A firewall is a hardware or software component designed to protect one network from another (see Figure 3.2). Often, firewalls are deployed between a private trusted network and a public untrusted network (such as the Internet) or between two networks that belong to the same organization but are from different departments. Firewalls provide protection by controlling traffic entering and leaving a network.

Firewalls manage traffic using filters. A filter is just a rule. If a packet meets the identification criteria of a rule, then the action of that rule is applied. If a packet doesn't meet the criteria of a rule, then no action from that rule is applied, and the next rule is checked.

Firewalls usually have lots of filters, which are defined in a priority order. The first rule to match criteria with a packet defines the action to take against that packet; no other subsequent rules are checked. Thus, the first rule to apply to a packet is the only rule applied to a packet.

Filter lists are created with the most specific and detailed rules first, followed by successively more general rules, until a final default universal rule is reached, which specifies denial. Therefore, if a packet fails to meet the criteria of any earlier rule, the last "deny" rule will always be used. This way, only packets meeting the custom defined filters or rules are allowed to cross the security barrier.

Figure 3.1. A typical network infrastructure

Figure 3.2. A proxy firewall blocking network access from external networks

There are three basic types of firewalls, plus an additional form (stateful inspection) that combines the features of the first three:

The first step in effectively designing, deploying, and implementing a firewall is to design or develop a firewall policy: a security policy that focuses on the purposes, uses, functions, and security of the firewalls in an organization. This policy clearly defines how the firewall should filter traffic and the types of traffic that should be blocked or allowed.

Most firewalls are deployed with at least two network interfaces. Such firewalls are called dual-homed (see Figure 3.3) or multi-homed (for two or more NICs). Dual- or multi-homed firewalls provide a clear security distinction between one network and another; thus packets must successfully pass the filters of a firewall in order to move from one network to another. In this manner, firewalls provide strong and reliable security.

Some firewalls with three or more network interfaces can manage access to multiple networks simultaneously. One common deployment uses one of these additional network interfaces to connect to a demilitarized zone (DMZ). The DMZ hosts publicly accessible servers, such as web or FTP. The firewall provides secured but public access to the DMZ, but it prevents unauthorized access to the private network. If such a multi-homed firewall is compromised, only the systems in the DMZ are directly threatened or exposed.

When a port is opened in a firewall to allow a virtual private network (VPN) connection to take place, keep in mind that all encrypted data will pass through the firewall without being inspected or filtered. A firewall, unless it's the intended communication partner, is unable to view and inspect the contents of encrypted data.

Figure 3.3. A dual-homed firewall segregating two networks from each other

A router (see Figure 3.4) is used to connect several network segments. Routers enable traffic from one network segment to traverse into another network segment (see Figure 3.5). However, the traffic must pass through the router's filters in order to make the transition. A common router is basically a packet filtering firewall. Routers direct traffic based on a routing table and grant or deny access using access control lists (ACLs), such as rules or filters. The routing table informs the router which direction to transmit a received packet based on the best-known pathway (route).

Figure 3.4. Router connecting a LAN to a WAN

Figure 3.5. A corporate network implementing routers for segmentation and security

Routers can manage traffic for both inbound and outbound communications. An ingress filter is a traffic filter on packets coming into a secured area from outside (inbound communications). They're the best defense against IP spoofing attacks. An ingress filter should drop any packet received from an outside source that claims to have originated from an inside source.

A switch (see Figure 3.6) is like an intelligent multi-port repeater. It receives signals in one port and transmits them out the port where the intended recipient is connected. Switches can be used to connect individual systems or subnets together. They're often used to create virtual LANs (VLANs).

Switches are good defenses against sniffing attacks. A switch transmits messages only on those specific network links between the source and destination systems. A sniffer could only intercept traffic that happened to be transmitted on the segment it was connect to. Thus, using switches instead of hubs is a great defense against sniffing.

Figure 3.6. Switching between two systems

The Security+ exam focuses on 802.11 and related wireless networking technologies. This includes WTLS, WEP, WAP, 802.11x, related vulnerabilities, and site surveys.

A modem (see Figure 3.7) is a device that creates a network communication link between two computers (or networks) over a telephone line. Modems are one of the slowest remote connection methods still widely supported by operating systems. Most connections are limited to a maximum throughput of 56Kbps. However, since portable systems can use them to connect to corporate offices using any available telephone line, modems will probably be around for years to come.

