
Network Security:
A Beginner’s Guide

ABOUT THE AUTHOR
Eric Maiwald, CISSP
Eric Maiwald is the Chief Technology Officer for Fortrex Technologies, where he oversees all security research and training activities for the company. Mr. Maiwald also performs assessments, develops policies, and implements security solutions for large financial institutions, services firms, and manufacturers. He has extensive experience in the security field as a consultant, security officer, and developer. Mr. Maiwald holds a Bachelor of Science in Electrical Engineering from Rensselaer Polytechnic Institute and a Master of Engineering in Electrical Engineering from Stevens Institute of Technology and is a Certified Information Systems Security Professional. He is a named inventor on patent numbers 5,577,209, “Apparatus and Method for Providing Multi-level Security for Communications among Computers and Terminals on a Network” and 5,872,847, “Using Trusted Associations to Establish Trust in a Computer Network.” Mr. Maiwald is a regular presenter at a number of well-known security conferences and is an editor of the SANS Windows Security Digest.


ABOUT THE TECHNICAL REVIEWER
Mark Cusick
Mark Cusick is currently Director, Security Services, Fortrex Technologies, an information security solutions provider based in Gaithersburg, Maryland (www.fortrex.com). Mr. Cusick is directly responsible for all security service activities at Fortrex Technologies. He has personally been involved in numerous assessments along with developing policies and implementing security solutions for most Fortrex clients.

Prior to joining Fortrex Technologies Inc., Mr. Cusick was the Director of the U.S. Army’s Technical Counterintelligence School at Ft. Meade, Maryland. In this capacity, he was responsible for the development of all training and doctrinal publications relating to the conduct of highly sensitive and complex national-level investigations involving actual and attempted technical penetrations of the most sensitive facilities worldwide. Mr. Cusick directed the development of new courses of instruction in the areas of computer security and information warfare.

A retired U.S. Army Warrant Officer, Mr. Cusick has over 30 years’ experience in the security and information security field.

Copyright 2001 The McGraw-Hill Companies, Inc. Click Here for Terms of Use.

Network Security:
A Beginner’s Guide
ERIC MAIWALD


Osborne/McGraw-Hill
New York Chicago San Francisco
Lisbon London Madrid Mexico City
Milan New Delhi San Juan
Seoul Singapore Sydney Toronto

Copyright © 2001 by The McGraw-Hill Companies. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

0-07-219443-x

The material in this eBook also appears in the print version of this title: 0-07-213324-4.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at [email protected] or (212) 904-4069.

TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS”. McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
DOI: 10.1036/007219443x

This book is dedicated to my wife, Kay, and my two sons, Steffan and Joel, who put
up with a lot of long days and lost time during the writing of this book.


AT A GLANCE

Part I
Information Security Basics

▼ 1 What Is Information Security? . . . 3
▼ 2 Types of Attacks . . . 15
▼ 3 Information Security Services . . . 27

Part II
Ground Work

▼ 4 Legal Issues in Information Security . . . 41
▼ 5 Policy . . . 57
▼ 6 Managing Risk . . . 79
▼ 7 Information Security Process . . . 93
▼ 8 Information Security Best Practices . . . 115

Part III
Practical Solutions

▼ 9 Internet Architecture . . . 133
▼ 10 Virtual Private Networks . . . 167
▼ 11 E-Commerce Security Needs . . . 181
▼ 12 Encryption . . . 207
▼ 13 Hacker Techniques . . . 235
▼ 14 Intrusion Detection . . . 261

Part IV
Platform-Specific Implementations

▼ 15 Unix Security Issues . . . 285
▼ 16 Windows NT Security Issues . . . 307
▼ 17 Windows 2000 Security Issues . . . 321

Part V
Appendixes

▼ A The Process Project Plan . . . 343
▼ B Unix vs. Windows: Which Is More Secure? . . . 353
▼ C Resources to Learn More About Security . . . 361
▼ D Incident Response Procedure Testing Scenarios . . . 363

