Network Security Bible 2005

Network Security
Bible
Dr. Eric Cole, Dr. Ronald Krutz, and James W. Conley


Network Security Bible
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2005 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 0-7645-7397-7
Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1
1B/SZ/RS/QU/IN
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108
of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization
through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA
01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal
Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355,
E-Mail: brandreview@wiley.com.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS
OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND
SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A
PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL
MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION.
THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL,
ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES
OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR
SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS
REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES
NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR
WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT
INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK
WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services or to obtain technical support, please contact our Customer
Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in
electronic books.
Library of Congress Cataloging-in-Publication Data
Cole, Eric.
Network security bible / Eric Cole, Ronald Krutz, James W. Conley.
p. cm.
ISBN 0-7645-7397-7 (pbk.)
1. Computer security. 2. Computer networks — Security measures. I. Krutz, Ronald L., 1938- II. Conley,
James W. III. Title.
QA76.9.A25C5985 2005
005.8—dc22
2004025696
Trademarks: Wiley, the Wiley logo, and related trade dress are registered trademarks of John Wiley & Sons, Inc. and/or its
affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks
are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned
in this book.

To Kerry, Jackson, and Anna, who provide constant
inspiration and energy. EBC
To my family — the real meaning of life. RLK
To my beautiful wife, Jill, and handsome children, Matthew and Andrew. JWC

Credits
Acquisitions Editor
Carol Long
Technical Editor
Patrick Santy
Editorial Manager
Mary Beth Wakefield
Vice President & Executive Group Publisher
Richard Swadley
Vice President and Publisher
Joseph B. Wikert

Project Coordinators
Maridee Ennis
Erin Smith
Graphics and Production Specialists
Sean Decker
Carrie A. Foster
Denny Hager
Joyce Haughey
Quality Control Technician
Amanda Briggs
John Greenough
Leeann Harney
Proofreading and Indexing
TECHBOOKS Production Services

About the Authors
Dr. Eric Cole is the best-selling author of Hackers Beware and one of the highest-rated speakers on the training circuit. Eric has earned rave reviews for his ability
to educate and train network security professionals worldwide. He has appeared on
CNN and has been interviewed on various TV programs, including “CBS News” and
“60 Minutes.”

An information security expert for more than 15 years, Eric holds several professional certificates and helped develop several certifications and corresponding
courses. He obtained his M.S. in Computer Science at the New York Institute of
Technology and recently earned his Doctorate degree in Network Steganography
from Pace University.
Eric has created and directed corporate security programs for several large organizations, built numerous security consulting practices, and worked for more than
five years at the Central Intelligence Agency. He is currently Chief Scientist for The
Sytex Group, Inc Information Research Center, where he heads up cutting-edge
research.
Dr. Ronald L. Krutz is a Senior Information Security Researcher in the Advanced
Technology Research center of The Sytex Group, Inc. In this capacity, he works with
a team responsible for advancing the state of the art in information systems security. He has more than 30 years of experience in distributed computing systems,
computer architectures, real-time systems, information assurance methodologies,
and information security training. He holds the CISSP and ISSEP information security certifications.
He has been an information security consultant at REALTECH Systems Corporation
and BAE Systems, an associate director of the Carnegie Mellon Research Institute
(CMRI), and a professor in the Carnegie Mellon University Department of Electrical
and Computer Engineering. Ron founded the CMRI Cybersecurity Center and was
founder and director of the CMRI Computer, Automation, and Robotics Group. He is
a former lead instructor for the (ISC)2 CISSP Common Body of Knowledge review
seminars. Ron is also a Distinguished Special Lecturer in the Center for Forensic
Computer Investigation at the University of New Haven, a part-time instructor in the
University of Pittsburgh Department of Electrical and Computer Engineering, and a
Registered Professional Engineer. In addition, he is the author of six best-selling
publications in the area of information systems security. Ron holds B.S., M.S., and
Ph.D. degrees in Electrical and Computer Engineering.
James W. Conley is a Senior Researcher in the Advanced Technology Research
Center of The Sytex Group, Inc. He has more than 20 years of experience in security,
beginning as a Security Officer in the United States Navy, then as a Senior Security
Specialist on CIA development efforts, and now as a security professional with certifications of CISSP/Security+/CCNA. Additionally, he has over 18 years of experience
in project management, software engineering, and computer science. He has a
strong foundation in personnel management, software development, and systems
integration. Prior to joining Sytex, he held prominent positions in various companies, such as Chief Information Officer, Director of Security, Vice President of
Security Solutions, and finally as President/CEO (ThinkSecure, LLC). Jim has extensive experience developing applications and securing systems in both UNIX and
Windows environments, and has a B.S. in Physics, M.S. in Computer Science, and is
pursuing a Ph.D. in Machine Learning at George Mason University, Fairfax, Virginia.