A common security protection added to dial-in modems is callback: a feature that disconnects the remote user immediately after authentication and then calls the remote user back at a predefined number. Callback ensures that the authenticated user is located at the correct phone number before access to the network is granted.

War dialing is a common attack against dial-in modems on a company network. Such an attack dials all the numbers in a prefix range in order to locate modems connected to computer systems. Once attackers locate a modem that answers a computer call, they can focus their efforts on breaking through the logon security barrier.

Figure 3.7. A RAS connection between a remote workstation and a Windows server using modems

A Remote Access Server (RAS) is a network server that supports connections from distant users or systems. RAS systems often support modem banks, VPN links, and even Terminal Services connections.

A private branch exchange (PBX) (also known as telecom), shown in Figure 3.8, is a computer- or network-controlled telephone system. PBXs are deployed in large organizations; they offer a wide range of telephone services, features, and capabilities including conference calls, call forwarding, paging, call logging, voicemail, call routing, and remote calling.

Remote calling is the ability to dial in to a PBX system from outside and then access a dial tone in order to place a call. The second call can be long distance, and all toll charges are accumulated on the PBX system, not on the user's telephone. This is a commonly attacked feature of PBX systems.

Methods to secure PBX systems include the following:

Figure 3.8. A modern digital PBX system integrating voice and data onto a single network connection

A Virtual Private Network (VPN) is a communication tunnel between two entities across an intermediary network. In most cases, the intermediary network is an untrusted network, such as the Internet, and therefore the communication tunnel is also encrypted.

An IDS can detect malicious activity that occurs within the network (it doesn't cross the firewall) and activity that is able to pass through the firewall. Intrusion Detection Systems (IDSs) are discussed in detail later in this chapter, in section 3.4.

Network monitoring and diagnostics are terms for watching the activity of an environment, looking for problems, abnormalities, intrusions, or security policy violations. This topic was discussed in Chapter 1, "General Security Concepts," in section "1.7 Understanding Auditing."

In addition to the coverage in Chapter 1 we need to mention Simple Network Management Protocol (SNMP), which is a protocol and problem-management solution. SNMP was designed as a network health-monitoring solution that allowed centralized management of a network environment. SNMP can gather audit-like data on a network level, such as throughput, bandwidth utilization, packet sizes, protocols in use, CPU utilization, open TCP sessions, IP configuration, free disk space, and so on. This information is reported back to the central management console, where the health of the network and individual components is evaluated. SNMP operates over UDP port 161.

Workstations are the computer systems that people use to interact with a network. Workstations are also called clients, terminals, or end-user computers.

Access to workstations should be restricted to authorized personnel. One method to accomplish this is to use strong authentication, such as two-factor authentication with a smartcard and a password or PIN.

Servers are the computer systems on a network that support and maintain the network. Servers provide services or share resources with the network. They require greater physical and logical security protections than workstations because they represent a concentration of assets, value, and capabilities. End users should be restricted from physically accessing servers, and they should have no reason to log on directly to a server—they should interact with servers over a network through their workstations.

A mobile device is any computer device that doesn't need to be permanently connected to a cable. These may include wireless devices as well as portable systems that can be connected to or disconnected from the network via a cable (such as notebook computers).

Wireless devices, a.k.a. mobile devices, were discussed in Chapter 2, in section "2.6 Wireless."

Coaxial cable (see Figure 3.9), commonly known as coax, is type of cable that uses a center conductor surrounded by an insulation sheath, which is surrounded by a metal braid that serves as the second conductor. This conductor, in turn, is surrounded by a final insulation covering. Coax cable used in networking is similar to that used to by cable television.

Networking coax cable comes in two forms: 10Base2 and 10Base5. 10Base2, also known as ThinNet, supports communications of 10Mbps, is a baseband form of connection, and has a maximum usage length of 185 meters (hence the 2, which is 1.85 hectometers rounded up). 10Base5, also known as ThickNet, supports communications of 10Mbps, is a baseband form of connection, and has a maximum use length of 500 meters. ThinNet uses BNC connectors (see Figure 3.10) to connect directly to a NIC or networking device. ThickNet uses vampire taps (see Figure 3.11) to connect to an external attachment unit interface (AUI), which is connected to a NIC or networking device.

Common problems with coax cable include bending it past its minimum arc radius, which breaks the center conductor; deploying it past its maximum use length, which causes attenuation (loss of signal strength due to excess cable length); and failing to properly terminate the cable (see Figure 3.12), which results in an inability to support communications.

