SYBEX Sample Chapter

Security+™ Study Guide
Michael Pastore

Chapter 3: Infrastructure and Connectivity

Copyright © 2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic or other record, without the prior agreement and written permission of the publisher.

ISBN: 0-7821-4098-X

SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the USA and other countries.

TRADEMARKS: Sybex has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. Copyrights and trademarks of all products and services listed or described herein are property of their respective owners and companies. All rules and laws pertaining to said copyrights and trademarks are inferred.

This document may contain images, text, trademarks, logos, and/or other material owned by third parties. All rights reserved. Such material may not be copied, distributed, transmitted, or stored without the express, prior, written consent of the owner.

The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturers. The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book.

Sybex Inc.
1151 Marina Village Parkway
Alameda, CA 94501
U.S.A.
Phone: 510-523-8233
www.sybex.com

Chapter 3: Infrastructure and Connectivity

THE FOLLOWING COMPTIA SECURITY+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

2.1 Remote Access
    2.1.1 802.1x
    2.1.2 VPN
    2.1.3 RADIUS
    2.1.4 TACACS/+
    2.1.5 L2TP/PPTP
    2.1.6 SSH
    2.1.7 IPSEC
    2.1.8 Vulnerabilities
2.2 Email
    2.2.3 Vulnerabilities
        2.2.3.1 Spam
        2.2.3.2 Hoaxes
2.3 Web
    2.3.1 SSL/TLS
    2.3.2 HTTP/S
    2.3.4 Vulnerabilities
        2.3.4.1 Java Script
        2.3.4.2 ActiveX
        2.3.4.3 Buffer Overflows
        2.3.4.4 Cookies
        2.3.4.5 Signed Applets
        2.3.4.6 CGI
        2.3.4.7 SMTP Relay
2.5 File Transfer
    2.5.1 S/FTP
    2.5.2 Blind FTP/Anonymous
    2.5.3 File sharing
    2.5.4 Vulnerabilities
        2.5.4.1 Packet Sniffing
3.1 Devices
    3.1.1 Firewalls
    3.1.2 Routers
    3.1.3 Switches
    3.1.4 Wireless
    3.1.5 Modems
    3.1.6 RAS
    3.1.7 Telecomm/PBX
    3.1.8 VPN
    3.1.9 IDS
    3.1.10 Network Monitoring/Diagnostics
    3.1.11 Workstations
    3.1.12 Servers
    3.1.13 Mobile Devices
3.2 Media
    3.2.1 Coax
    3.2.2 UTP/STP
    3.2.3 Fiber
    3.2.4 Removable Media
        3.2.4.1 Tape
        3.2.4.2 CDR
        3.2.4.3 Hard Drives
        3.2.4.4 Diskettes
        3.2.4.5 Flashcards
        3.2.4.6 Smartcards

Your network is composed of a variety of media and devices that both facilitate communications and provide security. Some of these devices (such as routers, modems, and PBX systems) provide external connectivity from your network to other systems and networks. Some of the devices (such as CDRs, disks, and tape) provide both internal archival storage and working storage for your systems. In order to provide reasonable security, you must know how these devices work and how they provide or fail to provide security. This chapter deals with issues of infrastructure and media. They are key components of the Security+ exam and necessary for you to understand in order to secure your network.
Infrastructure Security

Infrastructure security deals with the most basic aspects of how information flows and how work occurs in your network and systems. An infrastructure is simply the basis for all of the work occurring in your organization. When discussing infrastructures, bear in mind that this includes servers, networks, network devices, workstations, and the processes in place to facilitate work. To evaluate the security of your infrastructure, you must examine the hardware and its characteristics, and also examine the software and its characteristics. Each time you add a device, change a configuration, or switch technologies, you are potentially altering the fundamental security capabilities of your network.

Networks are tied together using the Internet and other network technologies, thereby making them vulnerable to attack in any number of ways. The job of a security professional is to eliminate the obvious threats, to anticipate how the next creative assault on your infrastructure might occur, and to neutralize it before it happens.

The following sections deal with the hardware and software components that make up a network.

Hardware Components

Hardware components include physical devices, such as routers, servers, and firewalls. Figure 3.1 depicts a typical network infrastructure and some of the common hardware components in the environment. From a security perspective, this infrastructure is more than the sum of all of its parts. You must evaluate your network from the perspective of each device in it. The complexity of most networks makes securing them extremely complicated. In order to provide reasonable security, every device must be evaluated to determine its strengths and weaknesses.
FIGURE 3.1 A typical network infrastructure
[Figure 3.1 labels: Internet, Clients, Clients, Server (Accounting), Server (Engineering), Router, Firewall]

Notice in this figure that the network we will be evaluating has Internet connections. Internet connections expose your network to the highest number of external threats. These threats can come from virtually any location worldwide. The network includes routers, firewalls, switches, servers, and workstations. Each of these devices has its own unique vulnerabilities and strengths. These devices are covered in more detail later in this chapter. As you can see from Figure 3.1, your infrastructure is complicated and dynamic.

Software Components

Hardware exists to run software. Most of the devices that we use today have a certain amount of built-in intelligence, in the form of an embedded operating system or management software. This intelligence makes them easy to configure, easy to support, and to a certain extent, easy to bypass. The network infrastructure illustrated in Figure 3.1 includes servers, workstations running operating systems, routers, firewalls (which may run as applications on servers), and dedicated devices that have their own communications and control programs.

This situation leaves networks open to attacks and security problems because many of these systems work independently. Many larger organizations have built a single area for network monitoring and administrative control of systems. This centralization allows a larger overall picture of the network to be seen, and it allows actions to be taken on multiple systems or network resources if an attack is underway. Such a centralized area is called a Network Operations Center (NOC). Using a NOC makes it easier to see how an attack develops and easier to provide countermeasures. Unfortunately, a NOC is beyond the means of most businesses. They are expensive and require a great deal of support.
ATT Wireless NOCs

ATT Wireless maintains a huge NOC for each of the cell centers they manage. These centers provide 24/7 real-time monitoring of all devices in the cellular and computer network that they support. The operators in the NOC have the ability to literally reach out and touch any device in the network to configure, repair, and troubleshoot. A single NOC has dozens of people working around the clock to keep on top of the network. When an ATT Wireless center goes down, it effectively takes down the entire cell-phone service for an entire region. As you can imagine, this is horrendously expensive and they do not let it happen very often. There are several NOC facilities in the United States, and one region can support or take over operations for another region if that center becomes inoperable.

Supporting an infrastructure in a large corporation can be a horrendously expensive proposition, and it requires literally years of development to create an effective NOC.

Devices

Connecting all of these components requires physical devices. Large multinational corporations, as well as small and medium-sized corporations, are building networks of enormous complexity and sophistication. These networks work by utilizing miles and miles of both wiring and wireless technologies. Whether the network is totally wire and fiber-based, or totally wireless, the method of transmitting data from one place to another opens vulnerabilities and opportunities for exploitation. These vulnerabilities appear whenever an opportunity exists to intercept information from the media. The devices briefly described here are the components that you will typically encounter in a network.

Firewalls

Firewalls are one of the first lines of defense in a network.
There are different types of firewalls, and they can be either stand-alone systems or functions included in other devices such as routers or servers. Many firewalls are add-in software available for servers or workstations. The basic purpose of a firewall is to isolate one network from another. Firewalls are also becoming available as appliances, meaning they are installed into the network between two networks. Appliances are freestanding devices that operate in a largely self-contained manner; they should require less maintenance and support than a server-based product.

Firewalls function as one of the following:

    Packet filter
    Proxy firewall
    Stateful inspection

The proxy shown in Figure 3.2 effectively limits access from outside networks, while allowing inside network users to access outside resources. The proxy in this illustration is also performing firewall functions. The end user in this network uses the proxy server to send traffic out and to receive the returning information. This section discusses three of the most common functions that firewalls perform.

FIGURE 3.2 A proxy firewall blocking network access from external networks

Packet Filter

A firewall operating as a packet filter passes or blocks each packet based on the addressing information in its headers: source and destination IP addresses, protocol, and source and destination port numbers. Because well-known ports identify applications, this amounts to filtering by application type: a packet filter may allow web traffic on port 80 and block Telnet traffic on port 23. This type of filtering is included in many routers. If a received packet asks for a port that is not authorized, the filter may reject it (sending a TCP reset or an ICMP unreachable message back to the sender) or simply drop it without any reply; the silent drop gives an outside port scanner less information about what is listening. Many packet filters can also specify which IP addresses can request which ports and allow or deny them based on the security settings of the firewall. Packet filters are growing in sophistication and capability.
A packet filter does not analyze the contents (payload) of a packet; it decides whether to pass or drop the packet based on its addressing information alone.

Proxy Firewall

Think of a proxy firewall as an intermediary between your network and another. Proxy firewalls process requests from an outside network and evaluate whether each request is forwarded or not. The proxy intercepts all of the packets and reprocesses them for use internally; this process includes hiding internal IP addresses. The proxy firewall examines the data and makes rules-based decisions about whether to forward the request or refuse it.

[Figure 3.2 labels: External Network, Proxy, Internal Network]

The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. Requests from internal network users are routed through the proxy. The proxy, in turn, repackages the request and sends it along, thereby effectively isolating the user from the external network: the outside server sees a connection from the proxy, not from the internal client.

A server-based proxy firewall typically uses two network interface cards (NICs). This type of firewall is referred to as a dual-homed firewall. One of the cards is connected to the outside network and one is connected to the internal network. The proxy software manages the connection between the two NICs. This effectively segregates the two networks from each other and offers increased security, provided the operating system itself is not also forwarding packets between the two interfaces. Figure 3.3 illustrates a dual-homed firewall segregating two networks from each other.

FIGURE 3.3 A dual-homed firewall segregating two networks from each other

Dual-Homed Server-Based Proxy Firewall (scenario; continued below)

You are the network administrator of a small network. You are installing a new firewall server using Windows 2000.
After you complete the installation, you notice that the network does not appear to be routing traffic through the firewall and that inbound requests are not being blocked. This presents a security problem for the network because you have been getting unusual network traffic lately.

[Figure 3.3 labels: NIC A, NIC B, Network A, Network B, NIC card; note on the figure: make sure routing or IP forwarding is disabled in the operating system.]

Solution: The most likely explanation is that Windows 2000 offers the ability to use IP forwarding in a dual-homed server. IP forwarding bypasses your firewall and uses the server as a router. Although the proxy was meant to isolate the two networks, the server is now doing a router's job well and routing IP traffic between them. You will need to verify that IP forwarding and the Routing and Remote Access service are not running on this server. On Windows 2000 the forwarding switch is the IPEnableRouter value (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, which must be 0; after changing it and restarting, confirm the fix by sending a packet from the outside network that the proxy should block and checking that it does not reach the inside.

The proxy function can occur at either the application level or the circuit level. Application-level proxy functions read the individual commands of the protocols that are being served. This type of server is very advanced and must know the rules and capabilities of the protocol used. Such a proxy would know the difference between a GET and a PUT operation, for example, and would have rules specifying how to handle each. A circuit-level proxy creates a circuit between the client and the server and does not deal with the contents of the packets that are being processed. A separate application-level proxy must exist for each protocol supported. Many application-level proxy servers also provide full auditing, accounting, and other usage information that would not normally be kept by a circuit-level proxy server, because only the application-level proxy understands the commands it relays.

Combining firewalls with other firewalls provides a variety of configuration and security options. See Chapter 6, "Working with a Secure Network," for further details.

Stateful Inspection

The last section on firewalls focuses on the concept of stateful inspection. Stateful inspection is also referred to as stateful packet filtering. Most of the devices we use in networks do not keep track of how information is routed or used; once a packet is passed, the packet and path are forgotten. In stateful inspection, records are kept in a state table that tracks every communications channel, so a packet arriving from outside is admitted only if it belongs to a conversation the table already knows about. Stateful inspections occur at all levels of the network and provide additional security, especially with connectionless protocols such as User Datagram Protocol (UDP) and Internet Control
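The GET-versus-PUT distinction drawn above for application-level proxies, as an added Python example that is not from the book: a decision function for an application-level proxy beside the circuit-level check it is contrasted with, plus the repackaging step that hides the internal client's address from the outside server. The policy (GET and HEAD allowed, PUT and DELETE refused, destination ports 80 and 443 only), the addresses and the request bytes are all constructed for illustration and do not describe any product's configuration.

```python
"""Application-level vs circuit-level proxy decisions (added example, not from the book)."""
from dataclasses import dataclass

# Constructed policy for illustration, not any product's configuration.
ALLOWED_METHODS = {"GET", "HEAD"}
DENIED_METHODS = {"PUT", "DELETE"}
ALLOWED_DEST_PORTS = {80, 443}
HOP_HEADERS = {"x-forwarded-for", "forwarded", "via"}  # would leak internal addresses


@dataclass
class Request:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes  # the client's raw bytes, as the proxy received them


def circuit_level_decision(req: Request) -> str:
    """A circuit-level proxy relays on endpoint information only; it never reads the payload."""
    return "allow" if req.dst_port in ALLOWED_DEST_PORTS else "deny"


def parse_request_line(payload: bytes):
    """Parse 'METHOD SP target SP HTTP/x.y CRLF'. Return None for anything that is not that."""
    line, _, _ = payload.partition(b"\r\n")
    try:
        method, target, version = line.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not target or not version.startswith("HTTP/"):
        return None
    return method, target, version


def application_level_decision(req: Request) -> str:
    """An application-level proxy understands the protocol and applies per-command rules."""
    if req.dst_port not in ALLOWED_DEST_PORTS:
        return "deny"
    parsed = parse_request_line(req.payload)
    if parsed is None:
        return "deny"  # not HTTP, or malformed: refuse rather than relay bytes we cannot read
    method, _, _ = parsed
    if method in DENIED_METHODS:
        return "deny"
    if method in ALLOWED_METHODS:
        return "allow"
    return "deny"  # default-deny for commands the policy does not name


def repackage(req: Request, proxy_ip: str) -> Request:
    """Rebuild the request as the proxy's own so the outside server never sees the client."""
    head, sep, body = req.payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]]
    for header in lines[1:]:
        name = header.split(b":", 1)[0].strip().lower()
        if name.decode("ascii", "replace") not in HOP_HEADERS:
            kept.append(header)
    kept.append(b"Via: 1.1 proxy")  # the proxy identifies itself, not the client
    return Request(proxy_ip, req.dst_ip, req.dst_port, b"\r\n".join(kept) + sep + body)


def demo():
    """Constructed requests; returns (label, circuit decision, application decision)."""
    cases = [
        ("GET to web", Request("10.0.0.5", "203.0.113.10", 80,
                               b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n")),
        ("PUT to web", Request("10.0.0.5", "203.0.113.10", 80,
                               b"PUT /upload HTTP/1.1\r\nHost: www.example\r\n\r\n")),
        ("not HTTP on 80", Request("10.0.0.5", "203.0.113.10", 80, b"EHLO mail\r\n")),
        ("GET to telnet port", Request("10.0.0.5", "203.0.113.10", 23, b"GET / HTTP/1.1\r\n\r\n")),
    ]
    return [(label, circuit_level_decision(r), application_level_decision(r)) for label, r in cases]


if __name__ == "__main__":
    for label, circuit, application in demo():
        print(f"{label:20s} circuit={circuit:5s} application={application}")
```

The circuit-level check lets the PUT and the non-HTTP bytes through because it only ever sees a permitted destination port; the application-level check refuses both, and it is the same protocol knowledge that lets it keep the per-command audit trail the text mentions.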
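The contrast between the packet filter described earlier (every packet judged on its own headers) and the state table described in this section, as an added Python example that is not from the book. The internal address range, the service list, the packet trace and the idle time-outs are constructed for illustration; TCP is simplified to "a SYN opens a flow", and ICMP is not modelled.

```python
"""Stateless packet filter vs stateful inspection (added example, not from the book)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")                   # constructed: the protected network
SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}   # constructed: what inside hosts may reach


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN (new-connection attempt); ignored for UDP
    ts: float = 0.0     # arrival time in seconds


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def stateless_filter(pkt: Packet) -> str:
    """Judge each packet on its own headers. Return traffic can only be admitted by
    source port, so anything an attacker sends *from* port 80 or 53 is admitted too."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "allow" if (pkt.proto, pkt.dport) in SERVICES else "drop"
    if not is_internal(pkt.src) and is_internal(pkt.dst):
        return "allow" if (pkt.proto, pkt.sport) in SERVICES else "drop"
    return "drop"


class StatefulFilter:
    """Keeps a state table of flows the inside has opened; outside packets are admitted
    only when they match a table entry. Idle entries expire (UDP quickly, TCP slowly)."""
    TIMEOUT = {"tcp": 3600.0, "udp": 30.0}

    def __init__(self):
        self.table = {}  # (proto, src, sport, dst, dport) -> last time a packet was seen

    def _expire(self, now: float) -> None:
        for key in list(self.table):
            if now - self.table[key] > self.TIMEOUT[key[0]]:
                del self.table[key]

    def decide(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:            # more traffic in a flow we already track
            self.table[fwd] = pkt.ts
            return "allow"
        if rev in self.table:            # reply to a flow the inside opened
            self.table[rev] = pkt.ts
            return "allow"
        # No state: only the inside may open a flow, only to permitted services,
        # and for TCP only with a SYN (a mid-stream segment with no state is bogus).
        if (is_internal(pkt.src) and not is_internal(pkt.dst)
                and (pkt.proto, pkt.dport) in SERVICES
                and (pkt.proto != "tcp" or pkt.syn)):
            self.table[fwd] = pkt.ts
            return "allow"
        return "drop"


def demo():
    """Run a constructed trace through both filters; returns (label, stateless, stateful)."""
    fw = StatefulFilter()
    trace = [
        ("inside opens HTTP", Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, syn=True, ts=0.0)),
        ("web server replies", Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40000, ts=1.0)),
        ("attacker from sport 80", Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 445, syn=True, ts=2.0)),
        ("inside sends DNS query", Packet("10.0.0.5", "203.0.113.53", "udp", 5353, 53, ts=3.0)),
        ("DNS reply", Packet("203.0.113.53", "10.0.0.5", "udp", 53, 5353, ts=4.0)),
        ("mid-stream TCP, no SYN", Packet("10.0.0.5", "203.0.113.10", "tcp", 40001, 80, ts=5.0)),
        ("stale DNS reply (96 s idle)", Packet("203.0.113.53", "10.0.0.5", "udp", 53, 5353, ts=100.0)),
    ]
    return [(label, stateless_filter(p), fw.decide(p)) for label, p in trace]


if __name__ == "__main__":
    for label, stateless, stateful in demo():
        print(f"{label:28s} stateless={stateless:5s} stateful={stateful}")
```

The stateless filter admits every packet in the trace, including the attacker's segment aimed at port 445 with a source port of 80, because "source port 80" is the only way it can let legitimate web replies back in. The stateful filter admits the web reply and the DNS reply because the inside opened those flows, and drops the attacker's segment, the mid-stream TCP segment with no SYN, and the UDP "reply" that arrives after the entry has aged out; that ageing is what gives a connectionless protocol like UDP a notion of a conversation at all.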