CHAPTER 10
Network Security
This chapter covers the following official Network+ objectives:
Summarize the purposes of physical security devices.
Explain authentication and access controls.
Given a scenario, secure a basic wireless network.
Summarize common networking attacks.
Given a scenario, implement network device hardening.
Explain common mitigation techniques and their purposes.
This chapter covers CompTIA Network+ objectives 4.1, 4.2, 4.3, 4.4, 4.5, and 4.6. For more information on the official Network+ exam topics, see the “About the Network+ Exam” section in the Introduction.
Network security is one of the toughest areas of IT to be responsible for. It seems as if a new threat surfaces on a regular basis and that you are constantly needing to learn new things just a half a step ahead of potential problems. This chapter focuses on some of the elements administrators use to keep their networks as secure as possible.
Physical Security and Device Hardening
Summarize the purposes of physical security devices.
Given a scenario, implement network device hardening.
CramSaver
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. True or false: All unnecessary services on a server should be disabled.
2. A system that uses any two items, such as smart cards and passwords, for authentication is referred to as a _______ system.
3. True or false: Common passwords should be used on similar system devices within the same geographic confines.
Answers
1. True. Unnecessary services serve no purpose and take up overhead. They also represent extra possibilities for an attacker to exploit and use to gain access to your system(s).
2. Two-factor authentication system.
3. False. Common passwords should be avoided at all cost because they serve to weaken the security of the system.
ExamAlert
Remember that this objective begins with “Given a scenario.” That means that you may receive a drag and drop, matching, or “live OS” scenario where you have to click through to complete a specific objective-based task.
It does little good to have great network security if everything can be compromised by someone walking in your office, picking up your server, and walking out the front door with it. Physical security of the premises is equally important to an overall security implementation.
Ideally, your systems should have a minimum of three physical barriers:
The external entrance to the building, referred to as a perimeter, which is protected by motion detection, burglar alarms, external walls, fencing,
surveillance, and so on. This should be used with an access list, which should exist
to specifically identify who can enter a facility and can be verified by a security
guard or someone in authority. A mantrap can be used to limit access to only one or
two people going into the facility at a time. A properly developed mantrap includes
bulletproof glass, high-strength doors, and locks. In high-security and military environments,
an armed guard, as well as video surveillance (IP cameras and CCTVs), should be used
at the mantrap. After a person is inside the facility, additional security and authentication
may be required for further entrance.
A locked door with door access controls protecting the computer center and network
closets; you should also rely on such items as ID badges, proximity readers/key fobs,
or keys to gain access. Biometrics, such as fingerprint or retinal scans, can be used
for authentication.
The entrance to the computer room itself. This should be another locked door that
is carefully monitored and protected by keypads and cipher locks. Although you try
to keep as many intruders out with the other two barriers, many who enter the building
could be posing as someone they are not—heating and air technicians, representatives
of the landlord, and so on. Although these pretenses can get them past the first two
barriers, they should still be stopped by the locked computer room door.
Assets should have asset tracking tags attached to them that have unique identifiers
for each client device in your environment (usually just incrementing numbers corresponding
to values in a database) to help you identify and manage your IT assets. Additionally,
tamper detection devices should be installed to protect against unauthorized chassis
cover and component removal.
The objective of any physical barrier is to prevent access to computers and network systems. The most effective physical barrier implementations require that more than one physical barrier be crossed to gain access. This type of approach is called a multiple barrier system.
ExamAlert
Physical security is a recent addition to the Network+ exam. Be sure that you are familiar with the topics discussed here.
Adding Physical Security to the Mix
Physical security is a combination of good sense and procedure. The purpose of physical security is to restrict access to network equipment only to people who need it.
The extent to which physical security measures can be implemented to protect network devices and data depends largely on their location. For instance, if a server is installed in a cabinet located in a general office area, the only practical physical protection is to make sure that the cabinet door is locked and that access to keys for the cabinet is controlled. It might be practical to use other antitheft devices, but that depends on the location of the cabinet.
However, if your server equipment is located in a cupboard or dedicated room, access restrictions for the room are easier to implement and can be more effective. Again, access should be limited only to those who need it. Depending on the size of the room, this factor might introduce a number of other factors.
Servers and other key networking components are those to which you need to apply the greatest level of physical security. Nowadays, most organizations choose to locate servers in a cupboard or a specific room.
Access to the server room should be tightly controlled, and all access doors must be secured by some method, whether it is a lock and key or a retinal scanning system. Each method of server room access control has certain characteristics. Whatever the method of server room access, it should follow one common principle: control. Some access control methods provide more control than others.
Lock and Key
If access is controlled by lock and key, the number of people with a key should be restricted to only those people who need access. Spare keys should be stored in a safe location, and access to them should be controlled.
Following are some of the features of lock-and-key security:
Inexpensive: Even a good lock system costs only a few hundred dollars.
Easy to maintain: With no back-end systems and no configuration, using a lock and key is the easiest
access control method.
Less control than other methods: Keys can be lost, copied, and loaned to other people. There is no record of access
to the server room and no way to prove that the key holder is entitled to enter.
Tip
If you use a lock and key for security, make sure that all copies of the original key are stamped DO NOT COPY. That way, it is more difficult for someone to get a copy because reputable key cutters will not make copies of such keys.
Swipe Card and PIN Access
If budgets and policies permit, swipe card and PIN entry systems are good choices for managing physical access to a server room. Swipe card systems use a credit card-sized plastic card read by a reader on the outside of the door. To enter the server room, you must swipe the card (run it through the reader), at which point it is read by the reader, which validates it. Usually, the swipe card’s use to enter the room is logged by the card system, making it possible for the logs to be checked. In higher-security installations, it is common to have a swipe card reader on the inside of the room as well so that a person’s exit can be recorded.
Although swipe card systems have relatively few disadvantages, they do need specialized equipment so that they can be coded with users’ information. They also have the same drawbacks as keys in that they can be lost or loaned to other people. However, the advantage that swipe cards have over key systems is that swipe cards are hard to copy.
PIN pads can be used alone or with a swipe card system. PIN pads have the advantage of not needing any kind of card or key that can be lost. For the budget conscious, PIN pad systems that do not have any logging or monitoring capability and can be purchased for a reasonable price. Following are some of the characteristics of swipe card and PIN pad systems:
Moderately expensive: Some systems, particularly those with management capabilities, are quite expensive.
Enhanced controls and logging: Each time people enter the server room, they must key in a number or use a swipe
card. This process enables systems to log who enters and when.
Some additional knowledge required: Swipe card systems need special software and hardware that can configure the cards.
Someone has to learn how to do this.
Biometrics
Although they might still seem like the realm of James Bond, biometric security systems are becoming far more common: Biometric systems work by using some unique characteristic of a person’s identity—such as a fingerprint, a palm print, or a retina scan—to validate that person’s identity.
Although the price of biometric systems has been falling over recent years, they are not widely deployed in small to midsized networks. Not only are the systems themselves expensive, but also their installation, configuration, and maintenance must be considered. Following are some of the characteristics of biometric access control systems:
Very effective: Because each person entering the room must supply proof-of-person evidence, verification
of the person entering the server area is as close to 100% reliable as you can get.
Nothing to lose: Because there are no cards or keys, nothing can be lost.
Expensive: Biometric security systems and their attendant scanners and software are still relatively
expensive and can be afforded only by organizations that have a larger budget; however,
prices are sure to drop as more people turn to this method of access control.
Two-Factor and Multifactor Authentication
When two or more access methods are included as part of the authentication process, you’re implementing a multifactor system. A system that uses any two items—such as smart cards and passwords—is referred to as a two-factor authentication system. A multifactor system can consist of a two-factor system, a three-factor system, and so on. As long as more than one factor is involved in the authentication process, it is considered a multifactor system.