Index . . . 375

CONTENTS

Acknowledgments . . . xxiii
Introduction . . . xxv

Part I
Information Security Basics

▼ 1 What Is Information Security? . . . 3
    Defining Information Security . . . 4
    Brief History of Security . . . 5
        Physical Security . . . 5
        Communications Security . . . 5
        Emissions Security . . . 6
        Computer Security . . . 7
        Network Security . . . 8
        Information Security . . . 9
    Why Security Is a Process, Not Point Products . . . 10
        Anti-Virus Software . . . 10
        Access Controls . . . 10
        Firewalls . . . 11
        Smart Cards . . . 11
        Biometrics . . . 11
        Intrusion Detection . . . 12
        Policy Management . . . 12
        Vulnerability Scanning . . . 12
        Encryption . . . 12
        Physical Security Mechanisms . . . 12

▼ 2 Types of Attacks . . . 15
    Access Attacks . . . 16
        Snooping . . . 16
        Eavesdropping . . . 16
        Interception . . . 17
        How Access Attacks Are Accomplished . . . 18
    Modification Attacks . . . 21
        Changes . . . 21
        Insertion . . . 22
        Deletion . . . 22
        How Modification Attacks Are Accomplished . . . 22
    Denial-of-Service Attacks . . . 23
        Denial of Access to Information . . . 23
        Denial of Access to Applications . . . 23
        Denial of Access to Systems . . . 23
        Denial of Access to Communications . . . 23
        How Denial-of-Service Attacks Are Accomplished . . . 23
    Repudiation Attacks . . . 25
        Masquerading . . . 25
        Denying an Event . . . 25
        How Repudiation Attacks Are Accomplished . . . 25

▼ 3 Information Security Services . . . 27
    Confidentiality . . . 28
        Confidentiality of Files . . . 28
        Confidentiality of Information in Transmission . . . 29
        Traffic Flow Confidentiality . . . 29
        Attacks That Can Be Prevented . . . 30
    Integrity . . . 30
        Integrity of Files . . . 31
        Integrity of Information Transmission . . . 33
        Attacks That Can Be Prevented . . . 33
    Availability . . . 33
        Backups . . . 34
        Fail-Over . . . 34
        Disaster Recovery . . . 34
        Attacks That Can Be Prevented . . . 34
    Accountability . . . 34
        Identification and Authentication . . . 35
        Audit . . . 36
        Attacks That Can Be Prevented . . . 37

Part II
Ground Work

▼ 4 Legal Issues in Information Security . . . 41
    U.S. Criminal Law . . . 42
        Computer Fraud and Abuse (18 US Code 1030) . . . 42
        Credit Card Fraud (18 US Code 1029) . . . 43
        Copyrights (18 US Code 2319) . . . 43
        Interception (18 US Code 2511) . . . 43
        Access to Electronic Information (18 US Code 2701) . . . 44
        Other Criminal Statutes . . . 44
    State Laws . . . 45
    Examples of Laws in Other Countries . . . 50
        Australia . . . 51
        The Netherlands . . . 51
        United Kingdom . . . 51
    Prosecution . . . 51
        Evidence Collection . . . 52
        Contacting Law Enforcement . . . 52
    Civil Issues . . . 53
        Employee Issues . . . 53
        Downstream Liability . . . 54
    Privacy Issues . . . 54
        Customer Information . . . 55
        Health Information . . . 56

▼ 5 Policy . . . 57
    Policy Is Important . . . 58
        Defining How Security Should Be . . . 58
        Putting Everyone on the Same Page . . . 58
    Types of Policy . . . 59
        Information Policy . . . 59
        Security Policy . . . 61
        Computer Use Policy . . . 65
        Internet Use Policy . . . 66
        Mail Policy . . . 66
        User Management Procedures . . . 67
        System Administration Procedure . . . 68
        Incident Response Procedure . . . 69
        Configuration Management Procedure . . . 71
        Design Methodology . . . 72
        Disaster Recovery Plans . . . 73
    Creating Appropriate Policy . . . 74
        Defining What Is Important . . . 74
        Defining Acceptable Behavior . . . 75
        Identifying Stakeholders . . . 75
        Defining Appropriate Outlines . . . 75
        Policy Development . . . 75
    Deploying Policy . . . 76
        Gaining Buy-In . . . 76
        Education . . . 76
        Implementation . . . 77
    Using Policy Effectively . . . 77
        New Systems and Projects . . . 77
        Existing Systems and Projects . . . 77
        Audits . . . 78
        Policy Reviews . . . 78

