
Network Security Fundamentals
Eric Cole, Ronald L. Krutz, James W. Conley,
Brian Reisman, Mitch Ruebush,
and Dieter Gollmann
with Rachelle Reese

Credits
PUBLISHER
Anne Smith

PROJECT MANAGER
Tenea Johnson

PROJECT EDITOR
Brian B. Baker

PRODUCTION EDITOR
Kerry Weinstein


MARKETING MANAGER
Jennifer Slomack

CREATIVE DIRECTOR
Harry Nolan

SENIOR EDITORIAL ASSISTANT
Tiara Kelly

COVER DESIGNER
Hope Miller

PRODUCTION MANAGER
Kelly Tavares

COVER PHOTO
Tetra Images/Getty Images

Wiley 200th Anniversary Logo designed by: Richard J. Pacifico

This book was set in Times New Roman by Aptara, Inc. and printed and bound by R. R. Donnelley. The cover
was printed by R. R. Donnelley.
Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation.
Copyright © 2008 John Wiley & Sons, Inc. All rights reserved. No part of this publication may be reproduced,
stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States
Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of
the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923,
website www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions
Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, (201) 748-6011,
fax (201) 748-6008, website www.wiley.com/go/permissions.
To order books or for customer service please call 1-800-CALL WILEY (225-5945).

ISBN 978-0-470-10192-6
Printed in the United States of America

ABOUT THE AUTHORS
Eric Cole is the author of Hackers Beware, Hiding in Plain Sight: Steganography
and the Art of Covert Communication, and co-author of Network Security Bible and
SANS GIAC Certification: Security Essentials Toolkit (GSEC). He has appeared as a
security expert on CBS News, 60 Minutes, and CNN Headline News.
Ronald L. Krutz is the author of Securing SCADA Systems and co-author of Network Security Bible, The CISM Prep Guide: Mastering the Five Domains of Information
Security Management, The CISSP prep guide: Mastering CISSP and CAP, Security+
Prep Guide, and is the founder of the Carnegie Mellon Research Institute Cybersecurity Center.
James W. Conley is co-author of Network Security Bible and has been a security
officer in the United States Navy and a senior security specialist on CIA development efforts.
Brian Reisman is co-author of MCAD/MCSD: Visual Basic .NET Windows and Web
Applications Study Guide, MCAD/MCSD: Visual Basic .Net XML Web Services and
Server Components Study Guide, MCSE: Windows Server 2003 Network Security
Design Study Guide. He is a technical trainer for Online Consulting, a Microsoft
Certified Technical Education Center, and is a contributor to MCP Magazine,
CertCities.com, and ASPToday.com.
Mitch Ruebush is co-author of MCAD/MCSD: Visual Basic .NET Windows and Web
Applications Study Guide, MCAD/MCSD: Visual Basic .Net XML Web Services and
Server Components Study Guide, MCSE: Windows Server 2003 Network Security
Design Study Guide. He is a Senior Consultant and Trainer for Online Consulting, Inc. He has been deploying, securing and developing for Windows and
UNIX platforms for 14 years.
Dieter Gollmann is Professor for Security in Distributed Applications at Hamburg
University of Technology. He is also a visiting Professor at Royal Holloway,
University of London and Adjunct Professor at the Technical University of
Denmark. Previously he was a researcher in Information Security at Microsoft
Research in Cambridge.
Rachelle Reese has been designing and developing technical training courses for
over ten years and has written a number of books on programming. She has an
MA from San Jose State University and is also a Microsoft Certified Application
Developer (MCAD).


PREFACE
College classrooms bring together learners from many backgrounds,
with a variety of aspirations. Although the students are in the same
course, they are not necessarily on the same path. This diversity, coupled with the reality that these learners often have jobs, families, and
other commitments, requires a flexibility that our nation’s higher
education system is addressing. Distance learning, shorter course
terms, new disciplines, evening courses, and certification programs are
some of the approaches that colleges employ to reach as many students as possible and help them clarify and achieve their goals.
Wiley Pathways books, a new line of texts from John Wiley &
Sons, Inc., are designed to help you address this diversity and the
need for flexibility. These books focus on the fundamentals, identify core competencies and skills, and promote independent learning.
Their focus on the fundamentals helps students grasp the subject,
bringing them all to the same basic understanding. These books use
clear, everyday language and are presented in an uncluttered format,
making the reading experience more pleasurable. The core competencies and skills help students succeed in the classroom and beyond,
whether in another course or in a professional setting. A variety of
built-in learning resources promote independent learning and help
instructors and students gauge students’ understanding of the content. These resources enable students to think critically about their
new knowledge and to apply their skills in any situation.
Our goal with Wiley Pathways books—with their brief, inviting
format, clear language, and core competencies and skills focus—is to
celebrate the many students in your courses, respect their needs, and
help you guide them on their way.

