets for network security activity. Standard objectives are confidentiality, integrity, and availability. Objectives are generally more oriented towards achieving or maintaining the goals, such as ensuring the confidentiality of resources. Security policy | A written document prescribing security goals, missions, objectives, standards, procedures, and implementations for a given organization. Also identifies what assets need protection based on their value. Security stance | An organization’s filtering configuration; in essence, its answer to the question, “What should be allowed and what should be blocked?” Security Technical Implementation Guides (STIGS) | A security guideline, procedure, or recommendation manual. Security through obscurity | A form of security based on hiding details of a system, or creating convolutions that are difficult to understand. Such strategies do not usually resist a persistent attack, and are used when true security is poorly understood or the perceived threat is insufficient to overcome the obscure methodology. For example, proprietary source encryption algorithms can be labeled security through obscurity, as no forum for peer review or for formal testing exists to examine whether the methodology is cryptographically sound. Segment | The collection of data at the Transport Layer (Layer 4) of the OSI model. It consists of the payload from the Session Layer (Layer 5) above and the Transport Layer header. TCP segments are a common example. (Note: UDP segments are called datagrams as they are connectionless, rather than connection-oriented). Senior management | The individual or group of highest controlling and responsible authority within an organization. Ultimately the success or failure of network security rests with senior management. Separation of duties | An administrative rule whereby no single individual possesses sufficient rights to perform certain actions. Achieved by dividing administrative level tasks and powers among compartmentalized administrators. Server | A host on a network. A server is the computer system that hosts resources accessed by users from clients. Service level agreement (SLA) | A contractual commitment by a service provider or support organization to its customers or users. Session | A logical connection between a client and a resource server. May exist at Layer 3, 4, or 5 of the OSI model. Also known as a circuit or a state. Session hijacking | When a hacker is able to take over a connection after a client has authenticated
with a server. To perform this attack, a hacker must eavesdrop on the session to learn details, such as the addresses of the session endpoints and the sequencing numbers. With this information, the hacker can desynchronize the client, take on the client’s addresses, and then inject crafted packets into the data stream. If the server accepts the initial false packets as valid, then the session has been hijacked. Session Layer (Layer 5) | The fifth layer of the OSI model. This layer manages the communication channel, known as a session, between the endpoints of the network communication. A single transport layer connection between two systems can support multiple simultaneous sessions. Shell code | The content of an exploit to be executed on or against a target system. Signature-based detection | A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events. All traffic or events that match an item in the database is considered abnormal and potentially malicious. Also known as database, knowledge, and pattern-matching–based detection. Simple Mail Transfer Protocol (SMTP) | An Application Layer protocol used by e-mail clients to send messages to an e-mail server and is also used to relay messages between e-mail servers. The default TCP/IP port is 25, and it does not encrypt communications. The companion POP protocol receives messages from an e-mail server. Single-factor authentication | The use of only a single element of validation or verification to prove the identity of a subject. Considered much weaker than multi-factor authentication. Single loss expectancy (SLE) | The calculation of the loss potential across of a single incident for a given asset and a specific threat. SLE calculations are part of risk assessment. SLE = AV × EF. Single point of failure | Any element of a system or network infrastructure, which is the primary or only pathway through which a process occurs. The compromise of such an element could result in system failure. Network design should avoid single points of failure by including redundancy and defense in depth. Single sign-on (SSO) | A network security service that allows a user to authenticate to an entire domain through a single client log on process. All domain members will accept this single authentication. Local authorization is used to control access to individual resources. Such a single authentication can be more complex, since multiple logons for each individual server are not required. Site-to-site VPN | A VPN used to connect networks. Also known as a LAN-to-LAN VPN and WAN VPN. Slack space | The unused portion of the last cluster allocated to a stored file. It may contain remnants of prior files stored in that location. Hackers can hijack slack space to create hidden storage compartments. Slideware | An industry term referring to any product that appears in a vendor’s PowerPoint slide deck, but is not yet available in one of its products. Also sometimes known as “vaporware.” Sniffer | A software utility or hardware device that captures network communications for investigation and analysis. Also known as packet analyzer, network analyzer, and protocol analyzer. Social engineering | The craft of manipulating people into performing tasks or releasing information that violates security. Social engineering relies on telling convincing lies to manipulate people or take advantage of the victim’s desire to be helpful.
Socket | The combination of an IP address and a port number as a complete address. Software firewall | A host firewall installed on a client or server. Software VPN | A VPN crafted by software rather than hardware. Software VPN may be a feature of the operating system or a third-party application. SOHO (small office, home office) network | Any small network, workgroup, or client/server, deployed by a small business, a home-based business, or just a family network in a home. Spam | Unwanted and often unsolicited messages. Spam is not technically malicious software, but spam can have a serious negative effect on IT infrastructures through sheer volume. Estimates vary, but spam may represents up to 95 percent of all e-mail (which implies for every legitimate e-mail there are up to 19 unrelated spam e-mails.) Split tunnel | A VPN connection that allows simultaneous access to the secured VPN link and unsecured access to the Internet across the same connection. Spoofing | The falsification of information. Often spoofing is the attempt to hide the true identity of a user or the true origin of a communication. Spyware | An advancement of keystroke logging to monitor and record many other user activities. Spyware varies greatly, but it can collect a list of applications launched, URLs visited, e-mail sent and received, chats sent and received, and names of all files opened. It can also record network activity, gather periodic screen captures, and even recording from a microphone or Web cam. Can be linked with adware. SQL injection | A form of Web site/application attack in which a hacker submits SQL expressions to cause authentication bypass, extraction of data, planting of information, or access to a command shell. State | A logical connection between a client and a resource server. May exist at Layer 3, 4, or 5 of the OSI model. Also known as a session or a circuit. Stateful inspection | The process of automatically tracking sessions or states to allow inbound responses to previous outbound requests. Also called dynamic packet filtering. Static electricity discharge (SED) or Electrostatic discharge (ESD) | A sudden and momentary electric current, usually of high voltage and low amperage, that flows between two objects. Commonly caused by low humidity environments. Humans, polyester, and plastics are prone to static build-up. SED can damage most computer components. Static NAT | The static coding of a translation pathway across a NAT service. Also known as port forwarding and reverse proxy. Static packet filtering | A method of filtering using a static or fixed set of rules to filter network traffic. The rules can focus on source or destination IP address, source or destination port number, IP header protocol field value, ICMP types, fragmentation flags, and IP options. Static packet filtering is therefore mainly focused on the Network Layer (Layer 3), but can also include Transport Layer (Layer 4) elements. Static packet filtering focuses on header contents and does not examine the payload of packets or segments. Sunk cost | Time, money, and effort already spent on a project, event, or device. In economics, sunk costs are irrelevant to future decisions. Emotionally, however, people often use sunk costs as a rationalization to continue failing processes or procedures. Switch | A device, which provides network segmentation through hardware. Across a switch,
temporary dedicated electronic communication pathways are created between the endpoints of a session (such as a client and server). This switched pathway prevents collisions. Additionally, switches allow the communication to use the full potential throughput capacity of the network connection, instead of 40 percent or more being wasted by collisions (as occurs with hubs). Symmetric cryptography | Cryptography based on algorithms that use a single shared secret key. The same key encrypts and decrypts data and the same key must be shared with all communication partners of the same session. Synchronous dynamic random access memory (SDRAM) | Dynamic random access memory (DRAM) that has a synchronous interface. Traditionally, dynamic random access memory (DRAM) has an asynchronous interface, which means that it responds as quickly as possible to changes in control inputs. SDRAM has a synchronous interface, meaning that it waits for a clock signal before responding to control inputs and is therefore synchronized with the computer’s system bus. Systems Network Architecture (SNA) | A legacy networking protocol developed by IBM commonly used to support communications between mainframes. Mostly replaced by TCP/IP.
