A+, Network+, Security+ Exams in a Nutshell, part 9 (ppsx)


644 | Chapter 11: Security+ Exam Study Guide

Figures 11-9 and 11-10 show ad-hoc and infrastructure wireless network configurations respectively.

Wired Equivalent Privacy (WEP)

WEP was the original security standard for 802.11 wireless networks, designed to provide privacy for transmissions between the AP and the wireless client. It uses a shared key both for authentication and for encrypting and decrypting wireless transmissions. Up to four keys can be defined on the AP and the client, and these keys can be rotated. WEP keys are 40-bit or 104-bit (marketed as 64- and 128-bit, because the 24-bit IV is counted as part of the key). When WEP is enabled, the keys and the SSID must match on the AP and the clients. WEP is easy to implement because the administrator or the user simply types in the keys. Note that WEP has been deprecated by the IEEE since 2004 and can be cracked with freely available tools (see "Types of attacks on wireless networks" below); it remains on the exam objectives, not in sound production designs.

WEP uses the CRC-32 checksum for data integrity and the RC4 stream cipher for privacy. Both the AP and the client encrypt and decrypt with the same preshared key. The sender runs the plaintext through the integrity check algorithm, Cyclic Redundancy Check (CRC-32), to produce the Integrity Check Value (ICV), and appends the ICV to the plaintext. A 24-bit Initialization Vector (IV) is generated for each frame and prepended to the secret key to form the RC4 key; the IV is transmitted in the clear and is meant to change on every frame so that the same keystream is never used twice. Neither goal holds up in practice: a 24-bit IV space is exhausted within hours on a busy network, and CRC-32 is a linear checksum rather than a keyed MAC, so it cannot detect deliberate modification.

Figure 11-9. Ad-hoc wireless network
Figure 11-10. Infrastructure wireless network (base station, wireless Ethernet network, file server, PC, wireless access point)

Authentication in wireless networks

The IEEE 802.11 standard defines the following two types of authentication in wireless networks.

Open authentication. Open authentication is effectively no authentication at all: any station that knows the SSID can associate with the AP.
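Before going further into authentication, here is the WEP frame construction described above (CRC-32 ICV appended to the plaintext, RC4 keyed with IV || key, IV sent in the clear), as an added Python example that is not part of the original book text. It also shows why the design fails: two frames encrypted under the same IV share a keystream, so known plaintext for one frame decrypts the other; the same keystream recovery lets an eavesdropper answer the shared key authentication challenge discussed in the next paragraphs without knowing the key; and because CRC-32 is linear, ciphertext bits can be flipped and the ICV corrected without the key. The key, IV and frame contents are constructed for the example.

```python
import struct
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream from `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                     # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Build a WEP-protected frame body: IV || RC4_{IV||key}(plaintext || ICV).
    The 3-byte IV travels in the clear; key is 5 bytes (40-bit) or 13 bytes (104-bit)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Strip the IV, decrypt, check the ICV; return the plaintext or None if the ICV fails."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None


# --- What an eavesdropper gets from the design flaws -------------------------

def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext for one frame gives the keystream for that frame's IV; no key needed."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame sent under the same IV using only the recovered keystream."""
    return xor(frame[3:], keystream)[:-4]


def forge_auth_response(seen_response: bytes, seen_challenge: bytes, new_challenge: bytes) -> bytes:
    """Shared key authentication: the challenge is sent in the clear and the response is the
    WEP encryption of it, so one captured exchange yields a keystream that answers any later
    challenge of the same length. The IV is simply reused; WEP does not reject repeated IVs."""
    ks = recover_keystream(seen_response, seen_challenge)
    return seen_response[:3] + xor(new_challenge + icv(new_challenge), ks)


def flip_bits(frame: bytes, mask: bytes) -> bytes:
    """CRC-32 is linear, not a keyed MAC: XOR `mask` into the ciphertext and the matching
    correction into the encrypted ICV, and the modified frame still verifies."""
    iv, ct = frame[:3], frame[3:]
    icv_fix = struct.pack("<I", zlib.crc32(mask) ^ zlib.crc32(bytes(len(mask))))
    return iv + xor(ct, mask + icv_fix)
```

Run `wep_decrypt(KEY, flip_bits(wep_encrypt(KEY, IV, b"amount=0100"), mask))` with a mask that flips the first digit and the frame decrypts cleanly to `amount=9100`; that is what "CRC-32 for integrity" buys you against a deliberate attacker.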
Open authentication does not imply that no encryption is used; WEP keys can still be required for data frames once the station has associated. Any client that knows the SSID of the AP can connect to the wireless network.

Shared key authentication. Shared key authentication grants access only to wireless clients that possess the SSID and the shared WEP key. The process begins when a client (the supplicant) requests a connection with the AP (the authenticator). The AP sends a random challenge text to the client. The client encrypts the challenge with the shared key and sends it back. The AP decrypts the response and compares it with the original challenge; if the two match, the client is authenticated and granted access.

Shared key authentication is susceptible to a known-plaintext attack: the challenge is sent in the clear and the response is the same text encrypted with WEP, so an eavesdropper who captures both recovers the RC4 keystream for that IV by XORing them together, and can replay it to answer a later challenge without knowing the key. For this reason shared key authentication is considered a weak method. Counter-intuitively, it is weaker than open authentication with WEP, because the handshake hands the attacker a keystream for free.

802.1x authentication. 802.1X is a standard for port-based network access control: a device is authenticated before the port it is attached to (for wireless, its association with the AP) is allowed to pass traffic. It gives administrators a choice of authentication (EAP) methods and key management mechanisms. Most newer APs are 802.1X-compliant. For details of the 802.1X authentication process, refer to the "Remote Access" section earlier in this chapter. Some of the benefits of 802.1X authentication are as follows:

• It allows dynamic creation of per-user, per-session keys. Static keys need not be stored on the AP.
• With EAP methods that support it, it provides mutual authentication: the client verifies the authentication server as well as being verified by it, before communication begins. This helps prevent MITM attacks by rogue APs.
• When used with EAP methods that derive keys, it supplies the keying material for per-packet integrity protection of the data frames.
• It defines strong mechanisms for identification and authentication.

Types of attacks on wireless networks

Wireless networks are exposed to both passive and active attacks, including DoS, MITM, spoofing, packet sniffing, war driving, jamming, network hijacking, and more. Passive attacks are common and very hard to detect because the attacker only collects information and transmits nothing. Active attacks are typically launched once the attacker has gathered enough information about the network through passive observation. The following are some common attacks against wireless networks:

War driving
Attackers use freely available war-driving software (such as NetStumbler) to passively locate wireless networks, recording SSIDs, channels and encryption settings, in order to find insecure networks they can easily get into.

Man-in-the-Middle (MITM)
These attacks are common on wireless networks. The attacker plants a rogue AP within range of an existing wireless network, typically advertising the legitimate SSID. Users cannot tell whether they are connecting to a legitimate AP or to the rogue. Since AP range may extend outside the building, the rogue AP may even sit in a car parked outside.

Plain-text attacks
WEP is prone to these attacks. In shared key authentication the challenge is sent in plain text and its encryption is observable, which gives the attacker a keystream. RC4 as used in WEP has further known weaknesses: the 24-bit IV (the same size for 40- and 104-bit keys) repeats after at most 16 million frames, and certain IV values leak bytes of the key because the IV is simply prepended to it. WEP keys can be recovered with tools such as WEPCrack and AirSnort.

Packet sniffing and eavesdropping
These are two common techniques used to attack wireless networks. Sniffing is the monitoring of network traffic with ordinary network analysis tools; on a wireless network it needs no physical access to the medium.
Attackers can use any monitoring tool, such as AiroPeek, Ethereal (now Wireshark), or tcpdump, to monitor wireless networks and find unprotected networks to exploit. Wireless networks are protected against these attacks by strong encryption and authentication.

Jamming
Flooding the radio frequencies with unwanted signals so that the legitimate signal is unavailable to the wireless devices.

Network hijacking
Taking over a user's active session on the wireless network. The attacker inserts himself between a network server and the wireless client, and from that point on the communication takes place between the hijacker and the client or the server. The attacker may also use a rogue AP to divert a client session.

Denial of Service (DoS)
Most active attacks on wireless networks can be turned into a DoS. A DoS occurs when legitimate clients are prevented from accessing network resources because the service is unavailable.

Flooding
Attackers can flood a wireless network with any of the usual methods, such as ICMP (ping) flooding and SYN flooding.

Protecting wireless networks from attacks

Administrators must take steps to protect wireless networks from outside threats and attacks. Some protective measures:

• Keep software and firmware updated by regularly checking vendors' web sites.
• Change the AP's default settings, such as the SSID and the administrative password, at installation. Attackers know the defaults.
• Always enable encryption. Even 40-bit WEP raises the bar above an open network, but WEP of any key length can be cracked with the tools listed above and deters only casual attackers; where the hardware supports anything stronger, use it.
• Wherever possible, use adapters and APs that support 128-bit WEP, MAC filtering, and disabling of SSID broadcasts. Note that the SSID and client MAC addresses are both transmitted in the clear and are trivially recovered by a sniffer or spoofed, so these controls only deter casual discovery.
• If SSID broadcasts are not disabled, avoid using a DHCP server to assign addresses to wireless clients: war-driving software will otherwise learn your internal addressing scheme simply by associating. Like hiding the SSID, this is obscurity rather than a security boundary.
• Rotate static WEP keys frequently so that a compromised key has limited value.
• Place the wireless network in a separate network segment. If possible, create a separate perimeter network (also known as a wireless DMZ) that is isolated from the organization's main network by a firewall.
• Conduct regular site surveys to detect rogue APs near the wireless network.
• AP placement is critical. Place APs toward the center of the building and avoid placing them near windows and exterior doors, to limit signal leakage outside.

Site surveys. A site survey lets administrators find where their wireless signal extends beyond the intended coverage area and which APs are visible from outside. The tools used are typically the same ones attackers use to find unprotected networks; popular choices include NetStumbler, Kismet, AirSnort, and WEPCrack. A physical inspection of the building's surroundings is also important: attackers sometimes use high-gain antennas to pick up weak signals from APs at a distance. Site surveys also include watching for suspicious activity by people around the building.

Infrastructure Security

Designing, implementing, and maintaining a network infrastructure includes ensuring the security of the network.
It is not an easy task, because a network has many components: network devices, media, server and workstation hardware, network operating systems, and applications. Administrators must secure each of these components so that the entire network is safe from outside attack. This section covers the concepts and security aspects of the network components that need proper configuration.

Device-based Security

Network devices should be chosen carefully and installed with correct configurations to avoid security loopholes. It is important to know the potential security problems of each device type and how to configure devices to prevent unauthorized access to the network or to servers holding confidential data. The devices that make up a secure network are discussed in the following sections.

Firewalls

A firewall is a hardware device or a software application that sits between the organization's internal network and external networks and controls which traffic may pass between them. A properly configured firewall blocks all unauthorized access to the internal network and can also prevent internal users from reaching potentially harmful external networks. The three common firewall technologies are packet-filtering firewalls, application-layer firewalls, and stateful inspection firewalls.

Packet-filtering firewalls. Packet-filtering firewalls inspect the headers of each IP packet and, based on predefined rules, allow or block it. They permit or deny access to specific ports or IP addresses, and operate under one of two basic policies: Allow by Default and Deny by Default.
Under Allow by Default, all traffic is permitted except what is specifically denied. Under Deny by Default, all traffic is blocked except what is specifically allowed. Deny by Default is the better policy: only explicitly authorized traffic, identified by port number or IP address, enters the network, and anything the administrator did not anticipate is blocked rather than let through.

Packet-filtering firewalls use IP addresses and TCP/UDP port numbers to decide whether traffic is allowed. Rules can match on the source IP address, the destination IP address, the source port, or the destination port. Port numbers fall into three IANA-assigned categories:

• Well-known ports, 0 to 1023.
• Registered (user) ports, 1024 to 49151.
• Dynamic/private (ephemeral) ports, 49152 to 65535.

For the Security+ exam, you will need to know the port numbers used by common protocols and services. Table 11-2 lists some of the well-known ports.

Packet-filtering firewalls are usually described as working at the Network layer (Layer 3) of the OSI model, although the port numbers they match on come from the Layer 4 (TCP/UDP) header. They are easy to configure, since a packet is simply allowed or blocked, and they add almost no latency. They have limitations: they inspect only the headers, not the payload, and a rule that permanently opens a port (for example for an application that opens ports dynamically) leaves that port exposed whether or not a legitimate session is using it.

Application-layer firewalls. Application-layer firewalls work at the Application layer (Layer 7) of the OSI model. They are also known as application firewalls or application-layer gateways. This technology is more thorough than packet filtering because it examines the entire packet, including the application payload, to allow or deny traffic.
Proxy servers use this technology to provide application-layer filtering to clients. Application-layer inspection lets the firewall examine the whole IP packet and, based on configured rules, pass only the intended traffic. One major drawback is that application-layer firewalls are much slower than packet filters: every packet is terminated at the firewall, inspected against a complex rule set, and re-assembled before being passed on. This is what allows, for example, virus signatures in a payload to be detected and blocked. The more rigorous inspection comes at the cost of administration effort and throughput.

Table 11-2. Well-known port numbers

Port number           Protocol/Service
20                    File Transfer Protocol (FTP), data port
21                    File Transfer Protocol (FTP), control port
22                    Secure Shell (SSH)
23                    Telnet
25                    Simple Mail Transfer Protocol (SMTP)
53                    Domain Name System (DNS)
67 and 68             Bootstrap Protocol (BOOTP); also used by the Dynamic Host Configuration Protocol (DHCP)
80                    HyperText Transfer Protocol (HTTP)
110                   Post Office Protocol version 3 (POP3)
119                   Network News Transfer Protocol (NNTP)
137, 138, and 139     NetBIOS name service, datagram service, and session service (Windows)
143                   Internet Message Access Protocol version 4 (IMAP4)
161 and 162           Simple Network Management Protocol (SNMP); 162 carries traps
389                   Lightweight Directory Access Protocol (LDAP)
443                   HTTP over SSL/TLS (HTTPS)

Stateful Inspection Firewalls. Stateful inspection firewalls actively track the state of every connection passing through them. This addresses the main drawbacks of both packet-filtering and application-layer firewalls. The firewall distinguishes legitimate packets for different types of connections and allows only those that match a known connection state, for example a reply that corresponds to a request it has already seen.
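The difference between the stateless and stateful models above, as an added Python example that is not from the original book: a deny-by-default packet filter that matches only on addresses and ports and therefore has to leave a permanent return-path hole, a stateful filter that records outbound connections and admits inbound packets only as replies to one of them, and a helper that classifies ports into the IANA ranges given above. The addresses, rules and packet sequence are constructed for the example; the constructed inside network is 10.0.0.0/24, written as the prefix "10.0.0." for simplicity.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # first packet of a TCP connection
    fin: bool = False       # connection teardown


def port_class(port: int) -> str:
    """IANA ranges: well-known 0-1023, registered 1024-49151, dynamic/private 49152-65535."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a port number: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


@dataclass(frozen=True)
class Rule:
    """Stateless rule. Address fields are prefix matches ("10.0.0." covers the whole
    constructed inside network); None matches anything."""
    action: str                      # "allow" or "deny"
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src.startswith(self.src))
                and (self.dst is None or p.dst.startswith(self.dst))
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


class PacketFilter:
    """Stateless packet filter: first matching rule wins, the default policy decides the rest."""

    def __init__(self, rules: Iterable[Rule], default: str = "deny"):
        self.rules, self.default = list(rules), default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


def stateless_web_rules(inside: str = "10.0.0.") -> PacketFilter:
    """Deny-by-default rules that let inside hosts browse the web. Because the filter has
    no memory, the return path must be a permanent hole: anything from source port 80
    to any inside host is admitted, whether or not an inside client ever asked for it."""
    return PacketFilter([
        Rule("allow", src=inside, dport=80),     # outbound request
        Rule("allow", dst=inside, sport=80),     # inbound reply, or anything else from :80
    ])


class StatefulFilter:
    """Deny-by-default filter with a connection table. Outbound connections to permitted
    ports are recorded; inbound packets are accepted only as replies to a recorded
    connection, and the entry is dropped when the connection closes."""

    def __init__(self, inside: str, allowed_dports: Iterable[int]):
        self.inside = inside
        self.allowed = set(allowed_dports)
        self.table: set = set()       # (client, cport, server, sport) of open connections

    def decide(self, p: Packet) -> str:
        if p.src.startswith(self.inside):                       # outbound
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and p.dport in self.allowed:
                self.table.add(key)
        else:                                                   # inbound: reverse the tuple
            key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.table:
            return "deny"
        if p.fin:
            self.table.discard(key)
        return "allow"
```

An attacker who sets his source port to 80 and aims at an inside host's SSH port walks straight through `stateless_web_rules()`, because the rule cannot know whether anyone asked for that traffic; `StatefulFilter` denies the same packet because no matching outbound connection exists, and it closes the return path again as soon as the connection is torn down.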
Stateful inspection does not break and reconstruct IP packets, so it is faster than application-layer technology. Because the firewall knows the communication patterns of common protocols, it can admit return traffic dynamically on an as-needed basis. For example, when an internal client opens a connection to a web server, the firewall records the connection and allows the server's replies back in; when the connection ends, the entry is removed and the path is closed again. This is in contrast to packet filtering, where the administrator would have to leave the corresponding return ports open permanently.

For the Security+ exam, you will need to know how each firewall type works and which one suits a given situation. If speed is the concern and you need to permanently allow or deny certain IP addresses or ports, packet filtering is best. If inspection of packets at the application level is required, you need an application-layer firewall. If the question is about monitoring network traffic or communication states, choose the stateful inspection firewall.

Routers

Routers are hardware devices or software implementations that connect two or more segments of an internetwork. A router usually has two or more interfaces, each connected to a different network segment. Routers can help provide secure communications between two segments inside an organization, or between an organization's network and an external network such as the Internet. Routers forward IP packets between segments according to their routing tables, which can be dynamic (built by routing protocols) or static (created manually by administrators). In addition to routing tables, routers support Access Control Lists (ACLs), which specify which IP packets are forwarded and which are dropped. RRAS in Windows Server 2000 and 2003 is an example of a software router. Most routers come with built-in security features.
They can be configured to the organization's requirements. It is always wise to change a router's default configuration, because attackers know the defaults. Routers use routing protocols of the distance-vector and link-state families to build routing tables dynamically. Unauthenticated routing protocols are prone to spoofing and eavesdropping: an attacker who can inject routing updates may insert false routes and redirect or intercept traffic. Defining static routes is one way to prevent spoofed entries, but for a large internetwork static routing tables are impractical; the usual alternative is to enable the routing protocol's neighbor authentication and to accept updates only on interfaces where a neighbor is expected.

Switches

Switches are network devices, similar to hubs, that connect components within a LAN. Switches differ from routers in that routers operate at the Network layer (Layer 3) of the OSI model while switches operate at the Data Link layer (Layer 2). Routers forward traffic by IP address; switches forward by MAC address. A MAC address is assigned to the network adapter by its manufacturer, but the address a host actually uses is set by its driver and can be changed in software, so MAC addresses must not be treated as unforgeable identities. Some Layer 3 switches also operate at the Network layer.

Switches offer better security than hubs because they forward each frame only to the port where the destination MAC address was learned, instead of repeating it to every port, and because they can be configured to drop traffic from MAC addresses that are not expected on a port (port security). One major concern is that an attacker who gains administrative control of a switch can hijack the entire network. Features such as Cisco's Switch Port Analyzer (SPAN) mirror a copy of all traffic passing through the switch to a chosen port, which may be under the attacker's control.
SPAN is generally used by administrators for troubleshooting, but it can be abused. Switches are also subject to Address Resolution Protocol (ARP) spoofing, DoS, and MITM attacks. Because switches are often managed over Telnet, an attacker who can sniff the management traffic can capture the administrative username and password in the clear; administrators should manage switches over SSH instead of Telnet. MAC flooding is another attack: the attacker sends frames from a large number of forged source MAC addresses until the switch's address table is full, at which point many switches fall back to hub-like behavior and flood frames out of every port, letting the attacker sniff traffic that a switch would normally keep off his port. Limiting the number of MAC addresses learned per port (port security) is the usual mitigation.

Wireless

Wireless network cards, wireless routers, and wireless access points are the main devices associated with wireless networking. Wireless security was covered in the "Wireless Communications" section earlier in this chapter.

Modems

Modems are usually connected to remote access servers (RAS) to provide access to remote users or telecommuters. Remote users dial in to a RAS modem or modem bank over ordinary telephone lines using a preconfigured telephone number. Although this technology is becoming obsolete with the spread of broadband, older systems still use modems for remote access. Modems are prone to war dialing: attackers use war-dialing software to call ranges of numbers looking for a modem connected to a RAS server that will answer. Properly configured security features such as callback protect modems from unauthorized access, and remote access policies on the RAS server add further control.

Remote Access Servers (RAS)

RAS typically use modem banks to provide remote access. The modems are configured with telephone numbers; when a remote user dials a predetermined number, any free modem in the bank can answer. Once the connection is established, the remote user is authenticated and authorized according to his dial-in permissions and the remote access policies.
RAS servers use a number of authentication and authorization protocols to grant access only to authorized users, including CHAP, MS-CHAP, and EAP. Insecure protocols such as PAP, which sends the password in the clear, and the Shiva Password Authentication Protocol (SPAP) can also be used but should be avoided wherever possible.

RAS security policies include mandatory caller ID, callback, and limits on calling days and hours. These ensure that only an authorized user connects, from a predetermined telephone number, during permitted times. Caller ID verifies that the call comes from an authorized number; callback has the server hang up and dial the user back at a stored number. Restricting calling days and hours means that an attacker who does not know the restrictions is detected when his attempt fails outside the permitted window. A strong password policy should also be in place, and administrators may disable unnecessary protocols on RAS servers.

Virtual Private Networks (VPNs)

A VPN is a low-cost way of providing remote access to corporate networks. It is also used to build intranets and extranets through a secure tunnel over a public network. It is cheaper for a large company to connect its branch offices to the corporate network this way because no dedicated circuits are required: each office connects to a local ISP, which provides connectivity to the Internet. Similarly, remote users or telecommuters simply dial in to a local ISP to reach the office network, which saves them the cost of long-distance calls. Depending on their implementation, VPNs fall into the following types:

Remote Access VPN
Provides connectivity to individual employees who work from remote sites, including telecommuters and those who work from home.

Site-to-Site VPN (intranet)
Used between the local area networks of one organization at different geographical locations.
An intranet is the network created for the different offices of the same organization. A site-to-site VPN may use demand-dial routing to reduce the cost of a permanent Internet connection.

Site-to-Site VPN (extranet)
Used to connect the networks of two or more different organizations. An extranet is the network created between them. Organizations with common interests or partner companies typically implement extranets for secure data exchange.

Figures 11-11 and 11-12 show a Remote Access VPN and a Site-to-Site VPN respectively.

Figure 11-11. Remote Access VPN
Figure 11-12. Site-to-Site VPN (intranet, ISP, Internet, tunnel, VPN connection, remote office, main office, small office/home office)

A VPN works by creating a tunnel through the Internet and can be implemented with a high degree of security. Commonly used tunneling protocols include PPTP and L2TP/IPSec; the combination of L2TP and IPSec is considered more secure than PPTP. Data traveling through the tunnel is encrypted and protected from eavesdroppers. SSH can also be used as a tunneling mechanism. Organizations should also firewall their VPN servers, which are usually placed in a perimeter network separate from the main local area network.

Network monitoring

Network monitoring lets administrators watch network traffic in order to detect abnormal behavior or congestion and take corrective action. Most large networks run some kind of monitoring or sniffing software. While these applications are useful when used appropriately, they also pose a risk: a malicious user or an outsider can use the same techniques to gather data from the network media. Equipment used to diagnose network problems may also be

[...] to use a regular user account when not performing any administrative task.

Databases
Examples of database servers include Microsoft's SQL Server and Oracle. These servers pose a challenging task for administrators in terms of hardening them and maintaining their security. Database applications are usually of the client/server type, where the database server is called the backend and the ... workstation is called the frontend. Administration of database applications and servers usually requires separate database administrators who manage access control, authentication, and auditing of these services. These administrators must ensure the security of the data stored in the databases, which may be critical to the functioning of the organization. Organizations involved in e-commerce also use database ...

[...] Practically, this algorithm is considered as secure as RSA. ElGamal produces ciphertext roughly twice the size of the plaintext, which makes it expensive on slow links. It is used in some recent versions of PGP. The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme.

Hashing algorithms
A hashing algorithm (also called a hash function) is the process of creating a small ...

[...] protocol-based IDS. An application protocol-based IDS usually monitors the activities of specific applications and the protocols they use. It detects attacks by analyzing application logs, and it can identify a variety of attacks. It can also monitor malicious activity by individual users and can work with encrypted traffic, since it sees the data after the application has decrypted it. The drawback is that these IDS consume a significant amount ...

[...] tapes are commonly used for backing up data because of their large capacity and reusability. Tapes come as small cassettes in a variety of speeds and capacities. Tapes are vulnerable to physical theft, as anyone with access to them can easily smuggle them out of the organization and read the data. Some of the methods to secure data stored on magnetic tapes ...

[...] the attack mechanisms used by attackers, and to use them later to update the attack signature database. Honeypots must be administered with care because they may accidentally expose the organization's real network. A full-time administrator may be required to configure the honeypot properly and monitor the attackers' activities regularly. Make sure that you can distinguish between a honeypot and a ...

[...] It is issued by a CA to bind a public key to an individual or an organization. The name of the individual or organization appears as a distinguished name, an email address, or a DNS name. An organization may use certificates for a variety of purposes, such as encrypting email messages, doing business on the Internet, or digitally signing software. When downloading software from the Internet ...

[...] within areas with high static electricity. They are small and easily stolen. Some newer flash cards offer security features such as data encryption and authentication; it is good practice to use these features to protect the data from theft. Older cards with limited storage capacity and no security features should be replaced with newer cards.

Smart cards
Smart cards usually store a small ...

[...] username as administrator and a blank password for the administrator account. Even now some applications allow administrators to leave their passwords blank. This is a serious security concern; administrators should never exercise this option.

Data repositories
Data repositories in a network include data storage systems, which can be servers running directory services, database servers, Network Attached ...

[...] is generated so that administrators can take corrective action. It is important for administrators to keep the attack signature database up to date, which is the most difficult part of implementing an IDS. Most attack signatures are constructed by running different types of attacks against the network and looking for a unique pattern of the attack. Application protocol-based ...

Posted: 09/08/2014, 07:20
