MAC Filtering

Most of the time, it’s wise to configure ACLs so that they’ll allow or deny access based on the IP address of the source or destination device. If your network is running a protocol other than Transmission Control Protocol/Internet Protocol (TCP/IP), you can filter traffic based on a Media Access Control (MAC), or hardware, address instead of an IP address. You can still use a MAC address–based ACL if you’re running TCP/IP, but keep in mind that it’s a lot easier to deal with IP addresses than MAC addresses. Another point to remember is that even though most firewalls and routers will allow you to create both IP-based and MAC-based ACLs, doing so can create an exceptionally ugly situation where access is denied when it really shouldn’t be.

Port Filtering

ACLs can also be used to filter based on port numbers as well as IP addresses. In fact, most firewalls default to allowing only the open ports that you specify. This is another version of the implicit deny (anything not allowed specifically is denied).

When managing a firewall, it’s important to know the port numbers of all traffic that needs to be allowed through it. This means that for some of your applications, you will need to read and learn the port numbers being used.

This also explains why it’s a big deal to know the port numbers of security protocols like SSL and IPSec. Successful firewall management involves being aware of and allowing only the ports to keep things running.

Virtual Private Network

No worries—VPNs aren’t really that hard to understand. A VPN fits somewhere between a LAN and WAN, and many times may seem just like a WAN link because your computer, on one LAN, connects to a different, remote LAN and uses its resources remotely. The key difference with VPNs is a big one—security! So the definition of connecting a LAN (or VLAN) to a WAN may sound the same, but a VPN is much more.

Here’s the difference: A typical WAN connects two or more remote LANs together using someone else’s network—like, say, your Internet service provider’s (ISP’s)—and a router. Your local host and router see these networks as remote networks and not as local networks or local resources. This would be a WAN in its most general definition. A VPN actually makes your local host part of the remote network by using the WAN link that connects you to the remote LAN. The VPN will make your host appear as though it’s actually local on the remote network! This means that we now have access to the remote LAN’s resources and that access is very secure.

This may sound a lot like the VLAN definition I just used in Chapter 11, “Switching and Virtual LANs,” and really, the concept is the same: “Take my host and make it appear local to the remote resources.” Just remember that for networks that are physically local, using VLANs is a good solution, but for networks that are physically remote—those that span a WAN—we’d opt for using VPNs instead.

For a simple VPN example, let’s use my home office in Boulder, Colorado. Here, I have my personal host, but I want it to appear as if it’s on a LAN in my corporate office in Dallas, Texas, so I can get to my remote servers. VPN is the solution I use for this because I need the security it provides.

Figure 13.3 shows this example of my host using a VPN connection from Boulder to Dallas, which allows me to access the remote network services and servers as if my host is right there on the same VLAN as my servers.

Why is this so important? If you answered, “Because my servers in Dallas are secure, and only the hosts on the same VLAN are allowed to connect to them and use their resources,” you nailed it! A VPN allows me to connect to these resources by locally attaching to the VLAN through a VPN across the WAN. The other option is to open up my network and servers to everyone on the Internet or another WAN service, in which case my security goes poof! So you can see that it’s a very good thing I have a VPN.

Types of VPNs are named based on the kind of role they play in a real-world business situation. There are three different categories of VPNs:

Client-to-Site (Remote-Access) VPNs Remote-access VPNs allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to. It is typical that users can connect to the Internet but not to the office via their VPN client because they don’t have the correct VPN address and password. This is the most common problem and one you should always check first.

Host-to-Host VPN A host-to-host VPN is somewhat like a site-to-site in concept except that the endpoints of the tunnel are two individual hosts. In this case all traffic is protected from the time it leaves the NIC on one host until it reaches the NIC of the other host.

Site-to-Site VPNs Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive wide area network (WAN) connections like Frame Relay. This is probably the best solution for connecting a remote office to a main company office.

Extranet VPNs Extranet VPNs allow an organization’s suppliers, partners, and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.