Contents at a Glance
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii


Part I: Security Principles and Practices . . . . . . . . . . . . . . . . . . 1
Chapter 1: Information System Security Principles . . . . . . . . . . . . . . . . . . 3
Chapter 2: Information System Security Management . . . . . . . . . . . . . . . . 43
Chapter 3: Access Control Considerations . . . . . . . . . . . . . . . . . . . . . . 79

Part II: Operating Systems and Applications . . . . . . . . . . . . . . 97

Chapter 4: Windows Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Chapter 5: UNIX and Linux Security . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Chapter 6: Web Browser and Client Security . . . . . . . . . . . . . . . . . . . . . 201
Chapter 7: Web Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Chapter 8: E-mail Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Chapter 9: Domain Name System . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Chapter 10: Server Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

Part III: Network Security Fundamentals . . . . . . . . . . . . . . . . 365
Chapter 11: Network Protocols . . . . . . . . . . . . . . . . . . . . . . . . 367
Chapter 12: Wireless Security . . . . . . . . . . . . . . . . . . . . . . . . . 381
Chapter 13: Network Architecture Fundamentals . . . . . . . . . . . . . . . . . . 417

Part IV: Communications . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Chapter 14: Secret Communication . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Chapter 15: Covert Communication . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Chapter 16: Applications of Secure/Covert Communication . . . . . . . . . . . . 529

Part V: The Security Threat and the Response . . . . . . . . . . . . . 555
Chapter 17: Intrusion Detection and Response . . . . . . . . . . . . . . . . . . . 557
Chapter 18: Security Assessments, Testing, and Evaluation . . . . . . . . . . . . 591
Chapter 19: Putting Everything Together . . . . . . . . . . . . . . . . . . . . . . . 613
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625

Contents
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii

Part I: Security Principles and Practices . . . . . . . . . . . . . . . . . . 1

Chapter 1: Information System Security Principles . . . . . . . . . . . . 3
Key Principles of Network Security . . . . . . . . . . . . . . . . . . . . . . . . 3
Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Other important terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Formal Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
The systems engineering process . . . . . . . . . . . . . . . . . . . . . 5
The Information Assurance Technical Framework . . . . . . . . . . . . 6
The Information Systems Security Engineering process . . . . . . . . 11
The Systems Development Life Cycle . . . . . . . . . . . . . . . . . . . 21
Information systems security and the SDLC . . . . . . . . . . . . . . . 22
Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Risk management and the SDLC . . . . . . . . . . . . . . . . . . . . . . 33
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Chapter 2: Information System Security Management . . . . . . . . . 43

Security Policies . . . . . . . . . . 43
Senior management policy statement . . . . . . . . . . 44
Standards, guidelines, procedures, and baselines . . . . . . . . . . 45
Security Awareness . . . . . . . . . . 46
Training . . . . . . . . . . 46
Measuring awareness . . . . . . . . . . 47
Managing the Technical Effort . . . . . . . . . . 48
Program manager . . . . . . . . . . 48
Program management plan . . . . . . . . . . 48
Systems engineering management plan . . . . . . . . . . 48
Configuration Management . . . . . . . . . . 56
Primary functions of configuration management . . . . . . . . . . 56
Definitions and procedures . . . . . . . . . . 57
Business Continuity and Disaster Recovery Planning . . . . . . . . . . 59
Business continuity planning . . . . . . . . . . 60
Disaster recovery planning . . . . . . . . . . 64
Physical Security . . . . . . . . . . 67
Controls . . . . . . . . . . 68
Environmental issues . . . . . . . . . . 72
Fire suppression . . . . . . . . . . 73
Object reuse and data remanence . . . . . . . . . . 74
Legal and Liability Issues . . . . . . . . . . 75
Types of computer crime . . . . . . . . . . 75
Electronic monitoring . . . . . . . . . . 76
Liability . . . . . . . . . . 76
Summary . . . . . . . . . . 77

