Network Security Bible Dr. Eric Cole, Dr. Ronald Krutz, and James W. Conley WILEY

Transcription

1 WILEY Wiley Publishing, Inc. Network Security Bible Dr. Eric Cole, Dr. Ronald Krutz, and James W. Conley

2 Contents Acknowledgments Introduction Part I: Security Principles and Practices Chapter 1: Information System Security Principles 3 Key Principles of Network Security 3 Confidentiality '.'.['. 4 Integrity 4 Availability 4 Other important terms 4 Formal Processes c The systems engineering process '.'.'.'. 5 The Information Assurance Technical Framework 6 The Information Systems Security Engineering process 11 The Systems Development Life Cycle.'!! 21 Information systems security and the SDLC '.'.'.'.'.'. 22 Risk Management 31 Definitions 32 Risk management and the SDLC [ ' ' [ 33 Summary 42 Chapter 2: Information System Security Management 43 Security Policies 43 Senior management policy statement [ [[ 44 Standards, guidelines, procedures, and baselines 45 Security Awareness 46 Training [ 46 Measuring awareness [ 47 Managing the Technical Effort 48 Program manager 48 Program management plan '!! 48 Systems engineering management plan 48 Configuration Management 56 Primary functions of configuration management [ [ [ 56 Definitions and procedures 57

3 XI j Contents Business Continuity and Disaster Recovery Planning 59 Business continuity planning 60 Disaster recovery planning 64 Physical Security 67 Controls 68 Environmental issues 72 Fire suppression 73 Object reuse and data remanence 74 Legal and Liability Issues 75 Types of computer crime 75 Electronic monitoring 76 Liability 76 Summary 77 Chapter 3: Access Control Considerations 79 Control Models 79 Discretionary access control 79 Mandatory access control 80 Non-discretionary access control 81 Types of Access Control Implementations 81 Preventive/Administrative 81 Preventive/Technical 82 Preventive/Physical 82 Detective/Administrative 82 Detective/Technical 83 Detective/Physical 83 Centralized/Decentralized access controls 84 Identification and Authentication 84 Passwords 85 Biometrics 85 Single Sign-On 86 Databases 90 Relational databases 90 Other database types 92 Remote Access 93 RADIUS 93 TACACS and TACACS+ 93 Password Authentication Protocol 94 Challenge Handshake Authentication Protocol 94 Callback 95 Summary 95

4 Contents Part II: Operating Systems and Applications Chapter 4: Windows Security 99 Windows Security at the Heart of the Defense 101 Who would target me? 101 Be afraid 102 Microsoft recommendations 103 Out-of-the-Box Operating System Hardening 105 Prior to system hardening 105 The general process of system hardening 105 Windows 2003 new installation example 107 Specifics of system hardening 110 Securing the typical Windows business workstation 114 Securing the typical Windows gaming system 114 Installing Applications 115 Antivirus protection 116 Personal firewalls 118 Secure Shell 118 Secure FTP 119 Pretty Good Privacy 119 Putting the Workstation on the Network 120 Test the hardened workstation 120 Physical security 120 Architecture 120 Firewall 121 Intrusion detection systems 122 Operating Windows Safely 122 Separate risky behavior 122 Physical security issues 124 Configuration issues 125 Configuration control 127 Operating issues 130 Upgrades and Patches 138 Keep current with Microsoft upgrades and patches 138 Keep current with application upgrades and patches 139 Keep current with antivirus signatures 139 Use the most modern Windows version 140 Maintain and Test the Security 140 Scan for vulnerabilities 141 Test questionable applications 141 Be sensitive to the performance of the system 141 Replace old Windows systems 142 Periodically re-evaluate and rebuild 142 Monitoring 143 Logging and auditing 144

5 XIV Contents Clean up the system 144 Prepare for the eventual attack 145 Attacks Against the Windows Workstation 145 Viruses 145 Worms 146 Trojan horses 147 Spyware and ad support 148 Spyware and "Big Brother" 149 Physical attacks 149 TEMPEST attacks 150 Backdoors 150 Denial-of-service attacks 151 File extensions 151 Packet sniffing 152 Hijacking and session replay 152 Social engineering 152 Summary 153 Chapter 5: UNIX and Linux Security 155 The Focus of UNIX/Linux Security 155 UNIX as a target 155 UNIX/Linux as a poor target 157 Open source issues 158 Physical Security 160 Limiting access 161 Detecting hardware changes 162 Disk partitioning 163 Prepare for the eventual attack 164 Controlling the Configuration 166 Installed packages 166 Kernel configurations 167 Operating UNIX Safely 174 Controlling processes 174 Controlling users 187 Encryption and certificates 194 Hardening UNIX 196 Configuration items 196 TCP wrapper 198 Checking strong passwords 198 Packet filtering with iptables 199 Summary 200 Chapter 6: Web Browser and Client Security 201 Web Browser and Client Risk 201 Privacy versus security 202 Web browser convenience 202