CASE Learning System
To meet the needs of working college students, Network Security
Fundamentals uses a four-part process called the CASE Learning
System:
▲ C: Content
▲ A: Analysis
▲ S: Synthesis
▲ E: Evaluation


Based on Bloom’s taxonomy of learning, CASE presents key topics
in network security fundamentals in easy-to-follow chapters. The
text then prompts analysis, synthesis, and evaluation with a variety
of learning aids and assessment tools. Students move efficiently
from reviewing what they have learned, to acquiring new information and skills, to applying their new knowledge and skills to real-life
scenarios.
Using the CASE Learning System, students not only achieve
academic mastery of network security topics, but they master real-world
skills related to that content. The CASE Learning System also helps
students become independent learners, giving them a distinct advantage in the field, whether they are just starting out or seeking to
advance in their careers.

Organization, Depth, and Breadth of the Text
▲ Modular Format. Research on college students shows that they
access information from textbooks in a non-linear way. Instructors also often wish to reorder textbook content to suit the
needs of a particular class. Therefore, although Network Security
Fundamentals proceeds logically from the basics to increasingly
more challenging material, chapters are further organized into
sections that are self-contained for maximum teaching and
learning flexibility.
▲ Numeric System of Headings. Network Security Fundamentals
uses a numeric system for headings (e.g., 2.3.4 identifies the
fourth subsection of Section 3 of Chapter 2). With this system,
students and teachers can quickly and easily pinpoint topics in
the table of contents and the text, keeping class time and study
sessions focused.
▲ Core Content. The topics in Network Security Fundamentals are
organized into 12 chapters.

Chapter 1, Computer and Network Security Principles, introduces basic terminology and concepts related to security and gets
the student thinking about why it is important to take security measures to protect a network and its resources. The chapter begins with
an overview of different types of attacks. Next it discusses the three
key aspects of security: confidentiality, integrity, and authentication.
From there it moves on to discuss risk analysis, including identifying and ranking assets, threats, and vulnerabilities. The chapter concludes with an overview of security policies and standards.


Chapter 2, Network and Server Security, discusses some best practices and techniques for mitigating the risk to servers on your network. It begins with a review of the Open Systems Interconnection
(OSI) model to ensure that students are familiar with various protocols and the layers at which they operate. From there it moves on to
discuss some best practices when securing a network: security by
design and defense in depth. Next it presents some techniques for
reducing the attack surface of a server. The chapter concludes with a
look at perimeter security, including firewalls and Network Address
Translation (NAT).
Chapter 3, Cryptography, introduces the fundamental principles
of cryptography and discusses various ways it is used to provide network and computer security. The chapter begins with a brief history
of cryptography and introduces the cast of characters commonly used
to describe cryptographic scenarios. Next it discusses symmetric
encryption and introduces the problem of how to share symmetric
keys. From there it moves on to discuss asymmetric encryption and
one of its common uses, digital signatures. Next it looks at the role
of hashes. The chapter then brings the cryptographic techniques
together to examine how they can be used to provide confidentiality,
integrity, and authentication. The chapter concludes with an overview
of public key infrastructure (PKI), using Microsoft®’s Certificate Services as an example of how you can implement a PKI.
Chapter 4, Authentication, discusses the importance of authentication and how credentials can be used to prove the identity of a user
or computer. The student is first introduced to some key authentication concepts, including the entities that must be authenticated,
single sign-on, and mutual authentication. Next the chapter examines
the types of credentials that can be used to prove the identity of a
user or computer. The chapter then looks at some protocols used for
network authentication. The chapter concludes with a look at best
practices, including using strong passwords and limiting the times
during which or locations from which a user can log on.
Chapter 5, Authorization and Access Control, introduces students
to concepts and procedures related to limiting who can access
resources on a network. The chapter begins by discussing types of
access control that have been used historically and that are used today,
including mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC). Next it examines
how access control is managed on a Windows® network. The chapter
concludes with a look at access control in a Unix® or Linux environment.