▼ 6 Managing Risk . . . 79
    What Is Risk? . . . 80
        Vulnerability . . . 80
        Threat . . . 81
        Threat + Vulnerability = Risk . . . 85
    Identifying the Risk to an Organization . . . 86
        Identifying Vulnerabilities . . . 87
        Identifying Real Threats . . . 87
        Examining Countermeasures . . . 88
        Identifying Risk . . . 88
    Measuring Risk . . . 89
        Money . . . 90
        Time . . . 90
        Resources . . . 91
        Reputation . . . 91
        Lost Business . . . 91
        Methodology for Measuring Risk . . . 92

▼ 7 Information Security Process . . . 93
    Assessment . . . 95
        Network . . . 97
        Physical Security . . . 98
        Policies and Procedures . . . 99
        Precautions . . . 101
        Awareness . . . 101
        People . . . 102
        Workload . . . 102
        Attitude . . . 103
        Adherence . . . 103
        Business . . . 103
        Assessment Results . . . 104
    Policy . . . 104
        Choosing the Order of Policies to Develop . . . 105
        Updating Existing Policies . . . 105
    Implementation . . . 106
        Security Reporting Systems . . . 106
        Authentication Systems . . . 107
        Internet Security . . . 108
        Intrusion Detection Systems . . . 108
        Encryption . . . 109
        Physical Security . . . 109
        Staff . . . 110
    Awareness Training . . . 110
        Employees . . . 110
        Administrators . . . 111
        Developers . . . 111
        Executives . . . 112
        Security Staff . . . 112
    Audit . . . 112
        Policy Adherence Audits . . . 112
        Periodic and New Project Assessments . . . 113
        Penetration Tests . . . 113

▼ 8 Information Security Best Practices . . . 115
    Administrative Security . . . 116
        Policies and Procedures . . . 116
        Resources . . . 117
        Responsibility . . . 119
        Education . . . 119
        Contingency Plans . . . 122
        Security Project Plans . . . 123
    Technical Security . . . 124
        Network Connectivity . . . 124
        Virus Protection . . . 125
        Authentication . . . 126
        Audit . . . 127
        Encryption . . . 127
        Backup and Recovery . . . 128
        Physical Security . . . 129

Part III
Practical Solutions

▼ 9 Internet Architecture . . . 133
    Services to Offer . . . 134
        Mail . . . 134
        Web . . . 134
        Internal Access to the Internet . . . 135
        External Access to Internal Systems . . . 135
        Control Services . . . 136
    Services Not to Offer . . . 137
    Communications Architecture . . . 138
        Single-Line Access . . . 138
        Multiple-Line Access to a Single ISP . . . 140
        Multiple-Line Access to Multiple ISPs . . . 143
    Demilitarized Zone . . . 145
        Defining the DMZ . . . 145
        Systems to Place in the DMZ . . . 146
        Appropriate DMZ Architectures . . . 148
    Firewalls . . . 152
        Types of Firewalls . . . 153
        Firewall Configurations . . . 156
        Firewall Rule Set Design . . . 159
    Network Address Translation . . . 159
        What Is Network Address Translation? . . . 160
        Private Class Addresses . . . 160
        Static NAT . . . 161
        Dynamic NAT . . . 162
    Partner Networks . . . 163
        Use of Partner Networks . . . 163
        Setup . . . 163
        Addressing Issues . . . 163

