
Network Security
and Firewalls
Academic Student Guide
CIW Security Professional Series
ECL02-CANSAF-PR-901 version 7.0 rd012209
Authorized to be used in American Public University System.
To report abuse, go to www.CIW-certified.com/abuse.

Subscription Expiration 09/12/2010

Network Security and
Firewalls
Academic Student Guide


President and COO
Debra Hoopes
Senior Vice President
Lindsay Miller
Vice President, Publishing
Todd Hopkins
Senior Content Developer
Kenneth A. Kozakis
Managing Editor
Susan M. Lane
Editor
Sarah Skodak
Project Manager/Publisher
Tina Strong
Customer Service ComputerPREP
Certification Partners, LLC
1230 W. Washington St., Ste. 111
Tempe, AZ 85281
(602) 275-7700

Copyright 2009, All rights reserved.

Network Security and Firewalls
Developers
Timothy Crothers, James Stanger, Ph.D., Irina Heer and Kenneth A. Kozakis
Contributor
Stephen Schneiter
Editor
Susan M. Lane
Publisher
Tina Strong
Project Managers
Tina Strong and Todd Hopkins
Trademarks
Certification Partners is a trademark of Certification Partners, LLC. All product names and services identified
throughout this book are trademarks or registered trademarks of their respective companies. They are used
throughout this book in editorial fashion only. No such use, or the use of any trade name, is intended to convey
endorsement or other affiliation with the book. Copyrights of any screen captures in this book are the property of the
software's manufacturer.
Disclaimer
Certification Partners, LLC, makes a genuine attempt to ensure the accuracy and quality of the content described
herein; however, Certification Partners makes no warranty, express or implied, with respect to the quality, reliability,
accuracy, or freedom from error of this document or the products it describes. Certification Partners makes no
representation or warranty with respect to the contents hereof and specifically disclaims any implied warranties of
fitness for any particular purpose. Certification Partners disclaims all liability for any direct, indirect, incidental or
consequential, special or exemplary damages resulting from the use of the information in this document or from the
use of any products described in this document. Mention of any product or organization does not constitute an
endorsement by Certification Partners of that product or corporation. Data used in examples and labs is intended to be
fictional even if actual data is used or accessed. Any resemblance to, or use of real persons or organizations should be
treated as entirely coincidental. Certification Partners makes every effort to ensure the accuracy of URLs referenced in
all its material, but cannot guarantee that all URLs will be available throughout the life of a course. When this
course/CD-ROM was published, all URLs were checked for accuracy and completeness. However, due to the ever-
changing nature of the Internet, some URLs may no longer be available or may have been redirected.
Copyright Information
This training manual is copyrighted and all rights are reserved by Certification Partners, LLC. No part of this
publication may be reproduced, transmitted, stored in a retrieval system, modified, or translated into any language or
computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual or
otherwise without written permission of Certification Partners, 1230 W. Washington Street, Suite 111, Tempe, AZ
85281.
Copyright 2009 by
Certification Partners, LLC
All Rights Reserved
ISBN: 1-59302-633-1
vi
2009 Certification Partners, LLC All Rights Reserved. Version 7.0
Table of Contents
Course Description...................................................................................................................... xiii
Courseware ................................................................................................................................. xiv
Course Objectives........................................................................................................................ xvi
Classroom Setup ......................................................................................................................... xvi
System Requirements ................................................................................................................ xvii
Conventions and Graphics Used in This Book............................................................................... xx
Lesson 1: What Is Security? ........................................................................................................ 1-1
Pre-Assessment Questions ................................................................................................................ 1-2
Network Security Background ........................................................................................................... 1-3
What Is Security?.............................................................................................................................. 1-4
Hacker Statistics............................................................................................................................... 1-6
The Myth of 100-Percent Security...................................................................................................... 1-7
Attributes of an Effective Security Matrix........................................................................................... 1-8
What You Are Trying to Protect.......................................................................................................... 1-8
Who Is the Threat?.......................................................................................................................... 1-10
Security Standards.......................................................................................................................... 1-12
Case Study...................................................................................................................................... 1-16
Lesson 1 Review.............................................................................................................................. 1-18
Lesson 2: Elements of Security ................................................................................................... 2-1
Pre-Assessment Questions ................................................................................................................ 2-2
Security Elements and Mechanisms .................................................................................................. 2-3
The Security Policy............................................................................................................................ 2-3
Encryption ........................................................................................................................................ 2-9
Authentication ................................................................................................................................ 2-11
Specific Authentication Techniques ................................................................................................. 2-16
Access Control ................................................................................................................................ 2-18
Auditing.......................................................................................................................................... 2-27
Security Tradeoffs and Drawbacks .................................................................................................. 2-28
Case Study...................................................................................................................................... 2-29
Lesson 2 Review.............................................................................................................................. 2-31
Lesson 3: Applied Encryption...................................................................................................... 3-1
Pre-Assessment Questions ................................................................................................................ 3-2
Reasons to Use Encryption................................................................................................................ 3-3
Creating Trust Relationships ............................................................................................................. 3-3
Symmetric-Key Encryption................................................................................................................ 3-4
Symmetric Algorithms ....................................................................................................................... 3-5
Asymmetric-Key Encryption ............................................................................................................ 3-11
One-Way (Hash) Encryption ............................................................................................................ 3-12
Applied Encryption Processes.......................................................................................................... 3-15
Encryption Review........................................................................................................................... 3-30
Case Study...................................................................................................................................... 3-31
Lesson 3 Review.............................................................................................................................. 3-35
Lesson 4: Types of Attacks.......................................................................................................... 4-1
Pre-Assessment Questions ................................................................................................................ 4-2
Network Attack Categories................................................................................................................. 4-3
Brute-Force and Dictionary Attacks................................................................................................... 4-4
System Bugs and Back Doors............................................................................................................ 4-7
Malware (Malicious Software) ............................................................................................................ 4-8
Social Engineering Attacks .............................................................................................................. 4-17
Denial-of-Service (DOS) Attacks....................................................................................................... 4-21
Distributed Denial-of-Service (DDOS) Attacks.................................................................................. 4-23
Spoofing Attacks ............................................................................................................................. 4-31
Scanning Attacks ............................................................................................................................ 4-32
Man-in-the-Middle Attacks.............................................................................................................. 4-37
Bots and Botnets............................................................................................................................. 4-42
SQL Injection .................................................................................................................................. 4-43
Auditing.......................................................................................................................................... 4-44
Case Study...................................................................................................................................... 4-46
Lesson 4 Review.............................................................................................................................. 4-49
Lesson 5: Recent Networking Vulnerability Considerations ......................................................... 5-1
Pre-Assessment Questions ................................................................................................................ 5-2
Networking Vulnerability Considerations........................................................................................... 5-3
Wireless Network Technologies and Security...................................................................................... 5-3
IEEE 802.11 Wireless Standards....................................................................................................... 5-4
Wireless Networking Modes ............................................................................................................... 5-6
Wireless Application Protocol (WAP)................................................................................................... 5-9
Wireless Network Security Problems................................................................................................ 5-10
Wireless Network Security Solutions................................................................................................ 5-10
Site Surveys .................................................................................................................................... 5-15
Convergence Networking and Security............................................................................................. 5-23
Web 2.0 Technologies...................................................................................................................... 5-26
Greynet Applications ....................................................................................................................... 5-31
Vulnerabilities with Data at Rest ..................................................................................................... 5-32
Security Threats from Trusted Users ............................................................................................... 5-33
Anonymous Downloads and Indiscriminate Link-Clicking................................................................ 5-34
Case Study...................................................................................................................................... 5-36
Lesson 5 Review.............................................................................................................................. 5-38
Lesson 6: General Security Principles.......................................................................................... 6-1
Pre-Assessment Questions ................................................................................................................ 6-2
Common Security Principles.............................................................................................................. 6-3
Be Paranoid ...................................................................................................................................... 6-3
You Must Have a Security Policy ....................................................................................................... 6-4
No System or Technique Stands Alone............................................................................................... 6-4
Minimize the Damage........................................................................................................................ 6-5
Deploy Companywide Enforcement.................................................................................................... 6-5
Provide Training................................................................................................................................ 6-5
Use an Integrated Security Strategy................................................................................................... 6-6
Place Equipment According to Needs................................................................................................. 6-7
Identify Security Business Issues ...................................................................................................... 6-7
Consider Physical Security ................................................................................................................ 6-8
Case Study...................................................................................................................................... 6-16
Lesson 6 Review.............................................................................................................................. 6-18
Lesson 7: Protocol Layers and Security ....................................................................................... 7-1
Pre-Assessment Questions ................................................................................................................ 7-2
TCP/IP Security Introduction ............................................................................................................ 7-3
OSI Reference Model Review.............................................................................................................. 7-3
Data Encapsulation........................................................................................................................... 7-5
The TCP/IP Stack and the OSI Reference Model ................................................................................ 7-6
Link/Network Access Layer ............................................................................................................... 7-7
Network/Internet Layer ..................................................................................................................... 7-8
Transport Layer............................................................................................................................... 7-10
Application Layer ............................................................................................................................ 7-14
Protocol Analyzers........................................................................................................................... 7-23
Case Study...................................................................................................................................... 7-24
Lesson 7 Review.............................................................................................................................. 7-26
Lesson 8: Securing Resources...................................................................................................... 8-1
Pre-Assessment Questions ................................................................................................................ 8-2
TCP/IP Security Vulnerabilities ......................................................................................................... 8-3
Implementing Security ...................................................................................................................... 8-4
Resources and Services ..................................................................................................................... 8-5
Protecting TCP/IP Services ................................................................................................................ 8-6
Simple Mail Transfer Protocol (SMTP) .............................................................................................. 8-12
Physical Security............................................................................................................................. 8-15
Testing Systems .............................................................................................................................. 8-19
Security Testing Software ................................................................................................................ 8-19
Security and Repetition................................................................................................................... 8-20
Case Study...................................................................................................................................... 8-21
Lesson 8 Review.............................................................................................................................. 8-24
Lesson 9: Firewalls and Virtual Private Networks......................................................................... 9-1
Pre-Assessment Questions ................................................................................................................ 9-2
Access Control Overview.................................................................................................................... 9-3
Definition and Description of a Firewall ............................................................................................. 9-3
The Role of a Firewall ........................................................................................................................ 9-3
Firewall Terminology ......................................................................................................................... 9-4
Firewall Configuration Defaults ....................................................................................................... 9-10
Creating Packet Filter Rules ............................................................................................................ 9-11
Packet Filter Advantages and Disadvantages ................................................................................... 9-13
Configuring Proxy Servers ............................................................................................................... 9-22
URL Filtering................................................................................................................................... 9-29
Remote Access and Virtual Private Networks (VPNs) ........................................................................ 9-30
Public Key Infrastructure (PKI) ........................................................................................................ 9-34
Case Study...................................................................................................................................... 9-36
Lesson 9 Review.............................................................................................................................. 9-40
Lesson 10: Levels of Firewall Protection.................................................................................... 10-1
Pre-Assessment Questions .............................................................................................................. 10-2
Designing a Firewall ........................................................................................................................ 10-3
Types of Bastion Hosts .................................................................................................................... 10-4
Hardware Issues ............................................................................................................................. 10-5
Common Firewall Designs ............................................................................................................... 10-7
Putting It All Together ................................................................................................................... 10-11
Case Study.................................................................................................................................... 10-17
Lesson 10 Review.......................................................................................................................... 10-19
Lesson 11: Detecting and Distracting Hackers........................................................................... 11-1
Pre-Assessment Questions .............................................................................................................. 11-2
Proactive Detection.......................................................................................................................... 11-3
Distracting the Hacker .................................................................................................................... 11-4
Deterring the Hacker..................................................................................................................... 11-10
Case Study.................................................................................................................................... 11-12
Lesson 11 Review.......................................................................................................................... 11-14
Lesson 12: Incident Response ................................................................................................... 12-1
Pre-Assessment Questions .............................................................................................................. 12-2
Creating an Incident Response Policy .............................................................................................. 12-3
Determining If an Attack Has Occurred ........................................................................................... 12-4
Executing the Response Plan........................................................................................................... 12-5
Analyzing and Learning................................................................................................................... 12-8
Case Study...................................................................................................................................... 12-8
Lesson 12 Review.......................................................................................................................... 12-11
Appendixes ................................................................................................................. Appendixes-1
Glossary........................................................................................................................... Glossary-1
Index ................................................................................................................................... Index-1
Supplemental CD-ROM Contents ................................................. Supplemental CD-ROM Contents-1
List of Labs
Lab 1-1: Causing a NetBus trojan infection........................................................................................... 1-4
Lab 2-1: Viewing and modifying default access control settings in Windows Server 2003..................... 2-20
Lab 2-2: Viewing the effects of hostile JavaScript in Mozilla Firefox..................................................... 2-23
Lab 2-3: Configuring execution control lists in Windows Server 2003.................................................. 2-24
Lab 2-4: Creating an execution control list for the su command in Linux............................................. 2-26
Lab 3-1: Using symmetric encryption algorithms................................................................................... 3-9
Lab 3-2: Installing GPG4win 1.1.3 on Windows Server 2003 ............................................................... 3-19
Lab 3-3: Generating a key pair using GPG4win................................................................................... 3-20
Lab 3-4: Exporting and signing public keys using GPG4win................................................................ 3-22
Lab 3-5: Exchanging encrypted messages using GPG4win .................................................................. 3-25
Lab 3-6: Encrypting files with GPG4win.............................................................................................. 3-27
Lab 4-1: Using John the Ripper in Windows Server 2003 ...................................................................... 4-5
Lab 4-2: Conducting a virus scan in Windows to help thwart attacks.................................................. 4-16
Lab 4-3: Sending fake e-mail messages............................................................................................... 4-18
Lab 4-4: Analyzing a SYN flood in a packet sniffer............................................................................... 4-26
Lab 4-5: Identifying network-based attacks......................................................................................... 4-30
Lab 4-6: Using Nmap to scan a system in Windows Server 2003 ......................................................... 4-35
Lab 4-7: Conducting a man-in-the-middle attack................................................................................ 4-41
Lab 5-1: Installing a war-driving application and analyzing a site survey capture ................................ 5-19
Lab 5-2: Analyzing traffic captured from site survey software .............................................................. 5-22
Lab 6-1: Conducting a physical attack against a Windows 2003 server ............................................... 6-10
Lab 8-1: Securing an Apache2 Web server ............................................................................................ 8-8
Lab 8-2: Securing the FTP service ....................................................................................................... 8-10
Lab 9-1: Installing WinRoute Firewall in Windows Server 2003 ........................................................... 9-14
Lab 9-2: Configuring packet filtering rules .......................................................................................... 9-15
Lab 9-3: Configuring a proxy server in Windows Server 2003.............................................................. 9-25
Lab 10-1: Creating an internal network with WinRoute Firewall (instructor-led) ................................. 10-12
Lab 10-2: Denying HTTP access (instructor-led) ................................................................................. 10-14
Lab 10-3: Configuring an FTP packet-filtering rule for a specific host (instructor-led).......................... 10-16
Lab 11-1: Setting a logon tripwire script in Windows Server 2003 ....................................................... 11-6
Lab 11-2: Using Tripwire for Linux...................................................................................................... 11-8
Lab 12-1: Subscribing to security mailing lists.................................................................................... 12-7

List of Figures
Figure i-1: Classroom configuration .......................................................................................................xix
Figure 1-1: NetBus client interface........................................................................................................ 1-5
Figure 1-2: Client connected to loopback address.................................................................................. 1-5
Figure 1-3: Remote File Manager dialog box.......................................................................................... 1-6
Figure 2-1: Elements of effective security .............................................................................................. 2-3
Figure 2-2: Policy and technology.......................................................................................................... 2-6
Figure 2-3: American Express ExpressPay Web site ............................................................................ 2-13
Figure 2-4: Microsoft Fingerprint Reader Web page ............................................................................. 2-15
Figure 2-5: Properties dialog box - General tab .................................................................................. 2-20
Figure 2-6: Properties dialog box - Security tab ................................................................................. 2-21
Figure 2-7: Permissions dialog box for Lessons folder.......................................................................... 2-21
Figure 2-8: Lockup.html alert screen .................................................................................................. 2-23
Figure 2-9: Viewing Microsoft Management Console settings............................................................... 2-25
Figure 3-1: Symmetric or single-key encryption..................................................................................... 3-4
Figure 3-2: RSA Home Page .................................................................................................................. 3-6
Figure 3-3: AxCrypt dialog box - Create passphrase ............................................................................ 3-9
Figure 3-4: AxCrypt dialog box - Enter passphrase............................................................................ 3-10
Figure 3-5: Encrypting information into ciphertext, using public key................................................... 3-11
Figure 3-6: Asymmetric-key encryption............................................................................................... 3-16
Figure 3-7: Asymmetric-key decryption............................................................................................... 3-17
Figure 3-8: PGP Corporation Web site ................................................................................................. 3-17
Figure 3-9: Gpg4win Welcome screen.................................................................................................. 3-19
Figure 3-10: GNU Privacy Assistant - Keyring Editor window.............................................................. 3-20
Figure 3-11: New key pair ................................................................................................................... 3-21
Figure 3-12: Key pair details ............................................................................................................... 3-22
Figure 3-13: Export Public Keys To File dialog box .............................................................................. 3-23
Figure 3-14: Public key in Notepad ..................................................................................................... 3-23
Figure 3-15: GPA window - Viewing imported key.............................................................................. 3-24
Figure 3-16: Encryption dialog box ..................................................................................................... 3-25
Figure 3-17: Message window with encrypted text............................................................................... 3-26
Figure 3-18: Jetico Web site................................................................................................................ 3-28
2009 Certification Partners, LLC All Rights Reserved. Version 7.0
Figure 3-19: Asymmetrically encrypted information passed through network ...................................... 3-29
Figure 3-20: Viewing data recovery agent for Windows Server 2003 system......................................... 3-33
Figure 4-1: Using John the Ripper in brute-force mode ......................................................................... 4-6
Figure 4-2: Selecting folder to be scanned........................................................................................... 4-16
Figure 4-3: Smurf attack..................................................................................................................... 4-24
Figure 4-4: Inspecting SYN flood packets using Wireshark .................................................................. 4-28
Figure 4-5: Add Counters dialog box ................................................................................................... 4-29
Figure 4-6: Viewing Performance snap-in during SYN flood................................................................. 4-29
Figure 4-7: Using Nmap to scan Windows system............................................................................... 4-34
Figure 4-8: Examining spoofed packet - Internet Protocol .................................................................. 4-37
Figure 4-9: Ettercap capturing dictionary attack on switched network ................................................ 4-39
Figure 5-1: Ad-hoc vs. infrastructure mode........................................................................................... 5-6
Figure 5-2: Configuration interface for common wireless AP.................................................................. 5-8
Figure 5-3: Creating MAC address filter .............................................................................................. 5-11
Figure 5-4: Kismet, showing SSIDs obtained from war driving............................................................. 5-17
Figure 5-5: War driving using AirSnort................................................................................................ 5-17
Figure 5-6: Network Stumbler............................................................................................................. 5-18
Figure 5-7: Network Stumbler window................................................................................................ 5-19
Figure 5-8: Viewing Network Stumbler capture file.............................................................................. 5-20
Figure 5-9: Network Stumbler showing traffic decrypted from channel ................................................ 5-21
Figure 5-10: Viewing network clients attached to wireless APs in Network Stumbler............................ 5-21
Figure 5-11: Using Wireshark to view WEP traffic captured and decrypted by Kismet .......................... 5-23
Figure 5-12: Google Maps home page.................................................................................................. 5-27
Figure 5-13: Wikipedia home page ...................................................................................................... 5-28
Figure 5-14: RSS feed ......................................................................................................................... 5-29
Figure 6-1: Booting from the NT Password And Registry Editor CD...................................................... 6-11
Figure 6-2: Specifying the Windows partition ...................................................................................... 6-11
Figure 6-3: Registry files ..................................................................................................................... 6-12
Figure 6-4: Options for loaded hives.................................................................................................... 6-12
Figure 6-5: Editing a user account ...................................................................................................... 6-14
Figure 6-6: Edit complete.................................................................................................................... 6-14
Figure 7-1: OSI model layers................................................................................................................. 7-4
Figure 7-2: Headers added at each level of the OSI/RM......................................................................... 7-5
Figure 7-3: OSI model and TCP/IP stack............................................................................................... 7-6
Figure 7-4: IPv4 header......................................................................................................................... 7-8
Figure 7-5: Establishing TCP connection............................................................................................. 7-11
Figure 7-6: Terminating TCP connection ............................................................................................. 7-12
Figure 7-7: XAMPP Control Panel Application...................................................................................... 7-20
Figure 7-8: Using a browser FTP client................................................................................................ 7-21
Figure 7-9: Connecting using an FTP client......................................................................................... 7-22
Figure 7-10: TCP/IP Filtering dialog box ............................................................................................. 7-22
Figure 8-1: XAMPP splash screen.......................................................................................................... 8-9
Figure 8-2: XAMPP Control Panel Application showing running services.............................................. 8-11
Figure 8-3: Users dialog box with new home directory......................................................................... 8-11
Figure 8-4: Viewing permissions for C:\webfiles directory ................................................................... 8-22
Figure 8-5: Viewing custom permissions for C:\webfiles directory ....................................................... 8-22
Figure 8-6: Viewing object permission entries for C:\webfiles directory................................................ 8-23
Figure 9-1: Implementing NAT in network............................................................................................. 9-8
Figure 9-2: New Connection dialog box ............................................................................................... 9-15
Figure 9-3: WinRoute Firewall Configuration window.......................................................................... 9-16
Figure 9-4: WinRoute Firewall Interfaces window................................................................................ 9-16
Figure 9-5: WinRoute Firewall Traffic Policy window............................................................................ 9-17
Figure 9-6: Editing new rule ............................................................................................................... 9-17
Figure 9-7: New rule defined............................................................................................................... 9-18
Figure 9-8: Proxy server configuration................................................................................................. 9-23
Figure 9-9: Proxy server settings......................................................................................................... 9-26
Figure 9-10: URL Rule dialog box........................................................................................................ 9-27
Figure 9-11: Access denied message ................................................................................................... 9-27
Figure 9-12: Add User dialog box ........................................................................................................ 9-28
Figure 9-13: Login Page dialog box...................................................................................................... 9-29
Figure 9-14: Understanding VPN connection....................................................................................... 9-31
Figure 10-1: Triple-homed bastion host .............................................................................................. 10-5
Figure 10-2: Screening router configuration........................................................................................ 10-8
Figure 10-3: Single-homed bastion configuration ................................................................................ 10-9
Figure 10-4: Dual-homed bastion configuration ................................................................................ 10-10
Figure 10-5: Screened subnet firewall configuration.......................................................................... 10-11
Figure 10-6: Network interfaces ........................................................................................................ 10-12
Figure 10-7: Verifying NAT rule......................................................................................................... 10-13
Figure 10-8: Editing NAT rule ........................................................................................................... 10-13
Figure 10-9: Interfaces on Trusted/Local network............................................................................. 10-14
Figure 10-10: New rule to block HTTP traffic from network host ........................................................ 10-15
Figure 10-11: Modified HTTP rule ..................................................................................................... 10-15
Figure 10-12: Rule denying FTP and FTPS access to single host........................................................ 10-16
Figure 11-1: Creating logon tripwire script with Notepad..................................................................... 11-7
Figure 11-2: Adding logon script to Administrator account.................................................................. 11-7
Figure 11-3: Alert message.................................................................................................................. 11-8
Figure 12-1: CERT home page............................................................................................................. 12-7

List of Tables
Table 1-1: Effective security system attributes ...................................................................................... 1-8
Table 1-2: "Hot spot" resources and potential threats.......................................................................... 1-10
Table 1-3: Security services ................................................................................................................ 1-12
Table 2-1: Typical tri-level resource classification scheme ..................................................................... 2-5
Table 2-2: Benefits of educating employees ........................................................................................... 2-8
Table 2-3: Functions of encryption...................................................................................................... 2-10
Table 2-4: Biometric authentication strategies .................................................................................... 2-14
Table 2-5: Kerberos terms................................................................................................................... 2-17
Table 2-6: Universal permissions ........................................................................................................ 2-19
Table 3-1: Security technology summary............................................................................................. 3-30
Table 4-1: Network attack types............................................................................................................ 4-3
Table 4-2: Computer virus types ........................................................................................................... 4-9
Table 4-3: Illicit servers....................................................................................................................... 4-13
Table 4-4: Common flooding techniques.............................................................................................. 4-22
Table 4-5: Types of scanning attacks................................................................................................... 4-32
Table 4-6: Common man-in-the-middle attacks .................................................................................. 4-37
Table 5-1: Wireless Ethernet elements .................................................................................................. 5-3
Table 5-2: Authentication types in wireless networks ............................................................................ 5-7
Table 5-3: Common wireless network security problems...................................................................... 5-10
Table 5-4: Issues to consider before site survey................................................................................... 5-15
Table 5-5: Site survey issues after wireless implementation................................................................. 5-16
Table 6-1: Security management terminology........................................................................................ 6-7
Table 7-1: OSI/RM layers ..................................................................................................................... 7-3
Table 7-2: ICMP message types............................................................................................................. 7-9
Table 7-3: Services and well-known ports............................................................................................ 7-13
Table 8-1: Security implementation model ............................................................................................ 8-4
Table 8-2: Common physical vulnerabilities and solutions .................................................................. 8-15
Table 8-3: Physical access control techniques ..................................................................................... 8-16
Table 8-4: Network equipment shielding methods ............................................................................... 8-17
Table 9-1: Telnet packet filter.............................................................................................................. 9-11
Table 9-2: FTP packet filter ................................................................................................................. 9-12
Table 9-3: Packet filter for internal passive FTP clients........................................................................ 9-13
Table 11-1: Tools for responding to attacks....................................................................................... 11-10

Course Description
Network Security and Firewalls teaches you how to secure your network from unauthorized activity. This
course teaches you about security principles, such as establishing an effective security policy, and about
the different types of hacker activities that you are most likely to encounter.
This course identifies security principles and techniques that enable you to stop a hacker by
understanding how to implement access control lists, operating system hardening and firewall
technology. It also teaches you how to personalize your network security system so you can create a
solution that adheres to universal principles, but also conforms to your business needs in responding to
specific hacker attacks.
You will learn about authentication procedures, encryption standards and implementations that help
ensure proper user authentication. You will also learn about the specific ports and protocols that hackers
manipulate, and about direct and indirect ways to protect your network operating systems. Finally, you
will learn how to respond to and report hacker activity, engage in proactive detection, and always keep
your company's needs in mind. Appendixes are included in the back of this coursebook to provide
resources for you as you continue to learn about applying security measures to your network.
Guided, step-by-step labs provide opportunities to practice new skills. You can challenge yourself and
review your skills after each lesson in the Lesson Summary and Lesson Review sections. Additional skill
reinforcement is provided in Activities, Optional Labs, Lesson Quizzes and a Course Assessment that are
available from your instructor.
This coursebook includes a supplemental CD-ROM containing the lab files used in class. To practice the
skills presented in class or to perform any labs that were not completed, refer to the Classroom Setup
section for information about system requirements and using the lab files.
Series
Network Security and Firewalls is the first course in the CIW Security Professional series. CIW Security
Professional consists of the following three courses:
Network Security and Firewalls
Operating Systems Security
Security Auditing, Attacks, and Threat Analysis
Prerequisites
Students must have completed the CIW Foundations and CIW Internetworking Professional series or be
able to demonstrate equivalent Internet knowledge.
Certification
The CIW Security Professional series of courses prepares students to take the high-stakes CIW Security
Professional certification exam. Those who pass the CIW Security Professional exam in addition to the
CIW Foundations exam earn the CIW Professional certification, which is recognized throughout the
industry as validating essential Internet skills for the workplace. Passing the CIW Security Professional
exam also counts toward advanced certifications such as CIW Security Analyst and Master CIW
Administrator. For information about taking the CIW Security Professional exam and other CIW exams,
visit www.CIW-certified.com.
Courseware
This coursebook was developed for instructor-led training and will assist you during class. Along with
comprehensive instructional text and objectives checklists, this coursebook provides easy-to-follow
hands-on labs and a glossary of course-specific terms. It also provides Internet addresses needed to
complete some labs, although due to the constantly changing nature of the Internet, some addresses may
no longer be valid.
The student coursebook is organized in the following manner:

    course title
    table of contents
        list of labs
        list of figures
        list of tables
    lessons
        lesson objectives
        pre-assessment questions
        narrative text
            warnings
            tech notes
            graphics
            tables and figures
            exam objective callouts
        supplemental movie clips
        labs
        case study
        lesson review
        lesson summary
    appendixes
    glossary
    index
    supplemental CD

When you return to your home or office, you will find this coursebook to be a valuable resource for
reviewing labs and applying the skills you have learned. Each lesson concludes with questions that review
the material. Lesson review questions are provided as a study resource only and in no way guarantee a
passing score on the CIW Security Professional certification exam.
Coursebook versions
The CIW Security Professional courseware is designed for various classroom environments: academic,
learning center and corporate. These coursebooks are available in both instructor and student versions.
Student versions are available for both the academic environment and the learning center/corporate
environment. Check your book to verify which version you have.
Instructor (Academic, Learning Center and Corporate): Example syllabi for 10-week and 16-week
instruction periods are included on the instructor supplemental CD-ROM. Learning centers can
teach this series at an accelerated pace; consult the implementation tables on the supplemental CD-
ROM. The supplemental CD-ROM also includes an appendix listing the CIW Security Professional
certification exam objectives and locations of corresponding material in the coursebook. The
instructor version of this book includes Instructor Notes in the margin, which provide additional tips
and commentary for the instructor to supplement course narrative. Margin callouts also direct
instructors to material that relates directly to specified CIW Security Professional objectives. The
instructor book and supplemental CD-ROM contain all answers to Activities (pen-and-paper-based),
Optional Labs (computer-based), Lesson Quizzes and the Course Assessment. This book also includes
handout versions of all Activities, Optional Labs, Lesson Quizzes and the Course Assessment, which
the instructor can photocopy and assign during class or as homework. Lesson Quizzes and Course
Assessments are provided as study and course-grading resources only; success on these materials in
no way guarantees a passing score on the CIW Security Professional certification exam. The movies
provide supplementary instruction in a multimedia format, and enhance the coursebook narrative
and labs. However, movie content does not comprehensively address CIW Security Professional exam
objectives and is not intended to replace coursebook content.
Student (Academic): The student book and supplemental CD-ROM include Pre-Assessment and
Lesson Review questions for each lesson. However, the student book does not provide answers to
these questions. It also does not include any Activities, Optional Labs, Quizzes or the Course
Assessment. Students can obtain these elements and answers only from the instructor. The student
supplemental CD-ROM contains appendixes and files used to perform many of the labs in the
coursebook. The supplemental CD-ROM also includes an appendix listing the CIW Security
Professional certification exam objectives and locations of corresponding material in the coursebook.
Lesson Quizzes and Course Assessments are provided as study and course-grading resources only;
success on these materials in no way guarantees a passing score on the CIW Security Professional
certification exam. The movies provide supplementary instruction in a multimedia format, and
enhance the coursebook narrative and labs. However, movie content does not comprehensively
address CIW Security Professional exam objectives and is not intended to replace coursebook content.
Student (Learning Center/Corporate): Designed for the learning center/corporate environment,
this student book includes Pre-Assessment and Lesson Review questions. The student supplemental
CD-ROM contains appendixes; files used to perform many of the labs in the coursebook; and answers
to the Pre-Assessment Questions, Lesson Review Questions, Course Assessment, Activities, Optional
Labs and Lesson Quizzes. The supplemental CD-ROM also includes an appendix listing the CIW
Security Professional certification exam objectives and locations of corresponding material in the
coursebook. Lesson Quizzes and Course Assessments are provided as study and course-grading
resources only; success on these materials in no way guarantees a passing score on the CIW Security
Professional certification exam. The movies provide supplementary instruction in a multimedia
format, and enhance the coursebook narrative and labs. However, movie content does not
comprehensively address CIW Security Professional exam objectives and is not intended to replace
coursebook content.
Additional online resources
In addition to the material found in the coursebooks, students can visit CIW Online at
www.vcampus.com/cciivv/CIW-Online/index.html to help them prepare for the CIW Security Professional
certification exam. CIW Online provides a variety of online tools students can use to supplement the
Official CIW Courseware, including:
Course review questions: New course review questions that can be used for quizzes, tests and
other class assignments. The multiple-choice questions cover numerous topics throughout the CIW
Security Professional course material, not just those topics addressed by the CIW exam objectives.
The questions are completely integrated with material from the book and can be used to assess
students' understanding of the course material.
Interactive exercises: Student activities that consist of fill-in-the-blank, true-or-false, categorizing,
matching and crossword puzzle exercises. The self-testing exercises provide immediate scoring and
feedback after completion, allowing students to focus on topics that require additional study. The
exercises are based on CIW Security Professional content and prepare students to excel in tests and
quizzes that feature multiple-choice questions.
Online flashcards: Glossary flashcards that test students' vocabulary of important CIW Security
Professional terms. The interactive flashcards show a vocabulary term on one side and the definition
on the other. Students may move through the flashcards as necessary for extra review.
Course Objectives
After completing this class, you will be able to:
• Define the significance of network security, and identify various elements of an effective security
  policy, including risk factors, security-related organizations, key resources to secure, general security
  threat types and access control.
• Define encryption and the encryption methods used in internetworking.
• Use universal guidelines and principles of effective network security to create effective specific
  solutions.
• Apply security principles, and identify security attacks.
• Identify firewall types, and define common firewall terminology.
• Plan and deploy a firewall system that incorporates multiple levels of protection, including firewall
  system design, proactive detection, setting traps, security breach response, and security alerting
  organizations.
Classroom Setup
Your instructor has probably set up the classroom computers based on the system requirements listed
below. Most software configurations on your computer are identical to those on your instructor's
computer. However, your instructor may use additional software to demonstrate network interaction or
related technologies.
Security disclaimer
The code, examples and techniques found in this course are provided for the purposes of teaching about
security concepts. Never, under any circumstances, use any of the software or techniques discussed in
this course against any local or remote system that is not your own. Certification Partners, LLC, and its
partners are not responsible or liable for illegal or unethical use of software or techniques discussed or
used in this course.
2009 Certification Partners, LLC All Rights Reserved. Version 7.0
System Requirements
This section lists the hardware, software, and connectivity requirements to implement this course.
Hardware
The following table summarizes the hardware requirements for all courses in the CIW program. Each
classroom should be equipped with one instructor station and x number of student stations (i.e., in a
classroom with 13 personal computers, set one up as the instructor station and the remaining 12 as
student stations).
The CIW hardware requirements are similar to the minimum system requirements for Microsoft Windows
Server 2003 Service Pack 2 Standard Edition implementation except that CIW requires increased hard
disk space (20 GB).
CIW hardware specifications (greater than or equal to the following):
Processor: 133-MHz processor required; 550-MHz or faster processor recommended; support for up to four processors on one server
L2 cache: At least 256 KB
Hard disk: At least 20 GB
RAM: 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum
CD-ROM: At least 32X
Network Interface Card (NIC): 10BaseT or 100BaseTX (10 or 100 Mbps)
Sound card/speakers: Required for instructor's station, optional for student stations
Video adapter: At least 4 MB
Monitor: VGA or hardware that supports console redirection required; Super VGA supporting 800 x 600 or higher-resolution monitor recommended
Network hubs: Enough 10-port 10BaseT or 100BaseTX (10 or 100 Mbps) hubs to allow classroom computers to communicate
Router: Multi-homed system with three NICs*
* Must meet universal CIW hardware requirements.
Software
The recommended software configurations for computers used to complete the labs in this book are as
follows.
To be installed before class:
Microsoft Windows Server 2003 Service Pack 2, including:
Microsoft Internet Explorer 7 or later.
Microsoft Outlook Express 6 or later.
Full installation of Ubuntu Linux 8.0, available at www.ubuntu.com. See Linux installation
instructions for component detail. For multi-boot systems, you will need to repartition the disk.
Ubuntu requires its own hard disk partitions. It cannot be installed on Windows or MacOS partitions.
At the very least, you will need a dedicated partition for the Ubuntu root.
MailEnable e-mail server, available at www.mailenable.com. You can use any e-mail server you
prefer, as long as you know how to configure it so that students can send e-mail, and as long as you
can configure the e-mail server to allow relaying to explain how fake e-mail works.
Mozilla Firefox 3.0 or later, available at www.mozilla.com. If you prefer, you can use only Microsoft
Internet Explorer (with Outlook Express).
XAMPP 1.6.6a, available at www.apachefriends.org/en/xampp.html.
FileZilla 3.0.11, available at http://filezilla-project.org/.
You will need to obtain the following third-party Linux software (all files are available on the student
supplemental CD-ROM):
targa2.c, available at http://packetstorm.linuxsecurity.com.
papasmurf-linux.c, available at http://packetstorm.linuxsecurity.com.
Tripwire 2.x, available at www.tripwire.org/.
To be installed by students during course labs (all files are available on the student supplemental CD-ROM):
NetBus 1.7, available at http://packetstormsecurity.org/.
AxCrypt 1.6.4.4, available at www.axantum.com/AxCrypt/.
GPG4win 1.1.3, available at www.gpg4win.org.
John the Ripper 1.7.0.1, available at www.openwall.com/john/ or
http://packetstorm.linuxsecurity.com.
Wireshark 1.0.0, available at www.wireshark.org/.
WinPcap 4.0.2, available at www.winpcap.org.
Nmap 4.76, available at www.insecure.org.
Ettercap NG 0.7.3, available at http://ettercap.sourceforge.net.
NetStumbler 0.4.0, available at www.netstumbler.com.
Windows NT Password And Registry Editor (also known as a Linux boot disk), available at
http://home.eunet.no/~pnordahl/ntpasswd/.
Kerio WinRoute Firewall 6.5.1, available at www.kerio.com.
Software necessary for the course but not available on student CD-ROM
The following software is necessary for the course, but is not available on the student supplemental CD-ROM:
Spastic.exe (http://packetstorm.linuxsecurity.com or any other Packet Storm mirror) Do not scan
this file with an anti-virus program, as it contains a harmless trojan. Do not install this file on a
workstation or server that you regularly use. This file is meant to be used in the classroom only. Do
not allow students to conduct SYN floods against systems you do not own, or otherwise use this
program illicitly. Students will use this in the local classroom for a lab in which they will discover that
this file contains malware (some anti-virus applications call it a trojan), and students will then delete
it from their systems.
Obtain the above software and place it on a floppy disk before the course begins, especially if your
classroom does not have Internet access.
Connectivity
Due to the sensitive nature of some of the programs used, this course takes place in a special network
classroom, closed off from the rest of the company network and from the Internet. The classroom is
configured by the instructor. The instructor's computer must be able to communicate with all student
computers, acting as a router. TCP/IP is the network protocol used in the course.
LAN requirements
The course is designed for use with at least three physical networks, connected by an IP router (which
can be a multi-homed computer). Network A (192.168.3.0) students will use odd-numbered IP addresses.
Network B (192.168.4.0) students will use even-numbered IP addresses. The instructor will use a third
network with the network address 192.168.2.0. The subnet mask is 255.255.255.0. Classroom
configuration is illustrated in Figure i-1.

Figure i-1: Classroom configuration
The instructor's computer must be able to communicate with all the others through a router. The
instructor can use a multi-homed Windows Server 2003 server computer as the router. If the instructor
does not have a Windows system acting as a router, he or she can use whatever router is available.
Again, due to the sensitive nature of the information presented in this course, Internet connectivity is not
recommended. TCP/IP is the only network protocol used in this course. The instructor will find specific
instructions on how to configure the three subnets in the Classroom Setup Guide.
CIW Master Supplemental CD-ROM
Each coursebook includes a supplemental CD-ROM. The files on the CD-ROM are referenced and used
throughout the course.
When you insert the CIW Master Supplemental CD-ROM, you will see a list of courses. Select the
appropriate course, and you will be prompted to unzip an executable file. This executable file will create a
directory of all supplemental materials for the course. You can choose to download the directory to the
default location, which is C:\CIW\[Course_Title]. Optionally, you can select another location. After you
choose the location and unzip the file, a directory will be created on your hard drive. All supplemental
files for the course will be downloaded to this directory. You can then create a shortcut to this directory
on your Desktop. As you conduct the course labs, you can use this shortcut to access your lab files
quickly.

Conventions and Graphics Used in This Book
The following conventions are used in these coursebooks.
Terms: Technology terms defined in the margins are indicated in bold the first time they
appear in the text. However, not every word in bold is a term requiring definition.
Lab Text: Text that you enter during a lab appears in italic bold type. Names of components
that you access or change in a lab appear in bold type.
Notations: Notations or comments regarding screenshots, labs or other text are indicated in italic
type.
Program Code or Commands: Text used in program code or operating system commands appears in the
Lucida Sans Typewriter font.
The following graphics are used in these coursebooks.

Tech Notes point out exceptions or special circumstances that you may find when
working with a particular procedure. Tech Notes that occur within a lab are
displayed without the graphic.
Tech Tips offer special-interest information about the current subject.
Warnings alert you about cautions to observe or actions to avoid.
This graphic signals the start of a lab or other hands-on activity.
Each lesson summary includes an Application Project. This project is designed to
provoke interest and apply the skills taught in the lesson to your daily activities.
Each lesson concludes with a summary of the skills and objectives taught in that
lesson. You can use the Skills Review checklist to evaluate what you have learned.
This graphic indicates a line of code that is completed on the following line.



Lesson 1: What Is Security?
Objectives
By the end of this lesson, you will be able to:
- 1.1.1: Define security.
- 1.1.2: Identify the importance of network security.
- 1.1.3: Identify potential risk factors for data security, including improper
authentication.
- 1.1.4: Identify security-related organizations, warning services and certifications.
- 1.1.5: Identify key resources that need specialized security measures.
- 1.1.6: Identify the general types of security threat/attacker.
- 1.2.6: Select security equipment and software based on ease of use.

Pre-Assessment Questions
1. What series of documents and procedures was developed by an international
consortium to serve as an international security standard that is used to help
designate secure operating systems?
a. British Standard 7799
b. The Common Criteria
c. The Orange Book
d. A security matrix
2. Which term describes a mechanism that allows you to monitor and document your
network's activities?
a. Threat identification
b. Risk analysis
c. Audit trail
d. Event detection
3. To what kinds of attacks are network resources most vulnerable?


Network Security Background
The media frequently relate sensational incidents concerning Internet-related security
threats. From security problems with the popular Mozilla Firefox and Microsoft Internet
Explorer browser applications to sophisticated attacks aimed at compromising e-
commerce servers, computer and network administrators and users must contend with
an increasingly complex security environment. Attacks by hackers, which include
computer and e-mail viruses, have become increasingly common. Major online
businesses have also proved vulnerable. Amazon.com and eBay, for example, have been
victims of serious attacks.
Well-known hackers include Kevin Mitnick and John Draper (who is also known as
Captain Crunch), but many more unknown hackers can wreak havoc across the Internet.
Even though the following news passage reads like an excerpt from a spy novel, it
actually did occur:
Hacker penetrates T-Mobile systems
News Item: January 11, 2005 SecurityFocus
A sophisticated computer hacker had access to servers at wireless giant
T-Mobile for at least a year, which he used to monitor U.S. Secret Service
e-mail, obtain customers' passwords and Social Security numbers, and
download candid photos taken by Sidekick users, including Hollywood
celebrities, SecurityFocus has learned.
Twenty-one year-old Nicolas Jacobsen was quietly charged with the
intrusions last October, after a Secret Service informant helped
investigators link him to sensitive agency documents that were
circulating in underground IRC chat rooms. The informant also produced
evidence that Jacobsen was behind an offer to provide T-Mobile
customers' personal information to identity thieves through an Internet
bulletin board, according to court records.
The age of the preceding article is important. Consider that systems and software
applications have become even more powerful and available. Also, now that the business
community has embraced the Internet for commerce, communication and collaboration,
the integrity of sensitive information and communication lines becomes an all-important
concern. Responding to and countermanding threats such as viruses and hackers is an
important part of any network administrator's job.
The Internet is available to anyone with a network connection and an Internet Service
Provider (ISP) account. In fact, it was designed to be an open network, and therefore has
little built-in capacity for securing information. From a security standpoint, the Internet
is inherently unsecure. However, businesses and individuals now want to apply
principles of security to the Internet, effectively using it in a way its inventors did not
intend. For Internet users, the new challenge is to protect sensitive data while allowing
authorized personnel to use it.
This course will introduce you to information security principles and teach you how to
protect your systems from unauthorized access using the latest available technology. You
will learn to deploy host-based solutions, along with network-based technologies, such as
firewalls.
hacker: An unauthorized user who penetrates a computer host or network to access and manipulate data.
OBJECTIVE 1.1.2: Importance of network security
open network: A group of servers and computers, such as the Internet, which allows free access.
What Is Security?
Put simply, security in a networking environment is the ability to identify and eliminate
threats and vulnerabilities. A general definition of security must also address the need to
safeguard organizational assets, including information and physical items such as the
computers themselves.
The idea of security is also intertwined with the notions of appropriateness and
subordination. A specific person must be designated as the security manager. This
person will be in charge of security, and must determine who can take appropriate
actions on specific items and when. All people who enforce security on the network must
act in roles subordinate to this leader. Regarding company security, what is appropriate
varies greatly from organization to organization, but any company with a network must
have a security policy that addresses appropriateness, subordination and physical
security.
This course discusses security as it relates to the Internet. With the advent of modern,
sophisticated technologies such as local area networks (LANs), wide area networks
(WANs), the Internet, wireless networks, Web 2.0 technologies and virtual private
networks (VPNs), the idea and practice of security have become more complex than
simply patrolling the network perimeter. With regard to networking, one could define
security as a continuing process in which an administrator ensures that information is
shared only among authorized users.
By the end of this course, you will be familiar with the processes and technologies used
to establish and limit behavior to what your organization considers appropriate. You will
focus on the aspects of security that relate to connecting your organization to the
Internet. Internet connectivity makes it extremely easy for unknown users to connect to
exposed resources. You need to ensure that users can access only what you want them to
access. This course will explore methods of controlling user and hacker access, and
responding to events and minimizing damage when someone circumvents those controls.
The following lab gives an example of how a hacker can remotely control a vulnerable
system through the use of an illicit server (service or daemon installed on a host that
thwarts authentication by allowing remote users to avoid the password database).
Suppose you are a security technician for the IT department of a midsize business. A
user calls you to report that he is concerned about an e-mail he received. He opened the
attached file before realizing he did not know the sender. Now he thinks his computer
may have been infected with a virus of some sort. You can diagnose the security threat
more quickly and easily if you are familiar with common exploits such as trojans, which
are programs disguised as harmless applications that actually produce harmful results.
Then you can begin to thwart this attempt to hack into your company's systems.
Although many hackers do not engage in such activities, you must understand that such
practices can victimize an unsecured network.

Lab 1-1: Causing a NetBus trojan infection
In this lab, you will install NetBus and infect your machine with the NetBus server trojan
program. NetBus is an example of a trojan that can remotely control your machine across
the Internet. NetBus is often sent via an e-mail message, in hopes that an unsuspecting
user will run the patch.exe program.
OBJECTIVE 1.1.1: Define security
network perimeter: The outer limit of a network as defined by a firewall.
OBJECTIVE 1.1.3: Risk factors for data security

The NetBus version 1.7 file that is used in this lab is named NetBus170.zip and was
downloaded from the Packet Storm Web site at the following address:
www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchtype=archives&counts=26&searchvalue=netbus++
1. Disable all anti-virus and personal firewall applications on your system.
2. Obtain the NetBus file from your instructor, decompress it, then double-click
Patch.exe. It will appear as if nothing has occurred, but you have just infected your
computer with the NetBus illicit server.
3. Double-click NetBus.exe to display the NetBus client interface shown in Figure 1-1.

Figure 1-1: NetBus client interface
4. In the Host Name/IP field, type 127.0.0.1, then click the Connect! button. The
NetBus interface should resemble Figure 1-2.
Note: This address is the loopback address to your system and allows you to use the
client interface on yourself.

Figure 1-2: Client connected to loopback address
5. Click the File Manager button to display the Remote File Manager dialog box. Click
the Show Files button, then expand the C: drive. The dialog box should resemble
Figure 1-3. You can use this dialog box to download, upload or delete files from the
infected system (in this case, your own). Do not delete files at this time.

Figure 1-3: Remote File Manager dialog box
6. Click Close to return to the NetBus interface.
7. Click the Server Admin button, then click the Remove Server button. When you are
asked if you are sure you want to remove the server, click Yes. This action will
remove the NetBus illicit server from your system.
8. Close all dialog boxes and the NetBus interface.
If time allows, the instructor will lead a lab in which you will connect to a remote host.
Note: Connecting to a remote system without permission is illegal. This lab is presented for
informational purposes only.
In this lab, you installed NetBus and infected your machine with the NetBus server trojan
program. Consider how you can protect your network hosts from this threat. Anti-virus
applications generally find NetBus, but variants of NetBus that avoid detection do exist.
Intrusion detection (the use of internal network hosts to detect and track network
transmissions) is another method. For your network, however, the first line of defense
against remote NetBus use is to implement a firewall.
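As an added example (not part of the CIW coursebook and not NetBus code), the following Python script shows the kind of host-based check that surfaces an illicit server such as the one installed in this lab: it parses the output of netstat -an and reports every listening socket that is absent from an expected baseline. The netstat lines are constructed, the baseline ports are an assumption for a classroom Windows server, and TCP port 12345 appears in the sample because that is the port NetBus is generally known to listen on (general knowledge, not a value taken from this page).

```python
# Added example (not from the CIW coursebook): compare a host's listening
# sockets against an expected baseline to spot an illicit server.
# The netstat output below is constructed, not captured from a real host;
# the baseline and the port numbers are assumptions for illustration.
import re

# Expected listeners on a classroom Windows Server 2003 host (assumed baseline).
BASELINE = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 3389),
    ("UDP", 137), ("UDP", 138),
}

# Constructed sample of "netstat -an" output in Windows format.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.3.11:139       0.0.0.0:0              LISTENING
  TCP    192.168.3.11:1043      192.168.2.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return the set of (proto, port) sockets that accept traffic.

    TCP sockets count only in the LISTENING state (an ESTABLISHED client
    connection is not a listener); a bound UDP socket always counts.
    """
    listeners = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add((proto, int(port)))
    return listeners


def unexpected_listeners(text, baseline=BASELINE):
    """Listeners present on the host but missing from the baseline, sorted."""
    return sorted(parse_listeners(text) - baseline)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(NETSTAT_OUTPUT):
        print(f"unexpected listener: {proto}/{port}")
```

On the constructed sample the only finding is TCP/12345. A baseline like this is only as good as the snapshot it was taken from, so it should be recorded on a known-clean host, and a variant of the trojan bound to a different port would still show up as long as that port is not in the baseline.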

Hacker Statistics
In spite of the romantic representations of hackers in movies such as Sneakers, Hackers
and War Games, hacker activity is proving to be costly. According to the Computer
Security Institute and Computer Emergency Response Team (CERT), hacking is on the
rise and is becoming increasingly destructive. The CERT Web site (www.cert.org/stats)
has released the following statistics regarding the increase of reported attacks to show
the effects of hacker activity:
OBJECTIVE 1.1.2: Importance of network security
OBJECTIVE 1.1.4: Security-related organizations and certifications
Reported incidents have risen steadily, from 252 in 1990 to 9,859 in 1999 to 137,529
in 2003 (2003 is the last year for which incident statistics were kept by CERT).
Total vulnerabilities cataloged have also risen steadily from 417 in 1999 to 3,784 in
2003 to 7,236 in 2007.
According to a survey of 2,066 organizations conducted by the U.S. Federal Bureau of
Investigation (www.fbi.gov) in January 2006, online crime in the United States alone
caused $67.2 billion in damages in 2005. Yet, it is estimated that about 90 percent of the
attacks that occur every year are not reported. In addition, 90 percent of the respondents
said they had experienced some form of attack, intrusion or leakage of proprietary
information in the previous 12 months.
Many networking professionals make the distinction between "white hat" (i.e.,
"good guy") hackers, and "black hat" hackers (sometimes called "crackers").

The IT community has responded to such attacks. Most companies have created security
policies. Businesses, organizations and e-commerce sites now implement firewalls,
intrusion-detection systems and programs to help track network activity. You will learn
more about some of these solutions in this course.
SANS (SysAdmin, Audit, Network, Security) Institute
The SANS (SysAdmin, Audit, Network, Security) Institute is dedicated to providing advice
and information regarding common systems vulnerabilities. Among other things, the
SANS home page (www.sans.org) provides a helpful Top 20 list to help administrators
remain aware of the most important security vulnerabilities.
The Myth of 100-Percent Security
Connectivity implies risk. If you allow legitimate users to access your computers or
networks, the opportunity exists for abuse. One popular saying is that the only secure
computer is one that has been disconnected from the network, shut off and locked in a
safe with the key thrown away. Although this solution might make the computer secure,
it also makes the computer useless.
Although you can never reach a point of complete security, you can achieve a level that
prevents all but the most determined and skilled hackers from accessing your system.
Proper security techniques can minimize the negative effects of hacker activity on your
organization. They can deter even the most determined hacker. Regarding Internet
security, you can usually restrict the network permissions of legitimate users so they can
still accomplish their tasks, but have no more access than necessary. The result of this
simple measure is that even if a hacker can steal a legitimate user's identity and enter
into the system, he or she will be able to gain only the level of access authorized for that
user. Such a restriction will confine any possible damage that the hacker may cause
using the stolen user name and password.
Balance in security
A key security principle is to use solutions that are effective, but that do not improperly
burden legitimate users who want access to needed information. Finding ways to actually
apply this principle is often a difficult balancing act. This need for balance applies
especially to Internet security. It is quite easy to employ security techniques that become
so onerous that legitimate users disregard and even circumvent your security protocols.
Hackers are always ready to capitalize on such seemingly innocent activity. Thus, having
an overzealous security policy could result in less effective security than if you had no
security policy at all.
You always need to consider the effect that your security policy will have on legitimate
users. In most cases, if the effort required by your users is greater than the resulting
increase in security, your policy will actually reduce your company's effective level of
security.
Computer Emergency Response Team (CERT): An organization devoted to dealing with computer-related security issues. CERT is a part of the Internet Society (ISOC), which establishes the protocols that govern the Internet. Maintains information about how to solve specific security problems and publishes security advisories.
OBJECTIVE 1.1.3: Risk factors for data security
Attributes of an Effective Security Matrix
Although the components and configurations of a security system vary from company to
company, several characteristics remain constant. A reliable security matrix is
necessary to ensure that all security measures are cost-effective and reasonable. A
security matrix is composed of individual operating system security features, logging
services and additional equipment including firewalls, intrusion-detection systems and
auditing schemes.
Table 1-1 summarizes the most important aspects of an effective security system.
Table 1-1: Effective security system attributes
Access control:
- You have achieved your goal of allowing access to only legitimate users.
- You have maximized the ability to communicate while minimizing the possibility of hacker access.
- You have minimized the possibility for damage in the event of hacker access.
Ease of use:
- If a security system is difficult to use, many employees will find ways to circumvent it.
- You have ensured that the interface is intuitive.
Appropriate cost of ownership:
- You have considered not only the initial purchase cost, but also the price of upgrades and service.
- You have also considered the cost of administration. How many employees, at what skill level, are necessary to successfully implement and maintain the system?
Flexibility and scalability:
- Your system allows your company to do business the way it wants to.
- Your system can grow as the company grows.
Superior alarming and reporting:
- In the event of a security breach, your system notifies the administrator quickly and in sufficient detail.
- You have configured the system to alert you as efficiently as possible. Notification options include alerts by e-mail, computer screens, pagers and so forth.
What You Are Trying to Protect
Now that you have learned about the general principles involved in a security system, we
will discuss exactly what needs protection. As you construct the security profile for your
network, it is helpful to classify your assets into four resource groups:
End-user resources (Windows 2000/XP/2003, Linux or Macintosh hosts used by employees)
Network resources (routers, switches, wiring closets, telephony)
Server resources (including file, DNS, Web, FTP and e-mail servers)
Information-storage resources (including human resources and e-commerce databases)
security matrix: All components used by a company to provide a security strategy. Includes hardware, software, employee training, security policy, etc.
OBJECTIVE 1.2.6: Selecting security equipment and software
OBJECTIVE 1.1.5: Key resources needing security
End-user resources
Be sure you have enabled the members of your organization to protect their workstations.
Not all damage to your resources is the result of malicious user activity, nor of hacker
entry into your system. Often, computers are damaged by simple user error.
For example, many employees are largely unaware of the hazards involved in
downloading ActiveX files and using Java applets. Still others have not enabled
password-protected screen savers to prevent snooping while they are away from their
desks for even short periods of time. Users can also inadvertently download viruses and
trojans, thereby compromising your network's ability to function. As you learned earlier,
a trojan is a file or program that purports to operate in a legitimate way, but which also
has an alternative, secret operation, such as sending sensitive company information to a
hacker via e-mail.
However, employees can improve security by making sure their browsers are configured
for maximum-security settings for ActiveX and Java. You should also make sure that
each employee uses a virus checker and observes caution when downloading anything
from the Internet.
Protecting local resources is largely a matter of educating individual users about easily
applied security techniques. However, Internet security involves more than protecting
individual resources.
Network resources
Your networks are the primary communications medium for the entire company. If a
skilled hacker gains access to or control of your networks, he or she will probably gain
access to most or all company data. You must be aware that many hackers can imitate
any Internet Protocol (IP) device that has an IP address. Called IP spoofing, this activity
allows hackers to engage in various activities with impunity, because it helps them
thwart detection via audit trails. Because no inherent protection is available in the
current version (v4) of the Transmission Control Protocol/Internet Protocol (TCP/IP),
a hacker can take advantage of any device that does not have specific mechanisms in
place. As a result, an intruder can take control of network resources and then move on
to system snooping.
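Because IPv4 itself does not verify source addresses, the mechanism that a border router or firewall usually puts in place is an anti-spoofing (ingress and egress) filter. The following Python script, added here as an example and not drawn from the coursebook, shows that check run over a few packet records: a packet is flagged when its source address is implausible for the interface it arrived on. The interface names, the packet records and the outside addresses are constructed; only the three classroom subnets come from the Connectivity section. The bogon list is a simplified one (private, loopback and unspecified ranges) for illustration.

```python
# Added example (not from the CIW coursebook): ingress/egress anti-spoofing
# checks of the kind a border router or firewall applies, run over constructed
# packet records. Interface names and the packet addresses are assumptions.
import ipaddress

# Networks that legitimately sit behind the internal interface. The three
# classroom subnets from the Connectivity section serve as the example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24")]

# Source ranges that should never arrive from the Internet side
# (simplified list: RFC 1918 private space, loopback, unspecified).
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "0.0.0.0/8")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def classify(iface, src):
    """Return None when the source address is plausible for the interface
    the packet arrived on, otherwise a short reason string.

    iface is "external" (Internet-facing) or "internal".
    """
    addr = ipaddress.ip_address(src)
    if iface == "external":
        # Ingress filtering: nothing from outside may claim an inside address.
        if _in_any(addr, INTERNAL_NETS):
            return "ingress spoof: internal source address from outside"
        if _in_any(addr, BOGON_NETS):
            return "ingress spoof: bogon/private source address from outside"
        return None
    if iface == "internal":
        # Egress filtering: inside hosts may only use inside addresses,
        # which also keeps audit trails attributable to a real local host.
        if not _in_any(addr, INTERNAL_NETS):
            return "egress spoof: inside host using a foreign source address"
        return None
    return "unknown interface"


def audit(records):
    """records: iterable of (iface, src, dst) tuples.
    Returns the flagged records with their reasons, in input order."""
    flagged = []
    for iface, src, dst in records:
        reason = classify(iface, src)
        if reason:
            flagged.append((iface, src, dst, reason))
    return flagged


# Constructed sample traffic (documentation-range outside addresses).
SAMPLE = [
    ("external", "198.51.100.7", "192.168.3.11"),   # ordinary inbound packet
    ("external", "192.168.3.11", "192.168.3.12"),   # claims to be an inside host
    ("external", "10.9.8.7",     "192.168.4.10"),   # private source from outside
    ("internal", "192.168.4.10", "198.51.100.7"),   # ordinary outbound packet
    ("internal", "203.0.113.5",  "198.51.100.7"),   # inside host spoofing outward
]

if __name__ == "__main__":
    for iface, src, dst, reason in audit(SAMPLE):
        print(f"{iface:8s} {src:>15s} -> {dst:<15s} {reason}")
```

Of the five constructed records, three are flagged. The ingress rule is what stops an outsider from impersonating a classroom host, and the egress rule is what keeps a compromised inside host from launching spoofed traffic that would be untraceable in other people's audit trails.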
Server resources
Your World Wide Web, e-mail and FTP servers are vulnerable to attacks designed to crash
the server so that its services are unavailable, or attacks designed to allow the hacker to
log on and obtain or alter information. Often, server resources become a target because
compromising one of these resources generally allows hackers to move on to controlling
other resources. Some servers provide backbone services (e.g., DNS), whereas others
provide mission-critical services (e.g., Web, e-mail and so forth). Regardless of category, it
is vital that you find ways to protect each as much as resources allow.
Information-storage resources
The most vital function of any company is the way it organizes and disseminates
information. These server types represent a hacker's ultimate goal, because these
databases contain sensitive information (e.g., credit card numbers, employee payroll
records and so forth). Hackers want information for many reasons. Some are merely
curious, and others are malicious. Still others want to engage in theft or industrial
espionage. Table 1-2 lists potentially vulnerable parts of a network.

Transmission Control Protocol/Internet Protocol (TCP/IP): A suite of protocols that turns
information into blocks of information called packets. These are then sent across
networks such as the Internet.
system snooping: The action of a hacker who enters a computer network and begins mapping
the contents of the system.
Table 1-2: "Hot spot" resources and potential threats
"Hot Spot" Resource | Potential Threat
End-user resources | Viruses, trojans and applets can damage local systems. End users can also introduce problems through illicit activity.
Network resources | IP spoofing, system snooping and obtaining information.
Server resources | Unauthorized entry, interrupted service and trojans. Server resources are the primary targets in most cases.
Database and information resources | Obtaining trade secrets, customer data and so forth.

Who Is the Threat?
Popular culture often represents the hacker as a brilliant, underachieving adolescent
male who has a problem with authority. Although this description is sometimes accurate,
categorizing hackers in terms of their attitude and motivation is probably more useful.
Malicious activity occurs for a number of reasons. However, such activity typically falls
into four broad categories:
- The casual attacker
- The determined attacker
- The spy
- The end user
Perhaps the most important thing to consider when determining your company's security
is to identify the type of attacker who will target your company and to anticipate that
attacker's attitude.
Casual attackers
The casual attacker is sometimes an information seeker, but most often he or she is a
thrill seeker. The casual attacker has what might be called an "Everest mentality." In
other words, the casual attacker is hacking into your system simply "because it is there."
The vast majority of hackers fall into this category. They can be stopped with the proper
application of security, especially if this security policy specifies that you find and
respond to the hacker. Some casual attackers are teenage pranksters with access to a
phone line. A large underground network of these attackers exists.
Determined attackers
The determined hacker will gain access to your system, regardless of difficulty or
consequence. This type of hacker is going to get in via the Internet, or by manipulating a
careless or uninformed employee. These hackers have access to tested methods and tools
specifically designed to allow access into your network. In spite of your effective
equipment and clear security policy, this type of hacker's determination and willingness
to employ any method will eventually lead him or her to success.
Determined hackers will often break into highly sophisticated systems to prove their
hacking prowess. Typically, these hackers are not out to destroy information, but will
often obtain information about your company and network just because they can.
Determined hackers have many motivations. One hacker might be a disgruntled
employee, whereas another might be motivated by resentment toward large businesses or
governments. Many attacks have occurred as the result of hackers' interest in removing
the presence of what they consider to be objectionable or controversial content. Still
others, perhaps the majority, are motivated by financial gain.
Other hackers have more idiosyncratic motivations, which can be based upon an interest
in achieving fame, a need to gain a sense of accomplishment, or a need to demonstrate
their networking skills. Such motives may explain the majority of Web graffiti that has
occurred over the past few years.
Spies and industrial espionage
Spies have very specific targets and want to gain information or disrupt service. They are
well-funded and have nearly unlimited access to resources. Primary motivations for spies
include monetary gain and ideological beliefs. These hackers will stop at nothing to gain
access to the networks they have targeted. Businesses interested in industrial espionage
and various governments often fund spy groups, but some spies are mercenaries who will
work for the highest bidder.
Later lessons discuss how to implement firewalls and offer specific ways to defend against
hackers. For stopping a determined hacker, auditing is the most effective tool. With
proper auditing, you can discover and stop a hacker as soon as possible. A more detailed
discussion of auditing is presented in a later lesson, and another lesson offers a plan by
which you might respond to the hacker and report such activity. Sometimes you need to
contact law enforcement agencies, such as local authorities or possibly the U.S. Federal
Bureau of Investigation (FBI).
End users
End users constitute the first line of defense in network security. It is common for
security professionals to blame specific vendors (e.g., Microsoft, Sun or Ubuntu),
protocols (e.g., the fact that IPv4 does not require authentication) or operating systems
(e.g., Windows Server 2003 or Solaris) for their security woes. However, most security
breaches are caused by end users. End users may cause network security problems
through ignorance, carelessness, or a lack of effective and continual awareness training.
End users may also cause network security problems because they are simply trying to
do their jobs to the best of their abilities, using the tools they feel would best suit their
needs. If end users feel that problems they encounter are not being addressed, they may
try to start looking for their own solutions. Those "solutions" may end up circumventing
network security policy, leading to security breaches.
To solve this problem, consider the following strategies:
- A short training session at the time of hire: This session can be led by an
individual (e.g., an IT help desk worker, a security administrator or the employee's
manager) or it can be self-paced. Such sessions should include a thorough review of
the security policy.
- Continual training: Educate users at regular intervals so that they remain aware
of the latest threats.
- Reminders: Issue e-mail reminders concerning standard practices, and have
copies of the security policy readily available.
- Explain common procedures: Instruct end users not to click every attachment
that they receive in e-mail, and that they should not try to repair their own systems
when they perceive a threat. Show them steps that they can take to properly escalate
a perceived problem, rather than trying to handle it themselves. You can also show
them how to create client-side e-mail filters to avoid spam and dangerous
attachments with the latest virus or worm on the Internet.
- Do not ignore end users: Solve the business needs of end users before they
attempt to solve their own problems, to which they do not know the solutions. By so
doing, you help end users accomplish their tasks without compromising network
security.

Web graffiti: The act of defacing a Web site by replacing authorized content with illicit
information.
auditing: Reading and interpreting log files to identify hacker activity.
With these strategies in mind, you can begin considering the end user as a security aid,
rather than a liability.
Security Standards
To complete our discussion of security basics, we must mention several standards that
help provide security.
ISO 7498-2: Security Architecture
The International Organization for Standardization (ISO) 7498-2 Security Architecture
document defines security as minimizing the vulnerabilities of assets and resources. An
asset is defined as anything of value. A vulnerability is any weakness that could be
exploited to violate a system or the information it contains. A threat is a potential security
violation.
ISO further classifies threats as either accidental or intentional, and active or passive.
Accidental threats are those that occur with no premeditated intent. Such threats as
natural disasters and system malfunctions fall within this group. Intentional threats may
range from casual examination of computer or network data to sophisticated attacks
using special system knowledge. Passive threats do not modify information contained in
the systems; neither the operation nor the state of the system is changed. Alteration of
information or changes to the system's state or operation is considered an active threat to
the system.
Security services
The ISO 7498-2 document further defines several security services, as summarized in
Table 1-3. These services will be examined in more detail in upcoming lessons.
Table 1-3: Security services
Service | Purpose
Authentication | The process of proving identity. These services provide for the authentication of a communications peer entity and the source of data (origin).
Access control | Determines what system resources a user or service may use, view or change. After a user has been authenticated, the access control service on an operating system determines where that authenticated user can go.
Data confidentiality | Protects data from unauthorized disclosure. Data confidentiality protects from passive threats, which include users who read data from the network wire using packet sniffers.
Data integrity | Protects against active threats (such as altering data) by verifying or maintaining the consistency of information.
Non-repudiation | Allows all parties to provide proof of origin and/or proof of delivery concerning any service, process or piece of information. By contrast, repudiation is the ability to deny participation in all or part of a transaction. For networking, one can repudiate an e-mail message or a piece of data, such as a traceroute ping packet or SYN packet, by saying "I did not send that."

Security mechanisms
According to ISO, a security mechanism is a technology, a software program or a
procedure that implements one or more security services. ISO classifies mechanisms as
either specific or pervasive.
A specific security mechanism is a technology or software program that implements only
one security service at a time. Encryption is an example of a specific security mechanism.
Although you can use encryption to ensure data confidentiality, data integrity and non-
repudiation (all services), the specific encryption technique you use requires various
encryption mechanisms to implement each service.

You will learn more about the various uses of encryption throughout this course.

A pervasive security mechanism is a procedure, or set of procedures, that helps implement
one or more of the security services at a time. Another element that differentiates
pervasive, or general, security mechanisms from specific mechanisms is that general
mechanisms do not apply to any one layer of the Open Systems Interconnection reference
model (OSI/RM). Examples of pervasive mechanisms include the following:
- Trusted functionality: any procedure that strengthens an existing mechanism.
For example, when you update the TCP/IP stack or run some software to strengthen
the ability of your Novell, Windows or UNIX system to authenticate, you are using a
pervasive mechanism.
- Event detection: the ability to detect and report local and remote incidents.
- Audit trail: any mechanism that allows you to monitor and document your
network's activities.
- Security recovery: the ability to react to an event, including creating short-term
and long-term solutions to known vulnerabilities. This also includes the ability to
repair damaged systems.
Additional security standards
Many other government and industry standards exist in addition to ISO 7498-2.
Although some standards may be falling out of favor in certain security circles, you will
find that an awareness of past and present standards is useful, because some companies
still apply these standards. A selected list of additional security standards includes:
- Trusted Computer Systems Evaluation Criteria (TCSEC): also known as the
"Orange Book" because of its color when first published. In an attempt to standardize
levels of security, the U.S. government released a series of standards defining a
common set of security levels. These standards were released in a series of books
commonly called the "Rainbow Series" because each book had a different color cover.
The TCSEC standards begin with D (the lowest level) and continue through A1 (the
most secure). TCSEC addresses data confidentiality concerns only. TCSEC has fallen
out of favor with many in the networking industry because it does not address the
specific business needs for using a network, which can lead to serious problems
between the IT department and the rest of the company. However, some companies
still apply standards from the Orange Book. You can learn more about the Orange
Book at www.dynamoo.com/orange/.
- Canadian Trusted Computer Product Evaluation Criteria (CTCPEC): the
Canadian implementation of TCSEC, focused on information integrity and
availability. This and TCSEC began the push for the Common Criteria.
- European Information Technology Security Evaluation Criteria (ITSEC):
addresses the issues of integrity and availability, as well as confidentiality.
- The Common Criteria (CC): created by European and American governments to
unify various evaluation criteria documents. The Common Criteria supersedes
TCSEC, CTCPEC and ITSEC. CC was adopted by ISO as ISO standard 15408. It is
used to help designate secure operating systems, under specific circumstances.
Whenever an operating system is certified according to the Common Criteria, it can
then be used in government networks. You can learn more about the Common
Criteria at www.commoncriteriaportal.org/.
- British Standard 7799 (BS 7799-3): outlines specific "controls," such as
system access control, the use of a security policy and physical security measures. It
was designed to help managers and IT professionals create procedures to keep
information secure. BS 7799 describes how to plan, implement and correct network
implementations. The latest document, published in 2005, is BS 7799-3, which also
covers risk analysis and management.
- ISO 17799: ISO adopted the BS 7799 document, making it an international
standard formally known as BS ISO/IEC 17799. The ISO 17799 standard describes
specific tasks and safeguards for IT professionals. This document is designed to
provide a practical, operations-based approach to security. It is not designed to focus
on specific issues, as are ITSEC and Common Criteria, nor was it enacted as a piece
of country-specific legislation, as were HIPAA and GLBA (which are discussed next).
You can obtain ISO documents (usually for a fee) at www.iso.ch.
- Health Insurance Portability and Accountability Act (HIPAA): a law that affects
health providers in the United States (e.g., doctors, dentists, health-care providers for
senior citizens). Passed in 1996, HIPAA consists of two different sections: Title I
(designed to protect workers and families so they can obtain health care) and Title II
(which regulates how health-care providers and IT departments must secure patient
information). Regulations include mandating standardized access to personal medical
information by authorized parties, encrypting stored and transmitted information,
and rules for how information can be passed from company to company. Whereas all
of the previous standards are voluntary, HIPAA imposes fines and even jail time for
those who break this law. For more information about HIPAA, visit www.hipaa.org
and http://aspe.hhs.gov/admnsimp.
- Gramm-Leach-Bliley Act (GLBA): an act passed by the U.S. government designed
to ensure the privacy of financial information and other sensitive information such as
Social Security numbers, phone numbers and bank account numbers. Also known as
the Financial Services Modernization Act, GLBA was designed to control how
financial service organizations store and transmit information, and it prohibits the
sharing of this information unless explicitly allowed by the customer. In many ways,
GLBA is the financial services analog to HIPAA. Passed in 1999, GLBA was
implemented in July 2001 for most banks, although some had a grace period until
July 2003. Among other requirements, GLBA requires all financial service providers
to implement a written, verified security policy designed to keep customer
information safe from attackers and improper disclosure by companies. Fines of up
to $500,000 are possible, by increments of $1000. For more information about GLBA,
visit www.ftc.gov/privacy/privacyinitiatives/glbact.html or
www.senate.gov/~banking/conf/confrpt.htm.
- Sarbanes-Oxley (SOX): an act passed by the U.S. government in 2002 in response
to a number of major corporate and accounting scandals, which took place between
2000 and 2002. Sarbanes-Oxley describes specific mandates and requirements for
financial reporting, and establishes new or enhanced standards for all U.S. public
company boards, management and public accounting firms. It does not apply to
privately held companies. The act consists of 11 titles that are designed to improve
the accuracy and reliability of corporate disclosure to reinforce investment confidence
and protect investors. For more information about Sarbanes-Oxley, visit
http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/.
- Federal Information Security Management Act of 2002 (FISMA): an act passed
by the U.S. government in 2002 that mandates annual audits to bolster computer
and network security within the federal government (and affiliated parties, such as
contractors working on behalf of a U.S. government agency). FISMA mandates a set
of processes that must be followed for all information systems used or operated by
the federal government. These processes must follow a combination of the special
publications SP-800 series issued by NIST, the Federal Information Processing
Standards (FIPS) documents, and other legislation pertinent to federal information
systems, such as HIPAA and the Privacy Act of 1974. For more information about
FISMA, visit www.compliancehome.com/topics/FISMA/.
Implementing the Common Criteria does not necessarily exclude implementation of
standards such as ISO 17799, GLBA or HIPAA because the CC does not discuss planning
and procedures in detail as ISO 17799 does. Also, GLBA, HIPAA, SOX and FISMA are
examples of mandated laws, as opposed to being security standards.

Case Study
Think Like a Hacker
Andre is a system administrator who is responsible for securing the new LAN that he has
set up for Coffees R Us, a coffee distributor that sells its products wholesale in bulk to
grocery stores and restaurants. Andre ensures that the desktop computers are free of
malware and spyware, and that the network servers and applications are as secure as
possible. However, despite his efforts, Andre discovers that the network has become
infected with a trojan that allows the servers to be controlled remotely by external
sources.
* * *
As a class, discuss this scenario and answer the following questions:
- Consider the components of an effective security matrix. Did Andre create a matrix
that encompassed all aspects of an effective security system?
- Andre's security measures effectively patrolled the network perimeter. Is this enough?
If not, what else does Andre need to consider?
- From what or whom is Andre trying to protect the LAN? If a determined hacker has
successfully infiltrated the LAN, what can Andre do to remove the trojan and ensure
that the LAN is less vulnerable to future attacks?
Lesson Summary
Application project
In this lesson, you learned about specific risks to your computer systems, as well as
some of the standards used to measure network security. Every organization has
different security concerns. Compile a list of potential security threats to your
organization or school. Determine which security elements can most effectively provide a
countermeasure to your potential security problems.
Skills review
In this lesson, you were introduced to the concept of security, and you saw
demonstrations of actual security threats. You also learned about the categories of
resources that need protection, the attributes of an effective security system, and the
types of people who make security systems necessary.
Now that you have completed this lesson, you should be able to:
- 1.1.1: Define security.
- 1.1.2: Identify the importance of network security.
- 1.1.3: Identify potential risk factors for data security, including improper
authentication.
- 1.1.4: Identify security-related organizations, warning services and certifications.
- 1.1.5: Identify key resources that need specialized security measures.
- 1.1.6: Identify the general types of security threat/attacker.
- 1.2.6: Select security equipment and software based on ease of use.


Lesson 1 Review
1. What is an open network?
2. The advent of sophisticated networking technologies has required network protection
to become more sophisticated than simply patrolling the network perimeter. Give an
example of an attack that could allow a computer to be controlled remotely.
3. What is the Computer Emergency Response Team (CERT)?
4. What are the components of an effective security matrix?
5. To what kinds of attacks are server resources most vulnerable?
Lesson 2:
Elements of Security
Objectives
By the end of this lesson, you will be able to:
- 1.1.7: Identify ways in which increased security mechanisms can result in increased
latency.
- 1.1.8: Define the significance of a security policy.
- 1.1.9: Identify and develop basic components of an effective security policy.
- 1.1.10: Identify the key user authentication methods.
- 1.1.11: Define the significance of access control methods.
- 1.1.12: Define the functions of access control lists (ACLs) and execution control lists
(ECLs).
- 1.2.1: Identify the three main encryption methods used in internetworking.
- 1.2.5: Identify the importance of auditing.
- 1.2.6: Select security equipment and software based on ease of use.
- 1.2.7: Identify security factors related to transmission of unencrypted data across the
network.
- 1.2.9: Identify the significance of encryption in enterprise networks.

Pre-Assessment Questions
1. Proving what you know, showing what you have, demonstrating who you are and
identifying where you are represent methods of what security element?
a. Encryption
b. Authentication
c. Data integrity
d. Non-repudiation
2. What is the name of the Linux Kerberos application used to obtain a ticket-granting
ticket?
a. kinit
b. klist
c. kdestroy
d. tgt
3. What security method ensures that individuals, systems or processes access only
what they are authorized to access?


Security Elements and Mechanisms
You have already been introduced to several U.S. and international security standards.
To survey and administer user activity, you must further understand the mechanisms
and controls that create an effective security infrastructure. This lesson will discuss the
importance of a coherent security policy, as well as auditing, encryption and
authentication mechanisms. At first, you will implement these concepts on specific
operating systems. Eventually, however, you will see how firewalls implement these
concepts to protect your entire network.
Figure 2-1 provides a representation of the most important security elements. It also
shows the hierarchy into which these elements are organized.

Figure 2-1: Elements of effective security
Each of these elements operates in conjunction with the others to ensure that an
organization can communicate as efficiently as possible. At the bottom of the pyramid is
the corporate security policy, which establishes the foundation of any successful security
system. Having a security policy in place does not ensure that you will eliminate
intrusions and information loss. To do that, you will have to carefully audit your network.
However, a security policy does provide a foundation for all your subsequent actions.
Administrators implement and enforce the security policy and audit user activity,
attempting to spot security problems, which might include illicit employee activity, a
system with a low patch level or an intrusion from outside the network. Management
and security administrators should create the corporate security policy, because it
provides the foundation for all network activity.
The Security Policy
A security policy allows you to build an effective security infrastructure. Without an
effective security policy, your firewall implementation will not be as successful. Such an
infrastructure:
- Secures resources, including information and the systems themselves.
- Allows employees to do their jobs as quickly as possible.
- Determines which traffic your firewall will permit or deny.

patch level: The measurement of specific updates given to an operating system. Windows
Server 2003 refers to system patches as "service packs."
Your security policy must provide guidelines for the entire organization and is the first
line of defense in establishing secure systems use. You must ensure that your security
policy does not conflict with the goals and practices of your business. Therefore, you
must assign a reasonable amount of protection to your resources.
To determine exactly how much protection a resource requires, you must also decide the
amount of risk to which it is exposed. For example, an internal user workstation is at
significantly less risk than a Web server because the latter is directly exposed to the
Internet. To reduce risk, you should take the following steps:
- Classify your systems.
- Determine security priorities for each system.
- Assign risk factors.
- Define acceptable and unacceptable activities.
- Define security measures to apply to resources.
- Determine how you will teach all your employees about security.
- Determine who will administer your policy.
After you have determined the risks and priorities of your resources, you can determine
what measures you will apply to each resource. You should document your security
policy on a resource-by-resource basis. For instance, you might indicate that all standard
user workstations must run the latest anti-virus software, and that your external router
will filter Telnet at the exterior port. Your most critical resources, such as your e-mail
server, require the most detailed and stringent protections.
Classifying systems
As mentioned previously, the first step in reducing risk is to classify your systems;
this is what lets you allocate security resources effectively and develop a sound
security infrastructure. You must identify and then classify systems and data based on
their importance to the organization.
Often, dividing system resources into three categories is useful:
- Level I: systems that are central to the business's operation. For example, an e-
commerce company might categorize its Web server as a Level I system. Employee
databases, user account databases and e-mail servers all count as Level I resources.
- Level II: systems that are needed, but are not critical to daily operation. Though
they cannot be down for long, a day or two of lost time would not cripple the
company. For example, if the database of employee pager numbers were down for two
days, the loss would be an inconvenience, but not a fatal problem.
- Level III: systems whose loss does not affect operations. A local desktop computer
would be a Level III system, as long as this computer does not affect systems in
Levels I and II.
See Table 2-1 for a summary of this resource classification scheme.
Table 2-1: Typical tri-level resource classification scheme (Resource Classification Hierarchy)

Level I (critical)
Data: Critical data needing high data integrity (trade secrets, designs, customer lists,
patient information, time-sensitive business documents, and so forth).
Systems: Mission-critical systems, systems with high availability requirements or systems
that cannot tolerate more than a few hours of downtime (certificate servers, registration
and customer billing systems). These are often publicly exposed servers.
Security: Security analysis, extra security measures, dedicated system-level audit,
monitoring and other security functions. Usually five percent of systems (R&D facilities,
hospitals and other health care facilities).

Level II (significant)
Data: Data that could cause damage to the company if it is no longer available or is in
the wrong hands (customer information, product lists, dealer prices and so forth).
Systems: Operational systems, line-of-business-level systems; systems that can tolerate up
to 48 hours of downtime. These are typically internal servers that are not directly
connected to the Internet.
Security: Normal security plus a special monitoring, audit and recovery procedure
(usually 20 percent of systems).

Level III (routinely essential)
Data: Operational data.
Systems: Normal systems whose loss would not stop the company from doing business
(systems that have backup systems; systems that can tolerate at least one week of
downtime in case of emergency). These are typically end-user machines.
Security: Normal security policy and defenses (usually 75 percent of a normal
organization's systems).

Categorizing systems wisely
Security administrators often make the mistake of classifying too many resources as
Level I. Level I resources should be only those that cannot be unavailable for even short
periods of time. For example, e-mail is a critical resource for most organizations, and
most network administrators would classify it as a Level I resource. Similarly, your
system's DNS or SAMBA servers may also be Level I resources because they provide a
foundation for the rest of your network.
Most machines meant for end users are not Level I resources; even if the notebook
computer belonging to the CEO crashes, the rest of the company can undoubtedly still
function during the repair period. Similarly, a non-e-commerce site may not consider its
Web server to be a Level I resource.
You must weigh each situation carefully. For example, if your company uses an intranet,
how essential is its Web server? Only you can make this decision, based on the following
criteria:
How much traffic the machine experiences.
The sensitivity of information on the machine. Does the server contain only a few
links and some Human Resources documents, or does it act as a "nerve center"
through which mission-critical information is exchanged?
The nature of the operating system. Some systems are inherently more secure than
others.
Prioritizing resources
After you have classified all your company's resources, you should create a prioritized
threat list and an action list, prioritized by system, in your security implementation plan.
Your priorities must be based on the importance of each system and its information,
including the availability of redundant systems and so forth. This prioritized list is
essential because during a crisis, staff members should not be forced to decide what to
save first. Expecting them to make choices in such a situation is an undue burden, and
will damage your company's overall security. Few IT departments have enough employees
and resources to address all Level I systems.
You should discuss priority in terms of finances, as well as time. Ask yourself the
following questions:
How much money and time can I commit to this resource?
Which Level I resources need security the most?
A Level I system requires significant resources and consideration, whereas a Level III
system might need only virus checking. An unrealistic policy will hurt a company's ability
to protect itself, and could even damage its ability to communicate efficiently.
If you are conducting electronic customer interaction with credit card or electronic cash
transactions, you will require specific security measures for the data and servers used in
these systems. You will need both physical and electronic security. If systems are
successfully penetrated, your business could be responsible for stolen credit card
numbers or other customer information. More importantly, your reputation is not easily
recoverable.
Assigning risk factors
After all your network's resources have been classified and prioritized, you must assign
risk factors. A risk factor is the likelihood that a hacker would attack a resource. Risk
factors should be determined for each resource you have defined.
When determining the risk factors for a resource, use this basic rule: The more sensitive
the resource, the higher the risk factor. For example, a company that manufactures
paper clips may have a corporate Web site. The risk factor associated with this Web site
would be much lower than the risk for the Web site of a company that manufactures
ballistic missiles.
Your security infrastructure is the implementation of your security policies at the
operations level. It should include multiple levels of defense and varying degrees of
protection as determined by each system's classification, as described in Table 2-1 on the
previous page.
Your people, policy and technology should have the relationship shown in Figure 2-2.

Figure 2-2: Policy and technology (people drive policy; policy guides technology; technology serves people)
Defining acceptable and unacceptable activities
To design security measures for specific resources, an effective security administrator
must differentiate between acceptable (permitted) and unacceptable (forbidden) activity.
Such activity must be defined in terms of each resource. Your security implementation
should specify both acceptable and unacceptable activity.
The categories of acceptable and unacceptable activity will always remain valid when it
comes to security. However, organizations will determine acceptable behavior differently,
based on their business needs. A policy that works well for one company might have
disastrous effects for another. Therefore, although the principles remain the same, the
individual applications will differ, sometimes radically.
Acceptable activities
Acceptable activity will vary from resource to resource. Hypothetically, acceptable
activities for your corporate Web site might include permission for users to browse only
the contents of HTML pages in the public folders and submit orders for items. Your policy
might give system administrators additional access to all the directories on the Web site,
allowing proper administration of this service. Finally, your security policy will
undoubtedly give your company's Webmaster further access that allows him or her to
modify the contents of the HTML documents.
Unacceptable activities and implementation
Unacceptable activity will also vary from resource to resource. As you approach the task
of defining what is unacceptable, you can take one of two approaches. You can either list
what is acceptable, thereby creating an implicit list of unacceptable activity, or you can
explicitly state what is unacceptable. Each method has its own advantages and
drawbacks. If applied improperly, a mere list of acceptable activities can often be too
broad, and might actually stifle user activity and impede your organization's ability to
function. The latter method can often omit an unacceptable activity, leaving gaps in your
protection. Legal problems can arise quickly, and if a security policy omits an important
activity or combination of activities, a hacker could find a loophole in the policy.
Because no two businesses or workplaces are identical, unacceptable activity has no
clear definition. Therefore, it is often necessary to define unacceptable activity as any
activity not specifically listed as acceptable. However, designing and implementing a
security infrastructure can be difficult with such a broad range.
The best solution, therefore, is to regularly define and list unacceptable activity. This
activity might take some time and might also require frequent updates, but such
repetition can also create an effective policy. To expand on the above hypothetical
example, you may want to indicate that it is unacceptable for anyone except your
Webmaster to modify the contents of the HTML documents. By listing specific activities,
you can make sure that they are specifically accounted for in your protection
mechanisms, and that your users know the policies.
Determining what is acceptable and unacceptable is a never-ending process.
With the rapid growth of the Internet, new applications and uses are introduced
frequently. Security administrators must keep abreast of the latest Internet
applications and whether or not they will be classified as acceptable or
unacceptable for their organizations.
Defining security measures to apply to resources
After you have identified resources and determined their use, you must determine the
appropriate security techniques for each element in your network. Security techniques
can include purchasing firewall devices and using encryption. Each device needs an
individual security evaluation. You should place the most thorough and advanced
security measures on your most critical resources.
List the measures that you will implement with each resource. For example, you will
probably implement packet filtering for your router. This step is fundamental, but can
save a great deal of time as you implement your system. You will learn more about
packets and packet filtering in a later lesson.
A key step in applying security measures to resources is considering how much time and
money should be spent on each resource. Security measures should always be cost-
effective, meaning that they should be as thorough and as inexpensive as possible.
Defining education standards for employees
The best way to achieve effective security is to teach the members of an organization
about the key security principles. If your users know how to choose good passwords, for
example, it is significantly more difficult for a hacker to bypass your password
authentication system. Often, such a system is central to site security. Administrators
need to understand how to set proper security on the systems they administer.
Programmers need to know how to write their software so it does not provide back doors
for hackers to exploit the network. By defining the items that you want various groups to
know, you can create and implement mechanisms to train them.
The specific security principles you teach employees will vary depending on their roles in
the organization, and the information they need to know in order to do their jobs and
achieve effective security. The security principles you teach users, executives and
systems administrators should benefit the organization as shown in Table 2-2.
Table 2-2: Benefits of educating employees

User: Creates sensitivity to security threats and vulnerabilities; produces recognition of the need to protect corporate information and resources.
Executive: Provides the level of organizational security knowledge necessary to make policy decisions on information security programs.
Administrative: Develops the ability to recognize and address threats and vulnerabilities so that security requirements can be set for systems and resources.
Determining who is responsible for administering the policies
Your security policy should list the parties responsible for securing specific systems.
Generally, a high-level person is responsible for implementing the security policy. Titles
vary, but often this person is the Chief Information Officer (CIO). The CIO is responsible
for ensuring that business information is readily available and secure. These
responsibilities are usually quite different from those of the Chief Technology Officer
(CTO), who is responsible for ensuring that the company servers are properly configured.
Usually, systems administrators report to the CTO, whereas security professionals report
to the CIO.
packet filtering: The use of a router to process and scan packets for acceptable and unacceptable activity.
packet: Information processed by protocols so that it can be sent across a network.
back door: An intentional hole in a firewall or security apparatus that allows access around security measures.

Separating security management from systems administration helps ensure that audits
are properly conducted and that goals are met. For example, if a systems administrator
fails to make an improvement mandated by an auditor, the auditor can report this failure
without worrying about a conflict of interest.
Encryption
Encryption is the process of making something readable only to the intended recipients.
Encryption can occur at both the network and document levels. At the document level,
encryption transforms an easily read plaintext file into ciphertext. The only way someone
can read this text is to gain access to the key that was used to transform the text into
ciphertext. Because the Internet is an open network, encryption has become important
not only for e-mail, but also for network and Internet communications.
Encryption is the primary means of ensuring data security and privacy on the Internet.
For e-commerce enterprises, the mere presence of encryption increases consumer
confidence. Because encrypted text is unreadable by anyone who does not possess the
correct key, data encryption helps secure online transactions by ensuring the
confidentiality and integrity of the data supplied by the customer. Implementing
encryption in the enterprise is one of the essential steps necessary for secure networking.
Encryption enables proper authentication and access control, both of which will be
introduced later in this lesson.
Encryption categories
You have probably heard of different ways to encrypt files, including the use of such
algorithms as the Data Encryption Standard (DES), RSA and MD5. Each of these
different methods is an example of the three main encryption categories used in
networking:
Symmetric encryption encrypts data using one text string (i.e., key). This same
key both encrypts and decrypts a file. Another name for symmetric encryption is
private-key cryptography.
Asymmetric encryption encrypts data using a key pair. Each half of the pair is
related to the other, although it is very difficult (if not impossible) to analyze the public
key and derive the private key. What one half encrypts, the other half decrypts, and
vice versa. Another name for asymmetric encryption is public-key cryptography.
Hash encryption encrypts data using a mathematical equation called a hash
function, which (theoretically) scrambles information so it can never be recovered.
This form of encryption creates hash code, which is a fixed-length representation of a
message.
You will see the usefulness of these encryption categories throughout the course.
Encryption services
Data that is not encrypted can be sniffed by packet sniffers (software programs that
monitor network activity) to obtain information as it is being transmitted across a
network. Unencrypted data makes it easy for hackers to obtain sensitive information and
use it for malicious purposes. E-mail messages often contain information of a proprietary
or confidential nature. Encrypting such information is critical to protect the integrity of
the information and keep it secure from unauthorized access.
Encryption performs the four services shown in Table 2-3.
OBJECTIVE 1.2.9: Encryption in enterprise networks
OBJECTIVE 1.2.1: Encryption methods in internetworking
ciphertext: Text that is completely unreadable unless it has been translated back into readable form with the use of a key.
key: A method of deciphering encryption. A key can be a simple string of text characters or a complex series of hexadecimal digits.
OBJECTIVE 1.2.7: Security factors in unencrypted data

Table 2-3: Functions of encryption

Data confidentiality: Data confidentiality is the most common reason for using encryption. Through the careful application of mathematical formulas, you can ensure that only the intended recipients of information can view it. With public-key encryption, only the intended recipient can decrypt the information, thereby being the only one who can read the information.
Data integrity: Data secrecy is insufficient for most security needs. Data can still be illicitly decrypted and modified while in storage or as it passes across the network wire. Mathematical formulas called hash functions exist to help determine if data has been modified.
Authentication: Digital signatures provide authentication services. Digital signatures use the same formulas that provide data confidentiality, but in a different way. Signatures help to prove (with high mathematical certainty) that the purported origin or sender of information is indeed who he or she claims to be.
Non-repudiation: Digital signatures allow users to prove that an information exchange actually occurred. Financial organizations especially rely on this facet of cryptography for the electronic transfer of funds.
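The three encryption categories (symmetric, asymmetric, hash) and the confidentiality, integrity and authentication services of Table 2-3, shown together in an added Python example that is not part of the CIW text. It uses a toy XOR stream cipher and a toy RSA key pair built from the tiny primes 61 and 53 (both constructed here for illustration and not secure), plus SHA-256 from the standard library for the hash category. The sample message is constructed.

```python
"""Added example (not from the CIW text): the three encryption categories and
the services of Table 2-3. The XOR cipher and the tiny-prime RSA pair are toys
constructed for illustration; neither is secure for real use."""
import hashlib
import hmac


# --- Symmetric (private-key) encryption: one key both encrypts and decrypts ---
def symmetric_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher: XOR each byte with the repeating key.
    Applying it twice with the same key returns the plaintext."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- Asymmetric (public-key) encryption: a related key pair ---
P, Q = 61, 53                 # toy primes; real keys use primes of ~1024 bits
N = P * Q                     # modulus shared by both halves of the pair (3233)
PHI = (P - 1) * (Q - 1)       # 3120
E = 17                        # public exponent
D = pow(E, -1, PHI)           # private exponent: modular inverse of E (2753)


def rsa_apply(value: int, exponent: int) -> int:
    """Raise value to an exponent mod N; both halves use the same operation."""
    return pow(value, exponent, N)


def public_encrypt(m: int) -> int:
    """What the public half encrypts, only the private half decrypts."""
    return rsa_apply(m, E)


def private_decrypt(c: int) -> int:
    return rsa_apply(c, D)


# --- Hash: fixed-length, one-way digest ---
def digest_hex(data: bytes) -> str:
    """SHA-256 always yields 64 hex characters, whatever the input length."""
    return hashlib.sha256(data).hexdigest()


# --- Table 2-3 services built from the categories ---
def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """Data integrity: recompute the hash and compare in constant time."""
    return hmac.compare_digest(digest_hex(data), expected_hex)


def sign(message: bytes) -> int:
    """Authentication / non-repudiation: hash, then apply the private key."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return rsa_apply(h, D)


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return rsa_apply(signature, E) == h


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"      # constructed sample message
    key = b"s3cret"                          # constructed sample key
    ct = symmetric_xor(msg, key)
    print("symmetric round trip:", symmetric_xor(ct, key) == msg)
    print("asymmetric round trip:", private_decrypt(public_encrypt(65)) == 65)
    print("digest:", digest_hex(msg))
    print("tampered data detected:", not integrity_ok(msg + b"0", digest_hex(msg)))
    print("signature verifies:", verify(msg, sign(msg)))
```

The signature routine applies the private exponent to a hash of the message rather than to the message itself, which is why the text says signatures use "the same formulas" as confidentiality "but in a different way": encryption applies the public half, signing applies the private half.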

Encryption strength
A commonly discussed but frequently misunderstood aspect of cryptography is the
strength of encryption. What constitutes strong encryption? What level of encryption is
required for various security needs? How do you determine the effective strength of
different types of encryption?
Encryption strength is based on three primary factors:
Algorithm strength
Secrecy of the key
Length of the key
Algorithm strength
The first factor is algorithm strength, which includes such factors as the inability to
mathematically reverse the information without trying all possible key combinations. For
our purposes, we should rely on industry-standard algorithms that have been tested and
tried over time by cryptography experts. Any new or proprietary formula should be viewed
with significant distrust until it has been verified commercially.
Secrecy of the key
The second factor in encryption strength is the secrecy of the key, a logical but
sometimes overlooked facet. No algorithm can protect you from compromised keys. Thus,
the degree of confidentiality that stays with the data is directly related to how secret the
keys remain. Remember to distinguish between the algorithm and the key. The algorithm
need not be secret. The data to be encrypted is used in conjunction with the key, then
passed through the encryption algorithm.
Length of the key
The third factor in encryption strength, the length of the key, is the best known. In terms
of encryption and decryption formula application, the key length is determined in bits.
Adding a bit to the length of the key doubles the number of possible keys. In simple
terms, the number of possible combinations of bits that can make up a key of any given
length can be expressed as 2^n, where n is the length of the key. Thus, a formula with a
40-bit key length would be 2^40 or 1,099,511,627,776 possible different keys. Working
against this high number is the speed of modern computers. Although the number of
possible keys is indeed large, specialized computers can now try that many combinations
of keys in less than a second.
Theoretically, any key can be decrypted regardless of its length. The more money an
individual or organization has to spend on key-cracking equipment, the faster the key
can be broken. However, even with a heavy investment in modern equipment, the greater
the length of a key, the longer it will take to break. In January 1999, for example,
Electronic Frontier Foundation, in collaboration with Distributed Computing
Technologies, Inc. (DCTI), broke a 56-bit DES cipher in 22 hours and 15 minutes using a
specially designed supercomputer, called "Deep Crack," along with a network of nearly
100,000 PCs on the Internet. In July 2002, DCTI broke a 64-bit RC5 cipher using about
70,000 (mostly home) computers, but it took 1757 days to do it. With the exponential
increase in computing power over time, it is estimated that even the safety of 128-bit keys
can be ensured only through the year 2010.
The U.S. government has adopted the Advanced Encryption Standard (AES) as its
encryption standard so that it can ensure strong encryption. AES supports key sizes of
128, 192 and 256 bits. The U.S. government uses 192-bit and 256-bit symmetric
encryption for data that is classified as top secret. Although corporations and
governments can certainly defeat encryption that is less than 128-bit with modern
computers, the amount of effort involved frequently exceeds the value of the information.
Indeed, one factor for deciding the length of key needed is the value of the information
being protected. Although probably not sufficient for corporations and governments, 64-
bit keys, for example, are usually more than sufficient for individuals' needs.
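The key-length arithmetic above, carried through as an added Python example that is not part of the CIW text. It computes the key space 2^n, derives a search rate from the 1999 DES figure quoted above (56-bit key, 22 hours 15 minutes) on the assumption that the whole key space was covered in that time, and then shows how long that same rate would need for the other key lengths the text mentions. The assumption about the rate is the example's, not the text's.

```python
"""Added example (not from the CIW text): how key length sets the size of the
key space and the worst-case time of an exhaustive search. The search rate is
derived from the DES figure in the text under the assumption that the whole
56-bit key space was covered in 22 h 15 min."""
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600
DES_BREAK_SECONDS = 22 * 3600 + 15 * 60       # 80,100 s, from the text


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length: 2**bits."""
    return 1 << bits


def keys_per_second_from_break(bits: int, seconds: int) -> Fraction:
    """Search rate implied by exhausting a whole key space in 'seconds'.
    Fraction keeps the arithmetic exact, so doubling relations hold exactly."""
    return Fraction(keyspace(bits), seconds)


def search_seconds(bits: int, rate: Fraction) -> Fraction:
    """Worst-case seconds to try every key of 'bits' at 'rate' keys/second."""
    return Fraction(keyspace(bits)) / rate


def search_years(bits: int, rate: Fraction) -> float:
    return float(search_seconds(bits, rate) / SECONDS_PER_YEAR)


def comparison(rate: Fraction, lengths=(40, 56, 64, 128, 192, 256)) -> list:
    """(bits, number of keys, years to exhaust) for each key length."""
    return [(b, keyspace(b), search_years(b, rate)) for b in lengths]


if __name__ == "__main__":
    rate = keys_per_second_from_break(56, DES_BREAK_SECONDS)
    print(f"implied rate: {float(rate):.3e} keys/s")
    for bits, n, years in comparison(rate):
        print(f"{bits:4d}-bit  {n:>40,d} keys  {years:.3e} years")
```

Each extra bit doubles both the key count and the search time, so the jump from 56 to 64 bits costs the attacker 2^8 = 256 times as long, and 128 bits puts the worst-case search at the implied DES rate beyond 10^18 years; the practical limit the text describes comes from growth in computing power, not from this static arithmetic.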
Authentication
Authentication is less a step than a combination of overlapping methods. The
authentication process attempts to verify the identity of a user, system or system process.
After this identification has taken place, the authenticated system or user can then have
access according to the limits established by the systems administrator.
If you have used an ATM card, presented a student ID card or used your driver's license,
you have engaged in a form of individual authentication. If you have ever used a
password to log your computer on to a network, you have participated in user
authentication. In fact, anyone who has ever used a simple house key or car key has
employed the principle of user authentication. However, authentication also applies to
entire systems and networks.
Authentication methods
Users or systems can prove that they are who or what they claim to be in four ways.
Regarding authentication, the rest of this course discusses specific programs based on
these four methods. You can prove your identity by:
What you know.
What you have.
Who you are.
Where you are.
OBJECTIVE 1.1.10: Key user authentication methods

What you know
The most common authentication method on the Internet and in the computer world is
password authentication. When you log on to a computer network, it usually asks you for
a password. A password is something you know. The computer bases its authentication
on the password. If you give your password to someone else, the computer will grant this
other person access because the authentication is based on knowing the password. Such
an action is not a failure on the computer's part, but on the user's. It also results from
the simplistic application of only one mode of authentication.
What you have
This method is slightly more advanced because you need some physical item for
authentication. A good example is a building entry card. Anyone who moves the card over
the scanner will be granted access to the building. Here, the authentication is based on
possessing the card. If you give the card to someone, he or she can enter the building.
Therefore, if you want to create a more sophisticated authentication system for entering
your building, you would require not only a card (which is an authentication method
based on what you have) but also a password (which is a method based on what you
know). In the computer industry, the "what you have" method is best exemplified by the
use of smart cards and digital certificates.
Smart cards
Every smart card contains a microchip. The chip can contain specific information about
its owner, including multiple credit card accounts, driver's license information, medical
information and so forth. A smart card can be the size of a standard credit card or larger,
depending upon the capacity of the embedded chip.
Sometimes, the embedded microchips contain read-only information. In this sense, the
chips hold more information than the magnetic strip typically found on the back of a
credit card. Such limited smart cards can be programmed only once, and are entirely
dependent upon a machine called a smart-card reader to operate. All smart cards rely
upon a reader, which is an electronic device that scans the card.
Some smart cards do not require additional power to operate. Others contain their own
power source, and still others derive power from the smart-card reader before the
microchip activates.
The two kinds of smart cards are:
Contact.
Contactless.
Contact smart cards must directly touch the reader device, whereas contactless cards
can communicate with the reader through a wireless electromagnetic connection. A
contactless card could, theoretically, authenticate a user.
Smart cards can offer many features. Some allow their persistent memory to be
reprogrammed. Others act as mini-computers in the sense that they have input/output
devices, persistent memory (e.g., mini-hard drive space), RAM and an active central
processing unit. Smart cards are valuable for authenticating users who want to:
Enter buildings.
Use cell phones.
Log on to a specific host.
Participate on a network.
Conduct banking and e-commerce transactions.

Compaq Corporation (www.compaq.com) offers a keyboard with a built-in
smart card reader.

ISO document 7816 contains the standard for smart cards. You can learn more about
smart cards at the following site:
The Smart Card Alliance Web page (www.smartcardalliance.org).
Radio-frequency identification
More recent contactless smart cards use a technology called radio-frequency
identification (RFID), which uses an RFID transponder embedded in the card for the
purpose of identification using radio waves. Another name for a contactless smart card is
a proximity card, so named because the card simply needs to be waved in front of a
special reader and not swiped. A big advantage from a consumer's point of view is that
the proximity card can remain inside the holder's purse or wallet and still be effective.
ISO document 14443 contains the standard for proximity cards.
American Express, for example, provided both contact smart cards and contactless
proximity cards that use RFID technology. In 1999, American Express introduced Blue
from American Express, which was designed to market a limited version of a contact
smart card. In 2005, the smart chip on the Blue Card was replaced with a radio-
frequency identification transponder and the resulting contactless proximity card was
introduced as ExpressPay. Figure 2-3 shows the American Express ExpressPay Web site.

Figure 2-3: American Express ExpressPay Web site
Other examples of contactless proximity cards are Mastercard's PayPass and JPMorgan
Chase's Blink.
Who you are
This process is based on some physical, genetic or otherwise human characteristic that
cannot be duplicated. This method is also known as biometrics. Until recently, advanced
biometric authentication was very expensive and was implemented only in highly secure
environments. Now, hundreds of companies have produced low-cost biometric solutions.
Biometrics is generally the most secure authentication method, if implemented properly.
Practically speaking, if any element of a person's body can be accurately sampled,
cataloged in a database and then accurately resampled, then it is a candidate for
biometric authentication. For biometric authentication to occur, unique information
about a person's body is stored in a database, and then associated with a specific set of
credentials. After the biometric information is properly matched with the user's
credentials, authorization occurs.
Table 2-4 describes strategies for biometric-based authentication.
Table 2-4: Biometric authentication strategies

Fingerprints: The use of a person's fingerprints for identification is perhaps the oldest form of biometric authentication. It remains the most common.
Hand geometry: Hand-based recognition is generally less reliable than fingerprint identification. However, combined with other strategies, it has proven to be useful.
Voice recognition: Also called speaker recognition, this strategy matches voice patterns. Traditionally, it is one of the easier methods to spoof, due to tape and digital voice sampling. Methods developed to counter voice spoofing include detecting high and low voice frequencies, which are difficult to reproduce. Whenever a specific voice metric is captured, it is called a voiceprint.
Retinal scans: A system scans the blood vessels that reside at the back of the human eye. A scanner uses a light to read exactly how the vessels are arranged, then matches this result to the contents of its database. Retinal scanning requires a user to press his or her face close to a reader and wait for 10 to 15 seconds. It is considered to be one of the most effective biometric methods. It is difficult to defeat, because if an eye is removed or a person dies, the retina begins to rapidly deteriorate and lose consistency.
Iris scans: This strategy analyzes the area around the pupil and matches data with a database. Although it is possible to use an eye replica to defeat the scan, most devices fluctuate the light source during the scan to measure changes in pupil dilation. Iris scans are more convenient than retinal scans, because users do not have to spend as much time authenticating (about 5 seconds) and do not have to press their face close to a scanner.
Face recognition: A device measures all elements of the face, including distance between the eyes, and between the mouth, nose, chin and forehead. To help thwart the use of masks, users are often asked to move their heads, blink or make other gestures. Authentication can occur quickly (e.g., 5 seconds), and users do not have to get close to a device in order to authenticate.
Vascular patterns: A scanner matches the blood vessel patterns in a person's face, hand or arm. Currently an experimental technology.

Biometric-based authentication provides the following benefits:
Physical security: Biometrics provides an extremely effective means of ensuring physical security on a host. Many attackers attempt to defeat a system's security by attaching USB or FireWire devices to a system. Biometrics can help prevent this. For example, if an end user is forced to provide biometric information before accessing a workstation's drives or peripherals, it will be much harder for an attacker to attach unauthorized equipment and obtain access to sensitive information.
Ease of authentication for the end user: Because authentication is based on a person's physical attributes, a user cannot lose the password, smart card or other device.
Definitive authentication: Biometric authentication is considered to be one of the most effective authentication methods, when implemented correctly.
biometrics: The science of mapping physical, biological characteristics to individual identity.
Lesson 2: Elements of Security 2-15
Drawbacks of biometric authentication include the following:
The technology has not yet been widely implemented outside of high-level areas (e.g., government facilities, nuclear power plants).
The technology is generally expensive to implement because extensive planning and user training are required in order to properly use a biometric authentication scheme.
It works best when combined with other forms of encryption (e.g., smart cards), thus making it somewhat complex to implement.
Biometric implementations
Many companies offer fingerprint readers that are integrated into keyboards and mice for
easy access. One such example is the Microsoft Fingerprint Reader
(www.microsoft.com/hardware/mouseandkeyboard/features/fingerprint.mspx); Figure
2-4 shows its Web page.

Figure 2-4: Microsoft Fingerprint Reader Web page
Veridicom International (www.veridicom.com) specializes in fingerprint identification that
authenticates users with standard equipment. Some of its products use simple sensors
connected via parallel port and/or USB connections.
Where you are
The weakest form of authentication, this strategy determines your identity based upon your location. For example, the UNIX rlogin and rsh applications authenticate a user, host or process based partly upon its source IP address. Reverse DNS lookup is not strictly an authentication practice, but it is related because it at least attempts to determine the origin of a transmission before allowing access. For years, U.S. Web sites providing software that used strong encryption (128-bit encryption or higher) conducted reverse DNS lookups on all hosts. If a server found that a host belonged to a domain outside the United States (or if the reverse DNS lookup was not possible), the server would deny the connection. This practice is quite common in various settings.
Specific Authentication Techniques
Following are two techniques that augment authentication systems. They combine
encryption techniques with additional strategies to verify identity. You do not have to use
such programs as Kerberos and one-time password generators, but using such
techniques in your authentication methods will help you avoid security breaches. They
are specific implementations of three of the authentication methods described previously.
Kerberos
Kerberos is a key management scheme that authenticates unknown principals who want
to communicate with each other securely. The name Kerberos came from the mythical
three-headed dog that is said to guard the entrance to the underworld (Hades) in ancient
Greek tradition. Kerberos is defined in RFC 4120. As of this writing, version 5 is the most
current version of Kerberos.
Essentially, a Kerberos server acts as a trusted third party that knows the identities of
the parties who want to communicate. The job of a Kerberos server is to vouch for their
identities. It maintains a database of the participants' processes, servers, people, systems
and other information. A single entry in the database is called a principal. This database
of principals will contain the public and private keys of all authorized participants.
The clients obtain the public keys from the Kerberos server. A Kerberos client uses this
public key as evidence that a trust relationship exists between this client and the
Kerberos server. The client then obtains a ticket-granting ticket (TGT), which allows the
client to request additional network services. When the client wants to connect to another
server on the Kerberos network, the client uses the TGT to obtain a ticket from the
Kerberos server. This ticket contains a session key that allows the two Kerberos clients
to communicate. The concepts of encryption and keys will be more completely addressed
later in this lesson.
When the user has been authenticated, he or she can then access additional services.
Kerberos has several advantages:
Authentication, encryption and integrity goals are met even when users do not know each other.
Kerberos clients need only enter password information locally. Through the use of public-key cryptography, full passwords are never sent across the network, not even in encrypted form.
Kerberos encrypts packets of information as they traverse the wire, making information more secure.
Kerberos can limit authentication to a certain time span.
Kerberos can control access to various resources. Again, using public-key cryptography, Kerberos allows an end user to use a printer through the use of "tickets."
The Kerberos scheme safeguards both the authentication process and all subsequent communication. After you configure a client (such as an e-mail application) to communicate with Kerberos, it will perform all the authentication automatically.
OBJECTIVE 1.1.10: Key user authentication methods
session key: A temporary, sometimes even reusable, item that is the result of the authentication process. A Kerberos "ticket" is an example of a session key. Users can re-deploy session keys during further network exchanges to prove identity. Session keys are not specific to any one security implementation.

Kerberos was originally written for the UNIX platform. Microsoft has added its
proprietary version of Kerberos version 5 to Windows Server 2003.

UNIX-based Kerberos client and server terminology
A Kerberos server is actually composed of two different servers: The first authenticates
users, and the second issues special tickets that a user can present to various services
(e.g., printers, Internet access, file servers and so forth). Most of the time, these two
different servers are incorporated into one host called a Key Distribution Center (KDC).
Table 2-5 explains some of the terminology used in UNIX-based Kerberos
implementations.
Table 2-5: Kerberos terms
Key Distribution Center (KDC): The central server that contains a database storing all users, hosts and network services for a Kerberos realm. Each entry in the KDC database is called a principal. The KDC contains two services. The first is the ticket-granting server (TGS), which issues ticket-granting tickets, and service and host tickets. The second is the authentication server (AS), which issues tickets for network services.
Ticket-granting ticket (TGT): A special key granted by the KDC. This ticket does not provide access to any resources. Rather, it authenticates a Kerberos user and determines the network services this person is allowed to use.
Ticket: A session key appended to all subsequent network communication that guarantees the identity of the ticket holder. A ticket is reusable for a certain period of time (eight hours, for example) and provides access to specific services, such as printers, routers and the logon services of remote systems.
Principal: The name given to a user, host or host service (e.g., a print server, or a system running Telnet).
kinit: The UNIX command that a client issues to receive a ticket from the ticket-granting server.
klist: A command that allows users to list their cached credentials.
kdestroy: The UNIX command that erases client tickets so they cannot be reused.

Some Kerberos implementations, such as that found in Windows Server 2003, do
not use this terminology, nor do they use applications such as kinit, klist or
kdestroy. Windows Server 2003, for example, uses the term domain controller for
a KDC. The clients automatically create, manage and destroy credential
caches during logon and logoff.
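As an added example (not from this guide or from any Kerberos distribution), the following Python model walks through the RFC 4120 exchange the text describes: a kinit-style logon that obtains a TGT from the KDC, a TGS request that swaps the TGT for a service ticket carrying a fresh session key, and the service's check of that ticket and its eight-hour lifetime. It assumes the symmetric-key model of RFC 4120 (every principal shares one secret key with the KDC), a toy hash-based cipher standing in for a real Kerberos encryption type, and a constructed realm with the principals krbtgt, alice and printer/lab1.

```python
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # tickets are reusable for eight hours, as in the text

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Toy authenticated encryption standing in for a Kerberos encryption type."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)

def key_from_password(password):
    # Real Kerberos derives the key with a salted string-to-key function; a hash suffices here.
    return hashlib.sha256(password.encode()).digest()

class KDC:
    """Authentication server (AS) and ticket-granting server (TGS) on one host."""

    def __init__(self, principals):
        # The principal database: every user and service shares one secret key with the KDC.
        self.keys = {name: key_from_password(pw) for name, pw in principals.items()}

    def as_exchange(self, client, now):
        """AS-REQ/AS-REP (kinit): hand out a TGT sealed under the krbtgt key, plus the
        TGT session key sealed under the client's own key. No password crosses the wire."""
        if client not in self.keys:
            raise PermissionError("unknown principal: " + client)
        session_key, expires = os.urandom(32).hex(), now + LIFETIME
        tgt = seal(self.keys["krbtgt"], {"client": client, "skey": session_key, "expires": expires})
        enc_part = seal(self.keys[client], {"skey": session_key, "expires": expires})
        return enc_part, tgt

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: swap a valid TGT for a ticket to one service."""
        t = unseal(self.keys["krbtgt"], tgt)          # only the KDC can open a TGT
        if now > t["expires"]:
            raise PermissionError("TGT expired; run kinit again")
        auth = unseal(bytes.fromhex(t["skey"]), authenticator)
        if auth["client"] != t["client"]:
            raise PermissionError("authenticator does not match TGT")
        service_skey = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "skey": service_skey,
                                           "expires": t["expires"]})
        enc_part = seal(bytes.fromhex(t["skey"]), {"service": service, "skey": service_skey})
        return enc_part, ticket

def client_logon(kdc, client, password, now):
    """Client side of kinit: decrypt the AS-REP locally with the password-derived key."""
    enc_part, tgt = kdc.as_exchange(client, now)
    part = unseal(key_from_password(password), enc_part)   # wrong password raises ValueError
    return {"name": client, "skey": bytes.fromhex(part["skey"]), "tgt": tgt}

def get_service_ticket(kdc, creds, service, now):
    authenticator = seal(creds["skey"], {"client": creds["name"], "timestamp": now})
    enc_part, ticket = kdc.tgs_exchange(creds["tgt"], authenticator, service, now)
    part = unseal(creds["skey"], enc_part)
    return bytes.fromhex(part["skey"]), ticket

def service_accept(service_key, ticket, authenticator, now):
    """AP-REQ on the service side: trust comes from the KDC's seal, not from the client."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise PermissionError("service ticket expired")
    auth = unseal(bytes.fromhex(t["skey"]), authenticator)
    if auth["client"] != t["client"]:
        raise PermissionError("authenticator does not match ticket")
    return t["client"]

def run_demo(delay=0):
    """Constructed realm; `delay` seconds elapse before the service ticket is presented."""
    principals = {"krbtgt": "kdc-master-secret", "alice": "alice-pw", "printer/lab1": "printer-key"}
    kdc = KDC(principals)
    now = 1_000_000
    creds = client_logon(kdc, "alice", "alice-pw", now)                       # kinit
    svc_skey, ticket = get_service_ticket(kdc, creds, "printer/lab1", now)    # TGS exchange
    authenticator = seal(svc_skey, {"client": "alice", "timestamp": now + delay})
    return service_accept(key_from_password("printer-key"), ticket, authenticator, now + delay)
```

Calling run_demo() returns the authenticated principal name "alice"; calling it with a delay longer than LIFETIME raises PermissionError, which is the time-span limit the text mentions.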
Kerberos drawbacks
The main disadvantage of any Kerberos implementation is that if the KDC is compromised, all communication becomes vulnerable. Additionally, the Kerberos server does not ensure that all the client machines are secure; if an unauthorized user gains access to an authorized system terminal (one on which an employee has used kinit, but not kdestroy), he or she will be able to access information, because this terminal is still properly authenticated. Although Kerberos clients can delete the session keys with the kdestroy command, many users fail to use this command.
Finally, if you implement Kerberos, you must ensure that all network clients and
daemons support it. If just one user starts a standard Telnet session to one standard
Telnet server, a malicious user can obtain the network password with a standard protocol
analyzer such as tcpdump.
One-time passwords (OTPs)
A specific authentication method, this class of products is aimed at preventing snooping
and password hijacking, and is based on what you have. An OTP is a way to "harden" an
authentication system (i.e., make it more secure). It is not a replacement for
authentication. This method generates and uses passwords only once, then discards
them after use. In such a system, the server stores or generates a predetermined list of
passwords, which a client then uses. Because the passwords are used only once, a
hacker who decodes a given password has no advantage in trying to reuse it.
Internet Service Providers (ISPs) often use generated OTPs, as do organizations that
employ traveling sales forces and users who work remotely. CompuServe augments a
standard "what you know" password method with an OTP. When a user logs on to
CompuServe, he or she sends the password that is usually associated with his or her
account, but adds the actual minute the connection is made between its server and a
user. This combination of the standard password and time is then sent to CompuServe
for authentication. If a hacker stole and deciphered this password/time combination, it
would be useless, because it was valid for only a moment (the time the user logged on)
and could be used only at that time. This method does not replace the "what you know"
system of passwords, but does add another layer of protection.
You can learn more about OTP in RFC 2289. The One-Time Passwords In Everything
(OPIE) program is available for Linux systems at: www.inner.net/opie.
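An added example, not part of this guide or of the OPIE program: a minimal RFC 2289-style one-time password server and client in Python, showing why a password captured on the wire is useless for a second logon. It assumes SHA-256 in place of the folded MD5/SHA-1 digests and six-word encoding that RFC 2289 specifies; the hash chain, the challenge format and the verification rule follow the RFC.

```python
import hashlib
import hmac

def otp_hash(data):
    # RFC 2289 folds an MD4/MD5/SHA-1 digest to 64 bits; the model keeps a full SHA-256 digest.
    return hashlib.sha256(data).digest()

def otp_chain(secret, seed, count):
    """H^count(seed || secret): the one-time password for sequence number `count`."""
    value = (seed.lower() + secret).encode()
    for _ in range(count):
        value = otp_hash(value)
    return value

class OTPServer:
    """Holds, per user, the sequence number and the hash of the next acceptable password."""

    def __init__(self):
        self.records = {}

    def initialize(self, user, secret, seed, count=100):
        # Only the top of the chain is stored; the pass-phrase itself never reaches the server.
        self.records[user] = {"seq": count, "seed": seed, "last": otp_chain(secret, seed, count)}

    def challenge(self, user):
        rec = self.records[user]
        if rec["seq"] <= 1:
            raise RuntimeError("chain exhausted: re-initialize with a new seed")
        return "otp-sha256 %d %s" % (rec["seq"] - 1, rec["seed"])

    def verify(self, user, response):
        """Accept only if hashing the response once yields the stored value, then step down."""
        rec = self.records[user]
        if not hmac.compare_digest(otp_hash(response), rec["last"]):
            return False
        rec["last"] = response      # the used password becomes the new verifier
        rec["seq"] -= 1
        return True

class OTPClient:
    def __init__(self, secret):
        self.secret = secret

    def respond(self, challenge):
        _, seq, seed = challenge.split()
        return otp_chain(self.secret, seed, int(seq))

def run_demo():
    """Constructed session: a good logon, a replay of the sniffed password, then the next logon."""
    server, client = OTPServer(), OTPClient("correct horse battery")
    server.initialize("alice", "correct horse battery", "ke1234", count=100)
    first = client.respond(server.challenge("alice"))          # H^99 of seed||secret
    ok_first = server.verify("alice", first)
    ok_replay = server.verify("alice", first)                  # sniffed value is now useless
    ok_second = server.verify("alice", client.respond(server.challenge("alice")))   # H^98
    return ok_first, ok_replay, ok_second
```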
Access Control
When a system ensures that individuals, systems or processes can access only what they
are supposed to, it is engaging in access control. A network's internal mechanisms
ensure that each user and system can access only what the security policy allows. The
two general ways to implement such control are access control lists (ACLs) and execution
control lists (ECLs).
The access control step follows after user or process authentication. After a system has
authenticated you and established that you are who you claim to be, it applies access
control schemes to control what you can access in the system. These schemes can be
used to grant or deny privileges.
A good analogy to help understand access control is to consider a company building. Most companies have a lobby to which anyone may be admitted. This lobby can be likened to a Web server that allows unauthenticated users to access the home page. To enter the company's offices, a person would need to present an identification badge. This form of security allows only authenticated employees to access company offices. After employees have entered the office area, their identification cards will allow them to access only certain offices. For example, an employee of the marketing department may not be authorized to use his or her identification card to access the CEO's office. This procedure is a form of access control. It limits what authenticated users can access.
OBJECTIVE 1.1.11: Access control methods
OBJECTIVE 1.1.12: Access control lists and execution control lists
All operating systems that support access control differ slightly in how they implement
this form of security. Access control mechanisms are essential when securing servers.
You must limit what certain users can access on a server, as well as the access granted
to services and daemons.
Access control list (ACL)
Modern information systems treat resources as objects with certain characteristics and
properties. Resources can be devices such as printers and disks, the operating system
(OS), or programs and memory. A computer file is another example of a resource. One of
the security-related characteristics of these resources is the access control list (ACL).
An ACL identifies individual users and groups associated with a database. Each user or
group is assigned an access level that defines which operations that user or group may
perform on the database and the documents it contains. An authorized user must still
pass the ACL test to gain access to a database.
Conceptually, an ACL is a list of the entities that can access the resource and their
access levels. The entities can be users, servers, programs or applets. The access levels
could be read-only, write-only, read-write, delete, create, access or other actions. The
available actions will depend upon the type of object and the operating system that is
controlling that object. Each entity will be granted a level of access for the resource. If the
entity tries to perform an operation beyond its authorized level of access, the operating
system (e.g., UNIX, Windows or, in the case of Java applets, the Java Virtual Machine)
will raise an exception or generate error notification.
Common permissions
Most operating systems provide the ability to permit users to read, write and execute files
and folders. Table 2-6 describes the details of read, write and execute permissions.
Table 2-6: Universal permissions
Read: Allows users to access a file in a folder using a specific program. For example, users can open and read the info.txt file with a word processor. In most operating systems, read permission also allows users to copy the file to another location. However, they cannot modify or delete the file, nor can they create a new one or add one to that folder.
Write: Allows users to write information to the hard disk in most operating systems. Write permission implies read permission. Write permission allows users to modify the file. For example, they can open the info.txt file and add content to it. They can also delete information from that file. In fact, they can even delete the entire file.
Execute: Allows users to run, or execute, a specific application residing in a specified folder.
Additional permissions can include the following:
Print allows the contents of a file or directory to be printed.
No access makes the file unavailable to all users. Many operating systems simply have you remove all permissions from a file.
Full control allows anything to be done to the resources.
List folder contents allows file and subfolder names to be viewed within a folder.
Modify allows the contents of a file or directory to be modified. However, the file or directory cannot be deleted nor can the permissions be changed.
Take ownership allows the owner of a resource to surrender ownership of a file.
Depending upon the operating system vendor, many additional permissions may exist.
object: In security, a file, program, service/daemon or resource that is maintained and controlled by an operating system.
access control list (ACL): A list of individual users and groups associated with an object, and the rights that each user or group has when accessing that object.
OBJECTIVE 1.1.12: Access control lists and execution control lists
The ACL determines whether or not a user has access to the object. If a user does have access
to an object, the ACL defines exactly what the user can do to it. Furthermore, it defines the
database roles that users have, including the forms and public views that they may use.
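An added Python model (not from this guide) of the ACL evaluation described above: entities are users or groups, each carries an access level, and an operation beyond that level raises an exception rather than silently failing. It assumes the Table 2-6 rule that write implies read, that full control grants every listed right, and, as an assumption the text does not spell out, that a no access entry for the user or any of the user's groups overrides every other grant.

```python
# Rights named in Table 2-6 and the list that follows it.
RIGHTS = {"read", "write", "execute", "delete", "create", "print", "modify", "full control"}

class AccessDenied(PermissionError):
    """Raised when an entity attempts an operation beyond its authorized level of access."""

class ACL:
    def __init__(self, object_name):
        self.object_name = object_name
        self.entries = {}             # entity (user or group name) -> set of rights

    def grant(self, entity, *rights):
        for right in rights:
            if right != "no access" and right not in RIGHTS:
                raise ValueError("unknown right: " + right)
        self.entries.setdefault(entity, set()).update(rights)

    def effective_rights(self, user, groups=()):
        """Union of the rights granted to the user and to each group the user belongs to."""
        rights = set()
        for entity in (user, *groups):
            rights |= self.entries.get(entity, set())
        if "no access" in rights:     # assumed: a no access entry overrides all grants
            return set()
        if "full control" in rights:
            return set(RIGHTS)
        if "write" in rights:
            rights.add("read")        # Table 2-6: write permission implies read permission
        return rights

    def check(self, user, groups, operation):
        """Return True if allowed; otherwise raise AccessDenied, as the OS would."""
        if operation not in self.effective_rights(user, groups):
            raise AccessDenied("%s may not %s %s" % (user, operation, self.object_name))
        return True

def build_example_acl():
    """Constructed ACL for the info.txt file of Table 2-6: marketing reads, editors write,
    the CEO has full control and the guest group is locked out."""
    acl = ACL("info.txt")
    acl.grant("marketing", "read")
    acl.grant("editors", "write")
    acl.grant("ceo", "full control")
    acl.grant("guest", "no access")
    return acl

def can(acl, user, groups, operation):
    """Boolean wrapper around check() for callers that prefer a result to an exception."""
    try:
        return acl.check(user, groups, operation)
    except AccessDenied:
        return False
```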
In the following lab, you will see ways to impose an ACL on a host-by-host basis. Suppose
you are a systems administrator for your company's IT department. The CIO says that
some company resources have been accessed and modified by employees who should not
be working with those resources. She directs you simply to "get to the bottom of it." You
decide the best way to address the problem immediately is to review and update the
access control settings for all company employees. As you impose these restrictions,
consider that a firewall is designed to control access to all hosts on the network.
Lab 2-1: Viewing and modifying default access control settings in
Windows Server 2003
In this lab, you will view default permissions to see how easy it is to access sensitive
areas of the operating system as a non-administrative user in Windows Server 2003.
1. Log on as administrator and open Windows Explorer (Start | All Programs |
Accessories | Windows Explorer).
2. In Windows Explorer, create a directory named C:\Lessons.
3. Right-click the C:\Lessons directory, then select Properties. You should see the
Properties dialog box shown in Figure 2-5.

Figure 2-5: Properties dialog box General tab

4. Select the Security tab and note your default permissions (for Administrators).
Administrators have full access to this directory, as shown in Figure 2-6.

Figure 2-6: Properties dialog box Security tab
5. Select each group name and note the default permissions for each.
6. Click the Sharing tab and select the Share This Folder radio button.
7. Click the Permissions button.
8. Note the default permission, which allows all users only to read, as shown in Figure
2-7.

Figure 2-7: Permissions dialog box for Lessons folder
9. Permissions: Grant full access to this share by selecting the Full Control check box
in the Allow column. Notice that the Change check box is automatically selected as
well.
10. Permissions: When you have finished changing permissions, close the Permissions
dialog box, the Properties dialog box and Windows Explorer.

Execution control list (ECL)
An execution control list (ECL) allows the operating system to limit a program's activity.
Traditionally, an operating system's functions have been predetermined by its creators,
and could not be modified or limited in any significant way. A user could attempt to limit
actual operating system processes; however, this action would limit the operation of all
programs on that machine. With an ECL, you can determine which of the program or
operating system's activities are appropriate, and which are not. In essence, you can
exert operating system-level control over a single application.
As soon as ECLs become common at the operating system level, one of the results will be
that organizations can customize the functioning of a program, thereby enjoying
unprecedented security. Before ECLs, a user was completely subjected to what the
programmer or operating system considered appropriate program behavior.
One benefit of an ECL is that it can minimize the threat of a malicious ActiveX program,
for example, and can further direct the activity of Java applets. Java applets are
sandboxed, providing a certain amount of protection. However, sandboxing is a generic
solution, whereas a more ambitious ECL provides a specific, customizable option for any
executable or device on a host.
An ECL can also help stop trojans. For example, if a user unwittingly downloads a trojan
that purports to run a utilization report of your Web server but also transmits a copy of
this information to the program creator for marketing purposes, a security breach has
occurred. However, an ECL can forbid the transmission of such data and alert you to this
attempted unauthorized activity. With an ECL, you can begin to free yourself from this
type of malicious programming.

A hacker can defeat even the most sophisticated operating system with the
latest ACL and ECL methods if the administrator uses default settings.

In the following lab, you will deploy an ECL to defend users against malicious code.
Suppose your company has had several recent reports from users of virus problems. Your
supervisor has directed you to implement security measures on user systems to help
combat this problem. Among various security needs and strategies, you know that
blocking certain types of activities on browsers will help. You can use an ECL to limit
execution of code on applications.
OBJECTIVE 1.1.12: Access control lists and execution control lists
execution control list (ECL): A list of the resources and actions that an operating system or application can access/perform while it is executing.
sandboxed: Containing built-in constraints that protect a program from malicious activity or prevent it from accessing important resources.

Lab 2-2: Viewing the effects of hostile JavaScript in Mozilla Firefox
In this lab, you will use Mozilla Firefox to deploy an execution control list to defend
against malicious code in Windows Server 2003.
1. Open Windows Notepad.
2. Enter the following source code:

<html>
<head>
<title>Browser Locker</title>
<script>
<!--

for (i=0;i>=0;i++) {
alert("Stop me if you can!");
}

//-->
</script>
</head>
<body>
Are you frustrated yet?
</body>
</html>
3. Save the file to your Desktop and name it lockup.html.
4. Close any open programs.
5. Start Mozilla Firefox, then use the File | Open File command to open the
lockup.html file on your Desktop. The file will load into your browser and display a
screen similar to Figure 2-8.

Figure 2-8: Lockup.html alert screen

6. Click OK repeatedly. The message will return.
7. To stop execution of this script, you must close and restart the browser. Hold down
the CTRL and ALT keys and press DELETE, then click the Task Manager button. In the
Applications tab, select the process for Firefox, click the End Task button, then
click End Now. Close the Windows Task Manager dialog box.
8. Start a new session of Firefox. Be sure not to start it by double-clicking the HTML
file you created earlier in this lab. If you are prompted to restore your previous
session of Firefox, specify to start a new session instead.
9. In the menu bar, select Tools | Options. Click the Content icon, deselect the Enable
JavaScript check box, then click OK. Now, JavaScript has been placed on the
browser's execution control list.
10. After you have enabled execution control for JavaScript, load the page again. You
should see the text, "Are you frustrated yet?" but your browser should not be locked.
You have enabled an execution control list (ECL) for your Web browser.
11. Quit Firefox.

In the following lab, you will deploy a universal execution control list. Suppose your
company has just purchased a new server for the Research and Development
department. Your supervisor has directed you to configure the new server and implement
appropriate security measures on it. Among various security needs and strategies, you
know that the data in this server must be protected from any malicious activity. You can
use an ECL to limit execution of code on a server.

Lab 2-3: Configuring execution control lists in Windows Server 2003
In this lab, you will configure a universal Execution Control List for several Windows
Server 2003 Microsoft Management Console (MMC) snap-ins.
1. Log on as administrator if necessary.
2. Next, you will create a new user named test1. Select Start, right-click My Computer,
then select Manage. Expand the Local Users And Groups folder, right-click Users,
then select New User. Specify a user name of test1 and a password of password.
Deselect the User Must Change Password At Next Logon check box, then click
Create. Close the New User dialog box.
3. Log off as administrator and log on as test1.
4. As test1, select Start | Control Panel, double-click Administrative Tools, then
open the following snap-ins:
Computer Management
Routing and Remote Access
Services
Notice that even non-administrative users can access these snap-ins.

5. Close all windows, log off as test1 and log on as administrator.
6. As administrator, select Start | Run, type mmc, then press ENTER.
7. A blank Console window will appear. Select File | Add/Remove Snap-in.
8. Click the Add button. When the Add Standalone Snap-in dialog box appears, scroll
down and click Group Policy Object Editor, then click Add.
9. When the Select Group Policy Object dialog box appears, make sure Local
Computer is selected, and click Finish.
10. Click Close, then click OK. You have just added a Group Policy snap-in to a blank
version of the MMC. Now, expand the Local Computer Policy icon so you are
viewing the User Configuration | Administrative Templates | Windows
Components | Microsoft Management Console | Restricted/Permitted Snap-ins
folder contents, as shown in Figure 2-9.

Figure 2-9: Viewing Microsoft Management Console settings
11. In the right pane, double-click Computer Management to display its Properties
dialog box. Click the Disabled radio button and click OK.
12. Repeat the previous step for the Routing and Remote Access and Services snap-ins.
13. Test your work by trying to open these snap-ins. You will not be able to access them.
You should see that even the system administrator is affected by these settings. You
must be careful when enabling settings such as these. The system administrator can
very easily be locked out of his or her own system if settings are applied incorrectly.
14. In the Properties dialog boxes for the Computer Management, Routing and Remote
Access and Services snap-ins, reset the settings to Not Configured (the default).
This action is necessary so you can access all services in future labs.
15. Close the Console window and save the console settings as Console1.msc.

In the following lab, you will deploy an execution control list in a Linux system. Suppose
your company has just purchased a Linux server for the programming department. Your
supervisor has directed you to configure the new server and implement appropriate
security measures on it. Among various security needs and strategies, you know that the
data in this server must be protected from any malicious activity. You can use pluggable
authentication module (PAM) to serve the purpose of an ECL on Linux systems.

Lab 2-4: Creating an execution control list for the su command in Linux
In this lab, you will configure the pluggable authentication module (PAM) list for su so
this command treats the /etc/group file as an execution control list.
Note: Student accounts need to have administrative rights in order for the following lab
steps to work properly.
1. Boot into Linux and log on with your student account.
2. Select Applications | Accessories | Terminal to open a Terminal window.
3. Make copies of the /etc/pam.d/su and the /etc/group files:

sudo cp /etc/pam.d/su /etc/pam.d/su.orig

sudo cp /etc/group /etc/group.orig
Note: These copies will be necessary in case a problem arises. You can then copy the
original files back to files that have improper entries.
4. Open the /etc/pam.d/su file in a text editor:

sudo pico /etc/pam.d/su
5. Uncomment the following line by placing your cursor in front of the entry and
pressing the DELETE key twice to remove the hash mark (#) and space so that it
appears as shown:

auth sufficient pam_wheel.so trust
6. Save your changes, then exit your text editor.
7. Next, you will add the wheel group to the group file:

sudo groupadd wheel
8. Next, you will edit the /etc/group file and add yourself to the wheel group:

sudo pico /etc/group
9. Scroll down to the end of the file. You should see a wheel group on the last line that
looks similar to the following:

wheel:x:xxxx: (where the last four x's represent a four-digit number)
10. Move your cursor to the end of the wheel line, then type your username (e.g., user1).
Members of the wheel group are trusted individuals that are granted superuser
status.
11. Save your changes, then exit your text editor.

12. You should now be able to use the su command to become any user without the need
to supply that user's password. Type the following to become the root user:

su -
Notice that you were not prompted to supply the root user's password to become the
root user.
13. Type exit to log off as root. Notice that the command prompt indicates that you are
now logged on as yourself.
Note: Manipulating the /etc/pam.d/su file and using the su command as described
above are considered to be "old school" practice by many. Most administrators
encourage the use of sudo instead. Nevertheless, the above steps demonstrate the
concept of execution control lists and how this concept is applied in Linux systems. It is
also useful to understand how to use the files that reside in the /etc/pam.d/ directory.
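The lab above turns on password-less su for the wheel group, which is exactly the kind of setting an administrator should be able to audit later. The following script is an added example (not part of the coursebook or of any lab file); it parses constructed sample contents of /etc/pam.d/su and /etc/group, so it runs offline, and reports whether the pam_wheel "trust" rule is active and which accounts it covers.

```python
"""Audit helper: does /etc/pam.d/su let wheel members use su without a password,
and who is in wheel? Added example with constructed sample file contents."""

# Constructed sample of /etc/pam.d/su after step 5 of the lab (line uncommented).
SAMPLE_PAM_SU = """\
#%PAM-1.0
auth       sufficient pam_rootok.so
# Uncomment this to force users to be a member of group wheel before using su.
# auth       required   pam_wheel.so use_uid
auth sufficient pam_wheel.so trust
auth       include    system-auth
account    include    system-auth
session    include    system-auth
"""

# Constructed sample of /etc/group after steps 7-10 (wheel group with two members).
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,user1
wheel:x:1001:user1,user2
"""


def parse_pam(text):
    """Return the active (uncommented) PAM rules as (type, control, module, args).
    The bracketed [success=...] control syntax is not interpreted here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split()
        if len(parts) < 3:
            continue                      # malformed; PAM itself would reject it
        rules.append((parts[0], parts[1], parts[2], parts[3:]))
    return rules


def group_members(text, name):
    """Return the member list of group `name` from /etc/group-format text,
    or None when the group does not exist."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == name:
            return [m for m in fields[3].split(",") if m]
    return None


def wheel_trust_status(pam_text, group_text):
    """Classify the su policy. Only a 'sufficient' pam_wheel rule carrying the
    'trust' argument skips the password; with 'required' the later auth modules
    still run and still ask for it."""
    trusted = any(
        ptype == "auth"
        and control == "sufficient"
        and module.endswith("pam_wheel.so")
        and "trust" in args
        for ptype, control, module, args in parse_pam(pam_text)
    )
    members = group_members(group_text, "wheel") or []
    return {"wheel_trust": trusted, "wheel_members": members}


if __name__ == "__main__":
    status = wheel_trust_status(SAMPLE_PAM_SU, SAMPLE_GROUP)
    if status["wheel_trust"]:
        print("su without password is granted to wheel:", ", ".join(status["wheel_members"]))
    else:
        print("pam_wheel trust is not active; su requires the target user's password")
```

To audit a live system, read the real files into `wheel_trust_status` instead of the constructed samples.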

Auditing
Auditing is an essential aspect of an overall security plan. Most modern systems can
record all their activity in log files. These logs enable you to determine the effectiveness of
your security implementation. Through these activity logs, you can usually determine if
and how an unauthorized activity occurred.
Passive auditing
Auditing can include the passive logging of activity. In passive auditing, the computer
simply records activity and does nothing about it. Therefore, passive auditing is not a
real-time detection mechanism, because someone must review the logs and then act on
the information they contain. The principle of passive auditing demands that you take no
proactive or pre-emptive action. Also, when auditing passively, make sure your auditing
infrastructure consumes as few system resources as possible.
Active auditing
Active auditing involves actively responding to illicit access and intrusions. Responses
might include:
Ending the session.
Blocking access to certain hosts (including Web sites, FTP servers and e-mail
servers).
Tracing illicit activity back to the point of origin.
Because of the time required to view and decipher log reports, you must balance your
time between auditing and other tasks. Too much auditing places unnecessary stress on
system resources. Too little could threaten your security because you will not be able to
determine a hacker's activities precisely.
OBJECTIVE 1.2.5: Auditing
Security Tradeoffs and Drawbacks
Too often, the administrative requirements of security implementation are not considered
during the design phase. Security requirements always involve drawbacks. These
drawbacks can include:
Increased complexity: Some systems administrators do not have the expertise to
implement security measures. Also, training end users on using the security
measures you require is often necessary.
Slower system response time: Authentication, auditing and encryption
mechanisms can degrade performance so that it takes longer for packets of data to
move across a network connection. Latency occurs when the computer that sent
the packet waits for confirmation that the packet has been received. Security
mechanisms can increase this latency, thereby reducing your network connection
speed.
Time and effort are required to learn new software interfaces and techniques. You should
choose software and hardware that are easy to use. In addition to the obvious benefits
(such as reduced cost), such a step allows staff members the flexibility to spend more
time on tuning and improving security. Elements to consider include:
Ease of installation.
An intuitive interface.
Effective customer support.
OBJECTIVE 1.2.6: Selecting security equipment and software
OBJECTIVE 1.1.7: Increased latency due to security
Case Study
Antique Security
Collette owns an antique store that sells some high-ticket items. She has recently become
aware of various security techniques she can implement to make her store and small
Linux computer network more secure. Because her store was recently burglarized,
Collette wants to implement a security system to authenticate her 14 employees before
they are granted access to the store. She also wants to authenticate potential customers
before they are allowed to make purchases.
Some of the security techniques Collette is considering are:
Smart cards that employees must swipe through a smart-card reader to gain access.
Retinal scans for employees before they are allowed access.
A keypad into which employees must enter a numeric password.
Passwords that employees must enter to log on to their computers.
Fingerprint identification for employees to be able to log on to their computers.
Fingerprint identification for customers to prove their identities before they can make
purchases.
An RFID proximity card reader that forces customers to use proximity cards to pay
for purchases.
An access control list to identify which employees have access to which network
applications.
An execution control list to limit certain Linux operating system processes and
applications for all employees and herself.
* * *
As a class, discuss this scenario and answer the following questions:
Which of the security techniques are most appropriate considering the size and
complexity of Collette's business?
Which security techniques, if any, are appropriate for network access, employee entry
into the store, and customer authentication? What other techniques would you
recommend?
Has Collette done a good job of determining appropriate risk factors and prioritizing
her resources?

Lesson Summary
Application project
In this lesson, you learned about the elements and concepts necessary to ensure security
at the network level. One of those concepts was enabling the proper execution controls on
your applications. You will find that implementing a firewall will not protect all
applications and data, because illicit or badly written code can "tunnel in" through
legitimate protocols, such as HTTP.
Now, test the lockup.html file from Lab 2-2 in Microsoft Internet Explorer. If time permits,
serve the lockup.html from a Web server such as Apache Server or IIS. What happens
when you run the lockup.html file? Are you allowed to execute active content? What
happens when you execute the active content?
If you lock your browser, take the necessary steps to quit and restart it. To see the
default security settings for your remote and local connections, select Tools | Internet
Options, then select the Security tab. The Internet and Local intranet "zones" refer to
your remote and local connections, respectively. Click one of the zone icons, then click
the Custom Level button. Scroll through the security settings, and note the settings for
ActiveX controls and scripting. Modify some of the settings and test the lockup.html file
again. Does your browser lock up or are you still protected?
When you are finished experimenting with your security settings, reset all zones to their
default levels. As you can see, enforcing proper security settings at the network level is
critical to protecting applications and data.
Skills review
Effective security results from a solid security policy. Without one, a hacker can find
weaknesses in methods even as intricate and complex as encryption, authentication and
access control. In this lesson, you learned about how a security policy allows disparate
techniques, services and mechanisms to work together. You also learned how reliable
security is composed of an effective combination of different, though related, principles,
including encryption, passive and active auditing, and access control. Finally, you
learned about tradeoffs associated with security measures. You must make your security
implementations as easy to use as possible. Understanding these concepts can further
help you implement security in your network and for your firewall.
Now that you have completed this lesson, you should be able to:
- 1.1.7: Identify ways in which increased security mechanisms can result in increased
latency.
- 1.1.8: Define the significance of a security policy.
- 1.1.9: Identify and develop basic components of an effective security policy.
- 1.1.10: Identify the key user authentication methods.
- 1.1.11: Define the significance of access control methods.
- 1.1.12: Define the functions of access control lists (ACLs) and execution control lists
(ECLs).
- 1.2.1: Identify the three main encryption methods used in internetworking.
- 1.2.5: Identify the importance of auditing.

- 1.2.6: Select security equipment and software based on ease of use.
- 1.2.7: Identify security factors related to transmission of unencrypted data across the
network.
- 1.2.9: Identify the significance of encryption in enterprise networks.

Lesson 2 Review
1. Discuss the function of an access control list (ACL).


2. How does hash encryption work?


3. What is ciphertext?


4. What are the three primary factors in encryption strength?

5. Smart cards are an example of what type of authentication?


Lesson 3:
Applied Encryption
Objectives
By the end of this lesson, you will be able to:
- 1.2.2: Define symmetric (private-key) encryption.
- 1.2.3: Define asymmetric (public-key) encryption, including distribution schemes,
Public Key Infrastructure (PKI).
- 1.2.4: Define one-way (hash) encryption.
- 1.2.8: Identify the function of parallel processing in relation to cryptography.
- 1.2.10: Identify the impact of encryption protocols and procedures on system
performance.
- 1.2.11: Create a trust relationship using public-key cryptography.
- 1.2.12: Identify specific forms of symmetric, asymmetric and hash encryption,
including Advanced Encryption Standard (AES).
- 1.4.1: Deploy Pretty Good Privacy (PGP) / Gnu Privacy Guard (GPG) in Windows and
Linux/UNIX systems.

Pre-Assessment Questions
1. What benefit does the Diffie-Hellman key exchange method provide?
a. It encrypts public keys between two users and their hosts.
b. It encrypts private keys between two hosts.
c. It encrypts transmissions between hosts.
d. It provides a secure method of transferring keys.
2. What type of encryption converts documents and information of variable length into
fixed, scrambled, 128-bit pieces of code?
a. Asymmetric encryption
b. Symmetric encryption
c. Hash encryption
d. Strong encryption
3. Which symmetric algorithm was chosen to be the Advanced Encryption Standard
(AES), and what were some of the standards it was required to meet in order to
become the encryption standard used by the U.S. government?
Reasons to Use Encryption
As you learned earlier, you can apply encryption for many different reasons. Encryption
can perform the following tasks:
Make data confidential: Encryption prevents data from being seen by
unauthorized people.
Help authenticate users: Encryption enables a user to prove his or her identity by
showing that the user has an encrypted element.
Ensure data integrity: Encryption can be used to prove that data has not been
improperly altered.
Creating Trust Relationships
Applying encryption means establishing a trust relationship between hosts. On the most
basic level, a trust relationship involves exchanging a special piece of code, called a key.
This key allows a host to encrypt information so that only one remote host can decrypt
the information. This encryption is accomplished with public-key encryption. This form of
encryption demands that you create a private key and a public key.
After you have generated a key pair, you can then give the public key (the special piece of
code mentioned earlier) to anyone. Public keys are distributed using two methods:
Manually: You have to first trade public keys with a recipient, then encode
messages to the recipient's public key. This method is usually required for encrypting
e-mail messages between recipients.
Automatically: SSL and IPsec can exchange information (including private keys) in
a reasonably secure manner through a series of handshakes. You will learn more
about this method in this lesson. Modern Public Key Infrastructure (PKI) models,
such as those found in Windows Server 2003, have been created to enable the
automatic transfer of public keys.
Following is a quick overview of some terms used in encryption.
Rounds and parallelization
A round is a discrete part of the encryption process. An algorithm generally submits
information to several rounds. A higher number of rounds is preferable. Most symmetric-
key algorithm rounds first process half of the unencrypted data, then process the second
half. Each half is then reprocessed to make the resulting encryption stronger.
Separating information into rounds makes symmetric keys faster.
In regards to encryption, parallelization refers to two things. First, it can refer to the use
of multiple processes, processors or machines to work on cracking one encryption
algorithm. Individual hosts can be parallelized using a parallel cluster server. Such
technology allows many different hosts to work together as one system to crack a piece of
code. Parallelization can also refer to the use of an application that is capable of using
two algorithms at the same time to encrypt information.
OBJECTIVE 1.2.11: Trust relationship with public-key cryptography
OBJECTIVE 1.2.8: Parallel processing in cryptography
Symmetric-Key Encryption
In symmetric, or single-key, encryption, one key is used to encrypt and decrypt
messages. Even though single-key encryption is a simple process, all parties must know
and trust each other completely, and have confidential copies of the key. Reaching this
level of trust is not as simple as it may seem. The time when parties are trying to create
trust is when a security breach can occur. The first-time transmission of the key is
crucial. If it is intercepted, the interceptor knows the key and confidential material is no
longer protected. Figure 3-1 illustrates single-key encryption.
Figure 3-1: Symmetric or single-key encryption (plaintext input is turned into ciphertext
and back with the same key)
Benefits and drawbacks of symmetric-key encryption
The main benefit of symmetric encryption is that it is fast and strong. These features
allow you to encrypt a large amount of information in less than a second.
The main weakness of a symmetric key is key distribution. That is, all recipients and
viewers must have the same key. Therefore, all users must have a secure way to send
and retrieve the key.
However, if users are going to pass information in a public medium such as the Internet,
they need a way to transfer this key among themselves. In some cases, the users could
meet and transfer the key physically. However, such physical meetings are not always
possible.
One solution might be to send the key by e-mail. However, such a message could be
intercepted easily, thereby defeating the purpose of encryption. The users could not
encrypt the e-mail containing the key because they would have to share yet another key
to encrypt the e-mail that contains the original key. This dilemma raises the question: If
the symmetric key has to be encrypted itself, then why not use the method that
encrypted it in the first place? One solution is to use asymmetric-key encryption, a
process that will be discussed later in the lesson.
All types of encryption are subject to defeat. A countermeasure that can reduce the
danger of having a symmetric key compromised is to change your key regularly. However,
it is often difficult to change keys at a regular time, and even more difficult to inform
others of this change, especially if your organization contains many users.
OBJECTIVE 1.2.2: Symmetric (private-key) encryption
OBJECTIVE 1.2.10: Impact of encryption on system performance
In addition to this concern, hackers can compromise symmetric keys with a dictionary
program, by password sniffing, or by looking through a desk, purse or briefcase.
Symmetric encryption is most likely to be defeated by brute-force attacks. These types
of attacks are discussed later in the course.
Symmetric Algorithms
Numerous specific mathematical algorithms are applied to achieve symmetric encryption.
These include the following:
Data Encryption Standard (DES)
Triple DES
RSA Security's RC2, RC4, RC5 and RC6
International Data Encryption Algorithm (IDEA)
Blowfish and Twofish
Skipjack
MARS
Rijndael
Serpent
Data Encryption Standard (DES)
The U.S. National Institute of Standards and Technology (NIST) formally adopted DES in
1977. You can learn more about the NIST at www.nist.gov. DES and its cousin Triple
DES remain the standard form of encryption for many companies and organizations. It is
described in the U.S. Federal Information Processing Standard (FIPS) PUB 46-1 and PUB
46-2 (www.itl.nist.gov/fipspubs/index.htm). FIPS documents are meant to publish
standards developed by the NIST. The U.S. National Security Agency (NSA) and the NIST
are the keepers of this system. The NSA home page is at www.nsa.gov.

Another name for the Data Encryption Standard is the Data Encryption Algorithm
(DEA).
DES is a block cipher in the sense that it encrypts data in 64-bit blocks. The same key is
used to encrypt and decrypt the data. This standard uses a technique called "diffusion
and confusion." The 64-bit block of data is divided into two halves, and each half is
successively passed through the key (called a round). DES has 16 rounds, and the key is
bit-wise shifted for each round. Forty-eight bits of the key are applied to the 32 bits of
data for the round.
The advantages of DES are that it is fast and simple to implement. DES has been in
production use for more than 30 years, so many hardware and software implementations
use the DES algorithm. However, key distribution and management are difficult, again
because DES relies upon a single-key model.
dictionary program: A program specifically written to break into a password-protected
system. A dictionary program has a relatively large list of common password names
that the program repeatedly uses to attempt to gain access.

password sniffing: A method of intercepting the transmission of a password during the
authentication process. A "sniffer" is a program used to intercept passwords.
OBJECTIVE 1.2.10: Impact of encryption on system performance
OBJECTIVE 1.2.12: Specific forms of encryption
Triple DES
Normal DES uses a 56-bit key and is considered sufficient for normal information. For
sensitive information, some users employ a technique called Triple DES. In this case, the
message is first encrypted using a 56-bit DES key, then decrypted with another 56-bit
key, and finally encrypted again with the original 56-bit key. The Triple DES thus
effectively has a 168-bit key. Because of the several levels of encryption, Triple DES also
thwarts man-in-the-middle attacks. Normal DES is fast, and Triple DES is faster than
other symmetric algorithms. The biggest advantage of Triple DES is its ability to use
existing DES software and hardware. Companies with large investments in the DES
encryption algorithm can easily implement Triple DES.
Encrypting and decrypting data require nothing more than passing the data
through an algorithm. The process for encryption is essentially identical to the
process for decryption.
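The DES description above (a 64-bit block split into two halves, 16 rounds, a subkey per round) and the note that decryption is the same process as encryption both describe the Feistel structure. The following toy cipher is an added example, not the coursebook's code and not real DES: the round function and key schedule are simplified stand-ins built on SHA-256, chosen only so the block, half and round arithmetic is visible; it also shows the triple encrypt-decrypt-encrypt layering that Triple DES applies.

```python
"""Toy Feistel block cipher with the DES-style layout described in the text.
Added example for study only: NOT DES and not a real cipher."""
import hashlib
import struct

ROUNDS = 16


def key_schedule(key: bytes):
    """Derive 16 round subkeys from a 7-byte (56-bit) key. DES bit-shifts the
    key each round; this stand-in hashes the key with the round number."""
    if len(key) != 7:
        raise ValueError("toy cipher expects a 7-byte (56-bit) key")
    return [hashlib.sha256(key + bytes([r])).digest()[:4] for r in range(ROUNDS)]


def round_function(half: int, subkey: bytes) -> int:
    """Stand-in for DES's f(R, K): mix a 32-bit half with the round subkey.
    Real DES uses expansion, S-boxes and a permutation here."""
    data = struct.pack(">I", half) + subkey
    return struct.unpack(">I", hashlib.sha256(data).digest()[:4])[0]


def feistel(block: bytes, subkeys) -> bytes:
    """Run one 64-bit block through the rounds in the given subkey order."""
    if len(block) != 8:
        raise ValueError("block must be exactly 64 bits")
    left, right = struct.unpack(">II", block)
    for sk in subkeys:
        # One round: the halves swap and the new right half is
        # left XOR f(right, subkey). XOR makes every round reversible.
        left, right = right, left ^ round_function(right, sk)
    # Like DES, skip the swap after the final round; this is what lets the
    # same routine decrypt when the subkeys are fed in reverse order.
    return struct.pack(">II", right, left)


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, key_schedule(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    # Decryption is the identical process with the subkeys reversed.
    return feistel(block, list(reversed(key_schedule(key))))


def triple_ede(block: bytes, k1: bytes, k2: bytes, decrypt: bool = False) -> bytes:
    """Encrypt-decrypt-encrypt layering as the Triple DES text describes,
    with the first key reused for the third pass."""
    if not decrypt:
        return encrypt_block(decrypt_block(encrypt_block(block, k1), k2), k1)
    return decrypt_block(encrypt_block(decrypt_block(block, k1), k2), k1)


if __name__ == "__main__":
    key = b"secret!"           # constructed 7-byte key
    block = b"ABCDEFGH"        # one 64-bit plaintext block
    ct = encrypt_block(block, key)
    print("ciphertext:", ct.hex())
    print("decrypted :", decrypt_block(ct, key))
```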
Symmetric algorithms created by the RSA Security Corporation
Ron Rivest, Adi Shamir and Leonard Adleman invented their public-key encryption
system in 1977, and named it after the first letters in their last names. Since then, they
have gone on to invent several different algorithms. RSA algorithms are used in several
commercial operating systems and programs, including Windows and Internet Explorer.
RSA, the Security Division of EMC Corporation, (www.rsa.com) is one of the best known
and most effective companies in the field of cryptography. RSA's technologies are
included in existing and proposed standards for the Internet and the World Wide Web.
The RSA Web site, whose home page is shown in Figure 3-2, contains substantial
information about cryptography and security. This coursebook discusses only a few of
RSA's contributions.
RSA is best known for its asymmetric encryption algorithm called RSA. Do not
confuse the symmetric algorithms created by RSA (e.g., RC2 and RC4) with the
asymmetric algorithm called RSA.

Figure 3-2: RSA Home Page
RC2 and RC4 are the most commonly used symmetric key algorithms in commercial
applications. They can use variable-length keys up to 128 bits.
RC2 and RC5
RC2, developed by Ron Rivest, stands for Rivest Cipher No. 2. It is a block mode cipher,
which means it encrypts messages in blocks, 64 bits at a time. Because it uses a variable-
length key, it can work with key lengths from zero to infinity, and the encryption speed is
independent of the key size.
RC5 is similar to RC2 in the sense that it is a block cipher, but the algorithm takes
variable block sizes and key sizes. Also, the number of rounds that the data passes
through the algorithm can be varied. The general recommendation is to use RC5 with a
128-bit key and 12 to 16 rounds to obtain a secure algorithm.
RC4
RC4, which Rivest developed in 1987, is a stream cipher, which encrypts messages as a
whole, in real time. The key length can be varied; the normal key length is 128 bits. Lotus
Notes, Oracle Secure SQL and CDPD use the RC4 algorithm.
RC6
Unlike many of the other newer encryption algorithms, RC6 comprises an entire family of
algorithms. The RC6 series was introduced in 1998. After RC5 was introduced,
researchers noticed a theoretical weakness in how RC5 processed its encryption during
specific rounds in the process. RC6 is designed to remedy this weakness. RC6 also makes
it easier for systems to calculate 128-bit blocks during each round.
International Data Encryption Algorithm (IDEA)
The International Data Encryption Algorithm (IDEA) was developed in 1990. At that time
it was called the Proposed Encryption Standard (PES), and it evolved into Improved PES
(IPES). Finally, in 1992, it evolved into IDEA. IDEA is also a block cipher and operates on
64-bit data blocks. The key is 128 bits long. Even though many consider this a stronger
algorithm, it has not gained popularity.
Blowfish and Twofish
Blowfish is a very flexible symmetric algorithm by Bruce Schneier, a prominent individual
in the cryptography arena who has made significant contributions. Blowfish is a variable-
round block cipher that can use a key of any length up to 448 bits.
Schneier has now created a newer algorithm named Twofish. This algorithm uses a 128-
bit block and is much faster than Blowfish. Twofish supports 128-, 192- and 256-bit
keys. Twofish is ideally suited for use on smart cards.
Skipjack
Skipjack is an encryption cipher designed by the U.S. National Security Agency. The
actual mathematical formula is top secret but is implemented in such products as the
Fortezza and Clipper chips. It uses an 80-bit key and 32 rounds on 64-bit blocks to
accomplish its encryption.
MARS
A block cipher algorithm, MARS was introduced by IBM. It uses 128-bit blocks and
supports a variable key size of between 128 and 448 bits. The MARS algorithm provides
better security than Triple DES and is significantly faster than single DES. Like Twofish,
it is especially designed to work well on smart cards.
Rijndael
The Rijndael algorithm allows the creation of key sizes in any multiples of 32 bits, with a
minimum of 128 bits and a maximum of 256 bits. It is a block cipher. The developers
were especially interested in making an algorithm that could perform quickly on various
platforms, including ATM networks, ISDN lines and even high-definition television
(HDTV).
Serpent
Serpent is designed to have a 128-bit block design, and supports 128-, 192- and 256-bit
keys. It is especially optimized for Intel-based chips. Although much more advanced,
Serpent is somewhat comparable to DES in the way it processes information.
Additional symmetric algorithms
Following is a quick overview of more obscure symmetric algorithms. They are not widely
used, but you may hear about them.
Misty1 and Misty2: Developed by Mitsubishi Electric, Incorporated, these are
block ciphers that use 64-bit blocks with a 128-bit key. Misty2 has additional fixes
that make it operate faster.
Gost: First developed by researchers in the former Soviet Union, this algorithm is
64 bits, and it uses a 256-bit key. It is a block cipher algorithm that is very similar in
structure to DES.
Cast-256: This algorithm is a block cipher that uses 64-bit blocks and key sizes in
any multiples of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.
The original Cast algorithm uses a 64-bit key.

Any of the previously mentioned algorithms can be used for symmetric
encryption. Each presents advantages and disadvantages, ranging from
susceptibility to defeat to royalty costs for using the algorithm. Remember that
both parties involved in the encryption (the sender and the receiver) must agree
ahead of time which symmetric algorithm will be used.
Advanced Encryption Standard (AES)
AES is the encryption standard used by the U.S. government worldwide. In January
1997, the NIST began the process of determining an AES successor to DES because most
security experts believed that DES and Triple DES no longer met security requirements.
Among other requirements, the symmetric algorithm chosen for AES had to allow the
creation of 128-bit, 192-bit and 256-bit keys; provide support for various platforms
(smart cards, 8-bit, 32-bit and 64-bit processors); and be as fast as possible.
Candidate algorithms included the following:
MARS
RC6
Rijndael
Serpent
Twofish
NIST announced Rijndael as the winner, and therefore as AES, in U.S. FIPS PUB 197 (FIPS
197) on November 26, 2001, and it became effective as a standard on May 26, 2002. You
can learn more about Rijndael/AES, as well as the reasons for its proposal, at
http://csrc.nist.gov/archive/aes/index.html.
In the following lab, you will use an open-source symmetric encryption algorithm to
encrypt a file. Suppose you work in a company's IT department, and the VP of Human
Resources asks you to provide a method for them to protect files that contain sensitive
data. She asks you how she can secure some files so they can be sent via e-mail and be
read only by the intended recipient. You could show the VP how to apply symmetric-key
encryption to the files, and how she can provide the recipient with the key for decryption.

Lab 3-1: Using symmetric encryption algorithms
In this lab, you will encrypt a file using AxCrypt, an open-source encryption program
that uses the AES algorithm with 128-bit keys.
1. Boot into Windows Server 2003 as administrator.
2. Create the folder C:\encrypt.
3. Using Notepad, create a file named symmetric.txt. Enter the following text,
substituting your name for the asterisk:

This was encrypted with AES by *.
4. Save this file in the C:\encrypt folder.
5. Obtain the AxCrypt-Setup.exe program from the C:\Lab Files\Lesson 3 folder and
place it on your Desktop.
6. Double-click AxCrypt-Setup.exe. Proceed through the wizard to complete the
installation, then restart Windows Server 2003.
7. Open the C:\encrypt folder. Right-click symmetric.txt, then select AxCrypt |
Encrypt.
8. The AxCrypt dialog box will appear, as shown in Figure 3-3.

Figure 3-3: AxCrypt dialog box Create passphrase
9. Enter a passphrase that you can remember, select the Remember This For
Decryption check box, then click OK.

10. The file will be encrypted. Notice that the file name has changed to symmetric-
txt.axx. Open the symmetric-txt.axx file in Notepad. Notice that the contents are
unreadable.
11. Now, you will send your encrypted file to your partner. Close the Notepad window,
then open Microsoft Outlook Express.
12. Configure Outlook Express to become a client to the e-mail server on your
instructor's system. Ask your instructor for details.
Note: Configure Outlook Express to send messages in plaintext format rather than
HTML. This is important because decrypting messages in Outlook Express, which you
will do later in this lesson, may not work properly if your messages are configured to
be sent as HTML.
13. After you have configured your e-mail client, obtain your partner's e-mail address
and send your encrypted file to him or her as an attachment. Your partner will also
send his or her encrypted file to you.
14. Decrypt the file sent to you by your partner by right-clicking symmetric-txt.axx and
selecting AxCrypt | Decrypt. Your partner should do the same thing to the file you
sent to him or her. You should see the AxCrypt dialog box shown in Figure 3-4.

Figure 3-4: AxCrypt dialog box Enter passphrase
15. Notice that you have a problem: You need your partner's password. Consider the
following questions:
A. How could your partner securely communicate this password to you over a long
distance?
B. What medium (e.g., telephone, a Web page or a paper note) is secure enough to
carry this password?
C. What if the person were not available to give you the password?
D. Where would you store this password once you had it? Would it be safe?
16. Obtain the password from your partner, enter it into the Enter Passphrase text box,
then click OK.
17. Notice that the symmetric-txt.axx file reappears as symmetric.txt. Open the file to see
the contents that your partner typed. When done, close all open applications.

Asymmetric-Key Encryption
Another name for asymmetric encryption is public-key encryption. Mathematicians at the
Massachusetts Institute of Technology first developed asymmetric key (public-key)
technology during the 1970s.
Asymmetric-key encryption uses a key pair in the encryption process, rather than the
single key used in the symmetric-key encryption process. A key pair is a mathematically
matched key set in which one half of the pair encrypts, and the other half decrypts. What
A encrypts, B decrypts; and what B encrypts, A decrypts.
Important to this concept is that one of the keys in the pair is made public, whereas the
other is kept private, as shown in Figure 3-5. The half that you decide to publish is called
the public key, and the half that is kept secret is the private key. Initially, it does not
matter which half you distribute. However, after one half of the key pair has been
distributed, it must always remain public, and the other must always remain private.
Consistency is critical.

(Figure 3-5 diagram: Plaintext is encrypted with the public key into Ciphertext)

Figure 3-5: Encrypting information into ciphertext, using public key
An example of asymmetric-key encryption is as follows: To send a secret to X, you would
encrypt the secret with X's public key, then send the encrypted text. When X receives the
encrypted text, he or she will decrypt it with his or her private key. Anyone who
intercepts the secret cannot decrypt it without X's private key.
Benefits and drawbacks of asymmetric-key encryption
Although private and public keys are mathematically related to one another, determining
the value of the private key from the public key is so difficult and time-consuming that it
is practically impossible. For communication over the Internet, the asymmetric-key
system makes key management easier because the public key can be distributed while
the private key stays secure with the user.
One of the drawbacks of asymmetric-key encryption is that it is quite slow, due to the
intensive mathematical calculations that the program requires. If a user wanted even a
rudimentary level of asymmetric encryption, hours would be needed to encrypt a
relatively small amount of information.
OBJECTIVE 1.2.3: Asymmetric (public-key) encryption
OBJECTIVE 1.2.10: Impact of encryption on system performance
How do browsers use public-key encryption?
You have probably used a Web browser to conduct an e-commerce transaction. It has
become standard to encrypt such transactions using the Secure Sockets Layer (SSL).
Most Web browsers already contain certificates from trusted certificate authorities. After
your Web browser receives a Web server's certificate, the SSL session is established
automatically, as long as the browser verifies that:
The certificate has been signed by a trusted authority.
The Web server has the same name as given in the certificate.
The certificate is still valid and has not expired.
If any of these checks fails, most Web browsers will warn you and ask if you want to
proceed.
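Those three checks, applied in code to a throwaway authority and server certificate built in memory. This is an added example in Go using the standard library, not code from the guide; the authority name, the host name shop.example and the one-year validity period are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestPKI holds a constructed root authority and a server certificate it signed.
type TestPKI struct {
	Roots  *x509.CertPool    // the browser's built-in list of trusted authorities
	Server *x509.Certificate // the certificate the Web server presents
}

// newCert signs template with parentKey (parent is the issuer) and parses the result.
func newCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestPKI creates a self-signed authority and a server certificate for the
// constructed host name shop.example, valid for one year starting an hour before now.
func BuildTestPKI(now time.Time) (*TestPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trusted Authority"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "shop.example"},
		DNSNames:     []string{"shop.example"}, // the name the browser must match
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvCert, err := newCert(srvTmpl, caCert, &srvKey.PublicKey, caKey) // signed by the CA
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &TestPKI{Roots: roots, Server: srvCert}, nil
}

// CheckServerCert applies the three checks from the text: the chain must end at a
// trusted authority, host must be a name in the certificate, and the validity
// period must cover now. A nil error means the SSL session may proceed.
func CheckServerCert(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	now := time.Now()
	pki, err := BuildTestPKI(now)
	if err != nil {
		panic(err)
	}
	year := 365 * 24 * time.Hour
	fmt.Println("valid:      ", CheckServerCert(pki.Server, pki.Roots, "shop.example", now))
	fmt.Println("untrusted:  ", CheckServerCert(pki.Server, x509.NewCertPool(), "shop.example", now))
	fmt.Println("wrong name: ", CheckServerCert(pki.Server, pki.Roots, "bank.example", now))
	fmt.Println("expired:    ", CheckServerCert(pki.Server, pki.Roots, "shop.example", now.Add(2*year)))
}
```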
Asymmetric-key encryption elements
The three most common asymmetric-key elements are:
RSA.
Digital Signature Algorithm (DSA).
Diffie-Hellman.
Digital Signature Algorithm (DSA)
DSA was introduced by NIST and is available openly. It is used to sign documents.
Although it functions differently from RSA, it is not proprietary and has been adopted as
the standard signing method in Gnu Privacy Guard (GPG), the open source alternative to
Pretty Good Privacy (PGP).
Diffie-Hellman
Diffie-Hellman is a protocol that provides secure exchange of keys; thus it is known as a
key-exchange protocol. It is not an encryption algorithm per se, because it does not
scramble text. It is an open standard and has been widely adopted by the security
community, with only one major change: Because the Diffie-Hellman key-exchange
method was at one time especially prone to man-in-the-middle attacks, the Station-to-
Station (STS) protocol alters the Diffie-Hellman protocol to include proper authentication.
One-Way (Hash) Encryption
Hash encryption, also called one-way encryption, converts a document or information of
variable length into a scrambled, 128-bit piece of code, called the hash value. Hash
encryption is used for information that you want never to be decrypted or read.
Decrypting it is theoretically impossible.
An example of such use would be to protect passwords from disclosure. A malicious third
party cannot re-engineer the hash through a hash algorithm to decrypt a password.
When a user enters a password to access a secure Web site or intranet, the password is
encrypted and compared to the stored hashed password in the Web server. If the values
match, then access is permitted. Once the password is hashed, the process cannot be
reversed.
Another use for hash encryption is signing files. You will learn more about this topic
shortly. One-way encryption is also used when you want someone to verify but not copy
information. It may seem illogical that anyone would want to encrypt something
permanently. However, many uses exist for encryption that not even the user can
decrypt.
OBJECTIVE 1.2.11: Trust relationship with public-key cryptography
OBJECTIVE 1.2.12: Specific forms of encryption
OBJECTIVE 1.2.4: One-way (hash) encryption
OBJECTIVE 1.2.10: Impact of encryption on system performance
For example, an automated teller machine (ATM) does not actually decrypt the personal
identification number (PIN) entered by a customer. The magnetic strip has the customer's
code encrypted one way into a hash code. After the card is inserted, the ATM calculates
the hash code on the PIN that the customer enters, which yields a result. This result is
then compared with the hash code on the customer's card. When this method is used,
the PIN is kept secure, even from the ATM and those who maintain it.
Signing data
Signing is normally implemented by passing the data to be signed through a one-way
encryption algorithm. Signing is often accomplished by using hash encryption, which
creates a hash value that is unique to the specific piece of data from which it was
generated. A hash value is unique because hash encryption is always extremely
dependent upon the contents of the message. The slightest change in the message will
result in a different hash value, which can help you discover a change in a file. The
person who wants to sign the data now only has to encrypt the hash value to ensure that
the data originated from the sender. This form of signing provides:
Security mechanisms.
Authentication.
Data integrity.
Authentication of the signature is provided when the sender encrypts the hash value with
his or her private key. This authentication assures the receiver that the message
originated from the sender.
Data integrity is achieved from the one-way encryption. Obtaining the hash value allows
the receiver to run the data through the same one-way encryption algorithm to obtain his
or her own hash value. The two hash values are then compared; if they are the same, the
data was not modified in transit.
Another distinct advantage of using the combination of one-way and asymmetric
algorithms is that the asymmetric algorithm has to encrypt only a small amount of data.
Because hash values are typically only a few kilobytes in size, significant time is not
needed to encrypt the hash value using the asymmetric algorithm.
Hash algorithms
Hash encryption uses complicated mathematical algorithms to achieve effective
encryption. Following are some discussions of several standard hash algorithms in
current use.
MD2, MD4 and MD5
The MD2, MD4 and MD5 algorithms belong to a group of one-way hash functions. These
functions take any length of bytestream and generate a unique fingerprint of a certain
length (for example, 128 bits). The process is one-way because you cannot generate the
message back from the signature, and the fingerprints are unique because no two
messages will have the same hash.
These functions are to be used as message-digest algorithms to generate unique one-way
fingerprints of e-mail messages, certificates and other items to ensure content integrity.
The normal message digest is 128 bits long.
OBJECTIVE 1.2.12: Specific forms of encryption
Ron Rivest also developed Message Digest 2 (MD2). MD4 and MD5 are faster than MD2
and are more commonly used. MD4 produces a 128-bit hash. It has been susceptible to
attacks; at least the last few rounds were successfully broken. Rivest then developed
MD5, which is stronger than MD4 and still produces a 128-bit hash. You can learn more
about MD5 in RFC 1321.
Rivest's design goals for the MD series are security, speed and simplicity. They also favor
the Intel processors, as opposed to UNIX and RISC chips.
Secure Hash Algorithm (SHA)
Secure Hash Algorithm (SHA) is another hash function. Also known as Secure Hash
Standard (SHS), it was developed by NIST and NSA and is used in U.S. government
processing. It can produce a 160-bit hash value from an arbitrary-length string.
SHA is structurally similar to MD4 and MD5. Although it is about 25 percent slower than
MD5, it is much more secure. It produces message digests that are 25 percent longer
than those produced by the MD functions, making it more secure against attacks than
MD5.
MD5sum
MD5 can be applied in Windows Server 2003 and Linux. The Linux md5sum utility
creates a fixed-length checksum of an individual file. The file can be of any length, but
the checksum is always fixed at 128 bits. This checksum is very useful, because it
verifies whether a document has experienced tampering.
For example, suppose you want to check whether the named file has changed. This file is
the executable that starts the DNS service on your system. Because named is a binary
file, you want to ensure that no one has altered it or replaced it with a trojan. In this
example, suppose you are working from the /var/james/ directory. You can issue the
following command:
host# md5sum /usr/sbin/named
5we5odble392,eoc97mbmd0003ndodom3xep /usr/sbin/named

The text string immediately beneath the md5sum command is the 128-bit hash of the
/usr/sbin/named file. You can save this output into a file, in this case, named.md5:
host# md5sum /usr/sbin/named > /usr/sbin/named.md5

The contents of the named.md5 file appear as follows:
5we5odble392,eoc97mbmd0003ndodom3xep /usr/sbin/named

Notice that this file maps the 128-bit hash to the exact path of the named file.
To compare the files, you can use two strategies.
1. Use the cat command to compare the contents of the named.md5 file to the output of
the md5sum command.
host# cat /usr/sbin/named.md5
5we5odble392,eoc97mbmd0003ndodom3xep /usr/sbin/named
host# md5sum /usr/sbin/named
5we5odble392,eoc97mbmd0003ndodom3xep /usr/sbin/named

The preceding output shows that the named file has not changed.
If the named file had somehow changed since the last time you ran the md5sum
command, you would see a difference when you ran md5sum:
host# cat /usr/sbin/named.md5
5we5odble392,eoc97mbmd0003ndodom3xep /usr/sbin/named
host# md5sum /usr/sbin/named
74s60as2djka8sjk48e1d90kdbgsdaiu90dn /usr/sbin/named

Notice that the output is now different, showing that the file has indeed been altered
since the last time the md5sum command was run. This change has occurred because
algorithms such as MD5 use the contents of the files they encrypt and generate hash
values from those contents. If the slightest change occurs, the hash value will be
different.
2. Use the -c option:
host# md5sum -c /usr/sbin/named.md5
/usr/sbin/named: OK
host#

The preceding code shows that no change has occurred. If the named file had somehow
changed, you would see the following output:
host# md5sum -c /usr/sbin/named.md5
/usr/sbin/named: FAILED
md5sum: WARNING: 1 of 1 computed checksum did NOT match
host#

If you know a legitimate change has occurred to the file and want to generate a new hash
value, you would delete the file containing the old hash value and create a new one.
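The checksum-file workflow above, implemented with Go's standard library as an added example (not from the guide): a manifest in md5sum's own line layout is written for a constructed stand-in file, verified, and then verified again after one byte of the file changes, which is what a replaced or tampered binary looks like to this check. The file names and contents are constructed.

```go
package main

import (
	"bufio"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// Md5Hex returns the MD5 digest of the file at path as the 32 lower-case hex
// characters that md5sum prints.
func Md5Hex(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:]), nil
}

// WriteChecksum appends a "<digest>  <path>" line for path to sumPath, the layout
// that "md5sum FILE > FILE.md5" produces (two spaces: the second is the mode field).
func WriteChecksum(path, sumPath string) error {
	digest, err := Md5Hex(path)
	if err != nil {
		return err
	}
	f, err := os.OpenFile(sumPath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = fmt.Fprintf(f, "%s  %s\n", digest, path)
	return err
}

// VerifyChecksums re-hashes every file listed in sumPath and reports true (OK) or
// false (FAILED) per path, the decision "md5sum -c" makes.
func VerifyChecksums(sumPath string) (map[string]bool, error) {
	f, err := os.Open(sumPath)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	results := make(map[string]bool)
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := sc.Text()
		// Layout: 32 hex digits, a space, a mode character (' ' text, '*' binary), the path.
		if len(line) < 35 {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		expected, path := line[:32], line[34:]
		actual, err := Md5Hex(path)
		if err != nil {
			return nil, err
		}
		results[path] = actual == expected
	}
	return results, sc.Err()
}

func main() {
	// Constructed stand-in for /usr/sbin/named: a small file in a temporary directory.
	dir, err := os.MkdirTemp("", "md5demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	bin, sum := filepath.Join(dir, "named"), filepath.Join(dir, "named.md5")
	report := func(label string) {
		res, err := VerifyChecksums(sum)
		if err != nil {
			panic(err)
		}
		for p, ok := range res {
			status := "OK"
			if !ok {
				status = "FAILED"
			}
			fmt.Printf("%s %s: %s\n", label, p, status)
		}
	}
	os.WriteFile(bin, []byte("original binary contents"), 0o755)
	if err := WriteChecksum(bin, sum); err != nil {
		panic(err)
	}
	report("before change")
	// One byte changed, as a tampered or replaced binary would be: the digest no longer matches.
	os.WriteFile(bin, []byte("original binary contentS"), 0o755)
	report("after change ")
}
```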
Applied Encryption Processes
Encryption methods are used in a wide variety of applications, from e-mail clients to Web
servers to actual networks, such as virtual private networks (VPNs).
Most modern dynamic encryption uses a combination of symmetric, asymmetric and one-
way encryption. This combination capitalizes on the strengths of each type of encryption,
while minimizing their weaknesses.
Programs such as IIS, Netscape Suite Spot, Pretty Good Privacy (PGP), Exchange Server
and Windows Server 2003, as well as protocols such as Secure MIME (S/MIME) and
Secure Sockets Layer (SSL), all employ a combination of symmetric, asymmetric and
hash encryption. Methods such as VPN and protocols such as Secure HTTP (SHTTP)
also use such combinations.
E-mail
E-mail is the most obvious application for encryption, especially now that business users
rely so heavily on it. Popular ways to encrypt e-mail include PGP and S/MIME.
Proprietary methods also exist, such as those used in Microsoft Exchange Server and
Lotus Notes.
Even though encryption standards differ, the principles remain the same. However,
although many encryption programs use a variety of symmetric, asymmetric and one-way
algorithms (as well as changing the order in which the data is encrypted), the overall
process is the same.
Following is a step-by-step account of the encryption process that was outlined in Figure
3-5.
virtual private network (VPN): An extended local area network (LAN) that enables a
company to conduct secure, real-time communication.

Secure HTTP (SHTTP): A form of encryption that takes place at the Web page level and
allows a Web browser to transfer sensitive information across the Internet.
OBJECTIVE 1.2.12: Specific forms of encryption
1. The sender and receiver need to obtain each other's public keys before an e-mail
message is sent.
2. The sender generates a random session key that will be used to encrypt the
e-mail message and attachments. This key is typically generated with respect to time
and some randomness such as file size or date. The algorithms used for the
encryption are typically DES, 3DES, IDEA, Blowfish, Skipjack, RC5, etc.
3. The sender will then pass the session key and message through one-way encryption
to obtain a hash value. This value provides data integrity so the message is not
altered in transit. The algorithms used at this step are MD2, MD4, MD5 and SHA1.
MD5 is used with SSL, and SHA1 is the default with S/MIME.
4. The sender then encrypts the hash value (obtained from Step 3) with his or her
private key. By using the sender's private key, the receiver is certain that the
message could have originated only from the sender. The encrypted hash value is
called the message digest.
5. The sender then encrypts the e-mail message and any attachments with the random
session key that was generated in Step 2. This encryption provides data
confidentiality.
6. The sender then encrypts the session key with the receiver's public key, to ensure
that the message can be decrypted only with the receiver's corresponding private key.
This provision provides authentication.
7. The encrypted message and message digest are sent to the receiver. The decryption
process occurs in the reverse order of the encryption process. See Figures 3-6 and
3-7.
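The seven steps above, together with the hash-then-sign method described under Signing data, carried out with Go's standard library as an added example (not code from the guide or from PGP/GPG). AES-256-GCM stands in for the symmetric algorithms listed in Step 2, SHA-256 for the hash in Step 3, and RSA for the asymmetric operations (PSS for the signature in Step 4, OAEP for wrapping the session key in Step 6); the hash is computed over the message alone, and the message text is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels to the receiver in Step 7.
type Envelope struct {
	Nonce      []byte // AES-GCM nonce used in Step 5
	Ciphertext []byte // message encrypted with the session key (Step 5)
	WrappedKey []byte // session key encrypted with the receiver's public key (Step 6)
	Signature  []byte // hash of the message signed with the sender's private key (Step 4)
}

// GenerateKeyPair makes a 2048-bit RSA key pair (Step 1: each party holds one).
func GenerateKeyPair() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// newGCM builds the AES-256-GCM cipher for a 32-byte session key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal performs Steps 2 to 6 on the sender's side.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	sessionKey := make([]byte, 32) // Step 2: random session key, fresh for every message
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg) // Step 3: one-way hash of the message
	// Step 4: sign the hash with the sender's private key (proves origin).
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey) // Step 5: encrypt the message with the session key
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, nil)
	// Step 6: wrap the session key so only the receiver's private key can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped, Signature: sig}, nil
}

// Open reverses the steps on the receiver's side and names the check that failed.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the intended receiver")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: ciphertext altered in transit")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not signed by the claimed sender")
	}
	return msg, nil
}

func main() {
	bob, alicia := GenerateKeyPair(), GenerateKeyPair() // Step 1: both sides hold key pairs
	env, err := Seal([]byte("Quarterly figures attached."), bob, &alicia.PublicKey)
	if err != nil {
		panic(err)
	}
	msg, err := Open(env, alicia, &bob.PublicKey) // Step 7: the receiver reverses the process
	fmt.Printf("received %q, err=%v\n", msg, err)
}
```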
(Figure 3-6 diagram: Bob's message to Alicia is encrypted with a random symmetric key M;
the message digest is encrypted with Bob's private key B to form the signature; key M is
encrypted with Alicia's public key Y. Bob holds public key A and private key B; Alicia holds
public key Y and private key Z.)

Figure 3-6: Asymmetric-key encryption

(Figure 3-7 diagram: the encrypted symmetric key is decrypted with Alicia's private key Z
to recover M; the encrypted text is decrypted with M; the signature is decrypted with Bob's
public key A, and the message digest algorithm is run over the recovered text so that the
two message digests can be compared.)

Figure 3-7: Asymmetric-key decryption
The following section explains two specific implementations of e-mail encryption as used
by the methods mentioned above.
Pretty Good Privacy (PGP) and Gnu Privacy Guard (GPG)
Perhaps the most popular high-technology encryption programs for e-mail and text files
are Pretty Good Privacy (PGP) and Gnu Privacy Guard (GPG). They are both successful
because they exploit the advantages of symmetric and asymmetric encryption technology,
as well as hash encryption. You can access the latest open-source version of PGP from
the PGP Corporation's Web site at www.pgp.com. See Figure 3-8.

Figure 3-8: PGP Corporation Web site
OBJECTIVE 1.2.12: Specific forms of encryption
OBJECTIVE 1.4.1: PGP/GPG in Windows and UNIX
GNU Privacy Guard was originally designed for UNIX systems, and is available at
www.gnupg.org. The remainder of this discussion applies to both applications.
Upon installation, PGP and GPG generate a public and private key pair. However, as
outlined above, this pair is an asymmetric key, and should be considered two halves of
one whole. The two halves are, in effect, two sides of the same coin. For example, the
following code represents a public key, as generated by PGP 6.5.8:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 6.5.8

-----END PGP PUBLIC KEY BLOCK-----
This code represents one half of the asymmetric code known as the public and private
key pair. The user who created this code can freely disseminate it; it is his or her public
key. However, the other half of the code, which is mathematically related to the
preceding example, is not distributed, and becomes the private key. Again, because there
is one code that is cut in half, and because these two halves work together, this coding
process is called asymmetric.
To ensure greater security, PGP and GPG also use a simple symmetric code. Besides
generating the public and private keys, each program also asks you to create a simple,
memorable password that protects the asymmetric key pair, which is a form of symmetric
encryption. In this way, both PGP and GPG create a powerful encryption system that is
easy to use and that operates quickly and efficiently.
The actual message is encrypted with a random symmetric key, which is then encrypted
with the recipient's public key. Finally, both PGP and GPG use a hash code in that they
create a signature that can be compared without divulging the actual information from
which it was created.
Revocation certificates
You should always create a revocation certificate when you generate a key pair. Under
ideal conditions, you will never have to use this certificate. However, it is necessary
because, in case of compromise, it allows you to quickly publish the fact that the key pair
is no longer valid because it has been compromised. Sometimes these certificates are
contained in a central location known as a Certificate Revocation List (CRL).
You can begin generating a revocation certificate in PGP by highlighting your key and
posting the revocation to a certificate server.
GPG allows you to begin creating a revocation certificate as follows, where your_keyname
is the actual name of your public key:
gpg --output revoke.asc --gen-revoke your_keyname

GPG will then generate a revocation certificate after you give the password for your
private key. You can then publish the revocation certificate when necessary.
In the following lab, you will install a GPG application on your server. Suppose your
company's executives need a way to send confidential data via e-mail. You could install a
PGP or GPG application on your server or their systems. Using an open-source
application shows the executives that you can meet their needs quickly in a cost-effective
manner.

Lab 3-2: Installing GPG4win 1.1.3 on Windows Server 2003
In this lab, you will install GPG4win.
1. Check to see what e-mail client you are using. You should have Microsoft Outlook
Express installed. If you do not, obtain it from www.microsoft.com.
2. Close all programs.
3. Obtain the GPG4win files from the \lesson3\gpg share on your instructor's system.
If necessary, obtain the program from http://www.gpg4win.org/download.html.
Save this file to your Desktop.
4. After you have downloaded the application, double-click gpg4win-1.1.3.exe.
5. Click Next at the Welcome screen, shown in Figure 3-9.

Figure 3-9: Gpg4win Welcome screen
6. Accept the software license agreement by clicking Next.

7. In the Choose Components screen, select all check boxes, then click Next.
8. Accept the default destination location by clicking Next.
9. Accept the default installation options by clicking Next.
10. Accept the default Start Menu folder, click Install to begin the installation process,
then click Next upon completion.
11. Deselect the Show The README File check box, then click Finish.

In the following lab, you will generate a key pair for an e-mail message. Suppose your
company's executives need a way to send confidential data via e-mail. You could install
an open-source PGP or GPG application on the server or their systems. This application
will generate public and private key pairs for messages, allowing the executives to apply
encryption to their e-mail messages themselves, from their own computers.

Lab 3-3: Generating a key pair using GPG4win
In this lab, you will generate a key pair using GPG4win.
1. Log on as administrator.
2. Select Start | All Programs | GnuPG for Windows | GPA. The GNU Privacy
Assistant Keyring Editor window will open, as shown in Figure 3-10.

Figure 3-10: GNU Privacy Assistant Keyring Editor window
3. Click the Generate Key Now button. Enter your full name in the dialog box that
appears, then click Forward.

4. Enter your e-mail address. Ask your instructor for your e-mail address. It will
probably be studentx@classroom.com, where x is your student number. Click
Forward.
5. Specify a passphrase of ciwcertified, then click Forward. If you receive a warning
informing you that the passphrase is not secure and prompting you to enter a new
passphrase, click Take This One Anyway.
Note: This password is for this lab only. It does not contain any numeric or non-
standard characters. It is a simple password for this course, in case the password is
lost. In a production environment, you would use a much more sophisticated password
that contains at least eight alphanumeric characters, a combination of uppercase and
lowercase letters, and several non-alphanumeric characters, such as !#$%^&*()_+~.
6. You will be prompted to create a backup copy of your new key, once it has been
generated. Under normal circumstances, it is highly recommended that you do this.
It is not necessary to do so for purposes of this lab. Select Do It Later, then click
Apply.
7. When the key pair is generated, the GNU Privacy Assistant Keyring Editor window
will appear containing your new key pair, as shown in Figure 3-11.

Figure 3-11: New key pair
8. Click on the key pair to provide details about it in the Details tab, located in the lower
portion of the window, as shown in Figure 3-12. Notice that your key pair is already
assigned ultimate trust, which means that you have complete trust in this user (you)
so that any key signed by this user will be considered fully valid.

Figure 3-12: Key pair details
9. Close the GNU Privacy Assistant Keyring Editor window.

In the following lab, you will export and sign public keys using a GPG application.
Suppose your company's executives need a way to send confidential data via e-mail. After
you installed an open-source PGP or GPG application on the server or their systems, they
could generate public and private key pairs for messages. They can also export their
public keys to other executives and trusted users with whom they want to exchange
confidential messages. This allows the executives to encrypt and decrypt their e-mail
messages themselves, from their own computers.

Lab 3-4: Exporting and signing public keys using GPG4win
In this lab, both partners will export their public keys to each other. By the end of the
lab, all partners will have a full trust relationship established using asymmetric-key
encryption.
1. Select Start | All Programs | GnuPG for Windows | GPA to open the GNU Privacy
Assistant Keyring Editor window (hereinafter referred to as simply GPA).
2. Right-click the key pair you have just generated, then select Export Keys.
3. The Export Public Keys To File dialog box will appear, as shown in Figure 3-13.
OBJECTIVE 1.2.11: Trust relationship with public-key cryptography


Figure 3-13: Export Public Keys To File dialog box
4. By default, keys will be exported to the C:\Program Files\GNU\GnuPG\share\
gpg4win directory. In the Selection text box, type C:\studentx (where x is your
student number), click OK, then close the GPA message box that confirms the
successful export operation.
5. View the C:\ directory in Explorer and open the file studentx in Notepad. Your public
key should appear as a series of blocks containing text and numbers, as shown in
Figure 3-14.

Figure 3-14: Public key in Notepad
6. Now, you will send your public key to your partner. Close the Notepad window, then
open Outlook Express.
7. Send your public key to your partner as an attachment. Your partner will also send
his or her public key to you.
8. When you receive your partner's public key, save it to your C:\ directory.
9. Now, you can use GPA to add your partner's public key to your keyring. Display the
GPA window, then click the Import button in the toolbar.
10. The Import Public Keys From File dialog box will display. Double-click C:\ in the
Folders list, click studentx.dat in the Files list, then click OK. Close the message box
that appears confirming that one public key was read and imported.
11. Notice that your partner's public key now appears on your keyring. Click the
imported key to provide details about it in the Details tab, as shown in Figure 3-15.
Notice that the validity of the key appears as "Unknown."

Figure 3-15: GPA window Viewing imported key
12. You must sign the imported key in order to validate it. Right-click the imported key
and select Sign Keys. The Sign Key dialog box will appear prompting you to sign your
partner's public key with your private key. Click Yes.
13. You will be prompted for your own passphrase (ciwcertified). You should
understand that this passphrase is for your own private key, not for your partner's
public key. Enter it now and click OK.
14. Click on the imported key to again provide details about it in the Details tab. Notice
that the validity of the key now appears as "Fully Valid." However, also notice that the
owner trust appears as "Unknown."
15. Right-click the imported key and select Set Owner Trust. Click the Ultimate radio
button, then click OK. Verify that the imported key is now assigned ultimate trust.
You can now use your partner's imported public key to exchange information
securely.
Note: If you do not conduct Steps 12 through 15, you will still be able to encrypt
messages (i.e., you will be able to perform a data confidentiality service), but you will
not be able to authenticate users.
16. Close all applications.

In the following lab, you will exchange encrypted e-mail messages and decrypt them
using a GPG application. Suppose your company's executives need a way to send
confidential data via e-mail. After you install an open-source PGP or GPG application
on the server or on their systems, they can generate public and private key pairs,
export their public keys to other executives and trusted users, and then exchange
encrypted confidential messages with those users from their own computers.

Lab 3-5: Exchanging encrypted messages using GPG4win
In this lab, you will use GPG4win and Outlook Express to send encrypted e-mail.
1. Start Outlook Express and prepare an e-mail message to your partner.
2. Before you send the e-mail message, you must encrypt it with your partner's public
key. You use the WinPT (Windows Privacy Tray) key management tool to do this.
Select Start | All Programs | GnuPG For Windows | WinPT. You will see the WinPT
icon (a small key) appear at the right side of the Windows taskbar.
3. In your Outlook Express message window, select the message text and use CTRL+C to
copy it to your Windows clipboard.
4. Right-click the WinPT icon on your Windows taskbar, then select Clipboard |
Encrypt. The Encryption dialog box will appear containing the keys on your keyring,
as shown in Figure 3-16.

Figure 3-16: Encryption dialog box
5. To encrypt the message you just composed, select the check box to the left of your
partner's key, then click OK.
Note: You must use your partner's public key to encrypt messages properly.
6. You must now replace the message text in your message window with the encrypted
message from your clipboard. Right-click the WinPT icon on your Windows taskbar,
then select Clipboard | Edit. You should see the Clipboard Editor window containing
the encrypted message text, and the text is selected.

7. Copy the selected text from the Clipboard Editor window, and paste it into the
Outlook Express message window, making sure to overwrite the existing message
text. Your message window should appear similar to Figure 3-17.

Figure 3-17: Message window with encrypted text
8. Click the Send button to send your encrypted message to your partner. When you
and your partner receive e-mail messages from each other, you will notice that they
are encrypted. Double-click the message from your partner so you can view it in its
own window.
Note: Your instructor may need to manually process your messages on the e-mail server
to ensure you get them promptly. Additionally, students may want to set their e-mail
clients to contact the e-mail server every minute to ensure quick receipt of the message.
9. Next, you will decrypt the e-mail message you just received from your partner. Select
all of the text in the message window and use CTRL+C to copy it to your Windows
clipboard.
10. Right-click the WinPT icon on your Windows taskbar, then select Clipboard |
Decrypt | Verify.
11. Because this message was written to your public key, you now must enter the
passphrase of your private key (ciwcertified) to decrypt it. Enter it now and click
OK. When the process is complete, the decrypted text will be located on the
clipboard.
12. Right-click the WinPT icon on your Windows taskbar, then select Clipboard | Edit.
You should see the Clipboard Editor window containing the decrypted message text.
13. You can now copy the decrypted message text into your e-mail program or text editor.
14. Close all applications.

In the following lab, you will encrypt files using a GPG application. Suppose your
company's executives need a way to secure their confidential data files. You have already
installed an open-source PGP or GPG application on the server or their systems, so with a
little extra training, the executives can encrypt any file on their hard drives themselves.
The executives can now send a secured attachment via e-mail to any of their trusted
recipients, and they can decrypt any encrypted files that they receive from trusted
senders.

Lab 3-6: Encrypting files with GPG4win
In this lab, you will use GPG4win to encrypt a file.
1. Create a new text document on your Desktop named gpgstudentx, where x is your
student number. Do not specify a file name extension.
2. Open the file gpgstudentx in Windows Notepad, enter the text This file is
encrypted, then save the file and close the Notepad window.
3. Next, you will encrypt the file with your partner's public key. Right-click the
gpgstudentx file, then select GPGee | Encrypt (PK). The "Encrypt (PK)" command
specifies to encrypt the file using public-key encryption.
4. You will see the Sign/Encrypt Files dialog box. Select the check box to the left of your
partner's key, then click OK.
Note: You must use your partner's public key to encrypt the file properly.
5. You will see a new file on your Desktop named gpgstudentx.gpg. GPG4win
automatically added the .gpg extension, which informs you that the file has been
encrypted.
6. Exchange with your partner the encrypted files using e-mail or any other method you
want.
7. Place the gpgstudentx.gpg file that your partner just sent you on your Desktop, then
double-click it. The Notepad window should appear containing the encrypted text.
Close the Notepad window.
8. Next, you will decrypt the encrypted file. Right-click the gpgstudentx.gpg file, then
select GPGee | Verify/Decrypt.
9. You will be asked for the passphrase for your own private key. Enter it now
(ciwcertified) and click OK. When you receive the message that the file has been
successfully decrypted, close the Verify/Decrypt Files dialog box.
10. You will see a new file on your Desktop named gpgstudentx (where x is your partner's
student number). Open the gpgstudentx file from your partner in Notepad. You
should see the decrypted text in the Notepad window.
Note: Notice that you did not have to give your partner your password because when
public-key encryption is used, passwords do not have to be exchanged. Exchanging
public keys does the job for you.
11. Close all open applications.
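Labs 3-4 through 3-6 drive GPA, WinPT and GPGee through their menus, so the mechanism stays hidden. The following is an added example, not code from the CIW guide or from GPG4win, that carries out the same hybrid scheme with Go's standard library: a one-time AES session key is wrapped with the partner's public key (RSA-OAEP stands in for the OpenPGP packet format), the message is encrypted under that session key, and the sender may sign the result with his or her private key. The names Envelope, NewKeyPair, Encrypt and Decrypt, and the sample text, are chosen here. It shows what the notes in the labs state: only the holder of the matching private key can open a message, no password ever crosses the wire, and without a signature the recipient gets confidentiality but cannot authenticate the sender.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the hybrid ciphertext a PGP-style tool produces: a one-time AES
// session key wrapped with the recipient's public key (RSA-OAEP here), the
// AES-GCM payload, and an optional RSA-PSS signature by the sender over it.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte // empty when the sender did not sign
}

// NewKeyPair generates a key pair; &priv.PublicKey is the part a partner exports,
// the private key never leaves the owner's machine.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext to the recipient's public key. With signer non-nil the
// envelope is also signed with the sender's private key (the "authenticate
// users" part of the lab); with signer nil only confidentiality is provided.
func Encrypt(plaintext []byte, recipient *rsa.PublicKey, signer *rsa.PrivateKey) (*Envelope, error) {
	sessionKey := make([]byte, 32) // AES-256 key used for this one message
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	// Only the holder of the matching private key can unwrap the session key.
	env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	if signer != nil {
		digest := sha256.Sum256(env.Ciphertext)
		env.Signature, err = rsa.SignPSS(rand.Reader, signer, crypto.SHA256, digest[:], nil)
		if err != nil {
			return nil, err
		}
	}
	return env, nil
}

// Decrypt opens an envelope with the recipient's private key. If trustedSender
// is non-nil the signature must verify under that public key first.
func Decrypt(env *Envelope, recipient *rsa.PrivateKey, trustedSender *rsa.PublicKey) ([]byte, error) {
	if trustedSender != nil {
		if len(env.Signature) == 0 {
			return nil, errors.New("message is not signed: sender cannot be authenticated")
		}
		digest := sha256.Sum256(env.Ciphertext)
		if err := rsa.VerifyPSS(trustedSender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
			return nil, fmt.Errorf("signature does not verify: %w", err)
		}
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("this private key cannot unwrap the session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	student1, _ := NewKeyPair() // sender
	student2, _ := NewKeyPair() // partner; student1 holds only &student2.PublicKey
	env, _ := Encrypt([]byte("This file is encrypted"), &student2.PublicKey, student1)
	pt, err := Decrypt(env, student2, &student1.PublicKey)
	fmt.Printf("partner reads %q, err=%v\n", pt, err)
	_, err = Decrypt(env, student1, &student1.PublicKey)
	fmt.Println("sender's own private key:", err)
}
```

The signature is computed over the ciphertext rather than the plaintext so that the recipient rejects a message before decrypting it when the signature does not match; the AES-GCM tag independently detects any change to the encrypted bytes.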


Secure MIME (S-MIME)
Secure MIME (S-MIME) is a public, industry-standard method for public-key encryption
and e-mail signing. S-MIME uses slightly different algorithms, key formatting and key
servers from PGP. S-MIME also stores the keys differently. Nevertheless, the principles
remain the same in that S-MIME uses exactly the same steps to encrypt, decrypt and
sign messages.
Proprietary asymmetric encryption
Microsoft Exchange, Lotus Notes and Novell GroupWise can use proprietary algorithms.
The e-mail servers, not the clients, encrypt and decrypt messages.
The advantage of such proprietary encryption systems is that because the encryption is
fully integrated at the mail server level, a user need only click a button to encrypt and
decrypt. This solution is efficient because its users do not have to generate keys or take
steps to decrypt messages. This method can save valuable time, while still providing
effective security.
The disadvantage of such a proprietary asymmetric encryption method is that it is
compatible only with other servers by the same manufacturer. Thus, a Lotus Notes user
could not send encrypted e-mail to a Microsoft Exchange client. Many organizations use,
for example, UNIX for SMTP and POP3 servers. Any communication sent between an
Exchange server and a UNIX server would not be secure, unless the users employed S-
MIME, PGP or some other encryption program. This restriction could significantly limit
your organization's ability to communicate securely and still conduct business.
Encrypting drives
In addition to encrypting e-mail, you can encrypt files and entire portions of hard drives,
create checksums for files, and create hidden encrypted drives. BestCrypt
(www.jetico.com) has become a popular choice for the Windows and Linux platforms. See
Figure 3-18.

Figure 3-18: Jetico Web site
OBJECTIVE 1.2.12: Specific forms of encryption
Additional products that implement file encryption include:
- Blowfish Advanced CS (can be downloaded from multiple sites).
- Lock It Down (www.lockitdown.com/).
- EasyCrypt (can be downloaded from multiple sites).
Secure Sockets Layer (SSL) and Secure HTTP (SHTTP)
You have already reviewed how a Web browser recognizes certificates. The Secure
Hypertext Transfer Protocol (Secure HTTP or SHTTP) and the Secure Sockets Layer (SSL)
each allow spontaneous encryption. They are often used in Web, e-mail and NNTP servers
to help secure transactions and communications. Additional applications used in the
security community also support SSL. Like PGP, both Secure HTTP and SSL use
symmetric, asymmetric and one-way encryption. Specifically, they use an asymmetric key
to exchange a symmetric key, and they use one-way encryption to sign all the data
packets.
Secure HTTP
As shown in Figure 3-19, Secure HTTP uses the asymmetric process to secure online
transactions, but as soon as this connection is made, it uses a symmetric key. Most
browsers support this protocol, including Mozilla Firefox and Microsoft Internet Explorer.


Figure 3-19: Asymmetrically encrypted information passed through network

Transport Layer Security (TLS) / Secure Sockets Layer (SSL)
The Transport Layer Security (TLS) protocol and its predecessor, Secure Sockets Layer
(SSL), allow applications to privately exchange data over public networks, thereby
preventing eavesdropping, tampering and message forgery. There are slight differences
between SSL and TLS, but they are essentially the same. TLS 1.0 is an Internet
Engineering Task Force (IETF) specification. The current approved version of TLS is
version 1.1, which is specified in RFC 4346.
TLS/SSL enables two applications to communicate over the network by authenticating
with digital certificates, which are digital IDs issued by a certificate authority (CA) to
authenticate and validate Internet data transfer. Certificates will be discussed in detail
later. It also ensures message reliability using encryption and message digests. TLS/SSL
is a thin veneer placed above the transport protocol. All browsers support TLS/SSL, so
the applications using it need no special code. Also, as cryptographic algorithms become
more advanced (e.g., DES, RC2, RC4 and so forth), browsers will support the protocol
independent of the applications.
OBJECTIVE 1.2.12: Specific forms of encryption
Internet Engineering Task Force (IETF): An organization that determines the standards
and protocols for the Internet.
TLS/SSL provides security at the connection level. A TLS/SSL client and server use a
handshake procedure to negotiate a stateful connection. During this handshake, the
client and server agree on various parameters used to establish the connection's security.
The top-level sequence of the TLS/SSL protocol is:
1. The client and the server negotiate a connection and agree upon specific algorithms
for encrypting the channel.
2. The client then generates a random session key using a symmetric algorithm.
3. After authentication, all data is encrypted using this session key. The algorithms
typically used are DES or RC4.
4. The message authentication hash, or one-way encryption (SHA/MD5), signs all the
packets, thereby providing data integrity.
The TLS/SSL specification details the data structures, client/server handshake
protocol, certificate and key exchange procedures, messages, constants and so
forth. You need not know all the internal details of TLS/SSL to use the
protocol.
In some ways, TLS/SSL might be more secure than other methods because the
encryption process takes place at a lower level of the network, according to the Open
Systems Interconnection (OSI) model. Furthermore, TLS/SSL can encrypt more activity
than SHTTP because Secure HTTP will encrypt only HTTP activity, whereas TLS/SSL
encrypts the entire packet. TLS/SSL takes place at the transport level, a lower level of the
stack than Secure HTTP. Both protocols require certificates.
When a user connects to a Web site that uses TLS/SSL for encryption, only the
Web server has a digital certificate. Thus, only the Web server is authenticated,
not the client or browser. Client authentication does not typically occur because
most Internet users do not have digital certificates installed on their machines.
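The four-step sequence and the one-sided authentication described above can be observed directly. The following is an added example written with Go's standard library, not code from the CIW guide: it builds a self-signed certificate for the constructed host name example.test (standing in for a CA-issued Web server certificate), runs a TLS server and client over a loopback connection, and reports the version and cipher suite the two sides agreed on, the server identity the client verified, and the number of certificates the client presented. A second run with the server's certificate left out of the client's root store shows the handshake being refused. HandshakeResult, newSelfSignedCert and RunHandshake are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HandshakeResult records what the handshake established, as seen by the client.
type HandshakeResult struct {
	Version     uint16 // 0x0303 = TLS 1.2, 0x0304 = TLS 1.3
	CipherSuite string // symmetric cipher and hash agreed in step 1 of the sequence
	ServerName  string // DNS name in the certificate the server presented and the client verified
	ClientCerts int    // certificates the client presented; 0 means the client was not authenticated
}

// newSelfSignedCert stands in for the CA-issued certificate a real Web server holds.
func newSelfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// RunHandshake runs a TLS client and server over loopback TCP. With trustServer false
// the server's certificate is missing from the client's root store, so the client must refuse.
func RunHandshake(host string, trustServer bool) (HandshakeResult, error) {
	serverCert, leaf, err := newSelfSignedCert(host)
	if err != nil {
		return HandshakeResult{}, err
	}
	roots := x509.NewCertPool()
	if trustServer {
		roots.AddCert(leaf)
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return HandshakeResult{}, err
	}
	defer ln.Close()
	// Server side: accept one connection and complete the handshake.
	serverDone := make(chan error, 1)
	var clientCerts int
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}})
			defer srv.Close()
			err = srv.Handshake()
			clientCerts = len(srv.ConnectionState().PeerCertificates)
		}
		serverDone <- err
	}()
	// Client side: dial, verify the server certificate against roots, finish the handshake.
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return HandshakeResult{}, err
	}
	cli := tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12})
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return HandshakeResult{}, fmt.Errorf("client rejected server: %w", err)
	}
	if err := <-serverDone; err != nil {
		return HandshakeResult{}, err
	}
	st := cli.ConnectionState()
	return HandshakeResult{Version: st.Version, CipherSuite: tls.CipherSuiteName(st.CipherSuite),
		ServerName: st.PeerCertificates[0].DNSNames[0], ClientCerts: clientCerts}, nil
}

func main() {
	fmt.Println(RunHandshake("example.test", true))
	fmt.Println(RunHandshake("example.test", false))
}
```

The client never supplies a certificate, so the server's ConnectionState reports zero peer certificates: the server proved its identity, the browser did not. The untrusted run fails inside the client's Handshake call, before any application data is sent, which is the point at which a browser would show a certificate warning.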
Encryption Review
Review the security considerations presented in Table 3-1.
Table 3-1: Security technology summary
Security Technology: Function
Encryption: Scrambles and unscrambles data traveling through the network; prevents
unauthorized snooping of data and provides privacy.
Authentication: Establishes participants' identities, using the principles of
authentication (what you know, what you have, who you are and where you are).
Key: A word, phrase or string of text used to encrypt and decrypt information.
Symmetric-key (private-key) encryption: An encryption method that uses only one key.
Asymmetric-key (public-key) encryption: An encryption method that uses two keys; data
encrypted with one key can be decrypted using the other key.
Message integrity by hash mark and signature: Uses a one-way algorithm to generate a
hash value that is computationally unique; ensures that the message or data is not
tampered with after it has been sent. Entities and individuals sign messages, software,
Java applets and other items; signatures can be verified and traced back to certificate
authorities.

Case Study
So Many Algorithms
Janet is the system administrator for a military contractor that produces navigational
instruments of a highly sensitive nature. Janet has been asked to recommend specific
symmetric algorithm(s) that would be appropriate for encrypting and decrypting
company-sensitive messages that users deliver to each other via the company intranet.
Janet wants the resulting algorithm(s) to be fast and simple, but very strong. The
algorithm(s) should also protect against hacker activity, such as man-in-the-middle
attacks. Janet decides to research the merits and drawbacks of the following algorithms:
- Data Encryption Standard (DES)
- Triple DES
- RC2, RC4 and RC5
- Blowfish
- Twofish
- MARS
- Rijndael
- Serpent
* * *
As a class, discuss this scenario and answer the following questions:
- What are the merits of each of the algorithms being considered?
- What are the drawbacks, if any, of each of the algorithms being considered?
- What algorithmic key size would be appropriate for company-sensitive information
that could have serious consequences if the contents were intercepted by
unauthorized outsiders?
- Has Janet considered algorithms appropriate to the situation described here?
Lesson Summary
Application project
In this lesson, you learned how to apply encryption at the practical level. Windows Server
2003 has a built-in file encryption utility called the Encrypting File System (EFS). In
Windows 2000 Server, EFS was activated by default and the administrator was
automatically designated as the data recovery agent (which authorized the administrator
to recover encrypted data within the scope of his or her administration). However, in
Windows Server 2003, the administrator must manually create and install the data
recovery agent (even if it is him or herself) by executing the following steps:
1. Open a command window and use the cipher.exe utility:

cipher /r:filename

Note: The /r generates a .pfx and .cer file with a self-signed EFS recovery certificate
contained therein. The filename is any file name without an extension.
The cipher command will generate filename.pfx (for data recovery) and filename.cer
(for use in the recovery policy).
2. Access the directory containing the .PFX and CER files (the default is C:\Documents
and Settings\Administrator).
3. Right-click the CER file, select Install Certificate, then proceed through the wizard to
install the certificate to be used in the recovery policy.
4. Right-click the PFX file, select Install PFX, then proceed through the wizard to install
the recovery key to be used for data recovery.
5. Select Start | Administrative Tools | Local Security Policy | Security Settings |
Public Key Policies. Right-click the Encrypting File System folder, select Add Data
Recovery Agent, then proceed through the wizard to add yourself as the recovery
agent. Use the Browse Folders button to designate the CER file you created earlier as
the recovery agent.

You (as the administrator) will now be able to read all encrypted files created by any user
within the scope of your administration, as you will see during the remainder of this
application project.
As administrator (or an administrative user), create a folder directly off of the C:\ drive
named encryption. To encrypt this folder, open Windows Explorer, right-click the folder,
then select Properties. Click the Advanced button, then select the Encrypt Contents To
Secure Data check box.
All files you place in this folder will be encrypted. Create a file named test.txt and add
some text to it. When you have added some text and saved the file, review the
permissions on the folder and the file. Both are accessible by all users. Now, create a new
user named user1. Log off as administrator and log back on as user1.
As user1, access the folder named encryption and try to read the file named test.txt.
Notice that you can access the folder, but not the test.txt file because the file is encrypted
to the administrator's account. Now, as user1, create a new file in the encryption
directory. Log off as user1 and log back on as administrator. You will be able to read all
files in the encryption directory, including those created by user1 because you set up the
administrator as a data recovery agent. Otherwise, not even the administrator account
could access this file.
This restriction exists because files are encrypted with public-key encryption: The user1
account uses its public key to encrypt files and directories, so only its private key can
decrypt them. With this logic, non-administrative users could encrypt folders and files so
that not even the systems administrator would be able to read them. After all, if a user
encrypts data to his or her public key, then only the holder of the private key would be
able to decrypt information, and if the administrator account did not have access to all
private keys, the systems administrator would be locked out of his or her own system. In
such a situation, the administrator would never know what is going on in certain parts of
the system for which he or she was responsible.
You can verify that the administrator is now the data recovery agent by selecting Start |
Administrative Tools | Local Security Policy | Security Settings | Public Key Policies |
Encrypting File System. Notice that the folder contains the Administrator certificate. Also
notice that the Intended Purposes column stipulates File Recovery as the purpose of the
certificate, as shown in Figure 3-20.

Figure 3-20: Viewing data recovery agent for Windows Server 2003 system
You now understand how to implement folder and file-level encryption. You also
understand how the systems administrator acts as a data recovery agent for the local
system, in case a problem occurs, such as trouble with a user's private key. If the user's
private key becomes corrupted, the user will no longer be able to read his or her own
files, and the administrator will have to act as a recovery agent to decrypt these files.
Skills review
In this lesson, you applied encryption principles. You created trust relationships and
learned about some of the more powerful encryption options currently available. You
learned about public-key cryptography and hash algorithms, and you studied how to use
them on Windows Server 2003 and Linux. Finally, you reviewed certificate principles and
the use of SSL on your Web server. Now that you understand how to implement
encryption, you can learn more about different types of attacks commonly waged against
systems.
Now that you have completed this lesson, you should be able to:
- 1.2.2: Define symmetric (private-key) encryption.
- 1.2.3: Define asymmetric (public-key) encryption, including distribution schemes,
Public Key Infrastructure (PKI).
- 1.2.4: Define one-way (hash) encryption.
- 1.2.8: Identify the function of parallel processing in relation to cryptography.
- 1.2.10: Identify the impact of encryption protocols and procedures on system
performance.
- 1.2.11: Create a trust relationship using public-key cryptography.
- 1.2.12: Identify specific forms of symmetric, asymmetric and hash encryption,
including Advanced Encryption Standard (AES).
- 1.4.1: Deploy Pretty Good Privacy (PGP) / Gnu Privacy Guard (GPG) in Windows and
Linux/UNIX systems.

Lesson 3 Review
1. What is the main problem that occurs when only symmetric encryption is used for
Internet communication?




2. Explain the basics of asymmetric encryption.



3. How is hash encryption decrypted?







4. Describe what could happen if you were to send your private key to a stranger. What
counter-action could you take?



5. What is the advantage of signing data using hash encryption?




Lesson 4:
Types of Attacks
Objectives
By the end of this lesson, you will be able to:
- 1.2.5: Identify the importance of auditing.
- 1.4.3: Identify specific types of security attacks.
- 1.4.4: Identify a brute-force attack.
- 1.4.5: Identify a dictionary attack.
- 1.4.6: Identify routing issues and security.
- 1.4.7: Determine the causes and results of a denial-of-service (DOS) attack.
- 1.4.8: Recognize attack incidents.
- 1.4.9: Distinguish between illicit servers and trojans.

Pre-Assessment Questions
1. You notice that a server is handling connections slowly. You use tcpdump, and notice
that the server is receiving thousands of ICMP packets sent from thousands of
different hosts. What is happening to this server?
a. A SYN flood, as the result of a denial-of-service (DOS) attack
b. A UDP flood, as a result of a distributed DOS (DDOS) attack
c. A trojan has been installed on this system
d. A distributed denial-of-service attack
2. Which of the following is a form of man-in-the-middle attack?
a. Creating a SYN flood on a local subnet
b. Creating a UDP flood on a remote subnet
c. Creating a buffer overflow
d. Hijacking a connection
3. In protecting against information leakage, what is the difference between
necessary and unnecessary information?





Network Attack Categories
To really understand security, you must understand the types of attacks that you will
encounter. To further defend against a hacker, you must also understand the techniques,
tools and programs available to the hacker.
Table 4-1 lists common types of attacks waged against network resources. You will learn
more about these attacks throughout this lesson. It is important to understand that
attacks are often combined to produce a specific result. For example, a hacker might
place a trojan on a Web server. For the server to execute the trojan, the hacker would
perform a denial-of-service (DOS) attack on the server that would cause the machine to
restart. When the machine restarts, it will load the trojan.
Table 4-1: Network attack types
Attack: Description
Brute force: A brute-force attack involves repeated guessing of passwords or other
encrypted data, one character at a time, usually at random. It can also involve physical
attacks, such as forcing open a server room door or opening false ceilings.
Dictionary: Dictionary attacks involve repeated attempts to guess a password. They are
similar to brute-force attacks, but use a file containing a long list of words to
repeatedly guess user names and passwords, instead of random values.
System bugs and back doors: A system bug refers to an unintentional flaw in a program
that creates inadvertent access to a system through a network port. A back-door attack
involves code inserted secretly into an application or operating system by developers;
the code opens a networking port that allows illicit access into the system. Usually,
only the developers know the password, but sometimes these passwords become publicly
known. The difference between a bug and a back door is that a bug is unintentional,
whereas a back door is intentional.
Malware: Malware is an abbreviation for malicious software. Malware refers to programs
or files whose specific intent is to harm computer systems. Malware includes viruses,
worms, trojans, root kits, illicit servers and logic bombs.
Social engineering: Social engineering involves attempts to trick legitimate employees
into revealing information or changing system settings in order to gain access to a
network.
Denial of service (DOS): DOS is a type of attack waged by a single system on one or more
systems. DOS attacks involve crashing a system completely or occupying system resources
(for example, CPU cycles and RAM), which renders the system non-functional. DOS can
also involve causing legitimate system features and tools to backfire.
Distributed denial of service (DDOS): DDOS involves the use of multiple applications
found on several network resources to crash one or more systems, denying service to a
host. DDOS is often used to consume a server's data connection.
Spoofing: Spoofing (also known as a masquerade attack) involves altering or generating
falsified or malformed network packets. A host (or a program or application) pretends it
is another entity on a network. The entity under attack is convinced it is dealing with
a trusted host, and any transactions that occur can lead to further compromise.
Scanning: Scanning involves detecting the ports that are open on the system being
attacked. The attacker can then learn more about the services found and attempt to
compromise weaknesses found in the services.
OBJECTIVE 1.4.3: Security attack types
Table 4-1: Network attack types (cont'd)
Attack: Description
Man in the middle: For a man-in-the-middle attack to take place, an attacker must be
physically in the middle of a connection to obtain information.
Bots and botnets: Bots are software applications that run automated tasks over the
Internet. Bots are not necessarily malicious per se. However, bots can be used to assume
control over infected computers. A botnet is a group of computers infected with a bot.
SQL injection: SQL injection is a hacking technique in which malicious SQL commands are
passed through a Web application for the purpose of gaining access to data contained in
a back-end database.
Brute-Force and Dictionary Attacks
A brute-force attack is waged whenever a hacker conducts repeated access attempts to
gain access as a legitimate user. In a brute-force attack, a hacker uses every character,
word or letter he or she can think of to defeat authentication and obtain a legitimate
user's password. Many applications simply begin guessing user names and repeatedly
access a server. A brute-force attack requires the server to respond willingly to repeated
attacks. Depending upon the speed of the systems involved, thousands of attempts can
be made per minute. A brute-force attack is a rather unsophisticated attempt to try
everything, including a dictionary file, a sniffer and repeated logon attempts.
An example of a brute-force attack is a hacker's attempt to break a code using a
combination of computers and information. In one instance, a hacker responded to a
challenge to decrypt a single message that was encrypted by the RC4 algorithm and an
asymmetric key. To defeat this algorithm, the hacker had to resort to sophisticated and
extensive measures. He used 120 workstations clustered together, two supercomputers
and information from three major research centers. Even with all this equipment, it took
him eight days to defeat the encryption algorithm. In fact, for breaking encryption, eight
days is a rather short time.
Brute-force attacks conducted against secure systems require a great deal of time, and
are often the result of either desperation or great determination. Many systems, however,
are prone to exposure from such attacks, mainly because of inadequate security settings
and policies. Brute-force attacks are often easy to detect because they involve repeated
logon attempts, and account lockout can be enabled as a strategy to defeat such attacks.
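The repeated-logon trail just described is what a detector looks for. The following script is an added example, not code from this guide: it parses constructed sshd-style syslog lines, flags any source that exceeds a failure threshold inside a sliding window, lists accounts that would trip an account-lockout policy, and reports a successful logon that follows a burst from the same source. The log lines, the year, and the threshold and window values are assumptions.

```python
"""Flag brute-force logon patterns in sshd-style syslog lines.

Added example; the log lines are constructed and the thresholds are
site assumptions, not values from the guide.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source guessing joseph's password and then
# succeeding; a second source failing twice, far apart; one unrelated line.
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[2101]: Failed password for invalid user admin from 10.0.0.9 port 51001 ssh2
Mar 10 08:00:02 host sshd[2102]: Failed password for joseph from 10.0.0.9 port 51002 ssh2
Mar 10 08:00:02 host sshd[2103]: Failed password for joseph from 10.0.0.9 port 51003 ssh2
Mar 10 08:00:03 host sshd[2104]: Failed password for joseph from 10.0.0.9 port 51004 ssh2
Mar 10 08:00:04 host sshd[2105]: Failed password for joseph from 10.0.0.9 port 51005 ssh2
Mar 10 08:00:05 host sshd[2106]: Accepted password for joseph from 10.0.0.9 port 51006 ssh2
Mar 10 08:05:00 host sshd[2107]: Failed password for alice from 192.168.1.20 port 40001 ssh2
Mar 10 08:30:00 host sshd[2108]: Failed password for alice from 192.168.1.20 port 40002 ssh2
Mar 10 08:31:00 host cron[2109]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_log(text, year=2009):
    """Return (timestamp, result, user, source) tuples for sshd password events.

    Syslog lines carry no year, so the caller supplies one (assumption).
    Lines from other daemons are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Map source -> (count, first_ts, last_ts) for every source that produced
    at least `threshold` failures inside some sliding `window`."""
    by_src = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "Failed":
            by_src[src].append(ts)
    bursts = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (src not in bursts or count > bursts[src][0]):
                bursts[src] = (count, stamps[start], stamps[end])
    return bursts


def accounts_to_lock(events, max_failures=3):
    """Account-lockout view: users with more than `max_failures` failed logons."""
    fails = defaultdict(int)
    for _ts, result, user, _src in events:
        if result == "Failed":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n > max_failures)


def successes_after_burst(events, bursts):
    """Accepted logons from a flagged source at or after the end of its burst:
    the strongest sign that the guessing actually worked."""
    return [
        (user, src, ts)
        for ts, result, user, src in events
        if result == "Accepted" and src in bursts and ts >= bursts[src][2]
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_bursts(evs)
    for src, (n, first, last) in hits.items():
        print(f"burst: {n} failures from {src} between {first} and {last}")
    print("lock:", accounts_to_lock(evs))
    print("success after burst:", successes_after_burst(evs, hits))
```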
Dictionary attacks
Dictionary attacks are customized, directed versions of brute-force attacks. If a potential
hacker were to try to obtain a password using a traditional brute-force method, he or she
would have to try every possible character, including lowercase, uppercase, numeric and
non-alphanumeric characters. A dictionary attack narrows the potential possibilities by
trying only specific passwords. Many end users mistakenly use a standard word for a
password. A dictionary attack attempts to decipher a password by consulting a file, often
called a dictionary file, that contains a long list of words. Sometimes these dictionary files
are very large (more than 10 MB) and can contain words from several different languages.
Strong passwords help defeat dictionary attacks by combining lowercase, uppercase,
numeric and non-alphanumeric characters. Hackers often use programs such as John
the Ripper for UNIX or Cain and Abel for Windows to obtain illegal access. Such attacks
are versions of the brute-force attack and are often used against networks. However,
hackers can also use dictionary programs in other ways. A dictionary program can allow
hackers to work in conjunction with many computers or to defeat passwords on ZIP files.
brute-force attack: An attack involving repeated user name or password guessing, one character at a time. Can also involve physical attacks on server-room doors or false ceilings.
OBJECTIVE 1.4.4: Brute-force attacks
OBJECTIVE 1.4.3: Security attack types
dictionary attack: An attack in which a hacker tries to guess user passwords by using words from a file containing various possible passwords.
OBJECTIVE 1.4.5: Dictionary attacks
Lesson 4: Types of Attacks 4-5
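A policy check that rejects the passwords a dictionary run finds first, added here as an example and not code from the guide or from John the Ripper: it folds case, strips trailing digits and punctuation, undoes common letter-for-digit substitutions, and compares the result against a word list, then applies the character-class rule given above. The word list, minimum length and class threshold are constructed assumptions.

```python
"""Screen a candidate password against a dictionary file and a character-class rule.

Added example; WORDLIST_TEXT stands in for a dictionary file such as John's
password.lst, and the thresholds are assumptions.
"""
import re

# Constructed mini word list (a real dictionary file runs to thousands of words).
WORDLIST_TEXT = """\
#!comment: constructed sample, not a real password.lst
password
letmein
welcome
dragon
monkey
"""

# Substitutions a cracker's rules undo (or apply) routinely.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def load_wordlist(text):
    """Lower-cased set of words, skipping blank and '#' comment lines."""
    return {
        w.strip().lower()
        for w in text.splitlines()
        if w.strip() and not w.startswith("#")
    }


def candidate_forms(password):
    """Base words a dictionary attack would reach from this password: case folded,
    leading/trailing digits and punctuation removed, leet characters reverted."""
    base = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)
    stripped = re.sub(r"^[\d\W_]+", "", stripped)
    forms = {base, base.translate(LEET_MAP), stripped, stripped.translate(LEET_MAP)}
    return {f for f in forms if f}


def check_password(password, words, min_length=10, min_classes=3):
    """Return a list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < min_classes:
        problems.append(f"uses only {sum(classes)} of 4 character classes")
    hits = candidate_forms(password) & words
    if hits:
        problems.append("based on dictionary word: " + ", ".join(sorted(hits)))
    return problems


if __name__ == "__main__":
    words = load_wordlist(WORDLIST_TEXT)
    for pw in ("password", "P@ssw0rd123!", "Dragon2009", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, words) or "ok")
```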
In the following lab, you will use a program called John the Ripper to stage a dictionary
attack. Suppose you work for a large company's IT department, and you are assigned to
test security on the users' computers in one of your networks. You could use a
dictionary-attack program such as this to attempt to crack passwords for the network
computers. Staging an attack such as this may help you uncover or prove the
vulnerabilities in your network, which you can then work to secure. Remember that if
you can hack into your network, so can an illicit user with malicious intentions.

Lab 4-1: Using John the Ripper in Windows Server 2003
In this lab, you will use the Windows version of the John the Ripper application to view
the passwords found in the /etc/shadow file of a Linux system. The /etc/shadow file
contains all passwords for a Linux system.
Note: Never, under any circumstances, use this or any other application to attack a system
outside of the classroom, or on any system that you do not own and administer.
1. Log on to your Windows Server 2003 system as administrator, and obtain the
john171w.zip archive from your student CD-ROM or your instructor.
Note: If these resources are not available, get the archive from
www.openwall.com/john/ or from http://packetstorm.linuxsecurity.com.
2. Unzip the archive to your Windows Desktop.
3. Obtain the files john_wordfile.txt, passwd and shadow from your instructor, and
place them in the /john171w/john1701/run directory.
Note: The john_wordfile.txt, passwd and shadow files can also be found on your
student CD-ROM in the Lab Files/Lesson 4 folder. The shadow and passwd files
represent sample /etc/shadow and /etc/passwd files, respectively. The instructor also
needs to create four user accounts, complete with passwords. Instructors, see the
instructor note for this page.
4. Open a command prompt, then change to the /desktop/john171w/john1701/run
directory.
5. The john_wordfile.txt, passwd and shadow files should now reside in your RUN
directory. John the Ripper first operates in brute-force mode, then in dictionary
mode. It has its own small dictionary file named password.lst, which contains simple
passwords. Run John the Ripper by issuing the following command:
john-386 shadow
6. John the Ripper will begin to guess passwords immediately, first in brute-force mode,
then using its built-in dictionary file. Press the SPACE BAR to check on the program's
progress. You will see that one password (joseph's password of "password") is guessed
quite quickly. However, the remaining passwords will not be found as quickly. In fact,
they will not be found in the amount of time you have for the class. After some time,
press the SPACE BAR again to get an idea of how long it will take this application to
determine a password by brute force. After a minute or two, your screen should
resemble Figure 4-1.

Figure 4-1: Using John the Ripper in brute-force mode
7. After you have waited for another minute or so, press CTRL+C to stop the program.
8. John the Ripper uses the file named john.pot to save cracked passwords. This file is
located in the RUN directory. Edit this file so that it is empty. Doing so will configure
John the Ripper to start over again, and will force it to report all found passwords at
the next command.
9. Now, run John the Ripper in dictionary mode only, specifying a word file of your own
choosing. John the Ripper eventually resorts to using its own built-in dictionary file
anyway. However, you have added a custom word file to the RUN directory for the
purposes of this course. Issue the following command:
john-386 --wordlist=john_wordfile.txt shadow
10. You will see that once the special dictionary file has been specified, the passwords
are cracked immediately. Write the passwords retrieved in the spaces provided.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Check with your instructor to see if you have obtained the correct passwords and
user names. You can also issue the following command to review previously cracked
passwords obtained from this file:
john-386 -show shadow
11. You are not finished yet. Remember that the /etc/shadow file contains only
passwords, user names and password-aging information. It would be nice to
reconstitute all information about these accounts. In other words, you want to map
the passwords to all relevant user information. To do so, use the unshadow
command. You must have a shadow file and a passwd file to do so. A sample passwd
file resides in your RUN directory, so issue the following command:
unshadow passwd shadow > combined.txt
12. You now have a file similar to an "unshadowed" /etc/passwd file, complete with all
logon information associated with the user names and passwords. Issue the following
command to view the passwords for the file:
type combined.txt
You will see a large amount of output. If you want, use WordPad or Notepad to view
the entire file.
In this lab, you used John the Ripper in both brute-force and dictionary modes to crack a
UNIX shadow file. You now understand how it is possible to crack the authentication
database of a Linux, Solaris or other UNIX-based system.

System Bugs and Back Doors
A bug is an unintentional flaw in a program that creates an inadvertent opening. Many
times, an operating system or program running on the server contains these coding
problems. Hackers often know about such problems and exploit them.
A back door is an undocumented opening in an operating system or program, generally
placed there deliberately by the software developer. Program designers sometimes
intentionally place a back door in an operating system or program so they can support
the product quickly. In this sense, most back doors are not created with malicious intent.
However, many system administrators are not aware of back doors in their operating
systems, whereas many hackers are. Therefore, what was intended as an aid to the
system quickly becomes a liability.
Buffer overflow
Currently, one of the more popular bug-based types of attacks centers on flaws
inadvertently written into program code. These flaws can lead to a condition called a
buffer overflow. Another, less popular name for a buffer overflow is buffer overrun.
Buffer overflows occur when two processes and/or threads communicate with each other
imperfectly. In order to handle requests from clients, most complex daemons and
services, such as Web and FTP servers, launch multiple processes and threads.
Information has to pass between these different processes for the daemon to work as
expected. Consider the example of Apache Server: When it receives a request, one of the
Apache processes receives the initial client request, then passes this request to other
processes, which then determine which part of the hard drive will be accessed, how the
CGI will be called and so forth. When a piece of information, such as a GET request from
a client's Web browser, is handed between one process and another, the receiving process
generates a piece of memory called a buffer.
Good coding practice stipulates two things in relation to buffers: First, the receiving
buffer should always have enough room to accommodate the information being placed
into it. Competent programmers work hard to create routines that verify and size the data
before it is placed into a buffer. Secondly, the type of information should be checked
before being passed between one process and another and placed into the receiving
buffer. This data must be verified, because sometimes it can be of such a nature as to
crash the application or cause it to behave unexpectedly. Sometimes, however, the
validation routines used by programmers cannot anticipate the type of data that is
actually placed into a buffer. At other times, conditions not anticipated by the
programmer occur, and too much information can be placed into a buffer, even though
the information is checked.
OBJECTIVE 1.4.8: Attack incident recognition
OBJECTIVE 1.4.3: Security attack types
Whenever improperly sized or badly formatted information is placed into a buffer, a buffer
overflow occurs. Buffer overflows can be perfectly harmless, or they can lead to
conditions that cause complete compromise of a daemon (e.g., a Web server). In some
cases, when a flood of data or a piece of improperly formatted data overflows the
program's storage buffer in memory, it actually overwrites the buffers of other daemons
operating on the system. In such catastrophic cases, the result can cause a shell (i.e., a
space of memory) to be left behind. Hackers then focus on this shell, because often it will
accept any command the hacker wants to issue. In IP-enabled systems, this shell can be
linked to a certain port, thereby opening a back door into the system that hackers can
exploit remotely.
Many hackers then create applications that exploit these conditions. These applications
enable hackers to execute code arbitrarily on the system. Such codes can include
commands that:
Cause password databases to be sent to a user via e-mail, or copied to a world-
readable place on the hard drive (e.g., the FTP root directory).
Start (or stop) certain services or daemons.
Open additional ports that then request malicious applications to be uploaded and
installed on the system.
Write any information (such as HTML and GIF files as directed by the hacker) to
places on the hard drive, such as the system's Web document root directory (e.g.,
C:\inetpub\wwwroot\ or /var/www/html).
Although the skill level required to craft these attacks is advanced, the programs to
execute them (after they have been designed) are often freely distributed across many
Internet-based hacking sites. This simplicity and availability pose a significant threat to
security professionals, because they allow a relatively inexperienced user to "own" (i.e.,
compromise) an Internet server by simply clicking a mouse button or entering a few
simple commands.
Malware (Malicious Software)
Malware, or malicious software, refers to programs or files whose specific intent is to
harm computer systems. Malware is an electronic form of vandalism that can have global
implications. IT professionals must be aware of malware to be able to detect and remove
malicious code before it causes harm to systems and networks.
Malware includes the following, each of which will be discussed in this section:
Computer viruses
Worms
Trojans and root kits
Illicit servers
Logic bombs
OBJECTIVE 1.4.3: Security attack types
malware: Abbreviation for malicious software. Malware is software designed to harm computer systems.
Viruses
Viruses are malicious applications that spread from system to system with the aid of
user intervention. A virus has two parts:
The application that activates and spreads the virus
The payload, which is the damage the virus does to the operating system or file
Not all viruses have payloads, however. Table 4-2 provides a list of the most common
types of viruses.
Table 4-2: Computer virus types
Virus Type: Description
Boot sector/Master Boot Record (MBR) virus: Moves boot sector (the part of a floppy disk that enables it to be read and written to) data to another part of the disk and replaces it with its own code. Whenever the computer starts up, the boot sector virus executes. The MBR on most IBM-compatible systems is a similar place on the hard drive. After a virus writes itself to the MBR, it can then generate activity that is either annoying (e.g., your system will play sounds at certain times of the day) or destructive (e.g., it will erase your hard drive).
Bomb: Resides on the hard disk and is activated when a particular event occurs, such as a date change, a file change or a user or program action.
Cluster virus: Makes changes to a disk's file system. Any program run from an infected disk causes the virus to run, giving the impression that the virus infects all programs on the disk.
File-infecting virus: Infects program files on a disk. When the infected program is run, the virus also runs.
Macro/script virus: Infects a specific type of document file that can include macros (codes, commands, actions or keystrokes that produce a result), such as Microsoft Word or Excel files. When a document containing a macro is opened, the virus runs.
Companion: A virus that appears to have the same name as a legitimate application, but in fact has a different name. Many people do not configure MIME on their systems to reveal common applications, and thus they can fall victim to an attack in which a hacker tricks them into double-clicking a file that looks legitimate, but is not. For example, if you do not have your system's MIME settings reveal .exe and .com endings, notepad.exe may appear similar to notepad.com, especially to an uneducated user. If notepad.com contains malicious code, then the system could be compromised.
Terminate and Stay Resident (TSR): TSR viruses execute immediately, and appear to no longer be running. However, they remain resident in memory, where they can spread to other systems, cause damage to files, and open network ports.
Stealth virus: Resides in the computer's memory and conceals changes it makes to files, hiding the damage from the user and the operating system.
Polymorphic: Contains programming code enabling it to execute differently each time it is run. Because it appears as a different process each time, this virus avoids being detected by virus-scanning software.
Retro: Specifically attacks anti-virus software. Often included with other virus types. The virus code contains a retro virus portion that disables the virus-detection software, allowing another portion of the virus code to attack the operating system, applications or stored files.
virus: A malicious program that replicates itself on computer systems, usually through executable software, and causes irreparable system damage.
Files most likely to contain viruses in Windows-based systems include those with names
ending in the following file name extensions:
.exe: any executable file.
.vbs: a file containing VBScript code.
.xls: a Microsoft Excel spreadsheet file.
.doc: a Microsoft Word document file.
.dll: a Dynamic Link Library (DLL) file. Applications often need DLL files to run;
you could easily be tricked into downloading one that contains a virus or trojan.
.bat: used to contain scripts and commands that could harm your system.
.com: similar to .bat.
.jpg, .gif and .png: for images, but can be used to create companion viruses, for
example.
.zip: used to contain archives. Many hackers will archive executable files to bypass
e-mail filtering applications. Unwise users will then open the zip file and execute the
program within.
Additional file types that should concern you include .html, .scr (for screen savers) and
.mdb (Microsoft Access). Many e-mail servers will automatically strip attachments with
these file name extensions to avoid virus outbreaks. However, doing so can seriously
interrupt your business operations, so it is important to strip attachments only after
consulting with management.
Virus behavior
Some viruses will replicate or activate simply when an application or hard drive is
activated, or when an icon is double-clicked. A virus can also act as a "time bomb,"
activating only after a certain number of days have elapsed. Some time-bomb viruses
activate only on certain days of the year. Other viruses act as logic bombs, which means
they will activate only under certain conditions. For example, a virus may replicate itself
or deliver its payload only if a certain application is running on a certain day.
Worms
A worm is an application that spreads from system to system automatically. Worms are
mostly designed to exploit systems that have weaknesses, and can target one or more
protocols. For example, a worm can be written to target a buffer overflow in Microsoft IIS
6.0 Web servers and thus spread itself accordingly. Worms can leave behind payloads,
just like viruses. In many cases, the worm does not leave a payload at all, but still
spreads itself so quickly through the Internet that many systems crash. In a sense, a
fast-spreading worm can be its own payload because its mere presence can create a
serious denial-of-service attack. Following are some notable examples of worms.
The Robert Morris Internet Worm, released in 1988, crashed over a third of the
known Internet at the time.
Happy99, released around New Year's 1999, caused minimal damage, but was
found on many Windows 9x systems.
worm: A self-replicating program or algorithm that consumes system resources.
Trojans and root kits
In general networking terms, a trojan is an application or file that appears to do one
thing, but in fact does another. Specifically, a trojan can be a daemon that operates in a
perfectly legitimate and expected way, but also has a secret operation that subverts your
system's security. "Trojan" is borrowed from the mythical story of the ancient Greeks'
storming the city of Troy by hiding soldiers inside a wooden horse.
Trojans often include files that open ports bound to a root shell or to a command prompt
with administrative privileges. They also can hide their own presence by altering existing
files meant to detect running processes. After it has been installed, a trojan can relate
sensitive information back to a hacker and upload programs that further defeat your
system's security measures.
Root kits
A root kit is a collection of trojans designed to compromise the system. Traditionally, root
kits were threats only to UNIX systems, but versions for Windows 2000, Windows XP and
Windows Server 2003 have appeared. A root kit usually consists of a series of programs
that replace legitimate programs with trojans. Root kits often replace or modify the
following system elements:
/bin/login: Many root kits focus on using this file as the trojan used to open ports
that allow hackers to take control of your system. These ports are usually tied to a
root shell, which is a terminal from which the hacker can issue commands at will.
/bin/ps: This command is responsible for discovering what processes exist on the
system. Altered forms of ps are usually written to exclude specific process names
associated with trojans that have opened ports bound to a root shell. Some Linux
root kits replace the netstat application with a trojan that reports false data
concerning open ports. Thus, when a systems administrator runs netstat, the open
ports will not be listed.
/bin/ls: The list files command. Some root kits use this command to launch a
daemon that opens a port on the system. Hackers can then connect to the opened
port.
/bin/su: Simple trojans can capture the password that a systems administrator
enters to become root and place the password in a world-readable directory, or
actually send the password to the hacker via e-mail.
Of course, any binary on a UNIX or Windows Server 2003 system can become a target.
Root kits can also do the following:
Create hidden directories: Many root kits create hidden directories, which can
hide additional exploit applications.
Install Loadable Kernel Modules (LKM): Many Linux systems use LKMs to extend
the function of the kernel. Many root kits designed for Linux systems install a module
that modifies how the system operates. Modified systems can then be compromised
by a simple Telnet login.
Launch hidden processes: Most of the time, these processes open a port that
allows a hacker to enter the system. This opening is not logged.
OBJECTIVE 1.4.9: Illicit servers vs. trojans
trojan: A program disguised as a directory, archive or game that, when downloaded to a system, has an alternative, damaging effect. Illicit servers, such as NetBus, are often made into trojans that end-users unwittingly install on their systems.
Following are two examples of root kits that have been popular in the past.
Adore: This root kit installs many of the applications listed above, including an
LKM. Variations of Adore patch the kernel, which necessitates a reboot for the patch
to become functional. After the system is rebooted, the root kit is fully installed,
complete with many of the modified applications listed above. Many variations of
Adore exist.
T0rn: A root kit that uses trojanized versions of SSH to encrypt transmissions
going in and out of a compromised server. It even allows the hacker to require
authentication for the root shell. The root kit is pre-compiled for most popular Linux
installations, which means that it can be quickly installed.
A new root kit will frequently replace different files. Although newer root kits will be
developed, they will still behave largely as outlined above.
How root kits are installed on the system
If you have not physically secured your system, hackers can simply uncompress the root
kit package, install it and (if necessary) reboot. However, root kits are most often installed
remotely. A malicious user can discover a remote exploit, penetrate the system, then
install a root kit.
Worms can also be used to install root kits. For example, many root kits were installed in
late 2000 and early 2001 when a common version of the Washington University FTP
daemon (wu-FTPD, available at www.rpmfind.net) was found to have a buffer overflow
that left a root shell behind. A worm was developed that first gained control of the
system, then used crond to install the root kit. The root kit required a system restart to
activate all its elements. Thus, many systems administrators saw that their systems had
been rebooted for no apparent reason when, in fact, they had become the victims of an
attack.
Repairing infected systems
Detecting root kits is extremely difficult. Following are some tactics to repair your system
if it has been infected by a root kit.
Completely erase and reinstall the operating system. When reinstalling the
operating system, make sure you do not reinstall from backups, as they can be
infected with the trojan.
Replace the affected binaries. This step is somewhat risky, because a root kit can
exploit different files from what you might expect.
As you might suspect, you should adopt a strategy that helps you avoid a root kit
installation in the first place. The following steps can greatly decrease the likelihood of a
successful root kit attack:
Reconfigure your Linux kernel as a "monolithic kernel." A monolithic kernel does
not allow modules to be installed, thus eliminating LKM-based root kits. Such a
kernel can, however, access all the necessary elements (the NIC, system applications
and so forth) to allow your server to fulfill its role in your business.
Install an application such as Tripwire or the Windows File Protection utility
(WFP). You will have to install Tripwire for UNIX yourself, but the WFP utility is
activated by default. It will inform you of any changes to files such as .sys, .dll, .ocx,
.ttf, .fon and .exe. WFP will discover and reverse any illicit changes made by any
applications other than authorized Windows Server 2003 Service Packs, hot fixes,
Windows Update or operating system upgrades. You can configure Tripwire to be
extremely sensitive to file changes on your system. It can then send you reports
about the state of your system via e-mail.
Use anti-virus applications. Enterprise-grade anti-virus applications such as
Sophos (www.sophos.com) and AntiVir (www.avira.com) can help proactively detect
root kits and other viruses.
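A minimal Tripwire-style integrity check, added here as an illustration and not Tripwire's own code: it records a SHA-256 digest, size and permission bits for every regular file under a directory, then reports files that were added, removed or changed, and which attribute changed. The demo() tree, the replaced ps binary (same size, different content) and the hidden directory are constructed to mirror the root-kit behaviour described above.

```python
"""Baseline-and-compare file integrity check in the spirit of Tripwire.

Added example; the directory tree in demo() is constructed in a temporary
directory so the script runs stand-alone.
"""
import hashlib
import os
import stat
import tempfile

ATTR_NAMES = ("content", "size", "mode")


def file_digest(path, chunk=65536):
    """SHA-256 hex digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root, '/'-separated)
    to (sha256, size, permission bits)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (file_digest(full), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline


def compare(baseline, current):
    """Report added and removed paths, and modified paths with the attributes
    that differ (a same-size replacement still shows up via its digest)."""
    old, new = set(baseline), set(current)
    modified = []
    for path in sorted(old & new):
        changed = [n for n, a, b in zip(ATTR_NAMES, baseline[path], current[path]) if a != b]
        if changed:
            modified.append((path, changed))
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": modified,
    }


def demo():
    """Build a constructed tree, baseline it, simulate root-kit style tampering
    and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name, body in (("ps", b"original ps binary\n"), ("ls", b"original ls binary\n")):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Simulated tampering (constructed): ps swapped for a file of identical
        # length, ls given execute bits it did not have, and a hidden directory
        # holding an extra file.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"trojaned ps binary\n")
        os.chmod(os.path.join(bindir, "ls"), 0o755)
        hidden = os.path.join(bindir, ".hidden")
        os.mkdir(hidden)
        with open(os.path.join(hidden, "backdoor"), "wb") as f:
            f.write(b"extra file\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
```

The baseline and the checker itself must be kept on media the suspect host cannot alter (read-only or off-box) and run from a trusted boot, because a root kit that replaces ls and ps can just as easily replace a checker that lives on the same disk.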
Illicit servers
An illicit server is an application that installs hidden services on systems. These services
can take the form of FTP and HTTP servers that use custom ports, as well as hidden
shares. Table 4-3 provides older, known examples of illicit servers.
Table 4-3: Illicit servers
Illicit Server: Description
NetBus: Uses a client named Netbus.exe and a server named patch.exe. Both applications can be renamed.
Back Orifice: Two versions of Back Orifice exist. The original version works on Windows 9x/Me systems. Its successor, Back Orifice 2000, is much more sophisticated and operates on all modern Windows systems (e.g., Windows Server 2003, 2000, XP and even 9x). Allows encrypted transfer of information using various protocols.
GirlFriend: For use on Windows 9x/Me systems.
SubSeven: For use on Windows 9x/Me systems.
Note that these applications are not trojans in and of themselves. They are illicit servers.
However, it is possible to "trojanize" these applications.
Logic bombs
A logic bomb is code that activates only when certain conditions occur. Also known as a
trapdoor attack, a logic bomb can be activated under various conditions, including:
A specified amount of elapsed time (hours, days or weeks).
An action by a user, such as a specific key combination or launch of a certain
application.
A specific time of day or night.
A logic bomb usually has a payload, just like a virus. Payloads can include the following
actions:
Reformatting a hard drive
Executing applications to attack additional systems
Adding or deleting user accounts, or changing passwords
Sending information gathered from the infected system to a remote host owned by
the hacker
Who creates logic bombs?
Disgruntled programmers and systems administrators often create logic bombs,
especially if they suspect that they are going to be terminated from a job. Others create
logic bombs to aid in scams.
illicit server: An application that installs hidden services on systems. Illicit servers consist of "client" code and "server" code that enable the attacker to monitor and control the operation of the computer infected with the server code.
OBJECTIVE 1.4.9: Illicit servers vs. trojans
For example, one systems administrator from a financial services Web site knew that he
would be terminated, and created an application that would disrupt all of the company's
Web servers two weeks in the future. Just before he was terminated, he had time to
deploy his logic bomb. The former employee then purchased the company's stock on a
short-sell for two weeks, knowing that the company's stock would suddenly fall at that
time.
Avoiding logic bombs
Following are some ways you can mitigate vulnerability and risk regarding logic bombs:
Regularly audit the activities of systems administrators.
Audit systems to identify any unnecessary applications or evidence of suspicious
activity.
When an employee is terminated, make sure that you understand his or her final
actions. If possible, lock him or her out of the network.
Include statements in your security policy about malicious activity (e.g., logic bombs)
perpetrated by systems administrators and company coders. Regularly remind all
potential attackers of your policy.
Hold an exit interview with the employee and clearly state policy concerning any
malicious post-hire activity.
Zero-day attacks
A zero-day attack is a computer threat that exposes computer application vulnerabilities
before a patch or update is available. Zero-day attacks are dangerous because they take
advantage of computer security holes for which no solution is currently available.
Hackers can create code to exploit the exposed vulnerability and deploy it before a fix is
ready.
Managing viruses, worms and illicit programs
Anti-virus applications provide the most effective way to manage viruses, worms and
other illicit programs. Anti-virus applications work as follows:
• The anti-virus application uses a signature database, which is a collection of viruses, worms and dangerous programs.
• The application scans the system for viruses and dangerous programs. The scan can include hard drives, floppy drives and system memory.
• The application notifies you of an infection.
• The application may be able to remove the virus.
Removing viruses
It is important to understand that anti-virus applications do not necessarily remove all
infections they detect. Virus removal may require that you take additional actions, including
manually editing the registry, removing files or even shutting down the system. In many
cases, the virus or worm will have affected important system files that cannot be repaired
while the system is still running. You must create a specialized boot disk for the system.
You then reboot the system using this boot disk, which has additional anti-virus
applications installed. You can then use these applications to rid the system of the virus.
Repairing damage
Even if an anti-virus application can remove a virus or worm, it may not be able to repair
files damaged during the incident. The anti-virus application may also not be able to
remove files deposited by the virus. As you consider ways to recover from a virus
infection, remember that anti-virus applications cannot work miracles.
Updating the signature database
For anti-virus programs to work, it is essential to keep them current. Update the
signature database often. In many cases, daily updates are advisable. During times
when a worm or virus has stormed the Internet, even hourly updates might better protect
your system.
Avoiding viruses, worms and trojans
As you might suspect, you should adopt a strategy that helps you avoid malicious code
installation in the first place. Following are ways you can mitigate vulnerability and risk
in relation to viruses, worms and trojans.
• Virus protection: Many virus protection applications (e.g., Symantec AntiVirus or Sophos Anti-Virus) can also detect well-known trojans. All modern anti-virus applications are configured to identify viruses that they know. All virus applications look for a particular profile, or signature, of a virus. Once an anti-virus application identifies a signature, it will inform the user about the virus and attempt to contain it. Enterprise-grade anti-virus applications, such as those provided by Symantec (www.symantec.com), Sophos Anti-Virus (www.sophos.com) and AntiVir (www.avira.com), can help proactively detect root kits and other viruses.
• Application management and testing: Any application loaded onto an operating system should be thoroughly tested to check for evidence of tampering. The testing process should look for undocumented behavior. Pay particular attention to ports, as well as temporary files, that might be opened. Also, installation binaries should be stored in a safe location to help ensure that they cannot become trojanized.
• Configuration management: Make sure that applications are not indiscriminately loaded onto systems. Also, use file and directory checksum applications, such as Tripwire, to help discover any changes on the hard drive (e.g., new or deleted files and directories).
• Use trusted media: When installing operating systems, services and applications, take care to install only from media that you know is secure. Verify checksums before installation.
• Install file-signature-checking software: Applications such as Tripwire can help you determine if (and when) a file has been altered by a virus or trojan.
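As an added example of the Tripwire-style checksum approach described above (not code from this guide or from Tripwire), the following Python script builds a SHA-256 baseline of a directory tree and reports files that were added, deleted or modified; the temporary tree and the "trojanized" changes in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk a tree and record {relative POSIX path: sha256} for every regular file."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            full = Path(dirpath) / name
            if full.is_file():
                baseline[full.relative_to(root_path).as_posix()] = hash_file(full)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Report what changed between two baselines: new files, missing files, altered content."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "deleted": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a trojanized binary,
    a dropped DLL and a deleted config file, and return the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"original program")
        (root / "config.ini").write_text("setting=1\n")
        before = build_baseline(tmp)   # the trusted baseline, normally kept on read-only media

        (root / "bin" / "app.exe").write_bytes(b"original program + injected code")
        (root / "bin" / "dropper.dll").write_bytes(b"dropped by malware")
        (root / "config.ini").unlink()
        after = build_baseline(tmp)    # a later audit run
        return compare_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```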
In the following lab, you will conduct a virus scan to help thwart potential attacks.
Suppose you work on your company's IT team, and you have been directed to perform
quick security checks on the user systems in each department. A basic service you can
perform on each computer is a virus scan, which provides a quick but efficient way to
check systems for any potential problems or attacks.
signature database: In an anti-virus scanner, a collection of viruses, worms and illicit applications that are listed as security threats.

Lab 4-2: Conducting a virus scan in Windows to help thwart attacks
In this lab, you will conduct a virus scan using the Trend Micro HouseCall Web site.
1. All Students: Disable all anti-virus and personal firewall applications on your
system.
2. Obtain the spastic.exe program from your instructor or from the Packet Storm Web
site (http://packetstorm.linuxsecurity.com), and place it on your Desktop.
3. Open your Web browser and go to the Trend Micro HouseCall Web site at
http://housecall.trendmicro.com.
4. At the Trend Micro HouseCall Web site, click the Click Here For Free Scan
hyperlink, then click the Get HouseCall Free Scan hyperlink. After a few moments,
the HouseCall page will appear. Accept the terms of use, then click the Launch
HouseCall button. The HouseCall software will be downloaded to your system.
Note: Your Web browser may display a warning message at the top of the window
prompting you to run a Java applet or ActiveX control. Take the necessary steps to do so.
5. Scan only a portion of your C:\ drive to save time. Click Select under Scan
Individual Selected Folders Only For Malware.
6. Expand the Desktop icon. You will see a hierarchical representation of your hard
drive, as shown in Figure 4-2.

Figure 4-2: Selecting folder to be scanned

7. Select the check box next to the directory you want to scan, and then click Next.
8. When the scan is finished, review the results. Delete any malicious code, such as
spastic.exe, that is discovered. Close your Web browser.
In this lab, you conducted a virus scan.

Social Engineering Attacks
Social engineering is the use of tricks and disinformation to gain access to passwords
and other sensitive information. One of the strategies for researching a site is to learn as
much as possible about the individuals who belong to an organization. Hackers are
constantly trying to find more subtle ways to gain information from the organizations
they intend to penetrate.
For example, a group of high school students once wanted to gain access to a local
business's computer network. They created a form that asked for what seemed like
innocuous personal information, such as the names of the secretaries and executives and
their spouses, as well as the names of children, pets, and so forth. The students-turned-
hackers said that this simple survey form was part of a social studies project. Using this
form, the students were able to quickly penetrate the system because most of the people
on the network were using the names of pets and spouses for their passwords.
Another form of social engineering is a hacker's attempt to imitate a legitimate user by
confusing a computer system, or even a switchboard operator or guard. In several
instances, a hacker has called a company, posing as the systems manager. After
explaining that he had accidentally locked himself out of the computer, he convinced
someone in the company to change administrative access according to the hacker's
instructions. All the hacker then had to do was log on to the machine, and he had full
administrative access.
The social engineer somehow confuses the victim into divulging sensitive information,
often by getting the victim to forget that it was he or she who was first approached. After
this error on the victim's part occurs, a hacker can often obtain confidential information.
Typical targets of the social engineering strategy include anyone who has access to
information about systems they do not use, including secretaries, janitors, some
administrators and even security staff.
Asking for the password
Though not as clever or involved as the previously discussed strategies, simply calling
and asking for a password often works. To engage in social engineering, many hackers
have posed as legitimate employees who have lost their passwords. Often, gaining access
can be this simple.
Using fake e-mail
Using Telnet and a vulnerable server, a hacker can assume any identity and then send e-
mail messages to a user. Such messages are real in the sense that they have been sent
from a legitimate source to a legitimate user. In this way, the messages seem absolutely
authentic.
However, they are fraudulent in the sense that a hacker has generated them by tricking
an e-mail server into sending them. In short, such e-mail messages are the result of
tampering, and they demonstrate how a hacker capitalizes on the absence of an effective
OBJECTIVE 1.4.3: Security attack types
social engineering: The use of disinformation to gain access to a network by tricking legitimate employees into revealing information or changing system settings.
authentication process. SMTP servers are inherently non-secure, and few companies
spend the time or money to add an authentication process to their mail servers.
Therefore, hackers can easily assume any identity they want, and then send as many
messages as they like.
Hackers can use fake e-mail to engage in social engineering. To gain passwords and other
sensitive information, hackers send e-mail messages that appear to be coming from a
legitimate source. Because users often assume that any e-mail message must come from
a legitimate source, a hacker posing as a systems administrator or department manager
can gain access to a great deal of information relatively easily. Hackers can engage in any
number of malicious tricks.
In the following lab, you will conduct a fake e-mail session. Suppose you are investigating
a security breach at your company. Although you have suggested social engineering as
one possibility for a cracked password that led to the break-in, one of your company's
executives discards this theory as impossible. To demonstrate the real threat that social
engineering poses, you could send an e-mail message that appears to be a systems
administrator's legitimate request for a user name or password, just as a hacker might
do. Once the executive understands that this threat is real, you may receive more
support in your investigation, as well as resources for providing more security training to
employees.

Lab 4-3: Sending fake e-mail messages
In this lab, you will conduct a fake e-mail session.
Note: The instructor must configure the classroom e-mail server to allow relaying for this lab
to work.
1. In Windows Server 2003, select Start | Run, and enter telnet in the Run dialog box.
2. You have now started the Windows Server 2003 Telnet client. Before you begin an
SMTP session, enable local echo on the system, so you can see what you are typing
during the SMTP session you are about to begin. Enter the following on the Telnet
client command line:

set localecho
3. While you are still within the Telnet client, connect to the classroom SMTP server at
Port 25. Your instructor's system should be the one that has an SMTP server for the
classroom. If the classroom is configured with another SMTP server, use that server
instead. For example, if your instructor's system is actually the SMTP server, and it is
named instructor01, you would enter the following from within the Windows Server
2003 Telnet client:

open instructor01 25
4. After you have connected to your instructor's system, enter the following strings and
press ENTER after each (do not type <cr>, which is a convention used in this course to
indicate a hard return):

helo company.com <cr>
mail from: fake@anydomain.com <cr>
rcpt to: partner's e-mail address <cr>
data <cr>
Subject: This is fake! <cr>
<cr>
<cr>
enter message (1 or more lines) <cr>
<cr>
. <cr>
quit <cr>
Note: The period (.) on a separate line ends the message you have been generating. The
quit command ends the SMTP session.
Note: Some modern e-mail servers require that you use the word "ehlo" rather than
"helo." The reason for this requirement is that more current e-mail servers use certain
extensions to SMTP that allow more efficient handling of e-mail messages. Such servers
use the Extended Simple Mail Transfer Protocol (ESMTP).

5. Open an e-mail client and check for mail from your partner.
6. Study the following sample of a slightly more ambitious fake e-mail session,
accompanied by commentary. Note that the return address is not legitimate.

220 classroom.com ESMTP MailEnable Service, Version: 1.986-- ready at 08/12/08 13:00:00

helo mail.microsoft.com <cr> "Sender's" server

mail from: hacker@hack.com <cr> Fake e-mail address of the sender

rcpt to: student@classroom.com <cr> Real e-mail address of the recipient

data <cr> Begins the e-mail

From: James Stanger <cr> Creates the "From" line

Subject: Contract <cr> Subject line

<cr> Note the two hard returns here
<cr>
Body of Message <cr> Message body

. <cr> Type period; ENTER to end message

quit <cr> Close the connection
In this lab, you sent a fake e-mail message.
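The following Python simulation is an added example, not part of the lab or this guide: it models the server side of the envelope exchange shown above, applying the relay check a properly configured SMTP server makes at RCPT TO (the setting the lab note says the instructor must relax), and shows that the From: line in the message body is chosen by the client independently of the envelope sender. The domain names and reply texts are constructed.

```python
def extract_address(arg: str) -> str:
    """Pull the address out of 'from: fake@anydomain.com' or 'to:<user@host>'."""
    value = arg.split(":", 1)[1] if ":" in arg else arg
    return value.strip().strip("<>").lower()


def handle_session(commands, local_domains, client_on_local_network):
    """Simulate an SMTP server's envelope handling for a list of client lines.

    Returns the replies the server would send, the envelope sender (MAIL FROM)
    and the header From: line, which the client picks independently of each other."""
    replies = []
    state = "INIT"
    envelope_from = None
    header_from = None
    headers_done = False

    for raw in commands:
        line = raw.rstrip("\r\n")
        if state == "DATA":
            # Body lines get no reply; a lone period ends the message.
            if line == ".":
                replies.append("250 OK: message queued")
                state = "READY"
            elif not headers_done:
                if line == "":
                    headers_done = True          # blank line separates headers from body
                elif line.lower().startswith("from:"):
                    header_from = line.split(":", 1)[1].strip()
            continue

        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.classroom.example Hello")
            state = "READY"
        elif verb == "MAIL":
            if state != "READY":
                replies.append("503 Bad sequence of commands")
                continue
            envelope_from = extract_address(arg)   # no authentication: any value is accepted
            replies.append("250 OK")
            state = "MAIL"
        elif verb == "RCPT":
            if state not in ("MAIL", "RCPT"):
                replies.append("503 Bad sequence of commands")
                continue
            rcpt = extract_address(arg)
            domain = rcpt.rpartition("@")[2]
            # Relay control: accept mail for local domains from anyone, but forward to
            # other domains only for clients on the trusted network (no open relay).
            if domain not in local_domains and not client_on_local_network:
                replies.append("550 Relaying denied")
            else:
                replies.append("250 OK")
                state = "RCPT"
        elif verb == "DATA":
            if state != "RCPT":
                replies.append("503 Valid RCPT command must precede DATA")
            else:
                replies.append("354 Start mail input; end with <CRLF>.<CRLF>")
                headers_done = False
                state = "DATA"
        elif verb == "QUIT":
            replies.append("221 Bye")
        else:
            replies.append("500 Command not recognized")

    return {"replies": replies, "envelope_from": envelope_from, "header_from": header_from}


# Constructed transcript modelled on the step-6 session above, commentary column removed.
LAB_SESSION = [
    "helo mail.microsoft.com",
    "mail from: hacker@hack.com",
    "rcpt to: student@classroom.com",
    "data",
    "From: James Stanger",
    "Subject: Contract",
    "",
    "Body of Message",
    ".",
    "quit",
]

if __name__ == "__main__":
    result = handle_session(LAB_SESSION, {"classroom.com"}, client_on_local_network=False)
    print("envelope sender:", result["envelope_from"], "| header From:", result["header_from"])
    for reply in result["replies"]:
        print(reply)
```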

Phishing
Phishing is a form of social engineering that attempts to gather personal and financial
information from unsuspecting victims. Typically, phishers send users legitimate-looking
e-mail that appears to come from a well-known and trustworthy Web site. The e-mail
message prompts recipients to visit a fake Web site that looks identical to the legitimate
Web site. The users are then asked to update personal information, such as passwords,
and credit card, social security or bank account numbers, which the legitimate
organization already has. The phisher can then use the information entered into the fake
Web site for malicious purposes.
Examples of legitimate Web sites that phishers frequently spoof include eBay, PayPal,
Best Buy, America Online, MSN and Yahoo. Phishers use a number of different social
engineering and e-mail spoofing tricks to lure their victims into providing the information
they seek. In one fairly typical case, a phisher sent out messages purporting to be from
phishing: A social engineering scam in which the perpetrator sends e-mail messages to lure personal and financial information from unsuspecting victims.
America Online that indicated there had been a billing problem with recipients' AOL
accounts. The phisher's e-mail message included AOL logos and legitimate links.
However, when recipients clicked the "AOL Billing Center" link, they were routed to a fake
AOL Web page that asked for personal information, including credit card numbers,
personal identification numbers (PINs), social security numbers, banking numbers and
passwords. The phisher then used this information for identity theft.
Pharming
Pharming is the act of installing malicious code on personal computers or servers that
redirects Internet traffic from a legitimate Web site to an identical-looking bogus Web site.
Pharmers can then prompt users for their user names and passwords in an attempt to
acquire their personal information in order to access their bank accounts, and commit
identity theft or other kinds of fraud in the users' names. Because of the type of
information that pharmers acquire, banking and similar financial sites are often the
targets of pharming attacks.
Unlike phishers, who approach their targets one by one, pharmers can victimize a large
number of computer users simultaneously because no conscious action is required on
the part of the users. In one form of pharming attack, the pharmer sends malicious code
in an e-mail that modifies local host files on a personal computer. Because host files
convert URLs into the IP addresses that the computer uses to access Web sites, infected
host files will access Web sites the user did not intend to access. Therefore, even if a user
types in the correct URL or clicks an affected bookmark entry, the modified host file will
navigate to a fake Web site.
In January 2008, Symantec reported a pharming attack directed against a Mexican bank.
A bank customer received an e-mail that appeared to be from a legitimate Spanish-
language greeting card company. The e-mail contained malicious code that altered the
DNS settings on the customer's home router and misdirected the customer to a bogus
Web site.
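As an added example (not from this guide) of a desktop check for the hosts-file pharming just described, the following Python code parses hosts-file text and flags any entry that pins a watched domain (for example, a bank's) to an address, listing other static overrides for review; the sample hosts file and all domain names in it are constructed.

```python
import ipaddress

# Names that legitimately appear in a stock hosts file and are not overrides.
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file: stock lines, an internal name, an ad blackhole
# and a planted override of a bank's names (the pharming case).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
255.255.255.255 broadcasthost
10.0.0.5        intranet.corp.example        # legitimate internal name
0.0.0.0         ads.example                  # ad-blocking blackhole, harmless
203.0.113.45    www.mybank.example online.mybank.example   # planted by malware
198.51.100.7    login.othersite.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def find_suspicious_entries(text, watched_domains):
    """Return (hostname, ip, reason) for every hosts entry that deserves attention.

    Entries for watched domains are the pharming signature; any other static pin
    to a non-local address is reported so an administrator can confirm it."""
    watched = {d.lower() for d in watched_domains}
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if name in STOCK_NAMES or addr.is_loopback or addr.is_unspecified:
            continue   # loopback and 0.0.0.0 entries resolve locally, not to an attacker
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((name, ip, "watched domain overridden"))
        else:
            findings.append((name, ip, "static pin, review"))
    return findings


if __name__ == "__main__":
    for hostname, ip, reason in find_suspicious_entries(SAMPLE_HOSTS, {"mybank.example"}):
        print(f"{reason:26} {hostname} -> {ip}")
```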
Securing desktops
End users commonly fall prey to the following attacks:
• Sniffing: When a browser is used to access password-protected sites, it is possible for a hacker to obtain information from unencrypted transactions between the browser and site.
• Buffer overflows: A user's Web browser can be caused to crash, and in some cases, expose the network host to an exploit.
• Cross-frame browsing: A bug in a Web browser can allow a malicious Web site to use the Web client to read files on the hard drive. For example, the hacker could read browser cookies, which can contain user names, passwords and sensitive system files, as well as download and execute hostile code on the victim's computer.
• Frame spoofing: This attack exploits the use of standard frames in Web browsers. Browser frames allow the main window in a browser to be split into two or more sub-frames. In frame spoofing, a malicious Web site administrator can substitute content from another DNS domain without alerting the reader. As a result, the end user may think that he or she is giving credit card information to a legitimate site, when it is actually being uploaded to a hacker's server.
pharming: An Internet scam in which users are misdirected to fraudulent Web sites without their knowledge or consent.
Following are ways to secure desktops from such attacks:
• Updates: Known problems are easily addressed by updating the browser to its latest, stable version.
• Encryption: Encrypting information helps ensure that it cannot be sniffed. Common methods of encryption for Web clients are SSL/TLS.
• End-user education: Once you inform end users to be careful about what they download and use, your network will be more secure.
Denial-of-Service (DOS) Attacks
In a denial-of-service (DOS) attack, a hacker prevents a legitimate user from accessing a
service. An example of a denied service could be network connectivity, or any other
service that a system can provide. A DOS attack could be one in which a hacker attempts
to overload a system or program such as an FTP server by logging on as many times as
possible.
Alternatively, a hacker can also upload so much information to the FTP server that its
hard drive fills to capacity. Both of these activities can crash a system that has not
specifically prepared itself. In some cases involving UNIX, the FTP server can crash and
then give a hacker access to the drive that houses the server. Hardware, operating
systems and programs are susceptible to overload, allowing one of these overloaded
elements to permit illegitimate access to the entire system.
DOS can also involve causing legitimate system features and tools to backfire. For
example, many operating systems provide for account lockout. If account lockout is
enabled, a malicious user can purposely and repeatedly disable logon capability for user
accounts. As a result, users will be unable to access any network services.
The three main purposes behind a denial-of-service attack are:
• To crash a server and make it unusable to everyone else.
• To assume the identity of whatever system the hacker is crashing. Hacker strategies, such as spoofing and man-in-the-middle attacks, must deactivate the true host that they are spoofing. The denial-of-service attack does not enable a hacker to assume an individual's identity, but does ensure that the legitimate individual cannot reply.
• To install a trojan or an entire root kit.
Flooding
One strategy for DOS attacks is to use overwhelming amounts of packets. These packets
are designed to overburden a specific host (e.g., a SYN flood) or to occupy a network's
bandwidth so that it can no longer communicate with additional networks. Table 4-4
describes common flooding techniques.
OBJECTIVE 1.4.7: Denial-of-service (DOS) attacks
OBJECTIVE 1.4.3: Security attack types
denial-of-service (DOS) attack: A type of attack waged by a single system aimed at crashing the target system.
Table 4-4: Common flooding techniques
Flooding Technique    Description
SYN flood: Takes advantage of the otherwise normal activity of establishing a TCP handshake. Instead of establishing a complete handshake, the hacker drops the connection after the initial SYN bit is sent. While the target is engaged in creating a port to respond to the active open, the hacker then makes another connection and leaves it, only to make another and another, until the target server has opened thousands of half-open connections. Can cause a system to become sluggish, or even crash. One of the most commonly perpetrated attacks against hosts on the Internet.
Ping flood: Uses massive amounts of ICMP packets. Usually, these are Type 8 (echo request) and Type 0 (echo reply) packets.
UDP flood: Uses massive amounts of UDP packets to bog down network hosts and connections.
Malformed packets
The second strategy in DOS attacks is to send malformed packets to a host, hoping that
the target host will crash in the attempt to reassemble them. Following are several classic
examples of malformed packets.
Teardrop/Teardrop2
The Teardrop series of attacks takes advantage of code that does not properly reassemble
overlapping UDP packets. It is generally associated with the Identification Protocol, which
ties a TCP connection to a particular user identity. Sendmail, for example, uses the ident
service to authenticate users attempting to access the service. You can learn more about
the Identification Protocol in RFC 1413.
Unpatched Linux and Windows systems (2003/2000/NT/XP/Me/9x) are particularly
prone to these attacks, making this a well-known form of attack. Teardrop is a denial-of-
service attack resulting in the "blue screen of death," showing the STOP 0x0000000A
error. Although most systems are now patched against this attack, Teardrop can still be
used to consume processor time and host bandwidth.
The key difference between the Teardrop and Teardrop2 attacks is that the latter uses 20
bytes for data padding and also spoofs the UDP packet length, allowing the newer attack
to bypass certain service packs and hotfixes.

The Teardrop attack is often called the Boink attack. Teardrop2 is called the
Bonk attack.

Ping of Death
The Ping-of-Death attack crashes a system by sending an ICMP packet that is larger than
65,536 bytes. Generally, it is impossible to send an IP datagram of 65,536 bytes.
However, a packet can be divided into pieces, then reassembled at the victim's address.
This process causes a buffer overflow in the victim's system. The Ping of Death is an older
attack and only affects systems that have not been properly updated.
Land attack
The Land attack occurs when a hacker sends a spoofed IP packet to a target computer
that has the same source and destination port and IP address as the host being attacked.
For example, if the system being attacked has the IP address of 10.100.100.37/24, then
both the source and destination address would be 10.100.100.37/24.
Land attack is a DOS attack resulting in a system crash (in older, unpatched UNIX
systems) or slowdown. Older, unpatched UNIX systems cannot handle packets formatted
in this way and completely crash, requiring a system restart. A Land attack is similar to a
SYN flood, because the packets have the SYN flag set as active. However, in a SYN flood,
source IP addresses are usually randomized.
Miscellaneous attacks
Applications are available to create any type of malformed IP, TCP, UDP or GRE packet.
Such applications include the following:
• hping
• ipmagic
Using these applications, as well as those created for specific exploits, it is possible to
generate packets that can have unforeseen consequences on various types of equipment.
Physical denial-of-service attacks
A DOS attack does not have to involve the use of software. If a malicious user is able to
access physical equipment, he or she can cause a denial-of-service attack. Examples of
physical attacks include:
• Unplugging a network cable found in a wiring closet or behind a wall panel.
• Removing or damaging a system (e.g., disconnecting a Web server or router, or throwing the machine to the ground so that it no longer works properly).
• Attacking a building's outside wiring so that the building is no longer connected to any external networks.
To avoid physical attacks, make sure that all sensitive resources are placed behind
locked doors, or are otherwise not easily accessible. For example, conduct an audit of
your building campus's cabling to discover if any network and telecommunications lines
can be easily exposed.
Distributed Denial-of-Service (DDOS) Attacks
A distributed denial-of-service (DDOS) attack involves several remote systems that
cooperate to wage a coordinated attack that generates an overwhelming amount of
network traffic. Such attacks can often focus enormous amounts of traffic on one host,
causing it to crash under the burden. In other cases, a DDOS attack focuses on the
"network pipe" (e.g., the T1 or E3 line) and fills it full of fraudulent traffic. Such attacks
are often called bandwidth consumption attacks. Your systems may be able to operate,
but no one will be able to access their services.
A DDOS attack involves the following components:
• A controlling application: often called a master, it is used by the attacker to contact hidden servers. The master does not have to reside on the attacker's computer. The attacker can install the controlling software on several remote systems.
• An illicit service: a hidden server that is installed on several remote systems. Most of the time, these servers are installed on the hosts of unwitting server administrators. To help avoid detection, the illicit service never resides on the master's system. Sometimes called a daemon.
OBJECTIVE 1.4.7: Denial-of-service (DOS) attacks
OBJECTIVE 1.4.3: Security attack types
distributed denial-of-service (DDOS) attack: A type of attack waged by multiple systems aimed at crashing the target system.
• A zombie: a server that has been compromised and is infected with the DDOS illicit service. In some instances, thousands of zombies (i.e., network hosts) can be controlled by just one master.
• A target: receives packets from the zombie. The master never sends packets directly to the victim. In many cases, the entire victim network becomes incapable of providing any services.
Common DDOS software includes the following:
• Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K): the original DDOS application, and a follow-up created in the year 2000.
• Stacheldraht: a variant of TFN, created in Germany.
• Smurf/Fraggle: uses ICMP or UDP.
• Gateway: capable of sending SYN floods, exploiting various daemons for buffer overflows, and even conducting port scans.
Newer applications are continually being developed and distributed.
Smurf and Fraggle attacks
The Smurf attack is another DDOS attack that involves manipulating ICMP. Routers can
be (mistakenly) configured to respond to a specific kind of ICMP address called a directed
broadcast address. This address allows a router to generate ICMP packets for up to 255
IP addresses. Using directed broadcasts can help troubleshoot a network, because they
help determine how well the router is able to connect a particular subnet. However,
directed broadcast settings should never be left active on a production router.
As you might suspect, a Smurf attack takes advantage of routers that are configured to
use directed broadcasts. As shown in Figure 4-3, a hacker first creates a packet that
appears to originate from what will become the victim host, then directs this cooked
packet to one or more broadcasting routers. These routers are called intermediate hosts,
or Smurf amplifiers. Once the hacker sends this packet to the intermediate hosts, these
hosts will quite naturally respond with their own ICMP broadcast packets, thus becoming
unwitting conspirators in the Smurf attack.

Figure 4-3: Smurf attack
Because the echo request packet is spoofed with the victim host's address, the victim will
receive all of the packets. If a hacker sends enough ICMP packets, and the routers are
configured for broadcasting, the replies will overwhelm the victim's computer. However,
even the intermediate hosts (the Smurf amplifiers) can be victims too, because they are
now busy sending large amounts of broadcast traffic.

As you might deduce from this description, a Smurf attack is a form of IP
spoofing, resulting in a denial-of-service attack.

Fraggle attacks
A Fraggle attack is similar to a Smurf attack, except it uses UDP rather than ICMP.
Although the typical port is Port 7 (the echo port), most programs that wage Fraggle
attacks allow you to specify any port you want.
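The following Python classifier is an added detection example, not code from this guide: it applies the descriptions in the malformed-packet section above (Land, Ping of Death) and the Smurf and Fraggle amplification pattern just described to decoded packets, so an analyst can count how often each shape appears in a capture. The packet dicts, field names and subnet list are constructed stand-ins for what a capture decoder would provide.

```python
import ipaddress

MAX_IP_DATAGRAM = 65535   # the IP total-length field cannot exceed this; reassembling past it overflows

# Constructed: subnets whose directed-broadcast address a misconfigured router would expand.
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("10.100.100.0/24")]


def is_directed_broadcast(addr, subnets):
    """True when addr is the broadcast address of one of the known subnets."""
    return any(addr == net.broadcast_address for net in subnets)


def classify_packet(pkt, subnets=LOCAL_SUBNETS):
    """Return the names of the malformed/abusive patterns a decoded packet matches.

    pkt fields: src, dst, proto ('tcp'/'udp'/'icmp'); optional sport, dport, flags,
    icmp_type, frag_offset (in 8-byte units) and payload_len (bytes in this fragment)."""
    findings = []
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    proto = pkt["proto"]

    # Land: source and destination address and port are all the target itself, with SYN set.
    if (proto == "tcp" and src == dst and pkt.get("sport") == pkt.get("dport")
            and "S" in pkt.get("flags", "")):
        findings.append("land")

    # Ping of Death: a fragment whose offset plus length reassembles past the IP maximum.
    if proto == "icmp":
        end_of_fragment = pkt.get("frag_offset", 0) * 8 + pkt["payload_len"]
        if end_of_fragment > MAX_IP_DATAGRAM:
            findings.append("ping_of_death")

    # Smurf: echo request (type 8) to a directed-broadcast address; src is the real victim.
    if proto == "icmp" and pkt.get("icmp_type") == 8 and is_directed_broadcast(dst, subnets):
        findings.append("smurf_amplification")

    # Fraggle: the UDP counterpart, typically aimed at the echo port (7).
    if proto == "udp" and pkt.get("dport") == 7 and is_directed_broadcast(dst, subnets):
        findings.append("fraggle_amplification")

    return findings


def summarize(packets, subnets=LOCAL_SUBNETS):
    """Count findings across a capture so a flood of one kind stands out."""
    counts = {}
    for pkt in packets:
        for finding in classify_packet(pkt, subnets):
            counts[finding] = counts.get(finding, 0) + 1
    return counts


# Constructed sample packets: one per pattern, plus a benign ping to a host address.
SAMPLE_PACKETS = [
    {"src": "10.100.100.37", "dst": "10.100.100.37", "proto": "tcp",
     "sport": 139, "dport": 139, "flags": "S"},
    {"src": "198.51.100.9", "dst": "192.168.1.10", "proto": "icmp",
     "frag_offset": 8180, "payload_len": 1480},          # 8180*8 + 1480 = 66920 > 65535
    {"src": "192.168.1.10", "dst": "192.168.1.255", "proto": "icmp",
     "icmp_type": 8, "payload_len": 56},
    {"src": "192.168.1.10", "dst": "10.100.100.255", "proto": "udp",
     "sport": 4000, "dport": 7, "payload_len": 64},
    {"src": "192.168.1.10", "dst": "192.168.1.1", "proto": "icmp",
     "icmp_type": 8, "payload_len": 56},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], classify_packet(pkt) or "clean")
    print(summarize(SAMPLE_PACKETS))
```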
Protecting yourself against Smurf and Fraggle attacks
The best way to protect yourself against Smurf and Fraggle attacks is to properly
configure your router to disable broadcast pings. You can also filter out ICMP packets at
the firewall, or disable pinging on your server. However, these last two measures make it
rather difficult to test network connectivity if a problem occurs. Regarding Fraggle
attacks, many firewalls are configured to detect and filter out massive amounts of
packets sent from a host. It is also possible to use intrusion-detection applications to
detect such traffic.
Ways to diagnose DOS and DDOS attacks
A successful DOS or DDOS attack on a system will completely crash it. The system may
restart, or it may not accept any network packets or user input until it is forcibly
restarted. Less obvious signs of a system-based attack include slowed response times and
applications that no longer launch.
Regarding network activity, slowed or interrupted network access is the most common
sign. The best ways to diagnose DOS and DDOS attacks include:
Using a packet sniffer to view traffic on the network.
Using the netstat application to view connections on a system.
Using intrusion-detection applications to identify suspicious traffic, or floods of
traffic, on the network.
Mitigating vulnerability and risk
Recovering from most DOS attacks requires a simple reboot. However, DDOS attacks
often require you to reconfigure your switches and routers to drop offending traffic. Only
then will you be able to mitigate risk. On Windows Server 2003 systems, you can invoke
IPsec policies that allow you to limit or drop traffic from hosts. The Windows Server 2003
Internet Connection Firewall (ICF) also allows you to drop suspicious packets. On Linux
systems, you can use the ipchains application (for the 2.2 kernel and earlier) or iptables
application (for the 2.3 kernel and later) to completely block DDOS traffic.
To protect yourself from future DOS and DDOS attacks, determine the nature of the
attack. A simple software patch may solve your problem. For attacks involving traffic
floods, determine the nature of the attack, then configure your firewalls to block the
packets. You may also be able to ask your ISP to reconfigure its routers to permanently
block offending packets.
intrusion detection: The practice of using applications and servers to detect suspicious
network and host-based traffic.
OBJECTIVE 1.4.8: Attack incident recognition
Alternative sites
Another way to mitigate the effects of a DOS attack is to have alternative sites in place as
a backup in case service at your primary site is compromised. Major data centers
maintain completely redundant sites, for example. Alternative sites should include
backup DNS servers, Web servers, etc. Maintaining alternative sites is an extremely
expensive undertaking, but can allow business functions to resume quickly after a DOS
attack.
Unintentional DOS
Not all cases of denial-of-service are caused by intentional attacks. Often, normal
network maintenance functions or poor capacity planning can bring a network down or
slow it down so much that users cannot access services.
For example, if there is not sufficient bandwidth, or if traffic is not prioritized correctly
and server backups are performed during a busy period, then services will be disrupted,
generating what amounts to a denial of service.
Rebooting the corporate firewall or performing a DNS zone upgrade during the middle of
the day can certainly disrupt traffic and keep people from performing their jobs at least
for some period of time.
Even well-timed network maintenance tasks, such as installing system patches and
upgrades, or performing firmware upgrades, can have negative effects on a network if
there are problems with those upgrades. It is generally advisable to install upgrades and
patches one at a time and to test each one before proceeding with the next. Firmware
upgrades for firewalls should ideally be installed on a test system before being installed
on the device that actually protects your enterprise.
In the following lab, you will analyze the effect of a SYN flood attack. Suppose your
company's network has suffered a denial-of-service attack that has disrupted all your
users. You can investigate the cause of the attack by using a packet sniffer to inspect the
packets that flooded your system.

Lab 4-4: Analyzing a SYN flood in a packet sniffer
In this lab, your instructor will generate a SYN flood attack against student systems.
Students will use the Wireshark network protocol analyzer to analyze the effect of the
attack.
If Wireshark is not installed on your system, copy wireshark-setup-1.0.0 from the Lesson
4 folder of the supplemental CD-ROM to your Desktop, double-click the executable file,
and follow the prompts to install Wireshark and WinPcap (a utility that includes drivers
for capturing live network data on Windows systems). Use the default settings.
Note: Never, under any circumstances, use this or any other application to attack a system
outside of the classroom, or on any system that you do not own and administer.
1. Instructor: Log on to your Windows Server 2003 system as administrator.
Note: Administrative privileges are necessary because the tool used to generate the
SYN flood requires access to network sockets normally reserved for administrative
users.

2. Students: Select Start | All Programs | Wireshark | Wireshark to start Wireshark.
Select Capture | Options to display the Capture Options dialog box. In the Name
Resolution section, deselect the Enable Transport Name Resolution check box. You
do not want to resolve packets. The packets your instructor will generate cannot be
resolved. As a result, Wireshark may hang for an unacceptable period of time before
showing packets. Do not capture traffic yet.
3. Instructor: If you have not already, obtain the spastic.exe program from the Packet
Storm Web site (http://packetstorm.linuxsecurity.com) and place it on your
Desktop. Open a command prompt and change to your Desktop (e.g., cd desktop).
Once you have changed to your Desktop, you are ready to wage an attack against an
individual system. Assuming that you wanted to attack a host with the IP address of
192.168.2.5, you would enter the following at the command prompt:
spastic 192.168.2.5 <do not press ENTER yet>
Specify the appropriate IP address. Make sure that you do not use a host name; the
application is designed for IP addresses only.
4. Instructor: Press ENTER. You are now attacking a student system.
5. Students: In the Capture Options dialog box, click Start to begin capturing traffic. If
you do not see any captured packets, select Capture | Stop, then click OK to stop
the capture. Select Capture | Interfaces to display the Capture Interfaces dialog
box, then click Start next to the IP address of your interface. Captured packets
should now start appearing in the window.
6. Instructor: After about 5 or 10 seconds, press CTRL+C to stop the attack.
Note: You can conduct a longer attack at the end of this lab if you like.
7. Students: Stop capturing traffic when your instructor indicates that the attack is
finished (select Capture | Stop). You may find that Wireshark will take some time
before it allows you to view the packets. This is because a SYN flood application can
generate thousands of packets in just a few seconds.
8. Students: Begin sifting through your packet capture. Notice the following points:

You are viewing thousands of packets that have been generated in a matter of
seconds.
The packets have forged, randomly generated source IP addresses.
The packets have forged, randomly generated source and destination port
numbers.
The fact that source IP addresses and port numbers are randomly generated
makes it very difficult to filter out such traffic using a desktop firewall (e.g.,
Windows Firewall or ZoneAlarm). Similarly, the fact that destination ports are
also randomly chosen makes filtering such packets using a desktop firewall quite
difficult.
9. Students: Inspect a single packet by selecting it in the top pane, then expanding it in
the middle pane as shown in Figure 4-4.

Figure 4-4: Inspecting SYN flood packets using Wireshark
10. Students: Notice that the SYN flag is set, and that no others are set. View some of
the other similar packets with spoofed IP addresses (ignore those that constitute
standard network background traffic). Notice that all of these packets have spoofed IP
addresses, and that the IP addresses and port numbers are all random.
11. Students: Quit Wireshark without saving the capture data.
12. Students: Open the Performance snap-in (Start | Administrative Tools |
Performance).
13. Students: Ensure that the % Processor Time counter appears in the bottom pane of
the window.
14. Students: Right-click in the main pane of the Performance snap-in, and select Add
Counters to display the Add Counters dialog box, shown in Figure 4-5.

Figure 4-5: Add Counters dialog box
15. Students: Display the Performance Object drop-down list, select TCPv4, click Add
and then click Close.
16. Students: Ensure that the TCPv4 object appears in the bottom pane of the window.
Notice that the TCPv4 object has a Segments/Sec counter.
17. Instructor: Attack each student's computer four times using the spastic.exe
application. If you attack multiple times, students will be able to see multiple spikes
in the Performance snap-in.
18. Students: Notice how your system's processor usage immediately spikes with each
attack. Notice also that the Segments/Sec counter jumps, as shown in Figure 4-6.

Figure 4-6: Viewing Performance snap-in during SYN flood
Note: You can determine the actual severity of the SYN flood attack by right-clicking the
counter, selecting Properties, then changing the scale of the Segments/Sec counter
from default to .001.
19. Students and Instructor: After the instructor has finished attacking each system,
and after everyone has finished analyzing the SYN flood, consider the following
questions and write your answers in the spaces provided.
What would happen if hundreds or even thousands of systems used this
application against your system?

What would happen to your entire network?

What are some ways to help thwart this type of attack?



In this lab, you saw your instructor wage a SYN flood attack. You also analyzed this
attack using a packet sniffer and native performance analysis software. You now know
how to identify SYN flood attacks in Windows-based systems. You also discussed how to
stop such attacks.
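The diagnosis checklist earlier in this section and the Lab 4-4 observations (SYN set alone, thousands of packets in seconds, random source addresses and ports) can be turned into a check that runs over a capture, as in the following Python detector, which is an added example and not code from the CIW guide. It parses raw IPv4/TCP headers itself and fabricates its own sample traffic; the 500 SYN/s rate threshold, the 0.9 source-diversity cut-off and the client addresses are illustrative assumptions.

```python
import socket
import struct
import random
from collections import Counter

# TCP flag bits (low six bits of byte 13 of the TCP header)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_packet(src_ip, dst_ip, src_port, dst_port, flags):
    """Construct a minimal IPv4 + TCP packet (no payload, checksums left zero).
    Used only to fabricate sample traffic for the detector below."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 40, 0, 0, 64, 6, 0,   # IHL=5, len=40, TTL=64, proto=TCP
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_header = struct.pack("!HHIIBBHHH",
                             src_port, dst_port, 0, 0,     # ports, seq, ack
                             5 << 4, flags, 8192, 0, 0)    # data offset=5, flags, window, csum, urg
    return ip_header + tcp_header


def parse_tcp_packet(raw):
    """Decode (src_ip, dst_ip, src_port, dst_port, flags) from a raw IPv4 packet,
    or return None when it is not a complete TCP packet."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6 or len(raw) < ihl + 20:          # protocol 6 = TCP
        return None
    src_ip, dst_ip = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13] & 0x3F
    return src_ip, dst_ip, src_port, dst_port, flags


def analyze_capture(packets, duration_seconds, syn_rate_threshold=500.0):
    """Summarise a capture window. A SYN flood shows as a high rate of packets
    with SYN set and nothing else; spoofing shows as almost every such packet
    carrying a different source address, which is what defeats per-host blocking."""
    syn_only, sources, src_ports, dst_ports = 0, Counter(), set(), set()
    for raw in packets:
        parsed = parse_tcp_packet(raw)
        if parsed is None:
            continue
        src_ip, _, src_port, dst_port, flags = parsed
        if flags == TCP_SYN:                          # SYN alone, no ACK/RST/FIN/PSH/URG
            syn_only += 1
            sources[src_ip] += 1
            src_ports.add(src_port)
            dst_ports.add(dst_port)
    syn_rate = syn_only / max(duration_seconds, 1e-3)
    diversity = len(sources) / syn_only if syn_only else 0.0
    if syn_rate < syn_rate_threshold:
        verdict = "normal"
    elif diversity > 0.9:
        verdict = "syn-flood-spoofed-sources"         # mitigate by rate, not by address
    else:
        verdict = "syn-flood-few-sources"             # blocking the top sources is viable
    return {"syn_only": syn_only, "syn_rate": round(syn_rate, 1),
            "distinct_sources": len(sources), "source_diversity": round(diversity, 3),
            "distinct_src_ports": len(src_ports), "distinct_dst_ports": len(dst_ports),
            "top_sources": sources.most_common(3), "verdict": verdict}


def constructed_syn_flood(count=3000, seed=1, victim="192.168.2.5"):
    """Constructed flood sample: SYN-only packets with random source IPs and
    random source and destination ports, as observed in the lab."""
    rnd = random.Random(seed)
    rand_ip = lambda: ".".join(str(rnd.randint(1, 254)) for _ in range(4))
    return [build_tcp_packet(rand_ip(), victim, rnd.randint(1024, 65535),
                             rnd.randint(1, 65535), TCP_SYN) for _ in range(count)]


def constructed_background(seed=1, victim="192.168.2.5"):
    """Constructed benign sample: 30 complete handshakes to port 80 from five hosts."""
    rnd = random.Random(seed)
    packets = []
    for i in range(30):
        client, port = f"192.168.2.{10 + i % 5}", rnd.randint(1024, 65535)
        packets += [build_tcp_packet(client, victim, port, 80, TCP_SYN),
                    build_tcp_packet(victim, client, 80, port, TCP_SYN | TCP_ACK),
                    build_tcp_packet(client, victim, port, 80, TCP_ACK)]
    return packets


if __name__ == "__main__":
    # Five-second window containing the flood plus ordinary traffic
    report = analyze_capture(constructed_syn_flood() + constructed_background(), 5.0)
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```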

In the following lab, you will analyze the effect of a network-based attack. Suppose your
company's network has suffered a denial-of-service attack that has disrupted all your
users. You can investigate the cause of the attack by using a packet sniffer to inspect the
packets that flooded your system.

Lab 4-5: Identifying network-based attacks
In this lab, you will use a packet sniffer to identify network-based attacks.
1. Start Wireshark.
2. Access the student CD-ROM and copy the Lab Files/Lesson 4/packet_captures/
directory to your Desktop.
3. In Wireshark, select File | Open and take the necessary steps to load the
packet_capture_1.cap file into Wireshark. Study the capture. Suppose you knew
that this attack was waged from a remote computer. What type of attack are you
viewing? How can you tell? Write your answers in the space provided.




4. Load the packet_capture_2.cap file into Wireshark. Study the capture. What type of
attack are you viewing? How can you tell? Write your answers in the space provided.

5. Load the packet_capture_3.cap file. Study the capture. Suppose you have verified
that the ping application is not in use on your host. Assume further that your
system's IP address is 192.168.2.4. What type of attack is your system nevertheless
conducting on a victim? Write your answer in the space provided.

In this lab, you used a packet sniffer to identify network-based attacks.

Spoofing Attacks
Spoofing is a form of identity theft in which a hacker attempts to defeat authentication.
Spoofing attacks are also known as masquerade attacks. Specific examples include the
following:
IP spoofing: the ability to generate falsified information within an IP header. IPv4
is especially prone to this practice, because the IP stack does not contain the innate
ability to prove origin of source. However, Internet Protocol version 6 (IPv6) has this
ability and improves security considerably (at least for now).
ARP spoofing: the ability for a system to spoof another system's MAC address,
often resulting in redirection of traffic on a LAN. ARP spoofing is often used to imitate
routers.
DNS spoofing: the ability to appear to be a true DNS server, but in fact redirect
traffic to an attacking host that can gather sensitive information (e.g., user names
and passwords).
On IPv4, spoofing exploits the Internet's open network design. All servers assume that a
valid IP address belongs to the computer that sent it. Because TCP/IP contains no built-
in authentication, a hacker can assume the identity of another device. If your security
depends entirely upon the TCP/IP identity, then this type of attack can allow a hacker to
gain access to your system.
Spoofing and traceback
Many applications created by hackers can spoof IP addresses. The ability to falsify this
information is useful for a hacker because falsifying IP addresses thwarts detection. The
victim of an attack that also includes IP spoofing will find it difficult to conduct a
traceback (that is, trace the attack back to its true origin). Although a systems
administrator may be able to check system log files and packet captures, these checks
will not reveal the true source IP address of the attack.
Falsifying IP addresses also thwarts your ability to use Windows Server 2003 IPsec and
Linux packet-filtering commands, because the hacker can simply choose to spoof
different IP addresses. Many firewalls can be configured to automatically block
connections from hosts deemed to be threatening. However, one popular move against
such automatic reconfiguration has been to use IP spoofing against these firewalls where
the spoofed IP addresses are those of hosts vital to the network (e.g., DNS, e-mail and
Web servers for the company). Although you can exclude addresses from firewalls that
automatically block hosts, it is important to consider the drawbacks involved in
automating any feature of your firewall.
OBJECTIVE 1.4.3: Security attack types
Protecting against spoofing attacks
Following are ways that you can mitigate spoofing attacks:
Encrypt DNS zone transfers, and limit transfers only to trusted hosts.
Use IPv6, which demonstrates resistance to spoofing attacks.
If you continue to use IPv4, then use IPsec.
Scanning Attacks
Perhaps the most fundamental attack involves scanning for systems and detecting open
system ports. Table 4-5 describes the types of scanning attacks.
Table 4-5: Types of scanning attacks
Ping scan: A host directs a number of ping packets at a collection of hosts on a
network. Used to determine the hosts that exist on a network.
Port scan: A host scans some or all of the TCP and UDP ports on a system to see
which ports are open.
War dialing: A hacker uses software and a modem to discover hosts using modems to
attach to the network.
War driving: A hacker uses a wireless NIC to see if a wireless network is in the area.
Network mapping: A hacker forges custom packets (e.g., ICMP, TCP or UDP) in order to
scan and map networks. If the individual and/or application is clever enough, it is
possible to map hosts inside of many network firewalls.
A legitimate network administrator can use these same strategies. In such cases, using
these strategies constitutes an audit, rather than an attack.
Once an attacker (or auditor) finds working hosts and open ports, he or she can then use
more intrusive and detailed scanners to learn more about the services found. The
attacker can then go about researching the system to discover how to compromise a
weakness found in the service.

Most scanning applications have the ability to spoof connections to avoid
traceback.

Stack fingerprinting and operating system detection
Many of the applications discussed in this lesson use stack fingerprinting, a technique
that allows you to use TCP/IP to help identify specific operating systems and servers.
This process is often necessary because most systems administrators address
information leakage whenever possible and disable information banners. However, each
server and vendor has its own TCP/IP behaviors, which are difficult or impossible for a
systems administrator to control. Many auditors and hackers work to document these
subtle differences in TCP/IP implementation, thereby creating a sort of fingerprint for
each operating system.
OBJECTIVE 1.4.3: Security attack types
information leakage: A condition in which a system or network unnecessarily reveals
information during standard operations.
The key to learning how one operating system uses TCP/IP differently from another is to
generate idiosyncratic TCP/IP packets and direct them to IP addresses and ports. Certain
operating systems will respond to these packets in different ways, allowing you to deduce
which type of system the host is running. For example, you can send a FIN packet (or any
packet without an ACK or SYN flag) to a host's open port. By doing so, you can elicit a
response from the following systems:
Microsoft Windows 2003, XP, 2000, NT, 98, 95 and 3.11
Linux (various kernels, including 2.4)
FreeBSD
Cisco
HP/UX
Most other systems will not respond. Although you have narrowed the field only slightly,
you have at least begun to investigate the nature of the host you are targeting.
If you generate a TCP packet with an undefined flag in the header, versions of Linux
before 2.0.35 tend to include this undefined flag in their responses. This behavior is
unique to this version of Linux, allowing you to determine the operating system running
at that host.
In UNIX systems, you can download files from /bin/ls. The files you might find could
reveal important information about the flavor of UNIX on the host.
Following is a partial list of checks made by fingerprinting programs:
ICMP Error Message Quenching
Type Of Service (TOS) value
TCP/IP options
SYN flood resistance
Sequence prediction through the TCP initial window
Many operating systems implement these activities differently, allowing the program to
learn more information.
Sequence prediction
Whenever TCP begins its three-way handshake, it begins with an initial SYN packet. TCP
sequence numbers are supposed to be randomized. However, some systems (e.g.,
Windows NT 4.0) do not sufficiently randomize their initial sequence numbers, which
makes it possible for hackers to guess the sequence, then control TCP connections.
Many scanning programs (e.g., Nmap) have the ability to send initial SYN packets that
trick the operating system into a response. A fingerprinting application can deduce
several characteristics from the way this packet is formed, then arrive at an educated
guess about the operating system.
Network Mapper (Nmap)
Nmap is popular because it is relatively powerful, constantly updated and free. It is
available for both UNIX-based and Windows-based systems. It is an effective network
discovery program for two reasons. First, Nmap deploys a fairly sophisticated series of
TCP/IP fingerprinting engines. Its creator, who is known as Fyodor at www.insecure.org,
is also actively updating these engines so they can make as many educated guesses as
possible. Nmap can accurately scan server operating systems (including Novell, UNIX,
Linux and NT), routers (including Cisco, 3COM and HP) and dial-up devices. Secondly,
Nmap is effective because it is designed to defeat perimeter security applications, such as
firewalls.
One of the ways Nmap defeats firewalls is through its ability to fragment scans, primarily
via the stealth options. You can send stealth FIN packets (-sF), stealth Xmas tree packets
(-sX) or stealth NULL packets (-sN). These options allow you to fragment TCP queries to
bypass most firewall rules. Such strategies have been effective on even the most popular
of software companies, as well as many other organizations. Figure 4-7 shows the results
of a scan using Nmap.

Figure 4-7: Using Nmap to scan Windows system
Applications such as Nmap can also use older FTP servers to avoid tracebacks because
some FTP servers forward connections. If such an FTP server resides behind a firewall, an
attacker might be able to scan internal systems.
Long-term scans
You can also conduct long-term scans using Nmap. The -T option accepts several
different arguments, including the following:
Paranoid: waits five minutes between sending packets to a host it wants to scan
Sneaky: waits 15 seconds between sending packets
Polite: waits 0.4 seconds between sending packets
Currently, Nmap runs on UNIX, Windows, MAC OS X, FreeBSD, OpenBSD, NetBSD, Sun
Solaris, Amiga and HP-UX platforms. On UNIX platforms, consider blocking any X ports
because they can provide a logon. Consult the /etc/services file for more information
about X protocols.
You can also spoof source IP addresses, so auditors can evade traceback during a scan.
Issuing the nmap -h command will display a list of helpful commands. Also, consult the
Nmap manual page (man nmap) for more information.
A subtle hacker will simply issue a series of packets to an intended target over a period of
days, or even longer. Most intrusion-detection applications do not keep a database of
single packets sent over a long period of time. Ways to counter long-term scans include
configuring an intrusion-detection application to capture packets over a long period of
time. You can then search these captured packets for a pattern that may reveal how your
system has been thoroughly scanned over a long period of time.
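Both the stealth FIN, Xmas tree and NULL probes described under Nmap and the long-term scan just discussed leave the same trace on the defender's side: ACK-less packets from one source touching many ports over a long period. The following Python detector is an added example, not code from the guide or from Nmap; it classifies each logged TCP flag combination and correlates probes per source across a seven-day window, with the window, the 20-port threshold and the 203.0.113.7 / 198.51.100.9 sample addresses chosen for illustration.

```python
from collections import defaultdict

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
HOUR, DAY = 3600, 86400


def classify_flags(flags):
    """Name the probe type a scanner or fingerprinting tool would be sending,
    or return None for packets that belong to an ordinary connection."""
    flags &= 0x3F
    if flags == 0:
        return "NULL"                 # Nmap -sN: no flags at all
    if flags == FIN:
        return "FIN"                  # Nmap -sF and the FIN fingerprinting probe
    if flags == FIN | PSH | URG:
        return "XMAS"                 # Nmap -sX: FIN, PSH and URG lit up
    if flags == SYN:
        return "SYN"                  # normal connection start; only suspicious in bulk
    if flags & ACK:
        return None                   # handshake completion or established traffic
    return "OTHER"                    # any other ACK-less combination (e.g. SYN|FIN)


def detect_slow_scans(records, window=7 * DAY, min_ports=20):
    """records: iterable of (timestamp, src_ip, dst_port, flags) as a firewall or
    IDS would log them. A source is reported when, inside any `window` seconds,
    its probe packets touched at least `min_ports` distinct ports, however slowly."""
    per_source = defaultdict(list)
    for ts, src, port, flags in records:
        kind = classify_flags(flags)
        if kind is not None:
            per_source[src].append((ts, port, kind))
    alerts = []
    for src, events in per_source.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window start
                start += 1
            window_events = events[start:end + 1]
            ports = {p for _, p, _ in window_events}
            if len(ports) >= min_ports and (best is None or len(ports) > best["ports"]):
                best = {"src": src, "ports": len(ports),
                        "kinds": sorted({k for _, _, k in window_events}),
                        "span_days": round((events[end][0] - events[start][0]) / DAY, 1)}
        if best:
            alerts.append(best)
    return alerts


def constructed_records():
    """Constructed sample log: one FIN or NULL probe per hour to a new port for
    three days from 203.0.113.7 (a documentation address), plus ordinary HTTPS
    traffic from 198.51.100.9 every 90 minutes."""
    base = 1_700_000_000                                  # arbitrary epoch seconds
    records = [(base + i * HOUR, "203.0.113.7", 1 + i, FIN if i % 2 == 0 else 0)
               for i in range(72)]
    for i in range(40):
        t = base + i * 90 * 60
        records += [(t, "198.51.100.9", 443, SYN),
                    (t + 0.1, "198.51.100.9", 443, ACK),
                    (t + 0.2, "198.51.100.9", 443, ACK | PSH)]
    return records


if __name__ == "__main__":
    for alert in detect_slow_scans(constructed_records()):
        print(alert)
```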
Fragmented ICMP packets and network scanning
Many scanning applications use fragmented ICMP packets when conducting scans.
Sometimes, a firewall will allow such packets to pass, which means that the scanner will
be able to avoid the firewall and map the network. At other times, fragmented ICMP
packets will elicit a response from the target server that will allow the scanning
application to more precisely guess the operating system type.
In the following lab, you will scan your partner's computer to determine what services are
running on the system. Suppose you want to conduct an audit on your company's
network to determine the services being used by company computers. You can use a
network mapping application such as Nmap to perform a legitimate scan of the company
systems. Network administrators commonly use the same strategies and tools as hackers
to audit and improve their networks' security.

Lab 4-6: Using Nmap to scan a system in Windows Server 2003
In this lab, you will scan your partner's computer to determine the services that are
running on the system.
Note: Never, under any circumstances, use this or any other application to attack a system
outside of the classroom, or on any system that you do not own and administer.
1. Log on to Windows Server 2003 as administrator.
2. Go to the Lab Files/Lesson 4/WinPcap directory on the supplemental CD-ROM, or
to the WinPcap Web site (www.winpcap.org) and download it to your Desktop.
Install WinPcap by double-clicking the installation binary and following the
instructions. Unless WinPcap has already been installed, you should not have to
restart your system.
3. Obtain the Nmap installation binary from the Lab Files/Lesson 4/Nmap directory
on your supplemental CD-ROM, from your instructor, or from www.insecure.org.
4. Double-click the Nmap installation binary and follow the installation instructions.
5. Once Nmap is installed, double-click its icon on the Desktop, or select Start | All
Programs | Nmap | Nmap Zenmap GUI to start the program. The Zenmap window
will appear.

6. Enter your partner's IP address in the Target field, then click Scan.
7. Take note of the network services running on your partner's computer. This
information can be used by hackers to break in to your system, because your system
is revealing every port that is open on it. It is quite possible that a vulnerable service
may be listening on this port. The computer name indicates that Microsoft
Networking is enabled over TCP/IP, in addition to the other services running.
8. Now, scan multiple hosts. For example, if you are on the 192.168.3.0 subnet, enter
the following text in the Target field to scan hosts between the IP addresses of
192.168.3.1 and 192.168.3.11:
192.168.3.1-11
9. Wait for about a minute, and you will see that Nmap scans each host within the
range you have specified.
10. Next, you will spoof the source IP address. In addition to specifying a host to scan,
you need to create a profile that allows you to (among other things) specify a false, or
spoofed, address. To begin creating a profile, select Profile | New Profile to display
the Profile Editor dialog box. In the Profile tab, type Spoof Exercise in the Profile
Name field.
11. Click the Ping tab, then select the Don't Ping Before Scanning (-PN) check box.
12. Click the Source tab, then select the Set Source IP Address (-S) check box. Specify
an IP address of 9.13.19.64 in the Set Source IP Address (-S) field.
Note: You can specify any IP address you want, as long as it is one not normally used
in the classroom network.
13. Still in the Source tab, select the Set Network Interface (-e) check box, then type
eth0 in the Set Network Interface (-e) field.
Note: Specifying "eth0" tells Nmap to use the first network interface for this system.
14. Click OK to finish creating your new profile. You will be returned to the Zenmap
window.
15. In the Zenmap window, display the Profile drop-down list and select the Spoof
Exercise profile you have just created.
16. Specify your partner's IP address in the Target field, then click Scan to begin your
scan.
17. Nmap will conduct a scan of your partner's system. However, this time the scan will
appear to originate from a false, or spoofed, IP address (e.g., 9.13.19.64), rather than
from your actual IP address.
18. Use Nmap to conduct additional scans of your partner's system using spoofed IP
addresses. As you and your partner use spoofed source IP addresses, start
Wireshark to sniff network traffic. Notice that the packet captures you obtain will
show that the scan comes from a spoofed address (e.g., 9.13.19.64), not from the
actual IP address of your partner's system. As you view packets in Wireshark,
highlight a spoofed packet that has been sent from your partner's system. Expand
the Internet Protocol portion of the packet, as shown in Figure 4-8.

Figure 4-8: Examining spoofed packet Internet Protocol
Note: The IP addresses in the above figure may differ from the addresses you see
based on the IP address scheme your network is using, and the spoofed address you
specified in Step 12.
19. Review this packet. Notice that Wireshark is unable to determine that this IP address
has been spoofed. Consider how spoofing makes tracing back an attack to the
original source much more difficult.
In this lab, you conducted a scanning attack on a system. You also saw how it is possible
to spoof scanning attacks to thwart detection and traceback.

Man-in-the-Middle Attacks
A man-in-the-middle attack is one in which a hacker attempts to act on packets being
sent from one server to another. Table 4-6 describes man-in-the-middle attacks
conducted on networks.
Table 4-6: Common man-in-the-middle attacks
Password sniffing: A utility such as tcpdump, Windows Network Monitor, Ethereal or
Sniffer Basic is used to obtain packets from the network, then discover passwords
embedded therein. Although it is possible to capture and crack encrypted packets,
information sent in plaintext is trivially intercepted and used.
Connection termination (session killing): A third party identifies and then terminates
a connection between two hosts on the network. This type of attack focuses on TCP.
Connection hijacking: A network connection between two hosts is redirected from a
legitimate target to a third attacking host. As with connection termination, this type of
attack focuses on TCP. Includes the ability to spoof the intended destination host, and
the ability to spoof intermediate routing devices. Also known as TCP/IP hijacking.
Packet insertion: Rather than taking over a connection, this attack identifies a
connection, then inserts falsified packets into the data stream. As with connection
termination, this type of attack focuses on TCP. Also known as a packet injection attack.
Often conducted on unencrypted traffic (e.g., Telnet, some instant messaging, FTP).
Poisoning: Through packet injection and connection hijacking, this attack gives false
information to protocols that rely on automatic updates. DNS, ARP and routing protocols
are especially vulnerable to poisoning attacks.
Replay attacks: An attack in which a user obtains previously transmitted or used
information (packets from a network or network host) and reuses it to obtain illicit
access to a system.
OBJECTIVE 1.4.3: Security attack types
man-in-the-middle attack: An attack in which a hacker positions himself logically in the
middle of a connection in order to intercept (and possibly reroute) packets.
Except for password sniffing and replay attacks, the following conditions must hold for
an attack to take place:
The attacker must be on the path the traffic takes, logically if not physically. If two
networks are connecting between Seattle, Washington, and San Jose, California, the
"man in the middle" must sit on a link or router between these points at the time of the
connection, or must redirect the traffic to himself (for example, by ARP or DNS poisoning
on one of the end networks).
For connection termination, hijacking and packet insertion, the connection must be
session-based (e.g., using TCP rather than UDP), because the attacker's forged segments
must fit the sequence numbers of an established stream.
Packet sniffing and network switches
It is quite easy to sniff packets in standard hub-based networks because a hub repeats
every frame to every port, so all network hosts can listen in on all communications.
Network switches have replaced hubs in many network implementations, in part as an
attempt to mitigate packet sniffing. A switch learns which MAC address sits behind each
port and forwards a unicast frame only to the port of its destination, so a host no longer
sees traffic addressed to other hosts. However, applications have been developed that
enable packet sniffing even on switched networks. Applications such as Ettercap, shown in
Figure 4-9, use ARP spoofing (convincing the victims that the attacker's MAC address
belongs to the gateway, or to each other) and additional techniques such as MAC flooding
to defeat the switch and allow sniffing of any connection within a particular network.
Figure 4-9: Ettercap capturing dictionary attack on switched network
In the preceding figure, the user named james has successfully used the su command
after a few tries. He has become root on a Linux server, and now an attacker has root's
password of T0pS3cret. You can download Ettercap from http://ettercap.sourceforge.net.
A packet sniffer (even one such as Ettercap) can usually obtain packets only on
the local network segment. If your system resides on the 192.168.2.0/24 network, for
example, then you will not be able to sniff traffic on the 10.100.100.0/24 network
using a standard packet sniffer, because that traffic never crosses your segment.
Connection hijacking
Connection hijacking occurs on an IP network when Host A begins to communicate with
Host B. At this time, the attacker Host C finds a way to assume Host A's identity (its IP
address and, on a LAN, its MAC address). Host C then finds a way to remove Host A from
the network. Host C is now impersonating Host A, so Host C must ensure that Host A does
not appear on the network again; otherwise Host A's own replies (including the RST
segments it sends for a connection it does not recognize) expose the attack. Once Host C
has removed Host A, it can begin transmitting and receiving data to and from Host B. In
the variant in which Host C instead relays traffic between A and B (as with ARP
poisoning), both legitimate hosts stay up and believe they are communicating directly
with one another, when in reality the hacker is intercepting all traffic and forwarding
it to each host. The hacker can then do anything he or she likes with the data.
The hacker who conducts a hijacking attack requires a program (or several programs) to
perform the following functions:
Packet sniffing, to obtain information about the connection being hijacked, in
particular its current TCP sequence and acknowledgment numbers.
A DOS or DDOS program to eliminate the host being spoofed.
A packet generator that can spoof IP, TCP/UDP and ARP traffic, so that the attacker can
continue the TCP connection with the legitimate host, which knows nothing about the
successful hijacking attempt.
A forwarding function to relay traffic from the legitimate host onto the network, so
that the legitimate host has no idea that an attack is occurring (if the attacking host
is imitating a router, for example).
In many cases, one application can accomplish all of these functions.
OBJECTIVE 1.4.6: Routing issues and security
Example
Consider the following scenario involving three hosts named Larry, Moe and Curly. The
first host, Larry, will be the victim that thinks it has completed a TCP three-way
handshake (SYN, SYN-ACK, ACK) with a legitimate user (in this case, Moe). However, Moe is
not actually participating in the connection because Curly has conducted a
denial-of-service attack against Moe and is answering from Moe's address. So, although
host Larry thinks it is communicating with Moe, it is really talking to Curly.
Registration hijacking
Just as it is possible to hijack a TCP connection, it is possible to hijack a VoIP
registration (the SIP REGISTER exchange that tells the proxy where a phone can be
reached). There are numerous implications when a registration is hijacked. For example, a
hacker can steal telephone access to your network, making calls that you support and pay
for (toll fraud). A hijacker can also impersonate someone from your company for reasons
of ordering supplies, canceling services or misrepresenting your company; remember, your
company's name may show up as the caller ID on this connection.
A hijacked phone number (which has access to the network) can also be used for placing
unsolicited calls (voice spam). Tying up phone lines in this manner can be considered a
form of DOS attack.
Voice mail compromises
If a hacker can sniff passwords and can hijack a registration, access to voice mail
becomes easy. Messages can be altered, deleted, etc., and settings and passwords can be
changed by a malicious user.
Impersonated calls
Eavesdroppers can also intercept IP phone conversations and convert them into WAV files
that can be played back on any computer or playback device. Voice traffic tends to be
unencrypted. IP Security (IPsec)-encrypted VPN tunnels can be used as a solution;
however, VPN-based solutions can be complex and typically require connections to be
configured individually for each pair of computers that will be communicating over the
tunnel. Secure RTP (SRTP) encrypts the media stream itself and avoids that problem where
the phones and gateways support it. VPNs are often employed for connecting remote offices
or remote users to the main office; they are seldom used within one building. Although it
may seem that voice traffic on a LAN is immune to attack, a surprising number of security
breaches are performed by trusted employees working inside the organization.
DNS and ARP cache poisoning
In DNS poisoning, a hacker injects false information into the data a DNS server holds or
hands out. One route is a zone transfer: as the data stream flows by, the hacker inserts
new DNS entries and/or removes existing DNS entries from the DNS zone. The more common
route is cache poisoning, in which the attacker answers a recursive resolver's query
before the real authoritative server does, with a forged response whose transaction ID and
destination port match the outstanding query. Either way, the DNS server then reports this
bogus information as being valid, which can help a malicious user imitate legitimate sites
and gain access to sensitive information.
ARP cache poisoning is similar, though much easier to accomplish. It occurs when a
malicious user exploits any system's willingness to accept ARP entries automatically from
any other system. ARP in IPv4 has no authentication, so there is no way for a system to
differentiate valid ARP entries from invalid ones.
Operating systems use the ARP cache to map a system's IP address to its MAC address. A
malicious user need only use (or create) an application that sends falsified entries to
another system's ARP cache, and the victim system will then believe this information.
Once an ARP cache has been successfully poisoned, it is possible to:
Conduct a DOS attack. Suppose that a hacker poisoned your system's ARP cache so
that the network router's IP address became associated with a MAC address that no
device on the segment uses. Your frames for the router would go nowhere, and you would
not be able to communicate on the Internet as a result.
Conduct a man-in-the-middle attack. In the previous example, the hacker mapped the
router's IP address to a bogus MAC address. Suppose instead that the hacker mapped the
router's IP address to his own MAC address (and, in the router's cache, mapped your IP
address to his MAC address as well). All packets meant for the router would be directed
toward the hacker's system, which forwards them on so that nothing appears broken,
resulting in a connection hijacking attack. As a result, the hacker would receive all
packets meant for outside networks. The hacker could then sift through these packets and
look for sensitive information (e.g., user names and passwords to e-mail accounts, etc.).
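The poisoning just described, as an added example that is not part of the original text: the script below builds the forged ARP reply an attacker would send, parses ARP frames, and keeps the IP-to-MAC table that a monitoring host (or the victim's own cache) would end up with, raising an alert when a binding changes. All addresses are constructed; send_frame() shows only how such a frame reaches the wire and is not called.

```python
"""Added example (not from the CIW text): what a poisoned ARP reply looks like on the wire,
and the check that catches it. The MAC and IP addresses below are constructed."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP reply that says "sender_ip is at sender_mac".
    Nothing in the protocol proves that claim, so a host that sends this with its own MAC
    and the router's IP rewrites the target's cache entry for the router."""
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type Ethernet, protocol type IPv4, hw addr len 6, proto addr len 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def send_frame(interface: str, frame: bytes) -> None:
    """Put a raw frame on the wire (Linux, requires root). Shown for completeness only."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as raw:
        raw.bind((interface, 0))
        raw.send(frame)


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpWatch:
    """Remember which MAC each IP has claimed and alert when the binding changes.
    This is the same check tools such as arpwatch perform from a monitoring port."""

    def __init__(self):
        self.bindings = {}   # ip -> mac: what a victim's cache would now contain
        self.alerts = []     # (ip, old_mac, new_mac)

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return              # only replies carry a binding claim
        _, mac, ip = parsed
        previous = self.bindings.get(ip)
        if previous is not None and previous != mac:
            self.alerts.append((ip, previous, mac))
        self.bindings[ip] = mac


# Constructed scenario: the real router answers first, then an attacker claims its IP.
ROUTER_IP, ROUTER_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "66:77:88:99:aa:bb"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def run_scenario() -> ArpWatch:
    watch = ArpWatch()
    watch.observe(build_arp_reply(ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP))
    watch.observe(build_arp_reply(ATTACKER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP))
    return watch


if __name__ == "__main__":
    result = run_scenario()
    print("victim now sends router traffic to", result.bindings[ROUTER_IP])
    for ip, old, new in result.alerts:
        print(f"ALERT: {ip} moved from {old} to {new}")
```

The second observe() call is the whole attack: one unsolicited reply, and the victim's table now points the router's IP at the attacker. The alert fires because the binding changed, which is also why a static ARP entry for the gateway on critical hosts blocks this particular trick.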
Avoiding man-in-the-middle attacks
Following are some ways to avoid man-in-the-middle attacks:
Encrypting and authenticating traffic (e.g., with SSH, TLS or IPsec) defeats sniffing,
packet insertion and replay, and makes a hijacked connection useless to the attacker.
It does not prevent connection termination, because a forged RST needs no key.
Encrypting the authentication process reduces the possibility of logon and password
information being intercepted.
Ensuring that all network systems randomize TCP initial sequence numbers makes blind
(off-path) connection hijacking impractical, because the attacker must guess the
sequence number to forge an acceptable segment. Most systems now do this, but earlier
Windows NT versions were particularly susceptible to attacks.
Auditing networks for malicious applications may help keep malicious software from
being installed on systems. This activity also helps you identify when network sniffers
are in promiscuous mode. A network interface card (NIC) normally discards frames that
are not addressed to its own MAC address (or to a broadcast or multicast address it has
joined). For a packet sniffing application to see other hosts' traffic, the NIC on the
system running the packet sniffer must be placed into promiscuous mode, in which it
passes every frame it receives up to the operating system. A PC with a NIC operating in
promiscuous mode is very likely running a packet sniffing program (legitimate exceptions
include bridges and virtual machine hosts); on Linux, ip link show prints PROMISC among
the flags of such an interface.
In the following lab, you will conduct a man-in-the-middle attack. Suppose you want to
conduct an audit of your company's users' security practices. You can use a network
protocol analyzer to capture information contained in transmissions between your users'
systems. Network administrators commonly use the same strategies and tools as hackers
to audit and improve their networks' security.

Lab 4-7: Conducting a man-in-the-middle attack
In this lab, you will use Wireshark to capture e-mail passwords contained in
transmissions between your system and your instructor's system. If time permits, you
will also see the effects of spoofing a scanning attack.
Note: This lab is designed to work in hub-based networks, not those that use switches. If
your network is using a switch, you will be unable to conduct this lab as written.

Note: Never, under any circumstances, use this or any other application to attack a system
outside of the classroom, or on any system that you do not own and administer.
1. Instructor: Enable the e-mail server if necessary, then change the passwords of all
users. Make the password for each student account slightly unique (e.g., secret1,
secret2, and so forth). Tell each student his or her password privately. Now, each
person has a unique password, and no one knows the others' passwords.
2. Students: Configure your e-mail clients to use the password supplied by your
instructor.
3. Students: As administrator, start Wireshark.
4. Students: Select Capture | Options to display the Capture Options dialog box.
Enter the following in the Capture Filter field (where partner_system is the IP address
of your partner's system, and where instructor is the DNS name or IP address of your
instructor's system):
host partner_system and host instructor
5. Students: Deselect the Enable Transport Name Resolution check box to ensure
that you will be able to quickly read your capture.
6. Students: Click Start to begin capturing traffic. If you do not see any captured
packets, select Capture | Stop, then click OK to stop the capture. Select Capture |
Interfaces to display the Capture Interfaces dialog box, then click Start next to the
IP address of your interface. Captured packets should now start appearing in the
window. You are now conducting a man-in-the-middle attack (the passive, password-sniffing
form from Table 4-6) between your partner's system and the instructor system.
7. Students: Have your partner check e-mail using the new password.
8. Students: After a few seconds, end your packet capture. Review the packets, and
note any user names and passwords used.
9. Students: What is your partner's new user name and password?
10. Students: Repeat the process, but this time, sniff the connections of other users.
In this lab, you conducted a man-in-the-middle attack.
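As an added example, not part of the lab or the original text, the following script does offline what you just did by eye in Wireshark: it reads a libpcap capture, pulls USER/PASS commands out of plaintext POP3 (and FTP) sessions, and also grades a server's TCP initial sequence numbers, the check behind the "randomize TCP sequence numbers" advice in the previous section. The capture, hosts, user name and password are constructed inside the script so it runs without a network.

```python
"""Added example (not from the CIW text): read a pcap the way the lab's capture would be
read, pull USER/PASS commands out of plaintext POP3 and FTP sessions, and grade the
server's initial sequence numbers. The capture is constructed in memory below."""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
PLAINTEXT_LOGIN_PORTS = {110: "POP3", 21: "FTP"}


def tcp_packet(src, dst, sport, dport, seq, flags, payload=b""):
    """Ethernet + IPv4 + TCP with zero checksums: enough for a parser, not for a real stack."""
    ethernet = bytes.fromhex("66778899aabb0011223344550800")   # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ethernet + ipv4 + tcp


def pcap_bytes(packets):
    """Classic libpcap file: 24-byte global header (link type 1 = Ethernet), then records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):                      # constructed timestamps
        out += struct.pack("<IIII", 1233619200 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, seq, flags, payload) for each TCP/IPv4 packet."""
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, captured, _ = struct.unpack("<IIII", pcap[offset:offset + 16])
        pkt = pcap[offset + 16:offset + 16 + captured]
        offset += 16 + captured
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                         # not IPv4, or not TCP
        ihl = (pkt[14] & 0x0F) * 4
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        tcp = pkt[14 + ihl:]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_offset, flags = (tcp[12] >> 4) * 4, tcp[13]
        yield src, dst, sport, dport, seq, flags, tcp[data_offset:]


def find_credentials(pcap):
    """USER/PASS commands sent in the clear, keyed by (client, server, protocol)."""
    found = {}
    for src, dst, _, dport, _, _, payload in iter_tcp(pcap):
        if dport not in PLAINTEXT_LOGIN_PORTS:
            continue
        for line in payload.decode("ascii", "replace").splitlines():
            verb, _, argument = line.partition(" ")
            if verb.upper() in ("USER", "PASS"):
                key = (src, dst, PLAINTEXT_LOGIN_PORTS[dport])
                found.setdefault(key, {})[verb.upper()] = argument
    return found


def isn_assessment(pcap, server_ip):
    """Compare the ISNs a server picked for consecutive SYN-ACKs. Near-constant increments
    let an attacker who cannot see the wire guess the next one and forge segments."""
    isns = [seq for src, _, _, _, seq, flags, _ in iter_tcp(pcap)
            if src == server_ip and (flags & (SYN | ACK)) == (SYN | ACK)]
    if len(isns) < 3:
        return "insufficient samples"
    deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])]
    return "predictable" if max(deltas) - min(deltas) < 1024 else "randomized"


CLIENT, OLD_SERVER, NEW_SERVER = "192.168.1.10", "192.168.1.20", "192.168.1.21"
SAMPLE_PCAP = pcap_bytes([
    tcp_packet(CLIENT, OLD_SERVER, 40001, 110, 1, SYN),
    tcp_packet(OLD_SERVER, CLIENT, 110, 40001, 64000, SYN | ACK),
    tcp_packet(CLIENT, OLD_SERVER, 40001, 110, 2, PSH | ACK, b"USER james\r\n"),
    tcp_packet(CLIENT, OLD_SERVER, 40001, 110, 13, PSH | ACK, b"PASS secret1\r\n"),
    tcp_packet(OLD_SERVER, CLIENT, 110, 40002, 128000, SYN | ACK),  # ISN grows by a fixed step
    tcp_packet(OLD_SERVER, CLIENT, 110, 40003, 192000, SYN | ACK),
    tcp_packet(NEW_SERVER, CLIENT, 110, 40004, 0x1A2B3C4D, SYN | ACK),  # ISNs chosen at random
    tcp_packet(NEW_SERVER, CLIENT, 110, 40005, 0x9F3E1C07, SYN | ACK),
    tcp_packet(NEW_SERVER, CLIENT, 110, 40006, 0x44D2E8A1, SYN | ACK),
])

if __name__ == "__main__":
    print(find_credentials(SAMPLE_PCAP))
    print(OLD_SERVER, isn_assessment(SAMPLE_PCAP, OLD_SERVER))
    print(NEW_SERVER, isn_assessment(SAMPLE_PCAP, NEW_SERVER))
```

To run it against the lab's real capture, save the Wireshark capture in libpcap format and pass its bytes to find_credentials(); the capture filter from step 4 (host partner_system and host instructor) keeps the file small enough to parse this way.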

Bots and Botnets
Bots, or Internet bots, are software applications that run automated, repetitive tasks over
the Internet. Bots are often used as Web spiders, in which an automated script browses
the World Wide Web to provide up-to-date data for search engines.
However, hackers can also use bots maliciously to launch automated attacks on
networked computers, usually for the purpose of taking control of the infected computers
to do their bidding. A group of infected computers is known as a botnet. An individual
computer within a botnet is referred to as a zombie because it is controlled by the
hacker who launched the bot, not the owner of the computer.
OBJECTIVE 1.4.3: Security attack types
bot: Software application that runs automated tasks over the Internet.
botnet: A group of computers infected with a bot.
Bots are typically used by hackers to launch applications such as the following:
DOS and DDOS attacks: programs designed to overwhelm or crash the target system.
Adware: programs that automatically play, display or download advertisements to a
computer.
Spyware: programs that intercept the user's interaction with the computer and send
information to their creators about the user's activities without the user's consent.
Spam: e-mail messages that are sent disguised as messages from people, but are either
annoying or malicious in nature.
Click fraud: programs that cause the user's computer to visit Web sites for the purpose
of generating a charge-per-click transaction without the user's consent.
Downloader programs: programs that consume bandwidth by downloading entire Web sites.
Web site scrapers: programs that copy the content of a Web site and re-use it without
permission on automatically generated doorway pages (pages to which Internet users are
redirected without their knowledge).
Avoiding bot attacks
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans
Apart) is a widely used technique for distinguishing between a human user and a bot.
CAPTCHAs require that a user view a distorted text image, and then type it before he or
she is allowed to proceed with a transaction. The distorted image is easily recognizable
by humans, but is a difficult challenge for a bot. It is a hurdle rather than a guarantee:
improved character recognition and paid human solving services can both get past it, so
rate limiting and account monitoring still matter.
An example of a bot attack
In June 2008, a denial-of-service attack was launched on Amazon.com and the Internet
Movie Database (imdb.com), effectively shutting down their servers for more than three
hours over a four-day period. IMDB is owned by Amazon and uses Amazon IP addresses.
In addition to the possibility that hackers were deliberately trying to shut down Amazon's
Web servers by launching an automatic script, there is speculation that the shutdown
was inadvertently caused by bots programmed to seize the limited-quantity Metal Gear
Solid 4 bundle, an 80-GB pack for the PlayStation 3, which went on sale on Amazon on
the first day in which outages were reported.
SQL Injection
SQL injection is a common Web attack mechanism used by hackers to steal data from
organizations. SQL injection is an attack in which a hacker places SQL syntax in input
that the application splices into a SQL command string, for the purpose of reading or
changing data contained in a database. It takes advantage of improper coding in your Web
applications that enables the hacker to inject SQL commands through a login form, for
example, and so gain access to your database data. SQL injection is one of the most
common application-layer attack techniques used today.
Web site features such as login pages, search pages, shopping carts, support and product
request forms, feedback forms, and dynamic content can all be susceptible to SQL
injection attacks. All of these Web applications contain fields that accept user input;
if the application builds its query by concatenating that input, the user's text becomes
part of the SQL statement the database executes.
OBJECTIVE 1.4.3: Security attack types
SQL injection: A hacking technique in which SQL commands are passed through a Web
application for execution by the back-end database.
Preventing SQL injection attacks
Unfortunately, network firewalls and similar intrusion-detection mechanisms provide little
protection from SQL injection. Because your Web site needs to be public, these mechanisms
must allow public Web traffic to reach your Web applications, and the injected SQL travels
inside that permitted HTTP traffic.
Avoid dynamically generated SQL
One way to prevent SQL injection is to avoid using dynamically generated SQL in your
code. By using parameterized queries and stored procedures, you remove the mechanism
that SQL injection depends on: user input is never parsed as part of the statement. A
stored procedure that itself builds a statement from its arguments by string
concatenation reintroduces the problem, so the rule applies inside the database too.
Use parameterized queries
Parameterized queries are queries in which the SQL statement is written with placeholders
and the values are supplied separately. The database compiles the statement first and
binds the values afterward, so a quote or keyword inside a value is treated as data, never
as SQL; this also makes your code less error-prone than dynamically generated SQL. Stored
procedures can further secure your database by restricting objects within the database to
specific accounts, and permitting the Web application's account to execute stored
procedures only. Your code then accesses the database using only that account. As long as
you do not give this account any other permission, such as direct read or write access to
the tables, an injected statement has far less to work with even if a coding mistake lets
one through. Any interaction with your database is done using the stored procedures that
you wrote and that are located in the database itself, which is usually inaccessible from
a DMZ or perimeter network.
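As an added example (not from the original text), the two login functions below show the difference in running code: the first splices the form fields into the SQL string, the second binds them as parameters. The users table and its rows are constructed in an in-memory SQLite database, and the payloads are the classic tautology and comment tricks.

```python
"""Added example (not from the CIW text): the same login check written with string
concatenation and with placeholders, run against a throwaway in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table; the rows and passwords are illustrative only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "T0pS3cret", 1), ("james", "secret1", 0)])
    return db


def login_vulnerable(db, username: str, password: str):
    """Dynamically generated SQL: the form fields are spliced into the statement text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username: str, password: str):
    """Parameterized query: the statement is compiled with ? placeholders and the values are
    bound afterwards, so they can only ever be compared as data."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


PAYLOADS = {
    "tautology": ("admin", "' OR '1'='1"),   # password clause becomes '' OR '1'='1'
    "comment": ("admin' --", "anything"),    # -- comments out the password check entirely
}


def compare(db):
    """Run each payload through both versions; returns {name: (vulnerable, parameterized)}."""
    return {name: (login_vulnerable(db, user, pw), login_parameterized(db, user, pw))
            for name, (user, pw) in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (weak, safe) in compare(make_db()).items():
        print(f"{name:10s} vulnerable -> {weak!r:10} parameterized -> {safe!r}")
```

Both payloads log in as admin through login_vulnerable() and return None through login_parameterized(), with no input filtering at all; the placeholder is what makes the difference, so every query that touches user input should use one.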
Audit for SQL injection vulnerabilities
Audit your Web site and Web applications periodically to check for SQL injection
vulnerabilities. Manual vulnerability auditing is complex and can be very
time-consuming. A practical way to check your Web site and Web applications is to use an
automated Web vulnerability scanner, which crawls through your entire Web site and
automatically checks for undiscovered vulnerabilities. It will indicate which URLs and
scripts appear vulnerable to SQL injection so that you can immediately fix the code.
Scanners miss injection points they cannot reach (authenticated pages, unusual
parameters), so pair them with a review of every place the code builds a query.
Auditing
Auditing is one of the primary means of protecting yourself against malicious code.
Through regular system scanning, you can identify open ports and suspicious activity.
Critical steps to perform include the following:
Checking password databases regularly (e.g., the Windows SAM, and the UNIX
/etc/passwd and /etc/shadow files)
Checking log files for suspicious entries
Scanning systems
Identifying areas of information leakage
Checking password databases regularly
Create a regular schedule to help you make sure that your authentication databases are
current. Look for suspicious additions and even deletions. Also, check each account to
make sure that users have not elevated their permissions. For example, make sure that an
ordinary user account on a Windows Server 2003 system has not suddenly appeared in the
Administrators group, or a UNIX account in the wheel or sudo group.
OBJECTIVE 1.2.5: Auditing
Checking log files
A proficient hacker tries to erase evidence of an attack, using strategies such as the
following:
Modifying log files: By eliminating certain entries, the hacker can make it appear as
if he never entered a system. Shipping logs to a separate log host as they are written
defeats this, because the copy the hacker can reach is no longer the only one.
Flooding systems with information: If a log file grows particularly large, it may be
difficult for the systems administrator to detect malicious activity, because he or she
cannot successfully wade through all the information.
Changing logon accounts: A hacker will try to elevate the privileges of a standard
account so that it has administrative privileges.
Look for the following evidence of suspicious activity:
Failed logon attempts.
Accounts that have new permissions and/or new passwords.
Unusual logon times. For example, suppose your established baseline is that the Vice
President of Product Development logs in between 7 a.m. and 7 p.m. If his account is
accessed at 2 a.m., you may want to ask questions about this activity.
As you review log files, you should also review system-level and user-level entries. Do not
simply look for changes to hard drive files and/or logs. Review individual user accounts,
as well. Common users to monitor include administrative accounts, as well as accounts
important to your company (e.g., those for executives, middle management and IT
workers).
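An added example (not from the original text) of the checks described in this section and in "Checking password databases regularly", run over constructed sshd log lines and two constructed snapshots of /etc/group: repeated failed logons from one source, a successful logon outside an account's baseline hours, and an account that has gained membership in a privileged group. The account names, addresses and baseline hours are illustrative.

```python
"""Added example (not from the CIW text): log and account checks over constructed data."""
import re
from collections import Counter

SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Constructed sshd lines in the usual syslog layout.
SAMPLE_LOG = """\
Feb  3 02:13:07 mail sshd[2201]: Accepted password for vpdev from 203.0.113.9 port 51022 ssh2
Feb  3 08:45:11 mail sshd[2240]: Accepted password for james from 192.168.1.10 port 40112 ssh2
Feb  3 09:01:03 mail sshd[2255]: Failed password for root from 198.51.100.23 port 33000 ssh2
Feb  3 09:01:05 mail sshd[2256]: Failed password for root from 198.51.100.23 port 33001 ssh2
Feb  3 09:01:08 mail sshd[2257]: Failed password for admin from 198.51.100.23 port 33002 ssh2
Feb  3 09:01:10 mail sshd[2258]: Failed password for invalid user oracle from 198.51.100.23 port 33003 ssh2
Feb  3 09:01:12 mail sshd[2259]: Failed password for invalid user test from 198.51.100.23 port 33004 ssh2
Feb  3 09:01:15 mail sshd[2260]: Failed password for root from 198.51.100.23 port 33005 ssh2
Feb  3 09:30:00 mail sshd[2270]: Failed password for james from 192.168.1.10 port 40113 ssh2
Feb  3 09:30:04 mail sshd[2271]: Accepted password for james from 192.168.1.10 port 40114 ssh2
"""

# Established baseline (illustrative): account -> (earliest hour, latest hour) for logons.
BASELINE = {"vpdev": (7, 19), "james": (8, 18)}


def parse(log: str):
    """Yield (result, user, source, hour) for every sshd authentication line."""
    for line in log.splitlines():
        m = SSHD_LINE.match(line)
        if m:
            hour = int(m.group("ts")[-8:-6])      # HH of the HH:MM:SS timestamp
            yield m.group("result"), m.group("user"), m.group("src"), hour


def failed_logon_sources(log: str, threshold: int = 5):
    """Sources with at least `threshold` failed logons: password guessing across accounts."""
    counts = Counter(src for result, _, src, _ in parse(log) if result == "Failed")
    return {src: n for src, n in counts.items() if n >= threshold}


def off_hours_logons(log: str, baseline=BASELINE):
    """Successful logons by watched accounts outside their baseline hours."""
    flagged = []
    for result, user, src, hour in parse(log):
        if result == "Accepted" and user in baseline:
            earliest, latest = baseline[user]
            if not earliest <= hour < latest:
                flagged.append((user, src, hour))
    return flagged


def group_membership_changes(old_group_file: str, new_group_file: str,
                             watched=("sudo", "wheel", "adm")):
    """Accounts that appeared in a privileged group between two snapshots of /etc/group."""
    def members(text):
        table = {}
        for line in text.splitlines():
            name, _, _, users = line.split(":")
            table[name] = {u for u in users.split(",") if u}
        return table
    before, after = members(old_group_file), members(new_group_file)
    gained = {g: sorted(after.get(g, set()) - before.get(g, set())) for g in watched}
    return {g: users for g, users in gained.items() if users}


# Constructed /etc/group snapshots: james has been added to sudo since the last audit.
OLD_GROUP = "root:x:0:\nsudo:x:27:ops\nadm:x:4:syslog\n"
NEW_GROUP = "root:x:0:\nsudo:x:27:ops,james\nadm:x:4:syslog\n"

if __name__ == "__main__":
    print("guessing from:", failed_logon_sources(SAMPLE_LOG))
    print("off-hours logons:", off_hours_logons(SAMPLE_LOG))
    print("new privileged members:", group_membership_changes(OLD_GROUP, NEW_GROUP))
```

The single failure from james at 09:30 followed by a success is ordinary; the six failures in twelve seconds from one address against root, admin and nonexistent accounts are the dictionary attack pattern this lesson described, and the 02:13 logon for the vpdev account is the kind of baseline deviation worth a phone call.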
Scanning systems
Regularly scan your systems to determine whether any vulnerabilities have developed.
Scanning software can include the following:
Virus management applications: useful for scanning file systems
Port scanners: applications that allow you to determine which service or daemon is
listening on a port
Vulnerability analysis applications: applications that query services and daemons on
open ports to determine whether a vulnerability is present
Identifying information leakage
On computers and computer networks, connectivity implies risk. Each computer must
supply potentially sensitive information to create a connection between a server and the
Internet. Organizations must determine how to minimize the information they provide to
the public, as well as take the proper steps to provide only the necessary legitimate
information. The first step is to determine what information is necessary, and what is
not.
Necessary information
The following information is necessary for users to connect with the system, even though
providing it can still give a hacker essential clues about your system:
Domain registration (whois) information, historically held by InterNIC
TCP services that you are running (Web, FTP and e-mail servers, among others)
Unnecessary information
Take steps to protect the following information:
Contents of a DNS server.
Routing tables.
User and account names.
Banner information running on any of the servers. For example, Apache server
defaults to providing full information about its version, the operating system and the
modules it is currently using to help deliver documents. If possible, change the
default setting.
Banner information is crucial to hackers so they can identify the type of operating system
and Internet service that a host is running. The banner information can be obtained by
connecting via Telnet (or netcat) directly to a specific port on a host and reading what
the service announces; for HTTP, sending a HEAD request returns the Server header. Many
security administrators are now removing this information so that hackers cannot use it
against them, though scanners can often still fingerprint a service from its behavior.

Case Study
Mopping Up Leakage
Juliet is the network administrator for a startup company. She is aware that in order to
connect her network servers to the Internet, information about her servers will be made
public.
One of the ways Juliet can reduce the threat of unwanted hacker activity is to ensure
that the network servers provide as little information as possible concerning their
operations. When Juliet established Internet connectivity, the following information about
her system was made public:
Banner information about the Web, FTP, DNS and e-mail servers
TCP services that the network was running
User and account names
Routing tables
DNS server contents
InterNIC registration information
* * *
As a class, discuss this scenario and answer the following questions.
What information is necessary for users to connect to the Internet?
What information is not necessary for users to connect to the Internet?
Which of the points listed above are safe to disclose?
Which points might invite unwanted hacker activity?

Lesson Summary
Application project
One of the things discussed in this lesson is the fact that many Internet and network
daemons reveal too much information. Apache Server, for example, defaults to providing
full information about its configuration. Default information provided includes:
Full information about Apache Server, including the version number.
The type of operating system on which it is installed (e.g., Ubuntu Linux or Windows
Server 2003).
All installed modules (e.g., mod_ssl/2.6.6 OpenSSL/0.9.5a mod_perl/1.24).
To solve this problem, Apache Server allows you to edit the /etc/apache2/apache2.conf
file and set the ServerTokens directive to one of the following:
ServerTokens Full: The banner reveals all information about the daemon and the server,
for example Apache/2.2.11 (Ubuntu) mod_ssl/2.2.11 OpenSSL/0.9.8g. This is the default
setting.
ServerTokens Prod: The banner contains only the word "Apache." This setting has been
available since Apache 1.3.12 and in every 2.x release.
ServerTokens Major and ServerTokens Minor: The banner adds the major version number, or
the major and minor version numbers (for example Apache/2 or Apache/2.2).
ServerTokens Minimal: The banner contains the server name and full version number only,
for example Apache/2.2.11.
ServerTokens OS: The server's banner contains the name and version of the Web server, as
well as the operating system name.
Open /etc/apache2/apache2.conf. Scroll down to the ServerTokens entry, and enter the
following:
ServerTokens Minimal
After you restart Apache Server (/etc/init.d/apache2 restart), the Web server will re-read
the configuration file. As a result, the new Apache banner will contain only the Apache
server's name and version. Providing less information in many cases will help keep your
systems more secure. To verify the change, connect via Telnet to port 80, type
HEAD / HTTP/1.0 followed by two blank lines, and read the Server header in the response;
the same check can be scripted or run from a vulnerability scanner, which may also try to
fingerprint the version from the server's behavior rather than its banner. Set
ServerSignature Off as well, so that the footer Apache adds to its error pages does not
echo the server identification.
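To verify the banner change without a scanner, the following added example (not from the original text) sends the same HEAD request you would type into Telnet, reads the Server header, and infers which ServerTokens level produced it; it also checks an error page for the ServerSignature footer. The responses and host name in the script are constructed so the classification runs offline; head_request() is the live version and is not called by the offline run.

```python
"""Added example (not from the CIW text): grab an HTTP Server header the way a scanner
would, infer the ServerTokens level behind it, and spot the ServerSignature footer that
can still leak the version on error pages. The responses below are constructed."""
import re
import socket

APACHE_BANNER = re.compile(
    r"^Apache(?:/(?P<major>\d+)(?:\.(?P<minor>\d+))?(?:\.(?P<patch>\S+))?)?"
    r"(?: \((?P<os>[^)]*)\))?(?: (?P<modules>.+))?$")
SIGNATURE = re.compile(r"<address>(Apache\S*.*?) Server at \S+ Port \d+</address>")


def head_request(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Live check: a bare HEAD request over a plain socket, which is all Telnet to port 80
    amounts to. Returns the raw response headers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("iso-8859-1")


def server_header(raw_response: str):
    """Value of the Server header, or None when the server sends none."""
    headers = raw_response.split("\r\n\r\n", 1)[0]
    for line in headers.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def server_tokens_level(banner):
    """Infer the ServerTokens setting from how much the banner reveals."""
    if banner is None:
        return "header removed"
    m = APACHE_BANNER.match(banner)
    if not m:
        return "not Apache"
    if m.group("modules"):
        return "Full"
    if m.group("os"):
        return "OS"
    if m.group("patch"):
        return "Minimal"
    if m.group("minor"):
        return "Minor"
    if m.group("major"):
        return "Major"
    return "Prod"


def signature_leak(html_body: str):
    """Version string from the footer that ServerSignature On adds to error pages, if any."""
    m = SIGNATURE.search(html_body)
    return m.group(1) if m else None


# Constructed responses for an offline run; www.example.com is a placeholder host.
FULL_RESPONSE = ("HTTP/1.1 200 OK\r\nDate: Tue, 03 Feb 2009 09:00:00 GMT\r\n"
                 "Server: Apache/2.2.11 (Ubuntu) mod_ssl/2.2.11 OpenSSL/0.9.8g\r\n"
                 "Content-Type: text/html\r\n\r\n")
PROD_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
NOT_FOUND_BODY = ("<html><body><h1>Not Found</h1><hr>"
                  "<address>Apache/2.2.11 (Ubuntu) Server at www.example.com Port 80</address>"
                  "</body></html>")

if __name__ == "__main__":
    for raw in (FULL_RESPONSE, PROD_RESPONSE):
        banner = server_header(raw)
        print(f"{banner!r:60} -> ServerTokens {server_tokens_level(banner)}")
    print("error page still says:", signature_leak(NOT_FOUND_BODY))
```

Run server_tokens_level(server_header(head_request("your-host"))) before and after the restart to see the banner shrink; then request a page that does not exist and pass the body to signature_leak() to confirm the error page footer is gone too.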
Skills review
In this lesson, you learned about specific attacks that hackers perpetrate against target
systems. You learned about brute-force and dictionary attacks, as well as how system
bugs can expose a system to hacker activity. You also learned about the various types of
malware that are specifically designed to harm computer systems.
You learned about social engineering attacks, and how to monitor denial-of-service (DOS)
and distributed denial-of-service (DDOS) attacks. One of the ways to reduce threats is to
ensure that your system provides as little information as possible concerning its
operations. You learned how spoofing attacks can hide the identity of a hacker, and how
scanning attacks detect open system ports. You learned that man-in-the-middle attacks
can be as simple as sniffing information on the network, or as complex as injecting
packets and hijacking connections.

You learned how bots and botnets launch automated scripts to run repetitive tasks to
take control of affected computers. You also learned how SQL injection is used to inject
SQL code into Web application login forms to gain access to an organization's database.
Finally, you learned how systems administrators can use auditing to assess and protect
their networks and systems, often by using the same techniques and tools that hackers
use.
Now that you have completed this lesson, you should be able to:
- 1.2.5: Identify the importance of auditing.
- 1.4.3: Identify specific types of security attacks.
- 1.4.4: Identify a brute-force attack.
- 1.4.5: Identify a dictionary attack.
- 1.4.6: Identify routing issues and security.
- 1.4.7: Determine the causes and results of a denial-of-service (DOS) attack.
- 1.4.8: Recognize attack incidents.
- 1.4.9: Distinguish between illicit servers and trojans.

Lesson 4 Review
1. Describe the difference between a virus and a worm.





2. Describe the difference between a dictionary attack and a brute-force attack.





3. How does a bug differ from a back door?



4. What is social engineering?



5. What is the primary difference between a DOS and a DDOS attack?





Lesson 5: Recent Networking Vulnerability Considerations
Objectives
By the end of this lesson, you will be able to:
- 1.1.3: Identify potential risk factors for data security, including improper
authentication.
- 1.2.5: Identify the importance of auditing.
- 1.4.3: Identify specific types of security attacks.
- 1.4.8: Recognize attack incidents.

In addition to the CIW Security Professional objectives listed above, you will also study
the following topics and skills:
- Security issues associated with wireless network technologies.
- Security issues associated with convergence networking technologies.
- Security issues associated with Web 2.0 technologies.
- Additional security issues, including greynet applications, data at rest, trusted users
within an organization, anonymous downloads and indiscriminate link-clicking.

Pre-Assessment Questions
1. What type of networking makes use of spread spectrum signaling, such as FHSS,
DSSS and OFDM?
a. Convergence networking
b. Virtual networking
c. Web 2.0 networking
d. Wireless networking
2. Which of the following Web 2.0 technologies provides the user with both author and
editor privileges, so that he or she can create or update collaborative Web sites "on
the fly"?
a. Ajax
b. Blogs
c. RSS
d. Wikis
3. The 802.1X standard was designed by the IEEE to centrally authenticate users
who want to access 802.11 wireless networks. Describe the four-step process
that occurs when a wireless client connects to such a network.







Networking Vulnerability Considerations
You have been introduced to the concepts of network security, potential security
breaches and some techniques you can use to combat network vulnerabilities. In this
lesson, you will learn about security issues associated with wireless network
technologies, convergence networking technologies and Web 2.0 technologies. You will
also learn about the dangers of downloading and installing applications of which your
network administrative staff is unaware, as well as the security threats associated with
data at rest, trusted users within an organization, anonymous downloads and
indiscriminate link-clicking.
Many of these topics do not map to numbered CIW Security Professional
objectives. These topics are very current and may be included in the CIW v5
Security Professional objectives in the future. At this time, these important topics
are marked with unnumbered objective callout boxes to signify their relevance.
Wireless Network Technologies and Security
Wireless technologies enable the operation of mobile phones and wireless network
connections. Wireless (mobile) phones and most wireless NICs and access points are
radios, and they rely on the sending and receiving of radio waves. (Some wireless
networking technologies use optical transmission.)
The term WiFi (short for Wireless Fidelity) generically refers to any type of 802.11
wireless network. The IEEE 802.11 series of standards defines the features and functions
of a high-speed wireless LAN. WiFi provides high-speed data connections between mobile
devices and WiFi access points using short-range wireless transmissions. Mobile devices
can include laptops, PDAs, BlackBerries, iPods or mobile phones.
A wireless LAN (WLAN) is one in which a mobile user can connect to a local area network
(LAN) through a wireless (radio) connection. The only difference between a wireless LAN
and a cabled LAN is the medium itself: Wireless systems use wireless signals instead of a
network cable. A standard system that uses a wireless NIC is called an end point.
Wireless networking is usually implemented in a hybrid environment, in which wireless
components communicate with a network that uses cables. For example, a laptop
computer may use its wireless capabilities to connect with a corporate LAN that uses
standard wiring.
Table 5-1 provides an overview of the most essential wireless Ethernet elements.
Table 5-1: Wireless Ethernet elements
Wireless Element: Description
Wireless NIC: This device is installed on a PC to make it a wireless client. It can be
attached in any number of ways, including PCI card, USB or Personal Computer Memory
Card International Association (PCMCIA).
Wireless access point (AP): Also known as a base station or a hotspot. The wireless
counterpart to a standard Ethernet hub or switch. Provides centralized access to multiple
wireless clients. A wireless AP can then be connected to a standard (wired) Ethernet hub,
switch, bridge or router.
Configuration software: Software necessary to configure both the client and the AP.
Provided by the manufacturer. Wireless equipment belonging to the same standard is
interoperable between manufacturers, unless the manufacturer has added a non-standard
feature (usually a form of encryption). Even non-standard equipment will support
universal features.
OBJECTIVE: Security issues with wireless network technologies
WiFi: Short for Wireless Fidelity. A generic term referring to any type of 802.11 high-speed
wireless network.
end point: A system that uses a wireless NIC.
Table 5-1: Wireless Ethernet elements (cont'd)
Wireless Element: Description
Antenna: All wireless devices (e.g., wireless clients and APs) require an antenna.
Sometimes the antenna is encased inside the device, or it is attached to the outside. In
many cases, it is possible to attach more powerful antennae, which can allow the wireless
network client to reside farther away than originally intended by the manufacturer.
Beacon: When a wireless AP is ready to accept connections, it sends a special Ethernet
frame called a beacon management frame to inform clients of its availability.
Service Set Identifier (SSID): A unique identifier for a wireless cell that controls access to
the cell. Often, a SSID is a simple text string entered into an AP. SSIDs are case-sensitive.
They can also be encrypted.
Wireless signals
Wireless networking uses spread spectrum signaling. Spread spectrum is secure and is
used today for military satellite systems. In spread spectrum technologies, a signal is
generated by a system, then sent (i.e., spread) over a large number of frequencies to
another system, which then reassembles the data. Wireless networks can use the
following types of spread spectrum transmissions:
- Frequency Hopping Spread Spectrum (FHSS): Originally developed during World War II,
FHSS involves changing the frequency of a transmission at regular intervals. That is,
signals move from frequency to frequency, and each frequency change is called a hop.
Both the client and the server must coordinate the hops between frequencies. That is,
they retune at regular intervals during the transmission. Even though FHSS networks use
hop sequences, they do not make connections any more secure than those found in DSSS
networks.
- Direct Sequence Spread Spectrum (DSSS): In this method of transmission, rather than
hopping from one frequency to another, a signal is spread over the entire band at once
through the use of a spreading function. DSSS is used by IEEE 802.11b and 802.11g
networks.
- Orthogonal Frequency Division Multiplexing (OFDM): OFDM splits a radio signal into
smaller sub-signals that are transmitted simultaneously on different frequencies. 802.11a
and 802.11g networks can use OFDM.
IEEE 802.11 Wireless Standards
OBJECTIVE: Security issues with wireless network technologies
The IEEE 802.11 group of standards specifies the technologies for wireless LANs. It
standardizes wireless LAN equipment and speeds. Such equipment has become popular in
homes, small businesses and large enterprises.
The 802.11 specifications are part of an evolving set of wireless network standards known
as the 802.11 family. The particular specification under which a wireless network
operates is called its "flavor." Following is a summary of the most common wireless
Ethernet specifications:
- 802.11 (WiFi): The original specifications for wireless networking. Initially provided
for data rates of 1 Mbps or 2 Mbps in the 2.4-GHz band using either FHSS or DSSS.
At one time, the term WiFi applied only to products using the 802.11b standard, but
today it applies to products that use the 802.11 standard.
spread spectrum: Various methods for radio transmission in which frequencies or signal
patterns are continuously changed.
- 802.11a: Operates at up to 54 Mbps in the 5-GHz band. This standard uses OFDM
for transmitting data. This standard also offers stronger encryption and more
authentication features than 802.11b, and includes Forward Error Correction (FEC)
to guard against data loss. This standard offers the same speed as 802.11g but offers
higher capacity. The 802.11a standard was ratified after 802.11b and is not
backward-compatible with 802.11b or 802.11g.
- 802.11b: Operates at 11 Mbps (but will fall back to 5.5, then 2, then 1 Mbps if signal
quality becomes an issue) in the 2.4-GHz band. Uses DSSS only. Because it operates
in the 2.4-GHz band, it is subject to interference from microwave ovens, cordless
phones and Bluetooth devices, which also operate in this band. The 802.11b
standard also uses weak encryption and authentication, but is inexpensive and easy
to install.
- 802.11e: Provides Quality of Service (QoS) standards for wireless networks,
enabling them to carry delay-sensitive packets, such as those for Voice over Wireless
LAN (VoWLAN) and streaming media.
- 802.11g: Operates at speeds of up to 54 Mbps in the 2.4-GHz band. Backward-
compatible with 802.11b. An 802.11g network card will work with an 802.11b access
point, and an 802.11g access point will work with an 802.11b network card, but only
at speeds up to 11 Mbps. To achieve 54-Mbps throughput, you must use 802.11g
network cards and access points. The 802.11g standard uses OFDM or DSSS. These
networks provide security features similar to those provided by 802.11a networks.
- 802.11h: Solves problems with wireless networks operating in the 5-GHz band by
decreasing interference with satellites and radar, thus making them acceptable in
Europe and in several other countries.
- 802.11i: Also known as WPA2, this amendment to the 802.11 standard specifies
wireless security enhancements that supersede WiFi Protected Access (WPA). The
original security mechanism for wireless networks was Wired Equivalent Privacy
(WEP), but WEP had severe security weaknesses. WPA was developed as an
intermediate solution for the weaknesses in WEP and was the standard until the
introduction of WPA2.
The access method for all the IEEE 802.11 specifications is Carrier-Sense Multiple
Access/Collision Avoidance (CSMA/CA), which specifies that each node must inform
other nodes of an intent to transmit. When the other nodes have been notified, the
information is transmitted. This arrangement prevents collisions because all nodes are
aware of a transmission before it occurs.
IEEE 802.11n wireless standard
IEEE 802.11n is the most current wireless standard. It enables high-bandwidth
applications such as streaming video to coexist with wireless VoIP. Compared to the
previous wireless standards, 802.11n enables you to build bigger, faster wireless
networks that deliver better reliability and capacity with more built-in security.
The 802.11g standard was ratified by the IEEE in 2003 but is becoming less adequate as
applications become more complex and require more bandwidth. For example, the use of
streaming video is difficult with 802.11g products, which have a theoretical maximum
throughput speed of 54 Mbps. However, real-world speeds are generally in the 22 Mbps
to 24 Mbps range, which is inadequate for video.
The 802.11n standard uses new technologies to give WiFi increased speed and range.
These technologies are:
- Multiple Input, Multiple Output (MIMO): MIMO uses multiple antennae to direct
signals from one place to another. Instead of sending and receiving a single stream of
data, MIMO can simultaneously transmit three streams of data and receive two. This
technique enables more data to be transmitted in the same period of time. It also
increases the range, or distance over which data can be transmitted. 802.11n
equipment typically delivers more than twice the range of 802.11g equipment. The
increased range of 802.11n also can mean fewer "dead spots" in coverage.
- Channel bonding: In channel bonding, two separate non-overlapping channels can
be used at the same time to transmit data. This technique also increases the amount
of data that can be transmitted.
- Payload optimization (also known as packet aggregation): Payload optimization
is a technique that enables more data to be included in each transmitted packet.
The 802.11n standard also supports WPA and WPA2 for encryption and authentication.
That makes 802.11n particularly attractive to small and medium-size businesses, which
typically do not have the level of IT resources that larger companies do.
Note: You can periodically check the IEEE 802.11 Working Group for WLAN Standards site
at www.ieee802.org/11/ for the latest information about wireless LAN standards.
Wireless Networking Modes
Two types of wireless modes exist for 802.11a, 802.11b and 802.11g networks:
- Ad-hoc, in which systems use only their NICs to connect with each other.
- Infrastructure, in which systems connect via a centralized access point, called a
wireless access point (AP).
Figure 5-1 illustrates the two types of wireless networks.

Figure 5-1: Ad-hoc vs. infrastructure mode
Wireless access points (APs)
A wireless access point (AP) is a device that acts much like a standard hub or switch in
that it allows wireless systems to communicate with each other, as long as they are on
the same network. It is possible to attach a wireless AP to a standard Ethernet hub or
switch, and thus extend your network without having to lay down wires, which can be
inconvenient. It is also possible for a wireless AP to include a router, which enables
multiple wireless and wired networks to communicate with each other.
OBJECTIVE: Security issues with wireless network technologies
Wireless cells
A wireless cell is a collection of wireless clients around a specific wireless AP. The farther
away a client is from a wireless AP, the less it is inclined to belong to a particular cell
because the AP beacon becomes too weak, and interference results.

Resources often call a wireless cell a "sphere of influence" that is generated by a
specific wireless AP.
If multiple cells exist in close proximity, a client may reside in several wireless cells at one
time. Due to the nature of wireless networks, it is also possible for a mobile client (i.e., a
laptop computer) to be moved from one wireless cell to another. As a result, it is possible
for people to move from one wireless cell to another to gain (sometimes illicit) access to a
wireless network and its resources. Resources can include files, printers and other
networks, such as the Internet.
Types of authentication in wireless networks
Table 5-2 describes the two types of wireless authentication used in wireless networks.
Table 5-2: Authentication types in wireless networks
Security Level: Description
Open System Authentication (OSA): Authentication occurs in cleartext.
Shared Key Authentication (SKA): Wired Equivalent Privacy (WEP) is employed. Both the
wireless AP and the wireless client share the key.

Basic Service Set Identifier (BSSID)
A Basic Service Set Identifier (BSSID) is provided by a wireless AP and has one function:
to differentiate one wireless cell from another. The BSSID does not contain authentication
information. In fact, it is most often the MAC address of the wireless AP.
Service Set Identifier (SSID)
A Service Set Identifier (SSID) is a unique name for each wireless cell (i.e., network). A
SSID is used to control access into a particular wireless cell. Usually, a SSID is a simple
text string entered into a wireless AP, although a SSID can also be established by hosts
participating in an ad-hoc wireless network. Once a wireless AP has a SSID entered, this
AP immediately becomes differentiated from other wireless cells. SSID values are case-
sensitive and can be up to 32 characters long. They can also be encrypted.

A SSID is not the same as a BSSID.

Common default wireless AP SSIDs include the following:
- ANY (in lowercase and/or uppercase letters).
- The vendor name (e.g., Linksys, Belkin, again in uppercase and/or lowercase). Cisco
Aironet cards use the word tsunami.
- Some cards default to a blank SSID.
To at least begin to secure your system, change default SSID settings.
Figure 5-2 shows the configuration interface for a common wireless AP.

Figure 5-2: Configuration interface for common wireless AP
Notice that values exist for the BSSID as well as for the SSID. It is also possible to
configure a wireless AP so that it has its own IP address information. The default channel
is often 11, although you can specify your own channel. The Request To Send (RTS)
threshold determines the wireless AP's ability to communicate with clients. A lower RTS
value can help a busy wireless AP recover from excessive collisions more quickly. As a
result, more clients can access the AP. However, setting the value too low can cause the
AP to send too many RTS packets, which can reduce the AP's ability to handle traffic
efficiently. Too large a setting can reduce the number of clients that can effectively access
the wireless AP.
Wireless AP beacon
Whenever a wireless AP is ready to accept connections, it sends a special Ethernet frame
called a beacon management frame. This beacon informs clients about the AP's
availability. Clients that are not specifically configured to use a particular wireless AP use
this beacon to determine their participation in a wireless network. If a client knows where
to go, it does not rely upon an AP's beacon. The beacon contains the SSID, and can often
be decrypted easily by hackers because it is usually encrypted insufficiently. In some
wireless APs, it is possible to disable beaconing or to reduce beacon frequency.
Host association
Three association states exist for a wireless client:
- Unauthenticated and unassociated
- Authenticated and unassociated
- Authenticated and associated
When a wireless host is transmitting information through a network access point, it must
be authenticated and associated. An authenticated but unassociated host has simply
been recognized by the wireless AP, but the host is not currently sending information
through the AP.
Wireless Application Protocol (WAP)
Wireless Application Protocol (WAP) provides a uniform set of communication standards
for cellular phones and other mobile wireless equipment. WAP is not used in wireless
Ethernet networks. WAP provides the following services:
- Uniform scripting standards for wireless devices: WAP includes specifications for
Wireless Markup Language (WML), which is roughly analogous to Hypertext Markup
Language (HTML), commonly used in Web browsers and e-mail clients. Essentially,
compare the functions of HTML and JavaScript to Web browsers; WML and WMLScript
provide the same functions to mobile wireless clients (e.g., Web browsers embedded into
cell phones and PDAs).
- A method of encrypting transmissions from WAP-enabled phones: The most important
WAP element to understand is Wireless Transport Layer Security (WTLS), which is
designed to encrypt wireless packets. WTLS is similar to SSL/TLS in that it uses
certificates to encrypt data. WTLS is often referred to as wireless PKI.
WTLS benefits
WTLS supports various protocols, including connection-oriented and connectionless
protocols (i.e., TCP and UDP respectively). As a result, it is possible to use WTLS with a
UDP data stream, as well as with TCP. SSL/TLS can only encrypt TCP-based traffic.
WTLS is designed to encrypt transmissions using as little bandwidth as possible, which
makes it more efficient than SSL and TLS when used on cellular phones. WTLS is also
designed to encrypt transmissions without requiring as many CPU cycles as SSL/TLS.
Problems with WTLS
You have learned about the benefits of WTLS in regards to cellular phones and other non-
Ethernet devices. Understand that WTLS is a PKI solution like any other, except that it is
designed for low-bandwidth environments (e.g., cell phones). When WTLS traffic remains
on a cellular network, it is quite secure. However, cellular traffic is increasingly placed
onto Ethernet data networks via a wireless gateway.
When wireless information is placed onto a standard network via a gateway, it must be
decrypted from WTLS and then re-encrypted into a standard PKI solution, such as SSL or
TLS. This decryption and re-encryption at the gateway introduces what many have called
a security "gap in the WAP," because at this point it is possible for individuals to sniff
connections and obtain sensitive information. Thus, the gateway is a weak point when
wireless telephones communicate with standard networks to create convergent networks.
Languages used in WAP
Wireless devices, such as cell phones, use Wireless Markup Language (WML) to send,
receive and read formatted documents. WAP also includes WMLScript, which is roughly
analogous to JavaScript.
OBJECTIVE: Security issues with wireless network technologies
Wireless Transport Layer Security (WTLS): The Wireless Application Protocol (WAP)
encryption standard that uses certificates to encrypt wireless packets.
Wireless Network Security Problems
Table 5-3 describes the common security problems with wireless networks.
Table 5-3: Common wireless network security problems
Cleartext transmission
  Description: By default, many wireless network protocols communicate in the clear (i.e.,
  in cleartext), just like an Ethernet network.
  Solution: Enable encryption solutions such as WiFi Protected Access (WPA).
Access control
  Description: It is possible to obtain the SSID because it is either unencrypted or poorly
  encrypted. Thus, any host can access the network once it is configured with the AP's
  SSID.
  Solution: Enable MAC address filtering.
Unauthorized APs and wireless systems
  Description: Users may incorporate their own APs and wireless systems to speed up
  their work. However, such systems can create an opening around the corporate firewall.
  This problem becomes even more serious if the AP is then plugged into a network hub or
  switch.
  Solution: Conduct regular site surveys to ensure that only authorized networks are in
  use.
Corporate users participating in ad-hoc networks
  Description: Most ad-hoc networks lack encryption mechanisms. Outsiders can connect
  to an ad-hoc network without a user's knowledge or consent and access files on his or
  her computer, or access the network to which the user's computer is attached.
  Solution: Periodically check the settings on users' WLAN cards, or lock user profiles to
  prevent access to these settings.
Weak and/or flawed encryption
  Description: Even if you have enabled Wired Equivalent Privacy (WEP), you are not as
  protected as you might think. WEP encryption has been cracked. Also, part of the WEP
  handshake is not encrypted.
  Solution: Use additional encryption and authentication methods.
Encryption and network traffic
  Description: The packet-by-packet encryption process can slow traffic, especially in
  busy systems.
  Solution: Use additional APs, or move from a wireless solution to a faster wired solution
  (e.g., Fast Ethernet).
War driving
  Description: Malicious users can surreptitiously scan for wireless APs that allow
  unauthorized access. Also called war walking, for those who are surveying sites on foot.
  Solution: Conduct site surveys, and use the latest stable encryption and authentication
  mechanisms. Also disable beaconing from the wireless AP.
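As an added example (not from the CIW guide), the following Python audit encodes the problems and solutions of Table 5-3, together with the default SSIDs listed earlier in this section, as checks over a constructed access point configuration. The configuration keys (ssid, encryption, authentication, beaconing) and the two sample configurations are assumptions made for this example.

```python
"""Audit a wireless AP configuration against the problems in Table 5-3.

Added example (not from the CIW guide). An AP configuration is a small
dict; audit_ap() returns one Finding per weak setting, each paired with
the mitigation the text gives for that problem. The configuration keys
and the two sample configurations are constructed for this example; the
default-SSID list comes from the SSID section (ANY, vendor names such as
Linksys or Belkin, tsunami, or a blank SSID).
"""
from dataclasses import dataclass

# Default SSIDs named in the text, compared case-insensitively because
# the text notes they appear in upper and/or lower case.
DEFAULT_SSIDS = {"", "any", "linksys", "belkin", "tsunami"}


@dataclass(frozen=True)
class Finding:
    problem: str      # row of Table 5-3, or "Default SSID"
    detail: str
    mitigation: str


def audit_ap(config):
    """Return the list of findings for one AP configuration (empty if clean)."""
    findings = []
    ssid = config.get("ssid", "")
    encryption = config.get("encryption", "none").lower()
    auth = config.get("authentication", "open").lower()

    if ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append(Finding(
            "Default SSID",
            f"SSID {ssid!r} is blank or a vendor default",
            "Change the default SSID before placing the AP in service."))

    if encryption == "none":
        findings.append(Finding(
            "Cleartext transmission",
            "no link-layer encryption is enabled",
            "Enable an encryption solution such as WPA/WPA2."))
    elif encryption == "wep":
        findings.append(Finding(
            "Weak and/or flawed encryption",
            "WEP is enabled; WEP has been cracked and part of its handshake "
            "is unencrypted",
            "Use additional encryption and authentication methods (WPA2, 802.1x)."))

    # OSA and SKA (Table 5-2) both let any host that learns the SSID try to join.
    if auth in ("open", "shared"):
        findings.append(Finding(
            "Access control",
            f"{auth} authentication lets any host that learns the SSID join",
            "Enable MAC address filtering and, since MACs can be spoofed, "
            "prefer 802.1x with EAP."))

    if config.get("beaconing", True):
        findings.append(Finding(
            "War driving",
            "the AP advertises its SSID in beacon frames",
            "Disable beaconing (or reduce beacon frequency) where clients allow it."))

    return findings


# Constructed sample configurations: a factory-default AP and a hardened one.
DEFAULT_AP = {"ssid": "linksys", "encryption": "none",
              "authentication": "open", "beaconing": True}
HARDENED_AP = {"ssid": "corp-floor3", "encryption": "wpa2",
               "authentication": "802.1x", "beaconing": False}


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_AP), ("hardened", HARDENED_AP)):
        results = audit_ap(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.problem}] {f.detail}. Fix: {f.mitigation}")
```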
Wireless Network Security Solutions
There are several available solutions for wireless security. These include:
- Wired Equivalent Privacy (WEP).
- MAC address filtering.
- 802.11i (WiFi Protected Access [WPA2]).
- 802.1x.
- Remote Authentication Dial-In User Service (RADIUS).
- Other physical and configuration solutions.
OBJECTIVE: Security issues with wireless network technologies
OBJECTIVE 1.1.3: Risk factors for data security
OBJECTIVE 1.4.3: Security attack types
Wired Equivalent Privacy (WEP)
Wireless networks do not encrypt information by default. Wired Equivalent Privacy (WEP)
encrypts all data packets sent between all wireless clients and the wireless AP. WEP uses
a four-step handshake when authenticating a client:
1. The client requests authentication. This request is sent unencrypted.
2. The AP issues a challenge to the client. The challenge is sent unencrypted.
3. The client sends an encrypted response to the challenge.
4. The AP sends an encrypted authentication response.
Because the request and the challenge are both unencrypted, it is possible for hackers to
use sniffing applications to try to take advantage of this exchange and obtain the SSID.
WEP is an obsolete protocol that is fundamentally flawed. Because of this, other
advanced security schemes such as 802.1x and WPA2 should be used wherever possible.
However, in some situations (for example, in some Voice over WLAN [VoWLAN]
implementations), these advanced security schemes may require too much overhead and
will result in slowed transmissions. In such situations, WEP must be used.
MAC address filtering
It was quickly discovered that the use of a SSID did not provide adequate control over a
wireless cell, especially because WEP was vulnerable. Accordingly, another method for
limiting access to a resource was developed: MAC address filtering. In MAC address
filtering, an AP is configured so that it allows only certain system MAC addresses to
communicate with the rest of the network. MAC address filtering can be performed using
either of two policies:
- Exclude all by default, then allow only listed clients.
- Include all by default, then exclude listed clients.
Figure 5-3 shows a simple MAC address filter utility for a common wireless AP.

Figure 5-3: Creating MAC address filter
In this example, you will see that only two systems are allowed to use this wireless AP.
They are the only items listed in this particular access control list (ACL). This particular
interface is designed to exclude all systems, except for those explicitly permitted.
MAC address spoofing
The chief problem with MAC address filtering is that it is possible to spoof (i.e., clone)
MAC addresses using commonly available software. Because it is possible to easily spoof
MAC addresses, the practice of filtering only increases the challenge for hackers. To solve
the problem, use stronger authentication and access control methods, such as 802.1x
and the Extensible Authentication Protocol (EAP).
MAC address spoofing can also be used in other ways, including creating DDoS
attacks. For example, you could generate a MAC-based conflict on a network
between several systems, which will then be unable to communicate on the
network.
Following is an example of MAC address spoofing. In the example, a Linux system first
tries and fails to ping a system named accounting.company.com, which is connected
through a wireless AP that excludes all but those systems with specific MAC addresses.
Not thwarted by this initial failure, the attacker knows from doing reconnaissance that
the system named receiving.company.com is on the AP's MAC address filter ACL, and is
thus allowed to connect to it. To see if the receiving.company.com system's MAC address
is in the attacker's ARP cache, he runs the arp command for the first time. The system's
MAC address is not listed.
So, the attacker pings receiving.company.com to obtain that system's MAC address,
which is viewable using the arp command once again. Then, the attacker loads an
application called Macc to change its MAC address to be the same as
receiving.company.com. Thus, the attacker is able to gain access to the wireless AP and
systems on its network (i.e., wireless cell). The attacker is then able to scan the accounts
server for weaknesses using Nmap, generate an attack on the system's Web server, then
add an account called admin1 that has full administrative permissions.
root@albion james]# ping accounting.company.com
PING accounting.company.com (10.100.100.39) from 10.100.101.38: 56 (84) bytes of data
100 packets transmitted, 0 received, 100% loss, time 50000ms
root@albion james]# arp
albion.company.com ether 00:50:BA:8B:A9:4E C wlan0
router.company.com ether 00:80:5F:FE:14:C1 C wlan0
root@albion james]# ping receiving.company.com
PING receiving.company.com (192.168.2.5) from 10.100.101.38: 56(84) bytes of data.
64 bytes from receiving.company.com (192.168.2.5): icmp_seq=1 ttl=255 time=5.09 ms
64 bytes from receiving.company.com (192.168.2.5): icmp_seq=2 ttl=255 time=2.50 ms
root@albion james]# arp
albion.company.com ether 00:50:BA:8B:A9:4E C wlan0
router.company.com ether 00:80:5F:FE:14:C1 C wlan0
receiving.company.com ether 00:60:97:75:0E:96 C wlan0
root@albion james]# macc --m=00:60:97:75:0E:96 eth0
Current MAC: 00:50:BA:8B:A9:4E [wireless] (Linksys, PCMCIA Card)
Faked MAC: 00:60:97:75:0E:96 (unknown)
root@albion james]# ping accounting.company.com
PING accounting.company.com (10.100.100.39) from 10.100.101.38: 56(84) bytes of data.
64 bytes from accounting.company.com (10.100.100.39): icmp_seq=1 ttl=255 time=5.09 ms
64 bytes from accounting.company.com (10.100.100.39): icmp_seq=2 ttl=255 time=2.50 ms
root@albion james]# nmap accounting.company.com
Starting nmap 3.20 ( www.insecure.org/nmap/ ) at 2003-09-11 16:32 PDT
Interesting ports on accounting.company.com (10.100.100.39):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
23/tcp open telnet
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
1433/udp open ms-sql-s
1723/tcp open pptp
Remote operating system guess: Microsoft Windows.NET Enterprise Server (build
3604-3615 beta)

Nmap run completed -- 1 IP address (1 host up) scanned in 3.785 seconds

root@albion james]# gcc iisbufferattack.c -o iibuffersattack
root@albion james]# ./iisbufferattack.c accounting.company.com
Querying system
System vulnerable. Commencing attack.
Attack successful! User named admin1 added, with full administrative perms!
^C
root@albion james]# Telnet accounting.company.com
Trying 10.100.100.39...
Connected to accounting.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: admin1
password: ********
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\Documents and Settings\admin1>

Now, the admin1 user can make any changes to the system, as well as snoop into
accounting information for this company.
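The cloning shown above leaves a trace on the wired side of the AP: once the attacker's card carries the receiving system's address, two hosts in the router's ARP table share one MAC, and the attacker's host has changed MAC between two readings. As an added example (not from the CIW guide), the following Python script parses ARP entries in the layout shown above and flags both conditions; the two snapshots are constructed for this example, reusing the host names and two MAC addresses from the text.

```python
"""Detect MAC address cloning from ARP table snapshots.

Added example (not from the CIW guide). Parses entries in the same
layout as the `arp` output shown in the text:

    hostname  ether  MAC  flags  interface

and raises the two findings a defender would look for on the wired side
of the AP: one MAC bound to several hosts in a single snapshot, and a
known host whose MAC changes between snapshots. The host names and the
two wlan0 MACs follow the text; the accounting host's MAC and the
snapshots themselves are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

ARP_LINE = re.compile(
    r"^(?P<host>\S+)\s+ether\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"\s+\S+\s+(?P<iface>\S+)\s*$"
)


@dataclass(frozen=True)
class ArpEntry:
    host: str
    mac: str    # normalised to lowercase so case differences do not hide a match
    iface: str


def parse_arp(text):
    """Parse an arp-style table; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append(ArpEntry(m["host"], m["mac"].lower(), m["iface"]))
    return entries


def duplicate_macs(entries):
    """Return {mac: sorted hosts} for every MAC claimed by more than one host."""
    by_mac = defaultdict(set)
    for e in entries:
        by_mac[e.mac].add(e.host)
    return {mac: sorted(hosts) for mac, hosts in by_mac.items() if len(hosts) > 1}


def mac_changes(before, after):
    """Return {host: (old_mac, new_mac)} for hosts whose MAC differs between snapshots."""
    old = {e.host: e.mac for e in before}
    changes = {}
    for e in after:
        if e.host in old and old[e.host] != e.mac:
            changes[e.host] = (old[e.host], e.mac)
    return changes


# Constructed snapshots of the router's ARP table, taken before and after
# the albion client clones the MAC of the allow-listed receiving system.
SNAPSHOT_BEFORE = """\
albion.company.com ether 00:50:BA:8B:A9:4E C wlan0
receiving.company.com ether 00:60:97:75:0E:96 C wlan0
accounting.company.com ether 00:0C:29:3A:1F:7B C eth0
"""

SNAPSHOT_AFTER = """\
albion.company.com ether 00:60:97:75:0E:96 C wlan0
receiving.company.com ether 00:60:97:75:0E:96 C wlan0
accounting.company.com ether 00:0C:29:3A:1F:7B C eth0
"""


def analyse(before_text, after_text):
    """Run both checks and return their findings keyed by check name."""
    before = parse_arp(before_text)
    after = parse_arp(after_text)
    return {"duplicates": duplicate_macs(after),
            "changes": mac_changes(before, after)}


if __name__ == "__main__":
    for kind, findings in analyse(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        for key, value in findings.items():
            print(f"{kind}: {key} -> {value}")
```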
IEEE 802.11i: WiFi Protected Access (WPA)
WiFi Protected Access (WPA) is a specification of security enhancements for WiFi
networks. The current version, WPA2, is now part of the 802.11i standard. 802.11i
makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and
WPA use the RC4 stream cipher. The WPA technology offers several improvements over
WEP, including:
- Improved encryption through Temporal Key Integrity Protocol (TKIP): TKIP is
an encryption scheme that scrambles keys using a hashing algorithm and ensures
the integrity of those keys through an integrity-checking feature.
- Authentication based on Extensible Authentication Protocol (EAP): EAP allows
authentication over PPP links and wireless connections. It is capable of allowing
authentication via a RADIUS server, a challenge/response authentication scheme,
one-time passwords, and digital certificates. EAP is built on a public-key encryption
system to ensure that only authorized users can access a network.
Authentication in WPA2 involves a four-way handshake in which all the exchanges are
encrypted and the access point authenticates itself to the wireless client. WPA2 can be
used to secure video and voice transmissions over a wireless network.
IEEE 802.1x
The 802.1x standard was designed by the IEEE to centrally authenticate users who want
to access 802.11x wireless networks. Traditionally, a wireless client simply authenticates
with a wireless access point (AP). However, decentralizing authentication can lead to
complexity and cause security breaches. The 802.1x standard allows you to connect an
AP to a centralized server (e.g., a RADIUS server) so that all hosts are properly
authenticated.
The 802.1x standard uses EAP for authentication. However, the standard does not
specify encryption. You must combine 802.1x authentication with an encryption method,
such as IPsec.
802.1x authentication process
When a client connects to an AP on an 802.1x network, it is always placed into an
unauthorized state. When a client is unauthorized, it cannot access even the most basic
services. However, as soon as authorization occurs, the client will be allowed to fully
participate on the network.
Following is a step-by-step description of what happens when a client connects to an AP
on an 802.1x network:
1. The client initiates a connection to an AP.
2. The AP recognizes the connection, but considers the connection to be
unauthenticated. As a result, the wireless client will not receive any network services
(e.g., an IP address from a DHCP server). The AP then obtains user-based
authentication credentials from the wireless client.
3. After obtaining credentials from the client, the AP confirms the client's authentication
credentials from a central authentication server (e.g., a RADIUS server).
4. If the credentials are valid, the AP's port is placed into an authorized state. If the
client's credentials are rejected, the session ends.
Remote Authentication Dial-In User Service (RADIUS)
RADIUS is a popular method for centralizing remote user access. Mostly meant for dial-
up access, a RADIUS system can authenticate various connections across a public
network (e.g., modem, cable modem, DSL and wireless). RADIUS uses UDP as its
transport protocol, and RADIUS servers listen on UDP Port 1812.
RADIUS uses advanced encryption techniques. The remote access server and the RADIUS
server use a shared secret to encrypt authentication information. It is also possible to use
additional authentication methods.
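The 802.1x exchange in steps 2 through 4 and the RADIUS shared-secret handling described above, carried out end to end as an added example (Python written for this edit, not code from the CIW guide): the AP hides the user's password under the shared secret as RFC 2865 specifies, the server recovers it and answers, and the AP moves its port to the authorized state only when the reply's Response Authenticator verifies. The user database, credentials and shared secret are constructed values, and the server is called in-process instead of over UDP port 1812.

```python
"""802.1x steps 2-4 as a RADIUS exchange between the AP (RADIUS client) and
the authentication server, following RFC 2865. Added example, not code from
the CIW guide; USERS, the secret and the credentials are constructed. MD5 is
the obfuscation RFC 2865 specifies, not a modern cipher."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
USERS = {b"alice": b"correct horse"}  # constructed credential store

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); block 1 uses the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(ident, request_auth, user, password, secret):
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", 0)))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return head + request_auth + attrs

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_response(response, request_auth, secret):
    """Client: a reply whose Response Authenticator does not verify (wrong
    secret, forged, or a reply to a different request) must be discarded."""
    if len(response) < HEADER_LEN or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def radius_server(request, secret):
    """Authentication server (step 3): recover the password and decide."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    request_auth = request[4:HEADER_LEN]
    attrs = parse_attributes(request[HEADER_LEN:])
    user = attrs.get(ATTR_USER_NAME)
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in USERS and hmac.compare_digest(USERS[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)

def authenticator_port_state(user, password, secret, server_secret=None):
    """AP side (steps 2-4): the port starts unauthorized and becomes
    authorized only on an Access-Accept that verifies under the shared secret."""
    server_secret = secret if server_secret is None else server_secret
    request_auth = os.urandom(16)  # fresh per request; reuse would let replies be replayed
    request = build_access_request(7, request_auth, user, password, secret)
    response = radius_server(request, server_secret)  # stands in for the UDP/1812 round trip
    if response is None or not verify_response(response, request_auth, secret):
        return "unauthorized"
    return "authorized" if response[0] == ACCESS_ACCEPT else "unauthorized"
```

A mismatched secret on either side leaves the port unauthorized, which is the check that stops a forged reply from an unrelated host being taken as an Access-Accept.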
Physical and configuration solutions
In addition to enabling stronger encryption and authentication (and taking basic steps
such as changing the default SSID), you can:
Move the wireless AP to a firewall's DMZ. This way, traffic is by definition
considered to be untrusted, and clients will use the resource at their own peril. Also,
the firewall will be able to protect the internal network from anyone who breaks into
the AP.
Shield the area used by the wireless cell. Thus, war drivers, war walkers and other
snoopers cannot gain access to the packets generated by the wireless AP.
Disable beaconing from the AP. Doing so helps thwart war-driving applications that
need this information to discover networks. War-driving applications can also use
these packets to help defeat encryption and obtain the SSID.
Disable DHCP on the AP. Doing so helps dissuade hackers, who will then have to
take additional steps trying to figure out the network's IP address. As a result, your
wireless clients may need to use static IP addresses.
Regularly change the SSID. Doing so helps thwart unauthorized access.
Site Surveys
A site survey is a review or inspection of a network that is conducted to assess the
network's functionality and the strength of its security measures. Site surveying is a type
of security auditing. Site surveyors often use the same software and methods used by
malicious users in order to discover the vulnerabilities that hackers may want to exploit.
Two types of site surveys are conducted: authorized and unauthorized. Following is a
discussion of each type.
Authorized site surveys
An authorized site survey involves determining the suitability of a wireless LAN in a
network. A site survey should be conducted before the actual wireless solution is put into
place. Whenever you conduct a site survey, you will need to identify the issues discussed
in Table 5-4.
Table 5-4: Issues to consider before site survey
Site Survey Issue: Description
Sources of interference: Wireless networks can fail due to excessive interference from
sources that generate electromagnetic interference (EMI) and radio frequency
interference (RFI). EMI can be generated by motors and manufacturing equipment. RFI
can be caused by radios, cordless phones and imaging devices used in hospitals (e.g.,
MRI devices).
Location for wireless hardware installation: You must identify secure locations to
reduce the possibility of tampering.
Determination of authentication, encryption and access-control means: Various
encryption options are available. If you choose EAP as an authentication mechanism,
you must then choose the authentication protocol.
Possible end-user and IT training: If your situation requires extensive wireless
authentication and mechanisms, you may need to train both IT workers and end users.
Possible modifications to network security policy: If you have not used wireless
technologies before, you should update your security policy to clearly inform users
about acceptable and unacceptable activities. You must also specify the
authentication, encryption and access control mechanisms that are to be used in your
wireless networks.
OBJECTIVE 1.2.5: Auditing
Site surveys after implementation
Whenever a site survey is conducted after wireless implementation, it is generally part of
the overall auditing process. Post-implementation site surveys involve the activities
discussed in Table 5-5.
Table 5-5: Site survey issues after wireless implementation
Site Survey Issue: Description
Unauthorized use of wireless equipment: Look for wireless APs and wireless software
and hardware that can help you identify points at which users are violating the
security policy. For example, look for Network Stumbler and Kismet software
installations, or USB NICs that might suggest the presence of an unauthorized wireless
network.
Identification of problems with authentication, access control and encryption: Make
sure that all steps outlined in your security policy are being followed. Otherwise, a
malicious user may easily penetrate your network.
Location of physical access points that may reduce security or cause network outages:
If a wireless AP is exposed, it may be possible for a user to simply unplug it from the
network, or even steal the equipment.
When conducting site surveys, you will often employ the same software and methods
used by malicious users. For example, if you want to study your network to see if IT
workers are employing unacceptably low levels of WEP encryption or omitting 802.1x
authentication or MAC-based access control, then you can use Network Stumbler, Kismet
or AirSnort to discover and correct these problems.
Unauthorized site surveys: War driving/war walking
War driving is a form of unauthorized site surveying. In war driving, an individual obtains
wireless sniffing software, installs it (usually) on a notebook computer, and drives (or
walks) through areas where wireless networks are suspected to exist.
The term war driving is based on the practice of war dialing, in which hackers
use their modems and large lists of telephone numbers to find modems that
would answer their initial requests. War dialing and war driving are somewhat
analogous to the practice of ping and port scanning, in that they are all
attempts to discover responsive nodes or devices by means of random queries.
War driving often involves the use of a global positioning satellite (GPS), which is used to
generate maps of vulnerable sites. Most war-driving applications generate latitude and
longitude coordinates, which can then be fed into mapping software.
Examples of site surveying software
Figure 5-4 shows that Kismet was able to capture the SSIDs from several networks in a
popular New York City business district.

Figure 5-4: Kismet, showing SSIDs obtained from war driving
Figure 5-5 shows another application called AirSnort, which was able to crack WEP and
report four network SSIDs.

Figure 5-5: War driving using AirSnort
Figure 5-6 shows the Network Stumbler application.

Figure 5-6: Network Stumbler
In this figure, a network with the SSID of paunet has been identified. It has four systems
on it that are generating quite a bit of traffic.
War driving applications capture and analyze beacon traffic to determine the presence of
wireless networks. They then use the strategies discussed earlier to determine the
wireless AP's name, the types of data it is generating, and its encryption and
authentication methods. They can also identify the firmware used in an AP and report
weaknesses. For example, one wireless AP sold by Belkin once contained a problem in its
SNMP implementation that allowed anyone with access to simple SNMP query tools to
conduct a denial-of-service (DoS) attack. The solution was to upgrade the company's
firmware.
Once the war-driving application obtains authentication and encryption information, it
can then subject these packets to attacks and obtain the AP's SSID.
Following are some popular sites for learning more about war driving:
WarDriving.com (www.wardriving.com)
WLANA Wireless LAN Association (www.wlana.org)
BitShift (http://bitshift.org/projects/page13/page13.html)
Jeff Duntemann's Wardriving FAQ (www.drivebywifiguide.com/wardrivingfaq.htm)
NetStumbler.com (www.netstumbler.com)
Kismet (www.kismetwireless.net)
In the following lab, you will install a war-driving application and analyze its capture.
Suppose you have recently installed a wireless network for your company. Because your
network may be subject to unauthorized use by outsiders who find it using war-driving
techniques, it makes sense for you to conduct a site survey on your network using the
same techniques that a hacker might use. By uncovering vulnerabilities in your new
wireless network, you can then work to resolve them and secure your network.

Lab 5-1: Installing a war-driving application and analyzing a site survey capture
In this lab, you will install a war-driving application and analyze its capture.
Note: It is unlikely that your systems will have wireless cards. This lab will install Network
Stumbler, then view a capture from an existing site survey.
1. Instructor: Enable Internet access for the classroom.
2. Log on as administrator.
3. Go to the NetStumbler home page (www.netstumbler.com) and click the necessary
links to download the installation program to your Desktop.
4. Once you have downloaded the program to your Desktop, double-click the
installation icon and follow the setup instructions.
5. Once the installation is finished, select Start | All Programs | Network Stumbler.
You will see the Network Stumbler window, as shown in Figure 5-7.

Figure 5-7: Network Stumbler window
6. Review the interface. Specifically, identify the following features in the left pane of the
main window:

Channels If wireless traffic is captured or loaded, this feature organizes traffic
according to the channel used by the wireless AP.
SSIDs This feature organizes captured traffic according to the SSIDs captured.
Filters This feature allows you to organize and view traffic according to
predefined filters. For example, default filters exist to place WEP-encrypted traffic
and unencrypted traffic into separate groups.

Notice also that captured traffic will appear in the right pane of the window, where
you can view the MAC address, SSID and other information.
7. Now that you are somewhat familiar with the Network Stumbler interface, you can
analyze a past site survey capture. A capture file from Network Stumbler usually has
the extension of .ns1. Go to the Lab Files/Lesson 5 directory on your student CD-
ROM, and copy the .ns1 files onto your Desktop. If you do not have access to these
files, you will need to download a capture file. Go to the following Web site to
download a capture file to your Desktop:

www.renderlab.net/H2K2
Note: If this site is no longer valid, conduct a search on Google or AltaVista for .ns1
files.
8. After you have placed Network Stumbler capture files on your Desktop, select File |
Open and open one of the .ns1 files. Your screen should resemble Figure 5-8.

Figure 5-8: Viewing Network Stumbler capture file
9. Notice that this view shows all the MAC addresses (BSSIDs), as well as the SSIDs and
other information. Expand Channels. You will see icons for each channel. Expand
each of the channels, then highlight Channel 1 (or the first channel listed). You will
see BSSIDs for each system that is using this particular channel. Click one of the
BSSIDs that you see, as shown in Figure 5-9.

Figure 5-9: Network Stumbler showing traffic decrypted from channel
10. You will see a graph showing the strength of the signal (in green) and the noise (in
red). From this graph, you can determine how busy the wireless AP is. Such
information can help a war driver, or it can help you target busy networks. When
conducting a legitimate site survey, such information can help you differentiate
between an impromptu, personal wireless network and one that is a legitimate part of
the company.
11. Contract Channels, then expand SSIDs. Expand several SSIDs. You will see how
many clients are attached to a SSID, as shown in Figure 5-10.

Figure 5-10: Viewing network clients attached to wireless APs in Network Stumbler
12. Contract SSIDs, then expand Filters. Experiment with the filters you see there.
13. When you are finished experimenting, close Network Stumbler.
14. Remember that it is possible to configure applications such as Network Stumbler to
use a GPS. Review the following links to view maps generated by war drivers who
have conducted their own unauthorized site surveys:
www.theswampbbs.com/80211/ap2.jpg
www.theswampbbs.com/80211/ap3.jpg
http://home.no.net/wlan/Nord_Rogaland_24km.jpg
http://home.no.net/wlan/kop.htm
http://home.no.net/wlan/Skudeneshavn_12km.jpg
http://home.no.net/wlan/Sor_Rogaland_70km.jpg
15. Consider how similar maps could be useful to network security professionals who
work for large companies. Then, consider the usefulness of such maps to malicious
users.
In this lab, you installed and analyzed a war-driving application.

In the following lab, you will analyze traffic captured from site survey software. Suppose
you recently installed a wireless network for your company and conducted a site survey
on it. Analyzing network traffic can provide quite a bit of information about the use and
contents of a network. By uncovering vulnerabilities in your new wireless network, you
can then work to resolve them and secure your network.

Lab 5-2: Analyzing traffic captured from site survey software
In this lab, you will use the Wireshark network protocol analyzer tool to analyze WEP
traffic captured and decrypted by Kismet, a popular site survey application.
If Wireshark is not installed on your system, copy wireshark-setup-1.0.0 from the Lesson
5 folder of the supplemental CD-ROM to your Desktop, double-click the executable file,
and follow the prompts to install Wireshark and WinPcap (a utility that includes drivers
for capturing live network data on Windows systems). Use the default settings.
1. Access your student CD-ROM and copy the kismet.dump file from the Lab
Files/Lesson 5 directory to your Desktop.
2. Select Start | All Programs | Wireshark | Wireshark to start Wireshark.
3. In Wireshark, select File | Open, then open the kismet.dump file. Your screen
should resemble Figure 5-11.


Figure 5-11: Using Wireshark to view WEP traffic captured and decrypted by Kismet
4. Scroll to Packet 8. You will immediately see the SSID in the lower pane (in this case,
IBM_SG_DPD).
5. Expand an IEEE 802.11 beacon frame packet. You will likely find a SSID. If not,
scroll through another packet. Once you see a packet that shows a SSID, expand the
packet to view all of its components.
6. Quit Wireshark.
In this lab, you analyzed WEP traffic captured and decrypted by Kismet.
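The beacon frames Lab 5-2 has you expand in Wireshark, and the beacon analysis that both war-driving applications and post-implementation site surveys rely on, as an added example (Python written for this edit, not code from the CIW guide or from Kismet, Wireshark or Network Stumbler): a parser for the 802.11 beacon management frame that extracts the BSSID, the SSID element, the channel and the capability Privacy bit, then lists the access points an auditor should flag. The frames are constructed inside the block; their BSSIDs are made up and the SSIDs only reuse names shown in this lesson's figures.

```python
"""Parser for IEEE 802.11 beacon frames and the survey classification an
auditor derives from them. Added example, not code from the CIW guide; all
frames here are constructed, and only the fields used below are modelled."""
import struct

BEACON_FC0 = 0x80  # frame control byte 0: type 0 (management), subtype 8 (beacon)
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010  # capability information bits
IE_SSID, IE_RATES, IE_DS_PARAMS, IE_RSN = 0, 1, 3, 48  # information element tags
MGMT_HEADER_LEN, BEACON_FIXED_LEN = 24, 12

def build_beacon(bssid, ssid, privacy, channel, rsn=False):
    """Constructed beacon: 24-byte MAC header, 12 fixed bytes, then IEs."""
    header = (bytes([BEACON_FC0, 0x00]) + b"\x00\x00" + b"\xff" * 6  # addr1 = broadcast
              + bssid + bssid + b"\x00\x00")                         # addr2 = addr3 = BSSID
    capability = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, capability)  # timestamp, interval (TU), capability
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    ies += bytes([IE_DS_PARAMS, 1, channel])
    if rsn:
        ies += bytes([IE_RSN, 2, 0x01, 0x00])  # RSN version field only; enough to detect presence
    return header + fixed + ies

def parse_beacon(frame):
    """Return the fields a survey needs, or None if the frame is not a beacon.
    A truncated element raises instead of being trusted at its declared length."""
    if len(frame) < MGMT_HEADER_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    if frame[0] != BEACON_FC0:
        return None
    _timestamp, interval, capability = struct.unpack("<QHH", frame[24:36])
    info = {"bssid": ":".join(f"{b:02x}" for b in frame[16:22]), "ssid": None,
            "hidden": False, "privacy": bool(capability & CAP_PRIVACY), "rsn": False,
            "channel": None, "interval_tu": interval}
    i = MGMT_HEADER_LEN + BEACON_FIXED_LEN
    while i < len(frame):
        if i + 2 > len(frame):
            raise ValueError("truncated information element header")
        tag, length = frame[i], frame[i + 1]
        value = frame[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("information element length exceeds frame")
        if tag == IE_SSID:  # zero length or all-NUL SSID is a "hidden" network
            info["hidden"] = length == 0 or value.strip(b"\x00") == b""
            info["ssid"] = "" if info["hidden"] else value.decode("utf-8", "replace")
        elif tag == IE_DS_PARAMS and length == 1:
            info["channel"] = value[0]
        elif tag == IE_RSN:
            info["rsn"] = True
        i += 2 + length
    return info

def classify(info):
    """Encryption posture visible from the beacon alone."""
    if not info["privacy"]:
        return "open"
    return "wpa2/rsn" if info["rsn"] else "wep-or-wpa1"  # WPA1 vendor IE (221) not parsed here

def survey(frames):
    """Group beacons by BSSID and list the networks a site survey should flag."""
    seen, findings = {}, []
    for frame in frames:
        info = parse_beacon(frame)
        if info is not None:
            seen[info["bssid"]] = info
    for bssid, info in sorted(seen.items()):
        posture = classify(info)
        if posture != "wpa2/rsn":
            findings.append((bssid, info["ssid"], posture))
    return seen, findings
```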

Convergence Networking and Security
OBJECTIVE: Security issues with convergence networking technologies
OBJECTIVE 1.4.3: Security attack types
OBJECTIVE 1.4.8: Attack incident recognition
Traditionally, computer networks were responsible for transporting data (e.g., e-mail,
Web traffic and so forth). Telephone networks were responsible for transporting voice.
Increasingly, data and telephony networks are converging. Therefore, security
professionals have become responsible for data found in both standard networks and
telephony networks. Consider the following issues related to convergence technologies
and equipment.
Private Branch Exchange (PBX) A PBX allows a company to manage its own
telephone infrastructure. A PBX is a computer dedicated to telephone connections. It
allows a company office to provide its own extensions, voice mail and call forwarding.
It is responsible for handling incoming and outgoing calls. In many cases, a PBX will
have a modem attached to it that allows the PBX vendor or telephone company to
maintain the PBX. Through war dialing, a hacker who specializes in breaking into
telephony equipment (often called a "phreak") might be able to obtain access to this
modem and penetrate the company's telephone system. As a result, the hacker could
obtain voice mail records or make long-distance calls for which your company would
have to pay.
Voice over IP (VoIP) devices Routers and switches can be configured to handle
voice data. In these cases, a security break-in will cause problems not only for
database, Web and e-mail servers, but also for your telephone systems. With the
advent of VoIP, router and switch security becomes paramount.
End-user telephone connections Verify that end users are not making
unauthorized modem connections using company telephone lines. Such connections
enable a security breach. For example, an end user may have a drive on his system
mapped to a confidential resource on the network server. If this end user attaches a
modem to his system and then connects to a remote network, the user on the remote
network might be able to find this mapped drive and access it. At the very least, such
a connection could end up introducing a virus or trojan into the network
environment. To solve this problem, regularly audit end-user cubicles for signs of
unauthorized equipment.
Virtual LANs (VLANs)
A virtual local area network (VLAN) is a logical grouping of hosts, made possible by a
network switch and most newer routers. Generally, a VLAN is not implemented by a
firewall. In a VLAN, a group of hosts can be created regardless of where they are
physically connected to a LAN. Members of this group will then compete with each other
for network access, regardless of their physical location.
In traditional hub-based Ethernet networks, groups of hosts belonged to the same
broadcast domain, unless they were separated by a router. If you used a router,
however, the hosts would not belong to the same logical network. Thus, hub-based
networks that did not want to use a large number of routers relied solely on physical
placement when it came to creating a local group of hosts.
A broadcast domain is not the same as a collision domain. A collision domain is
a group of Ethernet-addressable computers that compete for network access
according to the Carrier Sense Multiple Access / Collision Detection (CSMA/CD)
method of network access.
VLANs are useful in the following ways:
Security If you place hosts that receive or transmit sensitive traffic inside a VLAN,
malicious users will have more difficulty sniffing network traffic. It is also possible to
configure access control lists (ACLs), which determine the users, groups or services
that can use a particular resource, on a switch so that certain hosts are prohibited
access to a host in the VLAN. For example, suppose that a host in VLAN A is under
attack from a host in VLAN B. You can create an ACL on the switch of either VLAN A
or VLAN B to block this traffic. For stronger security, you could create ACLs on both
switches to block the problem of incoming and outgoing traffic. Because a VLAN can
help you create a group of computers, you can also use a VLAN to apply an access
policy that, for example, prohibits all traffic other than HTTP, POP3 and SMTP from
entering or leaving that group.
Performance A VLAN can help reduce traffic in parts of your network. For
example, if several systems are causing too much traffic for a particular segment, a
VLAN can be created to isolate these systems. A VLAN can also be used to balance
network load between segments.
Ease of administration The ability to separate a logical grouping of systems from
their physical location makes it possible to keep a user's workstation in the same
physical location, but have the workstation participate in a new group of
workstations pertinent to the user's job description. In short, a user can belong to a
new department, but remain in the same physical location.
Voice over IP (VoIP): The use of Internet Protocol (IP) data networks to convey voice
normally carried by telephone networks.
virtual local area network (VLAN): Logical subgroup within a local area network (LAN)
created with software instead of hardware.
broadcast domain: A group of systems that communicate directly with each other
without the aid of a router. If one system can send a packet to the Layer 2 addresses of
all systems, then they all exist in the same broadcast domain.

A VLAN is not a complete security solution. It supplements firewalls and other
measures.
A VLAN is not limited to an individual switch. You can span a VLAN across multiple
switches. Thus, a VLAN can be quite small (e.g., 10 workstations) or relatively large (e.g.,
200 workstations and 23 servers).

You could argue that a VLAN also creates a type of security zone because it
isolates a group of computers, then allows security rules and ACLs to control how
this group communicates.
VLAN hopping
VLANs are an important aspect in enabling VoIP. VLANs can become a security concern,
however, due to VLAN hopping.
VLAN hopping is a type of attack in which a hacker can intercept packets as they are
being sent from one VLAN and redirect those packets to a port that is not normally
accessible from a given end system, thereby threatening network security. Attackers have
been able to sniff data at the switch level, extracting passwords and other sensitive
information.
VLAN hopping attacks are successful in networks that permit autotrunking.
Autotrunking is a function that enables one or more switch ports in a system of VLANs to
carry traffic for any or all of the VLANs accessible through a particular switch. This type
of switch port is called a trunk port. In contrast, access ports carry only traffic to and
from the particular VLAN assigned to it. In most Cisco switches, autotrunking is turned
on by default. If a switch is set for autotrunking, an attacker can make it appear as if it
requires access to all the VLANs allowed on the trunk port.
Thwarting VLAN hopping
Disabling autotrunking reduces the possibility of VLAN hopping.
Another recommended practice to prevent VLAN hopping is to remove the native (default)
VLAN setting (VLAN1) from any trunk port. That is, trunking ports should have a unique
native VLAN number (other than the default VLAN1).
Firewall conflicts
Two or more firewalls operating on the same LAN will usually conflict and affect the LAN's
operability. Windows XP SP2 and Windows Server 2003, for example, contain built-in
firewalls. If you are also using a third-party firewall, there are likely to be conflicts
between the two firewalls. As a result, some operations, such as e-mail or Web access,
will not work properly, or an otherwise good Internet connection will simply drop. You
should only enable one firewall at a time.
VLAN hopping: An attack in which a hacker intercepts packets as they are sent from
one VLAN to another on a trunk.
DNS loops
In some cases, DNS resolution can become confused. A DNS loop is said to occur when a
host makes a simple DNS request to access a remote Web site such as Google
(www.google.com), and the routers and firewalls make multiple, infinite DNS requests. As
a result, the client system can never resolve a host name to an IP address.
A DNS loop can be caused by improper entries in the DNS zone database, or when
multiple firewalls and routers are working together. In the latter instance, the routers and
firewalls can get caught in a loop sending packets to each other, rather than forwarding
them to their proper destination.
Typical resolutions include removing improperly created canonical name (CNAME) entries
(i.e., aliases), and updating router and firewall routing tables.
Web 2.0 Technologies
Web 2.0, a term coined in 2004 by Tim O'Reilly of O'Reilly Media, refers to the changing
trends in the use of World Wide Web technology and Web design since the early days of
the Web when most Web pages were static, when users simply retrieved information, and
when Internet connections were slow. Web use before the "bursting of the dot-com
bubble" in 2001 is now referred to as "Web 1.0."
Web 2.0 is a paradigm shift in the way the Internet is used compared with the days of
Web 1.0. Web 2.0 involves a more open approach to the Internet that concentrates on
developing the information-sharing and collaboration capabilities of the Web. The idea
behind Web 2.0 is that users who access the Internet, view media and use the Web
should be active contributors, helping to customize the available technology and media
for their own purposes, as well as for those of their communities. Users should no longer
be content to simply absorb the available content. This methodology contrasts sharply
with the Web 1.0 philosophy, in which news was provided by a few large corporations,
Web pages were static and rarely updated, and only users who were technically proficient
could contribute to the development of the Web.
Web 2.0 has enabled users to provide a significant amount of information on the Web,
and there are no longer any restrictions on what they produce. Enabling non-technical
users with the freedom to create and edit any page in a Web site has allowed users to
become collaborators, co-writers and co-producers of Web content. Web 2.0 has made it
possible for users to connect to one another through the Internet.
Web 2.0 has also led to the development of Web-based communities and hosted services,
such as social-networking sites, video-sharing sites, wikis, blogs, RSS feeds, podcasts
and folksonomies. The Web is now a resource through which users have the ability to
generate and distribute content, as well as to update and modify it. This can result in an
increase in the economic value of the Web to businesses, as users can perform more
activities online. Examples of companies that use the Web 2.0 business model are:
BitTorrent (www.bittorrent.com)
SourceForge (http://sourceforge.net)
Wikipedia (www.wikipedia.org)
Friendster (www.friendster.com)
MySpace (www.myspace.com)
Facebook (www.facebook.com)
YouTube (www.youtube.com)
In the following sections, you will learn about the Web 2.0-enabled technologies of Ajax,
wikis, blogs, RSS, podcasts and folksonomy.
OBJECTIVE: Security issues with Web 2.0 technologies
Web 2.0: A concept referring to the changing trends in the use of WWW technology and
Web design that have led to the development of information-sharing and collaboration
capabilities.
Ajax
Ajax (Asynchronous JavaScript and XML) is a programming methodology for the Web
that enables Web applications to interact with users in much the same way they do with
desktop applications. Ajax allows you to create interactive Web applications using
XHTML, CSS, the DOM, JavaScript and XMLHttpRequest. You can use Ajax to create
dynamic and interactive Web pages without the need to refresh or reload the page. Ajax
will work only on the more advanced browsers (6.x or higher).
In traditional Web applications, the interaction between the server and the user is
synchronous. When a user performs an action, the action triggers a request to the server,
which renders the appropriate page in the user's browser. The user must then wait for
the page to load while the request is being processed. Each action a user performs results
in lag time. Once the request is processed, the server sends the results back to the user.
With Ajax, the interaction between the server and the user is asynchronous. JavaScript
that is loaded when the page loads handles most of the basic tasks such as data
validation and manipulation, as well as rendering the page. While the JavaScript is
rendering the page for the user, it is simultaneously sending data back and forth to the
server. But the data transfer is not dependent upon actions of the user. Therefore, the
normal lag and delay caused by server calls is eliminated because the information is
being sent asynchronously via JavaScript calls.
Google Maps (http://maps.google.com) is a well-known example of an Ajax-driven Web
application. With Google Maps, you can drag the map around on the screen effortlessly,
and add and remove flags without waiting for Google's server to send you an updated
Web page. The Google Maps home page is shown in Figure 5-12.

Figure 5-12: Google Maps home page
Ajax: A programming methodology that uses a number of existing technologies together
and enables Web applications to make incremental updates to the user interface without
the need to reload the browser page.
XMLHttpRequest: An application programming interface (API) that is used to transfer
XML and other text data between a Web server and browser.
Wikis
A wiki is a page or collection of Web pages that can be viewed and modified by anybody
with a Web browser and access to the Internet. When you open a wiki, you can read what
the wiki's community has already written. You can then click an Edit button in the wiki
article to edit the article's text. You can add or modify any content you want in the article.
Wikis provide users with both author and editor privileges, and are often used to create
collaborative Web sites and to promote community Web sites. They have become semi-
authoritative voices on particular topics. Wikipedia (www.wikipedia.org) is perhaps the
best-known example of user collaboration to build a Web site containing information that
all other users can access as well as populate. It has become an often-used reference by
many users who view it as a reliable source of information. The Wikipedia home page is
shown in Figure 5-13.

Figure 5-13: Wikipedia home page
Technically, a wiki is a combination of a CGI script and a collection of plaintext files that
enables users to create Web pages "on the fly." When you request a wiki article, the script
gathers the corresponding text file, converts its marked-up text into HTML, converts user-
selected text into hyperlinks, inserts this information into a page template, and sends the
result to your browser. You can then modify the content of the page template and save your
edits, after which the modified article will appear for others to access and modify.
The open-editing concept of wikis does present some inherent risks. To combat against
the inclusion of inappropriate language, spam, and incorrect or inappropriate content,
wikis are often monitored by members of their communities. However, monitoring wikis
can be both time-consuming and personnel-intensive. As a result, many wikis now
require authorization so only group members can modify content.
Another potential shortcoming of a wiki is that it can have a collaborative bias. As the
wiki's community adds and modifies content, it can start reflecting the opinions,
perspectives and values of its users. Therefore, a wiki may not be completely unbiased in
its presentation of a particular topic or issue.
Blogs
Short for Web log, a blog is an online journal created by an individual or an organization
and can cover any topic imaginable. When blogs were first created, bloggers thought of
them as easy-to-use FTP clients for Web pages. Now, blogs allow anybody to express their
views in an online forum.
Blogs are an example of a Web 2.0 social-networking methodology that emphasizes user
interaction. Blog postings are mainly textual but can include images, photos, links, video
and audio. The postings are archived by date and sometimes by author or by category.
Other bloggers and Web site owners can encourage inter-blog dialog by using permanent
links, or "permalinks," to link directly to a specific post on a blog. By reading and
discussing each other's posts, bloggers form a massive network that can influence
national media and policy makers.
The collective community of all blogs is known as the blogosphere. The mainstream
media can use discussions "in the blogosphere" to gauge public opinion about various
issues.
Because anyone can write anything in a blog, there are those that see blogging as a way
to circumvent the "filter" of acceptable journalism and publish information that can be
misleading, libelous or false. Some critics maintain that bloggers do not respect the
copyrighted material of others or the role of the mass media in presenting credible news.
Really Simple Syndication (RSS)
RSS (known as Really Simple Syndication, RDF Site Summary or Rich Site Summary) is a
Web feed format for delivering Web content that is updated frequently, such as blog
entries and news headlines. RSS feeds allow you to view headlines and updates from your
favorite Web sites without the need to open your Web browser or visit any Web sites. RSS
feeds also allow you to deliver the latest information you want to broadcast to your
readers without the need to send an e-mail or a newsletter. An example of an RSS feed
through Mozilla Thunderbird is shown in Figure 5-14.

Figure 5-14: RSS feed
RSS feeds can be read using software called an RSS reader, feed reader or aggregator. To
start receiving RSS feeds from your favorite Web sites, you need only download an
aggregator, and then customize it to search for content based on specific keywords or
information.
Windows RSS aggregators are included in:
- Internet Explorer 7 (www.microsoft.com).
- Mozilla Thunderbird (www.mozilla.com).
- Safari (www.apple.com).
- Windows Live Mail (http://home.live.com).
Linux RSS aggregators include:
- Bottom Feeder (www.cincomsmalltalk.com/BottomFeeder).
- Liferea (http://liferea.sourceforge.net).
- Syndigator (http://sourceforge.net/projects/syndigator).
Podcasts
A podcast is similar to an RSS feed in that the user can download syndicated audio or
digital-media files to computers or portable media players, such as Apple's iPods. To
create a podcast, you can produce your own audio files (e.g., MP3, Ogg or WMA files) and
publish them online. You can then index the files so that an RSS reader can subscribe to
them. Podcasts can also consist of rebroadcasts of radio or television content, educational
tutorials, and other audio content.
A podcast differs from other digital formats, such as streaming media, in that the podcast
files can be syndicated, subscribed to, and downloaded automatically as you add new
content. Users who want to subscribe to a podcast's syndicated media need to acquire
feed aggregator software, such as Apple's iTunes player (www.apple.com/itunes). Most
users use MP3 players or computers that have media player software installed to listen to
podcasts. Users can also use VoIP technology to listen to podcasts.
Folksonomy
Folksonomy is the practice of categorizing online content through tags. Tagging, which is
a characteristic of Web 2.0, allows non-technical users to collectively classify and find
information. The term was coined in 2004 by information architect Thomas Vander Wal.
A folksonomy is usually created by a group of individuals, typically the resource users
themselves. Users add tags to online items, such as text, images, videos and bookmarks.
These tags are then shared and can be modified by other users. The tags themselves can
consist of keywords, category names or metadata. However, because users are creating
the tags, items can be categorized with any word that defines a relationship between the
resource and a concept in the user's mind. The user can choose any number of words,
some of which will obviously represent the item, while others may make no sense to
anyone but the user.
Tags are a great way to bring others to your blog or Web site and draw attention to your
posts. By allowing people to share information effectively, the use of tags encourages the
growth of online communities. And by bringing communities together around common
interests, tags add value to the information those communities accumulate.
Two well-known examples of folksonomy systems are Delicious (http://delicious.com) and
Flickr (www.flickr.com), both owned by Yahoo! Delicious is a tool used to organize Web
pages by offering a tagging system for URLs that integrates with the Firefox browser
through bookmarklets (JavaScript interface elements). Users can use Delicious to store
and retrieve their bookmarks on the Delicious site and to identify each bookmarked URL
with appropriate metadata. Flickr is a photo management and sharing Web application
that users can use to identify their photographs by applying tags. Users can browse each
site for resources that match a given tag.
A major shortcoming of current folksonomy systems is that because users furnish the
tags, the terms can be ambiguous and imprecise. However, many users do not consider
this to be a problem because they believe that tags are there primarily to assist the
particular user who is submitting them.
Greynet Applications
Greynet applications refer to network-based applications that a corporate network user
downloads and installs without the permission or knowledge of the IT department.
Common examples of greynet applications include instant messaging (IM), peer-to-peer
(P2P) applications, streaming media players and RSS readers.
Some greynet applications, such as IM and collaboration programs, have legitimate
business use and can help increase user productivity. However, other greynet
applications, such as peer-to-peer file and music sharing programs, can increase security
risks and needlessly consume network resources. By downloading greynet applications,
users can inadvertently download trojans, spyware and other malware. All greynet
applications can be a drain on network system resources because they consume
corporate bandwidth.
Once greynet applications are downloaded and installed, they can be difficult to remove.
Many greynet applications use encryption and port agility, which makes them difficult to
detect and block.
Securing instant messaging and P2P applications
Instant messaging (IM) involves the use of applications that act in peer-to-peer (P2P)
mode. Instant messaging applications are capable of the following:
- Real-time communication of information.
- Direct communication between clients using ports above 1023.
- File transfer using ports above 1023, in which both clients can exchange any type of
file. Some anti-virus applications do not properly protect against such attachments.
Because IM and P2P applications use ports above 1023, many firewalls are not
configured to block this traffic. Thus, these clients represent yet another way for hackers
to introduce threats into the network.
File transfer and the 8.3 naming convention
As with most client/server protocols on the Internet, IM and P2P clients can fall victim to
sniffing attacks in which user names and passwords are sniffed during authentication.
Viruses, trojans and other malicious code can be sent using the file transfer features
found in these applications. Instant messaging and P2P applications can also easily fall
victim to attacks in which a hacker gives a file a double file name extension (e.g.,
file.exe.jpg), which is called a double-naming attack.
OBJECTIVE: Additional security issues
OBJECTIVE 1.1.3: Risk factors for data security
port agility: The ability to dynamically send and receive traffic across any open
network port.
OBJECTIVE 1.4.3: Security attack types
A double-naming attack exploits the DOS-based 8.3 naming convention. Originally, files
in DOS could only have names that were eight characters long, followed by a dot. Only
three letters could go after the dot. Modern Windows versions are able to exceed this
limit. However, some IM clients will only read the first three letters after the first dot.
Many hackers will create an executable file with two dots (e.g., image.jpg.exe). The IM
client will incorrectly show that this file is simply a JPEG image file, when in fact it is an
executable. The operating system will read the true ending of the file (.exe), then
automatically open the executable. In many cases, users who thought they had
downloaded an MP3 file have double-clicked a malicious executable file that installed
malware onto their systems.
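The following Python check, added here as an illustration and not part of the original guide, reproduces the mismatch just described: it derives the extension an 8.3-style client would display (the first three characters after the first dot) and the extension the operating system actually acts on (everything after the last dot), and flags a transfer when the two disagree and the real one is executable. The executable-extension set and the sample file names are constructed for the example.

```python
"""Flag double-named file transfers (e.g. image.jpg.exe) before a user can open them.

Added illustration; EXECUTABLE_EXTENSIONS and SAMPLE_TRANSFERS are constructed for it.
"""
import os
from typing import List, NamedTuple

# Extensions the OS launches directly (constructed, non-exhaustive list for the example).
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "msi"}


class ExtensionView(NamedTuple):
    displayed: str             # what an 8.3-style client shows: 3 chars after the FIRST dot
    actual: str                # what the OS acts on: everything after the LAST dot
    disguised_executable: bool


def inspect_filename(path: str) -> ExtensionView:
    """Compare the extension a naive client displays with the one the OS honours."""
    # Accept Windows or POSIX separators and look only at the final path component.
    name = os.path.basename(path.replace("\\", "/"))
    # Windows drops trailing dots and spaces when it creates a file, so ignore them too.
    name = name.rstrip(" .")
    parts = name.split(".")
    if len(parts) < 2 or parts[0] == "":
        # No extension at all, or a dotfile such as ".profile": nothing to compare.
        return ExtensionView("", "", False)
    displayed = parts[1][:3].lower()   # 8.3 rule: only three characters after the first dot
    actual = parts[-1].lower()         # the real extension the operating system will use
    disguised = (
        len(parts) > 2                 # more than one dot, i.e. a double extension
        and actual in EXECUTABLE_EXTENSIONS
        and displayed != actual        # the shown extension hides the executable one
    )
    return ExtensionView(displayed, actual, disguised)


def flag_transfers(filenames: List[str]) -> List[str]:
    """Return the names in an IM/P2P transfer list that should be quarantined."""
    return [f for f in filenames if inspect_filename(f).disguised_executable]


# Constructed sample transfer list mixing harmless and disguised names.
SAMPLE_TRANSFERS = [
    "vacation.jpg",
    "image.jpg.exe",          # the case described in the text
    "track01.mp3.scr",        # screensaver binary posing as an MP3
    "archive.tar.gz",         # a legitimate double extension, not executable
    "setup.exe",              # openly executable: not disguised, handled by other policy
    "photo.jpeg.exe",         # an 8.3 client shows "jpe"; the OS runs ".exe"
    "C:\\Users\\user\\Downloads\\song.wav.pif",
]

if __name__ == "__main__":
    for name in SAMPLE_TRANSFERS:
        print(f"{name!r:45} -> {inspect_filename(name)}")
    print("quarantine:", flag_transfers(SAMPLE_TRANSFERS))
```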
Additional attacks
Instant messaging traffic is often not encrypted, which makes it vulnerable to man-in-
the-middle attacks such as packet sniffing. Such attacks clearly reduce privacy, both at
home and at work. Finally, one of the common aspects of the IM culture is for users to
conduct denial-of-service (DOS) or distributed DOS (DDOS) attacks against someone they
thought offended them. Thus, the use of instant messaging can expose the network to
more risk.
Securing instant messaging and P2P
Ways to secure instant messaging and legitimate P2P traffic can include:
- Using a VPN to encrypt transmissions.
- Using built-in encryption found in many instant messaging clients.
- Scanning all files sent via instant messaging for viruses.
Finally, when creating an account for instant messaging, make sure that you are
prepared for a possible invasion of privacy. In many cases, the companies that provide IM
sell user information to other clients, and you may receive additional spam from many
sources.
Vulnerabilities with Data at Rest
Because data is vulnerable when it is being ported across a public network, we have
already seen how it must be protected while it is in transit. However, a network
administrator is not only responsible for the safety of the data while it is in transit, but
also when it is at rest. Data is considered to be at rest when it is not being read or
updated.
In order to maintain data in a non-corrupted and accessible state, the network
administrator should ensure that the data is stored on RAID drives, and that the data is
backed up regularly. The backed-up data should then be stored off-site in a safe location.
If the data is encrypted, the network administrator is responsible for ensuring that it can
be decrypted.
It is critical that the corporate security policy contain explicit instructions about data
maintenance and storage as follows:
- Backed-up data needs to be verified before it is stored off-site to ensure that the data
is not corrupt. Otherwise, when the data is needed, it will not be available.
- The encryption keys and passwords necessary to decrypt data need to be recorded
and kept in a location accessible to authorized personnel only.
- The people who are authorized to maintain, access and decrypt data must be defined.
OBJECTIVE 1.1.3: Risk factors for data security
OBJECTIVE: Additional security issues
RAID (Redundant Array of Independent Disks): A category of disk drive that employs
two or more drives and allows you to store data redundantly.
- Procedures must be in place to describe the actions that should occur when top
responders are unable to respond if there is an immediate need for data retrieval.
Data on network drives and in network shares
Users must ensure that their data, especially confidential or important data, is stored in
a secure, safe location. Users should copy files to network drives that are backed up on a
regular basis, in case anything happens to their own systems that renders them inoperable
or unable to retrieve data from their local hard drives.
At times, a user might create a network share folder on his or her local hard drive in
which to place files for others to access. However, in some configurations, all folders
below the share are shared as well. Thus, the user may have inadvertently given everyone
on the network access to the data in the share. Another consequence of this action is that
a hacker may enter another user's system that has access to the network share. In so
doing, a hacker can gain access to the important or confidential files stored in a network
share on one system by gaining illicit access to another system.
Data on vulnerable systems
Users must be very careful about storing confidential or important data on laptops and
removable media, such as flash drives. Because of their portable nature, they can be
easily misplaced, stolen or lost, and with them all the data stored therein.
The network administrator should ensure that adequate anti-virus/anti-malware
software is installed on the corporate network and that these applications are kept up to
date. However, home systems may not be kept as secure as those at the company. Home
systems may not even have anti-virus/anti-malware software installed at all. Users
should be cautioned about transferring files between home and corporate systems,
whether by disk, flash drive or network connection. Remote systems that are
inadequately protected may easily present a new infection source to the network.
Database data and SQL injection
Recall from a previous lesson that SQL injection is an attack in which a hacker inserts
malicious code into SQL command strings for the purpose of gaining access to data
contained in a database. Data stored in a database is at rest. The only time it is not at
rest is when someone is executing a SQL statement against the data.
A hacker can inject malicious code into a SQL statement and then execute the altered
code and destroy a database that could contain potentially millions of records. For this
reason, access to a database should be as restrictive as possible while still allowing users
the access they need to perform their work effectively.
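As an added example (not from the guide), the following Python code uses an in-memory SQLite database to show both halves of the paragraph above: a lookup built by string concatenation that a crafted input turns into a query returning every row, the same lookup with a bound parameter that treats the input as data, and a SQLite authorizer that denies destructive statements so that the application's database account cannot drop the table even if an injection succeeds. The table, rows and the `WRITE_ACTIONS` set are constructed for the example.

```python
"""Vulnerable vs. parameterized lookup, plus a least-privilege authorizer (added example)."""
import sqlite3
from typing import List

# Action codes SQLite reports to the authorizer for statements that change or destroy data
# (constructed selection for this example; SQLite defines more).
WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_DROP_INDEX, sqlite3.SQLITE_DROP_VIEW,
    sqlite3.SQLITE_ALTER_TABLE, sqlite3.SQLITE_CREATE_TABLE,
}


def build_db() -> sqlite3.Connection:
    """Create a constructed customers table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, ssn) VALUES (?, ?)",
        [("Alice Example", "000-00-0001"),
         ("Bob Example", "000-00-0002"),
         ("Carol Example", "000-00-0003")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """The user's text is spliced into the command, so it can rewrite the WHERE clause."""
    sql = "SELECT name FROM customers WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """The driver binds the value separately; quotes and keywords inside it stay data."""
    sql = "SELECT name FROM customers WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Least privilege for the application's connection: reads allowed, writes denied."""
    def authorizer(action, _arg1, _arg2, _db_name, _trigger):
        return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def statement_is_blocked(conn: sqlite3.Connection, sql: str) -> bool:
    """True when the statement fails to run (SQLite raises 'not authorized' on SQLITE_DENY)."""
    try:
        conn.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"        # closes the quote and appends an always-true condition
    print("vulnerable:    ", lookup_vulnerable(db, crafted))     # every row leaks
    print("parameterized: ", lookup_parameterized(db, crafted))  # no customer has that name
    restrict_to_reads(db)
    print("DROP blocked:  ", statement_is_blocked(db, "DROP TABLE customers"))
    print("reads still ok:", lookup_parameterized(db, "Bob Example"))
```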
Security Threats from Trusted Users
There are times when security breaches are caused by internal employees or other
trusted users who, although well-intentioned, feel the need to circumvent their
company's security policies to get their jobs done. These trusted users may expose the
company's data to risk through carelessness or noncompliance with established security
measures, or by following security procedures that are inadequate.
Trusted users may unintentionally expose corporate data to unauthorized outsiders or
expose the corporate network to malware by:
OBJECTIVE: Additional security issues
OBJECTIVE 1.1.3: Risk factors for data security
- Sending work documents to a personal e-mail account to more easily access the files
from home.
- Relying on VPNs or other remote access capabilities, such as Web mail, to more easily
access the files from home.
- Accessing work e-mail via a public wireless hotspot, from which a malicious user
could gain access to an internal system through the open public wireless network.
- Gaining access to corporate data via a public computer at a location such as an
Internet café, a library or an airport.
- Copying work-related files to a laptop or other removable media device and
subsequently losing the device.
- Acting politely and trustingly toward strangers, such as holding a door open to a
restricted area for someone they do not know. Such a person could then gain
unauthorized admittance to sensitive areas without the need to use a card key or
provide some other form of identification. In some cases, the stranger could take the
opportunity to steal information from you by looking over your shoulder or otherwise
reading what you have in your hand. This activity is often called "shoulder surfing."
Also, the stranger might actually be trying to distract you so that a third person can
get past you and gain unauthorized access.
- Maintaining the same access rights to the internal network despite changing jobs
within the company for which previous access privileges are no longer warranted.
Therefore, simply creating corporate security policies does not necessarily prevent trusted
users from inadvertently causing security breaches. Network administrators need to
educate and perhaps monitor employees to ensure that their behavior will align with the
corporate security standards.
Anonymous Downloads and Indiscriminate Link-Clicking
Web sites contain scripting, Java applets, ActiveX controls and Web 2.0 technologies to
make their pages rich, entertaining and interactive. Unfortunately, these same items can
be used by malicious coders to propagate viruses, launch attacks, and surreptitiously
install trojans or bots that would prove injurious to your computer.
Web sites that contain malicious content designed to harm your computer are known as
poisoned Web sites. Simply visiting a poisoned Web site can infect or destroy the data
stored on your computer. Even if a visit to a poisoned Web site does not produce such
dire consequences, it may turn your computer into a bot, a spam generator or a slow
performer.
Poisoned Web sites may also contain drive-by downloads, which download trojans,
spyware, viruses or other malware without the user's knowledge or consent. The site may
display a link or pop-up window that, when clicked, initiates the drive-by download with
no indication to the user of having done so.
Only a real-time solution can provide the analysis you need to detect and identify
poisoned Web pages and malicious sites when conducting online searches. There are
several anti-virus software applications that include "safe searching" or "safe surfing"
options. By enabling these options, the applications can report possible dangerous Web
pages in the search results and block object downloads that may harm your system.
Modern Windows systems now come equipped with native anti-virus software. Third-party
products exist for Windows systems, as well as Apple. AVG (http://free.avg.com) and the
latest versions of spyware and virus removal products from Norton (www.symantec.com)
and McAfee (www.mcafee.com) are examples of third-party products that contain safe
searching/surfing options you can use to protect your system from poisoned Web pages.
Linux and UNIX-based systems can use the ClamAV set of anti-virus applications
(www.clamav.net).
OBJECTIVE: Additional security issues
OBJECTIVE 1.1.3: Risk factors for data security
OBJECTIVE 1.4.3: Security attack types
poisoned Web site: A Web site that contains malicious content designed to harm your
computer.
drive-by download: The automatic download of malicious content without the user's
knowledge or consent.
Following are some guidelines to help avoid contact with poisoned Web sites:
- If there is sensitive or confidential data on a computer, do not use it to browse the
Web. This helps to limit Web-based attacks to computers that do not contain
important data.
- Install security patches and updates for the Web browser as well as for the operating
system. However, only download patches from known authorized sites. Unauthorized
sites may contain links to patches that do the very thing you are trying to avoid.
- Ensure that you are using the latest versions of browsers and that they are capable
of using the strongest encryption for secure communications.
- Configure security settings not to run Java applets, JavaScript, VBScript, ActiveX
controls and so forth without prompting you first.
- Disable plug-ins. If you need to enable a plug-in for a particular task, enable it
temporarily for that task only, and then disable it again.
Users should also be careful about clicking links or downloading objects found in chat
rooms, instant messages or some other Web 2.0 activities. Most users are already familiar
with the dangers of opening e-mail attachments when they do not recognize the sender.
Anti-virus and resident scanner programs are configured by default to check all incoming
e-mail. However, these applications are not suitable for other technologies and may leave
you vulnerable to malicious content from these sources.

Case Study
Thanks for Sharing
Sylvie is a program manager for a mid-size company that works on top-secret government
contracts. She has received highly confidential data files from the government concerning
the company's current project, and she stores the data on her hard drive in a folder
named "Confidential." Because she is going to be in a three-hour manager's meeting,
Sylvie makes the Confidential folder a network share and asks her assistant, Renaldo, to
print some of the data for her to review after the meeting. Because of her limited
computer knowledge, Sylvie inadvertently allows everyone on the network access to her
Confidential folder.
Paolo is in the accounting department and loves to listen to music while he balances the
books. He has Napster and iTunes and an illicit P2P file-sharing application loaded on his
system from which he accesses MP3 files. Stephan, an intern also working in the
accounting department, is an unscrupulous computer hacker who has befriended Paolo.
Unbeknownst to Paolo, Stephan has loaded a trojan onto Paolo's computer through the
P2P application and, through it, is able to access the network when Paolo is away from
his workstation.
Because Sylvie's shared folder is open to anyone on the network, Stephan can now access
the confidential data and sell the information to a competing company for profit.
* * *
As a class, discuss this scenario and answer the following questions:
- How should Sylvie have configured the network share to prevent this occurrence from
happening?
- Should Sylvie have loaded the confidential data onto her laptop computer or stored it
on some other removable media, such as a flash drive, for safekeeping? What are the
potential pitfalls of doing this?
- What steps can the network administrator take to ensure that a similar occurrence is
not repeated?

Lesson Summary
Application project
In this lesson, you learned about some of the technologies that have given rise to the
term Web 2.0.
With Web 2.0 technologies, you can combine data from various sources and provide
information that is useful to others. For example, you might decide to combine a Flickr
tagged gallery of bed-and-breakfast establishments with actual reviews that people have
submitted about them. You could then include a connection to Google Maps to find such
establishments in an area that you plan to visit. The Web site might not have any of the
photos from Flickr, nor any of the reviews from users. It may include only an interface
that allows viewers to determine where they are going, and enable them to read the
blogged reviews, post their own reviews and attach them to those already tagged.
Open your Web browser and access Flickr (www.flickr.com) and Google Maps
(http://maps.google.com) to familiarize yourself with their interfaces and experiment with
their features. Create an account in Flickr and explore the site to see what other people
have uploaded and how they tagged their content. Explore the Flickr blog, and add your
own comments and tags to items you find interesting. Use Google Maps to locate items
you find in Flickr that reference a geographic location.
Skills review
In this lesson, you learned about security issues associated with wireless network
technologies, convergence networking technologies and Web 2.0 technologies. You
learned about the dangers of downloading and installing applications of which your
network administrative staff is unaware. You also learned about security threats
associated with data that is at rest, with trusted users within an organization, with
receiving anonymous downloads and with conducting indiscriminate link-clicking.
Now that you have completed this lesson, you should be able to:
- 1.1.3: Identify potential risk factors for data security, including improper
authentication.
- 1.2.5: Identify the importance of auditing.
- 1.4.3: Identify specific types of security attacks.
- 1.4.8: Recognize attack incidents.

In addition to the CIW Security Professional objectives listed above, you also studied the
following topics and skills:
- Security issues associated with wireless network technologies.
- Security issues associated with convergence networking technologies.
- Security issues associated with Web 2.0 technologies.
- Additional security issues, including greynet applications, data at rest, trusted users
within an organization, anonymous downloads and indiscriminate link-clicking.


Lesson 5 Review
1. Describe at least two technologies that the IEEE 802.11n standard uses to give WiFi
the speed and range necessary for high-bandwidth applications (for example, streaming
video) to coexist with wireless VoIP.






2. VLANs are an important aspect in enabling VoIP. Describe the main security concern
associated with VLANs.



3. To what does the term "Web 2.0" refer?




4. What is a greynet application?




5. Why should users avoid clicking links or downloading objects found in chat rooms,
blogs and the like?




Lesson 5: Recent Networking Vulnerability Considerations 5-39
6. WEP shared-key authentication uses a four-part handshake:
- Authentication request
- Challenge
- Response
- Authentication response
Which elements of the handshake are not encrypted?


Lesson 6: General Security Principles
Objectives
By the end of this lesson, you will be able to:
- 1.3.1: Identify the universal guidelines and principles of effective network security.
- 1.3.2: Define amortization and chargeback issues related to network security
architectures.
- 1.3.3: Use universal guidelines to create effective specific solutions.

Pre-Assessment Questions
1. Which of the following could lead to a physical security breach?
a. Weak passwords
b. Old, inactive user accounts
c. An operating system that has not been adequately patched
d. System servers that allow detachable devices, such as USB and FireWire hard
drives, to be installed
2. Which of the following describes chargeback?
a. Billing a department for the use of a server or technician
b. Determining the amount of bandwidth a server has used
c. An attack that replays packets to the original server, causing a
denial-of-service attack
d. An attack that results in a buffer overflow and a root-level exploit
3. Describe the concept of physical security.




Common Security Principles
Although specific security implementations are always unique, 10 easily identified
principles are common to all networks:
- Be paranoid.
- You must have a security policy.
- No system or technique stands alone.
- Minimize the damage.
- Deploy companywide enforcement.
- Provide training.
- Use an integrated security strategy.
- Place equipment according to needs.
- Identify security business issues.
- Consider physical security.
If you learn about these principles now, you will be able to implement effective security at
your company. The rest of this lesson will discuss each of these points individually.
Be Paranoid
Although the word "paranoid" might seem to be an overstatement, if you are not
suspicious to the point of paranoia, you will probably not follow your security policy as
diligently as you should.
At a personal level, assume that when you are connected to the Internet, you are a target
for attack. At the network level, design your security system assuming that a hacker will
circumvent it. This assumption will ensure that you apply as many techniques as
possible on several levels. Put backups in place so that if a hacker breaches one area,
another area will be able to contain the hacker's activity. This security principle is simple,
but it can save your entire network.
Minimize threats
Threat minimization is the result of applying security principles consistently, even when
they seem overly cautious. For instance, if you enforce proper access controls, a hacker
who has stolen a legitimate user's identity can reach only what that user could reach: the
same files and systems, and nothing more. Defining each user's responsibilities and
access, then, is a key element of threat minimization, because it bounds the damage that
any single compromised account can do.
Separate systems
Another way to ensure security is to separate your systems. If you protect your FTP files
separately from your Web files, penetration of Web security will not automatically mean
that your FTP security has been breached. You will learn more about this concept in a
later lesson.
Motivation for security
The chief motive for inventing and using such techniques is the expectation that
something will go wrong, and that someone is out there, trying to make things go wrong.
Few things motivate people more than fear, so do not underrate this perspective when
securing your system.
You Must Have a Security Policy
A security policy is the foundation upon which all security decisions are made. If you do
not have an effective security policy, your actual implementation will be inconsistent,
providing points of access to the hacker.
A security policy defines each rule to be followed and includes clear explanations of its
purpose. An obscure or imprecise security policy may not convey the core security values,
roles and responsibilities to the organization.
Weak links
A hacker generally searches a site for a "weak link" from which to penetrate. Whether
these weak links are overlooked default settings or unpatched bugs in the operating
system, they usually survive because no security policy reminded the system
administrator of the essential steps to take when upgrading an operating system, adding
a user or adding a new program.
A thorough security policy helps you correct such oversights, and enables you to make
consistent decisions as you secure your network.
No System or Technique Stands Alone
A successful security system is a matrix, or combination of individual methods,
techniques and subsystems. Whenever possible, you should use as many security
principles and techniques as you can to protect each resource.
For example, a network that relies solely upon authentication is not nearly as secure as
one that combines authentication, access control and encryption. Similarly, your site is
better protected by packet filtering at the router combined with a firewall backed up by
user authentication and intrusion detection.
Balance of security
Use of multiple techniques and technologies at every point allows you to protect against
the weaknesses of each individual technique while improving overall effective security. As
your security system develops, you will base these choices upon the overall balance of
security.
A balance must be obtained because you can implement too many methods, again
resulting in less effective security. The most critical factor is to analyze each method of
protection for weakness and determine if you can reduce that weakness by using an
additional method or two while not going too far.
Security is ongoing
No universal product, technology or solution offers full protection against all threats.
Security threats are evolving and growing quickly. You need dedicated staff and resources
to perform the security function well. Security is not an installation-only area.
Minimize the Damage
By using multiple techniques at every device (e.g., a router and the Web server) and at
every level (e.g., the operating system and the Internet server), you can limit damage
perpetrated by a hacker.
For example, you should supplement your firewall with an encryption technique such as
Secure/Multipurpose Internet Mail Extensions (S/MIME) to secure your e-mail, because
the firewall cannot protect message contents once they leave your network. Later
lessons will discuss other techniques to help detect and occupy a hacker, thereby
minimizing damage.
Deploy Companywide Enforcement
Too often, organizations develop security policies and then the administrators do not
enforce the rules on themselves.
For example, system and security administrators often give their own everyday user
accounts "root" or "administrator" access. They know how not to accidentally damage a
system or perform other such compromising actions, so they do not consider this type of
access to be a problem. However, hackers will try to locate such accounts and
concentrate on penetrating them instead of other highly secured accounts.
Companywide means everyone
Company executives also tend to defeat security measures, because those measures can
seem inconvenient to someone who must access information as quickly as possible. In
smaller companies, many company owners want root or administrative rights simply
because they are the bosses. A good rule is to have as few root and administrative
accounts as possible.
Some people think that even the most unobtrusive security measures are a waste of time,
and will ignore them or create shortcuts around them. Such innocent and seemingly
necessary activity creates a security breach that hackers can discover and use.
A company plan must make everyone at every level accountable for security.
Many hackers are adept at discovering weaknesses in the application of a
security system, especially when those weaknesses result from incomplete
implementation.
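The two rules stated above, that an attacker who steals an identity gets exactly that identity's access (see "Minimize threats") and that a site should carry as few root and administrative accounts as possible, can be checked mechanically. The following Python script is an added example and is not part of the CIW guide: it reads Unix-style /etc/passwd and /etc/group text, lists every account that holds root-level access (UID 0, or membership in a group that is normally granted sudo) and reports when the count exceeds a policy limit. The passwd and group contents, the set of administrative group names and the policy limit of two are assumptions constructed for the example; on a real host you would read the actual files.

```python
"""Audit a Unix-style passwd/group listing for accounts that hold root-level
privilege.

Added example (not from the CIW guide). The sample /etc/passwd and /etc/group
text below is constructed; ADMIN_GROUPS and the policy limit are assumptions.
"""

# Constructed sample data. UID 0 is root on Unix systems regardless of the
# account name; 'toor' is a second root account that should not be there.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:alice
users:x:100:
"""

# Assumed set of groups that distributions commonly grant sudo rights to.
ADMIN_GROUPS = ("wheel", "sudo", "admin")


def parse_passwd(text):
    """Return {username: uid} for every well-formed passwd line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Return {groupname: set(members)} for every well-formed group line."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def privileged_accounts(passwd_text, group_text):
    """Map each account that holds root-level access to the reasons why.

    Two paths are checked: a UID of 0 (the account *is* root, whatever it is
    called) and membership in an administrative group.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    reasons = {}
    for name, uid in users.items():
        if uid == 0:
            reasons.setdefault(name, []).append("uid 0")
    for gname in ADMIN_GROUPS:
        for member in sorted(groups.get(gname, ())):
            reasons.setdefault(member, []).append("member of " + gname)
    return reasons


def report(passwd_text, group_text, max_admins=2):
    """Return a list of findings; an empty list means the host is within policy."""
    privs = privileged_accounts(passwd_text, group_text)
    findings = []
    uid0 = [n for n, why in privs.items() if "uid 0" in why]
    if len(uid0) > 1:
        findings.append("multiple UID-0 accounts: " + ", ".join(sorted(uid0)))
    if len(privs) > max_admins:
        findings.append("%d privileged accounts exceed policy limit of %d"
                        % (len(privs), max_admins))
    return findings


if __name__ == "__main__":
    for account, why in sorted(privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        print("%-8s %s" % (account, "; ".join(why)))
    for finding in report(SAMPLE_PASSWD, SAMPLE_GROUP):
        print("FINDING:", finding)
```

Run against the constructed data, the audit flags four privileged accounts (root, toor, alice and bob) and two policy violations: a second UID-0 account and more administrators than the limit allows. A stolen 'carol' identity, by contrast, grants nothing beyond carol's own files, which is the threat-minimization point.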

Provide Training
Proper training is one of the most effective and easiest security measures you can put in
place. A companywide, one-hour user training session on such strategies as proper
password selection can dramatically increase security levels.
Training for various user levels
Following is recommended training for each of the three user levels:
- End users: Users must be informed of new viruses that are introduced on the Web.
You can notify them via a companywide e-mail message or conference call.
- Administrators: Security administrators must remain informed about the latest
threats and countermeasures. A good idea is to assign each security administrator a
topic or area. For example, one security administrator can keep current with the
latest viruses, and another could keep up with the latest hacker tools and
techniques. Then administrators can cross-train each other.
- Executives: Executives need to be kept aware of the latest tools that can be used
to keep a site's security up to date. A useful technique is to tell the executives of a
successful break-in at a related site. With this information, they will probably be
willing to fund projects to improve security.
Each group of employees has different levels of responsibilities. Their activities also
expose them to different threat types. Executives will need to learn about how to secure
equipment and accounts during travel, for example. Both end users and executives will
need to be educated on how to secure their workstations, recognize social engineering
and avoid e-mail viruses.
As you educate employees, make sure that you tailor your presentations to their needs
and skill levels.
Additional training
In some situations, you need to conduct training sessions for end users so they properly
use new tools you want to implement. Remember that any steps you want to add to your
security policy will not be successful if you do not have the support of the users who
must implement the policy.
Use an Integrated Security Strategy
Find out how each department implements the security strategy. Unless some compelling
reason exists, do not allow each department to have its own policy or to interpret the
policy separately; such actions defeat the overall effect of the security strategy and
create security holes. Again, make sure that all levels of your organization, including
executives, are following this strategy.
Security and systems administrators should always keep close watch on all components
of their networks. A site's security can be easily defeated by a poorly secured system
about which the security administrators are not aware.
Lapses in integration
For example, it is common practice for Research and Development (R&D) departments to
conduct tests on beta software and operating systems. These systems need security as
much as every live system on the network.
Suppose that a site's security administrators have done a good job securing all their
network resources, but that the R&D department has installed a beta system on a test
machine, then placed it on the public network. This system represents an exception to
the strategy made by the security administrators.
Such systems are quickly discovered by hackers. Moreover, systems that house beta
software often contain serious security problems. If a hacker is able to penetrate this one
system, he or she could then launch attacks from it. In many cases, security
administrators will not be expecting an attack to originate from within the company's
network, and the security breach will go unnoticed.
This situation can be countered by regular audits and by installing intrusion
detection tools. However, you must also ensure that all departments are prepared to
adhere to the security policy and your security strategies. Doing so will solve a great
number of problems.
Place Equipment According to Needs
It is easy to get caught up in the desire to purchase the latest equipment and software.
However, you should always consider how any technology addresses specific business
needs. To do this, you should take the following steps:
- Conduct a needs assessment audit.
- Consult with management to determine specific needs.
- Determine how a new technology will affect the daily routines of end users at all
levels.
- Work with management to secure funding.
- Conduct research to determine the proper products for your organization.
Security for necessary technology is a large enough job. Having to secure resources that
are not necessary to your business simply wastes your time and efforts, and may even
compromise the security of your required equipment and software.
Identify Security Business Issues
Security has quickly become a central business issue, mainly because of the costs
involved. Investors, insurers and customers have become very interested in making sure
that companies have done all they can to ensure security.
IT management and company presidents, therefore, are now very interested in proving
that they have shown due diligence when securing their networks. Doing so helps the
business secure funding and maintain a positive company image.
Large companies have identified ways to manage and justify most security costs. Table 6-
1 defines some terminology used when managing security costs and resources.

Table 6-1: Security management terminology

Amortization: An accounting term for spreading the cost of a particular implementation
over its useful life, so that it is paid for over time. Amortization also includes
accounting for the depreciation of software or hardware.

Chargeback: The ability to accurately determine the costs of using various networking
and security services and to bill those costs to the consumer of the service. A service
can include:
- Tasks performed by IT professionals, including system installation, network
engineering and security consulting.
- The use of a firewall, server or additional network resources.
Departments and divisions within the same large company often conduct chargebacks.
Suppose that James was sent from the IT department's help desk to consult with the
R&D department. The IT department could charge the R&D department for James' time.

Capacity forecasting: Planning the amount of bandwidth and other resources required
to provide services for future customers.

Trend analysis: Examining network traffic over time to establish a baseline of
legitimate activity, so that illegitimate traffic can be recognized as a deviation from
that baseline.

Performance management: Determining the existing workload of systems on the
network.
Business issues and network latency
Latency is the delay between a client sending a request and receiving the response from
a server across the network. Increasing security in your network can increase latency
because of the extra time needed to encrypt and decrypt packets, for example. Another
way that security can increase latency is if you install an e-mail virus scanner on your
SMTP server: scanning every message before it is delivered can significantly increase
the time required for messages to be processed.
Security measures can also affect businesses and users in the following ways.
- Increased cost: Many security solutions are very costly. Firewall licenses for one
site can cost U.S. $20,000 or more.
- Inconvenience: New programs and procedures may inconvenience users, especially
users who travel often and those who work remotely. Remember to make end users
aware that even though they will be slightly inconvenienced right now, the long-term
benefits will save them time and secure the company.
Consider Physical Security
Many corporations or organizations have implemented sophisticated security software,
only to have their systems defeated because the actual machine was not physically
secured. Commonly, an organization will place its firewall and network in a public area,
exposing it to tampering. Others will forget to restrict access to otherwise secure rooms.
Other considerations are also important for physical security.
Physically securing your equipment is extremely important because if a person can gain
physical access to a system, that person can usually take control of it. For example:
- A user with console access can boot a Windows system into safe mode, which loads
only a minimal set of drivers and services. Safe mode still requires a valid logon, but
protective software that runs as a third-party driver or service may not be loaded,
and an administrator can then modify the registry, or load or remove drivers.
- When a Linux system boots, a user at the console can edit the boot loader entry and
instruct the kernel to boot into single-user mode. Unless the boot loader is
password-protected and single-user mode is configured to run sulogin, this provides
a root shell without a login or password.
- Ubuntu distributions include a rescue mode, which allows a user to recover a lost
password, update or recover configuration files, or fix an unbootable machine. In
rescue mode, a user can choose to open a root shell, which is equivalent to
single-user mode.
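The Linux items above describe two console-side weaknesses: a boot loader that lets anyone append kernel arguments, and a single-user mode that hands out a root shell without asking for a password. The following Python check is an added example, not from the CIW guide. It inspects boot-loader and inittab text for the hardening lines that close those gaps: a password directive in GRUB legacy's menu.lst, the set superusers / password_pbkdf2 pair in GRUB 2, and a runlevel S sulogin entry in a SysV /etc/inittab. The sample configurations are constructed, the password hash shown is a placeholder, and hosts that use another boot loader or init system need an equivalent check.

```python
"""Check Linux boot configuration for the physical-access weaknesses the
lesson describes: an unprotected boot loader and a password-less single-user
mode.

Added example, not from the CIW guide. It inspects configuration text only;
the samples are constructed and the GRUB password hash is a placeholder.
"""
import re

# Constructed: a default install with neither protection.
WEAK_MENU_LST = """\
default 0
timeout 5
title Ubuntu, kernel 2.6.24-19-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-19-generic root=/dev/sda1 ro quiet splash
"""
WEAK_INITTAB = """\
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
"""

# Constructed: the same host after hardening. 'password' makes GRUB legacy
# demand a password before entries can be edited; 'lock' requires it even to
# boot the entry; the '~~:S' line runs sulogin in runlevel S (single-user).
HARDENED_MENU_LST = """\
default 0
timeout 5
password --md5 $1$EXAMPLE$PLACEHOLDERHASHVALUE
title Ubuntu, kernel 2.6.24-19-generic
lock
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-19-generic root=/dev/sda1 ro quiet splash
"""
HARDENED_INITTAB = """\
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
~~:S:wait:/sbin/sulogin
1:2345:respawn:/sbin/getty 38400 tty1
"""

GRUB_LEGACY_PW = re.compile(r"^\s*password\s+", re.M)
GRUB2_SUPERUSERS = re.compile(r"^\s*set\s+superusers\s*=", re.M)
GRUB2_PW = re.compile(r"^\s*password(_pbkdf2)?\s+\S+", re.M)
# An uncommented inittab entry for runlevel S whose process is sulogin.
SULOGIN = re.compile(r"^\s*[^:#]*:S:[^:]*:\S*/sulogin", re.M)


def bootloader_protected(grub_text):
    """True if the boot loader demands a password before entries can be edited."""
    if GRUB2_SUPERUSERS.search(grub_text):
        # GRUB 2: 'set superusers' only takes effect with a password entry.
        return bool(GRUB2_PW.search(grub_text))
    # GRUB legacy: a top-level 'password' line protects the menu.
    return bool(GRUB_LEGACY_PW.search(grub_text))


def single_user_needs_password(inittab_text):
    """True if runlevel S runs sulogin, which asks for the root password."""
    return bool(SULOGIN.search(inittab_text))


def findings(grub_text, inittab_text):
    """List the weaknesses present; an empty list means none were found."""
    out = []
    if not bootloader_protected(grub_text):
        out.append("boot loader accepts kernel arguments (e.g. 'single' or "
                   "'init=/bin/sh') from anyone at the console")
    if not single_user_needs_password(inittab_text):
        out.append("single-user mode gives a root shell without a password")
    return out


if __name__ == "__main__":
    for label, grub, inittab in (("weak", WEAK_MENU_LST, WEAK_INITTAB),
                                 ("hardened", HARDENED_MENU_LST, HARDENED_INITTAB)):
        print(label + ":", findings(grub, inittab) or ["no weaknesses found"])
```

Both checks are necessary: a boot-loader password alone is defeated by booting rescue media, and sulogin alone is defeated by passing init=/bin/sh at an unlocked boot prompt. Neither stops an attacker who can remove the disk, which is why the lesson treats locked rooms as the real control.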
Often, a hacker will use a non-Internet security breach to open an Internet security hole
through which to enter your systems. Such breaches might include the following:
- An open door to the room containing the firewall equipment.
- An employee who removes or introduces information manually.
- An employee who divulges passwords and other information.
- An employee who accidentally gives the network a virus. Most viruses are the result
of otherwise benign user activity, such as someone's unknowingly bringing an
infected disk from home.
- System servers that allow detachable devices, such as USB and FireWire hard drives,
to be installed.
Questions to ask yourself concerning physical security might include the following:
- Is the corporate firewall in a locked room?
- Are the network machines (e.g., the router, the Web server, the FTP server and so
forth) fastened and monitored?
- Are any employees working alone in sensitive areas?
Surveillance methods
Options for increasing physical security include the following:
- Replacing standard key locks with number pads
- Placing the servers behind locked doors
- Installing video surveillance equipment
One company, Home Solutions (www.x10.com/homepage.htm), sells video cameras as a
way to increase physical security. They can be configured to act as a sort of trip-wire.
Whenever anyone walks past the camera, it takes a snapshot, then transmits the image
via e-mail or by other means. This strategy can prove quite useful in highly sensitive
settings.
In the following lab, you will observe how operating system rescue utilities can be used to
circumvent system security. Several rescue utilities are available for Windows (for
example, the NT Password And Registry Editor utility can be used to reset a forgotten
administrative password). Suppose your company's system administrator became
unavailable or unreachable for an extended period of time, and you were named as the
interim administrator. Without the previous administrator's password, you cannot access
the functions required for your new job. By using a utility such as NT Password And
Registry Editor, you can reset the existing administrator password and gain full access
without having to reinstall the operating system. Keep in mind that while such utilities
can be invaluable tools for rescuing or repairing a system, they can also be used just as
easily to gain illicit administrative access to a system. As you will see in the lab, all that is
required is unmonitored physical access to the system.
Lab 6-1: Conducting a physical attack against a Windows Server 2003 system
In this lab, you will use the freeware Windows NT Password And Registry Editor utility to
gain administrative access to a Windows Server 2003 system. This utility boots a
specialized version of Linux from CD and writes directly to the SAM hive of the Windows
registry on disk, without needing to know or crack the existing password. This technique
is known as "superzapping." Note that this utility edits only the local SAM; it cannot
change the passwords of domain accounts stored in Active Directory.
Note: Your instructor should supply a bootable CD that contains the Windows NT Password
And Registry Editor utility. If necessary, you can obtain an ISO image (archive disk image
file) of this program from http://home.eunet.no/~pnordahl/ntpasswd/. You can then burn
the ISO image file to a CD for use in this lab.
1. First, you will create a new account named physicaltest. Select Start |
Administrative Tools | Computer Management. Expand Local Users And Groups
in the console tree. Right-click Users, then select New User to open the New User
dialog box. Type physicaltest in the User Name text box.
2. Choose a password for the physicaltest account that is at least eight characters long,
incorporating as many characters as possible. Do not reveal this password to your
partner or anyone else. Deselect the User Must Change Password At Next Logon
check box.
3. Click the Create button, then click the Close button.
4. Now you will add this account to the Administrators group. Double-click the
physicaltest user in the right pane of the console to open the Properties dialog box.
Click the Member Of tab, then click the Add button to open the Select Groups dialog
box. In the box below the Enter The Object Names To Select heading, type
Administrators and click OK. Click Apply, then click OK to close all open dialog
boxes, then close the Computer Management console.
5. Change places with your partner.
6. You should now be sitting at your partner's system. Obtain the bootable CD from
your instructor, or if necessary, create one.
7. Place the bootable CD into the CD-ROM drive.
8. Properly shut down and restart the computer.
Note: Make sure that your system is configured to boot from the CD-ROM drive first.
Enter the system's BIOS (CMOS) setup and make sure the CD-ROM drive is first in the
boot order. Ask your instructor for assistance if necessary.
9. When the boot disk begins, you will see that it loads a specialized form of Linux and a
registry-editing program, as shown in Figure 6-1.

Figure 6-1: Booting from the NT Password And Registry Editor CD
10. At the boot: prompt, press ENTER.
11. Most of the program is automated and the default options are generally the ones you
will use. For almost all options, you will press ENTER to accept the suggested defaults.
The program will auto-load relevant device drivers, and Linux will take some time to
load. As it loads, try to view the partition check (it may scroll by very quickly). You
will eventually search one of these partitions for the Windows Server 2003 Security
Accounts Manager (SAM) database.
12. The program will ask you for a partition that contains the Windows installation,
as shown in Figure 6-2. For example, it might offer /dev/hda1 or /dev/hda5. Usually,
the program will discover the correct partition. If it does, press ENTER.

Figure 6-2: Specifying the Windows partition
13. The NT Password And Registry Editor program will ask you to select the full path to
the SAM file. By default, the program knows the registry directory
(windows/system32/config). This should be correct, so press ENTER.
Note: If, for some reason, the SAM is in a different directory, enter the correct path.
14. You should see a list of files in the directory, as shown in Figure 6-3. They should
include default, SAM, SECURITY, system and others. These are portions of the
registry that you can edit.

Figure 6-3: Registry files
15. As shown in Figure 6-3, the NT Password And Registry Editor program will ask which
part of the registry to load into memory. The default selection is Option 1, Password
Reset. Press ENTER to enter password-resetting mode.
16. The Windows 2003 registry contains groups of settings, called hives. The hives are
loaded and the program will present the list of options shown in Figure 6-4.

Figure 6-4: Options for loaded hives
Note: Syskey (System Key) is one of the mechanisms Windows Server 2003 uses to protect
passwords. It encrypts the password hashes stored in the SAM with an additional key.
Using NT Password And Registry Editor does not require deactivation of Syskey, nor
should you deactivate it. Instead of trying to decrypt or crack the existing hash, NT
Password And Registry Editor overwrites the chosen account's entry in the SAM with a
blank password, bypassing the need for decryption. Deactivating Syskey would instead
affect every password stored in the SAM, thus alerting the system administrator that
an intrusion has occurred. Using this attack, you alter only one account, but by then,
a hacker would probably have added a new user with administrative privileges.
17. Option 1, Edit User Data And Passwords, is selected by default. Press ENTER to
specify that you want to edit user data and passwords.
18. NT Password And Registry Editor will automatically list all local users on the
machine (that is, all the users in the SAM). You will see a list of accounts similar to
the following:

RID: 01f4 Username: <administrator>
RID: 01f5 Username: <guest> *BLANK password*
19. List several additional accounts in the space provided:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Note: The RID (Relative ID) is the final component of an account's security identifier
(SID) and is unique within the SAM. The utility prints it in hexadecimal: 01f4 is decimal
500, the built-in Administrator account, and 01f5 is 501, the Guest account. These RIDs
do not change when the accounts are renamed. For more information, consult the
Microsoft Developer Network (MSDN) and search for RID.
20. Enter the name of the physicaltest account. This specifies the account you want to
change.
21. The program displays information about the specified account and then presents a
menu of options, as shown in Figure 6-5. Type 1 and press ENTER to clear the
password.
Figure 6-5: Editing a user account
22. Type ! and press ENTER to quit the password-writing portion of the program. You are
presented with the loaded hives menu again, allowing you to specify different options
or additional accounts to change.
23. Type q and press ENTER to indicate that you want to quit the utility. The program
shows which hives have changed and asks whether you want to write those changes
back to the SAM.
24. Type y and press ENTER to write the changes to the SAM. After successfully writing
the change, the program will report that the edit is complete.
25. You are offered the option to try again in case the edit failed, as shown in Figure 6-6.
Type n and press ENTER to indicate that you are finished.

Figure 6-6: Edit complete
26. Ignore the message about job control, remove the CD from the CD-ROM drive,
and press CTRL+ALT+DEL to restart your system.
27. Log on as physicaltest and press ENTER for the password. You are able to log on
using the blank password you set. You have conducted a physical attack against
your partner's computer.
28. Switch computers so you are again sitting at the system you were using when you
began this lab.
29. Log off from physicaltest and log back on as Administrator.
The best way to secure your systems from this type of attack is to carefully control and
monitor your server room. For example, you may need to state in your security policy
that no one is allowed to approach the server room during certain times. Although
physical attacks require access to the server, this process is not difficult for a determined
hacker who knows how to defeat locks and improperly constructed rooms that have, for
example, "false ceilings" that allow a person to crawl into the server room.

Case Study
Stung!
Alexander was evaluating system metrics in the locked server room when there came an
insistent knock on the door. A man wearing a Pest-Free Exterminating uniform and
carrying an insecticide tank, a black light and a stepladder informed him that building
management had contracted his company to remedy a scorpion infestation. The
exterminator pointed to the ceiling tile above the five Linux servers and explained that
several large nests had been discovered in the ceiling, scattered in numerous locations on
the fifth floor. The exterminator wanted to spray inside the ceiling in the server room and
remove any nests that might be discovered.
The exterminator explained that while the insecticide was still wet, it could cause
dizziness and nausea, even though it was technically safe for humans to breathe the
fumes. However, the insecticide would be dry in 10 minutes. The exterminator also
advised that there was a strong possibility that some scorpions might drop out of the
ceiling when he removed the tile, and that Alexander might want to leave the room.
Alexander had a strong fear of scorpions, but he also knew that unauthorized visitors in
the server room were prohibited by the corporate security policy, and that even an
authorized visitor should not be left alone in the server room.
Alexander phoned the building management and confirmed that Pest-Free
Exterminating had indeed been hired to handle the scorpion problem.
Alexander then attempted to phone two other members of the IT team to see if one of
them would be willing to remain in the server room while the exterminator went
scorpion hunting, but Alexander was unable to reach either of them.
After reconfirming with the exterminator that several scorpions could fall from the
ceiling, Alexander decided to wait outside.
After only about six minutes, the exterminator emerged from the server room and
showed Alexander four dead scorpions. The exterminator assured him that there
were none lingering in the server room.
Four days after the exterminator's visit, confidential company data appeared on the
Internet, and the IT team found themselves locked out of the company Web server and
database server.
* * *
As a class, discuss what most likely transpired in the server room while the exterminator
was left unattended.
What other steps could Alexander have taken to ensure the safety of the company assets?

Lesson Summary
Application project
Superzap was an IBM utility that allowed administrators or other highly trusted
individuals to override system security in order to repair the system in case of an
emergency. Abuse of Superzap and similar utilities has given rise to a type of attack
called superzapping.
Research the Superzap utility and the process known as superzapping. Why are such
utilities useful? What are the risks? Do the risks outweigh the benefits? Why is
superzapping so difficult to trace back to a perpetrator? Are there superzap-type utilities
on the operating system used in your corporation, school or home? How can these
utilities be locked down? Should they be locked down?
Skills review
In this lesson, you learned about the key principles to consider when implementing
security at your site. Security entails a balance among security requirements, company
needs and political concerns such as training upper management and long-term
employees. Finally, you learned fundamental questions to ask, and you learned to
consider both systemwide security needs and those of individuals in the company. If you
adhere to the principles discussed in this lesson, you will be able to create a security
infrastructure that is not only efficient, but also understood and followed by everyone in
your organization.
Now that you have completed this lesson, you should be able to:
- 1.3.1: Identify the universal guidelines and principles of effective network security.
- 1.3.2: Define amortization and chargeback issues related to network security
architectures.
- 1.3.3: Use universal guidelines to create effective specific solutions.


Lesson 6 Review
1. How is network latency related to security?


2. Why has network security become a central business issue?



3. What are some options for increasing physical security?


4. How can you minimize the damage that a hacker might cause?


5. Why must training be targeted to different individuals in a company?










Lesson 7:
Protocol Layers and Security
Objectives
By the end of this lesson, you will be able to:
- 1.3.4: Identify potential threats at different layers of the TCP/IP stack.
- 1.3.7: Secure TCP/IP services, including HTTP, FTP.
- 1.4.6: Identify routing issues and security.
- 1.4.7: Determine the causes and results of a denial-of-service (DOS) attack.

Pre-Assessment Questions
1. What element of TCP is exploited by connection hijacking attacks?
a. The handshake
b. The initial connection
c. The final connection
d. The ACK bit
2. Which of the following can cause misrouting of e-mail?
a. Cache poisoning
b. A distributed denial-of-service attack
c. DNS poisoning
d. Illicit zone transfers
3. Describe the legitimate and malicious uses of ICMP.
For legitimate uses, ICMP packets are most often used to troubleshoot connectivity. The
ping program can be used to test name resolution, as well as whether or not a system
is up. For illegitimate uses, hackers can use ICMP to wage denial-of-service attacks
against servers. Using relatively simple applications and equally modest bandwidth, a
hacker can quickly fill up a corporation's T3 line with ICMP packets.

TCP/IP Security Introduction
Experienced hackers understand how to exploit standard TCP/IP operations, which are
often known as the TCP/IP protocol stack. They know how a packet is constructed and
routed. You need a clear understanding of these issues too.
Security administrators need extensive knowledge of the TCP/IP suite for many reasons.
To properly program firewall filters, the security administrator must have a deep
understanding of the IP and TCP/UDP layers of TCP/IP. Hackers often exploit certain
areas of the TCP/IP stack to compromise network security.
TCP/IP and network security
The Internet and TCP/IP are often synonymous. When the Internet was first created in
the 1960s, the furthest thing from the creators' minds was security. The biggest
difficulties with the Internet, or ARPAnet as it was initially called, were not security-
related issues but operational problems. The creators were concerned about making the
network functional, not whether or not a hacker would try to break in. Thus, the Internet
and TCP/IP were not designed around strong security principles. Security mechanisms
are constantly being "retrofitted" to work with existing networks and TCP/IP.
In this lesson, you will learn the critical aspects of each of the TCP/IP layers. After you
have a good understanding of the layers, you will learn how a TCP/IP packet is
constructed and about the core files used to configure a host.
Much of the following information may be review, but you need to understand TCP/IP
and the packet-creation process so you can best protect your network. You will also learn
how hackers exploit specific "holes" in TCP/IP to gain access to networks, because you
need a solid foundation in these concepts so you can effectively implement firewalls and
proxy servers. We will begin with a review of the OSI reference model.
OSI Reference Model Review
The Open Systems Interconnection reference model (OSI/RM) is a seven-layer
network function model that was defined by the International Organization for
Standardization (ISO). The OSI/RM consists of the seven layers described in Table 7-1.
Table 7-1: OSI/RM layers
Layer 7, Application: Provides the interface to the user in a networking environment.
Networking applications such as file transfer and e-mail function here.
Layer 6, Presentation: Provides useful transformations on data to support a standardized
application interface and general communications services. Encryption occurs at this
layer.
Layer 5, Session: Responsible for describing how protocols build up and tear down
connections (or sessions). Also adds traffic flow and synchronization information.
Layer 4, Transport: Provides reliable, transparent transport between endpoints (the source
and destination hosts). Also supports end-to-end error recovery and flow control. This
layer is responsible for the accuracy of data transmission.
Layer 3, Network: Responsible for logical addressing. Organizes data into packets.

TCP/IP protocol stack: The hierarchy of protocol levels established according to the Open
Systems Interconnection (OSI) model. The stack is the portion of the operating system that
transmits and receives information on a network.
OBJECTIVE 1.3.4: Threats in TCP/IP stack layers
Open Systems Interconnection reference model (OSI/RM): A layered network architecture
model of communication developed by the ISO. Defines seven layers of network functions.
Table 7-1: OSI/RM layers (cont'd)
Layer 2, Data link: Defines how data is formatted for transmission and how access to the
network is controlled. This layer prepares the information so it can be placed on the
transmission medium, such as a copper wire. In the IEEE 802 series of LAN standards, the
data link layer is divided into two sublayers: the Logical Link Control (LLC) layer and
the Media Access Control (MAC) layer.
Layer 1, Physical: Associated with transmission of unstructured bitstreams (electrical
impulses, light or radio signals) over a physical link (such as copper wire or fiber-optic
cable). This layer controls how data is transmitted and received across the media.

Like any other networking model, the OSI/RM reminds us of how systems communicate
with one another. For Host A to "talk" to Host B, Host A must encapsulate its data and
send it over the network to Host B. Host B must then de-encapsulate the data. That is,
an application on Host A may pass a request down through the layers of the OSI/RM to
the physical media, and an application on Host B will pull that request up from the
physical media through the layers of the OSI/RM in order to process and present the
request, as illustrated in Figure 7-1.

Figure 7-1: OSI model layers
In the preceding figure, the left column contains the seven OSI/RM layers that exist on
the client. The right column contains the same seven layers that exist on the server. The
upper four layers are used whenever a message passes to or from a host. The lower three
layers are used whenever a message passes through a host. If the message is addressed
to the particular host, the message is passed to the upper layers. If the message is
addressed to another host, it is not passed to the upper layers, but is forwarded to
another host.
Data Encapsulation
The process of passing information through the layers is called encapsulation or
packetization. A Protocol Data Unit (PDU) is a packet of information that is created by a
computer and passed from one layer of the OSI/RM to another. A PDU contains
information specific to each layer. Each layer adds a header to the data being passed
through it to prepare it for transfer. At the end of the encapsulation process, a frame is
formed.
Packet creation: Adding headers
The packet-creation process begins with Layer 7 (the application layer) of the OSI/RM,
and continues through Layer 1 (the physical layer). For example, when you send an
e-mail message or transfer a file from one computer to another, this message or file
undergoes a transformation from a discrete (i.e., complete) file into smaller pieces of
information (packets). Beginning with the application layer of the OSI/RM, the file
continues to be divided until the initial discrete message becomes smaller, more
manageable pieces of information sent at the physical layer.
As shown in Figure 7-2, each layer adds its own information (the header) to the packet.
This information enables each layer to communicate with the others, and also allows the
receiving computer to process the message. Keep in mind that each layer considers
whatever has been passed down to it from an upper layer to be "data." It treats the entire
higher-layer message as a data payload. It does not concern itself with what was added
by the upper layers.

Figure 7-2: Headers added at each level of the OSI/RM
Data, segments, packets and frames
The terms data, segment, packet and frame are the protocol data unit names assigned to
information at specific points in the encapsulation process. That is, they refer to
information at the application (and presentation and session), transport, network and
data link layers, respectively. An item of information is considered data as it is generated
and passed down through the upper three layers of the OSI, which are often collectively
known as the application layer.
Removing headers
When a receiving host processes a packet, it reverses the packet-creation process and de-
encapsulates or removes each header, beginning with Layer 1 and ending with Layer 7.
All that is left at the end of this process is the original, unaltered data, which the host
can then process.
Peers
Network communication is based on the principle of peer layers. In a single system, each
OSI layer has one or two adjacent layers (the layer above it and the layer below it) with
which it interacts. For example, the data link layer receives packets from the network
layer. The data link layer encapsulates the packets into frames and then passes them to
the physical layer.
On the receiving end of a communication is another system. Within that receiving
system, any given layer communicates only with that same layer on the sending system.
That is, when the network layer on the sending system adds information (e.g., a
destination IP address), that information will be of use only to the network layer (its peer)
on the receiving system.
The TCP/IP Stack and the OSI Reference Model
Aside from the OSI/RM, there are several networking models in use today. Similar to
other networking models, the TCP/IP architecture divides protocols into layers. Each
layer is responsible for specific communication tasks, and each layer coincides with
layers of the OSI/RM. The TCP/IP stack contains four layers. Figure 7-3 shows the
correlation between the OSI model and the TCP/IP stack. To better understand TCP/IP,
compare it to the OSI model.

Figure 7-3: OSI model and TCP/IP stack (figure labels: User programs; Operating system or
IP stack; Peripherals and network equipment)
The comparison of the TCP/IP stack and the OSI model is one of interpretation. The
transport layer in the TCP/IP model is sometimes considered to correspond to the session
and transport layers of the OSI model.
Link/Network Access Layer
The link/network access layer of the TCP/IP stack is composed of the electronic signals
transmitted over the wire. The type of media across which the signals are sent defines
this layer. Some examples of media are fiber, coaxial cable, twisted pair and free space
(infrared, short-range wireless, microwave, satellite). Little security protection is available
for the link/network access layer. If a potential hacker has access to the physical media,
such as a wiretap or sniffer, he or she will have a copy of all information sent. The only
real protection is to use encryption, data labels and traffic padding. All of these
techniques make it more difficult for a hacker to successfully use any information
obtained from a sniffer.
Network topologies
The security administrator must understand the physical layout of all segments of the
network that he or she is protecting. One of the most common hacker methods of
attacking and penetrating a network is to install a packet sniffer onto one of the
company's internal machines. Other problems in network topology include:
- Instances in which an enterprising user bypasses your proxy server or
  packet-filtering firewall and connects to the Internet via another system.
- Instances in which a multi-homed system is directly connected to the outside
  network, bypassing the firewall.
Remember that the link/network access layer defines the electronic signals on the media.
LANs use digital baseband transmissions (the entire media bandwidth is allocated to a
single channel). At one time, hubs were used to form a star-configured Ethernet network.
Hubs operate at the link/network access layer. A hub-based topology is often called
shared Ethernet. Because all hosts must share the bandwidth, only one can transmit at a
time. Signals are sent from a node to the hub, and the hub then sends the information
out to all remaining nodes connected to it, so any data sent on the wire will be readable
by anyone who is physically connected to the wire. A shared Ethernet network provides
for only half-duplex transmission; data can be transmitted in only one direction at a time.
In most modern Ethernet networks, switches are used to connect nodes. A switch directs
the flow of information directly from one node to another. There are several types of
switches, and each type operates at a different layer of the OSI/RM. A Layer 2 switch,
also called a LAN switch, provides a separate connection for each node in a company's
internal network. Essentially, a LAN switch creates a series of instant networks that
contain only the two devices communicating with each other at that particular moment.
Layer 2 switches operate at the data link layer (Layer 2) of the OSI model.
Switches provide full-duplex communication. A switch cross-connects all hosts connected
to it and can give each sender/receiver pair the line's entire bandwidth, instead of
sharing the bandwidth with all other network nodes. A switch can handle multiple
simultaneous communications between computers attached to it. For these reasons, it is
more difficult to sniff traffic on a switched network than it is to sniff traffic on a shared
Ethernet network.
While switched networks are not as inherently insecure as shared Ethernet networks,
they are still vulnerable to sniffing. You must be very careful when planning and
reviewing your LAN. Understanding the network layout of your computer will help
prevent unknown sniffers from being implemented.
OBJECTIVE 1.3.4: Threats in TCP/IP stack layers
Network/Internet Layer
The next layer of the TCP/IP stack is the network/Internet layer, also known as the OSI
network layer, which is used primarily for addressing hosts and routing. It does not
provide any means for error correction or flow control. The network/Internet layer uses
best-effort services to deliver datagrams. All upper-layer communication, such as TCP,
UDP, ICMP and IGMP, is encapsulated within an IP datagram. TCP and UDP will be
discussed in their own sections, but ICMP and IGMP are considered to exist only in the
network/Internet layer and therefore are addressed as separate IP-layer protocols.
Internet Protocol (IP)
An IP address is a 32-bit address that uniquely identifies a host on a TCP/IP network.
You need to understand what an IP address is and what is contained within the IP
header. The total size of an IP header is 20 bytes. An IP header contains a number of
informational and control fields, along with a source 32-bit IP address and a destination
32-bit IP address. The fields contain information such as the IP version number, length,
type of service and other configurations, as shown in Figure 7-4.

Figure 7-4: IPv4 header
Every IP datagram is an individual piece of information traveling from one host to
another. The hosts compile the received IP datagrams into a usable form. This open
architecture makes the network/Internet layer an easy target for hackers.
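The encapsulation process described in the preceding section and the 20-byte IPv4 header of Figure 7-4 are easier to hold in mind when the bytes are built and then taken apart again. The following is an added example written for this text, not code from the book: it wraps a few bytes of application data in a UDP header (Layer 4), an IPv4 header with a correct checksum (Layer 3) and an Ethernet header (Layer 2), then reverses the process the way a receiving host would. The addresses, MACs, ports and the IP identification value are constructed sample values.

```python
import struct

# Constructed sample values (assumptions for the demo, not from the text): documentation
# addresses, locally administered MACs and a DNS-style destination port.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.20"
SRC_PORT, DST_PORT = 40000, 53
ETHERTYPE_IPV4, IPPROTO_UDP = 0x0800, 17
IPV4_HDR = "!BBHHHBBH4s4s"   # the ten fields of the 20-byte IPv4 header (Figure 7-4)


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def add_udp_header(data: bytes, sport: int, dport: int) -> bytes:
    """Transport layer (Layer 4): application data becomes a segment."""
    # UDP checksum left at 0, which IPv4 permits; it keeps the example focused on framing.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def add_ip_header(segment: bytes, src: str, dst: str, proto: int) -> bytes:
    """Network layer (Layer 3): the segment becomes a packet with a 20-byte IPv4 header."""
    ver_ihl = (4 << 4) | 5                   # version 4, header length 5 x 32-bit words
    hdr = struct.pack(IPV4_HDR, ver_ihl, 0, 20 + len(segment), 0x1234, 0, 64, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill checksum field
    return hdr + segment


def add_ethernet_header(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Data link layer (Layer 2): the packet becomes a frame."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def encapsulate(data: bytes) -> bytes:
    """Sending host: pass the data down, each layer prepending its own header."""
    segment = add_udp_header(data, SRC_PORT, DST_PORT)
    packet = add_ip_header(segment, SRC_IP, DST_IP, IPPROTO_UDP)
    return add_ethernet_header(packet, SRC_MAC, DST_MAC)


def header_checksum_ok(packet: bytes) -> bool:
    """Recomputing the checksum over a header that already carries it yields zero."""
    ihl = (packet[0] & 0x0F) * 4
    return ip_checksum(packet[:ihl]) == 0


def decapsulate(frame: bytes) -> dict:
    """Receiving host: strip headers from Layer 2 upward. Each layer reads only the header
    written by its peer and hands the rest up as opaque data."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]
    if not header_checksum_ok(packet):
        raise ValueError("bad IPv4 header checksum")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    segment = packet[(ver_ihl & 0x0F) * 4:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", segment[:8])
    return {"ethertype": ethertype, "version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
            "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
            "sport": sport, "dport": dport, "data": segment[8:ulen]}
```

Note that nothing in the IPv4 header authenticates the source field: `decapsulate` can confirm that the header arrived intact (the checksum) but has no way to confirm that `src` is true, which is the weakness the next section describes.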
IP-based communication has the following weaknesses:
- Packets are not signed: As a result, IPv4 provides no authentication; there is no
  way to determine exactly where a packet originated.
- Packets are not encrypted: Information is not encrypted by default in IPv4 as it
  passes across the network wire. Thus, IPv4 does not guarantee confidentiality.
- Packets can be manipulated easily: For example, it is possible to use a special
  application to forge IP headers so that packets generated by one host appear to come
  from another. The receiving host cannot determine that the source IP address is
  inaccurate, and upper-layer protocols must perform some type of check to prevent
  this problem. This practice is called IP address spoofing. It is also possible to spoof
  source and destination ports in TCP/IP.

Another tactic often found at this layer exploits source-routed IP datagrams, which
have been created to travel only a specific path. This exploit is called source routing.
Often, these types of datagrams are created to circumvent security measures such as
firewalls.
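Because a host cannot tell a forged source address from a real one, the practical defence is applied at the network boundary: a packet arriving on the outside interface that claims an inside source address cannot be genuine, and a datagram carrying a source-route option has no legitimate reason to cross a firewall. The following added example (written for this text, not the book's or any product's code) makes both decisions on raw IPv4 headers. The interface name, the internal prefixes and the test packets are constructed assumptions.

```python
import ipaddress
import struct

# Constructed policy (assumptions, not from the text): the outside interface is "eth0" and
# the networks behind the firewall are 10.0.0.0/8 and 192.168.0.0/16.
OUTSIDE_IFACE = "eth0"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LSRR, SSRR = 131, 137        # IPv4 option types: loose and strict source route
IPV4_HDR = "!BBHHHBBH4s4s"


def parse_ipv4(packet: bytes) -> dict:
    """Pull out the fields a filter needs; options follow the fixed 20 bytes when IHL > 5."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "options": packet[20:ihl]}


def source_route_options(options: bytes) -> list:
    """Walk the option list and return the types of any source-route options found."""
    found, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                     # truncated or malformed option: stop parsing
        if kind in (LSRR, SSRR):
            found.append(kind)
        i += options[i + 1]
    return found


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def filter_decision(iface: str, packet: bytes) -> tuple:
    """Return (verdict, reason) for a packet seen on interface `iface`."""
    hdr = parse_ipv4(packet)
    if source_route_options(hdr["options"]):
        return ("DROP", "source-routed datagram")
    if iface == OUTSIDE_IFACE and is_internal(hdr["src"]):
        return ("DROP", "spoofed internal source on outside interface")   # ingress filter
    if iface != OUTSIDE_IFACE and not is_internal(hdr["src"]):
        return ("DROP", "non-internal source leaving from inside")         # egress filter
    return ("ACCEPT", "")


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed test-packet builder: a header (no payload) with optional IP options."""
    while len(options) % 4:           # options are padded to a 32-bit boundary
        options += b"\x00"
    ihl = 5 + len(options) // 4
    hdr = struct.pack(IPV4_HDR, (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options
```

The egress check matters as much as the ingress one: it stops a compromised inside host from emitting packets with forged sources, which is what the flooding tools mentioned later in this lesson rely on.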
OBJECTIVE 1.3.4: Threats in TCP/IP stack layers
OBJECTIVE 1.4.7: Denial-of-service (DOS) attacks
OBJECTIVE 1.4.6: Routing issues and security
Internet Control Message Protocol (ICMP)
The Internet Control Message Protocol (ICMP) communicates errors or other conditions at
the network/Internet layer. An ICMP message is an extension to the IP header and also
consists of several levels. Normally ICMP messages are quite useful. For example, when
you ping a host to see if it is operational, you are generating an ICMP message. The
remote host will respond to the ping with an ICMP message of its own. This process is not
normally a problem with most networks.
However, there are more ICMP message types than those used by the common ping
program.
ICMP message types
Each ICMP message contains three fields that define its purpose and provide a
checksum. They are the TYPE, CODE and CHECKSUM fields. The TYPE field identifies
the ICMP message, the CODE field provides further information about the associated
TYPE field, and the CHECKSUM field provides a method for determining the integrity of
the message. Table 7-2 provides a list of the ICMP types.
Table 7-2: ICMP message types
Type 0, Echo Reply: The packets that are sent back whenever you use the standard ping
command to send echo request packets.
Type 3, Destination Unreachable: What is sent back by a router whenever a host, network
or port is unreachable. This type contains arguments that have 15 additional values,
including:
  0: Network unreachable.
  1: Host unreachable.
  3: Port unreachable.
  7: Destination host unknown.
Type 4, Source Quench: Sent whenever the destination cannot handle the amount of traffic
being received.
Type 5, Redirect Message: Used by an intermediate router if it knows of a better route for
a packet than the one originally found in the packet. This message supports four
additional arguments:
  0: Redirect datagrams for the network
  1: Redirect datagrams for the host
  2: Redirect datagrams for the type of service and network
  3: Redirect datagrams for the type of service and host
Type 8, Echo Request: The ICMP message issued when you use the ping command.
Type 11, Time Exceeded: Sent by a host whenever a packet's TTL (time to live) has expired,
and the packet has not been delivered or replied to in time.
Type 12, Parameter Problem: Issued by a host that drops a packet because it was
malformed. Messages with the value of 1 indicate that a required element of the packet
was missing. Messages with the value of 0 contain information about where the packet
experienced the problem.
Table 7-2: ICMP message types (cont'd)
Types 13 and 14, Timestamp Request and Reply: Used to synchronize time between two hosts.
Types 15 and 16, Information Request and Reply (Obsolete): At one time used by systems to
obtain IP addresses. Replaced by DHCP.
Types 17 and 18, Address Mask Request and Reply: Used at boot time by computers that need
to learn the subnet mask used in a network. Hosts reply with type 18.
A firewall can block any or all of these message types. Sometimes, network
administrators choose to block only certain types; others will block all traffic after the
network has been configured and tested.
Why block ICMP?
ICMP messages have traditionally been used to attack remote networks and hosts.
Attacks involving the Tribal Flood Network (TFN) series of programs have used ICMP to
consume bandwidth and effectively crash sites.
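Blocking ICMP is a choice between the diagnostic value of the types in Table 7-2 and their abuse. The following added example (written for this text, not the book's code) parses the TYPE, CODE and CHECKSUM fields, applies a constructed border policy that keeps the types a network needs while dropping Redirect and Source Quench, and counts echo requests per source so that a flood of the kind TFN generated is noticed rather than silently absorbed. The policy, the threshold and the sample messages are assumptions; the code 4 meaning (fragmentation needed) is from RFC 792 rather than from the table.

```python
import struct
from collections import defaultdict, deque

# ICMP types from Table 7-2
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT = 0, 3, 4, 5
ECHO_REQUEST, TIME_EXCEEDED, PARAMETER_PROBLEM = 8, 11, 12
PORT_UNREACH = 3      # Destination Unreachable code 3 (Table 7-2)
FRAG_NEEDED = 4       # Destination Unreachable code 4: fragmentation needed and DF set


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the ICMP CHECKSUM field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_icmp(msg: bytes) -> dict:
    """Split an ICMP message into TYPE, CODE and CHECKSUM and verify the checksum."""
    icmp_type, code, checksum = struct.unpack("!BBH", msg[:4])
    return {"type": icmp_type, "code": code, "checksum": checksum,
            "checksum_ok": ones_complement_sum(msg) == 0xFFFF, "rest": msg[4:]}


def border_policy(icmp_type: int, code: int, from_outside: bool) -> str:
    """Constructed policy (an assumption): what an Internet-facing firewall does with a type."""
    if icmp_type in (REDIRECT, SOURCE_QUENCH):
        return "DROP"            # nothing outside should rewrite our routes or throttle us
    if icmp_type == ECHO_REQUEST:
        return "RATE_LIMIT" if from_outside else "ACCEPT"
    if icmp_type in (ECHO_REPLY, TIME_EXCEEDED, PARAMETER_PROBLEM):
        return "ACCEPT"          # ping replies, traceroute and error reporting still work
    if icmp_type == DEST_UNREACH and code in (PORT_UNREACH, FRAG_NEEDED):
        return "ACCEPT"          # dropping code 4 breaks path-MTU discovery
    return "DROP"


class EchoFloodDetector:
    """Flags a source that sends more than `threshold` echo requests within `window` seconds."""

    def __init__(self, window: float = 1.0, threshold: int = 100):
        self.window, self.threshold = window, threshold
        self.seen = defaultdict(deque)     # source address -> recent echo-request timestamps

    def observe(self, src: str, msg: bytes, now: float) -> bool:
        if parse_icmp(msg)["type"] != ECHO_REQUEST:
            return False
        q = self.seen[src]
        q.append(now)
        while q and now - q[0] > self.window:  # drop timestamps that fell out of the window
            q.popleft()
        return len(q) > self.threshold


def make_icmp(icmp_type: int, code: int, rest: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Constructed message builder with a valid checksum, for feeding the functions above."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    chk = (~ones_complement_sum(body)) & 0xFFFF
    return struct.pack("!BBH", icmp_type, code, chk) + rest
```

The detector keys on the source address only, so a flood that spoofs many sources (as the IP section explained it can) will spread across buckets; a per-destination counter, or the ingress filter from the previous section, covers that case.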
Transport Layer
The transport layer of the TCP/IP stack controls the flow of information between hosts.
Two protocols exist at the transport layer: Transmission Control Protocol (TCP) and User
Datagram Protocol (UDP). You should be familiar with various aspects of the transport
layer so you can implement key Internet security measures. The services provided by TCP
and UDP are different and must be addressed individually from a security standpoint.
Transmission Control Protocol (TCP)
TCP is a connection-oriented protocol; that is, for two computers to communicate, they
must go through a "handshaking" process and an information exchange. After these steps
have been accomplished at both ends, a connection through which traffic passes is in
place. TCP yields such things as guaranteed delivery. FTP is a well-known TCP-based
protocol. After the connection has been established and data begins to be transferred, if
any of the pieces get lost in the process, TCP will have them retransmitted.
TCP is the protocol used by most Internet services, including HTTP (the World Wide Web),
FTP and SMTP (e-mail).
The TCP handshake
The key to understanding and securing the TCP traffic used by your network is to
understand the TCP handshake process when a connection is established. You should
review the TCP handshake, because it is often manipulated by hackers.
The TCP header
The TCP header's flag field establishes and terminates a basic TCP connection. Three
flags accomplish this process, as follows.
- SYN synchronizes the sequence numbers
- FIN signals that no more data will be transmitted from the sender
- ACK identifies acknowledgment information in the packet
OBJECTIVE 1.3.4: Threats in TCP/IP stack layers
Establishing a TCP connection: SYN and ACK
For the TCP connection to be established, a three-way handshake must be completed.
The three-way handshake consists of the following steps (this example uses the
client/server model).
1. The client (or requesting end) performs an active open by activating the SYN flag in
the TCP header. The TCP header also contains:
   - The desired port number for connection.
   - The sequence number field with the Initial Sequence Number (ISN). This number
     is generated randomly, and is used to synchronize the client and server when
     they transfer data on the bytestream.
2. The server performs a passive open by sending its own SYN to the client that
specifies:
   - The server's ISN.
   - An acknowledgment (ACK) of the client's SYN.
3. Finally, the client returns an ACK to the server. The client and server can now
transfer data using the bytestream, and the connection is established.
Figure 7-5 illustrates this entire process.

Figure 7-5: Establishing TCP connection (figure labels: Active Open: SYN flag, ISN and
desired port number. Passive Open: SYN flag, ISN and ACK. ACK.)
Terminating a TCP connection: FIN and ACK
Because TCP connections are full-duplex, terminating a TCP connection requires four
steps. Full-duplex means that data can flow in both directions independently. Therefore,
both connections must be closed.
To close TCP connections properly, either host can send a FIN (i.e., activate the FIN flag
in the TCP header). When one host receives a FIN, it must close data flowing in the other
direction by sending a FIN to the application at the other end. Most applications close
data flow in both directions at the end of a session. However, closing only one direction
and operating in a half-closed mode is possible.
The four basic steps for terminating a TCP connection are:
1. The server performs an active close by activating the FIN flag (the client usually exits
the application, but the server initiates the TCP connection termination). This action
terminates the data flow from the server to the client.
2. The client performs a passive close by sending an ACK to the server.
3. The client also sends its own FIN to the server to terminate data flow from the client
to the server.
Authorized to be used in American Public University System.
To report abuse, go to www.CIW-certified.com/abuse.

Subscription Expiration 09/12/2010
7-12 Network Security and Firewalls
2009 Certification Partners, LLC All Rights Reserved. Version 7.0
4. Finally, the server sends an ACK back to the client. The TCP connection is
terminated. Figure 7-6 illustrates this entire process.
Figure 7-6: Terminating TCP connection (active close: FIN flag, stops server-to-client
data flow; ACK; passive close: FIN flag, stops client-to-server data flow; ACK)

Normally, the FIN is created by the application. However, the ACK that responds
to each FIN is automatically generated by TCP.

To program a packet-filtering firewall, you must understand how a TCP connection starts
and ends.
Attacking TCP
The most common attack with TCP is called a SYN flood attack. A SYN flood begins the
TCP session process by issuing a SYN request. However, the SYN request is not complete
and leaves the connection request unfinished. The hacker will continue to issue modified
SYN requests until the remote host can no longer respond to any new TCP connection
requests. The hacker has then effectively crashed the remote host because the remote
host cannot respond to any more hosts.
One can also predict the sequence number of each TCP packet. Doing so enables an
individual to hijack connections.
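The handshake and four-step close described above, and the half-open state a SYN flood leaves behind, worked through in an added connection tracker (example code written for this edition, not from the CIW guide). It also shows the stateless "drop inbound SYN without ACK" rule a packet filter derives from the handshake; the addresses, sequence numbers and the flood threshold of 10 are constructed values.

```python
"""TCP connection tracker with a half-open (SYN flood) report. Added example for
this lesson, not code from the CIW guide; state names follow the handshake and
four-step close described above, and all segments are constructed inline."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str           # sender "ip:port"
    dst: str           # receiver "ip:port"
    flags: frozenset   # subset of {"SYN", "ACK", "FIN"}
    seq: int           # sequence number (the ISN on a SYN)
    ack: int = 0       # acknowledgment number, meaningful when ACK is set


class Tracker:
    """Follows each (client, server) pair through connection setup and teardown."""

    def __init__(self):
        self.state = {}   # (client, server) -> state name
        self.isn = {}     # (client, server) -> [client ISN, server ISN]
        self.closer = {}  # (client, server) -> endpoint that sent the first FIN

    def observe(self, seg):
        f = seg.flags
        fwd, rev = (seg.src, seg.dst), (seg.dst, seg.src)
        key = fwd if fwd in self.state else rev if rev in self.state else None
        # Handshake step 1: active open, a SYN without ACK creates a new entry.
        if key is None:
            if f == {"SYN"}:
                self.state[fwd], self.isn[fwd] = "SYN_SENT", [seg.seq, None]
                return "SYN_SENT"
            return "IGNORED"
        state, isn = self.state[key], self.isn[key]
        from_client = seg.src == key[0]
        # Handshake step 2: the server's SYN carries an ACK of the client's ISN.
        if state == "SYN_SENT" and not from_client and f == {"SYN", "ACK"} \
                and seg.ack == isn[0] + 1:
            isn[1] = seg.seq
            self.state[key] = "SYN_RECEIVED"   # half-open until the client ACKs
        # Handshake step 3: the client's ACK of the server's ISN completes setup.
        elif state == "SYN_RECEIVED" and from_client and f == {"ACK"} \
                and seg.ack == isn[1] + 1:
            self.state[key] = "ESTABLISHED"
        # Close step 1: active close, either side sends a FIN.
        elif state == "ESTABLISHED" and "FIN" in f:
            self.closer[key] = seg.src
            self.state[key] = "FIN_WAIT"
        # Close steps 2 and 3: the other side ACKs (half-closed), then sends its FIN.
        elif state == "FIN_WAIT" and seg.src != self.closer[key] and "ACK" in f:
            self.state[key] = "LAST_ACK" if "FIN" in f else "HALF_CLOSED"
        elif state == "HALF_CLOSED" and seg.src != self.closer[key] and "FIN" in f:
            self.state[key] = "LAST_ACK"
        # Close step 4: the original closer ACKs the second FIN; the entry is dropped.
        elif state == "LAST_ACK" and seg.src == self.closer[key] and "ACK" in f:
            for table in (self.state, self.isn, self.closer):
                table.pop(key, None)
            return "CLOSED"
        return self.state[key]

    def half_open_by_source(self):
        """SYN_RECEIVED entries per client IP: SYNs answered but never ACKed."""
        counts = Counter()
        for (client, _server), state in self.state.items():
            if state == "SYN_RECEIVED":
                counts[client.rsplit(":", 1)[0]] += 1
        return counts

    def flood_suspects(self, threshold):
        """Client IPs holding at least `threshold` half-open connections."""
        return sorted(ip for ip, n in self.half_open_by_source().items() if n >= threshold)


def blocks_new_inbound(seg, inside):
    """Stateless filter rule: drop an inbound segment that opens a connection
    (SYN set, ACK clear); `inside` is the protected network's address prefix."""
    inbound = seg.dst.startswith(inside) and not seg.src.startswith(inside)
    return inbound and "SYN" in seg.flags and "ACK" not in seg.flags


def demo():
    """Constructed traffic: one complete session, then a burst of unfinished opens."""
    t, c, s, F = Tracker(), "10.0.0.5:40001", "10.0.0.80:80", frozenset
    session = [
        Segment(c, s, F({"SYN"}), 1000),                # client active open
        Segment(s, c, F({"SYN", "ACK"}), 5000, 1001),   # server SYN + ACK
        Segment(c, s, F({"ACK"}), 1001, 5001),          # handshake complete
        Segment(s, c, F({"FIN", "ACK"}), 5001, 1001),   # server active close
        Segment(c, s, F({"ACK"}), 1001, 5002),          # client passive close
        Segment(c, s, F({"FIN", "ACK"}), 1001, 5002),   # client's own FIN
        Segment(s, c, F({"ACK"}), 5002, 1002),          # final ACK
    ]
    states = [t.observe(seg) for seg in session]
    # A single (constructed) source opens 20 connections and never sends the ACK.
    for port in range(50000, 50020):
        attacker = f"198.51.100.9:{port}"
        t.observe(Segment(attacker, s, F({"SYN"}), port))
        t.observe(Segment(s, attacker, F({"SYN", "ACK"}), 7000, port + 1))
    return states, t.flood_suspects(10)
```

Calling demo() returns the state after each of the seven segments of the full session, followed by the list of sources holding ten or more half-open connections.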
User Datagram Protocol (UDP)
UDP is a connectionless protocol. It is often used for broadcast-type protocols, such as
DHCP, or audio or video traffic. It is faster and uses less bandwidth because a UDP
connection is not continually maintained. This protocol does not guarantee delivery of
information, nor does it repeat a corrupted transfer, as does TCP. Thus, in the case of
audio or video transmission, the loss of several data packets will have little discernible
impact.
Several other protocols use UDP, such as Trivial File Transfer Protocol (TFTP). This is
simpler than FTP, and useful if authentication is not a concern. Protocols such as TFTP
require that all packets arrive, but these protocols need only ensure the delivery and
receipt of all pieces at the application level.
Realtime Transport Protocol (RTP) often uses UDP for transporting voice packets in Voice
over IP (VoIP) and multimedia connections. Protocols running at the application level
(e.g., Session Initiation Protocol [SIP] or H.323) use the Realtime Transport Control
Protocol (RTCP) to monitor the connection, and these application-layer protocols provide
for quality of service on the connection.
UDP is often used to conduct scans of systems. Applications can also forge UDP packets
to help wage distributed denial-of-service (DDOS) attacks.
Ports
Both TCP and UDP use the concept of ports. A machine running TCP/IP almost always
has many different applications running at the same time, and all must be able to
communicate simultaneously. For instance, a computer that acts as a Web server may
also serve as an FTP and mail server. A mechanism is needed to allow incoming packets
to be directed to the proper program. As a harbor has different ports, or docks, where a
ship must go to be processed, early developers gave computers a similar way to process
information.
To enable the proper directing of information, each program or service is assigned a
specific TCP or UDP port number. These port numbers are addresses by which processes
can be identified. Each port number is a 16-bit integer value that identifies a
communication channel to a specific user process. TCP and UDP protocol headers
contain both source and destination port numbers.
Thus, a network packet coming into the computer is examined to determine its source
and destination port number, and is then turned over to the appropriate program by the
operating system. Over the years, the primary port numbers have become standardized.
For instance, File Transfer Protocol (FTP) uses TCP Ports 20 and 21, the Domain Name
System (DNS) uses TCP Port 53 and UDP Port 53, and Web servers use TCP Port 80.
SNMP uses UDP Ports 161 and 162, whereas mail servers use TCP Port 25.
There are 65,536 possible ports that can be used with either TCP or UDP. The Internet
Corporation for Assigned Names and Numbers (ICANN) (previously the Internet Assigned
Numbers Authority [IANA]) has defined the first 1023 ports as well-known ports.
Well-known ports are used by TCP and UDP to identify well-known services that a host
can provide. No process is allowed to bind to a well-known port unless its effective user ID
is 0 (a user account with unlimited access privileges, such as root [Linux], supervisor
[NetWare] or administrator [Windows]). Table 7-3 lists some services and their
well-known port numbers.
OBJECTIVE 1.3.7: Securing TCP/IP services
Table 7-3: Services and well-known ports
Service                             TCP/UDP Port Number
Active FTP data                     20
Active FTP command                  21
SSH                                 22
Telnet                              23
SMTP                                25
DNS                                 53
BOOTP/DHCPv4 server                 67
BOOTP/DHCPv4 client                 68
TFTP                                69
HTTP                                80
POP3                                110
NTP                                 123
IMAP4                               143
SNMP                                161
SNMPTRAP                            162
BGP                                 179
LDAP                                389
HTTPS (HTTP over TLS/SSL)           443
DHCPv6 client                       546
DHCPv6 server                       547
LDAP Secure (LDAP over TLS/SSL)     636

A server application can use any of the undefined ports (those greater than 1023) without
contacting the ICANN. Ports above 1023 are known as "reserved" ports.
The port numbers 1024 through 49151 are referred to as registered port numbers. The
ICANN recommends certain ports within this range to be used by particular applications.
These ports are opened by processes that require sessions to occur over a long period of
time. For example, a passive FTP session would use one of these ports to carry data.
The port numbers 49152 to 65535 are not controlled or registered in any way by the
ICANN. Any client-side application can open these ports randomly when accessing remote
hosts. The ports are referred to as dynamic, private, random or ephemeral ports. These
ports are not permanently assigned to any publicly defined application.
This information is important because security depends largely upon your ability
to control network packets. You must be able to determine exactly where these
packets go, and to which computers and programs.

Application Layer
The final layer of the TCP/IP stack is the application layer, which is the most difficult to
secure. Because TCP/IP applications can perform almost without limits, you have
virtually no way to secure all application-layer programs. However, most application-layer
programs share some characteristics.
As you know, TCP/IP is primarily used in a client/server model. The application layer
best exemplifies this usage. For example, users go through Web browsers to access Web
pages. The browser is the client and the Web server is the server. The only limitation is
the number of ports on which a host can communicate. Because TCP and UDP ports are
not the same, more than 130,000 possible applications can be used over the TCP/IP
suite. Protecting a network on a per-application basis is nearly impossible, so allowing
only particular applications to communicate through the network is a much better
approach.
File Transfer Protocol (FTP)
FTP is used to send and receive files over a TCP/IP connection. FTP consists of a server
and a client. Almost every TCP/IP host has a built-in FTP client, and most servers have
an FTP server program.
OBJECTIVE 1.3.4: Threats in TCP/IP stack layers
OBJECTIVE 1.4.7: Denial-of-service (DOS) attacks
OBJECTIVE 1.3.7: Securing TCP/IP services
FTP uses two ports for communication: a control connection and a data connection. A
control connection is established using TCP Port 21. The control connection port remains
open during the entire FTP session, and is used to send control messages and client
commands between the client and server. A data connection is established using an
ephemeral port. A new data connection is created each time a file is transferred between
the client and server, which may happen several times during a single FTP session.
There are two types of FTP: active and passive. In active FTP, the ports opened on the
server are TCP Port 21 for the command port and TCP Port 20 for the data port. In
passive FTP, the data port is not always TCP Port 20.
Active FTP
In active FTP, the FTP client system connects from a random registered Port N (where N is
a port number greater than 1023) to the FTP server's command port, Port 21. The client
will elect to receive data on Port N+1 (one port higher than the port it uses to connect to
the FTP server). The client uses the PORT command to tell the server which port the
client will use for the data connection. For example, the client sends the command PORT
N+1 to the FTP server. The server will then connect back to the client's specified port from
its own data port, Port 20.
Active FTP causes problems with firewalls. Although the client initiates the command
connection with the FTP server, the client does not initiate the data connection. The client
simply tells the server which port to use. The server must then initiate the data
connection back to the client. Because the server (which is an outside system) attempts
to make a connection to an internal system (the FTP client), the client-side firewall blocks
the data connection.
Passive FTP
In passive FTP, the client system initiates both connections to the server. When
establishing an FTP connection in passive mode, the client opens two random registered
ports (N and N+1). The first port, N, contacts the FTP server on the server's Port 21,
thereby establishing the command connection. Instead of sending a PORT command (as
in active FTP), the client issues a PASV command. The PASV command tells the FTP
server to open a random registered Port P on the server (where P is a port number greater
than 1023) and to then send a PORT command back to the client. That is, the server
sends the command PORT P to the client. The PORT command tells the client which port
the FTP server will use for data, and then the client initiates the second connection from
its own Port N+1 to the server at Port P (the specified data port). Because the client
initiates both connections, the client-side firewall will not attempt to block the data
connection.
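The active and passive exchanges above, worked through in an added example (not code from the CIW guide or from any FTP implementation). It parses the real RFC 959 encoding that the text abbreviates as PORT N+1 and PORT P (the server's passive-mode reply is actually a 227 line carrying h1,h2,h3,h4,p1,p2, with port = p1*256 + p2); the addresses, ports and control-channel transcripts are constructed.

```python
"""Which side opens the FTP data connection, and will a client-side packet filter
let it through? Added example for this lesson, not code from the CIW guide. The
h1,h2,h3,h4,p1,p2 encoding is the standard RFC 959 form that the text abbreviates
as "PORT N+1" and "PORT P". The transcripts below are constructed."""
import re

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 group, or None if absent or malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_connection_setup(control_log, client_ip, server_ip):
    """Read a control-channel transcript ("C>" client lines, "S>" server lines) and
    describe the data connection it sets up. Port 0 stands for an ephemeral port."""
    for line in control_log.splitlines():
        side, _, text = line.partition(" ")
        if side == "C>" and text.upper().startswith("PORT "):
            hp = decode_hostport(text)
            if hp is not None:
                # Active mode: the server calls back from its own port 20.
                return {"mode": "active", "initiator": "server",
                        "src": (server_ip, 20), "dst": hp,
                        # A server should refuse a PORT naming a host other than its peer.
                        "peer_matches": hp[0] == client_ip}
        if side == "S>" and text.startswith("227"):
            hp = decode_hostport(text)
            if hp is not None:
                # Passive mode: the client opens the second connection itself.
                return {"mode": "passive", "initiator": "client",
                        "src": (client_ip, 0), "dst": hp,
                        "peer_matches": hp[0] == server_ip}
    return None


def client_filter_verdict(setup, inside_prefix):
    """Stateless client-side rule 'permit only connections initiated from inside':
    returns 'drop' if the data connection's first SYN would arrive from outside."""
    src_ip, dst_ip = setup["src"][0], setup["dst"][0]
    inbound = dst_ip.startswith(inside_prefix) and not src_ip.startswith(inside_prefix)
    return "drop" if inbound else "allow"


# Constructed transcripts: client 10.0.0.5 behind a filter, server 203.0.113.21.
# PORT 10,0,0,5,156,65 names 10.0.0.5:40001, i.e. N+1 for a control port N of 40000.
ACTIVE_LOG = """\
C> USER anonymous
S> 331 Please specify the password.
C> PASS guest@example.org
S> 230 Login successful.
C> PORT 10,0,0,5,156,65
S> 200 PORT command successful.
C> RETR readme.txt
"""

# 227 with 195,88 names server port P = 195*256 + 88 = 50008, above 1023 as the text says.
PASSIVE_LOG = """\
C> PASV
S> 227 Entering Passive Mode (203,0,113,21,195,88).
C> RETR readme.txt
"""


def compare_modes():
    """Run both transcripts through the filter and return (active, passive) verdicts."""
    active = data_connection_setup(ACTIVE_LOG, "10.0.0.5", "203.0.113.21")
    passive = data_connection_setup(PASSIVE_LOG, "10.0.0.5", "203.0.113.21")
    return client_filter_verdict(active, "10.0.0."), client_filter_verdict(passive, "10.0.0.")
```

compare_modes() returns ("drop", "allow"): the same filter that rejects the server's port-20 callback in active mode passes the client-initiated data connection in passive mode.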
A common exploit is to find an FTP server that accepts anonymous connections and has
write access. Hackers can then upload erroneous information to fill up all hard disk
space, in hopes that the FTP server is installed on the hard disk that contains the
operating system. If the hard disk is filled with false information from the hacker, the
overload could cause the operating system to crash. This same technique is used in
hopes that the server's log files are contained on the FTP server's hard disk. The hacker
fills the drive, preventing the log files from growing due to lack of space. The hacker then
attempts to break into the operating system or other services without being detected by
the log files.
Another common exploit against FTP servers is to copy stolen software to the server of a
third party. The hacker will then broadcast the FTP server to other hackers. The other
hackers will then upload and download the pirated software at will. No direct attack has
been aimed at the server, because all of the activity is technically legitimate. However, the
hackers have used the FTP server as a staging server for their illegal activity.
You should allow only anonymous connections to your FTP server. This method
may seem to be less secure, but is actually safer. By allowing only anonymous
connections, you do not compromise any user accounts on the FTP server. For
example, an administrator can log on anonymously, but could not log on as the
root or administrator account. Because standard FTP sends all user names and
the corresponding passwords in plaintext, your user accounts will not be
compromised by the use of FTP.
Hackers often exploit the FTP servers indirectly. For example, the FTP server could have a
buffer overflow or related bug that allows a hacker to compromise the system.
Hypertext Transfer Protocol (HTTP)
HTTP is the most widely used protocol on the Internet. HTTP uses Port 80 for the control
connection, and an ephemeral port to transfer data. Two distinct security concerns
surround HTTP. The first focuses on the viewer applications that people use, and the
second is the CGI applications used by the HTTP server.
Web browser viewer applications are used to format the different types of content. For
example, if you download a movie file, another application is needed to view the movie.
The browser requests the Web page containing the movie, and HTTP responds by sending
all the requested pages and associated content. When the client receives the movie file, it
must load a program such as Windows Media Player or RealAudio Player. Current
browsers have most of the common viewer applications pre-configured and should not be
modified unless all the related security issues have been addressed. Another concern for
Web users is the downloading of malicious ActiveX controls or Java applets. These
programs are executed on the user's computer and can contain any type of code,
including trojans or viruses. The best way to protect your users is to educate them about
what these programs can do, and caution them to avoid downloading unverified code.
The HTTP servers must also be protected. The HTTP server is akin to an FTP server in its
most basic form. When a Web user requests an HTTP page, the HTTP server retrieves the
page from its hard disk and sends the page to the client. The client must properly format
the page. However, these types of Web servers are very simplistic and do not provide a
pleasant experience for users. To expand and extend the capabilities of a Web server,
extended applications can be added to an HTTP server. Extended applications include
such things as Java programs, CGI programs, Active Server Pages and numerous other
possibilities. These programs introduce a number of security holes. When a Web server
starts executing code, it may be exploited. These programs are used to exploit a Web
server in two ways: first, by modifying how the current HTTP server's programs are
executed, and secondly, by placing a trojan on the HTTP server that the HTTP server later
executes.
HTTP servers also commonly become victims of hackers who use them to store files.
Some hackers can "own" a site and then use it illicitly as their own personal Web server.
Telnet
Telnet is used for remote terminal access and can be used to administer a UNIX machine.
Windows Server 2003 provides one installation of Telnet server, which can support
multiple clients at the same time. The Telnet Server service is disabled by default in
Windows Server 2003. To enable the service, you must set the startup type to manual.
OBJECTIVE 1.3.7: Securing TCP/IP services
Telnet was first considered relatively secure because it requires the remote user to log on.
However, many versions of Telnet send all user names and passwords in plaintext.
Experienced hackers can also hijack a Telnet session in progress. Given the security
ramifications of using Telnet, take care when using the protocol. Telnet should be used
only when you can verify the entire network connecting the client and server. Therefore, it
should not be used over the Internet. You should also filter all Telnet traffic at the
firewalls. A series of programs function similarly; they are called the r series, and include
rsh (remote shell) and rlogin (remote login). The same security concerns associated with
Telnet are also valid when using the r programs.
The default Telnet server options in Windows Server 2003 are generally
compatible with most Telnet clients. Authentication may be provided through
Kerberos v5, SSL/TLS, NTLM authentication, digest authentication or Passport
authentication. NTLM is the authentication protocol for computers that are not
participating in a domain, such as stand-alone servers and workgroups.
Many systems administrators have replaced Telnet and the r-series applications with
Secure Shell (SSH). You can learn more about SSH at www.ssh.com. SSH encrypts all
transmissions and also allows for authentication via public-key encryption.
Simple Network Management Protocol (SNMP)
SNMP allows administrators to check the status and sometimes modify the configuration
of remote hosts, especially routers, switches and wireless devices. SNMP-compliant
network devices (called SNMP nodes) can be centrally controlled by an SNMP manager.
Three versions exist: SNMPv1, SNMPv2 and SNMPv3. All versions of SNMP use UDP Ports
161 and 162.
SNMPv1
SNMPv1 is the most common and least secure because it uses a simple text string (also
called a community name) to authenticate users. A community is the term used by SNMP
to authenticate nodes with managers and vice versa. If a manager and a node have the
same community name, all SNMP queries are allowed. If a hacker were able to
compromise the community names, he or she could query and modify the SNMP nodes
used on the network. SNMPv1 also does not encrypt communications. That is,
information is transferred in plaintext. A hacker connected to any portion of the network
connecting a node with a manager could retrieve the information, including the
community name. SNMPv1 should not be used over any public network, especially the
Internet. SNMP is a viable network management solution within a company's private
network, but all SNMP traffic should be filtered at the firewall.
SNMPv2
SNMPv2 is the least often used. It offers some improvements in security and
confidentiality over version 1, but is not compatible with version 1.
SNMPv3
SNMPv3 is the current standard version of SNMP. It has robust authentication and
encryption abilities, but is less often used than SNMPv1. Remote Network Monitoring
(RMON) was created to allow the integration of statistics gathered through network
analyzers, monitors or probes with SNMP. RMON is part of SNMP.
Domain Name System (DNS)
Under normal conditions, DNS uses UDP Port 53 when resolving DNS queries. However,
it uses TCP Port 53 when conducting zone transfers and when handling other requests
larger than a certain packet size (512 bytes).
Two attacks on DNS are popular:
• DNS poisoning: In this attack, a hacker injects false data into a zone transfer. The
result of DNS poisoning is that the DNS server cache becomes populated with false
name-to-IP-address pairings. Thus, if someone were to poison the DNS cache of a
client's DNS server, any client who entered http://www.yahoo.com, for example, may
actually be sent to a hacker's site instead. Also, if a hacker is able to inject a false MX
record for a domain, the hacker would be able to intercept e-mail for an entire
domain.
• Illicit zone transfers: In this attack, a hacker imitates a DNS server and obtains
the entire DNS database.
DNS Security Extensions
DNS Security Extensions (DNSSEC) was designed to protect DNS clients from receiving
forged DNS data. All answers in DNSSEC include a digital signature. By checking the
digital signature, the client can check to see if the information received is identical to the
information on the authoritative DNS server. DNSSEC is designed to ensure the integrity
and authenticity of the data; however, it does not provide data confidentiality. DNSSEC
responses are not encrypted. DNSSEC has no part in securing zone transfers.
Zone transfers
A zone transfer is commonly accomplished in two situations:
• When a client attaches to a DNS server using nslookup and conducts a zone transfer
• When a slave (i.e., secondary) name server queries a primary server to obtain its zone
files
Hackers can attack a DNS server and obtain its zone files. The result of such an attack is
that a hacker will learn the IP addresses and computer names of all systems in that zone,
and the hacker will have an accurate map of all systems in your network. DNS zone
transfers can be secured using DNS keys or encrypting the payloads.
Securing zone transfers
You can secure your DNS server. First, you can place this server behind the firewall, then
use your firewall to block out any zone transfers. Secondly, you can configure your
system to accept zone transfer requests only from specific hosts.
Following is an example of an entry limiting zone transfers to a host with the IP address
of 192.168.2.1 on a server running either BIND version 8 or 9.
options {
    directory "/var/named";
    allow-transfer {
        192.168.2.1;
    };
};

Limiting zone transfers in this way is effective, but consider the following question: What
would happen if a hacker were to configure his or her server with the IP address of
192.168.2.1? The hacker would then be able to receive this zone transfer. Another
solution is needed.
OBJECTIVE 1.4.6: Routing issues and security
DNS Security Extensions (DNSSEC): A set of extensions to DNS designed to protect DNS
clients from attacks. Uses digital signatures to ensure data integrity and authenticity.
BIND: Berkeley Internet Name Daemon. The most widely used daemon for resolving
names to IP addresses.
Zone signing and public-key encryption
As of BIND version 8, public-key encryption has been able to secure DNS zones and zone
transfers. The use of public-key encryption secures zone transfers in two ways. First, it
encrypts the actual data transfer, thereby reducing the possibility of DNS zone poisoning.
Secondly, it enhances authentication, because the server will exchange data only with
another server that has the proper public key. This action supplements the standard
method of zone transfers, which relies solely upon IP-based access control and
authentication. You can learn more about signing DNS zone files at
www.isc.org/products/BIND.
Additional application layer protocols
Following is a list of additional application-layer protocols that you will probably
encounter as a systems administrator.
• Session Initiation Protocol (SIP) uses UDP Port 5060 by default. SIP will use
TCP Port 5060 if a UDP attempt fails. You can also specify a non-standard port.
• H.225 call signaling uses TCP Port 1720.
• Post Office Protocol 3 (POP3) uses TCP Port 110.
• Simple Mail Transfer Protocol (SMTP) uses TCP Port 25.
• Internet Relay Chat (IRC) uses TCP Ports 194 and 6667, and UDP Ports 194 and
6667.
• RealServer and RealPlayer: RealServer uses Port 80 by default, unless a Web
server is installed. Then, it will use Port 8080 by default. RealPlayer uses an
ephemeral port to attach to a RealServer port. Both UDP and TCP are supported,
though newer versions of RealServer default to using TCP.
• ICQ, an instant messaging program, uses TCP Port 4000.
• Network File System (NFS) uses UDP Port 2049.
• Sun Remote Procedure Call (RPC) uses TCP and UDP Port 111.
• Network Information System (NIS) uses TCP Port 901.
Many firewalls, for example Linux systems using packet-filtering applications
such as ipchains or iptables, require special daemons or modules to support
many of the protocols discussed here. The daemons or modules are necessary
so the packets can be transferred from a private network to the public network
and back again. FTP often requires such special treatment, as well.
In the following lab, you will configure Windows Server 2003 to filter port connections.
Suppose you work for your company's IT department, and your manager has directed you
to add security to the network that employees use. Protecting a network on a per-
application basis is nearly impossible, so allowing only particular applications to
communicate through the network is a much better approach. You can do this by
specifying only certain ports to accept connections, thus limiting traffic with the Internet
at large.
Lab 7-1: Enabling TCP/IP filtering on Windows Server 2003
In this lab, you will configure Windows Server 2003 so that it will accept connections only
on ports you specify.
1. Ensure the FTP service is installed and started in XAMPP: Select Start | All
Programs | Apache Friends | XAMPP | XAMPP Control Panel to open the XAMPP
Control Panel Application, as shown in Figure 7-7. If the FileZilla service is not
running, start it (i.e., the XAMPP Control Panel Application should appear as shown
in Figure 7-7, with Apache, MySQL and FileZilla all running). Close the XAMPP
Control Panel Application.

Figure 7-7: XAMPP Control Panel Application
2. In XAMPP, the default settings for the FileZilla server allow a user to connect
anonymously. Verify that you can connect to your partner's FTP services: Open a
Web browser and enter ftp://studentx in the address bar (where x is your partner's
student number). You should see the XAMPP default ftp folder structure, as shown in
Figure 7-8.

Figure 7-8: Using a browser FTP client
3. In XAMPP, the default settings for FileZilla server allow for connection as an
anonymous user (without the use of a password). You can also use an FTP client to
connect to your partner's system: Select Start | All Programs | FileZilla FTP Client
| FileZilla. Type studentx in the Host text box (where x is your partner's student
number), and then press ENTER. Notice that the anonymous user name and password
are automatically detected, and you are again connected to your partner's FTP site,
as shown in Figure 7-9.
Figure 7-9: Connecting using an FTP client
4. When you have finished testing connectivity, close your browser and your FTP client.
5. Click Start, right-click My Network Places, then click Properties to open the
Network Connections dialog box. Right-click Local Area Connection, then click
Properties to open the Local Area Connection Properties dialog box.
6. Highlight Internet Protocol (TCP/IP) and click the Properties button to open the
Internet Protocol (TCP/IP) Properties dialog box.
7. Click the Advanced button, click the Options tab, then select TCP/IP Filtering in
the Optional Settings section.
8. Click the Properties button to open the TCP/IP Filtering dialog box, as shown in
Figure 7-10.

Figure 7-10: TCP/IP Filtering dialog box
9. Notice that you have several options. You can lock down all TCP and UDP ports, as
well as any IP protocol. Currently, your system should be using default settings,
which allow access to all protocols. In the TCP Ports section, select the Permit Only
radio button.
10. Click the Add button, type 80 to specify Port 80, then click OK. You have now
specified to permit TCP connections only on Port 80.
11. Click OK until you return to the Local Area Connection Properties dialog box. Click
the Close button.
12. You will be prompted to restart your computer. Restart your system, then boot back
into Windows Server 2003.
13. Use the XAMPP Control Panel Application to restart the FileZilla service.
14. Access your partner's system using your Web browser. You should be able to connect
to your partner's Web server.
15. Now use your browser to specify the FTP protocol and attempt to connect to your
partner's FTP server. For example, type ftp://studentx (where x is your partner's
student number). You will be denied access.
16. Open an FTP client and try to connect to your partner's system. You will be denied
access. Use any other client, such as Telnet. You will be denied access.
17. When you are finished experimenting, return your Windows Server 2003 TCP/IP
installation to its default settings. Failure to perform this step may interfere with
future labs.

Protocol Analyzers
Network or protocol analyzers allow network administrators to analyze data traversing
their networks. The data is "captured" by the network analyzer as it is transmitted across
the network. Once captured, the data can be closely studied. For example, you can view
the IP header, which indicates the Internet (IP) addresses of both the source and the
destination nodes.
Network analyzers can help an administrator troubleshoot and manage a network. Most
network analyzers support several network protocols, such as TCP/IP and IPX/SPX. If
you are viewing the packets on your network and notice a computer sending error
messages, you can identify the computer and determine the problem. Popular network
analyzers include the Sniffer Basic (previously NetXRay, www.sniffer-basic.com) and
Sniffer Portable products (www.networkgeneral.com). The open-source program
Wireshark is another popular analyzer for both Linux and Windows systems. It is
primarily a packet sniffer, and is available at www.wireshark.org/.
A network analyzer can help troubleshoot and manage a network by providing the
following services:
• Monitoring network traffic to identify network trends: This practice helps
establish a network baseline. For example, you may notice that network traffic is
heaviest in the morning when all users start their computers.
• Identifying network problems and sending alert messages: Problems (such as
traffic exceeding a given parameter) can be predefined by the network administrator.
• Identifying specific problems: Problems might include error messages generated
by a network device, which can then be repaired.
• Testing network connections, devices and cables: Network analyzers can send
test packets over the network. The packets can be traced to discover faulty
components or cables.
You can use a protocol analyzer to capture packets from data streams, then analyze the
information in them to learn about network activity. The information you obtain can help
you determine trends and problems on a network, and can also help you perform other
troubleshooting steps.
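The following Python script is an added example (it is not part of the original lesson and is not code from any of the analyzer products named above). It shows what an analyzer decodes when you "view the IP header" of a captured packet: it constructs a sample IPv4 header with a valid checksum, then parses it to recover the version, header length, protocol, source and destination addresses, and verifies the header checksum. The addresses and field values are constructed for the example.

```python
"""Decode an IPv4 header the way a protocol analyzer displays it.
Added example; the sample packet below is constructed, not captured."""
import struct
from ipaddress import IPv4Address

# Values of the IPv4 Protocol field that appear most often in captures.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header (checksum field included).
    Over a header whose checksum field is zero it returns the value to store;
    over a header with a correct stored checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Construct a minimal 20-byte header (no options) with a valid checksum."""
    total_len = 20 + payload_len
    fields = struct.pack("!BBHHHBBH4s4s",
                         0x45,              # version 4, IHL 5 words (20 bytes)
                         0,                 # type of service
                         total_len, ident,
                         0x4000,            # flags: don't fragment, offset 0
                         ttl, protocol,
                         0,                 # checksum placeholder
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Return the fields an analyst looks at first, plus whether the
    stored checksum matches the header bytes."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


# Constructed sample: a TCP segment of 40 bytes from 192.168.1.10 to 10.0.0.5.
SAMPLE_PACKET = build_ipv4_header("192.168.1.10", "10.0.0.5", 6, 40,
                                  ident=0x1C46) + b"\x00" * 40

if __name__ == "__main__":
    for name, value in parse_ipv4_header(SAMPLE_PACKET).items():
        print("%-12s %s" % (name, value))
```

On a real capture you would pass the bytes of the IP layer (after the Ethernet header) to parse_ipv4_header; a failing checksum on many packets from one host is the kind of error pattern the text describes identifying.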
Case Study
Securely Yours, Anonymous
Raj was contracted to perform a security audit on his friend Ben's Windows network. Ben
owns a small company that designs and installs custom lighting plans for private homes.
Although Ben has been unaware of any security problems, he wants to be sure that he is
properly securing his company equipment and data.
Although Raj found that the corporate Web server and database were well protected, he
was alarmed to find that each employee had his or her own unique account on the
corporate FTP site, which did not use encryption. Employees use the FTP site to upload
custom orders, blueprints and photos.
Raj suggested that Ben either:
- Give all employees access to the FTP site via anonymous access; or
- Secure the FTP transactions.
* * *
As a class, consider Raj's suggestions, then answer the following questions:
- What are the advantages and drawbacks of each option?
- Which solution would be easiest to implement?
- Are there other approaches to securing an FTP site?

Lesson Summary
Application project
This lesson focused on reviewing the protocols found in the TCP/IP suite. When time
permits, create a DNS structure and then experiment with limiting zone transfers to only
certain hosts. Perform this task in either Linux or Windows Server 2003. To learn more
about securing zone transfers through public-key encryption, consult the BIND Web site
at www.isc.org/products/BIND.
Skills review
Hackers often exploit weaknesses in the TCP/IP stacks of various Internet hosts to
compromise a network's security. In this lesson, you analyzed the basics of TCP/IP,
learned how packets are created and sent according to the OSI model, and saw how a
network routes those packets. You then reviewed the protocols commonly filtered at
firewalls, including ICMP and various application-layer protocols such as IRC, NFS and
NIS. If you understand how messages are sent across the Internet, you can then take
specific steps at your firewall to ensure that your company is sending information as
securely as possible.
Now that you have completed this lesson, you should be able to:
- 1.3.4: Identify potential threats at different layers of the TCP/IP stack.
- 1.3.7: Secure TCP/IP services, including HTTP, FTP.
- 1.4.6: Identify routing issues and security.
- 1.4.7: Determine the causes and results of a denial-of-service (DOS) attack.


Lesson 7 Review
1. Why must you be concerned about open ports on your system?


2. Which layer is the most difficult to secure, and why?


3. Why does active FTP cause problems with firewalls?





4. In what way is Telnet vulnerable to security threats?

5. What are the two biggest security concerns with the Simple Network Management
Protocol version 1 (SNMPv1)?




Lesson 8:
Securing Resources
Objectives
By the end of this lesson, you will be able to:
- 1.3.5: Consistently apply security principles.
- 1.3.6: Identify ways to protect operating systems, routers and equipment against
physical attacks.
- 1.3.7: Secure TCP/IP services, including HTTP, FTP.
- 1.3.8: Identify the significance of testing and evaluating systems and services.
- 1.3.9: Identify network security management applications, including network
scanners, operating system add-ons, log analysis tools.
- 1.4.7: Determine the causes and results of a denial-of-service (DOS) attack.

Pre-Assessment Questions
1. What should you do if a daemon is running as root?
a. Stop the daemon so future attacks do not occur.
b. Restart the daemon so it runs under a different PID.
c. Reconfigure the daemon to run as a non-privileged user.
d. Install another daemon as a non-privileged user.
2. You are installing a Windows Server 2003 system that will be used as a Web server.
During the installation process, what can you do to enhance its security?
a. Install IIS as a non-root user to ensure that it runs securely.
b. Have IIS run using a non-root account that you create manually.
c. Change the administrator account to another name.
d. Segment the operating system from the Web server.
3. The Internet Worm was a denial-of-service virus that caused a multi-day outage
for Internet-connected hosts beginning on November 2, 1988. List at least two
developments that occurred as a result of the Internet Worm.




TCP/IP Security Vulnerabilities
As you have seen, TCP/IP is a powerful and popular protocol. However, IPv4 (the current
version) is also inherently insecure, not only because of its popularity, but also because
of its openly published nature: anyone can consult the RFCs and learn all the
idiosyncrasies of its design. These aspects, plus the fact that IPv4 does not natively
support strong encryption and authentication, have invited many abuses.
You learned about TCP/IP abuses, such as SYN flooding, IP spoofing and connection
hijacking, in previous lessons. These attacks are proof that the lack of TCP/IP security
has led directly to the development of tools and techniques designed to exploit the
weaknesses inherent in TCP/IP.
The next-generation Internet protocol, Internet Protocol version 6 (IPv6), attempts to fix
many of the flaws in the current IPv4 protocol. IPv6 provides authentication and
encryption on the Internet, and could solve a lot of the existing problems with TCP/IP.
You will learn more about IPv6 in the next section.
Internet Protocol version 6 (IPv6)
With Internet use growing so rapidly, the current addressing scheme, IPv4, is in danger of
running out of IP addresses. It is also creating unmanageable routing tables for the
Internet's backbone routers. In addition to solving IP address shortages, IPv6 improves
upon IPv4 by using routers more efficiently and requiring less administrative overhead
than IPv4.
IPv6 uses 128-bit addresses instead of 32-bit addresses. This format uses hexadecimal
numbers instead of decimals. Following is an example of an IPv6 address:
2E22:4F00:000E:00D0:A267:97FF:FE6B:FE34
IPv4 can support 4 billion IP addresses. By contrast, IPv6 can support just over 340
trillion trillion trillion (3.4 x 10^38) IP addresses (or 79 octillion times the IPv4 address
space), at least in theory. According to the Internet Society (ISOC), practical IPv6
implementation could mean that IPv6 will be able to support around 35 trillion IP
addresses, which is still significantly larger than IPv4's 4 billion.
IPv6 may be implemented between now and 2015, depending on how fast current IP
addresses are used. IPv6 and IPv4 will probably coexist, and IPv4 will be part of Internet
use for several more generations. Any server that can support IPv6 packets can also
support IPv4 packets.
Determining which IP version to implement
In determining which version of IP to implement, there are several items to take into
consideration.
Although IPv6 includes features that will help solve router congestion, replacing the
existing infrastructure of Internet routers is a slow process. IPv4 is still the de facto
standard and people are slow to change. IPv4 and IPv6 will coexist for several years to
come, so even if you implement IPv6, you will still most likely connect to the Internet via
IPv6-to-IPv4 conversion gateways.
New installations in North America and Europe will most likely continue to implement
IPv4 for the foreseeable future. In developing economies, such as China and India, new
installations will most likely implement IPv6, as ISPs in those countries will receive pools
of IPv6 addresses, not IPv4 addresses. The developed areas of the world already have
been allotted most of the IPv4 addresses.
hexadecimal: A base-16 number system that allows large numbers to be displayed by
fewer characters than if the number were displayed in the regular base-10 system. In
hexadecimal, the number 10 is represented as the letter A, 15 is represented as F, and
16 is represented as 10.
As you prepare for a new installation, you may be anxious to take advantage of the
benefits IPv6 has to offer. But you must consider your existing equipment. Will you be
connecting to or supporting legacy hardware or applications that will support only IPv4?
If existing hardware will support IPv6, how difficult and time-consuming will it be to
convert your existing infrastructure? How many of your IT staff are familiar and
comfortable with IPv6?
To learn more about IPv6, visit www.ipv6.org or the IPv6 Forum at www.ipv6forum.com.
Implementing Security
The remainder of this lesson will discuss how you can implement a security model to help
protect the most often-attacked servers that use TCP/IP, including HTTP, FTP and SMTP
servers. First, you will begin with a brief overview of a helpful security implementation
model.
The five steps described in Table 8-1 can help you apply your security policy as
consistently as possible.
Table 8-1: Security implementation model
Step 1 - Publish the security policy: You must always define and publish your
security policy. A company's security policy will be useless if only you and fellow
IT employees know it. All employees must know where to locate the security policy
and how it applies to their jobs.
Step 2 - Categorize resources and needs: You learned about Levels I, II and III
classification earlier. You should also consider that classic network management
always includes detailed, written documentation of every system, including
hardware types, current configurations and protocols used. Prioritization and
other elements are part of categorization.
Step 3 - Secure each resource and service: This step involves some or all of the
following actions:
- Changing server and system defaults.
- Removing extraneous services.
- Constantly monitoring public connections, including VPNs, modem banks, and
especially Web and FTP servers.
- Ensuring physical security.
- Locking down registry keys and password files.
Step 4 - Log, test and evaluate: Establish logging on all systems, and check the
logs regularly. Configure your log files so that they will not become security
threats.
Step 5 - Repeat the process and keep current: Never assume that you are finished
with security just because you have taken the first four steps. You also need to
remain aware that your existing policy might develop gaps as new hacker
techniques develop.

OBJECTIVE 1.3.5: Applying security principles
You have already learned about the first two steps. This lesson will focus on Steps 3, 4
and 5. Specifically, you will work to secure some of the TCP/IP resources discussed in an
earlier lesson.
Resources and Services
Each service operates independently of the others. As a security specialist, you must
devise ways to make this independence work for you, and not against you. Service
independence can present a problem, because after a hacker compromises one system,
he or she can use it to attack another. However, you can make services and your
operating system work for you by following the suggestions presented here.
Protecting services
You can protect services by coordinating various permissions, services and techniques.
You should also change system defaults and remove unnecessary services.
Protect against profiling
Profiling is a hacker's ability to determine the nature of a network host. Profiling is often
conducted through zone transfers and port scanning. It is also the ability to determine
the nature of the traffic passing to and from the host. Packet sniffers can be used to
profile. When a NIC is in "promiscuous mode," a hacker can then begin to compromise
the network. Various methods are available to thwart such activity.
Coordinate methods and techniques
One of the more important concepts in securing resources is the ability to coordinate
methods and techniques so that if a hacker defeats one method, your system can counter
with another. As you coordinate services, address each one separately. Consider the
HTTP, Telnet and FTP servers. Each of these systems has specific vulnerabilities, and
must be addressed individually. This requirement includes changing default settings.
Define operating system policies along with service security policies. Your system should
not rely on only one element of security (authentication, encryption or auditing). For
example, do not rely on only one form of authentication. You can add a layer of
encryption or auditing for more security.
Protect services by changing default settings
Any experienced hacker knows the default settings of a particular service, server or
computer. Therefore, you should change as many default settings as possible. You will
learn more about how to change specific defaults later in this lesson.
Remove unnecessary services
Often, removing unnecessary services will help security. Most organizations omit this
simple solution, creating an unintentional back door. For example, if you are using
Internet Information Services (IIS) on Windows Server 2003, do not leave the Server
service running. Doing so creates a security hazard and invites unneeded risk.
Simply because the system is running an OS/2 subsystem does not necessarily mean it
has a security hole. However, it does mean that you need to take care of redundant
services. Furthermore, you need not leave such a subsystem running, because many
hackers look for this type of redundancy. Unneeded services that are left running are
the most likely to contain unknown security holes.
Protecting TCP/IP Services
Following are some configuration guidelines that can help you secure your TCP/IP
services.
Specialized accounts
Most Internet servers (Web, FTP and so forth) operate using special user accounts
designed to give users just enough permissions to do their jobs. These specialized
accounts are necessary because, generally, a service should not be run by an
administrative user. If something goes wrong with the service or daemon, a hacker will
not be able to exploit a privileged shell that might be left behind.
When checking your services, make sure they are not running as root or administrator. If
they are, conduct research to see if the service can be run using a less privileged account.
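One way to perform that check across a whole host is to audit a process listing rather than inspecting daemons one by one. The following Python script is an added example, not part of the course material: it reads the output of a UNIX `ps -eo user,pid,comm` command (a constructed sample is embedded so it runs offline) and classifies each known network daemon as fully privileged, privilege-separated (a root parent with unprivileged workers, which is how httpd normally runs) or unprivileged. The daemon-name list is an assumption made for the example and should be adjusted to the services on your hosts.

```python
"""Audit a process listing for network daemons running as root.
Added example; SAMPLE_PS is constructed, not captured from a real host."""

PRIVILEGED_USERS = {"root"}

# Network-facing daemons that normally can run under a dedicated service
# account. Assumed names for this example; extend to match your hosts.
NETWORK_DAEMONS = {"httpd", "apache2", "vsftpd", "proftpd", "sendmail",
                   "named", "in.ftpd"}


def parse_ps(output: str) -> list:
    """Turn `ps -eo user,pid,comm` text into (user, pid, command) tuples,
    skipping the header line and any row without three columns."""
    rows = []
    for line in output.strip().splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        user, pid, comm = parts
        rows.append((user, int(pid), comm))
    return rows


def audit_daemons(output: str) -> dict:
    """Classify each known daemon by the accounts its processes run under.

    fully_privileged: every process runs as a privileged user; this is the
        case the text warns about and the daemon needs a service account.
    privilege_separated: privileged parent plus unprivileged workers;
        acceptable, but confirm the workers really handle the client traffic.
    unprivileged: no process of that daemon runs privileged.
    """
    by_daemon = {}
    for user, _pid, comm in parse_ps(output):
        if comm in NETWORK_DAEMONS:
            by_daemon.setdefault(comm, []).append(user)
    result = {"fully_privileged": [], "privilege_separated": [],
              "unprivileged": []}
    for comm, users in sorted(by_daemon.items()):
        privileged = [u for u in users if u in PRIVILEGED_USERS]
        if len(privileged) == len(users):
            result["fully_privileged"].append(comm)
        elif privileged:
            result["privilege_separated"].append(comm)
        else:
            result["unprivileged"].append(comm)
    return result


# Constructed sample listing (not captured from a real host).
SAMPLE_PS = """\
USER       PID COMMAND
root         1 init
root       812 sshd
root       934 httpd
www-data   940 httpd
www-data   941 httpd
root      1020 vsftpd
root      1105 named
proftpd   1300 proftpd
ben       2201 bash
"""

if __name__ == "__main__":
    report = audit_daemons(SAMPLE_PS)
    for daemon in report["fully_privileged"]:
        print("WARNING: %s runs only as a privileged user; "
              "run it under a service account" % daemon)
    for daemon in report["privilege_separated"]:
        print("INFO: %s has a privileged parent with unprivileged workers"
              % daemon)
```

On a live system, replace SAMPLE_PS with the real output of `ps -eo user,pid,comm`. A daemon reported as fully privileged is the case the text tells you to research: check its documentation for a user or group setting that lets it drop to a less privileged account.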
The Web server
The key to securing the Web server is to segment the operating system, the Web server
program and the server's files on their own hard drives or partitions. If a breach occurs,
such segmentation will help limit a hacker's activity to specific hard drives, or even parts
of hard drives, that are not essential to the rest of the system. Segmentation is key.
Instead of keeping the operating system, program files, and HTML files and scripts for a
Web page all on the same hard drive, partition the drive several times, then place only the
operating system on the primary partition.
Next, place the Web server program (e.g., IIS) on the second partition. From there, you
can move all the HTML files to another partition. Making the partition containing the
HTML content read-only is a simple but effective countermeasure to hacker activity.
Users can still view the HTML files, but partitioning will greatly limit what a hacker can
do if he or she gains access to this partition.
You can then place the scripts (such as CGI, Internet Services Application
Programming Interface [ISAPI], and Perl scripts) on another partition. Because these
scripts must be executed, you must allow this kind of activity. However, you can often
configure your operating system to forbid writing to that partition. A hacker will often try
to place a trojan in the directory that contains a Web server's scripts. After the hacker
has placed a trojan in the scripts' directory, he or she need only execute a script from
any Web browser.
By isolating the scripts in a specific drive or partition, you can more easily protect the
operating system and other services from any malicious code being executed in the
directory. In this way, if a hacker defeats the security of one of the servers, he or she is
still limited to only one of the partitions, rather than having access to the entire hard
drive. Furthermore, if that partition is read-only, the hacker cannot copy files onto it, or
alter any files. This placement is a specific example of how you can layer security
techniques to create a matrix of secure systems, devices and resources.
OBJECTIVE 1.3.7: Securing TCP/IP services
Internet Services Application Programming Interface (ISAPI): A method developed by
Microsoft to write programs that communicate with Web servers through OLE.
Perl: A cross-platform programming language that enables users to write custom CGI
programs, as well as system management programs.
Common Gateway Interface (CGI) scripts
Common Gateway Interface (CGI) scripts are the primary source of security holes in
Web servers. One reason is that they are like miniature servers: They can execute
commands and present information to clients. A hacker can use seemingly benign
scripts, which are actually carelessly written, to defeat your system's security.
CGI scripts open security holes in two ways:
- They intentionally or unintentionally leak information about the host system.
- Scripts that process remote user input, such as the contents of a form or "searchable
index" command, can be tricked into arbitrarily executing system commands.
Placing CGI scripts in their own partition is one way you can protect your system.
However, most problems can be addressed by ensuring the code itself is written properly.
CGI and programming
Make sure your CGI programmers take great care in writing these scripts. Examine the
scripts closely to see how they handle unexpected or incorrect data. If you are not
familiar with Perl or C (or any language in which the script is written), find someone who
is. Otherwise, you could find yourself responsible for a security breach caused by a
poorly written script.
To ensure that CGI scripts are secure, ask the following questions of your developer:
- Did we use compiled CGI gateways instead of those written in Perl or shell scripts?
- How much are we trusting the client (i.e., the remote user using a form) to enter the
correct information?
- Are we using the "eval" statement? If so, what steps are we taking to prevent users
from sending arbitrary information to the interpreter?
- What precautions are we taking against buffer overflows? Sometimes, a CGI script
may account for only 1,024 bytes of memory, when in fact much more is necessary.
As a result, the program (in many cases, the shell) crashes, and the user data
overwrites the program stack. From this point, a hacker can then execute arbitrary
code on the system, often with root privileges.
- Is any information passed directly from a client (i.e., remote user) to the shell
command? This procedure can allow a user to embed special characters called
metacharacters in the data stream. These characters can crash the shell and/or result
in a buffer overflow. To solve this problem, direct your CGI programmers to filter special
characters out of the data stream. You can also have programmers turn on data
tainting. Tainted variables cannot be used in any eval, system or exec calls, which
provides a stronger measure of security.
- How many, if any, of these CGI scripts are interacting with the shell?
Management may direct that all CGI scripts (as well as other mission-critical applications
written by company personnel) be independently checked for problems.
The code below shows a CGI script in which an eval statement passes client input
directly to the shell.
#!/bin/ksh
# Demonstrates poorly implemented CGI parsing.

print -- "Content-type: text/html\n\n"

# Process the form data read from standard input. Sample only, contains
# security problems! Every decoded name=value pair is handed to eval, so
# whatever the client sends becomes shell code, including the ; and `
# characters decoded below.
eval $(cat - | awk 'BEGIN {RS="&"};{
gsub("%2B"," ")
gsub("%3B",";")
gsub("%2F","/")
gsub("%3D","=")
gsub("%60","`")
gsub("%2C",",")
gsub("%22","\"")
gsub("%0D%0A","\012")
gsub(/\+/," ")
gsub("=","=\"")
print $0 "\""
}')

echo "<HTML>"
echo "<H1><CENTER>Your Request has been Entered</CENTER></H1>"
echo "<h2><CENTER>Thank You</CENTER></h2>"
echo "<hr>"
echo "reqtype= ${reqtype}<BR>"
echo "interests= ${interest1} ${interest2} ${interest3}<BR>"
echo "email= ${email}<BR>"
echo "mailaddr= ${mailaddr}<BR>"
echo "priority= ${priority}<BR>"
echo "submitit= ${submitit}<BR>"
echo "<hr>"
echo "</HTML>"

Common Gateway Interface (CGI): A protocol that allows a Web server to pass control to
a software application, based on a user request. It also allows that program to receive
and organize that information, then return it to the user in a consistent format. A CGI
script resides on a Web server, enabling the CGI process.
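For contrast, the following Python script is an added example (not part of the lesson and not a rewrite supplied by the course) of the same form handler written the way the checklist above asks for: the form body is decoded with a library parser instead of eval, only a fixed set of field names is accepted, the request and each field are bounded in size (the 1,024-byte figure mirrors the text and is an assumed limit here), and every client value is HTML-escaped before it is echoed back. The sample form body is constructed and includes metacharacters and markup to show that they come through as plain text rather than as commands.

```python
"""Safe CGI form handling: the defensive counterpart of the eval-based script.
Added example; field names match the form above, limits are assumptions."""
import html
from urllib.parse import parse_qs

# Only these field names are accepted; anything else the client sends is
# dropped instead of becoming a shell variable as it would under eval.
ALLOWED_FIELDS = ("reqtype", "interest1", "interest2", "interest3",
                  "email", "mailaddr", "priority", "submitit")
MAX_BODY = 1024     # assumed request limit, mirrors the figure in the text
MAX_VALUE = 200     # assumed per-field limit
MAX_FIELDS = 32     # assumed cap on name=value pairs per request


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into name -> value.

    Oversized input raises ValueError instead of being truncated silently.
    Unknown fields are discarded; values are decoded but never evaluated.
    """
    if len(body.encode("utf-8")) > MAX_BODY:
        raise ValueError("request body exceeds %d bytes" % MAX_BODY)
    raw = parse_qs(body, keep_blank_values=True, max_num_fields=MAX_FIELDS)
    fields = {}
    for name in ALLOWED_FIELDS:
        value = raw.get(name, [""])[0]      # first value only
        if len(value) > MAX_VALUE:
            raise ValueError("field %r exceeds %d characters" % (name, MAX_VALUE))
        fields[name] = value
    return fields


def is_rejected(body: str) -> bool:
    """True when parse_form refuses the body because of a size limit."""
    try:
        parse_form(body)
    except ValueError:
        return True
    return False


def render_confirmation(fields: dict) -> str:
    """Build the same confirmation page as the ksh script, with every
    client-supplied value escaped so it cannot inject markup."""
    esc = {k: html.escape(v, quote=True) for k, v in fields.items()}
    lines = [
        "<HTML>",
        "<H1><CENTER>Your Request has been Entered</CENTER></H1>",
        "<h2><CENTER>Thank You</CENTER></h2>",
        "<hr>",
        "reqtype= %s<BR>" % esc["reqtype"],
        "interests= %s %s %s<BR>" % (esc["interest1"], esc["interest2"],
                                     esc["interest3"]),
        "email= %s<BR>" % esc["email"],
        "mailaddr= %s<BR>" % esc["mailaddr"],
        "priority= %s<BR>" % esc["priority"],
        "submitit= %s<BR>" % esc["submitit"],
        "<hr>",
        "</HTML>",
    ]
    return "\n".join(lines)


# Constructed sample body: a normal submission plus shell metacharacters,
# HTML markup and an unexpected field name.
SAMPLE_BODY = ("reqtype=quote&interest1=lighting&interest2=&"
               "interest3=%3Cb%3Ebold%3C%2Fb%3E&email=ben%40example.com&"
               "mailaddr=1+Main+St%3B+%60id%60&priority=high&submitit=Send&"
               "debug=1")

if __name__ == "__main__":
    print("Content-type: text/html\n")
    print(render_confirmation(parse_form(SAMPLE_BODY)))
```

In a real CGI deployment the body comes from standard input (bounded by CONTENT_LENGTH) rather than from SAMPLE_BODY; the important property is unchanged: no client-supplied byte ever reaches a shell or interpreter, so the metacharacter and eval questions from the checklist are answered by construction.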

Securing Apache2
Many hacking programs designed to attack Web servers, including Apache2,
automatically search for default directory locations (e.g., C:\xampp\htdocs). If you
change this default location, you can thwart these attacks, because the application used
by the hacker will not be able to access the default directory.
In the following lab, you will move an Apache2 default directory to another location so
that if a hacker tries to infiltrate your system, he or she will be unable to do so. Suppose
you are the security administrator for your company and you want to make your Web
server as secure as possible. Moving default directories to different locations is an easy
way to thwart hacker attacks because many hacking programs search for default
directory locations. These applications will no longer know where your files are located.

Lab 8-1: Securing an Apache2 Web server
In this lab, you will change the default location of an Apache2 folder to help secure your
system by hiding information from potential hackers.
Note: Perform the following steps with a partner so that you can test each other's work
using your Web browsers.
1. Open Windows Explorer.
2. In Windows Explorer, go to C:\xampp. Move the C:\xampp\htdocs subdirectory to
C:\, then rename it C:\webfiles.
Note: Do not copy the subdirectory, or else you will lose all the custom permissions that
protect the directory.

3. Open the C:\xampp\apache\conf\httpd.conf file in Notepad. Scroll down to the
following line:

DocumentRoot "C:/xampp/htdocs"
4. Modify the line to read as follows:

DocumentRoot "C:/webfiles"
5. Scroll down to the following line:

<Directory "C:/xampp/htdocs">
6. Modify the line to read as follows:

<Directory "C:/webfiles">
7. Save the httpd.conf file and exit Notepad.
8. Start the XAMPP Control Panel, then stop and restart the Apache2 Web service.
9. Make sure your partner has finished all the previous steps, and use your Web
browsers to test each other's work. You should see your partner's XAMPP splash
screen, as shown in Figure 8-1.

Figure 8-1: XAMPP splash screen
In this lab, you enhanced your Apache2 Web server's security by moving key folders.
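The lab changes two directives that must agree. As an added check (example code, not part of the lab or of XAMPP), the following Python script parses an httpd.conf, extracts the DocumentRoot and every <Directory> path, and reports whether the root still sits at the default C:/xampp/htdocs location or has no matching <Directory> block. The three configuration fragments are constructed: the default, the result of Steps 3 through 6, and a half-finished edit in which only DocumentRoot was changed.

```python
"""Check that DocumentRoot was moved and that a <Directory> block matches it.
Added example; the configuration fragments below are constructed."""
import re

DOC_ROOT_RE = re.compile(r'^DocumentRoot\s+"?(.+?)"?\s*$')
DIRECTORY_RE = re.compile(r'^<Directory\s+"?(.+?)"?\s*>\s*$')


def normalize_path(path: str) -> str:
    """Compare Windows paths regardless of slash style, case or trailing slash."""
    return path.replace("\\", "/").rstrip("/").lower()


def parse_httpd_conf(text: str) -> dict:
    """Return the DocumentRoot value and every <Directory> path, skipping
    blank lines and comments."""
    doc_root = None
    directories = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DOC_ROOT_RE.match(line)
        if m:
            doc_root = m.group(1)
            continue
        m = DIRECTORY_RE.match(line)
        if m:
            directories.append(m.group(1))
    return {"document_root": doc_root, "directories": directories}


def check_document_root(text: str, default_root: str = "C:/xampp/htdocs") -> list:
    """List problems with the DocumentRoot move; an empty list means the
    two edits from the lab are present and consistent."""
    cfg = parse_httpd_conf(text)
    problems = []
    root = cfg["document_root"]
    if root is None:
        problems.append("no DocumentRoot directive found")
        return problems
    if normalize_path(root) == normalize_path(default_root):
        problems.append("DocumentRoot still points at the default %s" % default_root)
    known = {normalize_path(d) for d in cfg["directories"]}
    if normalize_path(root) not in known:
        problems.append("no <Directory> block matches DocumentRoot %s" % root)
    return problems


# Constructed fragments (not copied from a real httpd.conf).
DEFAULT_CONF = """
# default XAMPP layout
DocumentRoot "C:/xampp/htdocs"
<Directory />
    AllowOverride None
</Directory>
<Directory "C:/xampp/htdocs">
    Options Indexes FollowSymLinks
</Directory>
"""
MOVED_CONF = DEFAULT_CONF.replace("C:/xampp/htdocs", "C:/webfiles")
HALF_MOVED_CONF = DEFAULT_CONF.replace('DocumentRoot "C:/xampp/htdocs"',
                                       'DocumentRoot "C:/webfiles"')

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("moved", MOVED_CONF),
                        ("half moved", HALF_MOVED_CONF)):
        print(label, check_document_root(conf) or ["OK"])
```

The half-moved case is the one to watch for after Step 7: with DocumentRoot pointing at a directory that has no <Directory> block of its own, the new location falls under Apache's restrictive <Directory /> defaults and clients typically receive "403 Forbidden" instead of the splash screen.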

File Transfer Protocol (FTP) servers
Securing your File Transfer Protocol (FTP) server is similar to securing your Web server.
Be sure to separate the FTP server from the files it downloads by using separate
partitions. Whenever possible, you should separate FTP user accounts and access
options from those used to access the Web. Again, this configuration works against
individual breaches by allowing you to place separate operating system access controls
for each service. If one resource is compromised, the other will remain secure.
A possible denial-of-service (DOS) attack might be to fill the hard drive on your FTP
server. If the operating system resides on the same partition as the files, this attack
would probably cause the system to crash. Potentially, a hacker could log on to the server
repeatedly in an attempt to fill the logs to a point where their number and size will crash
the server.
If you do not segment your operating system, servers and files, a hacker can achieve
control easily.
Sometimes you will need to allow read-only access to your public files through FTP, but if
external users (including those using intranets) are uploading files to your Web server,
you should consider disk space. If the disk is filled because someone uploaded a large
file, the whole system could crash.
Access control for FTP servers
Although most FTP servers allow access only to files residing beneath the FTP service's
root directory, make sure that your FTP server does not allow access to sensitive files. If
you are not careful, users could gain access to your Web directories and overwrite your
Web files. This problem has happened quite often, including an episode in which U.S.
intelligence agencies' Web pages were altered by hackers.
In the following lab, you will alter the default settings for your FTP server. Suppose you
are the security administrator for your company and you want to make your FTP server
as secure as possible. Changing default settings is an easy way to thwart hacker attacks
because many hacking programs understand system defaults. These applications will no
longer be able to attack your system if the system defaults are modified.

Lab 8-2: Securing the FTP service
In this lab, you will alter the default settings for your FTP server. Although it cannot be
done for this class, you should seriously consider placing your FTP files on a completely
separate partition from your operating system.
1. Open Windows Explorer. Create a folder on C:\ named ftpfiles.
2. Start the XAMPP Control Panel and ensure that the FileZilla service is running. If it
is not, click the Start button to begin the service. The XAMPP Control Panel
Application should appear as shown in Figure 8-2.
OBJECTIVE 1.4.7: Denial-of-service (DOS) attacks

Figure 8-2: XAMPP Control Panel Application showing running services
3. Click the Admin button for FileZilla. The Connect To Server dialog box will appear.
Click OK to close the dialog box and display the FileZilla Server window.
4. Select Edit | Users to display the Users dialog box.
5. In the Page section, click the Shared Folders link to display the Shared Folders
control window.
6. In the Shared Folders section, click the Add button to display the Browse For Folder
dialog box. Navigate to the C:\ftpfiles folder you created in Step 1, select it, then
click OK.
7. Ensure that C:\ftpfiles is selected, then click the Set As Home Dir button to make it
the home directory. The Users dialog box should appear as shown in Figure 8-3.

Figure 8-3: Users dialog box with new home directory
8. Click OK, then close the FileZilla Server window.
9. Stop, then restart the FileZilla service.
10. Make sure your partner has finished all the steps in this lab. Then, open a command
prompt or any FTP client to check your partner's work. If you use a command
prompt, log on as anonymous with a password of password.
In this lab, you added a greater measure of security to your FTP sites.

Simple Mail Transfer Protocol (SMTP)
Because the Simple Mail Transfer Protocol (SMTP) protocol was formed without security
in mind, securing an e-mail server is rather difficult. Newer SMTP servers often offer
security features, such as reverse Domain Name System (DNS) lookup, to help ensure
that the e-mail sender is actually who he or she claims to be. Whenever possible, use
such authentication measures.
For securing e-mail itself, encryption is the key. An earlier lesson discussed the main
encryption methods and mentioned several popular tools, including the proprietary
encryption methods found in Microsoft servers and public-key encryption such as PGP.
These methods are the most useful for ensuring that the information sent through your
server will be secure.
The Internet Worm
The Internet Worm was a denial-of-service virus that caused a multi-day outage for
Internet-connected hosts beginning on November 2, 1988. The application, written by
Robert T. Morris, Jr., a graduate student in the Cornell University department of
computer science, was accidentally released on the Internet. According to Morris, the
program was designed to demonstrate that the Internet, as it existed at that time, was
vulnerable and contained many security holes. It is an important historical event,
because it still teaches security professionals about the weakness of TCP/IP applications
with regard to e-mail. The incident was caused by a program that used a hole in the UNIX
TCP/IP implementation and the lack of bounded arrays in the C programming language
to establish a beachhead on approximately 7,000 Internet hosts, the bulk of the Internet
at that time.
The worm exhausted the systems' physical CPU and memory resources to such an extent
that it slowed them considerably or caused them to crash. No other damage was done;
that is, files were not erased or destroyed, but system administrators had to spend some
time verifying that no other problems had been introduced. The scenario could have been
much worse, if the worm had included code that did actual physical damage or ran
without drawing attention to itself.
The component of the worm that used this particular weakness is known as the fingerd
attack. In this attack, the worm tries to infiltrate systems via a bug in fingerd, the finger
daemon. The version that existed at the time was susceptible to a buffer overflow
condition, in which it read its arguments from a pipe but did not limit how much
information it read. As soon as fingerd read more than the allowed internal 512-byte
buffer, it proceeded to write information past the end of its stack, causing the buffer
overflow.
The Worm took advantage of this weakness and called fingerd with a 536-character
argument. The last 24 characters were designed to overwrite the system stack so that it
would leave a shell behind that was able to accept commands. The result was that
instead of the finger command being executed, a command shell was started, which was
then used to deliver all the worm files to a new host via sendmail.
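The defect described above, shown as an added example that is not code from this guide or from the original fingerd: the unbounded copy pattern beside a bounded replacement. The 512-byte buffer size and the 536-byte request length come from the text; the function names, the decision to refuse rather than truncate an oversized request, and the request contents used in main() are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed internal buffer the text describes for the 1988 fingerd. */
#define FINGER_BUF_SIZE 512

/*
 * The defect pattern (shown for contrast only; never call it on untrusted
 * input): copy until the terminator with no check against the destination's
 * capacity. Any request longer than FINGER_BUF_SIZE - 1 bytes writes past the
 * end of the array and overwrites whatever the compiler placed after it.
 */
void read_request_unbounded(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0') {
        /* no bound check: this is the bug */
    }
}

/*
 * Hardened replacement: never scans or writes beyond dstsz bytes. Copies at
 * most dstsz - 1 bytes, always writes a terminator, and reports whether the
 * whole request fitted so the caller can decide what to do with a truncated one.
 */
bool read_request_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0) {
        return false;
    }
    size_t n = 0;
    while (n < dstsz && src[n] != '\0') {   /* bounded scan of the source */
        n++;
    }
    if (n >= dstsz) {                        /* source does not fit */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);                 /* n bytes plus the terminator */
    return true;
}

/*
 * Handler policy (an assumption of this example): a request that does not fit
 * the buffer is not a plausible user name, so refuse it rather than act on a
 * truncated copy. Returns 0 when accepted and -1 when rejected for size.
 */
int handle_finger_request(const char *request, char *username_out, size_t outsz)
{
    if (!read_request_bounded(username_out, outsz, request)) {
        if (outsz > 0) {
            username_out[0] = '\0';          /* leave nothing partial behind */
        }
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[FINGER_BUF_SIZE];
    char oversized[537];                     /* constructed: the text's 536-byte request */
    memset(oversized, 'A', 536);
    oversized[536] = '\0';

    printf("5-byte request:   %s\n",
           handle_finger_request("alice", buf, sizeof buf) == 0 ? "accepted" : "rejected");
    printf("536-byte request: %s\n",
           handle_finger_request(oversized, buf, sizeof buf) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The bounded version is the whole fix: the size of the destination is passed in and checked on every byte, so the worst an oversized request can do is be refused.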
OBJECTIVE 1.3.7: Securing TCP/IP services
OBJECTIVE 1.4.7: Denial-of-service (DOS) attacks
Results of the Internet Worm
This worm has affected the development of Web technologies in several key ways:
- Web programming languages such as Java now enforce strict bounds checking on arrays. Writing past the end of the 512-byte buffer in Java would not be possible today.
- Operating systems give system operators much more control over the permissions available to net-attached processes, and default those permissions to the most conservative settings.
- The Computer Emergency Response Team (CERT) was created as a result of this attack. This organization is still quite active and, along with SANS (www.sans.org), is a key site for obtaining security information.
- The Internet Worm led indirectly to the creation and implementation of Internet firewalls. You will learn more about firewalls in future lessons.
Buffer overflows
The sendmail daemon was the UNIX service that was responsible for the Internet Worm.
Through the years, sendmail has become much more secure, and can generally be used
with as much confidence as any other network daemon. However, new buffer overflow
problems are constantly being discovered, exploited and addressed. For example,
sendmail at one time defaulted to allowing relaying to all hosts. This default has been
changed as of version 8.9. Update the program regularly, using the latest, stable patch.
You can find patches at various sites, including www.sendmail.org.
The Melissa virus
Melissa, released in March 1999, was allegedly created by a New Jersey hacker/software
developer. Unlike the 1988 Internet Worm, Melissa exploited flaws in e-mail client
applications, rather than any coding flaws in the servers themselves. The chief flaw in the
client was that many Microsoft-oriented e-mail client applications implicitly trust and act
upon data passed to them. Likewise, many Microsoft-oriented desktop applications (e.g.,
Microsoft Word, Excel and Access) will act upon information passed to them by e-mail
clients.
Understanding Melissa
This virus is embedded in a Microsoft Word document. When a user opens the document,
the virus delivers its payload. The virus infects the user's machine, then directs the e-
mail client application to automatically send an e-mail message, complete with the
infected attachment, to the first fifty contacts in the client's address book.
This virus bogged down many e-mail servers. It also spawned several copycat virus
mutations, which hackers developed and sent out on the Web. One of these mutations
was the Papa virus, which specifically attacked Microsoft Excel spreadsheets. This strain
of Melissa operated in a similar way, with Papa sending 60 infected e-mail messages to
unwitting recipients.
Because viruses such as Melissa, the LoveBug and the Anna Kournikova viruses have
become so prevalent, e-mail server administrators have enabled various access control
measures.
Access control for e-mail
When securing an e-mail server, you can:
- Enable authentication for SMTP. Most servers do not require a sending user to authenticate by default.
- Forbid relaying to unauthorized users. SMTP hosts that relay are the primary cause of e-mail spam on the Internet. Many SMTP servers, such as versions of sendmail older than 8.8 and Microsoft Exchange 4.0, did not prohibit relaying by default. You can learn more about relaying at www.sendmail.org or http://spam.abuse.net/spam, and from the Coalition Against Unsolicited Commercial E-mail (www.cauce.org).
- Scan e-mail attachments.
- Reduce the size of e-mail attachments.
- Impose a limit on the number of e-mail messages a particular account can receive.
- Eliminate e-mail attachments.
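The first two measures above (requiring SMTP authentication and refusing third-party relay) come down to one decision the server makes for each RCPT TO command. The following is an added example, not code from this guide or from sendmail, that makes that decision in C. The local domains example.com and mail.example.com, the trusted network prefix 192.168.1., and the reply strings are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Domains this server delivers locally (constructed example values). */
static const char *const LOCAL_DOMAINS[] = { "example.com", "mail.example.com" };

/*
 * Internal network trusted to relay, as dotted prefixes (constructed). The
 * trailing dot matters: "192.168.1." matches 192.168.1.x but not 192.168.10.x.
 * A production server would match CIDR blocks instead of string prefixes.
 */
static const char *const TRUSTED_NET_PREFIXES[] = { "192.168.1." };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* ASCII case-insensitive equality, since mail domains are not case-sensitive. */
bool equal_ignore_case(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) {
            return false;
        }
    }
    return *a == '\0' && *b == '\0';
}

/* Returns the domain part of an address, or NULL when there is none. */
const char *address_domain(const char *rcpt)
{
    const char *at = strrchr(rcpt, '@');
    return (at != NULL && at[1] != '\0') ? at + 1 : NULL;
}

bool is_local_domain(const char *domain)
{
    for (size_t i = 0; i < COUNT(LOCAL_DOMAINS); i++) {
        if (equal_ignore_case(domain, LOCAL_DOMAINS[i])) {
            return true;
        }
    }
    return false;
}

bool client_in_trusted_net(const char *client_ip)
{
    for (size_t i = 0; i < COUNT(TRUSTED_NET_PREFIXES); i++) {
        size_t len = strlen(TRUSTED_NET_PREFIXES[i]);
        if (strncmp(client_ip, TRUSTED_NET_PREFIXES[i], len) == 0) {
            return true;
        }
    }
    return false;
}

/*
 * The decision a closed relay makes at RCPT TO. Delivery to our own domains is
 * always accepted (that is delivery, not relaying). Relaying anywhere else is
 * allowed only for authenticated clients or clients on the trusted internal
 * network; an unauthenticated outside client is refused, which is what makes
 * the relay closed.
 */
bool relay_allowed(const char *client_ip, bool authenticated, const char *rcpt)
{
    const char *domain = address_domain(rcpt);
    if (domain == NULL) {
        return false;                 /* malformed recipient: refuse */
    }
    if (is_local_domain(domain)) {
        return true;
    }
    return authenticated || client_in_trusted_net(client_ip);
}

/* The SMTP reply the server sends for that decision (constructed wording). */
const char *rcpt_reply(const char *client_ip, bool authenticated, const char *rcpt)
{
    return relay_allowed(client_ip, authenticated, rcpt)
        ? "250 2.1.5 Recipient ok"
        : "550 5.7.1 Relaying denied";
}

int main(void)
{
    printf("%s\n", rcpt_reply("203.0.113.5", false, "bob@example.com"));    /* local delivery */
    printf("%s\n", rcpt_reply("203.0.113.5", false, "bob@elsewhere.net"));  /* relay attempt */
    printf("%s\n", rcpt_reply("203.0.113.5", true, "bob@elsewhere.net"));   /* authenticated */
    printf("%s\n", rcpt_reply("192.168.1.20", false, "bob@elsewhere.net")); /* internal client */
    return 0;
}
```

The second call is the case that distinguishes an open relay from a closed one: an outside, unauthenticated client asking the server to deliver to a domain it is not responsible for.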
E-mail and virus scanning
The Internet Worm and the Melissa virus are excellent examples of the need for effective
e-mail scanning. Both attacks reveal certain weaknesses of an SMTP server. First, most
e-mail servers do not examine the contents of messages they deliver. Second, they can
be easily overwhelmed by requests resulting from attacks.
Modern e-mail viruses, trojans and worms appear in e-mail attachments. An e-mail
message can include any type of attachment, including viruses and trojans. The best
defense against malicious attachments is to purchase or obtain third-party software that
scans all messages as they are sent and received via SMTP. Respected attachment
scanning software includes Symantec Mail Security for SMTP (www.symantec.com) and
Email Security Service from Deerfield Software (www.deerfield.com).
User education
The second-most effective preventive measure is user education. Educating your e-mail
users on how viruses and trojans are sent through SMTP will help reduce the number of
viruses or trojans on your network.
Performance issues and business effects
Advanced SMTP servers can scan e-mail transparently by placing the e-mail messages in
a temporary holding area. The server scans the files, then forwards the e-mail as
appropriate. This process takes extra time but is well worth the delay. If the slowdown is
too great, you may have to increase the power of your e-mail server(s) in the following
ways:
- Add extra hard drives.
- Add extra RAM.
- Obtain additional e-mail servers.
Make sure that any measures you take regarding e-mail do not negatively affect end
users. They must be able to do their jobs after you have implemented security measures.
Consider the possible effects that imposing a size limit on attachments may have on
various users, for example. Eliminating e-mail attachments may never be an option for
many businesses. If you want to impose any of these measures, contact management and
obtain feedback about how the change may affect users.
spam: Unsolicited bulk e-mail sent anonymously, often from misconfigured e-mail servers.
OBJECTIVE 1.3.9: Network security management applications
Physical Security
Your job as a security professional does not end with network security. Ensuring proper
access to network resources also includes taking steps to physically secure your
organization's buildings. Physical security issues you need to consider include the
following:
- Ensuring that internal areas (e.g., hallways and entrances to offices) are properly lit and observed using security guards or cameras.
- Ensuring that external areas (e.g., building approaches, service entrances and parking lots) are properly guarded. Again, cameras and guards may be appropriate.
- Identifying sensitive areas that could be targeted for attempted attacks.
- Identifying areas where attackers may easily enter a building. Attackers commonly enter buildings through low-level security zones (e.g., service entrances for kitchens), then work their way through the building to more sensitive areas (e.g., server rooms and executive offices).
Protecting the network against common physical attacks
Table 8-2 describes common physical security problems faced by networks and then
discusses ways you can protect your network.
Table 8-2: Common physical vulnerabilities and solutions
- False ceilings. Description: Many buildings use removable tiles instead of solid ceilings. In many cases, the false ceilings can be removed, allowing access into locked rooms. Solution: If false ceilings are used, make sure that rooms are truly separated from the rest of the office.
- Exposed communication lines. Description: Wiring closets are not locked, and it is possible to break into wiring as it enters and exits the building. Solution: Check for and correct exposed internal and external wiring. Look for unsecured internal and external wiring closets, as well. Identify and correct unlocked and poorly guarded telephony panels. Review lighting for these resources.
- Exposed jacks. Description: Even though personnel have been removed from offices, the network jacks are still active. Solution: Conduct thorough audits of the network after downsizing and/or transferring users to make sure that wall jacks are not left active.
- Exposed heating/cooling ducts. Description: Heating ducts have openings that allow people to enter and exit buildings. Solution: Cordon off exits and entrances. Place bars over ducts, with the approval of the building and heating supervisors.
- Doors with exposed hinges. Description: Some doors, even if closed and locked, can be removed by simply removing the hinges. Solution: Replace the door. Enable surveillance.
- Inadequate lighting. Description: It is difficult to physically patrol and secure an area if you cannot see the grounds well. Solution: Use existing lighting, or install new fixtures.
- Lack of surveillance. Description: Sensitive entrance areas and hallways are left unguarded. Solution: Use security guards or install surveillance cameras.
- Poor lock quality. Description: A sensitive area is guarded only by a standard lock that can be picked, or a door closes improperly, allowing unauthorized entrance to network systems. Solution: Install keypads and smart card-enabled systems. You can also require biometric authentication.
OBJECTIVE 1.3.6: Protecting against physical attacks

Ensuring access control
Table 8-3 describes ways to ensure physical access control in your network.
Table 8-3: Physical access control techniques
- Physical barriers: The most obvious physical barriers include doors, walls and ceilings. Make sure that all of these barriers are in place. Less obvious physical barriers include metal detector checkpoints, walls designed to impede traffic flow and enable surveillance, and cement walls that are meant to keep people and equipment away from buildings.
- Biometrics: Require individuals to present biometric information at sensitive areas. This information can be placed onto smart cards. Or, you can have individuals submit to eye scans and breath analysis.
- Guards: One of the more traditional methods of access control is to post a knowledgeable, skilled guard at the location that requires security. The guard can check authentication information and look for suspicious activity. Guards can also provide physical perimeter security.
- Locking down servers and workstations: Place important resources behind locked doors, in rooms without false ceilings. Consider removing physical resources that allow a user to easily access a server (e.g., floppy drives, USB and FireWire ports, and CD-ROM drives). Place locks on servers and workstations so they cannot be removed from racks and desks. Consider biometric authentication for essential resources.
Securing wireless cells
As you determine the level of security in your network, consider the location of the
wireless cells, as well as how to avoid intentional and unintentional interference from
various sources.
Make sure that wireless cells are located in places where war drivers cannot easily obtain
access to them. You may want to place wireless networks well inside buildings to help
keep transmissions away from war drivers. You can also shield wireless cells, though
doing so may inadvertently interrupt all communications.
Shielding network equipment
Table 8-4 describes two common ways to shield networks (and any other network
element) from attacks.
Table 8-4: Network equipment shielding methods
- Transient Electromagnetic Pulse Emanation Standard (TEMPEST): A standard developed by the U.S. government meant to help control electromagnetic transmissions that interfere with network connectivity or that are meant to eavesdrop on traffic. Involves placing protective coatings and sheaths on cables and computer connectors (e.g., for network or video connections) and extra shielding for building wiring. Shielding can be as simple as metal or aluminum foil.
- Faraday cage: A TEMPEST component. Essentially a metal box, often made of aluminum, stainless steel or copper. Can also be made of wire mesh or metal foil. Can be large enough for a computer, a room or even a building. If a Faraday cage is applied to a computer, then the system is reasonably protected against bursts of electromagnetic energy, known as electromagnetic pulses (EMP), which could damage networking equipment. If a Faraday cage is used to contain an entire wireless network, then the network will work only inside of that cage. Faraday cages can be used to secure internal computer components (e.g., processors), as well as computer connections.
Securing removable media
Increasingly, workstations and even servers have removable devices attached to them,
such as the following:
- Tape drives
- Hard drives and diskettes
- DVD/CD-R and DVD/CD-RW drives
- Additional USB and FireWire devices
- Smart card readers
In all these cases, you can physically secure the environment by either locking the door,
posting a guard or enabling surveillance (e.g., a video camera monitored by a guard).
End-user training will also help protect against unintentional misuse, and will help you
discipline and even prosecute those guilty of intentional misuse. You should also
consider ways to physically secure the media to reduce tampering.
Additional media
Flashcards are examples of storage media. They are often used in digital cameras, but
can store various types of data. Examples of flashcards include:
- Memory Stick, SmartMedia and CompactFlash cards
- Memory cards in PCMCIA format
Many flashcards simply appear as another drive on a computer, which can be shared
with any other resource on the network. Therefore, these media can pose a threat to
security, especially if they contain viruses or if a perpetrator uses them to store illicitly
obtained data. You can protect these media with passwords, though most vendors
choose not to do so. Or you can place encrypted files onto them.
Controlling the environment
The following elements are always a concern when determining the security of your
networking equipment:
- Humidity controls: An environment that is too dry will result in excessive static electricity, making computer and telephony systems vulnerable. An environment that is too humid can cause condensation to form on equipment. Humidity should be between 40 and 50 percent in server rooms and wire closets.
- Ventilation: Servers and related equipment can generate considerable amounts of heat. Make sure that rooms are properly ventilated. Air sources should be prepared to remove air from the room, as well as move air into the server room.
- Power issues: Make sure that all power switches and boxes (both internal and external) are properly secured and locked. Otherwise, someone could simply switch off power to a building, floor or room to disrupt business. You may have to discuss alternative power sources to ensure business continuity.
Fire detection and suppression
To be secure, you need a dedicated fire system. When securing equipment against fire,
you need fire-detection equipment, as well as a way to suppress any fire that is detected.
Fire must be detected as quickly as possible to have any chance of subduing it. Fire-
detection equipment includes the following:
- Smoke detectors and air sniffers: responsible for determining the presence of smoke and unseen gases. Additional sniffing equipment can also be provided to sense the presence of gases, including carbon monoxide. In relevant businesses, sensors can be installed to detect chemical and even biological agents.
- Flame and heat detectors: responsible for determining the presence of flames or unacceptably high temperatures.
If a fire does break out, it is important to have appropriate equipment available to fight it.
Computer equipment will generate fires that are electrical in nature, so you may need a
Class C fire extinguisher in isolated cases.
To prevent fire on a large scale (e.g., an entire server room or floor) in a networked
environment, you will need a more powerful suppression system. All suppression systems
flood the environment with a medium that retards or eliminates a fire. The flood of
retardant (e.g., water or a chemical) is released in one of two ways:
- A sensor is tripped.
- A physical stop in the line is melted, releasing the retardant.
Testing Systems
Testing your systems should be central to your security implementation plan. Following
are some simple steps for testing existing systems.
- Test your network with the same types of tools, methods and techniques that hackers use. Numerous automated testing tools can also assist you; you will learn about many of these tools in later lessons.
- Consult server logs. You must compare logs to determine how actual conduct conforms to your stated security policy. Note any deviations from your policy, then use this information to improve user compliance.
- Do not become complacent. Do not assume that your system is secure simply because you have implemented the security measures in this lesson. You must take an active role in verifying system security. On the Internet, what might be secure today may develop problems later, due to a hardware change, an operating system upgrade or a bug in an application.
To implement a new system or test a new security setting, follow the steps below:
1. Implement the policy on systems whose configurations are identical to those of your normal systems.
2. Place the system or systems on a different subnet.
3. Simulate, as far as possible, conditions normal to your network.
4. As with existing systems, test your new system against the common hacker techniques and methods with which you are familiar.
Security Testing Software
Most security testing software is designed to test various aspects of system security. Some
programs are comprehensive, and others focus on very specific aspects of your network.
Most are simply tools that help automate the process of uncovering security problems.
The primary benefit of these tools is that they are convenient and automated, and you
can run them regularly with little effort. Their chief liability is that most of the
comprehensive tools become outdated quickly. These programs have no way of detecting
newly discovered security problems, unless you modify or update them. Additionally, you
should always view security testing as a supplement to proper auditing practices, not a
replacement for them.
Specific tools
Most tools common to hackers were originally written for more legitimate purposes.
Systems administrators wanted to test their own security systems, and devised programs
that could test their proposed solutions. However, any program that probes a security
system can be used to break into it. The level of risk depends on whether a hacker or
system administrator is using the tool.
The three major security tool categories are:
- Network scanners
- Operating system add-ons
- Logging and log analysis tools
OBJECTIVE 1.3.8: Testing and evaluating systems and services
OBJECTIVE 1.3.9: Network security management applications
Network scanners
Network scanners use a database of known security problems and test networks against
this information. After searching a particular network host, a network scanner will
categorize security risks and vulnerabilities, and then report them. Many scanners
determine whether resources are at high, medium or low risk. Following are some issues
to consider when evaluating the use or purchase of a scanner:
- The primary problem with vulnerability scanners is that they can become outdated quickly. Make sure you update them regularly.
- The scanner should be relatively easy to use and understand. Ease of use ensures that security professionals will spend time concentrating on vulnerabilities, not on learning how to use the software.
- Update the scanner as often as possible so your systems are being tested for the latest discovered vulnerabilities.
- Although many network scanners claim to be comprehensive, you will find that each has its own strengths and weaknesses. For example, some are especially good at scanning Windows-based systems, whereas others are best at scanning Linux systems. Consider also that many scanners focus on how a specific operating system is used. For example, some scanners are best used against systems that are deployed as file and print servers in a LAN or enterprise network. Others are best suited to scanning systems deployed on the Internet as Web servers.
Operating system add-ons
An operating system add-on is an application, service or daemon that works in tandem
with the operating system or service to increase its native security ability. The term is
used to describe many of the tools that you have already learned about. An operating
system add-on can be as involved as an e-mail attachment scanner or encryption
software.
Modest examples of add-ons include Microsoft Windows Server 2003 Service Pack 2, and
UNIX daemon updates and patches. You can obtain the Microsoft Service Pack by
searching for it at www.microsoft.com and going to the Download Center search page
(currently, www.microsoft.com/downloads/search.aspx?). You can obtain updates for
Ubuntu Linux by using the Update Manager tool, which enables your system to
automatically download important updates to your system.
Logging and log analysis tools
These programs allow the system administrator to know what activity occurs on the
network, such as when a user logs in and out, what mail goes in and out of the system,
and which files are transferred across the network. Programs of this type can log
transactions that occur between your network and a remote network.
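As an added example that is not from this guide or from any of the products it names, the following C program runs the kind of check a log analysis tool performs over a constructed sample of sendmail-style log lines: it totals the recipients each envelope sender addressed and flags senders whose total exceeds a threshold. That is the pattern the Melissa description earlier in this lesson (one message to the first fifty contacts, repeated from every infected machine) leaves behind in a mail log, and the kind of deviation from policy that the "Consult server logs" step under Testing Systems asks you to look for. The sample lines, the from=< and nrcpts= fields being parsed, the sender table size and the threshold are all assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample of mail-server log lines in a sendmail-like format. Each
 * accepted message logs the envelope sender (from=<...>) and nrcpts, the
 * recipient count. The last line is a delivery-status line with neither field.
 */
static const char *const SAMPLE_LOG[] = {
    "Mar 26 09:00:01 mx sendmail[2001]: q1: from=<alice@example.com>, size=1204, nrcpts=1",
    "Mar 26 09:00:07 mx sendmail[2002]: q2: from=<bob@example.com>, size=20481, nrcpts=50",
    "Mar 26 09:00:09 mx sendmail[2003]: q3: from=<carol@example.com>, size=980, nrcpts=3",
    "Mar 26 09:00:12 mx sendmail[2004]: q4: from=<bob@example.com>, size=20481, nrcpts=50",
    "Mar 26 09:00:15 mx sendmail[2005]: q5: from=<alice@example.com>, size=1400, nrcpts=2",
    "Mar 26 09:00:16 mx sendmail[2006]: q6: to=<dave@example.com>, stat=Sent",
};
#define SAMPLE_LOG_LEN (sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]))

#define MAX_SENDERS 64      /* assumed capacity of the per-sender table */
#define SENDER_LEN 128      /* assumed maximum sender address length */

/* Extracts the sender and recipient count from one line; false if either is absent. */
bool parse_mail_log_line(const char *line, char *sender, size_t sender_sz, int *nrcpts)
{
    const char *from = strstr(line, "from=<");
    const char *count = strstr(line, "nrcpts=");
    if (from == NULL || count == NULL) {
        return false;                          /* delivery or status line: not a message record */
    }
    from += strlen("from=<");
    const char *end = strchr(from, '>');
    if (end == NULL || (size_t)(end - from) >= sender_sz) {
        return false;                          /* malformed or too long to store safely */
    }
    memcpy(sender, from, (size_t)(end - from));
    sender[end - from] = '\0';
    return sscanf(count + strlen("nrcpts="), "%d", nrcpts) == 1;
}

/* Recipients addressed by one sender across the whole log window. */
int total_recipients_for(const char *const *lines, size_t nlines, const char *sender)
{
    int total = 0;
    for (size_t i = 0; i < nlines; i++) {
        char who[SENDER_LEN];
        int n;
        if (parse_mail_log_line(lines[i], who, sizeof who, &n) && strcmp(who, sender) == 0) {
            total += n;
        }
    }
    return total;
}

/*
 * Number of distinct senders whose recipient total exceeds the threshold.
 * A sender far above the norm for the window is what an address-book mailer
 * looks like from the server's side, before any attachment is examined.
 */
int senders_over_threshold(const char *const *lines, size_t nlines, int threshold)
{
    char seen[MAX_SENDERS][SENDER_LEN];
    int totals[MAX_SENDERS];
    int nseen = 0;

    for (size_t i = 0; i < nlines; i++) {
        char who[SENDER_LEN];
        int n;
        if (!parse_mail_log_line(lines[i], who, sizeof who, &n)) {
            continue;
        }
        int idx = -1;
        for (int j = 0; j < nseen; j++) {
            if (strcmp(seen[j], who) == 0) {
                idx = j;
                break;
            }
        }
        if (idx < 0) {
            if (nseen == MAX_SENDERS) {
                continue;                      /* table full: skip rather than overflow it */
            }
            idx = nseen++;
            strcpy(seen[idx], who);            /* safe: parse bounded who to SENDER_LEN - 1 */
            totals[idx] = 0;
        }
        totals[idx] += n;
    }

    int flagged = 0;
    for (int j = 0; j < nseen; j++) {
        if (totals[j] > threshold) {
            flagged++;
        }
    }
    return flagged;
}

int main(void)
{
    printf("bob@example.com addressed %d recipients\n",
           total_recipients_for(SAMPLE_LOG, SAMPLE_LOG_LEN, "bob@example.com"));
    printf("senders over 40 recipients in the window: %d\n",
           senders_over_threshold(SAMPLE_LOG, SAMPLE_LOG_LEN, 40));
    return 0;
}
```

The threshold is a policy value: the "limit on the number of e-mail messages a particular account can receive" listed under access control has a natural counterpart on the sending side, and comparing the log against that limit is exactly the policy check the text describes.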
Security and Repetition
The final step is to use what you have learned and return to the beginning, building your
new knowledge and capabilities into a better security implementation. Security is a
heuristic process. You must continually improve and test your security system with real-
time experiments and tests. Improved security is often the effect of trial and error that
helps you construct and reconstruct your system.
The only way to ensure continued security, then, is by applying sound principles,
modified by experimentation and the lessons you learn from experience.
Case Study
Secure My Servers
Stefan is the property manager of an office complex that prides itself on the high level of
security it provides for its tenants.
A mid-size company has just moved in and expressed concern for the physical security of
its servers because they had experienced a break-in in their previous office. The company
wants to ensure that such an event will not be repeated in their new suite.
Stefan reviews the security attributes of the office complex, as follows:
- Each suite has a built-in server room that does not contain false ceilings.
- Each built-in server room is protected by a Faraday cage.
- All building and suite entrances require card-key access.
- Security guards patrol the premises 24 hours a day, 7 days a week.
- All suites are temperature-controlled and humidity-controlled.
- All suites are equipped with smoke detectors and sprinkler systems that are tripped automatically if flames are detected.
* * *
As a class, discuss this scenario and answer the following questions:
- Are the security measures provided by the office complex comprehensive enough to adequately protect the company's servers? Why or why not?
- What other physical security measures would you recommend that Stefan provide his new tenant to remove any lingering fears of theft or damage?
- What security measures would be too costly to implement for the security needed?

Lesson Summary
Application project
In this lesson, you have learned about ways to secure various Internet services, including
FTP and Web servers. In Lab 8-1, you moved (not copied) the default directory of your
Web server. View the default permissions of your Web directory. See Figures 8-4, 8-5 and
8-6. They show the default permissions for the C:\webfiles directory.

Figure 8-4: Viewing permissions for C:\webfiles directory

Figure 8-5: Viewing custom permissions for C:\webfiles directory

Figure 8-6: Viewing object permission entries for C:\webfiles directory
If you had copied the C:\xampp\htdocs subdirectory and then changed it to C:\webfiles,
these permissions would not have been retained, because to retain permissions on a file or
directory, you must move it rather than copy it.
Skills review
In this lesson, you learned about strategies that will help you understand the ongoing
nature of effective security implementation, and you have seen how to implement the
security process. You also learned about the basic techniques to secure Web, FTP and
SMTP servers, how to separate your servers from your operating system, and how to
protect your network's physical infrastructure.
Now that you have completed this lesson, you should be able to:
- 1.3.5: Consistently apply security principles.
- 1.3.6: Identify ways to protect operating systems, routers and equipment against
physical attacks.
- 1.3.7: Secure TCP/IP services, including HTTP, FTP.
- 1.3.8: Identify the significance of testing and evaluating systems and services.
- 1.3.9: Identify network security management applications, including network
scanners, operating system add-ons, log analysis tools.
- 1.4.7: Determine the causes and results of a denial-of-service (DOS) attack.

Lesson 8 Review
1. What element of an e-mail message poses the greatest security threat?
2. What measures can you take to secure an e-mail server?
3. What is the chief liability involved in using security testing software?
4. How do network scanners work?
5. Why should you separate FTP user accounts and access options from those used to access the Web?
Lesson 9:
Firewalls and Virtual Private Networks
Objectives
By the end of this lesson, you will be able to:
- 1.1.3: Identify potential risk factors for data security, including improper authentication.
- 1.2.3: Define asymmetric (public-key) encryption, including distribution schemes, Public Key Infrastructure (PKI).
- 1.4.2: Define IPSec concepts.
- 1.4.6: Identify routing issues and security.
- 1.5.1: Define the purpose and function of various firewall types.
- 1.5.2: Define the role a firewall plays in a company's security policy.
- 1.5.3: Define common firewall terms.
- 1.5.4: Identify packet filters and their features.
- 1.5.5: Identify circuit-level gateways and their features.
- 1.5.6: Identify application-level gateways and their features.
- 1.5.7: Identify features of a packet-filtering firewall, including rules, stateful multi-layer inspection.
- 1.5.8: Identify fundamental features of a proxy-based firewall (e.g., service redirection, service passing, gateway daemons), and implement proxy-level firewall security.
- 1.5.9: Define the importance of proxy caching related to performance.
- 1.6.1: Implement a packet-filtering firewall.
- 1.6.2: Customize your network to manage hacker activity.

Pre-Assessment Questions
1. You are using IPsec. What element of an IP packet is responsible for authentication?
a. The Encapsulating Security Payload (ESP)
b. The Internet Key Exchange (IKE)
c. The Authentication Header (AH)
d. The Layer 2 Tunneling Protocol (L2TP)
2. Your certificate has expired. What can you do to ensure that this certificate is no
longer requested by other hosts?
a. Create a new certificate.
b. Request a new certificate.
c. Send the certificate to a CA to be deleted.
d. Generate a certificate revocation list.
3. You want to encrypt traffic between firewalls (i.e., you want to create a VPN).
What is the first step you must take to enable the VPN connection?



Access Control Overview
When a building is physically secured from break-ins, the highest protection is placed on
access points to the facility. The goal is to prevent any unauthorized person from ever
gaining access to the building, so the company's assets will remain safe. The concept of
network security is the same. The security administrator's goal is to restrict access to and
from the company's network. Restricting access to a network is accomplished with
firewalls and virtual private networks (VPNs).
This lesson discusses the simple and complex mechanisms used to shield your internal
network from unwanted activity.
Definition and Description of a Firewall
Many references maintain that the term firewall comes from a safety technique applied
in building construction. Whenever a wall separates sections of a building, such as
different businesses or apartments, it is made as fireproof as possible. This measure
protects the rest of the occupants in case one unit catches fire. However, most firewalls
have a heavy door placed in them, allowing people to enter or leave that section of the
building. So, even though the wall protects people on each side, its door still allows
necessary access while affording increased safety from a fire.
In computer networking, a network firewall acts as a barrier against potential malicious
activity, while still allowing a "door" for people to communicate between your secured
network and the open, unsecured network.
A firewall can consist of a single machine, or "box," that sits between a private network
and the Internet. This type of firewall is ideal for small business and home networks.
Large corporations, however, usually need more than a single firewall box. Medium-sized
and large businesses often require multiple hosts that reside in a subnet between the
internal network and the Internet. This area, called a demilitarized zone (DMZ), often
consists of a complex series of hosts that run daemons designed to monitor traffic as it
is routed in and out of your network.
By the time you are ready to implement your firewall, you should know what services
your company requires, and what services will be available to both internal and external
users. The need for services on both sides of the firewall largely determines what firewall
functions you will use.
The Role of a Firewall
A firewall is the most critical component of any security implementation, because it
authoritatively defines the difference between the internal network and all other
networks. A firewall strategy should aim to meet four goals:
• Implement a company's security policy
• Create a choke point
• Log Internet activity
• Limit network host exposure
firewall: A security barrier that controls the flow of information between the Internet and private networks. A firewall prevents outsiders from accessing an enterprise's internal network, which accesses the Internet indirectly through a proxy server.

demilitarized zone (DMZ): A mini-network that resides between a company's internal network and the external network, such as the Internet.

daemon: A UNIX program (i.e., service) that is usually initiated at startup and runs in the background until required.

OBJECTIVE 1.5.1: Firewall purpose and types
OBJECTIVE 1.5.2: Role of firewall in security policy
Implementing a company's security policy
A firewall is the primary means of enforcing your security policy. In an earlier lesson, you
were introduced to security policies and their importance for proper network security. For
example, your security policy may state that only the Internet mail server will transmit
SMTP traffic. You would enforce this policy feature directly at the firewall. A firewall can
also work together with network routers to help implement Type of Service (ToS)
policies.
Creating a choke point
Firewalls create choke points between a company's private network and a public network.
Proper implementation requires that all traffic be funneled through these choke points.
After these points have been clearly established, the firewall devices can monitor, filter
and verify all inbound and outbound traffic. By forcing all inbound and outbound traffic
through these choke points, network administrators can focus their security efforts in
just a few places. Without such a point for monitoring and controlling information, a
systems or security administrator would have too many places to monitor.

Another name for a choke point is a network perimeter.


Logging Internet activity
A firewall also enforces logging and provides alarm capabilities. By placing logging
services at the firewall, security administrators can monitor all access to and from the
external network or Internet. A good logging strategy is one of the most effective tools for
proper network security, and firewalls provide the most information for the
administrator's log archive.
Firewalls can also account for traffic so that Internet Service Providers (ISPs) and
corporate departments can accurately bill customers for usage. Counting traffic and
billing according to the volume of network use is often referred to as chargeback.
Limiting network host exposure
A firewall creates a protected perimeter, or border, around your network. It enhances
privacy by "hiding" your internal systems and information from the public. When remote
nodes probe your network, they will see only the firewalls. The remote device will not
know how your network is laid out or what it contains.
A firewall limits network exposure by enhancing authentication and providing network-
to-network encryption. By making incoming traffic pass through various source checks, a
firewall helps limit the attacks that can be waged from the outside.
Firewall Terminology
Before continuing our discussion of firewalls and firewall technologies, we will establish
common definitions for several important terms.
Type of Service (ToS): Bits that can help prioritize certain types of traffic. Routers can mark IP packets with certain ToS bits. For example, you can set ToS bits for all HTTP traffic, so that it is processed before any other traffic type.

chargeback: The concept of billing users for the volume of network traffic they generate.

OBJECTIVE 1.5.3: Common firewall terms
Packet filter
Packet filters are devices that process network traffic on a packet-by-packet basis. They
operate only at the network layer of the OSI/RM, so they allow or block IP addresses and
ports, and can be implemented through standard routers (e.g., a Cisco 2501 router) as
well as dedicated firewall devices (e.g., a Check Point Firewall-1 device). A pure packet
filter looks only at the following information:
• Source IP address
• Destination IP address
• Source port
• Destination port
• Packet type (ICMP, EGP and so forth)
Packet-filtering firewall supplements, such as stateful multi-layer inspection, can help
extend this basic capacity. You will learn more about stateful inspection shortly.
Proxy server
A proxy is an entity that stands for, or acts for and on behalf of, another person or thing.
Consider a simple example of attending a meeting for an absent colleague. For that
meeting, you represent that person, and you receive and convey information for him or
her. You make sure to relate the contents of that meeting to him or her, and sometimes
you act on things said in that meeting as if you were that person.
Proxy servers are very important to firewall applications because a proxy replaces the
network IP address with a single IP address. Multiple systems can use this single IP
address. A proxy server provides the following services:
• Hiding network resources: Hackers will see only one IP address instead of all exposed systems.
• Logging: A proxy server can log incoming and outgoing access, allowing you to see the details of successful and failed connections.
• Caching: A proxy server can save information obtained from the Internet (for example, Web pages). This cache contains copies of information found on the Internet. For example, internal Web clients that access the Internet through the proxy will see these copied (or cached) pages, and will thus not need to access the Internet to view them. A proxy server will regularly check these copies to see whether sites or pages have been updated. It will also automatically purge old information after a certain length of time. A common proxy server problem occurs when the server returns old information. In such cases, the administrator must purge the existing cache, or set the proxy server to update its cache more often.
Essentially, the two types of proxy server are:
• Application-layer proxy (also called application-layer gateway).
• Circuit-level proxy (also called circuit-level gateway).
Application-layer proxy
By far the most popular types of proxy servers are those that proxy application-level
traffic. For example, Squid proxy server can process only certain protocols, including
HTTP, HTTPS, FTP, IRC, DNS and SNMP. This behavior is quite different from packet
filters, which do not concern themselves at all with individual applications; they focus
only on source and destination ports and IP addresses. A proxy server receives requests
from internal network clients and then, if the client is authorized, communicates with
external servers on behalf of the internal clients. You will learn more about proxy servers
shortly.

packet filter: A device, such as a router or firewall, that processes and scans packets for acceptable and unacceptable activity.

OBJECTIVE 1.5.4: Packet filters
OBJECTIVE 1.5.8: Proxy-based firewalls
OBJECTIVE 1.5.9: Proxy caching and performance
OBJECTIVE 1.5.6: Application-level gateways

Many companies market proxy servers as multi-functional. Do not confuse how
companies market a product with its actual function.

Web sites such as http://compnetworking.about.com/ can help you learn more about
proxy servers and firewalls in general.
Circuit-level proxy
A circuit-level gateway operates at the transport layer of the OSI/RM. This type of firewall
monitors the source and destination of TCP and UDP packets, and does not inspect
application-layer traffic, nor does it inspect the traffic as thoroughly as does an
application-level proxy. Often, a circuit-level gateway is composed of two hosts. An
encrypted connection exists between the first firewall host and the second, and both work
together to process traffic. The benefit of such an arrangement is that it provides fault
tolerance in case one host fails. This arrangement also allows the processing load to be
shared between hosts.
Circuit-level gateways often provide Network Address Translation (NAT), in which a
network host alters the packets of internal network hosts so they can be sent out across
the Internet. You will learn more about NAT shortly.
A packet-filtering firewall can accomplish NAT, as well; not every instance of NAT
implies a circuit-level gateway. For example, the Windows Firewall application in
Windows Server 2003 uses a special feature of packet filtering called
masquerading to enable NAT.
The most popular circuit-level gateway is SOCKS, invented by David Koblas. Many
companies support this type of gateway, including IBM and Microsoft. Two versions of the
SOCKS protocol exist: SOCKS v4 and SOCKS v5. The latter is the more widely used, and
provides support for additional protocols. You can read more about the SOCKS version 5
protocol in RFCs 1928, 1929, 1961 and 3089.
The SOCKS reference architecture and client are owned by Blue Coat Systems
(www.bluecoat.com). You can read more about circuit-level gateways by reading D. Brent
Chapman, Simon Cooper and Elizabeth D. Zwicky's Building Internet Firewalls.
Advantages and disadvantages of circuit-level proxies
The primary advantage of using a circuit-level gateway is that it provides NAT, which
allows security and network administrators great flexibility when developing an internal
IP addressing scheme.
The primary disadvantage of a circuit-level gateway, however, is that it requires modified
applications. To work with a circuit-level gateway firewall, an application must be
specifically written to provide all connection information to the SOCKS server. For
example, most Web browsers contain native support for SOCKS servers. But because not
all applications are written to cooperate with a circuit-level gateway, using this firewall
type may severely limit employees' ability to use custom, mission-critical applications.
Thus, employees must alter their practices to accommodate the firewall. Additional
weaknesses include the fact that a circuit-level gateway cannot discriminate between bad
and good packets; also, it is susceptible to IP spoofing.
OBJECTIVE 1.5.5: Circuit-level gateways
Network Address Translation
Network Address Translation (NAT) is the practice of hiding internal IP addresses from
the external network. Three ways exist to provide true NAT:
• Configure masquerading on a packet-filtering firewall, such as a Linux system.
• Configure a circuit-level gateway.
• Use a proxy server to conduct requests on behalf of internal hosts.
When a firewall or router is configured to provide NAT, all internal addresses are
translated to public IP addresses when connecting to an external host. When packets
come back in from an external host, they are translated back so the internal network
host receives them.
Another name for NAT is IP address hiding.
RFC 1918 outlines the addresses that the IANA recommends using for internal address
schemes. The internal network address ranges are as follows:
• 10.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16

The values appended to the IP addresses denote subnet masks using Classless
Inter-Domain Routing (CIDR) notation. A CIDR notation value of /8 denotes
the following subnet mask: 255.0.0.0. The CIDR notation values of /12 and /16
denote the 255.240.0.0 and 255.255.0.0 subnet masks, respectively.
Notice that the 172.16.0.0/12 and 192.168.0.0/16 networks do not have standard class
B and class C subnet masks. If you choose to implement one of the listed network
addresses, you need not register the addresses with any Internet authority. The
advantage to using one of the listed addresses is that these addresses will never be
routed over the Internet. All routers on the Internet are programmed to automatically
discard any address that has a source or destination of the aforementioned private
network IDs. Not routing these addresses is beneficial if one of the nodes on your network
is misconfigured and becomes exposed to the Internet. If the machine is configured with a
private address, it still cannot be accessed remotely because no routes are available to it.
Masquerading
In relation to packet-filtering firewalls, masquerading is the process of altering the IP
header. Specifically, a packet filter that masquerades can alter the IP header so it appears
to originate from the firewall, rather than from the original host. Masquerading is useful
with NAT, because it allows hosts using private network IP addresses to communicate
with hosts on the Internet. A commonly used phrase for masquerading is "packet
mangling."
In Figure 9-1, two networks (192.168.37.0/16 and 10.5.7.0/8) can communicate with
each other, because each network has firewalls that translate the host IP addresses into
Internet-addressable IP addresses (34.09.45.1/8 and 207.19.199.1/24, respectively).
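The translation Figure 9-1 describes, as an added example (this is not code from the CIW guide): a firewall that masquerades outbound packets from an RFC 1918 address behind its own public address, keeps a translation table, and reverses the rewrite for replies. The Packet class, the port-allocation scheme and the check that a reply comes from the peer the internal host actually contacted are assumptions of this example; the figure's public address 34.09.45.1 is written 34.9.45.1.

```python
"""Masquerading firewall simulation (added example, not code from the CIW guide).

The firewall rewrites the source of a packet leaving a private (RFC 1918)
network so it appears to originate from the firewall's public address,
remembers the mapping, and rewrites returning packets back to the internal
host. All addresses used in the demo are constructed.
"""
from dataclasses import dataclass, replace
import ipaddress

# RFC 1918 ranges quoted in the lesson; the CIDR prefix gives the mask
# (/8 = 255.0.0.0, /12 = 255.240.0.0, /16 = 255.255.0.0).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class MasqueradingFirewall:
    """Rewrites IP headers of outbound packets and reverses the rewrite for replies."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (internal ip, internal port, external ip, external port) -> public port
        self.outbound = {}
        # public port -> that same 4-tuple, so replies can be checked and reversed
        self.inbound = {}

    def _allocate_port(self) -> int:
        port = self.next_port
        self.next_port += 1
        if port > 65535:
            raise RuntimeError("translation table exhausted")
        return port

    def outbound_rewrite(self, pkt: Packet):
        """Packet leaving the private network: masquerade it, or None to drop it."""
        # A private destination is never routed on the Internet; do not forward.
        if is_private(pkt.dst_ip):
            return None
        if not is_private(pkt.src_ip):
            return pkt                  # already routable; nothing to translate
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:                # first packet of this flow: add a mapping
            port = self._allocate_port()
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound_rewrite(self, pkt: Packet):
        """Packet arriving from the Internet: translate back, or None to drop it."""
        if pkt.dst_ip != self.public_ip:
            return None                 # not addressed to this firewall
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None                 # unsolicited: no internal host asked for it
        int_ip, int_port, ext_ip, ext_port = key
        # Only the peer the internal host contacted may use the mapping; this
        # keeps a third party from reaching the host through an open entry.
        if (pkt.src_ip, pkt.src_port) != (ext_ip, ext_port):
            return None
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


if __name__ == "__main__":
    fw = MasqueradingFirewall("34.9.45.1")
    out = fw.outbound_rewrite(Packet("192.168.37.3", 4998, "207.19.199.1", 80))
    print("outbound:", out)
    print("reply:   ", fw.inbound_rewrite(Packet("207.19.199.1", 80, "34.9.45.1", out.src_port)))
    print("unsolicited:", fw.inbound_rewrite(Packet("207.19.199.1", 80, "34.9.45.1", 3000)))
```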
OBJECTIVE 1.4.6: Routing issues and security

Network Address Translation (NAT): An Internet standard that allows a local area network to use one set of IP addresses for internal traffic and another set of IP addresses for external traffic.

Figure 9-1: Implementing NAT in a network
NAT considerations
When deploying NAT on any multi-homed device (such as a router), you will have to
determine which NICs are public and which are private. Only the public NIC should be
used to provide NAT. Many firewalls are configured so that if you perform NAT on the
public NIC, no traffic originating from the public network will be forwarded to the other
networks. However, traffic originating from the private network can still pass through to
the public (i.e., external) network. In this situation, you must create specific rules to
disallow traffic passing from the internal network to the external network.
NAT and vendor terminology
Each firewall product uses its own terminology. For example, Microsoft products often
use the words "trusting" and "trusted" to describe a proxy server's defensive stance in a
multi-homed situation. Following is a summary of the terminology.
Trusting: the proxy server that allows traffic from the internal network interface to enter the proxy server's system
Trusted: the network and/or host that is allowed access to the system
[Figure 9-1: the Internet sits between two private networks. Hosts 192.168.37.2 through 192.168.37.5 are on the 192.168.37.0/16 network, whose firewall has the internal address 192.168.37.1 and the public address 34.09.45.1/8; hosts 10.5.7.2 through 10.5.7.5 are on the 10.5.7.0/8 network, whose firewall has the internal address 10.5.7.1 and the public address 207.19.199.1/24. Caption: The firewalls translate addresses from the 192.168.37.0/16 and 10.5.7.0/8 networks into Internet-addressable form.]
Trust can occur in one of two ways. For example, you can implement a full one-way trust
in which the internal network can cross the proxy server and access external resources. A
full two-way trust allows all traffic, regardless of source, to traverse the proxy server.
Except for the fact that the firewall would still log activity, this stance would defeat the
purpose of having a firewall.
Bastion host
A bastion is a secure computer system placed directly between a trusted network and an
untrusted one, such as the Internet. You can have a single-homed bastion host. Most
often, however, a bastion host uses two network interface cards (NICs). Each card acts as
an interface to a separate network. On one card is your company's production network
that you supervise, control and protect. The other card interfaces with another network,
usually a public one, such as the Internet.
Operating system hardening
A firewall requires only a limited number of services. In operating system hardening, the
firewall's installation program disables or removes all unnecessary services.
Most firewall packages, including Symantec Enterprise Firewall (www.symantec.com),
Check Point Firewall-1 (www.checkpoint.com) and McAfee Host Intrusion Prevention
(www.mcafee.com) operate on top of popular operating system platforms. These products
work even if the firewall includes a dedicated network appliance.
Generally, a system designated as a firewall is not suitable for any other network
application because the firewall software will prohibit installation and execution of all
programs that it does not specifically recognize. Some firewalls automatically disable
applications and services that you may try to run. For this reason alone, you should
consider dedicating your firewall system solely to firewall duties.
The logic behind operating system hardening is that when you strip an operating system
to its foundation, it is much more difficult to compromise the host by exploiting system
bugs.
Screening and choke routers
A screening router is another term for a packet-filtering router that has at least one
interface exposed to a public network, such as the Internet. Another name for a screening
router is the outside router, because it presents interfaces to the Internet, not to the
internal network. A screening router is different from a bastion host in that it does not
use additional services to thoroughly screen packets. A screening router is configured to
examine inbound and outbound packets based upon filter rules.
Choke router
When two routers are used in a firewall configuration, the internal router (i.e., the router
that presents an interface to the internal network) is often called a choke router.
A choke router defines the point at which a public network can access your internal
network. It also defines the point at which your internal network users can access the
public network. Security administrators use choke points to limit external access to their
networks. Using a firewall strategy creates choke points, because all traffic must flow
through the firewalls.
network appliance: A single machine dedicated to one purpose. Instead of installing firewall software on a standard computer, you can obtain a specialized system meant only to house firewall software.
Demilitarized zone (DMZ)
A DMZ is a mini-network that resides between a company's internal network and the
external network. The network is created by a screening router and, sometimes, a choke
router. A DMZ is used as an additional buffer to further separate the public network from
your internal private network.
Many systems administrators place Web and DNS servers in a DMZ because it is more
convenient. The benefit of this practice is that the screening router provides some
protection. The drawback is that any server in a DMZ is not as protected as it would be if
it resided behind the actual choke router. Another commonly used term for a DMZ is
service network.
Web security gateway
With the advent of Web 2.0, hackers are finding new and innovative ways to spread
malware, spyware and adware. Web content creation has shifted from trusted sources to
anonymous and user-driven collaborations such as wikis, blogs and social networking
sites. Hackers are thus able to circumvent traditional security measures by targeting
trusted Web sites with good reputations to maximize the effectiveness of their attacks.
In this context, traditional security measures such as URL filtering are no longer enough
to thwart the delivery of malicious content. A Web security gateway is an application
designed to provide security protection from malware by classifying new and dynamic
Web content in real-time, determining immediately whether the Web site and its contents
are safe.
The Web security gateway categorizes actual content on Web sites, not just the sites
themselves, which allows users to access Web sites but block portions of sites that are
inappropriate or may pose a security risk. Because Web security gateways are designed
to analyze Web site content in real-time, they can immediately protect users from
malicious Web content.
Firewall Configuration Defaults
By default, a firewall can be configured to either:
• Deny all traffic, in which case you would specify certain types of traffic to allow in and out of your network.
• Allow all traffic, in which case you would specify certain types of traffic to deny.
Arguably, the most secure option is to have the firewall deny all traffic by default. After
you install the firewall, you will need to open the necessary ports so users inside the
firewall can access the systems they are authorized to use. In other words, if you want
your employees to send and receive e-mail, you will have to create rules and/or start
daemons that allow POP3 and SMTP to pass through the firewall.
Remember, a firewall works both ways: It controls access to traffic entering and leaving
the network. Therefore, you need to take special measures to ensure that all necessary
ports have been opened so clients can open ephemeral ports (i.e., those ports higher than
1023) to connect to the Internet.
If you have a firewall that allows all traffic by default, you will then have to take measures
to create rules and use various services (i.e., daemons) to deny unwanted traffic.
Creating Packet Filter Rules
Because a packet filter is a device that inspects each packet for pre-defined content, you
must define rules that tell the packet filter what to block or allow. Although it does not
provide error-proof protection, it is almost always the first line of defense.
Many firewall configurations have multiple routers or firewalls, and security engineers
often begin filtering packets at the external (i.e., screening) router, which discards certain
types of activity entirely. The choke router then filters out additional traffic. This method
is very useful for implementing broad restrictions; it also ensures that no single point of
failure exists.
When packets are filtered at a router, it is usually called a screening router. Screening
router is another term for a packet-filtering firewall.
Process
Packet filters work at the network layer of the OSI/RM. Packet filters use text files that
have been created by a security administrator. The text files are composed of rules that
are sequentially read line-by-line. Each rule contains specific entries to help determine
how incoming packets will be handled. Rules can be applied based upon source and
destination IP addresses or source and destination network addresses. Packet filters also
can enforce rules based upon TCP and UDP ports. All Internet services are based upon
specific TCP and UDP ports, and can therefore be subject to examination.
Packet filter rules are read and acted upon one rule at a time. After a packet has
failed any portion of a filter, the subsequent rules will not be read. Remember to consider
the order of rules within a filter. A packet filter provides two actions, allow or block.
The allow action routes the packet as normal if all conditions within the rule are met. The
block action will discard all packets if the conditions in the rule are not met. Packet filters
will discard any packet unless it has specifically been allowed within a rule.
Rules and fields
Packet filters use rules to determine what packets are allowed to traverse the firewall. A
rule is composed of several fields. Specific implementation involves telling the router to
filter the content of IP packets based on the fields discussed earlier.
Packet filters work best for restricting certain IP addresses and TCP and UDP applications
from entering or leaving your network. For example, to disable the ability to Telnet into
internal devices from the Internet, you could create a packet filter rule. An earlier lesson
discussed how TCP/IP works, and how Telnet uses TCP Port 23. In a packet filter that
allows all access by default, a packet filter rule that stops Telnet would look similar to the
values in Table 9-1.
Table 9-1: Telnet packet filter

Rule Number | Action  | SRC IP | DST IP | SRC Port | DST Port | Protocol
1           | Discard | *      | *      | 23       | *        | TCP
2           | Discard | *      | *      | *        | 23       | TCP

OBJECTIVE 1.5.7: Packet-filtering firewalls
The information listed above tells the router to discard any packet going to or coming
from TCP Port 23. An asterisk indicates any value in a particular field. In the preceding
example, if a packet is passed through the rule that has a source port of 23, it will
immediately be discarded. If a packet with a destination port of 23 is passed through this
rule, it will be discarded only after Rule 2 has been applied. All other packets will be
discarded.
These examples are meant to describe the concept of packet filter rules. Actual
implementations of the rules will vary widely. For example, Cisco routers require
you to format a particular rule much differently than does Check Point's
FireWall-1.
Standard FTP clients and creating packet filter rules
Standard FTP clients make connections to two ports on an FTP server: Ports 20 and
21. Port 20 on the server is the data channel (i.e., the port that sends the actual
information). Port 21 on the server is the "control" channel, which the server uses to
listen for connections and receive commands.
A standard FTP client builds a connection with a server by first opening a port number
above 1023 (e.g., Port 4998) that is directed to Port 21 on the server. Once the client has
connected to Port 21, it issues a PORT command to the server. This command has the
server open its own Port 20 and initiate a connection back to this same ephemeral port
on the client (e.g., Port 4998). The client then acknowledges this connection by opening a
second ephemeral port (e.g., Port 4999), this time directed to Port 20 on the server. Once
these transactions occur, data transfer can begin between the client and the server.
Thus, in a firewall that disallows all access by default, the following rule (Table 9-2) will
allow an internal standard FTP client to connect to outside FTP servers:
Table 9-2: FTP packet filter

Rule Number | Action | SRC IP          | DST IP          | SRC Port | DST Port | Protocol
1           | Allow  | 192.168.10.0/24 | *               | *        | 21       | TCP
2           | Block  | *               | 192.168.10.0/24 | 20       | <1024    | TCP
3           | Allow  | *               | 192.168.10.0/24 | 20       | *        | TCP ACK=1
4           | Allow  | *               | 192.168.10.0/24 | >1023    | >1023    | TCP

Rule 4 may seem to be just like Rule 1. However, notice that Rule 4 is allowing clients on
the 192.168.10.0/24 network to acknowledge connections to Port 20, not Port 21.
Passive FTP clients and packet filter rules
Most modern Web browsers and FTP clients do not use standard FTP. Rather, they use
passive FTP. As in standard FTP, the server listens for connections on Port 21, and clients
use a port above 1023 to make a connection to this server port. However, when a passive
FTP client begins the data connection, it does not use the PORT command. Rather, the
client uses the PASV command, which tells the server to open one of its own ports
above 1023, rather than Port 20, to build a data channel. In passive-mode FTP, a server
never uses Port 20.
Table 9-3 lists a set of packet filter rules that allows internal passive FTP clients to
connect to outside FTP servers. These rules assume a firewall stance in which all connections
are blocked unless explicitly allowed.
OBJECTIVE 1.6.1: Implementing packet filters
Lesson 9: Firewalls and Virtual Private Networks 9-13
2009 Certification Partners, LLC All Rights Reserved. Version 7.0
Table 9-3: Packet filter for internal passive FTP clients
Rule Number | Action | SRC IP          | DST IP          | SRC Port | DST Port | Protocol
1           | Allow  | 192.168.10.0/24 | *               | >1023    | 21       | TCP
2           | Allow  | *               | 192.168.10.0/24 | 21       | >1023    | TCP
3           | Allow  | 192.168.10.0/24 | *               | >1023    | >1023    | TCP
4           | Allow  | *               | 192.168.10.0/24 | >1023    | >1023    | TCP
The first rule allows all clients inside the 192.168.10.0/24 network to open ports above
1023 to a destination port of 21 (where the server is listening for connections). At this
time, the client makes a PASV request. The second rule allows the server to respond to
the PASV request. The third rule allows the client to open a second port back to the
server to begin the data channel. The fourth rule allows the server to acknowledge the
data connection, so that files can be transported.
Passive FTP is often called firewall-friendly FTP. This is because in a passive FTP session,
the server does not initiate a new connection with a client using a well-known port (e.g.,
Port 20), like it does in a standard FTP session. Although passive FTP sessions do require
a server to use Port 21 to connect to a client, this connection takes place as an
acknowledgment to a connection first made by the client. Thus, many firewalls recognize
that this connection is part of a previous session. In the case of standard FTP, the server
initiates the connection between Port 20 and the client, and many firewalls are configured
to automatically drop such connections.
Packet Filter Advantages and Disadvantages
The main advantage of using a packet filter is that the devices and software needed are
probably already in place, because most routers natively support packet filtering.
Because all the devices are already in place, little or no money will need to be spent on
new equipment. After you learn how to format the rules, you can begin controlling access.
Packet filters (used as screening routers) are normally the first line of defense for a
firewall system. Packet filters can screen entire applications or network IDs. For example,
a packet filter could restrict all inbound traffic to a specific host. This restriction would
prevent a hacker from being able to contact any other host within the internal network.
Because packet filters work at the network layer, less processing power is needed. As a
result, many high-volume sites, such as Yahoo!, eBay and others, use packet-filtering
firewalls, because many proxy-oriented firewalls cannot quickly process high volumes of
traffic.
Drawbacks
The biggest problem with packet filters or screening routers is that they cannot
discriminate between good and bad packets. If a packet passes all the rules, it will be
routed to the destination. Packet filters cannot tell if the routed packet contains good or
malicious data. Packet filters are susceptible to embedded code within a standard packet.
Using our first FTP example, a hacker could embed a program that scanned all IP
addresses on the 192.168.10.0 network to create a map of the internal network. As long as
the hacker initiated the packet with a source port of 20, the packet filter would pass all the
packets.
OBJECTIVE 1.5.7: Packet-filtering firewalls
Another weakness ties directly to the one mentioned above. Creating packet filters
requires extensive knowledge of TCP/IP. Most TCP/IP applications are client/server-based,
so the filters will need multiple rules to deal with the client/server communication.
Generalizing rules is difficult because most TCP/IP applications have special TCP/UDP
port requirements.
Another problem with packet filters is that you usually have to create more than 100
rules to limit and permit network access. Creating all these rules can be time-consuming.
Another significant weakness of packet filters is their susceptibility to spoofing. Spoofing
is similar to the first weakness, which was the inability to discriminate between good and
malicious data. If a hacker spoofs his or her source address with a source address that is
specifically allowed by a rule within the filter, the firewall will pass or route the packet.
Stateful multi-layer inspection
Introduced by Check Point, stateful multi-layer inspection allows packet filters to
overcome weaknesses inherent in packet filtering. Packet filters that engage in stateful
multi-layer inspection can examine packets in context because the firewall can maintain
a database of past connections. By analyzing and comparing connections, the firewall can
understand the nature of a series of connections. Stateful multi-layer inspection allows
you to detect and thwart ping and port scans, and helps determine whether a packet has been
spoofed.
The final benefit of stateful multi-layer inspection is that it allows packet filters to inspect
packets at all layers of the OSI/RM, not just the network layer. Many companies now use
stateful multi-layer inspection in their packet-filtering firewalls.
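The following is an added example and not code from the CIW guide: it transcribes Table 9-2 into Python, evaluates constructed packets against it as a plain packet filter, and then repeats the evaluation with a minimal connection table standing in for the stateful inspection just described. Only the 192.168.10.0/24 network and the four rules come from the text; the server addresses 203.0.113.7 and 198.51.100.9, the ports and the packets are constructed for the demonstration, and the "no session" verdict is this example's own shorthand for a packet that matches a rule but belongs to no connection an inside host opened.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.10.0/24")   # the internal network from the text

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "TCP"
    ack: bool = False          # TCP ACK flag, needed for the "TCP ACK=1" rule

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # "Allow" or "Block"
    src: str                   # address spec as in the table: CIDR or "*"
    dst: str
    sport: str                 # port spec as in the table: "*", "21", "<1024", ">1023"
    dport: str
    proto: str = "TCP"
    ack_required: bool = False

# Table 9-2 from the text, transcribed rule by rule.
TABLE_9_2 = [
    Rule(1, "Allow", "192.168.10.0/24", "*", "*", "21"),
    Rule(2, "Block", "*", "192.168.10.0/24", "20", "<1024"),
    Rule(3, "Allow", "*", "192.168.10.0/24", "20", "*", ack_required=True),
    Rule(4, "Allow", "*", "192.168.10.0/24", ">1023", ">1023"),
]

def addr_matches(spec: str, ip: str) -> bool:
    return spec == "*" or ip_address(ip) in ip_network(spec)

def port_matches(spec: str, port: int) -> bool:
    """Interpret the table's port notation: '*', 'N', '<N' or '>N'."""
    spec = spec.replace(" ", "")
    if spec == "*":
        return True
    if spec[0] == "<":
        return port < int(spec[1:])
    if spec[0] == ">":
        return port > int(spec[1:])
    return port == int(spec)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and addr_matches(rule.src, pkt.src_ip)
            and addr_matches(rule.dst, pkt.dst_ip)
            and port_matches(rule.sport, pkt.src_port)
            and port_matches(rule.dport, pkt.dst_port)
            and (pkt.ack or not rule.ack_required))

def stateless_decision(rules, pkt: Packet):
    """First matching rule wins; a packet matching no rule is blocked."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return "Block", "default"

class StatefulFilter:
    """Same rules plus a table of FTP control channels opened from inside; inbound
    traffic is allowed only from a server an inside host already reached on port 21."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()      # (internal host, external server) pairs

    def decide(self, pkt: Packet):
        action, reason = stateless_decision(self.rules, pkt)
        if action != "Allow":
            return action, reason
        if ip_address(pkt.src_ip) in INTERNAL:
            if pkt.dst_port == 21:           # remember the control channel
                self.sessions.add((pkt.src_ip, pkt.dst_ip))
            return action, reason
        if (pkt.dst_ip, pkt.src_ip) not in self.sessions:
            return "Block", "no session"     # unsolicited, despite matching a rule
        return action, reason

# Constructed traffic: a genuine session with 203.0.113.7, then packets with
# source port 20 from 198.51.100.9, a host no inside client ever contacted.
PACKETS = [
    Packet("192.168.10.5", "203.0.113.7", 4998, 21),              # control channel
    Packet("203.0.113.7", "192.168.10.5", 20, 4998, ack=True),    # server's data channel
    Packet("198.51.100.9", "192.168.10.5", 20, 4999, ack=True),   # unsolicited, ephemeral port
    Packet("198.51.100.9", "192.168.10.5", 20, 22, ack=True),     # unsolicited, port 22
]

def run_demo():
    """Return (stateless verdicts, stateful verdicts) for PACKETS, in order."""
    stateful = StatefulFilter(TABLE_9_2)
    return ([stateless_decision(TABLE_9_2, p) for p in PACKETS],
            [stateful.decide(p) for p in PACKETS])

if __name__ == "__main__":
    print(*zip(PACKETS, *run_demo()), sep="\n")
```

The third packet is the drawback the text describes: it arrives from a host nobody inside has talked to, but because it carries source port 20, the ACK flag and an ephemeral destination port, Rule 3 allows it in the stateless evaluation. The stateful filter blocks it, since no control channel to 198.51.100.9 exists in its session table, while the genuine data channel from 203.0.113.7 is still allowed. Real products track far more than this (sequence numbers, timeouts, the PORT and PASV exchange itself); the model only shows why context is what the plain filter lacks.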
Popular packet-filtering products
Following is a partial list of packet-filtering firewall and router products:
Check Point FireWall-1 (www.checkpoint.com)
Cisco PIX (www.cisco.com)
WinRoute Firewall (www.winroute.com or www.kerio.com)
Ipchains and iptables (open-source packet filtering software, available in Linux)
In the following labs, you will install WinRoute Firewall on your computer, configure
packet-filtering rules, and see how a firewall can be used on a server to act as a multi-
homed router. Suppose you are configuring a network for a small business that is
concerned about the safety of its data. Adding a firewall to the network can limit access
from the outside and prevent hackers or other unauthorized persons from viewing the
contents of the company's network.

Lab 9-1: Installing WinRoute Firewall in Windows Server 2003
In this lab, all students and the instructor will install WinRoute Firewall on their
systems. The instructor will install WinRoute Firewall onto the Windows Server 2003
system to act as a multi-homed router. In later labs, students will monitor the
instructor's packet-filter configuration efforts.
1. All students: Use the ping program to test connectivity between you and other
students in the classroom.
OBJECTIVE 1.6.1: Implementing packet filters

2. Obtain the WinRoute Firewall software and place it on your Desktop.
3. As Administrator, double-click the installation file (kerio-kwf-whql-6.5.0-4794-
win32.exe) and install the product.
4. Follow all instructions given by the installation wizard and accept the default
configuration. When prompted, enter a password of password.
5. When prompted to select remote access, select No and continue with the installation.

Lab 9-2: Configuring packet filtering rules
In this lab, you will add a packet filtering rule that allows ICMP packets through the
firewall from any source or destination. ICMP packets from any source or destination are
disallowed by default.
1. All students: Select Start | All Programs | Kerio | Administration Console to
launch the WinRoute Firewall Administration Console.
2. The New Connection dialog box will appear, as shown in Figure 9-2. Enter a
password of password, then click Connect.

Figure 9-2: New Connection dialog box
3. The Network Rules Wizard will appear to help you secure the connection of your LAN
to the Internet. In the second screen, specify A Single Internet Link Persistent as
the Type of Internet Connection. Proceed through the remaining screens of the
wizard accepting the default configurations, then click Finish.
4. A Welcome screen will appear prompting you to register WinRoute Firewall. Click
Close.
5. Try to ping your partner's host. You should not be able to do so.
6. At the command prompt, check the IP configuration for your workstation. Notice that
WinRoute Firewall is now running; you are using a new IP configuration.
OBJECTIVE 1.6.1: Implementing packet filters

7. In the Administration Console, select Configuration in the left pane, shown in Figure
9-3. Familiarize yourself with the application's layout.

Figure 9-3: WinRoute Firewall Configuration window
8. Select Interfaces. Notice that the network card is automatically detected, as shown
in Figure 9-4.

Figure 9-4: WinRoute Firewall Interfaces window
9. Select Traffic Policy. Notice that the rules that appear in the Traffic Policy pane
(Figure 9-5) are the same rules that were created when you installed WinRoute
Firewall and navigated through the original configuration screens.

Figure 9-5: WinRoute Firewall Traffic Policy window
10. To create a new rule, click the Add button at the bottom of the Traffic Policy pane.
This action will add a new policy line at the top of the pane.
11. Right-click New Rule and select Edit Rule. In the Edit Rule dialog box, type ICMP
packets in the Name text box, specify a background color for the rule, and describe
what the new rule will perform (e.g., Allows ICMP traffic on the network), as shown
in Figure 9-6. Click OK when finished.

Figure 9-6: Editing new rule
12. Leave the Source and Destination categories set to Any. Right-click Any in the
Service column and select Edit Service. Click the Add button and select Service to
display the Service dialog box. Display the Service drop-down list, select Any ICMP,
and then click OK twice.
13. Right-click in the Action column for the new rule and select Permit. The new rule
should appear as shown in Figure 9-7. Click the Apply button at the bottom of the
Traffic Policy pane to apply the new rule.

Figure 9-7: New rule defined
14. At the command prompt, ping your partner's IP address. Ping another IP address
such as the default gateway. Notice that ICMP traffic is now allowed on the network.
Note: Do not remove the ICMP packets rule. You will need it to perform the next lab.
In this lab, you created packet-filtering rules on your system.

Using the ipchains and iptables commands in Linux
The Linux operating system natively supports packet-filtering rules. Kernel versions 2.2
and earlier support the ipchains command. Beginning with the experimental 2.3 kernel
and continuing with the 2.4 and 2.6 kernels, the iptables command has become
standard. The iptables command manipulates a special area of the kernel called Netfilter.
Even systems that use the 2.4 or 2.6 kernel can support ipchains, as long as the ipchains
module is installed. However, a properly written iptables ruleset is both faster and more
secure than its nearest equivalent in ipchains.
kernel: The core of the Linux operating system. This core can be upgraded to obtain the
latest features and the functionality you need.
OBJECTIVE 1.6.1: Implementing packet filters
Both the ipchains and iptables commands have similar syntax, but Netfilter contains
several additional features. Using either ipchains or iptables, you can create packet-
filtering rules that accept, drop or masquerade traffic. Both the ipchains and iptables
commands allow you to control packets by manipulating chains, which are specially
defined areas of the packet filter designed to hold different rules. Following is a brief
discussion of the elements manipulated in both ipchains and iptables.
Ipchains
In ipchains, the three built-in chains are as follows:
input: used to control packets entering the interface
output: used to control packets leaving the interface
forward: used to control packets being masqueraded, or sent to remote hosts
You must specify a target using the -j option. The target values are ACCEPT, REJECT,
MASQUERADE and LOG. The MASQUERADE target allows you to establish NAT on a
firewall. Case is important for both the chains and the targets. In ipchains, all chains are
in lowercase letters, and all targets are in uppercase letters.
Changes in Netfilter (i.e., iptables)
In Netfilter, all built-in chains are in uppercase letters. Netfilter adds three tables, which
explains why the command name is now iptables, instead of ipchains:
filter: contains the INPUT, OUTPUT and FORWARD chains. This is the default table, and the
one reported when you list chains using the iptables -L command.
nat: used for creating NAT. Contains the PREROUTING, OUTPUT and POSTROUTING chains. The
PREROUTING chain alters packets as soon as they enter (used when masquerading connections).
The OUTPUT chain alters locally generated packets. POSTROUTING alters packets just before
they are sent on the network.
mangle: alters the packets. Generally, you do not use this table for establishing NAT. It
has two chains: PREROUTING (alters packets that have entered the system) and OUTPUT (alters
packets that have been generated by the local operating system).
Both the filter and mangle tables contain additional chains. The iptables command also
gives you additional logging options. For example, the ipchains -l option causes a rule to
log any match and send a message to the /var/log/messages file. The iptables command,
however, requires that you use the -j option and specify the target LOG for any rule. You
can learn more about ipchains and iptables by consulting their respective man pages.
Using ipchains and iptables
Because most Linux systems use modules to extend the functionality of the kernel, use
the lsmod command to verify what modules are installed. Look for entries such as
ipchains, ip_tables or iptable_filter. If you have kernel 2.4 and later, but the ipchains
module is installed, issue the following command:
modprobe -r ipchains
OBJECTIVE 1.6.1: Implementing packet filters
This command removes all ipchains modules. You can then load the following iptables
modules, if they are present:
modprobe ip_tables
modprobe iptable_filter

In many systems, simply issuing the ipchains or iptables command will automatically
load the necessary modules. If the iptables modules are not present, then install them
from www.rpmfind.net. If these modules will not install, you need to recompile your
kernel to use Netfilter. However, most systems include kernels that support Netfilter.
To remove the iptables modules, you can issue the following commands (the filter module
must be removed before the ip_tables module it depends on):
modprobe -r iptable_filter
modprobe -r ip_tables
You can then use the modprobe ipchains command to reinstall ipchains, if you want. It is
wise to use lsmod often to determine what else you need to install or uninstall. Remember
that some systems use monolithic kernels, which means that they will not allow the use
of modules. In such cases, you will have to recompile the kernel to include Netfilter, or to
allow modules.
Ipchains examples
Suppose, for example, that you have a host with the IP address of 192.168.2.0/24.
Suppose further that you want to create a simple personal firewall that blocks all
incoming ICMP traffic sent from remote hosts to your own host. To do so, you would
issue the following command:
ipchains -A input -p icmp -s 0/0 -d 0/0 -j REJECT

This command tells the input chain to forbid any ICMP traffic from any host. If you
wanted to block ICMP traffic from only, say, the 10.100.100.0/24 network, you would
delete the above rule, and replace it with one that specifies only that subnet. The
commands to do so would be as follows:
ipchains -F
ipchains -A input -p icmp -s 10.100.100.0/24 -d 0/0 -j REJECT
The host can no longer receive packets, but it can still send them, because you have only
blocked the input chain. To prohibit this host from sending packets to the
10.100.100.0/24 network, you could use the following command to add an entry to the
output chain:
ipchains -A output -p icmp -s 192.168.2.0/24 -d 10.100.100.0/24 -j REJECT

Now this host can no longer receive or send ICMP traffic. Of course, you are not limited to
controlling just ICMP traffic. If you want to block incoming POP3 traffic from all hosts, for
example, you could issue the following command:
ipchains -A input -p tcp -s 0/0 -d 0/0 110 -j REJECT

If you want to deny all traffic by default and then specifically allow only, for example,
POP3 traffic, you could use the -P option, which sets a policy for the chain you specify.
You could then begin to allow the POP3 traffic, as well as DNS service and the ephemeral
ports necessary for your system to connect to a POP3 server:
ipchains -P output DENY
ipchains -P forward DENY
ipchains -P input DENY
ipchains -A input -p tcp -s 0/0 -d 0/0 110 -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d 0/0 1024: -j ACCEPT
ipchains -A input -p udp -s 0/0 -d 0/0 1024: -j ACCEPT
ipchains -A output -p tcp -s 0/0 -d 0/0 1024: -j ACCEPT
ipchains -A output -p udp -s 0/0 -d 0/0 1024: -j ACCEPT
ipchains -A output -p udp -s 0/0 -d 0/0 53 -j ACCEPT

Notice that the last rule allows the system to generate a packet to any host on Port 53.
This rule allows the use of any DNS server. You could be more specific, if you knew the IP
address of your DNS server.
You do not have to create a full masquerading firewall to understand how ipchains and
iptables work. These examples should be enough to get you started creating firewalls.
Still, a short example may be helpful. Suppose that you have an internal NIC (named
eth0) with the IP address of 192.168.2.1/24, and an external NIC (named eth1) with the
IP address of 45.9.2.23/24. The following entry would enable all systems that are using
the internal NIC as a default gateway to use the Internet:
ipchains -A forward -i eth0 -s 192.168.2.0/24 -d 0/0 -j MASQ

The above entry adds an entry to the forward chain, which is designed to allow
masquerading. The -i option specifies the eth0 interface, which is the internal interface.
The -j MASQ target means that this interface will masquerade traffic from the
192.168.2.0/24 network. You can then begin to deny or accept traffic as you see fit.
Before you can masquerade a connection, you must enable IP forwarding and IP
defragmentation on the system, regardless of whether you are using ipchains, iptables or
a Windows system. On a Linux system, you perform this task by issuing the following
commands:
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/always_defrag

You can do this manually, or enter the commands at the bottom of the /etc/rc.d/rc.local
file, if you want these settings to be made automatically. To learn more about how to use
ipchains to create a full-blown firewall, consult the Linux IPCHAINS-HOWTO at
http://tldp.org/HOWTO/IPCHAINS-HOWTO.html.
Iptables examples
Because iptables has three tables to read instead of one, you need to know how to list
and manipulate them. The filter table is listed by default. The two commands below show
you how to list the nat and mangle tables:
iptables -t nat -L
iptables -t mangle -L
When creating a personal firewall, however, you do not need to use the nat or mangle
tables. To create a simple personal firewall that blocks all incoming ICMP traffic, you
would issue the following command:
iptables -A INPUT -p icmp -s 0/0 -d 0/0 -j DROP
To block ICMP traffic from only the 10.100.100.0/24 network, you would issue the
following command:
iptables -A INPUT -p icmp -s 10.100.100.0/24 -d 0/0 -j DROP
To deny all traffic and allow only POP3 traffic, you would issue the following commands,
after deleting any existing rules:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1024: -j ACCEPT
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 1024: -j ACCEPT
iptables -A OUTPUT -p udp -s 0/0 -d 0/0 --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -s 0/0 -d 0/0 --dport 110 -j ACCEPT

The first two entries allow any server on the Internet to connect to your workstation's
ephemeral ports (i.e., the ports above 1024). If you know the IP addresses of your DNS
and e-mail servers, you could restrict all the entries to a specific IP address, rather than
the entire Internet. For example, if the IP address of the DNS server were
10.100.100.100/8 and the e-mail server were at the address of 203.54.23.3/24, you
would enter the following:
iptables -A INPUT -p tcp -s 10.100.100.100/8 -d 0/0 --dport 1024: -j ACCEPT
iptables -A INPUT -p udp -s 10.100.100.100/8 -d 0/0 --dport 1024: -j ACCEPT
iptables -A OUTPUT -p udp -s 0/0 -d 203.54.23.3/24 --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -s 0/0 -d 203.54.23.3/24 --dport 110 -j ACCEPT
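As an added example, not part of the CIW guide, the script below audits the personal-firewall ruleset above for the gap the text points out: the two INPUT rules let any server on the Internet connect to the workstation's ephemeral ports. It parses iptables command lines in the form used in this section, flags INPUT rules that ACCEPT from anywhere into the ephemeral range without a connection-state match, and rewrites them to accept only reply traffic using the standard "-m state --state ESTABLISHED,RELATED" match. The ruleset from the text is embedded as PAGE_RULES; the audit logic, the ANYWHERE spellings and the helper names are this example's own.

```python
import shlex

# The ruleset from the text, embedded here as sample input for the audit.
PAGE_RULES = [
    "iptables -P INPUT DROP",
    "iptables -P FORWARD DROP",
    "iptables -P OUTPUT DROP",
    "iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1024: -j ACCEPT",
    "iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 1024: -j ACCEPT",
    "iptables -A OUTPUT -p udp -s 0/0 -d 0/0 --dport 53 -j ACCEPT",
    "iptables -A OUTPUT -p tcp -s 0/0 -d 0/0 --dport 110 -j ACCEPT",
]

# Spellings of "any source" this example recognises (an absent -s also means any).
ANYWHERE = {None, "0/0", "0.0.0.0/0", "0.0.0.0/0.0.0.0"}
EPHEMERAL_START = 1024
ONE_ARG = {"-A", "-t", "-p", "-s", "-d", "-j", "-i", "-o",
           "--dport", "--sport", "--state"}

def parse_rule(line: str) -> dict:
    """Map the options of one iptables command line to their values."""
    argv = shlex.split(line)
    if not argv or argv[0] != "iptables":
        raise ValueError(f"not an iptables command: {line!r}")
    opts, i = {"-m": []}, 1
    while i < len(argv):
        tok = argv[i]
        if tok == "-P":                      # -P CHAIN POLICY takes two arguments
            opts["-P"] = (argv[i + 1], argv[i + 2]); i += 3
        elif tok == "-m":                    # match extensions may repeat
            opts["-m"].append(argv[i + 1]); i += 2
        elif tok in ONE_ARG:
            opts[tok] = argv[i + 1]; i += 2
        else:
            i += 1                           # flags that take no argument
    return opts

def dport_touches_ephemeral(spec) -> bool:
    """True if a --dport value (absent, 'N' or 'low:high') reaches port 1024 or above."""
    if spec is None:
        return True                          # no port restriction at all
    if ":" in spec:
        _low, high = spec.split(":", 1)
        return (int(high) if high else 65535) >= EPHEMERAL_START
    return int(spec) >= EPHEMERAL_START

def is_unsolicited_inbound(opts: dict) -> bool:
    """INPUT rule accepting from anywhere into ephemeral ports with no state match."""
    return (opts.get("-A") == "INPUT"
            and opts.get("-j") == "ACCEPT"
            and opts.get("-s") in ANYWHERE
            and "--state" not in opts
            and dport_touches_ephemeral(opts.get("--dport")))

def audit(lines) -> list:
    """One finding per risky rule, plus one if the INPUT policy is not DROP."""
    parsed = [parse_rule(line) for line in lines]
    policies = dict(o["-P"] for o in parsed if "-P" in o)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT chain policy is not DROP: default stance is permissive")
    for line, opts in zip(lines, parsed):
        if is_unsolicited_inbound(opts):
            findings.append(f"stateless inbound accept into ephemeral ports: {line}")
    return findings

def harden(lines) -> list:
    """Rewrite risky INPUT rules to accept only replies to connections this host opened."""
    out = []
    for line in lines:
        if is_unsolicited_inbound(parse_rule(line)):
            head, target = line.rsplit(" -j ", 1)
            line = f"{head} -m state --state ESTABLISHED,RELATED -j {target}"
        out.append(line)
    return out

if __name__ == "__main__":
    for finding in audit(PAGE_RULES):
        print("FINDING:", finding)
    print("\n".join(harden(PAGE_RULES)))
```

The hardened INPUT rules still admit the DNS and POP3 replies the workstation asked for, because those packets belong to connections the host itself opened, but a server that simply connects to an ephemeral port no longer matches anything and falls through to the DROP policy. The restricted variant above that uses 10.100.100.100/8 is not flagged, since its source is no longer 0/0, although a /8 is still a very large allowance and the same state match applies equally well there. On current kernels, -m conntrack --ctstate is the preferred spelling of the same check.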

If you want to masquerade a connection using iptables, you would use the nat table.
Using the same scenario as for the ipchains command, you would masquerade your
internal network so that it could connect to the Internet as follows:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

For more information on using iptables, read the IPTABLES HOWTO at
https://help.ubuntu.com/community/IptablesHowTo and other locations on the Internet.
To learn more about masquerading using a Linux system, consult
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/.
Configuring Proxy Servers
When any type of proxy acts for and on behalf of a client host, it uses its own IP address
in the place of the original that belongs to the client host. In this sense, the host's
effective IP address is contingent upon the proxy server itself. This process effectively
hides the actual IP address from the rest of the Internet, because all clients must access
the Internet through a specific port, as shown in Figure 9-8.
OBJECTIVE 1.5.8: Proxy-based firewalls

Figure 9-8: Proxy server configuration
The preceding figure shows that the network is protected by a proxy server, which
requires all clients to connect at a specific port, in this case Port 3128 (the standard port
for the WinRoute Firewall and Squid proxy servers).
Recommending a proxy-oriented firewall
Proxy-oriented firewall products include:
Symantec Enterprise Firewall (www.symantec.com).
Microsoft Internet Security and Acceleration (ISA) Server (www.microsoft.com).
Squid (www.squid-cache.org).
Symantec Enterprise Firewall is a highly respected proxy-oriented firewall. Microsoft ISA
Server is also commonly used. Many organizations use a product such as Enterprise for
the bastion host, but then use ISA Server to handle Web traffic. When they are used in
tandem, each proxy server can divide traffic, thereby providing some load balancing and
fault tolerance. Squid has become a popular open-source proxy server for Linux systems.
It supports many protocols, and is reliable and highly configurable.
Proxy server advantages and features
The main advantage of a proxy server is its ability to provide NAT. Shielding your internal
network from the public is paramount. Following are additional benefits.
[Figure 9-8 diagram: the hosts 192.168.37.2, 192.168.37.3, 192.168.37.4 and 192.168.37.5 on
the 192.168.37.0/16 network send requests to the proxy server at Port 3128, which forwards
the requests onto the Internet.]
Authentication
Most proxy servers can be configured to require a client to first authenticate before being
allowed access to Internet services (HTTP, FTP, e-mail and so forth). After a user
authenticates and receives an access token, the proxy server can then determine exactly
which resources that user can use.
Logging and alarming
The logging and alarming features provided are often much more robust than those in
packet filters and circuit-level gateways. Proxy servers analyze considerably more
information than the other two types of firewalls, so they can log nearly every portion of a
TCP/IP session, from the network frame up to the application layer.
Caching
Because proxy servers need to analyze a TCP/IP packet at every layer of TCP/IP, the
proxy server will often cache this information to disk. Any subsequent request for the
same data will now be accessed from the proxy server's hard disk instead of the remote
server. Retrieving the data from disk is much faster than from the remote server. Many
rules can be applied to the proxy server to configure how often it will check the remote
sites for updated content.
Fewer rules
A proxy-oriented firewall generally requires fewer rules than a packet filter. Creating the
rules generally takes less time, so this is an advantage.
Reverse proxies and proxy arrays (cascading proxies)
Another advantage of using application gateways is their ability to provide reverse proxy
services. These services work similarly to standard ones, except that they proxy inbound
requests. A reverse proxy server is located outside a network's firewall system and is
registered on the Internet as a company's production server such as a Web or e-mail
server. When public users access the Web server, they are actually connecting to the
proxy server. The proxy server will then contact the Web server that resides behind the
firewall. This setup prevents public users from contacting the Web server directly. If a
hacker tries to break into the Web server, he or she will only be breaking into the proxy
server. The proxy server does not contain the actual data on the Web server, so breaking
into the proxy server does not yield any usable information.
A proxy array is several proxy servers configured as one. Proxy arrays are also known as
proxy clusters or cascading proxies, and are useful for load balancing. When several
reverse proxy servers are used together, the total amount that the servers can cache is
increased. The group also provides fault tolerance in case one of the proxies fails. Certain
proxy arrays can also act as a single unit. For example, depending on how the proxy
servers in the array are configured, changing a setting of one will change the settings on
all. Proxy arrays are often used in a reverse proxy environment as well. When proxy
arrays are used with a reverse proxy solution, public users can access several Web
servers simultaneously.
Proxy server drawbacks
One disadvantage of application-level gateways is creating the filters for the TCP/IP
applications. Each application must be configured individually. Given the number of
applications that can be used over TCP, firewall administrators will require extensive
knowledge of all the applications and unique settings for each to create secure filters. In
some cases, specific proxy servers will need to be created to proxy a single application. All
proxies require modified clients.
OBJECTIVE 1.5.9: Proxy caching and performance
OBJECTIVE 1.6.2: Customizing networks to manage hackers
Client configuration
Clients that use a proxy server for remote TCP/IP connectivity must be configured to use
a proxy and have all the correct parameters specified. If the internal users use different
client applications for each Internet application (for example, browsers, mail clients, news
clients, FTP clients and chat programs), each application must be configured to use the
proxy server for remote access. Often the Internet applications will not interface correctly
(or at all) with a proxy server.
Speed
Because proxy-oriented firewalls delve deeply into the IP packet, they need more system
resources. At extremely busy sites, a proxy-based firewall can become a liability, because
it can cause unacceptable latency. The general rule when recommending proxy-oriented
firewalls is that they will suit T3 speeds. Any company that requires a faster connection
speed requires a packet-filtering product, such as Check Point's FireWall-1.
In the following lab, you will configure WinRoute Firewall as a proxy server. Suppose you
are configuring a network for a small business that is concerned about the safety of its
data. Adding a proxy server to the network can limit access from the outside and prevent
hackers or other unauthorized persons from viewing the contents of the company's
network.
Lab 9-3: Configuring a proxy server in Windows Server 2003
In this lab, you will configure WinRoute Firewall as a proxy server. This lab requires two
partners to work with each other. Partner 1 will configure WinRoute Firewall as a proxy
server, while Partner 2 tests the proxy server rule changes established by Partner 1.
1. All students: If necessary, disable the Windows Server 2003 firewall so there will not
be any conflicts with WinRoute Firewall: Open the Services snap-in, double-click
Windows Firewall/Internet Connection Sharing (ICS), click the Stop button, then
display the Startup Type drop-down list and click Disabled. Click Apply and then
OK.
2. Partner 1: If necessary, open the WinRoute Firewall Administration Console. (Use
the user name Admin. The password should be password.)
3. Partner 1: Display the Traffic Policy pane. Add a new rule named Service HTTP
with the following specifications:

Source = Any
Destination = Any
Service = Any
Action = Permit

4. Partner 1: In the left pane, select Configuration | Content Filtering | HTTP Policy
to display the HTTP Policy pane.
5. Partner 1: Click the Proxy Server tab. Make sure that the non-transparent proxy
server is enabled. Leave the default port at 3128, as shown in Figure 9-9.


Figure 9-9: Proxy server settings
6. Partner 1: Select the WinRoute Proxy Server radio button, then click Apply.
7. Partner 2: Configure any Web browser as a client to Partner 1's proxy server, then
test connectivity: In Internet Explorer, select Tools | Internet Options, click the
Connections tab, then click the LAN Settings button. Deselect Automatically
Detect Settings. Select the Use A Proxy Server For Your LAN check box, enter the
IP address of the proxy server, and specify a port number of 3128. The new rule you
added in Step 3 allows all connections, so you should be able to connect.
8. Partner 1: Next, you will specify that the proxy server deny access to any site. In the
HTTP Policy pane, click the URL Rules tab, then click the Add button to display the
URL Rule dialog box.
9. Partner 1: In the Description text box, type Limit access. In the And URL Matches
Criteria section, click the URL Begins With radio button and type an asterisk ( * ) in
the text box if necessary.
Note: WinRoute Firewall allows the use of wildcard characters. As in most cases, this
particular wildcard is interpreted as "everything"; therefore, all users who use your
proxy server will be denied access to any site.
10. Partner 1: In the Action section, click the Deny Access To The Web Site radio
button, then select the Log check box. The URL Rule dialog box should appear as
shown in Figure 9-10.

Figure 9-10: URL Rule dialog box
11. Partner 1: Click OK and then Apply.
12. Partner 2: Clear your browser's cache, then use your browser to access any host on
the network, or any host on a remote network. You will be denied access, as shown in
Figure 9-11.

Figure 9-11: Access denied message
13. Partner 1: In the left navigation pane, select Logs | HTTP. Note the messages you
receive at the bottom of the HTTP log. You should see that your partner has
attempted a connection.
14. Partner 1: Next, you will add a new user and a new rule to configure WinRoute
Firewall to require the new user to authenticate. In the left navigation pane, select
Users And Groups | Users. The User Accounts tab will be selected by default. Click
the Add button to display the Add User dialog box, shown in Figure 9-12.

Figure 9-12: Add User dialog box
15. Partner 1: Enter ciw into the Name text box, enter a password of password in the
Password and Confirm Password text boxes, click Next twice, then click Finish to
return to the User Accounts tab. Click the Apply button.
16. Partner 1: Open the URL Rule dialog box and create a new HTTP policy named
Restricted access.
17. Partner 1: In the If User Accessing The URL Is section, click the Selected User(s)
radio button, then click the Set button to display the Users dialog box. In the Other
Users section, select ciw (the user you created in Step 15) and click the right-arrow
button. The user named ciw should appear in the Selected Users section. Click OK to
return to the URL Rule dialog box.
18. Partner 1: Click OK to return to the HTTP Policy pane, and then click Apply to
enable the new rule.
19. Partner 2: Clear your browser's cache, then use your browser to access any host on
the network, or on a remote network. You will again be denied access. However, this
time, you will be able to authenticate a user to gain Web access. Click the Login Page
link to display the Login Page dialog box, shown in Figure 9-13.

Figure 9-13: Login Page dialog box
20. Enter the user name and password you defined in Step 15 (ciw and password), and
then click Login. You should now be able to connect.
21. When time permits: Partners should switch roles and repeat the relevant steps in
this lab.
22. All students: Remove the Limit Access and Restricted Access rules from the HTTP
Policy pane.

URL Filtering
Originally, Uniform Resource Locators (URLs) were designed to help you use your Web
browser to navigate to the Web page of your choice. URLs now enable remote computers
to exchange executable content and commands, and act as a conduit for client/server
data. Therefore, it is important to control the URLs that enter and leave your network to
reduce the risks posed by spyware, worms and trojans.
You can use the following techniques to filter outbound URLs from your network:
Require users to access the Internet via a proxy server. A proxy server provides a
single point for monitoring and controlling your outbound traffic. You can also use
the proxy to cache frequently used pages and graphics to maximize the efficiency of
your bandwidth. Proxy servers are available from the open-source community
(www.squid-cache.org is one very popular option), as well as a variety of commercial
vendors.
Consider filtering outbound URLs to enforce compliance with your organization's
acceptable Internet usage policies. You can reduce employee access to non-work-related
Web sites by checking outbound URLs against lists of known sites that contain harmful
code or are otherwise "inappropriate."
By filtering outbound URLs, you can also help eliminate the use of Web-based e-mail
services, file sharing sites and other Web resources that allow potentially harmful files
into your network.
OBJECTIVE 1.1.3: Risk factors for data security
OBJECTIVE 1.5.8: Proxy-based firewalls
You can use the following techniques to filter inbound URLs to your network:
Ensure that your Web applications are well-written. Well-written Web applications
will ensure that any input from parameters passed in URLs is properly validated. The
Open Web Application Security Project (www.owasp.org) contains tools and
documents that provide excellent information on URL attacks and the best practices
you can apply to protect against them.
Add an application-level firewall to create another line of defense. Packets that
enter your network should be subjected to rules they must satisfy before they are
allowed admittance. If you are running the Apache HTTP server, you can use an
open-source application-level firewall such as ModSecurity (www.modsecurity.org) to
protect your network.
Whether you filter inbound URLs, outbound URLs or both, there will be instances when
the filter blocks legitimate traffic. You should provide a mechanism by which users can
report filtering problems so you can resolve them quickly and consistently.
When properly used, URL filtering can be a key component in your strategy to protect
corporate networks against the problems posed by malware and inappropriate Web
content.
Remote Access and Virtual Private Networks
(VPNs)
A virtual private network (VPN) is an encrypted tunnel that provides secure access
between two hosts or networks across an unsecured network. Once a remote VPN client
connects to a VPN server, the client often has access to the same network resources as a
client located on the company campus. Following are the three types of VPNs.
Workstation-to-server A tunnel is established between one workstation and a
central VPN server. The server usually provides two services: access to the network in
which the server resides, and an encrypted tunnel for all communications passing
between the two hosts. For example, when a telecommuter first establishes a VPN
into the network before retrieving e-mail, he or she is using a workstation-to-server
VPN. Also called a remote access VPN.
Firewall-to-firewall A tunnel is created between two distinct networks and used to
securely connect remote LANs over unsecured networks. Often called a site-to-site
VPN.
Workstation-to-workstation Two workstations encrypt communications between each
other, on the same LAN or across a local enterprise network. Also called a host-to-host
VPN.
As suggested in Figure 9-14, two hosts can communicate securely across the Internet
using public-key encryption. Most firewalls provide VPN services. In order for the
encryption to occur, the firewalls must first exchange public keys (or certificates). The
public keys authenticate the two endpoints and protect the negotiation of the symmetric
session keys that actually encrypt the bulk traffic.
OBJECTIVE 1.6.2: Customizing networks to manage hackers

Figure 9-14: Understanding VPN connection
VPNs extend a company's network over a public medium such as the Internet. The VPN
encrypts each original packet and encapsulates it within a new IP packet. Because the
outer packet carries a valid IP header addressed to the remote VPN endpoint, it is
routed normally over the Internet. When firewalls use such tunnels to communicate with
each other, they create a virtual network perimeter: the network of firewalls extends the
corporate network's perimeter across the public medium. One advantage of this kind of
network is that it supports remote users with full security. The enhanced security gives
remote users the freedom to use corporate applications and resources anywhere in the
world.
Tunneling protocols
All VPNs use tunneling protocols, which encapsulate, or tunnel, packets or payloads as
they pass between hosts. Encryption occurs at the source end of the tunnel, and
decryption at the destination end. Sending packets in this manner has another advantage
besides encryption. Because the entire original packet is encrypted and then placed within
an ordinary IP packet, other networking protocols can be transmitted this way. For
example, the IPX/SPX protocol can be tunneled through an IP-enabled VPN.
Tunneling protocols provide the following benefits:
Once a client creates a tunnel (i.e., a VPN), traffic is usually encrypted.
The tunnel allows a remote system to gain access to protected resources.
virtual network perimeter
An outer corporate network created using VPN technologies, thus extending the
corporate network to suppliers and customers.
tunneling protocol
A protocol that encapsulates data packets into another packet. Tunneling protocols
include Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec) and
Layer 2 Tunneling Protocol (L2TP).
[Figure 9-14: Firewall A, in front of the 192.168.37.0 network (hosts .2 to .5), and
Firewall B, in front of the 10.36.37.0 network (hosts .2 to .4), joined across the Internet
by an encrypted tunnel; each firewall holds the other firewall's public key.]
All the security fundamentals (e.g., authentication, message integrity and encryption) are
very important to implementing a VPN. Without such authentication procedures, a
hacker could impersonate anyone and gain access to the network. Message integrity is
required because the packets can be altered as they travel through the public network.
Without encryption, the information may become truly public.
Internet Protocol Security (IPsec)
Internet Protocol Security (IPsec) is an IETF standard that provides packet-level
encryption, authentication and integrity between firewalls (gateways), between hosts, or
between a host and a gateway. IPsec can use the Encapsulating Security Payload (ESP)
to encrypt, and optionally authenticate, the data payload, or the Authentication Header
(AH) to authenticate the whole packet without encrypting it; the two can also be
combined. Most implementations support both, and most deployments use ESP with
authentication enabled. It is important to remember that IPsec is implemented as an
add-on to IPv4, whereas IPv6 includes these security features as part of the protocol
suite.
Security associations (SA) and Internet Key Exchange (IKE)
A security association (SA) is the set of parameters two hosts agree on to protect traffic in
one direction: the protocol (AH or ESP), the algorithms and keys, the lifetime, and a
Security Parameter Index (SPI) that identifies the SA in each packet. Protecting traffic in
both directions therefore requires a pair of SAs. The keys are normally established with a
Diffie-Hellman exchange, which the peers authenticate with a pre-shared key or with
public-key certificates. If you want to use IPsec to communicate securely with another
host, you must first establish the SAs.
The Internet Key Exchange (IKE) process allows two hosts to establish a trust
relationship. IKE allows two hosts to negotiate the exact nature of the connection.
Elements of the negotiation include:
The encryption type.
How long the SA will be valid (for example, eight hours).
The authentication method.
In IKE version 1 (RFC 2409), the negotiation occurs in two phases. In the first phase
(main mode, or the shorter aggressive mode), the peers negotiate the encryption and hash
algorithms, the authentication method and the Diffie-Hellman group, perform a Diffie-
Hellman exchange, and authenticate each other; the result is an ISAKMP SA that
protects all further negotiation. The Internet Security Association and Key Management
Protocol (ISAKMP), described in RFC 2408, defines the message formats and exchange
types used here, maintains the security associations (SAs), and is responsible for deleting
the keys associated with an SA when it expires. The Oakley key-determination protocol,
discussed in RFC 2412, supplies the Diffie-Hellman based key agreement; IKE combines
the two and runs over UDP port 500. In the second phase, called Phase 2 or quick mode,
the peers negotiate the IPsec SAs themselves (one for each direction) and derive the keys
that encrypt and authenticate the actual traffic passing between the hosts. Most IPsec-
compliant software and devices allow you to monitor active SAs. For example, Microsoft
Windows Server 2003 provides the IP Security Monitor snap-in.
To implement IPsec, you need only one of the following to authenticate the peers: a
host that automatically issues tokens and certificates (e.g., a Windows Server 2003
domain controller using Kerberos), a digital certificate recognized by all hosts, or a
"shared secret" (pre-shared key), which is a simple string of text configured on all
hosts. The shared secret authenticates the IKE exchange; it is not itself the key that
encrypts or decrypts packets, which IKE derives afresh for each SA.
IPsec vulnerabilities
IPsec's main vulnerabilities include the following:
Compromised keys It is possible for a malicious user to obtain the key used to
encrypt the transmissions, or the pre-shared key that authenticates the peers. As a
result, the hacker can decrypt the traffic protected by that key or, with the pre-shared
key, impersonate a peer and negotiate new SAs. Such a compromise is rather rare,
however.
Compromised certificates If a malicious user obtains the private key of the CA (or
of a peer), the attacker can issue or present certificates that the other hosts trust,
impersonate a legitimate peer, and so establish SAs or mount man-in-the-middle
attacks. The compromised certificates must be revoked and reissued.
Internet Protocol Security (IPsec)
A set of protocols developed by the IETF to support the secure exchange of packets at
the IP layer.
Encapsulating Security Payload (ESP)
The IPsec protocol (IP protocol number 50) used to encrypt, and optionally
authenticate, packets.
OBJECTIVE 1.4.2: IPSec concepts
Perfect Forward Secrecy (PFS)
In IKE as implemented on Windows Server 2003 (and in most other IPsec stacks), the
Diffie-Hellman exchange in the first phase produces a master secret, and each
subsequent phase 2 negotiation normally derives its traffic keys from that master secret
plus fresh nonces. Perfect Forward Secrecy (PFS) changes phase 2 so that every new
IPsec SA performs its own Diffie-Hellman exchange: the keys protecting one SA are then
independent of the phase 1 secret and of every other SA's keys. PFS is designed to limit
the damage if a key is compromised, because an attacker who later obtains the phase 1
secret, or one SA's keys, still cannot decrypt traffic captured under other SAs. However,
enabling this feature in some IPsec implementations may reduce performance, because
each rekey costs an additional Diffie-Hellman computation.
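As an added example that is not part of the original text, the following Python models the IKEv1 derivations described above (RFC 2409 pre-shared-key main mode followed by quick mode) and shows concretely what PFS buys. It is not an IKE implementation: the PRF (HMAC-SHA256), the transcribed group 2 prime, the constructed pre-shared key and the attacker model (the phase 1 secret SKEYID_d leaks after the fact, and the quick-mode messages were recorded) are all assumptions made for the demonstration.

```python
"""Added example (not part of the original text): the IKEv1 key-derivation chain
from RFC 2409 with pre-shared-key authentication, run with and without Perfect
Forward Secrecy (PFS).

Assumptions: the PRF is HMAC-SHA256; the Diffie-Hellman group is the 1024-bit
MODP group 2 of RFC 2409 section 6.2, transcribed here (verify against the RFC
before reuse); cookies, nonces and SPIs are generated locally.  This models the
derivations only and is not an interoperable IKE implementation.
"""
import hashlib
import hmac
import secrets

# RFC 2409 group 2 prime (transcribed) and generator.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
PROTO_IPSEC_ESP = b"\x03"   # protocol identifier mixed into KEYMAT (RFC 2407)


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def i2b(n):
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def phase1_skeyid_d(psk, my_x, peer_y, ni, nr, cky_i, cky_r):
    """Main mode, pre-shared key (RFC 2409 s5.4):
         SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
         SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    SKEYID_d is the phase-1 secret from which every phase-2 key is derived."""
    gxy = pow(peer_y, my_x, P)
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, i2b(gxy) + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d, spi, ni, nr, qm_gxy=None):
    """Quick mode (RFC 2409 s5.5):
         no PFS : KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
         PFS    : KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    prefix = i2b(qm_gxy) if qm_gxy is not None else b""
    return prf(skeyid_d, prefix + PROTO_IPSEC_ESP + spi + ni + nr)


def run_exchange(pfs, psk=b"example-shared-secret"):   # constructed PSK
    """Simulate initiator (i) and responder (r).  Returns the ESP SA's KEYMAT,
    the quick-mode values an eavesdropper can record, and SKEYID_d."""
    xi, yi = dh_keypair()
    xr, yr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    sk_i = phase1_skeyid_d(psk, xi, yr, ni, nr, cky_i, cky_r)
    sk_r = phase1_skeyid_d(psk, xr, yi, ni, nr, cky_i, cky_r)
    assert sk_i == sk_r                       # both ends hold the same phase-1 secret
    spi = secrets.token_bytes(4)
    qni, qnr = secrets.token_bytes(16), secrets.token_bytes(16)
    on_the_wire = {"spi": spi, "ni": qni, "nr": qnr}
    qm_gxy = None
    if pfs:                                   # fresh DH exchange inside quick mode
        qxi, qyi = dh_keypair()
        qxr, qyr = dh_keypair()
        on_the_wire.update(qyi=qyi, qyr=qyr)  # only the public values are visible
        qm_gxy = pow(qyr, qxi, P)
        assert qm_gxy == pow(qyi, qxr, P)
    return phase2_keymat(sk_i, spi, qni, qnr, qm_gxy), on_the_wire, sk_i


def attacker_recovers_keymat(pfs):
    """Attacker model (assumption): SKEYID_d leaks later, e.g. from a memory dump
    of a gateway, and the quick-mode messages were recorded.  Without PFS that
    is everything KEYMAT depends on.  With PFS the recorded g^x and g^y do not
    yield g^xy, so the attacker's best attempt is the no-PFS derivation, which
    does not match the real traffic key."""
    real, wire, skeyid_d = run_exchange(pfs)
    guess = phase2_keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"])
    return guess == real


if __name__ == "__main__":
    print("attacker recovers traffic key without PFS:", attacker_recovers_keymat(False))
    print("attacker recovers traffic key with PFS:   ", attacker_recovers_keymat(True))
```

Run it directly to see both outcomes. The only difference between the two runs is the extra Diffie-Hellman value mixed into KEYMAT, which is exactly the additional computation per rekey that the text warns about.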
Point-to-Point Tunneling Protocol (PPTP)
Point-to-Point Tunneling Protocol (PPTP) is used to create VPN connections. Its chief
benefit over plain Point-to-Point Protocol (PPP) is that it can tunnel a PPP session across
multiple networks; PPP by itself runs only over the link between the client and the ISP's
dial-up server.
PPTP works at the data link layer (Layer 2 of the OSI/RM) and carries PPP frames inside
GRE, so it can tunnel the network protocols that PPP supports (e.g., TCP/IP, IPX/SPX
and NetBEUI). Although PPTP does require a client to first create a connection to an ISP,
the tunnel does not have to terminate at the ISP. The VPN connection can be made across
many networks to any remote PPTP server on any remote network. Thus, with PPTP, the
use of encryption is no longer tied to the ISP. PPTP itself does not encrypt: Microsoft's
implementation relies on Microsoft Point-to-Point Encryption (MPPE), keyed from the
MS-CHAP authentication exchange, a Microsoft variant of the Challenge Handshake
Authentication Protocol (CHAP) that proves knowledge of the password by hashing a
challenge rather than sending the password in the clear. MS-CHAP and MS-CHAPv2 have
well-documented cryptographic weaknesses, so PPTP should be treated as a legacy
protocol and not chosen for new deployments. You can read more about PPTP by
consulting RFC 2637.
Layer 2 Tunneling Protocol (L2TP)
Layer 2 Tunneling Protocol (L2TP) combines elements of PPTP and of the Layer 2
Forwarding (L2F) protocol introduced by Cisco Systems. Like PPTP, standard L2TP uses
PPP to allow the tunneling of various network protocols, and it supports the PPP
authentication methods, including Challenge Handshake Authentication Protocol (CHAP).
L2TP provides no encryption of its own; it is normally run over IPsec (L2TP/IPsec,
RFC 3193), which authenticates the endpoints and encrypts the tunnel. Because it is an
IETF standard drawing on both earlier protocols, L2TP is supported by virtually every
vendor of VPN hardware and software. Unlike PPTP, which runs over GRE, L2TP runs over
UDP (port 1701), and standard L2TP can also be carried natively over non-IP networks,
including ATM, frame relay and X.25. You can learn more about L2TP by reading
RFC 2661.
VPN vulnerabilities
VPNs of any type can present the following vulnerabilities.
Man-in-the-middle attacks Weak VPN connections can be subject to hijacking
attacks. Also, packets can be captured and decrypted if the encryption algorithms are
not strong enough.
Old access accounts and permissions In many cases, VPN servers use their own
accounts databases. If the account database is not properly maintained, old accounts
may be present, which could allow unauthorized access to the network.
Access from unsecured systems VPN connections have become increasingly
popular with telecommuters. However, home systems may not be kept as secure as
those residing at the company campus. Home systems often do not update virus
signatures regularly, and may not even have anti-virus software installed at all. In
such cases, these remote systems may present a new infection source to the network.
After all, these remote systems are allowed through the firewall as are any other local
system; yet if they are not properly secured, they cause or aid in a virus outbreak
that could cripple your company.
Rogue VPN servers Illicit use of VPN connections can be used to avoid compliance
with the company's security policy.
Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is the set of servers, policies and procedures for managing
public keys, certificates and signatures; PKI servers act as repositories for them. In
addition to authenticating the identity of the entity owning a key pair, PKI also provides
the ability to revoke a certificate if it is no longer valid. A certificate becomes invalid if,
for example, the private key is cracked or made public. The primary goal of PKI is to bind
public keys to identities in a way that others can verify, and to allow certificates to be
generated and revoked as quickly as possible. Corporations are especially interested in
the ability to establish quick, secure communication using PKI.
PKI standards
PKI is based on the X.509 standard, which defines the format of certificates and
certificate revocation lists; the IETF PKIX working group profiles it for Internet use and
specifies how certificates are accessed. As of this writing, the relevant RFCs include the
following.
RFC 2560 describes the Online Certificate Status Protocol (OCSP), which enables
Internet-aware applications to query a certificate's revocation status in real time
instead of downloading a CRL
RFC 2585 describes the operational protocols (FTP and HTTP) used to retrieve
certificates and CRLs from repositories
RFC 3647 an informational framework for writing a certificate policy and a
certification practice statement
RFC 4210 defines the Certificate Management Protocol (CMP), used to request,
issue and revoke certificates
RFC 4523 explains how LDAP is used to store and retrieve certificates and CRLs
from PKI servers (i.e., repositories)
RFC 5280 the profile for X.509 certificates and CRLs, including the certification
path validation algorithm
PKI terminology
PKI uses the following elements and terms.
Digital certificate a public key together with the identity of its owner, signed by a
certificate authority so that anyone who trusts the CA can verify the binding. A digital
certificate authenticates a user or host.
Certificate authority (CA) The party responsible for issuing a certificate. A CA
can delegate the actual identity checking to a registration authority (RA). An issuing CA
creates certificates for individuals and hosts (i.e., end entities). You will learn more
about CAs shortly.
Registration Authority (RA) the party responsible for verifying the actual identity
of a person or host interested in participating in a PKI scheme.
CA certificate the certificate of the CA itself, whose public key is used to verify the
signatures on the certificates the CA issues. Like any certificate, it contains several
fields that identify its holder; an example is the Subject field, in which the person,
host or CA is mentioned by name.
Certificate store where clients and CAs store certificates. These stores can be
managed so that only the most current certificates are listed.
End entity the end user or host listed in the Subject field.
OBJECTIVE 1.2.3: Asymmetric (public-key) encryption
Certificate policy statement a public document containing rules and procedures
agreed upon by the CA and the end entity. This document specifies what the certificate
may be used for, the level of assurance behind it, and the technologies that enable
authentication.
Certification practice statement a public document containing the practices
that a CA employs in issuing certificates. This document includes details about the
certificate life cycle (issuance, management, renewal and revocation).
Certification path the chain of certificates from the end entity's certificate up to
a trusted root CA; each certificate in the chain is signed by the issuer named in the
next. Certificates depend highly upon the integrity of every party in that chain. If any
certificate in a certification path is invalid or has been revoked, the certificates below
it cannot be trusted and should be treated as invalid.
Repository a directory or service (typically reached over LDAP or HTTP) from which
certificates and CRLs can be retrieved.
Certificate Revocation List (CRL) as you learned earlier, a signed list, published by
a CA, of certificates that have been revoked before their expiration dates, for
example because the private key or the CA's server was compromised, or because the
owner no longer wants the certificate to be used.
Certificates
Certificates authenticate users and hosts. A certificate is essentially a public key,
together with its owner's identity, that has been signed by a trusted third party, who
thereby vouches that this key belongs to a particular host, company or person. A number
of companies, called certificate authorities (CAs), issue certificates and sign them with the
CA's own private key, so that anyone who trusts the CA can verify the signature. One of
these companies is VeriSign. You can also act as your own CA, given that you have the
software that allows you to generate certificates. Windows Server 2003 has its own native
CA software (Certificate Services), and you can use OpenSSL (www.openssl.org) on Linux
systems.
Following are the four types of certificates.
Certificate authority certificate used to identify a CA as a trusted issuer. A root
CA's certificate is self-signed; a subordinate CA's certificate is signed by its parent CA.
Only a few CAs' root certificates are automatically trusted by Web browsers.
Server certificate used to verify a company's Web server. A company generates a
key pair and a certificate request, and sends the request to one of several CAs. The
CA will verify that the company is legitimate, then send the company a digital
certificate. Specialized server certificates exist. For example, an IPsec client can obtain
a certificate that allows a host to participate in an IPsec-enabled network.
Personal certificate used by individuals, usually to encrypt or sign e-mail or to
authenticate with a Web server. The individual contacts a CA to request a personal
certificate. For the lowest-assurance class, the only verification the CA performs is by
e-mail address: the CA sends the certificate to the e-mail address specified by the
individual. In theory, only that person has access to the e-mail account, and would
therefore be the only one who could retrieve and use the certificate.
Software or publisher certificate used to sign software code. For example, if a
user accesses a Web site that is trying to download a Java applet or an ActiveX
control, a security warning usually appears. The publisher certificate identifies who
signed the code and lets the browser detect any change made since it was signed. It
does not prove that the code is free of malicious programming, so the user must still
decide whether to trust that publisher.
certificate
A public key bound to an identity by a certificate authority's signature. Certificates
provide authentication and assign responsibility. ActiveX programs, for example, can be
signed to show who published them and when.
Choosing certificate types
Server and personal certificates are the most common types. When you use a server
certificate, you must configure the particular service (i.e., daemon) to use it. When you
use a client certificate, you must configure the particular client (e.g., an e-mail client or
Web browser) to use the certificate.

Case Study
Gimme a V! Gimme a P! Gimme an N!
Giancarlo is the security administrator for a furniture manufacturer in Turin, Italy. The
company also has offices and warehousing facilities in Bologna and Milan.
The Turin office has an E1 line for Internet access, and uses frame relay to provide
Internet access to the other two offices. However, because the Turin office has
experienced rapid growth over the past two years, its E1 line is being forced to handle
more and more traffic for all the offices. In addition, the company has been suffering from
DDoS attacks across the frame relay.
Giancarlo proposed the following solution to improve and secure Internet
communications among the three offices:
Install a firewall at each of the three offices.
Lease additional E1 lines for the Bologna and Milan offices.
Remove the frame relay and implement firewall-to-firewall VPN connections among
the three offices.
Use IPsec and L2TP to encrypt transmissions across the network.
As a result of these enhancements, Giancarlo pointed out, the offices would be able to
communicate more securely because all network transmissions would be strongly
encrypted. Giancarlo also suggested that the amount of spam on the network would be
greatly reduced because he would be able to filter e-mail traffic at the firewall.
* * *
As a class, discuss this scenario and answer the following questions.
Do you think that worker productivity would increase as a result of the security and
performance improvements advocated by Giancarlo? Why or why not?
Do you think the increased cost of new equipment and E1 lines would be justified?
Why or why not?
What other security improvements, if any, would you suggest?

Lesson Summary
Application project
In this lesson, you learned the basics of configuring packet filters and proxy servers. You
also learned how a VPN is built using public-key encryption. Specifically, this lesson
covered ways to encrypt IPv4 traffic using IPsec. Following are some steps you can take
to deploy IPsec in your LAN, and also how to configure the Squid proxy server.
Squid proxy server
The most respected proxy server for Linux is the Squid proxy server. Go to www.squid-
cache.org to learn more about it. When time permits, install Squid proxy server on your
Linux system. As you do, consider the following facts:
You do not necessarily need two NICs to install Squid. Although Squid or any proxy
server can be used on a bastion host, you can install it on a single-homed system in
a production environment.
Configuring Squid requires that you edit the /etc/squid/squid.conf file.
Squid is configured by default to deny access to all users. Access is controlled with
access control lists (ACLs), which are essentially like groups: you name a set of source
addresses, domains or URL patterns, then write http_access lines that allow or deny each
named ACL. For example, suppose you wanted to allow access to all classroom users,
but to deny access to the fictional host 192.168.2.5 (a single address, not a subnet). You
could first define the ACLs, then apply policies to them. Although more than one way
exists to perform this task, you could enter the following into the ACCESS CONTROLS
section, just below the first Defaults section:
acl all src 0.0.0.0/0.0.0.0
acl classroom srcdomain .classroom.com
acl access1 src 192.168.2.0/255.255.255.0
acl access2 src 192.168.3.0/255.255.255.0
acl access3 src 192.168.4.0/255.255.255.0
acl notciw src 192.168.2.5/255.255.255.255
acl byu url_regex byu

The first line defines an ACL named all that matches every source address (Squid 3
predefines it; older versions define it in the default squid.conf). The second defines an
ACL named classroom, of type srcdomain, that matches clients whose reverse DNS name
ends in classroom.com (the leading dot includes subdomains). The next three rules define
the three classroom networks (192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24)
individually, in case you want to apply separate rules to each. The notciw rule defines
the single host 192.168.2.5; note the /255.255.255.255 mask, because a /255.255.255.0
mask here would match the whole 192.168.2.0/24 network. As a bonus, the last rule
matches any URL request containing the letters "byu".
To apply rules to these defined classes, you would scroll down to the http_access section
and enter the following:
http_access deny notciw
http_access deny byu
http_access allow access1
http_access allow access2
http_access allow access3
http_access allow classroom
http_access deny all

Squid evaluates http_access lines from top to bottom, and the first line that matches
decides the request, so the deny lines for notciw and byu must come before the allow
lines; placed after them, 192.168.2.5 would be allowed by access1 before its deny was
ever reached. If no line matches, Squid applies the opposite of the last line's action, so a
list ending in allow silently denies unmatched clients and a list ending in deny silently
allows them. Ending the list with an explicit http_access deny all removes that
ambiguity and makes the fail-closed behaviour visible. You can then start Squid. If you are
using the RPM version available from www.rpmfind.net, use the startup script:
can then start Squid. If you are using the RPM version available from www.rpmfind.net,
use the startup script:

/etc/rc.d/init.d/squid start
Run squid -k parse first to check the configuration for syntax errors. As long as clients
have been properly configured for this proxy server, access will be allowed to clients on
the 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24 networks and to clients whose
reverse DNS name ends in classroom.com, except for:
The host 192.168.2.5.
Any request for a URL containing the text string byu (url_regex is a case-sensitive
regular-expression search, so the match need not be a whole word).
Everyone else is denied by the final rule.
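Lab 9-3 layered a per-user exception on top of a deny-everything URL rule, and the Squid policy above depends on deny lines preceding allow lines; any such rule list is only as good as its evaluation order. As an added example that is not part of the original text or of Squid's own code, here is a small Python evaluator with Squid's http_access semantics (first match wins; no match gives the opposite of the last line), run against the corrected classroom policy and against a mis-ordered copy of it. The ACL types it understands (src, srcdomain, url_regex) and the sample configurations are assumptions made for illustration.

```python
"""Added example (not part of the original text): a first-match evaluator for
Squid-style http_access lists.

Squid checks http_access lines from top to bottom; the first line whose ACLs all
match decides the request, and when no line matches the default is the opposite
of the last line's action.  The ACL types implemented here (src, srcdomain,
url_regex) and the sample configurations are assumptions for illustration, not
Squid's own code.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str               # client IP address
    url: str
    src_domain: str = ""   # reverse-resolved client name, if any


def parse_config(text):
    """Collect 'acl' definitions and 'http_access' lines from squid.conf text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access" and len(parts) >= 3:
            if parts[1] not in ("allow", "deny"):
                raise ValueError(f"bad http_access line: {line!r}")
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _definition_matches(kind, args, req):
    if kind == "src":
        if args == ["all"]:                 # Squid's built-in catch-all
            return True
        ip = ipaddress.ip_address(req.src)
        # ip_network accepts CIDR and dotted-mask forms (a.b.c.d/255.255.255.0)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "srcdomain":
        # ".example.com" matches the domain and subdomains; a bare name matches exactly
        return any(req.src_domain.endswith(d) if d.startswith(".") else req.src_domain == d
                   for d in args)
    if kind == "url_regex":
        return any(re.search(pattern, req.url) for pattern in args)
    raise ValueError(f"unsupported acl type {kind!r}")


def acl_matches(acls, name, req):
    """Evaluate one ACL reference from an http_access line, honouring '!' negation."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name not in acls:
        if name == "all":                   # predefined in Squid 3.x
            return not negate
        raise KeyError(f"undefined acl {name!r}")
    hit = any(_definition_matches(k, a, req) for k, a in acls[name])
    return hit != negate


def evaluate(acls, rules, req):
    """Return 'allow' or 'deny' using Squid's first-match semantics."""
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"   # opposite of last line


def decide(conf_text, src, url):
    acls, rules = parse_config(conf_text)
    return evaluate(acls, rules, Request(src=src, url=url))


# Constructed sample: allow the three classroom networks, but block one
# misbehaving host and any URL containing "byu".  Denies come first because
# the first matching line wins.
CLASSROOM_CONF = """
acl all src all
acl access1 src 192.168.2.0/255.255.255.0
acl access2 src 192.168.3.0/255.255.255.0
acl access3 src 192.168.4.0/255.255.255.0
acl notciw  src 192.168.2.5/255.255.255.255
acl byu     url_regex byu
http_access deny  notciw
http_access deny  byu
http_access allow access1
http_access allow access2
http_access allow access3
http_access deny  all
"""

# Same ACLs, wrong order: 192.168.2.5 is allowed by access1 before its deny is reached.
WRONG_ORDER_CONF = CLASSROOM_CONF.replace(
    "http_access deny  notciw\n", "").replace(
    "http_access allow access3\n", "http_access allow access3\nhttp_access deny  notciw\n")

# No catch-all and a final 'deny': every unmatched client is silently allowed.
NO_CATCHALL_CONF = "acl lan src 192.168.2.0/24\nhttp_access deny lan\n"

if __name__ == "__main__":
    for src, url in [("192.168.3.10", "http://example.com/"),
                     ("192.168.2.5", "http://example.com/"),
                     ("192.168.2.10", "http://www.byu.edu/"),
                     ("10.0.0.7", "http://example.com/")]:
        print(f"{src:14} {url:24} -> {decide(CLASSROOM_CONF, src, url)}")
```

The evaluator exists to make the two traps visible: a deny placed after the allow that covers the same host never fires, and a list whose last line is deny lets unmatched clients through. Both are ordering mistakes, not syntax errors, so squid -k parse will not catch them.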
Configuring Microsoft Windows Server 2003 to use IPsec
Windows Server 2003 supports IPsec natively. You can configure IPsec by using the Local
Security Policy MMC snap-in (Start | Administrative Tools | Local Security Policy). Three
default IP security policies are installed by default, though none is marked as active.
Before you activate a security policy, make sure it is suitable for your situation. All the
security policies, for example, require that peers authenticate in one of three ways:
1. Systems can authenticate by consulting a domain controller. This option is the
default. Authentication is accomplished via Kerberos, using Microsoft's implementation
of the protocol.
2. All hosts can obtain and use certificates to authenticate. For example, a central
system can act as a CA and the client hosts can obtain an IPsec (machine) certificate
from it. This option is often preferable when you want to establish IPsec with hosts that
are not domain members, or do not want to depend on the Windows Server 2003
Kerberos implementation.
3. Use a "shared secret" (pre-shared key), which is a simple text string configured on all
systems. The string authenticates the IKE negotiation; the keys that actually encrypt and
decrypt traffic are derived by IKE. This option is the easiest, but the least secure,
because the same secret is configured on every host.
After you configure your policy to use any of the three methods above, you can then apply
it to your system. If you apply strict settings, your hosts will be able to communicate only
with other IPsec-enabled hosts.
FreeSWAN
The standard IPsec software for UNIX and Linux systems is FreeS/WAN
(www.freeswan.org). Unlike the Microsoft implementation of IPsec, this project has taken
pains to follow the IPsec RFCs. The Linux and Windows Server 2003 IPsec software can
be configured to work together. Go to www.freeswan.org/freeswan_trees for more
information about the latest distribution and interoperability documents.
Skills review
A firewall is a critically important aspect of your overall security policy, mainly because it
is where you can enforce authentication on all users and monitor all inbound and
outbound traffic. This lesson discussed the three types of firewalls, as well as the
protocols, gateways and devices used to increase security at the network level. You have
learned what a firewall is, how it enhances security, and how it enables you to implement
strategies at various choke points. You also learned about the advanced features that
certain firewall products can provide.
Now that you have completed this lesson, you should be able to:
- 1.1.3: Identify potential risk factors for data security, including improper
authentication.
- 1.2.3: Define asymmetric (public-key) encryption, including distribution schemes,
Public Key Infrastructure (PKI).
- 1.4.2: Define IPSec concepts.
- 1.4.6: Identify routing issues and security.
- 1.5.1: Define the purpose and function of various firewall types.
- 1.5.2: Define the role a firewall plays in a company's security policy.
- 1.5.3: Define common firewall terms.
- 1.5.4: Identify packet filters and their features.
- 1.5.5: Identify circuit-level gateways and their features.
- 1.5.6: Identify application-level gateways and their features.
- 1.5.7: Identify features of a packet-filtering firewall, including rules, stateful multi-
layer inspection.
- 1.5.8: Identify fundamental features of a proxy-based firewall (e.g.; service
redirection, service passing, gateway daemons), and implement proxy-level firewall
security.
- 1.5.9: Define the importance of proxy caching related to performance.
- 1.6.1: Implement a packet-filtering firewall.
- 1.6.2: Customize your network to manage hacker activity.
Lesson 9 Review
1. How does operating system hardening work?

2. What is a screening router?

3. What is a demilitarized zone (DMZ)?



4. What two default configurations can a firewall have?


5. What is a packet filter?



6. What is the primary purpose of a digital certificate?





Lesson 10: Levels of Firewall Protection
Objectives
By the end of this lesson, you will be able to:
- 1.4.6: Identify routing issues and security.
- 1.5.1: Define the purpose and function of various firewall types.
- 1.5.3: Define common firewall terms.
- 1.6.1: Implement a packet-filtering firewall.
- 1.6.2: Customize your network to manage hacker activity.

Pre-Assessment Questions
1. Which term describes the process of removing services, daemons and other
functionality from the firewall's operating system?
a. Operating system hardening
b. Stateful multi-layer inspection
c. Bastioning
d. Perimeter creation
2. A firewall is connected to the Internet and uses two NICs. What type of firewall host is
this?
a. A triple-homed bastion host
b. A dual-homed bastion host
c. A screened subnet firewall
d. A bastion host
3. Describe at least one benefit and one drawback of using a single screening router
to protect your network.




Designing a Firewall
Great care should be taken when preparing and building a firewall device. Earlier, the
term bastion host was defined as any device with a direct connection to a public network.
Here, it also refers to a firewall device. A bastion host can be any of the three types of
firewalls:
Packet filter
Circuit-level gateway
Application-level gateway
Be very careful when constructing your bastion host. A bastion host is, by definition, a
publicly accessible device. When Internet users attempt to access resources on your
network, the first machine they will encounter is the bastion host. This high level of
exposure will dictate the hardware and software configurations.
The bastion host is similar to a guard at a military base. The guard must check
everyone's credentials to determine whether they may enter the base and what areas of
the base they can access. Guards are often armed to prevent entry by force. Similarly,
bastion hosts must check all incoming and outgoing traffic, and enforce the rules
specified in the security policy. They must be prepared for attacks from external and
possibly internal sources. Bastion hosts must be armed with logging and alarming
features to prevent attacks. Some can even take action when a threat is detected.
Firewall design principles
When building firewall devices, you should always keep the design simple, and make
plans for what to do if the firewall is penetrated.
Keeping design simple
The most common way that a hacker will penetrate a system is to take advantage of
overlooked components installed on a host. Build your bastion host with the fewest
possible components, both hardware and software. The bastion host should be created to
provide only firewall services. Do not install application services, such as Web servers, on
firewall hosts. The bastion host should have all unnecessary services or daemons
removed. Having only a few running services on the bastion host gives a potential hacker
less opportunity to overcome the firewall.
Design the firewall so that you can funnel incoming and outgoing information into the
smallest number of points. Doing so helps you concentrate your protection
mechanisms. This focus will allow you to get the most security for the least amount of
effort. Another benefit to using choke points is easier site administration, because you
will know exactly where information enters and leaves your system. The most
comprehensive and extensive monitoring tools should be configured on the choke points.
Making contingency plans
If your firewall design is set up properly, the only public access to your network will be
through your firewalls. When designing firewalls, the security administrator should make
plans in case the firewall host crashes or is compromised. If you have only one firewall
device separating the Internet and your internal network, and hackers penetrate your
firewall, they will have full access to your internal network.
OBJECTIVE 1.5.1: Firewall purpose and types
OBJECTIVE 1.5.3: Common firewall terms
To prevent this penetration, design several levels of firewall devices. Do not rely on a
single firewall device to protect your network. Firewall designs will be covered later in this
lesson. If your security is compromised, your security policy should state what to do.
Specific steps to take include:
Creating an identical copy of the software.
Configuring an identical system and keeping it in safe storage.
Ensuring that all software necessary to install the firewall is handy. This step
includes making sure you have rescue disks.
Types of Bastion Hosts
When creating a bastion host, remember its function in your firewall strategy.
Determining the bastion host's role will help you decide what is needed and how to
configure the device. The three common types of bastion hosts are discussed below.
These types are not the only ones that exist, but most firewalls fall into one of these three
categories.
Single-homed bastion host
A single-homed bastion host is a firewall device with only one network interface. Single-
homed bastion hosts are used for application-level gateway firewalls. The external router
is configured to send all incoming data to the bastion host, and all internal clients are
configured to send all outgoing data to the host. The bastion host will then test the data
against the security guidelines and act accordingly.
The main disadvantage of this type of firewall is that the router can be reconfigured to
pass information directly to the internal network, completely bypassing the bastion host.
Also, users can reconfigure their machines to bypass the bastion host and send their
outgoing information directly to the router.
Dual-homed bastion host
Dual-homed bastion hosts function identically to single-homed bastion hosts except that
they have at least two network interfaces. Dual-homed bastion hosts serve as application
gateways, and as packet filters and circuit gateways as well.
The advantage of using dual-homed bastion hosts is that they create a complete break
between the external network and internal network. This break forces all incoming and
outgoing traffic to pass through the bastion host. For a hacker to access internal devices,
he or she must compromise the dual-homed bastion host, hopefully allowing you more
time to react and prevent a security break-in.
Triple-homed bastion host
The triple-homed bastion host often separates the Internet, the internal network and the
demilitarized zone (DMZ). The DMZ creates a fairly secure space, or subnetwork, to locate
servers that are accessed from the Internet, including modem pools, FTP and Web
servers. If a company's publicly accessed servers are placed in the DMZ, the firewall can
be configured to forward all public traffic from the Internet directly to the DMZ.
The advantage of this structure is that Internet traffic avoids the company's internal
network, which keeps the internal computers safe from the public. A triple-homed
firewall is displayed in Figure 10-1.
OBJECTIVE 1.5.1: Firewall purpose and types

Figure 10-1: Triple-homed bastion host
Internal bastion hosts
Internal bastion hosts can be any of the three common bastion host types. They are
standard single-homed or multi-homed bastion hosts, but reside inside your company's
internal network. Thus, they are not bastion hosts in the classic sense, because they are
not directly placed between a trusted network and an untrusted one. They provide an
additional level of security in case the external firewall devices are compromised.
Hardware Issues
The most common mistake when administrators are choosing the hardware to use for the
firewall is to buy the biggest and fastest machine on the market. The idea is that a faster
machine will be able to process the incoming and outgoing traffic quickly, and improve
network performance. However, this assumption is often wrong. The functions provided
by bastion hosts are not complex and do not require powerful machines. Using a less
powerful machine is sufficient for most firewall implementations, and can also save
money.
A bastion host can be installed on a simple hardware configuration. The operating system
on which the bastion host runs will typically dictate the minimum hardware
requirements. When choosing hardware, use only common hardware components that
have been tested, not "cutting edge" technologies. Often, after these new technologies
have been subjected to testing in a production environment, security holes are
discovered.
Using less powerful hardware offers several other advantages. If your firewall is
compromised and a hacker installs tools or services on it to further penetrate your
network, a less powerful computer will slow the process, allowing you more time to
identify the breach. Similarly, if a hacker discovers that the firewall is installed on a
powerful system, it may become a much more attractive target than a standard
computer.
The decision about how fast a processor or how much RAM to purchase will be
influenced by the role of the bastion host. For example, if the bastion host is going to run
an application gateway service, a larger hard disk should be installed for the application
gateway's caching feature. All bastion hosts will benefit from a sizable amount of RAM.
Although a fast processor is not needed to analyze incoming and outgoing traffic, tracking
the number of simultaneous connections can be memory-intensive.
You must also back up your bastion host; it should be configured with its own tape
backup device. If your company has a networked backup strategy, it will probably require
accounts and direct access from the tape backup server to the bastion host. These
accounts can compromise the security of either the bastion host or the backup server.
Performing local backups on the bastion host will eliminate this problem.
OBJECTIVE 1.6.2: Customizing networks to manage hackers
OBJECTIVE 1.4.6: Routing issues and security
Choosing the operating system
Often, packet-filtering firewalls are run on routers, which have their own proprietary
operating systems that you must use. Using routers in this fashion is a good first line of
defense, and most of the configuration process is creating the proper filters and
configuring the routers to implement them. However, if you plan to install a firewall
application on a computer, you need to choose the operating system that the firewall
application will use.
The biggest factor when deciding on an operating system is to choose one with which you
are most familiar. If you are a Solaris administrator, you should not choose Windows
Server 2003 as the bastion host's operating system. Select an operating system that will
help reduce the time required to familiarize yourself with the new firewall product; such a
selection will help diminish possible configuration errors.
Another factor in deciding on an operating system is the services needed for your
company's network. If your company requires an application server that can filter NNTP,
HTTP and SMTP traffic, the operating system must be able to facilitate these services. The
operating system should provide multi-tasking and support multiple simultaneous
connections easily.
If you are building a bastion host and do not have a preferred operating system, UNIX is
a logical choice, because it has been tried and tested for over 30 years and is widely
supported. Determining which version of UNIX to use is also a consideration. Select a
version that has been tested on the Internet and is widely used. Do not choose a version
that is new or has not been thoroughly tested.

You can create a firewall on a simple floppy disk. Such firewall implementations
generally use a version of Linux.

Firewall appliances
Increasingly, firewalls are not installed on existing operating systems. Firewall software
often ships with its own dedicated system. In such cases, the firewall is called a "firewall
appliance." These solutions are popular because it is not necessary to first obtain a
separate operating system then conduct a separate installation.
Services and daemons
You have already been introduced to operating system hardening, which is the removal of
any unnecessary service, daemon or application. System hardening is the most essential
step in creating a secure bastion host. Unfortunately, this step is often the most
overlooked. Removing applications may seem excessive, but remember that the bastion
host will be the first device a hacker tries to penetrate when breaking into a network. By
removing all these components, you make the hacker's job more difficult.
You should secure each bastion host individually and at every level. For example, secure
the firewall application, operating system, and other services, such as Telnet, FTP and so
forth. Each of these systems has specific vulnerabilities that must be addressed
separately.
When you install an operating system, many services or daemons are installed by default.
For example, most versions of UNIX install the Telnet daemon by default. All unnecessary
services should be disabled and removed. Simply disabling the devices does not ensure
that they cannot later be re-enabled.
You should also remove as many programs from the operating system as possible. For
example, on a UNIX system, you should remove many of the programs used for system
administration, such as rm, chmod and so forth. These programs can allow a hacker to
gain root-level access to the host that is configured as your firewall and cause significant
damage. Also, consider removing software development applications such as gcc and g++.
If such applications become necessary, you can re-install them from a separate disk.
Proxy servers
Another important configuration of proxy-oriented firewall devices is to remove IP routing.
If IP routing is enabled on these servers, the bastion host may automatically route
packets without first checking to see if they adhere to the security definitions. If you
remove IP routing, the bastion host must use the firewall component to route or proxy the
incoming and outgoing traffic.
Common Firewall Designs
Now that you have a good knowledge of how to create secure firewalls, you can learn to
implement a firewall strategy. The first step in designing a secure firewall strategy is to
physically secure the firewalls themselves. This point may seem obvious, but if you do
not keep your firewalls and production servers in a secure location, any device can be
compromised. Entire networks have been brought down because a cleaning person
turned off a server in the middle of the night to save power. Most devices allow for
administrative or root-level access by physical means; for example, booting a server from
a special floppy disk or connecting to a router through a standard serial port. Most of
these threats cannot be completely removed from the device, so the answer is to secure
the location in which the devices are kept.
The four common firewall designs each provide a certain level of security. A simple rule of
thumb is this: The more sensitive the data, the more extensive the firewall strategy
should be. Each of the four common firewall implementations is designed to create a
matrix of filters and points that can process and secure information.
The four options are:
A screening router.
A single-homed bastion host.
A dual-homed bastion host.
A screened subnet.
A screening router option is the simplest, and consequently the most common. Most
organizations use at least a screening router solution largely because all the necessary
hardware is already in place. The two options for creating a screened host firewall are a
single-homed or dual-homed bastion host. Both configurations require all traffic to pass
through a bastion host, which acts as both a circuit- and an application-level gateway.
The final commonly used method is the screened subnet firewall, which uses an
additional packet-filtering router to achieve another level of security.
OBJECTIVE 1.5.1: Firewall purpose and types
OBJECTIVE 1.6.2: Customizing networks to manage hackers
Screening routers
A screening router is considered an excellent first line of defense. Because screening
routers are nothing more than routers that implement filters, all the needed hardware is
already in place. You learned earlier that screening routers can be configured to reject all
inbound and outbound traffic based upon IP address and TCP and UDP ports. A
screening router should be configured to route traffic that is acceptable under the
security policy. Screening routers are good at denying entire ranges of IP addresses or
network addresses, as well as filtering unwanted TCP/IP applications.
Figure 10-2 shows a diagram of a packet-filtering router. It is inexpensive, but still
provides a measure of protection.

Figure 10-2: Screening router configuration
Disadvantages of screening routers
Several drawbacks may result from using only a screening router solution. The main one
is that a high degree of TCP/IP knowledge is required to create proper filters. Screening
routers rely solely on the use of these filters, and any configuration errors within a filter
may allow unwanted traffic to pass, or may deny acceptable traffic.
Another disadvantage is that only a single device is used to protect the network. If a
hacker were able to compromise the screening router, he or she could access any
resource on your network. In addition, the screening router does not hide your internal
network configuration. Anyone accessing your screening router can see your network
layout and architecture with relative ease.
Screening routers also do not typically have good monitoring or logging features. If a
screening router receives traffic that violates its filters, it will not provide good
information about the violation. Also, screening routers usually do not offer alarming
capabilities. If a security violation occurs, screening routers cannot inform the security
administrator of the potential threat.
Screened host firewall (single-homed bastion)
The second prevalent type of firewall is a screened host that uses a single-homed bastion
host in addition to a screening router. Single-homed bastion hosts can be configured as
either circuit-level or application-level gateways. When using either of these two types,
each of which is a proxy server, the bastion host can hide the configuration of the
internal network. The single-homed bastion host provides this functionality by using
network address translation (NAT). Using NAT allows the network administrators to use
any internal IP address scheme.
The screened host firewall is designed so that all incoming and outgoing information is
passed through the bastion host. The screening router is configured to route all incoming
traffic directly to the bastion host. This routing allows the bastion host to analyze all
traffic before it proxies the data to the internal network. The screening router is also
configured to route outgoing traffic only if it originates from the bastion host. Configuring
the router in this manner does not allow the internal nodes to reconfigure their machines
to bypass the bastion host. By accepting outgoing traffic only from the bastion host,
internal hosts must conform to the restrictions set at the proxy server. The bastion host
is configured to restrict unacceptable traffic and proxy acceptable traffic.
A single-homed bastion host is shown in Figure 10-3.

Figure 10-3: Single-homed bastion configuration
This implementation is superior to the packet-filtering firewall because it adds a bastion
host. The bastion itself constitutes a second security device that is significantly more
difficult for a hacker to subvert than a router. Now, the hacker must subvert not only the
router, but also a separate computer that is not designed to accept logon requests. With a
screened host firewall, the hacker's task becomes doubly difficult.
Disadvantages of single-homed bastion host
The disadvantages of this method, compared to packet filtering, are increased cost and
reduced performance. Because the bastion host processes information, the network often
needs more time to respond to user requests. Certain types of bastion hosts can also
make user access to the Internet more difficult. If the bastion host functions only as a
circuit-level gateway, the internal hosts will be unaffected. However, if the bastion host
serves as an application-level gateway, the internal client must be configured to use the
application gateway's services. Also, not all TCP/IP applications will work through an
application-level gateway.
Screened host firewall (dual-homed bastion)
This variation of the screened host firewall adds significant security to the previous
method by using a dual-homed bastion host. As shown in Figure 10-4, a dual-homed
bastion is a computer that has two network interfaces.

Figure 10-4: Dual-homed bastion configuration
This firewall implementation is secure because it creates a complete physical break
between your network and any external one, such as the Internet. As with the single-
homed bastion, all external traffic is forwarded directly to the bastion host for processing.
In this implementation, however, a hacker must subvert the bastion host and the router
to bypass the protection mechanisms.
A single-homed implementation still might allow a hacker to modify the router to not
forward packets to the bastion host. This action would bypass the bastion and allow the
hacker directly into the network. Such a bypass usually does not happen, however,
because a network using a single-homed bastion is usually configured to send packets
only to the bastion host, and not directly to the Internet. For a hacker to bypass a
network properly configured for a single-homed bastion firewall, he or she must
reconfigure the entire network to bypass the firewall.
A dual-homed bastion removes even this possibility. Furthermore, even if a hacker could
defeat either the screening router or the dual-homed bastion host, he or she would still
have to penetrate the other firewall implementation type, greatly slowing progress. Dual-
homed bastion hosts also allow network administrators to implement network address
translation.
Screened subnet firewall (demilitarized zone)
The most common method for implementing a firewall is the screened subnet. This is also
known as a demilitarized zone (DMZ) because it creates a fairly secure space, or
subnetwork, between the Internet and your network. It is the most secure of the four
general implementations, mainly because it uses a bastion host to support both circuit-
level and application-level gateways while defining a demilitarized zone. In this
configuration, all publicly accessible devices, including modem pools and other such
resources, are placed inside this zone. The DMZ then functions as a small isolated
network positioned between the Internet and the internal network. See Figure 10-5.

Figure 10-5: Screened subnet firewall configuration
As Figure 10-5 shows, this configuration uses external and internal screening routers.
Each is configured so that its traffic flows only to or from the bastion host. This
arrangement prevents any traffic from directly traversing the subnetwork, or DMZ. The
external screening router uses standard filtering to restrict external access to the bastion
host, and rejects any traffic that does not come from the bastion host. This router also
uses filters to prevent attacks such as IP spoofing and source routing. The internal
screening router serves as a third line of defense, also using rules to prevent spoofing and
source routing. Like its external counterpart, this router rejects incoming packets that do
not originate from the bastion host, and sends only outgoing packets to the bastion host.
Chief among the benefits of this method is the fact that a hacker wanting to access your
network must subvert three separate devices without being detected. A second benefit is
that the internal network is effectively invisible to the Internet, because all packets going
out and coming in go directly to the DMZ, not to your network. This arrangement makes
it impossible for a hacker to gain information about your internal systems. Only the DMZ
is advertised in the routing tables and other Internet information. Third, because this
routing information is contained within the network, internal users cannot access the
Internet without going through the bastion host.
Any packets sent directly from the internal network cannot be replied to from the Internet
because no routing tables (to get the packet back to the internal network) will exist on the
Internet. This configuration prevents internal users from bypassing your security
measures.
You need not employ a dual-homed bastion host in this scenario because the routers
ensure the traffic can flow only through the bastion host.
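As an added illustration of the two screening routers in Figure 10-5 (this is example code, not part of the guide or any product), the Python below models each router's filter as the text describes it: traffic is forwarded only to or from the bastion host, and spoofed or source-routed packets are dropped. The internal, DMZ and bastion addresses are constructed for the example.

```python
"""Added example (not from the guide): a model of the filters on the two
screening routers of a screened subnet (Figure 10-5).  Each router forwards
traffic only to or from the bastion host and drops spoofed and source-routed
packets.  All addresses are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")     # constructed internal network
DMZ_NET = ip_network("192.0.2.0/24")        # constructed DMZ (documentation range)
BASTION = ip_address("192.0.2.10")          # constructed bastion host address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    source_routed: bool = False   # IP source-route option present


def external_router(pkt, from_internet):
    """Verdict of the external screening router.

    from_internet is True when the packet arrived on the Internet-facing
    interface, False when it arrived from the DMZ side.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.source_routed:
        return "deny: source-routed packet"
    if from_internet:
        # Anti-spoofing: nothing from the Internet may claim an inside address.
        if src in INTERNAL_NET or src in DMZ_NET:
            return "deny: spoofed source address"
        # External access is restricted to the bastion host.
        if dst != BASTION:
            return "deny: external access is limited to the bastion host"
        return "allow"
    # Outbound to the Internet: only the bastion host may send.
    if src != BASTION:
        return "deny: outbound traffic must originate from the bastion host"
    return "allow"


def internal_router(pkt, from_dmz):
    """Verdict of the internal screening router (the third line of defense).

    from_dmz is True when the packet arrived from the DMZ side, False when it
    arrived from the internal network.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.source_routed:
        return "deny: source-routed packet"
    if from_dmz:
        # Inbound: must come from the bastion host and must not claim an
        # internal source address.
        if src in INTERNAL_NET:
            return "deny: spoofed source address"
        if src != BASTION:
            return "deny: inbound traffic must originate from the bastion host"
        return "allow"
    # Outbound from internal hosts: only towards the bastion host, so no
    # internal node can bypass the proxy.
    if dst != BASTION:
        return "deny: internal hosts may only send to the bastion host"
    return "allow"


if __name__ == "__main__":
    # Constructed sample packets: an Internet host and an internal host.
    print(external_router(Packet("203.0.113.5", "192.0.2.10"), from_internet=True))
    print(external_router(Packet("203.0.113.5", "10.1.2.3"), from_internet=True))
    print(internal_router(Packet("10.1.2.3", "203.0.113.5"), from_dmz=False))
```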
Putting It All Together
Covering all possible firewall strategies and products is nearly impossible in the ever-
changing field of network security. In the following labs, you will finish the firewall
lessons by implementing a simple firewall strategy using Microsoft Windows Server 2003
running WinRoute Firewall (www.winroute.com or www.kerio.com). Suppose your
company has just set up a new network and is concerned about security. You are asked
to determine and implement the best type of firewall design to protect your company's
systems and data. You can use a firewall service to create an internal and external
network, then use packet-filtering rules to allow or deny access to certain services you
deem necessary or risky to network functionality.
OBJECTIVE 1.6.1: Implementing packet filters
Lab 10-1: Creating an internal network with WinRoute Firewall
(instructor-led)
You have already seen how to create packet-filtering rules in WinRoute Firewall. In this
lab, you will connect to the WinRoute Firewall service running on your own host, then
configure the service to create an internal and external network.
Note: This lab assumes that the Instructor's Windows Server 2003 system is acting as a
multi-homed router.
Note: This lab also assumes that students have disabled the proxy settings that were
enabled in the previous lesson and that the browsers are configured for direct access to the
Internet.
Note: You may not be able to conduct Labs 10-1, 10-2 or 10-3 if you are using a
virtualization environment to mimic multiple systems. These labs were created using two
separate systems in a non-virtualized environment.
1. Instructor: This lab assumes a classroom setup that has two networks. The
instructor's computer contains both NICs: Local Area Connection, the Internet-facing
interface, on the 192.168.1.0 network (192.168.1.100 in this setup), and Local Area
Connection 2 on the 10.100.200.0 network, to which the students connect. Verify
that the students can connect to the 10.100.200.0 NIC. Also verify that the instructor
has access to the Internet and can communicate with the rest of the network. The
Interfaces pane of the WinRoute Firewall Administration Console should resemble
Figure 10-6.

Figure 10-6: Network interfaces
2. Instructor: In the Administration Console, display the Traffic Policy pane and verify
that the existing rule for NAT resembles that shown in Figure 10-7.

Figure 10-7: Verifying NAT rule
3. Students: After the instructor system is configured properly in WinRoute Firewall,
configure your own systems with an IP address on the 10.100.200.0 network with a
subnet mask of 255.255.255.0. Set the default gateway to Instructor.
4. Students: Try accessing the Internet by going to a Web site or accessing Web services
on the network. Verify HTTP access as stated in the NAT rule for local trusted
networks.
5. Students: Try to ping another host on the network. Try to ping the default gateway.
The gateway is the only host that you will be able to reach. Notice that ICMP is not
listed as an allowed service in the configured NAT rule. The rule's service list is an
allow list: traffic for any service not named in it does not pass through the firewall.
6. Instructor: In the Traffic Policy pane, edit the NAT rule by adding the Any ICMP
service. Right-click in the Service column and select Edit Service. Click the Add
button and select Service to display the Service dialog box. Display the Service drop-
down list, select Any ICMP, click OK twice and then Apply. The NAT rule should
resemble Figure 10-8.

Figure 10-8: Editing NAT rule
7. Students: Try to ping another computer on the network. Notice that you are able to
ping any host or domain name because the firewall now permits the transmission of
ICMP packets.
8. Instructor: Try to ping another computer on the network. You will not be able to do
so because the Local Area Connection interface is not part of the Trusted/Local network
and is considered external to it (refer to Figure 10-6). Only hosts residing on the
Trusted/Local network are permitted to use ICMP, as stated in the NAT rule. In order
for you (the instructor) to be able to ping other computers, the interface must be
configured to be a part of the Trusted/Local network.
9. Instructor: Display the Interfaces pane, then double-click Local Area Connection
to display the Interface Properties dialog box. Notice that the Local Area Connection
is the Internet interface.
10. Instructor: Display the Interface Group drop-down list and select Trusted/Local
Interfaces. Click OK and then Apply. Both network interfaces are now part of the
Trusted/Local network, as shown in Figure 10-9.

Figure 10-9: Interfaces on Trusted/Local network
11. Instructor: Try to ping another host on the network. Now, all of the computers will
be able to ping each other.

In the following lab, you will see how to create a firewall rule that denies external Web
access for all hosts in your network. Suppose you are designing the firewall system for
your company, and you want to restrict the Web sites that your users can access.
Denying certain types of HTTP access at the firewall level is an easy way to limit all users'
Web use if you deem it important to the network's security.

Lab 10-2: Denying HTTP access (instructor-led)
In this lab, your instructor will create a rule that denies external Web access for all hosts.
The effect will be that hosts can browse only Web servers on the same network, but
cannot access Web sites outside the private network.
1. Students: Verify that you are able to access internal and external Web services
through your Web browsers.
2. Instructor: You will block all Web traffic from each host in the network by modifying
the NAT rule. In the Traffic Policy pane, double-click in the Service column to open
the Edit Service/Port dialog box. Select HTTP and click the Remove button. Click
OK and then Apply.
3. Instructor: Try to access a Web site from any host on the network. The request will
be denied: no HTTP traffic can now pass through the firewall. Notice that the Local
Area Connection (the instructor's Internet interface) has lost HTTP access as well,
because the NAT rule applies to every interface in the Trusted/Local group. If you
want to deny access only to certain hosts on the Trusted/Local network, you must
create a separate rule for them. You will now deny HTTP access only to hosts
connected through the Local Area Connection 2 interface (the NIC to which the
students are connected).
4. Instructor: Modify the NAT rule by adding the HTTP service back into the rule. Verify
that you are able to access internal and external Web services through your Web
browser.
5. Instructor: You will now create a new rule that blocks HTTP traffic from the hosts on
the network behind the Local Area Connection 2 interface (address 10.100.200.1).
6. In the Traffic Policy pane, click the Add button to create a new rule at the top of the
pane. The position matters: WinRoute evaluates traffic rules from the top down and
applies the first rule that matches, so the deny rule must sit above the NAT rule that
would otherwise permit the traffic. Double-click New Rule and specify a name such as
HTTP. Double-click the Source column to display the Edit Source dialog box. Click the
Add button, select Network Connected to Interface, and select Local Area
Connection 2. Click OK twice. Double-click the Service column and add the HTTP
service. Double-click the Action column, click Deny, then click OK. Click Apply to
save the new rule, as shown in Figure 10-10.

Figure 10-10: New rule to block HTTP traffic from network host
7. Students: Try to access a Web site using a browser. You will not be able to view Web
sites.
8. Instructor: Try to access a Web site using a browser. You will see that you can
access Web sites because you are connecting to the Internet through the Local Area
Connection, which is not being blocked.
9. Students: Try to access a Web site using the HTTPS protocol, such as
https://www.amazon.com. You will be able to connect to Amazon through the secure
protocol because the rule names only the HTTP service (TCP port 80); HTTPS uses
TCP port 443, which the rule does not match. A packet filter blocks exactly the
services it names and nothing more.
10. Instructor: Edit the HTTP rule you created to block HTTPS as well as HTTP. The rule
should resemble Figure 10-11.

Figure 10-11: Modified HTTP rule
11. Students: Verify that you are no longer able to access HTTPS sites.
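The two labs above turn on how a packet filter evaluates its policy: rules are checked from the top of the list down, the first match decides, and a rule that names the HTTP service matches TCP port 80 only. The following is an added example written for this edit, not code from the original lessons or from WinRoute/Kerio: a toy first-match rule evaluator in Python that models the classroom policy after Lab 10-2 (a deny rule above the NAT rule, students behind Local Area Connection 2 on 10.100.200.0/24, the instructor's Internet interface on 192.168.1.0/24). The service-to-port table, the sample packets and the TEST-NET address used for the Web server are constructed for the example.

```python
"""Toy first-match packet filter modelled on the WinRoute traffic-policy labs.

Added example for this edit; not code from the original guide or from WinRoute.
Rules are evaluated from the top down and the first matching rule decides,
which is why the lab creates its deny rule above the NAT rule. Interface
networks follow the classroom setup; service ports and sample packets are
constructed for the example (a TEST-NET address stands in for a Web server).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Named services as the Traffic Policy uses them: protocol and destination port.
# ICMP has no port, so "Any ICMP" matches every ICMP packet.
SERVICES = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "FTP": ("tcp", 21),
    "Any ICMP": ("icmp", None),
}

LAN2 = "10.100.200.0/24"      # students, behind Local Area Connection 2
LOCAL = "192.168.1.0/24"      # instructor's Local Area Connection network


@dataclass
class Packet:
    src: str                  # source IP address
    dst: str                  # destination IP address
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                                        # "permit" or "deny"
    src_nets: List[str] = field(default_factory=list)  # empty = any source
    services: List[str] = field(default_factory=list)  # empty = any service

    def matches(self, pkt: Packet) -> bool:
        if self.src_nets and not any(
            ip_address(pkt.src) in ip_network(n) for n in self.src_nets
        ):
            return False
        if not self.services:
            return True
        for svc in self.services:
            proto, port = SERVICES[svc]
            if pkt.proto == proto and (port is None or pkt.dport == port):
                return True
        return False


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; default is deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit default"


def lab_policy(block_https: bool = False) -> List[Rule]:
    """Policy after Lab 10-2 step 6, or after step 10 when block_https is True."""
    blocked = ["HTTP", "HTTPS"] if block_https else ["HTTP"]
    return [
        Rule("HTTP", "deny", src_nets=[LAN2], services=blocked),
        Rule("NAT", "permit", src_nets=[LAN2, LOCAL],
             services=["HTTP", "HTTPS", "FTP", "Any ICMP"]),
    ]


if __name__ == "__main__":
    web = "203.0.113.10"      # constructed Internet Web server address
    for label, pkt in [
        ("student HTTP", Packet("10.100.200.50", web, "tcp", 80)),
        ("student HTTPS", Packet("10.100.200.50", web, "tcp", 443)),
        ("instructor HTTP", Packet("192.168.1.100", web, "tcp", 80)),
        ("student ping", Packet("10.100.200.50", web, "icmp")),
    ]:
        print(label, "->", evaluate(lab_policy(), pkt))
    print("student HTTPS after step 10 ->",
          evaluate(lab_policy(True), Packet("10.100.200.50", web, "tcp", 443)))
```

Swap the order of the two rules in lab_policy() and the students' HTTP is permitted again, because the NAT rule now matches first; that is the ordering mistake the lab avoids by adding the deny rule at the top.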


In the following lab, you will see how to configure an FTP packet-filtering rule that
denies access for a specific host. Suppose you are designing the firewall system for your company,
and you want to restrict FTP access for just a certain computer or computers. Denying
FTP access at the firewall level is an easy way to protect certain systems whose contents
may be more vulnerable via FTP, or to limit the actions of certain users who may
unknowingly compromise network security.


Lab 10-3: Configuring an FTP packet-filtering rule for a specific host
(instructor-led)
In this lab, the instructor will create a rule that denies FTP access for a specific host.
1. Instructor: Create a rule that denies FTP and FTPS access from a single host on the
internal network, as shown in Figure 10-12.

Figure 10-12: Rule denying FTP and FTPS access to single host
2. Instructor: Work with students to create more rules that control access for
additional hosts.
3. Instructor: Remove all rules you created when finished with this lab.


Case Study
Triple-Owned Firewall Strategy
Soo-Yun is a novice network administrator who was recently hired by a startup company
founded by three partners. She is responsible for setting up a corporate firewall to secure
the company's network resources.
Two of the partners think they are knowledgeable about networks and network security,
but have very different ideas about the best way to secure the network resources. One
partner prefers a very simple and inexpensive solution, such as the use of a screening
router only. The other partner is willing to spare no expense and has asked Soo-Yun to
consider implementing a triple-homed bastion configuration with a DMZ using the
newest, most powerful hardware available.
Soo-Yun proposed a compromise solution based on her own somewhat limited knowledge
of network security, and on the budget suggested by the third partner, who controls the
financial aspect of the company but has no opinion regarding network security. Soo-Yun
proposed that she be able to:
- Purchase high-end equipment with the fastest processing speed and largest amount of RAM allowable.
- Use the Ubuntu Linux operating system.
- Implement a screened host configuration that uses a single-homed bastion in addition to a screening router.
- Place the Web and FTP services on a separate server.
- Configure the single-homed bastion as an application-level gateway for added security.
- Use NAT to hide the configuration of the internal network.
The three partners seemed satisfied with Soo-Yun's proposal and directed her to proceed
with the firewall implementation.
* * *
As a class, discuss this scenario and answer the following questions.
- What are the advantages of Soo-Yun's solution over the use of only the screening router?
- What are the disadvantages relative to more complex firewall implementations, such as a screened subnet?
- What components of Soo-Yun's implementation, if any, would you change? Why?

Lesson Summary
Application project
In this lesson, you have seen your instructor implement packet filtering on a firewall. As
you know, packet filtering considers only packet headers: source and destination IP
addresses, the protocol, and the ports. It does not inspect the data stream for content,
as a proxy server does. For your application project, work with the instructor to use
WinRoute Firewall to establish a proxy server on the multi-homed host. Add a new URL
rule in the HTTP Policy pane of the WinRoute Firewall Administration Console that
requires users to authenticate before they can access hosts on the network.
Linux
When time permits, consider the iptables commands and modules required to implement
packet filtering in Linux.
Skills review
From firewall placement to removing unnecessary services, you must understand the
steps needed to apply an effective firewall strategy. In this lesson, you learned how to
create and configure a secure bastion host, and you were introduced to some of the
various firewall strategies in use. Finally, you implemented packet filtering at your router.
Now that you have completed this lesson, you should be able to:
- 1.4.6: Identify routing issues and security.
- 1.5.1: Define the purpose and function of various firewall types.
- 1.5.3: Define common firewall terms.
- 1.6.1: Implement a packet-filtering firewall.
- 1.6.2: Customize your network to manage hacker activity.


Lesson 10 Review
1. What is the most important aspect of firewall placement?

2. What two basic concepts are critical in firewall design?

3. What steps are important when creating a contingency plan for your firewall system?

4. Discuss some advantages in using less powerful hardware for an effective firewall.

5. Discuss securing services and daemons.

Lesson 11: Detecting and Distracting Hackers
Objectives
By the end of this lesson, you will be able to:
- 1.6.2: Customize your network to manage hacker activity.
- 1.6.3: Implement proactive detection.
- 1.6.4: Distract hackers and contain their activity.
- 1.6.5: Deploy tripwires and other traps on a network host.

Pre-Assessment Questions
1. Which technique is used to determine the telephone line that a hacker has used to
attack your system?
a. A packet line trace
b. A physical line trace
c. A packet checksum trace
d. A packet route trace
2. Which of the following uses a series of tripwires designed to issue alerts to the
systems administrator?
a. A checksum analysis
b. A logging daemon
c. A network jail
d. Port scanners
3. What are some of the tools you can use to respond to an attack?

Proactive Detection
Despite the sophistication of your equipment and techniques, it is inevitable that your
network's security will be scanned and tested, and it is likely that some sort of
compromise will occur. Whether the intrusion comes from a determined hacker, a
careless employee, or someone bent on industrial espionage or a good time, you should
prepare for a security threat. This lesson will show you specific ways to detect, distract
and deter hacker activity.
Hacking activity often increases outside business hours (for example, between 7:00 p.m.
and 6:00 a.m.), when fewer people are watching the network. Proactive detection
techniques are often the only way to repel potential hackers during these times. An
effective detection policy always includes auditing, but you must also make it as easy
as possible for your system to detect problems and present solutions automatically.
Automated security scans
Your systems are especially tempting targets during off hours. Consider using such
programs as the Windows Server 2003 Task Scheduler or the cron daemon in Linux (if
you have not already disabled them) to execute applications, or batch scripts to log
current connections and resources in use (or perform numerous other security tasks).
You should run such a program during off hours, when the traffic load is light, so that
you can detect hackers and avoid inconveniencing users.
If your company's activity level does not drop at night, find another time when
the network is not as busy. As with other methods, be flexible when implementing
your security scans.
Batch scripts are extremely powerful; you can use them to administer and watch a wide
range of things, and to perform tasks such as automatically initiating responses. The
accompanying media contains a sample Windows Server 2003 security batch file named
secrep.bat. It logs a wealth of information about current system activity to a text file for
later use.

You can save time by having an automated log check specific items within a
system, thereby directing your security techniques.

Event logs such as those generated by the secrep.bat file are especially useful if you are
suspicious of certain system activity. They can yield more pertinent information than
poring over many pages of detailed logs.
Alternatively, it may be easier to execute the script on the target machine from an
internal machine running the scheduler service. Either way, it is another technique in
your arsenal to fight system intruders.
Login scripts
A login script can be used for several purposes. Normally, login scripts are used to
customize a user's environment when he or she logs on. Login scripts are those that are
executed upon a successful logon. They can also be used to enhance a network's
security. Most hackers ultimately will try to obtain privileged user access to the system
by compromising Linux's root account and the Windows Server 2003 administrator
account. Security administrators can modify the login scripts executed by these accounts
to execute various auditing features. For example, you could create a login script to be
executed when the root account logs on; such a script will record the host name and IP
address of the system that is attempting to log on. This information can then be
OBJECTIVE
1.6.3: Proactive
detection
OBJECTIVE
1.6.2: Customizing
networks to
manage hackers
Authorized to be used in American Public University System.
To report abuse, go to www.CIW-certified.com/abuse.

Subscription Expiration 09/12/2010
11-4 Network Security and Firewalls
2009 Certification Partners, LLC All Rights Reserved. Version 7.0
compared to previously recorded information to identify any suspicious logon attempts
using the root account.
Using login scripts in this way is not limited to only the privileged accounts. Hackers will
not usually attempt to access a privileged account directly for fear that they may trigger
alarms. Consider using login scripts with the special accounts used by services and
daemons. Normally, these accounts are not used to log on as typical user accounts, but
to authenticate the daemons and services with the operating system. You should be
concerned when one of these special accounts is used like a normal user account for
logging on. The login scripts associated with these accounts can run paging applications
that can alert the security administrators as soon as the account is used in a logon
attempt.
Login scripts can be used in almost unlimited ways. A login script can use anything that
can be issued from a command line or executed from within a script. Using login scripts
is also a very inexpensive solution because they are a feature of nearly every type of
server operating system.
Automated auditing
Log files provide some of the most useful information to help prevent security break-ins.
The most difficult portion of logging is deciding exactly what to log. In general, two things
can be logged: successful actions and unsuccessful actions. You can also monitor
information at a variety of locations, such as the router or a specific application service.
When determining what to log, err on the side of logging too much rather than too
little. Log files need to be scanned regularly, and the amount of information in them is
often immense. You can write scripts that scan the logs and automatically analyze
activity, searching for specific patterns in areas of special concern. Such automation
frees an administrator's time, reduces administrative costs and enhances security.
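Both the login-script idea above (raising an alarm when root or a service account is used to log on interactively) and the automated log analysis this section describes come down to the same thing: parse the log, then look for specific patterns. The block below is an added example for this edit, not the secrep.bat script from the guide's accompanying media nor any other script of the original: it runs a few detections over constructed OpenSSH-style auth-log lines (the host name, addresses and user names are made up). It flags a burst of failed logons from one source, a successful logon from that same source, any interactive root logon, and any logon by an account that exists only to run a daemon.

```python
"""Pattern-based auth-log analysis, as an added example for this edit.

Not a script from the guide. The log lines below are constructed in the
OpenSSH syslog format; the host, users and addresses are invented.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 02:14:07 bastion sshd[4021]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  3 02:14:09 bastion sshd[4021]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar  3 02:14:12 bastion sshd[4022]: Failed password for invalid user admin from 198.51.100.23 port 51026 ssh2
Mar  3 02:14:15 bastion sshd[4023]: Failed password for root from 198.51.100.23 port 51028 ssh2
Mar  3 02:14:18 bastion sshd[4024]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  3 02:15:01 bastion sshd[4030]: Accepted password for root from 198.51.100.23 port 51040 ssh2
Mar  3 08:20:11 bastion sshd[4050]: Accepted publickey for alice from 10.100.200.50 port 40011 ssh2
Mar  3 08:22:40 bastion sshd[4051]: Failed password for alice from 10.100.200.50 port 40012 ssh2
Mar  3 09:31:44 bastion sshd[4077]: Accepted password for www-data from 10.100.200.77 port 40100 ssh2
"""

# One regular expression covers both the "Accepted" and "Failed" sshd lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Accounts that should never log on interactively (assumed list for the example).
SERVICE_ACCOUNTS = {"www-data", "ftp", "mysql", "postfix", "daemon", "nobody"}
FAILURE_THRESHOLD = 4


def parse(log_text):
    """Return a list of dicts, one per line that matches the sshd pattern."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(log_text, threshold=FAILURE_THRESHOLD):
    """Return human-readable alerts for the patterns of concern."""
    events = parse(log_text)
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    alerts = []
    # Brute force: many failed logons from one source address.
    for ip, n in failures.items():
        if n >= threshold:
            alerts.append(f"{n} failed logons from {ip}")
    for e in events:
        if e["result"] != "Accepted":
            continue
        # A success right after a burst of failures from the same source is the worst case.
        if failures[e["ip"]] >= threshold:
            alerts.append(f"successful logon for {e['user']} from {e['ip']} "
                          f"after {failures[e['ip']]} failures")
        if e["user"] == "root":
            alerts.append(f"interactive root logon from {e['ip']} at {e['ts']}")
        if e["user"] in SERVICE_ACCOUNTS:
            alerts.append(f"service account {e['user']} used for interactive logon "
                          f"from {e['ip']}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("ALERT:", alert)
```

Run from cron or the Task Scheduler during off hours, as the text suggests, a script like this reduces a night's worth of log to a handful of lines worth reading in the morning; the thresholds and the service-account list are the parts to tune for a particular network.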
Distracting the Hacker
Besides simply catching the activity, there are many ways to distract hackers. One reason
to do this is to keep them on the network long enough for you to find and trace them. For
instance, you can set a firewall rule that redirects traffic from the hacker's source IP
address to a dummy system. Many larger networks have created an entire system within
their network filled with disinformation meant to preoccupy hackers and keep them
online until they could be caught.
From fictional accounts to dummy files, tripwire scripts and jails, if your company has
the resources and incentive, you should carefully consider these techniques. Using these
techniques is not without risk, and many companies choose to simply end the
connection.
Dummy accounts
By now, you know that system defaults are one of most hackers' first targets. However,
you can use default information directly against hackers as well. For instance, the
Windows Server 2003 administrator account is called "administrator." This account can
be renamed in Windows Server 2003 using the Local Security Policy snap-in. Doing so
makes things more difficult for the potential hacker. You can now go one step further by
creating a new account called administrator and restricting all access to it. You can then
establish heavy auditing and alarms to alert you when an attempt to log on with the
account occurs.
OBJECTIVE 1.6.4: Distracting and containing hackers
OBJECTIVE 1.6.2: Customizing networks to manage hackers
Dummy files
You can create intentionally misleading files to either misinform an information seeker, or
simply distract a thrill seeker. For a corporate spy, you could supply false financial
spreadsheets, as well as other files. You are limited only by your imagination.
After you have created the dummy files, you should take additional measures to provide
better security. For example, you could create a file called salaries, and place the file on a
server that would be a potential target. An additional security measure may be to
configure an alarm whenever that file is accessed.
Dummy password files
One way to use a dummy file is to create a false password file. A false password file can
significantly distract the hacker. In this file, you could supply false names and
passwords, making sure that they are plausible, but not used.
Tripwire scripts and automated checksums
Security tools can alert you that a hacker has broken in, or is trying to do so. An alerting
tool is often known as a "tripwire." A tripwire in network security is based on the tripwire
concept used in military applications. The idea behind a tripwire is that when a potential
hacker attacks a system, he or she will either fall into a trap that you have placed, or
leave behind unequivocal evidence of tampering.
A tripwire can do a variety of things, such as page or send the security administrator an
e-mail message, drop the hacker's network connection, or create a database of changes
that have occurred.
Automated checksums
Hackers often break into a computer to plant a trojan or virus. The hacker hopes that the
file will eventually be executed either automatically or when the system is restarted. A
very common technique is to create a trojan with the same name as a frequently used
operating system file. The hacker then breaks into a server and replaces the original
operating system file with the trojan.
You should compare key operating system programs against known-good values to
ensure that a hacker has not tampered with them. Several programs will automatically
scan key files for size, dates, time stamps and, most importantly, cryptographic
checksums. The results are then compared against known values or previous scans. A
date or size mismatch suggests that a file has been replaced, but an intruder can set a
trojan's time stamp and pad it to the original size; a checksum mismatch cannot be
hidden that way. If a trojan or virus is found, immediately replace it with a known-good
file and find out where the hacker broke into the system to place the trojan.
Tripwire, available at www.tripwire.com, is an application designed to inform you when a
directory or file has been altered or removed. It performs this task by automatically
creating checksums and storing these values in a database. It is available for most
common network operating systems, including Solaris, Windows NT/2000/XP/Server
2003, HP-UX, AIX and Linux. When Tripwire is first run, it creates a database of system
files. You can then configure Tripwire to conduct automatic checks of the file system.
During a check, if Tripwire discovers that a file has been altered, it will alert you. Alerts
can be made via e-mail or in log files.
OBJECTIVE 1.6.5: Deploying tripwires and other traps
Issues with tripwire scripts and checksum applications
Take great care when placing tripwire scripts. They must not be accidentally set off by an
internal user or by another network administrator, or else a false alarm will result,
especially when logon tripwire scripts are used.
Regarding the use of automated checksum applications such as Tripwire, you must
ensure that the database has not been eliminated or altered. If such alteration occurs,
subsequent scans will not detect any problems. Therefore, consider using read-only
drives and media to store sensitive databases and files.
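What Tripwire does, and why its database must be protected, can be shown in a few dozen lines. The following is an added example for this edit, not Tripwire's own code: it builds a baseline of SHA-256 digests for every file under a directory, seals the baseline with an HMAC keyed by a passphrase (standing in for Tripwire's local passphrase; the lab value "password" is used), and on a later check reports added, removed and modified files. If the baseline has been edited, the HMAC no longer verifies and the check refuses to run rather than reporting a clean system. The run_demo() function builds a small constructed directory tree in a temporary location; the file names and contents are made up.

```python
"""Minimal Tripwire-style integrity checker.

Added example for this edit, not Tripwire's code. build_baseline() hashes every
file under a directory; seal() wraps the baseline in an HMAC keyed by a
passphrase (standing in for Tripwire's local passphrase); check() refuses to
compare against a baseline whose HMAC fails. run_demo() exercises it on a
constructed directory tree in a temporary location (made-up file names and
contents; the lab passphrase "password" is used).
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"sha256": file_digest(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def seal(baseline, passphrase):
    """Serialise the baseline with an HMAC-SHA256 over its canonical JSON form."""
    body = json.dumps(baseline, sort_keys=True).encode()
    mac = hmac.new(passphrase.encode(), body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": mac}, sort_keys=True)


def unseal(sealed, passphrase):
    """Return the baseline if its HMAC verifies; raise ValueError otherwise."""
    doc = json.loads(sealed)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(passphrase.encode(), body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline database failed integrity check; results untrustworthy")
    return doc["baseline"]


def check(root, sealed, passphrase):
    """Compare the file system against a sealed baseline."""
    old = unseal(sealed, passphrase)
    new = build_baseline(root)
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p]["sha256"] != new[p]["sha256"]),
    }


def run_demo():
    """Constructed scenario; returns (clean result, post-intrusion result, tamper caught)."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"original ls")
    (root / "passwd").write_bytes(b"root:x:0:0")
    sealed = seal(build_baseline(root), "password")
    clean = check(root, sealed, "password")

    # Intruder: a same-size trojan replaces ls, a tool is dropped, a file is deleted.
    (root / "bin" / "ls").write_bytes(b"trojaned ls")
    (root / "bin" / "nc").write_bytes(b"netcat")
    (root / "passwd").unlink()
    after = check(root, sealed, "password")

    # Intruder edits the database to cover the swap; the HMAC no longer verifies.
    doc = json.loads(sealed)
    doc["baseline"]["bin/ls"]["sha256"] = file_digest(root / "bin" / "ls")
    try:
        check(root, json.dumps(doc), "password")
        tamper_caught = False
    except ValueError:
        tamper_caught = True
    return clean, after, tamper_caught


if __name__ == "__main__":
    clean, after, tamper_caught = run_demo()
    print("clean:", clean)
    print("after intrusion:", after)
    print("tampered database rejected:", tamper_caught)
```

Note that the trojaned ls has the same size as the original, so a size-and-timestamp comparison would pass it; only the digest exposes the swap. The HMAC defeats an intruder who lacks the passphrase, but one who has root and the passphrase can simply re-seal the database, which is why the text also recommends keeping it on read-only media.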
In the following lab, you will see how to set a logon tripwire script in a Windows Server
2003 server. Suppose you are in charge of security for your company's new network, and
you are considering ways to patrol for illicit system activity. You can create a "tripwire"
script to send a network message to a host in the case of an unauthorized logon attempt.
In essence, this script establishes a tripwire that alerts the systems administrator of a
potential hacking.

Lab 11-1: Setting a logon tripwire script in Windows Server 2003
In this lab, you will set a logon tripwire script in a server to send a network message to a
host in the case of an unauthorized logon attempt. This lab assumes that the network
security policy would ask that no one ever use the administrator account interactively.
Instead, systems administrators should use the account named "Training" because the
steps below create a tripwire for the administrator account that alerts a designated host
every time an interactive logon occurs.
Note: This lab assigns the tripwire to the administrator account of the local system. If this
computer were participating in an Active Directory, the process would be handled by
creating an entry for the script through group policies in Active Directory. This tripwire will
only be effective when the user attempts to log on to the local computer, not on any other
computer on the network.
1. In order for this lab to work properly, you must ensure that the Messenger, Remote
Procedure Call (RPC) and Workstation services are running. Select Start |
Administrative Tools | Services to display the Services window.
2. By default, the Messenger service is disabled, while the Remote Procedure Call (RPC)
and Workstation services are enabled and started. To enable and start the Messenger
service, double-click Messenger to display its Properties dialog box. Display the
Startup Type drop-down list and select Automatic. Click the Apply button, then
click the Start button, and then click OK.
3. Open the Computer Management snap-in (Start | Administrative Tools |
Computer Management). Navigate to System Tools | Local Users And Groups |
Users and create a new user named Training. Specify a password of Tr$ining1 and
make sure that you deselect the User Must Change Password At Next Logon check
box. Click Create and then click Close.
4. Now, you need to make the Training user a member of the Administrators group.
Double-click Training to display its Properties dialog box. Click the Member Of tab,
then click the Add button. In the Select Groups dialog box, click the Advanced
button, click the Find Now button, double-click Administrators, and then click OK
twice. This will be your new administrator account.
OBJECTIVE 1.6.5: Deploying tripwires and other traps
5. Log on as Training and create a new text file named script.bat with the following
lines:

@echo off
net send DESTINATION_SYSTEM_NAME "Break-in in progress!"
Note: In the place of DESTINATION_SYSTEM_NAME, enter the name of the system to
which you want this message to be sent. For example, Figure 11-1 shows a file that
will send a message to the computer named Student3 when a logon occurs.

Figure 11-1: Creating logon tripwire script with Notepad
Note: Local logon scripts must be stored in a shared folder or subfolder named
netlogon. If this folder does not exist by default, you must create it.
6. Create a folder called netlogon in the root directory of drive C: and copy the
script.bat file you created into this folder.
7. Now, you will share the folder with default permissions and access control. Right-
click netlogon and select Sharing And Security to display the Sharing tab of the
Properties dialog box. Click Share This Folder, click Apply and then OK.
8. Open the Computer Management snap-in (Start | Administrative Tools | Computer
Management). Navigate to System Tools | Local Users And Groups | Users, and
then double-click the Administrator account to display the Properties dialog box.
9. Click the Profile tab.
10. Type the directory path C:\netlogon in the Profile Path text box, then type
script.bat in the Logon Script text box, as shown in Figure 11-2.

Figure 11-2: Adding logon script to Administrator account
11. Apply all your changes, then log off. Log back on as Administrator. An alert message
will be displayed on the host to which you addressed the message in Step 5, as
shown in Figure 11-3.

Figure 11-3: Alert message

In the following lab, you will use the Tripwire program in Linux. Suppose you are in
charge of security for your company's new network, and you are considering ways to
patrol for illicit system activity. You can use the Tripwire program to detect unauthorized
changes on a computer. Tripwire creates a database describing the files its policy tells it
to watch, recording for each file properties such as its size, last modification time and
cryptographic hashes. You can run the program periodically, then review its report of
which files have changed since the database was created to determine whether any
change requires further investigation.

Lab 11-2: Using Tripwire for Linux
In this lab, you will install and deploy the Tripwire program in Linux. Tripwire records
hashes of the files named in its policy file (by default, most of the system's binaries and
configuration files), allowing you to determine whether any of those files have changed.
1. Open a terminal window and verify that the Tripwire package is installed. This lab
uses a Debian-based system, so the package database is queried with dpkg:

dpkg -l | grep trip
2. If any information about Tripwire is returned, you know it is installed. If you see
nothing, verify that you have issued the above command properly. If you have done
this and still see nothing in your terminal window, Tripwire is not installed. Obtain
Tripwire by loading Synaptic Package Manager (System | Administration |
Synaptic Package Manager). You will be asked to supply your password so that
Synaptic can run with root privileges. Once Synaptic opens, search for the word
"tripwire." Select the tripwire check box and take the necessary steps to install it.
During installation, you will be asked to create a site passphrase and a local
passphrase. For this lab, use password for both; on a production system, choose two
strong, distinct passphrases, because anyone who knows them can re-sign the policy
and database and thereby hide changes from Tripwire. Once Tripwire is installed,
continue to the next step.
3. You are ready to initialize Tripwire, which means you will have it scan your system's
hard drive and create a database. This database will be located in the
/var/lib/tripwire/ directory. To initialize Tripwire, issue the following command:

sudo tripwire --init
You will be asked to specify your local passphrase (it should be password).
4. After some time, the database will be created. When initialization has completed,
alter the contents of the /etc/passwd and /etc/shadow files by adding a new user:

sudo useradd username
Note: Replace "username" in the command with a name of your choice.
OBJECTIVE 1.6.5: Deploying tripwires and other traps

5. After you have added a new user, issue the following command to have Tripwire
compare its database (which has recorded the original state of your hard drive) to the
existing state of the hard drive:

sudo tripwire --check
6. By default, Tripwire stores its report files in the /var/lib/tripwire/report/ directory.
These report files are named according to the following format, with the date written
as YYYYMMDD and the time as HHMMSS:

hostname-YYYYMMDD-HHMMSS.twr
Use the twprint command to read the report that has been generated. Substitute your
system's host name; once several reports exist, give the full file name instead, because
the wildcard below expands correctly only while a single report is present:

sudo twprint --print-report -r /var/lib/tripwire/report/hostname-*.twr | less
7. Scroll down to view the report. You will see that files such as /etc/group,
/etc/passwd and /etc/shadow have changed. Notice that the size, modify time,
CRC32 and MD5 values have all changed.
8. When you are finished reading the report, type q to return to a prompt. Tripwire can
be configured to send e-mail reports. You can also run it from cron to automate
reporting. Consult the man page for the tripwire command for more details.
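To show what Tripwire does in the lab above, here is an added example written for this edit, not Tripwire's own code: a minimal integrity checker in POSIX shell that records a baseline of SHA-256 digest, size and modification time for every regular file under a directory and then reports files that were added, removed or modified, returning a non-zero status when anything changed, just as tripwire --check does. It assumes GNU coreutils (sha256sum, stat -c, join, sort) and file names without tabs or newlines; the function names (baseline_init, baseline_check, _snapshot) and the output wording are this example's own.

```shell
# Minimal Tripwire-style integrity checker (added example; not Tripwire's own
# code). Records a baseline of SHA-256 digest, size and mtime for every
# regular file under a directory, then reports files that were added, removed
# or modified since. Assumes GNU coreutils (sha256sum, stat -c, join, sort)
# and file names without tabs or newlines.

# _snapshot DIR -> one line per file: "<relative path>TAB<sha256> <size> <mtime>",
# sorted bytewise so that join can merge two snapshots
_snapshot() {
  local dir="${1%/}" f
  find "$dir" -type f | while IFS= read -r f; do
    printf '%s\t%s %s\n' "${f#"$dir"/}" \
      "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c '%s %Y' "$f")"
  done | LC_ALL=C sort
}

# baseline_init DIR DBFILE -> stores the current snapshot as the baseline
baseline_init() {
  _snapshot "$1" > "$2"
}

# baseline_check DIR DBFILE -> prints "ADDED path", "REMOVED path" or
# "MODIFIED path (hash size mtime)" per changed file; returns 0 when the
# tree still matches the baseline, 1 otherwise (like tripwire --check)
baseline_check() {
  local dir="$1" db="$2" tab now changes
  tab=$(printf '\t')
  now=$(mktemp)
  _snapshot "$dir" > "$now"
  # Full outer join on the path: a path missing from the baseline is an
  # addition, a path missing from the new snapshot is a deletion, and a path
  # present in both with different attributes is a modification.
  changes=$(LC_ALL=C join -t "$tab" -j 1 -a 1 -a 2 -e MISSING -o '0,1.2,2.2' "$db" "$now" |
    awk -F '\t' '
      $2 == "MISSING" { print "ADDED " $1; next }
      $3 == "MISSING" { print "REMOVED " $1; next }
      $2 != $3 {
        split($2, a, " "); split($3, b, " "); what = ""
        if (a[1] != b[1]) what = what " hash"
        if (a[2] != b[2]) what = what " size"
        if (a[3] != b[3]) what = what " mtime"
        print "MODIFIED " $1 " (" substr(what, 2) ")"
      }')
  rm -f "$now"
  [ -z "$changes" ] && return 0
  printf '%s\n' "$changes"
  return 1
}
```

Typical use is baseline_init /etc /root/etc.db followed by baseline_check /etc /root/etc.db from cron. Keep the baseline somewhere the intruder cannot write (read-only media or a separate host): Tripwire signs its database with the local key for exactly this reason, and a checker whose baseline the attacker can edit proves nothing. The mtime column also explains a detail of the lab report: a file can show a changed modify time with an unchanged hash when it was merely rewritten with the same content or touched.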

Jails
Regarding network security and hacker detection, a jail is a separate system you can
create to delay or distract a hacker. A jail looks just like a series of actual network hosts,
when in fact it is a series of tripwires designed to issue alerts to the systems
administrator. Jails commonly supply deliberately inaccurate information that allows an
administrator time to detect and catch the hacker.
Jails can be a dangerous way to contain hacker activity, mainly because of the potential
for a hacker to "break out" of your jail and into your actual system. Also, make sure that
your security policy allows you to use a jail. Systems administrators have sometimes
created jails, only to learn later that the company forbids them. The decision to create a
jail or other such device should be made by managers who fully understand the benefits
and drawbacks of such techniques.
A jail might be advisable for several reasons, especially if the network is particularly
large. A determined hacker is going to relay through several sites before penetrating your
system. To locate a hacker's origin, you usually need to obtain packet traces and
physical line traces. These will track the hacker to his or her source. To accomplish this
tracking, you must keep the hacker online.
Talented hackers use a system for only a few minutes at a time. In fact, most hackers
usually work with many systems at a time, going back and forth between them. This
practice makes hacker activity seem intermittent, and therefore non-threatening. The
result is that it is quite difficult to detect even the most malicious activity until it is too
late.
A good hacker, like a good administrator, is paranoid. Sometimes, the only way to catch a
hacker is to take a proactive stance. Such proactive methods may include making the
hacker stumble across a tripwire, as was shown in a previous lab.
OBJECTIVE 1.6.5: Deploying tripwires and other traps
OBJECTIVE 1.6.4: Distracting and containing hackers
packet trace: The activity of learning where a packet of information has come from.
Because any information sent across the Internet has probably passed through at least
five or six computers, it is often necessary to learn the route by which that information
came.
physical line trace: The attempt to determine the port or telephone line a hacker has
used.
Deterring the Hacker
The difference between deterring hackers and distracting them is that deterring hackers
extends past catching them; it drops the connection (sometimes permanently), or ensures
that the hacker will be contained. It is important, also, that you are not seen as
punishing the hacker, in the sense that you are retaliating. Your goal should be to
discourage future attempts to enter your system.
Methods for deterring hackers
When detecting and deterring a hacker, you are limited only by your knowledge of
available resources and your understanding of your network. Following is a list of
methods available.
- Log traffic and send e-mail messages: Check your system logs and determine the
origin of the attack. You can also try to trace an existing connection by using a port
listener. If you are reasonably sure that your logs' connection trace has given you the
true identity of an attacker, you can then send the systems administrator or ISP an
e-mail message requesting an explanation.
- Conduct reverse scans: If you can identify an attacker, consider scanning the
system to learn more about the origin of the attack.
- Drop the connection: You can configure your system to automatically drop the
connection. You can also enter this host's IP address into a database so that the host
cannot connect to your system again in any way. Often, simply cutting off a hacker is
insufficient, because he or she will return, or because you want to continue tracing
the connection to discover its true origin. As long as the attacker is not destroying or
obtaining sensitive information, you may want to wait and see if you can gain
additional information that will help you catch the perpetrator.
- Contact the ISP: Trace the connection, if possible, and inform the hacker's ISP.
Two reasons exist for notifying the ISP: the ISP can terminate the connection so the
attack can be stopped, and the ISP can help you trace the attack.
In the case of the denial-of-service (DoS) attacks waged against Yahoo!, Microsoft and
Amazon.com in early February 2000, the most effective course of action was to
reconfigure routers so that traffic could not be passed to the victim hosts.
Tools for responding to hackers
Many security tools are available for responding to hackers. Responses range from
notifying the administrators to hardening the firewall so that it closes the connection. As
shown in Table 11-1, security tools at your disposal range from simple packet sniffers to
personal firewall applications and individual applications.
Table 11-1: Tools for responding to attacks
- Sniffers: Sniffers include the Sniffer and nGenius products (www.netscout.com),
snort (www.snort.org, an intrusion-detection system that can also run as a plain
sniffer), and Wireshark (www.wireshark.org).
- Personal firewalls: Tools such as ZoneAlarm (www.zonealarm.com), Comodo Firewall
Pro (www.personalfirewall.comodo.com) and PC Tools Firewall Plus
(www.pctools.com/firewall) can detect and respond to attacks on Windows systems.
Table 11-1: Tools for responding to attacks (cont'd)
- route: The route command is generally used to configure a Linux system's routing
tables. It can also be used to cut off a host by installing a reject or blackhole route
for its address, so that your system discards every packet it would otherwise send
back to that host.
- ipchains / iptables: Both of these commands allow you to create entries that will
permanently drop all connections from a host (ipchains belongs to the 2.2 kernel
series; iptables replaced it from kernel 2.4 onward).
- Nmap (Network Mapper): Nmap is a port scanner, not a detector. It is the tool you
would use for the reverse scans described above, and for checking which of your own
ports an attacker can see; it does not identify scans against you or drop connections,
so pair it with a firewall or a detector such as PSAD for that. You can learn more about
Nmap at http://nmap.org/.
- Port Scan Attack Detector (PSAD): This tool runs on Linux machines and analyzes
iptables log messages to detect port scans and other suspicious traffic, and it can add
iptables rules to block the scanning host automatically. For more information, go to
www.cipherdyne.com/psad.

When implementing security tools, do not automatically assume that your
network is protected. Often, security tools are created based upon current
hacker techniques and tools. Hackers are constantly updating their tools and
techniques to penetrate systems. Your security tools may not detect or respond
to a new hacker tool.
You can find additional tools at the following locations.
- http://packetstorm.linuxsecurity.com: A site devoted to both white hat and black
hat hackers.
- http://sourceforge.net: Although not a site devoted specifically to security, it
contains many valuable security tools.
Problems with retaliation
Carefully consider the use of retaliatory measures such as reverse scans and contacting a
person's ISP. Although they can help stop many hackers, such strategies could also lead
to negative consequences for your company. Remember that hackers often spoof IP
addresses, so you may end up retaliating against the wrong host.
Also, a hacker can spoof IP addresses that are important to the proper function of your
network. For example, consider what would happen if you used iptables to automatically
block every host that scans you, and a hacker sent scans whose source addresses were
forged to be those of your own DNS servers or of legitimate customers: your automated
defense would cut off exactly the hosts you depend on. Any automatic blocking therefore
needs an allowlist of addresses that must never be blocked, and the blocks themselves
should expire rather than be permanent.
Further, some hackers might interpret your measures as an insult or a challenge, which
might increase their resolve to compromise your network. Therefore, carefully consider
the use of retaliatory measures, because they can cause more problems than they solve.
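The PSAD entry in Table 11-1 and the spoofing caveat above come together in the following added example, written for this edit rather than taken from psad or from the CIW guide. It reads iptables LOG lines (the real kernel format, with SRC=, DST=, PROTO= and DPT= fields), counts the distinct destination ports each source has probed, flags sources above a threshold as scanners, and then proposes an iptables DROP rule for each one except addresses on an allowlist, which are reported as SKIP so that a scan spoofed from your resolver's address cannot get the resolver blocked. The sample log lines and allowlist are constructed (documentation addresses, not captured traffic); the function names scan_sources and propose_blocks, the SAMPLE_LOG and ALLOW_FILE variables, and the choice to print the rules for review rather than apply them are this example's own.

```shell
# Port-scan detection over iptables LOG lines (added example; psad does this
# job properly). A scanner is a source that probes many distinct destination
# ports; sources on an allowlist are never blocked, so a hacker who spoofs
# your DNS servers' addresses cannot trick you into cutting them off.
# Assumes the standard iptables LOG format ("SRC=... DST=... PROTO=... DPT=...").
# The sample lines below are constructed, not captured traffic.

# scan_sources LOGFILE THRESHOLD -> "SRC NPORTS" for every source that hit at
# least THRESHOLD distinct destination ports, one per line, sorted by address
scan_sources() {
  awk -v thr="$2" '
    /PROTO=(TCP|UDP)/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      # count each (source, port) pair once: retries of one port are not a scan
      if (src != "" && dpt != "" && !((src SUBSEP dpt) in seen)) {
        seen[src SUBSEP dpt] = 1
        ports[src]++
      }
    }
    END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }' "$1" | LC_ALL=C sort
}

# propose_blocks LOGFILE THRESHOLD ALLOWFILE -> prints one iptables DROP rule
# per scanning source for an operator to review, except sources listed in
# ALLOWFILE (one address per line), which are reported as SKIP instead
propose_blocks() {
  local src n
  scan_sources "$1" "$2" | while read -r src n; do
    if grep -qxF "$src" "$3"; then
      printf 'SKIP %s (allowlisted, %s ports probed)\n' "$src" "$n"
    else
      printf 'iptables -I INPUT -s %s -j DROP\n' "$src"
    fi
  done
}

# Constructed sample: 203.0.113.7 sweeps seven ports (port 22 twice),
# 198.51.100.5 (our own resolver, its address spoofed by the scanner) sweeps
# six, 192.0.2.33 merely retries port 80, and one ICMP echo carries no port.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 12 03:14:07 fw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40321 DPT=21 SYN
Mar 12 03:14:07 fw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40322 DPT=22 SYN
Mar 12 03:14:07 fw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40323 DPT=22 SYN
Mar 12 03:14:08 fw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40324 DPT=23 SYN
Mar 12 03:14:08 fw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40325 DPT=25 SYN
Mar 12 03:14:08 fw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40326 DPT=80 SYN
Mar 12 03:14:09 fw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40327 DPT=443 SYN
Mar 12 03:14:09 fw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40328 DPT=3389 SYN
Mar 12 03:15:01 fw kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=50001 DPT=22 SYN
Mar 12 03:15:01 fw kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=50002 DPT=25 SYN
Mar 12 03:15:01 fw kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=50003 DPT=80 SYN
Mar 12 03:15:02 fw kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=50004 DPT=110 SYN
Mar 12 03:15:02 fw kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=50005 DPT=443 SYN
Mar 12 03:15:02 fw kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=61 TTL=52 PROTO=UDP SPT=50006 DPT=53 LEN=41
Mar 12 03:16:10 fw kernel: IPT-IN: IN=eth0 OUT= SRC=192.0.2.33 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=33001 DPT=80 SYN
Mar 12 03:16:11 fw kernel: IPT-IN: IN=eth0 OUT= SRC=192.0.2.33 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=33001 DPT=80 SYN
Mar 12 03:16:13 fw kernel: IPT-IN: IN=eth0 OUT= SRC=192.0.2.33 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=33001 DPT=80 SYN
Mar 12 03:16:20 fw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TTL=48 PROTO=ICMP TYPE=8 CODE=0
EOF
ALLOW_FILE=$(mktemp)
printf '198.51.100.5\n' > "$ALLOW_FILE"
```

With a threshold of five, scan_sources reports both 203.0.113.7 and the spoofed 198.51.100.5, but propose_blocks emits a DROP rule only for the first and a SKIP line for the resolver. The rules are printed rather than applied so that an operator reviews them, and on a production firewall any block added this way should carry an expiry (psad's auto-blocking supports a timeout for the same reason).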
white hat hacker: A security analyst who is asked to test an organization's network and
information security measures.
black hat hacker: A malicious user who defeats security measures to either view or obtain
system configuration information and data.
Case Study
Sacking the Hack
Raphael is the security administrator for a new Brazilian aircraft manufacturer. Because
the aircraft will incorporate new design features and materials patented by their own
engineers, Raphael anticipates that the company will become the target of industrial
espionage perpetrated by hackers. Raphael wants to proactively thwart hacking activity
and detect any activity that does occur as soon as possible. The company specifically
forbids using jails and engaging in any retaliatory actions toward hackers who are
discovered.
Raphael proposes the following to detect, distract and deter hacker activity:
- Setting up dummy password files and automated checksums
- Setting up a series of tripwires to supply inaccurate information to any hacker who
breaches the network's security
- Conducting reverse scans against perceived hackers
- Employing sniffer applications and personal firewalls to help thwart attacks
- Installing intrusion-detection applications to provide automated auditing for network
hosts
* * *
As a class, discuss this scenario and answer the following questions:
- What are the relative merits and drawbacks of each of the proposed ideas?
- Which of the proposed ideas are in compliance with the company's network security
policy?
- Which of the proposed techniques or tools would be the most helpful to Raphael?
- Can you think of any other techniques or tools that Raphael should consider?

Lesson Summary
Application project
In this lesson, you learned about ways to proactively detect and even respond to hackers.
Go to the http://packetstorm.linuxsecurity.com and http://sourceforge.net sites and
search for applications that can help you secure your network.
When time permits, configure an account to use the secrep.bat file so that it runs
whenever that user logs on. Then, view the report.txt file to gain information about the
system.
Skills review
A hacker's best friend is a network with lax security, or a security staff that thinks its
job was finished once protective services and programs were installed. Proactive security
detection in the form of scripts and automated programs can help busy systems
administrators. It is important to find ways to protect your system, which may involve
detecting, distracting and deterring hackers.
Now that you have completed this lesson, you should be able to:
- 1.6.2: Customize your network to manage hacker activity.
- 1.6.3: Implement proactive detection.
- 1.6.4: Distract hackers and contain their activity.
- 1.6.5: Deploy tripwires and other traps on a network host.


Lesson 11 Review
1. Most computer break-ins occur late at night. What is the best way to repel potential
hackers during these times?


2. How can login scripts help you implement security?


3. How can checksum analysis help you implement security?



4. How does the Tripwire application alert you that a hacker has broken in, or is trying
to do so?




5. Describe why you would not want to immediately drop a connection that you have
confirmed is illicit.









Lesson 12:
Incident Response
Objectives
By the end of this lesson, you will be able to:
- 1.6.6: Respond appropriately to a security breach.
- 1.6.7: Identify security organizations that can help in case of system attack.
- 1.6.8: Subscribe to respected security alerting organizations.
- 1.6.9: Identify appropriate authorities to contact regarding data theft and other
attacks.

Pre-Assessment Questions
1. Which of the following is essential for ensuring an efficient response to hacker
activity?
a. End all network connections.
b. End all network connections made by the hacker.
c. Consult with the IT manager.
d. Consult the response policy.
2. Which of the following will enable a response team to learn the most about an attack?
a. Allowing the attack to continue so that they can study its effects
b. Recording all relevant information
c. Deciding ahead of time not to panic
d. Enabling auditing
3. After an attack has occurred, and you have repaired all damage, describe what you
should do next.







Creating an Incident Response Policy
You learned earlier how to detect, contain and deter hacker activity. When a security
breach does occur, you need a plan for dealing with it. You should have a well-planned
policy that explains how and when to report a problem, and it should also detail the
proper organizations and people to inform. This lesson describes the specific steps you
should take if a hacker is detected. The first step is to write down a specific response
policy.
Consider the following steps, then customize them to conform to your own situation. You
must write these steps down because they will form your incident response policy, which
is a simple but effective document that explains the proper steps to take if a security
breach occurs. Keep this policy in view of all IT professionals at all times. Workers should
be directed to follow these steps in case of an attack. They should not deviate from them
unless they can provide a specific justification for doing so.
Decide ahead of time
You do not want to have to make policy decisions during a crisis. You need to make
policy decisions well before a crisis happens. Research has repeatedly proven that people
in crisis situations make poor decisions unless a clearly defined policy exists. For
example, your policy could stipulate that systems administrators should contact the
president of operations before contacting law enforcement. Such requirements will help
everyone make sound decisions without embarrassing the company and creating
unnecessary attention.
For example, AT&T discovered in 1995 that hackers had penetrated its network. Trying to
solve the problem, the system administrators decided to create an electronic "jail."
Although this action seemed prudent to help the company find the perpetrators, the
administrators were reprimanded because management deemed that their solution had
endangered the company's network.
The confusion at AT&T was the result of miscommunication between management and
the system administrators. This confusion could have been avoided if everyone had
known and followed a single written plan. Acting prudently is easy if you have a well-
organized, written policy to follow.
When considering what to do if a hacker attacks your network, decide what steps you will
take, then record those decisions. Itemize a detailed list of procedures, and include it in
your written policy. Then, make sure all concerned employees have a copy. Your security
plan should stipulate when to end a hacker's session, and when to keep the hacker busy.
Do not panic
It is easy to tell someone not to panic during an emergency or a security breach, but
actually remaining calm at such a time is difficult. When systems administrators and
response teams panic, they can rush to snap judgments that may be inappropriate for
the current situation. However, with a pre-written policy, your plan of action will be
mapped out for you. So, the first step to take is to review the pre-written policy. Doing so
will allow you to think clearly and respond more efficiently when it is most important.
OBJECTIVE 1.6.6: Security breach response
Document everything
System and server logs are, of course, essential to incident documentation. Auditing logs
are often the proof that a hacker has infiltrated the system. However, if a security breach
occurs, you should also document the responding moves that you make. Audit logs are
only half of what you need.
At a minimum, a report should include the following information:
- The time and date of the attack
- The nature of the attack, including affected systems, the traffic type (e.g., TCP, UDP,
ICMP), and so forth
- The server(s) involved
- The names of all company employees (e.g., management, other IT workers and so
forth) who were contacted during the response
- Any applications used
An example of a detailed account might look something like this:
"On September 1, 2008, at 8:00 a.m. Pacific Standard Time, I noticed that certain
administrative permissions on the Web server had been reset by account 'ty2,' which was
still active. I then called my supervisor, Bill Evans, who ordered me to conduct a
traceroute, which I did at 8:10, using the Winfingerprint program. As I was waiting for
the program to finish, I also began looking through the auditing logs."
Your account of the incident should indicate which systems were affected, where the
hacker entered (if possible), and any peculiar or interesting moves the hacker made.
If you are careful to record your own activities as well as what you can learn about the
hacker's, your chances of avoiding further problems increase.

An accurate log might also help system administrators fix damaged systems,
changed permissions, and so forth.
Just as important, a detailed log will enable you to fix problems in your security system.
Such a log will also help you when you retrace your steps after the crisis to see what you
might have done more efficiently.
Determining If an Attack Has Occurred
When a security breach is suspected, you must first assess the breach and determine
whether an actual attack has occurred. Often, the activities of an inept user can resemble
hacker activity. Also, even if a user account has been implicated in an attack, this does
not mean that the user waged the attack. The user account may itself have been
compromised as part of a larger, more involved attack. The suspicious activity may even
have been the work of someone with administrative access. Even the best policy can fail if
someone makes a hasty conclusion and begins the incident response process. However,
after you have identified a problem, be vigilant, persistent and thorough.
Determine the scope of the breach
After you have confirmed that a hacker has entered your system, analyze the situation.
Your first task in the determination process is to find out if the hacker is at Stage 1
(discovery), Stage 2 (penetration), or Stage 3 (control, and spreading to other systems).
Very often, more than one system or system daemon is compromised. After a hacker
gains access to one system, he or she will probably try to control others on your network.
Thus, you should take the following steps:
- Determine which accounts have been affected.
- Identify which files have been read, altered or substituted.
- Trace the hacker's activities in your system.
- Consult audit logs.
- Determine whether any permissions have been reset.
A security group or department should determine the scope of the damage to your
system. During this activity, system administrators should suspend their routine work,
because even routine activity will generally destroy evidence that the hacker has left
behind. If the hacker has erased files, for instance, administrators can recover them only
until the disk blocks those files occupied are overwritten, and normal activity will
overwrite those blocks sooner or later, losing the files for good. Where possible, work from
a forensic image of the affected disk rather than from the live system.
Stop or contain activity
When you detect and identify an attack, the next step you should take is to either break
the connection or contain the activity, as directed by your security policy and the
particular situation. Just remember that containment is often dangerous. Even with a
sound policy in place, such decisions are still situation-dependent.
Executing the Response Plan
Most of the time, responding to an attack is a matter of doing what your incident
response policy stipulates. Steps mandated by your security policy can include:
- Notifying affected individuals.
- Breaking the link or creating a "jail."
- Notifying appropriate authorities.
- Contacting the hacker.
- Tracing connections and conducting other checks to further map the hacker's
activity.
- Reconfiguring the firewall.
Notifying affected individuals
Notifying management is often an important first step. However, understand that even
though management wants to be notified concerning a security breach, it probably does
not want to make any decisions concerning further actions. Usually the IT department is
charged with making such decisions, as guided by the security policy. Also, if a hacker
has compromised a legitimate user account, you will probably need to direct that user to
change his or her password and thoroughly check the files on that computer to see if
anyone has tampered with them.
In an earlier lesson, you learned about the importance of notifying the ISP in case of an
attack. When executing your incident response plan, make sure that you consider this
option. Your ISP will probably be very helpful if you can prove that a user account has
been compromised or if a user has engaged in illegal activity. However, it is important to
realize that you bear the burden of proof in such cases. Proof should include any
information that helped you reach a reasonable conclusion that the ISP has an account
or server that was somehow involved in an attack on your system. As you discuss a
break-in with an ISP, consider the following types of evidence:
- Log files indicating the source IP address and port(s) of the connection, together with
timestamps and the time zone of the logging host (the ISP needs both to match an
address to a subscriber)
- Any evidence of the user's logon name
Your ISP can terminate the connection so that the attack can be stopped, and it can help
you trace the attack. Also, an ISP can reconfigure its routers so that "downstream"
networks will not receive the same attack.
Notifying appropriate authorities
Once you have collected evidence of a security breach, you should notify the following
parties, who can use the evidence you collect.
- Internal litigants: If an employee has been charged with attacking a system, you
will need to provide solid evidence of the attack.
- Law enforcement: In many countries and states, a security breach must be
reported to law enforcement. These parties will expect data to be properly obtained
and stored.
- Insurance companies: Evidence of a security breach is not only used for
prosecution and litigation. It can also be used to file insurance claims. Increasingly,
insurance companies have been insuring servers and services against business loss.
Notifying Internet agencies
The Computer Emergency Response Team (CERT) receives thousands of e-mail messages
and hotline calls every year. CERT staff investigates many of these reports, then issues
alerts. If you suspect that a hacker has broken into your system, you may need to notify
CERT (www.cert.org). The CERT Web site, whose home page is shown in Figure 12-1, is
also an excellent resource for security information.
OBJECTIVE 1.6.9: Contacting appropriate authorities
OBJECTIVE 1.6.7: Security organizations
OBJECTIVE 1.6.8: Security alerting organization subscriptions

Figure 12-1: CERT home page
In the following lab, you will view the Web sites of several security-alerting organizations
and gain access to up-to-date information about Web security. Suppose you work in a
company's IT department, and the systems administrator has assigned you to research
and stay on top of current security issues. A good way to do this is to join at least one
online forum where you can discuss Web security issues with other IT professionals. You
conduct an online search, and discover several sites that may provide the information
and learning tools you need to help you better manage Web security for the company.

Lab 12-1: Subscribing to security mailing lists
In this lab, you will subscribe to security mailing lists.
Note: You may want to perform these lab steps when you return to your office to subscribe
to respected security mailing lists.
1. Browse to the CERT Web page at www.cert.org and subscribe to the mailing list.
2. Go to www.webappsec.org/lists/websecurity/. Subscribe to the mailing list by
selecting the appropriate links.
3. Go to www.securityfocus.com. Subscribe to the newsletter by clicking the
appropriate links.
4. Your instructor may be able to provide you with additional security sites. Record
them here:
____________________________________________________________________________________
____________________________________________________________________________________


Analyzing and Learning
The most important step in the response process is to learn from the incident. To best
analyze your response, ask the following questions of everyone involved after the attack
has occurred:
- How did the hacker(s) bypass the security? By compromising an employee? Through
social engineering? By committing a brute-force attack? By modifying the routing
tables? Through an inadequate firewall? Ask specific questions and write down the
answers.
- What were the strengths of the actual response effort? What could have been
improved? What should be done differently in the future?
- What personnel and/or software could have helped prevent this attack?
After you have asked and answered these questions, you can record the specific lessons
you have learned, then update your security policy and the way it is implemented. If you
take these steps, you will always ensure that your security policy reflects the lessons you
have learned from your experience.

Case Study
The First Incident
Xiao is the one-person IT department for his 15-person start-up company. Xiao is responsible for all IT-related activity, including network security and incident response. He discovered that a serious security breach had occurred over the weekend, resulting in the corruption of several backup drives and password files, access to which required administrative permission. Because Xiao is the only employee with administrative access, he immediately suspected a hacker attack.
Xiao proceeded to record the time and date of the attack, the nature of the attack, the servers involved, and the files and directories affected. He also attempted to trace the hacker, and he made a mental note to contact the police once he determined who the hacker was.
* * *
As a class, discuss this scenario and answer the following questions:
- Did Xiao document all the information needed to respond appropriately to the attack and help prevent future attacks? If not, what other information would be helpful?
- Was Xiao correct to assume that the system suffered a hacker attack? Could any of the other employees have inadvertently breached system security?
- Whom should Xiao notify of the attack?
- What types of additional personnel or software may help in preventing future attacks?
OBJECTIVE 1.6.6: Security breach response

Lesson Summary
Application project
This lesson has focused on steps you can take if a network security breach occurs. When you return to your office, consider writing down a plan for your IT employees. If time permits, write down some beginning thoughts in the space below.
If you need some questions to get you started, consider the following:
- Who is the first person in your company to contact if a break-in occurs?
- Which management personnel should be informed?
- What systems are of particular concern to you, and which of these should be protected the most?
- Should notification occur by e-mail? Pager? Windows pop-up message?
- Who should be informed after a situation has been stabilized (i.e., after an intrusion has been identified and initially communicated)?
Consider questions that will help you begin a response policy for your own situation. Finally, do not think that you have to write down the policy perfectly the first time. Just write down your initial thoughts, then you or an assistant can add to your first ideas and revise them later.


Skills review
In many ways, responding to a security incident is as important as implementing sound
hardware and software security. Unless you itemize proper solutions and follow them
exactly, you might panic and become further victimized by a hacker. In this lesson, you
learned about how to respond appropriately to hacker activity. You also learned about the
necessity of keeping accurate, written accounts of all activity, when breaking a hacker's
connection might be appropriate, and how to learn from hacker activity.
Now that you have completed this lesson, you should be able to:
- 1.6.6: Respond appropriately to a security breach.
- 1.6.7: Identify security organizations that can help in case of system attack.
- 1.6.8: Subscribe to respected security alerting organizations.
- 1.6.9: Identify appropriate authorities to contact regarding data theft and other attacks.

Lesson 12 Review
1. Why should you notify your ISP when a security breach has occurred?



2. What should you do after a security incident has been resolved?



3. After you have decided the steps to take when responding to an incident, what
should you do next?



4. Describe why you must determine the scope of a particular security breach.



5. What steps should you take after you have determined whether a hacker is in the
discovery, penetration or control stage?




Appendixes
Appendix A: Objectives and Locations*
Appendix B: Internet Security Resources*
Appendix C: Commercial Products Used in This Course*
Appendix D: Works Consulted*
Appendix E: Security Tools*

* Appendix found on Supplemental CD-ROM

Glossary
access control list (ACL): A list of individual users and groups associated with an object, and the rights that each user or group has when accessing that object.
Ajax: A programming methodology that uses a number of existing technologies together and enables Web applications to make incremental updates to the user interface without the need to reload the browser page.
auditing: Reading and interpreting log files to identify hacker activity.
back door: An intentional hole in a firewall or security apparatus that allows access around security measures.
BIND: Berkeley Internet Name Daemon. The most widely used daemon for resolving names to IP addresses.
biometrics: The science of mapping physical, biological characteristics to individual identity.
black hat hacker: A malicious user who defeats security measures to either view or obtain system configuration information and data.
bot: A software application that runs automated tasks over the Internet.
botnet: A group of computers infected with a bot.
broadcast domain: A group of systems that communicate directly with each other without the aid of a router. If one system can send a packet to the Layer 2 addresses of all systems, then they all exist in the same broadcast domain.
brute-force attack: An attack involving repeated user name or password guessing, one character at a time. Can also involve physical attacks on server-room doors or false ceilings.
certificate: A specific form of an asymmetric key. Certificates provide authentication and assign responsibility. ActiveX programs, for example, can be certified to show who wrote them and when.
chargeback: The concept of billing users for the volume of network traffic they generate.
ciphertext: Text that is completely unreadable unless it has been translated back into readable form with the use of a key.
Common Gateway Interface (CGI): A protocol that allows a Web server to pass control to a software application, based on a user request. It also allows that program to receive and organize that information, then return it to the user in a consistent format. A CGI script resides on a Web server, enabling the CGI process.
Computer Emergency Response Team (CERT): An organization devoted to dealing with computer-related security issues. CERT is a part of the Internet Society (ISOC), which establishes the protocols that govern the Internet. CERT maintains information about how to solve specific security problems and publishes security advisories.
daemon: A UNIX program (i.e., service) that is usually initiated at startup and runs in the background until required.
demilitarized zone (DMZ): A mini-network that resides between a company's internal network and the external network, such as the Internet.
denial-of-service (DOS) attack: A type of attack waged by a single system aimed at crashing the target system.
dictionary attack: An attack in which a hacker tries to guess user passwords by using words from a file containing various possible passwords.
dictionary program: A program specifically written to break into a password-protected system. A dictionary program has a relatively large list of common password names that the program repeatedly uses to attempt to gain access.
distributed denial-of-service (DDOS) attack: A type of attack waged by multiple systems aimed at crashing the target system.
DNS Security Extensions (DNSSEC): A set of extensions to DNS designed to protect DNS clients from attacks. Uses digital signatures to ensure data integrity and authenticity.
drive-by download: The automatic download of malicious content without the user's knowledge or consent.
Encapsulating Security Payload (ESP): The IPsec mechanism used to authenticate and encrypt packets.
end point: A system that uses a wireless NIC.
execution control list (ECL): A list of the resources and actions that an operating system or application can access/perform while it is executing.
firewall: A security barrier that controls the flow of information between the Internet and private networks. A firewall prevents outsiders from accessing an enterprise's internal network, which accesses the Internet indirectly through a proxy server.
hacker: An unauthorized user who penetrates a computer host or network to access and manipulate data.
hexadecimal: A base-16 number system that allows large numbers to be displayed by fewer characters than if the number were displayed in the regular base-10 system. In hexadecimal, the number 10 is represented as the letter A, 15 is represented as F, and 16 is represented as 10.
illicit server: An application that installs hidden services on systems. Illicit servers consist of "client" code and "server" code that enable the attacker to monitor and control the operation of the computer infected with the server code.
information leakage: A condition in which a system or network unnecessarily reveals information during standard operations.
Internet Engineering Task Force (IETF): An organization that determines the standards and protocols for the Internet.
Internet Protocol Security (IPsec): A set of protocols developed by the IETF to support the secure exchange of packets at the IP layer.
Internet Services Application Programming Interface (ISAPI): A method developed by Microsoft to write programs that communicate with Web servers through OLE.
intrusion detection: The practice of using applications and servers to detect suspicious network and host-based traffic.
kernel: The core of the Linux operating system. This core can be upgraded to obtain the latest features and the functionality you need.
key: A method of deciphering encryption. A key can be a simple string of text characters or a complex series of hexadecimal digits.
malware: Abbreviation for malicious software. Malware is software designed to harm computer systems.
man-in-the-middle attack: An attack in which a hacker positions himself logically in the middle of a connection in order to intercept (and possibly reroute) packets.
Network Address Translation (NAT): An Internet standard that allows a local area network to use one set of IP addresses for internal traffic and another set of IP addresses for external traffic.
network appliance: A single machine dedicated to one purpose. Instead of installing firewall software on a standard computer, you can obtain a specialized system meant only to house firewall software.
network perimeter: The outer limit of a network as defined by a firewall.
object: In security, a file, program, service/daemon or resource that is maintained and controlled by an operating system.
open network: A group of servers and computers, such as the Internet, which allows free access.
Open Systems Interconnection reference model (OSI/RM): A layered network architecture model of communication developed by the ISO. Defines seven layers of network functions.
packet: Information processed by protocols so that it can be sent across a network.
packet filter: A device, such as a router or firewall, that processes and scans packets for acceptable and unacceptable activity.
packet filtering: The use of a router to process and scan packets for acceptable and unacceptable activity.
packet trace: The activity of learning where a packet of information has come from. Because any information sent across the Internet has probably passed through at least five or six computers, it is often necessary to learn the route by which that information came.
password sniffing: A method of intercepting the transmission of a password during the authentication process. A "sniffer" is a program used to intercept passwords.
patch level: The measurement of specific updates given to an operating system. Windows Server 2003 refers to system patches as "service packs."
Perl: A cross-platform programming language that enables users to write custom CGI programs, as well as system management programs.
pharming: An Internet scam in which users are misdirected to fraudulent Web sites without their knowledge or consent.
phishing: A social engineering scam in which the perpetrator sends e-mail messages to lure personal and financial information from unsuspecting victims.
physical line trace: The attempt to determine the port or telephone line a hacker has used.
poisoned Web site: A Web site that contains malicious content designed to harm your computer.
port agility: The ability to dynamically send and receive traffic across any open network port.
RAID (Redundant Array of Independent Disks): A category of disk drive that employs two or more drives and allows you to store data redundantly.
sandboxed: Containing built-in constraints that protect a program from malicious activity or prevent it from accessing important resources.
Secure HTTP (SHTTP): A form of encryption that takes place at the Web page level and allows a Web browser to transfer sensitive information across the Internet.
security matrix: All components used by a company to provide a security strategy. Includes hardware, software, employee training, security policy, etc.
session key: A temporary, sometimes even reusable, item that is the result of the authentication process. A Kerberos "ticket" is an example of a session key. Users can re-deploy session keys during further network exchanges to prove identity. Session keys are not specific to any one security implementation.
signature database: In an anti-virus scanner, a collection of viruses, worms and illicit applications that are listed as security threats.
social engineering: The use of disinformation to gain access to a network by tricking legitimate employees into revealing information or changing system settings.
spam: Unsolicited bulk e-mail sent anonymously, often from misconfigured e-mail servers.
spread spectrum: Various methods for radio transmission in which frequencies or signal patterns are continuously changed.
SQL injection: A hacking technique in which SQL commands are passed through a Web application for execution by the back-end database.
system snooping: The action of a hacker who enters a computer network and begins mapping the contents of the system.
TCP/IP protocol stack: The hierarchy of protocol levels established according to the Open Systems Interconnection (OSI) model. The stack is the portion of the operating system that transmits and receives information on a network.
Transmission Control Protocol/Internet Protocol (TCP/IP): A suite of protocols that turns information into blocks of information called packets. These are then sent across networks such as the Internet.
trojan: A program disguised as a directory, archive or game that, when downloaded to a system, has an alternative, damaging effect. Illicit servers, such as NetBus, are often made into trojans that end-users unwittingly install on their systems.
tunneling protocol: A protocol that encapsulates data packets into another packet. Tunneling protocols include Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec) and Layer 2 Tunneling Protocol (L2TP).
Type of Service (ToS): Bits that can help prioritize certain types of traffic. Routers can mark IP packets with certain ToS bits. For example, you can set ToS bits for all HTTP traffic, so that it is processed before any other traffic type.
virtual local area network (VLAN): Logical subgroup within a local area network (LAN) created with software instead of hardware.
virtual network perimeter: An outer corporate network created using VPN technologies, thus extending the corporate network to suppliers and customers.
virtual private network (VPN): An extended local area network (LAN) that enables a company to conduct secure, real-time communication.
virus: A malicious program that replicates itself on computer systems, usually through executable software, and causes irreparable system damage.
VLAN hopping: An attack in which a hacker intercepts packets as they are sent from one VLAN to another on a trunk.
Voice over IP (VoIP): The use of Internet Protocol (IP) data networks to convey voice normally carried by telephone networks.
Web graffiti: The act of defacing a Web site by replacing authorized content with illicit information.
white hat hacker: A security analyst who is asked to test an organization's network and information security measures.
WiFi: Short for Wireless Fidelity. A generic term referring to any type of 802.11 high-speed wireless network.
Wireless Transport Layer Security (WTLS): The Wireless Application Protocol (WAP) encryption standard that uses certificates to encrypt wireless packets.
worm: A self-replicating program or algorithm that consumes system resources.
XMLHttpRequest: An application programming interface (API) that is used to transfer XML and other text data between a Web server and browser.

Index

128-bit addresses, 8-3
8.3 naming convention, 5-32
access control, 1-12, 2-18, 5-10
access control list (ACL), 2-19
access control, e-mail, 8-14
access control, FTP servers, 8-10
access control, physical, 8-16
account lockout, 4-21
ACK, 7-11
active auditing, 2-27
active FTP, 7-15
activities, defining acceptable and unacceptable, 2-7
ad-hoc mode, wireless, 5-6
Adore root kit, 4-12
Advanced Encryption Standard (AES), 3-8
adware, 4-44
algorithms, symmetric, 3-5
anonymous downloads, 5-34
anti-virus applications, 4-14, 4-15
AP, wireless, 5-3, 5-6
application layer, TCP/IP stack, 7-14
application-layer proxy, 9-5
APs, unauthorized, 5-10
ARP cache poisoning, 4-41
ARP spoofing, 4-32
assessing security breaches, 12-4
asymmetric encryption, 2-9
asymmetric-key encryption, 3-11
attack categories, 4-3
attackers, casual, 1-10
attackers, determined, 1-10
auditing, 1-11, 2-27, 4-45
authentication, 1-12, 2-10, 2-11, 9-24
authentication database, 4-45
Authentication Header, 9-32
authentication in wireless networks, 5-7
authentication methods, 2-11
automated auditing, 11-4
automated checksums, 11-5
automated security scans, 11-3
autotrunking, 5-25
back doors, 2-8, 4-7, 5-26, 5-31
back-door attack, 4-3
BackOrifice, 4-13
Basic Service Set Identifier (BSSID), 5-7
bastion host, 9-9
bastion host, dual-homed, 10-4
bastion host, internal, 10-5
bastion host, single-homed, 10-4, 10-8
bastion host, triple-homed, 10-4
bastion hosts, types, 10-4
beacon, 5-4
BIND, 7-18
biometric authentication strategies, 2-14
biometrics, 8-16
Blowfish, 3-7
botnet, 4-4, 4-43
bots, 4-4, 4-43
breaches, determining scope of, 12-5
British Standard 7799, 1-14
broadcast domain, 5-24
brute-force attack, 4-3, 4-4
BSSID, 5-7
buffer overflow, 4-7, 4-20, 8-13
caching, 9-24
Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), 1-14
CAPTCHA, 4-44
categorizing resources and needs, 8-4
CD-R and CD-RW drives, securing, 8-17
cell, wireless, 5-7
CERT, 1-6
certificates, 9-35
CGI, 8-7
changing default settings, 8-5
choke point, creating, 9-4
choke router, 9-9
circuit-level proxy, 9-6
cleartext transmission, 5-10
click fraud, 4-44
clients, securing, 4-20
Common Criteria (CC), 1-14
common firewall designs, 10-7
Common Gateway Interface (CGI), 8-7
common security principles, 6-3
Computer Emergency Response Team (CERT), 1-6, 12-6
configuring proxy servers, 9-22
connection hijacking, 4-40
connection termination, 4-38
controlling application, 4-24
coordinating methods and techniques, 8-5
cross-frame browsing, 4-21
CSMA/CA, 5-5
CTCPEC, 1-14
data, 7-5
data at rest, 5-32
data confidentiality, 1-12, 2-10
data encapsulation, 7-5
Data Encryption Standard (DES), 3-5
data integrity, 1-13, 2-10
DDOS attack, 4-3, 4-24
demilitarized zone (DMZ), 9-10
denial-of-service (DOS) attack, 4-3, 4-21
DES, 3-5
dictionary attack, 4-3, 4-4
dictionary program, 3-5
Diffie-Hellman, 3-12
digital certificate, 9-34
Digital Signature Algorithm (DSA), 3-12
Direct Sequence Spread Spectrum (DSSS), 5-4
diskettes, securing, 8-17
distributed denial-of-service (DDOS) attack, 4-3, 4-24
DNS poisoning, 4-41
DNS Security Extensions (DNSSEC), 7-18
DNS spoofing, 4-32
DNSSEC, 7-18
Domain Name System (DNS), 7-18
DOS and DDOS, diagnosing, 4-26
DOS attack, 4-3, 4-21
downloader program, 4-44
DSSS, 5-4
dummy accounts, 11-4
dummy files, 11-5
EAP, 5-13
education standards for employees, defining, 2-8
e-mail and virus scanning, 8-14
e-mail, encrypting, 3-15
Encapsulating Security Payload (ESP), 9-32
encapsulation, of data, 7-5
encryption, 2-9
encryption strength, 2-10
encryption, reasons to use, 3-3
end point, 5-3
end-user resources, 1-9
enforcing security policy companywide, 6-5
environment, controlling, 8-18
equipment placement, 6-7
European Information Technology Security Evaluation Criteria (ITSEC), 1-14
execute permission, 2-19
execution control list (ECL), 2-22
Extensible Authentication Protocol (EAP), 5-13
face recognition, 2-14
fake e-mail, 4-18
Faraday cage, 8-17
FHSS, 5-4
File Transfer Protocol (FTP), 7-14
fingerprints, 2-14
fire detection and suppression, 8-18
firewall configuration defaults, 9-10
firewall, definition and description, 9-3
firewall, designing a, 10-3
firewall, role of, 9-3
firewall-to-firewall VPN, 9-30
flooding techniques, 4-22
Fraggle attack, 4-25, 4-26
fragmented ICMP packets, 4-36
frame, 7-5
frame spoofing, 4-21
Frequency Hopping Spread Spectrum (FHSS), 5-4
FTP server, 8-9
gateway, 4-25
GirlFriend, 4-13
Gnu Privacy Guard (GPG), 3-17
Gramm-Leach-Bliley Act (GLBA), 1-14
hacker, 1-3
hacker statistics, 1-6
hackers, deterring, 11-10
hackers, distracting, 11-4
hackers, types, 1-10
hand geometry, 2-14
hard drives, securing, 8-17
hardware, firewall, 10-5
hash encryption, 2-9, 3-12
Health Insurance Portability and Accountability Act (HIPAA), 1-14
hexadecimal, 8-3
hijacking, 4-39, 4-40
HIPAA, 1-14
hop, 5-4
host association, wireless, 5-8
HTTP, 7-16
Hypertext Transfer Protocol (HTTP), 7-16
ICMP packets, fragmented, 4-36
IDEA, 3-7
IEEE 802.11 (WiFi), 5-4
IEEE 802.11a, 5-5
IEEE 802.11e, 5-5
IEEE 802.11g, 5-5
IEEE 802.11h, 5-5
IEEE 802.11i, 5-5
IEEE 802.1x, 5-14
illicit server, 1-4, 4-13
illicit servers, 4-13
illicit service, 4-24
IM, 5-31
implementing security, 8-4
incident documentation, 12-4
incident response policy, 12-3
incidents, analyzing, 12-8
indiscriminate link-clicking, 5-34
industrial espionage, 1-11
information leakage, 4-33, 4-46
Information Technology Security Evaluation Criteria (ITSEC), 1-14
information-storage resources, 1-9
infrastructure mode, wireless, 5-6
instant messaging (IM), 5-31
integrated security strategy, 6-6
International Data Encryption Algorithm (IDEA), 3-7
Internet Control Message Protocol (ICMP), 7-9
Internet Protocol (IP), 7-8
Internet Protocol Security (IPsec), 9-32
Internet Protocol version 4 (IPv4), 8-3
Internet Protocol version 6 (IPv6), 8-3
Internet Services Application Programming Interface (ISAPI), 8-6
Internet Worm, 8-12
IP, 7-8
IP spoofing, 4-32
ipchains command, 9-18
iptables command, 9-18
IPv4, 8-3
IPv6, 4-32, 8-3
iris scan, 2-14
ISAPI, 8-6
ISO 7498-2 Security Architecture document, 1-12
ITSEC, 1-14
jails, 11-9
John the Ripper, 4-5
Kerberos, 2-16
kernel, 9-18
L2TP, 9-33
Land attack, 4-23
Layer 2 Tunneling Protocol (L2TP), 9-33
leakage, information, 4-33, 4-46
limiting network host exposure, 9-4
link layer, TCP/IP stack, 7-7
log analysis tools, 8-20
log files, 4-46
logging and evaluating, 8-4
logging Internet activity by firewall, 9-4
logic bomb, 4-13
login scripts, 11-3
MAC address filtering, 5-11
malformed packets, 4-23
malware, 4-3, 4-8
man-in-the-middle attack, 4-4, 4-38, 4-42, 9-33
MARS, 3-7
masquerade attack, 4-3, 4-32
masquerading, 9-7
master, 4-24
MD5sum, 3-14
mechanisms, security, 1-13
Melissa virus, 8-13
mobile phones, 5-3
modes, wireless, 5-6
myth of complete security, 1-7
naming convention, 8.3, 5-32
NetBus, 4-13
NetStumbler, 5-17
network access layer, TCP/IP stack, 7-7
Network Address Translation (NAT), 9-7
network analyzer, 7-23
network appliance, 9-9
network attacks, types of, 4-3
network latency, 6-8
Network Mapper (Nmap), 4-34
network perimeter, 1-4
network resources, 1-9
network scanner, 8-20
network switches, 4-39
network/Internet layer, TCP/IP stack, 7-8
Nmap, 4-34
non-repudiation, 1-13, 2-10
notifying affected individuals, 12-5
notifying authorities, 12-6
notifying Internet agencies, 12-6
object, 2-19
OFDM, 5-4
one-time passwords (OTPs), 2-18
one-way encryption, 3-12
open network, 1-3
Open System Authentication (OSA), 5-7
Open Systems Interconnection reference model (OSI/RM), 7-3
operating system add-ons, 8-20
operating system hardening, 9-9
Orange Book, 1-13
Orthogonal Frequency Division Multiplexing (OFDM), 5-4
OSI Reference Model, 7-6
OSI/RM, 7-3
OSI/RM layers, 7-3
outside router, 9-9
P2P, 5-31
packet, 2-8, 7-5
packet filter, 9-5
packet filter advantages, 9-13
packet filter drawbacks, 9-13
packet filter rules, creating, 9-11
packet filtering, 2-8
packet insertion, 4-39
packet sniffing, 4-39, 4-40
packet traces, 11-9
packet-filtering products, 9-14
packetization, 7-5
parallelization, 3-3
passive FTP, 7-15
password database, 4-45
password sniffing, 3-5, 4-38
PBX, 5-23
peer-to-peer (P2P), 5-31
Perfect Forward Secrecy (PFS), 9-33
permissions, 2-19
physical denial-of-service attack, 4-24
physical line trace, 11-9
physical security, 6-8
physical vulnerabilities, 8-15, 8-16
Ping of Death, 4-23
Point-to-Point Tunneling Protocol (PPTP), 9-33
poisoning, 4-39
poisoning, DNS and ARP cache, 4-41
policy administrators, determining, 2-8
polymorphic virus, 4-9
ports, 7-13
Pretty Good Privacy (PGP), 3-17
Private Branch Exchange (PBX), 5-23
profiling, protecting against, 8-5
protecting services, 8-5
protecting TCP/IP services, 8-6
protocol analyzer, 7-23
proxy server, 9-5, 10-7
proxy-oriented firewall, 9-23
Public Key Infrastructure (PKI), 9-34
publishing security policy, 8-4
radio waves, 5-3
RADIUS models, 5-14
read permission, 2-19
Remote Authentication Dial-In User Service (RADIUS), 5-14
removable media, securing, 8-17
removing unnecessary services, 8-5
replay attack, 4-39
resources to protect, 1-8
resources, prioritizing, 2-6
response plan, executing, 12-5
retinal scan, 2-14
retro virus, 4-9
Rijndael, 3-8
risk factors, assigning, 2-6
rogue VPN servers, 9-34
root kit, 4-11
rounds, 3-3
RSA Security Corporation, 3-6
scanning attack, 4-3, 4-33
scanning systems, 4-46
scans, long-term, 4-35
scraper, site, 4-44
screened host firewall, 10-8
screened subnet filter, 10-10
screening router, 9-9, 10-7
Secure Hash Algorithm (SHA), 3-14
Secure HTTP (SHTTP), 3-15, 3-29
Secure MIME (S-MIME), 3-28
Secure Sockets Layer (SSL), 3-29
securing IIS, 8-8
securing resources and services, 8-4
security business issues, identifying, 6-7
security concepts and mechanisms, 2-3
security matrix, 1-8
security measures to apply to resources, defining, 2-8
security policy, 2-3
security policy, implementation by firewall, 9-4
security policy, need for, 6-4
security testing software, 8-19
security training, 6-5
security, defined, 1-4
segment, 7-5
sequence prediction, 4-34
Serpent, 3-8
server resources, 1-9
Service Set Identifier (SSID), 5-4, 5-7
services, security, 1-12
session killing, 4-38
SHA, 3-14
Shared Key Authentication (SKA), 5-7
shielding methods, 8-17
SHTTP, 3-29
signature database, 4-15
signing, 3-13
Simple Mail Transfer Protocol (SMTP), 8-12
Simple Network Management Protocol (SNMP), 7-17
site scraper, 4-44
site survey, 5-15
Skipjack, 3-7
smart card readers, securing, 8-17
smart cards, 2-12
SMTP, 8-12
Smurf attack, 4-25
sniffers, 11-10
sniffing, 4-20
social engineering, 4-3, 4-17
spam, 4-44, 8-14
specialized accounts, 8-6
spoofing, 4-3, 4-32
spoofing, MAC address, 5-12
spread spectrum, 5-4
spyware, 4-44
SQL injection, 4-4, 4-44
SSID, 5-4, 5-7
SSL, 3-29
Stacheldracht, 4-25
stack fingerprinting, 4-33
standards, security, 1-12
standards, wireless, 5-4
stateful multi-layer inspection, 9-14
stopping or containing activity, 12-5
SubSeven, 4-13
surveillance methods, 6-9
switches, network, 4-39
symmetric encryption, 2-9
symmetric-key encryption, 3-4
SYN, 7-11
SYN flood, 4-21
SYN flood attack, 7-12
System Administration, Networking, and Security (SANS) Institute, 1-7
system bug, 4-3, 4-7
system scanning, 4-45, 4-46
system snooping, 1-9
systems, classifying, 2-4
T0rn root kit, 4-12
tape drives, securing, 8-17
target, 4-25
TCP, 7-10
TCP handshake, 7-10
TCP/IP, 1-9
TCP/IP protocol stack, 7-3, 7-6
TCP/IP security, 7-3
TCSEC, 1-13
Teardrop attacks, 4-23
Telnet, 7-16
TEMPEST, 8-17
Temporal Key Integrity Protocol (TKIP), 5-13
testing and evaluating, 8-19
ticket, 2-17
ticket-granting ticket (TGT), 2-17
TKIP, 5-13
TLS, 3-29
topologies, network, 7-7
tradeoffs and drawbacks, 2-28
Transient Electromagnetic Pulse Emanation Standard (TEMPEST), 8-17
Transmission Control Protocol (TCP), 7-10
Transmission Control Protocol/Internet Protocol (TCP/IP), 1-9
Transport Layer Security (TLS), 3-29
transport layer, TCP/IP stack, 7-10
Tribe Flood Network (TFN), 4-25
Triple DES, 3-6
tripwire scripts, 11-5
trojan, 1-4, 4-11
trust relationships, creating, 3-3
Trusted Computer Systems Evaluation Criteria (TCSEC), 1-13
trusted users, 5-33
tunneling protocol, 9-31
Twofish, 3-7
Type of Service (ToS), 9-4
User Datagram Protocol (UDP), 7-12
vascular patterns, 2-14
virtual LAN (VLAN), 5-24
virtual network perimeter, 9-31
virtual private network (VPN), 3-15, 9-30
virus, 4-9
VLAN, 5-24
VLAN hopping, 5-25
Voice over IP (VoIP) devices, 5-24
voice recognition, 2-14
VoIP, 5-24
VPN, 3-15, 9-30
WAP, 5-9
war driving, 5-10
war driving/war walking, 5-16
weak encryption, 5-10
Web graffiti, 1-11
well-known ports and services, 7-13, 7-14
WEP, 5-11
WiFi, 5-4
WiFi Protected Access (WPA), 5-13
Wired Equivalent Privacy (WEP), 5-11
wireless access point (AP), 5-3, 5-6
wireless AP beacon, 5-8
Wireless Application Protocol (WAP), 5-9
wireless cells, securing, 8-16
wireless Ethernet elements, 5-3
Wireless Fidelity (WiFi), 5-3
wireless languages, 5-9
Wireless Markup Language (WML), 5-9
wireless NIC, 5-3
wireless security issues, 5-10
wireless standards, 5-4
Wireless Transport Layer Security (WTLS), 5-9
wireless, authorized site survey, 5-15
wireless, unauthorized site surveys, 5-16
WML, 5-9
WMLScript, 5-9
workstation-to-server VPN, 9-30
workstation-to-workstation VPN, 9-30
worms, 4-10
WPA, 5-13
WPA2, 5-13
write permission, 2-19
WTLS, 5-9
WTLS, problems, 5-9
zero-day attack, 4-14
zombie, 4-25

Supplemental CD-ROM Contents
The Network Security and Firewalls supplemental CD-ROM contains the following files needed to complete
the course labs:
Ntwk_Sec_Fwalls_AC_Student_CD
Appendix Lab Files

. Appendix
Appendix_A.pdf
Appendix_B.pdf
Appendix_C.pdf
Appendix_D.pdf
Appendix_E.pdf
Appendix_F.pdf
Appendix_G.pdf
. Lab Files
Lesson 1
Lesson 2
Lesson 3
Lesson 4
Lesson 5
Lesson 6
Lesson 7
Lesson 9
Lesson 11
MailEnable
. Lab Files\Lesson 1
NetBus170.zip

. Lab Files\Lesson 2
lockup.html

. Lab Files\Lesson 3
AxCrypt-Setup.exe
gpg4win-1.1.3.exe

. Lab Files\Lesson 4
Ettercap
Nmap
packet_captures
WinPcap
john171w.zip
john_wordfile.txt
netflood.cpp
papasmurf-linux.c
passwd
shadow
syn_v1_5.zip
targa2.c
wireshark-setup-1.0.0.exe
. Lab Files\Lesson 5
kismet.dump
netstumbler1.ns1
netstumbler2.ns1
netstumbler3.ns1
netstumbler4.ns1
netstumblerinstaller_0_4_0.exe
wireshark-setup-1.0.0.exe
. Lab Files\Lesson 6
cd080802.zip

. Lab Files\Lesson 7
FileZilla_3.0.11_win32-setup.exe
telnet.pcap
wireshark-setup-1.0.0.exe
xampp-win32-1.6.6a-installer.exe
. Lab Files\Lesson 9
kerio-kwfWhql-6.5.1-5000-win32.exe

. Lab Files\Lesson 11
SECREP.BAT
tripwire-2.4.1.2-src.tar.bz2

. Lab Files\MailEnable
mailenablestandard.exe



By opening this package, you agree to be bound by the following agreement:
Some of the material on the accompanying CD-ROM may be copyrighted, in which case all rights
are reserved by the copyright holder. You are licensed to use the material copyrighted by the
publisher and its licensors on a single computer. You may copy and/or modify the CD-ROM
content as needed to use it on a single computer. Copying the CD-ROM and its content for any
other purpose is a violation of the United States copyright laws.
This CD-ROM and its content are provided as is, without warranty of any kind, either express or
implied, including but not limited to the implied warranties of merchantability and fitness for a
particular purpose. The publisher assumes no liability for alleged or actual damages arising
from the use of this CD-ROM (including but not limited to damages due to viruses).
www.CIW-certified.com

ISBN 1-59302-633-1 (ISBN-13 978-1-59302-633-2)