T
Tangible cost (or value) | Costs or values directly related to budgetary funds. They can include, but are not limited to: purchase, license, maintenance, management, administration, support, utilities, training, troubleshooting, hardware, software, updates/upgrades, and so forth. Tcpdump | A common packet analyzer that runs at the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Telco | Short for telecommunications company or corporation. Used to refer to any company that sells or leases WAN connection services whether wired or wireless. Telecommuting | The act of working from a home, remote, or mobile location while connecting into “the employer’s private network, often using a VPN. Telnet | A protocol and a service used to remotely control or administer a host through a plaintext command line interface. Terminal server/services/session | A modern form of legacy thin client operation. A thin client software utility connects to a central terminal server, which simulates remote control. A terminal service system can support multiple simultaneous terminal client connections. When terminal services are in use, the client workstation coverts to thin client status. All operations of storage and processing then take place on the terminal server. Thin client computing | A legacy terminal concept used to control mainframes. Thin clients had no local processing or storage capability. Modern thin clients simulate these limitations and perform all operations on the terminal server, remote control server, or thin client server. Threat | Any potential harm to a resource or node on the network. Threats can be natural or artificial, caused by mother nature or man, or by the result of ignorance or malicious intent. Threats originate internally and externally. Traceroute | A computer network tool used to show the route taken by packets across an IP network. An IPv6 variant, traceroute6, is also widely available.
Traffic congestion | The problem when too much data crosses a network segment. This results in reduced throughput, increased latency, and lost data. Training | The second level of knowledge distribution offered by an organization to educate users about job task focused security concerns. More rigorous than awareness; less rigorous than education. Transmission Control Protocol (TCP) | The connection-oriented protocol operating at the Transport Layer (Layer 4) of the OSI model. Transport Layer (Layer 4) | The fourth layer of the OSI model. This layer formats and handles data transportation. This transportation is independent of and transparent to the application. Transport Layer Security (TLS) | A security protocol that operates at the top of the Transport Layer (Layer 4) and resides as the payload of a TCP session. It uses public key certificates to identify the endpoints of session and uses symmetric encryption to protect transferred data. TLS 1.0 is the replacement for SSL 3.0. Transport mode encryption | A form of encryption also known as point-to-point or host-to-host encryption. Transport mode encryption protects only the payload of traffic and leaves the header in plain-text original form. Trapdoor | A form of unauthorized access to a system. A trapdoor is any access method or pathway that circumvents access or authentication mechanisms. Also known as a backdoor. Triple-homed firewall | A firewall that has three network interfaces. Each network interface is located in a unique network segment. This allows for true isolation of the segments and forces the firewall to filter all traffic traversing from one segment to another. Trojan horse | A mechanism of distribution or delivery more than a specific type of malware. The Trojan horse embeds a malicious payload within a seemingly benign carrier or host program. When the host program is executed or otherwise accessed, the malware is delivered. The gimmick of a Trojan horse is the act of fooling someone (a type of social engineering attack) into accepting the Trojan program as safe. Trust | Confidence in the expectation that others will act in your best interest, or that a resource is authentic. On computer networks, trust is the confidence that other users will act in accordance with the organization’s security rules and not attempt to violate stability, privacy, or integrity of the network and its resources. Trusted Platform Module (TPM) | A dedicated microchip found on some motherboards that host and protect the encryption key for whole hard drive encryption. Trusted third party | A mechanism of authentication using a third entity known and trusted by two parties. The trusted third party allows the two communicating parties, who were originally strangers to each other, to establish an initial level of inferred trust. Trusted VPN | A VPN whose components are wholly owned by the organization it serves. Tunnel mode encryption | A form of encryption also known as site-to-site, LAN-to-LAN, gateway- to-gateway, host-to-LAN, and remote access encryption. Tunnel mode encryption performs a complete encapsulation of the original traffic into a new tunneling protocol. The entire original header and payload are encrypted and a temporary link or tunnel header guides the data across the intermediary network. Tunneling | The act of transmitting a protocol across an intermediary network by encapsulating it in
another protocol. See encapsulation. Two-factor authentication | A method of proving identity using two different authentication factors. Authentication factors are something you know, something you have, or something you are. Examples include a smart card (something you have) with a PIN (something you know), a biometric device (something you are) coupled with a password (something you know), or a proximity card (something you have) that activates a fingerprint reader (something you are).
U
Unified threat management (UTM) | The deployment of a firewall as an all-encompassing primary gateway security solution. The idea behind UTM is a single device can be designed to perform firewall filtering, IPS, antivirus scanning, anti-spam filtering, VPN end-point hosting, content filtering, load-balancing, detailed logging, and potentially other security services, performance enhancements, or extended capabilities. Universal participation | The principle that for an organization’s security policy to be effective, everyone must be forced to work within it and follow its rules. Unpartitioned space | The area on a storage device not contained within a partition. Unpartitioned space is not directly accessible by the OS. Upstream filtering | The management of traffic by a firewall or other filtering device located one or more hops away (upstream) from a private network. URL injector | Malware that replaces URLs in HTTP GET requests for alternative addresses. These injected URLs cause a different Web page to appear in the browser than the one requested by the user’s request. These replaced Web pages could be advertisement sites, generate traffic to falsify search engine optimization (SEO), or lead to fake or spoofed sites. USENET newsgroups | Persistent public messaging forums accessed over the NNTP (Network News Transfer Protocol). USENET has existed since 1980. Although the Web, e-mail, and BitTorrent are more widely known, USENET is still in use today. User Datagram Protocol (UDP) | The connectionless protocol operating at the Transport Layer (Layer 4) of the OSI model.
V
Virtual private network (VPN) | A mechanism to establish a secure remote access connection across an intermediary network, often the Internet. This allows inexpensive insecure links to replace expensive security links. VPNs allow for cheap long-distance connections established over the Internet. Both endpoints need only a local Internet link. The Internet itself serves as a “free” long- distance carrier. VPNs employ encapsulation and tunneling protocols, such as IPSec. Virus | Malware that needs a host object to infect. Most viruses infect files, such as executables, device drivers, DDLs, system files, and sometimes even document, audio, video, and image files. Some viruses infect the boot sector of a storage device, including hard drives, floppies, optical discs, and USB drives. Viruses are spread through the actions of users, and spread file-to-file (compare to worms). VPN appliance | A hardware VPN device.
VPN Fingerprinting | A technique used by an attacker to identify the vendor, and in some cases, the software version, of a VPN server. Vulnerability | A weakness or flaw in a host, node, or any other infrastructure component that a hacker can discover and exploit. Security management aims to discover and eliminate such vulnerabilities. Vulnerability management | The technology and business processes used to identify, track, and mitigate known weaknesses on hosts within a computing environment. Vulnerability scanning | A form of investigation that aims at checking whether or not a target system is subject to attack based on a database of tests, scripts, and simulated exploits.
W
WAN VPN | A VPN between two networks over an intermediary network. Also known as LAN-to- LAN VPN and site-to-site VPN. Wardialing | A method of discovering active modems by dialing a range of phone numbers. Wardriving | A method of discovering wireless networks by moving around a geographic area with a detection device. Wardriving | A method of discovering wireless networks by moving around a geographic area with a detection device. Weakest link | A security stance based on a repeating process of locating the least secure element of an infrastructure and securing it and then identifying a new weakest link and securing it. Whitelist | A type of filtering concept where the network denies all activities except for those on the white list. Also known as an “allow” or “permissions list.” Whois | A tool used to view domain registration information. Whois is a command line function of Linux and Unix, but is also a tool on most domain registrar Web sites. Whole hard drive encryption | The process of encrypting an entire hard drive rather than just individual files. In most cases, whole hard drive encryption provides better security against unauthorized access than file encryption, because it encrypts temporary directories and slack space. Wide area network (WAN) | A network not limited by any geographic boundaries. A WAN network can span a few city blocks, reach across the globe, and even extend into outer space. A distinguishing characteristic of a WAN is its use of leased or external connections and links. Often, telcos own these external connections. Wirespeed | The maximum communication or transmission capability of a network segment. Often used to describe a network device’s ability to perform tasks on traffic, while being able to maintain overall network transmission speeds without introducing delay, lag, or latency. Workgroup | A form of networking where each computer is a peer. Peers are equal to each other in terms of how much power or controlling authority any one system has over the other members of the same workgroup. All workgroup members are on equal footing because they can manage their own local resources and users, but not those of any other workgroup member. Worm | Malware that does not need a host object; instead, a worm is a self-sustaining program in its own right. Worms are designed around specific system flaws. The worm scans other systems for this
flaw and exploits the flaw to gain access to another victim. Once hosted on another system, the worm seeks to spread itself by repeating the process. Worms can act as carriers to deposit other forms of malicious code as they multiply and spread across networked hosts. Wrapper | A tool used to create Trojan horses by embedding malware inside of a host file or program. Write-once read-many (WORM) | A form of storage device that can be written to once, but once written cannot be electronically altered. Examples include DVD-R, WORM tapes, and WORM hard drives.