▼ 10 Virtual Private Networks . . . 167
    Defining Virtual Private Networks . . . 168
    User VPNs . . . 170
        Benefits of User VPNs . . . 170
        Issues with User VPNs . . . 171
        Managing User VPNs . . . 173
    Site VPNs . . . 173
        Benefits of Site VPNs . . . 174
        Issues with Site VPNs . . . 174
        Managing Site VPNs . . . 175
    Standard VPN Techniques . . . 176
        VPN Server . . . 176
        Encryption Algorithms . . . 179
        Authentication System . . . 179

▼ 11 E-Commerce Security Needs . . . 181
    E-Commerce Services . . . 182
        Differences Between E-Commerce Services and Regular DMZ Services . . . 183
        Examples of E-Commerce Services . . . 184
    Availability . . . 185
        Business-to-Consumer Issues . . . 186
        Business-to-Business Issues . . . 186
        Global Time . . . 187
        Client Comfort . . . 187
        Cost of Downtime . . . 188
        Solving the Availability Problem . . . 188
    Client-Side Security . . . 189
        Communications Security . . . 189
        Saving Information on the Client System . . . 190
        Repudiation . . . 191
    Server-Side Security . . . 191
        Information Stored on the Server . . . 192
        Protecting the Server from Attack . . . 192
    Application Security . . . 197
        Proper Application Design . . . 197
        Proper Programming Techniques . . . 198
        Showing Code to the World . . . 199
        Configuration Management . . . 199
    Database Server Security . . . 200
        Database Location . . . 200
        Communication with the E-Commerce Server . . . 201
        Internal Access Protection . . . 202
    E-Commerce Architecture . . . 203
        Server Location and Connectivity . . . 203
        Availability . . . 204
        Vulnerability Scanning . . . 205
        Audit Information and Problem Detection . . . 205

▼ 12 Encryption . . . 207
    Encryption Concepts . . . 208
        Encryption Terms . . . 209
        Attacks Against Encryption . . . 210
    Private Key Encryption . . . 211
        What Is Private Key Encryption? . . . 211
        Substitution Ciphers . . . 212
        One-Time Pads . . . 212
        Data Encryption Standard . . . 213
        Triple DES . . . 216
        Password Encryption . . . 216
        The Advanced Encryption Standard: Rijndael . . . 217
        Other Private Key Algorithms . . . 218
    Public Key Encryption . . . 219
        What Is Public Key Encryption? . . . 219
        Diffie-Hellman Key Exchange . . . 220
        RSA . . . 221
        Other Public Key Algorithms . . . 223
    Digital Signatures . . . 224
        What Is a Digital Signature? . . . 224
        Secure Hash Functions . . . 226
    Key Management . . . 226
        Key Creation . . . 226
        Key Distribution . . . 228
        Key Certification . . . 228
        Key Protection . . . 228
        Key Revocation . . . 230
    Trust . . . 230
        Hierarchy . . . 230
        Web . . . 233

▼ 13 Hacker Techniques . . . 235
    A Hacker’s Motivation . . . 236
        Challenge . . . 236
        Greed . . . 237
        Malicious Intent . . . 238
    Historical Hacking Techniques . . . 239
        Open Sharing . . . 239
        Bad Passwords . . . 240
        Unwise Programming . . . 241
        Social Engineering . . . 242
        Buffer Overflows . . . 242
        Denial of Service . . . 244
    Methods of the Untargeted Hacker . . . 249
        Targets . . . 249
        Reconnaissance . . . 249
        Attack Methods . . . 251
        Use of Compromised Systems . . . 251
    Methods of the Targeted Hacker . . . 256
        Targets . . . 256
        Reconnaissance . . . 256
        Attack Methods . . . 259
        Use of Compromised Systems . . . 260

▼ 14 Intrusion Detection . . . 261
    Types of Intrusion Detection Systems . . . 263
        Host-Based IDS . . . 263
        Network-Based IDS . . . 265
        Is One Type of IDS Better? . . . 265
    Setting Up an IDS . . . 266
        Defining the Goals of the IDS . . . 266
        Choosing What to Monitor . . . 268
        Choosing How to Respond . . . 271
        Setting Thresholds . . . 274
        Implementing the System . . . 275
    Managing an IDS . . . 276
        Understanding What an IDS Can Tell You . . . 276
        Understanding What an IDS Is Telling You . . . 276
        Investigating Suspicious Events . . . 279

