Chapter 3 Infrastructure and Connectivity

Many of the newer systems, such as Windows 2000, allow permissions to be established to prevent software installation. You will want to evaluate the security capabilities of the workstation settings. This process is referred to as locking down a desktop. You can lock down most desktops to prevent the installation of software. This may also prevent users from automatically upgrading software, and it may create additional work for the IS department. You will need to evaluate both issues to determine the best approach to take.

Servers

Most modern server products also offer workstation functionality. In fact, many servers are virtually indistinguishable from workstations. Linux functions as both a workstation and a server in most cases. Windows 2000, while having multiple versions of workstation and server, communicates with networks in a virtually identical manner. Most successful attacks against a server will also work against a workstation, and vice versa. Additionally, servers will run dedicated applications, such as SQL Server or a full-function web server. An early version of IIS installed a default mail system as a part of its installation. This mail system was enabled unless specifically disabled. This mail server suffered from most of the vulnerabilities that were discussed in Chapter 2, “Know Your Enemy,” as they related to virus and worm infections. Make sure that your system runs only the services, protocols, and processes that are needed. Turn off or disable things you do not need.

Mobile Devices

Mobile devices, including pagers and Personal Digital Assistants (PDAs), are becoming very popular. Many of these mobile devices use either RF signaling or cellular technologies for communication. If the device uses the Wireless Applications Protocol (WAP), the device in all likelihood does not have security enabled. Several levels of security exist in the WAP protocol. These protocols include:

Anonymous authentication, which allows virtually anyone to connect to the wireless portal.

Server authentication, which requires the workstation to authenticate against the server.

Two-way (client and server) authentication, which requires both ends of the connection (client and server) to authenticate to confirm validity.

Most newer palm systems are configured to allow authentication. This authentication can be configured to challenge the user of the device to log on, as well as allow the user to challenge the server. WAP is covered in more detail in Chapter 4. Many new wireless devices are also capable of using certificates to verify authentication. Figure 3.12 shows a mobile systems network. This network uses both encryption and authentication to increase security. The Wireless Session Protocol (WSP) manages the session information and connection between the devices. The Wireless Transaction Protocol (WTP) provides services similar to TCP and UDP for WAP. The Wireless Datagram Protocol (WDP) provides the common interface between devices.

FIGURE 3.12 A mobile environment using WAP security. The figure shows an 802.11-equipped system and a WAP server, each with WSP, WTLS, and WDP layers; security is managed at the WTLS layer.

Copyright © 2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved.

Remote Access

One of the primary purposes for having a network is the ability to connect systems together. As networks have grown, many technologies have come on the scene to make this process easier and more secure. A key area of concern relates to the connection of systems and other networks that are not part of your network. This section discusses the more common protocols used to facilitate connectivity.
Serial Line Internet Protocol

Serial Line Internet Protocol (SLIP) is an older protocol that was used in early remote access environments. SLIP was originally designed to connect UNIX systems together in a dial-up environment, and it supports only serial communications. SLIP is a very simple protocol that is used to pass TCP/IP traffic. The protocol is not secure, nor is it efficient. Many systems still support SLIP strictly for legacy systems. SLIP is not widely used anymore, and it has largely been replaced by Point-to-Point Protocol (PPP).

Point-to-Point Protocol

Introduced in 1994, Point-to-Point Protocol (PPP) has largely replaced SLIP. PPP offers multiple protocol support including AppleTalk, IPX, and DECnet. PPP works with POTS, Integrated Services Digital Network (ISDN), and other faster connections such as T1. PPP does not provide data security, but it does provide authentication using CHAP. Figure 3.13 shows a PPP connection over an ISDN line. In the case of ISDN, PPP would normally use one 64Kbps B channel for transmission. PPP allows many channels in a network connection (such as ISDN) to be connected or bonded together to form a single virtual connection.

FIGURE 3.13 PPP using a single B channel on an ISDN connection. The ISDN line carries one D channel and two B channels; the PPP connection uses one of the B channels.

PPP works by encapsulating the network traffic in a protocol called Network Control Protocol (NCP). Authentication is handled by Link Control Protocol (LCP). A PPP connection allows remote users to log on to the network and have access as though they were local users on the network. PPP does not provide for any encryption services for the channel. As you might have guessed, the unsecure nature of PPP makes it largely unsuitable for WAN connections.
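The CHAP authentication that PPP relies on, as an added example that is not from the book: the peer proves it knows a shared secret without ever sending it, and a fresh challenge for every exchange makes a captured response useless for replay. The secret value, identifier and challenge length are constructed for the demonstration; nothing here encrypts the data that follows authentication, which is exactly the gap the text describes.

```python
import hashlib
import hmac
import os

# Added example (not from the book): the CHAP exchange that PPP uses for
# authentication, following RFC 1994. The shared secret is a constructed value.
SHARED_SECRET = b"constructed-demo-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || Challenge).

    The secret itself never crosses the link; only this digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge(nbytes: int = 16):
    """Authenticator side: a fresh identifier and an unpredictable challenge.

    Freshness is what makes a captured response useless for replay."""
    return os.urandom(1)[0], os.urandom(nbytes)


def verify_response(identifier, secret, challenge, response) -> bool:
    """Authenticator side: recompute the digest and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap(peer_secret, authenticator_secret) -> bool:
    """One full exchange: challenge -> response -> success or failure.

    Returns True only when both ends hold the same secret."""
    identifier, challenge = new_challenge()
    response = chap_response(identifier, peer_secret, challenge)
    return verify_response(identifier, authenticator_secret, challenge, response)


def replay_is_rejected(secret) -> bool:
    """A response captured from one exchange does not satisfy the next
    challenge, because the identifier and challenge differ."""
    ident1, ch1 = new_challenge()
    captured = chap_response(ident1, secret, ch1)
    ident2, ch2 = new_challenge()
    first_ok = verify_response(ident1, secret, ch1, captured)
    replay_ok = verify_response(ident2, secret, ch2, captured)
    return first_ok and not replay_ok


if __name__ == "__main__":
    print("same secret:", run_chap(SHARED_SECRET, SHARED_SECRET))
    print("wrong secret:", run_chap(SHARED_SECRET, b"wrong"))
    print("replay rejected:", replay_is_rejected(SHARED_SECRET))
```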
A dial-up connection using PPP works very well, because it is not common for an attacker to tap a phone line. To address PPP's lack of encryption, other protocols have been created that take advantage of the flexibility of PPP and build on it. You want to make sure that all of your PPP connections use secure channels, dedicated connections, or dial-up connections. Remote users who connect directly to a system using dial-up connections do not necessarily need to have encryption capabilities enabled. If the connection is a direct one, the likelihood that anyone would be able to tap an existing phone line is relatively small. However, you should make sure that connections through a network do use an encryption-oriented tunneling system.

802.1X Wireless Protocols

The IEEE 802.1x protocols refer to a broad range of wireless protocols for wireless communications. There are two major families of standards for wireless communications: the 802.11 family and the 802.16 family. The 802.11 standards are discussed in more detail in Chapter 4 under “Wireless Systems.” The 802.16 standard is undergoing debate in the IEEE and was finalized in the fall of 2002. The 802.11 protocols are primarily short-range systems suitable for use in buildings and campus environments.

VPN

VPNs are used to make connections between private networks across a public network, such as the Internet. These connections are not guaranteed to be secure unless a tunneling protocol, such as PPTP, and an encryption system, such as IPSec, are used. A wide range of options, including proprietary technologies, is available for VPN support. Many of the large ISPs and data communication providers provide dedicated hardware with VPN capabilities. Many servers also provide software VPN capabilities for use between two networks. VPN systems can be dedicated to a certain protocol, or they can pass whatever protocols they see on one end of the network to the other end.
A pure VPN connection appears as a dedicated wired connection between the two network ends.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a mechanism that allows authentication of dial-in and other network connections. A RADIUS server can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether or not an incoming caller is authorized. In a large network with many connections, this allows a single server to perform all authentications. Figure 3.14 shows an example of a RADIUS server communicating with an ISP to allow access to a remote user. Notice that the remote server is actually functioning as a client to the RADIUS server. This allows centralized administration of access rights.

FIGURE 3.14 The RADIUS client manages the local connection and authenticates against a central server. The figure shows a client connecting to the RADIUS client at the ISP, which sends an authorization request to the RADIUS server in the large network; the server validates the request.

The major difficulty with a single-server RADIUS environment is that the entire network may refuse connections if the server malfunctions. Many RADIUS systems allow multiple servers to be used to increase reliability. All of these servers are critical components of the infrastructure, and they must be protected from attack. The RADIUS protocol is an IETF standard, and it has been implemented by most of the major operating system manufacturers.

TACACS/+

Terminal Access Controller Access Control System (TACACS) is a client/server-oriented environment, and it operates in a similar manner to RADIUS. The most current method or level of TACACS is TACACS/+. TACACS/+ allows credentials to be accepted from multiple methods, including Kerberos. The TACACS client/server process occurs in the same manner as the RADIUS process illustrated in Figure 3.14. CISCO has widely implemented TACACS/+ for connections. TACACS/+ is expected to become widely accepted as an alternative to RADIUS.
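An added example, not from the book, of the exchange in Figure 3.14 at packet level: the RADIUS client (the access server) builds an RFC 2865 Access-Request with the password hidden under the shared secret, and accepts the reply only if its Response Authenticator verifies, so a forged or misdirected answer is ignored. The central server is a constructed stand-in, and the shared secret, user database and addresses are made-up values.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the book): an RFC 2865 Access-Request as built by a
# RADIUS client (the dial-in server) and answered by a constructed stand-in for
# the central RADIUS server. Secret, user names and addresses are made up.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def attr(atype, value):
    # One attribute: Type (1 byte), Length including these 2 bytes, Value.
    return bytes([atype, len(value) + 2]) + value

def hide_password(secret, request_auth, password):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with an MD5 chain keyed by the secret.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out

def build_packet(code, identifier, authenticator, attrs):
    # Code, Identifier, Length (20-byte header + attributes), Authenticator, Attributes.
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_packet(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, packet[4:20], attrs

def response_authenticator(secret, code, identifier, request_auth, attrs):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def access_request(secret, identifier, username, password, nas_ip):
    # Client side. The Request Authenticator must be unpredictable; it keys the
    # password hiding and ties the reply to this particular request.
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(secret, request_auth, password))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth

def server_reply(secret, request, user_db):
    # Constructed central server: re-hide the stored password with the same
    # Request Authenticator, compare, then sign the reply with the secret.
    _, identifier, request_auth, attrs = parse_packet(request)
    expected = hide_password(secret, request_auth, user_db.get(attrs[USER_NAME], b""))
    code = ACCESS_ACCEPT if hmac.compare_digest(expected, attrs[USER_PASSWORD]) else ACCESS_REJECT
    auth = response_authenticator(secret, code, identifier, request_auth, b"")
    return build_packet(code, identifier, auth, b"")

def check_reply(secret, reply, identifier, request_auth):
    # Client side: True/False for a genuine Accept/Reject, None when the
    # identifier or the Response Authenticator does not verify (e.g. a forgery).
    code, rid, auth, _ = parse_packet(reply)
    expected = response_authenticator(secret, code, rid, request_auth, reply[20:])
    if rid != identifier or not hmac.compare_digest(auth, expected):
        return None
    return code == ACCESS_ACCEPT
```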
Tunneling Protocols

Tunneling protocols add an additional capability to the network. They provide the ability to create tunnels between networks that can be more secure, support additional protocols, and provide virtual paths between systems. The most common protocols used for tunneling are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP), and IPSec:

PPTP

PPTP supports encapsulation in a single point-to-point environment. PPTP encapsulates and encrypts PPP packets. This makes PPTP a favorite low-end protocol for networks. The negotiation between the two ends of a PPTP connection is done in the clear. Once the negotiation is performed, the channel is encrypted. This is one of the major weaknesses of the PPTP protocol. A packet-capture device, such as a sniffer, that captures the negotiation process can potentially use that information to determine the connection type and information about how the tunnel works. Microsoft developed PPTP, and they support it on most of their products. PPTP uses port 1723 and TCP for connections.

L2F

L2F was created by Cisco as a method of creating tunnels primarily for dial-up connections. L2F is similar in capability to PPP and should not be used over WANs. L2F does provide authentication, but it does not provide encryption. L2F uses port 1701 and TCP for connections.

L2TP

Relatively recently, Microsoft and Cisco agreed to combine their respective tunneling protocols into one protocol: the Layer Two Tunneling Protocol (L2TP). L2TP is a hybrid of PPTP and L2F. L2TP is primarily a point-to-point protocol. L2TP supports multiple network protocols and can be used in networks besides TCP/IP. L2TP works over IPX, SNA, and IP.
This gives L2TP the capability of being used as a bridge across many different types of systems. The major problem with L2TP is that it does not provide data security, in that the information is not encrypted. Security can be provided by protocols such as IPSec. L2TP uses port 22 and TCP for connections.

SSH

Secure Shell (SSH) is a tunneling protocol originally designed for UNIX systems. SSH uses encryption to establish a secure connection between two systems. SSH also provides secure equivalents of programs such as Telnet, FTP, and many of the other communications-oriented programs under UNIX. SSH is now available for use on Windows systems as well. This makes SSH the preferred method of security for Telnet and other cleartext-oriented programs in the UNIX environment. SSH uses port 22 and TCP for connections.

IPSec

IPSec (Internet Protocol Security) is not a tunneling protocol, but it is used in conjunction with tunneling protocols. IPSec is oriented primarily toward LAN-to-LAN connections, rather than dial-up connections. IPSec provides secure authentication and encryption of data and headers. This makes IPSec a good choice for security. IPSec can work in either Tunneling mode or Transport mode. In Tunneling mode, the data or payload and message headers are encrypted. Transport mode encrypts only the payload.

Internet Connections

The Internet is perhaps the area of largest growth for networks. The Internet is a worldwide network that offers the capability of instantaneous connections between networks, no matter where they are located. The technology started as a research project funded by the Department of Defense and has grown at an enormous rate. Within a few years, virtually every computer in the world is expected to be connected to the Internet.
This creates a security nightmare and is one of the primary reasons that the demand for professionals trained in information and computer security is expected to grow exponentially. The following section describes some of the more common protocols including the World Wide Web, Telnet, FTP, e-mail, and SMTP.

Connecting Remote Network Users

Your company wants to support network connections for remote users. These users will use the Internet to access desktop systems and other resources in the network. What would you advise the company to consider?

You would want your organization to implement a tunneling protocol that supports security. A good solution would be a VPN connection that uses IPSec. You may also want to explore protocols like SSL, TLS, and SSH as alternatives. All of these protocols offer security as a part of their connection process.

The information on ports and sockets in this section is intended for background information and is not tested on the exam.

Ports and Sockets

As you already know, the primary method of connection between systems using the Internet is the TCP/IP protocol. This protocol establishes connections and circuits using a combination of the IP address and a port. A port is an interface that is used to connect to a device. Sockets are a combination of the IP address and the port. If you attempt to connect to a remote system with the IP address 192.168.0.100 that is running a website, you will use Port 80 by default. The combination of these two elements gives you a socket. The full address and socket description would then be 192.168.0.100:80. IP is used to route the information from one host to another through a network. The four layers of TCP/IP encapsulate the information into a valid IP packet that is then transmitted across the network.
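An added example (not from the book) that builds and parses the TCP packet behind the socket just described: a segment from port 1024 on a client to port 80 on 192.168.0.100 carrying the data GET /, with the RFC 793 checksum (which also covers both IP addresses) computed and then verified. The client address 192.168.0.1, the sequence and acknowledgment numbers and the window size are constructed values.

```python
import struct

# Added example (not from the book): build and parse the TCP segment behind
# the socket 192.168.0.100:80 discussed above. Client address 192.168.0.1,
# sequence numbers and window size are constructed values.
FLAG_ACK, FLAG_PSH = 0x10, 0x08

def socket_string(ip, port):
    # A socket is the IP address and port together, written address:port.
    return "%s:%d" % (ip, port)

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def ones_complement_sum(data):
    # Sum 16-bit words, folding carries back in, as RFC 793 specifies.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip, dst_ip, segment):
    # The checksum also covers a pseudo-header with both IP addresses, so a
    # segment delivered to the wrong host fails the check.
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, data, window=8192):
    # 20-byte header: ports, sequence, acknowledgment, offset/flags, window,
    # checksum (filled in below), urgent pointer, then the data.
    offset_flags = (5 << 12) | flags          # 5 x 32-bit words, no options
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)
    checksum = tcp_checksum(src_ip, dst_ip, header + data)
    return header[:16] + struct.pack("!H", checksum) + header[18:] + data

def parse_segment(src_ip, dst_ip, segment):
    # Split the header back into its fields; a valid segment checksums to zero.
    src_port, dst_port, seq, ack, offset_flags, window, _, urgent = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (offset_flags >> 12) * 4
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "flags": offset_flags & 0x1FF, "window": window, "urgent": urgent,
        "options": segment[20:header_len], "data": segment[header_len:],
        "checksum_ok": tcp_checksum(src_ip, dst_ip, segment) == 0,
        "reply_socket": socket_string(src_ip, src_port),  # where the page will be sent back
    }

def web_request(client_ip="192.168.0.1", server_ip="192.168.0.100"):
    # The request in Figure 3.15: from port 1024 on the client to port 80, data "GET /".
    return build_segment(client_ip, server_ip, 1024, 80, 1, 1, FLAG_ACK | FLAG_PSH, b"GET /")
```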
Figure 3.15 illustrates the key components of a TCP packet requesting the home page of a website. The data will be returned from the website to Port 1024 on the originating host.

FIGURE 3.15 A TCP packet requesting a web page from a web server. Header fields shown: Source Port (1024), Destination Port (80), Sequence Number, Acknowledgment Number, Offset, Reserved, Flags, Window, Checksum, Urgent Pointer, Options, Padding, and Data (GET /). Callouts: the destination port indicates Port 80, the default for an HTTP server; the return port to the client is 1024; the command GET / instructs the server to send data.

The source port is the port that is being addressed on the destination. The destination port is the port to which the data will be sent. In the case of a WWW application, these would both contain 80. A number of the fields in this packet are used by TCP for verification and integrity, and you need not be concerned with them at this time. However, the data field contains the value Get /. This requests the home or starting page from the web server. In essence, this requested the home page of the site 192.168.0.100 Port 80. The data is formed into another data packet that is passed down to IP and sent back to the originating system on Port 1024.

The connections to most services using TCP/IP are based on this port model. Many of the ports are well documented, and the protocols to communicate with them are well known. If a vendor has a technological weakness or implements security poorly, the vulnerability will become well known and exploited in a short amount of time.

E-Mail

E-mail is one of the most popular applications in use on the Internet. Several very good e-mail servers and clients are available. Figure 3.16 demonstrates the process of transferring an e-mail message.
FIGURE 3.16 E-mail connections between clients and a server. The figure shows e-mail clients exchanging e-mail through an e-mail server, which stores and forwards e-mail to clients.

The most common e-mail systems use the SMTP, POP, or IMAP protocols. These protocols use the TCP protocol for session establishment:

Simple Mail Transport Protocol (SMTP)

Simple Mail Transport Protocol (SMTP) is a mail delivery protocol that is used to send e-mail between an e-mail client and an e-mail server, as well as between e-mail servers. Messages are moved from client to server to client via the Internet. Each e-mail can take different paths from the client to the server. In this situation the clients are on two different e-mail servers; they could both be on the same server, and the process would appear transparent to the user. SMTP uses port 25 and TCP for connections.

Post Office Protocol (POP)

Post Office Protocol (POP) is a newer protocol that relies on SMTP for message transfer and is used for receiving e-mail. POP provides a message store that can be used to store and forward messages. If a server is not operating, the originating server can store a message and try to resend it later. POP3, the newest version of POP, allows messages to be transferred from the waiting post office to the e-mail client. The current POP standard uses port 109 for POP2 and 110 for POP3. The POP protocol uses TCP for connections.

Internet Message Access Protocol (IMAP)

Internet Message Access Protocol (IMAP) is the newest player in the e-mail field, and it is rapidly becoming the most popular. Like POP, IMAP has a store-and-forward capability. However, it has much more functionality. IMAP allows messages to be stored on an e-mail server instead of being downloaded to the client. IMAP allows messages to be downloaded based on search criteria. Many IMAP implementations also allow connection using web browsers.
The current version of IMAP (IMAP 4) uses port 143 and TCP for connection.

S/MIME and PGP are two of the more popular methods of providing security for e-mails. These are covered in more detail in Chapter 8, “Cryptography Standards.”

E-Mail Vulnerabilities

E-mail accounts typically use a separate logon name and password from the OS user ID and password. This somewhat minimizes the security risk, unless they are the same. The authentication information for e-mail is not always encrypted and is subject to sniffing. Further, the message is unencrypted, and all contents are subject to exposure. If your e-mail servers are located in another facility and you use the Internet to communicate, your e-mails are very easily intercepted and read. If privacy is an issue, you will need to encrypt them using one of the packages or encryption schemes discussed later in this book. Any misuse of corporate resources such as e-mail servers is considered a security issue by most organizations.

[...]

The following list describes some of the security risks your e-mail server can face:

Spam

Spam refers to unsolicited junk mail received by most e-mail users today. The volume of unsolicited e-mail is growing, and entire industries... you products and services. One of the dangers of spam is that attachments sent via spam may contain viruses or other malicious code.

Hoaxes

Hoaxes are another annoying e-mail trend that is growing. From a security perspective, hoaxes include notification of new virus threats. These e-mails can be very convincing when they are received by unsuspecting users. A large-scale hoax that is going around falsely...
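As an added example (not from the book) of the sniffing risk described under E-Mail Vulnerabilities, the following detector scans constructed SMTP, POP3 and IMAP session transcripts and flags logons that were sent before any TLS upgrade, recording only the command word and never the credentials. The session contents, the port-to-protocol mapping and the STARTTLS/STLS handling are assumptions of the example, not from the text.

```python
import re

# Added example (not from the book): flag e-mail logons sent in the clear, run over
# constructed session transcripts. Each line is (port, direction, text), "C" for
# client->server and "S" for server->client. A STARTTLS/STLS upgrade accepted by the
# server is treated as protecting every later line (in a real capture those lines
# would be ciphertext and never reach this check).
SESSIONS = {
    "pop3-plain": [
        (110, "S", "+OK POP3 server ready"), (110, "C", "USER alice"), (110, "S", "+OK"),
        (110, "C", "PASS constructed-password"), (110, "S", "+OK Logged in"),
    ],
    "smtp-starttls": [
        (25, "S", "220 mail.example.test ESMTP"), (25, "C", "EHLO laptop"), (25, "S", "250-STARTTLS"),
        (25, "C", "STARTTLS"), (25, "S", "220 Ready to start TLS"), (25, "C", "AUTH LOGIN"),
    ],
    "smtp-plain": [(25, "S", "220 mail.example.test ESMTP"), (25, "C", "EHLO laptop"), (25, "C", "AUTH LOGIN")],
    "imap-plain": [(143, "S", "* OK IMAP4 ready"), (143, "C", "a001 LOGIN alice constructed-password")],
    "pop3s-implicit-tls": [(995, "C", "USER alice"), (995, "C", "PASS constructed-password")],
}

PROTOCOL_BY_PORT = {25: "smtp", 587: "smtp", 110: "pop3", 143: "imap"}
IMPLICIT_TLS_PORTS = {465, 993, 995}   # TLS from the first byte, nothing to flag
LOGON = {  # the command that carries credentials in each protocol
    "smtp": re.compile(r"^(AUTH)\b", re.I),
    "pop3": re.compile(r"^(USER|PASS)\b", re.I),
    "imap": re.compile(r"^\S+\s+(LOGIN)\b", re.I),
}
UPGRADE = {
    "smtp": re.compile(r"^STARTTLS$", re.I),
    "pop3": re.compile(r"^STLS$", re.I),
    "imap": re.compile(r"^\S+\s+STARTTLS$", re.I),
}

def upgrade_accepted(protocol, server_line):
    # Success replies: SMTP "220 ...", POP3 "+OK ...", IMAP "<tag> OK ...".
    tokens = server_line.split()
    ok = {"smtp": "220", "pop3": "+OK"}.get(protocol)
    return tokens[:1] == [ok] if ok else len(tokens) > 1 and tokens[1].upper() == "OK"

def cleartext_logons(sessions):
    # One finding per credential-bearing command seen before TLS was negotiated.
    findings = []
    for name, lines in sessions.items():
        protected, pending = False, False
        for port, direction, text in lines:
            protocol = PROTOCOL_BY_PORT.get(port)
            if port in IMPLICIT_TLS_PORTS or protocol is None or protected:
                continue
            if direction == "S":
                protected, pending = pending and upgrade_accepted(protocol, text), False
                continue
            if UPGRADE[protocol].match(text):
                pending = True
                continue
            match = LOGON[protocol].match(text)
            if match:
                findings.append({"session": name, "protocol": protocol,
                                 "port": port, "command": match.group(1).upper()})
    return findings
```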
are read, interpreted by your browser, and displayed on your system. If you want to see what HTML looks like, you can set your browser to view source code. You will see things similar to a