Chapter 3: Access Control Considerations . . . . . . . . . . . . . . . . 79
Control Models . . . . . . . . . . 79
Discretionary access control . . . . . . . . . . 79
Mandatory access control . . . . . . . . . . 80
Non-discretionary access control . . . . . . . . . . 81
Types of Access Control Implementations . . . . . . . . . . 81
Preventive/Administrative . . . . . . . . . . 81
Preventive/Technical . . . . . . . . . . 82
Preventive/Physical . . . . . . . . . . 82
Detective/Administrative . . . . . . . . . . 82
Detective/Technical . . . . . . . . . . 83
Detective/Physical . . . . . . . . . . 83
Centralized/Decentralized access controls . . . . . . . . . . 84
Identification and Authentication . . . . . . . . . . 84
Passwords . . . . . . . . . . 85
Biometrics . . . . . . . . . . 85
Single Sign-On . . . . . . . . . . 86
Databases . . . . . . . . . . 90
Relational databases . . . . . . . . . . 90
Other database types . . . . . . . . . . 92
Remote Access . . . . . . . . . . 93
RADIUS . . . . . . . . . . 93
TACACS and TACACS+ . . . . . . . . . . 93
Password Authentication Protocol . . . . . . . . . . 94
Challenge Handshake Authentication Protocol . . . . . . . . . . 94
Callback . . . . . . . . . . 95
Summary . . . . . . . . . . 95


Part II: Operating Systems and Applications . . . . . . . . . . . . . . 97

Chapter 4: Windows Security . . . . . . . . . . . . . . . . . . . . . . . . 99
Windows Security at the Heart of the Defense . . . . . . . . . . 101
Who would target me? . . . . . . . . . . 101
Be afraid . . . . . . . . . . 102
Microsoft recommendations . . . . . . . . . . 103
Out-of-the-Box Operating System Hardening . . . . . . . . . . 105
Prior to system hardening . . . . . . . . . . 105
The general process of system hardening . . . . . . . . . . 105
Windows 2003 new installation example . . . . . . . . . . 107
Specifics of system hardening . . . . . . . . . . 110
Securing the typical Windows business workstation . . . . . . . . . . 114
Securing the typical Windows gaming system . . . . . . . . . . 114
Installing Applications . . . . . . . . . . 115
Antivirus protection . . . . . . . . . . 116
Personal firewalls . . . . . . . . . . 118
Secure Shell . . . . . . . . . . 118
Secure FTP . . . . . . . . . . 119
Pretty Good Privacy . . . . . . . . . . 119
Putting the Workstation on the Network . . . . . . . . . . 120
Test the hardened workstation . . . . . . . . . . 120
Physical security . . . . . . . . . . 120
Architecture . . . . . . . . . . 120
Firewall . . . . . . . . . . 121
Intrusion detection systems . . . . . . . . . . 122
Operating Windows Safely . . . . . . . . . . 122
Separate risky behavior . . . . . . . . . . 122
Physical security issues . . . . . . . . . . 124
Configuration issues . . . . . . . . . . 125
Configuration control . . . . . . . . . . 127
Operating issues . . . . . . . . . . 130
Upgrades and Patches . . . . . . . . . . 138
Keep current with Microsoft upgrades and patches . . . . . . . . . . 138
Keep current with application upgrades and patches . . . . . . . . . . 139
Keep current with antivirus signatures . . . . . . . . . . 139
Use the most modern Windows version . . . . . . . . . . 140
Maintain and Test the Security . . . . . . . . . . 140
Scan for vulnerabilities . . . . . . . . . . 141
Test questionable applications . . . . . . . . . . 141
Be sensitive to the performance of the system . . . . . . . . . . 141
Replace old Windows systems . . . . . . . . . . 142
Periodically re-evaluate and rebuild . . . . . . . . . . 142
Monitoring . . . . . . . . . . 143
Logging and auditing . . . . . . . . . . 144
Clean up the system . . . . . . . . . . 144
Prepare for the eventual attack . . . . . . . . . . 145
Attacks Against the Windows Workstation . . . . . . . . . . 145
Viruses . . . . . . . . . . 145
Worms . . . . . . . . . . 146
Trojan horses . . . . . . . . . . 147
Spyware and ad support . . . . . . . . . . 148
Spyware and “Big Brother” . . . . . . . . . . 149
Physical attacks . . . . . . . . . . 149
TEMPEST attacks . . . . . . . . . . 150
Backdoors . . . . . . . . . . 150
Denial-of-service attacks . . . . . . . . . . 151
File extensions . . . . . . . . . . 151
Packet sniffing . . . . . . . . . . 152
Hijacking and session replay . . . . . . . . . . 152
Social engineering . . . . . . . . . . 152
Summary . . . . . . . . . . 153

