
Document: Mission Critical! Internet Security pptx


DOCUMENT INFORMATION

Basic information

Format
Number of pages 529
File size 3.93 MB

Content

FREE Monthly Technology Updates
One-year Vendor Product Upgrade Protection Plan
FREE Membership to Access.Globalknowledge

If it’s a high-risk, high-impact, must-not-fail situation, it’s MISSION CRITICAL!

1 YEAR UPGRADE BUYER PROTECTION PLAN

Bradley Dunsmore, A+, Network+, i-Net+, MCDBA, MCSE+I, CCNA
Jeffrey W. Brown, CISSP
Michael Cross, MCSE, MCPS, MCP+I, CNA
TECHNICAL EDITOR: Stace Cunningham, CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+

“Finally, a truly useful guide to Internet security. A must read for anyone responsible for protecting their network.”
—Mike Flannagan, Network Consulting Engineer, Cisco Systems, Inc.

INTERNET SECURITY MISSION CRITICAL!

With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created solutions@syngress.com, a service that includes the following features:

■ A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.
■ Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for solutions@syngress.com.
■ Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.
■ Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.

Once you’ve purchased this book, browse to www.syngress.com/solutions. To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you.
solutions@syngress.com

115_MC_intsec_FM 12/13/00 1:12 PM Page i

MISSION CRITICAL! INTERNET SECURITY

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  STP692AD43
002  JY536842C4
003  C392K28FA7
004  BG57C87BC2
005  22PCA94DZF
006  55ZP2ALT73
007  DUDR527749
008  XRDYEW42T3
009  MPE28494DS
010  SM359PS25L

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Mission Critical Internet Security

Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-20-2

Copy edit by: Adrienne Rebello
Index by: Robert Saigh
Technical edit by: Stace Cunningham
Page Layout and Art by: Shannon Tozier
Project Editor: Kate Glennon
Co-Publisher: Richard Kristof
Distributed by Publishers Group West

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel, Brittin Clark, and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Annabel Dent, Anneka Baeten, and Laurie Giles of Harcourt Australia for all their help.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.

From Global Knowledge

At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner.

Thank you for the opportunity to serve you. We look forward to serving your needs again in the future.

Warmest regards,
Duncan Anderson
President and Chief Executive Officer, Global Knowledge

Contributors

Bradley Dunsmore (A+, Network+, i-Net+, MCDBA, MCSE+I, CCNA) is currently working for Cisco Systems in Raleigh, NC. He is a Technical Trainer in the Service Provider Division where he develops and issues training to the solution deployment engineers. He has eight years of computer experience, the last four in enterprise networking.
Bradley has worked with Bell Atlantic, Adtran Telecommunications, and Electronic Systems Inc., a Virginia-based systems integrator. He specializes in TCP/IP and LAN/WAN communications in both small and large business environments.

Joli Annette Ballew (MCSE, MCP, MCT, A+) is a technology trainer and network consultant. She has worked as a technical writer, educational content consultant, PC technician, and MCSE instructor. Joli attended the University of Texas at Arlington and graduated with a Bachelor’s degree in Mathematics. The following year, she earned her teaching certificate from the state of Texas. After teaching for ten years, she earned her MCSE, MCT, and A+ certifications and entered the field of computer training and consulting. Joli lives near Dallas, TX and has a beautiful daughter, Jennifer.

Jeffrey W. Brown (CISSP) is a Vice President of Enterprise Information Security at Merrill Lynch in New York City, where he is responsible for security analysis, design, and implementation of global computing infrastructures. Jeff has over eight years of information technology experience. He is co-author of the Web Publisher’s Design Guide for Windows (Coriolis) and is a member of the SANS Windows Security Digest editorial board. He has been a participant in several SANS efforts including “Windows NT Security Step-by-Step,” the Windows 2000 Security Improvement Project, and the Center for Internet Security. Jeff was recently a panelist for a discussion on virtual private networking (VPN) technology at Security Forum 2000, sponsored by the Technology Manager’s Forum. He has a BA in Journalism and an MS in Publishing from Pace University.

Michael Cross (MCSE, MCPS, MCP+I, CNA) is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service.
In addition to administering their network and providing support to a user base of over 800 civilian and uniform users, he is Webmaster of their Web site (www.nrps.com). Michael also owns KnightWare, a company that provides consulting, programming, networking, Web page design, and computer training. He has served as an instructor for private colleges and technical schools in London, Ontario in Canada. He is a freelance writer and has authored over two dozen articles and chapters. He currently resides in St. Catharines, Ontario, Canada.