Chapter 6, Securing Network Transmission, focuses on securing network perimeters and data in transit on the network. The chapter begins
with a look at some attacks that target network services and packets on
the network. Next it examines some strategies for segmenting a network
and securing network perimeters. It concludes with a look at some protocols that can be used to encrypt data on the network, including Secure
Sockets Layer (SSL), Transport Layer Security (TLS), and IP security
(IPsec).
Chapter 7, Remote Access and Wireless Security, deals with
security considerations for a network that extends past the traditional WAN. It begins with a discussion of the dangers of modems
and how to secure a network that allows dial-in access. Next it
looks at virtual private networks (VPNs). From there it moves on
to discuss how Remote Authentication Dial-in User Service
(RADIUS) or Terminal Access Controller Access Control System
(TACACS) can be used to centralize authentication for remote
access clients. The chapter concludes by examining the threats
introduced through wireless networking and steps you can take to
mitigate those threats.
Chapter 8, Server Roles and Security, examines the different roles
servers play on a network and discusses ways to mitigate the threats
associated with specific server roles. The chapter begins by discussing establishing a security baseline for the servers on a network.
Next it examines risks specific to infrastructure servers, including
domain name system (DNS), Dynamic Host Configuration Protocol
(DHCP), and Windows Internet Name Service (WINS) servers, and
how to mitigate them. It then discusses steps to take to secure
domain controllers. Next it looks at considerations for securing file
and print servers. The chapter concludes with a look at security
issues specific to application servers, such as web and database
servers.
Chapter 9, Protecting Against Malware, looks at various types of
malware and steps to take to protect computers against viruses,
worms, spyware, and other types of malicious code. The chapter
begins by defining the types of malware that typically pose a threat
to computers. Next it discusses anti-malware programs and the
importance of user education in preventing attacks. The chapter then
discusses issues related to securely browsing web sites. The chapter
concludes with a look at risks specific to email and how to mitigate
them.
Chapter 10, Ongoing Security Management, examines some key
considerations for keeping a network secure. It begins with a discussion
of strategies for ensuring that operating systems and applications are
kept up-to-date with the latest security patches. Next, it discusses the
importance of auditing and ongoing monitoring. Finally, the chapter
examines strategies for both in-band and out-of-band remote management.
Chapter 11, Disaster Recovery and Fault Tolerance, examines the
importance of planning for the worst. It begins by discussing three
types of plans a company should have in place to define recovery procedures when a disaster or attack occurs. Next, it covers the importance of backups. The chapter concludes with a look at fault tolerance
technologies, including Redundant Array of Independent Disks (RAID)
and failover configurations.
Chapter 12, Intrusion Detection and Forensics, introduces students to techniques used to detect a potential attack and analyze the
nature of an attack. The chapter begins with a look at intrusion
detection systems (IDS) and how they can be used to provide
advance warning of an impending attack. Next, it looks at how honeypots can be used to analyze an attacker’s methods. The chapter
concludes with a look at forensics, including procedures for preserving evidence and investigating the extent and methods used in
an attack.

Pre-reading Learning Aids
Each chapter of Network Security Fundamentals features the following
learning and study aids to activate students’ prior knowledge of the
topics and to orient them to the material.
▲ Pre-test. This pre-reading assessment tool in multiple-choice
format not only introduces chapter material, but it also helps
students anticipate the chapter’s learning outcomes. By focusing
students’ attention on what they do not know, the self-test
provides students with a benchmark against which they can
measure their own progress. The pre-test is available online at
www.wiley.com/college/cole.
▲ What You’ll Learn in This Chapter. This bulleted list focuses
on subject matter that will be taught. It tells students what they
will be learning in this chapter and why it is significant for their
careers. It will also help students understand why the chapter is
important and how it relates to other chapters in the text.
▲ After Studying This Chapter, You’ll Be Able To. This list
emphasizes capabilities and skills students will learn as a result
of reading the chapter. It sets students up to synthesize and evaluate the chapter material, and to relate it to the real world.