For obvious reasons, the two or more factors employed should not be from the same category. Although you do increase difficulty in gaining system access by requiring the user to enter two sets of username/password combinations, it is preferred to pair a single username/password combination with a biometric identifier or other check.
Note
Be sure that you understand that two-factor authentication is a subset of multifactor authentication.
Secured Versus Unsecured Protocols
As you know, any network needs a number of protocols to function. This includes both LAN and WAN protocols. Not all protocols are created the same. Some are designed for secure transfer, and others are not. Table 10.1 lists several protocols and describes their use.
ExamAlert
You will most certainly be asked questions on secure protocols and when they might be used. Review Table 10.1 before taking the Network+ exam.
Additional Device Hardening
In addition to physically securing network devices and opting to run secure protocols in favor of unsecured ones, some steps an administrator should take to further hardening include the following:
Change default credentials: The easiest way for any unauthorized individual to access a device is by using the
default credentials. Many routers, for example, come configured with an “admin” account
and a simple value for the password (“admin,” “password,” and so on). Anyone owning
one of those routers knows those values and could use them to access any other of
the same make if the values have not been changed. To make it more difficult for unauthorized
users to access your devices, change those default usernames and passwords as soon
as you start using them.
Avoid common passwords: It is a good thing to preach password security to users, but often administrators
are guilty of using too-simplistic passwords on network devices such as routers, switches,
and the like. Given the large number of devices in question, sometimes the same passwords
are also used on multiple devices. Common sense tells every administrator that this
is wrong, but often it is done anyway with the hope that no miscreant will try to
gain unauthorized access. Don’t be that administrator: use complex passwords and use
a different password for each device, increasing the overall security of your network.
Upgrade firmware: There is a reason why each firmware update is written. Sometimes, it is to optimize
the device or make it more compatible with other devices. Other times, it is to fix
security issues and/or head off identified problems. Keep firmware on your production
machines current after first testing the upgrades on lab machines and verifying that
you’re not introducing any unwanted problems by installing.
Apply patches and updates: Just as firmware upgrades are intended to strengthen or solve problems, patches and
updates do the same with software (including operating systems). Test each release
on a lab machine(s) to make sure you are not adding to network woes, and then keep
your software current to harden it.
Verify file hashes: File hashing is used to verify that the contents of files are unaltered. A hash is
often created on a file before it is downloaded and then hashed after the download
so the two values can be compared to make sure the contents are the same. When downloading
files—particularly upgrades, patches, and updates—check hash values and use this one
test to keep from installing those entities that have had Trojan horses attached to
them.
Disable unnecessary services: Every unnecessary service that is running on a server is akin to another door on
a warehouse that someone unauthorized may choose to sneak in. Just as an effective
way to secure a warehouse is to reduce the number of doors to only those needed, so
too is it recommended that a server be secured by removing (disabling) services not
in use.
Generate new keys: Keys are used as a part of the encryption process, particularly with public key encryption
(PKI), to encrypt and decrypt messages. The longer you use the same key, the longer
the opportunity becomes for someone to crack that key. To increase security, generate
new keys on a regular basis: The commands to do so will differ based on the utility
that you are creating the keys for.
Disable unused ports: Disabling unnecessary services (mentioned previously) increases security by removing
doors that someone could use to enter the server. Similarly, IP ports that are not
needed for devices also represent doors that could be used to sneak in. It is highly
recommended that unused ports be disabled to increase security along with device ports
(both physical and virtual ports).
ExamAlert
The items appearing in the bulleted list are the topics beneath objective 4.5; make sure you know them for the exam.
Cram Quiz
1. Which of the following is used to verify that the contents of files are unaltered?
A. Key generation
B. File hashing
C. Biometrics
D. Asset tracking
2. Which of the following is a secure alternative to Telnet that enables secure sessions to be opened on a remote host?
A. SSH
B. RSH
C. IPsec
D. RDP
3. Which of the following can be used to limit access to only one or two people going into the facility at a time?
A. Mantrap
B. Min cage
C. Tholian web
D. Cloud minder
4. Which of the following systems use a credit card-sized plastic card that is read by a reader on the outside of the door?
A. Contiguity reader
B. Key fob
C. Swipe card
D. Cipher lock
Cram Quiz Answers
1. B. File hashing is used to verify that the contents of files are unaltered.
2. A. SSH is a secure alternative to Telnet that enables secure sessions to be opened on a remote host.
3. A. A mantrap can be used to limit access to only one or two people going into the facility at a time.
4. C. Swipe card systems use a credit card-sized plastic card read by a reader on the outside of the door. To enter the server room, you must swipe the card (run it through the reader), at which point it is read by the reader, which validates it.
Authentication and Access Controls
Explain authentication and access controls.
CramSaver
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. True or false: Filtering network traffic using a system’s MAC address typically is done using an ACL.
2. True or false: LDAP is a protocol that provides a mechanism to access and query directory services systems.
3. Which access control model uses an access control list (ACL) to determine access?
Answers
1. True. Filtering network traffic using a system’s MAC address typically is done using an ACL.
2. True. LDAP (Lightweight Directory Access Protocol) is a protocol that provides a mechanism to access and query directory services systems.
3. Discretionary access control (DAC) uses an access control list (ACL) to determine access. The ACL is a table that informs the operating system of the rights each user has to a particular system object, such as a file, a folder, or a printer.
Access control describes the mechanisms used to filter network traffic to determine who is and who is not allowed to access the network and network resources. Firewalls, proxy servers, routers, and individual computers all can maintain access control to some degree by protecting the edges of the network. By limiting who can and cannot access the network and its resources, it is easy to understand why access control plays a critical role in security strategy. Several types of access control strategies exist, as discussed in the following sections.
Be sure that you can identify the purpose and types of access control.
Mandatory Access Control
Mandatory access control (MAC) is the most secure form of access control. In systems configured to use mandatory access control, administrators dictate who can access and modify data, systems, and resources. MAC systems are commonly used in military installations, financial institutions, and, because of new privacy laws, medical institutions.
MAC secures information and resources by assigning sensitivity labels or attributes to objects and users. When users request access to an object, their sensitivity level is compared to the object’s. A label is a feature applied to files, directories, and other resources in the system. It is similar to a confidentiality stamp. When a label is placed on a file, it describes the level of security for that specific file. It permits access by files, users, programs, and so on that have a similar or higher security setting.
Discretionary Access Control
Unlike mandatory access control, discretionary access control (DAC) is not enforced from the administrator or operating system. Instead, access is controlled by an object’s owner. For example, if a secretary creates a folder, he decides who will have access to that folder. This access is configured using permissions and an access control list (ACL).
DAC uses an ACL to determine access. The ACL is a table that informs the operating system of the rights each user has to a particular system object, such as a file, a folder, or a printer. Each object has a security attribute that identifies its ACL. The list has an entry for each system user with access privileges. The most common privileges include the ability to read a file (or all the files in a folder), to write to the file or files, and to execute the file (if it is an executable file or program).
Microsoft Windows servers/clients, Linux, UNIX, and Mac OS are among the operating systems that use ACLs. The list is implemented differently by each operating system.
In Windows Server products, an ACL is associated with each system object. Each ACL has one or more access control entries (ACEs) consisting of the name of a user or group of users. The user can also be a role name, such as “secretary” or “research.” For each of these users, groups, or roles, the access privileges are stated in a string of bits called an access mask. Generally, the system administrator or the object owner creates the ACL for an object.
Note
A server on a network that has the responsibility of being a repository for accounts (user/computer) is often referred to as a network controller. A good example of this is a domain controller on a Microsoft Active Directory–based network.
Rule-Based Access Control
Rule-based access control (RBAC) controls access to objects according to established rules. The configuration and security settings established on a router or firewall are a good example.
When a firewall is configured, rules are set up that control access to the network. Requests are reviewed to see if the requestor meets the criteria to be allowed access through the firewall. For instance, if a firewall is configured to reject all addresses in the 192.166.x.x IP address range, and the requestor’s IP is in that range, the request would be denied.