Jason Harper (MCSE) is a published author and technology consultant who concentrates exclusively on network and systems security, policy and network architecture technologies. Thanks go to his family, Noah, Stacey, and Laurie for all their support.

Technical Editor and Contributor

Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in San Antonio, TX. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force. While in the Air Force, Stace was heavily involved in installing, troubleshooting, and protecting long-haul circuits, ensuring the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as the circuits from TEMPEST hazards. This included American equipment as well as equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO). Stace has been an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored or served as the Technical Editor for over 30 books published by Osborne/McGraw-Hill, Syngress Publishing, and Microsoft Press.
He has also written articles for “Internet Security Advisor” magazine. His wife Martha and daughter Marissa have been very supportive of the time he spends with the computers, routers, and firewalls in the “lab” of their house.

[...]...

Chapter 1
Securing Your Internetwork

Solutions in this chapter:
■ Introduction to Internetworking Security
■ Differentiating Security Models and Attacks
■ Designing a Site Scenario
■ Network Communication in TCP/IP
■ Security in TCP/IP

115_MC_intsec_01 12/12/00 3:04 PM Page 2
Chapter 1 • Securing Your Internetwork

Introduction to Internetworking Security

Internetworking security has become a very...

Securing Your Internetwork Introduction to Internetworking Security Why the Change of Heart Toward Network Security? Differentiating Security Models and Attacks Hackers and Attack Types What Do Hackers Do? Attack Types Types of Defenses Education Application Security Physical Security Firewalls, Proxy Servers, and NAT Designing a Site Scenario Ensuring Host Security Characteristics of Network Security Availability...

(S-HTTP) Transport Layer Security Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Secure Shell (SSH) Filtering Network Layer Security IP Security Protocols (IPSec) Filtering (Access Control Lists) Data-Link Layer Security Authentication Terminal Access Controller Access System Plus (TACACS+) Remote Dial-In User Service (RADIUS) Kerberos Summary FAQs Chapter 2 Internetwork Security Concepts Introduction...

Windows 2000 Problems and Limitations What Is the Same? Windows 2000 Distributed Security Services Active Directory and Security Advantages of Active Directory Account Management Managing Security via Object Properties Managing Security via Group Memberships Active Directory Object Permissions Relationship between Directory and Security Services Domain Trust Relationships The Great Link: Kerberos Trusts...
VPNs Internal VPNs IPSec Security Issues The Encryption Starts Here Who’s Knocking? He Sent Us What? Who Has the Certificate? Summary FAQs Chapter 4 Internet Security Applications Introduction Integration of Internet Security Applications Security Concerns Security Services Cryptography Keys...

support those needs has made security management a difficult task. Security will be only as good as the weakest link in the security chain. Security management tools that can create, distribute, and audit consistent security configurations and policies are critical for large and distributed organizations.

www.syngress.com

Hackers...

an information security policy, and supports it by providing the resources to build and maintain an effective security program.

An effective security program includes awareness, prevention, detection, measurement, management, and response to minimize risk. There is no such thing as perfect security. The...

network security failures have been widely publicized in the world press. An advantage to this unfortunate situation is the lowered resistance from upper management to support security initiatives. Getting upper management support is the first step in creating an effective network security program. Management must provide the authority to implement security processes and procedures. Management commits to security...
while they still have an Internet connection through their DSL or cable modem. Attention to detail in the security policy, workstation configuration, and user awareness is critical in order to ensure that vulnerabilities don’t creep into your system.

Ensuring Host Security

Any vendor’s software is susceptible to harbouring security vulnerabilities. Almost every day, Web sites that track security vulnerabilities,...

What SSH Can and Can’t Protect You From Potential Security Risks with SSH Understanding PGP Using PGP The Web of Trust Potential Security Risks with PGP Understanding S/MIME Additions to MIME How S/MIME Works Potential Security Risks with S/MIME Understanding Kerberos Kerberos Components How Kerberos Works Comparing Kerberos and Windows 2000 Potential Security Risks with Kerberos Summary FAQs Chapter

Date posted: 24/01/2014, 10:20