Chapter 5: UNIX and Linux Security . . . . . . . . . . . . . . . . . . . 155
The Focus of UNIX/Linux Security . . . . . . . . . . 155
UNIX as a target . . . . . . . . . . 155
UNIX/Linux as a poor target . . . . . . . . . . 157
Open source issues . . . . . . . . . . 158
Physical Security . . . . . . . . . . 160
Limiting access . . . . . . . . . . 161
Detecting hardware changes . . . . . . . . . . 162
Disk partitioning . . . . . . . . . . 163
Prepare for the eventual attack . . . . . . . . . . 164
Controlling the Configuration . . . . . . . . . . 166
Installed packages . . . . . . . . . . 166
Kernel configurations . . . . . . . . . . 167
Operating UNIX Safely . . . . . . . . . . 174
Controlling processes . . . . . . . . . . 174
Controlling users . . . . . . . . . . 187
Encryption and certificates . . . . . . . . . . 194
Hardening UNIX . . . . . . . . . . 196
Configuration items . . . . . . . . . . 196
TCP wrapper . . . . . . . . . . 198
Checking strong passwords . . . . . . . . . . 198
Packet filtering with iptables . . . . . . . . . . 199
Summary . . . . . . . . . . 200

Chapter 6: Web Browser and Client Security . . . . . . . . . . . . . . 201
Web Browser and Client Risk . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Privacy versus security . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Web browser convenience . . . . . . . . . . . . . . . . . . . . . . . . 202


Web browser productivity and popularity . . . . . . . . . . 202
Web browser evolution . . . . . . . . . . 203
Web browser risks . . . . . . . . . . 204
Issues working against the attacker . . . . . . . . . . 205
How a Web Browser Works . . . . . . . . . . 205
HTTP, the browser protocol . . . . . . . . . . 205
Cookies . . . . . . . . . . 208
Maintaining state . . . . . . . . . . 210
Caching . . . . . . . . . . 212
Secure Socket Layer . . . . . . . . . . 212
Web Browser Attacks . . . . . . . . . . 216
Hijacking attack . . . . . . . . . . 216
Replay attack . . . . . . . . . . 217
Browser parasites . . . . . . . . . . 218
Operating Safely . . . . . . . . . . 219
Keeping current with patches . . . . . . . . . . 220
Avoiding viruses . . . . . . . . . . 220
Using secure sites . . . . . . . . . . 220
Securing the network environment . . . . . . . . . . 222
Using a secure proxy . . . . . . . . . . 223
Avoid using private data . . . . . . . . . . 223
General recommendations . . . . . . . . . . 224
Web Browser Configurations . . . . . . . . . . 225
Cookies . . . . . . . . . . 225
Plugins . . . . . . . . . . 226
Netscape-specific issues . . . . . . . . . . 230
Internet Explorer–specific issues . . . . . . . . . . 231
Summary . . . . . . . . . . 236

Chapter 7: Web Security . . . . . . . . . . . . . . . . . . . . . . . . . . 237
What Is HTTP? . . . . . . . . . . 237
How Does HTTP Work? . . . . . . . . . . 239
HTTP implementation . . . . . . . . . . 242
Persistent connections . . . . . . . . . . 244
The client/server model . . . . . . . . . . 248
Put . . . . . . . . . . 249
Get . . . . . . . . . . 250
Burstable TCP . . . . . . . . . . 250
HTML . . . . . . . . . . 251
Server Content . . . . . . . . . . 252
CGI scripts . . . . . . . . . . 252
PHP pages . . . . . . . . . . 253
Client Content . . . . . . . . . . 254
JavaScript . . . . . . . . . . 254
Java . . . . . . . . . . 255
ActiveX . . . . . . . . . . 257
State . . . . . . . . . . 260
What is state? . . . . . . . . . . 260
How does it relate to HTTP? . . . . . . . . . . 260
What applications need state? . . . . . . . . . . 260
Tracking state . . . . . . . . . . 261
Cookies . . . . . . . . . . 261
Web bugs . . . . . . . . . . 264
URL tracking . . . . . . . . . . 265
Hidden frames . . . . . . . . . . 265
Hidden fields . . . . . . . . . . 266
Attacking Web Servers . . . . . . . . . . 266
Account harvesting . . . . . . . . . . 266
SQL injection . . . . . . . . . . 267
E-commerce Design . . . . . . . . . . 269
Physical location . . . . . . . . . . 269
Summary . . . . . . . . . . 271