Z
Zero-day exploits | New and previous unknown attacks for which are there no current specific defenses. “Zero day” refers to the newness of an exploit, which may be known in the hacker community for days or weeks. When such an attack occurs for the first time, defenders are given zero days of notice (hence the name.) Such attacks usually exploit previously unidentified system flaws. Zeroization | The process of purging a storage device by writing zeros to all addressable locations on the device. A zeroized device contains no data remnants that other users could potentially recover. Zombie | A malicious software program distributed by a hacker to take over control of a victim’s computer. Also known as a bot or an agent. Zombies are commonly used to construct botnets (or zombie armies). Zombie army | A network of zombie/bot/agent-compromised systems controlled by a hacker. The network consists of the bots, agents, or zombies that intercommunicate over the Internet. Another term for botnet. Zone of risk | Any segment, subnet, network, or collection of networks that represent a certain level of risk. The higher the risk, the higher the security need to protect against that risk. The less the risk of a zone, the lower security need because fewer threats exist or existing threats are less harmful. The flip side of risk zones is zones of trust. Zone of trust | Any segment, subnet, network, or collection of networks that represent a certain level of trust. Highly trusted zones require less security, while low trusted zones require more security. The flip side of trust zones is zones of risk.
References
Beaver, Kevin. Hacking For Dummies. 3rd ed. Indianapolis: Wiley Publishing, Inc., 2010. Bhaiji, Yusuf. Network Security Technologies and Solutions. Indianapolis: Cisco Press, 2008. Bott, Ed. “The malware numbers game: how many viruses are out there?” The Ed Bott Report, April
15, 2012. http://www.zdnet.com/blog/bott/the-malware-numbers-game-how-many-viruses-are- out-there/4783 (accessed May 2, 2013).
Cheswick, William R., Steven M. Bellovin, and Aviel D. Rubin. Firewalls and Internet Security: Repelling the Wily Hacker. 2nd ed. Boston: Addison-Wesley Professional, 2003.
Cisco Systems. “IKEv2 Packet Exchange and Protocol Level Debugging,” 2013. http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080bf2932.shtml (accessed June 17, 2013).
Cisco Systems. Internetworking Technologies Handbook, Virtual Private Networks. http://www.cisco.com/en/US/docs/internetworking/technology/handbook/VPN.html (accessed July 15, 2010).
CNN. “How the President’s secret helicopter plans wound up in Iran.” March 2009. http://ac360.blogs.cnn.com/2009/03/10/how-the-presidents-secret-helicopter-plans-wound-up- iran/ (accessed July 15, 2010).
Cole, Eric. Hiding in Plain Sight: Steganography and the Art of Covert Communication. Indianapolis: Wiley Publishing, Inc., 2003.
———. Network Security Bible. Indianapolis: Wiley Publishing, Inc., 2009. Comer, Douglas E. Internetworking with TCP/IP, Vol 1. 5th ed. Upper Saddle River, NJ: Prentice
Hall, 2005. Davies, Joseph, and Elliot Lewis. Deploying Virtual Private Networks with Microsoft Windows
Server 2003 (Technical Reference). Redmond, WA: Microsoft Press, 2003. Davis, Michael, Sean Bodmer, and Aaron LeMasters. Hacking Exposed Malware and Rootkits. New
York: McGraw-Hill Osborne Media, 2009. Defense Information Systems Agency (DISA). “Information Assurance Support Environment (IASE),
Security Checklists.” http://iase.disa.mil/stigs/checklist/index.html (accessed July 15, 2010). Defense Information Systems Agency (DISA). “Information Assurance Support Environment (IASE),
Security Technical Implementation Guides (STIGS).” http://iase.disa.mil/stigs/stig/index.html (accessed July 15, 2010).
DeLaet, Gert, and Gert Schauwers. Network Security Fundamentals. Indianapolis: Cisco Press, 2004
Douligeris, Christos, and Dimitrios N. Serpanos. Network Security: Current Status and Future
Directions. Hoboken, NJ: Wiley-IEEE Press, 2007. Dr. K. Hackers’ Handbook 3.0 (Expanded, Revised and Updated): Includes WiFi, Identity Theft,
Information Warfare and Web 2.0. New York: Carlton Books, 2009. Erickson, Jon. Hacking: The Art of Exploitation. 2nd ed. San Francisco: No Starch Press, 2008. Feilner, Markus. OpenVPN: Building and Integrating Virtual Private Networks. Packt Publishing,
2006. Ford, Jerry Lee Jr. Absolute Beginner’s Guide to Personal Firewalls. Indianapolis: Que, 2007. Frenkel, Sheila, et al. “Guide to Ipsec VPNs: Recommendations of the National Institute of Standards
and Technology.” Special publication 800-77. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 2005.
Gibson, Darril. MCITP Windows Server 2008 Server Administrator Study Guide. Indianapolis: Sybex, 2008.
Graves, Kimberly. CEH Certified Ethical Hacker Study Guide. Indianapolis: Sybex, 2010. Gregg, Michael. Certified Ethical Hacker Exam Prep. Indianapolis: Que, 2006. Harris, Shon. CISSP All-in-One Exam Guide. 5th ed. New York: McGraw-Hill Osborne Media,
2010. ———, Allen Harper, Chris Eagle, and Jonathan Ness. Gray Hat Hacking, Second Edition: The
Ethical Hacker’s Handbook. New York: McGraw-Hill Osborne Media, 2007. Huang, Qiang, and Jazib Frahim. SSL Remote Access VPNs. Indianapolis: Cisco Press, 2008. IETF RFC Repository. http://www.ietf.org/rfc.html (accessed July 15, 2010). Internet Engineering Task Force (IETF). “Internet Key Exchange (IKEv2) Protocol.” December 2005.
http://tools.ietf.org/html/rfc4306 (accessed July 15, 2010). Irwin, Mike, Charlie Scott, and Paul Wolfe. Virtual Private Networks. 2nd ed. Sebastopol, CA:
O’Reilly Media, 1998. ISA Server.org. “Setting Up the Windows XP PPTP and L2TP/IPSec client.”
http://www.isaserver.org/img/upl/vpnkitbeta2/xpvpnclient.htm (accessed July 15, 2010). Katz, Jonathan, and Yehuda Lindell. Introduction to Modern Cryptography: Principles and
Protocols. Chapman & Hall/CRC, 2007. Komar, Brian, Ronald Beekelaar, and Joern Wettern. Firewalls for Dummies. 2nd ed. Indianapolis:
Wiley Publishing, Inc., 2003. Kozierok, Charles. The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference.
San Francisco: No Starch Press, 2005. Krawetz, Neal. Introduction to Network Security. Charles River Media, 2006. Lewis, Mark. Comparing, Designing, and Deploying VPNs. Indianapolis: Cisco Press, 2006. Linux Home Networking. “Configuring Linux VPNs.”
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs (accessed July 15, 2010).
Liu, Dale, and Stephanie Miller, Mark Lucas, Abhishek Singh, and Jennifer Davis. Firewall Policies and VPN Configurations. Rockland, MA: Syngress, 2006.
Long, Johnny, Jack Wiles, Scott Pinzon, and Kevin D. Mitnick. No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Rockland, MA: Syngress, 2008.
Lyon, Gordon Fyodor. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. City: Nmap Project, 2009.
Mairs, John. VPNs: A Beginner’s Guide. New York: McGraw-Hill Osborne Media, 2001. Maiwald, Eric. Network Security: A Beginner’s Guide. 2nd ed. New York: McGraw-Hill Osborne
Media, 2003. McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed: Network Security Secrets and
Solutions. 6th ed. New York: McGraw-Hill Osborne Media, 2009. Merkow, Mark S. Virtual Private Networks for Dummies. Indianapolis: Wiley Publishing, Inc., 1999. Metheringham, Nigel. “IPSec/Netkey interaction with IPTables/Netfilter.” Openswan open forum
entry. http://lists.openswan.org/pipermail/users/2005-August/006101.html (accessed July 15, 2010).
Microsoft Technet. “DirectAccess Technical Overview.” http://technet.microsoft.com/library/dd637827.aspx (accessed July 15, 2010).
