Chapter 9. Computer Security Technology

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

Evaluate the effectiveness of a scanner based on how it works

Choose the best type of firewall for a given organization

Understand antispyware methods

Employ intrusion detection systems to detect problems on your system

Understand honey pots

Most of these devices have been mentioned and briefly described in the preceding chapters. The intent of this chapter is to delve more deeply into details of how these devices work. This information is of particular value to those readers who intend to eventually enter the computer security profession. Simply having a theoretical knowledge of computer security is inadequate. You must have some practical skills. This chapter will be a good starting point for gaining those skills, and the exercises at the end of the chapter will give you a chance to practice setting up and evaluating various types of firewalls, intrusion detection systems (IDSs), and antivirus applications.

In general, virus scanners work in two ways. The first method is that they contain a list of all known virus definitions. The virus definitions are simply files that list known viruses, their file size, properties, and behavior. Generally, one of the services that vendors of virus scanners provide is a periodic update of this file. This list is typically in a small file, often called a .dat file (short for data). When you update your virus definitions, what actually occurs is that your current file is replaced by the more recent one on the vendor’s website.

The antivirus program can then scan your PC, network, and incoming email for known virus files. Any file on your PC or attached to an email is compared to the virus definition file to see whether there are matches. With emails, this can be done by looking for specific subject lines and content. The virus definitions often also include details on the file, file size, and more. This provides a complete signature of the virus.

The second way a virus scanner can work is to look for virus-like behavior. Essentially, the scanner is looking to see if the file in question is doing things that viruses typically do—things like manipulating the Registry or looking through your address book. Obviously, this second technique is essentially a best guess.

Recall that the second way a virus scanner works is to watch for certain types of behaviors that are typical of a virus. This might include any program that attempts to write to your hard drive’s boot sector, change system files, automate your email software, or self-multiply. Programs that attempt to modify the system Registry (for Windows systems) or alter any system settings may also be indicative of a virus.

Another feature that virus scanners search for is a file that will stay in memory after it executes. This is called a Terminate and Stay Resident (TSR) program. Some legitimate programs do this, but it is often a sign of a virus. Additionally, some virus scanners use more sophisticated methods, such as scanning your system files and monitoring any program that attempts to modify those files.

Whatever the behavior, antivirus software uses specific algorithms to evaluate the likelihood that a given file is actually a virus. It should be noted that modern virus scanners scan for all forms of malware, including Trojan horses, spyware, and viruses.

There is a third method, called heuristic scanning. This is basically examining the file itself and is similar to signature scanning. However, in this case the file need not exactly match the signature. Heuristics refers to functions that rank various alternatives using a branching step in the algorithm. So the Heuristic scan checks to see the likelihood of a given file being a virus. This is based on file characteristics rather than behavior.

It is important to differentiate between on-demand virus scanning and ongoing scanners. An ongoing virus scanner runs in the background and is constantly checking your PC for any sign of a virus. On-demand virus scanners run only when you launch them. Many modern antivirus scanners offer both options.

Keep in mind that any antivirus program will have some false positives and some false negatives. A false positive occurs when the virus scanner detects a given file as a virus, when in fact it is not. For example, a legitimate program may edit a Registry key or interact with your email address book. A false negative occurs when a virus is falsely believed to be a legitimate program.

Due to false positives, it is recommended that you do not set your antivirus to automatically delete suspected viruses. Rather, they should be quarantined and the computer user notified.

Email and attachment scanning: Since the primary propagation method for a virus is email, email and attachment scanning is the most important function of any virus scanner. Some virus scanners actually examine your email on the email server before downloading it to your machine. Other virus scanners work by scanning your emails and attachments on your computer before passing it to your email program. In either case, the email and its attachments should be scanned prior to your having any chance to open them and release the virus on your system.

Download scanning: Anytime you download anything from the Internet, either via a web link or through some FTP program, there is a chance you might download an infected file. Download scanning works much like email and attachment scanning but does so on files you select for downloading.

File scanning: This is the type of scanning in which files on your system are checked to see whether they match any known virus. This sort of scanning is generally done on an on-demand basis instead of an ongoing basis. It is a good idea to schedule your virus scanner to do a complete scan of the system periodically. I recommend a weekly scan, preferably at a time when no one is likely to be using the computer.