In a practical application, RBAC is a variation on MAC. Administrators typically configure the firewall or other device to allow or deny access. The owner or another user does not specify the conditions of acceptance, and safeguards ensure that an average user cannot change settings on the devices.
Role-Based Access Control
Note
Note that both rule-based and role-based access control use the acronym RBAC.
In role-based access control (RBAC), access decisions are determined by the roles that individual users have within the organization. Role-based access requires the administrator to have a thorough understanding of how a particular organization operates, the number of users, and each user’s exact function in that organization.
Because access rights are grouped by role name, the use of resources is restricted to individuals who are authorized to assume the associated role. For example, within a school system, the role of teacher can include access to certain data, including test banks, research material, and memos. School administrators might have access to employee records, financial data, planning projects, and more.
The use of roles to control access can be an effective means of developing and enforcing enterprise-specific security policies and for streamlining the security management process.
Roles should receive only the privilege level necessary to do the job associated with that role. This general security principle is known as the least privilege concept. When people are hired in an organization, their roles are clearly defined. A network administrator creates a user account for a new employee and places that user account in a group with people who have the same role in the organization.
Least privilege is often too restrictive to be practical in business. For instance, using teachers as an example, some more experienced teachers might have more responsibility than others and might require increased access to a particular network object. Customizing access to each individual is a time-consuming process.
ExamAlert
Although a Security+ objective and concept, you might be asked about the concept of least privilege. This refers to assigning network users the privilege level necessary to do the job associated with their role—nothing more and nothing less.
RADIUS and TACACS+
Among the potential issues network administrators face when implementing remote access are utilization and the load on the remote-access server. As a network’s remote-access implementation grows, reliance on a single remote-access server might be impossible, and additional servers might be required. RADIUS can help in this scenario.
ExamAlert
RADIUS is a protocol that enables a single server to become responsible for all remote-access authentication, authorization, and auditing (or accounting) services.
RADIUS functions as a client/server system. The remote user dials in to the remote-access server, which acts as a RADIUS client, or network access server (NAS), and connects to a RADIUS server. The RADIUS server performs authentication, authorization, and auditing (or accounting) functions and returns the information to the RADIUS client (which is a remote-access server running RADIUS client software); the connection is either established or rejected based on the information received.
Terminal Access Controller Access Control System (TACACS) is a security protocol designed to provide centralized validation of users who are attempting to gain access to a router or NAS. Like RADIUS, TACACS is a set of security protocols designed to provide AAA of remote users. TACACS+ is a proprietary version of TACACS from Cisco and is the implementation commonly in use in networks today. TACACS+ uses TCP port 49 by default.
Although both RADIUS and TACACS+ offer AAA services for remote users, some noticeable differences exist:
TACACS+ relies on TCP for connection-oriented delivery. RADIUS uses connectionless
UDP for data delivery.
RADIUS combines authentication and authorization, whereas TACACS+ can separate their
functions.
ExamAlert
Both RADIUS and TACACS+ provide authentication, authorization, and accounting services. One notable difference between TACACS+ and RADIUS is that TACACS+ relies on the connection-oriented TCP, whereas RADIUS uses the connectionless UDP.
Kerberos Authentication
Kerberos is an Internet Engineering Task Force (IETF) standard for providing authentication. It is an integral part of network security. Networks, including the Internet, can connect people from all over the world. When data travels from one point to another across a network, it can be lost, stolen, corrupted, or misused. Much of the data sent over networks is sensitive, whether it is medical, financial, or otherwise. A key consideration for those responsible for the network is maintaining the confidentiality of the data. In the networking world, Kerberos plays a significant role in data confidentiality.
In a traditional authentication strategy, a username and password are used to access network resources. In a secure environment, it might be necessary to provide a username and password combination to access each network service or resource. For example, a user might be prompted to type in her username and password when accessing a database, and again for the printer, and again for Internet access. This is a time-consuming process, and it can also present a security risk. Each time the password is entered, there is a chance that someone will see it being entered. If the password is sent over the network without encryption, it might be viewed by malicious eavesdroppers.
Kerberos was designed to fix such problems by using a method requiring only a single sign-on. This single sign-on enables a user to log in to a system and access multiple systems or resources without the need to repeatedly reenter the username and password. Additionally, Kerberos is designed to have entities authenticate themselves by demonstrating possession of secret information.
Kerberos is one part of a strategic security solution that provides secure authentication services to users, applications, and network devices by eliminating the insecurities caused by passwords stored or transmitted across the network. Kerberos is used primarily to eliminate the possibility of a network “eavesdropper” tapping into data over the network—particularly usernames and passwords. Kerberos ensures data integrity and blocks tampering on the network. It employs message privacy (encryption) to ensure that messages are not visible to eavesdroppers on the network.
For the network user, Kerberos eliminates the need to repeatedly demonstrate possession of private or secret information.
ExamAlert
Kerberos is a nonproprietary protocol and is used for cross-platform authentication. It’s the main authentication protocol used with Windows servers.
Kerberos is designed to provide strong authentication for client/server applications by using secret key cryptography. Cryptography is used to ensure that a client can prove its identity to a server (and vice versa) across an unsecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all their communications to ensure privacy and data integrity.
ExamAlert
Kerberos enables secure authentication over an unsecure network such as the Internet.
The key to understanding Kerberos is to understand its secret key cryptography. Kerberos uses symmetric key cryptography, in which both client and server use the same encryption key to cipher and decipher data.
In secret key cryptography, a plain-text message can be converted into cipher text (encrypted data) and then converted back into plain text using one key. Thus, two devices share a secret key to encrypt and decrypt their communications. Figure 10.1 shows the symmetric key process.
ExamAlert
Another cryptography method in use is asymmetric key cryptography, or public key cryptography. In this method, a device has both a public and private key. The private key is never shared. The public key is used to encrypt the communication, and the private key is used for decrypting.
Kerberos authentication works by assigning a unique key, called a ticket, to each client that successfully authenticates to a server. The ticket is encrypted and contains the user’s password, which is used to verify the user’s identity when a particular network service is requested. Each ticket is time stamped. It expires after a period of time, and a new one is issued. Kerberos works in the same way that you go to a movie. First, you go to the ticket counter, tell the person what movie you want to see, and get your ticket. After that, you go to a turnstile and hand the ticket to someone else, and then you’re “in.” In simplistic terms, that’s Kerberos.
ExamAlert
You should know that the security tokens used in Kerberos are known as tickets.
Local Authentication
Most of the time, the goal is to authenticate the user using a centralized authentication server or service of some type. When that cannot be done—such as when there is no Internet connectivity available—then authentication is done locally by the operating system using values stored within it. In Windows, for example, the Local Authentication Subsystem (LASS) performs this function and allows users access to the system after their stored username and password variables match.
Lightweight Directory Access Protocol
Lightweight Directory Access Protocol (LDAP) is a protocol that provides a mechanism to access and query directory services systems. In the context of the Network+ exam, these directory services systems are most likely to be UNIX based or Microsoft Active Directory based. Although LDAP supports command-line queries executed directly against the directory database, most LDAP interactions are via utilities such as an authentication program (network logon) or locating a resource in the directory through a search utility.
Using Certificates
A public key infrastructure (PKI) is a collection of software, standards, and policies combined to enable users from the Internet or other unsecured public networks to securely exchange data. PKI uses a public and private cryptographic key pair obtained and shared through a trusted authority. Services and components work together to develop the PKI. Some of the key components of a PKI include the following:
Certificates: A form of electronic credentials that validates users, computers, or devices on the
network. A certificate is a digitally signed statement that associates the credentials
of a public key to the identity of the person, device, or service that holds the corresponding
private key.
Certificate authorities (CAs): CAs issue and manage certificates. They validate the identity of a network device
or user requesting data. CAs can be either independent third parties, known as public
CAs, or they can be organizations running their own certificate-issuing server software,
known as private CAs.