SSL and SSL VPN

Next on the list is Secure Sockets Layer (SSL). This security protocol was developed by Netscape to work with its browser. It’s based on Rivest, Shamir, and Adleman (RSA) public-key encryption and used to enable secure Session layer connections over the Internet between a web browser and a web server. SSL is service independent, meaning a lot of different network applications can be secured with it—a famous one being the ubiquitous HTTP Secure (HTTPS) protocol. As time marched on, SSL was merged with other Transport layer security protocols to form a new protocol called Transport Layer Security (TLS). The latest version of Transport Layer Security (TLS 2.0) provides a number of enhancements over earlier versions. The following are the most noteworthy:

• Several improvements in the operation of a central component, the MD5/SHA-1 hashing function. Hashing functions are used to ensure that the data is not changed or altered (also known as maintaining data integrity).
• More flexibility in the choice of hashing and encryption algorithms on the part of the client and the server.
• Enhanced support for the Advanced Encryption Standard (AES).

Figure 13.4 shows the SSL connection process.

SSL VPN is really the process of using SSL to create a virtual private network (VPN). A VPN is a secured connection between two systems that would otherwise have to connect to each other through a non-secured network. Here’s what I mean: Even though I’d never really let this happen, let’s just say I could connect to the servers in my corporate office through the Internet like, snap! You know by now that this would be a very bad thing because the Internet is far from secure, right? But if I connected to those servers using a VPN with a tunneling protocol instead, anything I send from my PC to my corporate office would be locked up nice and securely.

Plus, VPNs also come in handy for data that’s being sent within a private network that you probably wouldn’t want everyone on that network to be able to see. Maybe you want a few specific computers on the intranet to be able to communicate with each other securely—like, say, the computers used by your top finance people. You wouldn’t necessarily want that data just sent off in the clear to be viewed by the office gossip, now would you? No way. So, you can put those finance folks on a VPN that’s just like having them on their own little private, secure subnetwork. Plus, what’s even cooler about this setup is that the members of your intranet’s VPN can still communicate with everyone else whenever they want; they just won’t be doing that securely—nice solution!

DTLS

Datagram Transport Layer Security (DTLS) provides security for datagram-based applications by allowing them to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. It is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees.

L2TP

Next, we have the Layer 2 Tunneling Protocol (L2TP), which was created by the Internet Engineering Task Force (IETF). It comes in handy for supporting non-TCP/IP protocols in VPNs over the Internet. L2TP is actually a combination of Microsoft’s Point-to-Point Tunneling Protocol (PPTP) and Cisco’s Layer 2 Forwarding (L2F) technologies. A nice L2TP feature is that, because it works way down there at the Data Link layer (Layer 2) of the OSI model, it can support tons of protocols beyond just TCP/IP—a couple of biggies being Internetwork Packet Exchange (IPX) and AppleTalk. It’s a really great tool to implement if you happen to have two non-TCP/IP networks that need to be connected via the Internet.

PPTP

I just mentioned Point-to-Point Tunneling Protocol (PPTP), and even though I said it was Microsoft’s PPTP, this security protocol was really developed jointly by Microsoft, Lucent Technologies, 3COM, and a few other companies. Oh, and it’s not actually sanctioned by the IETF, but that doesn’t mean it doesn’t work. PPTP acts by combining an unsecured Point-to-Point Protocol (PPP) session with a secured session using the Generic Routing Encapsulation (GRE) protocol.

Because PPTP uses two different protocols, it actually opens up two different network sessions: so be warned, PPTP can give you some grief when passing through a router. This is a big reason you won’t find it around much nowadays. Another reason it’s going the way of the dinosaurs is that it originally gained popularity because it was the first VPN protocol to be supported by Microsoft’s dial-up networking services, and not too many of us depend on dial-up to get to the Internet anymore. As if these aren’t reasons enough for PPTP’s impending extinction, it’s also not that secure. In fact, as you’d probably expect from a first-generation security protocol, it’s now really vulnerable to spoofing attacks, which is why it’s pretty much been replaced by L2TP and IPSec.

PPTP is a VPN protocol that runs over port 1723 and allows encryption to be done at the Application (data) level. It is important to remember for the CompTIA Network+ exam that PPTP is a protocol that allows secure access to a VPN.