Figure 3.9. Coaxial cable construction

Figure 3.10. Common BNC connectors

Figure 3.11. A vampire tap and a T-connector on a coax

Figure 3.12. Network termination in a coax network

Twisted pair is the most common form of networking cable. It looks similar to a telephone cable, but twisted pair cabling has more wires, and its RJ-45 connector is slightly larger than the RJ-11 or RJ-14 connectors used by telephone cables. Twisted pair cabling is known as 10BaseT. It supports 10Mbps of throughput, is a baseband form of connection (see Figure 3.13), and has a maximum use length of 100 meters. The T in the name indicates that the cable conductors are twisted rather than the maximum use length as was the case for 10Base2 and 10Base5.

There are two forms of 10BaseT wiring: unshielded twisted pair (UTP) and shielded twisted pair (STP) (see Figure 3.14). The only difference between the two is that STP has a metal foil insulator wrapped around it just nder its exterior plastic sleeve. This provides STP with a slightly greater resistance to electromagnetic interference (EMI) and reduces the effect of EMI on other cables.

Figure 3.13. Baseband versus broadband signaling

Figure 3.14. UTP and STP cable construction

Higher throughput forms of twisted pair include 100BaseT and 1000BaseT, which are 100Mbps (megabit Ethernet) and 1Gbps (gigabit Ethernet) respectively.

UTP and STP are commonly categorized according to their ability to support various speeds of throughput (bandwidth) for communications. Table 3.1 shows the common UTP/STP cable specifications.

Generally, twisted pair wiring is more susceptible to EMI than coax, with UTP the more vulnerable of the two. Twisted pair wiring is also vulnerable to excess cable length, which causes attenuation.

Fiber optic cable (see Figure 3.15) uses pulses of light instead of electric pulses to transmit data. Thus, fiber optic cable isn't susceptible to EMI. It's also considered invulnerable to most eavesdropping and interception attacks.

Fiber optic cabling offers throughputs in excess of 1Gbps and has maximum deployment lengths of 2km to 26km. The drawbacks of fiber optic cabling include its expense; the difficulty of installing it; and its susceptibility to breakage due to cable stress, stretching, and bending.

Figure 3.15. Commonly used fiber connectors

Removable media drives are generally considered both a convenience and a security vulnerability. The ability to add and remove storage media to a computer system makes it more versatile. However, it also makes it vulnerable to data theft and malicious code planting.

Removable media include the electronic, logical, or digital storage mechanisms listed in the following sections as well as printed materials. Any time media is no longer needed, it should be properly destroyed to prevent disclosure of sensitive and confidential information to unauthorized entities. For example, failing to destroy printouts or burned CDs may provide dumpster-diving attackers with treasures.

Security zones are additional divisions or segments of a basic LAN-to-Internet connection that allow for supplementary layers of security and control (see Figure 3.16). Each security zone is an area of a network that has a single defined level of security. That security may focus on authorized access, preventing access, protecting confidentiality and integrity, or limiting traffic flow. Different security zones usually host different types of resources with different levels of sensitivity.

The Security+ exam focuses on three specific zones: DMZ, intranet, and extranet.

Figure 3.16. A typical LAN connection to the Internet

DMZ (Demilitarized Zone)

A demilitarized zone (DMZ) (see Figure 3.17) is an area of a network that is designed specifically for public users to access. Access to a DMZ is usually controlled or restricted by a firewall and router system. The DMZ acts as a buffer network between the public untrusted Internet and the private trusted LAN. If the DMZ as a whole or individual systems within the DMZ are compromised, the private LAN is unaffected and uncompromised.

Figure 3.17. A typical DMZ

A DMZ gives an organization the ability to offer information services, such as Web, FTP, and e-mail, to both the public and internal clients without compromising the security of the private LAN. Often a DMZ is deployed through the use of a multihomed firewall. Such a firewall has three interfaces: one to the Internet, one to the private LAN, and one to the DMZ.

Extranet

An extranet (see Figure 3.19) is an intranet that functions as a DMZ for business-to-business transactions. It allows an organization to offer specialized services to business partners, suppliers, distributors, or customers. Extranets are based on TCP/IP and often use the common Internet information services, such as Web, FTP, and e-mail. Extranets aren't accessible to the general public.

Figure 3.18. An intranet network

Figure 3.19. A typical extranet between two organizations

A virtual local area network (VLAN) consists of subnets that are logically created out of a single physical network. They're often created using switches (see Figure 3.20). Basically, the ports on a switch are numbered; each port is assigned the designation VLAN1 by default. By assigning ports other designations, such as VLAN2 or VLAN3, you can create additional virtual networks.