Within-text Learning Aids
The following learning aids are designed to encourage analysis and
synthesis of the material, support the learning process, and ensure
success during the evaluation phase:
▲ Introduction. This section orients the student by introducing
the chapter and explaining its practical value and relevance to
the book as a whole. Short summaries of chapter sections preview the topics to follow.
▲ “For Example” Boxes. Found within each section, these boxes tie
section content to real-world examples, scenarios, and applications.
▲ Figures and tables. Line art and photos have been carefully
chosen to be truly instructional rather than filler. Tables distill
and present information in a way that is easy to identify, access,
and understand, enhancing the focus of the text on essential
ideas.
▲ Self-Check. Related to the “What You’ll Learn” bullets and
found at the end of each section, this battery of short answer
questions emphasizes student understanding of concepts and
mastery of section content. Though the questions may either
be discussed in class or studied by students outside of class,
students should not go on before they can answer all questions
correctly.
▲ Key Terms and Glossary. To help students develop a professional vocabulary, key terms are bolded when they first appear
in the chapter. A complete list of key terms appears at the end
of each chapter, and all the key terms, along with brief definitions, appear in a glossary at the end of the book. Knowledge
of key terms is assessed by all assessment tools (see below).
▲ Summary. Each chapter concludes with a summary paragraph
that reviews the major concepts in the chapter and links back
to the “What You’ll Learn” list.

Evaluation and Assessment Tools
The evaluation phase of the CASE Learning System consists of a variety
of within-chapter and end-of-chapter assessment tools that test how
well students have learned the material. These tools also encourage
students to extend their learning into different scenarios and higher
levels of understanding and thinking. The following assessment tools
appear in every chapter of Network Security Fundamentals:
▲ Summary Questions help students summarize the chapter’s
main points by asking a series of multiple choice and true/false
questions that emphasize student understanding of concepts and
mastery of chapter content. Students should be able to answer
all of the Summary Questions correctly before moving on.
▲ Applying This Chapter Questions drive home key ideas by
asking students to synthesize and apply chapter concepts to new,
real-life situations and scenarios.
▲ You Try It Questions are designed to extend students’ thinking, and so are ideal for discussion or writing assignments. Using
an open-ended format and sometimes based on web sources,
they encourage students to draw conclusions using chapter
material applied to real-world situations, which fosters both mastery and independent learning.
▲ Post-test should be taken after students have completed the
chapter. It includes all of the questions in the pre-test, so that
students can see how their learning has progressed and
improved.

Instructor Package
Network Security Fundamentals is available with the following teaching
and learning supplements. All supplements are available online at the
text’s Book Companion website, located at www.wiley.com/college/cole.
▲ Instructor’s Resource Guide. Provides the following aids and
supplements for teaching a network security fundamentals course:
● Teaching suggestions. For each chapter, these include a chapter
summary, learning objectives, definitions of key terms, lecture
notes, answers to select text question sets, and at least 3 suggestions for classroom activities, such as ideas for speakers to
invite, videos to show, and other projects.
▲ PowerPoint Slides. Key information is summarized in 10 to 15
PowerPoint® slides per chapter. Instructors may use these in class
or choose to share them with students for class presentations or
to provide additional study support.
▲ Test Bank. One test per chapter, as well as a mid-term, and
two finals: one cumulative, one non-cumulative. Each includes
true/false, multiple choice, and open-ended questions. Answers
and page references are provided for the true/false and multiple
choice questions, and page references for the open-ended questions. Questions are available in Microsoft Word and computerized test bank formats.

Student Project Manual
The inexpensive Network Security Fundamentals Project Manual contains
activities (an average of five projects per textbook chapter) designed
to help students apply textbook concepts in a practical way. Easier
exercises at the beginning graduate to more challenging projects that
build critical-thinking skills.

ACKNOWLEDGMENTS
Taken together, the content, pedagogy, and assessment elements of Network
Security Fundamentals offer the career-oriented student the most important
aspects of the network security field as well as ways to develop the skills
and capabilities that current and future employers seek in the individuals
they hire and promote. Instructors will appreciate its practical focus, conciseness, and real-world emphasis.
We would like to thank the reviewers for their feedback and suggestions during the text’s development. Their advice on how to shape Network
Security Fundamentals into a solid learning tool that meets both their needs
and those of their busy students is deeply appreciated.
We would especially like to thank the following reviewers for their significant contributions:
Delfina Najera, El Paso Community College
Jan McDanolds, Kaplan University
Laurence Dumais, American River College
We would also like to thank Carol Traver for all her hard work in formatting and preparing the manuscript for production.