GRE

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate many protocols inside IP tunnels. Some examples would be routing protocols such as EIGRP and OSPF and the routed protocol IPv6. Figure 13.5 shows GRE.

A GRE tunnel interface supports a header for each of the following:

• A passenger protocol or encapsulated protocols like IP or IPv6, which is the protocol being encapsulated by GRE
• GRE protocol
• A Transport delivery protocol, typically IP

GRE tunnels have the following characteristics:

• GRE uses a protocol-type field in the GRE header so any Layer 3 protocol can be used through the tunnel.
• GRE is stateless and has no flow control.
• GRE offers no security.
• GRE creates additional overhead for tunneled packets—at least 24 bytes.

IPSec

On the other hand, IP Security (IPSec) was designed by the IETF for providing authentication and encryption over the Internet. It works at the Network layer of the OSI model (Layer 3) and secures all applications that operate in the layers above it. Because it’s sanctioned by the IETF and designed to work with IPv4 and IPv6, it’s got a huge amount of industry support, so it’s the standard for VPNs on the Internet today.

The two major protocols you’ll find working in IPSec are Authentication Header (AH) and Encapsulating Security Payload (ESP). AH serves up authentication services only—no encryption—but ESP provides both authentication and encryption abilities. Both of these protocols can be used with either mode discussed in the following paragraphs.

The AH protocol within IPSec isn’t compatible with networks running Network Address Translation (NAT).

IPSec works in two modes: transport mode and tunneling mode. Transport mode creates a secure tunnel between two devices end to end. This means that regardless of how many foreign networks (including the Internet) the packet traverses, it is protected. The data is protected by authentication and/or encryption. Figure 13.6 illustrates a TCP/IP packet and a TCP/IP packet in transport mode using AH. ESP can also be used with transport mode.

On the other hand, in tunnel mode, the tunnel is created between two endpoints, such as two routers or two gateway servers, protecting all traffic that goes through the tunnel. It is commonly used between two offices to protect all traffic going between the offices regardless of the source and destination. Figure 13.7 first shows a TCP/IP packet and then depicts one using ESP in tunnel mode. AH can also be used with tunnel mode.

You can see here that when data is tunneled in this way, hackers can’t even see what transport protocol you’re using, let alone decipher the data you’re transmitting.

ISAKMP

Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify, and delete security associations (SAs). SAs contain information required to execute security services, such as header authentication and payload encapsulation. ISAKMP’s real value is its ability to provide a framework for safely transferring key and authentication data independent of the key generation technique, encryption algorithm, and authentication mechanism. ISAKMP is integrated into another security mechanism we have already discussed, IPSec.

Symmetrical Encryption Keys

Using symmetrical key encryption, both the sender and receiver have the same key and use it to encrypt and decrypt all messages. The downside of this technique is that it becomes hard to maintain the security of the key. When the keys at each end are different, it is called asymmetrical or public key. We’ll talk about that right after we discuss some encryption standards.

Public-Key Encryption

Public-key encryption uses the Diffie-Hellman algorithm, which employs a public key and a private key to encrypt and decrypt data. This is called asymmetric encryption. It works like this: The sending machine’s public key is used to encrypt a message that is decrypted by the receiving machine with its private key. It’s a one-way communication, but if the receiver wants to send a return message, it does so via the same process. If the original sender doesn’t have a public key, the message can still be sent with a digital certificate that’s often called a digital ID, which verifies the sender of the message.

Figure 13.8 shows public-key-encrypted communication between User X and User Y.

Here’s a cool factoid for you—Diffie-Hellman refers to all public-key algorithms. Whitfield Diffie and Martin Hellman from the Stanford Research Institute invented public-key encryption. They introduced the dual-key concept in their 1976 paper “New Directions in Cryptography.”

RSA Data Security

Rivest, Shamir, and Adleman (RSA) encryption is a public-key algorithm named after the three scientists from MIT who created it. They formed a commercial company in 1977 to develop asymmetric keys and nailed several U.S. patents. Their encryption software is used today in electronic commerce protocols.

For more information about RSA Data Security, go to www.rsa.com.