Mitnick, Kevin D., William L. Simon, and Steve Wozniak. The Art of Deception: Controlling the Human Element of Security. Indianapolis: Wiley Publishing, Inc., 2003.
———, and William L. Simon. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers. Indianapolis: Wiley Publishing, Inc., 2005.
MITRE Corporation. “MITRE’s Common Vulnerability Database (CVE).” http://cve.mitre.org/ (accessed July 15, 2010).
National Institute of Standards and Technology (NIST), National Vulnerability Database. http://nvd.nist.gov/ (accessed July 15, 2010).
Nichols, Randall K., and Panos C. Lekkas. Wireless Security: Models, Threats, and Solutions. New York: McGraw-Hill Osborne Media, 2001.
Noonan, Wes, and Ido Dubrawsky. Firewall Fundamentals. Indianapolis: Cisco Press, 2006. Off-line certificate enrolment on Windows 2000/XP.
http://www.jacco2.dds.nl/networking/certutil.html (accessed June 21, 2010). Peltier, Thomas R. Information Security Risk Analysis. 3rd ed. Auerbach Publications, 2010. Philipp, Aaron, David Cowen, and Chris Davis. Hacking Exposed Computer Forensics. 2nd ed.
New York: McGraw-Hill Osborne Media, 2009. PopTop + MSCHAPv2 + Samba + Radius + Microsoft Active Directory + Fedora Howto.
http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm (accessed July 15, 2010).
Real Time Enterprises, Incorporated. “Create a IPSEC + Certificates MMC.” http://support.real- time.com/open-source/ipsec/index.html (accessed July 15, 2010).
Rhodes-Ousley, Mark, Roberta Bragg, and Keith Strassberg. Network Security: The Complete Reference. New York: McGraw-Hill Osborne Media, 2003.
Ruston, Chris, and Chris Peiris. How to Cheat at Designing Security for a Windows Server 2003 Network. Rockland, MA: Syngress, 2006.
SANS. “The Top Cyber Security Risks.” http://www.sans.org/top-cyber-security-risks/?ref=top20 (accessed July 15, 2010).
Scarfone, Karn, and Paul Hoffman. Guidelines on Firewalls and Firewall Policy: Special Publication 800-41, Revision 1. Washington: National Institute of Standards and Technology (NIST), 2009.
Schneier, Bruce. Schneier’s Cryptography Classics Library: Applied Cryptography, Secrets and Lies, and Practical Cryptography. Indianapolis: Wiley Publishing, Inc., 2007.
———. Secrets and Lies: Digital Security in a Networked World. Indianapolis: Wiley Publishing, Inc., 2004.
Schudel, Gregg, and David J. Smith. Router Security Strategies: Securing IP Network Traffic Planes. Indianapolis: Cisco Press, 2008.
SearchNetworking.com. “Authentication, authorization, and accounting (AAA)” (n.d.) http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting (accessed June 17, 2013).
———. “Packet” (n.d.) http://searchnetworking.techtarget.com/definition/packet (accessed June 17, 2013)
———. “Port Address Translation (PAT)” (n.d.). http://searchnetworking.techtarget.com/definition/Port-Address-Translation-PAT (accessed June 17, 2013).
Security Focus. “Embassy leaks highlight pitfalls of Tor. September, 2007.” http://www.securityfocus.com/news/11486 (accessed July 15, 2010).
Shinder, Thomas W. The Best Damn Firewall Book Period. 2nd ed. Rockland, MA: Syngress, 2008. SmoothWall Community Forums. http://community.smoothwall.org/forum/ (accessed July 15, 2010). SmoothWall Limited. http://www.smoothwall.net/ (accessed July 15, 2010). SmoothWall Open Source Project. http://www.smoothwall.org/ (accessed July 15, 2010). Snader, Jon C. VPNs Illustrated: Tunnels, VPNs, and IPsec. Boston: Addison-Wesley Professional,
2005. Stevens, W. Richard, and Gary R. Wright. TCP/IP Illustrated, Volumes 1–3. Boston: Addison-
Wesley Professional, 1994. Stewart, James Michael. CompTIA Security+ Review Guide: SY0-201. Indianapolis: Sybex, 2008. ———, Ed Tittel, and Mike Chapple. CISSP: Certified Information Systems Security Professional
Study Guide. 4th ed. Indianapolis: Sybex, 2008. Strassberg, Keith, Gary Rollie, and Richard Gondek. Firewalls: The Complete Reference. New
York: McGraw-Hill Osborne Media, 2002. Sweeney, T., (2000, April 3). Businesses Lock In On VPN Outsourcing Options Providers of virtual
private network services put a new spin on the outsourcing spiel. InformationWeek. http://www.informationweek.com/780/vpn.htm (accessed July 15, 2010).
“Using a Linux L2TP/IPsec VPN server.” May 2010. http://www.jacco2.dds.nl/networking/openswan-l2tp.html (accessed July 15, 2010).
Virtual Private Network Consortium. http://www.vpnc.org/ (accessed July 15, 2010).
Volonino, Linda, and Ian Redpath. e-Discovery for Dummies. Indianapolis: Wiley Publishing, Inc, 2009.
Vyncke, Eric, and Christopher Paggen. LAN Switch Security: What Hackers Know About Your Switches. Indianapolis: Cisco Press, 2007.
Whitman, Michael E., Herbert J. Mattord, Richard Austin, and Greg Holden. Guide to Firewalls and Network Security. Florence, KY: Course Technology/Cengage Learning Inc., 2008.
Yuan, Ruixi, and W. Timothy Strayer. Virtual Private Networks: Technologies and Solutions. Boston: Addison-Wesley Professional, 2001.
Zwicky, Elizabeth D., Simon Cooper, and D. Brent Chapman. Building Internet Firewalls. 2nd ed. Sebastopol, CA: O’Reilly Media, 2000.
Index
The index that appeared in the print version of this title was intentionally removed from the eBook. Please use the search function on your eReading device to search for terms of interest. For your reference, the terms that appear in the print index are listed below.