Figure 3.20. A typical segmented VLAN

VLANs function in much the same way as traditional subnets. In order for communications to travel from one VLAN to another, the switch operates as a router to control and filter traffic between its VLANs.

VLANs are used to logically segment a network without altering its physical topology. They're easy to implement, have little administrative overhead, and are a hardware-based solution.

VLANs let you control and restrict broadcast traffic and reduce a network's vulnerability to sniffers. Broadcast traffic isn't automatically forwarded from one VLAN to another, and the sniffer can only see traffic on the segment to which it's connected. This feature of a switch to block broadcasts between VLANs helps protect against broadcast storms. A broadcast storm is a flood of unwanted broadcast network traffic.

In order for systems to communicate across the Internet, they must have an Internet-capable TCP/IP address. Unfortunately, leasing a sufficient number of public IP addresses to assign one to every system on a network is expensive. Plus, assigning public IP addresses to every system on the network means those systems can be accessed (or at least addressed) directly by external benign and malicious entities. One method around this issue is to use network address translation (NAT) (see Figure 3.21).

Figure 3.21. A typical Internet connection to a local network

NAT converts the private IP addresses of internal systems found in the header of network packets into public IP addresses. It performs this operation on a one-to-one basis: Thus a single leased public IP address can allow a single internal system to access the Internet. Since Internet communications aren't usually permanent or dedicated connections, a single public IP address could effectively support three or four internal systems if they never needed Internet access simultaneously. So, when NAT is used, a larger network only needs to lease a small number of public IP addresses.

NAT provides several benefits:

Closely related to NAT is port address translation (PAT), which allows a single public IP address to host up to 65,536 simultaneous communications from internal clients (a theoretical maximum, practically you should limit the number to 10 or less in most cases). Instead of mapping IP addresses on a one-to-one basis, PAT also uses the TCP port numbers to host multiple simultaneous communications across each public IP address.

The use of the term NAT in the IT industry has come to include the concept of PAT. Thus, when you hear or read about NAT, you can assume that the material is referring to PAT. This is true for most Microsoft Windows operating systems and services; it's also true of the Security+ exam.

Using a special protocol, such as a VPN protocol, to create a communication pathway, known as a tunnel, across an intermediary, often untrusted, network. The concept of tunneling is the basis of VPNs.

A network based IDS (Figure 3.23) watches network traffic in real time. It monitors network traffic patterns, scans packet header information, and may examine the contents of packets to detect security violations or attacks. A network-based IDS is reliable for detecting network-focused attacks, such as bandwidth-based Denial of Service (DoS) attacks.

Figure 3.23. A network-based IDS placement in a network determines what data will be analyzed.

A host-based IDS (Figure 3.24) watches the audit trails and log files of a host system. This type of IDS is limited to the auditing and logging capabilities of the host system (which includes the operating system and installed applications and services). A host-based IDS can detect problems only if sufficient information is captured by the host's auditing capabilities. It's reliable for detecting attacks directed against a host, whether they originate from an external source or are perpetrated by a user locally logged in to the host.

Figure 3.24. A host-based IDS interacting with the operating system

A honey pot (Figure 3.30) is a fictitious environment designed to fool and lure attackers and intruders away from the private secured network. A honey pot is often deployed as a buffer network between an untrusted network, such as the Internet, business partners, or a DMZ, and the private network.

The honey pot looks and acts like a real system or network, but it contains no valuable or legitimate data or resources. Intruders may be fooled into wasting their time attacking and infiltrating a honey pot instead of your actual network. All the activity in the honey pot is monitored and recorded.

The purpose of deploying a honey pot is to provide an extra layer of protection for your private network and to gather sufficient evidence for prosecution against malicious intruders and attackers. A honey pot can often gather sufficient information to determine the identity of the intruder; the type of data, resource, or system being attacked or focused on; and the methods and tools of attack.

Figure 3.30. A network honey pot deceives an attacker and gathers intelligence.

When a security breach or perimeter violation is detected, incident response must be initiated. The goal of a planned and documented incident response is to limit the amount of damage caused by the incident, to recover the environment as quickly as possible, and to gather information about the incident and the perpetrator in order to prevent a reoccurrence and pursue legal prosecution.