BRIEF CONTENTS
1 Computer and Network Security Principles
2 Network and Server Security
3 Cryptography
4 Authentication
5 Authorization and Access Control
6 Securing Network Transmission
7 Remote Access and Wireless Security
8 Server Roles and Security
9 Protecting Against Malware
10 Ongoing Security Management
11 Fault Tolerance and Disaster Recovery
12 Intrusion Detection and Response
Glossary
Index


CONTENTS
1

Network Security Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1
Importance of Computer and Network Security . . . . . . . . . . . . . . 2
1.1.1
Exposing Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1.2
Causing System Failures. . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.3
Profile of an Attacker . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.4
Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.5
Security Defined. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2
Underlying Computer and Network Security Concepts . . . . . . . . 6
1.2.1
Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2.2
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2.3
Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.2.4
Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.2.5
Nonrepudiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3
Threats and Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3.1
Assessing Assets, Vulnerabilities and
Threats to Calculate Risk . . . . . . . . . . . . . . . . . . . . . . 12
1.3.2
Calculating Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.3
Countermeasures—Risk Mitigation . . . . . . . . . . . . . . 16
Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.4
Policies and Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.4.1
Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.4.2
Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.4.3
Informing Users of the Importance of Security . . . . . . 23
Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Assess Your Understanding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Summary Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Applying This Chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
You Try It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

2

Network and Server Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.1
Network Protocols Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.1.1
Understanding Protocols . . . . . . . . . . . . . . . . . . . . . . 31
2.1.2
The Open Systems Interconnect Model . . . . . . . . . . . 32

xx

CONTENTS

2.2

2.3

2.4

3

2.1.3
The TCP/IP Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.1.4
TCP/IP Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Best Practices for Network Security . . . . . . . . . . . . . . . . . . . . . . 45
2.2.1
Security by Design . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
2.2.2
Maintaining a Security Mindset . . . . . . . . . . . . . . . . . 47
2.2.3
Defense-in-Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Securing Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
2.3.1
Controlling the Server Configuration . . . . . . . . . . . . . 49
Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Border Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
2.4.1
Segmenting a Network . . . . . . . . . . . . . . . . . . . . . . . . 57
2.4.2
Perimeter Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
2.4.3
Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
2.4.4
Network Address Translation . . . . . . . . . . . . . . . . . . . 65
Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Assess Your Understanding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Summary Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Applying This Chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
You Try It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.1
Cryptography Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.1.1.
A Brief History of Cryptography. . . . . . . . . . . . . . . . . 75
3.1.2
Cryptographic Primitives . . . . . . . . . . . . . . . . . . . . . . 79
3.1.3
XOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
3.1.4
Cast of Characters . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
3.2
Symmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
3.2.1
Understanding Symmetric Encryption . . . . . . . . . . . . 83
3.2.2
Encryption Strength . . . . . . . . . . . . . . . . . . . . . . . . . . 84
3.2.3
Stream Ciphers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
3.2.4
Block Ciphers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
3.2.5
Sharing Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
3.3
Asymmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
3.3.1
Ensuring Confidentiality with
Asymmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . 91

3.3.2 Digital Signatures . . . 92
Self-Check . . . 93
3.4 Hashes . . . 93
3.4.1 Hash Functions . . . 93
3.4.2 Using Hash Functions to Ensure Integrity . . . 94
3.4.3 A Vulnerability When Protecting Passwords . . . 94
3.4.4 Creating Pseudorandom Data with Hash Functions . . . 95
3.4.5 Keyed Hash Functions . . . 96
Self-Check . . . 96
3.5 Achieving CIA . . . 97
3.5.1 Confidentiality . . . 97
3.5.2 Integrity . . . 97
3.5.3 Authentication . . . 98
3.5.4 CIA . . . 98
Self-Check . . . 99
3.6 Public Key Infrastructure (PKI) . . . 99
3.6.1 Digital Certificates . . . 99
3.6.2 Public Key Infrastructure . . . 100
3.6.3 Designing a CA Hierarchy . . . 103
3.6.4 Security Policy and PKI Implementation . . . 107
3.6.5 Trusting Certificates from Other Organizations . . . 108
3.6.6 Creating an Enrollment and Distribution Strategy . . . 110
3.6.7 Renewing Certificates . . . 110
3.6.8 Revoking a Certificate . . . 111
Self-Check . . . 112
Summary . . . 113
Key Terms . . . 113
Assess Your Understanding . . . 115
Summary Questions . . . 115
Applying This Chapter . . . 116
You Try It . . . 117