128-bit key 802.1x 2048-bit asymmetric key
A
AAA. See authentication, authorization, and accounting acceptable use policy (AUP) access control. See also authorization access control list (ACL) access management accidental threats accidents accounting ACL. See access control list active sniffing active threats addressing administrator account password ADS. See alternate data streams ADSL. See Asymmetrical Digital Subscriber Line Advanced Encryption Standard (AES) advanced persistent threat (APT) adware adware scanner. See anti-malware scanners agents AH. See Authentication Header ALE. See annualized loss expectancy alerts algorithm encryption standard (AES) algorithms allow by default
allow by exception allow-exception rule alternate data streams (ADS) annualized loss expectancy (ALE) annualized rate of occurrence (ARO) anomaly-based detection anonymity anonymous connectivity anti-forensics anti-malware scanners anti-SPAM filters anti-spyware scanner antivirus scanners anycast address AppleTalk appliance firewalls appliance format application conflicts application firewall application gateway Application Layer (Layer 7) application-level firewall application proxy application proxy firewalls APT. See advanced persistent threat arbitrary code execution ARO. See annualized rate of occurrence ARP flooding ARP spoofing asset value (AV) assets asymmetric cryptography Asymmetrical Digital Subscriber Line (ADSL) at-firewall authentication attack surface attacking audit capabilities auditing auditors AUP. See acceptable use policy authentication authentication, authorization, and accounting (AAA) Authentication Header (AH)
authenticity authorization AV. See asset value availability availability attack avalanche effect awareness
B
Back Orifice backdoor account attack backdoors Backtrack backups bandwidth for VPN banner banner grabbing basic packet filtering bastion host bastion host OS behavioral-based detection benign address best practices biometrics BIOS/firmware flashing BitTorrent blacklist blogs “Blue Screen of Death” boot sector border firewall border sentry border-crossing communications botnet army botnets bots bottlenecks. See also chokepoint boundary networks breach bricking bridges Bring Your Own Device (BYOD)
brute force attack brute-force password attack buffer overflows buffers build-it-yourself firewall bump-in-the-stack bump-in-the-wire business continuity plan business operations business tasks BYOD. See Bring Your Own Device bypass VPN implementation
C
CA. See Certificate Authority cable modem devices caching centralized logging system CERN. See European Laboratory for Particle Physics Certificate Authority (CA) CGI scripts. See Common Gateway Interface scripts channels chip creep chokepoint ciphertext circuit circuit firewall circuit proxy Cisco Cisco Linksys wireless router client virtualization. See desktop virtualization clients client/server network client-side configuration client-to-server VPNs Clipper Chip closed source software cloud backup storage cloud computing cloud implementation clusters code testing coding errors
cold calling co-location of Web server command-line-based interface command shell commercial firewall commercial hardware firewall commercial off-the-shelf (COTS) software commercial software firewall commercial VPNs Common Gateway Interface (CGI) scripts communication encryption communications in business environment communications pathways communications to block compartmentalization compliance compliance auditing compression compromise computer viruses conditional trust confidentiality configuration errors configuration of VPN configuration scans Connection Protocol containment content filtering contract workers cookie filters corporate firewall VPN termination cost/benefit analysis cost-effective network security COTS software. See commercial off-the-shelf software covert channels CPE. See customer premise equipment credential sharing cross-site scripting (XSS) Cryptcat cryptography customer premise equipment (CPE) cybersecurity role
D
data at rest data encryption. See encryption Data Encryption Standard (DES) data integrity data leakage data leakage prevention (DLP) Data Link Layer (Layer 2) data origin authentication data protection firewall database-based detection database firewall data-centric security model data-encrypted tunnel DDoS attacks. See distributed denial of service attacks dead-man switch decryption dedicated application-specific proxy firewall dedicated connection dedicated leased lines de-encapsulation default allow default deny default-deny rule default password default-permit stance defense in depth defensive programming technique delay deliberate threats demilitarized zone (DMZ)-based implementation demilitarized zones (DMZs) denial of service (DoS) denial of service (DoS) attacks deny by default deny by exception deny exception rule deployment of a VPN DES. See Data Encryption Standard desktop virtualization detailed implementation plans detection deterrence
deterrent device firmware replacement options DHCP. See Dynamic Host Configuration Protocol dialers dial-up modem connections dictionary attacks dictionary password cracking Diffie-Hellmann digital certificates digital envelope digital forensic techniques digital signatures digital subscriber line (DSL) modems DirectAccess directory services disaster recovery plan disasters disgruntled employees distributed denial of service (DDoS) attacks distributed LAN diversity of defense divide and conquer DLP. See data leakage prevention DMZ pinholes DMZ Web server DMZs. See demilitarized zones DNS. See Domain Name System DNS poisoning DNS spoofing documentation do-it-yourself firewall Domain Name System (DNS) domain registrations domains domains of IT infrastructure DoS. See denial of service DoS attacks. See denial of service attacks downtime DSL modems. See digital subscriber line modems dual IP stacks dual-homed firewall dual-stack migration strategy dumpster diving duplicate servers
dynamic addressing dynamic filtering system Dynamic Host Configuration Protocol (DHCP) dynamic NAT dynamic packet filtering dynamic password token
E
easy access management console port or interface easy-access power switch eavesdropping ECC. See elliptical curve cryptography edge routers education EF. See exposure factor efficient network security egress filtering electricity consumption Electronic Privacy Information Center (EPIC) electrostatic discharge (ESD) elliptical curve cryptography (ECC) Encapsulating Security Payload (ESP) encapsulation encapsulation protocols. See also tunneling protocols encrypted protocols encryption encryption filtering encryption key sets encryption level endpoint security enhancements for firewall enumeration EPIC. See Electronic Privacy Information Center equipment selection for secure network design eradication, incident response ESD. See electrostatic discharge ethernet frame ethical hackers ethical hacking. See penetration testing European Laboratory for Particle Physics (CERN) experts exploitation of system vulnerability
exploits exposure factor (EF) external attacks external entities threats external service access external threats external-only communications extranet VPNs extranets
F
factory defaults fail-close state fail-open state fail-safe security stance fail-safe/fail-secure response fail-secure state failures fair queuing fallback attacks false negative false positives Federal Information Processing Standards (FIPS) Publications file encryption file sharing File Transfer Protocol (FTP) filtering filters firewalking firewall checklist firewall filtering firewall implementation firewall limitation firewall logging firewall management firewall monitoring firewall policy firewall rules firewall specialization firewall-to-firewall VPN firewall troubleshooting firewalls
firmware flash memory on-board chip flaw exploitation attacks flexibility flooding focus for information security follow-up, incident response footprinting forced universal participation Forefront Unified Access Gateway (UAG) forensic techniques formal change management forms-based authentication Fport FQDNs. See fully qualified domain names fragmentation fragmentation attacks frames free software FTP. See File Transfer Protocol full mesh of leased lines fully qualified domain names (FQDNs) future developments fuzzing tools
G
gateway gateway-to-gateway VPN general filter firewall general purpose OSs goals of network security GoToAssist GoToMyPC governance governance, risk, and compliance (GRC) granular access control graphical user interface (GUI)-based interface growth scenario contingencies GUI-based interface. See graphical user interface-based interface
H
hackers hacking
hacktivism hairpinning handoff authentication hard drives hardening firewall hardening host hardening networks hardening servers hardening systems hardware address hardware failures hardware firewalls hardware VPNs hardware/software platform hashing hash algorithm hash value hashing headers heat HFS. See hierarchical file system hierarchical file system (HFS) hijacking attack home office wireless home routers honeynets honeypots host host firewalls. See also software firewall host security controls host software firewall host VPN software product hosting HOSTS file host-to-gateway VPN host-to-host VPN host-to-site VPN Hot Standby Router Protocol (HSRP) HotSpotShield HotSpotVPN HSRP. See Hot Standby Router Protocol HTTP Proxy HTTPS. See Hypertext Transfer Protocol Secure
hybrid attack hybrid firewall hybrid VPN Hypertext Transfer Protocol (HTTP) Hypertext Transfer Protocol Secure (HTTPS)
I