Part IV
Platform-Specific Implementations

▼ 15 Unix Security Issues . . . 285
    Setting Up the System . . . 286
        Startup Files . . . 286
        Services to Allow . . . 287
        System Configuration Files . . . 292
        Patches . . . 297
    User Management . . . 297
        Adding Users to the System . . . 297
        Removing Users from the System . . . 299
    System Management . . . 299
        Auditing a System . . . 299
        Log Files . . . 300
xviii

Network Security: A Beginner’s Guide

Hidden Files . . . . . . . . . .
SUID and SGID Files . . . . .
World-Writable Files . . . . .
Looking for Suspicious Signs

.
.
.
.

.
.
.
.

.
.
.
.

301
301
301
302

▼ 16 Windows NT Security Issues . . . . . 307
    Setting Up the System . . . . . 308
        Registry Settings . . . . . 308
        System Configuration Settings . . . . . 311
    User Management . . . . . 315
        Adding Users to the System . . . . . 315
        Setting File Permissions . . . . . 316
        Removing Users from the System . . . . . 316
    System Management . . . . . 316
        Auditing a System . . . . . 317
        Log Files . . . . . 318
        Looking for Suspicious Signs . . . . . 318

▼ 17 Windows 2000 Security Issues . . . . . 321
    Setting Up the System . . . . . 322
        Local Security Policy Settings . . . . . 322
        System Configuration . . . . . 325
    User Management . . . . . 331
        Adding Users to the System . . . . . 331
        Setting File Permissions . . . . . 333
        Removing Users from the System . . . . . 333
    System Management . . . . . 334
        The Secedit Command . . . . . 335
        Auditing a System . . . . . 337
        Log Files . . . . . 338
        Looking for Suspicious Signs . . . . . 339

Part V
Appendixes

▼ A The Process Project Plan . . . . . 343
    Assessment Phase . . . . . 345
        Planning . . . . . 345
        Information Gathering . . . . . 346
        Analysis . . . . . 346
        Presentation . . . . . 347
    Critical Fixes Phase . . . . . 347
        Assessment . . . . . 347
        Policy . . . . . 347
        Implementation . . . . . 348
        Training . . . . . 348
        Audit . . . . . 349
    Update Phase . . . . . 349
        Assessment . . . . . 349
        Policy . . . . . 350
        Implementation . . . . . 350
        Training . . . . . 350
        Audit . . . . . 350
    Ongoing Work Phase . . . . . 351
        Assessment . . . . . 351
        Policy . . . . . 351
        Implementation . . . . . 351
        Training . . . . . 351
        Audit . . . . . 351

▼ B Unix vs. Windows: Which Is More Secure? . . . . . 353
    Times Change . . . . . 354
    Viruses, Trojan Horses, and Worms, Oh My! . . . . . 355
    Operating System Vulnerabilities vs. Application Vulnerabilities . . . . . 356
    Interactive vs. Non-Interactive . . . . . 356
    Source Code or No Source Code . . . . . 357
    Expertise . . . . . 358
    Conclusion . . . . . 358

▼ C Resources to Learn More About Security . . . . . 361

▼ D Incident Response Procedure Testing Scenarios . . . . . 363
    Scenario 1—Web Page Hack . . . . . 364
        Initial Indications . . . . . 364
        What Really Happened . . . . . 364
        What the Team Will Find . . . . . 364
        Scenario Closeout . . . . . 365
        Variations . . . . . 365
        Recommended Use . . . . . 365
    Scenario 2—Unexplained High Traffic Volume . . . . . 365
        Initial Indications . . . . . 366
        What Really Happened . . . . . 366
        What the Team Will Find . . . . . 366
        Scenario Closeout . . . . . 366
        Recommended Use . . . . . 366