Pretty Good Privacy (PGP)

In the early 1990s, Phil Zimmerman (also from MIT) wrote most of the code for this freely available version of public-key encryption designed to encrypt data for email transmission. Zimmerman basically compared email to postcards, because anyone can read email messages traversing the Internet just as they can postcards traveling through the postal service. By contrast, he compared an encrypted message to a letter mailed inside an envelope. Figure 13.9 shows the PGP encryption system.

In Figure 13.9, the document is encrypted with a session key, which is then encrypted with the public key of the recipient. Then the ciphertext and the encrypted session key are sent to the recipient. Since the recipient is the only person with the matching private key, only they can decrypt the session key and then use it to decrypt the document.

Zimmerman distributed the software for personal use only, and as the name implies, it’s really pretty good security.

RSA Data Security and the U.S. federal government both had a problem with Zimmerman’s product—the RSA complained about patent infringement, and the government actually decided to prosecute Zimmerman for exporting munitions-grade software. The government eventually dropped the charges, and now a licensing fee is paid to RSA, so today, PGP and other public-key-related products are readily available.

Don’t let the name fool you! PGP is a highly secure encryption standard.

RAS

Remote Access Services (RAS) is not a protocol but refers to the combination of hardware and software required to make a remote-access connection. The term was popularized by Microsoft when the company began referring to its Windows NT–based remote-access tools by this name. Users would dial in via a modem, be authenticated by the server, and then be asked for their username and password just as if they were on the local network. Once logged in, users had access to data on the internal network just as if they were logged in locally. Figure 13.10 gives you an idea of what this would look like.

RAS itself was not secure, but there are options within RAS to include a secure protocol for tunneling, such as PPTP, and for authentication, such as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) and Extensible Authentication Protocol (EAP). RAS is versatile because it supports several other network protocols in addition to TCP/IP.

RDP

Remote Desktop Protocol (RDP) allows users to connect to a computer running Microsoft’s Remote Desktop Services, but a remote computer must have the right kind of client software installed for this to happen. Most Windows-based operating systems include an RDP client, and so do most other major operating systems, like Linux, Solaris, and Mac OS X. Microsoft’s RDP client software is called either Remote Desktop Connection (RDC) or Terminal Services Client (TSC). Microsoft began calling all terminal services products Remote Desktop with Windows Server 2008 R2. RDP uses TCP port 3389.

After establishing a connection, the user sees a terminal window that’s basically a preconfigured window that looks like a Windows desktop or another operating system’s desktop. From there, the user on the client computer can access applications and files available to them by using the remote desktop.

The most current version of RDP is RDP 10.0. When logged in using RDP, clients are able to access local files and printers from the remote desktop just as if they were logged into the network. RDP offers 128-bit encryption using the RC4 encryption algorithm and also offers TLS 1.0 support.

PPP

Point-to-Point Protocol (PPP) is a Layer 2 protocol that provides authentication, encryption, and compression services to clients logging in remotely. ISPs use PPP a lot to authenticate clients dialing in with a dial-up modem or a DSL or cable modem. Many network servers that provide remote-access services (such as RAS) can also use PPP as an authentication protocol.

PPPoE

Point-to-Point Protocol over Ethernet (PPPoE) is an extension of PPP. Its purpose is to encapsulate PPP frames within Ethernet frames.

The need for PPPoE was born out of the need to deal with the massive increase in high-speed Internet connections. Service providers offering customers high-speed access using Asymmetric Digital Subscriber Line (ADSL) or cable modems needed a way to offer the authentication and encryption services of PPP. A Remote Authentication Dial In User Service (RADIUS) server—something I’ll get into a bit later in this chapter—is commonly used to manage PPPoE connections.

PPPoE works in two stages: discovery and session. In the discovery phase, the MAC addresses of the endpoints are exchanged so that a secure PPP connection can be made. During this phase, a session ID is also created that’s used to facilitate further data transmission during the session. Then, a point-to-point connection is created and the session stage begins.

