Chapter 9. Computer Security Technology

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

  • Evaluate the effectiveness of a scanner based on how it works

  • Choose the best type of firewall for a given organization

  • Understand antispyware methods

  • Employ intrusion detection systems to detect problems on your system

  • Understand honey pots

Introduction

Throughout this book, various aspects of computer security have been discussed. At this point in your studies, you should have a good idea of what the real dangers are and what adequate security measures include, as well as a basic understanding of the various forms of computer attacks. However, if you are striving to secure a network, you will need more technical details on the various security devices and software you might choose to employ. This chapter reviews these items and provides enough detail to allow you to make intelligent decisions about which types of products you will use.

Most of the devices described in this chapter have been mentioned and briefly described in the preceding chapters. The intent of this chapter is to delve more deeply into details of how these devices work. This information is of particular value to those who intend to eventually enter the computer security profession. Simply having a theoretical knowledge of computer security is inadequate. You must have some practical skills. This chapter will be a good starting point for gaining those skills, and the exercises at the end of the chapter will give you a chance to practice setting up and evaluating various types of firewalls, intrusion detection systems (IDSs), and antivirus applications.

Virus Scanners

A virus scanner is essentially software that tries to prevent a virus from infecting a system. This fact is probably abundantly obvious to most readers. Knowing how a virus scanner works, however, is another matter. This topic was discussed briefly in our previous discussions on viruses but will be elaborated on in this chapter.

In general, virus scanners work in two ways. First, a virus scanner may contain a list of all known virus definitions—that is, files that list known viruses and their file sizes, properties, and behaviors. Generally, one of the services that vendors of virus scanners provide is to periodically update these files. A virus definition list is typically in a small file, often called a .dat file (short for data). When you update your virus definitions, what actually occurs is that your current file is replaced by the more recent one available from the vendor. The antivirus program can then scan your PC, network, and incoming email for known virus files. Any file on your PC or attached to an email is compared to the virus definition file to see whether there are matches. With emails, this can be done by looking for specific subject lines and content. The virus definitions often also include details on the file, file size, and more. This provides a complete signature of the virus.

The second way a virus scanner can work is to look for virus-like behavior. Essentially, the scanner looks to see if the file in question is doing things that viruses typically do—things like manipulating the Registry or looking through your address book. Obviously, this second technique is essentially a best guess.

How Does a Virus Scanner Work?

Let’s take a more detailed look at how antivirus software works. An article in the July 2004 issue of Scientific American titled “How Does a Virus Scanner Work?” stated that a virus scanner is essentially software that searches for a signature or pattern of a known virus. Keep in mind that the scanner works only if you keep it updated. And, of course, it works only with known viruses. While that article may seem a bit dated now, it is still accurate.

Recall that the second way a virus scanner works is to watch for certain types of behaviors that are typical of viruses. This might include any program that attempts to write to your hard drive’s boot sector, change system files, automate your email software, or self-multiply. Programs that attempt to modify the system Registry (for Windows systems) or alter any system settings may also indicate virus infection.

Another feature that virus scanners search for is a file that will stay in memory after it executes. This is called a terminate and stay resident (TSR) program. Some legitimate programs do this, but such activity is often a sign of a virus. Additionally, some virus scanners use more sophisticated methods, such as scanning your system files and monitoring any programs that attempt to modify those files.

Whatever the behavior, antivirus software uses specific algorithms to evaluate the likelihood that a given file is actually a virus. It should be noted that modern virus scanners scan for all forms of malware, including Trojan horses, spyware, and viruses.

There is a third method, called heuristic scanning, which basically involves examining a file and is similar to signature scanning. However, with heuristic scanning, the file need not exactly match the signature. Heuristics refers to functions that rank various alternatives using a branching step in the algorithm. So, a heuristic scan checks for the likelihood of a given file being a virus, based on file characteristics rather than behavior.

It is important to differentiate between on-demand virus scanning and ongoing scanners. An ongoing virus scanner runs in the background and is constantly checking the PC for any sign of a virus. On-demand virus scanners run only when you launch them. Many modern antivirus scanners offer both options.

Keep in mind that any antivirus program will yield some false positives and some false negatives. A false positive occurs when the virus scanner detects a given file as a virus when in fact it is not. For example, a legitimate program may edit a Registry key or interact with your email address book. A false negative occurs when a virus is falsely believed to be a legitimate program.

Due to false positives, it is recommended that you not set your antivirus to automatically delete suspected viruses. Rather, they should be quarantined and the computer user notified.
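The following toy scanner is an added illustration, not code from the book or from any antivirus vendor. It models the three ideas just described: an exact signature match against a definitions list (the ".dat" file), a heuristic score built from file characteristics that viruses typically show, and quarantine instead of deletion so that a false positive can be undone. All sample files, signatures and heuristic strings are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample standing in for a known malicious file; its signature is
# what the definitions list below carries. (Constructed for this example.)
KNOWN_SAMPLE = (b"MZ\x90\x00 constructed sample: RegSetValueEx "
                b"Software\\Microsoft\\Windows\\CurrentVersion\\Run CopyFile")


def signature(data: bytes) -> tuple:
    """A signature as a vendor .dat entry would carry it: content hash plus size."""
    return hashlib.sha256(data).hexdigest(), len(data)


# The definitions list. "Updating your definitions" replaces this mapping with a
# newer one; anything not listed here is invisible to signature scanning.
DEFINITIONS = {"Constructed.Sample.A": signature(KNOWN_SAMPLE)}

# Heuristic indicators: characteristics typical of viruses, each with a weight.
# Legitimate installers and mail add-ins show some of them too, which is where
# false positives come from.
HEURISTICS = [
    (b"CurrentVersion\\Run", 3),   # Registry autorun key: persistence
    (b"RegSetValueEx", 2),         # writes to the Registry
    (b"Outlook.Application", 3),   # automates the email client / address book
    (b"CopyFile", 1),              # copies itself: self-multiplying
]
SUSPICION_THRESHOLD = 5


def scan_bytes(data: bytes) -> dict:
    """Signature check first (exact match), then heuristic scoring."""
    sig = signature(data)
    for name, known in DEFINITIONS.items():
        if known == sig:
            return {"verdict": "known", "name": name, "score": None, "hits": []}
    hits = [pat.decode() for pat, _ in HEURISTICS if pat in data]
    score = sum(w for pat, w in HEURISTICS if pat in data)
    verdict = "suspicious" if score >= SUSPICION_THRESHOLD else "clean"
    return {"verdict": verdict, "name": None, "score": score, "hits": hits}


def scan_file(path: str, quarantine_dir: str) -> dict:
    """Scan one file; move (never delete) anything not clean into quarantine."""
    with open(path, "rb") as fh:
        result = scan_bytes(fh.read())
    result["quarantined_to"] = None
    if result["verdict"] != "clean":
        os.makedirs(quarantine_dir, exist_ok=True)
        dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
        shutil.move(path, dest)   # kept intact so a false positive can be restored
        result["quarantined_to"] = dest
    return result


def demo() -> dict:
    """Write three constructed files into a temp dir and scan each of them."""
    workdir = tempfile.mkdtemp()
    samples = {
        "known.exe": KNOWN_SAMPLE,
        # Legitimate-looking mail add-in: touches the Registry and Outlook, so
        # its heuristic score reaches the threshold -> a false positive, which
        # is why it is quarantined rather than deleted.
        "mail_addin.dll": b"MZ RegSetValueEx Outlook.Application constructed add-in",
        "notes.txt": b"just a text file",
    }
    results = {}
    for name, data in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        results[name] = scan_file(path, os.path.join(workdir, "quarantine"))
    return results


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name}: {res['verdict']} {res['name'] or ''} score={res['score']} "
              f"hits={res['hits']} quarantined_to={res['quarantined_to']}")
```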

Virus-Scanning Techniques

In general, there are six ways a virus scanner might scan for virus infections. Some of these were mentioned in the previous section, but they are outlined and defined here:

  • Email and attachment scanning: Since the primary propagation method for a virus is email, email and attachment scanning is the most important function of any virus scanner. Some virus scanners actually examine your email on the email server before downloading it to your machine. Other virus scanners work by scanning your emails and attachments on your computer before passing them to your email program. In either case, email and email attachments should be scanned before a user has a chance to open them and release viruses on the system.

  • Download scanning: Any time you download anything from the Internet, either via a web link or through an FTP program, there is a chance you might download an infected file. Download scanning works much like email and attachment scanning but operates on files you select for downloading.

  • File scanning: With file scanning, files on your system are checked to see whether they match any known virus. This sort of scanning is generally done on an on-demand basis instead of an ongoing basis. It is a good idea to schedule your virus scanner to do a complete scan of the system periodically. I recommend a weekly scan, preferably at a time when no one is likely to be using the computer.

  • Heuristic scanning: Heuristic scanning, briefly mentioned in the previous section, is perhaps the most advanced form of virus scanning. Because it uses rules to determine whether a file or program is behaving like a virus, heuristic scanning is one of the best ways to find a virus that is not a known virus. A new virus will not be on a virus definition list, so you must examine its behavior to determine whether it is a virus. However, this process is not foolproof. Some actual virus infections will be missed, and some nonvirus files might be suspected of being viruses.

  • Sandbox: The sandbox approach basically involves having a separate area, isolated from the operating system, in which a download or an attachment is run. Then, if it is infected, it won’t infect the operating system.

  • Machine learning: Most antivirus vendors are now working to implement basic machine learning algorithms into their antivirus software. This allows the antivirus software to adapt to changing attacks. Machine learning is only beginning to be used and is not yet well developed.

One way to accomplish sandboxing is for the operating system to set aside a protected area of memory to open the suspected file and to monitor its behavior. This is not 100% effective, but it is far safer than simply opening files on your system and hoping there is no infection.

A related concept is called a “sheep dip” machine. This is useful in corporate networks. You set up a system that is identical in configuration to your standard workstations. However, this sheep dip machine is not networked. Suspect files are opened first on the system. Then the system is monitored for a period of time for signs of infection. Once the file has cleared this check, it can then be opened on normal workstations.

A simple way to do this in a home or small office is to set up a virtual machine on your computer and to open suspected attachments or downloads in the virtual machine first. This virtual machine can have virus scanners running on it. Also, you can change the time in the virtual machine in order to detect logic bombs. Allow the suspect file to reside on the VM for a period of time before bringing it to the host computer.

FYI: How Most Commercial Scanners Work

  • Active code scanning: Modern websites frequently embed active codes, such as Java applets and ActiveX. These technologies can provide some stunning visual effects to any website. However, they can also be vehicles for malicious code. Scanning such objects before they are downloaded to a computer is an essential feature in any quality virus scanner.

  • False positives and false negatives: Regardless of the type of virus scanner, any antivirus software will occasionally have an error. There are two types of errors that you should be concerned with. It is possible that your antivirus software will mistake a legitimate program for a virus. For example, you might have a program that is supposed to make some adjustment to the Windows Registry or to scan your email address book. Mistaking a legitimate program for a virus is referred to as a false positive. It is also possible that your antivirus will fail to recognize a virus. This is referred to as a false negative. The best way to minimize false negatives is to keep your antivirus software updated. For false positives, it is recommended that you simply quarantine suspected viruses and not automatically delete them.

Commercial Antivirus Software

Four brands of antivirus software virtually dominate the antivirus market today, and it is typical for a company that offers a commercial scanner to also offer a free version that does not provide as many features as the commercial product. For example, AVG AntiVirus, available from www.avg.com, is a commercial product, but the company also offers the AVG AntiVirus Free Edition. McAfee, Norton, and Kaspersky are three other very well-known antivirus vendors. All four products are good choices and come with a number of options, such as spam filters and personal firewalls. Any of these four products can be purchased for a home machine for about $30 to $60 (depending on the options included). This purchase price includes a 1-year subscription to update the virus files so that the antivirus software will be able to recognize all known virus attacks, including new ones. Organizational licenses are also available to cover entire networks. Malwarebytes is another popular vendor that has both free and commercial versions.

Of course, there are other antivirus solutions available. Several free virus scanners can easily be found on the Internet. McAfee, Norton, AVG, Malwarebytes, and Kaspersky are mentioned here because they are so commonly used, and it is likely that you will encounter them frequently. But my mentioning these well-known products does not mean that I discourage you from using other systems. I do, however, strongly recommend that you stick with widely used, well-supported antivirus products.

Firewalls

A firewall is, in essence, a barrier between two computers or computer systems. The most common place to encounter a firewall is between a network and the outside world. However, firewalls on individual computers and between network segments are also quite common. At a minimum, a firewall will filter incoming packets based on certain parameters, such as packet size, source IP address, protocol, and destination port. Linux and Windows (beginning with Windows XP and including all subsequent Windows versions) ship with a simple firewall. For Windows, the firewall in Windows 7 was expanded to handle filtering of both inbound and outbound traffic. Windows 8 and Windows 10 have not significantly changed the firewall functionality in Windows. You should turn on and configure your individual computer firewalls in addition to perimeter firewalls.

In an organizational setting, you will want, at a minimum, a dedicated firewall between your network and the outside world. This might be a router that also has built-in firewall capabilities. (Cisco Systems is one company that is well known for selling high-quality routers and firewalls.) Or, it might be a server that is dedicated solely to running firewall software. Selecting a firewall is an important decision. If you lack the expertise to make such a decision, then you should arrange for a consultant to assist you in this respect.

Benefits and Limitations of Firewalls

A firewall, no matter what type you get (types are described in the next section), is basically a tool to block certain traffic. A set of rules determines what traffic to allow in and what traffic to block. Obviously, a firewall is a critical piece of your security strategy. I cannot even conceive of a reason to run a system without one. However, a firewall is not a panacea for security because it cannot block every attack. For example, a firewall won’t stop you from downloading a Trojan horse. It also cannot stop internal attacks. But a firewall can be an excellent way to stop a denial of service (DoS) attack or to prevent a hacker from scanning the internal details of your network.

Firewall Types and Components

There are numerous types of firewalls and variations on those types. But most firewalls can be grouped into one of the following three families of firewalls:

  • Packet filtering

  • Stateful packet inspection

  • Application

The following sections discuss each of these and assess the advantages and disadvantages of each.

Packet Filtering

Basic packet filtering is the simplest form of firewall. It involves looking at packets and checking to see if each packet meets the firewall rules. For example, it is common for a packet filtering firewall to consider three questions:

  • Is this packet using a protocol that the firewall allows?

  • Is this packet destined for a port that the firewall allows?

  • Is the packet coming from an IP address that the firewall has not blocked?

These are three very basic rules. Some packet filter firewalls check additional rules. But what is not checked is the preceding packets from that same source. Essentially, each packet is treated as a singular event, without reference to the preceding conversation. This makes packet filtering firewalls quite susceptible to some DoS attacks, such as SYN floods.

Stateful Packet Inspection

Any stateful packet inspection (SPI) firewall will examine each packet and deny or permit access based not only on the examination of the current packet but also on data derived from previous packets in the conversation. The firewall is therefore aware of the context in which a specific packet was sent. This makes such a firewall far less susceptible to ping floods and SYN floods, as well as less susceptible to spoofing. For example, if a firewall detects that the current packet is an ICMP packet and a stream of several thousand packets have been continuously coming from the same source IP, the firewall will see that this is clearly a DoS attack, and it will block the packets.

A stateful packet inspection firewall can also look at the actual contents of a packet, which allows for some very advanced filtering capabilities. Most high-end firewalls use the stateful packet inspection method; when possible, this is the recommended type of firewall.
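To make the difference between the two sections above concrete, here is an added example (not from the book) that runs the same packet stream through a stateless packet filter and through a stateful inspector. The three packet-filter questions become a stateless function; the stateful version applies the same rules but also remembers per-source history, so a ping flood or a SYN flood made of individually acceptable packets is caught. Policy values, addresses and packet streams are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed policy for the three basic packet-filter questions.
ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp"}
ALLOWED_DST_PORTS = {53, 80, 443}
BLOCKED_SOURCES = {"203.0.113.9"}          # constructed (TEST-NET-3) address


def packet_filter(pkt: dict) -> str:
    """Stateless filter: every packet is judged on its own, with no memory of
    what the same source sent a moment ago."""
    if pkt["proto"] not in ALLOWED_PROTOCOLS:
        return "deny"
    if pkt["src"] in BLOCKED_SOURCES:
        return "deny"
    if pkt["proto"] != "icmp" and pkt["dport"] not in ALLOWED_DST_PORTS:
        return "deny"
    return "permit"


class StatefulInspector:
    """Applies the same rules but also keeps per-source conversation state, so a
    flood of individually acceptable packets becomes visible. (A production SPI
    firewall also caps the total number of half-open connections, because flood
    sources are often spoofed; that is omitted here for brevity.)"""

    def __init__(self, icmp_limit=100, window=1.0, half_open_limit=50):
        self.icmp_limit = icmp_limit          # ICMP packets allowed per window
        self.window = window                  # seconds
        self.half_open_limit = half_open_limit
        self.icmp_times = defaultdict(deque)  # src -> timestamps of recent ICMP
        self.half_open = defaultdict(set)     # src -> client ports: SYN seen, no ACK yet
        self.blocked = set()

    def inspect(self, pkt: dict) -> str:
        src = pkt["src"]
        if src in self.blocked:
            return "deny"
        if packet_filter(pkt) == "deny":      # stateless rules still apply first
            return "deny"
        if pkt["proto"] == "icmp":
            recent = self.icmp_times[src]
            recent.append(pkt["ts"])
            while recent and pkt["ts"] - recent[0] > self.window:
                recent.popleft()
            if len(recent) > self.icmp_limit:  # a stream of pings from one host
                self.blocked.add(src)
                return "deny"
        elif pkt["proto"] == "tcp":
            flags = pkt.get("flags", set())
            if "SYN" in flags and "ACK" not in flags:
                self.half_open[src].add(pkt["sport"])
                if len(self.half_open[src]) > self.half_open_limit:
                    self.blocked.add(src)       # SYN flood: handshakes never finish
                    return "deny"
            elif "ACK" in flags:
                self.half_open[src].discard(pkt["sport"])  # handshake completed
        return "permit"


def ping_flood(n=150, src="198.51.100.7"):
    """n ICMP packets from one constructed source, all within a single second."""
    return [{"proto": "icmp", "src": src, "dport": None, "ts": i * 0.001}
            for i in range(n)]


def syn_flood(n=60, src="198.51.100.8"):
    """n TCP SYNs to port 80, each from a new client port, none ever ACKed."""
    return [{"proto": "tcp", "src": src, "sport": 40000 + i, "dport": 80,
             "flags": {"SYN"}, "ts": i * 0.001} for i in range(n)]


def compare(packets):
    """Feed one stream to both firewalls; return (stateless, stateful) permit counts."""
    spi = StatefulInspector()
    stateless = sum(packet_filter(p) == "permit" for p in packets)
    stateful = sum(spi.inspect(p) == "permit" for p in packets)
    return stateless, stateful


if __name__ == "__main__":
    print("ping flood (stateless, stateful permits):", compare(ping_flood()))
    print("SYN flood  (stateless, stateful permits):", compare(syn_flood()))
```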

Application Gateways

An application gateway (also known as application proxy or application-level proxy) is a program that runs on a firewall. When a client program, such as a web browser, establishes a connection to a destination service, such as a web server, it connects to an application gateway, or proxy. The client then negotiates with the proxy server in order to gain access to the destination service. In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall. This process actually creates two connections. There is one connection between the client and the proxy server, and there is another connection between the proxy server and the destination.

Once a connection is established, the application gateway makes all decisions about which packets to forward. Since all communication is conducted through the proxy server, computers behind the firewall are protected.

Essentially, an application firewall is used for specific types of applications, such as database or web server applications. It is able to examine the protocol being used (such as HTTP) for any anomalous behavior and block traffic that might get past other types of firewalls. It is common to have an application firewall that also includes stateful packet inspection.

Firewall Configurations

In addition to the various types of firewalls, there are various configuration options. The type of firewall tells you how it will evaluate traffic and hence decide what to allow and not to allow. The configuration gives you an idea of how that firewall is set up in relation to the network it is protecting. Some of the major configurations/implementations for firewalls include the following:

  • Network host-based firewall

  • Dual-homed host

  • Router-based firewall

  • Screened host

Each of these is discussed in the following sections.

Network Host-Based Firewalls

A network host-based firewall is a software solution installed on an existing machine with an existing operating system. The most significant concern in using this type of firewall is that no matter how good the firewall solution is, it is contingent upon the underlying operating system. In such a situation, it is absolutely critical that the machine hosting the firewall have a hardened operating system.

Dual-Homed Host

A dual-homed host is a firewall running on a server with at least two network interfaces. The server acts as a router between the network and the interfaces to which it is attached. To make this work, the automatic routing function is disabled, meaning that an IP packet from the Internet is not routed directly to the network. You can choose what packets to route and how to route them. Systems inside and outside the firewall can communicate with the dual-homed host but cannot communicate directly with each other.

Router-Based Firewall

As was previously mentioned, you can implement firewall protection on a router. In larger networks with multiple layers of protection, this is commonly the first layer of protection. Although you can implement various types of firewalls on a router, the most common type used is packet filtering. If you use a broadband connection in your home or small office, you can get a packet-filtering firewall router to replace the basic router provided to you by the broadband company. In recent years, router-based firewalls have become increasingly common and are in fact the most common type of firewall used today.

Screened Host

A screened host is really a combination of firewalls. In this configuration, you use a combination of a bastion host and a screening router. The screening router adds security by allowing you to deny or permit certain traffic from the bastion host. It is the first stop for traffic, which can continue only if the screening router lets it through.

Commercial and Free Firewall Products

A variety of commercial firewall products are available, some of them free. If all you want is a basic packet-filtering solution, you can find such a solution from many software vendors. Major antivirus software vendors (including those mentioned previously in this chapter) often offer firewall software as a bundled option with antivirus software. Other companies, such as Zone Labs, sell firewall and intrusion detection systems (IDSs). Major manufacturers of routers and hubs, such as Cisco Systems, also offer firewall products. How much security you need is difficult to determine. A bare minimum recommendation is to have a packet-filtering firewall/proxy server between your network and the Internet—but that is a bare minimum.

ZoneAlarm

Zone Labs offers the ZoneAlarm Security Suite, which provides all the tools for complete Internet security. It offers a free personal firewall solution (https://www.zonealarm.com/software/free-firewall/).

Windows 10 Windows Defender Firewall

Windows 10 ships with a fully functioning firewall, called Windows Defender Firewall. (In fact, Windows has shipped with a firewall for many years.) Windows Defender Firewall can block inbound and outbound packets. To access it, click the Start button and type Firewall. Figure 9.1 shows Windows Defender Firewall.

Figure 9.1 Windows 10 Windows Defender Firewall.

Note that Windows Defender Firewall looks very similar to the firewall in Windows Server 2012 and 2016, but it is different from the firewall in Windows 7.

Beginning with Windows Server 2008 and for all versions after that, Windows includes stateful packet inspection firewalls. With Windows Defender Firewall for Windows 10, you can set different rules for outbound and inbound traffic. For example, your standard workstation will probably allow outbound HTTP traffic on port 80, but you might not want to allow inbound traffic (unless you are running a web server on that workstation).

You can also set up rules for a port, a program, a custom rule, or one of the many predefined rules that Microsoft allows you to select. You can also choose not only to allow or block a connection but to allow it only if it is secured by IPsec. This means you have three options for any connection.

Rules can allow or block given applications or ports, and you can have different rules for inbound and outbound traffic. The rules let you decide whether a particular type of communication is blocked or allowed. You can set rules for individual ports (all 65,554 available network ports) and for applications. The rules in the Windows 7 firewall give you a lot of flexibility.

Most importantly, you can apply rules differently depending on where traffic comes from. You can set up rules for three areas or profiles:

  • Domain: For computers authenticated on your domain.

  • Public: For computers from outside your network. You would treat outside traffic more carefully than traffic coming from another machine in your domain.

  • Private: Private refers to traffic from your own computer.

Firewall Logs

Firewalls are excellent tools for attempting to ascertain what has happened after an incident has occurred. Almost all firewalls, regardless of type or implementation, will log activity. These logs can provide valuable information that can assist in determining the source of an attack, methods used to attack, and other data that might help either locate the perpetrator of an attack or at least prevent a future attack using the same techniques. Any security-conscious network administrator should make it a routine habit to check the firewall logs.

Antispyware

Antispyware, as discussed earlier in this book, scans your computer to see whether there is spyware running on your machine. This is an important element of computer security software that was at one time largely ignored. Even today, not enough people take spyware seriously or guard against it. Most antispyware works by checking your system for known spyware files. Each application must simply be checked against a list of known spyware. This means that you must maintain some sort of subscription service so that you can obtain routine updates to your spyware definition list. Most antivirus solutions now also check for spyware.

In today’s Internet climate, running antispyware is as essential as running antivirus software. Failing to do so can lead to serious consequences. Personal data, and perhaps sensitive business data, could easily be leaking out of your organization without your knowledge. And, as was pointed out earlier in this book, it is entirely possible for spyware to be the vehicle for purposeful industrial espionage.

Barring the use of antispyware, or even in conjunction with such software, you can protect yourself via your browser’s security settings, as discussed in a previous chapter. Additionally, several times throughout this book, you have been warned to be cautious about attachments and Internet downloads. You would also be well advised to avoid downloading various Internet “enhancements,” such as skins and toolbars. If you are in an organization, prohibiting such downloads should be a matter of company policy. Unfortunately, many websites today require some sort of add-in such as Flash in order to function properly. The best advice for this situation is to only allow add-ins on trusted, well-known sites.

IDSs

IDSs have become much more widely used in the past few years. Essentially, an IDS inspects all inbound and outbound port activity on a machine/firewall/system, looking for patterns that might indicate break-in attempts. For example, if an IDS finds that a series of ICMP packets were sent to each port in sequence, this probably indicates that the system is being scanned by network-scanning software, such as Cerberus. This type of scan is often a prelude to an attempt to breach system security, and it can be very important to know that someone is performing preparatory steps to infiltrate your system.

Entire volumes have been written on how IDSs work. This chapter cannot hope to cover that much information. However, it is important that you have a basic idea of how these systems work.

The sections that follow will first examine the broad categories in which IDSs tend to be viewed and then look at some specific approaches to IDSs. While this information is not all inclusive, the following sections do address the most common terminology used.

IDS Categorization

There are a number of ways in which IDSs can be categorized. The most common IDS categorizations are as follows:

  • Passive IDSs

  • Active IDSs (also called intrusion prevention systems, or IPSs)

Passive IDSs

A passive IDS just monitors suspicious activity and logs it. In some cases, an IDS may notify the administrator of the activity in question. This is the most basic type of IDS. Any modern system should have, at a minimum, a passive IDS along with the firewall, antivirus, and other basic security measures.

Active IDSs

An active IDS, also called an IPS, takes the added step of shutting down the suspect communication. Whether one uses an IDS or IPS is a decision that must be made after a thorough risk analysis.

Just as with antivirus software, it is possible for an IDS to have a false positive. It might suspect that something is an attack when in fact it is legitimate traffic. Imagine that an active IDS is looking at threshold monitoring to determine if an attack is occurring. A particular user normally works between the hours of 8 a.m. and 5 p.m. and uses a relatively small amount of bandwidth. If the IDS detects the user at 10 p.m. using 10 times his normal bandwidth, it might perceive that this is an attack and shut down the offending traffic. However, it may be found later that this was a legitimate user working late on a critical project that was due to a client the next day, and the IPS prevented that from happening. This is a false positive.

This is an excellent place to consider risk analysis. You have to weigh the hazards of false positives against the risk of allowing an attack to proceed undetected before deciding whether a passive IDS or an IPS is appropriate for your organization. It is often the case that different network segments will have different risk profiles. You may find that a passive IDS is appropriate for most of your network but that an IPS is needed for the most sensitive network segments.

Identifying an Intrusion

There are really two ways of identifying an intrusion. The first method is signature based. This is similar to the signatures used by antivirus. However, IDS signatures cover issues beyond malware. For example, certain DoS attacks have specific signatures that can be recognized.

The second method is statistical anomaly. Essentially, any activity that seems outside normal parameters and far enough outside the given parameters to be a likely attack is identified as a probable attack. Any number of activities can trigger this type of alert, such as a sudden increase in bandwidth utilization or user accounts accessing resources they have never accessed before.

Most IDSs use both forms of attack identification. The two real issues for selecting an IDS are its ease of use and its signature database. There are certainly other considerations, such as price, but ease of use and its signature database are the most important in deciding on an IDS.
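The following is an added illustration (not from the book) of both identification methods and of the passive-versus-active distinction drawn earlier in this section. The signature rule is the sequential port probe described at the start of the IDS section; the anomaly rule is the threshold scenario of the user who works late and uses ten times the usual bandwidth. In passive mode the toy IDS only logs an alert; in active (IPS) mode it also blocks the source, which is what turns that false positive into an outage. Addresses, user names and baselines are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    kind: str      # "signature" or "anomaly"
    source: str    # offending IP address or user
    detail: str
    action: str    # "logged" (passive IDS) or "blocked" (active IDS / IPS)


class ToyIDS:
    """Signature-based and statistical-anomaly detection over a constructed
    event stream. mode="passive": alerts are only logged. mode="active": the
    source is also blocked."""

    def __init__(self, mode="passive", scan_ports=10, anomaly_factor=10.0):
        self.mode = mode
        self.scan_ports = scan_ports           # distinct ports that count as a scan
        self.anomaly_factor = anomaly_factor   # multiple of baseline that is "far outside"
        self.ports_seen = defaultdict(set)     # src -> destination ports it has probed
        self.baseline = {}                     # user -> (usual hours, usual bytes/hour)
        self.blocked = set()
        self.alerts = []

    def learn_baseline(self, user, hours, usual_bytes):
        """Statistical anomaly detection needs a picture of 'normal' first."""
        self.baseline[user] = (set(hours), usual_bytes)

    def _raise(self, kind, source, detail):
        action = "logged"
        if self.mode == "active":
            self.blocked.add(source)
            action = "blocked"
        self.alerts.append(Alert(kind, source, detail, action))

    def on_packet(self, src, dport):
        """Signature rule: one source touching many distinct ports in turn is
        the port-scan pattern described at the start of the IDS section."""
        if src in self.blocked:
            return "dropped"
        self.ports_seen[src].add(dport)
        if len(self.ports_seen[src]) == self.scan_ports:
            self._raise("signature", src, f"{self.scan_ports} distinct ports probed")
        return "dropped" if src in self.blocked else "forwarded"

    def on_usage(self, user, hour, bytes_used):
        """Threshold rule: activity outside the user's usual hours and far above
        the usual volume is reported as a probable attack."""
        if user in self.blocked:
            return "dropped"
        hours, usual = self.baseline.get(user, (None, None))
        if usual is not None and hour not in hours and bytes_used >= self.anomaly_factor * usual:
            self._raise("anomaly", user,
                        f"{bytes_used} bytes at {hour:02d}:00, {bytes_used / usual:.0f}x usual")
        return "dropped" if user in self.blocked else "forwarded"


def scan_scenario(mode):
    """Constructed scan: one source probes ports 1..12 in sequence.
    Returns (alerts raised, packets forwarded, packets dropped)."""
    ids = ToyIDS(mode=mode)
    results = [ids.on_packet("198.51.100.20", port) for port in range(1, 13)]
    return len(ids.alerts), results.count("forwarded"), results.count("dropped")


def late_worker_scenario(mode):
    """The false positive from the text: a user who normally works 8 a.m. to
    5 p.m. shows up at 10 p.m. using ten times the usual bandwidth."""
    ids = ToyIDS(mode=mode)
    ids.learn_baseline("alice", range(8, 17), 5_000_000)
    daytime = ids.on_usage("alice", 14, 6_000_000)      # normal: no alert
    late = ids.on_usage("alice", 22, 50_000_000)        # alert; blocked if active
    return daytime, late, ids.alerts[-1].action if ids.alerts else None


if __name__ == "__main__":
    for mode in ("passive", "active"):
        print(mode, "scan:", scan_scenario(mode),
              "late worker:", late_worker_scenario(mode))
```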

IDS Elements

Whether it is an active IDS or a passive IDS, and regardless of whether it is commercial or open source, certain elements/terms are common to all IDSs:

  • A sensor is the IDS component that collects data and passes it to the analyzer for analysis.

  • The analyzer is the component or process that analyzes the data collected by the sensor.

  • The manager is the IDS interface used for management. It is a software component of the IDS.

  • The operator is the person primarily responsible for the IDS.

  • Notification is the process or method by which the IDS manager makes the operator aware of an alert.

  • An activity is an element of a data source that is of interest to the operator. It may or may not be a possible attack.

  • An event is any activity that is deemed to be suspicious and a possible attack.

  • An alert is a message from the analyzer indicating that an event has occurred.

  • The data source is raw information that the IDS is analyzing to determine if there has been an event.

All these elements are part of an IDS and function together to capture traffic, analyze that traffic, and report anomalous activity to the operator of the IDS. An IPS has additional elements that enable it to shut down offending traffic.

Snort

A number of vendors supply IDSs, and each has unique strengths and weaknesses. Which system is best for your environment depends on many factors, including the network environment, security level required, budget constraints, and skill level of the person who will be working directly with the IDS. One popular open-source IDS is Snort, which can be downloaded for free from www.snort.org.

We will examine Snort briefly in this section. While it is not the only IDS available, it is free, and that makes it an attractive option for many people. We will walk through the basic configuration of Snort for Windows.

First, you must visit www.snort.org and register (for free). Then download the Snort installation program and the latest rules. Make certain you download the installer that has an .exe extension. The .rpm extensions are for Linux. Also, I have found that certain versions of Microsoft Internet Explorer do not work well with the Snort website, so it is recommended that you use an alternative browser such as Mozilla Firefox.

Once you have downloaded both the rules and the installation program, start the installation. Most of it is quite simple. There is a screen that asks you if you wish to support database connectivity. For most live situations, you would want to dump your Snort records to some database. However, for demonstration purposes, choose I Do Not Plan to Log to a Database. Figure 9.2 shows the installation options.

The snort installation options are depicted.
Figure 9.2 Snort installation options.

Other than this, simply use all default settings. At the end, the installation program will also attempt to install WinPCAP. If for some reason this fails, you will need to download and install it separately. WinPCAP is an open-source tool for capturing packets, and all IDSs depend on packet capturing.

After you copy the rules you downloaded from wherever you saved them to C:\snort\rules, you need to copy the configuration file from C:\snort\rules\etc\snort.conf to C:\snort\etc. Open that configuration file using WordPad, not Notepad. (Notepad does not support word wrap, and it will be difficult to read the configuration file in Notepad.)

You need to change the HOME_NET any to your machine’s IP address, as shown in Figure 9.3. In a live situation, you would also set the other IP addresses (for the web server, SQL server, DNS server, and so on).

The syntax of snort configuration file is shown.
Figure 9.3 HOME_NET address.

Now you need to find and change the rule paths, which are Linux-style paths, as shown in Figure 9.4.

The syntax of the Linux-style paths is shown, which reads as follows: # Path to your rules files (this can be a relative path). Note for Windows users: you are advised to make this an absolute path, such as c:\snort\rules; var RULE_PATH ../rules; var SO_RULE_PATH ../so_rules; var PREPROC_RULE_PATH ../preproc_rules.
Figure 9.4 Linux-style paths.

You need to change them to Windows-style paths, as shown in Figure 9.5.

The syntax of the Windows-style paths reads as follows: var RULE_PATH c:\snort\rules; var SO_RULE_PATH c:\snort\rules\so_rules; var PREPROC_RULE_PATH c:\snort\rules\preproc_rules.
Figure 9.5 Windows-style paths.

You now need to find and change the library paths. This is a bit difficult because the names of the paths and the files are a bit different in Windows. The Linux-style library paths will look like the ones shown in Figure 9.6.

The syntax of the Linux-style library paths is shown, which reads as follows: # path to dynamic preprocessor libraries; dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/; # path to base preprocessor engine; dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so; # path to dynamic rules libraries; # dynamicdetection directory /usr/local/lib/snort_dynamicrules.
Figure 9.6 Linux-style library paths.

You can find your Windows pathnames and filenames by looking in the folder shown in Figure 9.7.

A screenshot shows the location of two folders under the Snort lib folder on drive C:. The two folders, snort_dynamicengine and snort_dynamicpreprocessor, are located under the Snort lib folder.
Figure 9.7 Windows-style library paths.

Note

If you find that you do not have a particular file or path in your system, just make sure it is commented out in the configuration file.

You must find the reference data and change it from Linux-style paths to Windows-style paths, as shown in Figure 9.8.

The syntax of the reference paths reads as follows: # metadata reference data. do not modify these lines; include C:\Snort\etc\classification.config; include C:\Snort\etc\reference.config.
Figure 9.8 Reference paths.

You are almost done. Now search for this:

#output log_tcpdump

and after it, add this line:

output alert_fast: alert.ids

Note

The pound sign (#) indicates a comment.

Now you need to use the command line to start Snort. Simply navigate to C:\snort\bin. There are several different ways to start Snort. Many of the common ones are listed in Table 9.1. I recommend that you try the simplest one first.

Table 9.1 Snort Commands

Command: snort -v
Purpose: Start Snort as just a packet sniffer.

Command: snort -vd
Purpose: Start Snort as a packet sniffer but have it sniff packet data rather than just the headers.

Command: snort -dev -l ./log
Purpose: Start Snort in logging mode so it logs packets.

Command: snort -dev -l ./log -h 192.168.1.1/24 -c snort.conf (replacing 192.168.1.1/24 with your IP address)
Purpose: Start Snort in IDS mode.

Snort is free and open source, but many people have a great deal of difficulty working with it at first. The slightest error in your configuration file or the command-line startup will cause it to not run correctly. The purpose of this section is just to introduce you to Snort. For more information on Snort, see the following sites:
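Because, as noted above, the slightest slip in snort.conf stops Snort from running, the Windows edits described in this section are worth doing mechanically rather than by hand. The following script is an added example, not part of the chapter or of the Snort project: it takes the text of a Linux-style snort.conf and applies exactly the edits walked through above (HOME_NET, the three rule paths, the two library paths, commenting out the dynamic-rules path you do not have, the reference includes, and the output alert_fast line after #output log_tcpdump). The configuration fragment is a constructed sample in the shape of the shipped file, and the Windows engine file name sf_engine.dll is an assumption about the snort_dynamicengine folder from Figure 9.7; confirm it against your own C:\snort\lib before use.

```python
"""Apply the chapter's Windows edits to a Linux-style snort.conf (added example)."""
import re

# Constructed fragment in the shape of the shipped snort.conf (sample, not the real file)
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
# Path to your rules files (this can be a relative path)
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
# metadata reference data.  do not modify these lines
include classification.config
include reference.config
# pcap
#output log_tcpdump: tcpdump.log
"""

def windowsize_snort_conf(text, home_net, root=r"c:\snort", have_dynamicrules=False):
    """Return a copy of `text` with the chapter's Windows edits applied.

    Hypothetical helper. The engine file name is assumed from the folders in
    Figure 9.7; check it against your own snort\\lib\\snort_dynamicengine folder.
    """
    rules = root + r"\rules"
    out = []
    for line in text.splitlines():
        if re.match(r"^(ip)?var HOME_NET any\b", line):
            line = f"ipvar HOME_NET {home_net}"          # your machine's address
        elif line.startswith("var RULE_PATH "):
            line = f"var RULE_PATH {rules}"
        elif line.startswith("var SO_RULE_PATH "):
            line = f"var SO_RULE_PATH {rules}\\so_rules"
        elif line.startswith("var PREPROC_RULE_PATH "):
            line = f"var PREPROC_RULE_PATH {rules}\\preproc_rules"
        elif line.startswith("dynamicpreprocessor directory "):
            line = f"dynamicpreprocessor directory {root}\\lib\\snort_dynamicpreprocessor"
        elif line.startswith("dynamicengine "):
            # Assumed Windows engine file name; verify in the snort_dynamicengine folder
            line = f"dynamicengine {root}\\lib\\snort_dynamicengine\\sf_engine.dll"
        elif line.startswith("dynamicdetection directory ") and not have_dynamicrules:
            line = "#" + line      # chapter's note: comment out paths you do not have
        elif re.match(r"^include (classification|reference)\.config$", line):
            line = f"include {root}\\etc\\{line.split()[1]}"
        out.append(line)
        if line.startswith("#output log_tcpdump"):
            out.append("output alert_fast: alert.ids")   # fast alert log, as the chapter adds
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(windowsize_snort_conf(SAMPLE_CONF, "192.168.1.10/32"))
```

Run it against the real file with `windowsize_snort_conf(open(r"C:\snort\etc\snort.conf").read(), "<your IP>/32")` and write the result back; diffing the two versions before you start Snort is the quickest way to spot a path that does not exist on your machine.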

Honey Pots

A honey pot is an interesting technology. Essentially, it assumes that an attacker is able to breach your network security, and it would be best to distract that attacker away from your valuable data. Therefore, a honey pot involves creating a server that has fake data—perhaps an SQL server or Oracle server loaded with fake data, and just a little less secure than your real servers. Then, since none of your actual users ever access this server, monitoring software is installed to alert you when someone does access this server.

A honey pot achieves two goals. First, it takes the attacker’s attention away from the data you wish to protect. Second, it provides what appears to be interesting and valuable data, thus leading the attacker to stay connected to the fake server, giving you time to try to track the attacker. Commercial solutions, such as Specter (www.specter.com), are available. These solutions are usually quite easy to set up and include monitoring/tracking software. You may also find it useful to check out www.honeypots.org for more information on honey pots in general and on specific implementations.

Database Activity Monitoring

Database activity monitoring (DAM) involves monitoring and analyzing database activity that operates independently of the database management system (DBMS). It is separate from the DBMS auditing, logging, and monitoring. Database activity monitoring and prevention (DAMP) is an extension to DAM that goes beyond monitoring and alerting to also blocking unauthorized activities.

Other Preemptive Techniques

Besides IDS, antivirus, firewalls, and honey pots, there are a variety of preemptive techniques an administrator can use to attempt to reduce the chances of a successful attack being executed against a network.

Intrusion Deflection

Intrusion deflection is becoming increasingly popular among security-conscious administrators. The essence of it is quite simple: An attempt is made to attract the intruder to a subsystem set up for the purpose of observing intruders. This is done by tricking the intruder into believing that he has succeeded in accessing system resources when, in fact, he has been directed to a specially designed environment. Being able to observe the intruder while he practices his art will yield valuable clues and can lead to his arrest.

Intrusion deflection is often done by using a honey pot. Essentially, you set up a fake system, possibly a server that appears to be an entire subnet. You make that system look very attractive by perhaps making it appear to contain sensitive data, such as personnel files, or valuable data, such as account numbers or research. The actual data stored in this system is fake. The real purpose of the system is to carefully monitor the activities of any person who accesses the system. Since no legitimate user ever accesses this system, it is a given that anyone accessing it is an intruder.

Intrusion Deterrence

Intrusion deterrence involves simply trying to make a system seem like a less palatable target. In short, an attempt is made to make any potential reward from a successful intrusion attempt appear more difficult than it is worth. This approach includes tactics such as attempting to reduce the apparent value of the system’s worth through camouflage, which essentially means working to hide the most valuable aspects of the system. Another tactic in this methodology involves raising the perceived risk of a potential intruder being caught. This can be done in a variety of ways, including conspicuously displaying warnings and warning of active monitoring. The perception of the security of a system can be drastically improved, even when the actual system security has not been improved.

Authentication

When a user logs on to a system, the system needs to authenticate her (and sometimes the user needs to authenticate the system). There are many authentication protocols. A few of the most common ones are briefly described here:

  • PAP: Password Authentication Protocol is the simplest form of authentication and the least secure. Usernames and passwords are sent unencrypted, in plain text. This is obviously a very old method that is not used anymore. However, in the early days of computing, there were no widely available packet sniffers, and security was far less of a concern.

  • SPAP: Shiva Password Authentication Protocol is an extension to PAP that encrypts the username and password that are sent over the Internet.

  • CHAP: Challenge Handshake Authentication Protocol calculates a hash after the user has logged in. Then it shares that hash with the client system. Periodically the server will ask the client to provide that hash. (This is the challenge part.) If the client cannot provide it, then it is clear that the communications have been compromised. MS-CHAP is a Microsoft-specific extension to CHAP. These are the basic steps:

    1. After the handshake phase is complete, the authenticator (often the server) sends a “challenge” message to the peer.

    2. The peer responds with a value calculated using a “one-way hash” function.

    3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection should be terminated.

    4. At random intervals, the authenticator sends a new challenge to the peer and repeats steps 1 to 3.

    The goal of CHAP is to not only authenticate but to periodically reauthenticate, thus preventing session hijacking attacks.

  • EAP: Extensible Authentication Protocol is a framework frequently used in wireless networks and point-to-point connections. It was originally defined in RFC 3748 but has been updated since then. It handles the transport of keys and related parameters. There are several versions of EAP, and it has many variations, including these:

    • LEAP: Lightweight Extensible Authentication Protocol was developed by Cisco and has been used extensively in wireless communications. LEAP is supported by many Microsoft operating systems, including Windows 7 and later versions. LEAP uses a modified version of MS-CHAP.

    • EAP-TLS: Extensible Authentication Protocol–Transport Layer Security uses TLS to secure the authentication process. Most implementations of EAP-TLS utilize X.509 digital certificates to authenticate the users.

    • PEAP: Protected Extensible Authentication Protocol encrypts the authentication process with an authenticated TLS tunnel. PEAP was developed by a consortium including Cisco, Microsoft, and RSA Security. It was first included in Microsoft Windows XP.

  • Kerberos: Kerberos is used widely, particularly with Microsoft operating systems. It was invented at MIT and derives its name from the mythical three-headed dog that was reputed to guard the gates of Hades. The system is a bit complex, but the basic process is as follows: When a user logs in, the authentication server verifies the user’s identity and then contacts the ticket-granting server. (These servers are often on the same machine.) The ticket-granting server sends an encrypted ticket to the user’s machine. That ticket identifies the user as being logged in. Later, when the user needs to access some resource on the network, the user’s machine uses that ticket-granting ticket to get access to the target machine. There is a great deal of verification for the tickets, and these tickets expire in a relatively short time.
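The four CHAP steps listed above, worked through as an added example that is not part of the chapter. The response hash follows the RFC 1994 layout, MD5 over the identifier, the shared secret and the challenge, so the secret itself never crosses the wire; only the challenge and the hash do. The user name and secrets are constructed, and the "peer" and "authenticator" are two objects in one process standing in for the two ends of the link.

```python
"""CHAP challenge/response round trips, following the chapter's four steps (added example)."""
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """Step 2: the peer's one-way hash over identifier, secret and challenge (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """The authenticator (server) side: issues challenges and checks responses."""
    def __init__(self, secrets):
        self.secrets = secrets          # username -> shared secret (constructed)
        self.identifier = 0
        self.pending = {}               # username -> (identifier, challenge) awaiting a reply

    def challenge(self, username):
        """Step 1: send a fresh identifier and random challenge value to the peer."""
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)
        self.pending[username] = (self.identifier, value)
        return self.identifier, value

    def verify(self, username, identifier, response):
        """Step 3: recompute the expected hash and compare; False means terminate."""
        if username not in self.pending or self.pending[username][0] != identifier:
            return False
        _, value = self.pending.pop(username)          # each challenge is usable once
        expected = chap_response(identifier, self.secrets[username], value)
        return hmac.compare_digest(expected, response)

def chap_session(server_secret, peer_secret, rounds=3):
    """Initial authentication plus periodic re-challenges (step 4).

    Returns True only if every round verifies; a peer holding the wrong secret
    fails on the first round and the link would be dropped there.
    """
    auth = ChapAuthenticator({"alice": server_secret})
    for _ in range(rounds):
        ident, value = auth.challenge("alice")
        resp = chap_response(ident, peer_secret, value)   # computed on the peer side
        if not auth.verify("alice", ident, resp):
            return False
    return True
```

Because every challenge is random and usable once, a response captured from an earlier round is useless against a later challenge, which is the property the text refers to when it says the periodic re-challenge defends the session after login.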

More on Kerberos

Since Kerberos is so widely used, it bears a bit closer look than the other authentication methods. In this section we will look a bit more in depth at Kerberos. If this is your first exposure to Kerberos, you may need to read this section more than once to really digest it. While there are variations, the basic process is shown in Figure 9.9. (Note that Figure 9.9 is a very simplified overview of Kerberos and omits some steps that are discussed later in this section.)

Illustration of the Kerberos system is shown.
Figure 9.9 Kerberos.

The elements of Kerberos follow:

  • Principal: A server or client that Kerberos can assign tickets to.

  • Authentication server (AS): A server that authorizes the principal and connects it to the ticket-granting server.

  • Ticket-granting server (TGS): A server that provides tickets.

  • Key distribution center (KDC): A server that provides the initial ticket and handles TGS requests. Often it runs both the AS and TGS.

It must be noted that Kerberos is one of the most widely used authentication protocols. Europe often uses an alternative, SESAME (Secure European System for Applications in a Multivendor Environment).

Kerberos in More Detail

This section provides a more detailed understanding of Kerberos. Most of the process consists of messages, denoted by letters, being sent between the client and the key distribution center (KDC). First, the AS generates a secret key by creating a hash of the user password and then sends two messages to the client:

  • Message A: This is the client/TGS session key, encrypted with the secret key of the client.

  • Message B: The TGT includes the client ID, client network address, and validity period.

The messages are encrypted using the key the AS generated. Then the user attempts to decrypt Message A with a secret key generated by the client hashing the user’s entered password. If that entered password does not match the password the AS found in the database, then the hashes don’t match, and the decryption won’t work. If it does work, then Message A contains the client/TGS session key that can be used for communications with the TGS. Message B is encrypted with the TGS secret key and cannot be decrypted by the client. (Notice that the password is never actually sent across the network.)

When requesting services, the client sends the following messages to the TGS:

  • Message C: This message is composed of the TGT from Message B and the ID of the requested service.

  • Message D: This message is an authenticator (which is composed of the client ID and the timestamp), encrypted using the client/TGS session key.

Upon receiving Messages C and D, the TGS retrieves Message B out of Message C. It decrypts Message B by using the TGS secret key. This gives it the client/TGS session key. Using this key, the TGS decrypts Message D (the authenticator) and sends the following two messages to the client:

  • Message E: This is the client-to-server ticket (which includes the client ID, client network address, validity period, and client/server session key) encrypted using the service’s secret key.

  • Message F: This is the client/server session key encrypted with the client/TGS session key.

Upon receiving Messages E and F from the TGS, the client has enough information to authenticate itself to the service server (SS). The client connects to the SS and sends Message E (the client-to-server ticket, encrypted using the service’s secret key) along with a new message:

  • Message G: This is the new authenticator, which includes the client ID and a timestamp and is encrypted using the client/server session key.

The SS decrypts Message E using its own secret key to retrieve the client/server session key. Using the session key, the SS decrypts Message G and sends the following message to the client to confirm its true identity and willingness to serve the client:

  • Message H: This is the timestamp in the client’s authenticator.

The client decrypts the confirmation (Message H) by using the client/server session key and checks whether the timestamp is correct. If it is, the client can trust the server and can start issuing service requests to the server. The server then provides the requested services to the client.
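The Message A through Message H exchange just described, as an added example that is not part of the chapter and not an implementation of the real Kerberos protocol. Real Kerberos uses standardized encryption types; here a stand-in encrypt-then-MAC construction built from hashlib and hmac plays that role so the example runs with the standard library only. The principal names (alice, krbtgt, fileserver), the password, the client address and the ten-minute validity period are all constructed values. Each function is one party's step, and client_login runs the whole flow from the client's side, returning True only if every decryption and check succeeds.

```python
"""Toy walk-through of the Kerberos A..H message flow with a stand-in cipher (added example)."""
import hashlib
import hmac
import json
import os
import time

def key_from_password(password: str) -> bytes:
    # The AS (and the client, locally) derive the client's long-term key from the password
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> str:
    """Toy encrypt-then-MAC; stands in for Kerberos' real encryption types."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def unseal(key: bytes, blob: str) -> dict:
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed KDC database: the long-term key of each principal (assumed values)
KDC_DB = {
    "alice": key_from_password("correct horse battery staple"),
    "krbtgt": os.urandom(32),       # TGS secret key
    "fileserver": os.urandom(32),   # the service's secret key
}
VALIDITY = 600   # seconds a ticket stays valid (constructed; real tickets also expire quickly)

def as_exchange(client_id, client_addr):
    """AS reply: Message A (client/TGS session key) and Message B (the TGT)."""
    client_tgs_key = os.urandom(32).hex()
    msg_a = seal(KDC_DB[client_id], {"client_tgs_key": client_tgs_key})
    msg_b = seal(KDC_DB["krbtgt"], {"client": client_id, "addr": client_addr,
                                    "valid_until": time.time() + VALIDITY,
                                    "client_tgs_key": client_tgs_key})
    return msg_a, msg_b

def tgs_exchange(msg_c, msg_d):
    """TGS reply: Message E (client-to-server ticket) and Message F (client/server key)."""
    tgt = unseal(KDC_DB["krbtgt"], msg_c["tgt"])           # Message B, recovered from C
    if tgt["valid_until"] < time.time():
        raise ValueError("TGT expired")
    k_ctgs = bytes.fromhex(tgt["client_tgs_key"])
    auth = unseal(k_ctgs, msg_d)                            # the authenticator
    if auth["client"] != tgt["client"]:
        raise ValueError("authenticator does not match ticket")
    client_server_key = os.urandom(32).hex()
    msg_e = seal(KDC_DB[msg_c["service"]], {"client": tgt["client"], "addr": tgt["addr"],
                                           "valid_until": time.time() + VALIDITY,
                                           "client_server_key": client_server_key})
    msg_f = seal(k_ctgs, {"client_server_key": client_server_key})
    return msg_e, msg_f

def service_exchange(msg_e, msg_g):
    """SS reply: Message H, the authenticator's timestamp, proving it holds the ticket key."""
    ticket = unseal(KDC_DB["fileserver"], msg_e)
    k_cs = bytes.fromhex(ticket["client_server_key"])
    auth = unseal(k_cs, msg_g)
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    return seal(k_cs, {"timestamp": auth["timestamp"]})

def client_login(client_id, entered_password, service="fileserver", addr="10.0.0.5"):
    """The whole flow from the client's side; True only if every step verifies."""
    msg_a, msg_b = as_exchange(client_id, addr)
    try:   # wrong password: the locally derived key cannot open Message A
        k_ctgs = bytes.fromhex(unseal(key_from_password(entered_password), msg_a)["client_tgs_key"])
    except ValueError:
        return False
    msg_c = {"tgt": msg_b, "service": service}              # TGT plus requested service ID
    msg_d = seal(k_ctgs, {"client": client_id, "timestamp": time.time()})
    msg_e, msg_f = tgs_exchange(msg_c, msg_d)
    k_cs = bytes.fromhex(unseal(k_ctgs, msg_f)["client_server_key"])
    ts = time.time()
    msg_g = seal(k_cs, {"client": client_id, "timestamp": ts})
    msg_h = service_exchange(msg_e, msg_g)
    return unseal(k_cs, msg_h)["timestamp"] == ts            # server echoed our timestamp
```

Notice what never appears in any message: the password, and the client's long-term key. The client proves knowledge of the password only by being able to open Message A, and the TGS and SS each open only the ticket encrypted under their own key, which is why the client can carry Messages B and E around without being able to read or alter them.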

Yes, this process is quite convoluted—intentionally so. However, you have probably used this authentication method many times, even if you weren’t aware of it. It is very common.

Digital Certificates

It seems very likely that you have heard the term digital certificate previously. The first thing you may wonder is what does a digital certificate do? Recall our discussions of asymmetric cryptography in Chapter 8, “Encryption.” We mentioned that the public key can be disseminated widely since it can only be used to encrypt messages to us. Well, how does one provide people with a public key? The most common method is via a digital certificate. The digital certificate contains the user’s public key, along with other information. However, a digital certificate can provide much more. It can provide a means for authenticating that the holder of the certificate is who she claims to be.

X.509 is an international standard for the format and information contained in a digital certificate. X.509 is the most common type of digital certificate in the world. It is a digital document that contains a public key signed by the trusted third party that is known as a certificate authority, or CA.

The following are the basic items in an X.509 certificate, though there can be other optional information:

  • Version: This is the version of X.509 that this certificate complies with.

  • Certificate holder’s public key: This is the primary way of getting someone’s public key from his X.509 certificate.

  • Serial number: This is a unique identifier for this certificate.

  • Certificate holder’s distinguished name: This is often a domain name or an email address associated with a certificate.

  • Certificate’s validity period: One year is the most common validity period.

  • Unique name of certificate issuer: This is the certificate authority that issued this certificate.

  • Digital signature of issuer: This field and the next are used to verify the certificate.

  • Signature algorithm identifier: This identifies the digital signature algorithm used.

Let us see how this works in a common scenario. Say that you visit your bank’s website. In order to get the bank’s public key, your browser will download that bank’s digital certificate. But there is a problem. Could someone have set up a fake site, claiming to be your bank? Could that person have also generated a fake certificate, claiming to be the bank? Yes, it’s possible. This is one place digital certificates help us out. Your browser will look at the certificate issuer listed on the certificate and first ask if that is a CA that your browser trusts. If it is, then your browser communicates with that CA to get that CA’s public key. (Recall from Chapter 8 that a digital signature is created with a private key and verified with the public key.) The browser uses that CA public key to verify the CA signature on the certificate. If this is a fake certificate, the digital signature won’t be recognized. This means a certificate not only provides you with the certificate holder’s public key but also gives you a method of verifying that entity with a trusted third party.

It should be noted that unlike X.509 certificates, PGP (Pretty Good Privacy) certificates are not issued by a CA and don’t have a mechanism for third-party verification. They are usually used only for email communication. This is because it is assumed that you know who you are emailing, so verifying that identity is not required.

There are some other terms and concepts related to digital certificates that you need to be familiar with. Let us begin with a CA, the entity that issues you a digital certificate. Comodo, Symantec, DigiCert, GoDaddy, Verisign, and Thawte are all well-known certificate authorities. When you purchase a certificate from one of these vendors, it first verifies who you are. (This can be as simple as matching your credit card number with the domain you are buying the certificate for, or it can be far more involved.)

Since verifying a certificate user can be time-consuming, many CAs offload that process to a registration authority (RA), which notifies the CA about whether to issue the certificate.

A CRL (certificate revocation list) is a list of certificates issued by a CA that are no longer valid. CRLs are distributed in two main ways: In the push model, the CA automatically sends the CRL out at regular intervals. In the pull model, the CRL is downloaded from the CA by those who want to see it to verify a certificate. The problem is that a CRL does not involve real-time checking. Thus, the newer answer is the Online Certificate Status Checking Protocol (OCSP); the idea is to have a protocol that checks in real time whether the certificate is still valid.

SSL/TLS

What sort of encryption is used on bank websites and for e-commerce? In general, symmetric algorithms are faster and require a shorter key length to be as secure as asymmetric algorithms. However, there is the problem of how to securely exchange keys. Most e-commerce solutions use an asymmetric algorithm to exchange symmetric keys and then use the symmetric keys to encrypt the data.

When visiting websites that have an HTTPS at the beginning, rather than HTTP, the S denotes Secure. It means traffic between your browser and the web server is encrypted—usually with either SSL (Secure Sockets Layer) or TLS (Transport Layer Security). SSL and TLS are both asymmetric systems.

SSL, the older of the two technologies, is used to allow for transport-layer security via public key encryption. SSL was developed by Netscape for transmitting private documents via the Internet. By convention, URLs that require an SSL connection start with https instead of http. There have been several versions:

  • Unreleased v1 (Netscape)

  • Version 2, released in 1995 (and had many flaws)

  • Version 3, released in 1996 (RFC 6101)

  • Standard TLS1.0 (RFC 2246), released in 1999

  • TLS 1.1, defined in RFC 4346 in April 2006

  • TLS 1.2, defined in RFC 5246 in August 2008 (and based on the earlier TLS 1.1 specification)

  • TLS 1.3, defined in RFC 8446 in August 2018

Figure 9.10 shows the basic process of establishing an SSL/TLS connection.

A step-wise procedure for establishing the SSL/TLS connection between the client machine, the certificate authority, and the server is shown.
Figure 9.10 SSL/TLS.

The process involves several complex steps, as defined here:

  1. The client sends the server information regarding the client’s cryptographic capabilities, including what algorithms it is capable of, what hashing algorithms it can use for message integrity, and related information.

  2. The server responds by selecting the best encryption and hashing that both the client and server are capable of and sends this information to the client. The server also sends its own certificate, and if the client is requesting a server resource that requires client authentication, the server requests the client’s certificate.

  3. The client uses the information sent by the server to authenticate the server. This means authenticating the digital certificate with the appropriate CA. If this fails, the browser warns the user that the certificate cannot be verified. If the server can be successfully authenticated, the client proceeds to the next step. (However, modern computers ship with the certificates for the major CAs. These are usually in a certificate store on the computer. Thus to validate a certificate from a given CA, the client computer only has to get that CA’s digital certificate from its own store.)

  4. Using all data generated in the handshake thus far, the client creates the pre-master secret for the session, encrypts it with the server’s public key that it received from the server’s X.509 certificate, and then sends the encrypted pre-master secret to the server.

  5. If the server has requested client authentication, then the server will also authenticate the client’s X.509 certificate. This does not happen in most e-commerce and banking websites.

  6. Both the client and the server use the master secret to generate the session keys. These are symmetric keys (such as AES) that will be used throughout the session to encrypt information between the client and the server.

  7. The client sends a message to the server, informing it that future messages from the client will be encrypted with the session key.

  8. The server sends a message to the client, informing it that future messages from the server will be encrypted with the session key.

This process not only allows for secure exchange of a symmetric key but also enables verification of the server and (optionally) verification of the client. This is how secure web traffic is accomplished.
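Steps 4 and 6 of the handshake above, as an added example that is not part of the chapter: how both ends turn the pre-master secret into the same master secret and session keys without either side ever sending a session key. The derivation is the TLS 1.2 PRF from RFC 5246 section 5 (P_SHA256, with the "master secret" and "key expansion" labels) implemented with the standard library; the encryption of the pre-master secret under the server's public key (step 4) is not modelled, and the key and IV lengths are assumed for illustration rather than taken from a particular cipher suite.

```python
"""TLS 1.2 key derivation: pre-master secret -> master secret -> session keys (added example)."""
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function from RFC 5246 section 5."""
    out = b""
    a = seed                                                  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()      # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def derive_session_keys(pre_master, client_random, server_random,
                        mac_len=32, key_len=16, iv_len=4):
    """Both endpoints run this with the same inputs and obtain identical keys.

    Returns (master_secret, key_block_slots). Slot lengths are assumed for
    illustration; the layout (client MAC, server MAC, client key, server key,
    client IV, server IV) is the RFC 5246 key_block order.
    """
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    # Key expansion uses the randoms in the opposite order from the master secret
    block = prf(master, b"key expansion", server_random + client_random,
                2 * mac_len + 2 * key_len + 2 * iv_len)
    names = ("client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv")
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    slots, pos = {}, 0
    for name, size in zip(names, sizes):
        slots[name] = block[pos:pos + size]
        pos += size
    return master, slots

def simulate_handshake_keys():
    """Steps 4 and 6 as pure key arithmetic, one call per endpoint.

    The client's pre-master secret reaches the server encrypted under the server's
    public key (not modelled here). Given the same secret and the two randoms, the
    client and server derive the same master secret and the same session keys.
    """
    client_random, server_random = os.urandom(32), os.urandom(32)   # constructed hello randoms
    pre_master = os.urandom(48)                # constructed; RSA key exchange uses 48 bytes
    client_side = derive_session_keys(pre_master, client_random, server_random)
    server_side = derive_session_keys(pre_master, client_random, server_random)
    return client_side == server_side
```

Two points worth seeing in the code: the hello randoms bind the keys to this particular handshake, so the same pre-master secret sent in a replayed handshake yields different session keys, and the master secret is never transmitted; it exists only as the output of a computation both sides can do.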

Virtual Private Networks

A VPN (or virtual private network) essentially provides a way to use the Internet to create a virtual connection between a remote user or site and a central location. The packets sent back and forth over this connection are encrypted, thus making it private. The VPN must emulate a direct network connection.

Three different protocols are used to create VPNs:

  • Point-to-Point Tunneling Protocol (PPTP)

  • Layer 2 Tunneling Protocol (L2TP)

  • Internet Protocol Security (IPsec)

These protocols are discussed in more depth in the following sections.

Point-to-Point Tunneling Protocol

Point-to-Point Tunneling Protocol (PPTP) is the oldest of the three protocols used in VPNs. It was originally designed as a secure extension to Point-to-Point Protocol (PPP). PPTP was originally proposed as a standard in 1996 by the PPTP Forum—a group of companies that included Ascend Communications, ECI Telematics, Microsoft, 3Com, and U.S. Robotics. It adds the features of encrypting packets and authenticating users to the older PPP protocol. PPTP works at the data link layer of the OSI model (discussed in Chapter 2, “Networks and the Internet”).

PPTP offers two different protocols for authenticating the user: Extensible Authentication Protocol (EAP) and Challenge Handshake Authentication Protocol (CHAP). EAP was actually designed specifically for PPTP and is not proprietary. CHAP is a three-way process whereby the client sends a code to the server, the server authenticates it, and then the server responds to the client. CHAP also periodically reauthenticates a remote client, even after the connection is established.

PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt packets. MPPE is actually a version of DES. DES is still useful for many situations; however, newer versions of DES, such as DES 3, are preferred.

Layer 2 Tunneling Protocol

Layer 2 Tunneling Protocol (L2TP) was explicitly designed as an enhancement to PPTP. Like PPTP, it works at the data link layer of the OSI model. It has several improvements over PPTP. First, it offers more and varied methods for authentication: PPTP offers two methods (CHAP and EAP), whereas L2TP offers five (CHAP, EAP, PAP, SPAP, and MS-CHAP).

Besides making more authentication protocols available for use, L2TP offers other enhancements. PPTP will only work over standard IP networks, whereas L2TP will work over X.25 networks (a common protocol in phone systems) and ATM (Asynchronous Transfer Mode, a high-speed networking technology) systems. L2TP also uses IPsec for encryption.

IPsec

Internet Protocol Security (IPsec) is the newest of the three VPN protocols. One of the differences between IPsec and the other two methods is that it encrypts not only the packet data (recall the discussion of packets in Chapter 2) but also the header information. It also has protection against unauthorized retransmission of packets. This is important because one trick that a hacker can use is to simply grab the first packet from a transmission and use it to get his own transmissions to go through. Essentially, the first packet (or packets) has to contain the login data. If you simply re-send that packet (even if you cannot crack its encryption), you will be sending a valid logon and password that can then be followed with additional packets. Preventing unauthorized retransmission of packets prevents this from happening.
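The retransmission protection described above is implemented in IPsec with a per-packet sequence number and a sliding anti-replay window on the receiver (RFC 4303 section 3.4.3). The following is an added example, not part of the chapter: a window that accepts each authenticated sequence number once, tolerates packets arriving out of order within the window, and rejects both duplicates and packets older than the window. The sequence numbers fed to it are constructed, and in a real receiver the check runs only after the packet's integrity check (the AH or ESP ICV) has passed.

```python
"""ESP-style sliding anti-replay window over constructed sequence numbers (added example)."""

class AntiReplayWindow:
    """Tracks the highest accepted sequence number and a bitmap of the `size`
    numbers just below it. A packet is accepted only if it is new and not older
    than the window; a replayed copy of an accepted packet is rejected."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set means (top - i) has been accepted

    def check_and_update(self, seq):
        """Return True and record `seq` if it should be accepted, else False.
        Call only after the packet's integrity check has succeeded."""
        if seq == 0:
            return False                                   # 0 is never a valid ESP sequence number
        if seq > self.top:                                 # new high-water mark: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1                               # bit 0 now stands for seq itself
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                                   # too old: fell out of the window
        if self.bitmap & (1 << diff):
            return False                                   # already accepted: this is a replay
        self.bitmap |= 1 << diff                           # late but new: accept once
        return True

def replay_filter(sequence_numbers, size=64):
    """Run a constructed stream of sequence numbers through one window and
    return a list of (sequence number, accepted) pairs in arrival order."""
    window = AntiReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in sequence_numbers]

if __name__ == "__main__":
    # Constructed arrival order: in order, a duplicate, a late packet, a jump, a very old packet
    for seq, ok in replay_filter([1, 2, 3, 3, 5, 4, 200, 1, 150, 137, 136]):
        print(f"seq {seq:>3}: {'accept' if ok else 'reject'}")
```

The window is what makes the scheme practical: without it every out-of-order packet would have to be dropped, and without the bitmap an attacker could replay any packet whose number was below the high-water mark. The sequence number is covered by the integrity check, so it cannot be rewritten to slip past the window.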

IPsec operates in one of two modes: Transport mode, in which only the payload is encrypted, and Tunnel mode, in which both data and IP headers are encrypted. Following are some basic IPsec terms:

  • Authentication headers (AHs) provide connectionless integrity and data origin authentication for IP packets.

  • Encapsulating Security Payload (ESP) provides origin authenticity, integrity, and confidentiality protection of packets. It offers encryption-only and authentication-only configurations.

  • Security associations (SAs) provide the parameters necessary for AH or ESP operations. SAs are established using Internet Security Association and Key Management Protocol (ISAKMP).

  • Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange.

  • Internet Key Exchange (IKE and IKEv2) is used to set up an SA by handling negotiation of protocols and algorithms and to generate the encryption and authentication keys to be used.

Essentially during the initial establishment of an IPsec tunnel, SAs are formed. These SAs have information such as what encryption algorithm and what hashing algorithms will be used in the IPsec tunnel. (Recall that we discussed encryption in some depth in Chapter 8.) IKE is primarily concerned with establishing these SAs. ISAKMP allows the two ends of the IPsec tunnel to authenticate to each other and to exchange keys.

Wi-Fi Security

Wireless networks are commonly used today, and it is important to consider wireless network security. There are three Wi-Fi security protocols, ranging from the oldest and least secure (WEP) to the most recent and most secure (WPA3). They are each briefly described here.

Wired Equivalent Privacy

Wired Equivalent Privacy (WEP) uses the stream cipher RC4 to secure data and a CRC-32 checksum for error checking. Standard WEP uses a 40-bit key (known as WEP-40) with a 24-bit initialization vector (IV) to effectively form 64-bit encryption. 128-bit WEP uses a 104-bit key with a 24-bit IV.

Because RC4 is a stream cipher, the same traffic key must never be used twice. The problem with WEP is that the committee that created it was composed of very good computer professionals who thought they knew enough about cryptography but did not. They reused the IV, which defeats the entire purpose of an IV and leaves the protocol open to attacks. A simple search of YouTube for “how to crack WEP” will yield a deluge of videos on techniques for cracking WEP.
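Why IV reuse is fatal for a stream cipher, shown as an added example that is not part of the chapter. WEP forms the RC4 key as the 24-bit IV followed by the secret key, so two frames sent under the same IV are encrypted with the same keystream, and the XOR of their ciphertexts equals the XOR of their plaintexts with no key involved. The textbook RC4 below exists only to make that property visible; the key, IVs and frame contents are constructed. The last function is the defender's side of the same fact: a check over captured frames that reports any IV seen more than once, which is exactly the condition the 24-bit IV space makes unavoidable on a busy network.

```python
"""Keystream reuse under a repeated IV, with an IV-reuse check over frames (added example)."""

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (key scheduling + output generation); here only to show the failure mode."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: RC4 key = IV || secret key; the 3-byte IV is sent in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))

def keystream_reuse_leak(frame1: bytes, frame2: bytes):
    """If two frames carry the same IV, XOR of their encrypted bodies equals XOR of
    their plaintexts, computed without the key. Returns None when the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])

def find_iv_reuse(frames):
    """Defender's check over captured frames: map each repeated IV to the frame indexes using it."""
    seen = {}
    for idx, frame in enumerate(frames):
        seen.setdefault(frame[:3], []).append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}
```

The lesson generalizes beyond WEP: any stream cipher, and any counter-mode block cipher, has this property, which is why WPA's TKIP gives every packet a fresh key and why the later protocols in this section treat nonce management as part of the design rather than an afterthought.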

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) was definitely an improvement over WEP. First, WPA uses AES, which is a very good encryption algorithm. In addition, WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically generates a new key for each packet. So even if you crack a WPA key, there will be a different key for the next packet.

WPA2

WPA2 is the most widely used Wi-Fi security today, and if it is at all possible, this is what you should be using. WPA2, which is based on the IEEE 802.11i standard, provides Advanced Encryption Standard (AES) encryption using the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which provides data confidentiality, data origin authentication, and data integrity for wireless frames. (Some of these terms you should recall from Chapter 8.) CBC prevents known-plaintext attacks.

The MAC preserves message integrity and ensures that packets are not altered in transit, either accidentally or intentionally. This means that WPA2 uses very strong encryption along with message integrity.
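The structure just described (counter-mode encryption for confidentiality plus a keyed MAC that covers the frame so any alteration in transit is detected) is shown in the following added example, which is illustration for this chapter and not the textbook's or the 802.11 standard's code. The Python standard library has no AES, so HMAC-SHA256 stands in both for the counter-mode pseudo-random function and for CCMP's CBC-MAC; the frame layout (header, nonce, ciphertext, 8-byte MIC), the keys and the sample frame are constructed. The receiver checks the MIC in constant time before it decrypts anything, and a frame with even one flipped bit in the header or the body is rejected.

```python
"""Counter-mode encryption plus a keyed MAC over a wireless-style frame.
Added illustration; HMAC-SHA256 is a stand-in for AES in both roles."""
import hashlib
import hmac
import struct
from typing import Optional


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: keystream block i = PRF(key, nonce || i). The nonce must
    be unique per key; the counter never repeats inside one frame."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def protect(enc_key: bytes, mac_key: bytes, nonce: bytes,
            header: bytes, body: bytes) -> bytes:
    """Encrypt the body, then MAC header || nonce || ciphertext. The header is
    sent in the clear but is still covered by the integrity check."""
    ct = bytes(a ^ b for a, b in zip(body, keystream(enc_key, nonce, len(body))))
    mic = hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()[:8]
    return header + nonce + ct + mic


def unprotect(enc_key: bytes, mac_key: bytes, frame: bytes,
              header_len: int = 4, nonce_len: int = 12,
              mic_len: int = 8) -> Optional[bytes]:
    """Verify the MIC first (constant-time compare), then decrypt.
    Returns the body, or None if the frame was altered in transit."""
    if len(frame) < header_len + nonce_len + mic_len:
        return None
    header = frame[:header_len]
    nonce = frame[header_len:header_len + nonce_len]
    ct = frame[header_len + nonce_len:len(frame) - mic_len]
    mic = frame[len(frame) - mic_len:]
    expected = hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()[:mic_len]
    if not hmac.compare_digest(mic, expected):
        return None                      # reject before touching the ciphertext
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def flip_bit(frame: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Simulate accidental corruption or deliberate modification of a frame."""
    b = bytearray(frame)
    b[byte_index] ^= 1 << bit
    return bytes(b)


if __name__ == "__main__":
    enc_key, mac_key = b"e" * 16, b"m" * 16           # constructed keys
    nonce = bytes(range(12))                          # constructed nonce
    header, body = b"\x08\x02\x00\x00", b"hello wireless world"
    frame = protect(enc_key, mac_key, nonce, header, body)
    print("intact frame  ->", unprotect(enc_key, mac_key, frame))
    print("tampered body ->", unprotect(enc_key, mac_key, flip_bit(frame, 4 + 12 + 3)))
```

Checking the MAC before decrypting is the order CCMP and every modern authenticated-encryption mode enforce; decrypting first and checking afterwards exposes the receiver to padding-oracle style information leaks, and comparing the tag with hmac.compare_digest rather than == avoids a timing side channel on the comparison itself.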

WPA3

WPA3, which was released in 2018, has many interesting features. Among its more interesting new properties is that all traffic to and from the wireless access point (WAP) is encrypted. WPA3 also requires attackers to interact with your Wi-Fi for every password guess they attempt, which makes brute-force attacks less likely to be successful.

Summary

It is absolutely critical that every network have a firewall and proxy server between the network and the outside world. It is critical that all machines in a network (servers and workstations alike) have updated virus protection. It is also a good idea to consider implementing an IDS and antispyware. In the upcoming exercises, you will have an opportunity to practice setting up various types of firewalls and IDSs.

Test Your Skills

Multiple Choice Questions

1. Which of the following is the most common way for a virus scanner to recognize a virus?

A. To compare a file to known virus attributes

B. To use complex rules to look for virus-like behavior

C. To look for only TSR programs

D. To look for TSR programs or programs that alter the Registry

2. What is one way of checking emails for virus infections?

A. Block all emails with attachments.

B. Block all active attachments (for example, ActiveX, scripting).

C. Look for subject lines that are from known virus attacks.

D. Look for emails from known virus sources.

3. What are TSR programs?

A. Terminal signal registry programs, which alter the system Registry

B. Terminate and system remove programs, which erase themselves when complete

C. Terminate and scan remote programs, which scan remote systems prior to terminating

D. Terminate and stay resident programs, which stay in memory after you shut them down

4. What is the name for scanning that depends on complex rules to define what is and is not a virus?

A. Rules-based scanning (RBS)

B. Heuristic scanning

C. TSR scanning

D. Logic-based scanning (LBS)

5. Which of the following is not one of the basic types of firewalls?

A. Screening firewall

B. Application gateway

C. Heuristic firewall

D. Circuit-level gateway

6. Which of the following is the most basic type of firewall?

A. Screening firewall

B. Application gateway

C. Heuristic firewall

D. Circuit-level gateway

7. Which of the following is a disadvantage to using an application gateway firewall?

A. It is not very secure.

B. It uses a great deal of resources.

C. It can be difficult to configure.

D. It can only work on router-based firewalls.

8. What does SPI stand for?

A. Stateful packet inspection

B. System packet inspection

C. Stateful packet interception

D. System packet interception

9. What is the term for a firewall that is software installed on an existing server?

A. Network host-based firewall

B. Dual-homed firewall

C. Router-based firewall

D. Screened host

10. What is a major weakness with a network host-based firewall?

A. Its security depends on the underlying operating system.

B. It is difficult to configure.

C. It can be easily hacked.

D. It is very expensive.

11. What is the term for blocking an IP address that has been the source of suspicious activity?

A. Preemptive blocking

B. Intrusion deflection

C. Proactive deflection

D. Intrusion blocking

12. What is the term for a fake system designed to lure intruders?

A. Honey pot

B. Faux system

C. Deflection system

D. Entrapment

13. Which of the following is the correct term for making a system less attractive to intruders?

A. Intrusion deterrence

B. Intrusion deflection

C. Intrusion camouflage

D. Intrusion avoidance

14. What method do most IDS software implementations use?

A. Anomaly detection

B. Preemptive blocking

C. Intrusion deterrence

D. Infiltration

15. How do most antispyware packages work?

A. By using heuristic methods

B. By looking for known spyware

C. The same way antivirus scanners work

D. By seeking out TSR cookies

Exercises

Exercise 9.1: Setting Up a Firewall

Microsoft Windows (in every version since XP, including Windows 10) and Linux both offer built-in packet-filtering firewalls of some sort. Ideally, if you have access to both operating systems, the best exercise is to experiment with setting up firewalls for both.

  1. Using the documentation for whichever operating system you have, decide what packets you wish to block.

  2. Set your firewall to filter those packets.

Exercise 9.2: Router-Based Firewalls

This exercise is for students with access to a lab router-based firewall.

  1. Consult your router documentation for instructions on how to configure the firewall.

  2. Configure your router-based firewall to block the same items you chose to block in Exercise 9.1.

Exercise 9.3: Evaluating Firewalls

Write a brief essay explaining whether you think the router-based solution or the built-in operating system solution is best. Explain your reasons.

Exercise 9.4: Active Code

Using the Web or other resources, find out why blocking active code (for example, ActiveX scripts) might or might not be a good idea in some situations. Write a brief essay explaining your position.

Exercise 9.5: Hardware Used by a Company

Visit the IT department of a company and ascertain what hardware it uses in its computer system’s defense. Does the company use a hardware firewall in addition to a software firewall? What form of intrusion detection software does it use? Does it use antivirus and antispyware software on the workstations within the company? Write a brief report summarizing your findings.

Projects

Project 9.1: How Does the Microsoft Firewall Work?

Using Microsoft documentation, the Web, and other resources, find out what methodologies the Microsoft Windows (whichever version you are using) firewall uses. Write a brief essay explaining the strengths and weaknesses of that approach. Also discuss situations in which you feel that approach is adequate and those in which it might be inadequate.

Project 9.2: How Does Antivirus Software Work?

Using documentation from the vendor, the Web, or other resources, find out what methodology Norton AntiVirus uses, as well as the methods that McAfee uses. Armed with this information, write a brief essay comparing and contrasting any differences. Also discuss situations in which one might be recommended over the other.

Project 9.3: Using Snort

This is a longer project and appropriate for groups.

Go to the Snort.org website (www.snort.org) and download Snort. Using the vendor documentation or other resources, configure Snort. Then use port scanners on the machine that has Snort configured and note whether Snort detects the scan.