    Scenario 3—Files Modified by Unknown Person . . . . . 366
        Initial Indications . . . . . 367
        What Really Happened . . . . . 367
        What the Team Will Find . . . . . 367
        Scenario Closeout . . . . . 367
        Recommended Use . . . . . 367
    Scenario 4—Unauthorized Service Found on a System . . . . . 367
        Initial Indications . . . . . 368
        What Really Happened . . . . . 368
        What the Team Will Find . . . . . 368
        Scenario Closeout . . . . . 368
        Variations . . . . . 368
        Recommended Use . . . . . 368
    Scenario 5—System Log File Missing . . . . . 369
        Initial Indications . . . . . 369
        What Really Happened . . . . . 369
        What the Team Will Find . . . . . 369
        Scenario Closeout . . . . . 369
        Recommended Use . . . . . 369
    Scenario 6—The Network Is Slow . . . . . 369
        Initial Indications . . . . . 370
        What Really Happened . . . . . 370
        What the Team Will Find . . . . . 370
        Scenario Closeout . . . . . 370
        Recommended Use . . . . . 370
    Scenario 7—Internal Router Attack . . . . . 370
        Initial Indications . . . . . 370
        What Really Happened . . . . . 370
        What the Team Will Find . . . . . 371
        Scenario Closeout . . . . . 371
        Recommended Use . . . . . 371
    Scenario 8—Virus Attack . . . . . 371
        Initial Indications . . . . . 371
        What Really Happened . . . . . 371
        What the Team Will Find . . . . . 371
        Scenario Closeout . . . . . 371
        Recommended Use . . . . . 372
    Scenario 9—The IDS Reports an Attack . . . . . 372
        Initial Indications . . . . . 372
        What Really Happened . . . . . 372
        What the Team Will Find . . . . . 372
        Scenario Closeout . . . . . 372
        Variation . . . . . 372
        Recommended Use . . . . . 372

    Scenario 10—Extortion . . . . . 372
        Initial Indications . . . . . 373
        What Really Happened . . . . . 373
        What the Team Will Find . . . . . 373
        Scenario Closeout . . . . . 373
        Variations . . . . . 373
        Recommended Use . . . . . 373

Index . . . . . 375

ACKNOWLEDGMENTS
This book could not have been written without the help of a number of
people. Most notable in their help were those people I work with, including Mark Cusick, Stephen Edwards, Bill Sieglein, and Lee Kelly as
well as the other members of Fortrex. Two others provided a lot of information for which I am very grateful: Ted Whitehouse and Brian Ford. Of course,
none of this could have been possible without the help from the people at
Osborne/McGraw-Hill, most notably Jane Brownlow, Ross Doll, and
LeeAnn Pickrell.

Copyright 2001 The McGraw-Hill Companies, Inc.

INTRODUCTION
Network Security: A Beginner’s Guide. It seems that the title of this book
defines what it is about pretty well. But this book is not just a beginner’s guide. In writing this book, I attempted to pick out the issues
that confront me on a day-to-day basis. Most of these issues caused me
much consternation over the years, and it would have been very helpful for
me to have had all of this information at my fingertips.

Security has become more and more of an issue in recent years. We are constantly
hearing about the successful penetration of Web sites and organizations. In response to
these stories, more and more vendors are appearing with tools that offer some protection.
From looking at all of this information, it would appear that the big issues in security can
be solved with technology. Unfortunately, security issues are much more complex than
that. At the very bottom, security is a people issue. No matter how much technology we
throw at this problem, the best we can do is to make the job of the security practitioner a
little easier. We will not solve the basic problem with technology, but we can manage the
security problem through the dedicated application of well-thought-out security processes and procedures. Hopefully, this book will provide you with the basic tools you
will need to manage your security issues.
The book is divided into four main parts plus some good information in the appendices:

PART I: “INFORMATION SECURITY BASICS”
Part I provides you with a basic understanding of what information security is. Proper
terms are defined from both the attack perspective and the defensive services perspective.