ICA

Independent Computing Architecture (ICA) is a protocol designed by Citrix Systems to provide communication between servers and clients. The most common application that uses ICA is Citrix’s WinFrame, which administrators can use to set up Windows applications on a Windows-based server and then allow clients with virtually any operating system to access those applications. Client computers running Linux, Unix, or Mac OSs can access Windows-based applications with the help of WinFrame, giving network administrators all kinds of flexibility with client operating systems. But again, there’s a downside—connections like these tend to be slow because of the huge amount of translation that’s required to enable the client and server to communicate with each other properly.

SSH

Secure Shell is a network protocol that is designed as an alternative to command-based utilities such as Telnet that transmit requests and responses in clear text. It creates a secure channel between the devices and provides confidentiality and integrity of the data transmission. It uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.

This public key is placed on any computer that must allow access to the owner of a matching private key (the owner keeps the private key in secret). The private key is never transferred through the network during authentication.

Out-of-band management

Out of band management refers to any method of managing the server that does use the network. An example of this technology is Integrated Lights-Out, or iLO, a technology embedded into HP servers that allows for out of band management of the server. The physical connection is an Ethernet port that will be on the server and will be labeled ILO. In Figure 13.11, one of these ILO ports is shown in an HP Moonshot chassis (these hold blade servers). HP iLO functions out-of-the-box without additional software installation regardless of the servers’ state of operation giving you complete access to the server from any location via a web browser or the iLO Mobile App.

VNC

Virtual Network Computing (VNC) is a remote desktop sharing system that uses the Remote Frame Buffer (RFB) protocol. It is platform independent and provides an experience much like Remote Desktop Protocol (RDP).

VNC includes the following components:

• VNC server: Software that runs on the machine sharing its screen
• VNC client (or viewer): Software on the machine that is remotely receiving the shared screen
• VNC protocol (RDP)

One big difference in VNC and RDP is that VNC sends raw pixel data (which does make it work on any desktop type) while RDP uses graphic primitives or higher-level commands for the screen transfer process.

Disabling Accounts

This is important, so remember it—when a user leaves the organization, you have these three options:

• Leave the account in place.
• Delete the account.
• Disable the account.

The first option is not so good because if you just leave the account in place, anyone (including the user to whom it belonged) can still log in as that user if they know the password. This is clearly very bad security, but deleting the account presents its own set of problems. If you delete an account, the numeric ID associated with that user (UID in Unix, SID in Windows Server) will be lost, and it’s through this magic number that passwords and rights to network resources are associated with the user account. This can be a good thing—but if you create a new user account with the same name as the one you deleted, the identification number of the new account will be different from the old one, so none of its settings will be there for the new account.

This means that disabling an account until you’ve made a decision about what should happen to it is your best bet because you’ll probably just want to rename the account when someone new is hired. When you disable an account, it still exists, but no one can use it to log in. Another good time to disable an account is when someone leaves for an extended period, like taking maternity/paternity leave or other medical leaves or going on sabbatical.

Because it’s really common for companies today to have contract and temporary employees, you need to know how to manage temporary accounts that will be used for only a short time and then disabled.

Managing these temporary accounts is easy—you just set the account to expire on the employee’s expected last day of work.

Setting Up Anonymous Accounts

Anonymous accounts allow only extremely limited access for a large number of users who all log in with the same username—for instance, anonymous or guest. These logins are frequently used to access FTP files; you gain access when you log in with the username anonymous and enter your email address as the password.

Sometimes people don’t use their real email addresses. If you really want to know where a user is located on the Internet, use third-party software to verify IP addresses and Internet domain names.

It’s obviously a very bad idea to use anonymous accounts for regular network access—you just can’t track them. All Windows Server products from Windows NT on come with the anonymous account Guest disabled, and it’s usually a good thing to leave it that way. When you want to enable that account, like at a public kiosk, make sure you carefully manage what it is able to access by implementing strict group policies.

Some web servers create an Internet user account to allow anonymous access to the website through which a user is allowed to access the web server over the network. The password is always blank, and you never see a request to log in to the server because it’s done automatically. Without this kind of account, no one would be able to access your web pages.

Do not rename the Internet user account or set a password because if you do so, the general public won’t be able to view your website. If you want to secure documents, use a separate secure HTTP or Windows server.