Chapter 8: E-mail Security . . . . . . . . . . . . . . . . . . . . . . . . . 273
The E-mail Risk . . . . . . . . . . 273
Data vulnerabilities . . . . . . . . . . 273
Simple e-mail versus collaboration . . . . . . . . . . 274
Spam . . . . . . . . . . 285
Maintaining e-mail confidentiality . . . . . . . . . . 288
Maintaining e-mail integrity . . . . . . . . . . 289
E-mail availability issues . . . . . . . . . . 290
The E-mail Protocols . . . . . . . . . . 290
SMTP . . . . . . . . . . 290
POP . . . . . . . . . . 294
IMAP . . . . . . . . . . 295
E-mail Authentication . . . . . . . . . . 296
Plain login . . . . . . . . . . 296
Login authentication . . . . . . . . . . 297
APOP . . . . . . . . . . 297
NTLM/SPA . . . . . . . . . . 298
POP before SMTP . . . . . . . . . . 299
Kerberos and GSSAPI . . . . . . . . . . 299
Operating Safely When Using E-mail . . . . . . . . . . 300
Be paranoid . . . . . . . . . . 300
Mail client configurations . . . . . . . . . . 301
Application versions . . . . . . . . . . 302
Architectural considerations . . . . . . . . . . 302
SSH tunnel . . . . . . . . . . 303
PGP and GPG . . . . . . . . . . 307
Summary . . . . . . . . . . 308


Chapter 9: Domain Name System . . . . . . . . . . . . . . . . . . . . 309
Purpose of DNS . . . . . . . . . . 310
Forward lookups . . . . . . . . . . 315
Reverse lookups . . . . . . . . . . 316
Alternative Approaches to Name Resolution . . . . . . . . . . 318
Security Issues with DNS . . . . . . . . . . 319
Misconfigurations . . . . . . . . . . 321
Zone transfers . . . . . . . . . . 322
Predictable query IDs . . . . . . . . . . 325
Recursion and iterative queries . . . . . . . . . . 325
DNS Attacks . . . . . . . . . . 326
Simple DNS attack . . . . . . . . . . 327
Cache poisoning . . . . . . . . . . 327
Designing DNS . . . . . . . . . . 329
Split DNS . . . . . . . . . . 329
Split-split DNS . . . . . . . . . . 329
Master Slave DNS . . . . . . . . . . 331
Detailed DNS Architecture . . . . . . . . . . 331
Summary . . . . . . . . . . 332

Chapter 10: Server Security . . . . . . . . . . . . . . . . . . . . . . . . 333
General Server Risks . . . . . 333
Security by Design . . . . . 334
    Maintain a security mindset . . . . . 335
    Establishing a secure development environment . . . . . 340
    Secure development practices . . . . . 344
    Test, test, test . . . . . 351
Operating Servers Safely . . . . . 354
    Controlling the server configuration . . . . . 354
    Controlling users and access . . . . . 356
    Passwords . . . . . 357
    Monitoring, auditing, and logging . . . . . 357
Server Applications . . . . . 358
    Data sharing . . . . . 358
    Peer to peer . . . . . 362
    Instant messaging and chat . . . . . 363
Summary . . . . . 364

Part III: Network Security Fundamentals . . . . . 365

Chapter 11: Network Protocols . . . . . . . . . . . . . . . . . . . . . . 367
Protocols . . . . . 367
The Open Systems Interconnect Model . . . . . 368
The OSI Layers . . . . . 369
    The Application layer . . . . . 369
    The Presentation layer . . . . . 370
    The Session Layer . . . . . 370
    The Transport layer . . . . . 371
    The Network layer . . . . . 372
    The Data Link layer . . . . . 373
    The Physical layer . . . . . 374
The TCP/IP Model . . . . . 375
TCP/IP Model Layers . . . . . 377
Network Address Translation . . . . . 379
Summary . . . . . 379

