Devices, Media, and Topology Security

Date post: 18-Dec-2021

CHAPTER 3

Devices, Media, and Topology Security

OBJECTIVES

This chapter covers the following CompTIA-specified objectives for the Communications Security section of the Security+ exam.

Understand the basic security concepts of network devices.

• It is important for you to understand the basic security concepts of network devices, such as firewalls, routers, switches, and so on, so you can protect the environment and outgoing and incoming communications on these devices.

Understand the basic security concepts of storage media devices.

• It is important for you to understand the basic security concepts of storage media devices (such as the various types of cable and removable media) so you can protect the environment and outgoing and incoming communications on these devices.

Understand the basic security concepts of security topologies.

• It is important for you to understand the basic concepts of security topologies (such as security zones, VLANs, NAT, and tunneling) so you can protect the environment and outgoing and incoming communications.

06 0789728362 CH03 3/4/03 2:49 PM Page 205

OUTLINE

Introduction 208

Understanding the Basic Security Concepts of Network and System Devices 208

Firewalls 208
  Packet-Filtering Firewall 209
  Circuit-Level Gateway 210
  Application-Level Gateway 215
  Stateful Inspection Firewall 216
  Other Firewall Considerations 217
Routers 220
Switches 223
Wireless and Mobile Communications 226
Modems 227
RAS 229
Telecommunications/PBX 231
IDS 232
Network Monitoring/Diagnostic 234
  Fault Management 235
  Configuration Management 235
  Accounting Management 235
  Performance Management 236
  Security Management 236
  Simple Network Management Protocol 236
RMON 242
Workstations 246
Servers 247

Understanding the Basic Security Concepts of Media 248

Coaxial Cable 248
UTP/STP 249
Fiber 250
Infrared, RF, and Microwave 250
Removable Media 251
  Tape 251
  CDR 253
  Hard Drives and Disks 254
  Flashcards and Nonvolatile Memory 255
  Smart Cards 255

Understanding the Concepts of Security Topologies 256

Security Zones 256
  Bastion Host 257
  Screened Host Gateway 258
  Screened Subnet Gateway 259
  DMZs 262
  Intranets 263
  Extranets 264
Virtual Local Area Networks 264
Network Address Translation 265
Tunneling 267

Chapter Summary 269

Apply Your Knowledge 270


STUDY STRATEGIES

• One of the most important topics of this chapter is security topology and firewalls, which are security controls designed specifically to protect the infrastructure. Be sure you understand the types of firewalls and security topology configurations.

• If you have access to a Cisco router, Unix machine, or Windows 2000 machine (better yet, all three), make sure you are familiar with features such as access lists and IP filtering.

• Set up one or more of the security topologies in your lab.


208 Part I EXAM PREPARATION

INTRODUCTION

This chapter takes you through the basics of media, devices, and security topology. Protecting communications includes more than securing the software technologies and protocols covered in Chapter 2, “Communication Security.” The infrastructure, including all network devices, servers, and data, also requires security controls on all levels to ensure company-wide network security.

UNDERSTANDING THE BASIC SECURITY CONCEPTS OF NETWORK AND SYSTEM DEVICES

Understand the basic security concepts of network devices.

Network devices—such as routers, firewalls, gateways, switches, hubs, and so forth—create the infrastructure of local area networks (on the corporate scale) and the Internet (on the global scale). Securing such devices is fundamental to protecting the environment and outgoing/incoming communications. You also have to be aware of security risks and controls available in the public switched telephone network (PSTN) infrastructure because PSTNs are often used for computer communications. This section of the chapter introduces the security concepts applicable to physical devices, network topologies, and storage media.

Firewalls

A firewall is a hardware device or software application installed on the borderline of secured networks to examine and control incoming and outgoing network communications. As the first line of network defense, firewalls provide protection from outside attacks, but they have no control over attacks from within the corporate network. Some firewalls also block traffic and services that are actually legitimate.

EXAM TIP: Know that a firewall is a hardware or software system designed to protect one network from another network, and be familiar with the various types of firewalls.


Chapter 3 DEVICES, MEDIA, AND TOPOLOGY SECURITY 209

A firewall is designed to protect one network from another network.

Because network security is concentrated on configuring the firewall, or at least is built around it, a compromised firewall can mean a disaster for a network. For smaller companies, though, a firewall represents the best investment of time and money. All things considered, a firewall is as indispensable as the Internet itself; however, you should not rely on it exclusively for top-to-bottom network protection.

Increasingly, companies are also deploying firewalls outside the edges of networks, as well as between network segments and even on individual machines, where justified.

Three basic types of firewalls are available, in addition to one—the stateful inspection firewall—that combines the features of the three basic types. Firewall architectures include the following:

• Packet-filtering firewall

• Circuit-level gateway

• Application-level gateway

• Stateful inspection firewall

Packet-Filtering Firewall

Packet-filtering architecture involves checking network traffic for source and destination addresses, source and destination port numbers, and protocol types. Packet filtering allows an administrator to exclude traffic based on its source and destination addresses, and, depending on the device, it can also exclude traffic aimed at specific protocols and ports or traffic that is sent to or from particular addresses. This architecture functions on the Network layer (layer 3) of the Open System Interconnection (OSI) model. Most quality routers (not just firewalls) have packet-filtering functionality built in. Devices made by Cisco Systems, the undisputed leader in the area of network devices in general, employ access lists provided as a feature of the Internetwork Operating System (IOS). For Transmission Control Protocol/Internet Protocol (TCP/IP) traffic control, the two types of access lists are standard and extended.


Only extended lists allow you to check for all the previously listed characteristics and include some other conditions, such as secondary connections. These access lists can be applied to different interfaces to screen network traffic in both directions or in either direction on each interface. You can apply an access list filter to the external interface so the router will discard prohibited packets before it has to spend CPU time on making a routing decision. All packets that are not explicitly permitted are effectively rejected. Similar solutions that come built into the operating system can be found in Windows NT and its TCP/IP implementation, Windows 2000 with the same protocol features plus IP Filtering in the local policies, many Unix-like operating systems, and specialized firewall platforms.

Packet-filtering solutions are considered generally less secure than circuit-level architectures because they still allow packets inside the network regardless of the communication pattern within the session. This opens the system to denial-of-service (DoS) attacks (buffer overflow exploits in “allowed” applications on target machines, connection exhaustion, and so on).

Circuit-Level Gateway

Circuit-level architecture involves monitoring TCP/IP session requests between trusted hosts on the LAN and non-trusted hosts on the Internet. This monitoring, performed on the Session layer (layer 5) of the OSI model, is done to determine whether a requested session is legitimate. When hosts establish a session in TCP/IP communications, they conduct a procedure called handshaking, in which peers agree on communication parameters in TCP SYN requests and TCP ACK responses. The firewall ensures that these session establishment packets occur only when prescribed. It also verifies the validity of the sequence numbers used in TCP to reassemble packets in the correct order, as shown in Figure 3.1.

FIGURE 3.1 A normal handshake (TCP three-way handshake). The client, requesting the connection, sends SYN with its MSS and source/destination port numbers; the server, receiving the connection, answers with SYN, ACK, its MSS, and source/destination port numbers; the client completes the handshake with ACK.


Popular attacks, such as DoS, are often launched when an attacker begins the TCP three-step handshake sequence with a SYN packet (and thereby begins to establish a connection) that is never completed. Instead, the attacker emits another SYN packet and initiates another connection that is also never completed (when repeated thousands of times, it causes problems). This attack, called a SYN flood, forces a victim system to use up one of its finite number of connections for each connection the initiator opens. Because these requests arrive so quickly, the victim system has no time to free dangling, incomplete connections before all its resources are consumed. TCP/IP standards suggest acceptable timeout periods that assume a timeout will handle some type of congestion or outage adequately. However, a massive number of connection attempts can occur during the normal default timeout period, thereby exhausting system resources and making the system unavailable for legitimate users. These attacks are detected and prevented in circuit-level architectures where a security device discards suspicious requests. If you receive 2,000 SYN (connection) requests per minute from a single host, you should become suspicious. Security devices can also be configured to do some or all of the following:

• Block any future communications from a suspicious host—This can be problematic if an attacker is using a spoofed source address. Legitimate traffic from that address will be blocked as well.

• Throttle back the rate of responses to requests—You can honor a certain number of requests per minute and discard the rest.

• Expire unanswered initialization requests much more quickly than the default TCP/IP recommendations.

• Notify an administrator of a potential attack in progress.

In fact, some of these techniques are not unique to firewalls and borderline devices, but instead should be considered for company-wide deployment. This is referred to as hardening a TCP/IP stack.
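The four responses listed above (flag a host that exceeds a SYN rate, expire dangling half-open connections quickly, throttle the rest, notify an administrator) can be illustrated with a small half-open connection tracker. The following Python is an added example, not code from this book or from any firewall product. The class name SynGuard, the 100-requests-per-minute honoured quota, the 5-second half-open timeout and the packet timeline are constructed for illustration; the 2,000-SYN-per-minute figure is the one the text gives.

```python
from collections import defaultdict, deque

SYN_RATE_LIMIT = 2000       # SYNs per minute from one host before it is flagged (figure from the text)
PER_MINUTE_HONOURED = 100   # throttle: honour at most this many new requests per minute (assumption)
HALF_OPEN_TIMEOUT = 5.0     # seconds before an unanswered SYN is expired (assumption; far below TCP defaults)
WINDOW = 60.0               # length of the rate window in seconds


class SynGuard:
    """Tracks half-open TCP sessions per source and applies the four responses
    described in the text: block, throttle, expire quickly, notify."""

    def __init__(self):
        self.half_open = {}                   # (src, sport, dst, dport) -> time of the SYN
        self.syn_times = defaultdict(deque)   # src -> recent SYN timestamps
        self.blocked = set()                  # sources whose further traffic is discarded
        self.alerts = []                      # notifications for the administrator

    def expire(self, now):
        """Drop half-open entries older than HALF_OPEN_TIMEOUT; returns how many were dropped."""
        stale = [k for k, t in self.half_open.items() if now - t > HALF_OPEN_TIMEOUT]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def observe(self, now, src, sport, dst, dport, flags):
        """Classify one packet as 'accept', 'throttle' or 'drop'."""
        self.expire(now)
        if src in self.blocked:
            return "drop"
        key = (src, sport, dst, dport)
        if flags == "SYN":
            recent = self.syn_times[src]
            recent.append(now)
            while recent and now - recent[0] > WINDOW:   # slide the one-minute window
                recent.popleft()
            if len(recent) > SYN_RATE_LIMIT:
                self.blocked.add(src)
                self.alerts.append(f"t={now:.1f}s suspected SYN flood from {src}: "
                                   f"{len(recent)} SYNs in the last minute")
                return "drop"
            if len(recent) > PER_MINUTE_HONOURED:
                return "throttle"          # over quota: discard without recording a session
            self.half_open[key] = now
            return "accept"
        if flags == "ACK" and key in self.half_open:
            del self.half_open[key]        # third step of the handshake: session is complete
        return "accept"


def simulate():
    """Constructed traffic: one client that completes its handshake, then one
    source that sends 2,500 SYNs in 50 seconds and never completes any."""
    guard = SynGuard()
    legit = [guard.observe(0.0, "192.0.2.10", 40000, "198.51.100.5", 80, "SYN"),
             guard.observe(0.1, "192.0.2.10", 40000, "198.51.100.5", 80, "ACK")]
    verdicts = defaultdict(int)
    for i in range(2500):
        verdict = guard.observe(1.0 + i * 0.02, "203.0.113.7", 1024 + i, "198.51.100.5", 80, "SYN")
        verdicts[verdict] += 1
    return {
        "legit": legit,
        "verdicts": dict(verdicts),
        "half_open_left": len(guard.half_open),   # all expired by the time the flood ends
        "alerts": list(guard.alerts),
        "blocked": sorted(guard.blocked),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

In the simulation the first 100 SYNs from the flooding source are accepted, the next 1,900 are throttled, and once the count passes 2,000 the source is blocked and an alert is raised; the 100 half-open entries it did create have all been expired by the 5-second timeout. Throttling is the safer first response: as the text notes, blocking by source address also blocks a legitimate host whose address is being spoofed.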

NOTE: How to Harden a TCP/IP Stack

A good source of information on how to harden a TCP/IP stack in Windows 2000 is published in the Knowledge Base at http://support.microsoft.com/default.aspx?scid=kb;en-us;q315669. Microsoft is focusing more efforts on security; however, many of the new security features are not well known and are disabled in default configurations. This article points to a few modifications in the Registry, such as those that make a Windows 2000 TCP/IP stack more sensitive to recognizing SYN attacks, reduce the maximum number of allowed connections, and reduce the keep-alive setting to expire silent connections more quickly.


The following are the most commonly used reconnaissance and attack methods:

• Ping sweep—An automated procedure of sending Internet Control Message Protocol (ICMP) echo requests (also known as PINGs) to a range of IP addresses and recording replies. This can enable an attacker to map your network.

• Port scan—An automated procedure of initiating sessions on every specified TCP port to see whether the host replies. If it does, a service is running on the target port of the machine. Different services run on default ports. For example, FTP usually runs on port 21, and HTTP usually runs on port 80. Port scanning programs check ports and use responses from these ports to guess which services are running on a machine. Publicly available programs such as nmap (available from http://www.insecure.org) and nessus (available at http://nessuso.org) use target system responses to valid and invalid data to guess the manufacturer or operating system versions of a system and to list vulnerable ports and services on scanned machines. This is known as fingerprinting. These programs can be used to find and close security holes on your network by simulating attacker reconnaissance and exploit behavior. Do not use them without prior consent and knowledge of your network administrator.

• Email reconnaissance—A probe in the form of a legitimate email sent to a nonexistent recipient in an attempt to obtain a nondelivery report (NDR) reply. These reports sometimes reveal important email infrastructure elements, such as IP addresses and hostnames. Spammers use a form of email probing for different purposes, as noted in Chapter 2.

• SYN flooding or DoS—One of the first attacks to be tried against a target, it’s perpetrated as described in the previous paragraph. The well-known Ping of Death and User Datagram Protocol (UDP) Bomb belong to the DoS category because they make a target machine unavailable as the result of a buffer overrun and a crash. These DoS attacks are not application specific and can be prevented by a firewall.


• Application-specific DoS attacks—Many applications do not take sufficient safeguards against malicious user input. Buffer overruns occur when attackers intentionally send more data than an application is designed to handle, causing the application to crash. A firewall cannot prevent this type of attack without preventing all communication with a particular application. This type of attack can be prevented by ensuring that applications run on your network have been tested against this type of attack.

• IP spoofing—An attack in which the source is disguised by using a different address as its source address. Potentially, the attacker not only escapes liability, but also appears to be a trusted source who has permission to access the system. Authentication methods, rather than firewalls, should be used in this case.

• Packet sniffing—As described in Chapter 2, packet sniffing is an effective reconnaissance method employed by attackers in a shared medium such as flat Ethernet. A firewall really can’t do much against this technique, but applications aimed at detecting network nodes running in promiscuous mode can be used.

• Trojan horses, back doors, spyware—A common way to gain control over a remote system is by installing a small application on a target machine. A Trojan horse is an application that is hidden in some other type of content, such as a legitimate program. It can be used to create a new, secret account called a back door, or it can be used to run spyware, which collects user keystrokes for analysis. Trojan horses can also be used to infect and control affected systems, destroy and expose valuable company information, or use your systems as launching pads for further attacks from the inside. After an internal system is infected, a firewall is not very effective protection, although it can prevent certain types of traffic from flowing between the attacker and the infected host or between the infected host and other potential victims. Some Application-layer (layer 7) firewalls offer content filtering, which can help keep malicious Java applets and ActiveX controls out of your network. You must remember that a firewall is just a first line of defense—it should never be viewed as a cover-all insurance policy.


• DNS transfer—An attempt to issue an ls -d <domain name> command against a DNS server in a bid to list all DNS server records (tantamount to getting a map of a fortified city about to be invaded). All DNS servers must be configured to refuse such a listing if the request does not originate from a preconfigured DNS replication partner. DNS was designed to be a system open for querying, but a DNS lookup is not the same as asking for a list of all a server’s DNS records. If a DNS software vendor does not allow disabling of the ls command, consider implementing a separate DNS server for publicly accessible services, such as those located in the demilitarized zone (DMZ), or switch software vendors.

Some reconnaissance probes can reveal more than enough information for an attacker to proceed with his plan. If a potential attacker doesn’t know about your infrastructure and cannot probe it, chances are you are safe, at least until the next attacker tries.

You cannot guarantee that your ISP will monitor its network for such activity and prosecute port scanners and ping sweepers. Therefore, you want your firewall to catch these reconnaissance attempts, log the source information, and alert administrators on the fly. Ping sweeps are simple to protect against, but you should be aware that ICMP requests might be rejected or discarded and that this difference is important to attackers. Actively rejected ICMP echo requests mean that the target host is alive, which gives the attacker information. To protect against this probe, a firewall needs to discard the packet silently so the attacker’s ICMP requests appear to be sent to an unused IP address. The same goes for port scanning: a decent firewall detects a port scan in progress and rejects further requests from the source IP address, sending a real-time alert to the administrator.

Many times, attacks are daisy-chained in a bid to get as much information or cause as much damage as possible. For example, an attack can begin with a ping sweep and when a host replies, a port scan is launched. The port scan can find the SMTP (email) port. Next, an email probe is sent to reveal information about the type of email software the server is running, resulting in a non-delivery receipt (NDR reply). Then, the attacker can test that specific email server for known vulnerabilities to see whether it is patched or can be exploited.
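The firewall behaviour the two preceding paragraphs ask for (notice a ping sweep or a port scan in progress, log the source, alert in real time) can be expressed as detection logic over the firewall's own log. The following Python is an added example rather than code from the book or from any product; the log line format, the SAMPLE_LOG entries (which replay the daisy chain just described: a sweep, then a scan of the host that answered) and the thresholds (eight addresses for a sweep, ten ports for a scan, within one minute) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log format: "<seconds> <proto> <src>[:<sport>] -> <dst>[:<dport>] <info>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<proto>ICMP|TCP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s+(?P<info>\S+)$")

SWEEP_HOSTS = 8   # distinct addresses pinged by one source inside WINDOW (assumed threshold)
SCAN_PORTS = 10   # distinct ports probed on one host by one source inside WINDOW (assumed threshold)
WINDOW = 60       # seconds


def parse(line):
    """Return the fields of one log line as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = int(event["ts"])
    return event


def detect(lines):
    """Scan log lines in order; return (kind, source, detail) alerts for sweeps and scans.
    Each source is reported once per kind, so the alert can drive a block on that
    source and a page to the administrator without flooding the log."""
    pinged = defaultdict(list)      # src -> [(ts, dst)]
    probed = defaultdict(list)      # (src, dst) -> [(ts, dport)]
    alerts, reported = [], set()
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        if ev["proto"] == "ICMP" and ev["info"] == "echo-request":
            history = pinged[ev["src"]]
            history.append((ev["ts"], ev["dst"]))
            recent = {dst for ts, dst in history if ev["ts"] - ts <= WINDOW}
            if len(recent) >= SWEEP_HOSTS and ("ping-sweep", ev["src"]) not in reported:
                reported.add(("ping-sweep", ev["src"]))
                alerts.append(("ping-sweep", ev["src"], f"{len(recent)} hosts probed"))
        elif ev["proto"] == "TCP" and ev["info"] == "SYN":
            key = (ev["src"], ev["dst"])
            history = probed[key]
            history.append((ev["ts"], ev["dport"]))
            recent = {port for ts, port in history if ev["ts"] - ts <= WINDOW}
            if len(recent) >= SCAN_PORTS and ("port-scan", key) not in reported:
                reported.add(("port-scan", key))
                alerts.append(("port-scan", ev["src"], f"{len(recent)} ports on {ev['dst']}"))
    return alerts


# Constructed sample: a sweep of ten addresses, one legitimate web connection,
# then a scan of ten well-known ports on the host that answered, and one junk line.
SAMPLE_LOG = [f"{i} ICMP 203.0.113.7 -> 198.51.100.{i} echo-request" for i in range(1, 11)]
SAMPLE_LOG.append("15 TCP 192.0.2.10:40000 -> 198.51.100.5:80 SYN")
SAMPLE_LOG += [f"{20 + i} TCP 203.0.113.7:{1024 + i} -> 198.51.100.5:{port} SYN"
               for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 8080])]
SAMPLE_LOG.append("this line is not in the expected format and is skipped")


def run_sample():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Both counters use a set of distinct targets within the window rather than a raw packet count, so a single busy legitimate client (many connections to one port) does not trip the port-scan rule, and the sweep rule is not fooled by repeated pings of the same host.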

EXAM TIP: It is important that you understand DNS transfers.

NOTE: Attackers Look for Vulnerable Systems

Many attackers look for vulnerable systems, not caring who owns them. These attackers are seldom interested in uncooperative systems, but they shouldn’t be the basis of your security policy.

NOTE: A Pretty Good Reconnaissance Tool

LANGuard Network Scanner can be downloaded from http://www.gfi.com. A free, limited version is available that is still very useful for security configuration and verification purposes.

NOTE: A Comprehensive List of Vulnerabilities

Go to http://www.astalavista.com. In addition to vulnerability walkthroughs, you can look through security tutorials on a host of topics, get privacy protection information, and download several tools. (Be cautious installing the tools, though; be sure you are not installing a Trojan horse or other malware.) Also check out the BugTraq section of http://www.securityfocus.com and the CERT advisories at http://www.cert.org.


IN THE FIELD: ATTACK EXAMPLE

An attacker receives an email from someone’s free Web email account—a very safe and anonymous communication medium. He uses the email’s headers and notes the message’s path from the very first communication point until it reached him. This first point is the IP address of the email sender as it was assigned by her ISP. Next, the attacker uses PING, nslookup, and whois to find the ISP’s domain name, address, and administrative contacts, as well as which name servers are responsible for that domain. Then he issues an ls –d command against one of the name servers and, with luck, receives a full list of IP addresses and hostnames used on that ISP’s network. Using a ping sweep to locate active hosts and then port scanning to detect services on those active boxes, he launches attacks against vulnerable applications.

If the ISP uses descriptive names in its DNS, an attacker can learn about physical connection types and the estimated bandwidth of the target. In a worst-case scenario, if crashing or breaking into that machine is not possible, social engineering can still work for the attacker.

A good firewall also prevents non-application-specific denial-of-service attacks and, in some cases, even provides content filtering if it is an Application-level gateway.

Application-Level Gateway

An Application-level gateway is known as a proxy, and it functions on the highest layer of the OSI model: the Application layer. A proxy server basically inserts itself between an internal client (inside the network perimeter) and an external server (outside the network perimeter) for the express purpose of monitoring and sanitizing external communications. (For example, a proxy can remove references to internal or private IP addresses from client communications before emitting them onto a public network segment, thereby hiding information about network internals and details from outsiders.)



When a packet travels all the way up the TCP/IP stack on a proxy server, software developers can implement application-based security controls. Therefore, user access can be controlled on an individual basis, group policies can be applied, content types can be restricted, and so on. The higher up the OSI model that a proxy can operate, the more controls that can be implemented; however, there might be some costs in either performance or flexibility. Some applications will not run properly (because the protocols they use can’t be proxied), or such applications might need to be specially configured to operate in the presence of a proxy server (such implementations are called proxyable or proxy aware when they can be made to work with a proxy server).

Stateful Inspection Firewall

The fourth type of firewall architecture, stateful inspection, combines the aspects of the three basic architectures explained in the previous sections. Stateful inspection firewalls not only examine packets at the Network layer, but also gather information about the packet’s communications session from all layers to determine whether a packet is valid in the context in which it is received. For example, when a communications session is opened, the session is recorded in a state table. Subsequent session packets are checked against this state table to verify that they are valid in the context of the session. A packet that is already part of a valid session does not have to be compared to all the rules, which speeds up processing. Packets that do not make sense in the context of an open session can be discarded. Likewise, packets that attempt to exercise questionable or unwanted commands or activities can be blocked, and questionable patterns of activity (attempts at dangling synchronization, invalid segment sizes, and so forth) can be discarded. This prevents potential attacks from getting underway or denials of service from succeeding, but requires complex custom configurations to work.

Granted, firewalls residing higher up the OSI model can perform the same inspections that lower-level implementations can, but they are more complex to write (leaving the potential for overlooked back doors and lots of bugs), more complicated to maintain, and less complicated to attack as a result of the first two. However, providing that the software was written correctly and is deployed and maintained correctly, this provides the best security level.
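The state-table behaviour described in this section, as an added Python example (not the book's code or any product's): a minimal tracker records a session when a permitted SYN opens it, checks every later packet against the recorded state, lets established traffic pass without consulting the rule list, and drops packets that make no sense in context, including an oversize segment, an unsolicited SYN-ACK and data sent after the session was closed. StatefulFirewall, Pkt, the rule list and the 1460-byte segment limit are assumptions made for the example.

```python
from dataclasses import dataclass

MSS = 1460   # assumed maximum segment size negotiated for the session

# Rules are consulted only when a new session is opened (constructed policy):
# (client address prefix, destination port) pairs that may start a session.
RULES = [("10.0.0.", 80), ("10.0.0.", 443)]


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "SYN", "SYN-ACK", "ACK", "FIN" or "RST"
    size: int = 0     # payload bytes


class StatefulFirewall:
    """Keeps a state table keyed by (client, cport, server, sport) and judges every
    packet in the context of the session it belongs to, as the text describes."""

    def __init__(self):
        self.table = {}
        self.rule_lookups = 0   # shows that established traffic skips the rule list

    def permitted(self, p):
        self.rule_lookups += 1
        return any(p.src.startswith(net) and p.dport == port for net, port in RULES)

    def process(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)   # packet in the client-to-server direction
        rev = (p.dst, p.dport, p.src, p.sport)   # packet in the server-to-client direction
        if p.flags == "SYN":
            if fwd in self.table or rev in self.table:
                return "drop"                     # dangling or duplicate synchronization
            if not self.permitted(p):
                return "drop"
            self.table[fwd] = "SYN_SENT"
            return "accept"
        if p.flags == "SYN-ACK":
            if self.table.get(rev) != "SYN_SENT":
                return "drop"                     # reply to a SYN that never passed
            self.table[rev] = "SYN_RECEIVED"
            return "accept"
        if p.flags == "ACK" and self.table.get(fwd) == "SYN_RECEIVED":
            self.table[fwd] = "ESTABLISHED"       # handshake complete
            return "accept"
        session = fwd if fwd in self.table else rev
        state = self.table.get(session)
        if p.flags in ("FIN", "RST"):
            if state is None:
                return "drop"
            del self.table[session]               # session torn down
            return "accept"
        if state != "ESTABLISHED":
            return "drop"                         # makes no sense in the context of the session
        if p.size > MSS:
            return "drop"                         # invalid segment size
        return "accept"                           # no rule comparison needed


def run_demo():
    fw = StatefulFirewall()
    c, s = "10.0.0.5", "198.51.100.5"
    verdicts = [
        fw.process(Pkt(c, 40000, s, 80, "SYN")),          # new session, rule lookup
        fw.process(Pkt(s, 80, c, 40000, "SYN-ACK")),      # expected reply
        fw.process(Pkt(c, 40000, s, 80, "ACK")),          # handshake complete
        fw.process(Pkt(c, 40000, s, 80, "ACK", 512)),     # data in an established session
        fw.process(Pkt(s, 80, c, 40000, "ACK", 9000)),    # oversize segment
        fw.process(Pkt(s, 80, c, 40001, "SYN-ACK")),      # unsolicited SYN-ACK
        fw.process(Pkt(c, 40002, s, 23, "SYN")),          # telnet: not in the rules
        fw.process(Pkt(c, 40000, s, 80, "FIN")),          # orderly close
        fw.process(Pkt(c, 40000, s, 80, "ACK", 10)),      # after close: no context
    ]
    return verdicts, fw.rule_lookups


if __name__ == "__main__":
    print(run_demo())
```

Only two packets in the demo reach the rule list (the two SYNs); everything else is decided from the state table alone, which is the processing saving the text mentions, and the oversize and out-of-context packets are discarded without any rule having to name them.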


Other Firewall Considerations

In addition to the four core firewall architectures, a few other elements that administrators have to consider are involved in the designing of a firewall solution:

• Network policy

• Service access policy

• Firewall design policy

• Authentication policy

Network Policy

Network policy deals with general network use issues, subdivided into high-level policy and low-level policy. High-level policy deals with “why”; low-level policy deals with how to place administrative controls on the network. On the high level, companies normally stipulate which applications can be used on the network, which applications can communicate with the outside world, which applications can talk to local clients from the outside, and which conditions must be met for exceptions to be allowed.

Low-level policy details specifically which commands will be used on the firewalls to actually lock them down. Many companies are missing this important element, which in turn leads to on-the-fly, poorly designed solutions that are not effective as security controls. If the company grows dependent on an on-the-fly solution and the engineer who implemented it leaves the company, successors will have to figure out why and how it works. After network policy is defined, the high-level portion should be communicated to the new and existing employees who need to be aware of what is allowed on the network and how it is allowed.

Service Access Policy

Service access policy, an extension to the network policy and overall organizational guidelines, should deal with issues of communications between the local network and remote services available on the Internet (and vice versa). Firewalls can be used to exclude the internal use of unauthorized external services and the unauthorized external use of internal services.


Firewall Design Policy

Firewall design policy refers to one of the two fundamental ways firewalls deal with the traffic rules defined by the administrators. They allow what is expressly permitted and deny the rest, or they deny what is expressly prohibited and allow the rest. For obvious reasons, “deny-all unless expressly permitted” is much more secure than the opposite. Every packet goes through the list from top to bottom, and if a match is not found, the packet is rejected. Thus, entries representing the most frequent kinds of traffic should be placed higher up the list to make a quick match and minimize overhead.
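The following example serves both the packet-filtering discussion earlier in the chapter (access lists evaluated per interface and direction, keyed on addresses, protocol and port, with anything not permitted rejected) and the point made here about list order. It is added here and is not Cisco IOS syntax or any vendor's code: the Rule and evaluate names, the interface names, the addresses and the management policy in the sample list (SSH to a management host in the DMZ from anywhere, Telnet to the firewall only from the DMZ, web browsing from the inside) are constructed. The traffic mix is chosen so that reordering by hit count shows the overhead saving the text describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                # source network in CIDR form
    dst: str                # destination network in CIDR form
    dport: Optional[int]    # destination port; None means any (a standard-list style entry)
    iface: str              # interface the list is applied on
    direction: str          # "in" or "out"

    def matches(self, pkt):
        return (self.iface == pkt["iface"] and self.direction == pkt["dir"]
                and self.proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))


def evaluate(rules, pkt):
    """First match wins; a packet not expressly permitted is denied.
    Returns (verdict, number of entries compared before the decision)."""
    for n, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            return rule.action, n
    return "deny", len(rules)       # the implicit deny-all at the end of the list


def total_comparisons(rules, traffic):
    return sum(evaluate(rules, pkt)[1] for pkt in traffic)


def reorder_by_hits(rules, traffic):
    """Move the most frequently matched entries up the list. This is only safe when
    no two entries overlap with different actions; the sample list has no overlaps."""
    hits = [0] * len(rules)
    for pkt in traffic:
        _, n = evaluate(rules, pkt)
        if rules[n - 1].matches(pkt):       # n points past the list when nothing matched
            hits[n - 1] += 1
    order = sorted(range(len(rules)), key=lambda i: -hits[i])   # stable sort keeps ties in place
    return [rules[i] for i in order]


# Constructed policy: interface names, addresses and ports are assumptions.
RULES = [
    Rule("permit", "tcp", "0.0.0.0/0",    "192.0.2.22/32", 22,  "outside", "in"),  # SSH to DMZ mgmt host
    Rule("permit", "tcp", "192.0.2.0/24", "10.0.0.1/32",   23,  "dmz",     "in"),  # Telnet to firewall, DMZ only
    Rule("permit", "tcp", "10.0.0.0/8",   "0.0.0.0/0",     80,  "inside",  "in"),  # HTTP from inside
    Rule("permit", "tcp", "10.0.0.0/8",   "0.0.0.0/0",     443, "inside",  "in"),  # HTTPS from inside
]

# Constructed traffic: four probes, then the bulk of the day's traffic (HTTPS from inside).
TRAFFIC = [
    {"iface": "outside", "dir": "in", "proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.22", "dport": 22},
    {"iface": "outside", "dir": "in", "proto": "tcp", "src": "203.0.113.7", "dst": "10.0.0.1", "dport": 23},
    {"iface": "dmz", "dir": "in", "proto": "tcp", "src": "192.0.2.22", "dst": "10.0.0.1", "dport": 23},
    {"iface": "outside", "dir": "in", "proto": "icmp", "src": "203.0.113.7", "dst": "10.0.0.1"},
] + [{"iface": "inside", "dir": "in", "proto": "tcp", "src": "10.1.2.3",
      "dst": "198.51.100.5", "dport": 443}] * 50


def run_demo():
    verdicts = [evaluate(RULES, pkt) for pkt in TRAFFIC[:4]]
    before = total_comparisons(RULES, TRAFFIC)
    tuned = reorder_by_hits(RULES, TRAFFIC)
    after = total_comparisons(tuned, TRAFFIC)
    same_verdicts = all(evaluate(RULES, p)[0] == evaluate(tuned, p)[0] for p in TRAFFIC)
    return verdicts, before, after, same_verdicts


if __name__ == "__main__":
    print(run_demo())
```

Telnet from the outside and the ICMP probe fall off the end of the list and are denied without any entry naming them; moving the HTTPS entry to the top cuts the comparisons for the sample traffic from 211 to 63 while every verdict stays the same.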

Authentication Policies

Authentication policies deal with issues of establishing secure, effective user authentication. Older methods of authentication, such as clear-text passwords, are no longer considered secure. The authentication methods used in today’s networks must be secure enough to be useless in the hands of an interceptor. (Many technologies that can be used for this purpose are discussed in Chapter 2.)

In most cases, Application-level authentication is involved on a per-application or per-user basis without the involvement of firewalls. This is also true about lower-level network services, such as virtual private networking (VPN), where specialized devices establish a tunnel.

Generally, firewalls should not be called on to perform authentication services for general users or access. All that a firewall should be called on to handle is the traffic it should block (when rules or filters are violated) or allow to pass through for a connection to be established (when no untoward or unwanted patterns, addresses, or activities are detected). Firewall authentication policy comes into play only for firewall configuration. Whenever possible, use only secure methods for remote access to security devices. Telnet sessions, although quick and easy to establish, are inherently insecure and can jeopardize network control. Instead, use secure shell (SSH) wherever possible. If a firewall does not support SSH, create a third-party SSH server for management purposes in the demilitarized zone (see the “Security Zones” section later in the chapter for more about DMZ and security zones). Then, configure the firewall to allow SSH in and to allow Telnet connections only from within the DMZ on the internal interface. This protects the public portion of the management session and (generally) 95% of the risk is eliminated. You can use a VPN link as an alternative to an SSH session; either way, communications will be encrypted and indecipherable to snoopers.


Even hardware firewalls are running highly specialized software that allows them to be configured and monitored remotely. All password and Telnet session protection rules apply in a standard fashion. That is, don’t use Telnet to manage security devices remotely; this is tantamount to putting an expensive bleeding-edge digital security lock on your front door and advertising the passkey in the local daily. Use SSH where possible. If your firewall does not support SSH, create a third-party SSH server for management purposes in the demilitarized zone, and configure the firewall to allow SSH in and to allow Telnet connections only from within the DMZ on the internal interface. This protects the public portion of the management session and (generally) 95% of the risk is eliminated. You can use VPN as an alternative to SSH.

As always, use complex passwords of eight or more characters with mixed case and at least one digit and one punctuation mark. Programs are available that force users to choose secure passwords by refusing passwords that appear in the dictionary, are too short, or do not contain at least a few nonalphabetic characters.

Passwords should never be birthdays, family member or pet names, nicknames, or other easily guessed words. Passwords should also never be shared with anyone, especially not by email, via instant message, or over the phone. Passwords should not be stored on or around your workstation, and you should not use the password “remembering” features of popular browsers.

Passwords should be changed on a regular basis. Most companies use a rotation period between one and three months. More frequent password changes tempt employees to write passwords down, and less frequent password changes increase the chances of a password being discovered through either guessing or simple mistakes.

Periodic audits of accounts and automatic account expiration can ensure that users do not retain access to restricted areas after they no longer need it.

Be sure that the highest privilege levels are assigned to no less than two and no more than four senior engineers for fail-over purposes. (That is, if one engineer is on vacation, the other one is not likely to be absent, too.)

NOTE: Secure Password System

A more secure form of password system is available for both Unix and Windows hosts. Called S/KEY (sometimes denoted as SKEY, or winkey for Windows clients), this technology uses one-time hashed 64-bit values as defined in RFCs 1760 and 2289 to prevent passphrases from ever traversing the network in the clear. The facility generates one-time passwords (which can be used only once, based on a user password associated with the skey command). Users get a string of six English words in return, which can be used to log in once to a system. Many routers, firewalls, and other network devices now work with this type of facility.
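The hash chain behind S/KEY, as an added example that is not from the book: the server keeps only the last accepted value and checks a new one-time password by hashing it once more. The seed and passphrase are constructed, the MD5 variant of RFC 2289 is used, and the six-English-word encoding (which needs the RFC's 2048-word dictionary) is replaced by raw 64-bit values, so only the chain and the server-side check are shown.

```python
import hashlib


def fold_md5(data: bytes) -> bytes:
    """One S/KEY hash step (RFC 2289, MD5 variant): MD5 the input, then XOR
    the first 8 bytes of the digest with the last 8 to get a 64-bit value."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def initial_value(seed: str, passphrase: str) -> bytes:
    """Start of the chain: the (case-insensitive) seed concatenated with the
    user's secret passphrase, hashed once.  The passphrase never leaves the client."""
    return fold_md5((seed.lower() + passphrase).encode())


def otp_value(seed: str, passphrase: str, n: int) -> bytes:
    """The n-th one-time password: the initial value hashed n further times.
    RFC 2289 would encode this as six English words; raw bytes are used here."""
    value = initial_value(seed, passphrase)
    for _ in range(n):
        value = fold_md5(value)
    return value


class SkeyServer:
    """Verifier side.  It stores only the last accepted value, never the
    passphrase, so a stolen server database yields no reusable password."""

    def __init__(self, seed: str, passphrase: str, sequence: int = 99):
        # Enrolment: the client computes hash^sequence once and hands it over.
        self.seed = seed
        self.sequence = sequence
        self.stored = otp_value(seed, passphrase, sequence)

    def challenge(self) -> str:
        """Prompt in the RFC 2289 form 'otp-md5 <count> <seed>'; the client
        must answer with hash^count, one step *before* the value we hold."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept iff one more hash of the candidate equals the stored value.
        A replayed password fails because the stored value has moved back."""
        if self.sequence <= 0:              # chain exhausted: re-enrol first
            return False
        if fold_md5(candidate) != self.stored:
            return False
        self.stored = candidate             # advance the chain
        self.sequence -= 1
        return True


def demo() -> tuple:
    """Constructed walk-through: a login, a replay of the same OTP, a fresh one."""
    seed, passphrase = "ab12345", "correct horse battery staple"   # constructed
    server = SkeyServer(seed, passphrase, sequence=5)
    first = otp_value(seed, passphrase, 4)       # answers 'otp-md5 4 ab12345'
    accepted = server.verify(first)
    replayed = server.verify(first)              # captured on the wire, reused
    fresh = server.verify(otp_value(seed, passphrase, 3))
    return accepted, replayed, fresh


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```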

06 0789728362 CH03 3/4/03 2:49 PM Page 219

220 Part I EXAM PREPARATION

Configure alerting and lockout for failed login attempts. In addition, allow configuration changes only from certain hosts inside the internal network or from a particular local subnet to increase the chances that your security infrastructure will not be compromised catastrophically.

Routers

A router is a physical network device (usually running proprietary software) that is used to connect several network segments into one network or an existing large network into smaller subnets. Routers operate on the Network layer of the OSI model and unite multiple physical network segments into a single seamless, logical network by understanding how to forward traffic from a sender to ultimately reach an intended receiver. This means that routing behavior is influenced strongly by the protocols in use. To some extent, therefore, understanding routing also requires understanding how Network layer protocols behave.

Various LAN protocols that were developed many years ago are still around. They do, however, employ certain techniques that are famous for not scaling well as an enterprise grows. You must take network protocols into account when considering routing designs. Some protocols require you to design specialized solutions to compensate for nonscalable or less secure protocol features. Broadcasts and service advertisements are just two types of protocol features that can require special routing solutions (or workarounds). The next few paragraphs discuss three such protocols: NetBIOS Enhanced User Interface (NetBEUI), Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), and TCP/IP.

NetBEUI supports only local, bridged (flat) networks; has no addressing capabilities; is not routable; and relies on broadcasts entirely. This protocol is fairly old, but it can still occur in some remote locations—most likely because of legacy application issues. NetBEUI is the easiest protocol to deploy because no configuration is required. Owing to broadcast traffic overhead and lack of logical or physical organization, NetBEUI is not recommended for networks with 30 or more nodes. It is therefore the worst protocol for scalability and should not be the focus for security efforts because it supports no security features.

NOTE: Finding More Information on Firewalls

Point your browser to http://csrc.nist.gov/publications/nistpubs/800-10/node1.html. Another good introductory firewall document from Cisco is available at http://www.cisco.com/warp/public/cc/pd/rt/800/prodlit/fire_wp.htm.

EXAM TIP: Know that a router is an OSI Network layer (layer 3) device that connects two or more networks and routes traffic between them; routers can also act as packet-filtering and circuit-level firewalls.


Chapter 3 DEVICES, MEDIA, AND TOPOLOGY SECURITY 221

IPX/SPX is a routable Novell protocol that is still widely used. Although Novell switched to TCP/IP recently, IPX/SPX has a significant deployed base and remains supported and widely used. IPX has one significant scalability shortcoming: The more servers and network resources added, the more broadcast traffic is generated in the form of periodic Service Advertising Protocol (SAP) announcements. SAP packets inform the network about resource availability. When scaling, it might not be desirable to propagate such advertisements owing to traffic overhead or for security reasons (an advertisement is also an invitation, after all).

Routers can help mitigate issues by dividing a larger broadcast domain into smaller subdomains. By acting as a SAP relay agent, routers can aggregate and forward all broadcast advertisements from any NetWare system only as required. Remote segments need to receive directed summarized updates, sent to other routers on other subnets. You can also implement access lists to control access to specific protocols from specific subnets and to limit distribution of SAP information, thereby controlling who can locate (and access) network resources.

TCP/IP is the de facto standard protocol for all new networks, whereas other protocols are maintained only for legacy applications or backward compatibility. TCP/IP has been around for several decades and provides numerous built-in techniques for effective control of transmissions over LANs and WANs alike. It has an elaborate addressing scheme well suited for subnetting and routing, although some proprietary environments can still affect overall network design. Consider older Windows Networking built on TCP/IP with Windows Internet Naming Service (WINS), Dynamic Host Configuration Protocol (DHCP), Remote Access Service (RAS), and computer browser issues. Most importantly, TCP/IP scales extremely well.

Generally speaking, you should not mix protocols, unless business requirements dictate otherwise. Multiprotocol environments are more difficult to maintain, more difficult to troubleshoot, and less efficient because each protocol imposes overhead and maintenance traffic that subtracts from available bandwidth. Furthermore, recall from the firewall section of this chapter that the smaller an attack surface is, the lower the likelihood of it being hacked. Each protocol has its own vulnerabilities, and some protocols rely on broadcasting service advertisements, which are inherently unsecure.


However, if using such protocols is a business requirement, routing provides solutions that can contain broadcast traffic within specific subnets and make the overall network more efficient and secure. In addition, routers can employ access lists to reject unwanted traffic.

As the basis of the network infrastructure, routers must be secured both physically and logically using the guidelines discussed in the "Other Firewall Considerations" section earlier in this chapter. Routers can be configured from a physically attached console or via a network connection such as an SSH session.

A router directs a packet to its network or Internet destination using routing protocols to exchange information and determine routing decisions. These concepts and protocols could fill a book, but for this discussion, just be aware that routing exists in an intranet between routing devices and, toward the ISP network, between your border gateway router and the ISP's router.

Routers maintain routing tables that are consulted every time a packet needs to be redirected from one interface or segment to another. Routes can be added manually to the routing table—a very secure but less-manageable method, depending on the size of the network—or be updated automatically using routing protocols such as the following:

. Routing Information Protocol (RIP)/RIPv2

. Interior Gateway Routing Protocol (IGRP)

. Enhanced Interior Gateway Routing Protocol (EIGRP)

. Open Shortest Path First (OSPF)

. Border Gateway Protocol (BGP)

. Exterior Gateway Protocol (EGP)

. Intermediate System-Intermediate System (IS-IS)

Protocols such as RIP, IGRP, and OSPF are used internally to propagate route information as it changes, such as when a link goes down or the network needs to converge or become aware of the downed segment. BGP and EGP are used externally to exchange route updates between your gateway router and the ISP. Some routing protocols send updates at preconfigured intervals; some replicate the updates immediately as they are triggered.


Routing protocols employ different techniques to prevent routing loops (when a packet is rerouted indefinitely without finding the destination). Some of these techniques are

. Counting to infinity

. Route poisoning

. Split horizon

Later revisions of each of these routing protocols authenticate a replicating partner in a different way, and knowing how each works is extremely important in avoiding trouble situations, such as these:

. A hacker sending a route update to your network and poisoning (marking as downed) an important route to cause a DoS condition

. The creation of a routing loop that overloads the router and causes the network to become very slow and appear over-utilized

. The update of a route to send all outbound traffic to a different host, which would then forward it to the ISP, launching an active interception or man-in-the-middle attack

Of course, no matter how secure the routing protocol, the first rule is to change the default password on the router itself. Failing to create a unique password practically invites attackers to wreak havoc on your network.
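Why split horizon matters, as an added simulation that is not part of the book: three routers in a line (a constructed topology) run a simple distance-vector protocol with RIP's infinity of 16. When the network behind the last router goes away, the naive version counts to infinity round after round, while split horizon withholds a route from the neighbor it was learned from and converges in two rounds.

```python
INFINITY = 16   # RIP's "unreachable" metric


class Router:
    def __init__(self, name):
        self.name = name
        self.neighbors = []     # Router objects
        self.table = {}         # destination -> (cost, next-hop name or None)

    def advertisement(self, to, split_horizon):
        """Routes this router tells neighbor `to` about this round.  With split
        horizon a route is never echoed back to the neighbor it came from."""
        adv = {}
        for dest, (cost, next_hop) in self.table.items():
            if split_horizon and next_hop == to.name:
                continue
            adv[dest] = cost
        return adv

    def process(self, updates):
        """One Bellman-Ford pass over a snapshot {neighbor: {dest: cost}}."""
        dests = set(self.table) | {d for adv in updates.values() for d in adv}
        for dest in dests:
            cost, next_hop = self.table.get(dest, (INFINITY, None))
            # The current next hop is always believed, even when it reports a
            # worse metric: that is how news of a failure propagates at all.
            if next_hop in updates and dest in updates[next_hop]:
                cost = min(INFINITY, updates[next_hop][dest] + 1)
            # Any neighbor offering a strictly cheaper path takes over.
            for nbr, adv in updates.items():
                if dest in adv and adv[dest] + 1 < cost:
                    cost, next_hop = adv[dest] + 1, nbr
            self.table[dest] = (cost, next_hop)


def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def build_line_topology():
    """Constructed: A -- B -- C -- network X, already converged."""
    a, b, c = Router("A"), Router("B"), Router("C")
    link(a, b)
    link(b, c)
    c.table["X"] = (0, None)     # directly attached to C
    b.table["X"] = (1, "C")
    a.table["X"] = (2, "B")
    return [a, b, c]


def rounds_until_unreachable(split_horizon, max_rounds=100):
    """Fail C's link to X and count update rounds until every router agrees
    that X is unreachable.  Returns None if that never happens in time."""
    routers = build_line_topology()
    routers[2].table["X"] = (INFINITY, None)     # the link behind C goes down
    for rnd in range(1, max_rounds + 1):
        inbox = {r.name: {} for r in routers}
        for r in routers:                         # snapshot every update first ...
            for nbr in r.neighbors:
                inbox[nbr.name][r.name] = r.advertisement(nbr, split_horizon)
        for r in routers:                         # ... then everyone applies them
            r.process(inbox[r.name])
        if all(r.table["X"][0] >= INFINITY for r in routers):
            return rnd
    return None


if __name__ == "__main__":
    print("without split horizon:", rounds_until_unreachable(False), "rounds")
    print("with split horizon:   ", rounds_until_unreachable(True), "rounds")
```

Without split horizon, A and B keep believing each other's stale route and the metric climbs by one every other round until it hits 16; a forged update that advertises a low metric for a route would be believed by the same logic, which is why the authentication discussed above matters.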

Switches

Sometimes referred to as microsegmentation, switching increases the performance of traditional media by reducing collision domains and facilitating media access. Classic switches operate on the Data Link layer (layer 2) of the OSI model and can be considered a multiport bridge with high port density.


Switches have superseded more traditional hubs (multiport repeaters), which are no longer capable of accommodating adequate media access. In addition to causing congestion and media-contention problems, a hub is considered highly unsecure because it enables a flat network (a network segment with many network nodes sharing the same communication channel and seeing communications of every other network node in the segment), which is vulnerable to packet sniffers. (A switch can provide protection against a casual user attempting to pry into the network but needs additional security, such as port access control and MAC filtering, against ARP poisoning, sniffers, and other more advanced threats.)

Over time, networks designed on traditional Ethernet technologies grew in size, and network node density was constantly increasing. At the same time, software was developing and introducing new network-intensive client/server applications that exercised lengthier and more bandwidth-intensive transmissions. Software advancements introduced multitasking in the Windows world, adding to the existing functions in the Unix environment, and added to the stresses on the aging Ethernet network technologies.

Here is a simple explanation of the slowdown:

1. Before a workstation can transmit, it listens to the wire and attempts to sense existing activity in the network segment.

2. If a transmission is sensed, the workstation must wait a random amount of time and sense again until the wire is clear of transmissions.

3. When the wire is transmission-free, the workstation can commence its own transmission. However, when more than one workstation attempts to transmit a signal on the wire at the same time, a collision occurs and the segment is jammed.

4. Transmitting workstations then wait a random amount of time and attempt to retransmit.


This regime is characteristic of shared media such as Ethernet and is called collision sense multiple access/collision detect (CSMA/CD) to describe the type of circuitry involved. Apple Computer implements a similar approach called collision sense multiple access/collision avoidance (CSMA/CA). This differs from CSMA/CD in that it uses explicit signals ready to send (RTS) and clear to send (CTS) before accessing the network media—this approach avoids collisions rather than detecting them (hence, the difference in their names).

As the number of workstations attempting transmissions on a network segment increases, the chance of a collision increases. With more transmissions and collisions, the network becomes over-saturated and slows down.

A collision domain is a collection of network nodes that belong to the same shared network segment. LAN switching effectively splits broad collision domains into smaller domains or even dedicated network segments and significantly reduces or completely eliminates collisions and transmission delays. It also effectively doubles transmission capabilities by using full-duplex technology, meaning it uses all four pairs of CAT5 cable: two pairs to transmit and the other two to receive signals.

With recent improvements in switching technology, cost per switch port has steadily decreased, turning switching into a sound technology investment. In addition to fixing media-contention issues, a switch can help prevent packet sniffing and increase overall network security. You should implement switching if media contention problems exist or if the chances of attracting a sniffer are high (for example, in your business's guest offices or conference rooms where the public can access corporate LAN services). Although switches can enhance network security, they are not security devices per se and should not be considered a replacement for purpose-built security devices.

Switch security, as with firewalls and routers, requires both physical and virtual security controls. A switch has proprietary software that enables remote configuration of the switching operating system. Restrict physical access to devices where you can—at the network access point if possible or deeper into the distribution and core layers of the network. Employ strong authentication and password policies to secure virtual and local console access to the device's operating system and configuration.

EXAM TIP: Know that a switch operates at the Data Link layer (layer 2) of the OSI model and that it can be used to create virtual LANs.


Wireless and Mobile Communications

Wireless communications security was discussed in detail in Chapter 2. You need to remember that Wireless Application Protocol (WAP) applications are vulnerable to attacks at the WAP gateway. At this point, data streams are decrypted from Secure Sockets Layer (SSL) and are encrypted into Wireless Transport Layer Security (WTLS) for transfer to WAP devices. There is a brief time when the data stream is unencrypted. So, if the gateway infrastructure is not adequately protected, the entire WAP system is at risk. This vulnerability is especially common in developing countries where infrastructure investments can take budgetary precedence over security investments.

Some companies that don't specialize in mobile communications might provide WAP applications and services. These companies usually pass their WAP traffic to a third-party WAP gateway. The WAP traffic leaves the provider's protected (we assume) network encrypted in SSL. When it is decrypted at the gateway before being reencrypted in WTLS, it can be compromised; the provider has no control over the security of the WAP server.

Providers could avoid this vulnerability by operating their own WAP servers, but this is not a practical solution for two reasons: WAP broadcasting requires very costly equipment investments, and the technology is difficult to maintain and upgrade. It would be prohibitively complex to coordinate switching WAP clients between WAP service providers.

WAP communication cannot be considered safe in its present implementation. Therefore, WAP devices are inherently unsecure as well. In addition to the WAP specification flaw, mobile devices are easily lost or stolen. A company must be aware of these risks and consider which, if any, WAP implementations are suitable for its purposes.

Corporate wireless 802.11x-based infrastructures, on the other hand, have matured, and most types of known attacks are extremely difficult to conduct in the presence of strong authentication and encryption technologies. Risks primarily are attributed to the nature of mobile devices: They are small, valuable, and preferred over other personal items among thieves. All security discussions about physical and virtual device security in the context of switches, routers, and firewalls also apply to wireless access point devices used at the access level of the wireless network infrastructure.


Modems

Modems are gradually becoming a relic of "last mile" communications. They are being supplanted by high-speed cable and DSL connections that are significantly faster and not much more expensive than dial-up access. Although modems still can be found in some corporations and small/home office environments, most companies now use a more centralized administration and security model. A corporate network environment provides a single point of access to the Internet for all workstations and is guarded by a firewall or other security controls.

Some companies might still rely on modems, and some migrated environments might still have unused (and possibly forgotten) modems installed and connected to telephone lines.

Another reason companies might have modems and modem pools attached and connected to their networks is RAS, which is covered in Chapter 2 and in the following section.

No matter how good its firewall, a network's security can be compromised through a single PC connected to both the network and a modem.

War-dialing attacks take advantage of network-accessible modems administrators have forgotten or did not know how to secure. A war dialer is an automated software application that dials a given range of phone numbers to determine whether any are actually serviced by modems—indicated by returning dual tone multifrequency (DTMF) tones—and accepting dial-in requests. Telecommunications providers employ anti-war dialing software that attempts to detect war-dialing activity and disable any subsequent attempts; unfortunately, this protection works only if the numbers are dialed in sequence.

After a dial-in request has been accepted by a victim modem, the attacker can initiate password-cracking routines and compromise the system in a matter of time. Real-time attack-alerting systems are unlikely to detect a war-dialing attempt because the attack takes place in a seldom- or never-used part of the system. Fortunately, because modem communications are being replaced by more secure technologies, war dialing has become an unlikely threat for a LAN.

NOTE: Finding More Information on War Dialing

Point your browser to http://www.att.com/isc/docs/war_dial_detection.pdf. This is a white paper on war-dialing detection written by AT&T.


Conventional dial-tone modems, with their low throughput, are relatively easy to flood with useless traffic. This is just one way to cause a denial of service through modems.

Dial-tone modems have two basic operation modes: transmission and command. When switched on, a modem enters command mode and awaits instructions from the terminal to begin transmissions. After communication has been established, the modem looks for certain patterns in the data flow that signal it to drop the connection and return to command mode.

The Hayes Corporation developed and patented one such sequence consisting of three escape sequences bounded by two pauses in the communication stream. The two pauses mark the escape symbols as an actual termination request, not a coincidental matching pattern in the data stream. To avoid paying royalties to Hayes, some equipment manufacturers have devised their own (sometimes incompatible or faulty) techniques. Attackers could create wide-scale disconnects by sending a normal data pattern containing certain character sequences (that these "alternative solutions" would interpret as termination requests) via email messages, mailing lists, and IRC chat sessions.

Cable and DSL modems are not vulnerable to dial-tone modem attacks, but an always-on connection to the Internet presents its own dangers. Encryption and firewall solutions must be used for protection against potential attacks over high-speed residential media.

Always-on access significantly increases the chances that an attacker will find and compromise a system. Often home users are not technically sophisticated enough to take the appropriate safeguards against attacks. Any system connected to the Internet should employ a properly configured firewall.

Cable modems also present an additional vulnerability because they provide Internet access using a shared coaxial cable. Potentially, all traffic to and from a machine connected to a cable modem is visible to other cable users in the area. Any cable modem traffic that accesses a network must be encrypted to prevent network compromises.


RAS

Remote Access Server (RAS) technologies are described in detail in Chapter 2. Modern technologies such as VPN use standard corporate network infrastructures such as firewalls and existing authentication systems. A dial-up modem pool, however, is an RAS device that is fairly distinct from the rest of the network. The following security controls can be used to protect the RAS point of entry to the corporate network:

. Using strong authentication

. Forcing callback to a preset number

. Using two-factor authentication

. Allowing dial-in only

. Restricting users who are allowed to dial in

. Restricting dial-in hours

. Using account lockout and strict password policies

. Restricting allowed protocols

. Restricting access to specific servers

. Configuring a real-time alerting system

. Enforcing and reviewing RAS logging

The items on this list can be complemented by other techniques.

Strong authentication helps protect against war dialers and unauthorized attempts to gain access to an otherwise secure environment. The Challenge-Handshake Authentication Protocol (CHAP), described in RFC 1994, or Microsoft's extended CHAP, described in RFC 2433, is a more secure approach than sending passwords in clear text where they can be intercepted on a PBX switch. (You learn more about telecom and PBX in the next section.) Challenge handshake authentication is much less vulnerable to replay attacks because the challenge is not the same every time.
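The RFC 1994 exchange described above, as an added example that is not from the book: the authenticator issues a random challenge, the peer answers with MD5 over the identifier, the shared secret and the challenge, and a captured response is useless against the next challenge. The user name, the secret and the challenge length are constructed; MS-CHAP (RFC 2433) is not covered.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value),
    where Identifier is the one-byte field carried in the Challenge packet."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The RAS end.  It holds the shared secrets, issues a fresh random
    challenge for every attempt and lets each challenge be answered once."""

    def __init__(self, secrets_by_name: dict):
        self.secrets = secrets_by_name
        self.identifier = 0
        self.outstanding = None          # (identifier, challenge) awaiting a reply

    def challenge(self, length: int = 16) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF
        value = secrets.token_bytes(length)       # unpredictable and never reused
        self.outstanding = (self.identifier, value)
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False                  # stale or unsolicited Response packet
        _, value = self.outstanding
        self.outstanding = None           # consumed, whatever the outcome
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)   # constant-time compare


class ChapPeer:
    """The dial-in client.  Only a hash crosses the line, never the secret."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return self.name, chap_response(identifier, self.secret, challenge)


def demo_exchange() -> tuple:
    """Constructed run: a legitimate login, then a replay of the captured reply."""
    server = ChapAuthenticator({"alice": b"s3cret-shared-key"})   # constructed
    alice = ChapPeer("alice", b"s3cret-shared-key")
    # 1. Challenge packet (identifier + random value) goes to the peer.
    ident, chal = server.challenge()
    # 2. Response packet: name and MD5(ident || secret || chal).
    name, resp = alice.respond(ident, chal)
    ok = server.verify(ident, name, resp)
    # 3. Someone who recorded (name, resp) on the PBX replays it later:
    ident2, _ = server.challenge()
    replay = server.verify(ident2, name, resp)
    return ok, replay


if __name__ == "__main__":
    print(demo_exchange())   # (True, False)
```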


The callback feature disconnects the incoming dial-in request and immediately initiates a call-back connection, to either a predefined number or a number specified by the user. Using a predefined callback number is more secure because it eliminates the war dialing threat and controls the telephone numbers that can establish connections. Callback virtually assures the identity of the person at the other end, but it does not eliminate PBX eavesdropping or software bugs in RAS software that can cause significant trouble.

Two-factor authentication can be used when a callback policy is impossible—for example, when a user travels frequently. Devices such as the Cisco AS Series use a password and a second identifying piece of data provided by a physical device that contains a small clock chip and a special algorithm to generate codes. Neither the password nor the device alone can be used to gain access.

Restricting dial-in hours can limit potential exposure to attackers seeking access and trying to brute-force a password by repeatedly dialing in and trying new combinations. Often, automated attacks try to establish connections outside standard business hours to avoid immediate intervention by network security administrators.

A strict lockout policy can also help prevent brute-force attacks. After a designated number of failed login attempts, the system should automatically disable a user account.

RAS logs should be reviewed frequently and systematically, looking for connection attempts from unfamiliar phone numbers, repeated connection attempts, connection attempts at odd hours, and any other activity that seems suspicious.

Restricting dial-in access to one or a few servers limits network exposure in the event of a successful break-in.

Restricting dial-in access to just one or a few network protocols can also limit the effects of a successful break-in.

A real-time alerting system that notifies an administrator of suspicious activity as it occurs can help prevent or curtail unauthorized access. Real-time alert systems must be monitored, however, so it is most effective to use them in combination with either 24-hour monitoring or limited dial-up hours.


Like all network devices, RAS modem pools should be located in a highly secure place (such as a server room) that guarantees physical security and is accessible only to authorized administrative personnel. The platform used for dial pools, such as a Cisco AS-series access server, also should be secured as described earlier in the "Firewalls," "Routers," and "Switches" sections.

When all the previous security controls are implemented, the RAS environment becomes fairly secure and poses a challenge to potential attackers. However, these controls will not protect (even cumulatively) from the following three items:

. PBX vulnerabilities

. RAS software bugs, buffer overflows, and DoS attacks

. Social engineering

Historically, RAS software bugs were abundant in Windows applications and on the Windows NT platform in particular, but this has improved a great deal since the release of Windows 2000. Regardless of the operating system brand and version, vendor security patches should be applied as soon as they are available.

Social engineering is a favorite method of gaining access to otherwise impregnable systems, and combined with a public PBX infrastructure, this poses a threat that is not feasible to contain.

Telecommunications/PBX

Attackers have targeted telecommunications infrastructure for years. Originally, attackers sought to gain free long-distance service. As the Internet became more popular and dial-up access became a de facto communication technology for residential and corporate RAS connections, telephone switch access also meant that an attacker could eavesdrop on communication sessions and decode all the transmitted information. Clear-text authentication, Telnet, email, and File Transfer Protocols were all in danger of being intercepted—even in a seemingly secure scenario where a user dialed in to a corporate network and accessed corporate resources from within the corporate infrastructure.


Some PBX hacking efforts were concentrated on accessing local loops that are out of commission. Local loops are numbers that belong to a telephone company and are no longer in public service but are still active. These decommissioned numbers allowed hackers to rack up thousands of dollars in long-distance charges that the telephone company could not bill to anyone because the numbers were no longer registered.

Another attack on telephone company infrastructure that is of more interest to our discussion allows a hacker to gain access to one or more telephone company switches. Switches have secret dial-in numbers that allow the telephone company and switch manufacturers to dial in and administer the switch remotely. Instead of regular username/password combinations, some manufacturers, such as Nortel Networks, employ a pool of challenge phrases that are presented to the dialer on a random basis. The dialer is expected to respond with a matching answer to get into the system. After the dialer is in the switch, she can wiretap any line, hijack a dial tone, and establish complete control of the lines serviced by that switch. Getting the challenge/response codes from the telephone company or the manufacturer isn't easy, but some switches use default usernames and passwords without implementing any sophisticated security controls.

An attacker can use social engineering to trick a telephone company or manufacturer employee into giving away the secret telephone number to a switch in a telephone conversation. One of the most famous convicted hackers in the U.S. claimed that he had control of telephone company switches that serviced all of Nevada. The level of detail he presented makes his claim plausible and also makes it seem probable that something similar could happen again.

IDS

Intrusion detection systems (IDSs) are designed to provide the network with more sophisticated protection than that offered by firewalls. IDS can come in different packages: as a standalone hardware device that eavesdrops on traffic, as a software application for a dedicated server, or as hardware add-in modules for existing firewalls. IDSs can be categorized based on three main parameters:

EXAM TIP: Be familiar with why telecom and PBX equipment is susceptible to attacks and how to reduce the likelihood of attacks.


. Active or passive analysis—A passive IDS system monitors attacks in progress and just tells the administrator that her network is under attack. An active IDS system takes a preconfigured action against the intruder to protect the network against an attack in progress.

. Host or network analysis—Host-based IDS resides on network hosts and monitors system logs, communications, file systems, and processes for suspicious activities. Network IDS monitors network traffic and looks for suspicious traffic. A key tool used by IDS is signature matching. A signature is a string of data used to identify a potential attack; it includes a definition of the protocol and header information and packet data that is characteristic of an attack.

. Misuse or anomaly analysis—Misuse IDSs are designed to look for network traffic patterns, such as host port scanning, that match attack patterns stored in the attack pattern database. If network traffic matches one of the known patterns, an action or alert is triggered. Anomaly IDSs use norms that are established by the network administrator to define what is acceptable traffic and what is suspicious traffic. An example might be the number of ICMP echo requests that are allowable in a given time frame. Any traffic pattern outside the norm triggers an action or alert.
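The anomaly rule from the last item, as an added example that is not from the book: a small detector reads constructed firewall-style log lines (the line format is assumed, not any product's) and raises one alert per source that exceeds an administrator-set number of ICMP echo requests inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (assumed, not a real product's):
# "<date> <time> src=<ip> dst=<ip> proto=<PROTO> [type=<icmp type>]"
LOG_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) proto=(\w+)(?: type=(\d+))?")


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "src": m.group(2),
        "dst": m.group(3),
        "proto": m.group(4),
        "type": int(m.group(5)) if m.group(5) is not None else None,
    }


def detect_echo_floods(lines, max_requests: int, window_seconds: int):
    """Anomaly rule: alert once per source that sends more than max_requests
    ICMP echo requests (type 8) inside any window_seconds-long interval.
    Returns [(src, time of first breach, requests in window), ...]."""
    recent = defaultdict(deque)     # src -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "ICMP" or ev["type"] != 8:
            continue                # replies, TCP and junk are not this rule's business
        window = recent[ev["src"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()        # slide the window forward
        if len(window) > max_requests and ev["src"] not in alerted:
            alerted.add(ev["src"])  # one alert per source, not one per packet
            alerts.append((ev["src"], ev["ts"], len(window)))
    return alerts


def sample_log() -> list:
    """Constructed input: a normal host pinging twice, one reply, a TCP line,
    an unparseable line, then one host sending 12 echo requests in 12 seconds."""
    lines = [
        "2003-03-04 14:49:00 src=10.0.0.5 dst=192.168.1.10 proto=ICMP type=8",
        "2003-03-04 14:49:01 src=192.168.1.10 dst=10.0.0.5 proto=ICMP type=0",
        "2003-03-04 14:49:02 src=10.0.0.5 dst=192.168.1.10 proto=ICMP type=8",
        "2003-03-04 14:49:03 src=10.0.0.7 dst=192.168.1.20 proto=TCP",
        "garbage line that does not parse",
    ]
    lines += [
        f"2003-03-04 14:49:{10 + i:02d} src=10.0.0.99 dst=192.168.1.{i + 1} proto=ICMP type=8"
        for i in range(12)
    ]
    return lines


def run_demo():
    """Norm set by the administrator: at most 10 echo requests per 10 seconds."""
    return detect_echo_floods(sample_log(), max_requests=10, window_seconds=10)


if __name__ == "__main__":
    for src, when, count in run_demo():
        print(f"ALERT {when:%H:%M:%S} {src}: {count} echo requests within 10 s")
```

The quiet host 10.0.0.5 never trips the rule; 10.0.0.99 does on its 11th request, and the norm (threshold and window) is what the administrator tunes.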

Both IDS and firewalls protect networks, but where and how they do so differs. Firewalls are designed to prevent attacks before they happen by keeping offending traffic offsite. If attackers are smart enough to get through a tightly locked firewall, the IDS comes into play. It detects attacks that penetrated the first line of defense. Therefore, the IDS acts as a safety net for firewalls. Also, IDS can prevent application-specific attacks that the majority of firewalls are indifferent to and are designed to catch attacks in progress within the network as well, not just on the boundary between private and public networks.


The biggest advantage of the more sophisticated IDS is the capabili-ty to conduct stateful packet matching. That is, not only are certainpackets filtered on a per-packet basis, but the whole communicationsession is also examined with a knowledge of which types and quan-tities of packets are normally expected. IDSs can provide an excellentlevel of protection against attacks of all kinds, but they require tun-ing to become an effective tool in your network. With so many vari-ations and approaches to monitoring, you need to select theapproach from which your company would benefit the most. IDS isdiscussed more thoroughly in Chapter 4, “Intrusion Detection,Baselines, and Hardening.”

Network Monitoring/Diagnostic

Certain accepted practices in the industry are not yet standards but are pioneered by the companies or organizations that make standards. One of these practices deals with network monitoring and diagnostics. The industry recommends a structured approach to network management that includes fault management, configuration management, accounting management, performance management, and security management. This approach is referred to as FCAPS. This section discusses the framework of FCAPS and provides an overview of network monitoring protocols and security-related issues.

FCAPS is not a proprietary framework. It was developed by the International Organization for Standardization (ISO) to address network management issues. FCAPS, as originally defined, specifically focuses on the technical aspects of running the network infrastructure. It does not include the management of expenses, people, or software and server hardware (except for the network interface cards).

However, today’s networks and business requirements are more integrated, to the extent that a major network fault or security breach can bring a large corporation to a standstill. Therefore, most companies have integrated network and systems monitoring and management practices anyway. This is usually because of cost savings, advanced management software that is available, personnel issues, or business limitations. The following sections cover integrated network and systems monitoring and management practices.

NOTE Getting More Information on IDS

For more information and pros and cons of each method employed in IDSs, visit http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/idssa_wp.htm, a Cisco white paper on the art of IDS.

EXAM TIP

Be familiar with the various types of IDS.

Be familiar with the FCAPS.

Chapter 3 DEVICES, MEDIA, AND TOPOLOGY SECURITY 235

Fault Management

Fault management embodies all the tasks and duties related to network monitoring and troubleshooting. It is paramount to establish that a problem exists in the network in the shortest amount of time, determine what the cause is, eliminate the cause, verify that the service has been restored, and document (or log) the problem in a fault documentation or system monitoring log.

Configuration Management

Configuration management encompasses network configuration, device configuration, and all network and otherwise relevant settings. Support personnel must know the network configuration to troubleshoot a problem in a timely fashion. Personnel turnover, network size, and configuration complexity necessitate configuration documentation. Network items such as IP addresses, DNS settings, DHCP settings, subnet masks and default gateways, router configurations, network maps, and other network configuration information should be kept up-to-date and accessible to support personnel. Having this documentation on hand can help determine whether a router configuration has been tampered with and is also invaluable when recovering from a catastrophic network event.

Accounting Management

Accounting management consists of knowing exactly what a network system is built with and includes recording the exact model numbers and specifications of all network components and equipment and gathering and keeping all hardware and software inventory data up-to-date and available. Combined with other data provided by FCAPS, this is a valuable source of information for determining where the system needs tuning or upgrading to increase productivity or eliminate network bottlenecks or security risks. This segment of FCAPS is also concerned with billing users, if appropriate, and measuring and logging network resource usage.

Performance Management

Performance management involves baselining the network and analyzing trends to detect network problems and to plan upgrades, replacement, and development of the network infrastructure. The idea behind performance management is to identify problems before they occur by analyzing all network statistics and relevant indicators. It involves periodically benchmarking or measuring network statistics and comparing them with acceptable standards as identified in the network design documents. Criteria can include such values as data transfer rates, network and segment utilization, CPU usage, collision rates, broadcast rates, CRC error rates, queuing issues, and so on. Knowing network baselines can make certain types of attacks or their consequences obvious. Performance management is closely tied with fault, configuration, accounting, and security management.

Security Management

Security management is one of the most important areas of FCAPS and one that directly concerns this discussion (although you might have noticed that all areas of FCAPS enhance network security in one way or another). Security encompasses data encryption and integrity, authentication, securing data transmissions and network nodes, and managing overall security requirements by weighting them against usability of the network and ease-of-use from a user’s perspective. Security management involves a thorough understanding and analysis of available technologies—both hardware and software. Designing and implementing a secure network isn’t enough. Security must be proactively managed to avoid new exploits, repair newly discovered design flaws, upgrade and enhance existing operating systems and embedded software, and take advantage of new security and data protection technologies.

Simple Network Management Protocol

The Simple Network Management Protocol (SNMP, RFC 1157) was developed in the 1980s as a temporary solution to the network management problems that arose from growing network infrastructures. Although it had a simple and effective design, it was meant to be a stop-gap measure until better solutions were developed.

EXAM TIP

Be familiar with the various types of management.

However, over time, it has become apparent that these other solutions have enormous financial and infrastructure demands and that only large companies can afford them. Therefore, SNMP has become a widely deployed de-facto standard for network management.

The benefits of SNMP-based solutions include but are not limited to the following:

. Industry standard

. Hardware independent

. Relatively simple to code

. Extensible and customizable

The purpose of SNMP is to enable the flow or exchange of management information between network nodes and enable management of the network environment. The SNMP protocol is an Application-level protocol and is implemented by an SNMP agent. SNMP management infrastructure consists of three main components:

. SNMP managed node—Any network-enabled device running an SNMP agent—for example, a hub, router, switch, Unix station, or Windows station.

. SNMP agent—A software agent that stores and retrieves device-specific information from its Management Information Base (MIB) and that is aware of local aspects of hardware or software. SNMP agents interact asynchronously with the SNMP network management station to supply information about exceeded thresholds and warnings and to apply changes (set thresholds) received from the management station.

. SNMP network management station—The focal point of the SNMP infrastructure that makes all management information available to NOC operators. It displays a list of warnings and errors reported by the agents, allows a certain amount of configuration control, and provides exhaustive statistical information on network operation. Management stations query agents, configure thresholds, and acknowledge warnings. This is used as yet another defense front in the overall corporate security domain.

Figure 3.2 shows the SNMP architecture.

FIGURE 3.2 SNMP architecture. (Figure not reproduced: it shows two network management stations, NMS1 and NMS2, and an SNMP managed network in which a Unix PC, a Windows PC, a router, and a switch each run an SNMP agent with its own MIB.)

In Microsoft environments, an SNMP managed node is a Windows workstation; an SNMP agent is a software component called SNMP Service; and the SNMP network management station is third-party enterprise software. A few predominant network management station products exist, with HP OpenView being the most well-known product. Similar solutions are available from Sun, IBM, and DEC, and an open source network management product called OpenNMS is also available.

The SNMP protocol exists in three versions: SNMPv1, SNMPv2, and SNMPv3. SNMPv3 was approved as an Internet standard by the Internet Engineering Standards Group in March 2002. Its primary difference from prior versions is that it provides security mechanisms to authenticate the origin of data, verify the integrity of data, ensure the privacy of data, and make messages time sensitive to prevent replay attacks.

It is important to recognize that SNMP agents are implemented by a variety of vendors and that each implementation can be affected differently by inherent protocol vulnerabilities. Some SNMP implementations might contain decoding problems that make a device vulnerable to denials of service, buffer overflows, or hostile takeover attacks. Countermeasures include disabling SNMP, filtering outside access to SNMP services and ports, and allowing only SNMP traffic on management networks. See the CERT Advisory CA-2002-03 for vulnerability and workaround information about specific SNMP implementations.

SNMP Management Information Base

SNMP defines standards for device information organization and communication between agents and management stations. The following are two standards that are included in SNMP:

. Structure of Management Information (SMI)—Covered in RFC 1902, this is an OSI standard that governs how a data structure should be organized. The purpose of maintaining a database of management information is to make the information easily accessible and organize it in a logical manner. Management information within devices is organized into a hierarchical structure of objects that have properties and values. SNMP follows the logical structure, objects, properties, and values as defined by SMI. SNMP is employed to read these values and adjust them as appropriate.

. Abstract Syntax Notation One (ASN.1)—The syntax standard for all SNMP messages between agents and network management stations. Because ASN.1 is a standard, it provides reliable interoperability between different vendors.

Management Information Base (MIB), now in its second revision (MIB II, RFC 1213), is the data storage facility that houses SMI-compatible data structures in the SNMP agent. MIB exposes vendor-specific and device-specific information to the SNMP agent running on the device, thereby making it available to the management infrastructure. Examples of data available through MIB are an IP address, routing table, open TCP sessions, subnet mask, free disk space, current CPU utilization, and so on. For each object stored in the MIB, several properties are defined, such as the name of the object, unique identifier, description, data type, and access permissions. When requesting the object data, properties are returned with corresponding values.

Certain object properties, such as CPU utilization or number of FTP sessions, are read-only; others can be configured from the central location.

Messages, Communities, and Trap Destinations

Management stations and agents exchange information over UDP using the default port 161 for general messages and default port 162 for traps. Normally, the network management station sends a request for data and an SNMP agent retrieves that data from the MIB and delivers it back to the network management station. However, the SNMP agent is also allowed to initiate communication with the station when a trap event occurs. A trap event is a trigger for an alarm to be generated and delivered to the management station. An alarm can be generated by unauthorized system usage, by exceeding configured thresholds, or by some types of hardware failure. The four major types of messages are explained in the following list:

. GET—Used and initiated by the management station to request information from the managed node. This request is accepted and processed by the agent.

. GET-NEXT—Used in the same way as GET to request the next object after the first object in a group was requested. This sort of enumeration is convenient for requesting arrays of data. For example, when retrieving a list of open TCP connections, a few different connections can exist, but they all belong to the same type of object in the MIB.

. GET-BULK—Used to indicate that maximum datagram transfer size should be used when pulling large amounts of management data, initiating the transfer from the management station. Again, the agent is the processing and transmitting component in this case.

. SET—This type of message is used when a MIB object property value must be changed, providing that it has read/write access permissions. This communication is sent from the management station and accepted and processed by the agent committing the changes to its MIB.

. TRAP—Also known as NOTIFY message. Trap events trigger trap messages to be sent from the agent to the management station. These trap events are defined by the management station and usually represent critical device conditions. The agent submits these traps, and the management station processes them, generating an alarm. Alarms can be acknowledged after they have been looked at by the network management personnel. SNMP traps are submitted on an asynchronous basis.

. INFORM—Allows the exchange of trap information between several management stations without having to query agents again.

Trap Destinations

Every agent has to be configured with at least one trap destination to be capable of sending traps. A trap destination is essentially an IP address, an IPX address, or the hostname of a target management station running SNMP management software that can accept and process traps and generate alarms. Trap destination is a very important security configuration that, if modified, can reveal a lot of information about the host and network infrastructure to unauthorized individuals.

Communities

All agents and management stations must belong to an SNMP community. Communities can be thought of as shared strings, and their purpose is to provide a basic form of authenticating SNMP messages. They can almost be thought of as workgroups or domains in the SNMP world, although they share absolutely no relationship. SNMP agents and management stations that belong to the same community can accept messages from each other and communicate as defined in the community properties. Depending on your SNMP agent implementation, you could set whether this should be a read-only communication and from which hosts the SNMP agent should accept messages.

You need to define hard-to-guess community strings to prevent security holes from appearing in the network. The trouble with community strings in SNMPv1 and SNMPv2 is that they are passed in plain text, which makes them vulnerable to packet sniffing. After a community string becomes known or is guessed, an attacker can gain a lot of information about the host being queried, pivotal configuration settings, and potential system vulnerabilities. In SNMPv3, additional privacy measures make the detection of the community string more difficult.
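To make the plaintext-community point concrete, here is an added Python example (not from the book or any SNMP vendor) that BER-encodes an SNMPv1/v2c GET request with the message layout described above and then parses the header back out the way a packet sniffer on the segment would, followed by a small defender's check that flags plaintext community strings and assumed vendor defaults such as public and private. The OIDs and community strings in it are constructed sample values.

```python
"""BER codec for SNMPv1/v2c messages, enough to see what crosses the wire.
Added example (not the book's code); the message layout follows RFC 1157."""

# ASN.1 BER tags used by SNMP; context tags 0xA0-0xA6 are the PDU types above.
PDU_TAGS = {0xA0: "GET", 0xA1: "GET-NEXT", 0xA2: "RESPONSE", 0xA3: "SET",
            0xA4: "TRAP", 0xA5: "GET-BULK", 0xA6: "INFORM"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
WEAK_COMMUNITIES = {"public", "private"}   # common vendor defaults (assumed list)


def _tlv(tag, value):
    """Wrap value in a BER tag/length/value triplet (definite-length form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long form: 0x8k then k length bytes
        k = (n.bit_length() + 7) // 8
        length = bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + value


def _integer(v):
    """Non-negative INTEGER; the rounding keeps the sign bit clear."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_get_request(community, oid, request_id=1, version=0):
    """Build a GET for one object: version, community, then the GET PDU."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))        # { oid, NULL }
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(0x30, varbind))                        # id, status, index
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(datagram):
    """Recover the fields a sniffer sees in a v1/v2c datagram: no key is needed."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, ver, pos = _read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version == 3:
        raise ValueError("SNMPv3 uses the RFC 3412 message layout; not parsed here")
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    # A v1 Trap PDU carries five header fields before its varbinds; others three.
    pos = 0
    for _ in range(5 if pdu_tag == 0xA4 else 3):
        _, _, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        oids.append(_decode_oid(_read_tlv(vb, 0)[1]))
    return {"version": VERSIONS.get(version, "?"), "community": community.decode("latin-1"),
            "pdu": PDU_TAGS.get(pdu_tag, "?"), "oids": oids}


def audit_datagram(datagram):
    """Defender's check: what does this datagram give away to a packet sniffer?"""
    m = parse_message(datagram)
    findings = []
    if m["version"] in ("SNMPv1", "SNMPv2c"):
        findings.append("community string sent in plaintext")
        if m["community"].lower() in WEAK_COMMUNITIES:
            findings.append("default community string in use")
    if m["pdu"] == "SET":
        findings.append("SET request: write access to the MIB is exposed")
    return m, findings
```

The community string sits in the clear right after the version byte, so anyone capturing UDP/161 traffic on the management segment reads it without any key; restricting which hosts the agent accepts messages from, and isolating management traffic, limits what that exposure buys.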

Specifics of SNMPv2

SNMPv2 is based on the first version of the protocol and is designed to extend the functionality of its predecessor somewhat. Similar to SNMPv1, SNMPv2 is based on SMI. However, it introduces new data types and enhances some existing ones. It also implements SMI modules, the capability to group different information into modules, and capability and compliance statements.

SNMPv2 implements two new protocol operations, or message types: GET-BULK and INFORM, which aren’t supported in the previous version. Also, packet data unit (PDU) formats are not compatible between the two protocols. Because of message format and type enhancements, the two versions are effectively rendered incompatible.

To manage all SNMP devices regardless of their version, an SNMPv2-based management environment has to either use SNMP proxies to translate messages between versions or use management products that are capable of identifying and adapting to the version of SNMP running on each managed device. SNMP proxies act as intermediaries between management hosts and managed devices that do not share the same communication standard. Their purpose is to receive messages from the management host, analyze the request, and issue the appropriate version command or commands to the target device. Proxies collect the response or responses and forward these to the network management station. In some instances, one SNMPv2 request is translated to several SNMPv1 requests due to message type enhancements in v2.

Recent versions of Cisco IOS software support all three versions of SNMP standards and eliminate the need for proxies when managing Cisco hardware.

RMON

The Remote Monitoring (RMON) specification can be considered an extension to the SNMP standard and is based on RFC 1271. It was defined in the early 1990s and is based on similar standards as SNMP. It also relies on the MIB structure of information and SMI. As seen in RFC 1271, availability of RMON statistics and information can prove pivotal in designing and assessing network security. Its purpose is to deliver network information grouped into the following major monitoring elements:

. Statistics group—Contains statistical information collected by an RMON probe from each of the configured interfaces on the device. It provides detailed counter information, characterizing network traffic on each monitored interface. Reported numbers include

• Packets dropped, sent

• Bytes sent

• Broadcast packets and multicast packets

• CRC errors, runts, giants, collisions

• Fragments, jabbers

• Counters for packets in the byte size ranges of 64–128, 128–256, 256–512, 512–1024, and 1024–1518

. History group—As the name suggests, this group includes information that is sampled over a period of time at regular intervals and is stored for later analysis. It includes items sampled, sampling intervals, and number of samples.

. Alarm group—If alarm thresholds are configured on an RMON-monitored device, statistics data is sampled periodically to be compared to threshold values. If threshold levels are exceeded, an alarm is generated and posted to the alarm table.

. Host group—Contains basic statistical information on the hosts discovered in the network. This information includes host addresses, number of packets sent and received, number of multicast and broadcast transmissions, and other pertinent information.

. HostTopN group—Designed to prepare top lists of hosts based on certain configurable criteria. It can be used to compile top error lists, for example, and identify major sources of errors and faulty or improperly configured equipment in the network. It also can reveal break-in attempts and brute-force incursions. Information included here is statistics, hosts being rated, and duration and sampling rate of the compilation.

. Matrix group—Stores statistics on conversations between participating hosts. Each time a new conversation is initialized, it is verified with the group and is added if missing. Information in the matrix group includes source and destination addresses, packet counts, bytes transferred, and number of errors. This information can prove indispensable when analyzing and planning network usage, as well as when designing IDSs.

. Filter group—Contains streams of packets that are logged if they match a specified formula. This allows for detailed application-based or protocol-based communication statistics analysis on a given device. It can also be used for event generation. Criteria that can be specified include various packet parameters.

. Packet capture group—As the name implies, it allows the logging and analysis of actual packets. Parameters that can be specified include capture buffer size, status, and number of captured packets.

. Event group—Controls event generation and notification on a monitored device. It works together with the alarm group, controlling the amount and periodicity of alerts. It provides information about the event type, event description, and time of the latest occurrence.

Implementing all these groups isn’t mandatory, and most vendors opt to implement the groups that provide the most basic and fundamental information first. However, some of the groups are dependent on others and cannot be implemented without implementing other groups as well. For example, the alarm group depends on the implementation of the event group.

RMON can provide crucial information for the following security purposes:

. Network security and real-time host metrics and configuration.

. Network monitoring and operations information critical to supporting networks and ensuring proactive monitoring, including alarms.

. Matrix information that describes data flows, characters, and quality and supplies network and security designers with one of the most critical parts of information needed to ensure effective designs.

. Packet capture, traffic analysis, and decoding capabilities necessary for troubleshooting and design.

. Historical information for trend analysis, baselining, and performance monitoring, needed to effectively design and support networks. It is used by both groups: network operations and network architecture/engineering personnel.

. Network accounting and billing applications can use data provided by RMON for business and financial purposes.

Cisco Systems includes RMON functionality in its IOS software. However sophisticated, this information is only as useful as it is accessible. Centralized RMON configuration management, analysis, and tuning is necessary, and several software packages are available to be deployed as add-ons to HP OpenView, IBM, Sun, and DEC solutions. Some can even be operated independently without the need for implementing expensive management infrastructure.

NETWORK MANAGEMENT STATIONS

Network management stations collect a large amount of critical network information and are considered to be the most likely targets of intruder attacks. These network management stations are very visible in the network because most systems “chat” with the station on a consistent basis. Make sure network management stations are secure physically and network-wise. It would be reasonable to implement a separate management subnet and ensure that it is protected by at least a router with an access list.

You should be aware that the traffic between monitoring agents and management stations can slow down your network if you have a large number of hosts. Polling can take from as little as 800 bytes to up to more than 2 kilobytes per host. Multiply this by the number of hosts on your network, and the traffic load can become prohibitive.

Workstations

Workstation security is often overlooked, but this is one of the most attractive areas to intruders because it is the path of least resistance to deploying an attack. It is not unusual for users to be naive and to occasionally click links when they read “click this link” or to open emails with potentially suspect or downright ominous subject lines, especially if the company is not in an IT-related industry. Average non-IT users are not as aware of Internet risks as their IT counterparts are. (Note the usage of the word average here. It means that in every environment, you are likely to encounter exceptionally aware and, unfortunately, exceptionally unaware individuals. A single case of exceptional unawareness is enough to bring a network down.) Unfortunately, Internet risks are not the only risks that can exist in an organization. Basic user protection controls from Internet risks are covered in Chapter 2, but the following is a list of other risks you must protect against:

. Workstation and laptop theft

. Natural disasters, fire (arson)

. Physical access by unauthorized personnel (visitors)

. Physical failures of workstation components

See Chapter 7, “Physical Security, Disaster Recovery, and Business Continuity,” for more information on these subjects.

You can’t prevent things such as natural disasters and physical failures of components; however, you can prevent catastrophic information loss when a disaster occurs by implementing a corporate-wide backup policy. A comprehensive policy should mandate the storage of all company files on a dedicated network server that is located in a secure environment and that runs nightly backups. Backup tapes should be properly labeled with date and volume information, rotated, and stored offsite for further protection. One item many administrators overlook is the testing of backup media. It is not enough to run a nightly backup; the backup must be tested to ensure that it can actually be used to restore data. In addition, you might want to test the tape on various devices to ensure it works on other devices and not just yours.

In the area of theft, two solutions are available. The most obvious is a security lock. Every laptop comes with a hook for a security lock that can be used to deter all theft attempts. Similar locks exist for desktop workstations, as well. (These devices are particularly useful in schools, universities, walk-in printing shops, Internet cafes, and other public places that can be difficult to control.) To protect the information that must reside on a laptop or workstation, encrypt individual files or encrypt the file system. The Windows Encrypting File System (EFS) makes it impossible to read file information without appropriate login credentials.

If your company has regular visitors who might pose a risk, consider buying disk drive locks to ensure that critical information cannot be extracted using a disk drive. Some manufacturers now produce workstations without floppy drives. Securing floppy access also prevents employees from bringing in infected files. In addition to physical prevention, train employees to always log off or lock their unattended workstations. Combined, these methods will also prevent a visitor from booting a system from a floppy drive.

Servers

Everything discussed in the workstation section applies just as well to the servers. Naturally, servers are more sensitive to attacks. Therefore, all servers (and as much network equipment as possible) must be isolated in a server room or an ISP co-location facility and must be locked to prevent any type of unauthorized physical access. Visitors to these premises must be justified and supervised. No matter how rigorously your software is configured to guard your network from hackers, if a nighttime cleaning person can accidentally switch off the box while dusting it or knock a $15,000 piece of equipment over, your protective measures have failed. One major corporation spent thousands of dollars investigating how someone was sabotaging server backup tapes, only to find that the magnetic interference from a motorized floor buffer was erasing the tapes in their storage rack. Make sure that access to the room is limited to authorized personnel only; use server racks that have locking capabilities; and when selecting server hardware, assess its physical security controls in addition to its other features. We talk more about locking down servers in Chapter 4.

UNDERSTANDING THE BASIC SECURITY CONCEPTS OF MEDIA

Understand the basic security concepts of storage media devices.

Chapter 2 provided details of securing communications on most layers of the OSI model except the Physical layer (layer 1). If an attack is launched against the signal on the wire, hackers might be able to copy information as it flows in the form of bits. This might not be as dangerous if an appropriate software encryption mechanism is employed in the transmission. Depending on the communication medium, hackers might be able to steal either information or bandwidth.

Coaxial Cable

Coaxial cables are made of a core wire with an outer metallic shield used to reduce interference. Often, the shield is made of a metallic web, with or without an additional metal-foil wrapping surrounding the core conductor. The cable is then surrounded by a plastic covering, called a sheath. Coaxial cables are no longer deployed en masse, but they are still abundant in legacy environments. Two types of coax cables are used: 10BASE-2 and 10BASE-5. On a 10BASE-2 cable, a signal can travel a distance of 185 meters at a speed of 10Mbps before it appreciably attenuates. On a thicker 10BASE-5 cable, signals can travel a distance of up to 500 meters at the same speed.

Because the electrical signal is conducted by a single core wire, someone can easily tap the wire by piercing the sheath. He would then be able to eavesdrop on the conversations of all the hosts attached to the segment because 10BASE-2 coaxial cabling implements broadband transmission technology and assumes many hosts connected to the same wire. Coaxial cable is still popular in campus areas, especially 10BASE-5 (or Thicknet), because of its greater transmission length. Coaxial cables have no physical transmission security and can be easily tapped without interrupting regular transmissions and without detection.

UTP/STP

Unshielded twisted pair (UTP) is the main cabling type in LANs today. Seven types of UTP cable are available, but the most popular and widely deployed is category five (CAT5). CAT5E allows transmissions of up to 1Gbps at a distance of 100 meters, and it is made up of eight individual wires twisted in pairs (hence the name). Twisted pairs prevent crosstalk between the wires. UTP has no shielding and is prone to radio frequency interference (RFI) and electromagnetic interference (EMI); however, its installation is relatively simple and its cost low. In half-duplex deployments, only four of the eight wires are used and a device might not simultaneously transmit and receive. In a full-duplex (switched) environment, all eight wires are used: Two pairs are used to send, and the other two pairs are used to receive data. UTP uses RJ45 cable connectors for cable termination and connectivity. UTP is used in Ethernet topologies and is a shared communication medium unless a switch is used, in which case Unicast communications are conducted between the devices involved.

STP is analogous to UTP with a slight modification: It is shielded, which means it can withstand EMI and RFI much better than UTP does. STP is used in token-ring topologies.

Both UTP and STP can be tapped, although it is physically a little trickier than tapping coaxial cable because of the physical structure of STP and UTP cable. The major difference from coaxial cable is the connection method. Whereas coaxial cable runs from computer to computer, twisted pair cabling runs from computer to concentrator—hub, repeater, bridge, switch, Multi-Station Access Unit (MSAU), and so on. Therefore, the service is more vulnerable to abuse and theft in those concentration spots. You need to keep concentrators in the server room (if cabling distances permit) or in wiring closets. At a minimum, keep distribution and core devices secured from unauthorized access. At the same time, authorized personnel must have ready access to patch panels, and cables must be clearly marked and available for visual inspection.

06 0789728362 CH03 3/4/03 2:49 PM Page 249

250 Part I EXAM PREPARATION

Fiber

Fiber-optic cabling has many advantages over more traditional twisted pair cabling. Fiber is designed for short- and long-range transmissions at speeds higher than 1Gbps. It uses light pulses for signal transmission, making it immune to RFI and EMI. However, some disadvantages are that it is still quite expensive compared to more traditional cabling, it is less forgiving of physical stress, and it is more difficult to install.

As far as security is concerned, fiber cabling eliminates the tapping of electrical signals that is possible in the case of twisted pair and coax. Tapping fiber cable without interrupting service, and without specially constructed equipment, is impossible, which makes stealing service or eavesdropping on traffic significantly more difficult.

Infrared, RF, and Microwave

One obvious disadvantage of open-air signal transmission technologies is the lack of clearly defined boundaries. Wired networks have a physical signal path that can be secured. With broadcast media, however, it is theoretically possible for anyone to tune a receiver to the frequency of your transmission and eavesdrop on it without anyone knowing about it. In the early days of wireless LAN technologies, it was even possible to use network services without authenticating. All an intruder had to do was to choose a site and do a site survey by scanning the frequency bands to find services. Spread spectrum signaling technology made wireless transmission somewhat more secure, but only to a certain point. Frequency-hopping sequences are not secret; instead they are openly published standards.

The fact that modern wireless facilities have security controls that prevent unauthorized use of the medium and services does not make the open-air medium safe from eavesdropping. IR transmissions are considered safer than radio transmissions because the communicating devices use an invisible light spectrum range and require a direct line of sight with each other. This makes eavesdropping on the communications without being noticed more complicated. But the technology itself is not technically immune to eavesdropping; infrared signals can be recorded using cameras with infrared filters. The only way to be sure of wireless communication security is to use strong authentication algorithms such as PKI and to encrypt all your communications.

EXAM TIP: Know which types of media are susceptible to which types of interference.


Chapter 3 DEVICES, MEDIA, AND TOPOLOGY SECURITY 251

Removable Media

Removable media poses a security risk because of two main problems. First, classified or confidential information can be stolen, destroyed, or misused. The loss or exposure of business, financial, or consumer information can cause serious damage to a company’s competitiveness or reputation. Second, system, policy, or infrastructure information can give intruders enough information to mount future attacks.

Why do companies use removable media? With the storage density and capacity available today, using removable media might not seem relevant. However, even if a company has a few storage area network (SAN) devices that provide terabytes of storage space, it still needs to back up its files and databases. Remember, offsite storage of backups is a crucial part of a disaster recovery plan. The second reason that some companies might still have large amounts of sensitive information on removable media is because they have relied on removable media at some point in the past to control access or provide additional storage and the media has not been disposed of yet.

Various types of removable media include tape, CD-R, hard drives, flash cards, and smart cards, and they are covered in detail in the following sections.

Tape

Tape devices use magnetic storage and are extremely popular in backup technologies because of the amount of data that can fit on a storage unit (tape). It is the medium of choice for backing up mission-critical systems that often contain sensitive customer information, databases, and files. Tape backups are also widely used to back up system configuration and account information, which means they often contain system Registry and network user account databases.

Several backup types can be employed in disaster recovery strategies, and they are not specific to tape devices. (See Chapter 7 for full coverage on backups.) For the purposes of this discussion, the security person needs to be aware of the most popular backup strategies, which are as follows:

. Full backup—Contains the entire set of data being backed up and is most sensitive to theft because the information it contains is readily available in full.


. Incremental backup—Works with the full backup and does not contain a full copy of the information. Instead, it contains all the information that was modified between the time of the incremental backup and the previous incremental or full backup. In case of theft, incremental information taken out of context might or might not represent value to the offender, but it certainly represents risk to the company.

. Differential backup—Similar to incremental, with the only difference being that the archive flag is not reset after the differential backup is run. This causes every differential backup to copy information changed since the last full backup, regardless of when the last differential backup was made. This backup strategy is more risky with respect to theft because the further a differential backup is from the last full backup, the larger the chunk of sequential data stored on a single tape.

. Copy backup—Very similar to a full backup in that it takes a complete snapshot of the system at the time of backup. The only difference between a copy backup and a full backup comes into play in database environments where transactional logging is employed. A copy backup takes a copy of the system as it is running at that moment, whereas a full backup commits the logs to the database first and then backs up the database. From a security perspective, the loss of a tape with a copy backup is tantamount to losing a tape with a full backup.
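The archive-flag behaviour behind these four backup types, and what a single lost tape of each type would expose, can be made concrete with a small simulation. This is an added example, not code from the book; the file names and the week of changes are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    version: int = 1
    archive: bool = True            # archive flag: set whenever the file changes


@dataclass
class Tape:
    kind: str
    contents: dict = field(default_factory=dict)   # file name -> version on the tape


class FileSystem:
    def __init__(self, names):
        self.files = {n: File(n) for n in names}

    def modify(self, name):
        f = self.files[name]
        f.version += 1
        f.archive = True

    def backup(self, kind):
        """Write one tape of the given kind and update archive flags as the text describes."""
        if kind in ("full", "copy"):
            selected = list(self.files.values())                      # everything
        elif kind in ("incremental", "differential"):
            selected = [f for f in self.files.values() if f.archive]  # changed since the last reset
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        tape = Tape(kind, {f.name: f.version for f in selected})
        if kind in ("full", "incremental"):   # only these two reset the archive flag
            for f in selected:
                f.archive = False
        return tape


def run_week(strategy):
    """Sunday full backup, then one backup of `strategy` per day over a constructed change history."""
    fs = FileSystem(["db", "registry", "users", "plans"])
    tapes = [fs.backup("full")]
    for changed in (["db"], ["registry"], ["db", "users"]):
        for name in changed:
            fs.modify(name)
        tapes.append(fs.backup(strategy))
    return tapes


def exposure(tape):
    """The files a thief holding this one tape obtains."""
    return sorted(tape.contents)


def copy_then_incremental():
    """A copy backup leaves the archive flag alone, so the next incremental still captures the change."""
    fs = FileSystem(["db"])
    fs.backup("full")
    fs.modify("db")
    fs.backup("copy")
    return exposure(fs.backup("incremental"))


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, [exposure(t) for t in run_week(strategy)])
    print("incremental after a copy backup:", copy_then_incremental())
```

The differential tapes grow each day (the last one holds db, registry, and users), whereas each incremental tape holds only that day's changes, which is the theft-risk difference the text describes.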

In addition to these backup strategies, companies employ tape rotation and retention policies to have a safety net if something goes wrong.

Backup is just one small part of an overall disaster recovery and contingency plan. Despite obvious security threats, backups must be done on a regular basis for every computer whose physical failure or loss would cause any amount of inconvenience. Every company should determine its own rotation and retention strategies, depending on the needs and nature of the information. Tapes that are going out of rotation and into archive must be stored offsite in safe deposit boxes or similar secure environments. Offsite storage ensures business continuity in the case of natural or manmade disasters. See Chapter 7 for more information.


CD-R

Recordable or rewritable compact discs (CD-Rs or CD-RWs, respectively) can be used for the same purpose as tape backups in smaller companies where information might not change as frequently or where the volume of information is smaller. However, CDs are typically used for backup or distribution of individual projects to clients, offline content distribution, proprietary software or algorithm transfer, or similar purposes. This does not diminish the sensitivity of the information, and hence the protection measures discussed in the previous section apply to CDs as well.

If a CD is no longer useful or is not working correctly, it must be made safe to discard. Formal as well as physical processes can be used to do this.

Disposal of Media

The following three concepts apply to all removable media units:

. Declassification—A formal process of assessing the risk involved in discarding particular information. You should consider all possible situations if this information ends up in the wrong hands, becomes known to the public, and so forth. Is it possible to use it against the company? Is it proprietary? Would it damage the company’s market posture or competitive plans? Would it cause litigation or civil or criminal liabilities? If the information being discarded is innocuous or obsolete and therefore does not present any risk to the company, it can safely be declassified if no other threats are uncovered through the risk assessment.

. Sanitization—The process of removing the information from the media as fully as possible, making it almost impossible to restore it even for data recovery specialists. Sanitization has no effect on the classification of the information. Depending on the media type, sanitization might or might not apply. To sanitize media, you can use a process such as magnetic degaussing or magnetic overwriting.

. Destruction—Physically destroying the media and, therefore, the information stored on it. Other than destruction, there are no safe methods of completely removing all traces of information stored on a removable media device.


Because of the nature of CDs and CD-Rs, sanitization is not applicable to these media, and either declassification or destruction should be used (or both). Concerning destruction, only authorized, cleared personnel should ever have access to the media decommissioned for destruction.

Every company should have media disposal policies in place. It is important to follow company disposal standards and to know what obligations contracts with other companies or agencies impose on media disposal requirements. A listing of Department of Defense media disposal standards can be found at http://www.cerberussystems.com/INFOSEC/stds/sanitize.htm.

Hard Drives and Disks

Hard drives and disks are magnetic media, and in addition to destruction and declassification, sanitization can be used. The processes employed by sanitization are

. Degaussing—Also called demagnetizing, it is applicable to magnetic storage devices. Degaussing works by applying a reverse magnetic field to the magnetic media and reducing magnetic density to null. This makes all the previously stored data unreadable. Degaussing is considered very safe.

. Overwriting—Applicable to magnetic storage devices, it involves an operation of completely rewriting every addressable bit pattern on the media with a single bit pattern (all 0s), verifying that the operation was successful, rewriting the bit pattern again using the opposite bit pattern (all 1s), and verifying again. This process must be repeated as many times as is required by the classification level of the information being sanitized.

. Disconnection—For volatile memory devices such as RAM, all sources of power must be disconnected, including backup and BIOS batteries, and the computing device must be grounded before sanitization is considered complete.

. Removal of information—For laser printers and copiers on which a large amount of declassified information is printed and copied, you need to remove traces of the classified information from the drums for the device to be considered sanitized.
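The overwriting process above (all 0s, verify, all 1s, verify, repeated per classification level) is shown here as an added example against an in-memory device; it is not code from the book or any sanitization standard. The passes-per-classification table, the `StickyBlockDevice` fault model (a region that silently refuses to be rewritten), and the sample contents are constructed assumptions.

```python
import io

# Hypothetical policy table: how many 0x00/0xFF cycles each classification level requires.
PASSES_BY_CLASSIFICATION = {"unclassified": 1, "confidential": 3, "secret": 7}


def make_device(data: bytes):
    """Seekable in-memory stand-in for a disk, preloaded with constructed contents."""
    return io.BytesIO(data)


class StickyBlockDevice(io.BytesIO):
    """Constructed fault model: bytes in [start, end) keep their old value no matter what is written,
    like a sector the drive can no longer rewrite. Verification must catch this."""

    def __init__(self, data: bytes, start: int, end: int):
        super().__init__(data)
        self.frozen = data[start:end]
        self.start = start

    def write(self, b):
        n = super().write(b)
        pos = self.tell()
        self.seek(self.start)
        super().write(self.frozen)      # undo any write that touched the frozen region
        self.seek(pos)
        return n


def overwrite_pass(device, pattern: int, block_size: int = 4096) -> bool:
    """Write one byte pattern over every addressable byte, then read it all back and compare."""
    device.seek(0, io.SEEK_END)
    size = device.tell()
    block = bytes([pattern]) * block_size

    device.seek(0)
    written = 0
    while written < size:
        n = min(block_size, size - written)
        device.write(block[:n])
        written += n
    device.flush()

    device.seek(0)
    verified = 0
    while verified < size:
        chunk = device.read(min(block_size, size - verified))
        if chunk != block[:len(chunk)]:
            return False                # some byte did not take the pattern: not sanitized
        verified += len(chunk)
    return True


def sanitize(device, passes: int):
    """Run `passes` complete 0x00-then-0xFF cycles. Returns (success, log of (cycle, pattern, verified))."""
    log = []
    for cycle in range(1, passes + 1):
        for pattern in (0x00, 0xFF):
            ok = overwrite_pass(device, pattern)
            log.append((cycle, pattern, ok))
            if not ok:
                return False, log       # stop: the media must go to destruction instead
    return True, log


if __name__ == "__main__":
    dev = make_device(b"customer database 2003 " * 300)
    print(sanitize(dev, PASSES_BY_CLASSIFICATION["confidential"]))
    print(sanitize(StickyBlockDevice(b"A" * 10000, 5000, 5100), 2))
```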

NOTE: Physical Security on Computer Systems. Just because systems don’t include ports for removable media (such as a caddy for removable hard drives) doesn’t mean somebody can’t attach such a device. Today, compact USB-based hard disks small enough to fit on a keychain offer up to 2GB of storage space and can conceivably be mounted on any system with a USB port. Not only does this underscore the overwhelming need for physical security on computer systems (thereby denying intruders the opportunity to use such devices), but it also argues that publicly accessible machines should be locked down so that unwanted devices cannot be mounted or used on that equipment.


Flashcards and Nonvolatile Memory

Flashcards and EEPROM devices are contained in many devices of varying sizes and purposes and can contain traces of classified or confidential information, such as customer data in the case of flashcards or proprietary software in the case of EEPROM. Companies should consider sanitizing or destroying these components when upgrading or discarding equipment.

Smart Cards

Smart cards are widely used in cell phones and mobile devices to store customer ID information for providers to identify their subscribers in the network. They also store a personal phone book, Short Message Service (SMS) messages, and a log of incoming and outgoing calls. In corporate computing environments, smart cards are replacing conventional username/password authentication mechanisms because they allow personal X.509 digital certificates to be used for user authentication and network logon purposes. Remember from the encryption discussion in Chapter 2 that digital signatures are impossible to forge and X.509 certificates are used in digital signing. Therefore, the company must be extremely vigilant regarding how these smart cards are used, distributed, and serviced. A single lost or stolen card can pose a company-wide risk of an intruder gaining unauthorized access to the site.

Smart cards often carry employee and company credentials printed on them, which makes identifying the target easy. Clearly, the right smart card in the wrong hands is a recipe for disaster. Therefore, companies must institute and enforce extremely strict smart card policies that make employees treat these identification devices with extreme caution and report lost or stolen cards immediately. Administrators, in turn, can revoke issued certificates or disable user accounts, making the smart card a piece of useless plastic.

Another area of concern for the company in this case is disgruntled employees and headcount reduction. A process must be in place to ensure that all employees leaving the company relinquish their cards in a timely fashion. Administrators can then put the certificates stored on the cards on the revocation list and reprogram the cards to issue to new employees.

EXAM TIP: Know the types of removable media and the security risks involved with each.


UNDERSTANDING THE CONCEPTS OF SECURITY TOPOLOGIES

Understand the basic security concepts of security topologies.

The concepts of security topologies are based on firewalls and their application to specific network design scenarios. Topologies consist of hardware devices and security zones that are created with these devices. The remainder of this chapter provides an overview of how firewalls are used to segment the network into security zones and create various security topologies. The following security topics are covered in more detail in the following sections:

. Security zone topologies

. VLANs

. NAT

. Tunneling

Security Zones

The three major types of security topologies are as follows:

. Bastion host

. Screened host gateway

. Screened subnet gateway

Various combinations of these three basic security topologies can yield additional categories that combine the benefits and disadvantages of the fundamental topologies, but for the purposes of our discussion we will concentrate on these three.


Bastion Host

A bastion host is a dual-homed device—that is, a device with two network interfaces. It can be a specialized hardware device (Cisco PIX, Checkpoint Firewall, and so on); a router running access lists (most Cisco and other routers are capable of this); or a PC running Windows 2000 or later, Unix, or another operating system that supports routing rules definitions or traffic-filtering mechanisms. Any routing between the interfaces on the dual-homed device is disabled and specialized software (IP Security in Windows 2000, Cisco IOS, and so on) is configured to allow only certain types of traffic through while excluding the rest of the traffic.

This type of firewall secures the network by filtering communications based on different configurable criteria, such as port numbers (traffic type), source or destination IP addresses or IP subnets, whether the connection is a secondary connection to an already established communication session (file transfer requests of an FTP session), and so on. Regardless of hardware configuration, IP forwarding (routing) must be disabled between the two network interfaces and the process of forwarding packets between interfaces must be controlled by specialized software. A bastion host is used to connect the outside network (unsecure extranet) with the inside network (secured intranet), and in most cases, it is one of the first devices public traffic hits on its way into your network.

The more specialized this device or software is, the less likely it is that someone will be able to exploit a flaw in its overall design. Therefore, it is highly recommended that only specialized devices or machines dedicated to securing the network border be used as bastion hosts. The number and diversity of features and applications running on any given device are sometimes referred to as the attack surface. Keeping the attack surface small makes a more secure bastion host.

In addition to the purposes outlined previously, a specialized solution is more likely to maintain desirable performance levels without introducing bottlenecks and lags.

Bastion host solutions are most common to small corporate networks, small branches or remote locations, and home office or telecommuter environments. Figure 3.3 depicts the basic elements of a device built as the bastion host.

NOTE: Dedicated Hardware and Software for Specific Purposes Is Secure. For smaller companies that are short on cash, this might seem too expensive, but using cobbled-together solutions opens the infrastructure to potentially devastating attacks that could ruin a small business. If you have a Web server exposed to the public, it should be just that: a Web server (that is, it should not host mailing and database applications). This is especially true about firewalls of any type or topology. A firewall device is the first line of defense against network intrusions, and the fewer software features that are installed on it, the smaller the attack surface is.


Screened Host Gateway

A screened host gateway is a packet-filtering device, usually also a router, which communicates only with a designated application gateway inside the secured network. No other traffic is allowed in or out of a screened host gateway. The basic functionality is the same as a bastion host; however, a few important differences exist. Unlike with a bastion host, the network design incorporates an application gateway. Traffic coming in from the Internet is filtered based on what is considered to be safe. If a data stream is deemed safe (based on the configuration), it is forwarded to the application gateway. The application gateway then determines how to handle this stream and redirects it to an appropriate information server or workstation in the network. The process works in reverse for outgoing communications. The screened host gateway ignores all outgoing traffic that is not coming from the application gateway.

An application gateway is a one-interface device, whereas a screened host gateway is a dual-homed device (just as a bastion host firewall is). Therefore, an application gateway does not need a special subnet—it can be just another network node in the corporate or production subnet as far as network design is concerned. An application gateway also runs a few application services (hence, the name), redirecting traffic it receives from the borderline filter to the systems inside the network. The borderline filter (screened host gateway) can also be configured to allow redirection of certain types of traffic considered to be safe directly to the systems inside the network. DNS requests or Telnet sessions are examples of such traffic.

FIGURE 3.3 Bastion host firewall. (Diagram: the Internet, the bastion host firewall with Int1: 10.1.1.1 and Int2: 194.35.28.34, and the local area network.)


Compared to a bastion host, the screened host gateway scenario is more likely to let certain types of offending traffic slip through unnoticed. In the case of a bastion host, all rules are configured on one device (if it’s a pool of devices serving several redundant connections, the same configuration can be applied to other devices in the pool). With application gateways, two devices need to be configured very carefully: the borderline packet filter and the application gateway itself. This leaves room for unnoticed configuration errors and loopholes that might not be discovered until an attack has been executed, which is too late. Another reason this solution is less secure is that the packet filter is configured in a rather generic fashion, usually allowing “all or none” requests of configured types, which forwards all those requests to the application gateway indiscriminately. Because the application gateway’s attack surface is significantly greater than that of the bastion host, greater potential exists that the application gateway can be compromised.

Application gateways do provide greater flexibility, albeit at the expense of security. It might be more convenient to take advantage of the modularity implemented with the two types of devices in this scenario, each responsible for its own functions. Packet filtering rules can be difficult to configure and even more difficult to maintain on one device where you have to manage permit/reject rules for more than one internal system in the absence of an application gateway. The difficulty of creating rules for a single device that must allow only specific types of traffic to reach only specific hosts can create security holes. With a bastion host, administrators often create rules that are too permissive, especially after receiving numerous complaints from special case users who cannot receive legitimate traffic. In these instances, a screened host gateway can be more secure.

Figure 3.4 depicts the typical set of elements in a screened host gateway deployment.

Screened Subnet Gateway

The third type of topology is called a screened subnet gateway. Screened subnet gateway architecture includes two screened host gateway devices that isolate the LAN from the Internet, creating what is known as a screened subnet, or DMZ, between them. The architecture also includes a proxy server (bastion host).


This architecture is essentially a combination of the bastion host and screened host gateway architectures discussed in the previous sections. Traditionally, this approach offers the best solution because traffic is controlled more granularly and the design has built-in redundancy; it isolates the internal network with more than one layer of security. Public inbound traffic is restricted to and is allowed only in the DMZ subnet. Outbound traffic flows through the DMZ, which creates anonymity for the requesting clients on the LAN. The only obvious disadvantage of this mixed architecture is that it is more complex than the other two; however, the complexity is partially offset by the fact that different components of this mixed architecture have their own functions and areas of responsibility. In effect, the planning requires the most effort, not the actual configuration.

Consider the deployment scenario depicted in Figure 3.4. In the DMZ are application servers the public needs to be able to access to communicate with internal clients. You would therefore place certain critical application systems inside that subnet, as shown in Figure 3.5. For example, your email servers, Web servers, DNS servers, FTP servers, and other public-facing information servers would need to be located in the screened subnet. This does not compromise the security of these application systems because at least one bastion host still exists on the borderline between the DMZ subnet and the unsecure extranet. This bastion host would be configured to allow communications initiated from the public, nontrusted clients specific to the applications the DMZ servers provide (in this case, SMTP [TCP port 25], DNS [TCP 53], FTP [TCP 21], and HTTP [TCP 80]).

FIGURE 3.4 A screened host gateway. (Diagram: the Internet, the screened host gateway with Int1: 10.1.1.1 and Int2: 194.35.28.34, and network clients and the application gateway on the local area network.)


All other communications from the public to internal clients on the LAN or any other communications not explicitly allowed into the DMZ would be rejected. Optionally, you could place a rule to forward certain requests to certain internal machines, but this has to be justified by corporate or production requirements.
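The filtering criteria listed for the bastion host (port, source and destination subnet, whether a packet belongs to an already established session) and the border policy for the screened subnet just described can be expressed as a first-match rule table with an implicit deny. This is an added example, not configuration from the book or from any firewall product; the LAN prefix follows Int1 in Figure 3.3, while the DMZ prefix (192.0.2.0/24) and the outside addresses are constructed. The `overly_permissive` audit implements the "rules that are too permissive" concern raised in the screened host gateway discussion.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.1.1.0/24")    # inside network, consistent with Int1 in Figure 3.3
DMZ = ipaddress.ip_network("192.0.2.0/24")   # constructed screened subnet for the public servers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    established: bool = False     # True if the firewall already saw the session this packet belongs to


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # None matches any protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None
    established: Optional[bool] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport)
                and (self.established is None or self.established == p.established))


def evaluate(rules, packet: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (IP forwarding is never the default)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


# Border bastion host policy for the screened subnet in Figure 3.5, using the ports given in the text.
BORDER_RULES = [
    Rule("permit", established=True, comment="replies belonging to established sessions"),
    Rule("permit", "tcp", dst=DMZ, dport=25, comment="SMTP to the DMZ mail server"),
    Rule("permit", "tcp", dst=DMZ, dport=53, comment="DNS to the DMZ name server"),
    Rule("permit", "tcp", dst=DMZ, dport=21, comment="FTP control channel to the DMZ FTP server"),
    Rule("permit", "tcp", dst=DMZ, dport=80, comment="HTTP to the DMZ Web server"),
    Rule("deny", dst=LAN, comment="public hosts never reach internal clients directly"),
]


def overly_permissive(rules):
    """Audit: permit rules that would let a new (not yet established) session reach the LAN."""
    return [r for r in rules
            if r.action == "permit" and r.established is not True and r.dst.overlaps(LAN)]


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", "192.0.2.25", "tcp", 25),
                Packet("203.0.113.7", "192.0.2.25", "tcp", 23),
                Packet("203.0.113.7", "10.1.1.50", "tcp", 80),
                Packet("203.0.113.7", "10.1.1.50", "tcp", 49152, established=True)):
        print(pkt, "->", evaluate(BORDER_RULES, pkt))
    print("too broad:", overly_permissive(BORDER_RULES + [Rule("permit", "tcp", dport=80)]))
```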

FIGURE 3.5 A screened subnet gateway. (Diagram: the Internet, an outer screened subnet gateway, the DMZ with WWW, DNS, and email servers, an inner screened subnet gateway, and network clients on the local area network.)

Now, you can install any other application gateways in the DMZ to make external resources available to your internal clients, and vice versa. This application gateway can provide an extra layer of security in cases where Application-layer security is necessary. Thus, administrators can have control over traffic leaving internal networks and initiating bidirectional communications with the outside world on a user level. Good examples of an application gateway are a CERN-compliant proxy server, Microsoft Internet Security and Acceleration (ISA) Server 2000, or some similar software product. From an internal client’s perspective, clients can either be configured to talk to the outside world directly, receiving only email, DNS, and corporate intranet Web services from the DMZ, or be restricted to talking only to application gateways and information servers in the DMZ. An external borderline bastion host would then be responsible for blocking outbound communications that originate internally.

With a screened subnet topology, two local subnet IP addresses are needed to implement this architecture. One subnet address is used within the DMZ, and another subnet (which can be subnetted further) is used for internal network segments.


IP ADDRESSING

A few words need to be mentioned here about IP addressing. Using publicly routed IP addressing for your LAN design is very unsecure. Not only does it allow direct communications between outside hosts and internal clients (at least in theory), but it also wastes scarce public IP address space. After Internet Protocol Version 6 (IPv6) is widely accepted and deployed, more IP addresses will be available for public communications. Nonetheless, even without the problem of scarcity, using private addressing internally is much more secure and much more maintainable.

The “Network Address Translation” section that appears later in this chapter provides more information on public and private addressing. For the moment, suffice it to say that the combination of NAT plus private IP addresses helps avoid the need to renumber internal networks if an organization ever contemplates changing from one service provider to another. Because ISPs are the primary source of public IP addresses, you can sidestep the need to renumber entire networks (only the public interfaces in your network need to change) only by avoiding the use of public addresses.

Disadvantages of this architecture are the complexity of implementation and the possibility of firewall policy violations when conduits are administratively allowed from the borderline firewall through the DMZ and into the internal network. However, this second disadvantage is not unique to the screened subnet scenario. This scenario is by far the most flexible and secure topology because of its capability to completely eliminate inside/outside communications and conduct everything through a strictly controlled middleman called the DMZ.

DMZs

A DMZ can be viewed as a layer of privacy between the corporate infrastructure and the Internet, exposing only those systems that must be known to the public. Strict authentication and encryption can add to the security the two firewall devices provide to make the internal network impenetrable. Demilitarized zones can also be created with just one firewall device with three network interface cards on board, as depicted in Figure 3.6.

EXAM TIP: Know the three major types of security zones.


In Figure 3.6, an intranet and the Internet are separated by a single device and both of these segments are attached to separate interfaces. The third interface is attached to a separate network segment that effectively is an alternative DMZ and an extranet. This alternative solution compromises a little bit of security (an intruder has to break only one firewall as opposed to two), but with proper planning, good hardware, and solid configuration, this is highly unlikely. Companies can opt to use this method in situations where security is a must but the budget does not allow for two well-designed firewalls.

Intranets

As can be inferred from the discussion in the preceding section, an intranet is the portion of a network that belongs to and is controlled by a company. It is not necessarily just the inside LAN segment; it can also include the DMZ segment, WAN links to remote locations, and the remote locations. The definition of an intranet is somewhat blurry, and opinion varies as to whether a DMZ can properly be considered part of the intranet. However, one rule is that if a portion of the infrastructure belongs to the company and the communications links are managed and secured by the company, these elements are encompassed in the definition of an intranet.

FIGURE 3.6 An alternative DMZ configuration. (Diagram: the Internet, a screened subnet gateway with three network interfaces, the DMZ with WWW, DNS, and email servers, and network clients on the local area network.)


Security requirements for intranets (with the exception of the DMZ) are usually significantly lower than with extranets or the Internet, although this might not be true in certain organizations. (A good example is a university, where firewalls are used to protect staff networks from student networks.) In classical examples, some access separation exists between departments, branches, and geographical locations, but by and large, company resources are accessible and trusted within the intranet, which is open to authorized personnel and members of the company.

More recently, security organizations such as SANS have been advocating an approach called Defense in Depth that calls for multiple layers of security, mixed brands of defense devices, and overlapping areas of security coverage to make network penetration significantly more difficult for attackers. In addition, the deployment of security devices within the intranet can help contain breaches of network security and limit the scope of an attack.

Extranets

The notion of an extranet is even blurrier than that of an intranet. It refers to the practice of allowing partners, whose network space is outside the company’s control, to use some of the resources available on the intranet, usually in the DMZ.

The extranet is a public portion of the company’s IT infrastructure that allows certain resources to be accessed by outside users, such as partners and resellers, with proper authorization and authentication. The DMZ serves as a security cushion between the extranet and the intranet. Although it is technically located within the intranet, the DMZ can serve as the extranet as well. Resources on the extranet trust and honor only requests that have been authenticated using a reliable authentication technology such as PKI or digital certificates.

Virtual Local Area Networks

A virtual local area network (VLAN) unites network nodes logically into the same broadcast domain regardless of whether they are physically connected to the same switch. A VLAN can create a logically stable environment when computers are not physically stationary or are not physically close. For example, network administrators and technical personnel may roam a large corporate campus but, regardless of where they plug in, still need access to their administrative resources.


Chapter 3 DEVICES, MEDIA, AND TOPOLOGY SECURITY 265

At the same time, a VLAN can split one broadcast domain into two or more domains that restrict access to certain network resources. This can be a handy addition to the company's user management and security strategy. Keep in mind that a VLAN only separates layer-2 broadcast domains; traffic between VLANs must pass through a router or layer-3 switch, and that is where access lists should be applied to enforce the separation.

VLANs are implemented using a technique known as tagging. The IEEE 802.1Q standard defines a tag (often called a Q-tag) that is inserted into the Ethernet frame header after the source address; it carries a 12-bit VLAN identifier (VID) along with a 3-bit priority field. VLAN-aware network devices look for the tag in each frame and make their forwarding decisions accordingly. A VLAN is therefore a logical construct: the switch is configured to associate each port with one or more VLAN identifiers, and a trunk port can carry frames for many VLANs, each distinguished by its tag.
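To make the tag mechanism concrete, here is an added example (my own code, not from the book) that pulls 802.1Q tags out of a raw Ethernet frame in Python. It also handles stacked (802.1ad "QinQ") tags and applies an assumed policy for a switch access port, which should never receive tagged frames; the sample frames, MAC addresses, and the policy are constructed for illustration.

```python
import struct

# EtherType values that announce a VLAN tag: the IEEE 802.1Q customer tag and
# the 802.1ad service tag used for stacked "QinQ" tagging.
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD}


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet frame with zero or more VLAN tags (outermost first).
    Each tag is (tpid, pcp, dei, vid); used here only to construct sample input."""
    header = dst + src
    for tpid, pcp, dei, vid in tags:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)   # tag control information
        header += struct.pack("!HH", tpid, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame: bytes) -> dict:
    """Walk the header of a raw frame and extract every VLAN tag it carries.

    Returns the MAC addresses, the list of tags (outermost first, each as
    (tpid, pcp, dei, vid)), the EtherType of the encapsulated protocol and
    the payload. Raises ValueError on truncated input instead of guessing.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType/TPID field")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in VLAN_TPIDS:
            break                      # not a tag: this is the real EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4                    # skip TPID + TCI and look again
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def access_port_violation(frame: bytes):
    """Policy check for a frame received on an access (untagged) port.

    Assumed policy, not any vendor's: an access port should never receive a
    tagged frame, because a host that can inject its own tag is choosing its
    own VLAN. Returns None when the frame is acceptable, otherwise a reason.
    """
    tags = parse_vlan_tags(frame)["tags"]
    if not tags:
        return None
    if len(tags) > 1:
        return "stacked VLAN tags (%d) on an access port" % len(tags)
    vid = tags[0][3]
    if vid in (0, 4095):
        return "reserved VID %d" % vid
    return "tagged frame for VLAN %d on an access port" % vid


if __name__ == "__main__":
    # Constructed sample frames: broadcast from a made-up MAC, 20-byte dummy payload.
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    body = b"\x45" + b"\x00" * 19
    for name, tags in [("untagged", []),
                       ("single tag", [(TPID_8021Q, 0, 0, 10)]),
                       ("QinQ", [(TPID_8021AD, 0, 0, 100), (TPID_8021Q, 5, 0, 20)])]:
        f = build_frame(dst, src, tags, 0x0800, body)
        print(name, parse_vlan_tags(f)["tags"], access_port_violation(f))
```

The parser keeps looping while the next two bytes are a known TPID, which is what lets it see a second tag hidden behind the first; a switch that only strips the outer tag would forward the inner one untouched, which is why the access-port check treats any stacked tag as a violation rather than trusting the outer VID.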

Network Address Translation

Network address translation (NAT) lets devices that use private IP address space communicate with the public Internet. A NAT device creates and maintains mappings between private addresses, which are invisible to the outside world, and public addresses that can communicate with external resources.

Private address ranges, defined in RFC 1918, are special ranges carved out of the class A, B, and C address space that any organization may use internally without registering them. Their key feature is that Internet routers do not forward traffic to or from these ranges, so they are commonly described as nonroutable on the Internet. If your organization is connected to the Internet, it is recommended that private address ranges be used on the LAN.

Private addressing through NAT provides three major benefits. First, routable address space is conserved, because the Internet community is running out of public IPv4 addresses. Second, because private addresses are not reachable from the Internet, it is harder (though not impossible) for intruders to reach hosts behind the perimeter directly. Third, if you change Internet service providers, your public IP addresses change but your private network addresses can remain the same.

As a security measure, NAT deprives intruders of the direct access to LAN workstations that they would have if those workstations used public IP addresses. Instead, intruders must get through the NAT device and, in most cases, a firewall that secures the Internet connection. NAT by itself is not a firewall, however: it says nothing about what outbound traffic is allowed, and every static mapping you create is a hole that exposes an inside host.


Workstations communicate with outside networks through the NAT device. Each outgoing request dynamically creates a mapping on the NAT device, and the NAT device forwards the request on the workstation's behalf, much like a proxy. When the reply arrives, it looks up the mapping and forwards the data to the original requester; an inbound packet for which no mapping exists is simply dropped. In the same fashion, static mappings can be created to instruct the NAT device to forward certain inbound requests to certain hosts on the inside network.

In a variation of NAT called port address translation (PAT), the idea is the same, but instead of creating one-to-one address mappings, the device creates mappings keyed on transport-layer ports, one layer up the OSI model. This is useful when IP addresses on the public interface of the NAT device are scarce: many internal addresses can be mapped to a single external address, with the individual flows told apart by the port numbers the device assigns.
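The two preceding paragraphs describe a translation table without showing one. The following Python model is an added example (mine, not any vendor's NAT implementation) of a PAT device with a single public address: outbound packets create dynamic mappings, replies are matched against them, unsolicited inbound packets are dropped, and a static mapping publishes a DMZ Web server. The addresses, ports, and the rule that only RFC 1918 sources are translated are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# RFC 1918 private ranges; this model refuses to translate anything else (assumed policy).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatDevice:
    """Port address translator with one public address (a teaching model only)."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self._next_port, self._last_port = first_port, last_port
        # dynamic: (proto, public_port) -> (inside_ip, inside_port, peer_ip, peer_port)
        self.dynamic = {}
        # reverse: (proto, inside_ip, inside_port, peer_ip, peer_port) -> public_port
        self.reverse = {}
        # static: (proto, public_port) -> (inside_ip, inside_port), e.g. a DMZ web server
        self.static = {}

    def add_static(self, proto: str, public_port: int, inside_ip: str, inside_port: int) -> None:
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def _allocate_port(self, proto: str) -> int:
        while self._next_port <= self._last_port:
            port, self._next_port = self._next_port, self._next_port + 1
            if (proto, port) not in self.dynamic and (proto, port) not in self.static:
                return port
        raise RuntimeError("translation table exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the inside interface; creates a mapping on first use."""
        if not is_private(pkt.src_ip):
            raise ValueError("refusing to translate non-RFC 1918 source %s" % pkt.src_ip)
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(key)
        if port is None:
            port = self._allocate_port(pkt.proto)
            self.reverse[key] = port
            self.dynamic[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving on the public interface, or return None to drop it.

        A dynamic mapping only admits replies from the peer the inside host
        talked to; anything else without a static mapping never reaches the LAN.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.static:
            inside_ip, inside_port = self.static[key]
        elif key in self.dynamic:
            inside_ip, inside_port, peer_ip, peer_port = self.dynamic[key]
            if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
                return None
        else:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


if __name__ == "__main__":
    # Constructed scenario: one public address, a DMZ web server published on port 80.
    nat = PatDevice("203.0.113.5")
    nat.add_static("tcp", 80, "10.1.20.10", 80)
    out = nat.outbound(Packet("10.0.0.7", 40000, "198.51.100.9", 443))
    print("outbound rewritten to", out)
    print("reply delivered to", nat.inbound(Packet("198.51.100.9", 443, "203.0.113.5", out.src_port)))
    print("unsolicited probe:", nat.inbound(Packet("192.0.2.1", 5555, "203.0.113.5", 3389)))
    print("web request via static map:", nat.inbound(Packet("192.0.2.1", 5555, "203.0.113.5", 80)))
```

The peer check in inbound() is the detail worth noticing: a translator that accepted any packet addressed to an allocated public port would let an outsider guess port numbers and reach inside hosts, which is exactly the direct access NAT is credited with removing.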

Variants of NAT also translate between address families, for example between IPv4 and IPv6 hosts, which can help interoperability in heterogeneous networks; this does not by itself add security. For terminology and a discussion of the issues NAT raises, see RFC 2663 at http://www.ietf.org/rfc/rfc2663.txt.

The private address ranges are as follows:

. Class A—10.0.0.0/8. Valid host IDs are from 10.0.0.1 to 10.255.255.254.

. Class B—172.16.0.0/12 (the networks 172.16.0.0 through 172.31.0.0). Valid host IDs are from 172.16.0.1 to 172.31.255.254.

. Class C—192.168.0.0/16 (the networks 192.168.0.0 through 192.168.255.0). Valid host IDs are from 192.168.0.1 to 192.168.255.254.

For companies that do not have and do not plan to have any Internet connectivity, any address range will work as long as it accommodates the company's host count, but using the private ranges anyway avoids renumbering if connectivity is added later.

Another address range to keep in mind when designing IP address space is Automatic Private IP Addressing (APIPA), which Microsoft implemented in Windows 98 and Windows 2000 clients. If such a workstation is configured as a DHCP client and no DHCP server answers its lease request, the client configures itself with an address from the 169.254.0.0/16 link-local block (169.254.0.1 to 169.254.255.254). These addresses are not routed either, so a host that has fallen back to APIPA is a sign of a DHCP failure rather than a usable configuration.

NOTE: NAT Does Not Work Well with IPSec

A NAT device must rewrite the IP headers (and, for PAT, the transport-layer ports) of the packets it forwards. IPSec is designed to detect exactly that kind of tampering: the Authentication Header's integrity check covers fields of the IP header, and with ESP the transport headers are encrypted, so the NAT device cannot see the ports it would need to translate. NAT traversal extensions for IPSec exist to work around this, but plain IPSec through a NAT device fails.


Tunneling

Tunneling, the technique underlying virtual private networking (VPN), poses some particular security challenges. When VPN traffic crosses a firewall, you must define a set of firewall rules that permits the tunnel protocol itself. Unfortunately, once a VPN tunnel is established it is treated as a communication channel that has already passed the necessary security checks; in most popular solutions, traffic inside the tunnel is not filtered by the firewall. After establishing the channel, a remote user could funnel any traffic through it, bypassing the rules the firewall enforces. Furthermore, when the tunnel is encrypted, filtering at the firewall is impossible anyway, because the firewall cannot see the contents of traffic that is encrypted end to end between the peers.

Some topological solutions are possible for these problems. One is to deploy the VPN host alongside an internal firewall and force the decrypted traffic to pass through that firewall before it reaches the LAN, so that the tunnel ends in a zone where normal filtering applies. Another is to use the VPN features built into some firewall products, such as the PIX and Check Point firewalls, so that the device that terminates the tunnel is also the one enforcing policy on the decrypted traffic. In addition, the threat of malicious traffic traveling through the VPN is greatly reduced if the remote host itself employs adequate security measures. This can require more IT support for remote users, especially less technically sophisticated ones, but it greatly enhances security.

NOTE: Creating VPN Solutions for Home Offices

When creating VPN solutions for telecommuting and working from home, keep in mind that forcing remote users' public Web and DNS traffic through the corporate application gateway can cause performance problems at higher volumes. Such a requirement means the client must send and receive large volumes of encrypted traffic that could travel directly between public Web sites and the remote client without passing through the corporate VPN channel. Encryption and decryption, unless performed by dedicated hardware, is resource intensive for both the client and the server. Be sure to factor in the costs of dedicated hardware or upgrades to existing hardware when evaluating solutions. The trade-off is that a client whose public traffic bypasses the tunnel (split tunneling) remains reachable from the Internet while it is also connected to the corporate network, so the performance gain must be weighed against the filtering you lose.

CASE STUDY: BRIGHT PICTURE SOLUTIONS, INC.

ESSENCE OF THE CASE

Here are the essential elements in this case:

. Secure the corporate environment using a set of firewalls.

. Set up a DMZ segment and place publicly accessible servers and services in that segment.

. Secure customer communications using any of the means discussed in Chapter 2. (This can include using public encryption algorithms and digital certificates for authentication purposes.)

. Plan, test, and implement a disaster recovery procedure, including tape backups.

. Ensure that the information stored on the backup tapes, in-house and offsite, is accessible only to authorized and cleared personnel, and ensure that security guidelines are honored.

. Secure the server room and communication patch panels, and implement user policies that mandate server-side information storage.


SCENARIO

Bright Picture Solutions, Inc. (BPS) is in the printing and publishing business. The company has several branches across the United States and offices in Canada, the UK, Germany, Hong Kong, Japan, and Australia. It serves retail customers through many specialty shop locations in major cities in these countries, and it deals with a large number of wholesale customers through the Internet and through wholesale printing and pickup outlets. Publishers can submit their work requirements and content through the Internet and pick it up or have it delivered. The company has experienced a fair amount of growth and expects continued growth.

BPS wants to achieve several objectives. First, it wants to ensure that its IT infrastructure is secured from Internet-based incursions. Second, the company wants to secure data feed transfers between its clients, partners, and the company. Third, the company wants to ensure business continuity in the event of a disaster by designing a comprehensive disaster recovery plan. This plan must also ensure that customer information and publishing materials will not be lost in the event of a system outage.

ANALYSIS

The process should begin with the company creating a secure network infrastructure. On the local LAN and in the DMZ, private address ranges should be used, with the DMZ servers reachable from outside only through static NAT mappings; this reduces the risk of potential intruders communicating directly with DMZ systems while bypassing the firewall and NAT devices.


All servers accessible to the public will go into the DMZ, and communications between these hosts and outside systems will be tightly screened by the firewalls. Encryption of communications with the company's clients and partners should be configured according to policy.

Partners need access to certain systems located in the DMZ, and they need more privileges and services made accessible to them than the retail customers who use the Web servers. This access effectively translates into an extranet concept, so in effect the company will be implementing extranet functionality in the DMZ segment.

A disaster recovery solution must be implemented to ensure that no single point of failure exists and that customer submissions and information databases are recoverable in case of a catastrophic failure. Tape backups should be planned to rotate on a weekly or bi-weekly basis, and archive tapes should be sent offsite for safe storage twice per month.

All server equipment must be locked down in a secure, ventilated, and humidity-controlled server room. The same requirements apply to cabling racks, patch panels, and network infrastructure equipment such as distribution and core switches and routers.


CHAPTER SUMMARY

This chapter provided an overview of the basic security concepts and controls administrators can use to secure physical devices and media. One of the most important topics, controlling who can access the network and how, was further expanded.

Firewalls are the focal points of overall network access policy. Several types of firewalls provide network security at various levels of the OSI model, but they are all designed for one purpose: to keep intruders out. Depending on their architecture, firewalls can recognize less complex attack patterns and alert administrators or take action to restrict all communications from the source of an attack. Firewalls can be used to implement three basic security topologies: a standalone security device; a standalone security device that talks only to one or more application gateways; and multiple security devices that turn a portion of the network into a secured, publicly accessible zone called a DMZ. Email, DNS, and Web servers are typically placed in the DMZ, where strict access rules apply to all incoming connections.

In addition to securing the network with physical devices, administrators must ensure that communication and storage media, as well as critical network devices, are secure. Cabling concentrators and infrastructure equipment must be locked in server rooms or wiring closets, and physical access to servers must be monitored, restricted, and tightly controlled.

Removable media security concerns most organizations because of backup technologies and the wide acceptance of magnetic tape as the de facto standard backup medium. Backup is one of the major components of a disaster recovery plan. Backup media must be properly labeled, guarded, and archived offsite. An archiving plan should also cover the decommissioning of archived backups, including destroying the data on retired media.

KEY TERMS

• Degaussing

• Demilitarized zone (DMZ)

• Extranet

• FCAPS

• Firewall

• Intranet

• Intrusion detection system (IDS)

• Magnetic overwrite

• Network address translation (NAT)

• Private branch exchange (PBX)

• Public switched telephone network (PSTN)

• Reconnaissance

• Remote monitoring (RMON)

• Router

• Shielded twisted pair (STP)

• Simple Network Management Protocol (SNMP)

• Switch

• Unshielded twisted pair (UTP)

• Virtual local area network (VLAN)


APPLY YOUR KNOWLEDGE

Exercises

3.1 Configuring Windows 2000 Server IP Filtering

This exercise demonstrates how to configure IP filtering on a Windows 2000 Server using the Local Security Settings MMC console. Windows 2000 has built-in security controls (IPSec policies with filter lists and filter actions) that can restrict certain traffic from reaching the server. This should not be used as an alternative to a dedicated firewall, but the idea is similar.

The following assumptions are made in this exercise: the server is a member server or a standalone box, there is a DMZ segment, the server was built to host the company Web site, and HTTPS is not being used (so only TCP port 80 needs to be reachable for Web traffic).

Estimated Time: 7 minutes

1. Select Start, Programs, Administrative Tools, Local Security Settings.

2. In the navigation tree, right-click IP Security Policies on Local Machine, and then select Manage IP Filter Lists and Filter Actions. The configuration applet appears.

3. Before you can define IP filter lists, you need to create a new filter action. Click the Manage Filter Actions tab.

4. On the Manage Filter Actions page, click Add. A wizard dialog box pops up. Click Next.

5. In the Name text box, type Block and click Next.

6. From the Filter Action list, select Block and click Next. Click Finish. The filter action for rejecting unwanted traffic is created. Now you can use it to define access lists.

7. Switch back to the Manage IP Filter Lists tab, and click Add. On the IP Filter List page, click Add again to define a new IP filter.

8. A wizard dialog box appears; click Next. In the Source Address drop-down box, select Any IP Address. Click Next.

9. In the Destination IP Address drop-down box, select My IP Address. Click Next.

10. In Protocol Type, select TCP and click Next.

11. On the IP Protocol Port page, leave the From This Port option unchanged (From Any Port). Click To This Port, type 80 for the Web server port, and click Next.

12. Click Finish. The IP filter for Web traffic has been created.

13. On the IP Filter List page, click Add again and repeat steps 8–12 to add a second filter, for port 3389, to the same list; this allows Terminal Services connections for remote server management.

14. When you're finished, type the name for your list and click Close. Click Close again to go back to the Local Security Settings MMC console.

15. Now that you have IP filter lists and filter actions defined, you can create an IP security policy. Right-click IP Security Policies on Local Machine and select Create IP Security Policy.

16. A wizard appears. Click Next. Type the name for your policy and click Next.

17. Uncheck the Activate the Default Response Rule check box and click Next. Click Finish to create the new policy; the policy properties window appears.

18. Uncheck the Use Add Wizard check box at the bottom of the page and click Add.

19. On the following page, select the All ICMP Traffic filter list and click the Filter Action tab. Select the Block action and click OK. Notice that the policy has been updated with the new rule.


20. Repeat steps 18 and 19 for the All IP Traffic filter list (assign the Block action) and for your custom IP filter list (assign the Permit action). Click Close to finish and return to the MMC. Note that the new policy appears in the right pane.

21. To activate the policy, right-click it and select Assign. The policy takes effect immediately. Now test from another host that the only traffic the box accepts is Web (TCP 80) and Terminal Services (TCP 3389) traffic; a port scan from the DMZ segment is a quick way to confirm it.

This exercise shows how to protect a Web server from receiving unwanted traffic. The policy works because Windows applies the most specific matching filter first: the narrow Permit filters for ports 80 and 3389 take precedence over the broad All IP Traffic block. If planned carefully, all servers of significance, at least in the DMZ, should have a similar control implemented as a second line of defense behind the firewall. This ensures that the servers are still hard to crack individually even if the firewall is compromised.

You can use the import/export feature of the IP Security Policies snap-in to define policies once per server type and then distribute them to other boxes with the same function, to save time. Note that this kind of filtering only keeps unwanted traffic away from the box; that is all it does. Web server security must still be considered and implemented separately, including hardening the Web server software and the Web applications the server runs, because port 80 remains open to everyone. For IP filtering to work, the IPSEC Policy Agent service must be running.

3.2 Configuring an IP Access List on a Cisco Router

This exercise is an extension of the previous exercise, and it demonstrates how to create a similar IP access list on a Cisco router.

This exercise assumes that a router running IOS software has a minimum of two network interfaces, one of which is connected to the Web server segment of the DMZ. The DMZ interface has an IP of 10.1.1.3/24, and the Web segment interface has an IP of 10.1.20.1/24.

Estimated Time: 5 minutes

1. Start a Telnet session and connect to the router's IP address (10.1.1.3). Log in and switch to privileged mode by typing enable. Keep in mind that Telnet sends the login and enable passwords in the clear; use SSH where the IOS image supports it, and restrict management access to the inside interface.

2. Enter configuration mode by typing config t.

3. Define an access list by issuing the following command:

access-list 110 permit tcp any 10.1.20.0 0.0.0.255 eq www

This command creates access list 110 (if no access list numbered 110 was previously defined) and adds a permit rule that allows Web traffic from any host to pass into the Web segment.

4. For detailed access-list usage syntax, type access-list ?.

5. You might want to add more traffic rules to allow Terminal Services management traffic in. For example, type the following:

access-list 110 permit tcp any 10.1.20.0 0.0.0.255 eq 3389

6. Don't forget that an implicit deny ip any any exists at the end of every IP access list, so anything not explicitly permitted is dropped. To make troubleshooting easier later, you might want to add this entry explicitly as the last line:

access-list 110 deny ip any any

Appending the log keyword to that entry makes denied packets show up in the router's logging output, which is the quickest way to see what the list is rejecting.

7. Enter DMZ interface configuration mode (assuming it is the first Ethernet interface on the box, type int e0).

8. To apply access list 110 to interface e0 so that it screens all traffic arriving on that interface (and drops anything not permitted before it can be forwarded to the Web segment interface), type ip access-group 110 in.

9. To save the configuration changes, exit the interface and terminal configuration modes and type write mem to copy the running configuration into the startup configuration. Test your setup.
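To check the semantics of the list built in this exercise before trusting it on a router, the following Python code is an added example (my own, not Cisco's implementation) that parses extended access-list entries of the form used above, applies IOS wildcard-mask matching, stops at the first matching entry, and falls through to the implicit deny. The packets it evaluates and the subset of port keywords it knows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Port keywords IOS accepts in place of numbers (subset; extend as needed).
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "telnet": 23, "domain": 53}

AddrSpec = Tuple[int, int]   # (address, wildcard mask), both as 32-bit ints


@dataclass
class AclEntry:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp", "icmp" or "ip" (ip matches any protocol)
    src: AddrSpec
    dst: AddrSpec
    dst_port: Optional[int]   # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return spec and next index."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_ace(line: str) -> AclEntry:
    """Parse one extended access-list line of the form used in the exercise:
    access-list <number> <permit|deny> <proto> <src> <dst> [eq <port>]"""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry: %r" % line)
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return AclEntry(t[2], t[3], src, dst, port)


def _matches(spec: AddrSpec, addr: int) -> bool:
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF     # wildcard bit 1 means "don't care", so invert it
    return (addr & care) == (net & care)


def evaluate(acl: List[AclEntry], proto: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a packet; the first matching entry wins.
    Falls through to the implicit 'deny ip any any' at the end of every IOS list."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_matches(e.src, s) and _matches(e.dst, d)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


if __name__ == "__main__":
    acl = [parse_ace("access-list 110 permit tcp any 10.1.20.0 0.0.0.255 eq www"),
           parse_ace("access-list 110 permit tcp any 10.1.20.0 0.0.0.255 eq 3389")]
    for pkt in [("tcp", "198.51.100.7", "10.1.20.15", 80),
                ("tcp", "198.51.100.7", "10.1.20.15", 22),
                ("udp", "198.51.100.7", "10.1.20.15", 80),
                ("tcp", "198.51.100.7", "10.1.21.15", 80)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Two things the evaluator makes visible that are easy to get wrong on the real device: ordering matters (a deny placed above the permits wins for the hosts it covers), and the wildcard 0.0.0.255 admits the whole 10.1.20.0/24 but nothing in 10.1.21.0/24, so a typo in the mask silently widens or narrows the hole.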


Review Questions

1. What is the purpose of a firewall and what are the three main architectures of firewalls?

2. What are the three basic security topologies created using firewalls?

3. What is the purpose of an IDS? How is it different from a firewall?

4. What are the main architectures of IDSs?

5. What is the purpose of access lists employed on routing devices?

6. Explain NAT functionality and the reasons for using NAT.

7. Describe the protocols used in network monitoring and management.

8. What are the basic physical access security controls? Explain each.

Exam Questions

1. Your company is in the process of setting up a DMZ segment. You have to allow file sharing and Windows management console traffic from internal systems to enter the DMZ segment. Which TCP ports do you have to open? (Choose two.)

A. 110

B. 139

C. 135

D. 161

E. 131

F. 23

2. Your company is in the process of setting up a DMZ segment. You have to allow FTP and Web browser requests from internal systems to enter the DMZ segment. Which TCP ports do you have to open? (Choose three.)

A. 20

B. 21

C. 25

D. 80

E. 110

F. 135

3. During regular security audits and log checking, you suspect that the organization is under attack and someone is using or is attempting to use resources on the internal network. You are confused because the IP addresses in the log files belong to trusted partner companies. Which of the following is likely to be happening?

A. Hijacking

B. Replaying

C. Spoofing

D. Social engineering

4. During regular security audits and log checking, you notice that one of your users is accessing files after midnight, when she is normally never active on the network outside normal business hours. When you ask her whether she has been working late at night, she denies having done so. Which of the following is most likely to explain what's occurring?

A. Hijacking

B. Replaying


C. Spoofing

D. Social engineering

5. You are securing the network with firewall technologies. You want to prevent certain types of traffic from certain IP addresses and subnets from entering your secured segment of the network. Which technology should be used to achieve this?

A. NAT

B. VLAN

C. Static packet filter

D. IDS

6. What type of firewall technique monitors the connection throughout the communication session, checking the validity of IP packet streams?

A. Static inspection

B. Stateful inspection

C. Dynamic inspection

D. Non-stateful inspection

7. Your company has a firewall that talks exclusively to an intermediary host that verifies the validity of requests at the Application level, authenticates and hides user identity, and serves as a communications portal. In addition to the firewall, what else is used in this setup?

A. Switch

B. Router

C. Subnet screener

D. Application gateway

Answers to Review Questions

1. A firewall is a hardware device or a software application installed at the border of a secured network for the purpose of examining and controlling incoming and outgoing network communications. Firewalls are the first line of network defense. The three basic firewall architectures are packet filtering, circuit level, and application level. A further type, stateful inspection, builds on all three by tracking the state of each connection rather than judging packets in isolation.

2. A bastion host is a dual-homed device (a device with two network interfaces). Any routing between the interfaces on that device is disabled, and specialized software (IP Security policies in Windows 2000, Cisco IOS access lists, and so on) is configured to allow certain types of traffic in while keeping the rest out of the network.

A screened host gateway is a packet-filtering device, usually also a router, which communicates only with a designated application gateway inside the secured network. No other traffic is allowed in or out of the screened host gateway. Basic functionality is the same as a bastion host: if a data stream is deemed safe (based on the configuration), it is forwarded to the application gateway, which then determines how to handle the stream.

A screened subnet gateway includes two screened host gateway devices that isolate the LAN from the Internet, creating what is known as a screened subnet or demilitarized zone (DMZ) between them. The architecture also includes a proxy server (bastion host). It is essentially a combination of the bastion host architecture and the screened host gateway architecture.


3. An IDS is an intrusion detection system. Its purpose is to detect known attack patterns in communication streams. An IDS is designed to detect more sophisticated attacks than a firewall can handle on the fly. Firewalls are designed to prevent attacks before they happen by keeping offending traffic out. If attackers are skilled enough to get through a tightly locked-down firewall, this is where the IDS comes into play: it detects attacks in progress that managed to penetrate the first line of defense. Usually an IDS does not prevent attacks but generates alarms about attacks in progress, acting as a safety net for the firewall.

4. IDSs are classified along three dimensions: active or passive response, host-based or network-based analysis, and anomaly-based or misuse (signature-based) analysis.

5. Access lists can be configured on routing devices to act much like packet-filtering firewalls. They should not be relied on as the only line of defense, but they are well suited to creating fallback mechanisms in the network in case of a firewall compromise, and to enforcing separation between internal segments.

6. NAT is used to translate between private, nonroutable addresses and public addresses for communication on the public network. This is achieved using mappings that the NAT device creates and maintains. Each outgoing request dynamically creates a mapping on the NAT device, which forwards the request on the requester's behalf, acting much like a proxy. When it gets the reply, the NAT device looks up the mapping and forwards the data back to the original requester. In the same fashion, static mappings can be created to instruct the NAT device to forward certain inbound requests to certain hosts on the inside network.

By using NAT, you conserve scarce public routable IP addresses and gain an additional layer of protection, because internal systems are not directly reachable at public addresses. Also, in the event of a service provider change, you do not have to renumber your internal networks.

7. The Simple Network Management Protocol (SNMP) was originally developed as an interim solution to the network management requirements of rapidly growing network infrastructures. Its purpose is to enable the exchange of management information between network nodes and a network management environment. Three versions of SNMP are available. In SNMPv1 and SNMPv2c the only credential is a community string sent in cleartext, so an eavesdropper can read the management data and, if the write community is exposed, reconfigure devices; SNMPv3 adds authentication and integrity protection (and optionally encryption) that the first two versions lack. The Remote Monitoring (RMON) specification can be considered an extension of the SNMP standard. It is based on standards similar to SNMP and relies on Management Information Base (MIB) structures and the SMI. The purpose of RMON is to deliver network information grouped into nine major monitoring elements. Availability of RMON statistics can prove pivotal in designing and assessing network security.

8. To secure infrastructure equipment from potential theft and unauthorized physical access, all vital equipment (servers, routers and switches, cable patch panels, modems, backup devices and removable media, and so on) must be kept in an isolated location with controlled and restricted access. This location must be ventilated and humidity-controlled and should be monitored by video surveillance systems.


Answers to Exam Questions

1. B, C. To enable file transfer using Windows sharing, traffic for port 139 (NetBIOS session service) needs to be allowed through the firewall. You might also consider opening ports 137 and 138 so NetBIOS name resolution works, but port 139 is sufficient for sharing if you plan to reference DMZ servers by IP address or use manual WINS entries or lmhosts files in the internal segment. Port 135 must be open to allow RPC traffic (remote procedure calls are used extensively by Windows management tools). Note that Windows 2000 and later can also carry SMB directly over TCP port 445 without NetBIOS; the answer choices do not list it, but in practice you would open it alongside 139. Open these ports only in the internal-to-DMZ direction and only from the management hosts that need them, because RPC and SMB are among the most attacked Windows services.

2. A, B, D. Ports 20 and 21 are associated with FTP, where 21 carries commands and 20 carries data in active-mode transfers. (In passive mode the data connection uses an ephemeral port chosen by the server, which is why FTP through a firewall usually needs stateful inspection of the control channel.) Port 80 is associated with HTTP, the protocol Web browsers use to send requests and receive responses. Port 25 (answer C) is associated with the Simple Mail Transfer Protocol and is not mentioned in the requirements. Port 110 (answer E) is associated with POP3, the protocol many email clients use to download email from a server to a local machine.

3. C. Spoofing is the most likely reason for this confusion. Spoofing allows attackers to misrepresent the source of requests and masquerade as valid sources. Hijacking (answer A) involves taking over an existing session by anticipating the next packet sequence values and "jumping into" a traffic stream before the legitimate user can respond. Replaying (answer B) involves capturing and reusing historical (previously legitimate) traffic to try to compromise security and gain unauthorized access. Social engineering (answer D) involves an attempt to talk human users into divulging access information (accounts, passwords, and so forth) to enable unauthorized users to compromise security and use legitimate credentials to gain access.

4. D. Social engineering involves an attempt to talk human users into divulging access information (accounts, passwords, and so forth) to enable unauthorized users to compromise security and use legitimate credentials to gain access. Somebody has obtained this user's account and password information and is using it to access resources to which she is entitled. At a bare minimum, disabling this account and providing her with a new account/password combination is warranted (and it might make sense to monitor the old account to try to locate or identify the malefactor). Hijacking (answer A) involves breaking into active sessions, which does not match the pattern you've observed. Replaying (answer B) involves capturing and replaying previous legitimate network activity to compromise system security; this doesn't match the pattern either. Spoofing (answer C) involves reporting a network address that doesn't actually match the intruder's real address; it doesn't match the pattern either.

5. C. Static packet filtering is the simplest solution available for basic filtering of network traffic based on source and destination addresses and protocol types.

6. B. Stateful inspection monitors the connection throughout the communication session, checking the validity of the IP packet stream.

7. D. An application gateway is used in some security topologies to act as the intermediary between users and services. Application gateways communicate with and service all requests through the firewall.


Suggested Readings and Resources

Online Material

1. HOW TO: Harden the TCP/IP Stack Against Denial of Service Attacks in Windows 2000 (http://support.microsoft.com/default.aspx?scid=kb;en-us;q315669).

2. Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls (http://csrc.nist.gov/publications/nistpubs/800-10/node1.html).

3. Local Area Detection of Incoming War Dial Activity (http://www.att.com/isc/docs/war_dial_detection.pdf).

4. White Paper: Internet Security for Small Businesses (http://www.cisco.com/warp/public/cc/pd/rt/800/prodlit/fire_wp.htm).

5. White Paper: The Science of Intrusion Detection System Attack Identification (http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/idssa_wp.htm).

Publications

1. Chappell, Laura. Advanced Cisco Router Configuration. Indianapolis, IN: Cisco Press, 1998.

2. Microsoft Corporation. Windows 2000 Server TCP/IP Core Networking Guide. Redmond, WA: Microsoft Press, 2002.