4 Authentication . . . 118
Introduction . . . 119
4.1 Authentication Overview . . . 119
4.1.1 Interactive Logon . . . 119
4.1.2 Peer-to-Peer Network Logon . . . 120
4.1.3 Computer Authentication . . . 120
4.1.4 Mutual Authentication . . . 121
4.1.5 Application Authentication . . . 123
Self-Check . . . 125
4.2 Authentication Credentials . . . 125
4.2.1 Password Authentication . . . 125
4.2.2 One-Time Passwords . . . 128
4.2.3 Smart Cards . . . 128
4.2.4 Biometrics . . . 129
Self-Check . . . 131
4.3 Authentication Protocols . . . 131
4.3.1 LAN Manager-Based Protocols . . . 131
4.3.2 Kerberos . . . 134
Self-Check . . . 136
4.4 Best Practices for Secure Authentication . . . 136
4.4.1 Password Policies . . . 137
4.4.2 Account Lockout Policy . . . 139
4.4.3 Account Logon Hours . . . 140
4.4.4 Account Logon Workstation . . . 140
4.4.5 Auditing Logons . . . 141
Self-Check . . . 141
Summary . . . 143
Key Terms . . . 143
Assess Your Understanding . . . 145
Summary Questions . . . 145
Applying This Chapter . . . 146
You Try It . . . 148

5 Authorization and Access Control . . . 149
Introduction . . . 150
5.1 Access Control Models . . . 150
5.1.1 Discretionary Access Control (DAC) . . . 150
5.1.2 Mandatory Access Control (MAC) . . . 151
5.1.3 Role-Based Access Control (RBAC) . . . 152
5.1.4 Principle of Least Permission . . . 154
Self-Check . . . 154
5.2 Implementing Access Control on Windows Computers . . . 154
5.2.1 Principals . . . 154
5.2.2 Windows Access Control Model . . . 161
5.2.3 Understanding Active Directory Object Permissions . . . 163
5.2.4 Designing Access Control for Files and Folders . . . 165
5.2.5 User Rights Assignment . . . 172
Self-Check . . . 173
5.3 Implementing Access Control on Unix Computers . . . 174
5.3.1 Principals . . . 174
5.3.2 Objects . . . 176
Self-Check . . . 181
Summary . . . 182
Key Terms . . . 182
Assess Your Understanding . . . 184
Summary Questions . . . 184
Applying This Chapter . . . 185
You Try It . . . 187

6 Securing Network Transmission . . . 188
Introduction . . . 189
6.1 Analyzing Security Requirements for Network Traffic . . . 189
6.1.1 Types of Attacks . . . 189
6.1.2 Considerations for Designing a Secure Infrastructure . . . 192
6.1.3 Securely Transmitting Data . . . 193
Self-Check . . . 194
6.2 Defining Network Perimeters . . . 195
6.2.1 Isolating Insecure Networks Using Subnets . . . 195
6.2.2 Switches and VLANs . . . 196
6.2.3 Using IP Address and IP Packet Filtering . . . 199
Self-Check . . . 201
6.3 Data Transmission Protection Protocols . . . 201
6.3.1 SSL and TLS . . . 201
6.3.2 IP Security (IPsec) . . . 205
6.3.3 Server Message Block Signing . . . 211
6.3.4 Secure Shell . . . 212
Self-Check . . . 214
Summary . . . 214
Key Terms . . . 215
Assess Your Understanding . . . 217
Summary Questions . . . 217
Applying This Chapter . . . 218
You Try It . . . 220

