Chapter 2
Technologies and Tools

COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE THE FOLLOWING:

  • 2.1 Install and configure network components, both hardware- and software-based, to support organizational security.
    • Firewall
      • ACL
      • Application-based vs. network-based
      • Stateful vs. stateless
      • Implicit deny
    • VPN concentrator
      • Remote access vs. site-to-site
      • IPSec
        • Tunnel mode
        • Transport mode
        • AH
        • ESP
      • Split tunnel vs. full tunnel
      • TLS
      • Always-on VPN
    • NIPS/NIDS
      • Signature-based
      • Heuristic/behavioral
      • Anomaly
      • Inline vs. passive
      • In-band vs. out-of-band
      • Rules
      • Analytics
        • False positive
        • False negative
    • Router
      • ACLs
      • Antispoofing
    • Switch
      • Port security
      • Layer 2 vs. Layer 3
      • Loop prevention
      • Flood guard
    • Proxy
      • Forward and reverse proxy
      • Transparent
      • Application/multipurpose
    • Load balancer
      • Scheduling
        • Affinity
        • Round-robin
      • Active-passive
      • Active-active
      • Virtual IPs
    • Access point
      • SSID
      • MAC filtering
      • Signal strength
      • Band selection/width
      • Antenna types and placement
      • Fat vs. thin
      • Controller-based vs. standalone
    • SIEM
      • Aggregation
      • Correlation
      • Automated alerting and triggers
      • Time synchronization
      • Event deduplication
      • Logs/WORM
    • DLP
      • USB blocking
      • Cloud-based
      • Email
    • NAC
      • Dissolvable vs. permanent
      • Host health checks
      • Agent vs. agentless
    • Mail gateway
      • Spam filter
      • DLP
      • Encryption
    • Bridge
    • SSL/TLS accelerators
    • SSL decryptors
    • Media gateway
    • Hardware security module
  • 2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization.
    • Protocol analyzer
    • Network scanners
      • Rogue system detection
      • Network mapping
    • Wireless scanners/cracker
    • Password cracker
    • Vulnerability scanner
    • Configuration compliance scanner
    • Exploitation frameworks
    • Data sanitization tools
    • Steganography tools
    • Honeypot
    • Backup utilities
    • Banner grabbing
    • Passive vs. active
    • Command line tools
      • ping
      • netstat
      • tracert
      • nslookup/dig
      • arp
      • ipconfig/ip/ifconfig
      • tcpdump
      • nmap
      • netcat
  • 2.3 Given a scenario, troubleshoot common security issues.
    • Unencrypted credentials/clear text
    • Logs and events anomalies
    • Permission issues
    • Access violations
    • Certificate issues
    • Data exfiltration
    • Misconfigured devices
      • Firewall
      • Content filter
      • Access points
    • Weak security configurations
    • Personnel issues
      • Policy violation
      • Insider threat
      • Social engineering
      • Social media
      • Personal email
    • Unauthorized software
    • Baseline deviation
    • License compliance violation (availability/integrity)
    • Asset management
    • Authentication issues
  • 2.4 Given a scenario, analyze and interpret output from security technologies.
    • HIDS/HIPS
    • Antivirus
    • File integrity check
    • Host-based firewall
    • Application whitelisting
    • Removable media control
    • Advanced malware tools
    • Patch management tools
    • UTM
    • DLP
    • Data execution prevention
    • Web application firewall
  • 2.5 Given a scenario, deploy mobile devices securely.
    • Connection methods
      • Cellular
      • WiFi
      • SATCOM
      • Bluetooth
      • NFC
      • ANT
      • Infrared
      • USB
    • Mobile device management concepts
      • Application management
      • Content management
      • Remote wipe
      • Geofencing
      • Geolocation
      • Screen locks
      • Push notification services
      • Passwords and pins
      • Biometrics
      • Context-aware authentication
      • Containerization
      • Storage segmentation
      • Full device encryption
    • Enforcement and monitoring for:
      • Third-party app stores
      • Rooting/jailbreaking
      • Sideloading
      • Custom firmware
      • Carrier unlocking
      • Firmware OTA updates
      • Camera use
      • SMS/MMS
      • External media
      • USB OTG
      • Recording microphone
      • GPS tagging
      • WiFi direct/ad hoc
      • Tethering
      • Payment methods
    • Deployment models
      • BYOD
      • COPE
      • CYOD
      • Corporate-owned
      • VDI
  • 2.6 Given a scenario, implement secure protocols.
    • Protocols
      • DNSSEC
      • SSH
      • S/MIME
      • SRTP
      • LDAPS
      • FTPS
      • SFTP
      • SNMPv3
      • SSL/TLS
      • HTTPS
      • Secure POP/IMAP
    • Use cases
      • Voice and video
      • Time synchronization
      • Email and web
      • File transfer
      • Directory services
      • Remote access
      • Domain name resolution
      • Routing and switching
      • Network address allocation
      • Subscription services

The Security+ exam will test your knowledge of security technology and tools both for the home office and in corporate environments. To pass the test and be effective in implementing security, you need to understand the concepts and terminology related to network and system security as detailed in this chapter. You will also need to be familiar with when and why to use various tools and technologies, given a scenario.

2.1 Install and configure network components, both hardware- and software-based, to support organizational security.

Security involves the implementation of hardware and software solutions designed to provide protection for the confidentiality, integrity, and availability of the IT infrastructure. There are a wide range of products you should be familiar with for the Security+ exam; this section reviews them.

Firewall

A firewall is a hardware or software component designed to protect one network from another (see Figure 2.1). Firewalls are deployed between areas of high and low trust, like a private network and a public network (such as the Internet), or between two networks that belong to the same organization but are used by different departments. Firewalls provide protection by controlling traffic entering and/or leaving a network.

FIGURE 2.1 A proxy firewall blocking network access from external networks. The diagram shows a proxy server separating the external network from an internal network of various machines.

Firewalls manage traffic using filters. A filter is just a rule or set of rules. Firewall filters can also be known as access control lists (ACLs) or tuples (collections of related data items). Firewalls usually have lots of filters, which are defined in a priority order. If a packet meets the identification criteria of a rule, the action of that rule is applied. If a packet doesn’t meet the criteria of a rule, no action from that rule is applied, and the next rule is checked.

The action of a filter rule is commonly allow, deny, or log. Allow rules let the packet continue toward its destination. Deny rules block the packet from going any further (effectively discarding it). The log action records information about the packet in a log file. Some firewalls use a first-match mechanism when applying rules: the first rule that applies to the packet is followed, and no other rules are considered. Thus, rules need to be placed in a priority order. Filter lists are created with the most specific and detailed rules first, followed by successively more general rules, until a final default universal rule is reached, which often specifies a denial. However, some firewalls (such as iptables) allow for multiple rule matches, or they apply a consolidated or accumulated result that is an amalgamation of all the rules that apply to the packet.

Firewalls following a first-match approach should have a final written rule of deny all. So any packet that does not otherwise meet a previous allow or deny rule will be discarded. Those following an amalgamation approach will not have a written deny rule; instead they have an implicit deny stance that any packet not specifically allowed will be discarded.

Therefore, if a packet fails to meet the criteria of an allow rule, the discard option will be applied. This way, only packets meeting the custom-defined allow filters or rules are allowed to cross the security barrier. In other words, firewalls are deny-by-default or implicit deny security tools.

There are four basic types of firewalls:

Packet Filter A packet filter firewall filters traffic based on basic identification items found in a network packet’s header. This includes source and destination IP address, port numbers, and protocols used. Packet-filtering firewalls operate at the Network layer (Layer 3) and the Transport layer (Layer 4) of the Open Systems Interconnection (OSI) model.

Circuit-Level Gateway A circuit-level gateway firewall filters traffic based on the connection between an internal trusted host and an external untrusted host. This monitoring occurs at either the Network layer (Layer 3) or the Session layer (Layer 5) of the OSI model. This type of firewall ensures that the packets involved in establishing and maintaining the circuit (a virtual circuit or session) are valid and used in the proper manner. Once a circuit-level gateway allows a connection, no further filtering on that communication is performed.

Application-Level Gateway An application-level gateway firewall filters traffic based on user access, group membership, the application or service used, or even the type of resources being transmitted. This type of firewall operates at the Application layer (Layer 7) of the OSI model. Such a firewall can be called a proxy. Application-level gateways are focused on the aspects of a specific application and protocol combination as well as the content of the conversation. An application-aware firewall provides filtering services for specific applications.

Stateful Inspection Firewall A stateful inspection firewall is aware that any valid outbound communication (especially related to TCP) will trigger a corresponding response or reply from the external entity. Thus, this type of firewall automatically creates a response rule for the response on the fly. But that rule exists only as long as the conversation is taking place. This is unlike the static packet filter firewall, which requires that both an outbound rule and an inbound rule be defined at all times.

Additionally, stateful inspection firewalls can retain knowledge of previous packets in a conversation in order to detect unwanted or malicious traffic that isn’t noticeable or detectable when evaluating only individual packets. This is known as context analysis or contextual analysis.

A stateful inspection firewall may also perform deep packet inspection, which is the analysis of the payload or content of a packet. This could even include virtual reassembly of the original (or final) payload through the recombination of the payloads across multiple packets.

Thus, a stateful inspection firewall can make more intelligent and complex filtering decisions based on higher-order information. One of the key functions of this type of firewall is to ensure that each packet is part of an established Transmission Control Protocol (TCP) communication session. All rogue, or unassociated, packets are blocked.

The first step in effectively designing, deploying, and implementing a firewall is to design or develop a firewall policy: a security policy that focuses on the purposes, uses, functions, and security of the firewalls in an organization. This policy clearly defines how the firewall should filter traffic and the types of traffic that should be blocked or allowed.

Most firewalls are deployed with at least two network interfaces. Such firewalls are called dual-homed (see Figure 2.2) or multihomed (for two or more NICs). Dual- or multihomed firewalls provide a clear security distinction between one network and another; thus, packets must successfully pass the filters of a firewall in order to move from one network to another. In this manner, firewalls provide strong and reliable security.

FIGURE 2.2 A dual-homed firewall segregating two networks from each other. The diagram shows a server with NIC A connected to network A and NIC B connected to network B; routing or IP forwarding must be disabled in the server’s operating system.

Some firewalls with three or more network interfaces can manage access to multiple networks simultaneously. A common deployment uses one of these additional network interfaces to connect to a demilitarized zone (DMZ). The DMZ hosts publicly accessible servers, such as web or File Transfer Protocol (FTP) servers. The firewall provides secured but public access to the DMZ, but it prevents unauthorized access to the private network. If such a multihomed firewall is compromised, only the systems in the DMZ are directly threatened or exposed.

When a port is opened in a firewall to allow a virtual private network (VPN) connection to take place, keep in mind that all encrypted data will pass through the firewall without being inspected or filtered. Unless the firewall can see the unencrypted data, perhaps as a VPN termination point, it can’t inspect the communication and, therefore, can’t provide filtering security.

An ingress filter is a traffic filter on packets coming into a secured area from outside (that is, inbound communications). An egress filter is a traffic filter on packets leaving a secured area toward the outside (outbound communications). Common ingress and egress filters perform the following functions:

  • Blocking inbound packets claiming to have an internal source address
  • Blocking outbound packets claiming to have an external source address
  • Blocking packets with source or destination addresses listed on a block list (a list of known malicious IPs)
  • Blocking packets that have source or destination addresses from the local area network (LAN) but haven’t been officially assigned to a host

Additional firewall rules are added to these common spoofing-prevention and common-sense protections based on the needs of the organization and the design of the infrastructure.
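The four ingress/egress checks in the list above, as an added worked example (not the book's code). The internal network 10.0.0.0/24, the assigned hosts, the block-list entry and the sample packets are all constructed for the demonstration.

```python
"""Ingress/egress anti-spoofing sanity filters.

Added example, not the book's code. The internal LAN, the officially assigned
hosts, the block list and the sample packets are all constructed.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]
# Hosts that have actually been assigned an address on the LAN (constructed).
ASSIGNED_HOSTS = {ipaddress.ip_address(a) for a in ("10.0.0.10", "10.0.0.11", "10.0.0.20")}
# Known-bad addresses (constructed placeholder, not a real indicator).
BLOCK_LIST = {ipaddress.ip_address("203.0.113.66")}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def check_packet(direction, src, dst):
    """Return None if the packet passes the sanity filters, else the reason it is dropped.

    direction is "ingress" (entering the secured LAN) or "egress" (leaving it).
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)

    # A block-listed source or destination is dropped regardless of direction.
    if src in BLOCK_LIST or dst in BLOCK_LIST:
        return "block-listed address"

    if direction == "ingress":
        # An inbound packet must not claim an internal source address (spoofing).
        if is_internal(src):
            return "inbound packet with internal source address"
        # Inbound traffic to the LAN should be addressed to a host that really exists.
        if is_internal(dst) and dst not in ASSIGNED_HOSTS:
            return "destination is on the LAN but not assigned to a host"
    elif direction == "egress":
        # An outbound packet must carry an internal source address ...
        if not is_internal(src):
            return "outbound packet with external source address"
        # ... and that address must belong to an assigned host.
        if src not in ASSIGNED_HOSTS:
            return "source is on the LAN but not assigned to a host"
    else:
        raise ValueError("direction must be 'ingress' or 'egress'")
    return None


# Constructed sample traffic: (direction, src, dst)
SAMPLE_PACKETS = [
    ("ingress", "198.51.100.7", "10.0.0.10"),   # normal inbound
    ("ingress", "10.0.0.5", "10.0.0.10"),       # spoofed internal source
    ("ingress", "198.51.100.7", "10.0.0.99"),   # unassigned LAN destination
    ("egress", "10.0.0.11", "198.51.100.7"),    # normal outbound
    ("egress", "192.168.1.1", "198.51.100.7"),  # spoofed external source
    ("egress", "10.0.0.10", "203.0.113.66"),    # block-listed destination
]


def run_samples():
    """Evaluate every sample packet; returns (direction, src, dst, verdict) tuples."""
    return [(d, s, t, check_packet(d, s, t)) for d, s, t in SAMPLE_PACKETS]


if __name__ == "__main__":
    for direction, src, dst, verdict in run_samples():
        print(f"{direction:7} {src:>14} -> {dst:<14} {verdict or 'allowed'}")
```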

ACL

Access control list (ACL) is a term that is normally used in the context of object permissions and privileges, but it is also used in relation to firewalls. The rules or filters on a firewall can be referred to as ACLs. Most cloud solutions or hosted systems use an ACL-based approach rather than traditional firewalling.

Application-based vs. network-based

An application firewall is a device, server add-on, virtual service, or system filter that defines a strict set of communication rules for a service and all users. It’s intended to be an application-specific server-side firewall to prevent application-specific protocol and payload attacks. A web application firewall is an example of an application firewall. It’s intended to be an application-specific firewall to prevent cross-site scripting, SQL injection, and other web application attacks.

A network firewall is a hardware device, typically called an appliance, designed for general network filtering. A network firewall is designed to provide broad protection for an entire network.

Both of these types of firewalls are important and may be relevant in many situations. Every network needs a network firewall. Many application servers need an application firewall. However, the use of an application firewall generally doesn’t negate the need for a network firewall. You should use both types in a series to complement each other, rather than seeing them as competitive solutions.

Stateful vs. stateless

A stateless firewall analyzes packets on an individual basis against the filtering ACLs. The context of the communication (that is, any previous packets) is not used to make an allow or deny decision on the current packet. A stateful firewall monitors the state or session of the communication; it evaluates previous packets and potentially other communications and conditions when making an allow or deny decision for the current packet. A stateful firewall considers the context of the communication, whereas a stateless firewall does not.

Implicit deny

Implicit deny is the default security stance and ensures that any communication not specifically granted access or privileges is denied access by default. A default-deny statement is implicit in the permission-management system and doesn’t need to be specifically defined. This may differ on firewall and router access rule sets when operating on a first-match apply basis. In this situation, a default deny-all rule is included as the last rule. Implicit deny is the default response when an explicit allow or deny isn’t present. In a firewall context where all rules are considered as a collective against traffic, no explicit deny-all rule is defined, since the traffic will be blocked by the implicit deny if it does not meet an allow rule.
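First-match ordering with a written deny-all, the implicit deny stance when no rule matches, and the on-the-fly response rule of a stateful firewall (from the "Stateful Inspection Firewall" and "Stateful vs. stateless" discussions), worked as an added example that is not the book's code. Addresses, ports and the rule set are constructed.

```python
"""First-match evaluation, explicit versus implicit deny, and stateful reply handling.

Added example, not the book's code. Addresses, ports and rules are constructed and
the firewall model is deliberately small (four match fields, TCP/UDP only).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the private network, "in" = entering it
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    direction: Optional[str] = None    # None on any field means "match anything"
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        for field in ("direction", "proto", "dst", "dport"):
            want = getattr(self, field)
            if want is not None and want != getattr(p, field):
                return False
        return True


def first_match(rules, packet) -> Tuple[str, Optional[Rule]]:
    """Stateless first-match: the first rule whose criteria fit decides and later rules
    are never consulted. With no match at all the implicit deny stance applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule
    return "deny", None


class StatefulFirewall:
    """Adds a state table to the rule list: the reply to an allowed outbound flow is
    admitted by the table, so no standing inbound rule has to be written for it."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # (proto, src, sport, dst, dport) of allowed conversations

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        if forward in self.flows or reply in self.flows:
            return "allow", "state table"
        action, rule = first_match(self.rules, p)
        if action == "allow":
            self.flows.add(forward)      # the temporary response rule created on the fly
        return action, "implicit deny" if rule is None else "explicit rule"

    def close(self, p: Packet) -> None:
        """Forget the flow when the conversation ends; the dynamic rule lives only that long."""
        self.flows.discard((p.proto, p.src, p.sport, p.dst, p.dport))


# Constructed rule set: most specific first, more general next, explicit deny-all last.
RULES = [
    Rule("deny", direction="out", dst="203.0.113.66"),        # block one specific destination
    Rule("allow", direction="out", proto="tcp", dport=443),   # general: HTTPS out
    Rule("deny"),                                             # final deny-all
]


def demo() -> dict:
    fw = StatefulFirewall(RULES)
    request = Packet("out", "tcp", "10.0.0.10", 51000, "198.51.100.7", 443)
    reply = Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.10", 51000)
    unsolicited = Packet("in", "tcp", "198.51.100.9", 40000, "10.0.0.10", 445)
    to_blocked = Packet("out", "tcp", "10.0.0.10", 51001, "203.0.113.66", 443)
    swapped = [RULES[1], RULES[0], RULES[2]]   # general allow placed before the specific deny
    return {
        "stateless_request": first_match(RULES, request)[0],        # allow
        "stateless_reply": first_match(RULES, reply)[0],            # deny: no inbound rule exists
        "stateful_request": fw.evaluate(request)[0],                # allow, flow recorded
        "stateful_reply": fw.evaluate(reply),                       # ("allow", "state table")
        "unsolicited_inbound": fw.evaluate(unsolicited)[0],         # deny
        "specific_first": first_match(RULES, to_blocked)[0],        # deny: specific rule is first
        "misordered": first_match(swapped, to_blocked)[0],          # allow: general rule now wins
        "no_deny_all_written": first_match(RULES[:2], unsolicited), # ("deny", None): implicit
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```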

VPN concentrator

A virtual private network (VPN) is a communication tunnel between two entities across an intermediary network. In most cases, the intermediary network is an untrusted network, such as the Internet, and therefore the communication tunnel is also encrypted. VPNs are discussed further in Chapter 3, “Architecture and Design,” in the section “Tunneling/VPN.”

A VPN concentrator is a dedicated hardware device designed to support a large number of simultaneous VPN connections, often hundreds or thousands. It provides high availability, high scalability, and high performance for secure VPN connections. With the ever-increasing need for secured communications, VPNs have become an essential tool for securing communications traversing private networks and the Internet.

A VPN concentrator can also be called a VPN server, a VPN gateway, a VPN firewall, a VPN remote access server (RAS), a VPN device, a VPN proxy, or a VPN appliance.

Remote access vs. site-to-site

A remote access VPN is a variant of the site-to-site VPN. The difference is that with a remote access VPN one endpoint is the single entity of a remote user that connects into an organizational network. A remote access VPN is also known as a host-to-site VPN. A site-to-site VPN is a VPN between two organizational networks. Both remote access VPNs and site-to-site VPNs are known as tunnel mode VPNs, and they offer link encryption. This means they provide encryption only when the traffic is inside the tunnel itself. In both types of tunnel mode VPN, on the side of the VPN that is a site or an organizational network, traffic exiting the tunnel will go back to plain text to traverse the private network.

The other main type of VPN is the transport mode VPN. It provides end-to-end encryption and can be described as a host-to-host VPN. In this type of VPN, all traffic is fully encrypted between the endpoints, but those endpoints are only individual systems, not organizational networks.

IPSec

Internet Protocol Security (IPSec) is a VPN protocol for IPv4 derived from the security features of IPv6. You can use IPSec in dial-up or network-to-network connections. When it’s employed over dial-up, it usually functions as the encryption protocol in an L2TP link. IPSec by itself is more suitable for network-to-network connections across normal LAN connections, high-speed WAN links, and the Internet.

IPSec isn’t a single protocol but rather a collection of protocols. Two of the primary protocols of IPSec are Authentication Header (AH) and Encapsulating Security Payload (ESP).

IPSec provides for encryption security using symmetric cryptography. This means communication partners use shared secret keys to encrypt and decrypt traffic over the IPSec VPN link. One of the mechanisms used by IPSec to manage cryptography is Internet Key Exchange (IKE); it ensures the secure exchange of secret keys between communication partners in order to establish the encrypted VPN tunnel. IKE is composed of three elements: Oakley, SKEME, and ISAKMP.

Oakley is a key generation and exchange protocol similar to Diffie-Hellman (see Chapter 6, “Cryptography and PKI”). Secure Key Exchange Mechanism (SKEME) is a means to exchange keys securely.

Internet Security Association and Key Management Protocol (ISAKMP) is used to organize and manage the encryption keys that have been generated and exchanged by Oakley and SKEME. A security association is the agreed-on method of authentication and encryption used by two entities. Without a common method of authentication, a VPN link can’t be established. So, ISAKMP is used to negotiate and provide authenticated keying material (a common method of authentication) for security associations in a secured manner. The four major functional components of ISAKMP are as follows:

  • Authentication of communications peers
  • Threat mitigation
  • Security association creation and management
  • Cryptographic key establishment and management

IPSec is a standard architecture set forth by the Internet Engineering Task Force (IETF) for setting up a secure channel to exchange information between two entities. The two entities could be two systems, two routers, two gateways, or any combination of entities. Although generally used to connect two networks, IPSec can be used to connect individual computers, such as a server and a workstation or a pair of workstations (sender and receiver, perhaps). IPSec doesn’t dictate all implementation details but is an open, modular framework that allows many manufacturers and software developers to develop IPSec solutions that work well with products from other vendors.

IPSec uses public-key cryptography to provide encryption, access control, nonrepudiation, and message authentication, all using Internet protocols. The primary use of IPSec is for VPNs, so IPSec operates in either transport or tunnel mode. IPSec is commonly paired with L2TP as L2TP/IPSec.

The IPSec protocol provides a complete infrastructure for secured network communications. It has gained widespread acceptance and is now offered in a number of commercial operating systems out of the box.

Tunnel mode

IPSec can operate in two modes: tunnel mode and transport mode. In tunnel mode, IPSec provides encryption protection for both the payload and message header by encapsulating the entire original LAN protocol packet and adding its own temporary IPSec header (see Figure 2.3).

FIGURE 2.3 IPSec’s encryption of a packet in tunnel mode. The diagram shows a packet consisting of an unencrypted IPSec header followed by the encrypted original IP header and the encrypted data payload.

Transport mode

In transport mode, IPSec provides encryption protection for just the payload and leaves the original message header intact (see Figure 2.4). You should use tunnel mode when you’re connecting over an untrusted network.

FIGURE 2.4 IPSec’s encryption of a packet in transport mode. The diagram shows a packet consisting of the unencrypted IP header, an unencrypted IPSec header, and the encrypted data payload.

AH

The Authentication Header (AH) provides assurances of message integrity and nonrepudiation. AH also provides authentication and access control and prevents replay attacks.

ESP

The Encapsulating Security Payload (ESP) provides confidentiality and integrity of packet contents. It provides encryption and limited authentication, and prevents replay attacks.
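Figures 2.3 and 2.4 and the AH/ESP descriptions above, worked as an added example (not the book's code and not a conforming IPSec implementation): it shows what an on-path observer can read in each mode, the integrity check that rejects a tampered packet, and the sequence-number window that defeats replays. The addresses, SPIs and keys are constructed, and the cipher is a stand-in for the negotiated algorithm.

```python
"""ESP-style encapsulation in tunnel and transport mode, plus the anti-replay window.

Added example, not a conforming IPSec implementation: the layout follows the figures
(outer IP header, ESP header, protected body, integrity check value), but IP headers
are reduced to source/destination and the cipher is an HMAC-SHA256 keystream stand-in
for the negotiated algorithm. Keys and addresses are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY_ENC = b"constructed-encryption-key-for-demo"
KEY_AUTH = b"constructed-integrity-key-for-demo"
ICV_LEN = 16


def ip_hdr(src, dst):
    """Stand-in for an IP header: just the two addresses, 8 bytes."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed


def parse_ip_hdr(b):
    return str(ipaddress.ip_address(b[:4])), str(ipaddress.ip_address(b[4:8]))


def keystream_xor(key, spi, seq, data):
    """Demo-only cipher: XOR with an HMAC-SHA256 keystream bound to SPI and sequence number."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack("!IIQ", spi, seq, off // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def esp_encapsulate(mode, spi, seq, src, dst, payload, gw_src=None, gw_dst=None):
    """Build the on-the-wire packet. Tunnel mode hides the original IP header inside the
    protected body behind a new outer header (gateway to gateway); transport mode keeps
    the original header in the clear and protects only the payload."""
    inner = ip_hdr(src, dst)
    if mode == "tunnel":
        outer, body = ip_hdr(gw_src, gw_dst), inner + payload
    elif mode == "transport":
        outer, body = inner, payload
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    esp_hdr = struct.pack("!II", spi, seq)            # SPI and sequence number travel in clear
    enc = keystream_xor(KEY_ENC, spi, seq, body)
    icv = hmac.new(KEY_AUTH, esp_hdr + enc, hashlib.sha256).digest()[:ICV_LEN]
    return outer + esp_hdr + enc + icv


def observer_view(pkt):
    """What someone on the path can read without the keys."""
    src, dst = parse_ip_hdr(pkt[:8])
    spi, seq = struct.unpack("!II", pkt[8:16])
    return {"src": src, "dst": dst, "spi": spi, "seq": seq,
            "hidden_bytes": len(pkt) - 16 - ICV_LEN}


class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (the RFC 4303 scheme)."""

    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq > self.highest:                          # new high-water mark: slide the window
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                                # too old, or already seen: a replay
        self.bitmap |= 1 << diff
        return True


def esp_receive(pkt, mode, window):
    """Verify the ICV, enforce anti-replay, then decrypt; returns (src, dst, payload) or None."""
    esp_hdr, enc, icv = pkt[8:16], pkt[16:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(KEY_AUTH, esp_hdr + enc, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                                     # integrity failure: drop unread
    spi, seq = struct.unpack("!II", esp_hdr)
    if not window.accept(seq):
        return None                                     # replayed or stale sequence number
    body = keystream_xor(KEY_ENC, spi, seq, enc)
    if mode == "tunnel":
        src, dst = parse_ip_hdr(body[:8])
        return src, dst, body[8:]
    src, dst = parse_ip_hdr(pkt[:8])
    return src, dst, body
```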


Split tunnel vs. full tunnel

A split tunnel is a VPN configuration that allows a VPN-connected system to access both the organizational network over the VPN and the Internet directly at the same time. The split tunnel thus simultaneously grants an open connection to the Internet and to the organizational network.

A full tunnel is a VPN configuration in which all of the client’s traffic is sent to the organizational network over the VPN link, and then any Internet-destined traffic is routed out of the organizational network’s proxy or firewall interface to the Internet. A full tunnel ensures that all traffic is filtered and managed by the organizational network’s security infrastructure.

TLS

Secure Sockets Layer (SSL) was developed by Netscape to provide client-server encryption for web traffic. HTTPS uses port 443 to negotiate encrypted communications sessions between web servers and browser clients. Although SSL originated as a standard for Netscape browsers, Microsoft also adopted it as a security standard for its popular Internet Explorer browser. The incorporation of SSL into both of these products made it the de facto Internet standard.

SSL relies on the exchange of server digital certificates to negotiate RSA encryption/decryption parameters between the browser and the web server. SSL’s goal is to create secure communications channels that remain open for an entire web browsing session.

SSL relies on a combination of symmetric and asymmetric cryptography. When a user accesses a website, the browser retrieves the web server’s certificate and extracts the server’s public key from it. The browser then creates a random symmetric key, uses the server’s public key to encrypt it, and sends the encrypted symmetric key to the server. The server then decrypts the symmetric key using its own private key, and the two systems exchange all future messages using the symmetric encryption key. This approach allows SSL to use the advanced functionality of asymmetric cryptography while encrypting and decrypting the vast majority of the data exchanged using the faster symmetric algorithm.

SSL forms the basis for a newer security standard, the Transport Layer Security (TLS) protocol, specified in RFC 2246. TLS is quickly surpassing SSL in popularity. SSL and TLS both support server authentication (mandatory) and client authentication (optional).

TLS has replaced SSL due to exploitable flaws discovered in SSL. Since November 2016, most browsers disable SSL by default and leave only TLS active. For further discussion on TLS (and SSL), see the section “SSL/TLS” later in this chapter.
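The settings the preceding paragraphs call for (SSL never negotiated, mandatory server authentication, optional client authentication), shown with Python's standard ssl module as an added example that is not the book's code; the client certificate and key paths are caller-supplied placeholders.

```python
"""A TLS client context reflecting the text: SSL never negotiated, server
authentication mandatory, client authentication optional.

Added example using Python's standard ssl module (not the book's code). The client
certificate and key paths are placeholders supplied by the caller.
"""
import ssl


def hardened_client_context(client_cert=None, client_key=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # TLS only: SSLv2/SSLv3 are never offered
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse TLS 1.0 and 1.1 as well
    ctx.check_hostname = True                       # server authentication is mandatory ...
    ctx.verify_mode = ssl.CERT_REQUIRED             # ... and must chain to a trusted CA
    ctx.load_default_certs()
    if client_cert:                                 # client authentication is optional
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def unverified_context():
    """The weak setting beside the corrected one: any server certificate is accepted and
    the oldest protocol version the library still supports may be negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def describe(ctx):
    """Summarise the security-relevant settings of a context for review or tests."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "server_authenticated": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }
```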

Always-on VPN

An always-on VPN is one that attempts to auto-connect to the VPN service every time a network link becomes active. Some always-on VPNs can be configured to engage only when an Internet link is established rather than a local network link, or only when a WiFi link is established rather than a wired link. Because using an open public Internet link, whether wireless or wired, is risky, an always-on VPN ensures that a secure connection is established every time the device attempts to reach online resources.

NIPS/NIDS

Intrusion detection is an important security capability. Intrusion detection systems (IDSs) are designed to detect the presence of an unauthorized intruder or unwanted activity. Generally, IDSs are used in a passive manner; they detect problems rather than eliminate them. Intrusion prevention systems (IPSs) are designed to detect attempts to gain unauthorized access and stop the attempts from becoming successful. IPSs are generally used more actively; they interact and interfere with communications of unwanted entities.

IDS and IPS security solutions are considered complementary to firewalls (see Figure 2.5). IDS and IPS systems can be two independent solutions, or one combined product.

FIGURE 2.5 An IDS and a firewall working together to secure a network. The diagram shows a video camera connected to the Internet through an IDS, the network, a firewall and an IPS, and a router.

There are two primary types of IDS/IPS: network (NIDS/NIPS) and host (HIDS/HIPS). A NIDS can detect malicious activity that occurs within the network (it doesn’t cross the firewall) and activity that is able to pass through the firewall. A HIDS can detect malicious activity that occurs on a single host.

The most common problem with an IDS/IPS, excluding misconfiguration, is the occurrence of false positives. A false positive occurs when legitimate traffic or user activity is mistaken for intruder activity.

A network-based IDS/IPS watches network traffic in real time (see Figure 2.6). It monitors network traffic patterns, scans packet header information, and may examine the contents of packets to detect security violations or attacks. A network-based IDS/IPS is reliable for detecting network-focused attacks, such as bandwidth-based denial-of-service (DoS) attacks. A NIDS/NIPS monitors network traffic, looking for any abnormal or malicious content. Based on what it detects and how it’s configured, it can respond in real time to notify administrators (a passive NIDS response) or interfere with any attack or intrusion attempts before they’re successful against the network or any internal targets (an active NIPS reaction). Most commonly, the response to malicious packets is to drop them, thus rendering their payloads ineffective. However, NIDS/NIPS can also be configured to disconnect sessions and reconfigure firewalls, as well as initiate alerts, expand monitoring, and quarantine intruders in honeypots or padded cells. A honeypot is a fictitious environment designed to fool attackers and intruders and lure them away from the private secured network (see the section “Honeypot” later in this chapter). A padded cell is a containment area that is activated only when an intrusion is detected.

FIGURE 2.6 A network-based IDS/IPS placement in a network determines what data will be analyzed. The diagram shows a shared network segment connected to the IDS, to the Internet via a router, and to the private network via a firewall; event data flows from the IDS to the NOC through a secured management channel.

A host-based IDS/IPS watches the audit trails and log files of a host system (see Figure 2.7). This type of IDS/IPS is limited to the auditing and logging capabilities of the host system (which includes the OS and installed applications and services). A host-based IDS/IPS can detect problems only if sufficient information is captured by the host’s auditing capabilities. It’s reliable for detecting attacks directed against a host, whether they originate from an external source or are perpetrated by a user locally logged into the host.

FIGURE 2.7 A host-based IDS/IPS interacting with the OS. The diagram shows a host system consisting of the IDS and the OS, connected to the network; the IDS and the OS feed an event database through a logging service, and the IDS also consults its own IDS database.

Common examples of HIDSs are antivirus software, antispyware scanners, and security anomaly detectors.

An IDS/IPS with active detection and response is designed to take the quickest action to reduce the potential damage caused by an intruder (see Figure 2.8). This response may include shutting down the server or just the affected service or disconnecting suspicious connections (see Figure 2.9 and Figure 2.10).

FIGURE 2.8 The components of an IDS/IPS working together to provide network monitoring. The diagram shows the flow of activity, events, alerts, security policy, active responses, notifications, and trends and reports between the administrator, operator, manager, analyzer, sensor, and data source.

FIGURE 2.9 IDS/IPS instructing TCP to reset all connections. The diagram shows the phases: network attack detection, an alert from the sensor, IDS/IPS alert detection, and the IDS/IPS command to the TCP/IP protocol suite to reset the TCP connection to the client.

FIGURE 2.10 IDS/IPS instructing the firewall to close port 80 for 60 seconds to thwart an Internet Information Services (IIS) attack. The diagram shows the phases: an attack on port 80 between the Internet and the firewall, an alert from the sensor, alert detection by the IDS/IPS, the IDS/IPS command to close port 80 for 60 seconds, and port 80 closed.

An IDS/IPS with passive detection and response takes no direct action against the intruder; instead, it may increase the amount of data being audited and recorded and notify administrators about the intrusion. An IDS/IPS is good at detecting DoS attacks; exploiting bugs, flaws, or hidden features; and port scanning. It isn’t reliable for detecting spoofed email. Passive IDS/IPS responses are usually unseen by intruders and don’t directly affect the violating activity, whereas active IDS/IPS responses are seen by intruders because they directly interrupt and interfere with violating activities.

Many tools are used for monitoring and overseeing the activities within the complex infrastructures of networks and systems, such as performance monitors, system monitors, IDSs, protocol analyzers, and so on. Many of these tools also support one or more methodologies of monitoring. These methodologies determine how a tool knows when a measurement or event is normal, abnormal, benign, malicious, and so on.

Signature-based

Signature-based detection (see Figure 2.11) compares event patterns against known attack patterns (signatures) stored in the IDS/IPS database. The strength of a signature-based system is that it can quickly and accurately detect any event from its database of signatures. However, the primary weakness of a signature-based system is that it’s unable to detect new and unknown activities or events. Thus, new zero-day attacks are unseen by a signature-based system. As new attacks are discovered and the pattern database is improved, the deployed signature-based tools need to have their local databases updated.

Diagram shows three phases of signature detection: attack on network, IDS analysis by looking for misuse or known attack signatures in a stored database, and response to firewall.

FIGURE 2.11 A signature-detection IDS/IPS in action

Heuristic/behavioral

A behavior-based monitoring or detection method relies on the establishment of a baseline or a definition of normal and benign. Behavior-based monitoring is a form of anomaly detection, but instead of using a database of rules to determine anomalies, a recording of real production activity is used. Once this baseline is established, the monitoring tool is able to detect activities that vary from that standard of normal. The strength of a behavior-based system is that it can detect any type of change or difference, including previously unseen and unknown issues such as zero-day intrusion attacks. However, a weakness of behavior-based monitoring is that defining what is normal is a very difficult challenge. Determining whether nonstandard activity is benign or malicious is also not easy, and often not possible, with an automated behavior-based tool.

Heuristic analysis functions by comparing suspicious or new programs against known examples of malware. This can be accomplished in many ways. One method is to run the suspicious program in a sandbox or virtual machine and watch its activities. If it exhibits activities similar enough to those of known malicious code, then it’s classified as malicious.

Another method is to decompile the new program and look for known malicious subroutines or duplicates of code sections from known malware. This method is known as static analysis.

Anomaly

Anomaly-based detection (see Figure 2.12) watches the ongoing activity in the environment and looks for abnormal occurrences. An anomaly-based monitoring or detection method relies on definitions of all valid forms of activity. This database of known valid activity allows the tool to detect any and all anomalies. Anomaly-based detection is commonly used for protocols. Because all the valid and legal forms of a protocol are known and can be defined, any variations from those known valid constructions are seen as anomalies. Anomaly detection is very effective at stopping abnormal events. However, the fact that traffic or events fall within normal values doesn’t necessarily mean the contents of that event or traffic aren’t malicious in nature.

Diagram shows three phases of anomaly-detection such as attack on firewall, analysis by IDS using artificial intelligence and network history database and notification to manager.

FIGURE 2.12 An anomaly-detection IDS/IPS using expert system technology to evaluate risks
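The following example, added here and not part of the book or any vendor’s product, shows the two detection methods described above side by side over a handful of constructed web-server log lines. The signature detector compares each line against a small database of known attack patterns (regular expressions stand in for IDS signatures), while the behavior detector learns a per-client request-rate baseline from a window of traffic assumed benign and flags clients that later exceed it. The signature names, thresholds, IP addresses and log lines are all assumptions made for the example.

```python
"""Added example (not from the book): signature-based versus behavior-based
detection run over constructed web-server log lines."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed signature database: signature name -> compiled pattern.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1"),
    "shell-metachar": re.compile(r"[;|`]"),
}

# Constructed sample traffic: "<client-ip> <method> <path> <status>".
TRAINING = [  # a clean window used to learn what "normal" looks like
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.7 GET /index.html 200",
    "10.0.0.7 GET /login 200",
]
WINDOW = [  # a later window containing two known-bad requests and one burst
    "10.0.0.5 GET /index.html 200",
    "10.0.0.9 GET /../../etc/passwd 404",
    "10.0.0.9 GET /login?user=admin'%20or%20'1'='1 200",
] + ["10.0.0.7 GET /search?q=%d 200" % i for i in range(12)]


def signature_scan(line):
    """Return the names of every signature that matches one log line.
    The URL is percent-decoded first, as an IDS preprocessor would do,
    so that encoded spaces cannot hide the pattern."""
    decoded = unquote(line)
    return [name for name, pat in SIGNATURES.items() if pat.search(decoded)]


def build_baseline(lines):
    """Learn per-client request counts from a window assumed to be benign."""
    return Counter(line.split()[0] for line in lines)


def behavior_scan(lines, baseline, factor=3, floor=5):
    """Flag clients whose request count in this window exceeds `factor` times
    their baseline count, or `floor` requests, whichever is larger.
    Returns (client, observed, limit) tuples."""
    counts = Counter(line.split()[0] for line in lines)
    flagged = []
    for client, observed in counts.items():
        limit = max(floor, factor * baseline.get(client, 0))
        if observed > limit:
            flagged.append((client, observed, limit))
    return flagged


def detect(window, baseline):
    """Run both detectors over a window. The known-bad requests are caught only
    by the signatures (their rate is normal); the burst is caught only by the
    baseline (no signature describes it)."""
    signature_hits = []
    for index, line in enumerate(window):
        hits = signature_scan(line)
        if hits:
            signature_hits.append((index, hits))
    return {"signature": signature_hits, "behavior": behavior_scan(window, baseline)}


if __name__ == "__main__":
    for kind, hits in detect(WINDOW, build_baseline(TRAINING)).items():
        print(kind, hits)
```

Run stand-alone, the script reports the traversal and SQL-tautology lines under the signature detector and the twelve-request burst from 10.0.0.7 under the behavior detector; neither detector alone sees both, which is the complementary strength and weakness the text describes.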

Inline vs. passive

An inline IPS has two interfaces and all traffic must traverse through the IPS. Traffic enters either interface, is evaluated by the IPS analysis engine, and then exits the other interface on its way to the destination. This technique enables the IPS to stop or block abusive traffic.

A passive IDS or IPS uses a promiscuous mode NIC to eavesdrop on network communication. A passive IDS is often deployed off the SPAN (Switched Port Analyzer) port on a switch, where it receives a copy of every communication occurring across the switch. Sometimes this port is called the auditing port, IDS port, or mirror port. This type of monitoring allows only for reactive responses to discovered problems, rather than proactive responses.

In-band vs. out-of-band

An in-band IDS is configured to monitor and filter both the pre-connect activities and the post-connect activities of each session. Pre-connect activities can include authentication as well as verifying compliance with minimal security requirements before a session is allowed to be established. Post-connect activities include traffic monitoring, content filtering, identity-based access controls, and ongoing verification that the connection that was granted is still valid and should be allowed to continue.

An out-of-band IDS is configured to perform pre-connect activity monitoring, but then not be involved with any post-connect activity monitoring.

Rules

IDS rules are used to define what is considered benign allowed traffic versus malicious/suspicious/abnormal disallowed traffic. Often anomaly detection is implemented through the defining of rules. Any event that meets a rule defining valid benign activity is allowed to occur, whereas any event that meets a rule defining suspicious activity is blocked, logged, or flagged for more detailed analysis.

Snort is an example of a rules-based NIDS. Snort uses a simple rule description language to craft rules that can have significant benefit in protecting a network from identified unwanted traffic. A Snort rule consists of a rule action (such as alert, log, or pass), a protocol (such as TCP or UDP), a source IP address, a source port number, a direction, a destination IP address, a destination port number, and finally what to do if a packet matches the rule’s requirements. Please see the online Snort rules documentation (http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node27.html) for more specific and non–exam-related information.
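To make the rule layout concrete, here is a small parser for the rule structure just described, added as an example and not taken from the book or from the Snort project. It splits a rule into the seven header fields (action, protocol, source address, source port, direction, destination address, destination port) and the parenthesized option list, then checks a packet’s 5-tuple against the header. The rule text, the `$HOME_NET`/`$EXTERNAL_NET` prefix assignments and the sample packets are constructed for the example; the `sid` value is a placeholder in the local-rule range, not a published signature.

```python
"""Added example (not from the book or the Snort project): parse the header
and option list of a Snort-style rule and test a packet against the header."""
import ipaddress
import re

HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
# One option: keyword, optional ":value" (quoted or bare), terminated by ";".
OPTION_RE = re.compile(r'\s*([\w.-]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

# Constructed variable bindings, in place of a snort.conf ipvar section.
VARIABLES = {"$HOME_NET": ["10.0.0.0/8"], "$EXTERNAL_NET": ["203.0.113.0/24"]}

# Constructed rule; sid 1000001 is a placeholder in the local-rules range.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"path traversal attempt"; content:"../"; nocase; '
               'sid:1000001; rev:1;)')


def parse_rule(rule):
    """Return a dict of the seven header fields plus an 'options' dict that
    maps each keyword to the list of values it was given (keywords such as
    content may repeat; a bare keyword such as nocase maps to [None])."""
    head, sep, rest = rule.strip().partition("(")
    if not sep or not rest.rstrip().endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    tokens = head.split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError("rule header needs %d fields, got %d" % (len(HEADER_FIELDS), len(tokens)))
    parsed = dict(zip(HEADER_FIELDS, tokens))
    if parsed["action"] not in ACTIONS:
        raise ValueError("unknown rule action %r" % parsed["action"])
    if parsed["direction"] not in ("->", "<>"):
        raise ValueError("direction must be -> or <>")
    body = rest.rstrip()[:-1].strip()
    options, pos = {}, 0
    while pos < len(body):
        match = OPTION_RE.match(body, pos)
        if not match:
            raise ValueError("malformed option near: %r" % body[pos:pos + 20])
        key, value = match.group(1), match.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]
        options.setdefault(key, []).append(value)
        pos = match.end()
    parsed["options"] = options
    return parsed


def _ip_ok(spec, ip, variables):
    """Match an address spec: 'any', a $VARIABLE, a CIDR, or '!' negation."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = variables.get(spec.lstrip("!"), [spec.lstrip("!")])
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate


def _port_ok(spec, port):
    """Match a port spec: 'any', a single port, a lo:hi range, or '!' negation."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return hit != negate


def header_matches(rule, proto, src_ip, src_port, dst_ip, dst_port, variables=VARIABLES):
    """True if the packet's 5-tuple satisfies the rule header ('<>' matches
    either direction). Option matching against payload is out of scope here."""
    if rule["protocol"] not in ("ip", proto):
        return False
    forward = (_ip_ok(rule["src_ip"], src_ip, variables) and _port_ok(rule["src_port"], src_port)
               and _ip_ok(rule["dst_ip"], dst_ip, variables) and _port_ok(rule["dst_port"], dst_port))
    if forward or rule["direction"] == "->":
        return forward
    return (_ip_ok(rule["src_ip"], dst_ip, variables) and _port_ok(rule["src_port"], dst_port)
            and _ip_ok(rule["dst_ip"], src_ip, variables) and _port_ok(rule["dst_port"], src_port))


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule)
    print(header_matches(rule, "tcp", "203.0.113.7", 51515, "10.1.2.3", 80))
```

The parser deliberately validates the action and direction fields, since a typo there silently changes what a rule does (a rule whose action is misspelled would never fire), and it keeps repeated keywords as lists because a real rule often carries several `content` matches.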

Analytics

IDS analytics is the review, investigation, and understanding of the results from an IDS. An IDS classifies an event or traffic as either benign or malicious and, in turn, either triggers an alarm/response or does not. This allows for four possible result states from an IDS: two true states (true negative and true positive), in which the IDS judged correctly, and two false states (false positive and false negative), in which it did not. The most desired is the true negative, in which only benign events are occurring and no alarms are sounding. The second most desired state is the true positive, when malicious events are occurring and the alarm is sounding.

False positive

The third state occurs when a benign event triggers an alarm; this is a false positive. It is undesired because it wastes response resources, time, and attention and, if it occurs repeatedly, could cause the quality of the IDS to be doubted, resulting in future alarms being ignored. Care must be taken to ensure that response teams always respect the IDS alarms even after repeated false positives. Please see the “False Positive” section in Chapter 1 for more discussion on this topic.

False negative

The fourth state occurs when a malicious event does not trigger an alarm—a false negative. This is the worst possible state, because harm is actively occurring and it remains unknown. Thus, there is no response to the harm, so it continues to occur. This type of state cannot be directly addressed, since it is the unknown unknown. The only response is to continue to improve and tune the detection of the IDS in hopes that it will minimize the occurrences of this state.
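The following example, added here and not from the book, turns the four result states into a scoring exercise: each constructed event carries the suspicion score an IDS might assign and a ground-truth label, and the alarm threshold is swept to show that tuning moves errors between the false-positive and false-negative columns rather than removing them. The scores, labels and thresholds are all assumptions made for the example.

```python
"""Added example (not from the book): the four IDS result states and the
false-positive / false-negative trade-off made by a detection threshold."""

# Constructed: (suspicion score reported by the IDS, whether the event was really malicious)
EVENTS = [
    (0.10, False), (0.20, False), (0.35, False), (0.55, False), (0.62, False),
    (0.30, True), (0.45, True), (0.70, True), (0.85, True), (0.95, True),
]


def outcome(alarm, malicious):
    """Map (did the IDS alarm?, was the event malicious?) to one of the four states."""
    if malicious:
        return "TP" if alarm else "FN"
    return "FP" if alarm else "TN"


def confusion(events, threshold):
    """Count the four states when the IDS alarms on any score >= threshold."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for score, malicious in events:
        counts[outcome(score >= threshold, malicious)] += 1
    return counts


def rates(counts):
    """Return (false-positive rate, false-negative rate).
    FPR = FP / all benign events; FNR = FN / all malicious events."""
    benign = counts["FP"] + counts["TN"]
    malicious = counts["FN"] + counts["TP"]
    fpr = counts["FP"] / benign if benign else 0.0
    fnr = counts["FN"] / malicious if malicious else 0.0
    return fpr, fnr


def sweep(events, thresholds):
    """For each threshold, report (threshold, FP, FN) so the trade-off is visible:
    a lower threshold alarms more (FN falls, FP rises), a higher one alarms less."""
    rows = []
    for t in thresholds:
        c = confusion(events, t)
        rows.append((t, c["FP"], c["FN"]))
    return rows


if __name__ == "__main__":
    for t, fp, fn in sweep(EVENTS, [0.25, 0.5, 0.65]):
        print("threshold %.2f: false positives=%d false negatives=%d" % (t, fp, fn))
```

The sweep is the point: at the strictest threshold the false positives vanish but two malicious events go unnoticed, which is exactly the unknown-unknown state the text warns about, and the only evidence that it exists is ground truth gathered after the fact (incident reports, red-team results, or a second sensor), which is why tuning must be an ongoing activity.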

Router

A router (see Figure 2.13) is used to connect several network segments. Routers enable traffic from one network segment to traverse into another network segment (see Figure 2.14). However, the traffic must pass through the router’s filters in order to make the transition. A router with access control lists (ACLs) can be considered a simple firewall.


FIGURE 2.13 A router connecting two networks, such as a LAN to a WAN


FIGURE 2.14 A corporate network implementing routers for segmentation and security

Routers direct traffic based on a routing table and grant or deny access using ACLs, such as rules or filters. The routing table informs the router which direction to transmit a received packet based on the best-known pathway (route).

Routers can manage traffic for both inbound and outbound communications. The router’s collection of information about the network is stored in a routing table. The routing table can be managed statically or by dynamic routing protocols.

A secure router configuration is one in which malicious or unauthorized route changes are prevented. This can be done using a few simple settings:

  • Set the router’s administrator password to something unique and secret.
  • Set the router to ignore all Internet Control Message Protocol (ICMP) type 5 redirect messages.
  • Use a secure routing protocol that requires authentication and data encryption to exchange route data.
  • Preconfigure the IP addresses of other trusted routers with which routing data can be exchanged.
  • Configure management interfaces to operate only on internal interfaces, use secure protocols, and potentially be accessible only on dedicated networks.

With these simple precautions, you can improve the security of a router’s configuration. For more advanced router configuration tips, see the CIS benchmarks and configuration guides at https://www.cisecurity.org/cis-benchmarks.

ACLs

Access control lists (ACLs) are used to define who is allowed or denied permission to perform a specified activity or action. ACLs are commonly associated with object access but also apply to communications. In many cases, firewalls, routers, and even switches can use ACLs as a method of security management. In fact, the rules of these devices can be called ACLs or filters. It’s all roughly the same concept. As with many other security control mechanisms, ACLs deny by default and allow by exception. If a user/IP/device is present in an ACL (specifically an access control entry [ACE], which is a single line in an ACL), then the specified action or activity is either allowed or denied.

Antispoofing

Antispoofing rules or ACLs can be added to a router in order to drop communications that are obviously false. These rules simply indicate that if the source address of a packet does not exist within the subnet from which the traffic is originating, then it is spoofed and should be dropped. Antispoofing rules are most effective on routers managing traffic crossing the internal-to-external boundary. Any outbound traffic that does not originate from an internal IP address and any inbound traffic that does not originate from an external IP address can be dropped because it is spoofed.
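The following example, added here and not taken from the book or from any router vendor’s configuration syntax, models the two mechanisms of the ACLs and Antispoofing sections together: a list of access control entries evaluated first-match-wins with an implicit deny at the end, preceded by the boundary antispoofing check (inbound packets must not carry an internal source, outbound packets must). The internal prefixes, the entries and the sample packets are constructed; 203.0.113.0/24 is a documentation range standing in for the Internet side.

```python
"""Added example (not from the book): a boundary router filter with
antispoofing checks, first-match ACL evaluation and an implicit deny."""
import ipaddress

# Constructed: prefixes assigned to the internal network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_spoofed(direction, src_ip):
    """Antispoofing rule at the internal-to-external boundary: a packet arriving
    from outside must not claim an internal source, and a packet leaving must."""
    internal = is_internal(src_ip)
    return internal if direction == "inbound" else not internal


class Ace:
    """One access control entry; a field left as None matches anything."""

    def __init__(self, action, proto=None, src=None, dst=None, dport=None):
        self.action = action
        self.proto = proto
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None
        self.dport = dport

    def matches(self, pkt):
        return ((self.proto is None or self.proto == pkt["proto"])
                and (self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and (self.dst is None or ipaddress.ip_address(pkt["dst"]) in self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))


def evaluate_acl(acl, pkt):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, "ace %d" % index
    return "deny", "implicit deny"


# Constructed ACLs: only web traffic is allowed in to one server subnet; any
# genuinely internal source may talk out. The explicit telnet deny is redundant
# with the implicit deny but gives that traffic its own counter/log line.
INBOUND_ACL = [
    Ace("permit", "tcp", dst="10.1.1.0/24", dport=443),
    Ace("permit", "tcp", dst="10.1.1.0/24", dport=80),
    Ace("deny", "tcp", dport=23),
]
OUTBOUND_ACL = [
    Ace("permit", src="10.0.0.0/8"),
    Ace("permit", src="192.168.0.0/16"),
]


def filter_packet(direction, pkt):
    """Apply antispoofing first, then the direction's ACL.
    Returns (verdict, reason)."""
    if is_spoofed(direction, pkt["src"]):
        return "deny", "antispoofing"
    acl = INBOUND_ACL if direction == "inbound" else OUTBOUND_ACL
    return evaluate_acl(acl, pkt)


if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        ("inbound", {"proto": "tcp", "src": "203.0.113.5", "dst": "10.1.1.10", "dport": 443}),
        ("inbound", {"proto": "tcp", "src": "10.9.9.9", "dst": "10.1.1.10", "dport": 443}),
        ("inbound", {"proto": "tcp", "src": "203.0.113.5", "dst": "10.1.1.10", "dport": 22}),
        ("outbound", {"proto": "udp", "src": "203.0.113.99", "dst": "203.0.113.5", "dport": 53}),
    ]
    for direction, pkt in samples:
        print(direction, pkt["src"], "->", pkt["dst"], pkt["dport"], filter_packet(direction, pkt))
```

Keeping the antispoofing check ahead of the ACL matters: an inbound packet forged with an internal source would otherwise be judged only by the entries, and an entry written as "permit from 10.0.0.0/8" with the internal network in mind would let it through.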

Switch

A switch (see Figure 2.15) is a networking device used to connect many other devices together and potentially implement traffic management on their communications.


FIGURE 2.15 Switching between two systems

Switches generally link individual hosts, but they can also be used to link networks together. Switches receive signals in one port and transmit them out the port where the intended recipient is connected. Switches accomplish this traffic-control task by maintaining a table of the media access control (MAC) addresses of devices located off each switch port. The switch examines the source MAC address of each packet it receives and records the MAC address and the related port in its CAM (Content Addressable Memory) table. Thus the CAM table is dynamic and is constantly being updated. The switch analyzes the header of each packet it receives to determine the destination MAC address and then transmits each packet only out the port where that MAC address is known to reside. If a MAC address is encountered that isn’t known (it’s not in the CAM table), the unknown destination packet is transmitted out all ports except the ingress port.

Switches are good defenses against sniffing attacks from random clients within a network. Sniffing is the act of capturing network traffic for analysis; sniffing attacks occur when sniffing is done without authorization. Switches transmit messages only on those specific network links between the source and destination systems.

A sniffer can only intercept traffic that happens to be transmitted on the segment it’s connected to. Thus, using switches instead of hubs is a great defense against sniffing.

However, there are logical and physical attacks to overcome this protection. If a hacker can gain physical access, he can connect to the audit/monitor/mirror ports or reconfigure the switch to obtain full access to all the data it sees. If a hacker has only logical (network) access to the switch, then a MAC flooding attack can overload a switch’s CAM table in order to drop valid MAC addresses and populate the table with invalid MAC addresses.

When this attack is successful, the switch may revert to a hub-like fault-tolerance mode, transmitting data out all ports instead of only a single port. This type of attack is often called active sniffing, because the hacker has to attack the switch (or sometimes hosts on the network with Address Resolution Protocol [ARP] flooding attacks) to obtain access to all network traffic. Advanced switches have native IDS-like detection and defense features to prevent MAC flooding attacks from being successful.

Port security

Port security in IT can mean several things. It can mean the physical control of all connection points, such as RJ-45 wall jacks or device ports (such as those on a switch, router, or patch panel), so that no unauthorized users or unauthorized devices can attempt to connect into an open port. This can be accomplished by locking down the wiring closet and server vaults and then disconnecting the workstation run from the patch panel (or punch-down block) that leads to a room’s wall jack. Any unneeded or unused wall jacks can (and should) be physically disabled in this manner. Another option is to use a smart patch panel that can monitor the MAC address of any device connected to each wall port across a building and detect not just when a new device is connected to an empty port, but also when a valid device is disconnected or replaced by an invalid device.

Another meaning for port security is the management of TCP and User Datagram Protocol (UDP) ports. If a service is active and assigned to a port, then that port is open. All the other 65,535 ports (of TCP or UDP) are closed if a service isn’t actively using them. Hackers can detect the presence of active services by performing a port scan. Firewalls, IDSs, IPSs, and other security tools can detect this activity and either block it or send back false/misleading information. This measure is a type of port security that makes port scanning less effective.

Port security can also refer to port knocking, a security system in which all ports on a system appear closed. However, if the client sends packets to a specific set of ports in a certain order, a bit like a secret knock, then the desired service port becomes open and allows the client software to connect to the service. Port knocking doesn’t prevent a hacker from eavesdropping on the port-knocking sequence and repeating it, but it does defeat the use of port scanners that randomly target Internet-facing systems.

Port security can also refer to the need to authenticate to a port before being allowed to communicate through or across the port. This may be implemented on a switch, router, smart patch panel, or even a wireless network. This concept is often referred to as IEEE 802.1x. See the section “IEEE 802.1x” in Chapter 4, “Identity and Access Management.”

Layer 2 vs. Layer 3

A switch is normally a Layer 2 device since it manages traffic based on the MAC address. A switch can create VLANs to segment off communications to only members of the same VLAN. But when cross-VLAN communications are needed, a Layer 3 switch can be used; it provides routing between its own VLANs. Thus, a Layer 3 switch includes some router capabilities that it can offer to its VLANs.

Loop prevention

A loop in networking terms is a transmission pathway that repeats itself. It’s the network equivalent of going around in a circle. The problem with looping in a network environment is that it wastes resources, specifically network throughput capacity. Loops can occur at Layer 2 and at Layer 3, typically related to Ethernet and IP, respectively.

Ethernet looping is resolved using the Spanning Tree Protocol (STP) on the bridges and switches of a network. STP learns all available paths and then makes traffic-management decisions that prevent looping pathways. Effectively, STP erects transmission blockades to prevent loops from being created.

IP resolves looping using a different technique. Instead of preventing the use of pathways that cause looping, IP controls the distance a packet travels before it’s discarded. So, instead of preventing loops, IP minimizes the amount of looping before packets are terminated. This is controlled using a countdown timer in the IP header, specifically the time-to-live (TTL) value. The TTL is set at an initial OS-specific default (for example, the Windows TTL is now 128 but was 32 in some older versions, whereas the TTL on Linux systems ranges from 64 to 255), and then each router decrements the TTL as it retransmits the IP packet. When a router receives a packet whose TTL has a value of 1, that router stops forwarding the packet toward its destination and sends an error message back to the source address (“ICMP Type 11—Time Exceeded”).

Flood guard

A flood guard is a defense against flooding or massive-traffic DoS attacks. The purpose of a flood guard is to detect flooding activity and then automatically begin blocking it. This prevents this type of malicious traffic from entering a private network.

Floods can be used in a variety of attack variations. One form of flood attack can be used to overload a switch in order to break VLAN segmentation. This is accomplished by flooding a switch with Ethernet frames with randomized source MAC addresses. The switch will attempt to add each newly discovered source MAC address to its CAM table. Once the CAM table is full, older entries will be dropped in order to make room for new entries. Once the CAM is full of only false addresses, the switch is unable to properly forward traffic, so it reverts to flooding mode, where it acts like a hub or a multiport repeater and sends each received Ethernet frame out of every port. This effectively violates VLAN segmentation, which relies on the switch only sending frames out the ports that are members of the correct VLAN. Flood guards are often effective at minimizing this risk, whether the attack origin is internal or external.

The formal command floodguard in the Cisco IOS can be used to enable or disable Flood Defender, the Cisco solution that addresses flooding attacks.
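The following simulation, added here and not from the book or from any switch vendor’s code, models the CAM-table behaviour described in the Switch and Flood guard sections: the switch learns source MAC addresses per port, forwards known destinations out a single port, floods unknown ones, and, when the table is full, drops the oldest entries. A simplified flood guard then caps how many new addresses a single port may introduce and disables the port when the cap is exceeded. The port names, table capacity, guard limit and MAC addresses are constructed; real port-security features differ in detail (aging timers, per-VLAN limits, the exact violation action).

```python
"""Added example (not from the book): a CAM-table model showing how a flood of
unknown source MACs degrades a switch into hub-like flooding, and how a
per-port limit on newly learned addresses (a simplified flood guard) prevents it."""
from collections import OrderedDict, defaultdict


class Switch:
    def __init__(self, ports, cam_capacity, guard_limit=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.guard_limit = guard_limit        # None disables the flood guard
        self.cam = OrderedDict()              # mac -> port, oldest entry first
        self.learned_on = defaultdict(int)    # new MACs seen per port
        self.disabled = set()                 # ports shut by the guard
        self.evictions = 0                    # valid entries pushed out by a full table

    def _learn(self, port, mac):
        if mac in self.cam:
            self.cam[mac] = port              # refresh the port, keep table position
            return
        self.learned_on[port] += 1
        if self.guard_limit is not None and self.learned_on[port] > self.guard_limit:
            self.disabled.add(port)           # guard tripped: stop learning from this port
            return
        if len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)      # table full: oldest entry is dropped
            self.evictions += 1
        self.cam[mac] = port

    def receive(self, port, src_mac, dst_mac):
        """Process one frame; return the list of egress ports it is sent out of."""
        if port in self.disabled:
            return []
        self._learn(port, src_mac)
        if port in self.disabled:
            return []
        known_port = self.cam.get(dst_mac)
        if known_port == port:
            return []                          # destination is on the ingress segment
        if known_port is not None:
            return [known_port]                # normal switched delivery
        return [p for p in self.ports if p != port and p not in self.disabled]  # flood


def demo(guard_limit):
    """Constructed scenario: two legitimate hosts A (port p1) and B (port p2),
    then ten frames with never-before-seen source MACs arriving on p3.
    Returns the egress ports chosen for a later unicast B -> A, the number of
    CAM evictions, and the ports the flood guard disabled."""
    mac_a, mac_b = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    sw = Switch(["p1", "p2", "p3"], cam_capacity=4, guard_limit=guard_limit)
    sw.receive("p1", mac_a, mac_b)            # A learned on p1; B unknown, flooded
    sw.receive("p2", mac_b, mac_a)            # B learned on p2; A known -> p1 only
    for i in range(10):
        sw.receive("p3", "02:00:00:00:00:%02x" % i, "ff:ff:ff:ff:ff:ff")
    egress = sw.receive("p2", mac_b, mac_a)
    return egress, sw.evictions, sorted(sw.disabled)


if __name__ == "__main__":
    print("no guard:   ", demo(None))   # A was evicted, so B -> A is flooded to p1 and p3
    print("guard_limit=2:", demo(2))    # p3 is disabled after its third new MAC; B -> A goes to p1
```

Without the guard, the unicast from B to A ends up on every port, which is the condition the text describes as hub-like flooding, and any VLAN separation the switch was enforcing is lost with it. With the guard, the offending port is disabled after a small number of new addresses and the legitimate entries survive; the eviction counter is the kind of statistic a monitoring system would alert on.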

Proxy

A proxy server is a variation of an application firewall or circuit-level firewall. A proxy server is used as a proxy or middleman between clients and servers. Often a proxy serves as a barrier against external threats to internal clients. This is usually performed by utilizing network address translation (NAT). NAT hides the Internet Protocol (IP) configuration of internal clients and substitutes the IP configuration of the proxy server’s own public external network interface card (NIC) in outbound requests. This effectively prevents external hosts from learning the internal configuration of the network. A proxy server typically has the default setting to ignore all external queries and only manage communications that are responses from previous queries. In addition to features such as NAT, proxy servers can provide caching and site or content filtering.

Forward and reverse proxy

A forward proxy is a standard proxy that acts as an intermediary or middleman for queries of external resources. A forward proxy handles queries from internal clients when accessing outside services. A reverse proxy provides the opposite function; it handles inbound requests from external systems to internally located services. A reverse proxy is similar to the functions of port forwarding and static NAT.

Transparent

If a client is not configured (Figure 2.16, left) to send queries directly to a proxy but the network routes outbound traffic to a proxy anyway, then a transparent proxy is in use. A nontransparent proxy is in use when a client is configured (Figure 2.16, right) to send outbound queries directly to a proxy.


FIGURE 2.16 The configuration dialog boxes for a transparent (left) vs. a nontransparent (right) proxy

Application/multipurpose

An application proxy or an application-specific proxy is a proxy server configured to handle the communications for a single application and its related protocols. For example, a web application proxy is designed to manage only HTTP- and HTTPS-based communications. An application proxy operates at Layer 7, where it is able to handle the payloads of a specific application and related application-layer protocols.

A multipurpose proxy is not limited to a single application or set of protocols but can provide proxy functions for any application and protocol. A multipurpose proxy operates at Layers 3 and 4, where it manages communications based on IP address and/or port number.

Load balancer

A load balancer is used to spread or distribute network traffic load across several network links or network devices. The purpose of load balancing is to obtain optimal infrastructure utilization, minimize response time, maximize throughput, reduce overloading, and eliminate bottlenecks. Although load balancing can be used in a variety of situations, a common implementation is spreading a load across multiple members of a server farm or cluster. A load balancer might use a variety of techniques to perform load distribution, as described in Table 2.1.

TABLE 2.1 Common load-balancing techniques

Random choice: Each packet or connection is assigned a destination randomly.

Round robin: Each packet or connection is assigned the next destination in order, such as 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, and so on.

Load monitoring: Each packet or connection is assigned a destination based on the current load or capacity of the targets. The device/path with the lowest current load receives the next packet or connection.

Preferencing: Each packet or connection is assigned a destination based on a subjective preference or known capacity difference. For example, suppose system 1 can handle twice the capacity of systems 2 and 3; in this case, preferencing would look like 1, 2, 1, 3, 1, 2, 1, 3, 1, and so on.

Load balancing can be either a software service or a hardware appliance. Load balancing can also incorporate many other features, depending on the protocol or application, including caching, Secure Sockets Layer (SSL) offloading, compression, buffering, error checking, filtering, and even firewall and IDS capabilities.

Scheduling

Scheduling or load balancing methods are the means by which a load balancer distributes the work, requests, or loads among the devices behind it. Scheduling can be very basic, such as round-robin, or highly advanced and sophisticated, such as monitoring devices’ reported loads, response times, active sessions, and other aspects of performance in order to maintain optimal workload distribution.

Affinity

Affinity is a configured preference for a client request to be sent to a specific server within the cluster or device cloud managed by the load balancer. Affinity is implemented using information gathered from layers below the Application layer (Layer 7) to preference a client request to a specific server. Persistence is when Application layer information is used to associate a client with a specific server. Although persistence is more accurate in ensuring that the desired server handles a specific client, implementation of persistence is not always possible, so affinity is used instead. Persistence ensures that a request is handled by a specific server, but affinity is an attempt to cause a server to handle a specific request.

Round-robin

Round-robin is one of the basic forms of load balancing, in which each next request or load is handed to the next server in line. For example, if there are four servers, then the requests are distributed in order to server 1, then server 2, then server 3, then server 4, then again to server 1. This pattern is the same way you pass out cards to play games like poker or Go Fish.
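The following scheduler, added here and not from the book or from any load-balancer product, implements the techniques of Table 2.1 together with the affinity and persistence distinction of the Affinity section over a constructed server pool. Round robin, random choice and least-load follow the table directly. For preferencing it uses the smooth weighted round-robin algorithm (the approach used by nginx; an assumption about how to realize the table’s weighted example): with weights 2:1:1 it yields the order 1, 2, 3, 1 per cycle rather than the book’s 1, 2, 1, 3, but server 1 receives the same doubled share. Affinity hashes the client IP (information below Layer 7), while persistence remembers the server chosen for a Layer 7 session identifier.

```python
"""Added example (not from the book): load-balancer scheduling methods,
source-IP affinity and session persistence over a constructed server pool."""
import hashlib
import random


class Scheduler:
    def __init__(self, servers, weights=None, seed=0):
        self.servers = list(servers)
        self.weights = weights or {s: 1 for s in self.servers}
        self.load = {s: 0 for s in self.servers}       # active connections per server
        self._rr_index = 0                              # round-robin position
        self._current = {s: 0 for s in self.servers}    # smooth weighted round-robin state
        self._rng = random.Random(seed)                 # seeded so the example is repeatable
        self._sessions = {}                             # persistence table: session id -> server

    def random_choice(self):
        return self._rng.choice(self.servers)

    def round_robin(self):
        """Hand each new request to the next server in line, like dealing cards."""
        server = self.servers[self._rr_index % len(self.servers)]
        self._rr_index += 1
        return server

    def weighted(self):
        """Preferencing via smooth weighted round-robin: every server gains its
        weight, the highest accumulator is chosen and pays back the total, so a
        weight-2 server is picked twice as often but never starves the others."""
        total = sum(self.weights[s] for s in self.servers)
        for s in self.servers:
            self._current[s] += self.weights[s]
        best = max(self.servers, key=lambda s: self._current[s])  # first max wins ties
        self._current[best] -= total
        return best

    def least_load(self):
        """Load monitoring: the server with the fewest active connections wins."""
        return min(self.servers, key=lambda s: (self.load[s], self.servers.index(s)))

    def affinity(self, client_ip):
        """Source-IP affinity (below Layer 7): the same client address always
        hashes to the same server, without the balancer keeping any state."""
        digest = hashlib.sha256(client_ip.encode()).digest()
        return self.servers[int.from_bytes(digest[:8], "big") % len(self.servers)]

    def persistence(self, session_id, fallback):
        """Layer 7 persistence: the first request of a session is scheduled by
        `fallback` and the choice is recorded; later requests reuse it."""
        if session_id not in self._sessions:
            self._sessions[session_id] = fallback()
        return self._sessions[session_id]


if __name__ == "__main__":
    rr = Scheduler(["s1", "s2", "s3", "s4"])
    print("round robin:", [rr.round_robin() for _ in range(6)])
    pref = Scheduler(["s1", "s2", "s3"], weights={"s1": 2, "s2": 1, "s3": 1})
    print("preferencing:", [pref.weighted() for _ in range(8)])
    lb = Scheduler(["s1", "s2", "s3"])
    lb.load.update({"s1": 3, "s2": 0, "s3": 3})
    print("least load:", lb.least_load())
    print("affinity:", lb.affinity("198.51.100.23"), lb.affinity("198.51.100.23"))
    print("persistence:", lb.persistence("sess-1", lb.round_robin), lb.persistence("sess-1", lb.round_robin))
```

The affinity/persistence pair shows the trade-off the text describes: affinity costs nothing to store but breaks when many clients sit behind one NAT address (they all land on one server), while persistence pins a client exactly but needs a session table and visibility into the application layer.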

Active-passive

An active-passive system is a form of load balancing that keeps some pathways or systems in an unused, dormant state during normal operations. If one of the active elements fails, then a passive element is brought online and takes over the workload for the failed element. This technique is used when the level of throughput or workload needs to be consistent between normal states and failure states.

Active-active

An active-active system is a form of load balancing that uses all available pathways or systems during normal operations. In the event of a failure of one or more of the pathways, the remaining active pathways must support the full load that was previously handled by all. This technique is used when the traffic levels or workload during normal operations need to be maximized, but reduced capacity will be tolerated during times of failure.

Virtual IPs

Virtual IP addresses are sometimes used in load balancing; an IP address is perceived by clients and even assigned to a domain name, but the IP address is not actually assigned to a physical machine. Instead, as communications are received at the IP address, they are distributed in a load-balancing schedule to the actual systems operating on some other set of IP addresses.

Access point

Wireless networking has become common on both corporate and home networks. Properly managing wireless networking for reliable access as well as security isn’t always easy. This section examines various wireless security issues.

Wireless cells are the areas in a physical environment where a wireless device can connect to a wireless access point. Wireless cells can leak outside the secured environment and allow intruders easy access to the wireless network. You should adjust the strength of the wireless access point (WAP) to maximize authorized user access and minimize intruder access. Doing so may require unique placement of WAPs, shielding, and noise transmission.

802.11 is the IEEE standard for wireless network communications. Various versions (technically called amendments) of the standard have been implemented in wireless networking hardware, including 802.11a, 802.11b, 802.11g, and 802.11n. 802.11x is sometimes used to collectively refer to all of these specific implementations as a group; however, 802.11 is preferred because 802.11x is easily confused with 802.1x, which is an authentication technology independent of wireless. Each version or amendment of the 802.11 standard has offered slightly better throughput: 2 Mbps, 11 Mbps, 54 Mbps, and 200+ Mbps, respectively, as described in Table 2.2. The 802.11 standard also defines Wired Equivalent Privacy (WEP), which provides eavesdropping protection for wireless communications.

TABLE 2.2 802.11 wireless networking amendments

Amendment   Speed       Frequency
802.11      2 Mbps      2.4 GHz
802.11a     54 Mbps     5 GHz
802.11b     11 Mbps     2.4 GHz
802.11g     54 Mbps     2.4 GHz
802.11n     200+ Mbps   2.4 GHz or 5 GHz
802.11ac    1.3 Gbps    5 GHz
802.11ad    7 Gbps      60 GHz

Wireless networking has made networking more versatile than ever before. Workstations and portable systems are no longer tied to a cable but can roam freely around an office or environment—anywhere within the signal range of the deployed WAPs. However, this freedom comes at the cost of additional vulnerabilities. Wireless networks are subject to the same threats and risks as any cabled network, plus there are the additional issues of distance eavesdropping and packet sniffing as well as new forms of DoS and intrusion.

When you’re deploying wireless networks, you should deploy WAPs configured to use infrastructure mode rather than ad hoc mode. Ad hoc mode means that any two wireless networking devices, including two wireless network interface cards (NICs), can communicate without a centralized control authority. Infrastructure mode means that a WAP is required, wireless NICs on systems can’t interact directly, and the restrictions of the WAP for wireless network access are enforced.

Infrastructure mode includes several variations, including stand-alone, wired extension, enterprise extended, and bridge. A stand-alone mode infrastructure occurs when there is a WAP connecting wireless clients to each other but not to any wired resources. The WAP serves as a wireless hub exclusively. A wired extension mode infrastructure occurs when the WAP acts as a connection point to link the wireless clients to the wired network. An enterprise extended mode infrastructure occurs when multiple WAPs are used to connect a large physical area to the same wired network. Each WAP uses the same extended service set identifier (ESSID) so that clients can roam the area while maintaining network connectivity, even if their wireless NICs change associations from one WAP to another. A bridge mode infrastructure occurs when a wireless connection is used to link two wired networks. This often uses dedicated wireless bridges and is used when wired bridges are inconvenient, such as when linking networks between floors or buildings.

The IEEE 802.11 standard defines two methods that wireless clients can use to authenticate to WAPs before normal network communications can occur across the wireless link. These two methods are open system authentication (OSA) and shared key authentication (SKA). OSA means no real authentication is required. As long as a radio signal can be transmitted between the client and WAP, communications are allowed. It’s also the case that wireless networks using OSA typically transmit everything in clear text, thus providing no secrecy or security. SKA means that some form of authentication must take place before network communications can occur. The 802.11 standard defines one optional technique for SKA known as Wired Equivalent Privacy (WEP). More information about wireless encryption is located in the Chapter 6 section “Given a scenario, install and configure wireless security settings.”

SSID

Wireless networks are assigned an SSID (either BSSID or ESSID) to differentiate one wireless network from another. If multiple base stations or WAPs are involved in the same wireless network, an ESSID is defined. The SSID is similar to the name of a workgroup. If a wireless client knows the SSID, it can configure its wireless NIC to communicate with the associated WAP. Knowledge of the SSID doesn’t always grant entry, though, because the WAP can use numerous security features to block unwanted access. SSIDs are defined by default by vendors, and because these default SSIDs are well known, standard security practice dictates that the SSID should be changed to something unique before deployment.

The SSID is broadcast by the WAP via a special transmission called a beacon frame. This allows any wireless NIC within range to see the wireless network and make connecting as simple as possible. However, this default broadcasting of the SSID should be disabled to keep the wireless network secret. Even so, attackers can still discover the SSID with a wireless sniffer, because the SSID must be used in transmissions between wireless clients and the WAP. Thus, disabling SSID broadcasting isn’t a true security mechanism. Instead, use WPA2 as a reliable authentication and encryption solution rather than trying to hide the existence of the wireless network.

MAC filtering

A MAC filter is a list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all unauthorized devices. Although it’s a useful feature to implement, it can only be used in environments with a small (fewer than 20), static set of wireless clients. Additionally, a hacker with basic wireless hacking tools can discover the MAC address of a valid client and then spoof that address onto their attack wireless client.

Signal strength

Some WAPs provide a physical or logical adjustment of the antenna power levels. Power-level controls are typically set by the manufacturer to a setting that is suitable for most situations. However, if, after performing site surveys and adjusting antenna placement, wireless signals are still not satisfactory, you may need to adjust the power levels. Keep in mind that changing channels, avoiding reflective and signal-scattering surfaces, and reducing interference can often be more significant in improving connectivity reliability.

When adjusting power levels, make minor adjustments instead of attempting to maximize or minimize the setting. Also, take note of the initial/default setting so you can return to that setting if desired. After each power-level adjustment, reset/reboot the WAP before re-performing the site survey and quality tests. Sometimes, lowering the power level can improve performance.

Band selection/width

WiFi band selection should be based on the purpose or use of the wireless network as well as the level of existing interference. For external networks, 2.4 GHz is often preferred because it can provide good coverage over a distance but at slower speeds; 5 GHz is often preferred for internal networks because it provides higher throughput rates (but less coverage area). Higher-frequency radio waves do not penetrate solid objects, such as walls and furniture, as well as lower-frequency waves do, so the 5 GHz band is best suited for open internal environments.

As discussed and illustrated in the Chapter 1 section “Wireless Channels,” each frequency band is divided into channels. With 2.4 GHz, it is important to select a channel that has little or no interference, because the channels are spaced 5 MHz apart but each channel is used at a width of 22 MHz. Thus, any 2.4 GHz channel interferes with the three channels above and below it. The 5 GHz band is divided into channels 20 MHz wide, which are spaced 20 MHz apart, so there is no interference between adjacent channels. This also allows adjacent channels to be bonded to create wider channels, which in turn supports faster data throughput.

Antenna types and placement

A wide variety of antenna types can be used for wireless clients and base stations. Many devices’ standard antennas can be replaced with stronger (signal-boosting) antennas.

The standard straight or pole antenna is an omnidirectional antenna that can send and receive signals in all directions perpendicular to the line of the antenna itself. This is the type of antenna found on most base stations and some client devices. It’s sometimes also called a base antenna or a rubber duck antenna (because most such antennas are covered in a flexible rubber coating).

Most other types of antenna are directional: they focus their sending and receiving capabilities in one primary direction. Some examples of directional antennas include Yagi, cantenna, panel, and parabolic. A Yagi antenna is similar in structure to a traditional roof TV antenna; it’s crafted from a straight bar with cross sections to catch specific radio frequencies in the direction of the main bar. Cantennas are constructed from tubes with one sealed end. They focus along the direction of the open end of the tube. Some of the first cantennas were crafted from Pringles cans. Panel antennas are flat devices that focus from only one side of the panel. Parabolic antennas are used to focus signals from very long distances or weak sources.

Antenna placement should be a concern when you’re deploying a wireless network. Don’t fixate on a specific location before a proper site survey has been performed. Place the WAP and/or its antenna in a likely position, and then test various locations for signal strength and connection quality. Only after you confirm that a potential antenna placement provides satisfactory connectivity should it be made permanent.

Consider the following guidelines when seeking optimal antenna placement:

  • Use a central location.
  • Avoid solid physical obstructions.
  • Avoid reflective or other flat metal surfaces.
  • Avoid electrical equipment.

If a base station has an external omnidirectional antenna, typically it should be positioned pointing straight up vertically. If a directional antenna is used, point the focus toward the area of desired use. Keep in mind that wireless signals are affected by interference, distance, and obstructions.

Fat vs. thin

A fat access point is a base station that is a fully managed wireless system, which operates as a stand-alone wireless solution. A thin access point is little more than a wireless transmitter/receiver, which must be managed from a separate external centralized management console. Most of the management functions have been shifted to an offloading management device so the wireless access point only has to handle the radio signals. The benefit of using thin access points is that management, security, routing, filtering, and more can be concentrated in one location, while there may be dozens or more deployed thin access points throughout a facility. Most fat access points require device-by-device configuration and thus are not as flexible for enterprise use.

Controller-based vs. standalone

Controller-based wireless access points are thin access points that are managed by a central controller. A stand-alone access point is a fat access point that handles all management functions locally on the device.

SIEM

A centralized application to automate the monitoring of network systems is essential to many organizations. There are many terms used to describe such a solution, including Security Information and Event Management (SIEM), Security Information Management (SIM), and Security Event Management (SEM). An entire organization’s IT infrastructure can be monitored through real-time event analysis using these types of enterprise-level monitoring systems. SIEM can use triggers or thresholds that oversee specific features, elements, or events and that send alerts or initiate alarms when specific values or levels are breached. This can be seen as a more advanced system than that provided by SNMP (Simple Network Management Protocol). SNMP focuses on pulling information from network devices; however, it can use trap messages to inform the management console when an event or threshold violation occurs on a monitored system.

SIEMs can be used to monitor the activity of a cluster of email servers. As the email servers log events, the SIEM agent monitors the log for events of interest. If one is noticed, then the SIEM agent forwards the details of the event to the central management SIEM system. The master SIEM analysis engine determines the severity of the event and whether it relates to other recent events, and it may trigger either a notification to be sent to an administrator or an alarm requesting immediate response. An example of SIEM operating to prevent a problem from becoming significant enough to interrupt mission-critical communications would be if an email server begins to have a backlog of unprocessed messages due to a strong surge or increase in inbound messages. The SIEM can notice this change in normal operations and inform the administrators long before the situation becomes a DoS and the system fails to keep up with communications or begins to drop, delete, overwrite, or otherwise lose messages.

SIEMs typically have a wide range of configuration options that allow IT personnel to select which events and occurrences are of importance to the organization. Thus, SIEM allows for customization of monitoring and alerting based on the organization’s specific business processes, priorities, and risks. A SIEM solution will include agents for any type of server and may include hooks into network appliances, such as switches, routers, firewalls, IDSs, IPSs, VPNs, and WAPs (Figure 2.17). Thus, a SIEM is an important monitoring and analysis tool for large organizations with a wide variety of systems and devices. The reports from a SIEM solution will keep the IT and security staff informed of the overall state of the environment, and alarms and alerts will enable them to respond promptly to concerns or compromises.

Chart showing the components feeding a SIEM, including an intrusion detection/prevention system, a malware detection/prevention system, a packet analyzer, NetFlow analysis, SSL decryption, and network data loss prevention.

FIGURE 2.17 The concept of SIEM

SIEM can often perform more tasks than just event monitoring; it can also serve as a NAC (network access control) solution by monitoring the configuration and patch status of systems throughout the network. SIEM can provide asset tracking, MAC monitoring, IP management, and system inventory oversight, and can even monitor for unauthorized software installations—whether implemented by a user or via malware infection.

Aggregation

SIEM performs aggregation of logs, event details, and system measurements pulled from the range of devices throughout the network into the centralized management server. This enables SIEM to monitor the entire IT infrastructure and provide administrators with insight into the health and stability of their network as a whole. Aggregation is essential to the benefits of SIEM.

Correlation

Correlation is the comparison and analysis of logged events in order to find similarities or repeating occurrences. The correlation analysis performed by SIEM enables it to notice repeated breaches, trends toward failure, and other forms of escalating or recurring incidents.

Automated alerting and triggers

SIEM uses automated alerting and triggers to keep the network and security administrators informed of any event that may violate security or be deemed suspicious on the network. This is a key feature of SIEM, whose ability to proactively inform the IT staff of concerns before serious harm takes place is what makes it stand out as an essential enterprise tool.

Time synchronization

Time synchronization is always an important element of implementing security solutions, including SIEM; a SIEM can in turn assist with maintaining the synchronization of the clocks on networked devices. Time synchronization is an important part of re-creating, or at least analyzing, the events of a violation. If the time stamps of log entries are not synchronized, it may be difficult, if not impossible, to actually determine the order in which the events occurred.

Event deduplication

SIEM endeavors to keep the level or load of collected materials from becoming an overwhelming burden on storage capacity. To that end, SIEM performs event deduplication by merging exact duplicates of the same event. Duplicate events may occur because of repetitions of an offending event over time or may simply be multiple recordings of the same event by the same or different monitors due to latency, processing load, or time desynchronization.
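
The following Python script is an added example (it is not from this book or any SIEM product) that ties together the aggregation, time synchronization, event deduplication, correlation, and automated-trigger functions described above over a handful of constructed log records. The source names, the per-source clock offsets, and the failure threshold and window are assumptions; the final lines show how the same records sort into the wrong order when the clock offsets are ignored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the form "<source> <ISO timestamp> <message>".
# The mail server's clock is assumed to run 120 s fast, so its entries would
# sort out of order against the firewall's unless the SIEM corrects them.
RAW_EVENTS = [
    "fw    2024-01-05T10:00:00 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=25",
    "mail  2024-01-05T10:02:01 AUTH_FAIL user=alice src=203.0.113.7",
    "mail  2024-01-05T10:02:01 AUTH_FAIL user=alice src=203.0.113.7",  # exact duplicate record
    "mail  2024-01-05T10:02:20 AUTH_FAIL user=alice src=203.0.113.7",
    "mail  2024-01-05T10:02:40 AUTH_FAIL user=alice src=203.0.113.7",
    "fw    2024-01-05T10:01:00 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=25",
    "mail  2024-01-05T10:03:05 AUTH_OK user=bob src=198.51.100.4",
]

# Assumed per-source clock offsets (time synchronization): subtracting them puts
# every record on one common timeline before ordering or correlating.
CLOCK_OFFSETS = {"fw": timedelta(0), "mail": timedelta(seconds=120)}


def parse_event(line, offsets=CLOCK_OFFSETS):
    """Split a raw record and correct its timestamp by the source's known skew."""
    source, stamp, message = line.split(maxsplit=2)
    ts = datetime.fromisoformat(stamp) - offsets.get(source, timedelta(0))
    return {"source": source, "ts": ts, "msg": message}


def aggregate(lines, offsets=CLOCK_OFFSETS):
    """Aggregation: normalize records from every source and order them on the corrected timeline."""
    return sorted((parse_event(line, offsets) for line in lines), key=lambda e: e["ts"])


def deduplicate(events):
    """Event deduplication: drop exact repeats of (source, corrected time, message)."""
    seen, unique = set(), []
    for e in events:
        key = (e["source"], e["ts"], e["msg"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def fields(msg):
    """Turn 'KEY a=1 b=2' into {'a': '1', 'b': '2'}."""
    return dict(t.split("=", 1) for t in msg.split()[1:] if "=" in t)


def correlate_auth_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation with an automated trigger: raise one alert when a single source IP
    accumulates `threshold` AUTH_FAIL events inside a sliding `window`."""
    recent = defaultdict(list)
    alerts = []
    for e in events:
        if not e["msg"].startswith("AUTH_FAIL"):
            continue
        src = fields(e["msg"]).get("src")
        times = [t for t in recent[src] if e["ts"] - t <= window] + [e["ts"]]
        if len(times) >= threshold:
            alerts.append({"src": src, "count": len(times), "at": e["ts"]})
            times = []  # one burst raises one alert
        recent[src] = times
    return alerts


def run_pipeline(lines=RAW_EVENTS, offsets=CLOCK_OFFSETS):
    """Aggregate, deduplicate, then correlate; returns (ordered unique events, alerts)."""
    events = deduplicate(aggregate(lines, offsets))
    return events, correlate_auth_failures(events)


if __name__ == "__main__":
    events, alerts = run_pipeline()
    for e in events:
        print(e["ts"].isoformat(), e["source"], e["msg"])
    print("alerts:", alerts)
    # With the offsets ignored, the firewall ACCEPT that admitted the attacker no
    # longer appears before the failures it led to, so the sequence is misleading.
    uncorrected, _ = run_pipeline(offsets={})
    print("uncorrected order:", [e["source"] for e in uncorrected])
```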

Logs/WORM

Logs need to be protected against accidental and intentional malicious change. Centralized logging services such as SIEM and Syslog can assist with protecting the integrity of logs through several techniques. One technique is to create additional duplicate copies of a log in various locations throughout the network. This is the primary log protection technique employed by centralized logging solutions. The primary log still resides on the original system, but a duplicate copy of the log is maintained on one or more log management servers. An additional technique can be to store the log copies on a WORM (write-once, read-many) storage device. These are storage media that prohibit the change of any data item once it has been written. Common examples of WORMs include optical discs and ROM chips, but WORM hard drives and tapes are also available.

DLP

Data loss prevention (DLP) refers to systems specifically implemented to detect and prevent unauthorized access to, use of, or transmission of sensitive information. DLP can include hardware and software elements designed to support this primary goal. It may involve deep packet inspection, storage and transmission encryption, contextual assessment, monitoring authorizations, and centralized management.

A wide range of security measures can be implemented that provide DLP benefits; these include blocking use of email attachments, setting strict job-specific authorization, blocking cut-and-paste, preventing use of portable drives, and setting all storage to be encrypted by default. However, keep in mind that while DLP will reduce the occurrence of accidental data loss and data leakage, anyone intentionally violating company security rules may still find a means to subvert such protections.

Many regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Gramm-Leach-Bliley Act (GLBA), Basel II, and PCI DSS, either directly require DLP solutions or strongly imply the need for DLP.

USB blocking

Many data loss and data leakage events take place via USB storage devices, which have significant capacity compared to their size. They are convenient to use as well as easy to hide, lose, or steal. Disabling the use of USB storage devices when setting network use policy can significantly reduce data loss and data leakage that occurs based on portable USB storage.

It might also be worth considering blocking the use of memory cards, such as SD cards and microSD cards. These types of memory cards are almost as ubiquitous as USB drives. And, don’t overlook the fact that most mobile phones can function as USB storage when attached to a computer via a USB cable (Figure 2.18). Mobile phones can thus provide writable access to both their internal memory storage and any expanded storage, such as SD or microSD cards.


FIGURE 2.18 A mobile phone’s storage is accessible from a Windows system after connecting via a USB cable.

Cloud-based

Cloud-based DLP must focus on strict authorization in order to prevent unauthorized entities from viewing, accessing, or downloading sensitive data. Cloud-based services may be the data source for portable equipment, point-of-sale devices, desktop applications, and smart devices. Cloud DLP needs to include both storage encryption and transportation encryption in order to restrict access of resources to authorized users, software, and devices.

Email

Email DLP often involves blocking or filtering of attachments as well as limiting the use of HTML/web features that may enable data and/or code transmission. Email DLP can also be tied with a blocking of cut-and-paste to prevent users from transmitting body content of sensitive documents to unauthorized recipients.

NAC

Network Access Control (NAC) involves controlling access to an environment through strict adherence to and implementation of security policy. The goals of NAC are to prevent or reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control. These goals can be achieved through the use of strong, detailed security policies that define all aspects of security control, as well as filtering, prevention, detection, and response for every device from client to server and for every internal or external communication. NAC is meant to be an automated detection and response system that can react in real time to ensure that all monitored systems are current on patches and updates and are in compliance with the latest security configurations.

NAC can be implemented with either a pre-admission philosophy or a post-admission philosophy. Using the pre-admission philosophy, a system must meet all current security requirements (such as patch application and antivirus updates) before it’s allowed to communicate with the network. The post-admission philosophy says that allow/deny decisions are made based on user activity, which is based on a predefined authorization matrix. NAC can also be deployed with aspects of both of these philosophies.

Other issues related to NAC include using a client/system agent versus overall network monitoring (agentless); using out-of-band versus in-band monitoring; and resolving any remediation, quarantine, or captive portal strategies.

A typical operation of an agent-based NAC system would be to install a NAC monitoring agent on each managed system. The NAC agent downloads a configuration file on a regular basis, possibly daily, to check the current configuration baseline requirements against the local system. If the system is not compliant, it can be quarantined into a remediation subnet where it can communicate only with the NAC server. The NAC agent can download and apply updates and configuration files to bring the system into compliance. Once compliance is achieved, the NAC agent returns the system to the normal production network.

Many organizations have released products with the NAC concept in mind (often in the title of their offering), including Cisco, McAfee, Symantec, and so on. There are many open-source solutions as well.

Dissolvable vs. permanent

NAC agents can be either dissolvable or permanent. A dissolvable NAC agent is usually written in a web/mobile language, such as Java or ActiveX, and is downloaded and executed to each local machine when the specific management web page is accessed. The dissolvable NAC agent can be set to run once and then terminate, or it may remain resident in memory until the system reboots.

A permanent NAC agent is installed onto the monitored system as a persistent software background service.

Host health checks

A NAC system can check on the security and performance health of monitored systems. This host health check can be used as part of the procedure for determining what updates and configurations to apply to the system. It can also be used to establish an ongoing record of systems in order to monitor for trends or establish baselines.
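
The following Python script is an added example (not from this book or any NAC product) of the agent-based cycle described above: the agent compares the host against a downloaded baseline (the host health check), a non-compliant host is assigned to the remediation subnet, the agent applies the fixes, and the host is re-checked and returned to production. The baseline format, the host state, and the individual checks are constructed assumptions.

```python
from datetime import date

# Constructed baseline that the NAC agent would download from the NAC server
# (assumed format; not modelled on any specific product).
BASELINE = {
    "min_patch_level": "2024-01",          # newest required monthly patch bundle, "YYYY-MM"
    "max_av_signature_age_days": 3,
    "host_firewall_required": True,
    "required_services": ["edr-agent", "disk-encryption"],
    "forbidden_software": ["p2p-client"],
}

# Constructed state the agent collected from the local machine, and the assumed check date.
HOST_STATE = {
    "patch_level": "2023-11",
    "av_signature_date": date(2024, 1, 2),
    "host_firewall_enabled": False,
    "running_services": ["edr-agent"],
    "installed_software": ["office-suite", "p2p-client"],
}
TODAY = date(2024, 1, 8)


def check_health(baseline, host, today):
    """Host health check: compare local state with the baseline.
    Returns (compliant, findings); each finding is (check name, remediation action)."""
    findings = []
    if host["patch_level"] < baseline["min_patch_level"]:  # "YYYY-MM" compares correctly as text
        findings.append(("patch_level", "install missing patch bundles"))
    age = (today - host["av_signature_date"]).days
    if age > baseline["max_av_signature_age_days"]:
        findings.append(("av_signatures", "update antivirus signatures (%d days old)" % age))
    if baseline["host_firewall_required"] and not host["host_firewall_enabled"]:
        findings.append(("host_firewall", "enable the host firewall"))
    for svc in baseline["required_services"]:
        if svc not in host["running_services"]:
            findings.append(("service:" + svc, "start service " + svc))
    for sw in baseline["forbidden_software"]:
        if sw in host["installed_software"]:
            findings.append(("software:" + sw, "remove " + sw))
    return not findings, findings


def assign_network(compliant):
    """Pre-admission decision: compliant hosts join production; others are
    quarantined on a remediation subnet that reaches only the NAC server."""
    return "production" if compliant else "remediation"


def remediate(baseline, host, findings, today):
    """Simulate the agent applying updates and configuration to clear each finding.
    The original host record is left untouched; a corrected copy is returned."""
    fixed = {k: (list(v) if isinstance(v, list) else v) for k, v in host.items()}
    for check, _ in findings:
        if check == "patch_level":
            fixed["patch_level"] = baseline["min_patch_level"]
        elif check == "av_signatures":
            fixed["av_signature_date"] = today
        elif check == "host_firewall":
            fixed["host_firewall_enabled"] = True
        elif check.startswith("service:"):
            fixed["running_services"].append(check.split(":", 1)[1])
        elif check.startswith("software:"):
            fixed["installed_software"].remove(check.split(":", 1)[1])
    return fixed


def nac_cycle(baseline, host, today):
    """One agent cycle as described in the text: check, quarantine if needed,
    remediate, re-check. Returns the sequence of networks the host was placed on."""
    path = []
    compliant, findings = check_health(baseline, host, today)
    path.append(assign_network(compliant))
    if not compliant:
        host = remediate(baseline, host, findings, today)
        compliant, findings = check_health(baseline, host, today)
        path.append(assign_network(compliant))
    return path


if __name__ == "__main__":
    ok, findings = check_health(BASELINE, HOST_STATE, TODAY)
    for check, action in findings:
        print("FAIL %-24s -> %s" % (check, action))
    print("network path:", nac_cycle(BASELINE, HOST_STATE, TODAY))
```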

Agent vs. agentless

An agent-based system installs an assessment and monitoring software tool on each monitored system. The agents can be dissolvable or persistent/permanent. An agent-based system may be able to apply updates and configuration changes automatically, whereas an agentless system typically requires an administrator to manually resolve any discovered issues. Although agent-based systems provide more data, agentless systems are more trustworthy in the data they do provide, since they cannot be as easily compromised by malware.

Mail gateway

A mail gateway or email gateway is an add-on security filter used to reduce the risk of malicious and wasteful emails. A mail gateway filters out malware, phishing scams, and spam messages from inbound mail before they are deposited into a recipient’s inbox folder. A mail gateway can also be used to filter outbound messages. Such egress filtering can be a component of DLP or provide some additional protection against distribution of PII (personally identifiable information).

Spam filter

Spam is any type of email that is undesired and/or unsolicited. Think of spam as the digital equivalent of junk mail and door-to-door solicitations.

Spam is a problem for numerous reasons:

  • Some spam carries malicious code such as viruses, logic bombs, or Trojan horses.
  • Some spam carries social engineering attacks (also known as hoax email).
  • Unwanted email wastes your time while you sort through it looking for legitimate messages (Figure 2.19).
  • Spam wastes Internet resources: storage capacity, computing cycles, and throughput.

FIGURE 2.19 Notice the spam counter on my Gmail account; this is just the message count for the one week since the last time I cleared it out!

The primary countermeasure against spam is an email filter. An email filter is a list of email addresses, domain names, or IP addresses where spam is known to originate. If a message is received from one of the listed spam sources, the email filter blocks or discards it. Some email filters are becoming as sophisticated as antivirus scanners. These email filters can examine the header, subject, and contents of a message to look for keywords or phrases that identify it as a known type of spam, and then take the appropriate actions to discard, quarantine, or block the message.

In addition to client application or client-side spam filters, there are enterprise spam tools. Some enterprise tools are stand-alone devices, often called anti-spam appliances, whereas others are software additions to internal enterprise email servers. The benefit of enterprise spam filtering is that it reduces spam distribution internally by blocking and discarding unwanted messages before they waste storage space on email servers or make their way to clients.

However, email spam filters are problematic. Just because a message includes keywords that are typically found in spam doesn’t mean every message with those words is spam. Some legitimate, if not outright essential, messages include spam words. One method of addressing this issue is for the spam-filtering tool to place all suspected spam messages into a quarantine folder. Users can peruse this folder for misidentified messages and retrieve them.

Another important issue to address when managing spam is spoofed email. A spoofed email is a message that has a fake or falsified source address. When an email server receives an email message, it should perform a reverse lookup on the source address of the message. If the source address is fake or nonexistent, the message should be discarded. Other methods of detecting or blocking spoofed messages include checking source addresses against blacklists and filtering on invalid entries in a message header.

A spam filter is a software or hardware tool whose primary purpose is to identify and block, filter, or remove unwanted messages (that is, spam). Spam is most commonly associated with email, but spam also exists in instant messaging (IM), Short Message Service (SMS), Usenet, and web discussions, forums, comments, and blogs. Because spam consumes a substantial amount of resources worldwide, it’s essential to filter and block it at every opportunity. Failing to block spam allows it to waste resources, consume bandwidth, and distract workers from productive activities. Spam can also be a common source of malware infections via links and attachments.

DLP

Mail gateways can be configured to filter the contents of outbound messages against a list of sensitive materials or keywords. This can help to prevent data loss or data leakage events that take place over email.

Encryption

Encryption can be used as a tool for security or as a means to bypass filters. A mail gateway will be unable to filter on the contents of encrypted messages, but it can still filter on the source email address, the destination email address, and any other value left in plain text in the message header. A mail gateway can be configured to block all unencrypted messages to specific clients in order to enforce confidentiality on those communications.
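
The following Python script is an added example (it is not from this book or any mail gateway product) that implements the gateway behaviors described in the preceding sections: inbound blocklist and keyword filtering with discard, quarantine, or deliver outcomes; the spoofed-sender check; outbound DLP keyword filtering; and blocking of unencrypted messages to specific recipients, where the header fields remain filterable even when the body is encrypted. The blocklist entries, keyword weights, sensitive terms, addresses, and the lookup table that stands in for a live reverse lookup are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed gateway policy data (assumptions, not from the book or any vendor).
BLOCKLIST = {
    "addresses": {"deals@example-spam.test"},
    "domains": {"bulk-offers.test"},
    "ips": {"203.0.113.9"},
}
SPAM_KEYWORDS = {"free money": 3, "act now": 2, "winner": 2, "unsubscribe": 1}
QUARANTINE_SCORE = 4
SENSITIVE_TERMS = {"confidential", "ssn:", "account number"}
ENCRYPTION_REQUIRED = {"legal@partner.test"}
# Stand-in for the reverse lookup the text describes: sender domains that resolve.
KNOWN_DOMAINS = {"example.com", "bulk-offers.test", "example-spam.test", "partner.test"}


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def sender(msg):
    return parseaddr(msg.get("From", ""))[1].lower()


def text_of(msg):
    """Subject plus plain-text body, lowercased; an encrypted message yields no readable body."""
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    return (msg.get("Subject", "") + "\n" + body).lower()


def spam_score(msg):
    """Keyword scoring over header and content, as the text describes for advanced filters."""
    text = text_of(msg)
    return sum(weight for kw, weight in SPAM_KEYWORDS.items() if kw in text)


def inbound_decision(msg, source_ip):
    """Inbound filtering: spoof check, blocklist, then keyword scoring.
    Returns (action, reason) with action in deliver / quarantine / discard."""
    addr = sender(msg)
    domain = addr.rpartition("@")[2]
    if domain not in KNOWN_DOMAINS:
        return "discard", "sender domain does not resolve (possible spoof)"
    if addr in BLOCKLIST["addresses"] or domain in BLOCKLIST["domains"] or source_ip in BLOCKLIST["ips"]:
        return "discard", "known spam source"
    score = spam_score(msg)
    if score >= QUARANTINE_SCORE:
        return "quarantine", "spam score %d (user may retrieve from quarantine)" % score
    return "deliver", "spam score %d" % score


def is_encrypted(msg):
    return msg.get_content_type() in ("multipart/encrypted", "application/pkcs7-mime")


def outbound_decision(msg):
    """Egress filtering: DLP keyword check, then enforce encryption for listed recipients.
    The To header stays readable even when the body is encrypted, so that check always runs."""
    hits = sorted(t for t in SENSITIVE_TERMS if t in text_of(msg))
    if hits:
        return "block", "DLP match: " + ", ".join(hits)
    rcpts = {parseaddr(a)[1].lower() for a in str(msg.get("To", "")).split(",")}
    if rcpts & ENCRYPTION_REQUIRED and not is_encrypted(msg):
        return "block", "unencrypted message to encryption-required recipient"
    return "send", "ok"


def make(frm, to, subject, body, ctype=None):
    """Build a constructed message; ctype marks the body as S/MIME enveloped data."""
    hdr = "From: %s\nTo: %s\nSubject: %s\n" % (frm, to, subject)
    if ctype:
        hdr += "Content-Type: %s\nContent-Transfer-Encoding: base64\n" % ctype
    return parse(hdr + "\n" + body + "\n")


SAMPLES = {  # constructed messages for each gateway path
    "spam": make("Prize Desk <win@example.com>", "alice@example.com", "You are a WINNER - act now", "Free money is waiting."),
    "spoofed": make("ceo@example.invalid", "alice@example.com", "Urgent wire transfer", "Please call me."),
    "ok": make("Bob <bob@example.com>", "alice@example.com", "Lunch", "See you at noon."),
    "dlp": make("alice@example.com", "friend@example.net", "Notes", "Confidential: the account number is 4421-0013."),
    "plain": make("alice@example.com", "Legal <legal@partner.test>", "Contract draft", "Please review."),
    "smime": make("alice@example.com", "Legal <legal@partner.test>", "Contract draft", "AAAA",
                  'application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"'),
}

if __name__ == "__main__":
    for name in ("spam", "spoofed", "ok"):
        print("inbound  %-8s %s" % (name, inbound_decision(SAMPLES[name], "198.51.100.20")))
    for name in ("dlp", "plain", "smime"):
        print("outbound %-8s %s" % (name, outbound_decision(SAMPLES[name])))
```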

Bridge

A traditional network bridge was a device used to link LANs together. These LANs were originally hub-based networks. With the implementation of switches, the network bridge is no longer a common device used in a typical network deployment.

Another concern related to bridging arises when a single system has two active network interfaces, such as one to the company network and the other to an Internet connection. In these situations, it is usually important to ensure that bridging is not enabled. On some systems, this feature is known as IP forwarding. Bridging or IP forwarding allows traffic to flow directly between the two connected interfaces without filters. This is not a secure network configuration.

As IPv6 is deployed, many organizations will adopt an IPv4-to-IPv6 tunnel, proxy, or bridge. This may allow an organization to retain IPv4 use in some sections of their network or interface with an Internet service provider that only supports IPv4.

SSL/TLS accelerators

SSL accelerators or TLS accelerators are used to offload the operation of encryption to a dedicated hardware device. This frees up resources on a server or system itself while still maintaining the security of the connection. By allowing a dedicated SSL/TLS hardware accelerator to manage secure connections, more efficient encryption is available to more concurrent sessions.

SSL decryptors

An SSL decryptor or TLS decryptor is a dedicated device used to decode secure communications for the purpose of filtering and monitoring. An SSL/TLS decryptor can be deployed in line or be used for out-of-band management. When deployed in line, the decryptor serves as an SSL/TLS offloader; it is where the encryption and decryption of a communication is handled rather than being managed by the Web or email server itself. Such an inline implementation also enables the use of load balancing to distribute communication loads across a number of hosting servers.

An out-of-band monitoring tool only needs to decrypt communications for filtering rather than also needing to encrypt outbound messages. Such a configuration provides the filtering or IDS/IPS systems with a plain-text version of the communications.

Media gateway

A media gateway is any device or service that converts data from one communication format to another. A media gateway is often located at the intersection of two different types of networks. Media gateways are commonly used with VoIP systems, where a conversion from IP-based communications to analog or digital is needed.

Hardware security module

The hardware security module (HSM) is a cryptoprocessor used to manage and store digital encryption keys, accelerate crypto operations, support faster digital signatures, and improve authentication. An HSM is often an add-on adapter or peripheral, or it can be a TCP/IP network device. HSMs include tamper protection to prevent their misuse even if an attacker gains physical access.

HSMs provide an accelerated solution for large (2,048+ bit) asymmetric encryption calculations and a secure vault for key storage. Many certificate authority systems use HSMs to store certificates; ATM and POS bank terminals often employ proprietary HSMs; hardware SSL accelerators can include HSM support; and DNSSEC-compliant DNS servers use HSM for key and zone file storage.

One common example of an HSM is the trusted platform module (TPM). This special chip found on many portable system motherboards can be used to store the master encryption key used for whole drive encryption.

Exam Essentials

Understand firewalls. Firewalls provide protection by controlling traffic entering and leaving a network. They manage traffic using filters or rules.

Know the types of firewalls. The three basic types of firewalls are packet filtering, circuit-level gateway, and application-level gateway. A fourth type combines features from these three and is called a stateful inspection firewall.

Understand implicit deny. Implicit deny is the default security stance that says if you aren’t specifically granted access to or privileges for a resource, you’re denied access by default.

Comprehend application-based vs. network-based firewalls. An application firewall is a device, server add-on, virtual service, or system filter that defines a strict set of communication rules for a service and all users. A network firewall is a hardware device, typically called an appliance, designed for general network filtering. A network firewall is designed to provide broad protection for an entire network.

Understand stateful vs. stateless firewalls. A stateless firewall analyzes packets on an individual basis against the filtering ACLs. The context of the communication or previous packets are not used to make an allow or deny decision on the current packet. A stateful firewall monitors the state or session of the communication; it evaluates previous packets and potentially other communications and conditions when making an allow or deny decision for the current packet.

Understand VPN concentrators. A VPN concentrator is a dedicated hardware device designed to support a large number of simultaneous VPN connections, often hundreds or thousands. It provides high availability, high scalability, and high performance for secure VPN connections.

Know IPSec. IPSec is a security architecture framework that supports secure communication over IP. IPSec establishes a secure channel in either transport mode or tunnel mode. It can be used to establish direct communication between computers or to set up a VPN between networks.

Understand AH and ESP. IPSec isn’t a single protocol but rather a collection of protocols. Two of the primary protocols of IPSec are Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides authentication of the sender’s data; ESP provides encryption of the transferred data as well as limited authentication.

Understand tunnel mode and transport mode. In tunnel mode, IPSec provides encryption protection for both the payload and the message header by encapsulating the entire original LAN protocol packet and adding its own temporary IPSec header. In transport mode, IPSec provides encryption protection for just the payload and leaves the original message header intact.

Understand IKE. Internet Key Exchange (IKE) ensures the secure exchange of secret keys between communication partners in order to establish an encrypted VPN tunnel.

Understand ISAKMP. Internet Security Association and Key Management Protocol (ISAKMP) is used to negotiate and provide authenticated keying material (a common method of authentication) for security associations in a secured manner. The four major functional components of ISAKMP are authentication of communications peers, threat mitigation, security association creation and management, and cryptographic key establishment and management.

Know split tunnel. A split tunnel is a VPN configuration that allows a VPN-connected system to access both the organizational network over the VPN and the Internet directly at the same time. The split tunnel thus grants a simultaneously open connection to the Internet and the organizational network.

Understand IDS. An intrusion detection system (IDS) is an automated system that either watches activity in real time or reviews the contents of audit logs in order to detect intrusions or security policy violations. The two types of IDS are network-based and host-based.

Understand NIDS. A network-based IDS (NIDS) watches network traffic in real time. It’s reliable for detecting network-focused attacks, such as bandwidth-based DoS attacks.

Understand HIDS. A host-based IDS (HIDS) watches the audit trails and log files of a host system. It’s reliable for detecting attacks directed against a host, whether they originate from an external source or are being perpetrated by a user locally logged into the host.

Know detection mechanisms. Signature detection compares event patterns against known attack patterns (signatures) stored in the IDS database. Anomaly detection watches the ongoing activity in the environment and looks for abnormal occurrences.

Understand response methods. An IDS with active detection and response is designed to take the quickest action to reduce potential damage caused by an intruder. This response may include shutting down the server or the affected service or disconnecting suspicious connections. An IDS with passive detection and response takes no direct action against the intruder; instead, it may increase the amount of data being audited and recorded and notify administrators about the intrusion.

Understand behavior-based detection. A behavior-based monitoring or detection method relies on the establishment of a baseline or a definition of normal and benign. Once this baseline is established, the monitoring tool is able to detect activities that vary from that standard of normal.

Understand signature-based detection. A signature-based monitoring or detection method relies on a database of signatures or patterns of known malicious or unwanted activity. The strength of a signature-based system is that it can quickly and accurately detect any event that matches its database of signatures, with few false positives. Its weakness is that it cannot detect an attack for which no signature exists yet, so the signature database must be updated continuously.

Understand anomaly-based detection. An anomaly-based monitoring or detection method relies on a definition of valid or expected activity (a baseline or an allow list of acceptable behavior). Anything that deviates from that definition is flagged as an anomaly. This allows the tool to detect previously unknown attacks, but it also produces false positives whenever legitimate activity changes in a way the baseline did not anticipate, and attacks that closely resemble normal traffic produce false negatives.

Know routers. Routers enable traffic from one network segment to traverse into another network segment. However, the traffic must pass through the router’s filters in order to make the transition.

Understand router access control lists. Access control lists (ACLs) are used to define who is allowed or denied permission to perform a specified activity or action. ACLs are commonly associated with object access but also apply to communications. In many cases, firewalls, routers, and switches use ACLs as a method of security management.

Understand switches. A switch is a networking device used to connect other devices together and potentially implement traffic management on their communications. It receives signals in one port and transmits them out the port where the intended recipient is connected. Switches are often used to create virtual local area networks (VLANs).

Comprehend loop protection. A loop in networking terms is a transmission pathway that repeats itself. Loop protection includes STP for Ethernet and the IP header TTL value.

Understand proxy. A proxy server is a variation of an application-level firewall or circuit-level firewall. A proxy server is used as a proxy or middleman between clients and servers.

Understand load balancers. A load balancer is used to spread or distribute network traffic load across several network links or network devices. The purpose of load balancing is to obtain optimal infrastructure utilization, minimize response time, maximize throughput, reduce overloading, and eliminate bottlenecks.

Understand wireless access points. A wireless access point is the network management device that supports and manages an infrastructure mode wireless network.

Be familiar with 802.11 and 802.11a, b, g, and n. 802.11 is the IEEE standard for wireless network communications. The original 802.11 (1997) supported 1 to 2 Mbps in the 2.4 GHz band. Later versions include 802.11b (11 Mbps, 2.4 GHz), 802.11a (54 Mbps, 5 GHz), 802.11g (54 Mbps, 2.4 GHz), and 802.11n (150 Mbps per spatial stream, up to 600 Mbps with four streams, in the 2.4 or 5 GHz band). The original 802.11 standard also defined Wired Equivalent Privacy (WEP), which is now deprecated.

Understand MAC filters. A MAC filter is a list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all unauthorized devices. Because every client’s MAC address is transmitted unencrypted in the 802.11 frame header, an attacker with a wireless scanner can read an authorized address and assign it to their own interface, so MAC filtering only slightly raises the attacker’s effort. It is a supplementary control, not a substitute for WPA2 authentication.

Understand SSID broadcast. Wireless networks traditionally announce their SSIDs on a regular basis in a special packet known as the beacon frame. When the SSID is broadcast, any device with an automatic detect and connect feature can see the network and initiate a connection with it.

Know the antenna types. A wide variety of antenna types can be used for wireless clients and base stations. These include omnidirectional pole antennas as well as many directional antennas such as Yagi, cantenna, panel, and parabolic.

Understand site surveys. A site survey is the process of investigating the presence, strength, and reach of WAPs deployed in an environment. This task usually involves walking around with a portable wireless device, taking note of the wireless signal strength, and mapping it on a plot or schematic of the building.

Understand SIEM. Security Information and Event Management (SIEM) is a centralized application to automate the monitoring and real-time event analysis of network systems.

Comprehend DLP. Data loss prevention (DLP) is the idea of systems specifically implemented to detect and prevent unauthorized access to, use of, or transmission of sensitive information. DLP can include hardware and software elements designed to support this primary goal.

Understand NAC. Network Access Control (NAC) means controlling access to an environment through strict adherence to and implementation of security policies. The goals of NAC are to prevent or reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control.

Understand a mail gateway. A mail gateway or email gateway is an add-on security filter used to reduce the risk of malicious and wasteful emails. A mail gateway filters out malware, phishing scams, and spam messages from inbound mail before they are deposited into a recipient’s inbox folder.

Be aware of spam. Spam is undesired or unsolicited email. It’s a problem for numerous reasons:

  • Spam can be the carrier for malicious code such as viruses, logic bombs, and Trojan horses.
  • Spam can be the carrier of a social engineering attack (hoax email).
  • Unwanted email wastes your time while you’re sorting through it looking for legitimate messages.
  • Spam wastes Internet resources such as storage capacity, computing cycles, and throughput.

Understand SPIM. SPIM is a term used to refer to spam over IM (instant messaging).

Understand bridges. A traditional network bridge was a device used to link LAN segments together at Layer 2; that role is now filled by switches. A related concern is a single system with two active network interfaces, for example a laptop connected to both the wired LAN and a wireless network, or a host with operating system bridging enabled between two adapters. Such a dual-homed system can forward traffic between the two networks and thereby bypass the firewall or segmentation that is supposed to separate them.

Know SSL/TLS accelerators. SSL accelerators or TLS accelerators are used to offload the operation of encryption to a dedicated hardware device. This frees up resources on a server or system itself while still maintaining the security of the connection.

Understand SSL decryptors. An SSL decryptor or TLS decryptor is a dedicated device used to decode secure communications for the purpose of filtering and monitoring.

Understand media gateways. A media gateway is any device or service that converts data from one communication format to another. A media gateway is often located at the intersection of two different types of networks.

Understand HSMs. The hardware security module (HSM) is a cryptoprocessor used to manage and store digital-encryption keys, accelerate crypto operations, support faster digital signatures, and improve authentication.

2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization.

Security management starts immediately after initial security deployment. Security management never ends. There is always something new to learn about the security of an environment. This is due to the changing nature of attacks and exploitation as well as the evolution of production networks. This section looks at many of the security tools used to assess the security stance of an IT infrastructure.

Protocol analyzer

A protocol analyzer is a tool used to examine the contents of network traffic. Commonly known as a sniffer, a protocol analyzer can be a dedicated hardware device or software installed on a typical host system. In either case, a protocol analyzer is first a packet-capturing tool that can collect network traffic and store it in memory or on a storage device. Once a packet is captured, it can be analyzed either with complex automated tools and scripts or manually. A protocol analyzer usually places the NIC into promiscuous mode in order to see and capture all packets on the local network segment rather than just those with the destination MAC address of the computer’s local NIC. In promiscuous mode, the NIC ignores the destination MAC addresses of packets and collects each one it sees.

Once a network packet is collected, it’s either saved to disk in a capture file (pcap is the common interchange format) or retained in memory in a buffer. The protocol analyzer can examine individual packets down to the binary level. Most analyzers or sniffers automatically parse out the contents of each header into an expandable outline form (Figure 2.20 ). Any configuration or setting can be easily seen in the header details. The payload of packets is often displayed in both hexadecimal and ASCII.

Screenshot shows details of TCP header such as source port, destination port, stream index, sequence number, acknowledge number, header length, window size value et cetera.

FIGURE 2.20 Wireshark, a network sniffer, showing an expanded view of the TCP header of a captured communication

Sniffers typically offer both capture filters and display filters. A capture filter is a set of rules to govern which packets are saved into the capture file or buffer and which are discarded. Capture filters are used to collect only packets of interest and keep the number of retained packets to a minimum. A display filter is used to show only those packets from the packet file or buffer that match your requirements. Display filters act like search queries to locate packets of interest.
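The header decoding and display filtering described above can be shown in a few dozen lines. The following is an added example, not code from the book or from any analyzer product: it builds two constructed Ethernet/IPv4/TCP frames (not a real capture), decodes the TCP header fields shown in Figure 2.20 (ports, sequence and acknowledgment numbers, header length, flags, window), applies a display-filter style selection over the decoded packets, and renders a payload as hexadecimal and ASCII. The frame contents, addresses, and function names are all assumptions chosen for the demonstration.

```python
import struct

TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Constructed Ethernet II + IPv4 + TCP frame (not from a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    # TCP header: 20-byte header (data offset 5), window 64240, checksum left zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 64240, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1c46, 0x4000,
                     64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp


def parse_frame(frame):
    """Decode the Ethernet, IPv4 and TCP headers into named fields, the way an
    analyzer's expandable header view presents them."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are decoded here")
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    ip_hdr = frame[14:14 + ihl]
    if ip_hdr[9] != 6:
        raise ValueError("only TCP segments are decoded here")
    tcp = frame[14 + ihl:]
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    hdr_len = (off_res >> 4) * 4            # data offset is in 32-bit words
    return {
        "src_ip": ".".join(str(b) for b in ip_hdr[12:16]),
        "dst_ip": ".".join(str(b) for b in ip_hdr[16:20]),
        "ttl": ip_hdr[8],
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_len": hdr_len,
        "flags": [name for bit, name in TCP_FLAG_BITS if flags & bit],
        "window": window,
        "payload": tcp[hdr_len:],
    }


def display_filter(packets, **criteria):
    """Display-filter style selection over decoded packets: keep those whose fields
    equal every criterion, e.g. display_filter(pkts, dst_port=80, flags=["SYN"])."""
    return [p for p in packets if all(p.get(k) == v for k, v in criteria.items())]


def hexdump(data, width=16):
    """Hex + ASCII rendering of a payload, as analyzers show it."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {asciipart}")
    return "\n".join(lines)


# Constructed capture buffer: a SYN and the first data segment of an HTTP request.
CAPTURE = [
    build_frame("192.168.1.10", "93.184.216.34", 51234, 80, 0x11223344, 0, 0x02),
    build_frame("192.168.1.10", "93.184.216.34", 51234, 80, 0x11223345, 0x99887766, 0x18,
                b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    decoded = [parse_frame(f) for f in CAPTURE]
    for pkt in display_filter(decoded, dst_port=80):
        print(pkt["src_ip"], pkt["src_port"], "->", pkt["dst_ip"], pkt["dst_port"], pkt["flags"])
        if pkt["payload"]:
            print(hexdump(pkt["payload"]))
```

A capture filter would sit in front of this, deciding which frames enter CAPTURE at all; the display filter only narrows what is shown from frames already retained.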

Protocol analyzers vary from simple raw packet-capturing tools to fully automated analysis engines. There are both open-source (such as Wireshark) and commercial (such as Omnipeek and NetScout) options.

Protocol analyzers can be used to discover communication problems caused by hardware and software issues. They can detect protocol anomalies that may be due to misconfiguration, malfunction, or malicious intent. Often, when security administrators attempt to track down a network communication problem or discover the source of an attack, they use a protocol analyzer.

Sniffer may either be a synonym for protocol analyzer or may mean a distinct type of product. A sniffer is generally a packet- (or frame-) capturing tool, whereas a protocol analyzer is able to decode and interpret packet/frame contents.

A protocol analyzer is used by network administrators throughout their internal network, within a DMZ, and even on the open Internet to evaluate network communications. When there are odd or unexplained network events occurring, a protocol analyzer might be useful in capturing traffic related to the event to diagnose and troubleshoot the issue. Protocol analyzers can capture live traffic to assist administrators in determining the cause of communication failures or service and application issues based on header values and payload data.

Network scanners

A network scanner is usually a form of port scanner that adds enumeration techniques in order to inventory the devices found on a network. A network scanner can use a variety of detection techniques to discover the presence of a system on a network, whether a valid device or a rogue system. These techniques include ping sweeping, port scanning, and promiscuous mode detections.

Ping sweeping is the activity of using ICMP Type 8 Echo Request packets to trigger ICMP Type 0 Echo Reply packets from any system within a specific subnet. However, only systems that are not filtering or ignoring ICMP will respond.

Port scanning can be used to detect the presence of an open port. If an open port is detected, there is a system present at the IP address probed. An open TCP port normally responds to a SYN-flagged initial packet with a SYN/ACK, a closed port responds with a RST, and no response at all usually means a firewall silently dropped the probe (the port is described as filtered). A host therefore does not have to answer ping to be discovered. However, if port probes are sent too quickly, intelligent firewalls and intrusion prevention systems can recognize the scan and drop the responses or block the scanning address, which is why scanners offer timing controls to slow down or randomize their probes.
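The open/closed/filtered distinction above can be exercised without any special privileges using a TCP connect scan, which completes the full handshake (a SYN scan that stops at the SYN/ACK needs raw sockets). The following is an added example, not code from the book or from nmap: it starts a throwaway listener on 127.0.0.1 to act as the target, probes a list of ports concurrently, and classifies each result from the socket outcome. Port numbers are chosen by the operating system at run time; the listener and the function names are assumptions for the demonstration.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_local_listener():
    """Constructed target: a TCP service on 127.0.0.1 on an OS-chosen port.
    Returns (port, stop_event); set the event to shut the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()        # accept and drop; the kernel already answered SYN with SYN/ACK
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def probe_port(host, port, timeout=0.5):
    """Connect scan of one port: SYN/ACK (connect succeeds) -> open,
    RST (connection refused) -> closed, silence until the timeout -> filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"


def scan(host, ports, workers=50, timeout=0.5):
    """Probe the ports concurrently. Lower `workers` and raise `timeout` to stay
    under a firewall's rate limit; the result maps port -> state."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe_port(host, p, timeout)), ports))
    return dict(results)


def free_port():
    """Bind-then-release to find a port that is (almost certainly) closed right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port, stop = start_local_listener()
    closed_port = free_port()
    report = scan("127.0.0.1", [open_port, closed_port])
    for port, state in sorted(report.items()):
        print(f"127.0.0.1:{port}  {state}")
    stop.set()
```

Against a real network the same probe_port logic applies; the "filtered" outcome is what a scanner sees when a firewall drops probes instead of rejecting them, and it is the slowest case because every such port costs a full timeout.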

Promiscuous mode detection is accomplished by sending out queries or requests but addressing them to a MAC address that is not in use on the network. Any NIC in normal mode will ignore the request, but NICs in promiscuous mode will accept the query and respond. This trick or technique will detect any system that is in promiscuous mode, but may otherwise not respond to other techniques.

A network scanner is often used to locate and identify devices on a network. Administrators may use network scanners to inventory the network and look for rogue or out-of-place systems.

Rogue system detection

A rogue system is any device not authorized to be present on a private network. Rogue systems may be wired, wireless, or virtual machines. A network scanner can assist with detecting rogue systems by detecting machines that are not present on a preapproved system index.

Network mapping

Network mapping is often an important part of security management. It is used in addition to rogue machine detection to ensure that every system present on the network is authorized and that all expected systems are accounted for. Tools used for network mapping may either produce a text listing of the discovered systems or a visual diagram including typical details such as IP address, possibly MAC address, subnet group, OS type, and system name or identity.

Wireless scanners/cracker

A wireless scanner is used to detect the presence of a wireless network. Any wireless network that is not enclosed in a Faraday cage can be detected, since the base station will be transmitting radio waves. A Faraday cage is an enclosure that filters or blocks all target frequencies of radio waves in order to prevent cross-boundary eavesdropping. Wireless networks that have their SSID broadcast disabled are detectable, since they are still transmitting radio signals.

A wireless scanner is able to quickly determine whether there are wireless networks in the area, what frequency and channel they are using, their network name, and what level of encryption is in use. A wireless scanner is also able to discern the MAC addresses of the base station and all connected clients, because the 802.11 MAC header of every frame (management, control, and data) is transmitted in plaintext even with WPA2 encryption; only the payload of data frames is encrypted.

Once a wireless network is discovered, WEP encryption can be compromised in minutes because of its flawed use of RC4 (short, reused initialization vectors combined with a weak key schedule). WPA with TKIP, also based on RC4, is better but has known weaknesses of its own and is deprecated. WPA2 with AES-CCMP has no practical attack against the cipher itself; in practice it is defeated by recovering a weak pre-shared key. The attacker captures the four-way handshake (forcing one, if necessary, by sending deauthentication frames to a connected client) and runs an offline dictionary attack against it. Long random passphrases, or enterprise (802.1X) authentication with per-user credentials, remove that avenue.

Most organizations that are not using a Faraday cage to contain their wireless signals are providing a potential attack avenue to hackers. Even with a WPA-2 encrypted network, an attacker can discover the MAC addresses of all wireless devices, take note of the volume and timing of traffic, and implement effective DoS attacks.

Wireless scanners are used by network administrators to monitor and evaluate the health of their wireless networks. A wireless scanner can be used to confirm WAP configuration, inventory wireless clients, and assist in tracking down rogue or unauthorized wireless devices.

Password cracker

The strength of a password is generally measured in the amount of time and effort required to break the password through various forms of cryptographic attacks. These attacks are collectively known as password cracking or password guessing. A weak password is typically short, uses only lowercase letters or digits, employs dictionary or other common words, or includes user profile–related information such as birthdates, Social Security numbers, and pet names. A strong password is longer, more complex, unique to the account, and changed on a regular basis; of these properties, length adds the most, because every additional character multiplies the space an attacker has to search.

A password is typically stored as its hash. A password hash does not contain the password characters, but it is a representation of the password produced by the hashing algorithm. At each authentication event the system hashes the characters the user presents and compares the result to the stored hash. If the two hashes match, the user is authenticated; if not, they are rejected.

Password hashes are attacked by reverse hash matching: hashing candidate passwords and comparing the results to the stored hashes, either on the fly (brute-force and dictionary attacks) or from a precomputed table (rainbow table attack). These are the methods password-cracking tools implement. A cryptographic hash can’t be reversed or “decrypted,” so storing hashes is generally a secure design. But because the hash algorithm used by commercial software is known (or can be easily discovered), password crackers can be written to exploit the stored password hashes, and a fast unsalted hash such as MD5 or SHA-1 can be tested billions of times per second on commodity graphics cards. Two defenses raise the cost of this attack: a random per-account salt stored with the hash, which makes precomputed tables useless and forces the attacker to repeat all the work for every account, and a deliberately slow password hashing function (bcrypt, scrypt, PBKDF2, or Argon2) that makes each guess expensive.

Passwords are usually stored in a hashed format for the security provided by the one-way process. However, even though it isn’t possible to reverse the hash process directly, it’s possible to reverse-engineer a hash. Reverse-engineering a hash (aka reverse hash matching) is the idea of taking a potential data set, hashing it, and then comparing it to the hash you wish to crack. By repeating that process until it succeeds or the options are exhausted with different potential data sets (possible passwords), the hacker can reveal (crack) passwords.

This form of hashing attack relies on the practical assumption that if two inputs produce the same hash, the inputs are the same. Strictly speaking, a hash function maps many possible inputs to each output, so collisions exist; the assumption holds in practice because, for a sound hash function, finding a different input with the same hash is computationally infeasible. Written informally, H(M)=H(M') is taken to imply M=M'. Note that for authentication the attacker does not even need the original password: any input that produces the matching hash will be accepted.

Weak passwords are short or are otherwise easy to guess. Weak passwords often allow hackers or unscrupulous employees to obtain access to another person’s logon credentials. Compromising weak passwords is possible through a wide variety of attacks, including password guessing or cracking.

Password guessing is an attack aimed at discovering the passwords employed by user accounts. There are several forms of password-guessing attack tools: some attempt to guess passwords by attacking a logon prompt (an online attack, which is slow and can be throttled or locked out by the target), others try to extract password hashes directly from an accounts database, and still others attempt to capture authentication traffic and extract password hashes or challenge-response exchanges out of the network packets. In most cases, the latter two options employ offline reverse hash matching (dictionary, brute-force, or rainbow table attacks) to discover the password used by a user account, and because the guessing happens on the attacker’s own hardware, the target system cannot detect or throttle it.

There are innumerable password-guessing and cracking tools on the Internet. No matter what tool is used to discover passwords, the most important countermeasure against password crackers is to use long, complex passwords and change them on a regular basis.

Password-cracking tools compare hashes from potential passwords with the hashes stored in the accounts database (obtained or stolen through any number of means). Potential passwords are either generated on the fly using all possible combinations of characters or pulled from a precompiled list of passwords (known as dictionary lists). Each potential password is hashed, and that hash value is compared with the accounts database. If a match is found, the password-cracker tool has discovered a password for a user account. Birthday attacks, rainbow table attacks, dictionary attacks, and brute-force attacks, initially described in Chapter 1, are prime examples of password-cracking attacks.
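The reverse hash matching process described above, and the effect of salting on it, can be demonstrated with the standard library. The following is an added example, not code from the book or from any cracking tool: it builds two constructed account stores from the same three fictitious passwords, one holding bare SHA-256 hashes and one holding PBKDF2 hashes with a random per-account salt, then runs the same dictionary against both and counts the hash operations each attack needs. The wordlist, user names, passwords, and the (deliberately low) iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import os

# Constructed wordlist and accounts; none of these are real credentials.
WORDLIST = ["password", "letmein", "123456", "Summer2019", "qwerty", "correcthorse"]
PASSWORDS = {"alice": "Summer2019", "bob": "letmein", "carol": "Tr0ub4dor&3"}
PBKDF2_ROUNDS = 20_000   # kept low so the demo runs in a second; production uses far more


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_unsalted_db(passwords):
    """Store hex(SHA-256(password)): the fast, unsalted scheme rainbow tables target."""
    return {user: sha256_hex(pw.encode()) for user, pw in passwords.items()}


def build_salted_db(passwords, rounds=PBKDF2_ROUNDS):
    """Store (salt, PBKDF2-HMAC-SHA256(password, salt)) with a fresh random salt per account."""
    db = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        db[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex())
    return db


def crack_unsalted(db, wordlist):
    """Reverse hash matching with a precomputed table: hash every candidate once, then
    look up every account's stored hash. Cost is len(wordlist) hashes no matter how many
    accounts the database holds, which is exactly what makes rainbow tables worthwhile."""
    table = {sha256_hex(w.encode()): w for w in wordlist}
    return {user: table.get(h) for user, h in db.items()}, len(wordlist)


def crack_salted(db, wordlist, rounds=PBKDF2_ROUNDS):
    """With a per-account salt no table can be shared: every candidate must be rehashed
    for every account, and each rehash costs `rounds` HMAC iterations."""
    found, hash_ops = {}, 0
    for user, (salt, digest) in db.items():
        found[user] = None
        for w in wordlist:
            hash_ops += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, rounds).hex() == digest:
                found[user] = w
                break
    return found, hash_ops


if __name__ == "__main__":
    cracked, ops = crack_unsalted(build_unsalted_db(PASSWORDS), WORDLIST)
    print("unsalted SHA-256:", cracked, "| fast hash operations:", ops)
    cracked, ops = crack_salted(build_salted_db(PASSWORDS), WORDLIST)
    print("salted PBKDF2:   ", cracked, "| slow hash operations:", ops)
```

Both attacks recover the two passwords that appear in the wordlist and miss the one that does not; what changes is the cost. The unsalted store falls to six hashes regardless of how many accounts it contains, while the salted store costs one slow hash per candidate per account, which is why salting plus a slow hash, not a larger character set, is the stored-password defense that actually scales.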

A password cracker is used by system administrators to stress-test the strength of their users’ passwords. Any password discovered by an administrator-controlled password cracker must be changed to something stronger and more resistant to password-cracking techniques. Password crackers should be used on an isolated offline system in order to prevent attackers from using legitimate password-auditing activities as a means to steal credentials.

Vulnerability scanner

A vulnerability scanner is a tool used to scan a target system for known holes, weaknesses, or vulnerabilities. These automated tools have a database of attacks, probes, scripts, and so on that are run against one or more systems in a controlled manner. Vulnerability scanners are designed to probe targets and produce a report of the findings. They can be used from within a private network to test internal systems directly or from outside the network to test border devices against breaching attacks.

Note that vulnerability scanner is often used as a general term for a tool that performs any sort of security assessment or that could be used in a security evaluation. This is evident in that this term appears multiple times on the objectives list. Here, the term is used to refer to a specific tool that checks for symptoms of weakness. Be sure to consider this on the exam and look for context clues to decipher the intention of a question.

Vulnerability scanners are designed not to cause damage while they probe for weaknesses, but they can still inadvertently cause errors, slower network performance, and downtime. Thus, it’s important to plan their use and prepare for potential recovery actions.

Vulnerability scanners can be commercial products, such as Retina or Nessus, or open-source, such as OpenVAS (which began as a fork of the last open-source Nessus release). Most organizations take advantage of several vulnerability scanners in order to gain the most complete perspective on their security status. Each time a vulnerability scanner is to be used, its plug-ins and vulnerability database should be updated from the vendor, because a scanner can only report the weaknesses it knows how to check for.

A vulnerability scanner should be used on a regular basis to identify vulnerabilities, weaknesses, and misconfigurations in all parts of a company network.

Configuration compliance scanner

A configuration compliance scanner is a form of manually operated NAC. It is a tool that quickly scans a system to check whether approved updates and patches are installed and whether the system is in compliance with security and general system configuration settings.

A configuration compliance scanner should be used by system administrators on a regular basis to check for and monitor the settings status of the devices on the network.

Exploitation frameworks

An exploitation framework is a vulnerability scanner that is able to fully exploit the weaknesses it discovers. It can be an automated or manual exploit assessment tool. For example, Metasploit is an open-source exploitation framework, and Immunity Canvas and Core Impact are commercial exploitation frameworks. Often an exploitation framework allows for customization of the test elements as well as the crafting of new tests to deploy against your environment’s targets.

An exploitation framework does have additional risk compared to that of a vulnerability scanner, as it attempts to fully exploit any discovered weaknesses. Thus, it is important to make sure a reliable backup has been created and that an incident response plan (IRP) is in effect that can recover damaged data or systems promptly. The purpose or goal of an exploitation framework is not to intentionally cause harm, but the thoroughness of the testing philosophy can inadvertently cause data loss or downtime, so exploitation should be scheduled, authorized in writing, and run against production systems only within an agreed maintenance window.

An exploitation framework is an advanced vulnerability scanner that should be used by system administrators and security administrators to stress-test the security stance of the IT infrastructure. Regular scans and evaluations using an exploitation framework will assist IT managers with finding and resolving security concerns before they are discovered by an attacker.

Data sanitization tools

Data sanitization is the concept of removing data from a storage device so that it is no longer recoverable. Standard operating system functions of deletion and formatting leave data remnants behind that can be recovered by undelete data recovery utilities. This is because deletion and formatting only mark storage device sectors as available without actually removing any existing data. Data sanitization overwrites existing data with new data in order to prevent data recovery. The overwriting process can write random data, all 1’s, all 0’s (known as zeroization), or some repeated pattern of 1’s and 0’s. Overwriting is reliable for magnetic disks. On flash media (SSDs, USB drives, memory cards), wear leveling and over-provisioning mean that an overwrite may never reach the physical blocks that still hold old copies of the data, so for such devices use the drive’s built-in secure erase command, cryptographic erase (destroying the key of a self-encrypting drive), or physical destruction instead.

Data sanitization tools should be used by anyone discarding, recycling, or reselling a computer system or storage device. Due to the risk of data remnant recovery and data loss/leakage, all storage devices should be sanitized before they leave your secured environment.

Steganography tools

See the Chapter 6 section “Steganography” for a discussion of this topic.

Honeypot

A honeypot is a fictitious environment designed to fool attackers and intruders and lure them away from the private secured network (see Figure 2.21 ). A honeypot is often deployed as a buffer network between an untrusted network, such as the Internet, business partners, or a DMZ, and the private network. In this position, the honeypot serves as a decoy and distraction for attackers.

Diagram shows three phases such as network attack occurs on firewall, alert detected on IDS system and network traffic rerouted to honeypot or padded cell instead of client machine.

FIGURE 2.21 A network honeypot deceives an attacker and gathers intelligence.

The honeypot looks and acts like a real system or network, but it doesn’t contain any valuable or legitimate data or resources. Intruders may be fooled into wasting their time attacking and infiltrating a honeypot instead of your actual network. All the activity in the honeypot is monitored and recorded.

The purpose of deploying a honeypot is to provide an extra layer of security, specifically a detection mechanism, for your private network and to gather information about attacks and, potentially, sufficient evidence for prosecution against malicious intruders and attackers. A honeypot can often gather sufficient information to determine the identity of the intruder; the type of data, resource, or system being attacked or focused on; and the methods and tools of attack.

Honeypots are effective if they’re easier for a hacker or intruder to find than the real private LAN being protected. They should be modestly secured so they seem like a real network, but not overly secured. The goal is to distract attackers and lure them away from your intranet so you can learn about new attacks and potentially be able to track down criminals for prosecution. If a honeypot seems too easy to access or doesn’t react and behave like a real production network, experienced hackers and intruders won’t be fooled and may be provoked to find and attack your actual production network.

Another form of honeypot is known as a padded cell. Whereas a honeypot is usually a distracting network that is always on, a padded cell is a containment area that is activated only when an intrusion is detected or when an unauthorized command or software launch or execution is attempted.

A honeypot can be used whenever there is a risk of an attacker finding a way to breach a shared resource that is not for public consumption. Honeypots are of little value in front of a public web server or a known email system, but can be effective in front of systems that are not publicly accessible.

Backup utilities

Backup utilities create backups of data onto alternate storage devices. Backups are insurance against data loss. Only when a backup is available can damaged, deleted, or corrupted data be restored. Backup utilities can be configured to perform backups on an automated basis at specific periods or time intervals.

Please see the Chapter 5 section, “Backup concepts,” for details about various types of backups.

Backup utilities should be used to provide a recovery option for data sets, including system and device configurations. Backups should either be continuous or implemented on a periodic basis. Backups are the only available insurance against data loss.

Banner grabbing

Banner grabbing is the process of capturing the initial response or welcome message from a network service. A banner grab occurs when a request for data or identity is sent to a service on an open port and that service responds with information that may directly or indirectly reveal its identity. Often the banner discloses the application’s identity, version information, and potentially much more. A common method of banner grabbing against web servers is to use the telnet client to send a plain-text query. This can be accomplished by opening a command prompt, typing telnet www.apache.org 80, pressing Enter, typing HEAD / HTTP/1.0, and pressing Enter twice more (the blank line ends the request). The server answers with an HTTP response (200 OK in Figure 2.22 ), whose headers often include a Server line that identifies the specific web server product, and frequently its version, in use. Many sites now redirect port 80 to HTTPS, in which case the response is a 301 or 302 rather than 200, but the Server header is still returned; against an HTTPS port the same query can be typed through a TLS client such as openssl s_client. Banner grabbing is a common technique used by both hackers and researchers to learn more about an unknown system across a network connection.

Image described by caption and surrounding text.

FIGURE 2.22 The result of banner grabbing www.apache.org

Banner grabbing can be used when an attacker or an administrator wishes to learn more about a targeted system. If a banner can be retrieved from a target system, it often includes details as to the product and version of the application running on a port as well as information regarding the underlying operating system.
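The two kinds of banner grab, sending a request and reading the answer (HTTP) versus simply reading what the service volunteers on connect (SMTP, SSH, FTP), look like this in code. The following is an added example, not code from the book: it starts two constructed local services on 127.0.0.1, one that answers any HTTP request with a leaky Server header and one that sends an SMTP-style greeting, then grabs and parses both banners. The Server string, the greeting text, and the function names are assumptions chosen for the demonstration, not real hosts.

```python
import socket
import threading


def _serve_once(srv, handler):
    """Accept a single connection on a daemon thread, run handler, then close."""
    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()
    threading.Thread(target=run, daemon=True).start()


def _listen():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def start_fake_http_server(server_header):
    """Constructed target: answers one request with a minimal response that leaks Server."""
    srv = _listen()

    def handler(conn):
        conn.recv(4096)                     # read (and ignore) the client's request
        conn.sendall(("HTTP/1.1 200 OK\r\nServer: " + server_header +
                      "\r\nContent-Length: 0\r\nConnection: close\r\n\r\n").encode())
    _serve_once(srv, handler)
    return srv.getsockname()[1]


def start_fake_greeting_server(greeting):
    """Constructed target for services that talk first (SMTP, SSH, FTP)."""
    srv = _listen()
    _serve_once(srv, lambda conn: conn.sendall(greeting.encode()))
    return srv.getsockname()[1]


def _read_head(sock):
    """Read until the blank line that ends the HTTP headers, the peer closes, or we time out."""
    data = b""
    while b"\r\n\r\n" not in data:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        data += chunk
    return data


def grab_http_banner(host, port, timeout=3.0):
    """Active grab: send the HEAD request the text describes and parse the status line
    and headers. HTTP/1.1 is used so a Host header can be supplied."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        raw = _read_head(s)
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "server": headers.get("server"), "headers": headers}


def grab_greeting(host, port, timeout=3.0):
    """Passive grab: connect and return whatever the service sends unprompted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024).decode("latin-1").strip()
        except socket.timeout:
            return ""


if __name__ == "__main__":
    http_port = start_fake_http_server("Apache/2.4.41 (Unix)")
    print(grab_http_banner("127.0.0.1", http_port))
    smtp_port = start_fake_greeting_server("220 mail.example.com ESMTP Postfix\r\n")
    print(grab_greeting("127.0.0.1", smtp_port))
```

The defensive counterpart is to make grab_http_banner return as little as possible: most web and mail servers have a setting to suppress or genericize the Server line and the greeting, which denies an attacker the version information the banner otherwise hands over.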

Passive vs. active

A passive tool, technique, or technology is one that monitors a situation but doesn’t do anything about it. This can include recording details, launching analysis engines, and notifying administrators. Passive actions or tools don’t affect an event and are unseen (or unnoticed) by the event (or subject of the event).

An active tool, technique, or technology is one that intercedes in a situation in order to alter events or chance outcomes. This can include altering settings, opening or closing ports, rebooting devices, restarting services, launching applications, disconnecting clients, restoring data, and so on. Active actions or tools affect the event and are thus detectable by the event or the subjects of the event.

Passive tools are to be used when monitoring is preferred over reaction, such as when watching allowed activities. Active tools are to be used when response and containment, such as stopping breach attempts, are more important than ongoing information gathering.

Command line tools

Some security tools are command-line tools. Here is a list of some of the command-line tools you should be familiar with for the Security+ exam.

A scenario that might involve the use of several of these tools is during an investigation to seek out a potential rogue system in a private network. The nmap tool can be used to detect the presence of systems by performing an array of port scans. The ping tool can be used to verify that the target’s IP address is active and in use. The tracert command can be used to determine the router closest to the target system. The arp command can be used to determine the MAC address of the rogue system from its IP address. The nslookup or dig tool might be used to determine whether the rogue machine is registered with the directory service’s DNS system. The tcpdump tool can be run to collect packets sent to or received from the target system. And netcat might be used to attempt to connect to any open ports on the target system in order to perform banner grabbing or other information discovery probing activities.

Ping

Internet Control Message Protocol (ICMP) is a network health and link-testing protocol. ICMP operates in Layer 3 as the payload of an IP packet. It’s the protocol commonly used by tools such as ping, traceroute, and pathping. Most uses of ICMP revolve around its echo-request to echo-reply system. ICMP is also used for error announcement or transmission. However, ICMP provides information only when a packet is actually received. If ICMP request queries go unanswered, or ICMP replies are lost or blocked, then ICMP provides no information.

ICMP is also a protocol commonly used for network scanning and malicious attacks. When it’s used as a network-scanning protocol, ping sweeps are used to identify the IP addresses in use. However, because ICMP can be ignored or blocked, this makes it an unreliable host-discovery tool. As for malicious attacks, ICMP abuses include Ping of Death, Smurf, and Loki.

The Ping of Death creates multiple packet fragments that are reassembled on the target to create an ICMP/IP packet that is larger than the maximum valid size of 65,535 bytes. On unprotected systems, this can cause freezing or rebooting.

Smurf abuses ICMP by using it in a flooding attack. An attacker sends ICMP echo requests to the directed broadcast addresses of numerous networks with insecure Internet-accessible router or firewall interfaces. These requests are spoofed so they appear to come from the victim’s IP address. Each recipient of the echo request sends back an echo reply to the victim, causing a flood of traffic to DoS the victim.

Loki is a tool that uses ICMP as an encapsulation or tunnel protocol. Effectively, Loki uses ICMP like an unencrypted VPN. It operates across network boundaries that allow outbound ICMP echo requests and their corresponding inbound echo replies.

ICMP functions or operates around a signaling system known as Type and Code. There are roughly 40 defined types for ICMP; the five most common (and relevant for the Security+ exam) are listed in Table 2.3.

TABLE 2.3 Common ICMP types

ICMP type Description
8 Echo request
0 Echo reply
11 Time exceeded
3 Destination unreachable
5 Redirect

Some types have further detailed designations using codes. For example, Type 3 destination unreachable has 14 codes used to provide more specific detail about the reason or cause of the type. A common example, Type 3, Code 3—which means destination unreachable, destination port unreachable—is the standard response from a closed UDP port when packets are sent to it.

The ping command employs the ICMP Type 8 and Type 0 messages. On the Windows platform, ping sends out four echo requests (Figure 2.23), whereas on most other platforms, such as Linux, it repeats the transmission of an echo request indefinitely until the tool is terminated. If the target system is operating and able to respond, an echo reply is sent back to the requesting system. If the echo reply is received, ping confirms this by displaying messages about the replies, which include the size, round-trip time, and resulting TTL. If no reply is received, the tool displays the error “Request timed out.” A positive result confirms the ability to access the remote system. The “Request timed out” error, however, does not necessarily mean the remote system is offline—it can also mean the system is too busy to respond, the routing to the target is flawed, the system is blocking ICMP, or the system is not responding to ICMP. Thus, using ICMP-based ping is an unreliable means to determine whether a system is present and online.

FIGURE 2.23 The ping command

Experiment with the ping command from your own system’s command prompt. Use the ping -h command to view the syntax details.

ICMP Type 11 (time exceeded), in addition to Types 8 and 0, is used by tracert (see the later section “tracert”). Type 3 is often received when access to a destination is denied or fails. There is usually a code returned with the Type 3 ICMP message that gives more specific information regarding the reason for the failure (https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol). The Type 5 redirect was used to temporarily implement a static route detour, but due to hacker abuses this type is generally ignored by public routers.
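The following Python example is added here and is not code from the book. It decodes the ICMP header described above (Type, Code, and the RFC 1071 checksum) and labels messages using the Table 2.3 types, including the Type 3, Code 3 “port unreachable” reply. The sample messages it builds are constructed for the demonstration, not captured traffic.

```python
import struct

# ICMP types from Table 2.3.
ICMP_TYPES = {
    8: "Echo request",
    0: "Echo reply",
    11: "Time exceeded",
    3: "Destination unreachable",
    5: "Redirect",
}

# A few of the Type 3 codes; Code 3 is the reply a closed UDP port produces.
TYPE3_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    13: "communication administratively prohibited",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (header + payload)."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length message for the 16-bit sum
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum; used here to construct sample messages."""
    body = rest + payload
    checksum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, checksum) + body


def parse_icmp(msg: bytes) -> dict:
    """Decode type, code and checksum validity, and label the message in Table 2.3 terms."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _checksum = struct.unpack("!BBH", msg[:4])
    info = {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(msg) == 0,  # a message with a valid checksum sums to zero
        "meaning": ICMP_TYPES.get(icmp_type, "other/unknown type"),
    }
    if icmp_type in (8, 0):
        # Echo messages carry an identifier and sequence number so replies can be matched to requests.
        info["identifier"], info["sequence"] = struct.unpack("!HH", msg[4:8])
    elif icmp_type == 3:
        info["meaning"] += ": " + TYPE3_CODES.get(code, "code %d" % code)
    if icmp_type in (3, 11):
        # Error messages quote the IP header and first 8 bytes of the datagram that triggered them.
        info["quoted_datagram"] = msg[8:]
    return info


if __name__ == "__main__":
    # Constructed samples: an echo request, the reply a closed UDP port sends, and an expired-TTL notice.
    samples = [
        build_icmp(8, 0, b"\x12\x34\x00\x01", b"abcdefgh"),
        build_icmp(3, 3, payload=b"\x45\x00\x00\x1c" + b"\x00" * 24),
        build_icmp(11, 0, payload=b"\x45\x00\x00\x3c" + b"\x00" * 24),
    ]
    for sample in samples:
        print(parse_icmp(sample))
```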

netstat

The command netstat displays information about TCP sessions of a system. The output options include displaying the source and destination IP address and port number of active connections (Figure 2.24), listing the program associated with a connection, showing traffic bytes, displaying Ethernet statistics, showing the FQDN for external addresses, and displaying the routing table.

FIGURE 2.24 The output of a netstat command

Experiment with the netstat command from your own system’s command prompt. Use the netstat -h command to view the syntax details.

tracert

The command tracert (Windows) or traceroute (Linux) is used to discover the route between a local system and a remote system. tracert uses the ICMP protocol. It sends toward the destination the same ICMP Type 8 echo request that is used by ping, but it manipulates the IP header’s TTL. The first wave of three requests has a TTL of only 1. The first router decrements the TTL by 1 and discovers that the TTL is zero. Once the TTL has reached zero, the router discards the request packet and crafts a new ICMP Type 11 Time Exceeded message, which is sent back to the origin. The origin system uses the source IP address of the Type 11 packet, which is the IP address of a router, in a reverse DNS lookup. If there is a PTR (pointer) record for the IP address, the domain name of the router is displayed along with the IP address. If there is no domain name associated with the IP address, then only the IP address is shown. Each subsequent query has an incremented TTL, which continues until a default maximum of 30 hops is reached or a Type 0 echo reply is received from the target (Figure 2.25).

FIGURE 2.25 The tracert command

Experiment with the tracert command from your own system’s command prompt. Use the tracert -h command to view the syntax details.
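To make the TTL mechanics concrete, the following Python example is added here (it is not code from the book). It models a chain of routers handling echo requests with increasing TTL values, the Type 11 replies from routers, the Type 0 reply from the target, the three probes per wave, the 30-hop default, and the reverse DNS lookup of each replying address. The path, IP addresses, and PTR names are constructed sample data, and a table stands in for the real reverse DNS lookups.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_HOPS = 30          # tracert's default hop limit
PROBES_PER_TTL = 3     # tracert sends three requests per TTL value


@dataclass
class Hop:
    """A router, or the final target, on a constructed path."""
    ip: str
    ptr: Optional[str] = None   # reverse-DNS (PTR) name, if one exists
    responds: bool = True       # a hop that silently drops the probe shows up as '*'


Reply = Optional[Tuple[int, str]]   # (ICMP type, source IP) or None when unanswered


def send_probe(path: List[Hop], ttl: int) -> Reply:
    """Model the routers handling one ICMP Type 8 echo request sent with the given TTL."""
    for index, hop in enumerate(path):
        if index == len(path) - 1:
            # The packet reached the target, which answers with a Type 0 echo reply.
            return (0, hop.ip) if hop.responds else None
        ttl -= 1                      # each router decrements the TTL before forwarding
        if ttl == 0:
            # Expired in transit: the router discards it and sends a Type 11 Time Exceeded
            # message whose source IP is the router's own address.
            return (11, hop.ip) if hop.responds else None
    return None


def tracert(path: List[Hop], max_hops: int = MAX_HOPS) -> List[Tuple[int, str, Optional[str]]]:
    """Run the tracert algorithm: raise the TTL by one per wave until a Type 0 reply arrives."""
    ptr_table = {hop.ip: hop.ptr for hop in path}   # stands in for the reverse DNS lookups
    results = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, ttl) for _ in range(PROBES_PER_TTL)]
        answered = [reply for reply in replies if reply is not None]
        if not answered:
            results.append((ttl, "*", None))       # neither a Type 11 nor a Type 0 came back
            continue
        icmp_type, ip = answered[0]
        results.append((ttl, ip, ptr_table.get(ip)))
        if icmp_type == 0:                         # the target itself answered: stop
            break
    return results


if __name__ == "__main__":
    # Constructed path: two routers (the second has no PTR record) and the target.
    path = [
        Hop("192.0.2.1", "gw.example.net"),
        Hop("198.51.100.9"),
        Hop("203.0.113.7", "www.example.net"),
    ]
    for ttl, ip, name in tracert(path):
        print(f"{ttl:3d}  {name + ' [' + ip + ']' if name else ip}")
```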

nslookup/dig

The command-line tools nslookup and dig are used to perform manual DNS queries. The nslookup tool is found on Windows, and the dig tool is on Linux. These tools initially perform queries against the system’s configured DNS server. However, it is possible to refocus the tools to an alternate DNS server to perform queries.

Experiment with the nslookup and dig commands from your own system’s command prompt. On Windows, the nslookup tool can be used in interactive or noninteractive mode. The interactive mode allows numerous sequential commands to be issued while inside the nslookup interface (Figure 2.26). To launch nslookup in interactive mode, issue the command nslookup and then, to see a list of syntax, enter ?. In noninteractive mode, single commands are issued using command-line syntax. To view the syntax, enter nslookup -?. On Linux, issue the dig -? command to view the syntax of this tool.

FIGURE 2.26 The nslookup tool

arp

The arp command is used to display or manipulate the contents of the ARP cache. The ARP cache shows the current table of associations between a MAC address and an IP address. With the arp tool you can view the current ARP cache (Figure 2.27), delete entries, or add new entries.

FIGURE 2.27 The arp command

Experiment with the arp command from your own system’s command prompt. Use the arp -? command to view the syntax details.

ipconfig/ip/ifconfig

The Windows command-line tool ipconfig is used to display IP configuration and make some modifications to the interface. The ipconfig command can display summary or full interface configurations (Figure 2.28), release a DHCP-assigned IP address, trigger a DHCP renewal of an IP address, purge the DNS cache, and show the contents of the DNS cache.

FIGURE 2.28 The Windows ipconfig command

Experiment with the ipconfig command from your own Windows system’s command prompt. Use the command ipconfig /? to view the syntax details.

The Linux command tools ifconfig and ip are used to manipulate the configuration settings of network interface cards. The ifconfig command is older and is slated to be replaced by the ip command. These tools can be used to show current NIC configuration (Figure 2.29), enable and disable an interface, set an IP address, and remove an IP address. The ip command can be used to perform many other network-related functions, including adding ARP cache entries, showing the routing table, and changing the routing table.

FIGURE 2.29 The Linux ip command

Experiment with the ifconfig and ip commands from your own Linux system’s command prompt. Use the command ifconfig -h or ip -h to view the syntax details.

tcpdump

The command tool tcpdump is a raw packet-capturing utility (Figure 2.30) found on Linux. It can be used to capture packets into a capture file. It supports command-line capture filters in order to collect specific packets. The output capture file can be examined by a number of other tools, including GUI packet analysis utilities such as Wireshark.

FIGURE 2.30 The tcpdump command

Experiment with the tcpdump command from your own system’s command prompt. Use the command tcpdump -h to view the syntax details.

nmap

The command nmap is a network mapper or port scanner. The nmap tool can be used to perform a wide range of network discovery and enumeration functions, including ping sweeping, port scanning (Figure 2.31), application identification, operating system identification, firewall and IDS evasion, and a plethora of script functions to discover details about target applications and OSs. Zenmap is a GUI interface to nmap.

FIGURE 2.31 The nmap tool

Experiment with the nmap command from your own system’s command prompt. Use the command nmap -h to view the syntax details.

netcat

The netcat command is a flexible network utility used to write to or read from TCP and UDP network connections. Its command tool is just nc. This tool can be used to redirect standard input and output over network pathways, even for tools and utilities that do not have network capabilities natively. In addition to redirecting input and output, it can also be used as a basic port scanner (Figure 2.32), perform file transfers, act as a port listener, and even serve as a remote control backdoor.

FIGURE 2.32 The nc (netcat) command

Experiment with the nc command from your own system’s command prompt. Use the command nc -h to view the syntax details. Netcat is getting increasingly difficult to find, as it is no longer a stand-alone project. To get the command, readers will need to either install nmap, which bundles it, or install one of the forks, such as cryptocat.

Exam Essentials

Understand protocol analyzers A protocol analyzer is a tool used to examine the contents of network traffic.

Understand network scanners A network scanner is usually a form of port scanner which adds enumeration techniques in order to inventory the devices found on a network.

Comprehend wireless scanners/crackers A wireless scanner is used to detect the presence of a wireless network. Once a wireless network is discovered, WEP network encryption can be compromised with a wireless cracker in moments, due to its poor implementation of RC4. WPA networks, which are also based on RC4, are better, but their encryption can be cracked in less than 12 hours.

Understand hashing attacks Hashing can be attacked using reverse engineering, reverse hash matching, or a birthday attack. These attack methods are commonly used by password-cracking tools.

Know vulnerability scanners A vulnerability scanner is a tool used to scan a target system for known holes, weaknesses, or vulnerabilities. These automated tools have a database of attacks, probes, scripts, and so on that are run against one or more systems in a controlled manner.

Understand configuration compliance scanners A configuration compliance scanner is a form of manually operated NAC. It is a tool that quickly scans a system to check whether or not approved updates and patches are installed and whether the system is in compliance with security and general system configuration settings.

Be aware of exploitation frameworks An exploitation framework is a vulnerability scanner that is able to fully exploit the weaknesses it discovers.

Understand data sanitization Data sanitization is the concept of removing data from a storage device so that it is no longer recoverable.

Understand honeypots A honeypot is a fictitious environment designed to fool attackers and intruders and lure them away from the private secured network. The purpose of deploying a honeypot is to provide an extra layer of protection for your private network and to gather sufficient evidence for prosecution against malicious intruders and attackers.

Understand backup utilities Backup utilities create backups of data on alternate storage devices.

Know banner grabbing Banner grabbing is the process of capturing the initial response or welcome message from a network service. Often the banner discloses the application’s identity, version information, and potentially much more.

Comprehend a variety of command-line tools You should be familiar with several command-line tools, including ping, netstat, tracert, nslookup/dig, arp, ipconfig/ip/ifconfig, tcpdump, nmap, and netcat.

Understand ICMP Internet Control Message Protocol (ICMP) is a network health and link-testing protocol. It operates in Layer 3 as the payload of an IP packet. ICMP is the protocol commonly used by tools such as ping, traceroute, and pathping.

2.3 Given a scenario, troubleshoot common security issues.

A key component of security management is being able to resolve security issues as they occur. Developing knowledge and skill related to common security issues is not only essential to real-world system management, but is important for the Security+ exam.

Unencrypted credentials/clear text

It is no longer an acceptable practice to allow authentication to take place over a plain-text or clear-text communication channel. All authentication, without exception, should be encrypted. When an authentication mechanism is discovered to be using clear-text transmission, it is important to cease the use of that system until its authentication solution is secured.

All credentials that might have been transmitted over plain text should be changed. A preferred means of securing authentication would be to salt passwords before they are hashed (see the Chapter 6 section “Salt, IV, nonce”), then use a robust transmission encryption system such as TLS, SSH, or IPSec.

When older insecure versions of services, such as FTP (Figure 2.33), Telnet, or even HTTP, are in use, troubleshooting the presence of unencrypted credentials that are transmitted in clear text is valuable. These older protocols and services do not encrypt authentication by default, and thus are a target for an eavesdropping event in which an attacker could discover account credentials.

FIGURE 2.33 A captured plain-text FTP password using Wireshark

Logs and events anomalies

A securely managed environment should be recording logs of all system and user events. When an anomaly in the logged events is discovered, the response should address the specific violation. However, when the anomaly is with the logging system itself, this also requires specific and immediate attention.

When the logging, auditing, and even tracking systems of the environment are malfunctioning, it may be prudent to block all external access to the system until the issue is resolved. If possible, restrict access to the more sensitive and valuable data systems as long as monitoring is not operational.

Promptly determine whether the issue can be resolved from within the current system or if a backup version of the system needs to be restored to re-enable the logging mechanisms.

Be sure to back up and preserve the logs as they currently exist. Verify that proper authorization is still assigned to the services performing the logging and auditing to ensure they can still write to the log files. Verify that there is sufficient storage capacity on the target drives. Recheck that user authorization is properly configured, which typically means that only specific administrators have any level of access to the log files.

If your organization suspects intrusions, other security violations, or simply odd system or application behavior, it would be a good idea to review log files and event records for anomalies. Look for anything that stands out as atypical for the device, system, or network.

Permission issues

Permissions or privileges are abilities granted to users over individual objects, such as files and printers. (By contrast, user rights are abilities granted to users over the operating system, such as the ability to reboot or install device drivers.) It is important to assign permissions so that users have sufficient privileges to accomplish their work tasks, but do not have any substantial additional capabilities. This is known as the principle of least privilege.

When users have too much privilege, the organization is at a higher risk than necessary. When users have too little privilege, they are unable to accomplish their work responsibilities.

To assess permission issues, an administrator first must understand what permissions and privileges a user needs to do their job, and then determine the current effective permissions for the user on the objects they need access to. This is done by accumulating the permissions granted, either through group memberships or to the user account directly, and then removing any denials of permissions. If the resulting effective permissions are not correct for the position, then adjustments need to be made by adding or removing the user from a group or adding or removing user-specific permissions. Permission issues can also be related to users having access to resources they should not. These are addressed by removing any specific user allows, removing a user from a group, removing a group from access, or adding a specific user or group denial for the object.

Troubleshooting permission issues is necessary whenever a user is unable to access a resource that they previously were able to access or that they should be able to access. In large environments, it is common for a user account to be a member of numerous groups. Thus, it is possible that the permissions and privileges granted by one group are removed by another. Review the effective permissions for the affected user on the respective resources and compare the settings to other similar resources that the user is able to access.
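The effective-permissions procedure described in this section, as an added Python example (not code from the book): allows granted to the user directly or through any group are accumulated, every deny is then removed, and a troubleshooting helper reports which entry is responsible for each gap or excess. The user, group, and ACL values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Ace:
    """One access control entry on an object: the principal, allow or deny, and the permissions."""
    principal: str              # a user name or a group name
    allow: bool
    permissions: FrozenSet[str]


def effective_permissions(user: str, groups: Set[str], acl: List[Ace]) -> Set[str]:
    """Accumulate every allow granted to the user directly or through a group, then strip every deny."""
    principals = {user} | set(groups)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(ace.permissions)
    return allowed - denied


def explain(user: str, groups: Set[str], acl: List[Ace]) -> Dict[str, str]:
    """Name the entry responsible for each permission's final state (a deny always wins)."""
    outcome: Dict[str, str] = {}
    principals = {user} | set(groups)
    for ace in acl:
        if ace.principal not in principals:
            continue
        for perm in ace.permissions:
            if not ace.allow:
                outcome[perm] = f"denied by {ace.principal}"
            elif perm not in outcome:
                outcome[perm] = f"allowed by {ace.principal}"
    return outcome


def troubleshoot(user: str, groups: Set[str], acl: List[Ace], required: Set[str]) -> Dict[str, str]:
    """Compare effective permissions with what the job needs and state why each gap or excess exists."""
    effective = effective_permissions(user, groups, acl)
    reasons = explain(user, groups, acl)
    findings: Dict[str, str] = {}
    for perm in required - effective:          # too little privilege: work cannot be done
        findings[perm] = reasons.get(perm, "not granted to the user or any of their groups")
    for perm in effective - required:          # too much privilege: violates least privilege
        findings[perm] = "excess: " + reasons[perm]
    return findings


if __name__ == "__main__":
    # Constructed sample: the ACL of a shared folder and a user in two groups.
    acl = [
        Ace("Finance", True, frozenset({"read", "write"})),
        Ace("Contractors", False, frozenset({"write"})),   # this deny removes what Finance granted
        Ace("alice", True, frozenset({"read", "execute"})),
        Ace("Auditors", True, frozenset({"read", "delete"})),
    ]
    groups = {"Finance", "Contractors"}
    print("effective:", sorted(effective_permissions("alice", groups, acl)))
    print("findings:", troubleshoot("alice", groups, acl, {"read", "write"}))
```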

Access violations

An access violation can be described as either an unauthorized logon event or an unauthorized resource access event, which occurs when a person accesses a system for which they do not have authorization. However, if they performed a valid logon with their credentials, the fault is with the configuration of the authentication and authorization systems. The administrator needs to adjust the configurations to prevent the logon event from occurring in the future.

Similarly, if a valid user is able to access a resource they should not be able to access, this is a failure of authorization. An administrator should reassess and reconfigure the authorization configuration, specifically effective permissions for the user and from the object’s perspective (see the previous section).

Whenever there is an anomaly in system activities, executables or other files that are not authorized appear, or expected files and applications are not present, it is good troubleshooting practice to consider whether access violations have occurred. If an unauthorized local or remote access event has taken place, it may have left behind changes to the system, which may be noticed by attentive administrators or users.

Certificate issues

Certificate issues can be related to a wide range of potential misconfigurations, policy violations, or missing information. If an end user is unable to verify a digital certificate, they might not trust the CA that issued it. If this is the case, the CA should be reviewed to determine if they are an entity worthy of being trusted, and if they are, the CA’s public key should be added to the trusted roots list (TRL) on the client.

If a customer of a CA abuses their certificate by using it in a criminal activity, changing their confirmed identity, or otherwise violating the terms of the certificate policy, then the CA should revoke the certificate.

If an end user is still accepting a revoked certificate, it may be that their client utility is unable to download the certificate revocation list (CRL) or is unable to query the online certificate status protocol (OCSP) service. To resolve this issue, update the client utility and/or alter its configuration to use the correct address of the CA to access these revocation status–checking resources.

Troubleshooting certificate authentication should take place whenever an authentication event fails, especially if the event has been successful previously. Look for any changes to the system, software, configuration, or networking. Review the root CA’s certificate and verify that the subject’s certificate is still valid and has not been revoked.

For more information on certificates and certificate management, please see the Chapter 6 section “Given a scenario, implement public key infrastructure.”

Data exfiltration

When data exfiltration occurs, an outsider or unauthorized entity has gained access to internal data. This is a data loss or data leakage event. To respond to this situation, first determine what information or data was involved and what risk or consequences are likely due to the leakage. Next, address the entity violating the security policy. If they are an employee, this may mean a stern reprimand, a termination, or filing criminal charges. If they are an external entity, filing criminal charges may be the only option. Discover the means by which the exfiltration occurred and implement new countermeasures to prevent the same violation from taking place again.

Troubleshooting data exfiltration should include reviewing logs of user activity, checking authorization settings, and investigating whether new vulnerabilities have been recently discovered related to your systems.

Misconfigured devices

Attackers will take every advantage possible when attempting to violate a target organization. This includes seeking out misconfigured devices to be used as a point of intrusion. A misconfigured device may interfere with normal communications or may allow for security breaches. Troubleshooting misconfigured devices should include evaluating the current settings against the documented settings baseline, checking access logs for recent use or modification, and reviewing vulnerability disclosures for new concerns.

Firewall

A misconfigured firewall may allow communications that were intended to be blocked to cross a network boundary. It is important to carefully review firewall rules to prevent any loopholes from emerging due to complex and conflicting filter entries. Third-party evaluation tools are available that can be used to find mistakes in firewall rule sets.

Other firewall configuration mistakes include not keeping current on updates and patches and failing to manage access to the management interface. Always review and update firewalls promptly whenever a new update is released from the vendor. This will minimize the number of known and exposed vulnerabilities. Always change the default password, but be sure not to use something simple or use the same password across multiple devices. Disable plain text access to the management interface and require encrypted connections. Be sure that only internal systems can initiate connections to the management interface, and block any WAN interface attempts to access the management interface.

Content filter

A content filter can fail when it is not properly or thoroughly checking communications. A content filter should be positioned in a network architecture where it is able to gain access to the plain text payload of the application protocol. Otherwise, if the content filter is unable to view the application protocol payload or the payload is encrypted, the filter will not be properly applied. It is also possible to bypass content filters using alternate encoding techniques, such as Hex or Unicode. Be sure that the content filter is checking not just for direct specific ASCII matches, but also for processed results.

A common oversight in content filtering is to fail to escape metacharacters (see Chapter 1). Be sure that in addition to blocking content that is too long or that matches a known unwanted data set, your content filtering escapes metacharacters so that their programmatic power is removed.
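The following Python example is added here and is not code from the book. It contrasts a filter that matches only the literal ASCII string with one that first produces the processed result (hex/percent decoding, HTML entity decoding, and Unicode NFKC folding), applies the length check and the deny list to that form, and then escapes HTML metacharacters in whatever is allowed through. The deny list and length limit are constructed sample values.

```python
import html
import unicodedata
from urllib.parse import unquote

# Constructed sample rule set: strings the filter must reject, and a length limit.
BLOCKED_TERMS = ("<script", "javascript:")
MAX_LENGTH = 256


def naive_filter(value: str) -> bool:
    """Match the raw ASCII string only; a hex (%3C) or fullwidth Unicode spelling of '<' passes."""
    return any(term in value.lower() for term in BLOCKED_TERMS)


def normalize(value: str) -> str:
    """Produce the processed result the application will actually see: URL-decode until the
    string stops changing, unescape HTML entities, then fold Unicode compatibility forms
    (such as fullwidth punctuation) with NFKC."""
    previous = None
    while value != previous:
        previous, value = value, unquote(value)
    value = html.unescape(value)
    return unicodedata.normalize("NFKC", value)


def hardened_filter(value: str) -> bool:
    """Apply the length check and the deny list to the normalized form, not the raw input."""
    normalized = normalize(value)
    if len(normalized) > MAX_LENGTH:
        return True                                   # reject content that is too long
    return any(term in normalized.lower() for term in BLOCKED_TERMS)


def escape_metacharacters(value: str) -> str:
    """For input that is allowed through, remove the programmatic power of HTML metacharacters."""
    return html.escape(normalize(value), quote=True)


if __name__ == "__main__":
    # Constructed inputs: the same blocked string spelled plainly, in hex, and in fullwidth Unicode.
    for sample in ("<script>", "%3Cscript%3E", "\uff1cscript\uff1e", "quarterly report"):
        print(repr(sample), "naive:", naive_filter(sample), "hardened:", hardened_filter(sample))
```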

Access points

A misconfigured wireless access point is a popular target for attackers seeking to gain access into a private network. Common problems include running out-of-date firmware, leaving default configurations in place, not securing access to the management console, and failing to implement strong authentication and encryption (Figure 2.34). These issues are resolved by installing current firmware, customizing settings (especially security), locking down management interface access to require encryption and strong authentication from a wired connection, and using WPA-2 encryption either with a long and complex PER/PSK password or by leveraging robust multifactor authentication from a network-accessible AAA service using ENT/IEEE 802.1X.

Screenshot shows the settings tab of a TP-Link RE450, which includes options for connecting to 2.4 GHz and 5 GHz wireless networks, extended network, advanced settings, and system tools.

FIGURE 2.34 A WiFi access point with poor security configuration

For more information on wireless security, please see the wireless sections of Chapter 3, “Given a scenario, implement secure network architecture concepts” and Chapter 6, “Given a scenario, install and configure wireless security settings.”

Weak security configurations

Poor or weak security configurations are to be avoided. Old or noncompliant features should be disabled and replaced with current standards-compliant security settings. This may require upgrading equipment, updating firmware, and electing to set more robust configurations that might block older systems from being able to gain access.

Troubleshooting weak security configurations should occur on a regular basis. Every IT device should be evaluated as to its current and preferred configuration state. IT administrators should review baseline security recommendations as well as vulnerability disclosures. Keep in mind that default settings are never secure settings.

Personnel issues

People are always the weakest link in security because they can make mistakes, be fooled into causing harm, or intentionally violate company security. It is important to consider the risks that personnel represent to your organization and implement security strategies to minimize and handle those risks.

Troubleshooting personnel issues should include verifying that all personnel have attended awareness training on standard minimum security activities and requirements, evaluating the use and activity logs of personnel, and determining whether the violation was intentional, coerced, accidental, or due to ignorance.

Policy violation

A policy violation occurs when a user breaks a rule. Users need to be trained on the security policies of the organization and know their specific responsibilities with regard to abiding by security rules. If a violation occurs, an internal investigation should evaluate whether it was an accident or an intentional event. If accidental, the worker needs to be trained on how to avoid the accident in the future, and new countermeasures may need to be implemented. If intentional, the severity of the issue may dictate a range of responses, including retraining, reassignment, and termination.

An example of a policy violation could be the distribution of an internal company memo to external entities via a social network posting. Depending on the content of the memo, this could be a minor violation (such as posting a memo due to hilarious or pointless content according to the worker) or a major issue (such as posting a memo that discloses a company secret).

Insider threat

An insider threat is someone on the inside of your organization who is violating the company security policy. Once an insider threat is identified, they need to be removed from the organization. If necessary, contact law enforcement to file criminal charges. Any resources accessed by the threat agent should be evaluated and re-secured.

An example of an insider threat is when a worker purposely brings malicious code into the building on a USB drive in order to infect the network. Such malware might be destructive, or it may grant remote-control backdoor access to an external entity (whether or not that was the insider’s intention).

Social engineering

Social engineering attacks can range from email communications to face-to-face encounters. Whenever a security breach occurs, an investigation should be performed to determine what was affected and whether the attack is ongoing. Personnel should be retrained to detect and avoid social engineering attacks in the future. If the attack resulted in data leakage or the attacker gaining remote access, those issues need to be addressed. For a data leakage event, the value and risk of the leaked data must be assessed and an appropriate response crafted. For a remote access event, the connection needs to be terminated, any malware removed, and additional defenses installed to prevent the same remote access event from taking place again.

An example of social engineering is when a worker opens an email attachment that was crafted by an attacker to seem like legitimate business communications but was simply a ruse to trick the victim into installing a remote-control service.

Social media

Social media can be a distraction as well as a potential vulnerability to an organization. Workers can easily waste time and system resources by interacting with social media when that task is not part of their job description. The company’s acceptable use policy (AUP) should indicate that workers need to focus on work while at work rather than spending time on personal or non–work-related tasks.

Social media can be a means by which workers intentionally or accidentally distribute internal, confidential, proprietary, or PII data to outsiders. This may be accomplished by typing in messages or participating in chats in which they reveal information that they should have kept secret. This can also be accomplished by distributing or publishing documents from internal file stores. Often social media is a tool used by attackers to initiate or further a social engineering attack.

Responses to social media issues can be to block access to social media sites by adding IP blocks to firewalls and resolution filters to DNS. Violating workers need to be reprimanded or even terminated.

An example of social media abuse is when a worker wastes time on a social media site or app rather than accomplishing their work tasks.

Personal email

Personal email can also serve as a distraction, a means to disclose data to outsiders, or a method by which malware infection can occur. In addition to the steps discussed in the previous sections, it may be necessary to block access to personal email on company equipment.

Unauthorized software

Unauthorized software can be a cause of malware infection or a violation of use licenses. Workers should not be given authority to install software of their choosing; instead users should only be able to use software installed by system administrators. Stand-alone or portable programs can be limited by using whitelisting so that only preapproved executables are allowed to function on a system.

If unauthorized software is discovered on a system, determine who installed the application, and whether it is one of the following:

  • A legitimate application useful for work tasks
  • Potentially malicious
  • Just not work-related

The person should be reprimanded and potentially fired if they have repeatedly violated company policy. If the user circumvented software installation prevention measures, then reinforce those security measures or supplement them with more restrictive prevention techniques.

An example of unauthorized software is when a worker monitors the network in order to collect credentials, PII, or other sensitive data by installing a network sniffer. Troubleshooting unauthorized software should include implementing a whitelisting policy that prohibits the installation or execution of unauthorized code, monitoring execution activity of workers, and tracking abnormal network communications back to their system of origin (which can indicate the use of unauthorized software).

Baseline deviation

All company systems should be operating within expected parameters and compliant with a defined baseline. If a system is determined to be out of baseline, then the system should be removed from the production network in order to investigate the cause. If the deviation was caused by a malicious event, then investigate and respond as discussed in earlier sections. If the deviation was due to normal work-related actions and activities, it may be necessary to update the baseline and/or implement more restrictive system modification policies, such as whitelisting or using static systems. A static system is an environment where users can make either no changes or only temporary and minor changes that are discarded once the user logs out.

License compliance violation (availability/integrity)

License compliance is important to an organization to avoid legal complications. All software in use on company equipment needs to be used in accordance with its license. If software is discovered that is not properly licensed, it should be removed immediately. An investigation should determine how the software made its way onto the system. If the software is needed for a business task, then a proper and valid license should be obtained before reinstalling it.

One common license compliance violation is to purchase a specific number of installation or use licenses for a software product but then accidentally or intentionally install more copies than were licensed. This might be seen as a means to support availability of a business task or resource, but it comes at the cost of the integrity of the organization.

Asset management

Asset management is the process of keeping track of the hardware and software implemented by an organization. This management process is used to ensure that updates, revisions, replacements, and upgrades are properly implemented as well as to make sure that all company assets are accounted for. If asset management fails, new equipment may be obtained unnecessarily when sufficient equipment is already on premises but not inventoried properly. It could also result in loss, theft, or mistakenly discarding equipment misidentified as excess or old that is actually needed for business tasks.

On a regular basis, maybe quarterly or yearly, a manual inventory should be performed in order to compare and adjust any automated or digital inventory and asset management system. If the process shows reliable asset management, the frequency of manual verification can be relaxed.

Authentication issues

Authentication is a key element in system security. Authentication is the first element of AAA services, which also include authorization and accounting. Without reliable authentication, it is not possible to hold users accountable for their actions.

Authentication issues include when user credentials are violated, when a user is impersonated, or when a user is unable to log in. If user credentials are known to have been violated, such as when a user database has been remotely accessed by attackers or user credentials were transmitted in clear text, then all user credentials need to be invalidated and reset.

If a user has been impersonated, the account should be disabled during the investigation. If the issue can be resolved, the credentials on the account can be reset and use returned to the original user. If the violation was severe or criminally related, keep the violated account disabled and create a new account with robust credentials for the user.

If a user was unable to log in, this could be due to an authentication service failure or a communications issue. Rebooting and/or resetting systems should resolve minor problems. The user may have provided the wrong credentials, forgotten them, or attempted to use previous credentials. This may require that the credentials be reset and that the user attempt authentication again. If the user has never attempted authentication from a specific system, check for compatibility issues. If the authentication failure is a new issue, look for anything that may have changed since the last successful logon. Changes to the system, whether intentional and approved or accidental, may be the cause of the problem. Reversing changes or reconfiguring the system may be needed to restore authentication function for the user. It may also be helpful to determine whether the issue is unique to one user or whether some or all other users are affected.

Exam Essentials

Know the issue of unencrypted credentials. It is no longer an acceptable practice to allow authentication to take place over a plain-text or clear-text communication channel. All authentication, without exception, should be encrypted.

Understand access violations. An access violation can be either an unauthorized logon event or an unauthorized resource access event.

Comprehend troubleshooting certificate issues. Certificate issues can be related to a wide range of potential misconfigurations, policy violations, or missing information.

Understand data exfiltration. When data exfiltration occurs, an outsider or unauthorized entity has gained access to internal data. This is a data loss or data leakage event.

Know about personnel issues. People are always the weakest link in security—they can make mistakes, be fooled into causing harm, or intentionally violate company security.

Understand the issue of unauthorized software. Unauthorized software can be a cause of malware infection or a violation of use licenses.

Understand the issue of baseline deviation. All company systems should be operating within expected parameters and compliant with a defined baseline. If a system is determined to be out of baseline, the system should be removed from the production network in order to investigate the cause.

Be aware of the issue of license compliance violation. License compliance is important to an organization in order to avoid legal complications. All software in use on company equipment needs to be used in accordance with its license.

2.4 Given a scenario, analyze and interpret output from security technologies.

Security management includes responding to violations or alerts. Knowing how to respond to the various issues that are detected by your security infrastructure is important to minimize downtime and data loss. This section focuses on the various security tools that may produce output related to security violations.

HIDS/HIPS

A host-based IDS (HIDS) monitors a local machine for symptoms of unwanted activity. See the discussion of HIDS/HIPS earlier in this chapter in the section “NIPS/NIDS.”

The output of a HIDS or HIPS can include alerts or reports. An alert is an indicator of an immediate event that has just occurred or is continuing to occur. After reviewing the contents of the alert, the administrator should formulate a response to address the issue promptly with a focus on minimizing further harm. A report is a record of alerts and other information related to the time frame of monitoring and the systems being monitored. These reports should be reviewed regularly. If serious issues are discovered in a report, actions should be taken to stop further harm and prevention technologies should be implemented to stop a recurrence.

If an intrusion event has taken place, there may be a record of it. By analyzing and interpreting the output of a HIDS/HIPS, we can determine whether an intrusion was attempted, whether the attack was successful, and what systems were targeted by the attacker.

Antivirus

Antivirus software is an essential security application (Figure 2.35 ). It’s one example of a host IDS. It monitors the local system for evidence of malware in memory, in active processes, and in storage. Most antivirus products can remove detected malicious code and repair most damage it causes.


FIGURE 2.35 An antivirus application status page

In order for antivirus software to be effective, it must be kept current with daily signature-database updates. It’s also important to use the most recent engine, because new methods of detection and removal are found only in the most current versions of antivirus software.

The output from an antivirus or antimalware product is an alert or alarm when malware is discovered by the live system monitor, or a report if discovered by the systemwide file scan. A live malware event may cause the antivirus product to respond automatically or prompt the user. Responses may include malware removal or quarantine. Removal of infected files may result in lost data, and quarantine may provide an option for removing the malware elements while retaining the data. If a backup exists, then removal may be preferred, but if there is no backup of the infected files, quarantine is preferred.

Antispam software is a variation on the theme of antivirus software. It specifically monitors email communications for spam and other forms of unwanted email in order to stop hoaxes, identity theft, waste of resources, and possible distribution of malicious software. Some antivirus software products include an antispam component. An antispam product may produce a brief report of the messages it discarded or quarantined. However, in most cases the user will need to view the contents of the quarantined spam folder to see what was identified as suspicious.

Spyware monitors your actions and transmits important details to a remote system that spies on your activity. For example, spyware might wait for you to log in to a banking website and then transmit your username and password to the creator of the spyware. Alternatively, it might wait for you to enter your credit card number on an e-commerce site and then transmit the number to a fraudster to resell on the black market.

Adware, although quite similar to spyware in form, has a different purpose. It uses a variety of techniques to display advertisements on infected computers. The simplest forms of adware display pop-up ads on your screen while you surf the Web. More nefarious versions may monitor your shopping behavior and redirect you to competitor websites.

In both cases, you need an antispyware scanner to detect, remove, and repel spyware and adware. Some antivirus products include antispyware features. However, it may be a good idea to run an antispyware scanner that comes from a vendor different from the antivirus scanner vendor. The output of antispyware and anti-adware products is very similar to that of antivirus products.

When a system is infected by a known malware, the antivirus should detect the unwanted code and initiate either a removal or a quarantining of the offending file(s). The output from an antivirus tool can be analyzed and interpreted in order to understand what specific form of malware was detected and the response performed by the protection software.

File integrity check

File integrity checking is the activity of comparing the current hash of a file to the stored/previous hash of a file. A file integrity checking utility will either display an alert or produce a report of the files that do not pass their hash-based integrity check. When a file’s integrity is violated, the response should be to replace the file with a valid version from backup. Review the log files to determine the source of the change, and then take appropriate action to prevent the reoccurrence of the integrity violation.

The output of a file integrity check utility can be analyzed and interpreted in order to understand which files did not have integrity. With this knowledge, it may be possible to review file change logs to determine when the files were modified and what person or software performed the modifications.
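An added example of the check described above, written for this chapter rather than taken from the book or any product: it records a SHA-256 baseline of a directory tree, stores it as JSON, and later reports which files were modified, went missing, or appeared. The directory layout, file names and contents in demo() are constructed for the illustration.

```python
"""File integrity check: compare current file hashes with a stored baseline."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB blocks so large files do not load into memory


def sha256_file(path):
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Hash every regular file under root; keys are POSIX-style paths relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline, path):
    """Persist the baseline; in practice this file belongs on read-only or WORM storage."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def check_integrity(root, baseline):
    """Compare the tree under root with the stored baseline.

    Returns a dict with sorted lists: 'modified' (hash differs), 'missing'
    (in baseline but gone) and 'added' (present but not in baseline).
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def format_report(result):
    """Render the check result as the kind of report a file integrity tool would emit."""
    lines = [f"{kind.upper():8} {p}" for kind in ("modified", "missing", "added")
             for p in result[kind]]
    return "\n".join(lines) if lines else "OK: all files match baseline"


def demo():
    """Constructed scenario: baseline a small tree, store it, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as d:
        monitored = Path(d) / "fs"          # the subtree being protected
        (monitored / "etc").mkdir(parents=True)
        (monitored / "bin").mkdir()
        (monitored / "etc" / "app.conf").write_text("listen=127.0.0.1\n")        # constructed
        (monitored / "bin" / "service").write_bytes(b"\x7fELF-constructed-v1")    # constructed
        baseline_path = Path(d) / "baseline.json"  # kept outside the monitored tree
        save_baseline(build_baseline(monitored), baseline_path)

        # Simulated changes since the baseline was taken.
        (monitored / "etc" / "app.conf").write_text("listen=0.0.0.0\n")           # modified
        (monitored / "bin" / "service").unlink()                                  # missing
        (monitored / "bin" / "extra").write_bytes(b"\x7fELF-constructed-v2")      # added
        return check_integrity(monitored, load_baseline(baseline_path))


if __name__ == "__main__":
    print(format_report(demo()))
```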

Host-based firewall

A host-based or personal software firewall is a security application that is installed on client systems. A client firewall is used to provide protection for the client system from the activities of the user and from communications from the network or Internet. A personal firewall must be kept current with patches and updates. It can often limit communications to approved applications and protocols and can usually prevent externally initiated connections.

The output of a host-based firewall may be to prompt the user whether or not to grant outbound communication privileges to a software program or alert the user of an attempt to violate existing inbound and outbound firewall rules. If a valid program is requesting network access, it can be granted. But if network access is not authorized or the program is unknown, this request should be denied.

Analyzing and interpreting the output of a host-based firewall can determine if intrusion or DoS attacks were attempted against the host or if host software attempted to egress the system to attack other systems.

Application whitelisting

Application whitelisting is a security option that prohibits unauthorized software from executing. Whitelisting is also known as deny by default or implicit deny. In application security, whitelisting prevents any software, including malware, from executing unless it’s on the preapproved exception list: the whitelist. This is a significant departure from the typical device-security stance, which is to allow by default and deny by exception (also known as blacklisting).

Due to the growth of malware, an application whitelisting approach is one of the few options remaining that shows real promise in protecting devices and data. However, no security solution is perfect, including whitelisting. All known whitelisting solutions can be circumvented with kernel-level vulnerabilities and application configuration issues.

A whitelisting solution may produce an output report detailing the attempts to launch unapproved software and a record of each approved software’s execution. This report can be used to determine whether additional software needs to be added to the whitelist or its existing approved applications should be reconsidered.

Application whitelisting may produce logs regarding the attempts of users to execute software that is not included on the approved list. Analyzing and interpreting this output can help determine whether additional software needs to be approved or whether users are attempting to perform unauthorized tasks for personal benefit or attempt work tasks for which they are not trained, skilled, or authorized.
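An added example of analyzing such output, not code from the book or from any whitelisting product: it parses a constructed, hypothetical log format and applies two triage rules from the paragraphs above, treating an executable blocked for several different users as a candidate for approval and a user with several distinct blocked executables as a candidate for review. The thresholds and the "user-writable path" markers are assumptions for the illustration.

```python
"""Triage of application-whitelisting logs (constructed format, not a real product's)."""
import re
from collections import defaultdict

# Constructed sample output of a hypothetical whitelisting agent, one event per line.
SAMPLE_LOG = r"""
2024-05-02T09:14:03Z host=ws17 user=jdoe action=BLOCKED exe=C:\Tools\reportgen.exe
2024-05-02T09:15:10Z host=ws22 user=asmith action=BLOCKED exe=C:\Tools\reportgen.exe
2024-05-02T09:16:45Z host=ws09 user=bwong action=BLOCKED exe=C:\Tools\reportgen.exe
2024-05-02T10:02:11Z host=ws17 user=jdoe action=ALLOWED exe=C:\Windows\System32\notepad.exe
2024-05-02T11:30:00Z host=ws31 user=mlee action=BLOCKED exe=C:\Users\mlee\Downloads\util_a.exe
2024-05-02T11:31:08Z host=ws31 user=mlee action=BLOCKED exe=C:\Users\mlee\AppData\Local\Temp\util_b.exe
2024-05-02T11:35:19Z host=ws31 user=mlee action=BLOCKED exe=C:\Users\mlee\Downloads\util_c.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"action=(?P<action>[A-Z]+)\s+exe=(?P<exe>.+?)\s*$"
)

# Assumed markers of locations an ordinary user can write to (a common policy trigger).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\", "\\temp\\")


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped rather than crashing triage."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def launched_from_user_writable_path(exe):
    low = exe.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage(events, approval_threshold=3, review_threshold=3):
    """Summarize blocked executions into approval candidates and users to review.

    approval_threshold: distinct users blocked on the same executable before it
        is treated as a likely legitimate tool missing from the whitelist.
    review_threshold: distinct blocked executables for one user before that user's
        activity is flagged for follow-up.
    """
    users_per_exe = defaultdict(set)
    exes_per_user = defaultdict(set)
    untrusted = []
    blocked = allowed = 0
    for e in events:
        if e["action"] != "BLOCKED":
            allowed += 1
            continue
        blocked += 1
        users_per_exe[e["exe"]].add(e["user"])
        exes_per_user[e["user"]].add(e["exe"])
        if launched_from_user_writable_path(e["exe"]):
            untrusted.append((e["user"], e["exe"]))
    return {
        "blocked": blocked,
        "allowed": allowed,
        "approval_candidates": sorted(
            exe for exe, users in users_per_exe.items() if len(users) >= approval_threshold),
        "users_to_review": sorted(
            user for user, exes in exes_per_user.items() if len(exes) >= review_threshold),
        "untrusted_launches": untrusted,
    }


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    print(f"blocked={summary['blocked']} allowed={summary['allowed']}")
    print("consider approving:", summary["approval_candidates"])
    print("review users:", summary["users_to_review"])
    for user, exe in summary["untrusted_launches"]:
        print(f"  {user} launched from user-writable path: {exe}")
```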

Removable media control

Removable media drives, and removable storage in general, are considered both a convenience and a security vulnerability. The ability to add storage media to and remove it from a computer system makes it more versatile. However, using removable media also makes the hosted content vulnerable to data theft and malicious code planting.

Removable media include the electronic, logical, and digital storage mechanisms listed in the following sections as well as printed materials. When media are no longer needed, they should be properly destroyed to prevent disclosure of sensitive and confidential information to unauthorized entities. For example, failing to destroy printouts or burned CDs may provide dumpster-diving attackers with treasures.

Tape is a removable medium commonly used for backup purposes. It’s a form of sequential storage, so data elements are written and read in sequential order rather than semi-randomly as with hard drives. Tape media often support larger storage capacities than most removable media, excluding hard drives. This makes them suited for backup operations.

Recordable compact disks (CD-Rs) include the wide range of optical media that can be written to. These include CD-R, CD-RW, DVD-R, DVD-RW, Blu-ray Disc recordable (BD-R), and numerous other variants. Writable CDs and DVDs are often inappropriate for network backups due to their size (a maximum of 650 MB for CD-R/RW and 4 GB or more for DVD-R/RW), but they’re useful for personal (home) or client-level backups. BD-Rs have a capacity of 25 GB to 50 GB, which can prove useful in some environments (such as SOHO), but they aren’t a widely implemented solution. Regardless, the data on a CD isn’t protected and thus is vulnerable to unauthorized access if you don’t maintain physical control over the media.

Hard drives are usually thought of as a computer’s permanent internal storage device. This is true, but hard drives are also available in removable formats. These include hard drives that are plugged into the case or attached by SCSI, eSATA, USB, or IEEE 1394 (FireWire) connections with their own external power-supply connections.

Diskettes, or floppies, are removable media that can store only a small amount of data (about 1.4 MB). However, even though they’re small, they represent a significant security threat to a protected environment if they get into the wrong hands—not to mention the possibility that they can be used to introduce malware onto a system. Although this type of storage media is becoming less common, it is still a security concern when present.

A flashcard, or memory card, is a form of storage that uses EEPROM or NVRAM memory chips in a small-form-factor case. Flashcards often use USB connectors or are themselves inserted into devices, such as MP3 players and digital cameras. Some flashcards are almost as small as a quarter and are therefore easy to conceal.

Smartcards can be used for a wide variety of purposes. They can be used as an authentication factor (specifically, as a Type 2 authentication factor, commonly known as something you have). When used as such, the smartcard hosts a memory chip that stores a password, PIN, certificate, private key, or digital signature. The authentication system uses this stored data item to verify a user’s identity. Smartcards are used as an authentication mechanism by networks, portable computers, PDAs, satellite phones, Public Key Infrastructure (PKI) devices, and more. A smartcard can even function as a credit card (like the American Express Blue card).

A smartcard can also be used as a storage device. Most smartcards have a limited amount of storage, but sometimes, being able to move a few kilobytes of data is all someone needs to steal something of great value. Account numbers, credit card numbers, and a user’s private key are all small items that can be very valuable.

Any removable media can typically be secured using file-by-file encryption or whole-drive encryption (Figure 2.36 ). This may let you move the media from place to place with reasonable assurance that the stored data can’t be easily accessed if lost or stolen.

Screenshot shows VeraCrypt volume creation wizard which includes radio buttons to create encrypted file container, encrypt non-system partition or drive and encrypt system partition or entire system drive.

FIGURE 2.36 VeraCrypt, a drive encryption tool

Removable media controls are used to prohibit and monitor the use of portable storage devices. These tools should create a log of the use of valid and approved devices as well as any attempts to use unauthorized devices. Such controls may create audit logs of allowed and attempted/denied use of various media. These logs can be analyzed and interpreted in order to track down users who are violating company policy or attempting to perform unauthorized activities, such as data leakage or inappropriate data storage or sharing.

Advanced malware tools

Advanced malware tools may relate to scanners that include ransomware, rootkits, and potentially unwanted programs (PUPs) in their detection database. A PUP can include any type of questionable software, such as sniffers, password crackers, network mappers, port scanners, and vulnerability scanners. Although these are all legitimate applications for authorized administrators, they are unlikely to be approved tools for standard users.

When an advanced malware tool detects an unapproved executable, it will alert the administrator. The tool should also initiate an automated removal or quarantine whenever possible. In some cases, automated removal is not possible, so an administrator will have to address the concern manually. The specific steps to be performed are based on the type of malicious code or unwanted software discovered and what effect it has had on the system so far. In the worst-case scenarios, the current system will be removed from the production network, drives may be replaced, and a new secure and safe system image will be restored.

The output of advanced malware tools can be analyzed and interpreted to discover business tasks that are exposing the organization to infection as well as to pinpoint which users are performing risky behaviors.

Patch management tools

Patch management is the formal process of ensuring that updates and patches are properly tested and applied to production systems. Security is always a moving target. A system that is secure today may be vulnerable tomorrow. New methods of attacks, new attack tools, new viruses, new weaknesses, accidents in your environment, and much more can cause new risks, threats, and vulnerabilities at any time. Staying vigilant in the face of new security issues is essential in today’s business environment. One method for staying as secure as possible is to install updates from vendors.

Using vendor updates to OSs, applications, services, protocols, device drivers, and any other software is the absolute best way to protect your environment from known attacks and vulnerabilities. Not all vendor updates are security related, but any error, bug, or flaw that can be exploited to result in damaged data, disclosure of information, or obstructed access to resources should be addressed.

The best way to keep your systems updated is by using a good patch-management system that includes the following steps:

  1. Watch vendor websites for information about updates.
  2. Sign up for newsletters, discussion groups, or notifications.
  3. Download all updates as they’re made available. Be sure to verify all downloads against the vendor-provided hashes.
  4. Test all updates on nonproduction systems.
  5. Document changes to your test systems, and plan the implementation on production systems.
  6. Back up production systems before implementing updates.
  7. Implement updates on production systems.
  8. Evaluate the effect of the updates on the production systems.
  9. If negative effects are discovered, roll back the update.

Patch management can be implemented via a manual process, or you can use an intelligent software tool to automate this essential activity. An example of intelligent patch-management software for Windows environments is Microsoft’s Windows Server Update Services (WSUS) software. WSUS provides administrators with a centralized means of patch management, distribution, and installation. There are similar product solutions for other OSs and mixed-OS environments. Although security involves more than just patch management, security management requires that patches and updates are properly installed.

A hotfix is often a single-issue update (however, there are some multi-issue hotfixes) that corrects a single problem. Hotfixes aren’t as thoroughly tested as other updates—they’re quickly designed and released to deal with immediate issues and problems. You should install them if you’re experiencing the problem they’re designed to correct or if you’re threatened by the vulnerability they’re designed to address.

Service packs are collections of hotfixes and other previously unreleased updates and features as a single entity. They’re thoroughly tested and generally should be applied to all systems once they’re made available. Service packs may be cumulative, so you need to apply only the most recent service pack to keep your systems current. When a service pack isn’t cumulative, it requires a specific base level of previous patches before it can be applied.

A patch is an update that corrects programming flaws that cause security vulnerabilities. Patches are single-issue utilities that are more thoroughly tested than hotfixes.

The output from a patch management tool will be a report indicating that monitored systems are or are not in compliance with the approved updates. Some patch management systems may be able to automatically apply approved patches, whereas others require the administrator to install updates manually.

UTM

An all-in-one security appliance is a hardware device designed to operate inline between an Internet connection and a network. Its goal is to detect and filter all manner of malicious, wasteful, or otherwise unwanted traffic. These devices can be called security gateways or unified threat management (UTM) systems. They’re implemented to perform firewall, IDS, IPS, and NATing functions and to provide DoS protection, spam filtering, virus scanning, privacy protection, web filtering, spyware blocking, and activity tracking. Some all-in-one security appliances also provide server-side services for hosting web applications and wireless security features.

For some organizations, a single product that provides so many features is a cost-saving measure. In other environments, especially larger enterprises, it may not be the optimum choice.

Since a UTM is a combination of products, the output of the UTM will either be unique reports from each of the subfeatures or a single report with an amalgamation of results from all tools. Responses to the UTM report should be based on the specific item discovered and will follow the same procedures as discussed earlier in this section.

DLP

Data loss prevention (DLP) is the system designed to reduce and/or prevent data loss or data leakage to external unauthorized entities. If a violation of DLP occurs, its report should indicate the data that was involved, the user(s) related to the breach, and the applications involved in the exfiltration.

The response to a DLP issue is to evaluate the value of the leaked asset to determine the severity or priority of the response. It may dictate that legal proceedings be started against the internal and external entities involved with the violation. The user involved with violating DLP restrictions may need to be retrained, have their job privileges reduced, and potentially be terminated. The applications and systems that enabled the loss event to occur need to be adjusted to block the reoccurrence of the violation. This might be an indicator that the existing DLP solution is insufficient and needs additional buttressing.

Data execution prevention

Data execution prevention (DEP) is a memory security feature of many operating systems aimed at blocking a range of memory abuse attacks, including buffer overflows. DEP blocks the execution of code stored in areas of memory designated as data-only areas. However, DEP is not foolproof and some forms of buffer overflow attacks are unhampered by it.

When DEP fails, there may not be any specific official output, log, or report of the situation. Some DEP solutions may create a memory abuse attempt log, but it may not record events that were designed to specifically violate the DEP protections. Often the only result is when an administrator happens to notice that malware or unauthorized code is executing on a system where DEP was present. The response should be to terminate the offending code and remove it from the system. If the means by which the code gained execution access to the system is determined, then additional patches or filters should be installed to prevent the exploitation of the same process.

Web application firewall

A web application firewall is a device, server add-on, virtual service, or system filter that defines a strict set of communication rules for a website and all visitors. It’s intended to be an application-specific firewall to prevent cross-site scripting, SQL injection, and other web application attacks.

A related device is the web security gateway, which is a web-content filter (often URL and content keyword–based) that also supports malware scanning. In most cases, a web security gateway is implemented by an organization to provide better enforcement of employee web activity policies. Some web security gateways incorporate non-web features as well, including instant messaging (IM) filtering, email filtering, spam blocking, and spoofing detection.

URL filtering, also known as web filtering, is the act of blocking access to a site based on all or part of the URL used to request access. URL filtering can focus on all or part of a fully qualified domain name (FQDN), specific path names, specific filenames, specific file extensions, or entire specific URLs. Many URL-filtering tools can obtain updated master URL block lists from vendors as well as allow administrators to add or remove URLs from a custom list.

Content inspection is the security-filtering function in which the contents of the application protocol payload are inspected. Often such inspection is based on keyword matching. A master blacklist of unwanted terms, addresses, or URLs is used to control what is or isn’t allowed to reach a user.

Malware inspection is the use of a malware scanner (also known as an antivirus scanner or spyware scanner) to detect unwanted software content in network traffic. If malware is detected, it can be blocked or logged and/or trigger an alert.

Many firewalls, especially application firewalls and proxies, include URL filtering, content inspection, and malware inspection as additional security features.

Application-aware devices are security devices, such as firewalls, IDSs, IPSs, and proxies, that operate at the higher layers of the protocol stack in order to provide focused security filtering and analysis of the content of specific communications. Such devices are designed around a specific application or service, such as the Web, email, IM, file transfers, database interactions, and so on. Often, application-aware devices are able to provide deep content inspection and filtering based on their focus on specific applications and protocols.

The output of a web application firewall or web security gateway is similar to that of a firewall, IDS, or UTM. The output may be a real-time alert or an after-the-fact report. The output should be evaluated and appropriate responses determined, as discussed in prior sections of this chapter.

Exam Essentials

Understand antivirus software. Antivirus software is an essential security application. Antivirus software is one example of a host IDS. It monitors the local system for evidence of malware in memory, in active processes, and in storage.

Comprehend file integrity checking. File integrity checking is the activity of comparing the current hash of a file to the stored/previous hash of a file.

Understand host-based firewalls. A host-based or personal software firewall is a security application that is installed on client systems. A client firewall is used to provide protection for the client system from the activities of the user and from communications from the network or Internet.

Know about application whitelisting. Application whitelisting is a security option that prohibits unauthorized software from executing. Whitelisting is also known as deny by default or implicit deny.

Understand removable media control. Removable media drives, and removable storage in general, are considered both a convenience and a security vulnerability. The ability to add storage media to and remove it from a computer system makes it more versatile. However, using removable media also makes the hosted content vulnerable to data theft and malicious code planting.

Understand advanced malware tools. Advanced malware tools may relate to scanners that include ransomware, rootkits, and potentially unwanted programs (PUPs) in their detection database.

Be aware of patch management tools. Patch management is the formal process of ensuring that updates and patches are properly tested and applied to production systems.

Understand UTMs. An all-in-one security appliance or unified threat management (UTM) is a hardware device designed to operate inline between an Internet connection and a network. Its goal is to detect and filter all manner of malicious, wasteful, or otherwise unwanted traffic.

Understand DLP. Data loss prevention (DLP) is the system designed to reduce the occurrence of and/or prevent data loss or data leakage to external unauthorized entities. If a violation of DLP occurs, its report should indicate the data that was involved, the user(s) related to the breach, and the applications involved in the exfiltration.
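The content-inspection core of a DLP rule, as an added example that is not from this book: outbound message bodies are scanned for payment card numbers, each candidate is validated with the Luhn checksum so that ordinary 16-digit numbers (order references, timestamps) do not trigger the rule, and every hit records what the report above calls for, the data involved (masked), the user, and the application that carried it. The messages, user names and application names are constructed; 4111111111111111 is a well-known Luhn-valid test number, not a real card.

```python
"""Minimal DLP content inspection for payment card numbers (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class Violation:
    user: str
    application: str
    data: str  # masked PAN


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def inspect_message(user: str, application: str, body: str) -> list[Violation]:
    return [Violation(user, application, mask(p)) for p in find_pans(body)]


# Constructed sample traffic. The first number is 16 digits but fails Luhn;
# the second is the classic Luhn-valid test PAN.
SAMPLE_MESSAGES = [
    ("alice", "webmail", "Invoice ref 1234567890123456 attached, thanks."),
    ("bob", "smtp", "Card on file: 4111 1111 1111 1111, exp 12/29"),
    ("carol", "chat", "Nothing sensitive here."),
]


def run_sample() -> list[Violation]:
    out: list[Violation] = []
    for user, app, body in SAMPLE_MESSAGES:
        out.extend(inspect_message(user, app, body))
    return out


if __name__ == "__main__":
    for v in run_sample():
        print(f"DLP violation: user={v.user} app={v.application} data={v.data}")
```

A production DLP engine layers more on this (document fingerprints, keyword dictionaries, file-type and encryption detection), but the pattern-plus-validator structure is what keeps the false-positive rate tolerable.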

Know about DEP. Data execution prevention (DEP) is a memory security feature of many operating systems, backed by the processor's no-execute (NX/XD) page attribute, that marks the stack, heap, and other data areas of memory as non-executable. DEP does not stop a buffer overflow from corrupting memory; what it blocks is the classic follow-on step of jumping into attacker-supplied code that was written into one of those data areas. Attackers then have to reuse code that is already executable (return-oriented techniques), which is why DEP is normally deployed together with address space layout randomization.

Understand web application firewalls. A web application firewall is a device, server add-on, virtual service, or system filter that defines a strict set of communication rules for a website and all visitors. It’s intended to be an application-specific firewall to prevent cross-site scripting, SQL injection, and other web application attacks.

2.5 Given a scenario, deploy mobile devices securely.

Mobile devices are a central part of modern life and business operations. Whether mobile devices are brought into the organization by employees or are provided by the company, mobile device security is just as important as the security of mission-critical servers and standard endpoint network access devices.

Connection methods

Mobile devices may support a variety of connection options. These may be network connections that link to an external provider, such as a telco, or to the local private network. A basic understanding of each concept is important for the Security+ exam.

For any organization, it is important to consider the scenarios where workers are in need of reliable communications. These may be standard in-office employees, telecommuters, or even those on location at a client’s facility. Only consider deploying those services that can provide reliable and secure (encrypted) communications.

Cellular

A cellular network or a wireless network is the primary communications technology that is used by many mobile devices, especially cell phones and smartphones. The network is organized around areas of land called cells, which are centered around a primary transceiver, known as a cell site, cell tower, or base station. Cellular communications can support audio, text, and data transmissions. The services provided over cellular networks are often referred to by a generational code, which is only loosely defined, such as 2G, 3G, and 4G (with 5G just starting to be implemented in 2017). These generational terms are used to refer to the communications technology deployed by each subsequent improvement of the networks. For example, 2G refers to Global System for Mobile Communications (GSM), which is still used to support a majority of audio communications; 3G refers to Universal Mobile Telecommunications System (UMTS); and 4G refers to Long-Term Evolution (LTE).

Generally, cellular traffic is encrypted only over the air, between the handset and the base station, and the strength of that encryption depends on the generation and the carrier (the GSM A5/1 cipher used by many 2G networks, for example, has long been publicly broken). Once the traffic leaves the base station it travels over the carrier's backhaul and core network in whatever form the carrier chooses, and the carrier itself can read it. So treat the cellular link as an untrusted network: do not rely on it for sensitive or confidential tasks, and use TLS, a VPN, or an end-to-end encrypted communications application to pre-encrypt communications before they cross it.

WiFi

WiFi or wireless networking was originally defined by the IEEE 802.11 standard. WiFi is a nearly ubiquitous communication scheme available in most homes, offices, and public retail locations, such as restaurants and stores.

More information about wireless networking or WiFi is located earlier in this chapter in the section “Access Points” and in the Chapter 6 section, “Given a scenario, install and configure wireless security settings.”

WiFi is not always encrypted (open networks carry traffic in the clear), and even when WPA2 or similar protection is in use, the encryption covers only the radio link between the portable device and the access point; the access point and every hop behind it see the traffic unencrypted. For end-to-end protection of communications, use a VPN or an encrypted communications application to pre-encrypt communications before transmitting them over WiFi.

SATCOM

SATCOM, or satellite communication, is a means of audio and data transmission using orbiting satellites (Figure 2.37). SATCOM devices benefit from nearly complete service coverage, thanks to the broad footprint of a signal transmitted from 100+ miles above the surface of the planet. The data transmission speeds and latency of SATCOM are rather poor compared to those of terrestrial solutions, but it may be the only available option in many remote locations.


FIGURE 2.37 Satellite communications for voice and data

SATCOM communications are encrypted in most cases to prevent eavesdropping from others elsewhere in the transmission footprint of the signal from the satellite. However, the encryption is only applied to the communication between the portable device and the satellite and between the satellite and the ground station. Once the communication reaches the ground station, it is likely then transmitted over a landline, cellular, or data connection in plain text form. Always pre-encrypt any sensitive communications before sending them over a SATCOM connection.

Bluetooth

Bluetooth is specified by the Bluetooth Special Interest Group (the early specification was also adopted as IEEE 802.15.1) and uses the 2.4 GHz band, which is shared with some forms of WiFi. Link-layer encryption is part of the specification, but its strength depends on how the devices were paired. Pairing is a means of loosely associating devices with each other: legacy pairing relies on a PIN, often a fixed default such as 0000 or 1234 on headsets and other peripherals that have no keypad, which makes the resulting key trivially guessable; Secure Simple Pairing instead uses a numeric comparison or a six-digit passkey displayed on one device that must be confirmed or typed on the other. Bluetooth is generally a short-distance communication method, but that distance is based on the power class and antennas of the paired devices. Standard or official use of Bluetooth ranges up to 100 meters; 10 meters is most common, and an attacker with a directional antenna can reach well beyond either figure.

Bluetooth is vulnerable to a wide range of attacks, including bluesniffing, bluesmacking, bluejacking, bluesnarfing, and bluebugging. Please see the Chapter 1 sections “Bluejacking” and “Bluesnarfing.”

Bluetooth link encryption, where it is in effect, is only as strong as the pairing that established the key, and it ends at the Bluetooth transmitter/receiver on each end of the wireless signal; it is not end-to-end. Do not rely on it to protect sensitive or confidential transactions. Use an application that encrypts the data itself before it reaches the Bluetooth stack, or an alternate means of communication that can provide encrypted transactions.

NFC

Near field communication (NFC) is a standard to establish radio communications between devices in close proximity. It lets you perform a type of automatic synchronization and association between devices by touching them together or bringing them within inches of each other. See the Chapter 1 section "NFC" for more.

NFC itself provides no encryption or authentication at the link layer; its protection comes from its range of a few centimeters and from the application-layer protocols built on top of it (a contactless payment, for example, carries its own cryptographic protocol between the card or phone and the payment network). Eavesdropping from a short distance with a good antenna and relay attacks have both been demonstrated, but because NFC is used for brief, small exchanges rather than ongoing bulk transfer, as WiFi, cellular, or even Bluetooth are, the exposure is correspondingly limited.

ANT

ANT is a proprietary protocol owned by Garmin that is an open access multicast sensor network technology. It uses the 2.4 GHz frequency band to support interactions between sensor devices and management devices (such as a smartphone). It is similar in nature to Bluetooth LE (Low Energy), but with a primary focus on gathering data from low-power and low-bit-rate sensors. ANT is found in many fitness trackers, heart rate monitors, watches, cycling meters, and pedometers.

ANT offers the ability to encrypt communications, but it is not always enabled. Some implementations of ANT, such as ANT+, do not offer any encryption options because they focus on cross-vendor interoperability rather than security. Similar to NFC, ANT has limited risk due to its current use limitations. However, always be cautious when using any plain text communications system.

Infrared

Infrared is not as common a communication technology as radio-based wireless is for modern devices. However, there are still plenty of infrared implementations; they often revolve around cameras transmitting imagery to printers or storage devices, or remote controls of cameras, video systems, A/V systems, and environmental sensors. Infrared is a line-of-sight system and can be easily interrupted. Infrared communications are typically in plain text. It is unlikely you will use infrared communications; if you do, however, be cautious of transmitting valuable or sensitive data. Some modern mobile phones continue to include an infrared port for use as a transmitter for controlling televisions and other A/V entertainment equipment.

USB

USB (Universal Serial Bus) is a standard for connecting peripheral devices and primary computers over a wired link. USB is almost always a connection option for devices manufactured since 2000. There are a range of specifications and adapter/connection variations. Although USB is an easy-to-use mechanism for exchanging data between devices, it does not provide any security over the data transfer. Once devices are connected via USB, they typically appear in standard file management tools as USB storage devices, where reading and writing of data can take place. The main mitigations are that USB requires physical access to the device, and that a screen-locked device with storage encryption normally refuses data transfer over USB (it may still charge) until the user unlocks it and, on current mobile operating systems, explicitly trusts the connected computer. Only when the screen lock is cleared does the USB port become enabled for data exchange.

Mobile device management concepts

Smartphones and other mobile devices present an ever-increasing security risk as they become more and more capable of interacting with the Internet as well as corporate networks. Mobile devices often support memory cards and can be used to smuggle malicious code into or confidential data out of organizations. Mobile devices often contain sensitive data such as contacts, text messages, email, and possibly notes and documents. The loss or theft of a mobile device could mean the compromise of personal and/or corporate secrets.

Mobile devices are becoming the target of hackers and malicious code. It’s important to keep nonessential information off portable devices, run a firewall and antivirus product (if available), and keep the system locked and/or encrypted (if possible).

Many mobile devices also support USB connections to perform synchronization of communications and contacts with desktop and/or notebook computers as well as the transfer of files, documents, music, video, and so on.

Additionally, mobile devices aren’t immune to eavesdropping. With the right type of sophisticated equipment, most mobile phone conversations can be tapped into—not to mention the fact that anyone within 15 feet can hear you talking. Be careful what you discuss over a mobile phone, especially when you’re in a public place.

A wide range of security features are available on mobile devices. However, support for a feature isn’t the same thing as having a feature properly configured and enabled. A security benefit is gained only when the security function is in force. Be sure to check that all desired security features are operating as expected on your device.

When personally owned devices are allowed to enter and leave a secured facility without limitation, oversight, or control, the potential for harm is significant. Most portable electronics, especially mobile phones, audio players, and digital cameras, can be used as storage devices. This can allow malicious code to be brought in or sensitive data secreted out. Additionally, any device with a camera feature can take photographs of sensitive information or locations. A device owned by an individual can be referenced using any of these terms: portable device, mobile device, personal mobile device (PMD), personal electronic device or portable electronic device (PED), and personally owned device (POD).

Mobile device management (MDM) is a software solution to the challenging task of managing the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting. Many MDM solutions support a wide range of devices and can operate across many service providers. You can use MDM to push or remove apps, manage data, and enforce configuration settings both over the air (across a carrier network) and over WiFi connections. MDM can be used to manage company-owned devices as well as personally owned devices (such as in a bring-your-own-device [BYOD] environment).

Device security is the range of potential security options or features that may be available for a mobile device. Not all portable electronic devices (PEDs) have good security features. But even if devices have security features, they’re of no value unless they’re enabled and properly configured. Be sure to consider the security options of a new device before you make a purchase decision.

Application management

Application control or application management is a device management solution that limits which applications can be installed onto a device. It can also be used to force specific applications to be installed or to enforce the settings of certain applications, in order to support a security baseline or maintain other forms of compliance. Using application control can often reduce exposure to malicious applications by limiting the user’s ability to install apps that come from unknown sources or that offer non–work-related features.

Although security features must be enabled to have any beneficial effect, it’s just as important to remove apps and disable features that aren’t essential to business tasks or common personal use. The wider the range of enabled features and installed apps, the greater the chance that an exploitation or software flaw will cause harm to the device and/or the data it contains. Following common security practices, such as hardening, reduces the attack surface of mobile devices.

In addition to managing the security of mobile devices, you need to focus on the applications and functions used on those devices. Most of the software security concerns on desktop or notebook systems apply to mobile devices just as much as common-sense security practices do.

Content management

Content management is the control over mobile devices and their access to content hosted on company systems as well as controlling access to company data stored on mobile devices. Typically an MCM (mobile content management) system is used to control company resources and the means by which they are accessed or used on mobile devices. An MCM can take into account a device’s capabilities, storage availability, screen size, bandwidth limitations, memory (RAM), and processor capabilities when rendering or sending data to mobile devices.

The goal of a content management system for mobile devices is to maximize performance and work benefit while reducing complexity, confusion, and inconvenience. An MCM may also be tied to an MDM to ensure secure use of company data.

Remote wipe

Remote wipe or remote sanitation is to be performed if a device is lost or stolen. A remote wipe lets you delete all data and possibly even configuration settings from a device remotely. The wipe process can be triggered over mobile phone service or sometimes over any Internet connection (Figure 2.38). However, a remote wipe isn't a guarantee of data security. Thieves may be smart enough to prevent connections that would trigger the wipe function (removing the SIM, or keeping the device in a shielded bag) while they dump out the data. Additionally, on a device without storage encryption the remote wipe is usually just a deletion of user data and a reset back to factory conditions, and a skilled thief may be able to undelete data files afterward. The way to make remote wipe effective is to keep the mobile device's storage encrypted: a wipe of an encrypted device discards the encryption keys, so an undelete operation recovers only ciphertext that the attacker cannot decode.

[Screenshot: the Google Find My Device page, with Play Sound, Lock, and Erase options and a map showing where the Pixel XL device was located.]

FIGURE 2.38 The remote wipe (erase) function available through Google Find My Device

Geofencing

Geofencing is the designation of a specific geographical area that is then used to implement features on mobile devices. A geofence can be defined by GPS coordinates, wireless indoor positioning system (IPS), or presence or lack of a specific wireless signal. A device can be configured to enable or disable features based on a geofenced area. For example, a geofence may trigger a mobile device to disable WiFi and the camera while in a company building, or it might enable mobile payments once the user enters a retail store.
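The two kinds of fence mentioned above, a GPS-defined area and the presence of a particular wireless network, evaluated against a feature policy, as an added example that is not from this book. A circular GPS fence uses the great-circle (haversine) distance from a center point; a wireless fence checks whether a named SSID is visible. The coordinates, radius, SSID and feature policy are all constructed for illustration.

```python
"""Geofence evaluation for a mobile device feature policy (added example)."""
from __future__ import annotations

import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class CircleFence:
    """GPS fence: inside if within radius_m of the center."""
    name: str
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat: float, lon: float) -> bool:
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


@dataclass(frozen=True)
class SsidFence:
    """Wireless fence: inside if a specific network is visible to the device."""
    name: str
    ssid: str

    def contains(self, visible_ssids: set[str]) -> bool:
        return self.ssid in visible_ssids


# Constructed fences: a 300 m circle around a company building and a retail
# store identified by its guest network.
HQ = CircleFence("hq-campus", 37.4220, -122.0841, 300.0)
STORE = SsidFence("retail-store", "ACME-Store-Guest")

# Feature settings that apply while inside each fence; DEFAULTS apply otherwise.
DEFAULTS = {"camera": True, "wifi": True, "mobile_payments": False}
POLICY = {
    HQ.name: {"camera": False, "wifi": False},   # no photos or WiFi on campus
    STORE.name: {"mobile_payments": True},       # payments only at the store
}


def evaluate(lat: float, lon: float, visible_ssids: set[str]) -> dict[str, bool]:
    """Return the effective feature settings for the device's current context."""
    settings = dict(DEFAULTS)
    if HQ.contains(lat, lon):
        settings.update(POLICY[HQ.name])
    if STORE.contains(visible_ssids):
        settings.update(POLICY[STORE.name])
    return settings


if __name__ == "__main__":
    print(evaluate(37.4221, -122.0840, set()))                 # on campus
    print(evaluate(37.4300, -122.0841, {"ACME-Store-Guest"}))  # at the store
```

A fence decided from the device's own GPS fix or WiFi scan is only as trustworthy as that device: GPS can be spoofed and an SSID can be broadcast by anyone, so geofencing suits convenience and policy nudges rather than hard enforcement of security-critical controls.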

Geolocation

Geolocation or geotagging is the ability of a mobile device to include details about its location in any media created by the device. Geolocation data is commonly used in navigation tools and by many location-based services, such as offering discounts or coupons to nearby retail stores.

Many mobile devices include a GPS chip to support and benefit from localized services, such as navigation, so it’s possible to track those devices. The GPS chip itself is usually just a receiver of signals from orbiting GPS satellites. However, applications on the mobile device can record the GPS location of the device and then report it to an online service. You can use GPS tracking to monitor your own movements, track the movements of others (such as minors or delivery personnel), or track down a stolen device. But for GPS tracking to work, the mobile device must have Internet or wireless phone service over which to communicate its location information.

Mobile devices with GPS support enable the embedding of geographical location in the form of latitude and longitude as well as date/time information on photos taken with these devices. This allows a would-be attacker (or angry ex) to view photos from social networking or similar sites and determine exactly when and where a photo was taken. This geotagging can be used for nefarious purposes, such as determining when a person normally performs routine activities.

Once a geotagging photo has been uploaded to the Internet, a potential cyberstalker may have access to more information than the uploader intended. This is prime material for security-awareness briefs for end users.


Screen locks

A screen lock is designed to prevent someone from casually picking up and being able to use your phone or mobile device. However, most screen locks can be unlocked by swiping a pattern or typing a number on a keypad display. Neither of these is truly a secure operation. Screen locks may have workarounds, such as accessing the phone application through the emergency calling feature. And a screen lock doesn’t necessarily protect the device if a hacker connects to it over Bluetooth, wireless, or a USB cable.

Screen locks are often triggered after a timeout period of non-use. Most PCs auto-trigger a password-protected screen saver if the system is left idle for a few minutes. Similarly, many tablets and mobile phones trigger a screen lock and dim or turn off the display after 30–60 seconds. The lockout feature ensures that if you leave your device unattended or it’s lost or stolen, it will be difficult for anyone else to be able to access your data or applications. To unlock the device, you must enter a password, code, or PIN; draw a pattern; offer your eyeball or face for recognition; scan your fingerprint; or use a proximity device such as a near-field communication (NFC) or radio-frequency identification (RFID) ring or tile.

Push notification services

Push notification services are able to send information to your device rather than having the device (or its apps) pull information from an online resource. Push notifications are useful in being notified about a concern immediately, but they can also be a nuisance if they are advertising or spam. Many apps and services can be configured to use push and/or pull notifications. Consider the benefits and trade-offs of each application and whether allowing push notifications is worth the distraction.

Passwords and pins

A strong password or passcode is worthwhile on a mobile device only to the extent that the lock actually gates every access path. The screen lock gates the touchscreen, but a device that still answers over Bluetooth, wireless, or a USB cable while locked can be read around it. The feature to look for is a lock that also blocks those data paths until the device is unlocked, triggered automatically after a period of inactivity or on manual initiation. In practice this benefit is obtained when you enable both a device password and storage encryption, so that stored data remains unreadable until the password has released the encryption key.

You should consider any means that reduces unauthorized access to a mobile device. Many MDM solutions can force screen-lock configuration and prevent a user from disabling the feature.

Authentication on or to a mobile device is often fairly simple, especially for mobile phones and tablets. However, a swipe or pattern access shouldn’t be considered true authentication. Whenever possible, use a password, provide a PIN, offer your eyeball or face for recognition, scan your fingerprint, or use a proximity device such as an NFC or RFID ring or tile. These means of device authentication are much more difficult for a thief to bypass. As mentioned previously, it’s also prudent to combine device authentication with device encryption to block access to stored information via a connection cable.

Lockout on a mobile device is similar to account lockout on a company workstation. When a user fails to provide their credentials after repeated attempts, the account or device is disabled (locked out) for a period of time or until an administrator clears the lockout flag.

Mobile devices may offer a lockout feature, but it’s in use only if a screen lock has been configured. Otherwise, a simple screen swipe to access the device doesn’t provide sufficient security, because an authentication process doesn’t occur. Some devices trigger ever longer delays between access attempts as a greater number of authentication failures occur. Some devices allow for a set number of attempts (such as three) before triggering a lockout that lasts minutes. Other devices trigger a persistent lockout and require the use of a different account or master password/code to regain access to the device.

Biometrics

Biometrics are a convenient means of authenticating to mobile devices. However, they are not as accurate as we may wish them to be. A password must match exactly; otherwise, an authentication attempt is rejected, but a biometric only has to satisfy an approximation of the reference profile of the stored biometric value. This is why your finger does not have to be oriented in the same way each time, nor does the same exact part of your finger have to be located on the sensor. Even when you train the device for your biometric factor, the device takes numerous samples from your selected body part to create the reference profile. Most of the biometric sensors on mobile devices are rather simple and can be fooled by false versions of the biometric factor. If someone lifts your fingerprint off a smooth surface, like a drinking glass or tabletop, they can create a gummy equivalent. Many facial recognition systems can be fooled by photos of the valid subjects.

Thus, biometrics should not be employed as the only means or mechanism to authenticate to a device. If the device holds highly valuable and sensitive content, then don’t use single-factor biometrics. Instead use a biometric only as one element of a multifactor authentication.

If single-factor biometric authentication is desired, configure biometric lockout to engage after two or three failed attempts, and then have the fallback authentication be a long, complex password.
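The lockout behaviour described above (biometric attempts capped at two or three before falling back to a passcode, growing delays between passcode failures, and a persistent lockout that an administrator must clear) expressed as a small state machine. This is an added example, not code from this book or from any device vendor; the thresholds are assumptions, time is passed in explicitly so the policy can be exercised without waiting, and PBKDF2 stands in for the hardware-backed key derivation a real device performs in its secure element.

```python
"""Lock-screen lockout policy as a state machine (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

BIO_MAX_FAILS = 3       # biometric attempts before falling back to the passcode
DELAY_AFTER = 5         # passcode failures before delays begin
DELAY_BASE_S = 30.0     # first delay; doubles on each further failure
HARD_LOCK_AFTER = 10    # passcode failures that trigger a persistent lockout


def derive(passcode: str, salt: bytes) -> bytes:
    """Slow hash so brute force is costly even if the stored value leaks."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


@dataclass
class DeviceLock:
    salt: bytes
    passcode_hash: bytes
    bio_fails: int = 0
    pw_fails: int = 0
    not_before: float = 0.0     # earliest time a passcode attempt is accepted
    hard_locked: bool = False

    @classmethod
    def enrol(cls, passcode: str) -> DeviceLock:
        salt = os.urandom(16)
        return cls(salt, derive(passcode, salt))

    def biometrics_allowed(self) -> bool:
        return not self.hard_locked and self.bio_fails < BIO_MAX_FAILS

    def try_biometric(self, sensor_matched: bool) -> str:
        """The sensor's verdict is untrusted input: once biometrics are disabled,
        even a 'match' (which could be a gummy finger or a photo) is ignored."""
        if not self.biometrics_allowed():
            return "passcode_required"
        if sensor_matched:
            self._reset()
            return "unlocked"
        self.bio_fails += 1
        return "retry" if self.biometrics_allowed() else "passcode_required"

    def try_passcode(self, passcode: str, now: float) -> str:
        if self.hard_locked:
            return "hard_locked"
        if now < self.not_before:
            return "delayed"        # not checked at all; right or wrong, wait it out
        if hmac.compare_digest(derive(passcode, self.salt), self.passcode_hash):
            self._reset()
            return "unlocked"
        self.pw_fails += 1
        if self.pw_fails >= HARD_LOCK_AFTER:
            self.hard_locked = True
            return "hard_locked"
        if self.pw_fails >= DELAY_AFTER:
            self.not_before = now + DELAY_BASE_S * 2 ** (self.pw_fails - DELAY_AFTER)
            return "delayed"
        return "retry"

    def admin_clear(self) -> None:
        """Administrator or MDM action that clears a persistent lockout."""
        self.hard_locked = False
        self._reset()

    def _reset(self) -> None:
        self.bio_fails = 0
        self.pw_fails = 0
        self.not_before = 0.0


if __name__ == "__main__":
    lock = DeviceLock.enrol("correct horse battery")
    print([lock.try_biometric(False) for _ in range(3)])   # third fail: passcode required
    print(lock.try_passcode("correct horse battery", 0.0))  # unlocked, counters reset
```

Note that a correct passcode entered during a delay window is rejected without being checked; that is deliberate, since the delay exists to bound the attacker's guess rate, not to reward a lucky guess.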

Context-aware authentication

Context-aware authentication is an improvement on traditional authentication means. Contextual authentication evaluates the origin and context of a user’s attempt to access a system. If the user originates from a known trusted system, such as a system inside the company facility, then a low-risk context is present and a modest level of authentication is mandated for gaining access. If the context and origin of the user is from an unknown device and/or external/unknown location, the context is high risk. The authentication system will then demand that the user traverse a more complex multifactor authentication gauntlet in order to gain access. Context-aware authentication is thus an adaptive authentication that may be able to reduce the burden of authentication during low-risk scenarios but thwart impersonation attempts during high-risk scenarios.
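The adaptive policy described above, as an added example that is not from this book: each login attempt is scored from the signals the text names (whether the device is a known, enrolled one and whether the request comes from inside the company network), plus two common extras, a change of country since the last login and an out-of-hours attempt, and the score selects how many factors the user must present, up to an outright deny. The device inventory, corporate address ranges, thresholds and weights are constructed; a real deployment takes the first two from the MDM and the identity provider.

```python
"""Context-aware (adaptive) authentication policy (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed MDM inventory: enrolled device ID -> owning user.
KNOWN_DEVICES = {"dev-7f3a": "alice", "dev-91c0": "bob"}
# Constructed company address space (RFC 1918 and a documentation range).
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(7, 20)   # local hours during which logins are expected


@dataclass(frozen=True)
class Attempt:
    user: str
    device_id: str
    src_ip: str
    country: str      # geolocated from src_ip by an upstream service (assumed)
    local_hour: int   # 0-23


def risk_score(a: Attempt, last_country: str | None) -> tuple[int, list[str]]:
    """Additive risk model: every unfamiliar signal raises the score."""
    score, reasons = 0, []
    if KNOWN_DEVICES.get(a.device_id) != a.user:
        score += 40
        reasons.append("unenrolled device or device belongs to another user")
    ip = ipaddress.ip_address(a.src_ip)
    if not any(ip in net for net in CORP_NETS):
        score += 30
        reasons.append("outside company network")
    if last_country is not None and a.country != last_country:
        score += 20
        reasons.append("country differs from last login")
    if a.local_hour not in BUSINESS_HOURS:
        score += 10
        reasons.append("outside business hours")
    return score, reasons


def required_factors(score: int) -> list[str]:
    """Low risk: password only; rising risk adds OTP, then a hardware key; then deny."""
    if score < 30:
        return ["password"]
    if score < 70:
        return ["password", "otp"]
    if score < 90:
        return ["password", "otp", "hardware_key"]
    return ["deny"]


def decide(a: Attempt, last_country: str | None) -> dict:
    score, reasons = risk_score(a, last_country)
    return {"score": score, "reasons": reasons, "factors": required_factors(score)}


if __name__ == "__main__":
    # Alice at her desk on her enrolled laptop: password alone suffices.
    print(decide(Attempt("alice", "dev-7f3a", "10.4.2.9", "US", 10), "US"))
    # Someone claiming to be Alice from Bob's device, abroad, at 2 a.m.: denied.
    print(decide(Attempt("alice", "dev-91c0", "198.51.100.7", "RO", 2), "US"))
```

The weights are policy, not science; what matters is that the cheap, low-friction path is available only when every signal looks familiar, and that the policy fails closed when several signals disagree at once.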

Containerization

Containerization is the next stage in the evolution of the virtualization trend for both internally hosted systems and cloud providers and services. A virtual machine–based system uses a hypervisor installed onto the bare metal of the host server and then operates a full guest operating system within each virtual machine, and each virtual machine often supports only a single primary application. This is a resource-hungry design that reveals its origins as separate physical machines.

Containerization is based on the concept of eliminating the duplication of OS elements and removing the hypervisor altogether. Instead, each application is placed into a container that includes only the actual resources needed to support the enclosed application. The containers run on a standard shared operating system. There is effectively a hypervisor replacement, generically known as the container engine, but it consumes far fewer resources than the hypervisor, because it simply facilitates OS resource and service access for the containerized applications. Containerization is able to provide 10 to 100 times more application density per physical server than that provided by hypervisor virtualization solutions. The trade-off is isolation: every container shares the host's kernel, so a kernel vulnerability or a misconfigured container boundary exposes every other container on that host, whereas a hypervisor gives each VM its own kernel.

Containerization can be used in relation to mobile devices by hosting the primary OS on a containerization host in the company cloud so that the actual mobile device is only used as a remote control interface to the OS container rather than having the business apps and company data on the device itself.

Storage segmentation

Storage segmentation is used to artificially compartmentalize various types or values of data on a storage medium. On a mobile device, the device manufacturer and/or the service provider may use storage segmentation to isolate the device’s OS and preinstalled apps from user-installed apps and user data. Some mobile device–management systems further impose storage segmentation in order to separate company data and apps from user data and apps. This allows for ownership and rights over user data to be retained by the user, while granting ownership and rights over business data to the organization, even on devices owned by the employee.

Full device encryption

Encryption is often a useful protection mechanism against unauthorized access to data, whether in storage or in transit. Most mobile devices provide some form of storage encryption. When this is available, it should be enabled. However, encryption isn’t a guarantee of protection for data, especially if the device is stolen while unlocked or if the system itself has a known backdoor attack vulnerability.


Enforcement and monitoring for:

Allowing mobile devices to connect to or interact with company networks and resources puts the organization at greater risk. A company should define mobile device security policies that attempt to address and minimize the security issues related to the following list of concerns.

Third-party app stores

The first-party app stores, Apple's App Store and Google Play (Figure 2.39), are reasonable sources for apps for use on the typical or standard iOS and Android smartphone or device. For Android devices, the second-party Amazon Underground app store is also a worthwhile source of apps. However, most other sources of apps for either smart device platform are labeled as third-party app stores. These app stores often have less rigorous rules regarding hosting an app. On Android devices, simply enabling a single setting to install apps from unknown sources allows the use of the Amazon Underground app store as well as any other non-Google source. For Apple iOS devices, you are limited to the official App Store and Apple-signed distribution channels unless you jailbreak or root the device (which is not usually a security recommendation).


FIGURE 2.39 The Google Play app store

When a mobile device is being managed by an organization, especially when using an MDM, most third-party sources of apps will be blocked. Such third-party app sources represent a significant increase in risk of data leakage or malware intrusion to an organizational network.

Rooting/jailbreaking

Rooting or jailbreaking (the special term for rooting Apple devices) is the action of breaking the digital rights management (DRM) security on the bootloader of a mobile device in order to be able to operate the device with root or full system privileges. Most devices are locked in such a way as to limit end-user activity to that of a limited user. But a root user can manipulate the OS, enable or disable hardware features, and install software applications that are not available to the limited user. Rooting may enable a user to change the core operating system or operate apps that are unavailable in the standard app stores. However, this is not without its risks. Operating in rooted status also reduces security, since any executable also launches with full root privileges. There are many forms of malicious code that cannot gain footing on normal mode devices but that can easily take root (pun intended) when the user has rooted or jailbroken their device.

An organization should prohibit the use of rooted devices on the company network or even access to company resources whenever possible. For some, a rooted device may provide benefits that exceed the risks, but such devices should be operated as stand-alone equipment and not as endpoint devices of a company network. Also, even users should consider keeping their personal information and credentials on a normal limited device and employ a second rooted device for those limited occasions when rooting is beneficial.

Rooting a fully owned device is legal as of 2017, but the exemption to the Digital Millennium Copyright Act allowing for this will expire at the end of 2017. If other exemptions or new legislation do not reestablish the legality of rooting devices, then it will become illegal again starting in 2018. Be sure to review the legality of rooting devices before you attempt to do so. The legality of the issue may not change your mind about your decision, but you do need to be aware of the legality of the activity and the potential consequences. If you are caught crafting tools to help others root their devices, this is seen as a much more severe activity than rooting your own device.

Even if rooting is legal, keep in mind that there are still some restrictions. First, it is only legal if you fully own the device; if you are in a one- or two-year contract with a hardware fee, or in a lease-to-own contract, you do not fully own the device until that contract is fulfilled. Thus, it is illegal to root until you fully own the device. Second, legal root does not require a manufacturer, vendor, or telco to honor any warranty. In most cases, any form of system tampering, including rooting, voids your warranty. Rooting may also void your support contract or replacement contract. Third, rooting is actively suppressed by the telcos and some product vendors, Apple being the main example. A rooted device might not be allowed to operate over a telco network, or it might be prohibited from accessing resources, downloading apps, or receiving future updates.

Sideloading

Sideloading is the activity of installing an app onto a device by bringing the installer file to the device through some form of file transfer or USB storage method rather than installing from an app store. Sideloading is not possible on Apple iOS devices unless they are jailbroken. Sideloading is possible on Android devices if Install Apps From Unknown Sources is enabled.

Most organizations should prohibit user sideloading, because it may be a means to bypass security restrictions imposed by an app store or the MDM.

Custom firmware

Mobile devices come preinstalled with a vendor- or telco-provided firmware or core operating system. The firmware can be updated by an upgrade provided by the vendor or telco. If a device is rooted or jailbroken, it can allow the user to install alternate custom firmware in place of the default firmware. Custom firmware may remove bloatware included by the vendor or telco, may add or remove features, and can streamline the OS to optimize performance. There are online discussion forums and communities that specialize in custom firmware for Apple and Android devices, such as xda-developers.com (be careful and include the dash in the name!) and howardforums.com.

An organization should not allow users to operate mobile devices that have custom firmware unless that firmware is preapproved by the organization. Some custom firmware can be returned to a non-rooted state once the firmware install is completed.

Carrier unlocking

Most mobile devices purchased directly from a telco are carrier locked. This means you are unable to use the device on any other telco network until the carrier lock is removed or carrier unlocked. Once you fully own a device, the telco should freely carrier unlock the phone, but you will have to ask for it specifically, as shown in Figure 2.40; they do not do so automatically. If you have an account in good standing and are traveling to another country with compatible telco service, you may be able to get a telco to carrier unlock your phone for your trip so you can temporarily use another SIM card for local telco services.


FIGURE 2.40 The AT&T mobile device unlock request page

Having a device carrier unlocked is not the same as rooting. Carrier unlocked status only allows the switching out of SIMs in order to use the service from another telco (which is technically possible only if your device uses the same radio frequencies as the telco).

A carrier unlocked device should not represent any additional risk to an organization; thus there is likely no need for a prohibition of carrier unlocked devices on company networks.

Firmware OTA updates

Firmware OTA updates are upgrades, patches, and improvements to the existing firmware of a mobile device that are downloaded from the telco or vendor over the air (OTA). Some telcos do not count firmware downloads against data caps, but you may find downloading OTA updates over WiFi to be faster and more reliable anyway. Generally, as a mobile device owner, you should install new firmware OTA updates onto a device once they become available. However, some updates may alter the device configuration or interfere with MDM restrictions. Organizations should attempt to test new updates before allowing managed devices to receive them. There simply may need to be a waiting period established so the MDM vendor can update their management product to properly oversee the deployment and configuration of the new firmware update.

Camera use

The company security policy needs to address mobile devices with onboard cameras. Some environments disallow cameras of any type. This would require that authorized equipment be without a camera. If cameras are allowed, a description of when they may and may not be used should be clearly documented and explained to workers. A mobile device can act as a storage device, provide an alternate wireless connection pathway to an outside provider or service, and also be used to collect images and video that disclose confidential information or equipment.

If geofencing is available, it may be possible to use MDM to implement a location-specific hardware-disable profile in order to turn off the camera (or other components) while the device is on company premises but return the feature to operational status once the device leaves the geofenced area.

SMS/MMS

SMS (Short Messaging Service), also known as texting, and MMS (Multimedia Messaging Service) are communication functions provided by telcos and commonly used on mobile devices. MMS allows for images, video, and potentially other files to be sent to a recipient along with text messages.

SMS and MMS represent generally the same level of risk and benefit as that of email. It is a good idea to block attachments and file exchange, spam filtering is needed (although it may be called SPIM for Spam over Instant Messaging), social engineering defenses need to be established, and users must be trained on avoiding risk and minimizing distractions.

External media

Many mobile devices support removable storage. Some smartphones support microSD cards whereas most larger mobile devices, such as tablets and notebook computers, support SD cards and other media card formats, which can be used to expand available storage on a mobile device. However, most mobile phones require the removal of a back plate and sometimes removal of the battery in order to add or remove a storage card. Larger mobile phones, tablets, and notebook computers may support an easily accessible card slot on the side of the device.

In addition, there are mobile storage devices that can provide Bluetooth- or WiFi-based access to stored data through an onboard wireless interface.

Organizations need to consider whether the use of removable storage on portable and mobile devices is a convenient benefit or a significant risk vector. If the former, proper access limitations and use training are necessary. If the latter, then a prohibition of removable storage can be implemented via MDM.

USB OTG

USB On-The-Go (OTG) is a specification that allows a mobile device with a USB port to act as a host and use other standard peripheral USB equipment, such as storage devices, mice, keyboards, and digital cameras. USB OTG is a feature that can be disabled via MDM if it is perceived as a risk vector for mobile devices used within an organization.

Recording microphone

Most mobile devices with a speaker also have a microphone. The microphone can be used to record audio, noise, and voices nearby. Many devices also support external microphones connected by a USB adapter or a 1/8″ stereo jack. If microphone recording is deemed a security risk, this feature should be disabled using an MDM, or the presence of mobile devices in sensitive areas or meetings should be prohibited.

GPS tagging

GPS tagging is the same as geolocation and geotagging. Please see the earlier section “Geolocation.” This is also a feature that can be disabled using an MDM.

WiFi direct/ad hoc

WiFi Direct is the new name for the wireless topology of ad hoc or peer-to-peer connections. It is a means for wireless devices to connect directly to each other without the need for a middleman base station. WiFi Direct supports WPA-2, but not all devices are capable of supporting this optional encryption scheme. WiFi Direct is used for a wide range of capabilities, including transmitting media for display on a monitor or television, sending print jobs to printers, controlling home automation products, controlling security cameras, and controlling photo frames.

In a business environment, WiFi Direct should only be used where WPA-2 can be used. Otherwise, the plain-text communication presents too much risk.

Tethering

Tethering is the activity of sharing the cellular network data connection of a mobile device with other devices. The sharing of data connection can take place over WiFi, Bluetooth, or USB cable. Some service providers include tethering in their service plans, whereas others charge an additional fee and a few block tethering completely.

Tethering may represent a risk to the organization. It is a means for a user to grant Internet access to devices that are otherwise network isolated, and it can be used as a means to bypass the company’s filtering, blocking, and monitoring of Internet use. Thus, tethering should be blocked while a mobile device is within a company facility.

Payment methods

There are a number of mobile device–based payment systems. Some are based on NFC, others on RFID, some on SMS, and still others on optical camera–based solutions, such as scanning Quick Response (QR) codes. Mobile payments are convenient for the shopper but might not always be a secure mechanism. Users should only employ mobile payment solutions that require a per-transaction confirmation or that require the device to be unlocked and an app launched in order to perform a transaction. Without these precautions, it may be possible to clone your device’s contactless payment signals and perform transaction abuse.

An organization is unlikely to see any additional risk based on mobile payment solutions. However, caution should still be taken when implementing them on company-owned equipment or when they are linked to the company’s financial accounts.
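The restrictions described in the preceding sections (prohibiting rooted devices, sideloading and unapproved custom firmware; treating carrier unlock as harmless; disabling the camera, microphone and tethering while a device is inside a company geofence) are the kind of rules an MDM evaluates against each device's posture report. The following is an added example, not code from this book or from any MDM product, that expresses those rules as a small policy evaluator with a GPS-coordinate geofence. The posture field names, the approved firmware identifiers and the coordinates are all constructed assumptions for the example.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

# Firmware builds the organization has preapproved (hypothetical identifiers).
APPROVED_FIRMWARE = {"vendor-stock-10.1", "vendor-stock-10.2"}

# Hardware features the on-premises profile disables. The text names the camera
# and tethering; the microphone is included here as one more instance of the same mechanism.
ON_PREMISES_DISABLED = ("camera", "microphone", "tethering")


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class Geofence:
    """A circular geofence around company premises, defined by GPS coordinates."""
    name: str
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat, lon):
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


@dataclass
class DevicePosture:
    """Posture fields a hypothetical MDM agent would report (constructed for this example)."""
    device_id: str
    rooted: bool                    # root/jailbreak detected on the device
    unknown_sources_enabled: bool   # Android 'Install apps from unknown sources'
    firmware_id: str
    carrier_unlocked: bool
    lat: float
    lon: float


def evaluate_posture(posture, fences):
    """Apply the policies from the text to one posture report.

    Returns the compliance verdict, the violations that should keep the device
    off the company network, the fences the device is inside, and the feature
    restrictions the MDM profile should push while it is there.
    """
    violations = []
    if posture.rooted:
        violations.append("rooted or jailbroken device")
    if posture.unknown_sources_enabled:
        violations.append("sideloading enabled")
    if posture.firmware_id not in APPROVED_FIRMWARE:
        violations.append(f"unapproved firmware {posture.firmware_id!r}")
    # Carrier unlock is deliberately not a violation: it only changes which
    # telco the SIM talks to, not the trust state of the device.

    inside = [f.name for f in fences if f.contains(posture.lat, posture.lon)]
    restrictions = list(ON_PREMISES_DISABLED) if inside else []
    return {
        "device_id": posture.device_id,
        "compliant": not violations,
        "violations": violations,
        "inside_fences": inside,
        "restrictions": restrictions,
    }


if __name__ == "__main__":
    hq = Geofence("HQ", 37.4220, -122.0841, 200.0)   # constructed coordinates
    report = DevicePosture("dev-001", False, True, "vendor-stock-10.1", True, 37.4221, -122.0840)
    print(evaluate_posture(report, [hq]))
```

The restrictions list is what the MDM would apply as a location-specific profile and lift again once the device reports a position outside every fence; the violations list is what NAC or the MDM would use to deny onboarding.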

Deployment models

A number of deployment models are available for allowing and/or providing mobile devices for employees to use while at work and to perform work tasks when away from the office. However, before discussing these, we’ll look at several additional concerns that a mobile device policy must address regarding the use of a personal or portable electronic device (PED) in relation to the organization’s IT infrastructure and business tasks.

Data Ownership When a personal device is used for business tasks, commingling of personal data and business data is likely to occur. Some devices can support storage segmentation, but not all devices can provide data-type isolation. Establishing data ownership can be complicated. For example, if a device is lost or stolen, the company may wish to trigger a remote wipe, clearing the device of all valuable information. However, the employee will often be resistant to this, especially if there is any hope that the device will be found or returned. A wipe removes all business and personal data, which may be a significant loss to the individual—especially if the device is recovered, because then the wipe would seem to have been an overreaction. Clear policies about data ownership should be established. Some MDM solutions can provide data isolation/segmentation and support business data sanitization without affecting personal data.

The mobile device policy regarding data ownership should address backups for mobile devices. Business data and personal data should be protected by a backup solution—either a single solution for all data on the device or separate solutions for each type or class of data. This reduces the risk of data loss in the event of a remote-wipe event as well as device failure or damage.

Support Ownership When an employee’s mobile device experiences a failure, a fault, or damage, who is responsible for the device’s repair, replacement, or technical support? The mobile device policy should define what support will be provided by the company and what support is left to the individual and, if relevant, their service provider.

Patch Management The mobile device policy should define the means and mechanisms of patch management for a personally owned mobile device. Is the user responsible for installing updates? Should the user install all available updates? Should the organization test updates prior to on-device installation? Are updates to be handled over the air (via service provider) or over WiFi?

Antivirus Management The mobile device policy should dictate whether antivirus, antimalware, and antispyware scanners are to be installed on mobile devices. The policy should indicate which products and apps are recommended for use, as well as the settings for those solutions.

Forensics The mobile device policy should address forensics and investigations as related to mobile devices. Users need to be aware that in the event of a security violation or a criminal activity, their devices might be involved. This would mandate gathering evidence from those devices. Some processes of evidence-gathering can be destructive, and some legal investigations require the confiscation of devices.

Privacy The mobile device policy should address privacy and monitoring. When a personal device is used for business tasks, the user often loses some or all of the privacy they enjoyed prior to using their mobile device at work. Workers may need to agree to be tracked and monitored on their mobile devices, even when not on company property and outside of work hours. A personal device in use under the mobile device policy should be considered by the individual to be quasi-company property.

On-boarding/off-boarding The mobile device policy should address personal mobile device on-boarding and off-boarding procedures. Mobile device on-boarding includes installing security, management, and productivity apps along with implementing secure and productive configuration settings. Mobile device off-boarding includes a formal wipe of the business data along with the removal of any business-specific applications. In some cases, a full device wipe and factory reset may be prescribed.

Adherence to Corporate Policies A mobile device policy should clearly indicate that using a personal mobile device for business activities doesn’t exclude a worker from adhering to corporate policies. A worker should treat mobile equipment as company property and thus stay in compliance with all restrictions, even when off premises and during off hours.

User Acceptance A mobile device policy needs to be clear and specific about all the elements of using a personal device at work. For many users, the restrictions, security settings, and MDM tracking implemented under a mobile device policy will be much more onerous than they expect. Thus, organizations should make the effort to fully explain the details of a mobile device policy prior to allowing a personal device into the production environment. Only after an employee has expressed consent and acceptance, typically through a signature, should their device be on-boarded.

Architecture/Infrastructure Considerations When implementing a mobile device policy, organizations should evaluate their network and security design, architecture, and infrastructure. If every worker brings in a personal device, the number of devices on the network may double. This requires planning to handle IP assignments, communications isolation, data-priority management, increased intrusion detection system (IDS)/intrusion prevention system (IPS) monitoring load, as well as increased bandwidth consumption, both internally and across any Internet link. Most mobile devices are wireless enabled, so this will likely require a more robust wireless network and dealing with WiFi congestion and interference. A mobile device policy needs to be considered in light of the additional infrastructure costs it will trigger.

Legal Concerns Company attorneys should evaluate the legal concerns of mobile devices. Using personal devices in the execution of business tasks probably means an increased burden of liability and risk of data leakage. Mobile devices may make employees happy, but they might not be worthwhile or cost-effective for the organization.

Acceptable Use Policy The mobile device policy should either reference the company acceptable use policy or include a mobile device–specific version focusing on unique issues. With the use of personal mobile devices at work, there is an increased risk of information disclosure, distraction, and accessing inappropriate content. Workers should remain mindful that the primary goal when at work is to accomplish productivity tasks.

BYOD

BYOD is a policy that allows employees to bring their own personal mobile devices to work and use those devices to connect to business resources and/or the Internet through the company network. Although BYOD may improve employee morale and job satisfaction, it increases security risk to the organization. If the BYOD policy is open-ended, any device is allowed to connect to the company network. Not all mobile devices have security features, and thus such a policy may allow noncompliant devices onto the production network.

Users need to understand the benefits, restrictions, and consequences of using their own devices at work. Reading and signing off on the BYOD policy, along with attending an overview or training program, may be sufficient to accomplish reasonable awareness.

COPE

The concept of corporate owned, personally enabled (COPE) means the organization purchases devices and provides them to employees. Each user is then able to customize the device and use it for both work activities and personal activities. COPE allows the organization to select exactly which devices are to be allowed on the organizational network—specifically only those devices that can be configured into compliance with the security policy.

CYOD

The concept of choose your own device (CYOD) provides users with a list of approved devices from which to select the device to implement. A CYOD can be implemented so that employees purchase their own devices from the approved list (a BYOD variant) or the company can purchase the devices for the employees (a COPE variant).

Corporate-owned

A corporate-owned mobile strategy is when the company purchases mobile devices that can support compliance with the security policy. These devices are to be used exclusively for company purposes, and users should not perform any personal tasks on them. This often requires workers to carry a second device for personal use.

VDI

Virtual desktop infrastructure (VDI) is a means to reduce the security risk and performance requirements of end devices by hosting virtual machines on central servers that are remotely accessed by users. VDI has been adopted for mobile devices and has already been widely used on tablets and notebook computers. It is a means to retain storage control on central servers, gain access to higher levels of system processing and other resources, and allow lower-end devices access to software and services beyond their hardware’s capacity.

This has led to virtual mobile infrastructure (VMI), where the operating system of a mobile device is virtualized on a central server. Thus most of the actions and activities of the traditional mobile device are no longer occurring on the mobile device itself. This remote virtualization allows an organization greater control and security than when using a standard mobile device platform. It can also enable personally owned devices to interact with the VDI without increasing the risk profile. This concept requires a dedicated isolated wireless network to keep BYOD devices from interacting directly with company resources other than through the VDI solution.

Exam Essentials

Know the basics of various connection methods. You should have a basic understanding of the various mobile device connection methods, including cellular, WiFi, SATCOM, Bluetooth, NFC, ANT, infrared, and USB.

Understand mobile device security. Device security involves the range of potential security options or features that may be available for a mobile device. Not all portable electronic devices (PEDs) have good security features. PED security features include full device encryption, remote wiping, lockout, screen locks, GPS, application control, storage segmentation, asset tracking, inventory control, mobile device management, device access control, removable storage, and disabling of unused features.

Be familiar with mobile device security management concepts. Smartphones and other mobile devices present an ever-increasing security risk as they become more and more capable of interacting with the Internet as well as corporate networks. Mobile devices are becoming the target of hackers and malicious code. A wide range of security features are available on mobile devices. Mobile device management (MDM) is a software solution to the challenging task of managing the myriad mobile devices that employees use to access company resources.

Understand mobile device application management. Application control or application management is a device management solution that limits which applications can be installed on a device. It can also be used to force specific applications to be installed or to enforce the settings of certain applications in order to support a security baseline or maintain other forms of compliance.

Understand mobile device content management. Content management involves controlling mobile devices and their access to content hosted on company systems, as well as controlling access to company data stored on mobile devices.

Know how to perform a mobile device remote wipe. Remote wipe or remote sanitation should be performed if a device is lost or stolen. A remote wipe lets you delete all data and possibly even configuration settings from a device remotely.

Understand mobile device geofencing. Geofencing is the designation of a specific geographical area, which is then used to implement features on mobile devices. A geofence can be defined by GPS coordinates, a wireless indoor positioning system (IPS), or the presence or lack of a specific wireless signal.

Understand mobile device geolocation. Geolocation or geotagging is the ability of a mobile device to include details about its location in any media created by the device.

Know how to use mobile device screen lock. A screen lock is designed to prevent someone from being able to casually pick up and use your phone or mobile device.

Be familiar with mobile device push notification services. Push notification services are able to send information to your device rather than having the device (or its apps) pull information from an online resource.

Understand mobile device context-aware authentication. Context-aware authentication is an improvement on traditional authentication means. Contextual authentication will evaluate the origin and context of a user’s attempt to access a system.

Be able to describe mobile device containerization. Containerization is the next stage in the evolution of the virtualization trend for internally hosted systems and cloud providers/services. Containerization can be used in relation to mobile devices by hosting the primary OS on a containerization host in the company cloud; then the actual mobile device is used only as a remote-control interface to the OS container, rather than having the business apps and company data on the device itself.

Understand mobile device storage segmentation. Storage segmentation is used to artificially compartmentalize various types or values of data on a storage medium. On a mobile device, the device manufacturer and/or the service provider may use storage segmentation to isolate the device’s OS and preinstalled apps from user-installed apps and user data.

Know the security issues with third-party app stores. Third-party app sources represent a significant increase in risk of data leakage or malware intrusion to an organizational network.

Define rooting and jailbreaking. Rooting or jailbreaking is the action of breaking the digital rights management (DRM) security on the bootloader of a mobile device in order to be able to operate the device with root or full-system privileges.

Understand sideloading. Sideloading is the activity of installing an app on a device by bringing the installer file to the device through some form of file transfer or USB storage method rather than installing from an app store.

Be familiar with custom firmware. Mobile devices come preinstalled with a vendor- or telco-provided firmware or core operating system. If a device is rooted or jailbroken, it can allow the user to install alternate custom firmware in place of the default firmware. Custom firmware may remove bloatware included by the vendor or telco, add or remove features, and streamline the OS to optimize performance.

Understand carrier unlock. Most mobile devices purchased directly from a telco are carrier locked. This means you are unable to use the device on any other telco network until the carrier lock is removed or carrier unlocked.

Know how to use firmware OTA updates. Firmware OTA updates are upgrades, patches, and improvements to the existing firmware of a mobile device that are downloaded from the telco or vendor over the air (OTA).

Define USB OTG. USB On-The-Go (OTG) is a specification that allows mobile devices with a USB port to act as a host and use other standard peripheral USB equipment, such as storage devices, mice, keyboards, and digital cameras.

Define WiFi Direct. WiFi Direct is a means for wireless devices to connect directly to each other without the need for a middleman base station.

Define tethering. Tethering is the activity of sharing the cellular network data connection of a mobile device with other devices. The sharing of data connection can take place over WiFi, Bluetooth, or USB cable.

Understand mobile device application security. The applications and functions used on a mobile device need to be secured. Related concepts include key management, credential management, authentication, geotagging, encryption, application whitelisting, and transitive trust/authentication.

Define BYOD. Bring your own device (BYOD) is a policy that allows employees to bring their own personal mobile devices to work and then use those devices to connect to (or through) the company network to access business resources and/or the Internet. Although BYOD may improve employee morale and job satisfaction, it increases security risks to the organization. Related issues include data ownership, support ownership, patch management, antivirus management, forensics, privacy, on-boarding/off-boarding, adherence to corporate policies, user acceptance, architecture/infrastructure considerations, legal concerns, acceptable use policies, and onboard cameras and video.

Define COPE. COPE stands for corporate owned, personally enabled. It allows the organization to purchase devices and provide them to employees. Each user is then able to customize the device and use it for both work activities and personal activities.

Define CYOD. CYOD stands for choose your own device. This concept provides users with a list of approved devices from which to select the device to implement.

Be familiar with corporate-owned mobile strategies. A corporate-owned mobile strategy is when the company purchases mobile devices that can support compliance with the security policy. These devices are to be used exclusively for company purposes, and users should not perform any personal tasks on the devices.

Understand VDI and VMI. Virtual desktop infrastructure (VDI) is a means to reduce the security risk and performance requirements of end devices by hosting virtual machines on central servers that are remotely accessed by users. This has led to virtual mobile infrastructure (VMI), in which the operating system of a mobile device is virtualized on a central server.

2.6 Given a scenario, implement secure protocols.

A significant improvement in the security stance of an organization can be achieved by implementing secure communications protocols. This section discusses many protocols that can be used to add encryption to communications.

Protocols

TCP/IP is the primary protocol suite in use on the Internet and most private networks across the planet. TCP/IP is a protocol suite that wasn’t originally designed around a global network concept, nor was security a primary feature. However, TCP/IP is the primary protocol used on the Internet, and many security protocols and add-on features are supported by IP and TCP.

General knowledge of the TCP/IP suite is necessary for the Security+ exam, but it’s assumed to be a prerequisite knowledge base primarily derived from the CompTIA Network+ certification. If you aren’t generally versed in TCP/IP, please consult Network+ study materials or research TCP/IP online.

IPv4 is in widespread use with a 32-bit addressing scheme. Most of the public network is still IPv4 based; however, available public IPv4 addresses are scarce. IPv4 (as well as IPv6) operates at the Network layer, or Layer 3, of the OSI protocol stack.

IPv6 was finalized in RFC 2460 in 1998. It uses a 128-bit addressing scheme, eliminates broadcasts and fragmentation, and includes native communication-encryption features. It was enabled officially on the Internet on June 6, 2012. The move to IPv6 is still occurring slowly, but the pace is beginning to increase. To see the progress of worldwide public deployment of IPv6, see Google’s IPv6 Statistics page (Figure 2.41) at https://www.google.com/intl/en/ipv6/statistics.html.


FIGURE 2.41 Google’s IPv6 statistics

There is not a scenario where using a secure protocol would be a bad idea. In every data communication, use a secure protocol if one exists. And if a secure form of a specific protocol does not exist, then configure a VPN between endpoints to run the insecure protocol across in order to gain protection for the transaction.

DNSSEC

The Domain Name System (DNS) is the hierarchical naming scheme used in both public and private networks. DNS links IP addresses and human-friendly fully qualified domain names (FQDNs) together. An FQDN consists of three main parts:

The TLD can be any number of official options, including six of the original seven TLDs—com, org, edu, mil, gov, and net—as well as many newer ones, such as info, museum, telephone, mobi, biz, and so on. There are also country variations known as country codes. (See www.iana.org/domains/root/db/ for details on current TLDs and country codes.) (Note: The seventh original TLD was int, for international, which was replaced by the country codes.)

The registered domain name must be officially registered with one of any number of approved domain registrars, such as Network Solutions or GoDaddy.

The far-left section of an FQDN can be either a single hostname, such as www, ftp, and so on, or a multisectioned subdomain designation, such as server1.group3.bldg5.mycompany.com.

The total length of an FQDN can’t exceed 253 characters (including the dots). Any single section can’t exceed 63 characters. FQDNs can only contain letters, numbers, and hyphens.
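The length and character rules just stated, together with the three-part structure of an FQDN, are easy to encode as an input validator, which is worth having wherever a hostname supplied by a user ends up in a zone file, a certificate request or a log line. The following is an added example, not code from this book; it applies the book's rules (253 characters total, 63 per section, letters, digits and hyphens only) and additionally rejects sections that start or end with a hyphen, a hostname rule from RFC 952/1123 that the text above does not mention. The split follows the book's simple model in which the TLD is the last section and the registered domain is the last two sections; multi-label public suffixes such as co.uk would need the Public Suffix List, which this example deliberately leaves out.

```python
import re

MAX_FQDN_LEN = 253    # total length including the dots
MAX_LABEL_LEN = 63    # any single section
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")   # letters, digits and hyphens only


def validate_fqdn(name):
    """Return the list of rule violations for a name; an empty list means it passes."""
    problems = []
    stripped = name.rstrip(".")   # a trailing dot denotes the root and is not a section
    if len(stripped) > MAX_FQDN_LEN:
        problems.append(f"total length {len(stripped)} exceeds {MAX_FQDN_LEN}")
    labels = stripped.split(".")
    if len(labels) < 2:
        problems.append("an FQDN needs at least a registered domain and a TLD")
    for label in labels:
        if not label:
            problems.append("empty section (consecutive or leading dots)")
        elif len(label) > MAX_LABEL_LEN:
            problems.append(f"section {label!r} exceeds {MAX_LABEL_LEN} characters")
        elif not LABEL_RE.match(label):
            problems.append(f"section {label!r} has characters other than letters, digits and hyphens")
        elif label.startswith("-") or label.endswith("-"):
            # Hostname rule from RFC 952/1123, not stated in the text above.
            problems.append(f"section {label!r} starts or ends with a hyphen")
    return problems


def split_fqdn(name):
    """Split a valid name into the three parts described in the text.

    Simple model: TLD = last section, registered domain = last two sections,
    everything to the left = hostname or multisection subdomain (may be empty).
    """
    problems = validate_fqdn(name)
    if problems:
        raise ValueError("; ".join(problems))
    labels = name.rstrip(".").split(".")
    return {
        "tld": labels[-1],
        "registered_domain": ".".join(labels[-2:]),
        "host": ".".join(labels[:-2]),
    }


if __name__ == "__main__":
    print(split_fqdn("server1.group3.bldg5.mycompany.com"))
    print(validate_fqdn("bad_host.example.com"))
```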

Every registered domain name has an assigned authoritative name server. The authoritative name server hosts the original zone file for the domain. A zone file is the collection of resource records or details about the specific domain. There are dozens of possible resource records (see http://en.wikipedia.org/wiki/List_of_DNS_record_types); the most common are listed in Table 2.4.

TABLE 2.4 Common resource records

Record   Type                        Description
A        Address record              Links an FQDN to an IPv4 address
AAAA     Address record              Links an FQDN to an IPv6 address
PTR      Pointer record              Links an IP address to an FQDN (for reverse lookups)
CNAME    Canonical name              Links an FQDN alias to another FQDN
MX       Mail exchange               Links a mail- and messaging-related FQDN to an IP address
NS       Name server record          Designates the FQDN and IP address of an authorized name server
SOA      Start of authority record   Specifies authoritative information about the zone file, such as primary name server, serial number, timeouts, and refresh intervals
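As an added example (not code from the book), the Go program below applies the FQDN limits given above (253 characters in total, 63 per section, letters, digits and hyphens only) to split a name into its TLD, registered domain and host/subdomain parts, and builds the name queried for a PTR record; the in-addr.arpa reverse-lookup zone it uses is standard DNS but is not named on the page.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// FQDNParts holds the three sections the text describes, read right to left.
type FQDNParts struct {
	TLD    string // rightmost label, e.g. "com"
	Domain string // registered domain name, e.g. "mycompany"
	Host   string // hostname or multisection subdomain, e.g. "server1.group3.bldg5" (may be empty)
}

const (
	maxFQDNLen  = 253 // total length including the dots
	maxLabelLen = 63  // any single dot-separated section
)

// validLabel enforces the per-section rules: 1 to 63 characters drawn from
// letters, digits and hyphens.
func validLabel(label string) error {
	if label == "" {
		return errors.New("empty section (leading, trailing or doubled dot)")
	}
	if len(label) > maxLabelLen {
		return fmt.Errorf("section %q is longer than %d characters", label, maxLabelLen)
	}
	for _, r := range label {
		isLetter := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
		isDigit := r >= '0' && r <= '9'
		if !isLetter && !isDigit && r != '-' {
			return fmt.Errorf("section %q contains disallowed character %q", label, r)
		}
	}
	return nil
}

// ParseFQDN validates name against the length and character limits and splits
// it into TLD, registered domain and host/subdomain. A trailing dot (the DNS
// root) is accepted and stripped first.
func ParseFQDN(name string) (FQDNParts, error) {
	name = strings.TrimSuffix(name, ".")
	if len(name) > maxFQDNLen {
		return FQDNParts{}, fmt.Errorf("FQDN is %d characters, limit is %d", len(name), maxFQDNLen)
	}
	labels := strings.Split(name, ".")
	if len(labels) < 2 {
		return FQDNParts{}, fmt.Errorf("%q lacks a registered domain and TLD", name)
	}
	for _, l := range labels {
		if err := validLabel(l); err != nil {
			return FQDNParts{}, err
		}
	}
	n := len(labels)
	return FQDNParts{
		TLD:    labels[n-1],
		Domain: labels[n-2],
		Host:   strings.Join(labels[:n-2], "."),
	}, nil
}

// ReverseName builds the FQDN a resolver queries for a PTR record: the IPv4
// octets in reverse order under the in-addr.arpa zone (standard DNS, not on the page).
func ReverseName(ipv4 string) (string, error) {
	octets := strings.Split(ipv4, ".")
	if len(octets) != 4 {
		return "", fmt.Errorf("%q is not a dotted-quad IPv4 address", ipv4)
	}
	for _, o := range octets {
		v, err := strconv.Atoi(o)
		if err != nil || v < 0 || v > 255 || strconv.Itoa(v) != o {
			return "", fmt.Errorf("bad octet %q in %q", o, ipv4)
		}
	}
	return fmt.Sprintf("%s.%s.%s.%s.in-addr.arpa", octets[3], octets[2], octets[1], octets[0]), nil
}

func main() {
	// Constructed names: the book's multisection example and one with a bad character.
	for _, n := range []string{"server1.group3.bldg5.mycompany.com", "bad_host.example.com"} {
		p, err := ParseFQDN(n)
		fmt.Printf("%s -> %+v err=%v\n", n, p, err)
	}
	r, _ := ReverseName("192.0.2.10")
	fmt.Println(r) // 10.2.0.192.in-addr.arpa
}
```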

Originally, DNS was handled by a static local file known as the HOSTS file. This file still exists, but a dynamic DNS query system has mostly replaced it, especially for large private networks as well as the Internet. When client software points to an FQDN, the protocol stack initiates a DNS query in order to resolve the name into an IP address that can be used in the construction of the IP header. The resolution process first checks the local DNS cache to see if the answer is already known. The DNS cache consists of preloaded content from the local HOSTS file plus any DNS queries performed during the current boot session (that haven’t timed out). If the needed answer isn’t in the cache, a DNS query is sent to the DNS server indicated in the local IP configuration. The process of resolving the query is interesting and complex, but most of it isn’t relevant to the Security+ exam. To explore DNS in more detail, see http://en.wikipedia.org/wiki/Domain_Name_System and http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html.

DNS operates over TCP port 53 and UDP port 53. TCP port 53 is used for zone transfers. These are zone file exchanges between DNS servers for special manual queries, or when a response exceeds 512 bytes. UDP port 53 is used for most typical DNS queries.

Domain Name System Security Extensions (DNSSEC) is a security improvement to the existing DNS infrastructure. The primary function of DNSSEC is to provide reliable authentication between devices during DNS operations. DNSSEC has been implemented across a significant portion of the DNS system. Each DNS server is issued a digital certificate, which is then used to perform mutual certificate authentication. The goal of DNSSEC is to prevent a range of DNS abuses where false data can be injected into the resolution process. Once fully implemented, DNSSEC will significantly reduce server-focused DNS abuses.

SSH

Secure Shell (SSH) is a secure replacement for Telnet and many of the Unix “r” tools, such as rlogin, rsh, rexec, and rcp. While Telnet provides remote access to a system at the expense of plain-text communication, SSH transmissions are cipher text and thus are protected from eavesdropping. SSH operates over TCP port 22. SSH is the protocol most frequently used with a terminal emulator program such as HyperTerminal in Windows, Minicom in Linux, or PuTTY in both. An example of SSH use would involve remotely connecting to a switch or router in order to make configuration changes.

SSH offers a means by which a secure command-line, text-only interface connection with a server, router, switch, or similar device can be established over any distance. You can perform many command-line or scriptable activities through the SSH connection, as shown in Figure 2.42.


FIGURE 2.42 A Unix version of SSH, showing a list of available command-line options

SSH transmits both authentication traffic and data in a secured encrypted form. Thus, no information is exchanged in clear text. SSH is a very flexible tool. It can be used as a secure Telnet replacement; it can be used to encrypt protocols similar to TLS, such as SFTP; and it can be used as a VPN protocol.


S/MIME

Because email is natively insecure, several encryption options have been developed to add security to email used over the Internet. Two of the most common solutions are Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP).

S/MIME is an Internet standard for encrypting and digitally signing email. S/MIME takes the standard MIME element of email, which enables email to carry attachments and higher-order textual information (fonts, color, size, layout, and so on), and expands this to include message encryption. S/MIME uses a hybrid encryption system that combines RSA (an asymmetric encryption scheme) and AES (a symmetric encryption algorithm) to encrypt and protect email.

S/MIME works by taking the original message from the server, encrypting it using a symmetric encryption key, and then attaching it to a new blank email. The symmetric encryption key is itself encrypted or enveloped using the recipient’s public key, and then attached to the blank email as well. The new blank email includes the sender’s and receiver’s email addresses to control routing of the message to its destination. The receiver must then strip off the attachments, open the envelope using their private key to extract the symmetric key, and then decrypt the original message. When email encryption is used in this manner, confidentiality is protected.

As shown in Figure 2.43, the basic process is as follows:

  1. The sender’s system generates a random symmetric key.
  2. The sender encrypts the message with the random symmetric key.
  3. The symmetric key is enveloped (encrypted) using the recipient’s public key.
  4. The message and the envelope are sent to the recipient.
  5. The recipient opens (decrypts) the envelope using the recipient’s private key to extract the symmetric key.
  6. The recipient decrypts the message using the symmetric key.

FIGURE 2.43 The hybrid cryptography-based email encryption process
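The six steps above as an added Go example (not code from the book or any S/MIME product): the envelope uses RSA-OAEP and the message AES-256-GCM, and a throwaway recipient key pair generated in NewRecipientKey stands in for the key pair that S/MIME would take from the recipient's certificate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EnvelopedMessage is what gets attached to the "new blank email": the
// encrypted message plus the enveloped (public-key-encrypted) symmetric key.
type EnvelopedMessage struct {
	EncryptedKey []byte // step 3: AES key encrypted under the recipient's RSA public key
	Nonce        []byte // AES-GCM nonce, sent alongside the ciphertext
	Ciphertext   []byte // step 2: message encrypted under the AES key (GCM tag appended)
}

// NewRecipientKey generates a throwaway 2048-bit RSA key pair standing in for
// the recipient's certificate key pair (constructed for this example).
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Envelope performs the sender's side, steps 1 to 3.
func Envelope(message []byte, recipient *rsa.PublicKey) (*EnvelopedMessage, error) {
	// Step 1: a fresh random 256-bit symmetric key used for this message only.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Step 2: encrypt the message with the symmetric key.
	ciphertext := gcm.Seal(nil, nonce, message, nil)
	// Step 3: envelope the symmetric key with the recipient's public key.
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &EnvelopedMessage{EncryptedKey: encKey, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open performs the recipient's side, steps 5 and 6. Tampering with the
// ciphertext, nonce or enveloped key makes it fail rather than return garbage.
func Open(env *EnvelopedMessage, priv *rsa.PrivateKey) ([]byte, error) {
	// Step 5: open the envelope with the private key to recover the symmetric key.
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.EncryptedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot open envelope: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Step 6: decrypt, and authenticate, the message with the symmetric key.
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("message decryption failed: %w", err)
	}
	return plaintext, nil
}

// newGCM wraps a raw AES key as an authenticated-encryption cipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	recipient, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	env, err := Envelope([]byte("Q3 figures attached."), &recipient.PublicKey) // constructed message
	if err != nil {
		panic(err)
	}
	msg, err := Open(env, recipient)
	fmt.Printf("%s err=%v\n", msg, err)
}
```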

The process of encrypting email isn’t complex; however, it’s cumbersome in implementation. Fortunately, the native S/MIME support in most email clients automates the process. The only restriction to the S/MIME email solutions is that all communication partners must have compatible S/MIME products installed and use a common or compatible source for their asymmetric encryption key pairs.

S/MIME is a standards-based email security solution. An example of a proprietary, open-source email security solution is Pretty Good Privacy (PGP). Please see this concept discussion in the Chapter 6 section “PGP/GPG.”

SRTP

SRTP (Secure Real-Time Transport Protocol, or Secure RTP) is a security improvement over RTP (Real-Time Transport Protocol) that is used in many VoIP (Voice over IP) communications. SRTP aims to minimize the risk of VoIP DoS through robust encryption and reliable authentication.

LDAPS

A directory service is a managed list of network resources. It is effectively a network index or network telephone book of the systems and their shared resources. Through the use of a directory service, large networks are easier to navigate, manage, and secure. Active Directory from Microsoft, OpenLDAP, and legacy eDirectory (or NDS) from Novell are examples of directory services. All three are based on Lightweight Directory Access Protocol (LDAP).

LDAP is a standardized protocol that enables clients to access resources within a directory service. A directory service is a network service that provides access to a central database of information, which contains detailed information about the resources available on a network. LDAP follows the X.500 standard, which defines what a directory service is and how it is to be constructed and organized (at least from a foundational infrastructure perspective). Clients can interact with directory service resources through LDAP by using authentication that consists of at least a username and password.

LDAP directory structures are hierarchical data models that use branches like a tree and that have a clearly identified and defined root (see Figure 2.44). LDAP operates over TCP ports 389 (plain text) and 636 (secure). There are two connection mechanisms used for plain-text authentication. They are known by the terms anonymous bind (no authentication) and simple bind (plain-text password authentication). It’s important to secure LDAP rather than allow it to operate in a plain-text insecure form. This is accomplished by enabling the Simple Authentication and Security Layer (SASL) on LDAP, which implements Transport Layer Security (TLS) on the authentication of clients as well as all data exchanges. This results in LDAP Secured (LDAPS). This isn’t the only means to secure LDAP, but it’s the method addressed on Security+.

Diagram shows LDAP client connected to LDAP server by TCP/IP protocol, LDAP contains directory database which includes tree diagram depicting domain name component and common name of one mail id.

FIGURE 2.44 An example of an LDAP-based directory services structure

FTPS

The antiquated protocol of file transfer or exchange is File Transfer Protocol (FTP). This protocol is often used to move files between one system and another, either over the Internet or within private networks. Understanding the basics of FTP and the secured alternative file-transfer solutions is important for the Security+ exam.

FTP is an in-the-clear file-exchange protocol. It’s supported by any computer system that uses TCP/IP. An FTP server system is configured to allow authenticated or anonymous FTP clients to log on in order to upload or download files. FTP employs TCP ports 20 and 21 by default. Port 21 is used for session management, and port 20 is used for data transmission. There are two connection options for FTP: active and passive. Active FTP is the original method of FTP connection. The process of Active FTP is as follows:

  1. The client initiates the session management connection to the FTP server on TCP port 21 using a random source port number (such as 1060).
  2. The FTP server initiates the data transmission connection to the FTP client from TCP source port 20 to the client’s port that is one increment above the client’s original source port (such as 1061).

This technique works only if the client is not protected by a firewall, proxy, or NAT function because it requires inbound initiation from the FTP server to the FTP client. In most cases today, since a firewall, proxy, or NAT is likely present, FTP is used in passive mode. The process of passive FTP is as follows:

  1. The client initiates the session management connection to the FTP server on TCP port 21 using a random source port number (such as 1060).
  2. The server selects a random port number to open in order to receive a second client-initiated connection (such as port 4081), and sends that number to the client over the existing communication session.
  3. The client initiates another connection to the FTP server for data transmission, using an incremented client source port number (such as 1061) to the server’s suggested destination port number (such as 4081).
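The port exchange in the two procedures above, as an added Go example (not code from the book): the passive-mode reply and the active-mode PORT command both carry the data port as two decimal bytes, port = p1*256 + p2, following the RFC 959 formats; the 192.0.2.x addresses and the ports 4081 and 1061 are constructed to match the text.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// DataEndpoint is where the data connection goes: the server's chosen port in
// passive mode, or the client's listening port announced in active mode.
type DataEndpoint struct {
	Host string
	Port int
}

// pasvReply matches the RFC 959 reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
var pasvReply = regexp.MustCompile(`^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)`)

// ParsePASVReply extracts the server-chosen data port from a passive-mode reply
// (passive step 2). The port travels as two bytes, so port = p1*256 + p2.
func ParsePASVReply(line string) (DataEndpoint, error) {
	m := pasvReply.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return DataEndpoint{}, fmt.Errorf("not a 227 passive-mode reply: %q", line)
	}
	var n [6]int
	for i := range n {
		v, err := strconv.Atoi(m[i+1])
		if err != nil || v > 255 {
			return DataEndpoint{}, fmt.Errorf("field %d out of byte range in %q", i+1, line)
		}
		n[i] = v
	}
	return DataEndpoint{
		Host: fmt.Sprintf("%d.%d.%d.%d", n[0], n[1], n[2], n[3]),
		Port: n[4]*256 + n[5],
	}, nil
}

// BuildPORTCommand is the active-mode counterpart: the client tells the server
// the address and port it is listening on for the server's inbound data
// connection (active step 2), using the same six-field encoding. That inbound
// connection is exactly what a client-side firewall or NAT will not admit.
func BuildPORTCommand(ep DataEndpoint) (string, error) {
	octets := strings.Split(ep.Host, ".")
	if len(octets) != 4 {
		return "", fmt.Errorf("%q is not an IPv4 address", ep.Host)
	}
	for _, o := range octets {
		v, err := strconv.Atoi(o)
		if err != nil || v < 0 || v > 255 || strconv.Itoa(v) != o {
			return "", fmt.Errorf("bad octet %q in %q", o, ep.Host)
		}
	}
	if ep.Port < 1 || ep.Port > 65535 {
		return "", fmt.Errorf("port %d out of range", ep.Port)
	}
	return fmt.Sprintf("PORT %s,%d,%d", strings.Join(octets, ","), ep.Port/256, ep.Port%256), nil
}

func main() {
	// Constructed reply: a server at 192.0.2.10 offering data port 4081 (15*256+241).
	ep, err := ParsePASVReply("227 Entering Passive Mode (192,0,2,10,15,241).")
	fmt.Println(ep, err)
	// Constructed client at 192.0.2.50 listening on port 1061 for an active-mode data connection.
	cmd, err := BuildPORTCommand(DataEndpoint{Host: "192.0.2.50", Port: 1061})
	fmt.Println(cmd, err)
}
```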

The exchange of files is a common practice on the Internet, intranets, and extranets. FTP is platform independent and thus makes file exchanges between different OSs simple. It’s one of the common services deployed in a DMZ—an extension of a private network where Internet users can access services such as the Web and email—in order to provide controlled public access to company resources while still allowing internal clients to access the services.

Because all FTP traffic is transmitted in the clear, it’s vulnerable to packet sniffing and other forms of eavesdropping. It’s important not to use the same user account and password on FTP that you use in a secure environment. Otherwise, if an attacker captures your FTP logon traffic, they also obtain the logon credentials needed to log into your secured network. Always use a separate and distinct user account for FTP logons. Sniffers and protocol analyzers are discussed in the “Understand protocol analyzers” section earlier in this chapter.

Anonymous FTP is a form of nameless logon to an FTP server. Usually, visitors to an FTP site who wish to log on anonymously use the word anonymous as the logon name. They’re then prompted to provide their email address as the password, but any text string suffices.

Site administrators should carefully configure FTP servers that allow anonymous access. Anonymous users shouldn’t be able to download (or, in many cases, view) any files uploaded by anonymous users. Anonymous upload and download should be enabled only if absolutely necessary. When possible, don’t allow both authenticated and anonymous FTP logons on the same FTP site. Most FTP servers have anonymous FTP enabled by default, so usually it must be specifically disabled in order to limit access to authenticated users.

If FTP upload is allowed—especially when anonymous FTP uploading is allowed—ensure that it isn’t possible to access upload folders from a web URL. If you don’t take this precaution, web visitors may be able to download files from the FTP site through HTTP, or they may be able to execute uploaded files. Both of these tactics are commonly used by hackers in a wide variety of intrusion attacks.

Blind FTP is a configuration of anonymous FTP or authenticated FTP in which uploaded files are unseen and unreadable by visitors. Thus, users can upload files but not see the resulting uploads. Additionally, even if a user knows the exact pathname and filename of a file deposited onto your blind FTP site, the deposited files are write-only, and thus reading or downloading isn’t possible. This ensures that your FTP site isn’t overrun by file swappers using your system as a file-exchange point. File swappers often exchange illegal (unlicensed) copies of software, music, and movies through unsecured FTP servers. Uploaded files on a blind FTP server become accessible only after the administrator has either changed the files’ permissions or moved them into a folder configured to allow downloads.

FTPS is FTP Secure or FTP SSL, which indicates that it’s a variation of FTP secured by SSL (or now TLS). This is an FTP service variation distinct from SSH-secured FTP (SFTP). Although in general use they’re similar, in that both provide for cryptographically protected file transfers, they aren’t interoperable.

FTPS is supported by FTP servers in either an implicit or an explicit mode (FTPIS or FTPES, respectively). Implicit implies that the client must specifically challenge the FTPS server with a TLS/SSL ClientHello message. This assumes that only FTPS clients will connect. In order to allow traditional FTP clients to continue to operate over ports 20 (data channel) and 21 (control channel), FTPS is delegated to ports 990 (control channel) and 989 (data channel). It’s important, however, to note that implicit mode is now considered deprecated.

Explicit (FTPES) mode implies that the FTPS client must specifically request an FTPS connection on ports 20 and 21; otherwise, an insecure FTP connection will be attempted. More information regarding explicit mode is available in RFC 2228 and RFC 4218.


SFTP

Secure FTP (SFTP) is a secured alternative to standard FTP. Standard FTP sends all data, including authentication traffic, in the clear. Thus, there is no confidentiality protection. SFTP encrypts both authentication and data traffic between the client and server by employing SSH to provide secure FTP communications. Thus, SFTP provides protection for both the authentication traffic and the data transfer occurring between a client and server.

No matter what secure FTP solution is employed, both the server and the client must have the same solution. The client and the server must have compatible or interoperable FTP tools in order to establish a connection and support the exchange of files. Otherwise, FTP session establishment and subsequent file-transfer communications won’t be possible.

SNMPv3

Simple Network Management Protocol (SNMP) is a standard network-management protocol supported by most network devices and TCP/IP-compliant hosts. These include routers, switches, bridges, WAPs, firewalls, VPN appliances, modems, printers, and so on. Through the use of a management console, you can use SNMP to interact with various network devices to obtain status information, performance data, statistics, and configuration details. Some devices support the modification of configuration settings through SNMP.

Early versions of SNMP relied on plain-text transmission of community strings as authentication. Communities were named collections of network devices that SNMP management consoles could interact with. The original default community names were public and private. The latest version of SNMP allows for encrypted communications between devices and the management console, as well as robust authentication protection with customizable authentication factors.

SNMP operates over UDP ports 161 and 162. UDP port 161 is used by the SNMP agent (that is, network device) to receive requests, and UDP port 162 is used by the management console to receive responses and notifications (also known as trap messages).

SSL/TLS

Transport Layer Security (TLS) is the updated replacement for the Netscape Corporation’s SSL. TLS is generally the same as SSL, but it uses more secure cryptographic protocols and algorithms. It’s currently the preferred protocol for securing a wide variety of Layer 5+ protocol–based communications.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used to encrypt traffic between a web browser and a web server. Through the use of SSL or TLS, web surfers can make online purchases, interact with banks, and access private information without disclosing the contents of their communications. SSL and TLS can make web transactions private and secure. Although they aren’t true VPN protocols, SSL and TLS operate in much the same manner as VPNs.

SSL was originally developed by Netscape, but it quickly became an Internet standard and has been replaced by TLS. TLS is based on SSL, but the two aren’t interoperable. SSL operates over TCP port 443, whereas TLS can operate over either of the default TCP ports, 443 and 80 (as does HTTP).

In addition to web communications, SSL can be used to secure FTP, Network News Transfer Protocol (NNTP), email, Telnet, and other Application layer TCP/IP protocols. However, when SSL is used for protecting other application protocols, the destination port is different than that of HTTPS, which uses 443; other examples include SMTP over SSL at 465, IMAP over SSL at 993, and POP3 over SSL at 995.

SSL/TLS can also be used to provide encrypted sessions for other Application layer protocols, such as Telnet, FTP, and email. SSL/TLS functions at the top of Layer 4 (the Transport layer) of the OSI model. Thus, any protocol in Layers 5–7 can be secured using SSL/TLS.

When you use SSL/TLS to secure communications between a web browser and a web server, a multistep handshake process must be completed to establish the secured session:

  1. The client requests a secure connection.
  2. The server responds with its certificate, the name of its certificate authority (issuing CA), and its public key.
  3. The client verifies the server’s certificate, produces a session (symmetric) encryption key, encrypts the key with the server’s public key, and sends the encrypted key to the server.
  4. The server unpacks the session key and sends a summary of the session details to the client, encrypted with the session key.
  5. The client reviews the summary and sends its own summary back to the server, likewise encrypted with the session key.
  6. After both entities receive a matching session summary, secured SSL communications are initiated.

SSL/TLS uses symmetric keys as the session keys. The session keys available for SSL include 40-bit and 128-bit strengths. TLS session keys can currently span between 128 bit and 256 bit.
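The handshake above, and in particular the certificate check of step 3, as an added Go example (not code from the book): a self-signed certificate built in memory stands in for a CA-issued one, server and client talk over an in-memory pipe rather than a socket, and the name mail.example.com is constructed. A second call with a non-matching name shows verification failing before any session key exists.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HandshakeResult is what the client knows once step 6 (matching Finished
// summaries on both sides) has completed.
type HandshakeResult struct {
	Version     uint16 // negotiated version: 0x0303 is TLS 1.2, 0x0304 is TLS 1.3
	CipherSuite string // negotiated cipher suite name
	PeerName    string // CommonName of the server certificate verified in step 3
}

// NewServerCert builds a self-signed certificate for host entirely in memory,
// plus a trust pool holding it, standing in for a CA-issued certificate
// (constructed test material).
func NewServerCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // the name the client checks against ServerName
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// Handshake runs a TLS server and client over an in-memory pipe. serverName is
// the name the client expects; when it does not match the certificate, step 3
// fails and the session is never established.
func Handshake(cert tls.Certificate, roots *x509.CertPool, serverName string) (HandshakeResult, error) {
	srvEnd, cliEnd := net.Pipe()
	deadline := time.Now().Add(3 * time.Second) // an unbuffered pipe must never hang a failed handshake
	srvEnd.SetDeadline(deadline)
	cliEnd.SetDeadline(deadline)

	srv := tls.Server(srvEnd, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12, // refuse SSL 3.0, TLS 1.0 and TLS 1.1
		SessionTicketsDisabled: true,             // no post-handshake server writes on the pipe
	})
	srvDone := make(chan error, 1)
	go func() { srvDone <- srv.Handshake() }()

	cli := tls.Client(cliEnd, &tls.Config{
		RootCAs:    roots,      // trust anchor used to verify the server certificate
		ServerName: serverName, // must appear in the certificate's DNSNames
		MinVersion: tls.VersionTLS12,
	})
	err := cli.Handshake()
	var st tls.ConnectionState
	if err == nil {
		st = cli.ConnectionState()
	}
	cliEnd.Close() // closing the raw ends releases whichever side is still blocked
	srvEnd.Close()
	<-srvDone
	if err != nil {
		return HandshakeResult{}, err
	}
	return HandshakeResult{
		Version:     st.Version,
		CipherSuite: tls.CipherSuiteName(st.CipherSuite),
		PeerName:    st.PeerCertificates[0].Subject.CommonName,
	}, nil
}

func main() {
	cert, roots, err := NewServerCert("mail.example.com")
	if err != nil {
		panic(err)
	}
	res, err := Handshake(cert, roots, "mail.example.com")
	fmt.Printf("%+v err=%v\n", res, err)
	_, err = Handshake(cert, roots, "www.example.com")
	fmt.Println("name mismatch:", err)
}
```

Current TLS versions derive the session key from an ephemeral key exchange rather than encrypting a client-chosen key under the server's public key as step 3 describes, which is why a captured server private key does not decrypt past sessions.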

HTTPS

The World Wide Web is a vast, global, ad hoc collection of online information and storefronts. The primary protocol that supports the Web is Hypertext Transfer Protocol (HTTP). HTTP enables the transmission of Hypertext Markup Language (HTML) documents (the base page elements of a website) and embedded multimedia components such as graphics and mobile code (see Figure 2.45). Without HTTP, there would be no Web. However, HTTP is an insecure protocol: it doesn’t offer anything in the way of secure authentication or data encryption for web communications. Fortunately, numerous add-on protocols and mechanisms provide these and other security services to the information superhighway.

Diagram shows web server running Adobe Flash, Quick Time and Java applications connected to client machine through internet.

FIGURE 2.45 A web server providing streaming video, animations, and HTML data to a client

HTTP operates over TCP port 80. It’s a plain-text or clear-text communication protocol; thus, it offers no security or privacy to transactions. When SSL or TLS is used to secure transactions, this is known as Hypertext Transfer Protocol over SSL (HTTPS) or Hypertext Transfer Protocol Secured (HTTPS). You can recognize when secure web communications are occurring using SSL or TLS because the URL begins with HTTPS and a locked padlock icon appears in the status bar at the bottom of the browser window.

It’s important not to confuse HTTPS with a similarly named protocol, Secure HTTP (S-HTTP). S-HTTP isn’t in widespread use. The primary differences are that S-HTTP doesn’t use SSL; it encrypts individual web page elements rather than the entire web communication session using SSH, and it can only be used to support HTTP. Overall, S-HTTP is less secure than HTTPS.

Secure POP/IMAP

Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) are secured by implementing TLS (or SSL in the past) encryption. This converts these protocols into POPS (or POP3S) and IMAPS (or IMAP4S) and also alters their ports from 110 to 995 and from 143 to 993, respectively. POP and IMAP are email retrieval protocols, unlike SMTP, which is an email sending or forwarding protocol. When using SMTP, POP, or IMAP in their TLS-encrypted form, the security is only between the email client and the local email server. Any subsequent email communications between email servers may or may not use encrypted SMTP; those communication pathways are under the control not of the email client system but of the administrators of each SMTP server.

Use cases

There is an ever-expanding collection of use cases where data transfers, audio communications, or other information exchanges are in need of secure protocols. This section highlights several of these that may be mentioned on the Security+ exam.

Voice and video

Voice communications have shifted from traditional landlines to mobile phones using cellular service, and on to VoIP. The trend toward using VoIP as a business phone, home phone, and mobile phone will only continue to increase. Although a few VoIP solutions can provide end-to-end encryption, this does not seem to be the industry standard, and often encryption is not possible between dissimilar systems. There is a need for a more universal or assured VoIP encryption solution. Whenever you have the option to employ an end-to-end encryption VoIP system, it will be a better security choice than any other.

Time synchronization

Time synchronization is an important element of security management as well as overall network and system management. Many essential functions and services are dependent on reliable time information. The protocol Network Time Protocol (NTP), which operates over UDP port 123, is used to synchronize system clocks with each other and with an external reliable time source.

NTP is a plain-text protocol, so there is risk associated with using NTP on its own. There are NTP attacks that may simply eavesdrop on the time synchronization events. This can give an attacker more information about the systems on your network, since the NTP connection will disclose the source and destination addresses of the systems involved.

While some cryptography is available in NTPv4, it is mostly for integrity checking and not for confidentiality. It may be necessary to implement IPSec or other VPN sessions between systems and then tunnel the NTP through the encrypted channel.

Email and web

Email and web communications can both be easily protected using TLS-encrypted forms of their respective protocols. See the discussions in the earlier sections “S/MIME,” “SSL/TLS,” “HTTPS,” and “Secure POP/IMAP.”

File transfer

Secure file transfer is easily accomplished using either SSH or TLS-encrypted forms of FTP; see the sections “SSH,” “FTPS,” “SFTP,” and “SSL/TLS” earlier in this chapter. There are numerous other alternate file transfer protocols as well; some offer encryption, but not all. So be sure to investigate the security features before implementing or using any file transfer solution.

One option is to use a P2P (peer-to-peer) solution, such as BitTorrent. BitTorrent is one example of a P2P solution that provides communication encryption as well as integrity checking of delivered data.

It is also important to evaluate the internal file transfer protocols employed by your operating systems or third-party applications. It is fairly common to use the native Windows service of Server Message Block (SMB) or the Network File System (NFS) on Linux and Unix. These file transfer tools are convenient, but they operate in plain text. You should establish an IPSec or other VPN connection, and then encapsulate the file transfer session within the VPN in order to gain security for these tools.

Directory services

A directory service is a key feature of modern networks. Most clients should support the secured form of directory service interaction, such as LDAPS (or SASL), and thus this secure means should be required. Please see the earlier section “LDAPS.”

Remote access

A remote access server (RAS) is a network server that supports connections from distant users or systems. RAS systems often support modem banks, VPN links, and even terminal services connections.

A modem (see Figure 2.46) is a device that creates a network communication link between two computers (or networks) over a telephone line. Modems are one of the slowest remote-connection methods still widely supported by OSs. Most connections are limited to a maximum throughput of 56 Kbps. However, because portable systems can use them to connect to corporate offices using any available telephone line, modems will probably be around for years to come.

Diagram shows workstation or server running remote access connected to remote workstation via two modems combined with POTS connection.

FIGURE 2.46 A RAS connection between a remote workstation and a Windows server using modems

A common security protection added to dial-up modems is callback, a feature that disconnects the remote user immediately after authentication and then calls back the remote user at a predefined number. Callback ensures that the authenticated user is located at the correct phone number before access to the network is granted.

War dialing is a common attack against dial-up modems on a company network. Such an attack dials all the numbers in a prefix range in order to locate modems connected to computer systems. Once attackers locate a modem that answers a computer call, they can focus their efforts on breaking through the logon security barrier.

As networks grow, it becomes more common for them to support remote connections, whether dial-up, wireless wide area networks (WWANs), or virtual private networks (VPNs). The access-control and -protection issues involved in managing and administering remote access connections are generally called communications security.

Networks exist to share resources. In order to share resources, all entities on a network must share a common protocol. But in order for the protocol to function, a communication medium must be in place to provide support for the transfer of that protocol and its hosted communication data between one system and another. Often that medium is a network cable, such as a Cat5e (also known as twisted-pair cabling).

However, the communication medium could be wireless, a VPN link, a dial-up link, a terminal services link, or even a remote-control link. In any case, understanding the technology and the security implications of each of these communication media is an essential part of administering an environment.

One mechanism often used to help control the complexities of remote connectivity is a remote access policy. Remote access server policies (RAS policies) are additional gauntlets of requirements that remote users must be in compliance with to gain access to the internal resources of the LAN. RAS policies can require specific OSs and patch levels, restrict time and date access, mandate authentication mechanisms, and confirm the caller ID and/or MAC address of the remote client. After a connection is established, RAS policies can be used to enforce idle timeout disconnects, define the maximum connect time, mandate minimal encryption levels, enforce IP packet filters, define IP address parameters, and force specific routing paths.

Remote authentication is a catchphrase that refers to any mechanism used to verify the identity of remote users. Several well-known examples of remote authentication include RADIUS, TACACS, 802.1x, and Challenge Handshake Authentication Protocol (CHAP). Originally, remote authentication referred to solutions that supported authentication mechanisms for dial-up telecommuters. Today, it includes any authentication technology that can be used for remote users, whether connecting over dial-up, VPN, or wireless.

Telephony is the collection of methods by which telephone services are provided to an organization or the mechanisms by which an organization uses telephone services for either voice and/or data communications. Traditionally, telephony included plain old telephone service (POTS) or public switched telephone network (PSTN) service combined with modems. However, this has expanded to include PBX, VoIP, and VPN.

A private branch exchange (PBX) (also known as telecom), shown in Figure 2.47, is a computer- or network-controlled telephone system. PBXs are deployed in large organizations; they offer a wide range of telephone services, features, and capabilities, including conference calls, call forwarding, paging, call logging, voicemail, call routing, and remote calling.

Diagram shows central office, data storage and digital switch which connected to analog phones, digital phones and computers through analog voice interface, digital voice interface and data interface respectively.

FIGURE 2.47 A modern digital PBX system integrating voice and data onto a single network connection

Remote calling is the ability to dial in to a PBX system from outside and then access a dial tone in order to place a call. The second call can be long distance, and all toll charges are accumulated on the PBX system, not on the user’s telephone. This is a commonly attacked feature of PBX systems.

Methods to secure PBX systems include the following:

  • Disabling maintenance features
  • Changing all default passwords, accounts, and access codes
  • Enabling logging
  • Restricting long-distance calling
  • User awareness and training

Voice over IP (VoIP) is a tunneling mechanism used to transport voice and/or data over a TCP/IP network. VoIP has the potential to replace or supplant PSTN because it’s often less expensive and offers a wider variety of options and features. VoIP can be used as a direct telephone replacement on computer networks as well as mobile devices. VoIP is also able to support video and data transmission to allow videoconferencing and remote collaboration on projects. VoIP is available in both commercial and open-source options. Some VoIP solutions require specialized hardware to either replace traditional telephone handsets/base stations or allow these to connect to and function over the VoIP system. Some VoIP solutions are software only, such as Skype, and allow the user’s existing speakers, microphone, or headset to replace the traditional telephone handset. Others are more hardware based, such as magicJack, which allows the use of existing PSTN phone devices plugged into a USB adapter to take advantage of VoIP over the Internet. Often, VoIP-to-VoIP calls are free (assuming the same or compatible VoIP technology), whereas VoIP-to-landline calls are usually charged a per-minute fee. While most VoIP protocols support encryption, it is often disabled by default or not available due to connecting to a noncompatible recipient (such as calling from a computer VoIP tool to a landline).

Domain name resolution

DNS security should be taken seriously. If your DNS resolutions are being falsified or monitored, your system and/or organization can be harmed. DNSSEC is a means to improve the security of DNS resolutions; please see the earlier section “DNSSEC” for that discussion.

Routing and switching

The communications between routers and switches are yet another potential target for attackers. If they are able to interfere with the convergence of routing tables or STP, then attackers can either redirect traffic down pathways to which they have physical or logical access or they can simply implement a DoS. Employing VPNs or other encryption services between network management devices can reduce these risks.

Network address allocation

Subnetting is a division process used on networks to divide larger groups of hosts into smaller collections. The act of subnetting may be mandated by the maximum size of a subnet based on desired IP class restrictions, physical limitations, differentiation of business functions, or other concerns. Subnetting is mainly a logical activity, but it can be used to direct or guide physical division. In fact, many large organizations mimic their logical subnetting infrastructure in their physical deployment for easier troubleshooting and maintenance.

Ultimately, in the TCP/IPv4 protocol, subnetting is defined by the assigned host IP address and its related subnet mask. The subnet mask is a 32-bit binary number that indicates which portions of a host IP address (also a 32-bit binary number, at least for TCP/IPv4) define the network ID (or subnet ID) and which portions define the host ID. Network and subnet IDs are unique within each organization’s private network or across the public Internet. Host IDs are unique only within the local subnet. In much the same way that an area code defines the general area where a phone number resides, a network ID defines where a subnet resides. Between one area code and another, there are duplicate seven-digit phone numbers, and across multiple subnets there are duplicate host IDs. However, unlike phone numbers, IP addresses are always presented with their entire complement of numbers and, when necessary or important, their related subnet mask.

As an example, IP address 193.25.172.56 with a subnet mask of 255.255.0.0 can be converted from this dotted decimal notation to binary as follows:

IP Address   11000001 00011001 10101100 00111000
Subnet Mask  11111111 11111111 00000000 00000000
Network ID   11000001 00011001 00000000 00000000
Host ID      00000000 00000000 10101100 00111000

By reading only the portions of the IP address marked or masked by the 1s from the subnet mask, the network ID is revealed: 11000001000110010000000000000000, or 193.25.0.0.

By reading only the portions of the IP address marked or masked by the 0s from the subnet mask, the host ID is revealed: 00000000000000001010110000111000, or 0.0.172.56.

A host within a subnet is able to communicate directly with any other host in that same subnet. However, to communicate with hosts in other subnets, traffic must be directed out of the subnet toward the destination host’s subnet. This is done by sending the data stream to the default gateway of the local subnet. The default gateway is just the interface of a router in your local subnet. The router then reads the destination IP address and directs the traffic toward its destination subnet.

You can use subnetting to control communications, block access, divide security zones, and much more. This is only a general and generic overview of the topic. If you aren’t already familiar with how to subnet TCP/IP, please consult Network+ study materials or search for this content online.

The allocation of network addresses should be considered carefully. Under IPv4, it is still important to use the private IP addresses from RFC 1918 internally. This will prevent external entities from initiating communications with your internal systems. However, this will require that you implement NAT/PAT in order to support communications from internal systems to external systems. The use of RFC 1918 and NAT/PAT will reduce the ability of an external entity to easily determine your network size and internal address allocation.

Another issue with IPv4 is that there are very few remaining available public IP addresses. This is a problem, since a server typically needs its own public IP address. Some services, like the Web, can host multiple sites on the same web server host IP address, but not every service can be configured this way. Clients can be expanded potentially indefinitely using NAT. But once there are no more remaining available public IPv4 addresses, no new servers can come online in that address space. The migration to IPv6 is essential to the future expansion of the Internet and other internetworking technologies.
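The following is an added example, not code from the study guide: it carries out the subnet-mask arithmetic of the 193.25.172.56 / 255.255.0.0 worked example above in Python, checks whether two hosts share a subnet (and so need no default gateway), and tests an address against the three RFC 1918 private blocks the text recommends for internal use. All function names are the example's own.

```python
# Added example, not from the study guide: the subnet-mask arithmetic from
# the text done in Python, plus the RFC 1918 private-address check.

# The three RFC 1918 private blocks as (network, mask) pairs.
RFC1918_BLOCKS = [
    ("10.0.0.0", "255.0.0.0"),        # 10/8
    ("172.16.0.0", "255.240.0.0"),    # 172.16/12
    ("192.168.0.0", "255.255.0.0"),   # 192.168/16
]

def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer (rejects bad octets)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value

def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(value: int) -> str:
    """32-bit binary string grouped per octet, as in the text's table."""
    bits = f"{value:032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))

def is_contiguous_mask(mask: int) -> bool:
    """A subnet mask must be a run of 1s followed by a run of 0s."""
    inverted = ~mask & 0xFFFFFFFF            # host portion as 1s: 0b0..01..1
    return (inverted & (inverted + 1)) == 0  # true only if 1s are contiguous

def split_address(ip: str, mask: str) -> tuple:
    """Return (network ID, host ID): bits under the mask's 1s and 0s."""
    ip_n, mask_n = to_int(ip), to_int(mask)
    if not is_contiguous_mask(mask_n):
        raise ValueError(f"non-contiguous subnet mask: {mask!r}")
    network_id = ip_n & mask_n                # bits masked by the 1s
    host_id = ip_n & (~mask_n & 0xFFFFFFFF)   # bits masked by the 0s
    return to_dotted(network_id), to_dotted(host_id)

def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both hosts share a network ID (no default gateway needed)."""
    mask_n = to_int(mask)
    return (to_int(ip_a) & mask_n) == (to_int(ip_b) & mask_n)

def is_rfc1918(ip: str) -> bool:
    """True when the address falls inside one of the RFC 1918 blocks."""
    value = to_int(ip)
    return any((value & to_int(m)) == to_int(net) for net, m in RFC1918_BLOCKS)

if __name__ == "__main__":
    print(split_address("193.25.172.56", "255.255.0.0"))  # ('193.25.0.0', '0.0.172.56')
```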

Subscription services

Subscription services are becoming a common tool employed by businesses and individuals alike. Subscriptions for all types of services are gaining widespread support; these include email, document editing, cloud storage, cloud backup, gaming, video entertainment, VoIP, and remote hosting.

No matter what subscription service is in use, care should be taken to ensure that the connection between the online service server and the client/subscriber/customer system is encrypted. It is also important to determine whether the online service provides proper security for the customer database and any files or data stored online.

Exam Essentials

Understand TCP/IP. TCP/IP is the primary protocol suite in use on the Internet and most private networks across the planet.

Know IPv4. IPv4 is in widespread use with a 32-bit addressing scheme and operates at the Network layer or Layer 3 of the OSI protocol stack.

Understand IPv6. IPv6 uses a 128-bit addressing scheme, eliminates broadcasts and fragmentation, and includes native communication-encryption features.

Be familiar with DNS. DNS is the hierarchical naming scheme used in both public and private networks. It links IP addresses and human-friendly fully qualified domain names (FQDNs) together.

Understand DNSSEC. DNSSEC (Domain Name System Security Extensions) is a security improvement to the existing DNS infrastructure. The primary function of DNSSEC is to provide reliable authentication between devices when performing DNS operations.

Comprehend SSH. Secure Shell (SSH) is a secure replacement for Telnet, rlogin, rsh, and RCP. It can be called a remote-access or remote-terminal solution. SSH encrypts authentication and data traffic, and it operates over TCP port 22.

Understand Telnet. Telnet is a terminal-emulation network application that supports remote connectivity for executing commands and running applications but doesn’t support transfer of files. Telnet uses TCP port 23.

Know the common applications of cryptography to secure electronic mail. The emerging standard for encrypted messages is the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol. The other popular email security protocol is Phil Zimmermann’s Pretty Good Privacy (PGP).

Understand SRTP. SRTP (Secure Real-Time Transport Protocol or Secure RTP) is a security improvement over Real-Time Transport Protocol (RTP) that is used in many Voice over IP (VoIP) communications. SRTP aims to minimize the risk of VoIP DoS through robust encryption and reliable authentication.

Know LDAP. Lightweight Directory Access Protocol (LDAP) is used to allow clients to interact with directory service resources. LDAP is based on X.500 and uses TCP ports 389 and 636. It uses a tree structure with a distinct root.

Understand LDAPS. LDAPS (LDAP Secured) is accomplished by enabling the Simple Authentication and Security Layer (SASL) on LDAP, which implements Transport Layer Security (TLS) on the authentication of clients as well as all data exchanges.

Be aware of FTP. File Transport Protocol (FTP) is an in-the-clear file-exchange solution. An FTP server system is configured to allow authenticated or anonymous FTP clients to log on in order to upload or download files. FTP employs TCP ports 20 and 21.

Understand FTPS. FTPS is FTP Secure or FTP SSL, which indicates that it’s a variation of FTP secured by SSL (or now TLS). This FTP service variation is distinct from SFTP, which is SSH-secured FTP.

Understand SFTP. Secure FTP (SFTP) is a secured alternative to standard or basic FTP that encrypts both authentication and data traffic between the client and server. SFTP employs SSH to provide secure FTP communications.

Know TFTP. Trivial File Transfer Protocol (TFTP) is a simple file-exchange protocol that doesn’t require authentication. It operates on UDP port 69.

Understand SNMP. Simple Network Management Protocol (SNMP) is a standard network-management protocol supported by most network devices and TCP/IP-compliant hosts. These include routers, switches, bridges, WAPs, firewalls, VPN appliances, modems, printers, and so on.

Be familiar with SSL and TLS. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used to encrypt traffic between a web browser and a web server. TLS is the updated replacement for Netscape’s SSL. Through the use of SSL or TLS, web surfers can make online purchases, interact with banks, and access private information without disclosing the contents of their communications. SSL and TLS can make web transactions private and secure.

Understand HTTPS. When SSL or TLS is used to secure transactions, it’s known as Hypertext Transfer Protocol over SSL or Hypertext Transfer Protocol Secured (HTTPS).

Be aware of secure POP/IMAP. Securing Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) is accomplished by implementing TLS (or SSL in the past) encryption. This converts these protocols into POPS (or POP3S) and IMAPS (or IMAP4S) and also alters their ports from 110 to 995 and 143 to 993, respectively.

Review Questions

You can find the answers in the Appendix.

  1. You are implementing a new network for a small office environment. The network includes a domain controller, four resource servers, a network printer, a wireless access point, and three dozen client systems. In addition to standard network management devices, such as switches and routers, why would you want to deploy a firewall?

    1. To watch for intrusions
    2. To control traffic entering and leaving a network
    3. To require strong passwords
    4. To prevent misuse of company resources
  2. As the security administrator for a moderate-sized network, you need to deploy security solutions to reduce the risk of a security breach. You elect to install a network-based IDS. However, after deployment you discover that the NIDS is not suitable for detecting which of the following?

    1. Email spoofing
    2. Denial-of-service attacks
    3. Attacks against the network
    4. Attacks against an environment that produces significant traffic
  3. Illegal or unauthorized zone transfers are a significant and direct threat to what type of network server?

    1. Web
    2. DHCP
    3. DNS
    4. Database
  4. What mechanism of loop protection is based on an element in a protocol header?

    1. Spanning Tree Protocol
    2. Ports
    3. Time to live
    4. Distance vector protocols
  5. What type of wireless antenna can be used to send or receive signals in any direction?

    1. Cantenna
    2. Yagi
    3. Rubber duck
    4. Panel
  6. What mechanism of wireless security is based on AES?

    1. TKIP
    2. CCMP
    3. LEAP
    4. WEP
  7. What technology provides an organization with the best control over BYOD equipment?

    1. Encrypted removable storage
    2. Mobile device management
    3. Geotagging
    4. Application whitelisting
  8. What is the most effective means to reduce the risk of losing the data on a mobile device, such as a notebook computer?

    1. Encrypt the hard drive.
    2. Minimize sensitive data stored on the mobile device.
    3. Use a cable lock.
    4. Define a strong logon password.
  9. Which security stance will be most successful at preventing malicious software execution?

    1. Deny by exception
    2. Whitelisting
    3. Allow by default
    4. Blacklisting
  10. LDAP operates over what TCP ports?

    1. 636 and 389
    2. 110 and 25
    3. 443 and 80
    4. 20 and 21
  11. What type of NAC agent is written in a web or mobile language and is temporarily executed on a system only when the specific management page is accessed?

    1. Permanent
    2. Dissolvable
    3. Passive
    4. Stateless
  12. What is the purpose or use of a media gateway?

    1. It is a fictitious environment designed to fool attackers and intruders and lure them away from the private secured network.
    2. It is used to connect several network segments and enable traffic from one network segment to traverse into another network segment.
    3. It is used to spread or distribute network traffic load across several network links or network devices.
    4. It is any device or service that converts data from one communication format to another.
  13. Which of the following is true regarding an exploitation framework? (Select all that apply.)

    1. Is a passive scanner
    2. Fully exploits vulnerabilities
    3. Only operates in an automated fashion
    4. Allows for customization of test elements
    5. Represents additional risk to the environment
    6. Can only assess systems over IPv4
  14. What is the purpose of a banner grabbing activity?

    1. Detecting the presence of a wireless network
    2. Capturing the initial response or welcome message from a network service that may directly or indirectly reveal its identity
    3. Preventing access to a network until the client has accepted use terms or fully authenticated
    4. Altering the source IP address of an outbound request
  15. How are effective permissions determined or calculated?

    1. Accumulate allows, remove any denials
    2. Count the number of users listed in the ACL
    3. View the last access time stamp of the asset
    4. Review the user’s group memberships
  16. What is a content filter mechanism that can reduce the possibility of malicious executable code being accepted as input?

    1. Checking length
    2. Blocking hex characters
    3. Escaping metacharacters
    4. Filtering on known patterns of malicious content
  17. What is an example of a PUP?

    1. A backdoor
    2. Unwanted marketing pop-ups
    3. A Trojan horse
    4. A password cracker
  18. What is the purpose of DEP being present in an operating system?

    1. To block buffer overflows
    2. To prevent social-engineering attacks
    3. To stop ransomware infections
    4. To interrupt backdoor installations
  19. What is the term used to describe the designation of a specific geographical area that is then used to implement features on mobile devices, which can be defined by GPS coordinates, a wireless indoor positioning system (IPS), or the presence or lack of a specific wireless signal?

    1. Bluesmacking
    2. Geofencing
    3. Banner grabbing
    4. CYOD
  20. What is the definition of DNSSEC?

    1. It is an Internet standard for encrypting and digitally signing email.
    2. It can be used as a secure Telnet replacement, it can be used to encrypt protocols similar to TLS, and it can be used as a VPN protocol.
    3. It is a standard network-management protocol supported by most network devices and TCP/IP-compliant hosts used to obtain status information, performance data, statistics, and configuration details.
    4. It is a security improvement to the existing name resolution infrastructure. The primary function of this tool is to provide reliable authentication between devices when performing resolution operations.