IAM. See identity and access management IANA. See Internet Assigned Numbers Authority ICMP. See Internet Control Message Protocol ICMP redirect identity identity and access management (IAM) identity proofing IDS. See intrusion detection systems IDS insertion IEEE 802.1x IEMI. See intentional electromagnetic interference IETF. See Internet Engineering Task Force IKEv2. See Internet Key Exchange v2 IM. See instant message IMS. See IP Multimedia Subsystem inbound rules for firewall inbound traffic incident response incident response plan individual firewall industry-standard protocol information gathering. See reconnaissance information security professionals Information Technology Infrastructure Library (ITIL) infrastructure ingress filtering in-person policy training insertion attacks installer-induced security threats instant message (IM) intangible costs and value Integrated Services Digital Network (ISDN) integrity intentional electromagnetic interference (IEMI) interception attack
intermediary network internal code planting internal compliance audits internal firewall internal-only traffic internal personnel internally connected VPN Internet Assigned Numbers Authority (IANA) Internet Café VPNs Internet Connection Sharing service Internet connectivity Internet Control Message Protocol (ICMP) Internet Engineering Task Force (IETF) Internet Key Exchange (IKE) Internet Key Exchange v2 (IKEv2) Internet Protocol Security (IPSec) Internet Protocol version Internet Protocol version 4 (IPv4) Internet Protocol version 6 (IPv6) Internet relay chat (IRC) channel Internet service provider (ISP) devices Internet threats Internet-based Traceroute tools Internet-facing servers Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) intranet intranet VPNs intruders intrusion and incident response plan intrusion detection systems (IDS) intrusion prevention systems (IPS) inventory of communications IP addresses IP block IP forwarding IP Multimedia Subsystem (IMS) IP Network Address Translator IPS. See intrusion prevention systems IPSec. See Internet Protocol Security IPSec VPNs IPSec-tools RPM package IPv4. See Internet Protocol version 4 IPv6. See Internet Protocol version 6
IPX/SPX. See Internetwork Packet Exchange/Sequenced Packet Exchange IRC channel. See Internet relay chat channel ISDN. See Integrated Services Digital Network ISP devices. See Internet service provider (ISP) devices IT infrastructure domains IT infrastructure threats ITIL. See Information Technology Infrastructure Library
J
JanusVM job description
K
Keep It Simple: Security (KISS) Kerberos Kernel IP Security (KLIPS) key exchange key pairs key space keycard security keystroke logger knowledge-based detection known addresses
L
laboratory tests LAN. See local area network; wireless local area network LAN Domain. See Local Area Network Domain LAN infrastructure security LANMAN hash LAN-to-LAN VPNs LAN-to-WAN Domain latency Layer 2 Forwarding (L2F) Layer 3 of the OSI model Layer 7 of the OSI model Layer 2 Transport Protocol (L2TP) Layer 2 Tunneling Protocol (L2TP) layered security approach layers of OSI model leased lines
leetspeak Linksys access points Linux firewalls load balancers load balancing load-related performance local area network (LAN) Local Area Network (LAN) Domain local host location of VPN location-aware anti-theft software log contents log file analysis log file analysis tools logging logging on. See authentication logic bomb logical address logical security checklist LogMeIn Loki loophole
M
MAC address. See Media Access Control address MAC addresses MAC spoofing Mac support mainframe malicious address malicious code malicious code scanner malicious hackers malicious traffic malware management management interfaces man-in-the-middle (MitM) attacks maximum transmission unit (MTU) MBSA. See Microsoft Baseline Security Analyzer mean time between failures (MTBF) mean time to failure (MTTF)
Media Access Control (MAC) address metacharacters metrics Microsoft Baseline Security Analyzer (MBSA) Microsoft Point-to-Point Encryption (MPPE) mission-critical issue mission-critical process MitM attacks. See man-in-the-middle attacks MITRE mobile code mobile devices Mobile IP mobile wireless modeling modems module-based VPN monitoring monkey-in-the-middle attack MPPE. See Microsoft Point-to-Point Encryption MSTSC command MTBF. See mean time between failures MTTF. See mean time to failure MTU. See maximum transmission unit multicast address multifactor authentication multi-homed firewall multiple LANs multiple-layered defense. See also defense in depth Murphy’s Law
N
NAC. See network access control NAC service. See network access/admission control service NAS. See network access server NAT. See network address translation NAT-compatible encryption protocols National Information Infrastructure (NII) National Institute of Standards and Technology (NIST) national security National Security Agency (NSA) National Vulnerability Database native firewall
native operating system firewall NAT-PT. See Network Address Translation–Protocol Translation NAT-T. See NAT-Traversal NAT-Traversal (NAT-T) natural disasters necessary business tasks Nessus Nessus vulnerability scanning NetBEUI. See NetBios Extended User Interface NetBios Extended User Interface (NetBEUI) NetBus Netcat Netscape. Version 1.0 Netstat network access control (NAC) Network Access Protocol network access server (NAS) network access/admission control (NAC) service network address translation (NAT) Network Address Translation–Protocol Translation (NAT-PT) network and resource availability threats network compartmentalization. See compartmentalization network design network infrastructures examples network interface card (NIC) network interface controller (NIC) network issues, internal and external Network Layer (Layer 3) Network Layer of the OSI model Network News Transfer Protocol (NNTP) network performance network security network security components network security design “Network Tools” network topologies. See topologies network traffic access control security policy new technology file system (NTFS) NIC. See network interface card NII. See National Information Infrastructure NIST. See National Institute of Standards and Technology nmap NNTP. See Network News Transfer Protocol
node node security no-exceptions policy non-authenticating query service non-content-filtering firewalls non-dedicated connection nonrepudiation normal baseline NSA. See National Security Agency NTFS. See new technology file system N-Tier deployment NTRconnect
O
OC line. See optical carrier line offsite storage off-the-shelf firewall one-time pad encryption systems one-way function mathematical operation Onion Router application, The. See Tor application onion routing online remote VPN options online storage onsite storage open source software Open Systems Interconnection (OSI) Reference Model open-source applications and tools open-source product open-source software network firewall open-source VPNs Openswan operating system-based VPNs operating systems (OSs) OPM. See Other People’s Money, Inc. opportunistic hackers optical carrier (OC) line OS/2 OSI model. See Open Systems Interconnection (OSI) Reference Model OSs. See operating systems Other People’s Money, Inc. (OPM) out of band communication outbound rules for firewall
outbound traffic overlapping
P
package filtering firewall packet filtering packet filtering firewall packet header packet payload packet sniffer PacketiX VPN padded cells partition passive threats password cracking password-protected homegroup PAT. See port address translation patch management patches payloads PBX. See private branch exchange pcAnywhere peer systems peer-to-peer (P2P) communications peer-to-peer (P2P) networks penetration testing performance perimeter perimeter network permissions personal communications personal firewall personal hardware firewall personal software firewall personal/individual VPN personally identifiable information (PII) personnel activity monitoring phishing physical access physical addresses physical attacks physical damage
Physical Layer (Layer 1) physical security physical threats PII. See personally identifiable information piloting PING ping command ping sweeps PKI. See Public Key Infrastructure placement of firewalls plaintext protocols platform independence play configuration playback attacks plug configuration PNAC. See port-based network access control Point-to-Point Protocol (PPP) Point-to-Point Tunneling Protocol (PPTP) POP. See Post Office Protocol pop-up blockers port address translation (PAT) port forwarding port numbers port scanning port validation portability of equipment portal authentication port-based network access (admission) control (PNAC) ports POSIX Post Office Protocol (POP) post-attack activities post-mortem assessment review power faults power switch PPP. See Point-to-Point Protocol PPTP. See Point-to-Point Tunneling Protocol preparation, incident response Presentation Layer (Layer 6) prevention principle of least privilege privacy private branch exchange (PBX)
private IP address private key private messages private networks private VPN privilege control privilege escalation privileged access privileges PRNG. See pseudo random number generator proactive security management professional hackers proprietary OSs protocol encryption protocols proxies proxy attack proxy firewall proxy manipulation proxy servers proxy-based encryption pseudo random number generator (PRNG) public IP addresses public key public key cryptography Public Key Infrastructure (PKI) public networks public wireless public-key cryptography PuTTY application pwned
Q
QoS. See quality of service quality of service (QoS)
R
rack mountable equipment RADIUS-based authentication RAID. See redundant array of independent disks random challenge-response dialog
RAS. See remote access server RDC. See Remote Desktop Connection RDP. See Remote Desktop Protocol reconnaissance recovery recreational hackers redundancy redundant array of independent disks (RAID) Regional Internet Registry (RIR) regular self-assessment rekeying processes remote access Remote Access Domain remote access policy remote access server (RAS) remote access VPN Remote Assistance remote connection remote control Remote Desktop Connection (RDC) Remote Desktop Protocol (RDP) Remote Desktop Services remote hacking remote or mobile host remote printing remote VPN connection remote-to-home VPN remote-to-office VPN removable case removable media replay attacks requests for comments (RFCs) research. See reconnaissance reset button resources resources sites response return on investment (ROI) reverse caching reverse proxy reverse proxy firewall service RFC 791 RFC 1918