Heuristic scanning: This was briefly mentioned in the previous section. Perhaps the most advanced form of virus scanning, this uses rules to determine whether a file or program is behaving like a virus and is one of the best ways to find a virus that is not a known virus. A new virus will not be on a virus definition list, so you must examine its behavior to determine whether it is a virus. However, this process is not foolproof. Some actual virus infections will be missed, and some nonvirus files might be suspected of being a virus.

Sandbox: Another approach is the sandbox approach. This basically means that you have a separate area, isolated from the operating system, in which a download or attachment is run. Then if it is infected, it won’t infect the operating system.

One way to accomplish sandboxing is for the operating system to set aside a protected area of memory to open the suspected file and to monitor its behavior. This is not 100% effective, but it is far safer than simply opening files on your system and hoping there is no infection.

A related concept is called a “sheep dip” machine. This is useful in corporate networks. You set up a system that is identical in configuration to your standard workstations. However, this sheep dip machine is not networked. Suspect files are opened first on this system. Then the system is monitored for a period of time for signs of infection. Once the file has cleared this check, it can then be opened on normal workstations.

A simple way to do this in a home or small office is to set up a virtual machine on your computer and to open suspected attachments or downloads in the virtual machine first. This virtual machine can have virus scanners running on it. Also, you can change the time in the virtual machine in order to detect logic bombs. Allow the suspect file to reside on the VM for a period of time before bringing it to the host computer.

Malwarebytes is another popular product that has both free and commercial versions. Of course, there are other antivirus solutions available. Several free virus scanners can easily be found on the Internet. McAfee, Norton, AVG, Malwarebytes, and Kapersky are mentioned here because they are so commonly used, and it is likely that you will encounter them frequently. But that is not to indicate that I am discouraging you from using other systems. I do strongly recommend that you stick with widely used, well-supported antivirus products.

In an organizational setting, you will want, at a minimum, a dedicated firewall between your network and the outside world. This might be a router that also has built-in firewall capabilities. (Cisco Systems is one company that is well known for high-quality routers and firewalls.) Or, it might be a server that is dedicated solely to running firewall software. Selecting a firewall, however, is an important decision. If you lack the expertise to make that decision, then you should arrange for a consultant to assist you in this respect.

Packet inspection

Stateful packet inspection

Application

The following sections will discuss each of these and assess the advantages and disadvantages of each.

1. Is this packet using a protocol that the firewall allows?

2. Is this packet destined for a port that the firewall allows?

3. Is the packet coming from an IP address that the firewall has not blocked?

Those are three very basic rules. Some packet filter firewalls have additional rules to check. But what is not checked is the preceding packets from that same source. Essentially, each packet is treated as a singular event without reference to the preceding conversation. That makes packet filtering firewalls quite susceptible to some DoS attacks, such as SYN floods.

The SPI firewall can also look at the actual contents of the packet, which allows for some very advanced filtering capabilities. Most high-end firewalls use the stateful packet inspection method; when possible, this is the recommended type of firewall.

Once a connection is established, the application gateway makes all decisions about which packets to forward. Since all communication is conducted through the proxy server, computers behind the firewall are protected.

Essentially, an application firewall is one that is used for specific types of applications such as database or web server. It is able to examine the protocol being used (such as HTTP) for any anomalous behavior and block traffic that might get past other types of firewalls. It is common to have an application firewall that also includes stateful packet inspection.

Network host–based

Dual-homed host

Router-based firewall

Screened host

Each of these is discussed in the following sections.

Outpost Firewall, available from www.agnitum.com/products/outpost/, is a product designed for the home or small office user. Like the Zone Labs product, it has both a free version and an enhanced commercial version. Information on this product is shown in Figure 9.1. Note that the free version is an older version of the software and does not include many of the enhancements of the commercial version. But it may be sufficient for your needs.

Listed and shown next are other sources for information on free firewall protection. Each of these websites offers links to a number of sources for free firewall protection as well as to other useful security tools. You may want to explore these sites as well as add them to your list of resource sites:

http://www.zonealarm.com/software/free-firewall/

https://www.comodo.com/home/internet-security/firewall.php

In today’s Internet climate, running antispyware is as essential as running antivirus software. Failing to do so can lead to serious consequences. Personal data, and perhaps sensitive business data, could easily be leaking out of your organization without your knowledge. And, as was pointed out earlier in this book, it is entirely possible for spyware to be the vehicle for purposeful industrial espionage.