Certificate templates: Templates used to customize certificates issued by a certificate server. This customization
includes a set of rules and settings created on the CA and used for incoming certificate
requests.
Certificate revocation list (CRL): A list of certificates that were revoked before they reached the certificate expiration
date. Certificates are often revoked because of security concerns, such as a compromised
certificate.
Auditing and Logging
Auditing is the process of monitoring occurrences and keeping a log of what has occurred on a system. A system administrator determines which events should be audited. Tracking events and attempts to access the system helps prevent unauthorized access and provides a record that administrators can analyze to make security changes as necessary. It also provides administrators with solid evidence if they need to look into improper user conduct.
Caution
Be sure that you can identify the purpose of authentication, authorization, and accounting.
The first step in auditing is to identify what system events to monitor. After the system events are identified, in a Windows environment, the administrator can choose to monitor the success or failure of a system event. For instance, if “logon” is the event being audited, the administrator might choose to log all unsuccessful logon attempts, which might indicate that someone is attempting to gain unauthorized access. Conversely, the administrator can choose to audit all successful attempts to monitor when a particular user or user group is logging on. Some administrators prefer to log both events. However, overly ambitious audit policies can reduce overall system performance.
Multifactor Authentication Factors
Previously in this chapter, multifactor authentication was defined as having two or more access methods included as part of the authentication process; the examples given were using smart cards and passwords. The factors used in authentication systems or methods are based on one or more of these five factors:
Something you know, such as a password or PIN
Something you have, such as a smart card, token, or identification device
Something you are, such as your fingerprints or retinal pattern (often called biometrics)
Somewhere you are (based on geolocation)
Something you do, such as an action you must take to complete authentication
Access Control
Today, there are many ways to establish access into networks. You could fill an entire tome with a discussion of the possibilities. CompTIA has reduced the topics associated with this subject to six: 802.1x, NAC, port security, MAC filtering, captive portal, and access control lists. The last item was discussed with discretionary access control at the beginning of this section; what follows discusses each of the remaining five topics in order.
802.1X
The IEEE standard 802.1X defines port-based security for wireless network access control. As such, it offers a means of authentication and defines the Extensible Authentication Protocol (EAP) over IEEE 802, which is often known as EAP over LAN (EAPOL). The biggest benefit of using 802.1X is that the access points and the switches do not need to do the authentication but instead rely on the authentication server to do the work.
Network Access Control (NAC)
Network access control (NAC) is a method to restrict access to the network based on identity or posture (discussed later in this chapter). This was created by Cisco to enforce privileges and make decisions on a client device based on information gathered from it (such as the vendor and version of the antivirus software running). If the wanted information is not found (such as that the antivirus definitions are a year old), the client can be placed in a quarantine network area to keep it from infecting the rest of the network. It can also be placed in a guest network and/or allowed to run nonpersistent (versus persistent) agents.
A posture assessment is any evaluation of a system’s security based on settings and applications found. In addition to looking at such values as settings in the Registry or dates of files, NACs can also check 802.1X values—the group of networking protocols associated with authentication of devices attempting to connect to the network. 802.1X works with EAP (discussed later in this chapter).
ExamAlert
As you prepare for the exam, be sure that you can identify posture assessment as any evaluation of a system’s security based on settings and applications found.
Port Security
Port security works at level 2 of the OSI model and allows an administrator to configure switch ports so that only certain MAC addresses can use the port. This is a common feature on both Cisco’s Catalyst as well as Juniper’s EX Series switches and essentially differentiates so-called dumb switches from managed (or intelligent) switches. Similarly, Dynamic ARP Inspection (DAI) works with these and other smart switches to protect ports from ARP spoofing.
MAC Filtering
Another name for a network card or network adapter is a network controller. Every controller has a unique MAC address associated with it. Filtering network traffic using a system’s MAC address typically is done using an ACL. This list keeps track of all MAC addresses and is configured to allow or deny access to certain systems based on the list. As an example, look at the MAC ACL from a router. Figure 10.2 shows the MAC ACL screen. Specific MAC addresses can be either denied or accepted, depending on the configuration. It would be possible, for example, to configure it so that only the system with the MAC address of 02-00-54-55-4E-01 can authenticate to the router.
FIGURE 10.2 A MAC ACL
When configuring security for wireless networks, filtering by MAC address is a common practice. Typically, in MAC filtering security, MAC addresses can be added to an “allow” ACL or “deny” ACL.
Captive Portal
Most public networks, including Wi-Fi hotspots, use a captive portal, which requires users to agree to some condition before they use the network or Internet. The condition could be to agree to the acceptable use policy, payment charges for the time they are using the network, and so forth.
One of the most popular implementations of captive portals is a Cisco application in its Identity Services Engine. However, there have been vulnerabilities identified with it, which allow attackers to intercept clear-text values.
Cram Quiz
1. Which of the following ports is used by TACACS+ by default?
A. 49
B. 51
C. 53
D. 59
2. Which of the following is the main authentication protocol used with Windows servers?
A. LDAP
B. Kerberos
C. L2TP
D. TFTP
3. What are the security tokens used with Kerberos known as?
A. Coins
B. Vouchers
C. Tickets
D. Gestures
4. Which of the following is NOT one of the factors associated with multifactor authentication?
A. Something you like
B. Something you are
C. Something you do
D. Something you have
Cram Quiz Answers
1. A. TACACS+ uses TCP port 49 by default.
2. B. Kerberos is the main authentication protocol used with Windows servers.
3. C. The tokens used for security in Kerberos are known as tickets.
4. A. Something you like is not one of the five factors used in multifactor authentication. The five legitimate possibilities are the following: something you know, something you have, something you are, somewhere you are, and something you do.
Securing Wireless Networks
Given a scenario, secure a basic wireless network.
CramSaver
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. What can be used to secure an EAP tunnel by using a certificate on the server side?
2. What does WPA mandate the use of?
3. What type of key does WPA2 Personal utilize?
Answers
1. PEAP can be used to secure an EAP tunnel by using a certificate on the server side.
2. WPA mandates the use of TKIP.
3. WPA2 Personal uses a preshared key.
ExamAlert
Remember that this objective begins with “Given a scenario.” That means that you may receive a drag and drop, matching, or “live OS” scenario where you have to click through to complete a specific objective-based task.
Wireless systems transmit data through the air and can be much more difficult to secure than those dependent on wires that can be physically protected. The growth of wireless systems in every workplace and home creates many opportunities for attackers looking for signals that can be easily intercepted. This section discusses various types of wireless systems that you’ll likely encounter and some of the security issues associated with this technology.
WPA, WPA2, TKIP-RC4, and CCMP-AES
The Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) technologies were designed to address the core, easy-to-crack problems of earlier technologies, such as Wired Equivalent Privacy (WEP). These technologies were created to implement the 802.11i standard. The difference between WPA and WPA2 is that the former implements most, but not all, of 802.11i in order to be able to communicate with older wireless devices that might still need an update through their firmware to be compliant. WPA uses the RC4 encryption algorithm with TKIP, whereas WPA2 implements the full standard and is not compatible with older devices.
Although WPA mandates the use of TKIP, WPA2 requires Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization vector. With the larger initialization vector, it increases the difficulty in cracking and minimizes the risk of a replay attack. WPA (with TKIP) was used as an intermediate solution, implementing a portion of the 802.11i standard. The ultimate solution, a full implementation of the 802.11i standard, is WPA2 (with CCMP).
Wireless Authentication and Authorization
Choosing the correct authentication protocol for remote clients is an important part of designing a secure remote-access strategy. After they are authenticated, users have access to the network and servers. Extensible Authentication Protocol (EAP) provides a framework for authentication that is often used with wireless networks. Among the EAP types adopted by the WPA/WPA2 standard are PEAP, EAP-FAST, and EAP-TLS. EAP was developed in response to an increasing demand for authentication methods that use other types of security devices, such as token cards, smart cards, and digital certificates.