Limiting Connections

There is a good reason to limit how many times a user can connect to the network. Users should normally be logged in to the network for one instance because they can only be in one place at a time. So if your system is telling you that someone is logged in from more than one place, it’s probably because someone else is using their account. By disallowing simultaneous connections, only a single user at a single workstation can gain access to the network using a specific user account. But there are times that some users need to log in multiple times to use certain applications or perform certain tasks, and you can allow that specific user to have multiple concurrent connections.

You may also want to limit the specific location from which a user logs in because most of the time, your users will be logging on to the network only from their own workstations. This makes sense, but this rule isn’t usually enforced because sometimes users move around without taking their computers with them, or they log in at someone else’s station to get their jobs done. So unless you require super tight security, imposing this rule can really complicate your job because it requires a lot of administration. Windows Server products can limit which station(s) a user is allowed to log in from, but they don’t do so by default. A Windows feature that is enabled by default is not allowing average users to log in at the server console because they shouldn’t be working directly on a server. They can do some serious damage accidentally!

Renaming the Maintenance Account

Network operating systems automatically give the network maintenance (or administration) account a default name. On Windows servers, it’s (surprise) Administrator, and in Unix it’s root. So it should be crystal clear that if you don’t change this account name, bad guys already have half the information they need to break into your network. The only thing they’re missing is the password—yikes!

By all means, rename that account to something cool and creative that you’ll remember but that would be really hard for someone to guess—and don’t write it on a Post-it and stick it to the server. Here’s a “do not use” list of names:

• Admin
• Administrator
• Analyst
• Audit
• Comptroller
• Controller
• Manager
• Root
• Super
• Superuser
• Supervisor
• Wizard
• Any variation on the above

Minimum Length

Strong passwords should be at least 8 characters (the more, the merrier), but they shouldn’t be any longer than 15 characters to make them easier to remember. You absolutely must specify a minimum length for passwords because a short password is easily cracked—after all, there are only so many combinations of three characters, right? The upper limit depends on the capabilities of your operating system and the ability of your users to remember complex passwords. Here’s what I call “The Weak List” for passwords—never use them!

• The word password (Not kidding—people actually do this!)
• Proper names
• Your pet’s name
• Your spouse’s name
• Your children’s names
• Any word in the dictionary
• A license plate number
• Birth dates
• Anniversary dates
• Your username
• The word server
• Any text or label on the PC or monitor
• Your company’s name
• Your occupation
• Your favorite color
• Any of the above with a leading number
• Any of the above with a trailing number
• Any of the above spelled backward

There are more, but you get the idea, and these really are the most commonly used brainless passwords.

Using Characters to Make a Strong Password

The good news is that solid passwords don’t have to be in ancient Mayan to be hard to crack. They just need to include a combination of numbers, letters, and special characters—that’s it. Special characters aren’t letters or numbers but symbols like $ % ^ # @). Here’s an example of a strong password: tqbf4#jotld. Looks like gibberish, but remember that famous sentence, “The quick brown fox jumped over the lazy dog”? Well, this particular password uses the first letter of each word in that sentence with a 4# thrown in the middle of it. Sweet—solid and easy to remember. You can do this with favorite quotes, song lyrics, and so on, with a couple of numbers and symbols stuck in the middle. Just make sure you don’t sing the song or quote Shakespeare every time you log in!

If you want to test the strength of passwords to make sure they’re nice and tight, you can use auditing tools like crack programs that try to guess passwords. Clearly, if that program has a really tough time or even fails to crack the password, you have a good one. By the way, don’t just use a regular word preceded by or ending with a special character because good crack programs strip off the leading and trailing characters during decryption attempts.

Password-Management Features

All network operating systems include built-in features for managing passwords to help ensure that your system remains secure and that passwords cannot be easily hacked with crack programs. These features usually include automatic account lockouts and password expiration.

Automatic Account Lockouts

Hackers, and even people who forget their passwords, usually try to log in by guessing passwords. This is why most network operating systems will lock you out after a few unsuccessful attempts. Some will even disable the account. Once that happens, the user won’t be able to log in to that account even if they enter the correct password. This feature prevents a potential hacker from running an automated script to crack account passwords by continuously attempting to log in using different character combinations.