Barring the use of antispyware, or even in conjunction with such software, you can protect yourself via your browser’s security settings as was discussed in a previous chapter. Additionally, several times throughout this book, you have been warned to be cautious about attachments and Internet downloads. You would also be well advised to avoid downloading various Internet “enhancements,” such as “skins” and “toolbars.” If you are in an organization, prohibiting such downloads should be a matter of company policy. Unfortunately, many websites today require some sort of add-in such as Flash in order to function properly. The best advice for this situation is to only allow add-ins on trusted, well-known sites.

Entire volumes have been written on how IDS systems work. This chapter cannot hope to cover that much information. However, it is important that you have a basic idea of how these systems work.

The sections that follow will first examine the broad categories in which IDS systems tend to be viewed and then will also look at some specific approaches to IDS. While this information is not all inclusive, it does address the more common terminology used.

Passive IDS

Active IDS (also called Intrusion Prevention System, or IPS)

Imagine an IDS that is looking at threshold monitoring to determine if an attack is occurring. A particular user normally works between the hours of 8 a.m. and 5 p.m. and uses a relatively small amount of bandwidth. The IDS detects the user at 10 p.m. using 10 times his normal bandwidth. This seems like it might be an attack, and the active IDS (IPS) shuts down the offending traffic. However, it is later found that this was a legitimate user working late on a critical project that was due to a client the next day, and your IPS prevented that from happening.

This is an excellent place to consider risk analysis. You have to weigh the hazards of false positives against the risk of allowing an attack to proceed undetected before deciding if a passive IDS or an IPS is appropriate for your organization. It is often the case that different network segments will have different risk profiles. You may find that a passive IDS is appropriate for most of your network but that an IPS is needed for the most sensitive network segments.

The second method is statistical anomaly. Essentially, any activity that seems outside normal parameters and far enough said parameters to be a likely attack is identified as a probable attack. Any number of activities can trigger this type of alert. An example can be a sudden increase in bandwidth utilization or user accounts accessing resources they have never accessed before.

Most IDSs will use both forms of attack recognition. The two real issues for selecting an IDS are its ease of use and its signature database. There are certainly other considerations such as price, but those two are the most central to deciding on an IDS.

A sensor is the IDS component that collects data and passes it to the analyzer for analysis.

The analyzer is the component or process that analyzes the data collected by the sensor.

The manager is the IDS interface used for management. It is a software component to the IDS.

The operator is the person primarily responsible for the IDS.

Notification is the process or method by which the IDS manager makes the operator aware of an alert.

An activity is an element of a data source that is of interest to the operator. It may or may not be a possible attack.

An event is any activity that is deemed to be suspicious and a possible attack.

An alert is a message from the analyzer indicating that an event has occurred.

The data source is the raw information that the IDS is analyzing to determine if there has been an event.

All these elements are part of an IDS and function together to capture traffic, analyze that traffic, and report anomalous activity to the operator of the IDS. An IPS will have additional elements capable of shutting down offending traffic.

We will examine Snort briefly in this section. While it is not the only IDS available, it is free, and that makes it an attractive option for many people. We will walk through the basic configuration of Snort for Windows.

First you must visit www.snort.org and register. It is free. Then download the Snort installation program and the latest rules. Make certain you download the installer that has an .exe extension. The .rpm extensions are for Linux. Also, I have found that certain versions of Microsoft Internet Explorer do not work well with the Snort website, so it is recommended that you use an alternative browser such as Mozilla Firefox.

Once you have downloaded both the rules and the installation, start the installation. Most of it is quite simple. There is a screen that asks you if you wish to support database connectivity. For most live situations, you would want to dump your Snort records to some database. However, for demonstration purposes, choose “I do not plan to log to a database,” as shown in Figure 9.2.

Other than this, simply use all default settings. At the end of the install, it will also attempt to install WinPCAP. If for some reason this fails, you will need to download and install it separately. WinPCAP is an open source tool for capturing packets. All IDSs depend on packet capturing.

Now copy rules you downloaded from wherever you saved them to C:snort ules. Then copy the configuration file from C:snort ulesetcsnort.conf to C:snortetc. Open that configuration file using WordPad, not Notepad. Notepad does not support word wrap, and it will be difficult to read the configuration file in Notepad.

The first step is to change the HOME_NET any to your machine’s IP address, as shown in Figure 9.3. In a live situation, we would also set the other IP addresses (web server, SQL server, DNS server, and so on).

Now you need to find and change the rules paths. They will have Linux-style paths, as shown in Figure 9.4.