The best way to respond to security violations is to have an incident response plan to follow. This plan defines and describes the procedures to perform in the event of an incident. One of the first steps that should occur when an incident is detected or suspected is to contact the incident response team, which will then follow the procedures in the incident response plan.

Some of the elements commonly found in an incident response plan include:

It's important not to log off the system or shut down the computer, since these actions may damage or alter evidence.

In the process of responding to an incident, an important goal is to contain the problem. Containment means to limit the scope of damage and to prevent other systems or resources from being negatively affected. Containment is especially important when the incident includes virus infection, remote control access, a Trojan horse, a logic bomb, or the use of hacker tools. Malicious use of these components may leave residual elements that are activated at a later time.

Depending on the type of incident (for example, an intrusion attack across a Internet link), the incident response team may choose to disconnect or terminate a network segment or ISP connection. Once an incident has been contained, the incident response team is responsible for documenting the incident and making recommendations about how to improve the environment to prevent a reoccurrence. A final step in incident response is to evaluate the response plan and procedures and improve them as necessary.

Operating system hardening is the process of reducing vulnerabilities, managing risk, and improving the security provided by or for an operating system. This is usually accomplished by taking advantage of an operating system's native security features and supplementing them with add-on applications, such as firewalls, antivirus software, and malicious-code scanners.

Hardening an operating system includes protecting the system from both intentional directed attacks and unintentional or accidental damage. This can include implementing security countermeasures as well as fault-tolerant solutions for both hardware and software. Some of the actions that are often included in a system hardening procedure include :

Two aspects of operating system hardening that should not be overlooked are the file system and updates.

Network hardening takes the concept of operating system hardening and applies it to the network. In this instance, the network includes those components on each system that support network communications: the NIC, device drivers, and protocols, as well as the network media (cables or wireless) and network devices (routers, switches, hubs, and so on). Every aspect of a network should be as secure as possible to minimize the potential entry points for an intruder or malicious code. By improving the security of the network, you gain security for each individual system.

Network hardening includes the activities of applying firmware updates and managing configuration issues.

Application hardening is the task of imposing security on required applications and services. This usually involves tuning and configuring the native security features of the installed software and installing supportive security applications as needed. When you're developing new applications in house, it's also important to include security design, implementation, and integration throughout the development process.

Application hardening is often seen as a subelement of operating system hardening. In fact, many of the same steps and procedures used to lock down an operating system are used to harden an application or service. In addition to the general notion of disabling any unneeded protocols and services, you should also disable any unneeded features, functions, or capabilities of a service or protocol based on the server's role and the capabilities your organization needs.

In addition to the hardening steps already discussed, you should be familiar with the additional steps to secure common roles found on a network. These include:

The following sections detail additional steps relevant to the server function that haven't already been included in the previous discussions of operating system, networking, and application hardening.

E-mail Servers

A common problem with e-mail is that it's the most prevalent distribution mechanism for malicious code on the Internet. Rigid antivirus scanning (see Figure 3.31) and attachment monitoring are necessary to prevent this essential business communication tool from being a serious vulnerability.

Figure 3.31. E-mail virus scanner on an e-mail server

To prevent the transmission of e-mails from nonexistent domains (spoofed source addresses), an e-mail server should perform a reverse DNS lookup on all received messages before transmitting or forwarding them.

E-mail should be protected through the use of software and logical security mechanisms as well as an acceptable use policy. The acceptable use policy will reduce the level of user misuse and abuse of the company's e-mail capabilities.

Note

Most of the general e-mail security issues, especially those related to SMTP and encryption, are discussed in Chapter 2.

File/Print Servers

A file server is a network server that offers file access to network clients (see Figure 3.32). An FTP server is an example of a public or Internet file server, but any type of server that users can use to upload and/or download files is a file server. Methods to secure file servers include restricting access to authorized users, logging activity, and imposing quota limits on storage space usage.

Figure 3.32. Network share connection

A print server is a network server offering a shared network printer for use by network users. Methods to secure print servers include restricting access to authorized users and logging activity. The ability to manage printers, especially to update device drivers, should be restricted to administrators.

Directory Services

A directory service server is often called a domain controller or an authentication server. It's responsible for managing access to the resources of a network (Figure 3.33). A directory service is a form of telephone directory for the resources within a network. It includes a list of all servers, clients, users, groups, and shared resources such as files and printers.

Note

Directory services are discussed in Chapter 2, in section "2.4 Directory Security."

Figure 3.33. Directory structure showing the unique identification of a user