To simplify network setup, a number of small office and home office (SOHO) routers use a series of EAP messages to allow new hosts to join the network and use WPA/WPA2. Known as Wi-Fi Protected Setup (WPS), this often requires the user to do something to complete the enrollment process: press a button on the router within a short time period, enter a PIN, or bring the new device close by (so that near field communication can take place).
Cisco, RSA, and Microsoft worked together to create Protected Extensible Authentication Protocol (PEAP). There is now native support for it in Windows (which previously favored EAP-TLS). Although many consider PEAP and EAP-TLS to be similar, PEAP is more secure because it establishes an encrypted channel between the server and the client.
EAP-FAST (Flexible Authentication via Secure Tunneling) was designed by Cisco to allow for the use of certificates to establish a TLS tunnel in which client credentials are verified.
To put EAP implementations in a chronological order, think EAP-TLS, EAP-FAST, and then PEAP. In between came EAP-TTLS, a form of EAP-TLS that adds tunneling (Extensible Authentication Protocol—Tunneled Transport Layer Security). Of all the choices, PEAP is the one with more vendors than just Cisco and thus is currently favored for use today.
Shared, Preshared, and Open Keys
During the authentication process, keyed security measures are applied before communication can take place. On many APs, authentication can be set to either shared key authentication or open authentication. The default setting for older APs typically is open authentication. Open authentication enables access with only the SSID and/or the correct WEP key for the AP. The problem with open authentication is that if you do not have other protection or authentication mechanisms in place, your wireless network is totally open to intruders. When set to shared key mode, the client must meet security requirements before communication with the AP can occur.
Shared requires that a WEP key be configured on both the client system and the AP. This makes authentication with WEP-Shared mandatory, so it is more secure for wireless transmission. WPA-PSK, the acronym for Wi-Fi Protected Access with Preshared Key, is a stronger form of encryption in which keys are automatically changed and authenticated between devices after a specified period of time or after a specified number of packets have been transmitted.
Note
One implementation of WPA is known as WPA2 Personal. This implementation uses a preshared key, whereas WPA2 Enterprise needs an authentication server.
MAC Filtering
To increase wireless security, some APs enable you to configure MAC address filtering and guest access. MAC address filtering enables you to limit access to only those specified hosts. Guest access uses a different password and network name and enables visitors to use the Internet without having access to the rest of the network (thus avoiding your data and computers).
ExamAlert
Make sure that you understand the purpose of MAC address filtering and that this works the same whether the network is wired or wireless.
Geofencing
Any wireless technology, but usually GPS and sometimes RFID, can be used to create a virtual geographic boundary. This boundary is called a geofence. After that boundary is defined, software can be used to trigger a response when a device enters or leaves that area. A section of a supermarket, for example, can be configured to text a coupon code to iPhones for a percentage off milk purchases to any phone coming within 10 feet of the dairy section.
Similar technology can be used to take attendance in a classroom, at a meeting location, and so on. Because events can be triggered for not only entering a zone, but also leaving it, it could be used to send a message to parents if a child leaves the virtually defined neighborhood, and so on. Still in its infancy, geofencing technology is expected to grow in acceptance and application over the next few years.
ExamAlert
Remember that the goal of geofencing is to have a defined boundary and then be able to respond to what either enters or leaves that area.
Cram Quiz
1. Both WPA and WPA2 were created to implement which 802.11 standard?
A. x
B. d
C. i
D. g
2. WPA uses which encryption algorithm?
A. MD5
B. RC4
C. CCMP
D. AES
3. Which of the following technologies can be used to create a virtual perimeter for mobile devices?
A. Polygon sites
B. RADIUS zones
C. Geofencing
D. DMZ
Cram Quiz Answers
1. C. The WPA and WPA2 technologies were created to implement the 802.11i standard.
2. B. WPA uses the RC4 encryption algorithm with TKIP.
3. C. Geofencing can be used to create a virtual perimeter for mobile devices.
Common Networking Attacks
Summarize common networking attacks.
CramSaver
1. What are software programs or code snippets called that execute when a certain predefined event occurs?
2. What type of malware takes control of a system and demands that a third party be paid before control is returned to the rightful owner?
Answers
1. Logic bombs are software programs or code snippets that execute when a certain predefined event occurs.
2. Ransomware takes control of a system and demands that a third party be paid before restoring control to the rightful party.
Malicious software, or malware, is a serious problem in today’s computing environments. It is often assumed that malware is composed of viruses. Although this typically is true, many other forms of malware by definition are not viruses, but are equally undesirable. Although we commonly associate them with coming from the outside, do not overlook the possibility for them to come from inside threats as well (particularly malicious employees who feel slighted because they did not get a raise or recognition they feel they deserve and have now become an insider threat).
Malware encompasses many types of malicious software and all were intended by their developer to have an adverse effect on the network. The following sections look at some of the more malevolent types.
Denial-of-Service and Distributed Denial-of-Service Attacks
Denial-of-service (DoS) attacks are designed to tie up network bandwidth and resources and eventually bring the entire network to a halt. This type of attack is done simply by flooding a network with more traffic than it can handle. When more than one computer is used in the attack, it is technically known as a distributed DoS (DDoS) attack. These typically use a botnet to launch a coordinated attack through a traffic spike. Almost every attack of this type today is DDoS, and we will use DoS to mean both.
A DoS attack is not designed to steal data but rather to cripple a network and, in doing so, cost a company huge amounts of money. It is possible, in fact, for the attack to be an unintentional, or friendly, DoS attack coming from the inside. Just as with friendly fire in combat, it matters not that it was unintentional, it does just as much damage.
The effects of DoS attacks include the following:
Saturating network resources, which then renders those services unusable
Flooding the network media, preventing communication between computers on the network
Causing user downtime because of an inability to access required services
Causing potentially huge financial losses for an organization because of network
and service downtime.
Types of DoS Attacks
Several types of DoS attacks exist, and each seems to target a different area. For instance, they might target bandwidth, network service, memory, CPU, or hard drive space. When a server or other system is overrun by malicious requests, one or more of these core resources breaks down, causing the system to crash or stop responding. A permanent DoS attack continues for more than a short period of time and requires you to change your routing, IP addresses, or other configurations to get around it.
Fraggle
In a Fraggle attack, spoofed UDP packets are sent to a network’s broadcast address. These packets are directed to specific ports, such as port 7 or port 19, and, after they are connected, can flood the system.
Smurfing
The Smurf attack is similar to a Fraggle attack. However, a ping request is sent to a broadcast network address, with the sending address spoofed so that many ping replies overload the victim and prevent it from processing the replies.
Ping of Death
In a ping of death attack, an oversized Internet Control Message Protocol (ICMP) datagram is used to crash IP devices that were manufactured before 1996.
SYN Flood
In a typical TCP session, communication between two computers is initially established by a three-way handshake, referred to as a SYN, SYN/ACK, ACK. At the start of a session, the client sends a SYN message to the server. The server acknowledges the request by sending a SYN/ACK message back to the client. The connection is established when the client responds with an ACK message.
In a SYN attack, the victim is overwhelmed with a flood of SYN packets. Every SYN packet forces the targeted server to produce a SYN/ACK response and then wait for the ACK acknowledgment. However, the attacker doesn’t respond with an ACK, or spoofs its destination IP address with a nonexistent address so that no ACK response occurs. The result is that the server begins filling up with half-open connections. When all the server’s available resources are tied up on half-open connections, it stops acknowledging new incoming SYN requests, including legitimate ones.
Buffer Overflow
A buffer overflow is a type of DoS attack that occurs when more data is put into a buffer (typically a memory buffer) than it can hold, thereby overflowing it (as the name implies).