You will need to change them to Windows-style paths, as shown in Figure 9.5.

You will now need to find and change the library paths. This is a bit harder because the names of the paths and the files are a bit different in Windows. The Linux style library paths will appear as the ones shown in Figure 9.6.

You can find your Windows pathnames and filenames by looking in the folder shown in Figure 9.7.

Note: If you find that you do not have a particular file or path in your system, just make sure it is commented out in the configuration file.

You must find the reference data and change it from Linux-style paths to Windows-style paths, as shown in Figure 9.8.

You are almost done. Now search for

#output log_tcp dump

and after that put this line

output alert_fast: alert.ids

Note: the pound sign (#) indicates a comment.

Now you will need to use the command line to start Snort. Simply navigate to C:snortin. There are several different ways to start Snort. Many of the common ones are shown here in Table 9.1. I recommend you try the simplest first.

Snort is free and open source, but many people have a great deal of difficulty working with it the first time. The slightest error in your configuration file or the command-line startup will cause it to not run correctly. The purpose of this section is just to introduce you to Snort. For more information on Snort, try the following:

Snort Manual: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/

Writing your own Snort rules: http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm

A honey pot achieves two goals. First, it will take the attacker’s attention away from the data you wish to protect. Second, it will provide what appears to be interesting and valuable data, thus leading the attacker to stay connected to the fake server, giving you time to try to track them. There are commercial solutions, like Specter (www.specter.com). These solutions are usually quite easy to set up and include monitoring/tracking software. You may also find it useful to check out www.honeypots.org for more information on honey pots in general, and on specific implementations.

This is often done by using what is commonly referred to as a honey pot. Essentially, you set up a fake system, possibly a server that appears to be an entire subnet. You make that system look very attractive by perhaps making it appear to have sensitive data, such as personnel files, or valuable data, such as account numbers or research. The actual data stored in this system is fake. The real purpose of the system is to carefully monitor the activities of any person who accesses the system. Since no legitimate user ever accesses this system, it is a given that anyone accessing it is an intruder.

PAP: Password Authentication Protocol is the simplest form of authentication and the least secure. Usernames and passwords are sent unencrypted, in plain text. This is obviously a very old method that is not used anymore. However, in the early days of computing, there were no widely available packet sniffers, and security was far less of a concern.

SPAP: Shiva Password Authentication Protocol is an extension to PAP that does encrypt the username and password that is sent over the Internet.

CHAP: Challenge Handshake Authentication Protocol calculates a hash after the user has logged in. Then it shares that hash with the client system. Periodically the server will ask the client to provide that hash. (This is the challenge part.) If the client cannot, then it is clear that the communications have been compromised. MS-CHAP is a Microsoft-specific extension to CHAP. The steps are basically these:

1. After the handshake phase is complete, the authenticator (often the server) sends a “challenge” message to the peer.

2. The peer responds with a value calculated using a “one-way hash” function.

3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection should be terminated.

4. At random intervals, the authenticator sends a new challenge to the peer and repeats steps 1 to 3.

The entire goal of CHAP is to not only authenticate, but periodically reauthenticate, thus preventing session hijacking attacks.

EAP: A framework frequently used in wireless networks and point-to-point connections. It was originally defined in RFC 3748 but updated since then. It handles the transport of keys and related parameters. There are several versions of EAP. It has many variations, including these:

LEAP: Lightweight Extensible Authentication protocol was developed by Cisco and has been used extensively in wireless communications. LEAP is supported by many Microsoft operating systems including Windows 7 and later versions. LEAP uses a modified version of MS-CHAP.

Extensible Authentication Protocol—Transport Layer Security: This utilizes TLS in order to secure the authentication process. Most implementations of EAP-TLS utilize X.509 digital certificates to authenticate the users.

Protected Extensible Authentication Protocol (PEAP): This encrypts the authentication process with an authenticated TLS tunnel. PEAP was developed by a consortium including Cisco, Microsoft, and RSA Security. It was first included in Microsoft Windows XP.

Kerberos: Kerberos is used widely, particularly with Microsoft operating systems. It was invented at MIT and derives its name from the mythical three-headed dog that was reputed to guard the gates of Hades. The system is a bit complex, but the basic process is as follows:

When a user logs in, the authentication server verifies the user’s identity and then contacts the ticket-granting server. (These are often on the same machine.) The ticket-granting server sends an encrypted “ticket” to the user’s machine. That ticket identifies the user as being logged in. Later when the user needs to access some resource on the network, the user’s machine uses that ticket-granting ticket to get access to the target machine. There is a great deal of verification for the tickets, and these tickets expire in a relatively short time.