Chapter 12: Wireless Security . . . . . . . . . . . . . . . . . . . . . . . 381
Electromagnetic Spectrum . . . . . 381
The Cellular Phone Network . . . . . 383
Placing a Cellular Telephone Call . . . . . 385
Wireless Transmission Systems . . . . . 386
    Time Division Multiple Access . . . . . 386
    Frequency Division Multiple Access . . . . . 386
    Code Division Multiple Access . . . . . 387
    Wireless transmission system types . . . . . 388
Pervasive Wireless Data Network Technologies . . . . . 393
    Spread spectrum . . . . . 393
    Spread spectrum basics . . . . . 393
IEEE Wireless LAN Specifications . . . . . 397
    The PHY layer . . . . . 398
    The MAC layer . . . . . 398
IEEE 802.11 Wireless Security . . . . . 400
    WEP . . . . . 400
    WEP security upgrades . . . . . 402
    802.11i . . . . . 408
Bluetooth . . . . . 413
Wireless Application Protocol . . . . . 414
Summary . . . . . 416

Chapter 13: Network Architecture Fundamentals . . . . . . . . . . . 417
Network Segments . . . . . 418
    Public networks . . . . . 418
    Semi-private networks . . . . . 418
    Private networks . . . . . 419
Perimeter Defense . . . . . 419
Network Address Translation . . . . . 420
Basic Architecture Issues . . . . . 422
Subnetting, Switching, and VLANs . . . . . 424
Address Resolution Protocol and Media Access Control Addresses . . . . . 426
Dynamic Host Configuration Protocol and Addressing Control . . . . . 428
Firewalls . . . . . 429
    Packet filtering firewalls . . . . . 430
    Stateful packet filtering . . . . . 432
    Proxy firewalls . . . . . 433
    Disadvantages of firewalls . . . . . 434
Intrusion Detection Systems . . . . . 435
    Types of intrusion detection systems . . . . . 436
    Methods and modes of intrusion detection . . . . . 439
Responses to Intrusion Detection . . . . . 442
Common Attacks . . . . . 442
Summary . . . . . 444

Part IV: Communications . . . . . 445

Chapter 14: Secret Communication . . . . . . . . . . . . . . . . . . . 447
General Terms . . . . . 448
Historic Cryptography . . . . . 449
    Substitution ciphers . . . . . 449
    Ciphers that shaped history . . . . . 455
The Four Cryptographic Primitives . . . . . 455
    Random number generation . . . . . 456
Cast Introduction . . . . . 460
Symmetric Encryption . . . . . 460
    Stream ciphers . . . . . 462
    Block ciphers . . . . . 463
    Sharing keys . . . . . 465
Asymmetric Encryption (Two-Key Encryption) . . . . . 467
    Using a Certificate Authority . . . . . 468
    Using a web of trust . . . . . 469
    Digital signatures . . . . . 470
    Hash functions . . . . . 471
    Keyed hash functions . . . . . 473
Putting These Primitives Together to Achieve CIA . . . . . 473
The Difference Between Algorithm and Implementation . . . . . 475
Proprietary Versus Open Source Algorithms . . . . . 476
Summary . . . . . 477

