CHAPTER 9: Security Standards and Services

Authentication schemes for which there are no standards or publicly available specifications will not receive rigorous peer security review. PEAP is an open standard supported under the security framework of the IEEE 802.1x specification. PEAP offers security and efficiency when used with roaming wireless devices. Authentication latency is frequently a concern with wireless networks because users may need to reconnect to a network through a number of AP devices as they roam. As a result, it is valuable to be able to reauthenticate quickly. PEAP supports this through the TLS session resumption facility, and any EAP method running under PEAP can take advantage of it. PEAP supports EAP authentication methods such as EAP-TLS and EAP-MS-CHAPv2 that can perform computer authentication. The PEAP protocol also specifies an option for hiding the user's name, known as identity privacy.

SUMMARY

In today's networking world, networks no longer have to be designed the same way. There are many options available for how to physically and logically design a network. All of these options can be used to increase the security of the internal network by keeping untrusted and unauthorized users out. Using DMZs to segment traffic into a protected zone between external and internal firewalls helps prevent attacks against your Internet-facing servers. VPNs allow remote network users to connect securely back to the corporate network. To further reduce the risk in your environment, application and service hardening should be considered. Be familiar with the required ports for the various services so that you can uninstall or disable unused services, which reduces unnecessary exposure. Include in that evaluation network services such as DNS and DHCP, and specific types of application services such as e-mail, databases, NNTP servers, and others.
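The summary above says to know the required ports for each service and to disable or uninstall what is unused. The following added example, which is not from the chapter, shows one way to make that check repeatable: it parses the output of `ss -lntp` (a constructed sample is embedded so it runs offline) and compares each listening TCP socket against a hypothetical per-host allowlist of expected services, flagging listeners that are not expected at all, that are served by an unexpected process, or that are bound to every interface when policy says loopback only. The allowlist, the sample output and the process names are assumptions chosen to resemble a small web and database host.

```python
"""Audit listening TCP sockets against an allowlist of expected services.

Added example, not from the chapter. SAMPLE_SS_OUTPUT is constructed to look
like `ss -lntp` on Linux; ALLOWLIST is a hypothetical policy for one host.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -lntp` (header line plus one row per listener).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       4096         127.0.0.1:3306        0.0.0.0:*      users:(("mysqld",pid=1203,fd=21))
LISTEN  0       511               [::]:80            [::]:*      users:(("nginx",pid=1440,fd=6),("nginx",pid=1441,fd=6))
LISTEN  0       50             0.0.0.0:119         0.0.0.0:*      users:(("innd",pid=2001,fd=4))
LISTEN  0       10             0.0.0.0:53          0.0.0.0:*      users:(("named",pid=655,fd=12))
"""

# Hypothetical policy: port -> (expected process name, loopback_only).
# Anything not listed is an unexpected listener on this host.
ALLOWLIST = {
    22: ("sshd", False),
    80: ("nginx", False),
    443: ("nginx", False),
    3306: ("mysqld", True),   # database must not be reachable from the network
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    procs: tuple   # process names owning the socket, sorted, duplicates removed


def parse_ss(output: str):
    """Parse `ss -lntp` output into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # handles "[::]:80" and "0.0.0.0:22"
        proc_field = fields[5] if len(fields) > 5 else ""   # absent without privileges
        procs = tuple(sorted(set(re.findall(r'"([^"]+)"', proc_field))))
        listeners.append(Listener(addr, int(port), procs))
    return listeners


def audit(listeners, allowlist=ALLOWLIST):
    """Return (port, reason) findings for listeners that violate the allowlist."""
    findings = []
    for l in listeners:
        rule = allowlist.get(l.port)
        names = "/".join(l.procs) or "unknown"
        if rule is None:
            findings.append((l.port, f"unexpected listener; disable or uninstall {names}"))
            continue
        proc, loopback_only = rule
        if proc not in l.procs:
            findings.append((l.port, f"expected {proc}, found {names}"))
        if loopback_only and l.addr not in LOOPBACK:
            findings.append((l.port, f"{proc} should bind loopback only, bound to {l.addr}"))
    return findings


if __name__ == "__main__":
    for port, reason in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"port {port}: {reason}")
```

On a real host, replace the sample with the live output (`ss -lntp` as root so the process column is populated) and keep the allowlist under version control next to the host's build definition, so an unexpected NNTP or DNS listener shows up as a policy diff rather than as a surprise in a port scan.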
IDSs are used to identify and respond to attacks on the network. Several types of IDSs exist, each with its own pros and cons. Which type you choose depends on your needs and ultimately on your budget. An IPS is a newer type of IDS that can respond quickly to perceived attacks. Honeypots are decoy systems, treated in this chapter as an advanced form of IDS, that entice an attacker to select them over the real targets on the network. Honeypots can be used to distract attackers from real servers and keep them occupied while you collect information on the attack and its source. After an attack has occurred, the most important thing to do is to collect all the evidence of the attack and its methods. You also want to take steps to ensure that the same type of attack cannot be performed successfully on the network in the future.

Authentication protocols are chosen based on the applications, complexity, and level of security needed. Kerberos provides access through secure encrypted keys and the issuance of tickets. CHAP validates the identity of the client through a three-way handshake (challenge, response, success or failure). RADIUS is the most popular of the AAA servers, which include RADIUS, TACACS, and TACACS+. Although TACACS offers authentication and authorization, it does not offer any accounting tools. TACACS+ is credited with separating the AAA functions. We learned the differences between RADIUS, TACACS, and TACACS+; TACACS+ uses TCP as its transport instead of UDP. Mutual authentication is a process in which both the requestor and the target entity must fully identify themselves before communication or access is allowed. We also reviewed EAP and PEAP.

EXAM OBJECTIVES FAST TRACK

Hardware and Software Security Devices

IDSs can be deployed to alert administrators of unusual or suspicious activity on the network.
Honeypots and honeynets can be useful tools to redirect the attention of attacks to decoy systems to prevent damage to production components.

Firewalls can be deployed to segment the network and add additional security with firewall rules.

The simplest way to define an IDS is to describe it as a specialized tool that knows how to read and interpret the contents of log files from sensors placed on the network, routers, firewalls, servers, and other network devices.

A firewall is a hardware or software device used to keep undesirables electronically out of a network, the same way that locked doors and secured server racks keep undesirables physically away from a network.

A packet-filtering firewall works at the network layer of the OSI model and is designed to operate rapidly by either allowing or denying packets.

An application layer gateway operates at the application layer of the OSI model, analyzing each packet and verifying that it contains the correct type of data for the specific application it is attempting to communicate with.

A stateful inspection firewall checks each packet to verify that it is an expected response to a current communications session. This type of firewall operates at the network layer but is aware of the transport, session, presentation, and application layers and derives its state table from them.

A proxy server is a server that sits between an intranet and its Internet connection. Proxy servers provide features such as document caching (for faster browser retrieval) and access control.

A honeypot is a computer system that is deliberately exposed to public access, usually on the Internet, for the express purpose of attracting and distracting attackers.

Network Ports, Services, and Threats

One of the most common methods of obtaining access to a Windows-based system, and then gaining control of it, is through NetBIOS traffic.
Modern Windows-based platforms allow the configuration of OS and network services from the provided administrative tools. These tools include the Services applet in the Control Panel or an MMC snap-in in a Windows XP/Vista/2003/2008 environment. It may also be possible to check or modify configurations in the network adapter properties and configuration pages.

As attacks become more complex, they tend to be both application-based and network-based, which has spawned the term mixed threat applications. An example of such an attack is the MyDoom worm, which targeted Windows machines in 2004.

Network Access Security

Remote Access Policies define the clients' access methods, the protocols permitted before authentication, and the access permissions granted upon successful authentication.

Biometrics is used with devices that authenticate something you are, such as a fingerprint or retinal image.

RADIUS is an acronym for Remote Authentication Dial-In User Service. RADIUS is the most popular of all the authentication, authorization, and accounting servers. RADIUS supports a number of protocols including PPP, PAP, and CHAP.

Kerberos is a multiplatform authentication method that requires tickets (tokens) and a KDC. It exists as a realm on most platforms and is used in the domain environment in Windows Active Directory structures.

Directory services are used to store and retrieve information about objects, which are managed by the service. LDAP services are used to access a wide variety of information that is stored in a directory. All popular NOSes implement directory services similar to LDAP.

CHAP offers a three-way handshake mechanism (Challenge, Response, and Accept/Reject). CHAP uses a shared secret and a one-way hash to protect it, so the secret itself never crosses the wire. CHAP is more secure than PAP, as PAP transmits the password in cleartext.

RADIUS and TACACS use UDP, and TACACS+ uses TCP.
Mutual authentication consists of using various methods to verify both parties to the transaction to each other.

802.1x uses EAP for passing messages between the supplicant and the authenticator.

Security Zones

A security zone is defined as any portion of a network that has specific security concerns or requirements. Intranets, extranets, DMZs, and VLANs are all security zones.

You must imagine the different pieces that make up a network as discrete network segments holding systems that share common requirements. These are sometimes called security zones, and some of these common requirements can be the types of information the zone handles, who uses the zone, and what levels of security the zone requires to protect its data.

In computer security, a DMZ is a "neutral" network segment where systems accessible to the public Internet are housed, which offers some basic level of protection against attacks.

EXAM OBJECTIVES FREQUENTLY ASKED QUESTIONS

Q: What is the difference between access controls and authentication? They seem to be the same.
A: Access controls set the conditions for opening the resource. This could be the time of day, where the connection originates, or any number of other conditions. Authentication verifies that the entity requesting access is who it claims to be.

Q: How do I choose a suitable authentication factor from the various authentication factors available?
A: Choose the authentication factor based on the applications you use and the level of security you want to provide. One-factor authentication is simple and less secure; it uses passwords only. Two-factor authentication adds a further level of security with token cards and a PIN. Multifactor authentication involves biometrics, voice recognition, or similar higher levels of security. Cost and ease of large-scale roll-out need to be considered in addition to security concerns when choosing multifactor authentication mechanisms.
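The CHAP handshake summarized in the fast track above (Challenge, Response, Accept/Reject, with a one-way hash protecting the shared secret) is easiest to see with both sides in code. The following is an added example, not from the chapter: a minimal RFC 1994 style exchange in Python, with a PAP request alongside for contrast and a captured "wire" list so you can check what a sniffer would see. The peer name, the secret, the identifier values and the wire-capture structure are constructed for the example; MD5 is used because that is the hash RFC 1994 specifies for CHAP, not as a recommendation for new designs.

```python
"""CHAP (RFC 1994) three-way handshake: Challenge, Response, Success/Failure.

Added example, not from the chapter. Names, secrets and the captured "wire"
are constructed locally. MD5 is kept for protocol fidelity with RFC 1994.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5 over Identifier || Secret || Challenge (RFC 1994 section 4.1)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Holds the shared secrets and issues one fresh random challenge per attempt."""

    def __init__(self, secrets: dict):
        self._secrets = secrets   # peer name -> shared secret; never sent on the wire
        self._pending = {}        # identifier -> challenge still outstanding

    def challenge(self, identifier: int, length: int = 16) -> bytes:
        chal = os.urandom(length)
        self._pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # pop(): a challenge can be answered once, so a replayed Response fails
        chal = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


def run_chap(authenticator, name, peer_secret, identifier=1, wire=None):
    """Drive the exchange between peer and authenticator; `wire` records each frame."""
    wire = wire if wire is not None else []
    chal = authenticator.challenge(identifier)
    wire.append(("Challenge", identifier, chal))                 # authenticator -> peer
    resp = chap_response(identifier, peer_secret, chal)
    wire.append(("Response", identifier, name, resp))            # peer -> authenticator
    ok = authenticator.verify(identifier, name, resp)
    wire.append(("Success" if ok else "Failure", identifier))    # authenticator -> peer
    return ok


def run_pap(name, password: bytes, wire=None):
    """PAP for contrast: the password itself is the authentication frame."""
    wire = wire if wire is not None else []
    wire.append(("Authenticate-Request", name, password))
    return wire


def secret_on_wire(wire, secret: bytes) -> bool:
    """True if the shared secret appears verbatim in any captured bytes field."""
    return any(secret in field for frame in wire
               for field in frame if isinstance(field, bytes))


if __name__ == "__main__":
    auth = Authenticator({"alice": b"s3cret"})
    capture = []
    print("CHAP ok:", run_chap(auth, "alice", b"s3cret", identifier=7, wire=capture))
    print("secret visible to sniffer (CHAP):", secret_on_wire(capture, b"s3cret"))
    print("secret visible to sniffer (PAP): ", secret_on_wire(run_pap("alice", b"s3cret"), b"s3cret"))
```

Two points the summary makes are checkable here: the sniffer sees a random challenge and a 16-byte hash but never the secret under CHAP, and sees the password itself under PAP; and because the authenticator discards a challenge once it has been answered, a captured Response cannot be replayed against a later challenge.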
Q: What are the devices that can be configured as RADIUS clients?
A: Various network devices, including routers, switches, and WAPs, can be configured as RADIUS clients.

Q: TACACS or TACACS+? Please advise.
A: TACACS+ is a proprietary Cisco protocol. It uses TCP. TACACS uses UDP and does not offer accounting tools. When your network is predominantly Cisco, you may consider TACACS+. All aspects of AAA are offered by TACACS+.

Q: What are the factors that influence PEAP deployment?
A: PEAP uses TLS to create an encrypted channel between the client supplicant and the RADIUS server. PEAP provides additional security for the client-side EAP authentication protocols, such as EAP-MS-CHAPv2, that operate through the TLS-encrypted channel. When you need to implement a higher level of security and want a wide range of NOS platforms for deployment, you may want to consider PEAP.

Q: What is a proxy server?
A: A proxy server is a device that sits between the Internet and the intranet and funnels traffic. It can provide access control and document caching. Depending on the implementation, proxy servers often cache Web page content, which makes browsing common sites faster, and they can publish internal Web site content to the Internet.

Q: How do I find out which port numbers are used by a specific application?
A: One of the easiest ways is to consult the product documentation when it is available. Other ways include examining the listening ports on the machine, using a packet sniffer to capture data transmitted by the application, and viewing the configuration information in the application.

SELF TEST

1. You are acting as a security consultant for a company wanting to decrease their security risks. As part of your role, they have asked that you develop a security policy that they can publish to their employees.
This security policy is intended to explain the new security rules and define what is acceptable and not acceptable from a security standpoint, as well as defining the method by which users can gain access to IT resources. What element of AAA is this policy a part of?
A. Authentication
B. Authorization
C. Access Control
D. Auditing

2. One of the goals of AAA is to provide CIA. A valid user has entered their ID and password, and has been authenticated to access network resources. When they attempt to access a resource on the network, the attempt returns a message stating, "The server you are attempting to access has reached its maximum number of connections." Which part of CIA is being violated in this situation?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication

3. You are performing a security audit for a company to determine their risk from various attack methods. As part of your audit, you work with one of the company's employees to see what activities he performs during the day that could be at risk. As you work with the employee, you see him perform the following activities:
Log in to the corporate network using Kerberos
Access files on a remote system through a Web browser using SSL
Log into a remote UNIX system using SSH
Connect to a POP3 server and retrieve e-mail
Which of these activities is most vulnerable to a sniffing attack?
A. Logging in to the corporate network using Kerberos
B. Accessing files on a remote system through a Web browser using SSL
C. Logging into a remote UNIX system using SSH
D. Connecting to a POP3 server and retrieving e-mail

4. You are reading a security article regarding penetration testing of various authentication methods. One of the methods being described uses a time-stamped ticket as part of its methodology. Which authentication method would match this description?
A. Certificates
B. CHAP
C. Kerberos
D. Tokens

5. You are a security consultant for a large company that wants to make its intranet available to its employees via the Internet. They want to ensure that the site is as secure as possible. To do this, they want to use multifactor authentication. The site uses an ID and password already, but they want to add security features that ensure that the site is indeed their site, not a spoofed site, and that the user is an authorized user. Which authentication technology supports this?
A. Certificates
B. CHAP
C. Kerberos
D. Tokens

6. You are developing a password policy for a company. As part of the password policy, you define the required strength of the password. Because of the security requirements for the company, you have required a minimum length of 14 characters, the use of uppercase and lowercase alphabetic characters, the use of numbers, and the use of special characters. What else should you require?
A. No dictionary words allowed in the password
B. No portion of the username allowed in the password
C. No personal identifiers allowed in the password
D. All the above

7. You have been asked to help a company implement multifactor authentication. They want to make sure that the environment is as secure as possible through the use of biometrics. Based on your knowledge of authentication, you understand that biometrics falls under the "something you are" category. Which other category should be used with the biometric device to provide the highest level of security?
A. Something you know
B. Something you have
C. Something you do
D. All the above

8. You are attempting to query an object in an LDAP directory using the distinguished name of the object. The object has the following attributes:
cn: 4321
givenName: John
sn: Doe
telephoneNumber: 905 555 1212
employeeID: 4321
mail: jdoe@nonexist.com
objectClass: organizationalPerson
Based on this information, which of the following would be the distinguished name of the object?
A. dc=nonexist, dc=com
B. cn=4321
C. dn: cn=4321, dc=nonexist, dc=com
D. jdoe@nonexist.com

9. You are creating a new LDAP directory, in which you will need to develop a hierarchy of organizational units and objects. To perform these tasks, on which of the following servers will you create the directory structure?
A. DIT
B. Tree server
C. Root server
D. Branch server

10. When using LDAP for authentication in an internetworking environment, what is the best way to ensure that the authentication data is secure from packet sniffing?
A. Use LDAP to keep all passwords encrypted when transmitted to the server.
B. Use LDAP over SSL/TLS to encrypt the authentication data.
C. Require that the clients use strong passwords so that they cannot easily be guessed.
D. Use LDAP over HTTP/S to encrypt the authentication data.

11. Which password attack will take the longest to crack a password?
A. Password guessing
B. Brute force attack
C. Dictionary attack
D. All attacks are equally fast

12. The company you are working for has decided to do something to make their workstations more secure. They have decided to give all users a Smart Card for use with system logins. Which factor of authentication is used with this new requirement?
A. Something you know
B. Something you have
C. Something you are
D. Something you do

13. Choose the correct set of terms: When a wireless user, also known as the ___________, wants to access a wireless network, 802.1x forces them to authenticate to a centralized authority called the ____________.
A. Authenticator; supplicant
B. Supplicant; authenticator
C. Supplicant; negotiator
D. Contact; authenticator

14. You have been asked to take an existing router and use it as a firewall. Management would like you to use it to perform address translation and to block some known bad IP addresses from which previous attacks have originated. With this in mind, which of the following statements are accurate?
A. You have been asked to perform NAT services.
B. You have been asked to set up a proxy.
C. You have been asked to set up stateful inspection.
D. You have been asked to set up a packet filter.

15. EAP is available in various forms including:
A. EAPoIP, EAP-TLS, EAP-TTLS, RADIUS, Cisco LEAP, EAP-FAST
B. EAPoIP, EAP-TLS, EAP-MPLS, RADIUS, EAP-FAST
C. EAPoIP, EAP-TLS, EAP-TTLS, RADIUS, Cisco PEAP
D. EAPoIP, EAP-TLS, EAP-TTLS, Kerberos, EAP-FAST

SELF TEST QUICK ANSWER KEY

1. C
2. C
3. D
4. C
5. A
6. D
7. D
8. C
9. C
10. B
11. B
12. B
13. B
14. B
15. D