The elements of Kerberos follow:

Principal: A server or client that Kerberos can assign tickets to.

Authentication server (AS): Server that authorizes the principal and connects it to the ticket-granting server.

Ticket-granting server (TGS): Provides tickets.

Key distribution center (KDC): A server that provides the initial ticket and handles TGS requests. Often it runs both AS and TGS services. It must be noted that Kerberos is one of the most widely used authentication protocols. Europe often uses an alternative SESAME Secure European System for Applications in a multivendor environment.

X.509 is an international standard for the format and information contained in a digital certificate. X.509 is the most common type of digital certificate in the world. It is a digital document that contains a public key signed by the trusted third party that is known as a certificate authority, or CA.

The following are the basic items in an X.509 certificate. There can be other optional information:

Version: This is the version of X.509 that this certificate complies with.

Certificate holder’s public key: This is the primary way of getting someone’s public key from his X.509 certificate.

Serial number: This is a unique identifier for this certificate.

Certificate holder’s distinguished name: This is often a domain name or email associated with a certificate.

Certificate’s validity period: One year is the most common validity period.

Unique name of certificate issuer: This is the certificate authority that issued this certificate.

Digital signature of issuer: This field, and the next, are used to verify the certificate itself.

Signature algorithm identifier: Identifies the actual digital signature algorithm used.

Let us see how this works in a common scenario. You visit your bank’s website. In order to get the bank’s public key, your browser will download that bank’s digital certificate. But there is a problem. Could someone have set up a fake site, claiming to be your bank? Could that person have also generated a fake certificate claiming to be the bank? Yes, it’s possible. This is one place digital certificates help us out. Your browser will look at the certificate issuer listed on the certificate and first ask if that is a CA that your browser trusts. Assuming it is, then your browser communicates with that CA to get that CA’s public key. (Recall from Chapter 8 that a digital signature is created with a private key and verified with the public key.) The browser uses that CA public key to verify the CA signature on the certificate. If this is a fake certificate, the digital signature won’t be recognized. This means a certificate not only provides you with the certificate holder’s public key, but also gives you a method of verifying that entity with a trusted third party.

It should be noted that unlike X.509 certificates, PGP (Pretty Good Privacy) certificates are not issued by a CA and don’t have a mechanism for third-party verification. They are usually only used for email communication. That is because it is assumed that you know who you are emailing, and verifying that identity is not required.

There are some other terms and concepts in digital certificates you need to be familiar with. Let us begin with a CA, the entity that issues you a digital certificate. For example, Comodo, Symantec, Digicert, GoDaddy, Verisign, and Thawte are all well-known certificate authorities. When you purchase a certificate from one of these vendors, they first verify who you are. (That can be as simple as matching your credit card with the domain you are buying the certificate for, or it can be far more involved.)

Since verifying a certificate user can be time consuming, many CAs offload that process to a registration authority (RA), who will then notify the CA to issue the certificate (or not to).

A CRL (certificate revocation list) is a list of certificates issued by a CA that are no longer valid. CRLs are distributed in two main ways: In the push model, the CA automatically sends the CRL out a regular interval. In the pull model, the CRL is downloaded from the CA by those who want to see it to verify a certificate. The problem is that CRL is not real-time checking. Thus, the newer answer is “Online Certificate Status Checking Protocol” OCSP; the idea is to have a protocol that checks in real time if the certificate is still valid.

When visiting websites that have an HTTPS at the beginning, rather than HTTP, the S denotes secure. That means traffic between your browser and the web server is encrypted. This is usually done with either SSL (Secure Sockets Layer) or TLS (Transport Layer Security). SSL, the older of the two technologies, was developed by Netscape. SSL and TLS are both asymmetric systems.

SSL is a technology employed to allow for transport-layer security via public key encryption. SSL was developed by Netscape for transmitting private documents via the Internet. By convention, URLs that require an SSL connection start with https instead of http. There have been several versions:

Unreleased v1 (Netscape)

Version 2 released in 1995 but had many flaws

Version 3 released in 1996 RFC 6101

Standard TLS1.0 RFC 2246 released in 1999

TLS 1.1 was defined in RFC 4346 in April 2006

TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 spec

TLS 1.3 July 2014

The basic process of establishing an SSL/TLS connection is shown in Figure 9.10.