Chapter 1: “What Is Information Security?” Chapter 1 provides the basic
definition of information security. This is derived by looking at what is being
protected (information) and what security really is. The history of security is
included to show how the concept has changed over time and to show the thinking
behind the various developments. The history section will also go into the reasons
for the failures over the years leading us into the current environment of little or no
security. Finally, the chapter will identify several of the common myths that have
been put forward by various vendors and communities and why they provide
false and misleading information.

Chapter 2: “Types of Attacks” Chapter 2 discusses the basic forms of attack
and how each can be used to do harm to an organization. Each basic form of
attack is dissected and examples are provided as to how each one is
accomplished.

Chapter 3: “Information Security Services” Chapter 3 discusses the basic
security services that can be used to protect information and systems from
attack. Each basic service is discussed and examples are provided as to how
each one can be accomplished. This chapter also covers how each service can
be used to defeat the four types of attacks.

PART II: “GROUND WORK”
Part II provides you with the ground work for a security program. To begin a program,
security professionals need an understanding of the law, how policy is to be used, the
management of risk, and the process of implementing and managing security. This section concludes with a discussion of best practices in the area of security.

Chapter 4: “Legal Issues in Information Security” Chapter 4 introduces
the legal issues surrounding information security. Existing U.S. federal law is
identified and discussed as are examples of state law. The laws of other
countries are discussed to compare and contrast those laws to U.S. law. The
key point here is the differences that exist in the interpretation of criminal
activity. Liability issues are discussed briefly to show that there are significant
noncriminal legal issues in security. The next section covers privacy. This is
a new area of Internet law and has potential consequences for many
companies. Lastly, this chapter will focus on the types of activities a company
should engage in if they want to prosecute an intruder.

Chapter 5: “Policy” Chapter 5 discusses the need for policy. After showing
why policy is important, the chapter discusses the various types of policy that an
organization should create. The discussion then progresses to how appropriate
policies can be created and, once created, how policy can be deployed and used
effectively.

Chapter 6: “Managing Risk” Chapter 6 focuses on the identification of risk
areas within an organization. The key concept for this chapter is to move
thinking from threats (attackers) and vulnerabilities (places where attackers can
get in) to risk (the ramifications to an organization if an attack is successful). First,
risk is defined, and then a methodology is laid out to identify risk. Finally, the
chapter discusses how to measure risk.

Chapter 7: “Information Security Process” Chapter 7 pulls all of the ground
work together and shows how to implement an information security program.
Each phase of the process is discussed from a “doing it” perspective.

Chapter 8: “Information Security Best Practices” Chapter 8 focuses on the
“what” (in comparison to Chapter 7’s “how”). Best practices are a combination of
administrative security measures and technical security measures. This chapter
defines the “perfect” security program. It also discusses why the “perfect”
program never exists in practice, and how close a program should come to the ideal is
tied back to the risk management philosophy of the organization.

PART III: “PRACTICAL SOLUTIONS”
Part III provides you with detailed technical information regarding architecture, e-commerce
sites, encryption, and intrusion detection. This section also provides information on how
hackers seek to target networks and the specific techniques that are used to attack a site.

Chapter 9: “Internet Architecture” Chapter 9 provides detailed discussions
about connecting to the Internet. This chapter goes over key architecture issues,
the meaning of terms, and how each piece can be used to secure the Internet
connection to an organization.

Chapter 10: “Virtual Private Networks” Chapter 10 discusses the uses of
Virtual Private Networks (VPNs) and how they can be set up and managed.

Chapter 11: “E-Commerce Security Needs” Chapter 11 discusses the issues
involved in setting up an e-commerce site. The chapter discusses each area of
an e-commerce project and identifies the issues in each area that may lead to a
security breach. For each issue identified, potential solutions are offered.

Chapter 12: “Encryption” Chapter 12 provides information on encryption
and how it can (and should) be used to enhance security. Basic encryption
concepts are defined first. Then the basics of private and public key systems