Chapter 15: Covert Communication . . . . . . . . . . . . . . . . . . . 479
Where Hidden Data Hides . . . . . 479
Where Did It Come From? . . . . . 481
Where Is It Going? . . . . . 482
Overview of Steganography . . . . . 482
    Why do we need steganography? . . . . . 483
    Pros of steganography . . . . . 484
    Cons of steganography . . . . . 485
    Comparison to other technologies . . . . . 485
History of Steganography . . . . . 488
    Using steganography in the fight for the Roman Empire . . . . . 488
    Steganography during war . . . . . 489
Core Areas of Network Security and Their Relation to Steganography . . . . . 490
    Confidentiality . . . . . 490
    Integrity . . . . . 491
    Availability . . . . . 491
    Additional goals of steganography . . . . . 491
Principles of Steganography . . . . . 492
Steganography Compared to Cryptography . . . . . 493
    Protecting your ring example . . . . . 493
    Putting all of the pieces together . . . . . 494
Types of Steganography . . . . . 495
    Original classification scheme . . . . . 496
    New classification scheme . . . . . 497
    Color tables . . . . . 501
Products That Implement Steganography . . . . . 503
    S-Tools . . . . . 503
    Hide and Seek . . . . . 506
    Jsteg . . . . . 508
    EZ-Stego . . . . . 511
    Image Hide . . . . . 512
    Digital Picture Envelope . . . . . 514
    Camouflage . . . . . 516
    Gif Shuffle . . . . . 517
    Spam Mimic . . . . . 519
Steganography Versus Digital Watermarking . . . . . 520
    What is digital watermarking? . . . . . 521
    Why do we need digital watermarking? . . . . . 521
    Properties of digital watermarking . . . . . 521
Types of Digital Watermarking . . . . . 522
    Invisible watermarking . . . . . 522
    Visible watermarking . . . . . 523
Goals of Digital Watermarking . . . . . 523
Digital Watermarking and Stego . . . . . 524
    Uses of digital watermarking . . . . . 524
    Removing digital watermarks . . . . . 526
Summary . . . . . 526

Chapter 16: Applications of Secure/Covert Communication . . . . . 529
E-mail . . . . . 530
    POP/IMAP protocols . . . . . 530
    Pretty Good Privacy . . . . . 531
    Kerberos . . . . . 532
Authentication Servers . . . . . 534
    Working Model . . . . . 535
Public Key Infrastructure . . . . . 537
    Public and private keys . . . . . 538
    Key management . . . . . 540
    Web of trust . . . . . 541
Virtual Private Networks . . . . . 541
    Design issues . . . . . 543
    IPSec-based VPN . . . . . 544
    IPsec header modes . . . . . 545
    PPTP/PPP-based VPNs . . . . . 547
    Secure Shell . . . . . 548
Secure Sockets Layer/Transport Layer Security . . . . . 549
SSL Handshake . . . . . 550
Summary . . . . . 554

Part V: The Security Threat and the Response . . . . . 555

Chapter 17: Intrusion Detection and Response . . . . . . . . . . . . 557
Malicious Code . . . . . 557
    Viruses . . . . . 557
Review of Common Attacks . . . . . 559
    Denial-of-service/Distributed denial-of-service attacks . . . . . 559
    Back door . . . . . 560
    Spoofing . . . . . 560
    Man-in-the-middle . . . . . 561
    Replay . . . . . 561
    TCP/Hijacking . . . . . 561
    Fragmentation attacks . . . . . 562
    Weak keys . . . . . 562
    Mathematical attacks . . . . . 563
    Social engineering . . . . . 563
    Port scanning . . . . . 564
    Dumpster diving . . . . . 564
    Birthday attacks . . . . . 564
    Password guessing . . . . . 565
    Software exploitation . . . . . 565
    Inappropriate system use . . . . . 566
    Eavesdropping . . . . . 566
    War driving . . . . . 567
    TCP sequence number attacks . . . . . 567
    War dialing/demon dialing attacks . . . . . 567
Intrusion Detection Mechanisms . . . . . 567
    Antivirus approaches . . . . . 567
    Intrusion detection and response . . . . . 568
    IDS issues . . . . . 571
Honeypots . . . . . 573
    Purposes . . . . . 573
    Honeypot categories . . . . . 574
    When to use a honeypot . . . . . 575
    When not to use a honeypot . . . . . 575
    Current solutions . . . . . 576
    Honeynet Project . . . . . 577
Incident Handling . . . . . 577
    CERT/CC practices . . . . . 578
    Internet Engineering Task Force guidance . . . . . 583
    Layered security and IDS . . . . . 584
    Computer Security and Incident Response Teams . . . . . 585
    Security Incident Notification Process . . . . . 587
    Automated notice and recovery mechanisms . . . . . 588
Summary . . . . . 589

Chapter 18: Security Assessments, Testing, and Evaluation . . . . . 591
Information Assurance Approaches and Methodologies
    The Systems Security Engineering Capability Maturity Model
    NSA Infosec Assessment Methodology
    Operationally Critical Threat, Asset, and Vulnerability Evaluation
    Federal Information Technology Security Assessment Framework
Certification and Accred