The process involves several complex steps, as defined here:

1. The client sends the server information regarding the client’s cryptographic capabilities. That includes what algorithms it is capable of, what hashing algorithms it can use for message integrity, and related information.

2. The server responds by selecting the best encryption and hashing that both client and server are capable of and sends this information to the client. The server also sends its own certificate, and if the client is requesting a server resource that requires client authentication, the server requests the client’s certificate.

3. The client uses the information sent by the server to authenticate the server. This means authenticating the digital certificate with the appropriate CA. If this fails the browser warns the user that the certificate cannot be verified. If the server can be successfully authenticated, the client proceeds to the next step.

4. Using all data generated in the handshake thus far, the client creates the pre-master secret for the session, encrypts it with the server’s public key that it received from the server’s X.509 certificate, and then sends the encrypted pre-master secret to the server.

5. If the server has requested client authentication, then the server will also authenticate the client’s X.509 certificate. This does not happen in most e-commerce and banking websites.

6. Both the client and the server use the master secret to generate the session keys. These are symmetric keys (such as AES) that will be used throughout the session to encrypt information between the client and the server.

7. The client sends a message to the server informing it that future messages from the client will be encrypted with the session key.

8. The server sends a message to the client informing it that future messages from the server will be encrypted with the session key.

This process provides a process to not only securely exchange a symmetric key, but also to verify the server and (optionally) verify the client. This is how secure web traffic is accomplished.

There are three different protocols that are used to create VPNs:

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

Internet Protocol Security (IPsec)

These are each discussed in more depth in the following sections.

PPTP offers two different methods of authenticating the user: Extensible Authentication Protocol (EAP) and Challenge Handshake Authentication Protocol (CHAP). EAP was actually designed specifically for PPTP and is not proprietary. CHAP is a three-way process whereby the client sends a code to the server, the server authenticates it, and then the server responds to the client. CHAP also periodically reauthenticates a remote client, even after the connection is established.

PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt packets. MPPE is actually a version of DES. DES is still useful for many situations; however, newer versions of DES, such as DES 3, are preferred.

Besides more authentication protocols available for use, L2TP offers other enhancements. PPTP will only work over standard IP networks, whereas L2TP will work over X.25 networks (a common protocol in phone systems) and ATM (asynchronous transfer mode, a high-speed networking technology) systems. L2TP also uses IPsec for its encryption.

IPsec operates in one of two modes: Transport mode, in which only the payload is encrypted, and Tunnel mode, in which both data and IP headers are encrypted. Following are some basic IPsec terms:

Authentication Headers (AHs) provide connectionless integrity and data origin authentication for IP packets.

Encapsulating Security Payloads (ESPs) provide origin authenticity, integrity, and confidentiality protection of packets. These have encryption-only and authentication-only configurations.

Security Associations (SAs) provide the parameters necessary for AH or ESP operations. SAs are established using the Internet Security Association and Key Management Protocol.

The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange.

Internet key exchange (IKE and IKEv2) is used to set up a security association (SA) by handling negotiation of protocols and algorithms and to generate the encryption and authentication keys to be used.

Essentially during the initial establishment of an IPsec tunnel, security associations (SAs) are formed. These SAs have information such as what encryption algorithm and what hashing algorithms will be used in the IPsec tunnel. Recall that we discussed encryption in some depth in Chapter 8. IKE is primarily concerned with establishing these SAs. ISAKMP allows the two ends of the IPsec tunnel to authenticate to each other and to exchange keys.

Because RC4 is a stream cipher, the same traffic key must never be used twice. The problem with WEP is that the committee who created it was composed of very good computer professionals who thought they knew enough about cryptography, but did not. They reuse the IV. That defeats the entire purpose of an IV and leaves the protocol open to attacks. A simple search of YouTube for “how to crack WEP” will yield a deluge of videos on techniques for cracking WEP.

The MAC preserves message integrity and ensures that packets were not altered in transit, either accidentally or intentionally. This means that WPA2 uses very strong encryption along with message integrity.

A. To compare a file to known virus attributes

B. To use complex rules to look for virus-like behavior

C. To only look for TSR programs

D. To look for TSR programs or programs that alter the Registry

2. What is one way of checking emails for virus infections?

A. Block all emails with attachments.

B. Block all active attachments (for example, ActiveX, scripting).

C. Look for subject lines that are from known virus attacks.

D. Look for emails from known virus sources.

3. What are TSR programs?

A. Terminal Signal Registry programs that alter the system Registry

B. Terminate and System Remove programs that erase themselves when complete

C. Terminate and Scan Remote programs that scan remote systems prior to terminating

D. Terminate and Stay Resident programs that actually stay in memory after you shut them down

4. What is the name for scanning that depends on complex rules to define what is and is not a virus?

A. Rules-based scanning (RBS)

B. Heuristic scanning

C. TSR scanning

D. Logic-based scanning (LBS)

5. Which of the following is not one of the basic types of firewalls?

A. Screening firewall

B. Application gateway

C. Heuristic firewall

D. Circuit-level gateway

6. Which of the following is the most basic type of firewall?

A. Screening firewall

B. Application gateway

C. Heuristic firewall

D. Circuit-level gateway

7. Which of the following is a disadvantage to using an application gateway firewall?

A. It is not very secure.

B. It uses a great deal of resources.

C. It can be difficult to configure.

D. It can only work on router-based firewalls.

8. What is SPI?

A. Stateful packet inspection

B. System packet inspection

C. Stateful packet interception

D. System packet interception

9. What is the term for a firewall that is simply software installed on an existing server?

A. Network host based

B. Dual-homed

C. Router based

D. Screened host

10. What is a major weakness with a network host–based firewall?

A. Its security is dependent on the underlying operating system.

B. It is difficult to configure.

C. It can be easily hacked.

D. It is very expensive.

11. What is the term for blocking an IP address that has been the source of suspicious activity?

A. Preemptive blocking

B. Intrusion deflection

C. Proactive deflection

D. Intrusion blocking

12. What is the term for a fake system designed to lure intruders?

A. Honey pot

B. Faux system

C. Deflection system

D. Entrapment

13. Which of the following is the correct term for simply making your system less attractive to intruders?

A. Intrusion deterrence

B. Intrusion deflection

C. Intrusion camouflage

D. Intrusion avoidance

14. What method do most IDS software implementations use?

A. Anomaly detection

B. Preemptive blocking

C. Intrusion deterrence

D. Infiltration

15. How do most antispyware packages work?

A. By using heuristic methods

B. By looking for known spyware

C. The same way antivirus scanners work

D. By seeking out TSR cookies

Microsoft Windows (every version since XP, including Windows 10) and Linux both offer built-in packet-filtering firewalls of some sort.

1. Using the documentation for whichever operating system you have, decide what packets you wish to block.

2. Set your firewall to filter those packets.

Note: Ideally, if you have access to both operating systems, the best exercise is to experiment setting up firewalls for both.

EXERCISE 9.2: Router-Based Firewalls

Note: This exercise is for those labs with access to a lab router-based firewall.

1. Consult your router documentation for instructions on how to configure the firewall.

2. Configure your router-based firewall to block the same items you chose to block in Exercise 1.

EXERCISE 9.3: Evaluating Firewalls

Write a brief essay explaining whether you think the router-based solution or the built-in operating system solution is best. Explain your reasons.

EXERCISE 9.4: Active Code

Using the Web or other resources, find out why blocking active code (for example, ActiveX scripts) might or might not be a good idea for some situations. Write a brief essay explaining your position.

EXERCISE 9.5: Hardware Used by a Company

Visit the IT department of a company and ascertain what hardware they use in their computer system’s defense. Do they use a hardware firewall in addition to a software firewall? What form of intrusion detection software do they use? Do they use antivirus and antispyware on the workstations within the company? Write a brief report summarizing your findings.

Using Microsoft documentation, the Web, and other resources, find out what methodologies the Microsoft Windows (whichever version you are using) firewall uses. Write a brief essay explaining the strengths and weaknesses of that approach. Also discuss situations in which you feel that approach is adequate and those in which it might be inadequate.

PROJECT 9.2: How Does Antivirus Software Work?

Using documentation from the vendor, the Web, or other resources, find out what methodology Norton AntiVirus uses, as well as the methods that McAfee uses. Armed with this information, write a brief essay comparing and contrasting any differences. Also discuss situations in which one might be recommended over the other.

PROJECT 9.3: Using Snort

Note: This is a longer project and appropriate for groups.

Go to the Snort.org website (www.snort.org/) and download Snort. Using the vendor documentation or other resources, configure Snort. Then use port scanners on the machine that has Snort configured and note whether Snort detects the scan.