7 Remote Access and Wireless Security . . . 221
Introduction . . . 222
7.1 Dial-Up Networking . . . 222
7.1.1 Dial-Up Networking Protocols . . . 222
7.1.2 Dial-Up Networking Authentication Protocols . . . 223
7.1.3 Limiting Dial-Up Access . . . 228
7.1.4 Preventing Access to the Network . . . 229
Self-Check . . . 230
7.2 Virtual Private Networks . . . 230
7.2.1 Point-to-Point Tunneling Protocol (PPTP) . . . 231
7.2.2 L2TP and IPsec . . . 233
7.2.3 Hardware VPN Solutions . . . 234
Self-Check . . . 235
7.3 RADIUS and TACACS . . . 235
7.3.1 Using RADIUS Authentication . . . 236
7.3.2 Using TACACS and TACACS+ . . . 237
Self-Check . . . 239
7.4 Wireless Networks . . . 239
7.4.1 Wireless Networking Standards . . . 239
7.4.2 Wireless Modes . . . 240
7.4.3 Preventing Intruders from Connecting to a Wireless Network . . . 240
7.4.4 Wired Equivalent Privacy (WEP) . . . 241
7.4.5 WiFi Protected Access (WPA) . . . 244
7.4.6 802.1x . . . 246
7.4.7 802.11i . . . 252
7.4.8 Designing for an Open Access Point . . . 253
7.4.9 Identifying Wireless Network Vulnerabilities . . . 253
Self-Check . . . 255
Summary . . . 255
Key Terms . . . 255
Assess Your Understanding . . . 258
Summary Questions . . . 258
Applying This Chapter . . . 259
You Try It . . . 261

8 Server Roles and Security . . . 262
Introduction . . . 263
8.1 Server Roles and Baselines . . . 263
8.1.1 Trusted Computing Base . . . 263
8.1.2 Secure Baseline . . . 264
8.1.3 Preparing to Implement the Baseline . . . 265
8.1.4 Security Templates . . . 265
8.1.5 Security Configuration Wizard . . . 270
8.1.6 Secure Baseline Configuration for Linux Servers . . . 272
8.1.7 Virtualization . . . 273
Self-Check . . . 274
8.2 Securing Network Infrastructure Servers . . . 274
8.2.1 Securing DNS Servers . . . 275
8.2.2 Securing DHCP Servers . . . 284
8.2.3 Securing WINS Servers . . . 287
8.2.4 Securing Remote Access Servers . . . 288
8.2.5 Securing NAT Servers . . . 289
Self-Check . . . 289
8.3 Securing Domain Controllers . . . 289
Self-Check . . . 292
8.4 Securing File and Print Servers . . . 292
8.4.1 Securing File Servers . . . 292
8.4.2 Securing Print Servers . . . 293
8.4.3 Securing FTP Server . . . 295
Self-Check . . . 297
8.5 Securing Application Servers . . . 298
8.5.1 Securing Web Servers . . . 298
8.5.2 Securing Database Servers . . . 301
Self-Check . . . 304
Summary . . . 304
Key Terms . . . 304
Assess Your Understanding . . . 306
Summary Questions . . . 306
Applying This Chapter . . . 307
You Try It . . . 309

9 Protecting Against Malware . . . 310
Introduction . . . 311
9.1 Viruses and Other Malware . . . 311
9.1.1 Viruses . . . 311
9.1.2 Worms . . . 312
9.1.3 Trojan Horses . . . 312
9.1.4 Browser Parasites . . . 314
9.1.5 Spyware . . . 313
9.1.6 Backdoors . . . 313
Self-Check . . . 315
9.2 Protecting the Workstation . . . 315
9.2.1 Antivirus Software . . . 317
9.2.2 Anti-Spyware . . . 317
9.2.3 Computer Configuration Guidelines . . . 318
9.2.4 User Training . . . 320
Self-Check . . . 323
9.3 Web Browser Security . . . 323
9.3.1 Web Browser Risks . . . 323
9.3.2 Web Browser Technologies . . . 324
9.3.3 Specific Threats to a Browser Session . . . 327
9.3.4 Browser Configuration . . . 329
9.3.5 Internet Explorer Security Zones . . . 334
9.3.6 Configuring Web Features in Firefox . . . 336
Self-Check . . . 336
9.4 Email Security . . . 336
9.4.1 Attacks that Disclose Data . . . 337
9.4.2 Spam . . . 342
9.4.3 Protecting Against Malcode Propagated by Email . . . 345
9.4.4 Mail Client Configurations . . . 346
9.4.5 Architectural Considerations . . . 347
Self-Check . . . 349
Summary . . . 350
Key Terms . . . 350
Assess Your Understanding . . . 352
Summary Questions . . . 352
Applying This Chapter . . . 353
You Try It . . . 355

10 Ongoing Security Management . . . 356
Introduction . . . 357
10.1 Managing Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . .