CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.


Transcript of CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Page 1:

CIT 016 Review for Final

Security+ Guide to Network Security Fundamentals, Second Edition

Page 2:

Defining Information Security

Three characteristics of information must be protected by information security:
Confidentiality
Integrity
Availability

Information security is achieved through a combination of three entities

Page 3:

Importance of Information Security

Information security is important to businesses:
Prevents data theft
Avoids the legal consequences of not securing information
Maintains productivity
Foils cyberterrorism
Thwarts identity theft

Page 4:

Preventing Data Theft

Theft of data is the single largest cause of financial loss due to a security breach
One of the most important objectives of information security is to protect important business and personal data from theft

Page 5:

Developing Attacker Profiles

Six categories:
Hackers
Crackers
Script kiddies
Spies
Employees
Cyberterrorists

Page 6:

Developing Attacker Profiles

Page 7:

Hackers

Person who uses advanced computer skills to attack computers, but not with malicious intent
Use their skills to expose security flaws
Know that breaking in to a system is illegal but do not intend to commit a crime
“Hacker code of ethics”: the target should have had better security

Page 8:

Crackers

Person who violates system security with malicious intent
Have advanced knowledge of computers and networks and the skills to exploit them
Destroy data, deny service to legitimate users, or otherwise cause serious problems on computers and networks

Page 9:

Script Kiddies

Break into computers to create damage
Not as skilled as crackers
Download automated hacking software from Web sites and use it to break into computers
Tend to be young computer users with large amounts of leisure time, which they can use to attack systems

Page 10:

Spies

Person hired to break into a computer and steal information
Do not randomly search for unsecured computers to attack
Hired to attack a specific computer that contains sensitive information
Possess excellent computer skills
Could also use social engineering to gain access to a system
Financially motivated

Page 11:

Employees

One of the largest information security threats to business
Employees break into their company’s computer for these reasons:
To show the company a weakness in its security
Being overlooked, revenge
For money
The inside of the network is often vulnerable because the security focus is at the perimeter
An unskilled user could inadvertently launch a virus, worm, or spyware

Page 12:

Cyberterrorists

Experts fear terrorists will attack the network and computer infrastructure to cause panic
Cyberterrorists’ motivation may be defined as ideology, or attacking for the sake of their principles or beliefs
Targets that are high on the cyberterrorists’ list are:
Infrastructure outages
The Internet itself

Page 13:

Cyberterrorists (continued)

Three goals of a cyberattack:
Deface electronic information to spread disinformation and propaganda
Deny service to legitimate computer users
Commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data

Page 14:

Understanding Security Principles

Ways information can be attacked:
Crackers can launch distributed denial-of-service (DDoS) attacks through the Internet
Spies can use social engineering
Employees can guess other users’ passwords
Hackers can create back doors

Protecting against the wide range of attacks calls for a wide range of defense mechanisms

Page 15:

Layering

A layered security approach has the advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks
Information security likewise must be created in layers
All the security layers must be properly coordinated to be effective

Page 16:

Layering (continued)

Page 17:

Limiting

Limiting access to information reduces the threat against it
Only those who must use data should have access to it
Access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server)
The amount of access granted to someone should be limited to what that person needs to know or do

Page 18:

Limiting (continued)

Page 19:

Diversity

Diversity is closely related to layering
You should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all other layers
Using diverse layers of defense means that breaching one security layer does not compromise the whole system
Not just perimeter security
Possibly using different vendors
Increased administrative overhead

Page 20:

Diversity (continued)

You can set a firewall to filter a specific type of traffic, such as all inbound traffic, and a second firewall on the same system to filter another traffic type, such as outbound traffic
Use application layer filtering by a Linux box before traffic hits the firewall
Use one device as the firewall and a different device as the spam filter
Using firewalls produced by different vendors creates even greater diversity
This could add some complexity

Page 21:

Obscurity

Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from the outside difficult
Network Address Translation
Port Address Translation
Internal ports different from external: external port 80, internal port 8080

Page 22:

Simplicity

Complex security systems can be difficult to understand, troubleshoot, and feel secure about
The challenge is to make the system simple from the inside but complex from the outside

Page 23:

Using Effective Authentication Methods

Information security rests on three key pillars:
Authentication
Access control (Authorization)
Auditing (Accounting)

Also known as AAA

Page 24:

Effective Authentication Methods

Authentication: process of providing identity
Can be classified into three main categories: what you know, what you have, what you are
Most common method: providing a user with a unique username and a secret password
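The three AAA pillars from Page 23 and the limiting principle from Page 17 in one small Python model, added here as an example (it is not code from the slides or the textbook): a user proves identity with a salted, iterated password hash (something you know), a deny-by-default authorization table grants each subject only the operations it needs on each object, and every decision is written to an audit trail. The users, passwords, objects and permissions are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed example data: no real users or passwords.
_users = {}        # username -> (salt, PBKDF2 hash); passwords are never stored in the clear
_audit_log = []    # accounting trail: one record per authentication or authorization decision
_ITERATIONS = 100_000
_DUMMY = (b"\x00" * 16, b"\x00" * 32)   # used for unknown users so the work done matches a real lookup

def _record(event, **fields):
    _audit_log.append({"event": event, "ts": datetime.now(timezone.utc).isoformat(), **fields})

# --- Authentication: "what you know" ------------------------------------------
def register(username, password):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    _users[username] = (salt, digest)

def authenticate(username, password):
    """True only when the password matches the stored salted hash."""
    salt, stored = _users.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    ok = hmac.compare_digest(candidate, stored) and username in _users
    _record("authentication", user=username, ok=ok)
    return ok

# --- Authorization (access control): limiting, deny by default -------------------
# subject -> object -> the operations that subject actually needs
_permissions = {
    "alice": {"payroll.db": {"read", "write"}, "webserver": {"read"}},
    "bob":   {"webserver": {"read", "write"}},
}

def authorize(subject, obj, operation):
    allowed = operation in _permissions.get(subject, {}).get(obj, set())
    _record("authorization", user=subject, object=obj, op=operation, ok=allowed)
    return allowed

# --- Auditing (accounting) ---------------------------------------------------------
def denied_events():
    """Every denied decision: the records an auditor reviews first."""
    return [e for e in _audit_log if not e["ok"]]

def demo():
    _users.clear()
    _audit_log.clear()
    register("alice", "correct horse battery staple")
    register("bob", "hunter2")
    results = {
        "alice_login": authenticate("alice", "correct horse battery staple"),
        "alice_wrong_password": authenticate("alice", "wrong"),
        "unknown_user": authenticate("mallory", "anything"),
        "bob_reads_payroll": authorize("bob", "payroll.db", "read"),
        "alice_writes_payroll": authorize("alice", "payroll.db", "write"),
    }
    results["denied_count"] = len(denied_events())
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Unknown users and wrong passwords take the same code path and produce the same audit record shape, and bob's attempt to read the payroll database is refused because nothing in the table says he needs it, which is exactly the "need to know or do" rule from the Limiting slide.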

Page 25:

Username and Password

ID management: a user’s single authenticated ID is shared across multiple networks or online businesses
Attempts to address the problem of users having individual usernames and passwords for each account (and thus resorting to simple passwords that are easy to remember)
Can be for users and for computers that share data

Page 26:

Disabling Nonessential Systems

The first step in establishing a defense against computer attacks is to turn off all nonessential services
Disabling services that are not necessary restricts what attackers can use, reducing the attack surface

Page 27:

Disabling Nonessential Systems

A service can be set to one of the following modes:
Automatic
Manual
Disabled

Besides preventing attackers from attaching malicious code to services, disabling nonessential services blocks entries into the system
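A practitioner's check for Pages 26 and 27, added as an example rather than taken from the slides: parse a listening-socket inventory, separate the services reachable from the network from those bound to loopback only, and list which of the exposed ones are not on this host's essential list and should therefore be set to Disabled. The `netstat`-style sample text, the PIDs and the `ESSENTIAL` set are constructed for the example.

```python
# Constructed listening-socket inventory in the shape of `netstat -tulpn` output on Linux;
# no real host was queried and the PIDs are made up.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      815/in.telnetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1002/nginx
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/rpcbind
udp        0      0 0.0.0.0:161             0.0.0.0:*                           700/snmpd
"""

# Services this particular host exists to provide (an assumption made for the example).
ESSENTIAL = {"sshd", "nginx"}

def parse_listeners(text):
    """Yield (proto, bind_address, port, program) for every listening socket in the sample."""
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[3]
        program = fields[-1].split("/", 1)[-1]   # "812/sshd" -> "sshd"; UDP rows have no State column
        addr, port = local.rsplit(":", 1)
        yield proto, addr, int(port), program

def attack_surface_report(text, essential):
    """Classify listeners: reachable from the network, loopback-only, and the ones to set Disabled."""
    exposed, local_only = [], []
    for proto, addr, port, program in parse_listeners(text):
        entry = (proto, port, program)
        (local_only if addr.startswith("127.") or addr == "::1" else exposed).append(entry)
    to_disable = sorted({prog for _, _, prog in exposed if prog not in essential})
    recommended_mode = {prog: ("Automatic" if prog in essential else "Disabled")
                        for _, _, prog in exposed}
    return {"exposed": exposed, "local_only": local_only,
            "disable": to_disable, "mode": recommended_mode}

if __name__ == "__main__":
    report = attack_surface_report(NETSTAT_SAMPLE, ESSENTIAL)
    print("set to Disabled:", ", ".join(report["disable"]))
```

On the sample, the mail daemon bound to 127.0.0.1 is not part of the network-facing attack surface, while telnet, rpcbind and SNMP are exposed and not essential, so they are the entries the slide tells you to close.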

Page 28:

Hardening Operating Systems

Hardening: process of reducing vulnerabilities
A hardened system is configured and updated to protect against attacks
Three broad categories of items should be hardened:
Operating systems
Applications that the operating system runs
Networks

Page 29:

Hardening Operating Systems

You can harden the operating system that runs on the local client or the network operating system (NOS) that manages and controls the network, such as Windows Server 2003 or Novell NetWare

Page 30:

Applying Updates

Operating systems are intended to be dynamic
As users’ needs change, new hardware is introduced, and more sophisticated attacks are unleashed, operating systems must be updated on a regular basis
However, vendors release a new version of an operating system only every two to four years
Vendors use certain terms to refer to the different types of updates

Page 31:

Applying Updates (continued)

A service pack (a cumulative set of updates including fixes for problems that have not been made available through updates) provides the broadest and most complete update
A hotfix does not typically address security issues; instead, it corrects a specific software problem

Page 32:

Applying Updates (continued)

Page 33:

Applying Updates (continued)

A patch or software update fixes a security flaw or other problem
May be released on a regular or irregular basis, depending on the vendor or support team
A good patch management system should:
Design patches to update groups of computers
Include a reporting system
Download patches from the Internet
Distribute patches to other computers

Page 34:

Securing the File System

Another means of hardening an operating system is to restrict user access
Generally, users can be assigned permissions to access folders (also called directories in DOS and UNIX/Linux) and the files contained within them

Page 35:

Firmware Updates

RAM is volatile: interrupting the power source causes RAM to lose its entire contents
Read-only memory (ROM) is different from RAM in two ways:
Contents of ROM are fixed
ROM is nonvolatile: disabling the power source does not erase its contents

Page 36:

Firmware Updates (continued)

ROM, Erasable Programmable Read-Only Memory (EPROM), and Electrically Erasable Programmable Read-Only Memory (EEPROM) are firmware (flash)
To erase an EPROM chip, hold the chip under ultraviolet light so the light passes through its crystal window
The contents of EEPROM chips can also be erased using electrical signals applied to specific pins

Page 37:

Firmware Updates (continued)

To update a network device, copy a new version of the OS software to the flash memory of the device
This can be done via a TFTP server or a compact flash reader/writer:
Router# copy tftp flash:
Keeping the firmware updated ensures the device is not vulnerable to bugs in the OS that can be exploited

Page 38:

Network Configuration

You must properly configure network equipment to resist attacks
The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network
In addition to making sure the perimeter is secure, make sure the device itself is secure by using strong passwords and encrypted connections: SSH instead of Telnet, and console and vty passwords
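The device-hardening items on Page 38 (SSH instead of Telnet, console and vty passwords) turned into an automated check, added here as an example and not part of the slides: a small parser splits a Cisco IOS-style running-config into its `line` blocks and reports any block that allows Telnet, requires login without a password, or leaves the enable password unhashed. The two configurations are constructed for the example; the hostnames, passwords and hash strings are placeholders, not values from a real device.

```python
# Constructed Cisco IOS-style configurations. Hostnames, passwords and the secret hash are
# placeholders invented for the example, not taken from any real device.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
!
line con 0
 login
!
line vty 0 4
 password letmein
 login
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 <HASH-PLACEHOLDER>
!
line con 0
 password 7 <TYPE7-PLACEHOLDER>
 login
!
line vty 0 4
 login local
 transport input ssh
!
"""

def parse_blocks(config):
    """Split a running-config into top-level lines and the indented lines under each `line ...` block."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # `!` or any other top-level line ends the block
            top.append(raw.strip())
    return top, blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top, blocks = parse_blocks(config)
    if not any(l.startswith("enable secret") for l in top):
        note = " (enable password in use)" if any(l.startswith("enable password") for l in top) else ""
        findings.append("enable secret missing" + note)
    if "service password-encryption" not in top:
        findings.append("service password-encryption missing")
    for name, lines in blocks.items():
        has_login = any(l == "login" or l.startswith("login ") for l in lines)
        has_password = any(l.startswith("password") for l in lines)
        if not has_login:
            findings.append(f"{name}: no login required")
        elif "login local" not in lines and not has_password:
            findings.append(f"{name}: login without a password")
        if name.startswith("line vty"):
            transports = [p for l in lines if l.startswith("transport input") for p in l.split()[2:]]
            if not transports:
                findings.append(f"{name}: transport input not restricted to ssh")
            elif any(p != "ssh" for p in transports):
                extra = ", ".join(p for p in transports if p != "ssh")
                findings.append(f"{name}: transport input allows {extra}")
    return findings

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The checks deliberately stop at what the config text shows: the hardened version passes because every management path is SSH-only, every line requires a password or local login, and the enable credential is a hashed secret, which is the state the slide asks for.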

Page 39:

Configuring Packet Filtering

The User Datagram Protocol (UDP) provides for connectionless TCP/IP transfer
TCP and UDP are based on port numbers
Socket: combination of an IP address and a port number
The IP address is separated from the port number by a colon, as in 198.146.118.20:80

Page 40:

Network Configuration

Rule base or access control list (ACL): rules a network device uses to permit or deny a packet (not to be confused with the ACLs used in securing a file system)
Rules are composed of several settings (listed on pages 122 and 123 of the text)
Observe the basic guidelines on page 124 of the text when creating rules

Page 41:

Network Cable Plant

Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
Three types of transmission media:
Coaxial cables
Twisted-pair cables
Fiber-optic cables

Page 42:

Twisted-Pair Cables

Standard for copper cabling used in computer networks today, replacing thin coaxial cable
Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket

Page 43:

Twisted-Pair Cables (continued)

Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
Unshielded twisted-pair (UTP) cables do not have any shielding
Twisted-pair cables have RJ-45 connectors

Page 44:

Fiber-Optic Cables

Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
Fiber-optic cable uses a very thin cylinder of glass (the core) at its center instead of copper, which transmits light impulses
A glass tube (the cladding) surrounds the core
The core and cladding are protected by a jacket

Page 45:

Hardening Standard Network Devices

A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
This equipment has basic security features that you can use to harden the devices

Page 46:

Switches and Routers

Switch
Most commonly used in Ethernet LANs
Receives a packet from one network device and sends it to the destination device only
Limits the collision domain (the part of the network on which multiple devices may attempt to send packets simultaneously)
A switch is used within a single network
Routers connect two or more single networks to form a larger network

Page 47:

Hardening Network Security Devices

The final category of network devices includes those designed and used strictly to protect the network
Include:
Firewalls
Intrusion-detection systems
Network monitoring and diagnostic devices

Page 48:

Firewalls

Typically used to filter packets
Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)
Typically located outside the network security perimeter as the first line of defense
Can be software or hardware configurations

Page 49:

Firewalls (continued)

A software firewall runs as a program on a local computer (sometimes known as a personal firewall)
Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer
One disadvantage is that a software firewall is only as strong as the operating system of the computer

Page 50:

Firewalls (continued)

Filter packets in one of two ways:
Stateless packet filtering: permits or denies each packet based strictly on the rule base
Stateful packet filtering: records the state of a connection between an internal computer and an external server; makes decisions based on the connection and the rule base
Can perform content filtering to block access to undesirable Web sites
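An added Python example (not from the slides or the textbook) covering the socket notation and rule base of Pages 39 and 40 and the stateless-versus-stateful distinction of Page 50: a first-match rule base with an implicit deny, a stateless filter that judges each packet on the rule base alone, and a stateful filter that records the connection it permitted and lets the reply through. The `Packet`, `Rule` and `StatefulFilter` names, the rule base and the three sample packets are constructed for the example; the socket `198.146.118.20:80` is the one on the slide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

def parse_socket(sock):
    """'198.146.118.20:80' -> (IPv4Address, 80): the socket notation from the slide."""
    host, port = sock.rsplit(":", 1)
    return ip_address(host), int(port)

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # "ip:port"
    dst: str     # "ip:port"

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src_net: str                     # CIDR
    dst_net: str                     # CIDR
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt):
        sip, _ = parse_socket(pkt.src)
        dip, dport = parse_socket(pkt.dst)
        return (self.proto in ("any", pkt.proto)
                and sip in ip_network(self.src_net)
                and dip in ip_network(self.dst_net)
                and self.dst_port in (None, dport))

def stateless_filter(rules, pkt):
    """Every packet judged on the rule base alone; first match wins, implicit deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

class StatefulFilter:
    """Remembers the connections it has permitted and lets their return traffic through."""
    def __init__(self, rules):
        self.rules = rules
        self.connections = set()    # (proto, client socket, server socket)

    def filter(self, pkt):
        forward = (pkt.proto, pkt.src, pkt.dst)
        reverse = (pkt.proto, pkt.dst, pkt.src)
        if forward in self.connections or reverse in self.connections:
            return "permit"                   # part of a connection already admitted
        if stateless_filter(self.rules, pkt) == "permit":
            self.connections.add(forward)     # record the new connection's state
            return "permit"
        return "deny"

# Constructed rule base: inside hosts may open web connections; everything else is denied.
INSIDE = "192.168.1.0/24"
RULES = [
    Rule("permit", "tcp", INSIDE, "0.0.0.0/0", 80),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]

def demo():
    request = Packet("tcp", "192.168.1.10:51000", "198.146.118.20:80")   # inside host opens a web connection
    reply = Packet("tcp", "198.146.118.20:80", "192.168.1.10:51000")     # the server's answer
    unsolicited = Packet("tcp", "198.146.118.20:80", "192.168.1.10:22")  # nobody inside asked for this
    stateful = StatefulFilter(RULES)
    return {
        "stateless": [stateless_filter(RULES, p) for p in (request, reply, unsolicited)],
        "stateful": [stateful.filter(p) for p in (request, reply, unsolicited)],
    }

if __name__ == "__main__":
    print(demo())
```

The stateless filter drops the server's reply because no rule permits traffic from the outside, so to make the web connection work it would need an extra inbound rule for high ports, which also admits unsolicited packets to those ports. The stateful filter needs no such rule: the reply is accepted because the outbound request created the connection state, and the unsolicited packet is still denied.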

Page 51:

Designing Network Topologies

Topology: physical layout of the network devices, how they are interconnected, and how they communicate
Essential to establishing the network’s security
Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users

Page 52:

Security Zones

One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
Demilitarized Zones (DMZs)
Intranets
Extranets

Page 53:

Demilitarized Zones (DMZs)

Separate networks that sit outside the secure network perimeter
Outside users can access the DMZ, but cannot enter the secure network
For extra security, some networks use a DMZ with two firewalls
The types of servers that should be located in the DMZ include:
Web servers
E-mail servers
Remote access servers
FTP servers

Page 54:

Network Address Translation (NAT)

“You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems
Hides the IP addresses of network devices from attackers
Computers are assigned special IP addresses (known as private addresses)

Page 55:

Network Address Translation (NAT)

These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
Port address translation (PAT) is a variation of NAT
Each packet is given the same IP address, but a different TCP port number
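A worked PAT gateway, added as an example (not code from the slides), serving both Pages 54 and 55 and the obscurity point on Page 21: every inside host leaves through the same public address with its own public port, replies are mapped back by that port, a static forward exposes external port 80 while the service actually listens on internal 8080, and an inbound packet for a port with no mapping is simply dropped, which is the "you cannot attack what you do not see" idea. The `PatGateway` class, the addresses and the port pool starting at 40000 are constructed for the example; the private ranges are the RFC 1918 blocks.

```python
from ipaddress import ip_address, ip_network
from itertools import count

PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def parse_socket(sock):
    host, port = sock.rsplit(":", 1)
    return ip_address(host), int(port)

class PatGateway:
    """One public address shared by every inside host; each flow gets its own public port."""
    def __init__(self, public_ip, static_forwards=None, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)      # constructed port pool
        self.outbound = {}   # (inside ip, inside port) -> public port
        self.inbound = {}    # public port -> (inside ip, inside port)
        # Obscurity from Page 21: external port 80 maps to an internal service on 8080
        for public_port, inside in (static_forwards or {}).items():
            self.inbound[public_port] = inside
            self.outbound[inside] = public_port

    def translate_outbound(self, src, dst):
        """Rewrite a packet leaving the private network; returns the (src, dst) seen on the Internet."""
        sip, sport = parse_socket(src)
        if not any(sip in net for net in PRIVATE_NETS):
            raise ValueError(f"{sip} is not a private address")
        inside = (str(sip), sport)
        if inside not in self.outbound:
            port = next(self._ports)
            self.outbound[inside] = port
            self.inbound[port] = inside
        return f"{self.public_ip}:{self.outbound[inside]}", dst

    def translate_inbound(self, src, dst):
        """Rewrite a packet arriving from the Internet. None means no mapping exists:
        the packet is dropped and the inside host stays invisible."""
        dip, dport = parse_socket(dst)
        if str(dip) != self.public_ip or dport not in self.inbound:
            return None
        inside_ip, inside_port = self.inbound[dport]
        return src, f"{inside_ip}:{inside_port}"

def demo():
    gw = PatGateway("203.0.113.1", static_forwards={80: ("192.168.1.20", 8080)})
    web = "198.146.118.20:80"
    out_a = gw.translate_outbound("192.168.1.10:51000", web)
    out_b = gw.translate_outbound("192.168.1.11:51000", web)   # same inside port, different host
    return {
        "host_a_as_seen_outside": out_a[0],
        "host_b_as_seen_outside": out_b[0],
        "reply_to_a": gw.translate_inbound(web, out_a[0]),
        "public_port_80_to_internal": gw.translate_inbound("203.0.113.9:4444", "203.0.113.1:80"),
        "unsolicited_to_unmapped_port": gw.translate_inbound("203.0.113.9:4444", "203.0.113.1:22"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both inside hosts chose source port 51000, yet from the outside they are told apart only by the public ports the gateway handed out, and nothing on the Internet side ever sees 192.168.1.x.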

Page 56:

Virtual LANs (VLANs)

Segment a network with switches to divide the network into a hierarchy
Core switches reside at the top of the hierarchy and carry traffic between switches
Workgroup switches are connected directly to the devices on the network
Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches

Page 57:

Virtual LANs (VLANs)

Page 58:

Virtual LANs (VLANs)

Segment a network by grouping similar users together
Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)

Page 59:

Secure/MIME (S/MIME)

Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages
Provides these features:
Digital signatures
Message privacy
Tamper detection
Interoperability
Seamless integration

Page 60:

Pretty Good Privacy (PGP)

Functions much like S/MIME by encrypting messages and using digital signatures
A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
First compresses the message
Reduces patterns and enhances resistance to cryptanalysis
Creates a session key (a one-time-only secret key)
This key is a number generated from random movements of the mouse and keystrokes typed

Page 61:

Pretty Good Privacy (PGP)

Uses a passphrase to encrypt the private key on the local computer
Passphrase: a longer and more secure version of a password
Typically composed of multiple words
More secure against dictionary attacks

Page 62:

Pretty Good Privacy (PGP)

Page 63:

Securing Web Communications

The most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
One implementation is the Hypertext Transport Protocol over Secure Sockets Layer

Page 64:

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

SSL protocol developed by Netscape to securely transmit documents over the Internet
Uses a private key to encrypt data transferred over the SSL connection
Version 2.0 is the most widely supported version
Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL

Page 65:

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
An extension of SSL; they are often referred to as SSL/TLS
SSL/TLS protocol is made up of two layers

Page 66:

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
Has a cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems

Page 67:

Secure Hypertext Transport Protocol (HTTPS)

One common use of SSL is to secure Web HTTP communication between a browser and a Web server
This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL
Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it
Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely

Page 68:

Tunneling Protocols

Tunneling: technique of encapsulating one packet of data within another type to create a secure link of transportation

Page 69:

IEEE 802.1x

Based on a standard established by the Institute of Electrical and Electronics Engineers (IEEE)
Gaining widespread popularity
Provides an authentication framework for 802-based LANs (Ethernet, Token Ring, wireless LANs)
Uses port-based authentication mechanisms
Switch denies access to anyone other than an authorized user attempting to connect to the network through that port

Page 70:

IEEE 802.1x (continued)

A network supporting the 802.1x protocol consists of three elements:
Supplicant: client device, such as a desktop computer or personal digital assistant (PDA), which requires secure network access
Authenticator: serves as an intermediary device between supplicant and authentication server
Authentication server: receives the request from the supplicant through the authenticator

Page 71:

802.1x

802.1x is a standardized framework defined by the IEEE that is designed to provide port-based network access.
The 802.1x framework defines three roles in the authentication process:
1. Supplicant = endpoint that needs network access
2. Authenticator = switch or access point
3. Authentication Server = RADIUS, TACACS+, LDAP
The authentication process consists of exchanges of Extensible Authentication Protocol (EAP) messages between the supplicant and the authentication server.

Page 72:

802.1x Roles

Figure: Supplicant, Authenticator, Authentication Server
Microsoft Windows XP includes 802.1x supplicant support

Page 73:

Remote Authentication Dial-In User Service (RADIUS)

Originally defined to enable centralized authentication and access control for PPP sessions
Requests are forwarded to a single RADIUS server
Supports authentication, authorization, and auditing functions
After the connection is made, the RADIUS server adds an accounting record to its log and acknowledges the request
Allows a company to maintain user profiles in a central database that all remote servers can share
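The three 802.1x roles of Pages 69 to 72 and the RADIUS accounting behaviour of Page 73 as one runnable exchange, added here as an example and not taken from the slides: the authenticator keeps the port unauthorized, relays identity and challenge/response messages between supplicant and authentication server, and only opens the port on an Access-Accept, while the server writes one accounting record per request. The `Supplicant`, `Authenticator` and `AuthenticationServer` classes, the HMAC challenge-response (a stand-in for a real EAP method) and the users and MAC addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets

class AuthenticationServer:
    """RADIUS role: the only party that holds credentials and writes accounting records."""
    def __init__(self, users):
        self.users = users          # username -> password (constructed; a real server stores hashes)
        self.accounting = []        # one record per request, as the RADIUS slide describes

    def access_request(self, username, challenge, response):
        secret = self.users.get(username, "")
        expected = hmac.new(secret.encode(), challenge, hashlib.sha256).digest()
        accepted = username in self.users and hmac.compare_digest(expected, response)
        self.accounting.append(("Access-Accept" if accepted else "Access-Reject", username))
        return accepted

class Supplicant:
    """Client device that wants network access through a switch port."""
    def __init__(self, mac, username, password):
        self.mac, self.username, self.password = mac, username, password

    def identity(self):
        return self.username

    def respond(self, challenge):
        # Challenge-response stands in for a real EAP method: the password never crosses the wire
        return hmac.new(self.password.encode(), challenge, hashlib.sha256).digest()

class Authenticator:
    """Switch/AP role: relays EAP between supplicant and server, opens the port only on success."""
    def __init__(self, server):
        self.server = server
        self.port_state = {}        # supplicant MAC -> "unauthorized" | "authorized"
        self.transcript = []

    def eapol_start(self, supplicant):
        self.port_state[supplicant.mac] = "unauthorized"
        self.transcript.append("EAP-Request/Identity -> supplicant")
        identity = supplicant.identity()
        self.transcript.append(f"EAP-Response/Identity <- {identity}")
        challenge = secrets.token_bytes(16)
        self.transcript.append("EAP-Request (challenge) -> supplicant")
        response = supplicant.respond(challenge)
        self.transcript.append("EAP-Response <- supplicant, relayed to authentication server")
        ok = self.server.access_request(identity, challenge, response)
        self.transcript.append("EAP-Success" if ok else "EAP-Failure")
        self.port_state[supplicant.mac] = "authorized" if ok else "unauthorized"
        return ok

    def forward(self, mac):
        """Would an ordinary data frame from this MAC be switched onto the network?"""
        return self.port_state.get(mac) == "authorized"

def demo():
    server = AuthenticationServer({"alice": "correct horse battery staple"})
    switch = Authenticator(server)
    alice = Supplicant("00:11:22:33:44:55", "alice", "correct horse battery staple")
    wrong_pw = Supplicant("66:77:88:99:aa:bb", "alice", "guess")
    unknown = Supplicant("cc:dd:ee:ff:00:11", "carol", "whatever")
    before = switch.forward(alice.mac)          # port is closed until EAP completes
    return {
        "data_before_auth_forwarded": before,
        "alice_authenticated": switch.eapol_start(alice),
        "alice_data_forwarded": switch.forward(alice.mac),
        "wrong_password": switch.eapol_start(wrong_pw),
        "wrong_password_forwarded": switch.forward(wrong_pw.mac),
        "unknown_user": switch.eapol_start(unknown),
        "accounting": server.accounting,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The authenticator never learns the password; it only relays messages and acts on the server's verdict, which is why a compromised switch alone does not reveal user credentials, and why the accounting trail lives on the RADIUS server rather than on each switch.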

Page 74:

Terminal Access Controller Access Control System (TACACS+)

Industry standard protocol specification that forwards username and password information to a centralized server (TACACS)
Whereas communication between a NAS and a TACACS+ server is encrypted, communication between a client and a NAS is not
TACACS+ utilizes TCP port 49
It is a Cisco proprietary enhancement to the original TACACS protocol

Page 75:

IP Security (IPSec)

IPSec is a set of protocols developed to support the secure exchange of packets
Considered to be a transparent security protocol
Transparent to applications, users, and software
Provides three areas of protection that correspond to three IPSec protocols:
Authentication
Confidentiality
Key management

Page 76:

IP Security (IPSec) (continued)

Page 77:

IP Security (IPSec) (continued)

Supports two encryption modes:
Transport mode encrypts only the data portion (payload) of each packet, yet leaves the header unencrypted
Tunnel mode encrypts both the header and the data portion
IPSec accomplishes transport and tunnel modes by adding new headers to the IP packet
The entire original packet is then treated as the data portion of the new packet

Page 78:

IP Security (IPSec) (continued)

Page 79:

IP Security (IPSec) (continued)

Both Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used with transport or tunnel mode, creating four possible transport mechanisms:
AH in transport mode
AH in tunnel mode
ESP in transport mode
ESP in tunnel mode
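The encapsulation described on Pages 77 and 79 built byte by byte, as an added example that is not code from the slides: `protect` produces the on-wire packet for each of the four AH/ESP and transport/tunnel combinations, `unprotect` verifies the integrity check value and strips the headers, and `visible_endpoints` shows which addresses an observer on the Internet can read. The 9-byte header layout, the HMAC-SHA256 integrity check and the HMAC-derived keystream used for ESP confidentiality are constructed stand-ins chosen so the example runs on the standard library; they are not the real IPSec header formats or the ciphers a real implementation negotiates. Addresses and the key are made up.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address

AH, ESP, TCP = 51, 50, 6      # IP protocol numbers
HDR_LEN, TAG_LEN = 9, 32

def ip_header(src, dst, proto):
    """Constructed 9-byte stand-in for an IPv4 header: src, dst, protocol byte."""
    return ip_address(src).packed + ip_address(dst).packed + bytes([proto])

def parse_header(b):
    return str(ip_address(b[0:4])), str(ip_address(b[4:8])), b[8]

def icv(key, data):
    """Integrity check value, HMAC-SHA256 here."""
    return hmac.new(key, data, hashlib.sha256).digest()

def keystream_xor(key, data):
    """Toy confidentiality for the example: XOR with an HMAC-derived keystream. It stands in for
    the block cipher a real ESP implementation negotiates; it is not a proposal for one."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def protect(proto, mode, key, src, dst, payload, gw_src=None, gw_dst=None):
    """Return the on-wire packet for AH or ESP in transport or tunnel mode."""
    if mode == "tunnel":
        # The entire original packet becomes the data portion of a new packet between the gateways
        outer_src, outer_dst = gw_src, gw_dst
        data = ip_header(src, dst, TCP) + payload
    else:
        # Transport: the original header stays in front; only the payload is protected
        outer_src, outer_dst, data = src, dst, payload
    if proto == "ESP":
        body = keystream_xor(key, data)                 # confidentiality
        return ip_header(outer_src, outer_dst, ESP) + body + icv(key, body)
    hdr = ip_header(outer_src, outer_dst, AH)           # AH: integrity only, nothing hidden
    return hdr + icv(key, hdr + data) + data

def unprotect(proto, mode, key, wire):
    """Verify and strip; returns (src, dst, payload) of the original packet, or None if tampered."""
    hdr, rest = wire[:HDR_LEN], wire[HDR_LEN:]
    if proto == "AH":
        tag, data = rest[:TAG_LEN], rest[TAG_LEN:]
        if not hmac.compare_digest(tag, icv(key, hdr + data)):
            return None
    else:
        body, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
        if not hmac.compare_digest(tag, icv(key, body)):
            return None
        data = keystream_xor(key, body)
    if mode == "tunnel":
        src, dst, _ = parse_header(data[:HDR_LEN])
        return src, dst, data[HDR_LEN:]
    src, dst, _ = parse_header(hdr)
    return src, dst, data

def visible_endpoints(wire):
    """What an observer on the Internet reads from the outer header."""
    src, dst, _ = parse_header(wire[:HDR_LEN])
    return src, dst

def demo():
    key = b"constructed-example-key"
    host_a, host_b = "192.168.1.10", "192.168.2.20"
    gw_a, gw_b = "203.0.113.1", "198.51.100.1"
    result = {}
    for proto in ("AH", "ESP"):
        for mode in ("transport", "tunnel"):
            wire = protect(proto, mode, key, host_a, host_b, b"GET / HTTP/1.0", gw_a, gw_b)
            result[f"{proto} {mode}"] = visible_endpoints(wire)
    return result

if __name__ == "__main__":
    for combo, endpoints in demo().items():
        print(f"{combo}: outer header shows {endpoints[0]} -> {endpoints[1]}")
```

In transport mode the outer header is the original one, so the real hosts are visible in all cases; in tunnel mode only the two gateways appear and the original header travels inside the protected data, which is what the slide means by the original packet becoming the data portion of the new packet. AH hides nothing but detects any modification of header or data; ESP additionally hides the data.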

Page 80: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Virtual Private Networks (VPNs)

Takes advantage of using the public Internet as if it were a private network

Allow the public Internet to be used privately

Prior to VPNs, organizations were forced to lease expensive data connections from private carriers so employees could remotely connect to the organization’s network

Page 81: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Virtual Private Networks (VPNs)

Two common types of VPNs include: Remote-access VPN or virtual private dial-

up network (VPDN): user-to-LAN connection used by remote users

Site-to-site VPN: multiple sites can connect to other sites over the Internet

VPN transmissions achieved through communicating with endpoints An endpoint can be software on a local

computer, a dedicated hardware device such as a VPN concentrator, or even a firewall

Page 82: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Basic WLAN Security

Two areas: Basic WLAN security Enterprise WLAN security

Basic WLAN security uses two new wireless tools and one tool from the wired world: Service Set Identifier (SSID) beaconing MAC address filtering Wired Equivalent Privacy (WEP)

Page 83: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Service Set Identifier (SSID) Beaconing

A service set is a technical term used to describe a WLAN network

Three types of service sets: Independent Basic Service Set (IBSS) Basic Service Set (BSS) Extended Service Set (ESS)

Each WLAN is given a unique SSID

Page 84: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

MAC Address Filtering

Another way to harden a WLAN is to filter MAC addresses

The MAC address of approved wireless devices is entered on the AP

A MAC address can be spoofed

When a wireless device and AP first exchange packets, the MAC address of the wireless device is sent in plaintext, allowing an attacker with a sniffer to see the MAC address of an approved device

Page 85: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Wired Equivalent Privacy (WEP)

Optional configuration for WLANs that encrypts packets during transmission to prevent attackers from viewing their contents

Uses shared keys: the same key for encryption and decryption must be installed on the AP, as well as on each wireless device

A serious vulnerability in WEP is that the IV is not properly implemented

Every time a packet is encrypted it should be given a unique IV
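Added example (not from the textbook or slides) showing why the IV matters: a toy stream cipher in the WEP style, the effect of encrypting two packets under the same (key, IV), the birthday bound for a 24-bit IV space, and a defender-side monitor that flags IV reuse. The SHA-256 counter keystream is an assumption standing in for RC4; the sample key and packets are constructed.

```python
import hashlib
import math
import os

IV_BITS = 24  # WEP's IV is 24 bits (a known fact, not stated on this slide)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode keyed by (shared key || IV).
    It stands in for RC4; the property demonstrated holds for any stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> tuple:
    """Return (iv, ciphertext). The IV travels in the clear, as in WEP."""
    return iv, xor(plaintext, keystream(key, iv, len(plaintext)))


def wep_style_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return xor(ciphertext, keystream(key, iv, len(ciphertext)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two packets share (key, IV), the keystream cancels in C1 ^ C2, leaving
    P1 ^ P2: the two ciphertexts are no longer independent of each other.
    That is the reason every packet must get a unique IV."""
    return xor(c1, c2)


def iv_collision_probability(packets: int, iv_bits: int = IV_BITS) -> float:
    """Birthday bound: probability that at least two random IVs repeat among
    `packets` packets. A 24-bit space is exhausted by a busy AP quickly."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * packets / (2.0 * space))


class IvReuseMonitor:
    """Defender-side check: remember IVs seen under one key and flag a repeat."""

    def __init__(self):
        self.seen = set()

    def observe(self, iv: bytes) -> bool:
        """Return True if this IV was already used with the key (keystream reuse)."""
        if iv in self.seen:
            return True
        self.seen.add(iv)
        return False


if __name__ == "__main__":
    key = b"shared-wep-key"                  # constructed sample key
    p1 = b"GET /index.html HTTP/1.0\r\n"     # constructed sample packets
    p2 = b"GET /login.html HTTP/1.0\r\n"
    iv = os.urandom(3)                       # 24-bit IV
    _, c1 = wep_style_encrypt(key, iv, p1)
    _, c2 = wep_style_encrypt(key, iv, p2)   # same IV reused: the flaw on this slide
    assert keystream_reuse_leak(c1, c2) == xor(p1, p2)
    print("P(IV repeat after 5000 packets) = %.2f" % iv_collision_probability(5000))
```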

Page 86: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Other Wireless Authentication Protocols

Wi-Fi Protected Access (WPA): the TKIP encryption algorithm was developed for WPA to provide improvements to WEP

WPA2: Wi-Fi Alliance branded version of the final 802.11i standard

WPA2 supports EAP authentication methods using RADIUS servers and preshared key (PSK) based security

802.1X, LEAP, PEAP, TKIP

Page 87: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Untrusted Network

The basic WLAN security of SSID beaconing, MAC address filtering, and WEP encryption is not secure enough for an organization to use

One approach to securing a WLAN is to treat it as an untrusted and unsecure network

Requires that the WLAN be placed outside the secure perimeter of the trusted network

Page 88: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Untrusted Network (continued)

Page 89: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Trusted Network (continued)

WPA encryption addresses the weaknesses of WEP by using the Temporal Key Integrity Protocol (TKIP)

TKIP mixes keys on a per-packet basis to improve security

Although WPA provides enhanced security, the IEEE 802.11i solution is even more secure

802.11i is expected to be released sometime in 2004

Page 90: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Cryptography Terminology

Cryptography: science of transforming information so it is secure while being transmitted or stored

Steganography: attempts to hide existence of data

Encryption: changing the original text to a secret message using cryptography

Page 91: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Cryptography Terminology

Decryption: reverse process of encryption

Algorithm: process of encrypting and decrypting information based on a mathematical procedure

Key: value used by an algorithm to encrypt or decrypt a message

Page 92: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Cryptography Terminology

Weak key: mathematical key that creates a detectable pattern or structure

Plaintext: original unencrypted information (also known as clear text)

Cipher: encryption or decryption algorithm tool used to create encrypted or decrypted text

Ciphertext: data that has been encrypted by an encryption algorithm

Page 93: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Cryptography Terminology (continued)

Page 94: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Defining Hashing

Hashing, also called a one-way hash, creates a ciphertext from plaintext

Cryptographic hashing follows this same basic approach

Hash algorithms verify the accuracy of a value without transmitting the value itself and subjecting it to attacks

A practical use of a hash algorithm is with automatic teller machine (ATM) cards

Page 95: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Defining Hashing (continued)

Hashing is typically used in two ways:

To determine whether a password a user enters is correct without transmitting the password itself

To determine the integrity of a message or contents of a file

Hash algorithms are considered very secure if the hash that is produced has the characteristics listed on pages 276 and 277 of the text

Page 96: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Message Digest (MD)

Message digest 2 (MD2) takes plaintext of any length and creates a hash 128 bits long

MD2 divides the message into 128-bit sections

If the message is less than 128 bits, data known as padding is added

Message digest 4 (MD4) was developed in 1990 for computers that processed 32 bits at a time

Takes plaintext and creates a hash of 128 bits

The plaintext message itself is padded to a length of 512 bits

Page 97: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Message Digest (MD)

Message digest 5 (MD5) is a revision of MD4 designed to address its weaknesses

The length of a message is padded to 512 bits

The hash algorithm then uses four variables of 32 bits each in a round-robin fashion to create a value that is compressed to generate the hash

Page 98: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Secure Hash Algorithm (SHA)

Patterned after MD4 but creates a hash that is 160 bits in length instead of 128 bits

The longer hash makes it more resistant to attacks

SHA pads messages less than 512 bits with zeros and an integer that describes the original length of the message
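Added example (not the textbook's code) of the padding step the MD4/MD5 and SHA slides describe: a message is extended to a multiple of 512 bits with a 1 bit, zeros, and a 64-bit field carrying the original length, so the compression function always sees whole blocks. The byte-order difference between MD5 and SHA-1 length fields is a known fact of those algorithms, not from the slides.

```python
import hashlib
import struct

BLOCK_BYTES = 64  # one 512-bit block, the unit MD4, MD5 and SHA-1 process


def md_pad(message: bytes, big_endian: bool = True) -> bytes:
    """Merkle-Damgard padding: append one 1 bit (the byte 0x80), then zero bits
    until the data is 8 bytes short of a block boundary, then the original
    length in bits as a 64-bit integer. SHA-1 writes that length big-endian;
    MD4/MD5 write it little-endian (big_endian=False)."""
    bit_length = 8 * len(message)
    padded = bytearray(message)
    padded.append(0x80)
    while len(padded) % BLOCK_BYTES != BLOCK_BYTES - 8:
        padded.append(0x00)
    padded += struct.pack(">Q" if big_endian else "<Q", bit_length & 0xFFFFFFFFFFFFFFFF)
    return bytes(padded)


def blocks(padded: bytes) -> list:
    """Split padded input into the 512-bit blocks the compression function consumes."""
    return [padded[i:i + BLOCK_BYTES] for i in range(0, len(padded), BLOCK_BYTES)]


def encoded_length_bits(padded: bytes, big_endian: bool = True) -> int:
    """Read back the length field from the last 8 bytes of a padded message."""
    return struct.unpack(">Q" if big_endian else "<Q", padded[-8:])[0]


def digest_bits(algorithm: str) -> int:
    """Output size of a hashlib algorithm in bits (md5 -> 128, sha1 -> 160)."""
    return hashlib.new(algorithm).digest_size * 8


if __name__ == "__main__":
    # 55 bytes still fits one block; 56 bytes forces a second block for the length field
    for msg in (b"", b"abc", b"a" * 55, b"a" * 56):
        padded = md_pad(msg)
        print(len(msg), "bytes ->", len(blocks(padded)), "block(s), length field =",
              encoded_length_bits(padded), "bits")
```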

Page 99: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Protecting with Symmetric Encryption Algorithms

A block cipher manipulates an entire block of plaintext at one time

The plaintext message is divided into separate blocks of 8 to 16 bytes and then each block is encrypted independently

The blocks can be randomized for additional security

Page 100: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Data Encryption Standard (DES)

One of the most popular symmetric cryptography algorithms

DES is a block cipher and encrypts data in 64-bit blocks

The 8-bit parity bit is ignored so the effective key length is only 56 bits

DES encrypts 64-bit plaintext by executing the algorithm 16 times

The four modes of DES encryption are summarized on pages 282 and 283

Page 101: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Triple Data Encryption Standard (3DES)

Uses three rounds of encryption instead of just one

The ciphertext of one round becomes the entire input for the second iteration

Employs a total of 48 iterations in its encryption (3 iterations times 16 rounds)

The most secure versions of 3DES use different keys for each round
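Added example (not from the textbook) for the DES and 3DES slides: checking and fixing the parity bit in each byte of a DES key, extracting the 56 effective key bits, and classifying a 3DES key bundle by how many distinct keys it uses. Sample keys are constructed.

```python
DES_KEY_BYTES = 8


def has_odd_parity(byte: int) -> bool:
    """Each DES key byte carries 7 key bits plus one odd-parity bit in the LSB."""
    return bin(byte).count("1") % 2 == 1


def check_des_key_parity(key: bytes) -> list:
    """Return the indexes of bytes whose parity bit is wrong (empty if the key is well-formed)."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError("DES key must be 8 bytes")
    return [i for i, b in enumerate(key) if not has_odd_parity(b)]


def set_des_key_parity(key: bytes) -> bytes:
    """Rewrite each parity bit so the key is well-formed; the 56 key bits are untouched."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        parity = 0 if bin(high7).count("1") % 2 == 1 else 1
        out.append(high7 | parity)
    return bytes(out)


def effective_key_bits(key: bytes) -> int:
    """Drop the parity bit of each byte and pack the remaining 7 bits: 8 * 7 = 56 bits.
    This is why the slide says the effective key length is only 56 bits."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def tdes_keying_option(k1: bytes, k2: bytes, k3: bytes) -> str:
    """Classify a 3DES key bundle. Parity bits are ignored in the comparison
    because they carry no key material."""
    e1, e2, e3 = (effective_key_bits(k) for k in (k1, k2, k3))
    if e1 == e2 == e3:
        return "single DES (all three keys equal: 56-bit strength, backward compatible)"
    if e1 == e3 and e1 != e2:
        return "two-key 3DES (112 bits of key material)"
    if len({e1, e2, e3}) == 3:
        return "three-key 3DES (168 bits of key material)"
    return "irregular key bundle"


if __name__ == "__main__":
    k1 = set_des_key_parity(bytes.fromhex("0123456789abcdef"))   # constructed sample keys
    k2 = set_des_key_parity(bytes.fromhex("fedcba9876543210"))
    k3 = set_des_key_parity(bytes.fromhex("89abcdef01234567"))
    print("bad parity bytes in raw key:", check_des_key_parity(bytes.fromhex("0123456789abcdef")))
    print("effective key bits:", effective_key_bits(k1).bit_length())
    print(tdes_keying_option(k1, k1, k1))
    print(tdes_keying_option(k1, k2, k1))
    print(tdes_keying_option(k1, k2, k3))
```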

Page 102: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Advanced Encryption Standard (AES)

Approved by the NIST in late 2000 as a replacement for DES

Process began with the NIST publishing requirements for a new symmetric algorithm and requesting proposals

Requirements stated that the new algorithm had to be fast and function on older computers with 8-bit, 32-bit, and 64-bit processors

Page 103: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Advanced Encryption Standard (AES)

Performs three steps on every block (128 bits) of plaintext

Within step 2, multiple rounds are performed depending upon the key size: a 128-bit key performs 9 rounds, a 192-bit key performs 11 rounds, a 256-bit key uses 13 rounds

Page 104: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Hardening with Asymmetric Encryption Algorithms

The primary weakness of symmetric encryption algorithms is keeping the single key secure

This weakness, known as key management, poses a number of significant challenges

Asymmetric encryption (or public key cryptography) uses two keys instead of one

The private key typically is used to encrypt the message

The public key decrypts the message

Page 105: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Hardening with Asymmetric Encryption Algorithms

Page 106: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Rivest Shamir Adleman (RSA)

Asymmetric algorithm published in 1977 and patented by MIT in 1983

Most common asymmetric encryption and authentication algorithm

Included as part of the Web browsers from Microsoft and Netscape as well as other commercial products

Multiplies two large prime numbers

Page 107: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Diffie-Hellman

Unlike RSA, the Diffie-Hellman algorithm does not encrypt and decrypt text

Strength of Diffie-Hellman is that it allows two users to share a secret key securely over a public network

Once the key has been shared, both parties can use it to encrypt and decrypt messages using symmetric cryptography
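Added example (not from the textbook) of the exchange this slide describes: each side publishes g^x mod p, both arrive at the same secret, and a hash turns it into a symmetric key. The group p = 23, g = 5 is a constructed textbook-sized toy; the range check on the peer's public value is the one a practitioner would add.

```python
import hashlib
import secrets

# Toy group (constructed, textbook-sized): p = 23 with generator g = 5. Real
# deployments use a standardized prime of 2048 bits or more; the arithmetic
# below does not change.
TOY_P, TOY_G = 23, 5


def is_valid_public_value(y: int, p: int) -> bool:
    """Accept only 1 < y < p-1: the values 0, 1 and p-1 would force a trivial
    shared secret regardless of the peer's private exponent."""
    return 1 < y < p - 1


class Party:
    """One side of the exchange: keeps a private exponent, publishes g^x mod p."""

    def __init__(self, p: int, g: int, private: int = None):
        self.p, self.g = p, g
        self.private = private if private is not None else secrets.randbelow(p - 3) + 2
        self.public = pow(g, self.private, p)   # this is all that crosses the network

    def raw_shared_secret(self, peer_public: int) -> int:
        """g^(ab) mod p: both sides reach the same number from different inputs."""
        if not is_valid_public_value(peer_public, self.p):
            raise ValueError("rejected out-of-range Diffie-Hellman public value")
        return pow(peer_public, self.private, self.p)

    def shared_key(self, peer_public: int) -> bytes:
        """Key-derivation step: hash the raw secret into a fixed-size symmetric key,
        the key the slide says both parties then use with symmetric cryptography."""
        secret = self.raw_shared_secret(peer_public)
        length = (secret.bit_length() + 7) // 8 or 1
        return hashlib.sha256(secret.to_bytes(length, "big")).digest()


def exchange(alice: "Party", bob: "Party") -> tuple:
    """Run the protocol: each side sends its public value, each derives the key."""
    key_a = alice.shared_key(bob.public)   # Alice receives Bob's public value
    key_b = bob.shared_key(alice.public)   # Bob receives Alice's public value
    return key_a, key_b


if __name__ == "__main__":
    alice = Party(TOY_P, TOY_G, private=6)    # fixed exponents for a reproducible run
    bob = Party(TOY_P, TOY_G, private=15)
    print("Alice sends", alice.public, "; Bob sends", bob.public)
    key_a, key_b = exchange(alice, bob)
    print("same key on both sides:", key_a == key_b,
          "; raw secret:", alice.raw_shared_secret(bob.public))
```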

Page 108: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Elliptic Curve Cryptography

First proposed in the mid-1980s

Instead of using prime numbers, uses elliptic curves

An elliptic curve is a function drawn on an X-Y axis as a gently curved line

By adding the values of two points on the curve, you can arrive at a third point on the curve
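Added example (not from the textbook) making the slide's point addition concrete: the chord-and-tangent rule on a small curve over a prime field, plus repeated addition (scalar multiplication), which is the operation ECC keys are built from. The curve y^2 = x^3 + 7 over F_17 and its points are constructed for illustration.

```python
# Toy curve (constructed): y^2 = x^3 + 0*x + 7 over the prime field F_17.
# Real curves use primes of about 256 bits; the group law is the same.
P_MOD, A, B = 17, 0, 7
INF = None  # point at infinity, the identity element of the group


def is_on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def negate(pt):
    """Reflect across the x-axis: P + (-P) is the identity."""
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)


def add(p1, p2):
    """Chord-and-tangent rule: the line through P and Q meets the curve at a
    third point; its reflection across the x-axis is P + Q."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                                # vertical line
    if p1 == p2:
        slope = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD  # tangent
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD         # chord
    x3 = (slope * slope - x1 - x2) % P_MOD
    y3 = (slope * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k: int, pt):
    """Double-and-add: k*P. Computing k*P is easy; recovering k from P and k*P
    is the hard problem ECC keys rely on."""
    result = INF
    addend = pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


if __name__ == "__main__":
    P, Q = (1, 5), (2, 7)          # two constructed points on the toy curve
    assert is_on_curve(P) and is_on_curve(Q)
    print("P + Q =", add(P, Q))    # a third point on the curve
    print("2P    =", add(P, P))
    for k in range(1, 6):
        R = scalar_mult(k, P)
        print(f"{k}P = {R}, on curve: {is_on_curve(R)}")
```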

Page 109: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Understanding How to Use Cryptography

Cryptography can provide a major defense against attackers

If an e-mail message or data stored on a file server is encrypted, even a successful attempt to steal that information will be of no benefit if the attacker cannot read it

Page 110: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Understanding Cryptography Strengths and Vulnerabilities

Cryptography is science of “scrambling” data so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored

When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext

Page 111: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Symmetric Cryptography Strengths and Weaknesses

Identical keys are used to both encrypt and decrypt the message

Popular symmetric cipher algorithms include Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard, Rivest Cipher, International Data Encryption Algorithm, and Blowfish

Disadvantages of symmetric encryption relate to the difficulties of managing the private key

Page 112: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Asymmetric Cryptography Strengths and Vulnerabilities

With asymmetric encryption, two keys are used instead of one

The private key encrypts the message

The public key decrypts the message

Page 113: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Digital Signatures

Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message

A digital signature helps to prove that:

The person sending the message with a public key is who they claim to be

The message was not altered

It cannot be denied the message was sent
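Added example (not from the textbook) that ties the RSA slide to the digital signature slide: a key pair built from two primes, a signature made with the private key over a hash of the message, and verification with the public key, which fails when the message is altered or the signature came from another key. The primes are constructed toy values, far too small for real use.

```python
import hashlib
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Textbook RSA: n = p*q (the product of two primes the slide mentions),
    public exponent e, private exponent d = e^-1 mod (p-1)(q-1).
    Returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def message_representative(message: bytes, n: int) -> int:
    """Hash the message first so the signature covers arbitrary-length input.
    Real RSA signatures pad the digest (PKCS#1); this toy reduces it mod n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: tuple) -> int:
    """Only the private key holder can compute this value (non-repudiation)."""
    n, d = private_key
    return pow(message_representative(message, n), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Anyone with the public key can check the signature. A changed message
    or a signature made under another key fails (integrity and authenticity)."""
    n, e = public_key
    return pow(signature, e, n) == message_representative(message, n)


if __name__ == "__main__":
    # Toy primes (constructed): fine for the arithmetic, useless for security.
    public_key, private_key = rsa_keygen(1000003, 1000033)
    message = b"Transfer 100 to account 42"
    sig = sign(message, private_key)
    print("verifies:", verify(message, sig, public_key))
    print("altered message verifies:", verify(b"Transfer 900 to account 42", sig, public_key))
```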

Page 114: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Digital Certificates

Digital documents that associate an individual with his or her specific public key

Data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party

Page 115: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Certification Authority (CA)

The owner of the public key listed in the digital certificate can be identified to the CA in different ways:

By their e-mail address

By additional information that describes the digital certificate and limits the scope of its use

Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users

Page 116: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Certification Authority (CA)

The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes

Can provide the information in a publicly accessible directory, called a Certificate Repository (CR)

Some organizations set up a Registration Authority (RA) to handle some CA tasks, such as processing certificate requests and authenticating users

Page 117: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Understanding Public Key Infrastructure (PKI)

Weaknesses associated with asymmetric cryptography led to the development of PKI

A CA is an important trusted party who can sign and issue certificates for users

Some of its tasks can also be performed by a subordinate function, the RA

Updated certificates and CRLs are kept in a CR for users to refer to
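Added example (not from the textbook) of the status check a relying party performs against the CA, CRL and Certificate Repository described on these slides: trusted issuer, validity period, freshness of the published CRL, and revocation by serial number. Signature verification is omitted; the CA name, serials, dates and repository contents are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Certificate:
    serial: int
    subject: str
    issuer: str          # the CA that signed it
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime            # after this, the CA promised a fresher list
    revoked_serials: set = field(default_factory=set)


@dataclass
class Repository:
    """Certificate Repository (CR): where the CA publishes certificates and CRLs."""
    trusted_cas: set
    crls: dict = field(default_factory=dict)   # issuer name -> latest CRL


def certificate_status(cert: Certificate, repo: Repository, now: datetime) -> str:
    """Decide whether a certificate may be relied on at time `now`."""
    if cert.issuer not in repo.trusted_cas:
        return "untrusted issuer"
    if now < cert.not_before:
        return "not yet valid"
    if now > cert.not_after:
        return "expired"
    crl = repo.crls.get(cert.issuer)
    if crl is None:
        return "revocation status unknown"     # fail closed rather than assume valid
    if now > crl.next_update:
        return "stale CRL"                     # the CA did not publish on time
    if cert.serial in crl.revoked_serials:
        return "revoked"
    return "valid"


def sample_repository() -> Repository:
    """Constructed CA, CRL and repository contents for the demonstration."""
    crl = CRL("Example CA", datetime(2004, 6, 1), datetime(2004, 7, 1), {1002})
    return Repository(trusted_cas={"Example CA"}, crls={"Example CA": crl})


def sample_certificates() -> dict:
    """Constructed certificates: one good, one revoked, one expired, one from an unknown CA."""
    ca, start, end = "Example CA", datetime(2004, 1, 1), datetime(2005, 1, 1)
    return {
        "valid": Certificate(1001, "alice@example.test", ca, start, end),
        "revoked": Certificate(1002, "bob@example.test", ca, start, end),
        "expired": Certificate(1003, "carol@example.test", ca, datetime(2003, 1, 1), datetime(2004, 1, 1)),
        "rogue": Certificate(7, "mallory@example.test", "Unknown CA", start, end),
    }


def demo_statuses(now_iso: str = "2004-06-15") -> dict:
    """Status of each sample certificate at the given date (ISO format)."""
    repo, now = sample_repository(), datetime.fromisoformat(now_iso)
    return {name: certificate_status(cert, repo, now) for name, cert in sample_certificates().items()}


if __name__ == "__main__":
    for name, status in demo_statuses().items():
        print(f"{name:8s}: {status}")
    print("after the CRL's next_update:", demo_statuses("2004-08-01"))
```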

Page 118: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

The Need for PKI

Page 119: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Description of PKI

Manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs

For a typical enterprise: provides end-user enrollment software; integrates corporate certificate directories; manages, renews, and revokes certificates; provides related network services and security

Typically consists of one or more CA servers and digital certificates that automate several tasks

Page 120: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

PKI Standards and Protocols

A number of standards have been proposed for PKI: Public Key Cryptography Standards (PKCS), X.509 certificate standards

Page 121: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Public Key Cryptography Standards (PKCS)

Numbered set of standards that have been defined by the RSA Corporation since 1991

Composed of 15 standards detailed on pages 318 and 319 of the text

Page 122: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

X.509 Digital Certificates

X.509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate

Most widely used certificate format for PKI

X.509 is used by Secure Sockets Layer (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)

Page 123: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

X.509 Digital Certificates

Page 124: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Trust Models

Refers to the type of relationship that can exist between people or organizations

In the direct trust, a personal relationship exists between two individuals

Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party

The three different PKI trust models are based on direct and third-party trust

Page 125: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Hardening Physical Security with Access Controls

Adequate physical security is one of the first lines of defense against attacks

Protects equipment and the infrastructure itself

Has one primary goal: to prevent unauthorized users from reaching equipment to use, steal, or vandalize

Page 126: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Hardening Physical Security with Access Controls

Configure an operating system to enforce access controls through an access control list (ACL), a table that defines the access rights each subject has to a folder or file

ACLs are also configured on network devices to permit or deny packets to the network.

Access control also refers to restricting physical access to computers or network devices

Page 127: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Controlling Access with Physical Barriers

Most servers are rack-mounted servers

A rack-mounted server is 1.75 inches (4.45 cm) tall and can be stacked with up to 50 other servers in a closely confined area

Rack-mounted units are typically connected to a KVM (keyboard, video, mouse) switch, which in turn is connected to a single monitor, mouse, and keyboard

Page 128: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Controlling Access with Physical Barriers

In addition to securing a device itself, you should also secure the room containing the device

Two basic types of door locks require a key:

A preset lock (key-in-knob lock) requires only a key for unlocking the door from the outside

A deadbolt lock extends a solid metal bar into the door frame for extra security

To achieve the most security when using door locks, observe the good practices listed on pages 345 and 346 of the text

Page 129: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Controlling Access with Physical Barriers

Cipher locks are combination locks that use buttons you push in the proper sequence to open the door

Can be programmed to allow only the code of certain people to be valid on specific dates and times

Basic models can cost several hundred dollars each while advanced models can run much higher

Users must be careful to conceal which buttons they push to avoid someone seeing the combination (shoulder surfing)

Page 130: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Limiting Wireless Signal Range

Use the following techniques to limit the wireless signal range: relocate the access point, add a directional antenna, reduce power, cover the device, modify the building

Page 131: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Reducing the Risk of Fires

Systems can be classified as:

Water sprinkler systems that spray the room with pressurized water

Dry chemical systems that disperse a fine, dry powder over the fire

Clean agent systems that do not harm people, documents, or electrical equipment in the room

Page 132: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Types of Security Policies

Page 133: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Types of Security Policies

Page 134: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Acceptable Use Policy (AUP)

Defines what actions users of a system may perform while using computing and networking equipment

Should have an overview regarding what is covered by this policy

Unacceptable use should also be outlined

Page 135: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Understanding Identity Management (continued)

Four key elements: Single sign-on (SSO), Password synchronization, Password resets, Access management

Page 136: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Understanding Identity Management (continued)

SSO allows a user to log on one time to a network or system and access multiple applications and systems based on that single password

Password synchronization also permits a user to use a single password to log on to multiple servers

Instead of keeping a repository of user credentials, password synchronization ensures the password is the same for every application to which a user logs on

Page 137: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Understanding Identity Management (continued)

Password resets reduce costs associated with password-related help desk calls

Identity management systems let users reset their own passwords and unlock their accounts without relying on the help desk

Access management software controls who can access the network while managing the content and business that users can perform while online

Page 138: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Auditing Privileges

You should regularly audit the privileges that have been assigned

Without auditing, it is impossible to know if users have been given too many unnecessary privileges and are creating security vulnerabilities

Page 139: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Usage Audit

Process of reviewing activities a user has performed on the system or network

Provides a detailed history of every action, the date and time, the name of the user, and other information

Page 140: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Usage Audits (continued)

Page 141: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Privilege Audit

Reviews privileges that have been assigned to a specific user, group, or role

Begins by developing a list of the expected privileges of a user

Page 142: CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition.

Escalation Audits

Reviews of usage audits to determine if privileges have unexpectedly escalated

Privilege escalation attack: attacker attempts to escalate her privileges without permission

Certain programs on Mac OS X use a special area in memory called an environment variable to determine where to write certain information
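Added example (not from the textbook) covering the privilege audit and escalation audit slides: start from a list of each user's expected privileges, replay a usage-audit log to see what they actually hold, report excess privileges, and flag any grant that fell outside the expected set. The users, privilege names and log lines are constructed.

```python
from datetime import datetime

# Constructed sample data: the expected privileges per user (the list a
# privilege audit starts from) and a usage-audit log of grant/revoke events
# in the form "<ISO timestamp> <user> <grant|revoke> <privilege>".
EXPECTED = {
    "alice": {"read:finance", "write:finance"},
    "bob": {"read:hr"},
}
AUDIT_LOG = """\
2004-03-01T09:00:00 alice grant read:finance
2004-03-01T09:01:00 alice grant write:finance
2004-03-02T10:15:00 bob grant read:hr
2004-03-03T16:40:00 bob grant admin:domain
2004-03-04T08:05:00 alice grant read:hr
2004-03-04T08:06:00 alice revoke read:hr
"""


def parse_log(text: str) -> list:
    """Return (timestamp, user, action, privilege) tuples in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, privilege = line.split()
        events.append((datetime.fromisoformat(stamp), user, action, privilege))
    return events


def current_privileges(events: list) -> dict:
    """Replay grants and revokes to find what each user holds now."""
    held = {}
    for _, user, action, privilege in events:
        bucket = held.setdefault(user, set())
        if action == "grant":
            bucket.add(privilege)
        elif action == "revoke":
            bucket.discard(privilege)
    return held


def privilege_audit(expected: dict, held: dict) -> dict:
    """Per user: (missing, excess). Excess privileges are the finding that matters."""
    report = {}
    for user in set(expected) | set(held):
        want = expected.get(user, set())
        have = held.get(user, set())
        report[user] = (want - have, have - want)
    return report


def escalation_audit(events: list, expected: dict) -> list:
    """Scan the usage audit for grants outside a user's expected set. A grant
    that was later revoked still counts: the escalation did happen."""
    return [(stamp.isoformat(), user, privilege)
            for stamp, user, action, privilege in events
            if action == "grant" and privilege not in expected.get(user, set())]


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    report = privilege_audit(EXPECTED, current_privileges(events))
    for user, (missing, excess) in sorted(report.items()):
        print(f"{user}: missing={sorted(missing)} excess={sorted(excess)}")
    for stamp, user, privilege in escalation_audit(events, EXPECTED):
        print(f"ESCALATION {stamp} {user} gained {privilege}")
```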