When an account is on lockdown, guards—I mean, network staff—will have to unlock the account if the network operating system doesn’t unlock it after a preset period. In any high-security network, it’s a good idea to require an administrator to manually unlock every locked account instead of setting the network operating system to do it automatically. This way, the administrator will be sure to know about any possible security breaches.

Be careful not to lock yourself out. With many network operating systems, only administrators can reset passwords, so if you happen to be the administrator and you lock yourself out, only another administrator can unlock your account. Embarrassing, yes, but what if you’re the only administrator? You’re in trouble then, because even though many network operating system vendors do have solutions to this humiliating little problem, the cost of those solutions isn’t going to be cheap!

It’s good to know that Windows-based servers allow you to configure accounts to be locked out after a number of bad login attempts, but the default Administrator account is exempt from this happening. This might sound convenient for you, but it’s actually a security risk. You should definitely rename this account, and it’s also a good idea not to use it for day-to-day administration. Create a new administrator account (with a different name, of course), and use it for administrative purposes instead.

Password Expiration and Password Histories

Unlike a good wine, even really good passwords don’t age well over time; they just become more likely to be cracked. This is why it’s good to set passwords so that they expire after a specific amount of time. Most organizations set up passwords to expire every 30 to 45 days, after which the network’s users all must reset their passwords either immediately or during a preset grace period. The grace period is usually limited to a specific number of login attempts, or it may allow a couple of days.

By default, each network operating system delimits a specific password-expiration period that bad guys usually know about. So make sure you reset that time period to something other than the default, in accordance with your security policy.

Older network operating systems allowed users to reset their passwords back to their original form after using an intermediary password for a while, but today’s network operating systems prevent this by employing password histories that consist of a record of the past several passwords used by a specific user. This record prevents users from using any password that’s stored in the password history. If they try, the password will fail, and the operating system will then request a password change. What this means to you, the system administrator, is that if your security policy dictates that passwords be reset every two weeks, you should make sure your password history can hold at least 20 passwords. This would prevent a user from reusing a password until the password is at least 10 months old (two changes per month). They’ll forget that password by then!

By the way, your more experienced users know about this history feature, and because coming up with a really tight password takes a little thought, when savvy users create ones they really like, they may have a hard time letting go. Maybe they just want to avoid the hassle of creating a tight new password and remembering it, so they’ll try to find ways to get out of doing that by getting around the password-history feature. For instance, I knew one guy who actually admitted that he just changed his password as many times as it took to defeat the history log and then changed it one last time to his beloved, original password—all of which took him only about five minutes to accomplish.

You can force users to change their passwords to ones that are unique because the latest operating systems require unique passwords and can, depending on the network operating system, store more than 20 passwords. This feature makes it a whole lot harder to revert to any previous passwords. But it’s still possible for users to beat the system, so don’t rely completely on it.

RADIUS

Although its name implies it, the Remote Authentication Dial In User Service (RADIUS) is not a dial-up server. Like pretty much everything else, it originated that way, but it’s evolved into more of a verification service. Today, RADIUS is an authentication and accounting service that’s used for verifying users over various types of links, including dial-up. Many ISPs use a RADIUS server to store the usernames and passwords of their clients in a central spot through which connections are configured to pass authentication requests. RADIUS servers are client-server-based authentication and encryption services maintaining user profiles in a central database.

RADIUS is also used in firewalls. Purposed this way, when a user wants to access a particular TCP/IP port, they must provide a username and a password. The firewall then contacts the RADIUS server to verify the credentials given. If the verification is successful, the user is granted access to that port.

RADIUS is an authentication server that allows for domain-level authentication on both wired and wireless networks.

TACACS+

The Terminal Access Controller Access-Control System Plus (TACACS+) protocol is also a AAA method and an alternative to RADIUS. Like RADIUS, it is capable of performing authentication on behalf of multiple wireless APs, RAS servers, or even LAN switches that are 802.1X capable. Based on its name, you would think it’s an extension of the TACACS protocol (and in some ways it is), but the two definitely are not compatible.

Here are two major differences between TACACS+ and RADIUS:

• RADIUS combines user authentication and authorization into one profile, but TACACS+ separates the two.
• TACACS+ utilizes the connection-based TCP protocol, but RADIUS uses UDP instead.

