Introduction to Infrastructure Security
Companies invest millions of dollars annually in their computing infrastructure on items such as networking equipment and its maintenance, workstation and server hardware and software, and security devices, among many others. Security professionals must be familiar with the latest products and understand the security implications of their use in a particular environment.
The following is a list of the exam objectives you will be covering in this chapter:
3.1 Understand security concerns and concepts of the following types of devices:
- Firewalls
- Routers
- Switches
- Wireless
- Modems
- RAS (Remote Access Server)
- Telecom/PBX (Private Branch Exchange)
- VPN (Virtual Private Network)
- IDS (Intrusion Detection System)
- Network Monitoring/Diagnostics
- Workstations
- Servers
- Mobile Devices
3.2 Understand the security concerns for the following types of media:
- Coaxial Cable
- UTP/STP (Unshielded Twisted Pair/Shielded Twisted Pair)
- Fiber Optic Cable
- Removable Media
- Tape
- CD-R (Recordable Compact Disks)
- Hard Drives
- Diskettes
- Flash Cards
- Smart Cards
3.3 Understand the concepts behind the following kinds of security topologies:
- Security Zones
- DMZ (Demilitarized Zone)
- Intranet
- Extranet
- VLANs (Virtual Local Area Network)
- NAT (Network Address Translation)
- Tunneling
3.4 Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system:
- Network Based
  - Active Detection
  - Passive Detection
- Host Based
  - Active Detection
  - Passive Detection
- Honey Pots
- Incident Response
3.5 Understand the following concepts of security baselines, be able to explain what a security baseline is, and understand the implementation and configuration of each kind of intrusion detection system:
- OS/NOS (Operating System/Network Operating System) Hardening
  - File System
  - Updates (Hotfixes, Service Packs, Patches)
- Network Hardening
  - Updates (Firmware)
  - Configuration
    - Enabling and Disabling Services and Protocols
    - Access Control Lists
- Application Hardening
  - Updates (Hotfixes, Service Packs, Patches)
  - Web Servers
  - Email Servers
  - FTP (File Transfer Protocol) Servers
  - DNS (Domain Name Service) Servers
  - NNTP (Network News Transfer Protocol) Servers
  - File/Print Servers
  - DHCP (Dynamic Host Configuration Protocol) Servers
  - Data Repositories
    - Directory Services
    - Databases
3.1: Understanding Device Security
Many different types of components make up the present day computer network infrastructure. Every hardware device you incorporate into the network has its security concerns. They include firewalls, routers, switches, modems, various types of servers, workstations, mobile devices, and much more. You must adequately secure each of these components because a network is only as secure as its weakest link. The Security+ exam tests your knowledge of the security issues of all the common network devices.
Exercise 3.1.1: Configuring a Firewall in Windows 2000
A firewall is a device designed to shield internal network components from threats originating from the outside world. Firewalls work by capturing and analyzing data entering the network from external points and then rejecting undesirable types of data according to rules configured on the firewall. The major types of firewalls are as follows:
- Packet-filtering: Operating at the Network layer (Layer 3) of the Open Systems Interconnection (OSI) model, this type of firewall filters packets based on IP addresses, ports, or protocols. This type of firewall is frequently configured on a router.
- Proxy service firewall: A proxy server acts as an intermediary between internal networks and the Internet. One type of proxy service firewall is the circuit-level gateway, which operates at the Session layer (Layer 5) of the OSI model and ensures that sessions established with the internal network are legitimate. Another type is the application-level gateway, which operates at the Application layer (Layer 7) of the OSI model and checks for which application-layer protocols are allowed.
- Stateful-inspection firewall: This type of firewall combines the best of the other firewall technologies by using algorithms to process data at the OSI Application layer while monitoring communication states. In this manner, it operates at all layers of the OSI model. The Windows Firewall included with Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP1 is an example of a stateful-inspection firewall.
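The difference between filtering on addresses and ports alone and also monitoring communication states can be seen in a small model. The following Python sketch is an added example, not part of the original exercise; the rule format, the addresses, and the names Packet, Rule, and StatefulFirewall are assumptions, and it models only the state-tracking part of stateful inspection (no TCP flags, timeouts, or application-layer checks).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    proto: str                    # "tcp", "udp" or "any"
    dports: tuple = (0, 65535)    # inclusive destination port range

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dports[0] <= pkt.dport <= rule.dports[1])

def packet_filter(rules, pkt):
    """Stateless filter: first matching rule wins, anything unmatched is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

class StatefulFirewall:
    """Same rule engine plus a table of flows that an allowed packet opened."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def check(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:          # reply to a flow already allowed
            return "allow"
        verdict = packet_filter(self.rules, pkt)
        if verdict == "allow":
            self.flows.add(flow)
        return verdict

# Constructed sample policy: 192.168.1.0/24 is the internal network.
WEB_OUT = Rule("allow", "192.168.1.0/24", "0.0.0.0/0", "tcp", (80, 80))
# A stateless filter needs this broad rule so that web replies can return.
REPLIES_IN = Rule("allow", "0.0.0.0/0", "192.168.1.0/24", "tcp", (1024, 65535))

def compare():
    """Run the same three constructed packets through both designs."""
    request = Packet("192.168.1.10", 50000, "203.0.113.5", 80)
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 50000)
    unsolicited = Packet("198.51.100.7", 40000, "192.168.1.10", 50001)
    packets = (request, reply, unsolicited)
    stateless = [packet_filter([WEB_OUT, REPLIES_IN], p) for p in packets]
    firewall = StatefulFirewall([WEB_OUT])
    stateful = [firewall.check(p) for p in packets]
    return stateless, stateful

if __name__ == "__main__":
    print(compare())
```

The stateless rule set has to admit every inbound packet aimed at a high port, while the stateful model admits only the reply that matches a flow an internal client opened.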
Many businesses utilize some type of server or other hardware device as a firewall. Several companies produce software firewalls that can be used to protect single computers or small networks. In this exercise, you install and configure ZoneAlarm, which is a software firewall that is well suited to protecting home- or small-office computers or networks. Perform this exercise on a computer running Windows 2000 Professional:
Log on to the Windows 2000 Professional computer as an administrator.
Connect to the Internet and navigate to http://www.zonelabs.com/store/content/home2.jsp.
Click the Free Downloads and Trials link.
Click the ZoneAlarm Free Download link, and then click Download FREE ZoneAlarm.
When the download completes, click Open and follow the instructions presented by the installation wizard.
When requested, click Yes to start ZoneAlarm.
In the Zone Labs Security Options window, click the Select ZoneAlarm option, click Next, and then click Finish.
Follow the instructions in the configuration wizard that next appears.
When requested, click OK to restart your computer.
When the computer restarts, log back on as administrator. You see the tutorial shown in Figure 3.1.
Click Next to display the Do I Need to Change the Default Firewall Settings to Be Secure page. Note the options and then click Next again.
Note the actions performed by ZoneAlarm on each page of this wizard, including their definition of "zones," which is simpler than that used by Internet Explorer. When you reach the end of the wizard, click Done.
You can modify all options provided by ZoneAlarm from its control panel. (See Figure 3.2.)
Select the various pages provided from the left side of the ZoneAlarm control panel. These pages are as follows:
- Overview: As shown in Figure 3.2, provides an overview of the actions that ZoneAlarm has performed.
- Firewall: Allows you to select the security levels for the two zones provided by ZoneAlarm.
- Program Control: Determines whether applications are able to access the Internet.
- Antivirus Monitoring: Displays the status of your antivirus software.
- E-mail Protection: Allows you to turn on MailSafe, which is a supplement to antivirus software that helps to protect you from email-borne viruses.
- Alerts & Logs: Allows you to decide whether to display messages on the screen when ZoneAlarm blocks an intrusion. Click Advanced to configure logging properties.
Close the ZoneAlarm control panel when you finish exploring and configuring the available options.
NOTE
If you want to try out the ZoneAlarm Pro option for 14 days, choose the Select ZoneAlarm Pro option on this window. You can purchase this program later if you want.
Figure 3.1 The ZoneAlarm tutorial provides information on the available options and configuration settings that serve to protect your computer.
Figure 3.2 You can display intrusion information and configure all available options from the various pages presented by the ZoneAlarm control panel.
CAUTION
You need to know the major well-known ports for the Security+ exam. Knowledge of these ports is vital for answering questions related to firewalls or network access. Be sure you know the following TCP ports as a minimum: 20, File Transfer Protocol (FTP) control; 21, FTP data; 22, Secure Shell (SSH); 23, Telnet; 25, Simple Mail Transfer Protocol (SMTP); 80, Hypertext Transfer Protocol (HTTP); 110, Post Office Protocol 3 (POP3); 119, Network News Transfer Protocol (NNTP); 143, Internet Message Access Protocol (IMAP4); 443, Secure Sockets Layer (SSL and HTTPS); 1812, Remote Authentication Dial-In User Service (RADIUS); and 3389, Microsoft Remote Desktop.
Exercise 3.1.2: Understanding Vulnerabilities in Routers, Switches, Modems, RAS, Telecom, and VPN
The most secure computer system is one not connected to a network. However, isolated systems have few uses in today's environments. The reality is that your computers will most likely be accessible from remote clients in some manner. Be aware that every access path to your system has inherent vulnerabilities.
This exercise directs you to uncover some of the general risks with each type of remote access. Although each of the remote access approaches we discuss is more secure than wide-open access, there are still vulnerabilities you must be aware of and address.
In this exercise, you take a look at a few network access devices and the security vulnerabilities associated with each one. Let's start with switches. Although switches can make it harder for attackers to sniff networks for valuable information, they can also make it easier to launch some attacks. Next, we'll look at virtual private networks (VPNs). Although a VPN is a method to increase connection security, careless implementation can decrease your overall system's security. Then we'll look at modems. The modems you know about aren't the ones that will hurt you. It's the ones you don't know about, which someone has connected to your network, that will cause problems:
Connect to the Internet and browse to http://networking.earthweb.com/netsysm/article.php/933801. This article by Joseph Sloan discusses security problems inherent with switches. Although switches provide some protection from sniffing of network traffic, this protection can be circumvented. What are three ways in which this can occur?
Continue to Sloan's second article and summarize several methods by which you can overcome these problems in a Unix environment.
Navigate to http://www.winnetmag.com/Articles/Index.cfm?ArticleID=8878. This article discusses a tool named Arpredirect, which is an Address Resolution Protocol (ARP) poisoning tool that can sniff traffic across switches. How does this tool work? What capabilities does it provide for an intruder who uses it to access data on your network? For more information, you might want to follow the link provided to Dug Song's Web site, which in turn links to additional articles related to security concerns of switched networks.
For an account of programming code that enabled hackers to launch denial of service (DoS) attacks against Cisco routers and switches, go to http://www.computerworld.com/securitytopics/security/story/0%2C10801%2C83820%2C00.html. What can happen if this code is run against a router to send a series of IP packets with a special format? What do network administrators have to do if this happens? Describe two actions that the networking team must perform to mitigate this vulnerability.
In Chapter 2, "Communication Security," you learned how to configure RAS and VPN from a Microsoft perspective. Navigate to http://www.ticm.com/info/insider/old/dec1997.html for a discussion of RAS and VPN vulnerabilities. What are several vulnerabilities inherent in these technologies? Describe how you would mitigate each vulnerability.
Matthew Mitchell presents another view of VPN vulnerabilities at http://www.giac.org/practical/matthew_mitchell_gsec.doc. How does encapsulation protect the data on the VPN? We will discuss the encryption algorithms mentioned in this article in Chapter 4, "Basics of Cryptography." What is the limitation of VPN data encryption? How can an unprotected network share become a vulnerability, and what are several consequences of such vulnerabilities? How can an attacker compromise a corporate network through computers used by telecommuters working from home and connected by DSL or cable modems, and what consequences can occur? Summarize the seven-step procedure outlined by Mitchell for protecting users accessing the network by means of a VPN.
Mark Collier discusses telecom, Voice over IP (VoIP), and PBX security at http://nwc.networkingpipeline.com/22104067. What are several possible VoIP deployment scenarios, and how can they be attacked? Summarize the types of vulnerabilities inherent in these devices, and note how they include many of the types of attacks you studied in Chapter 1, "General Security Concepts."
Another vulnerability associated with RAS and VPNs is that of war dialing. Navigate to http://searchsecurity.techtarget.com/sDefinition/0,290660,sid14_gci546705,00.html for a concise definition of this term and how a war dialer can be used to penetrate networks.
For more information on war dialing and how to mitigate this threat, continue to http://www.sans.org/rr/papers/60/471.pdf. What are several dangers associated with dial-up connections? How does a war dialer work, and what data can it provide? How can an intruder using a war dialer cover up his actions? Describe some components of a policy that should be applied to a company's dial-up users. How can a security professional test her network's vulnerability to the threat of war dialing?
Unauthorized hardware such as modems presents another threat to the security of the network infrastructure. Go to http://www.cert.org/security-improvement/practices/p097.html and summarize the reasons why unauthorized hardware can be of concern. What are several means that you can use on a daily or monthly basis to detect unauthorized modems and other peripherals?
NOTE
If the URLs provided in this or other exercises no longer exist, simply use your favorite search engine to locate other sites that contain information pertinent to the topics at hand.
CAUTION
The use of switches is a good method for limiting hostile sniffing across the LAN.
NOTE
The SANS Reading Room (http://www.sans.org/rr) is a good place to look for papers on many topics you need to know for the Security+ exam. The idea in the situation discussed here is to research problems associated with allowing a secure connection to terminate on an insecure client.
Exercise 3.1.3: Windows Network Monitor
Microsoft provides several support tools that help administrators monitor network traffic. A network monitor is a tool that sniffs data packets being transmitted across the network and allows an individual to display and analyze the contents of packets. This individual could be a hacker or a network administrator who is searching for evidence of intrusion or other network problems. Specifically, Microsoft Network Monitor provides visibility into what types of traffic are traveling across network segments. The version of Network Monitor depends on the version of Windows you are using. For this exercise, we use the Network Monitor Capture Utility for Microsoft Windows 2000 Server:
NOTE
Network Monitor is available for Microsoft Systems Management Server, and the Network Monitor Capture Utility, a command-line implementation with similar basic capture capabilities, is available for Windows XP Professional. To make this exercise available to the largest number of installations, we use the Network Monitor Capture Utility for Windows 2000 Server.
In this exercise, you will install Network Monitor. You will also install Dynamic Host Configuration Protocol (DHCP) so that you can capture packets from the four-step DHCP process occurring at a client computer seeking TCP/IP configuration. You will use two computers, one running Windows 2000 Server and the other running Windows 2000 Professional or Windows XP Professional. Steps on a computer running Windows Server 2003 are similar:
Click Start, Settings, Control Panel, Add/Remove Programs.
Select Add/Remove Windows Components to start the Windows Components Wizard.
Select Management and Monitoring tools and click Details.
In the Management and Monitoring Tools dialog box, select Network Monitor Tools, click OK, and then click Next.
When prompted, insert the Windows 2000 Server CD-ROM, and then click OK.
Click Finish when the completion page appears.
Click Add/Remove Windows Components again, select Networking Services, and then click Details.
In the Networking Services dialog box, select Dynamic Host Configuration Protocol (DHCP), click OK, and then click Next.
When the completion page appears, click Finish, and then close Add/Remove Programs and Control Panel.
Click Start, Programs, Administrative Tools, Network Monitor. The Microsoft Network Monitor utility opens.
If a dialog box opens that discusses selecting a network adapter, click OK to allow Network Monitor to select a network adapter for your system. The initial Network Monitor window is shown in Figure 3.3.
Click Start, Programs, Administrative Tools, DHCP.
In the DHCP console, right-click your server and choose New Scope.
Click Next, provide a name for a test scope, and click Next again.
Type 192.168.1.101 and 192.168.1.200 for a range of addresses that the DHCP server will assign to clients, and then click Next twice.
On the Configure DHCP Options page, select No, I Will Configure These Options Later, and then click Next again until you reach the completion page.
Click Finish and close the DHCP console.
To capture some network traffic from the network adapter, click Capture, Start.
To generate some network traffic, start a DHCP session with a computer running Windows 2000 Professional. Log on to the Windows 2000 Professional computer as an administrator.
Right-click My Network Places and choose Properties.
In the Network and Dial-Up connections dialog box, right-click Local Area Connection and choose Properties.
In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) and then click Properties.
In the Internet Protocol (TCP/IP) Properties dialog box, click Obtain an IP Address Automatically and then click OK.
Close the Internet Protocol (TCP/IP) Properties and Local Area Connection Properties dialog boxes.
Return to the server. Network Monitor should now indicate that some packets have been captured. Click Capture, Stop.
Click Capture, Display Captured Data. This displays a summary capture window.
Scroll this window, watching the columns labeled Protocol and Description. You should be able to locate packets for the DHCP protocol with descriptions labeled Discover, Offer, Request, and ACK (as shown in Figure 3.4). They represent the four steps of the DHCP process and show how you can use Network Monitor to capture and analyze data on the network.
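The Discover, Offer, Request, and ACK labels in the capture summary come from option 53 inside each DHCP message. The following Python sketch is an added example, not part of the original exercise: it decodes constructed DHCP payloads, confirms the four-step order, and checks that the leased address falls inside the 192.168.1.101 to 192.168.1.200 scope configured earlier. The client hardware address, transaction ID, server address 192.168.1.1, and the helper names are assumptions.

```python
import ipaddress
import struct

BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236-byte fixed BOOTP header
MAGIC = bytes([99, 130, 83, 99])                      # DHCP magic cookie
TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
         5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}
# Address range entered in the New Scope wizard earlier in this exercise.
SCOPE = (ipaddress.ip_address("192.168.1.101"), ipaddress.ip_address("192.168.1.200"))

def parse_dhcp(payload):
    """Decode the UDP payload of one DHCP message."""
    start = BOOTP.size + len(MAGIC)
    if len(payload) < start or payload[BOOTP.size:start] != MAGIC:
        raise ValueError("not a DHCP message")
    fields = BOOTP.unpack_from(payload)
    hlen, xid, yiaddr, chaddr = fields[2], fields[4], fields[8], fields[11]
    options, i = {}, start
    while i < len(payload) and payload[i] != 255:     # 255 = end option
        if payload[i] == 0:                           # 0 = one-byte pad
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        options[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    if len(options.get(53, b"")) != 1:                # 53 = DHCP message type
        raise ValueError("missing DHCP message type option")
    server = options.get(54)                          # 54 = server identifier
    return {"xid": xid,
            "type": TYPES.get(options[53][0], "Unknown"),
            "client": chaddr[:hlen].hex(":"),
            "yiaddr": ipaddress.ip_address(yiaddr),
            "server": ipaddress.ip_address(server) if server else None}

def review(capture):
    """Return the decoded messages and any deviation from a clean four-step lease."""
    msgs = [parse_dhcp(p) for p in capture]
    findings = []
    order = [m["type"] for m in msgs]
    if order != ["Discover", "Offer", "Request", "ACK"]:
        findings.append(f"unexpected sequence {order}")
    if len({m["xid"] for m in msgs}) > 1:
        findings.append("messages carry different transaction IDs")
    for m in msgs:
        if m["type"] in ("Offer", "ACK") and not SCOPE[0] <= m["yiaddr"] <= SCOPE[1]:
            findings.append(f"{m['type']} from {m['server']} assigns {m['yiaddr']}, outside the scope")
    return msgs, findings

def build(op, msg_type, yiaddr="0.0.0.0", server=None, xid=0x3903F326):
    """Construct a sample message (test data, not captured traffic)."""
    header = BOOTP.pack(op, 1, 6, 0, xid, 0, 0, bytes(4),
                        ipaddress.ip_address(yiaddr).packed, bytes(4), bytes(4),
                        bytes.fromhex("00105a1b2c3d"), b"", b"")
    options = bytes([53, 1, msg_type])
    if server:
        options += bytes([54, 4]) + ipaddress.ip_address(server).packed
    return header + MAGIC + options + b"\xff"

def sample_capture(offered="192.168.1.101", server="192.168.1.1"):
    """Constructed Discover, Offer, Request, ACK exchange for one client."""
    return [build(1, 1), build(2, 2, offered, server),
            build(1, 3), build(2, 5, offered, server)]

if __name__ == "__main__":
    for message in review(sample_capture())[0]:
        print(message)
```

An Offer or ACK that assigns an address outside the configured scope is worth investigating, because it means a DHCP server other than the one you set up answered the client.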
Figure 3.3 Network Monitor provides details of packets captured at the local computer.
NOTE
After you capture a file of network traffic, you need the complete Network Monitor tool to view its contents. This tool is available on Microsoft Systems Management Server.
Consult the Windows Support Tools help file for a complete description of the Network Monitor Capture Utility.
Figure 3.4 Network Monitor provides information on the contents of frames captured from the network adapter.
Exercise 3.1.4: Diagnostics and Utilities Used for Monitoring Networks, Workstations, Servers, and Mobile Devices
Many utilities allow you to monitor various system events and activity. With respect to network activity, we'll look at a few common utilities in this exercise. This exercise focuses on Microsoft Windows, but these utilities are commonly found on other operating systems as well.
The basic purpose of monitoring utilities is to take a snapshot of activity so you can improve the performance or security of a system. The utilities generally provide raw data for you to analyze. The more you can request very specific data, the quicker you will be able to zero in on pertinent information. Take the time to learn how to use monitoring utilities and their common features. You will be rewarded with the information to adjust your systems to perform the way you intend:
Launch a Windows command prompt by choosing Start, Programs, Accessories, Command Prompt. If you are using Unix or Linux, these commands are accessible from the command line in any shell.
Use the ping command to test a remote computer to see whether it is reachable. Type ping IP address. (You can also use a fully qualified domain name [FQDN]; for example, we used ping www.foxnews.com.) The ping command shows the amount of time it takes to reach the target system and for the target system to respond (see Figure 3.5).
Use the tracert command to show how many machines, or hops, exist between your computer and the target (see Figure 3.6). This utility is useful to diagnose performance issues by showing the path between two machines. Type tracert IP address or tracert FQDN (for example, we used tracert www.foxnews.com).
Use the netstat command to show the status of ports on your machine. Type netstat -a to show all ports that are listening for connections (see Figure 3.7). You can also use netstat to show which process is listening to a port. This option is nice when you are trying to find unknown or hostile programs installed on a machine. When you know that a port is open, you can use other utilities to determine what program opened the port. In Windows, you need to install third-party utilities, such as Inzider (http://ntsecurity.nu/toolbox/inzider/) or Foundstone's FPortNG tool (http://www.foundstone.com/knowledge/zips/FPortNG.zip).
Figure 3.5 The ping command verifies the existence of and connectivity to a remote machine on the Internet.
The ping command sends special network packets, Internet Control Message Protocol (ICMP) echo packets, to remote computers. If the remote computer allows and responds to ICMP packets, you should get a response from the ping command. However, some firewalls block or drop ICMP packets so the ping command doesn't always report back correctly. When it doesn't provide a response from the target system, you have to use other, more sophisticated, diagnostic tools. All ping tells you is that the target machine responded to an ICMP echo packet.
The tracert command is similar to the ping command in that it sends ICMP echo packets. The difference is in the use of the Time to Live (TTL) field in the ICMP packet. A router decrements the TTL value when it receives an ICMP packet and most routers return a "TTL expired in transit" message when the TTL value reaches 0. The tracert command sends out many ICMP packets, with TTL values ranging from 1 to some maximum value. At each hop along the way, routers decrement the TTL values. The first router in the path returns the TTL packet that started with a TTL value of 1. The second router returns the packet whose TTL value started with 2. The sender listens for returned ICMP packets and constructs the route all the way to the destination.
Figure 3.6 The tracert command provides information on all routers through which the signal passes to reach a target machine.
Figure 3.7 The netstat -a command displays a list of all ports that are listening for connections on your machine.
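To use netstat for finding unknown programs, compare its listening ports against a list of the listeners you expect on the machine. The following Python sketch is an added example, not part of the original exercise: the netstat -a -n output, the baseline, and the function names are constructed for illustration (-n makes netstat print numeric addresses and ports).

```python
import re

# Constructed sample of `netstat -a -n` output on a Windows host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:69             *:*
"""

# Listeners the administrator expects on this machine (constructed baseline).
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 445)}

# Proto, local address, local port, foreign address, optional state.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listeners(text):
    """Return (proto, local address, port) for every socket waiting for traffic."""
    found = []
    for line in text.splitlines():
        match = LINE.match(line)
        if not match:
            continue                      # banner, header and blank lines
        proto, addr, port, _foreign, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established or closing connection
        # UDP rows carry no state column; every bound UDP socket is kept.
        found.append((proto, addr, int(port)))
    return found

def unexpected(text, baseline):
    """List listeners missing from the baseline, with how far they are exposed."""
    findings = []
    for proto, addr, port in listeners(text):
        if (proto, port) in baseline:
            continue
        local = addr in ("127.0.0.1", "[::1]")
        reach = "local only" if local else "reachable from the network"
        findings.append((proto, port, reach))
    return findings

if __name__ == "__main__":
    for finding in unexpected(SAMPLE, BASELINE):
        print(finding)
```

Each port reported here is a candidate for the follow-up described in the netstat step, where you identify the program that opened it.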
These are just a few of the many monitoring utilities that exist for capturing and analyzing the status and activity of your systems. Look at your system's administration documentation for additional utilities. In addition, check the following sites on the Internet for suitable monitoring utilities:
Labmice at http://labmice.techtarget.com/Utilities/networkmonitor.htm offers a range of freeware and shareware administrative tools with brief descriptions of each.
Adle Enterprises at http://www.adlenterprises.com/Utilities/Network/linux-network-monitoring.php offers Linux network monitoring shareware tools.
NetSaint is a network monitoring tool primarily designed for Linux. Information and downloads, as well as links to other monitoring utilities, are available at http://www.netsaint.org/docs/0_0_6/about.html.
Monitor Tools at http://www.monitortools.com/cat_networksystem/ offers a comprehensive list of links to network and system monitoring utilities for all operating systems.
What Did I Just Learn?
Now that you have looked at device security, let's take a moment to review all the critical items you've experienced in this lab:
A firewall is a hardware or software device that stops unwanted network or Internet traffic from entering a computer or network. ZoneAlarm is a popular software firewall that is easily configured for home- or small-office computers.
Every network device has some kind of vulnerability associated with it. We looked at ARP poisoning as it affects switches, unauthorized modems, and VPN vulnerabilities.
The Microsoft Support Tools includes a simple Network Monitor Capture Utility that you can use to capture and analyze traffic from the network adapter of a Windows computer. Although Microsoft makes it easy to capture network data, it is more important to understand how to interpret network activity.
Several TCP/IP utilities allow you to monitor system activity and connectivity on Windows, Unix, or other computers.