RFC 1918 addresses RIR. See Regional Internet Registry risk risk assessment risk management risk matrix Rivest-Shamir-Adelman (RSA) rogue access point rogue device insertion rogue DHCP ROI. See return on investment roles rootkits round robin round robin database tool (RRDtool) routers RPM install of Openswan RRDtool. See round robin database tool RSA. See Rivest-Shamir-Adelman rule sets rules rule-set ordering
S
sabotage sacrificial host scalability scanning scope/binding nature statement screened IDS/IPS solution screening routers script kiddie SDRAM. See synchronous dynamic random access memory search engine sectors secure network design. See network design secure remote access Secure Shell (SSH) protocol Secure Socket Tunneling Protocol (SSTP) Secure Sockets Layer (SSL) Secure Sockets Layer (SSL)–based tunneling protocols Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
secured VPN. See also virtual private network (VPN) security security assessment security association (SA) security assurance security checklist security goals security infrastructure security management security mistakes security objectives security policies security stance security strategy security suite firewall Security Technical Implementation Guides (STIGs) security technologies security through obscurity security troubleshooting security zones SED. See static electricity discharge segment self-assessments sender fragmentation senior management separation of duties servers service level agreement (SLA) service set identifier (SSID) services tab of SmoothWall session session hijacking Session Layer (Layer 5) shell code ShieldsUP! port scanning tool Shorewall firewall Shrew Soft sieve firewall signature-based detection Simple Mail Transfer Protocol (SMTP) simple network management protocol (SNMP) simplicity simulated firewall test
single-factor authentication single loss expectancy (SLE) single point of failure single sign-on (SSO) site-to-site VPNs Skype SLA. See service level agreement slack space SLE. See single loss expectancy slideware sliding window of recorded traffic small office/home office (SOHO) SmoothWall firewall SmoothWall software SMTP. See Simple Mail Transfer Protocol SNA. See System Network Architecture sniffer SNMP. See simple network management protocol Snort Snort intrusion detection software Snort intrusion detection solution social engineering socket software coding errors software firewall software firewall products software host firewalls software VPNs SOHO. See small office/home office Solera DS series of network forensic appliances solid VPN policy spam split knowledge. See separation of duties split tunnel spoofed addresses spoofing spyware spyware scanner. See anti-malware scanners SQL injection SSH protocol. See Secure Shell protocol SSID. See service set identifier SSL. See Secure Sockets Layer SSL VPNs
SSO. See single sign-on SSTP. See Secure Socket Tunneling Protocol stability of VPNs state management stateful inspection stateful inspection filtering stateful inspection firewalls static addressing static electricity static electricity discharge (SED) static filtering firewalls static IP static NAT static packet filtering steganography STIGs. See Security Technical Implementation Guides storage covert channel strong authentication strong encryption subnet architecture subnetting sub-protocols SubSeven suite-member firewalls sunk cost switches symmetric cryptography symptoms synchronous dynamic random access memory (SDRAM) syslog System Network Architecture (SNA) System/Application Domain system-by-system–based security Systems/Applications Domain
T
TACACS+. See Terminal Access Controller Access-Control System Plus tangible costs and value targets of hackers TCP. See Transmission Control Protocol tcpdump command TCP/IP. See Transmission Control Protocol/Internet Protocol
TCPView telcos. See telecommunication service providers telecommunication service providers (telcos) telecommuting telnet Terminal Access Controller Access-Control System Plus (TACACS+) terminal services testing testing firewall theft thin client computing third-party software firewalls third-party trust system threats time stamps timing covert channel TLS. See Transport Layer Security tools topology Tor application TPM chip. See Trusted Platform Module chip traceroute command traceroute tools traffic and trend analysis traffic congestion traffic generation traffic inventory traffic loads training transaction security translation migration strategy Transmission Control Protocol (TCP) Transmission Control Protocol/Internet Protocol (TCP/IP) transparent network security Transport Layer (Layer 4) Transport Layer Protocol Transport Layer Security (TLS) transport mode encryption transport mode (host-to-host) of IPSec trapdoor trapping intruders and violators triple-homed firewall Trojan horse
troubleshooting trust Trusted Platform Module (TPM) chip trusted third party trusted VPN trustworthy TS RemoteApp TS Web Access tunnel mode encryption tunnel mode of IPSec tunneling tunneling migration strategy tunneling protocols two-factor authentication
U
UAG. See Forefront Unified Access Gateway ubiquitous firewall UDP. See User Datagram Protocol unauthorized software unauthorized tunnels unfiltered IDS/IPS installation unicast address unified threat management (UTM) Uninterruptible Power Supply (UPS) universal denial rule universal participation unknown zero-day attacks unpartitioned space updates UPS. See Uninterruptible Power Supply upstream filtering URL injectors usability USENET newsgroups User Authentication Protocol user awareness User Datagram Protocol (UDP) User Domain user training userland-only install UTM. See unified threat management
V
Van Eck phreaking vaporware. See slideware vendors Verizon Data Breach Investigations Report violations of security violators virtual firewall test virtual firewalls Virtual Local Area Network (VLAN) virtual private network (VPN) virtual reassembly Virtual Router Redundancy Protocol (VRRP) virtualization virtualization security virtualized firewall virtualized network environment virtualized networks virtualized SSL VPN virus VLAN. See Virtual Local Area Network VMware voluntary compliance VPN. See virtual private network VPN appliances VPN authorization VPN link VRRP. See Virtual Router Redundancy Protocol vulnerabilities vulnerability assessments vulnerability management vulnerability research vulnerability scanning
W
wake-on-LAN WAN. See distributed LAN; wide area network WAN Domain WAN VPN connections wardialing wardriving
weakest link security stance Web browsers Web server Web-based GUI Web-based policy training well-known port numbers white-list controls whitelists whois whole hard drive encryption wide area network (WAN) Windows Firewall Windows Server 2008 Network Access WinZapper tool wired networks wireless access points wireless connectivity wireless local area network (LAN) wireless networking wireless technologies Wireshark wirespeed functions workgroup Workstation Domain WORM storage device. See write-once read-many storage device worms wrappers write-once read-many (WORM) storage device written firewall policy written security policy
X
XSS. See cross-site scripting
Z
zero-day attacks zero-day exploits zeroization zombie army zombies zone file
zone of risk zones of trust
- Cover
- Title Page
- Copyright
- Contents
- Preface
- Part One: Foundations of Network Security
- Chapter 1 Fundamentals of Network Security
- What Is Network Security?
- What Is Trust?
- Who—or What—Is Trustworthy?
- What Are Security Objectives?
- What Are You Trying to Protect?
- Seven Domains of a Typical IT Infrastructure
- Goals of Network Security
- How Can You Measure the Success of Network Security?
- Why Are Written Network Security Policies Important?
- Planning for the Worst
- Who Is Responsible for Network Security?
- Examples of Network Infrastructures and Related Security Concerns
- Workgroups
- SOHO Networks
- Client/Server Networks
- LAN Versus WAN
- Thin Clients and Terminal Services
- Remote Control, Remote Access, and VPN
- Boundary Networks
- Strengths and Weaknesses of Network Design
- Enhancing the Security of Wired Versus Wireless LAN Infrastructures
- Internal and External Network Issues
- Common Network Security Components Used to Mitigate Threats
- Hosts and Nodes
- IPv4 Versus IPv6
- Firewall
- Virtual Private Networks
- Proxy Servers
- Network Address Translation
- Routers, Switches, and Bridges
- The Domain Name System
- Directory Services
- Intrusion Detection Systems and Intrusion Prevention Systems
- Network Access Control
- Chapter Summary
- Key Concepts and Terms
- Chapter 1 Assessment
- Chapter 2 Firewall Fundamentals
- What Is a Firewall?
- What Firewalls Cannot Do
- Why Do You Need a Firewall?
- What Are Zones of Risk?
- How Firewalls Work and What Firewalls Do
- TCP/IP Basics
- OSI Reference Model
- Sub-Protocols
- Headers and Payloads
- Addressing
- Types of Firewalls
- Ingress and Egress Filtering
- Types of Filtering
- Static Packet Filtering
- Stateful Inspection and Dynamic Packet Filtering
- Network Address Translation (NAT)
- Application Proxy
- Circuit Proxy
- Content Filtering
- Software Versus Hardware Firewalls
- IPv4 Versus IPv6 Firewalls
- Dual-Homed and Triple-Homed Firewalls
- Placement of Firewalls
- Chapter Summary
- Key Concepts and Terms
- Chapter 2 Assessment
- Chapter 3 VPN Fundamentals
- What Is a Virtual Private Network?
- What Are the Benefits of Deploying a VPN?
- What Are the Limitations of a VPN?
- What Are Effective VPN Policies?
- VPN Deployment Models and Architecture
- Tunnel Versus Transport Mode
- The Relationship Between Encryption and VPNs
- Symmetric Cryptography
- Asymmetric Cryptography
- Hashing
- What Is VPN Authentication?