Even though both are commonly used today, because of these two reasons TACACS+ is considered more stable and secure than RADIUS.

Figure 13.15 shows how TACACS+ works.

Just to clarify things, in the IT world, accounting has nothing to do with money. Here’s what I mean: When a TACACS+ session is closed, the information in the following list is logged, or accounted for. This isn’t a complete list; it’s just meant to give you an idea of the type of accounting information that TACACS+ gathers:

• Connection start time and stop time
• The number of bytes sent and received by the user
• The number of packets sent and received by the user
• The reason for the disconnection

The only time the accounting feature has anything to do with money is if your service provider is charging you based on the amount of time you’ve spent logged in or for the amount of data sent and received.

MD5

The MD5 message-digest algorithm was designed by Ron Rivest, and while it has been shown to have some flaws that cause many to prefer SHA (described in the next section), those flaws are not considered fatal and it is still widely used to ensure the integrity of transmission. As is the case with most hashing processes, the hash is created from the clear text and then sent along with the clear-text message. At the other end, a second hash of the clear-text data is created using the same algorithm, and if the two hashes match, the data is deemed to be unchanged.

SHA

Secure Hash Algorithm is a family of algorithm versions, much like MD5 having multiple versions on its way to becoming MD5. It is published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). It operates as any hash does and is considered to be superior to MD5.

Posture Assessment

When devices attempt to access the network, the devices are examined closely, which is called a posture assessment. The following items can be checked:

• Anti-malware updates
• Operating system updates
• Windows Registry settings

When the assessment is complete and is positive, admission is granted. If problems are found, admission may be denied and the user notified that action must be taken, or the device may be directed to a remediation server that can install missing updates or quarantine the device if necessary.

Guest Network

When a device is attempting to connect to a network using a form of network access control, the device is first placed in a guest network until a posture assessment is performed. Until it is either approved or remediated, it will remain in the guest network. The guest network will not allow access to the balance of the network to prevent the device from introducing issues to the network.

Persistent vs. Nonpersistent Agents

Network access control systems can be deployed using either persistent or nonpersistent agents on the devices. A persistent agent is one that is installed on a NAC client and starts when the operating system loads. This agent provides functionality that may not be present in the nonpersistent agent, such as system-wide notifications and alerts and auto and manual remediation.

A nonpersistent agent is one that is used to assess the device only during the onetime check-in at login, usually through a captive web portal. The nonpersistent or dissolvable agent is removed from the device when the authentication web page is closed. It can be used to support the assessment of endpoints not owned by the organization and as such can help to make a Bring Your Own Device (BYOD) policy possible.

Captive Portal

When a wireless network is in use, one method of securing access to the WLAN is using a captive portal. This is a web page to which users are directed when they attempt to connect to the WLAN. This web page may ask for network credentials, or in the case of a guest network it may only ask for agreement to the usage policy of the guest network.

Quarantine Network

When a guest machine is found to be out of compliance with the security posture required by a NAC system, the device is placed in a quarantine network, which prevents the device from exposing the rest of the network to the security risks that have been identified by the posture assessment. It will remain in this quarantine network until it is able to pass the assessment.

In cases where the NAC system supports remediation, the device may be connected to a remediation server that can make the required changes or updates to the system. Once the remediation is complete and the device is able to pass the assessment, it is then allowed to proceed on to the protected network.

Edge vs. Access Control

While controlling access to the network at the edge or boundary of the network (typically using firewalls) is certainly a proven method of protecting a network, it is somewhat of a blunt instrument of access control. Certainly the use of certain protocols and services can be prevented, and firewalls can even be granular enough to single out IP addresses and subnets, but at some point more sophisticated means of control are indicated.

Access controls that are applied where the resource resides often can be much more granular and can be more easily placed under the control of the resource owner. It is also less likely that mistakes in the application of access control lists on the resource will cause the type of widespread access problems that mistakes in ACLs on firewalls may have.

In today’s network, there is a place for both access and edge control. Understanding the role that each can play and properly utilizing them can result in a layered approach to network security.