Distributed Reflective DoS
This type of attack is also called an amplification attack, and it targets public UDP servers. Two of the most common protocols/servers that a distributed reflective DoS (DRDoS) attack usually goes after are Domain Name Service (DNS) and Network Time Protocol (NTP) servers, but Simple Network Management Protocol (SNMP), NetBIOS, and other User Datagram Protocol (UDP) protocols are also susceptible.
ExamAlert
As you study for the exam, be sure to know that reflective, amplified, and distributed are varieties/characteristics of Denial of Service (DoS) attacks.
ICMP Flood
An ICMP flood, also known as a ping flood, is a DoS attack in which large numbers of ICMP messages are sent to a computer system to overwhelm it. The result is a failure of the TCP/IP protocol stack, which cannot tend to other TCP/IP requests.
Social Engineering
Social engineering is a common form of cracking. It can be used by both outsiders and people within an organization. Social engineering is a hacker term for tricking people into revealing their password or some form of security information. It might include trying to get users to send passwords or other information over email, shoulder surfing, or any other method that tricks users into divulging information. Social engineering is an attack that attempts to take advantage of human behavior.
Logic Bomb
Software programs or code snippets that execute when a certain predefined event occurs are known as logic bombs. Such a bomb may send a note to an attacker when a user is logged on to the Internet and is accessing a certain application, for example. This message could inform the attacker that the user is ready for an attack and open a backdoor. Similarly, a programmer could create a program that always makes sure his/her name appears on the payroll roster; if it doesn’t, then key files begin to be erased. Any code that is hidden within an application and causes something unexpected to happen constitutes a logic bomb.
Rogue Access Points and Evil Twins
A rogue access point describes a situation in which a wireless access point has been placed on a network without the administrator’s knowledge. The result is that it is possible to remotely access the rogue access point because it likely does not adhere to company security policies. So, all security can be compromised by a cheap wireless router placed on the corporate network. An evil twin attack is one in which a rogue wireless access point poses as a legitimate wireless service provider to intercept information users transmit.
Advertising Wireless Weaknesses
These attacks start with war driving—driving around with a mobile device looking for open wireless access points with which to communicate and looking for weak implementations that can be cracked (called WEP cracking or WPA cracking). They then lead to war chalking—those who discover a way in to the network leave signals (often written in chalk) on, or outside, the premise to notify others that the vulnerability is there. The marks can be on the sidewalk, the side of the building, a nearby signpost, and so on.
Phishing
Often users receive a variety of emails offering products, services, information, or opportunities. Unsolicited email of this type is called phishing (pronounced “fishing”). This technique involves a bogus offer sent to hundreds of thousands or even millions of email addresses. The strategy plays the odds. For every 1,000 emails sent, perhaps one person replies. Phishing can be dangerous because users can be tricked into divulging personal information such as credit card numbers or bank account information. Today, phishing is performed in several ways. Phishing websites and phone calls are also designed to steal money or personal information.
Ransomware
With ransomware, software—often delivered through a Trojan horse—takes control of a system and demands that a third party be paid. The “control” can be accomplished by encrypting the hard drive, by changing user password information, or via any of a number of other creative ways. Users are usually assured that by paying the extortion amount (the ransom), they will be given the code needed to revert their systems to normal operations.
DNS Poisoning
With DNS poisoning, the DNS server is given information about a name server that it thinks is legitimate when it isn’t. This can send users to a website other than the one to which they wanted to go, reroute mail, or do any other type of redirection wherein data from a DNS server is used to determine a destination. Another name for this is DNS spoofing, and fast flux is one of the most popular techniques. It is used by botnets to hide the delivery sites behind a changing network of compromised hosts that act as proxies.
ARP Cache Poisoning
Address Resolution Protocol (ARP) poisoning tries to convince the network that the attacker’s MAC address is the one associated with an IP address so that traffic sent to that IP address is wrongly sent to the attacker’s machine.
Spoofing
Spoofing is a technique in which the real source of a transmission, file, or email is concealed or replaced with a fake source. This technique enables an attacker, for example, to misrepresent the original source of a file available for download. Then he can trick users into accepting a file from an untrusted source, believing it is coming from a trusted source.
Deauthentication
Deauthentication is also known as a disassociation attack. With this type of attack, the intruder sends a frame to the AP with a spoofed address to make it look like it came from the victim that disconnects the user from the network. Because the victim is unable to keep a connection with the AP, it increases their chances of choosing to use another AP—a rogue one or one in a hotel or other venue that they have to pay extra to use. A number of hotels had suits filed against them by the Federal Trade Commission for launching attacks of this type and generating revenue by requiring their guests to pay for “premium” services rather than being able to use the free Wi-Fi.
Brute Force
There are a number of ways to ascertain a password, but one of the most common is a brute force attack in which one value after another is guessed until the right value is found. Although that could take forever if done manually, software programs can take lots of values in a remarkably short period of time. WPS attacks, for example, have become much more common since the technology (Wi-Fi Protected Setup) is susceptible to brute force attacks used to guess the user’s PIN. When an attacker gains access, the attacker is then on the Wi-Fi network.
VLAN Hopping
VLAN hopping, as the name implies, is an exploit of resources on a Virtual LAN that is made possible because the resources exist on said Virtual LAN. There is more than one method by which this occurs, but in all of them the result is the same: An attacking host on a VLAN gains access to resources on other VLANs that are not supposed to be accessible to them (becoming a compromised system). Again, regardless of the method employed, the solution is to properly configure the switches to keep this from happening.
ExamAlert
A compromised system is any that has been adversely impacted (intentionally or unintentionally) by an untrusted source. The compromise can relate to confidentiality, integrity, or availability.
Man-in-the-Middle Attacks
In a man-in-the-middle attack, the intruder places himself between the sending and receiving devices and captures the communication as it passes by. The interception of the data is invisible to those sending and receiving the data. The intruder can capture the network data and manipulate it, change it, examine it, and then send it on. Wireless communications are particularly susceptible to this type of attack. A rogue access point, a wireless AP that has been installed without permission, is an example of a man-in-the-middle attack. If the attack is done with FTP (using the port command), it is known as an FTP bounce attack.
Exploits and Zero-Day Attacks
When a hole is found in a web browser or other software, and miscreants begin exploiting it the very day it is discovered by the developer (bypassing the 1- to 2-day response time many software providers need to put out a patch after the hole has been found), it is known as an exploit attack or zero-day attack. Zero-day attacks are incredibly difficult to respond to. If attackers learn of the weakness the same day as the developer, they have the ability to exploit it until a patch is released. Often, the only thing you as a security administrator can do between the discovery of the exploit and the release of the patch is to turn off the service. Although this can be a costly undertaking in terms of productivity, it is the only way to keep the network safe.
ExamAlert
Be ready to identify the types of attacks just described. You can expect questions on the exam about these types of attacks.
Vulnerabilities and Prevention
The threat from malicious code is a real concern. You need to take precautions to protect your systems. Although you might not eliminate the threat, you can significantly reduce it.
One of the primary tools used in the fight against malicious software is antivirus/antimalware software. Antimalware software (which includes antivirus software and more) is available from a number of companies, and each offers similar features and capabilities. You can find solutions that are host based, cloud/server based, or network based. The following is a list of the common features and characteristics of antivirus software:
Real-time protection: An installed antivirus program should continuously monitor the system looking for
viruses. If a program is downloaded, an application opened, or a suspicious email
received, the real-time virus monitor detects and removes the threat. The virus application
sits in the background, largely unnoticed by the user.
Virus scanning: An antivirus program must scan selected drives and disks, either locally or remotely.
You can manually run scanning or schedule it to run at a particular time.
Scheduling: It is a best practice to schedule virus scanning to occur automatically at a predetermined
time. In a network environment, this typically is off hours, when the overhead of
the scanning process won’t impact users.
Live updates: New viruses and malicious software are released with alarming frequency. It is recommended
that the antivirus software be configured to regularly receive virus updates.