6 Contents Web browser productivity and popularity 202 Web browser evolution 203 Web browser risks Issues working against the attacker How a Web Browser Works 205 HTTP, the browser protocol 205 Cookies 208 Maintaining state 210 Caching 212 Secure Socket Layer 212 Web Browser Attacks Hijacking attack Replay attack 217 Browser parasites 218 Operating Safely 219 Keeping current with patches 220 Avoiding viruses 220 Using secure sites 220 Securing the network environment 222 Using a secure proxy 223 Avoid using private data 223 General recommendations 224 Web Browser Configurations Cookies Plugins 226 Netscape-specific issues Internet Explorer-specific issues Summary 236 Chapter 7: Web Security 237 What Is HTTP? How Does HTTP Work? HTTP implementation 242 Persistent connections 244 The client/server model 248 Put Get BurstableTCP HTML Server Content 252 CGI scripts PHP pages Client Content 254 JavaScript 254 Java 255 ActiveX 257

7 XVI Contents State 260 What is state? 260 How does it relate to HTTP? 260 What applications need state? 260 Tracking state 261 Cookies 261 Web bugs 264 URL tracking 265 Hidden frames 265 Hidden fields 266 Attacking Web Servers 266 Account harvesting 266 SQL injection 267 E-commerce Design 269 Physical location 269 Summary 271 Chapter 8: Security 273 The Risk 273 Data vulnerabilities 273 Simple versus collaboration 274 Spam 285 Maintaining confidentiality 288 Maintaining integrity 289 availability issues 290 The Protocols 290 SMTP 290 POP 294 IMAP 295 Authentication 296 Plain login 296 Login authentication 297 APOP 297 NTLM/SPA 298 +OK logged onpop before SMTP 299 Kerberos and GSSAPI 299 Operating Safely When Using 300 Be paranoid 300 Mail client configurations 301 Application versions 302 Architectural considerations 302 SSH tunnel 303 PGPandGPG 307 Summary 308

8 Contents Chapter 9: Domain Name System 309 Purpose of DNS Forward lookups Reverse lookups 316 Alternative Approaches to Name Resolution 318 Security Issues with DNS 319 Misconfigurations Zone transfers Predictable query IDs 325 Recursion and iterative queries 325 DNS Attacks Simple DNS attack Cache poisoning 327 Designing DNS 329 Split DNS Split-split DNS Master Slave DNS 331 Detailed DNS Architecture 331 Summary 332 Chapter 10: Server Security 333 General Server Risks 333 Security by Design 334 Maintain a security mindset Establishing a secure development environment Secure development practices 344 Test, test, test 351 Operating Servers Safely Controlling the server configuration Controlling users and access 356 Passwords Monitoring, auditing, and logging Server Applications 358 Data sharing 358 Peer to peer 362 Instant messaging and chat 363 Summary 364 Part III: Network Security Fundamentals Chapter 11: Network Protocols 367 Protocols 367 The Open Systems Interconnect Model 368

9 XVIII Contents The OSI Layers The Application layer The Presentation layer 370 The Session Layer 370 The Transport layer 371 The Network layer 372 The Data Link layer The Physical layer The TCP/IP Model TCP/IP Model Layers Network Address Translation 379 Summary 379 Chapter 12: Wireless Security 381 Electromagnetic Spectrum 381 The Cellular Phone Network 383 Placing a Cellular Telephone Call 385 Wireless Transmission Systems 386 Time Division Multiple Access 386 Frequency Division Multiple Access 386 Code Division Multiple Access 387 Wireless transmission system types 388 Pervasive Wireless Data Network Technologies 393 Spread spectrum 393 Spread spectrum basics IEEE Wireless LAN Specifications The PHY layer The MAC layer IEEE802.il Wireless Security WEP WEP security upgrades Bluetooth 413 Wireless Application Protocol Summary Chapter 13: Network Architecture Fundamentals 417 Network Segments 418 Public networks 418 Semi-private networks 418 Private networks 419 Perimeter Defense 419 Network Address Translation 420 Basic Architecture Issues 422 Subnetting, Switching, and VLANs 424 Address Resolution Protocol and Media Access Control Addresses

10 Contents Dynamic Host Configuration Protocol and Addressing Control 428 Firewalls 429 Packet filtering firewalls 430 Stateful packet filtering 432 Proxy firewalls 433 Disadvantages of firewalls 434 Intrusion Detection Systems 435 Types of intrusion detection systems 436 Methods and modes of intrusion detection 439 Responses to Intrusion Detection 442 Common Attacks 442 Summary 444 Part IV: Communications Chapter 14: Secret Communication 447 General Terms Historic Cryptography Substitution ciphers 449 Ciphers that shaped history 455 The Four Cryptographic Primitives 455 Random number generation Cast Introduction Symmetric Encryption 460 Stream ciphers Block ciphers Sharing keys 465 Asymmetric Encryption (Two-Key Encryption) Using a Certificate Authority Using a web of trust 469 Digital signatures 470 Hash functions 471 Keyed hash functions Putting These Primitives Together to Achieve CIA The Difference Between Algorithm and Implementation 475 Proprietary Versus Open Source Algorithms 476 Summary 477 Chapter 15: Covert Communication 479 Where Hidden Data Hides 479 Where Did It Come From? 481 Where Is It Going? 482 Overview of Steganography 482 Why do we need steganography? 483 Pros of steganography 484