- VPN Authorization
- Chapter Summary
- Key Concepts and Terms
- Chapter 3 Assessment
- Chapter 4 Network Security Threats and Issues
- Hacker Motivation
- Favorite Targets of Hackers
- Threats from Internal Personnel and External Entities
- The Hacking Process
- Fallback Attacks
- Common IT Infrastructure Threats
- Hardware Failures and Other Physical Threats
- Natural Disasters
- Accidents and Intentional Concerns
- Malicious Code (Malware)
- Advanced Persistent Threat
- Fast Growth and Overuse
- Wireless Versus Wired
- Eavesdropping
- Replay Attacks
- Insertion Attacks
- Fragmentation Attacks, Buffer Overflows, and XSS Attacks
- Fragmentation Attacks
- Buffer Overflows
- XSS (Cross-Site Scripting) Attacks
- Man-in-the-Middle, Session Hijacking, and Spoofing Attacks
- Man-in-the-Middle Attacks
- Session Hijacking
- Spoofing Attacks
- Covert Channels
- Network and Resource Availability Threats
- Denial of Service (DoS)
- Distributed Denial of Service (DDoS)
- Hacker Tools
- Social Engineering
- Chapter Summary
- Key Concepts and Terms
- Chapter 4 Assessment
- Part Two: Technical Overview of Network Security, Firewalls, and VPNs
- Chapter 5 Network Security Implementation
- Seven Domains of a Typical IT Infrastructure
- Network Design and Defense in Depth
- Protocols
- Common Types of Addressing
- IPv6
- Controlling Communication Pathways
- Hardening Systems
- Equipment Selection
- Authentication, Authorization, and Accounting
- Communication Encryption
- Hosts: Local-Only or Remote and Mobile
- Redundancy
- Endpoint Security
- Clients
- Servers
- Routers
- Switches
- Firewalls and Proxies
- Chapter Summary
- Key Concepts and Terms
- Chapter 5 Assessment
- Chapter 6 Network Security Management
- Network Security Management Best Practices
- Fail-Secure, Fail-Open, and Fail-Close Options
- Physical Security
- Watching for Compromise
- Incident Response
- Trapping Intruders and Violators
- Why Containment Is Important
- Imposing Compartmentalization
- Using Honeypots, Honeynets, and Padded Cells
- Essential Host Security Controls
- Backup and Recovery
- User Training and Awareness
- Network Security Management Tools
- Security Checklist
- Network Security Troubleshooting
- Compliance Auditing
- Security Assessment
- Configuration Scans
- Vulnerability Scanning
- Penetration Testing
- Post-Mortem Assessment Review
- Chapter Summary
- Key Concepts and Terms
- Chapter 6 Assessment
- Chapter 7 Firewall Basics
- Firewall Rules
- Authentication, Authorization, and Accounting
- Monitoring and Logging
- Understanding and Interpreting Firewall Logs and Alerts
- Intrusion Detection
- Limitations of Firewalls
- Improving Performance
- The Downside of Encryption with Firewalls
- Firewall Enhancements
- Management Interfaces
- Chapter Summary
- Key Concepts and Terms
- Chapter 7 Assessment
- Chapter 8 Firewall Deployment Considerations
- What Should You Allow and What Should You Block?
- Common Security Strategies for Firewall Deployments
- Security Through Obscurity
- Least Privilege
- Simplicity
- Defense in Depth
- Diversity of Defense
- Chokepoint
- Weakest Link
- Fail-Safe
- Forced Universal Participation
- Essential Elements of a Firewall Policy
- Software and Hardware Options for Firewalls
- Benefit and Purpose of Reverse Proxy
- Use and Benefit of Port-Forwarding
- Considerations for Selecting a Bastion Host OS
- Constructing and Ordering Firewall Rules
- Evaluating Needs and Solutions in Designing Security
- What Happens When Security Gets in the Way of Doing Business?
- Chapter Summary
- Key Concepts and Terms
- Chapter 8 Assessment
- Chapter 9 Firewall Management and Security
- Best Practices for Firewall Management
- Security Measures in Addition to a Firewall
- Selecting the Right Firewall for Your Needs
- The Difference Between Buying and Building a Firewall
- Mitigating Firewall Threats and Exploits
- Concerns Related to Tunneling Through or Across a Firewall
- Testing Firewall Security
- Important Tools for Managing and Monitoring a Firewall
- Troubleshooting Firewalls
- Proper Firewall Implementation Procedure
- Responding to Incidents
- Chapter Summary
- Key Concepts and Terms
- Chapter 9 Assessment
- Chapter 10 Using Common Firewalls
- Individual and Small Office/Home Office (SOHO) Firewall Options
- Uses for a Host Software Firewall
- Examples of Software Firewall Products
- Using Windows 7’s Host Software Firewall
- Using a Linux Host Software Firewall
- Managing the Firewall on an ISP Connection Device
- Converting a Home Router into a Firewall
- Commercial Software Network Firewalls
- Open-Source Software Network Firewalls
- Appliance Firewalls
- Virtual Firewalls
- Simple Firewall Techniques
- Chapter Summary
- Key Concepts and Terms
- Chapter 10 Assessment
- Chapter 11 VPN Management
- VPN Management Best Practices
- Developing a VPN Policy
- Developing a VPN Deployment Plan
- Bypass Deployment
- Internally Connected Deployment
- DMZ-Based Implementation
- VPN Threats and Exploits
- Commercial or Open Source VPNs
- Differences Between Personal and Enterprise VPNs
- Balancing Anonymity and Privacy
- Protecting VPN Security to Support Availability
- The Importance of User Training
- VPN Troubleshooting
- Chapter Summary
- Key Concepts and Terms
- Chapter 11 Assessment
- Chapter 12 VPN Technologies
- Differences Between Software and Hardware Solutions
- Software VPNs
- Hardware VPNs
- Differences Between Layer 2 and Layer 3 VPNs
- Internet Protocol Security (IPSec)
- Layer 2 Tunneling Protocol (L2TP)
- Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
- SSL/TLS and VPNs
- Secure Shell (SSH) Protocol
- Establishing Performance and Stability for VPNs
- Performance
- Stability
- Using VPNs with Network Address Translation (NAT)
- Types of Virtualization
- Desktop Virtualization
- SSL VPN Virtualization
- Differences Between Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6)
- The TCP/IP Protocol Suite
- IPv4 Challenges
- IPv6
- IPSec and IPv6
- Chapter Summary
- Key Concepts and Terms
- Chapter 12 Assessment
- Part Three: Implementation, Resources, and the Future
- Chapter 13 Firewall Implementation
- Constructing, Configuring, and Managing a Firewall
- SmoothWall
- Examining Your Network and Its Security Needs
- What to Protect and Why
- Preserving Privacy
- Firewall Design and Implementation Guidelines
- Selecting a Firewall
- Hardware Requirements for SmoothWall
- Planning a Firewall Implementation with SmoothWall
- Firewalling a Big Organization: Application-Level Firewall and Package Filtering, a Hybrid System
- Firewalling a Small Organization: Packet Filtering or Application-Level Firewall, a Proxy Implementation
- Firewalling in a Subnet Architecture
- Installing a Firewall with SmoothWall
- Configuring a Firewall with SmoothWall
- Elements of Firewall Deployment
- Performing Testing with SmoothWall
- Firewall Troubleshooting
- Additional SmoothWall Features
- Firewall Implementation Best Practices
- Chapter Summary
- Key Concepts and Terms
- Chapter 13 Assessment
- Chapter 14 Real-World VPNs
- Operating System–Based VPNs
- VPN Appliances
- Configuring a Typical VPN Appliance
- Client-Side Configuration
- Remote Desktop Protocol
- Using Remote Control Tools
- Using Remote Access
- The Technology for Remote Use
- Choosing Between IPSec and SSL Remote Access VPNs
- Terminal Services
- TS RemoteApp
- TS Web Access
- Microsoft DirectAccess
- DMZ, Extranet, and Intranet VPN Solutions
- Intranet VPNs
- Extranet VPNs
- Internet Café VPNs
- Online Remote VPN Options
- Security
- Wake-on-LAN Support
- File Sharing
- Remote Printing
- Mac Support
- The Tor Application
- Planning a VPN Implementation
- Requirements
- Installation
- Deployment
- Testing and Troubleshooting
- VPN Implementation Best Practices
- Chapter Summary
- Key Concepts and Terms
- Chapter 14 Assessment
- Chapter 15 Perspectives, Resources, and the Future
- What the Future Holds for Network Security, Firewalls, and VPNs
- Threats
- Firewall Capabilities
- Encryption
- Authentication
- Metrics
- Focus
- Securing the Cloud
- Securing Mobile Devices
- Mobile IP
- Bring Your Own Device (BYOD)
- Resource Sites for Network Security, Firewalls, and VPNs
- Tools for Network Security, Firewalls, and VPNs
- Commercial Off-the-Shelf (COTS) Software
- Open Source Applications and Tools
- The Impact of Ubiquitous Wireless Connectivity
- Potential Uses of Security Technologies
- What Happens When There Is No Perimeter?
- Specialized Firewalls Available
- Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs)
- Effect of Honeypots, Honeynets, and Padded Cells
- Emerging Network Security Technologies
- IP Version 6
- VPNs, Firewalls, and Virtualization
- Steganography
- Anti-Forensics
- Chapter Summary
- Key Concepts and Terms
- Chapter 15 Assessment
- Appendix A: Answer Key
- Appendix B: Standard Acronyms
- Glossary of Key Terms
- References
- Index