Email vetting: Emails represent one of the primary sources of virus delivery. It is essential to
use antivirus software that provides email scanning for both inbound and outbound
email.
Centralized management: If used in a network environment, it is a good idea to use software that supports
managing the virus program from the server. Virus updates and configurations need
to be made only on the server, not on each client station.
Managing the threat from viruses is considered a proactive measure, with antivirus software only part of the solution. A complete security protection strategy requires many aspects to help limit the risk of malware, viruses, and other threats:
Develop in-house policies and rules: In a corporate environment or even a small office, you need to establish what information
can be placed on a system. For example, should users download programs from the Internet?
Can users bring in their own storage media, such as USB flash drives? Is there a corporate
BYOD policy restricting the use of personal smartphones and other mobile devices?
Monitoring virus threats: With new viruses coming out all the time, you need to check whether new viruses have
been released and what they are designed to do.
Educate users: One of the keys to a complete antivirus solution is to train users in virus prevention
and recognition techniques. If users know what to look for, they can prevent a virus
from entering the system or network. Back up copies of important documents. It should
be mentioned that no solution is absolute, so care should be taken to ensure that
the data is backed up. In the event of a malicious attack, redundant information is
available in a secure location.
Automate virus scanning and updates: You can configure today’s antivirus software to automatically scan and update itself.
Because such tasks can be forgotten and overlooked, it is recommended that you have
these processes scheduled to run at predetermined times.
Don’t run unnecessary services: Know every service that is running on your network and the reason for it. If you
can avoid running the service, equate it with putting another lock on the door and
do so.
Keep track of open ports: Just as you don’t want unnecessary services running, you don’t want unnecessary ports
left open. Every one of them is an unguarded door through which a miscreant can enter.
Avoid unencrypted channels and clear-text credentials: The days when these were acceptable have passed. Continuing to use them is tantamount
to inviting an attack.
Shun unsecure protocols: Once upon a time, clear-text passwords were okay to use because risks of anyone getting
on your network who should not were minimal. During those days, it was okay to use
unsecure protocols as well because the priority was on ease of use as opposed to data
protection. All of this went out of acceptance decades ago and you must—in the interest
of security—be careful with the following unsecure protocols: Telnet, HTTP, SLIP,
FTP, TFTP, and SNMP (v1 and v2). Secure alternatives—offering the same functionality,
but adding acceptable levels of security—are available for each. Where possible, opt
instead for SSH, SNMPv3, TLS/SSL, SFTP, HTTPS, and IPsec.
Patches and updates: All applications, including productivity software, virus checkers, and especially
the operating system, release patches and updates often, designed to address potential
security weaknesses. Administrators must keep an eye out for these patches and install
them when they are released. Pay particular attention to unpatched/legacy systems
and keep them as secure as possible.
One of the best tools to use when dealing with problems is knowledge. In several locations, CompTIA stresses that user education is important, but even more important is that administrators know what is going on and keep learning from what is going on now and what has gone on in the past. As an example, TEMPEST is the name of a project commenced by the U.S. government in the late 1950s that all administrators should be familiar with. TEMPEST was concerned with reducing electronic noise from devices that would divulge intelligence about systems and information. This program has become a standard for computer systems certification. TEMPEST shielding protection means that a computer system doesn’t emit any significant amounts of electromagnetic interference (EMI) or radio frequency interference (RFI) (RF emanation). For a device to be approved as a TEMPEST, it must undergo extensive testing, done to exacting standards that the U.S. government dictates. Today, control zones and white noise are used to accomplish the shielding. TEMPEST-certified equipment often costs twice as much as non-TEMPEST equipment.
ExamAlert
Know some of the ways to prevent networking attacks and mitigate vulnerabilities.
Cram Quiz
1. Which of the following is an attack in which a rogue wireless access point poses as a legitimate wireless service provider to intercept information users transmit?
A. Zero day
B. Phishing
C. Evil twin
D. Social engineering
2. Which of the following is a type of DoS attack that occurs when more data is put into a buffer than it can hold?
A. Dictionary attack
B. Buffer overflow
C. Worm
D. Trojan horse
3. Which of the following is an attack in which something that appears as a helpful or harmless program carries and delivers a malicious payload?
A. Worm
B. Phish
C. Evil twin
D. Trojan horse
4. Which of the following is an attack in which users are tricked into revealing their passwords or some form of security information?
A. Bluesnarfing
B. Phishing
C. Evil twin
D. Social engineering
Cram Quiz Answers
1. C. An evil twin attack is one in which a rogue wireless access point poses as a legitimate wireless service provider to intercept information users transmit.
2. B. A buffer overflow is a type of DoS attack that occurs when more data is put into a buffer than it can hold.
3. D. Trojan horses appear as helpful or harmless programs but, when installed, carry and deliver a malicious payload.
4. D. Social engineering is a term for tricking people (users) into revealing their passwords or some form of security information.
Mitigation Techniques
Explain common mitigation techniques and their purposes.
CramSaver
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. True or false: A honeypot is a trap that allows the intruder in but does not allow access to sensitive data.
2. True or false: A root guard is used to prevent misuse of BPDU packets on a switch.
Answers
1. True. A honeypot is a trap that allows the intruder in but does not allow access to sensitive data.
2. True. A root guard is used to prevent misuse of BPDU packets on a switch.
The previous section looked at some of the more common types of networking attacks and concluded with a discussion of vulnerability prevention. This section continues that discussion by focusing on mitigation techniques. Mitigation is defined as the action of reducing the severity, seriousness, or painfulness of something. When it comes to network security, mitigation is the actions, techniques, and ways of reducing the possibility of an attack and the severity of one that may occur. The focus of this section is on issues related to that topic.
Signature Management
Digital signatures are the electronic equivalent of a sealed envelope and are intended to ensure that a file has not been altered in transit. Any file with a digital signature is used to verify not only the publishers of the content or file, but also to verify the content integrity at the time of download. On the network, PKI enables you to issue certificates to internal developers/contractors and enables any employee to verify the origin and integrity of downloaded applications.
Device Hardening
The first section of this chapter looked at network device hardening. Know that it is important to change default passwords, keep firmware current, and disable unused elements (ports, services, and the like).
Change Native VLAN
On switches, the native VLAN is the only VLAN that is not tagged in a trunk. This means that native VLAN frames are transmitted unchanged. By default, the native VLAN is port 1, and that default represents a weakness in that it is something known about your network that an attacker could use. To strengthen security, albeit a small amount, you can change the native VLAN to another port. The command(s) used to do so are dependent on the vendor and model of your port but can be easily found online.
Switch and Port Protection
Switches and ports have been mentioned already, but it is worth bringing them up again because they can represent quite a weakness. Be sure to secure switches, disable unused ports, and be on the lookout or aware of the issues discussed in the following sections.
ExamAlert
As you study for the exam, know that securing switches, disabling unused ports, and using common-sense solutions can go far in improving network security.
Spanning Tree
The Spanning Tree Protocol (STP) is defined as IEEE 802.1d and the more recent Rapid Spanning Tree 802.1w. This protocol can be a godsend when it comes to solving certain problems with switches. Loops, for example, can occur when more than one bridge or switch is implemented on the network. In this scenario, the devices can confuse each other by leading one another to believe that a host is located on a certain segment when it is not. To combat the loop problem, STP enables bridge/switch interfaces to be assigned a value that is then used to control the learning process.
Flood Guards, BPDU Guards, and Root Guards
Because switches can be subject to DoS attacks, flood guards are used to look for and prevent malicious traffic from bringing the switch to a halt. Whether it is DoS in question, or DDoS, a flood guard is used as protection for a switch and can be purchased as a standalone device or with another.
Similarly, a bridge protocol data unit (BPDU) guard prevents looping on a switch. It protects the spanning tree domain from external influence by moving a nontrunking port into an error state when a BPDU is received on that port. BPDUs are data messages that are exchanged across the switches via spanning tree protocol topology. These data packets contain information on ports, addresses, priorities, and costs and ensure that the data ends up where it was intended to go; the guard shuts down interfaces that receive BPDUs instead of putting them into the spanning tree blocking state where they could cause looping.