11 XX Contents Cons of steganography 485 Comparison to other technologies 485 History of Steganography 488 Using steganography in the fight for the Roman Empire 488 Steganography during war 489 Core Areas of Network Security and Their Relation to Steganography Confidentiality Integrity Availability Additional goals of steganography Principles of Steganography 492 Steganography Compared to Cryptography 493 Protecting your ring example Putting all of the pieces together Types of Steganography 495 Original classification scheme New classification scheme Color tables Products That Implement Steganography S-Tools Hide and Seek Jsteg 508 EZ-Stego 511 Image Hide 512 Digital Picture Envelope Camouflage Gif Shuffle 517 Spam Mimic Steganography Versus Digital Watermarking What is digital watermarking? 521 Why do we need digital watermarking? 521 Properties of digital watermarking 521 Types of Digital Watermarking 522 Invisible watermarking 522 Visible watermarking 523 Goals of Digital Watermarking 523 Digital Watermarking and Stego 524 Uses of digital watermarking 524 Removing digital watermarks Summary Chapter 16: Applications of Secure/Covert Communication POP/IMAP protocols 530 Pretty Good Privacy 531 Kerberos 532 Authentication Servers 534

12 Contents Working Model 535 Public Key Infrastructure [ 537 Public and private keys \ [ 538 Key management 54O Web of trust 541 Virtual Private Networks [ 5 41 Design issues 543 IPSec-based VPN 544 IPsec header modes PPTP/PPP-based VPNs.....'. 547 Secure Shell 54g Secure Sockets Layer/Transport Layer Security [ [ '_ ' ' 549 SSL Handshake Summary Chapter 17: Intrusion Detection and Response 557 Malicious Code 557 Viruses 557 Review of Common Attacks [ 559 Denial-of-service/Distributed denial-of-service attacks '559 Back door Spoofing ' ' " ' Man-in-the-middle 5gj Re P la y '. '.'. ' '. '.'. '. '.'.'.'.'.'. '.'.'.'.'.'. 561 TCP/Hijacking 561 Fragmentation attacks '.'.'.'.' 562 Weak keys cg2 Mathematical attacks '.'.'.'.' 563 Social engineering gg3 Port scanning '.'.'.' 564 Dumpster diving 5g4 Birthday attacks ][[ 5g 4 Password guessing [ [ ' gg5 Software exploitation Inappropriate system use 5gg Eavesdropping 5gg War driving 5g7 TCP sequence number attacks [ 5g7 War dialing/demon dialing attacks [ 5g7 Intrusion Detection Mechanisms '.'.'.'.' 567 Antivirus approaches '.'.'.'' 567 Intrusion detection and response 5gg IDS issues 571

13 B XXII Contents Honeypots 573 Purposes 573 Honeypot categories 574 When to use a honeypot When not to use a honeypot Current solutions 576 Honeynet Project Incident Handling CERT/CC practices 578 Internet Engineering Task Force guidance 583 Layered security and IDS 584 Computer Security and Incident Response Teams 585 Security Incident Notification Process 587 Automated notice and recovery mechanisms 588 Summary 589 Chapter 18: Security Assessments, Testing, and Evaluation 591 Information Assurance Approaches and Methodologies 591 The Systems Security Engineering Capability Maturity Model NSA Infosec Assessment Methodology 594 Operationally Critical Threat, Asset, and Vulnerability Evaluation 595 Federal Information Technology Security Assessment Framework 595 Certification and Accreditation 596 The National Information Assurance Certification and Accreditation Process 596 Four phases of NIACAP 597 DoD Information Technology Security Certification and Accreditation Process 598 The four phases of DITSCAP 599 Federal Information Processing Standard OMB Circular A The National Institute of Standards and Technology Assessment Guidelines 602 SP SP SP SP Penetration Testing 607 Internal penetration test External penetration test Full knowledge test 609 Partial knowledge test 609 Zero knowledge test 609

14 Contents XXI Closed-box test 610 Open-box test Auditing and Monitoring Auditing Monitoring Summary 612 Chapter 19: Putting Everything Together 613 Critical Problems Facing Organizations 613 How do I convince management security is a problem and that they should spend money on it? 613 How do I keep up with the increased number of attacks? 615 How do you make employees part of the solution and not part of the problem? 615 How do you analyze all of the log data? How do I keep up with all of the different systems across 616 my enterprise and make sure they are all secure? 617 How do I know if I am a target of corporate espionage or some other threat? 617 Top 10 common mistakes 618 General Tips for Protecting a Site Defense in depth Principle of least privilege 621 Know what is running on your system Prevention is ideal but detection is a must Apply and test patches 623 Regular checks of systems 623 Summary 623 Index 625