Root guards are similar to BPDU guards in that they are used to prevent malicious exploitation of BPDU packets. The difference is that a root guard is used to prevent another switch from becoming the BPDU superior. Root guard is needed when you connect a network that you manage to one that you do not.
DHCP Snooping
Although it sounds like a bad thing, DHCP snooping is just the opposite. It is the capability for a switch to look at packets and drop DHCP traffic that it determines to be unacceptable based on the defined rules. The purpose of this is to prevent rogue DHCP servers from offering IP addresses to DHCP clients.
Demilitarized Zones (Perimeter Network)
An important firewall-related concept is the demilitarized zone (DMZ), sometimes called a perimeter network. A DMZ is part of a network where you place servers that must be accessible by sources both outside and inside your network. However, the DMZ is not connected directly to either network, and it must always be accessed through the firewall. The military term DMZ is used because it describes an area that has little or no enforcement or policing.
Using DMZs gives your firewall configuration an extra level of flexibility, protection, and complexity. Figure 10.3 shows a DMZ configuration.
By using a DMZ, you can create an additional step that makes it more difficult for an intruder to gain access to the internal network. In Figure 10.3, for example, an intruder who tried to come in through Interface 1 would have to spoof a request from either the web server or proxy server into Interface 2 before it could be forwarded to the internal network. Although it is not impossible for an intruder to gain access to the internal network through a DMZ, it is difficult.
ExamAlert
Be prepared to identify the purpose of a DMZ.
VLAN Network Segmentation
By dividing one network into smaller subnetworks, it is possible to optimize it in a number of ways. The segmentation is accomplished with switches and VLANs, and the separation can be done to isolate such things as heavy load systems or certain protocols. By moving those to their own subnetwork, the result should be performance increases for other parts of the network.
Note
Popular today is using virtual machines (VMs) to segment or separate systems (software) from the main OS (host versus guest) and the rest of the network through virtual switches.
Privileged User Account
Enforcing user privileges can be fairly taxing. If the user does not have least privileges (discussed earlier in this chapter), the user's escalated privileges could allow them to access data to which they would not otherwise have access and cause harm to it—intentional or not. Be cognizant of the fact that you won’t have the same control over user accounts in the cloud as you do locally, and when someone locks his account by entering the wrong password too many times in a row, you or they could be at the mercy of the hours that the technical staff is available at the provider.
You want to carefully monitor all privileged users accounts (admin, root, and so on) and apply more protection to them than to any other accounts because of the power they have. Give privileges to users only as needed, and try to limit elevated permissions to being used only when needed (and then returning to regular user permissions until elevated ones are needed again).
File Integrity Monitoring
File hashing was discussed earlier in terms of verifying that the files downloaded are what you expect them to be. The same concept for files you may download should be applied to files residing on your system. Use checksums and file integrity systems to monitor your files and make certain the ones you are backing up are unchanged and complete.
Role Separation
Separation of duties policies are designed to reduce the risk of fraud and to prevent other losses in an organization. A good policy will require more than one person to accomplish key processes. This may mean that the person who processes an order from a customer isn’t the same person who generates the invoice or deals with the billing.
Separation of duties helps prevent various problems, such as an individual embezzling money from a company. To embezzle funds successfully, an individual would need to recruit others to commit an act of collusion—that is, an agreement between two or more parties established for the purpose of committing deception or fraud. Collusion, when part of a crime, is also a criminal act in and of itself.
In addition, separation-of-duties policies can help prevent accidents from occurring in an organization. Suppose that you’re managing a software development project. You want someone to perform a quality assurance test on a new piece of code before it’s put into production. Establishing a clear separation of duties prevents development code from entering production status until quality testing is accomplished.
Many banks and financial institutions require multiple steps and approvals to transfer money. This helps reduce errors and minimizes the likelihood of fraud.
Using ACLs to Restrict Access
Earlier in this chapter, the section “Authentication and Access Controls” discussed access control lists. The main item to take away is that an ACL defines who can access resources, and there must be an inherent understanding by the system that unless permission has been explicitly granted, it is denied.
Honeypots and Honeynets
When talking about network security, honeypots and honeynets are often mentioned. Honeypots are a rather clever approach to network security but perhaps a bit expensive. A honeypot is a system set up as a decoy to attract and deflect attacks from hackers. The server decoy appears to have everything a regular server does—OS, applications, and network services. The attacker thinks he is accessing a real network server, but he is in a network trap.
The honeypot has two key purposes. It can give administrators valuable information on the types of attacks being carried out. In turn, the honeypot can secure the real production servers according to what it learns. Also, the honeypot deflects attention from working servers, allowing them to function without being attacked.
A honeypot can do the following:
Deflect the attention of attackers from production servers
Deter attackers if they suspect their actions may be monitored with a honeypot
Allow administrators to learn from the attacks to protect the real servers
Identify the source of attacks, whether from inside the network or outside
ExamAlert
Think of a honeypot as a trap that allows the intruder in but does not allow access to sensitive data.
One step up from the honeypot is the honeynet. The honeynet is an entire network set up to monitor attacks from outsiders. All traffic into and out of the network is carefully tracked and documented. This information is shared with network professionals to help isolate the types of attacks launched against networks and to proactively manage those security risks. Honeynets function as a production network, using network services, applications, and more. Attackers don’t know that they are actually accessing a monitored network.
Penetration Testing
It is becoming more common for companies to hire penetration testers to test their system’s defenses. Essentially, a penetration tester will use the same techniques that a hacker would use to find any flaws in a system’s security. These flaws may be discovered by means other than directly accessing the system, such as collecting information from public databases, talking to employees/partners, dumpster diving, and social engineering. This is known as passive reconnaissance. In contrast to this, active reconnaissance directly focuses on the system (port scans, traceroute information, network mapping, and so forth) to identify weaknesses that could be used to launch an attack.
When doing penetration testing, it is important to have a scope document outlining the extent of the testing that is to be done. It is equally important to have permission from an administrator who can authorize such testing—in writing—authorizing the testing to be conducted.
One weakness a good penetration test looks for is escalation of privilege; that is, a hole created when code is executed with higher privileges than those of the user running it. By breaking out of the executing code, the users are left with higher privileges than they should have.
Three types of penetration testing are Black Box (the tester has absolutely no knowledge of the system and is functioning in the same manner as an outside attacker), White Box (the tester has significant knowledge of the system, which simulates an attack from an insider—a rogue employee), and Gray Box (a middle ground between the first two types of testing. In gray box testing, the tester has some limited knowledge of the target system).
Note
With so many security-related topics now appearing on the Network+ exam, you have a good head start on Security+ certification study after you successfully finish taking this exam.
Cram Quiz
1. Which of the following is NOT one of the types of penetration testing?
A. Black Box
B. White Box
C. Red Box
D. Gray Box
2. Which of the following enables bridge/switch interfaces to be assigned a value that is then used to control the learning process?
A. LGH
B. STP
C. eDiscovery
D. DTP
3. Which of the following is one step up from the honeypot?
A. Geofence
B. VLAN
C. DMZ
D. Honeynet
Cram Quiz Answers
1. C. The three types of penetration testing are Black Box, White Box, and Gray Box. The differences among them are based on how much knowledge of the target system is provided to the tester.
2. B. STP enables bridge/switch interfaces to be assigned a value that is then used to control the learning process.
3. D. One step up from the honeypot is the honeynet.
What’s Next?
The final chapter of this book focuses on all areas of network troubleshooting, including troubleshooting best practices and some of the tools and utilities you use to assist in the troubleshooting process.
No matter how well a network is designed and how many preventive maintenance schedules are in place, troubleshooting is always necessary. Because of this, network administrators must develop those troubleshooting skills.