January 28, 2012

3.2.12 Pharming

Pharming

Pharming is an attack that redirects a website's traffic to another, bogus website. It can be conducted either by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS server software. DNS servers are the computers responsible for resolving Internet names into their real addresses: they are the "signposts" of the Internet.

Compromised DNS servers are sometimes referred to as "poisoned".

More worrisome than host file attacks is the compromise of a local network router. Since most routers specify a trusted DNS to clients as they join the network, misinformation here will spoil lookups for the entire LAN.

Pharming is a scamming practice in which malicious code is installed on a personal computer or server, misdirecting users to fraudulent Web sites without their knowledge or consent.

In pharming, larger numbers of computer users can be victimized because it is not necessary to target individuals one by one and no conscious action is required on the part of the victim.
Pharming has been called "phishing with a grenade."

Pharming is more difficult to detect because it does not rely on the victim accepting a "bait" message. Users can be redirected to a bogus Web site even if, for example, they type the correct Web address of their bank or other online service into their Web browser.
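The hosts-file variant above is the one a defender can audit directly on an endpoint. The following Python script is an added example (not part of these notes) that parses hosts-file content and flags hostnames pinned to a routable address; the sample content, the .test hostnames and the 203.0.113.45 address are constructed for illustration. Loopback, unspecified (0.0.0.0 sinkhole) and link-local targets are treated as benign, so private LAN entries such as 192.168.x.x will also be flagged and need human review.

```python
import ipaddress

# Constructed sample hosts-file content (not taken from any real system).
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# Suspicious: a bank's hostname pinned to a non-local address
203.0.113.45    www.examplebank.test
0.0.0.0         ads.tracker.test
"""

# Hostnames that legitimately appear in a stock hosts file.
LOCAL_OK = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}

def parse_hosts(text):
    """Return (ip, [hostnames]) for each non-comment, non-empty hosts-file line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # an address with no hostname is not an entry
            continue
        entries.append((parts[0], parts[1:]))
    return entries

def suspicious_entries(text):
    """Return entries that map a hostname to a routable address, the pharming signature.
    Each result is (ip, [hostname], reason)."""
    flagged = []
    for ip_str, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            flagged.append((ip_str, names, "unparseable address"))
            continue
        # Loopback, 0.0.0.0 sinkholes and link-local targets cannot redirect to an attacker's site.
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
            continue
        for name in names:
            if name in LOCAL_OK:
                continue
            flagged.append((ip_str, [name], "hostname pinned to routable address"))
    return flagged

if __name__ == "__main__":
    for ip, names, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {' '.join(names):<30} {reason}")
```

Run against the real file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Unix-like systems) by reading it into `suspicious_entries`; an empty result is the expected state on a machine that has not been tampered with.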

Related Terms
DNS cache poisoning – an attack on the Internet naming system
Domain spoofing

References:

3.2.11 Xmas Attack

Xmas Attack

The Xmas scan is one of three related Nmap scan types:
  • Xmas scan (-sX) – sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
  • Null scan (-sN) – does not set any bits (the TCP flag header is 0).
  • FIN scan (-sF) – sets just the TCP FIN bit.

One of the most popular attacks that utilizes Nmap is the Xmas attack (also known as the Xmas scan and Christmas attack). This is an advanced scan that tries to evade firewall detection while looking for open ports. It accomplishes this by setting three flags (FIN, PSH, and URG).
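From the defender's side, all three scan types are recognisable by their flag byte alone: no legitimate TCP segment carries FIN, PSH and URG without ACK, and a segment with no flags at all is never valid. The Python below is an added example (not from these notes or from Nmap) that builds constructed 20-byte TCP headers, reads the flag byte at offset 13, and classifies each header the way an IDS rule would; the sample port numbers and batch are constructed.

```python
import struct

# TCP flag bits in the flags byte (header offset 13), least significant bit first.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Build a minimal 20-byte TCP header with no options and a zero checksum.
    Constructed test data only; nothing here is sent on a network."""
    data_offset = 5 << 4        # header length in 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)

def tcp_flags(header):
    """Return the flags byte of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return header[13]

def classify_flags(flags):
    """Map a flag byte to the Nmap scan type it matches, or 'normal' for ordinary traffic."""
    if flags == 0:
        return "null"                       # -sN: no flags at all
    if flags == FIN:
        return "fin"                        # -sF: FIN alone, no ACK
    if flags == FIN | PSH | URG:
        return "xmas"                       # -sX: FIN + PSH + URG, the 'lit up' packet
    if flags & SYN and not flags & ACK:
        return "syn"                        # ordinary connection attempt (also -sS)
    return "normal"

def scan_report(headers):
    """Count each classification across a batch of raw TCP headers."""
    counts = {}
    for h in headers:
        kind = classify_flags(tcp_flags(h))
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed batch: two Xmas probes, one Null, one FIN, one normal SYN.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 22, FIN | PSH | URG),
    build_tcp_header(40001, 80, FIN | PSH | URG),
    build_tcp_header(40002, 443, 0),
    build_tcp_header(40003, 25, FIN),
    build_tcp_header(40004, 80, SYN),
]

if __name__ == "__main__":
    print(scan_report(SAMPLE_SEGMENTS))
```

A single Xmas, Null or FIN segment is enough to alert on, because these combinations do not occur in normal traffic; counting them per source address over a time window turns the classification into a port-scan detector.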

References:

  • http://nmap.org/book/man-port-scanning-techniques.html
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney


3.2.10 Vishing & Spear Phishing

Vishing

When you combine phishing with Voice over IP (VoIP), it becomes known as vishing and is just an elevated form of social engineering.

Spear phishing

Spear phishing is a unique form of phishing in which the message is made to look as if it came from someone you know and trust as opposed to an informal third party.

In spear phishing, the attacker uses information that the target would be less likely to question because it appears to be coming from a trusted source. Because it appears far more likely to be a legitimate message, it cuts through the user's standard defenses like a spear and has a higher likelihood of being clicked.

With spear phishing, you might get a message that appears to be from your boss telling you that there is a problem with your direct deposit account and you need to access this HR link right now to correct it.

Spear phishing works because it uses information it can find about you from email databases, friends lists, and the like.

References:
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2.9 Spim

Spim

Spim is short for "Spam via Instant Messenger" and is a term that refers to unwanted and unsolicited junk messages sent via an instant messenger (instead of through e-mail messaging).

Most Spim comes in the form of chat requests/sessions from unknown people who then send you text messages about their products or services. Some may ask you to visit a website, which may contain malware or they may try to send you files to download.

The immediacy of IM makes users more likely to reflexively click links. Furthermore, because it bypasses anti-virus software and firewalls, IM is an easy means of passing on not only commercial messages but also viruses and other malware.

Never accept or open attachments from people you don’t know.

Turn off the automatic download features in your instant messenger client.

Send all downloads to the same folder on your hard drive and then use your anti-virus software to scan that folder each time a new file is added.

Related Terms
SPIT – Spam over Internet Telephony

References:
  • http://housing.uncc.edu/technology/securemypc/alt_spam.htm
  • http://www.webopedia.com/DidYouKnow/Internet/2006/spam_spit_spim.asp
  • http://searchexchange.techtarget.com/definition/spim

3.2.8 Phishing

Phishing

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is an example of the social engineering techniques used to deceive users: you simply ask someone for a piece of information that you want by making the request look legitimate.

Vishing involves combining phishing with Voice over IP.

An email might look as if it is from a bank and contain some basic information, such as the user's name. A fake website might be created to look just like a legitimate site. It can then gather personal information from the user.

The person instigating the phishing can then use the values entered there to access the legitimate account.

One of the best counters to phishing is to simply mouse over the “Click Here” link and read the URL.

Phishing email messages, websites, and phone calls are designed to steal money, access, information, etc.

References:

  • http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
  • http://www.fraud.org/tips/internet/phishing.htm
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2.7 Spam

Spam

Spam is the use of electronic messaging systems, particularly e-mail but including most broadcast media and digital delivery systems, to send unsolicited bulk messages indiscriminately. In general, e-mail messages you didn't ask for, from people you don't know, are considered 'spam'.

Spam can contain viruses or other malware, or it may try to trick the recipient into giving up passwords and user names, or into visiting a harmful site.

Spam is not actually an acronym.

According to the Internet Society and other sources, the term spam is derived from the 1970 Spam sketch of the BBC television comedy series Monty Python's Flying Circus. The sketch is set in a cafe where nearly every item on the menu includes Spam canned luncheon meat. As the waiter recites the Spam-filled menu, a chorus of Viking patrons drowns out all conversations with a song repeating "Spam, Spam, Spam, Spam... lovely Spam! wonderful Spam!", hence "Spamming" the dialogue.

Related Terms
SPAM – Hormel Foods Corporation, the maker of SPAM luncheon meat, has asked that the capitalized word "Spam" be reserved to refer to their product and trademark.

References:
  • http://en.wikipedia.org/wiki/Spam_(electronic)

3.2.5 Smurf Attack

Smurf Attack

The smurf attack, named after its exploit program, is a denial-of-service attack which uses spoofed broadcast ping messages to flood a target system.

In the "smurf" attack, an attacker at a remote location sends forged ICMP echo packets to the broadcast addresses of vulnerable networks, with a forged source address pointing to the target (victim) of the attack. All the systems on those networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target.

This generates a denial-of-service attack. There are three parties in these attacks: the attacker, the intermediary, and the victim (note that the intermediary can also be a victim).

The intermediary receives an ICMP echo request packet directed to the IP broadcast address of their network. If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back. When (potentially) all the machines on a network respond to this ICMP echo request, the result can be severe network congestion or outages.

When the attackers create these packets, they do not use the IP address of their own machine as the source address. The victim is subjected to network congestion that could potentially make the network unusable.

One solution to prevent your site from being used as an intermediary in this attack is to disable IP-directed broadcasts at your router. By disabling these broadcasts, you configure your router to deny IP broadcast traffic onto your network from other networks.

Some operating systems can be configured to prevent the machine from responding to ICMP packets sent to IP broadcast addresses. Configuring machines so that they do not respond to these packets can prevent your machines from being used as intermediaries in this type of attack.
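Both signs of a smurf attack described above are visible in ICMP flow records: an echo request addressed to a network's directed broadcast address (the packet a router with directed broadcasts disabled would drop), and a single outside address collecting echo replies from many hosts of one network. The Python below is an added example (not from these notes) that checks constructed flow records for both; the 198.51.100.0/24 intermediary network and the 203.0.113.9 victim address are documentation ranges chosen for illustration.

```python
import ipaddress

# Constructed ICMP flow records as (src, dst, icmp_type); 8 = echo request, 0 = echo reply.
# 198.51.100.0/24 plays the intermediary network; 203.0.113.9 is the spoofed victim address.
INTERMEDIARY_NET = ipaddress.ip_network("198.51.100.0/24")
SAMPLE_FLOWS = [
    ("203.0.113.9", "198.51.100.255", 8),   # echo request to the directed broadcast address
    ("198.51.100.10", "203.0.113.9", 0),    # hosts on the intermediary network reply to the victim
    ("198.51.100.11", "203.0.113.9", 0),
    ("198.51.100.12", "203.0.113.9", 0),
    ("198.51.100.13", "203.0.113.9", 0),
    ("198.51.100.14", "203.0.113.9", 0),
    ("198.51.100.20", "198.51.100.21", 8),  # ordinary unicast ping inside the network
    ("198.51.100.21", "198.51.100.20", 0),
]

def broadcast_echo_requests(flows, net):
    """Echo requests addressed to the network's directed broadcast address.
    A router that denies IP-directed broadcasts never lets these reach the hosts."""
    return [f for f in flows
            if f[2] == 8 and ipaddress.ip_address(f[1]) == net.broadcast_address]

def amplification_targets(flows, net, min_replies=3):
    """Outside destinations receiving echo replies from many distinct hosts inside `net`.
    Returns {destination: number of distinct internal hosts replying to it}."""
    senders = {}
    for src, dst, icmp_type in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if icmp_type == 0 and s in net and d not in net:
            senders.setdefault(dst, set()).add(src)
    return {dst: len(srcs) for dst, srcs in senders.items() if len(srcs) >= min_replies}

if __name__ == "__main__":
    print("broadcast echo requests:", broadcast_echo_requests(SAMPLE_FLOWS, INTERMEDIARY_NET))
    print("amplification targets:", amplification_targets(SAMPLE_FLOWS, INTERMEDIARY_NET))
```

The first check is what you would expect to see at the intermediary's border if directed broadcasts were still enabled; the second is what the victim's upstream provider sees, and the count of distinct replying hosts is the amplification factor the attacker obtained.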

References:
  • http://searchcio-midmarket.techtarget.com/definition/adware
  • http://www.softpanorama.org/Net/Internet_layer/ICMP/smurf_attack.shtml
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2 Analyze and differentiate among types of attacks

Analyze and differentiate among types of attacks

  • Man-in-the-middle 
  • DDoS 
  • DoS 
  • Replay 
  • Smurf attack 
  • Spoofing 
  • Spam 
  • Phishing 
  • Spim 
  • Vishing 
  • Spear phishing 
  • Xmas attack 
  • Pharming 
  • Privilege escalation 
  • Malicious insider threat 
  • DNS poisoning and ARP poisoning 
  • Transitive access 
  • Client-side attacks 

January 25, 2012

3.1.6 Rootkits

Rootkits

Rootkits are software programs that have the ability to hide certain things from the operating system. Theoretically, rootkits could hide anywhere there is enough memory to reside: video cards, PCI cards, and the like. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the system's OS. Rootkits are able to intercept data from terminals, network connections, and the keyboard.

A rootkit is a type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection. It enables an attacker to have "root" access to the computer, which means it runs at a privileged level of the machine. A rootkit typically intercepts common API calls. For example, it can intercept requests to a file manager such as Explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. If a rootkit has been installed, you may not be aware that your computer has been compromised, and traditional anti-virus software may not be able to detect the malicious programs.

Rootkits are not necessarily malicious, but they may hide malicious activities. Attackers may be able to access information, monitor your actions, modify programs, or perform other functions on your computer without being detected.

Rootkits can be installed and hidden on your computer without your knowledge. They may be included in a larger software package or installed by an attacker who has been able to take advantage of a vulnerability on your computer or has convinced you to download them.

Detection methods include using an alternative, trusted operating system; behavioral-based methods; signature scanning; difference scanning; and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel.

Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers.

The fundamental problem with rootkit detection is that if the operating system has been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components. Actions such as requesting a list of running processes, or a list of files in a directory, cannot be trusted to behave as expected.

Types of rootkits include the following:
  • Firmware – embedded in the firmware; always available
  • Kernel – embedded in the operating system; practically invisible; privileged
  • Persistent – activates on boot up and stays active while computer is running
  • Application – activates with a specific application
  • Library – associated with library files (e.g. DLLs); interjects own code via API and system calls
References:
  • http://en.wikipedia.org/wiki/Rootkit
  • http://www.us-cert.gov/cas/tips/ST06-001.html
  • http://www.pcmag.com/encyclopedia_term/0,2542,t=root+kit&i=55733,00.asp

3.1.4 Spyware

Spyware

Spyware is software that can display advertisements, collect information about you, or change settings on your computer, generally without appropriately obtaining your consent. For example, spyware can install unwanted toolbars, links, or favorites in your web browser, change your default home page, or display pop-up ads frequently.

Some spyware displays no symptoms that you can detect, but it secretly collects sensitive information, such as the websites you visit or the text you type. Most spyware is installed through free software that you download, but in some cases simply visiting a website results in a spyware infection.

Spyware gathers information on you to pass on to marketers or intercepts personal data such as credit card numbers and makes them available to third parties.

References:

  • http://windows.microsoft.com/en-US/windows7/Understanding-security-and-safer-computing

3.1.1 Adware

Adware

Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of a pop-up. They may also be in the user interface of the software or on a screen presented to the user during the installation process. The object of the Adware is to generate revenue for its author.

Adware, by itself, is harmless; however, some adware may come with integrated spyware such as keyloggers and other privacy-invasive software.

The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen. The justification for adware is that it helps recover programming development cost and helps to hold down the cost for the user.

Adware is criticized because it can include code that tracks a user's personal information and pass it on to third parties, without the user's authorization or knowledge.

Adware is considered a nuisance when:
  • It can contain code that tracks a user's network usage patterns and personal information and pass it on to third parties, without the user's authorization or knowledge.
  • It puts additional load on your computer by consuming part of your CPU, memory and network resources.
  • It can be a distraction by displaying messages on your screen real-estate.
  • It is introduced without the consent of the computer user

There are legitimate uses of adware. At its best adware is a legitimate way for developers to cover the cost of content development. Instead of making the user pay for access, the developer might use adware to create “ad-supported” content and present it free to consumers.

In its more benign form, adware is ad-supported or sponsored software, offsetting the cost of development and allowing the content to be made freely available to the consumer. In this form it is an inconvenience that is tolerated.

In its less benign form, adware is spyware that uses the resources of the computer (e.g. CPU, memory, network) to surreptitiously gather tracking and personal data and make it available to the adware developers. In this form, it compromises the user's privacy and security.

References:
  • http://searchcio-midmarket.techtarget.com/definition/adware
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.1 Analyze and differentiate among types of malware

Analyze and differentiate among types of malware

  • Adware 
  • Virus 
  • Worms 
  • Spyware 
  • Trojan 
  • Rootkits 
  • Backdoors 
  • Logic bomb 
  • Botnets 

January 23, 2012

2.2.3 Incident Management

Incident management

Incident management—the steps followed when events occur.

A clearly defined incident response policy can help contain a problem and provide quick recovery to normal operations.

In the event of some form of security incident, some form of procedure should be in place to deal with these events as they happen.

The policy should cover each type of compromised security scenario and list the procedures to follow when they happen.

The incident response policy should cover the following areas:

  • Contact information for emergency services and other outside resources.
  • Methods of securing and preserving evidence of a security breach.
  • Scenario-based procedures of what to do with computer and network equipment depending on the security problem.
  • How to document the problem and the evidence properly.

The components of an incident-response plan should include preparation, roles, rules, and procedures. Incident-response procedures should define how to maintain business continuity while defending against further attacks.


References:

  • http://www.informit.com/articles/article.aspx?p=1809117&seqNum=3
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

2.2.2 Change Management

Change management

Change management policies are official company procedures used to identify and communicate current or forthcoming changes to some aspect of the company’s networks and communications services.

Change documentation should include the following:

  • Specific details about the change being proposed/implemented
  • The name of the authority who approved the changes
  • A list of the departments and the names of the supervisors involved in performing the change
  • What the immediate effect of the change will be
  • What the long-term effect of the change will be
  • The date and time the change will occur

After the change has occurred, the following should be added to the documentation:

  • Specific problems and issues that occurred during the process
  • Any known workarounds if issues have occurred
  • Recommendations and notes on the event

After the change has been requested, documented, and approved, you should then send out notification to the users so that they know what to expect when the change has been implemented.

References:
  • http://www.informit.com/articles/article.aspx?p=1809117&seqNum=3
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

2.2 Carry out appropriate risk mitigation strategies

Carry out appropriate risk mitigation strategies

2.1.7 Risks associated with Cloud Computing and Virtualization

Risks associated with Cloud Computing and Virtualization

If you ask two people a question about what cloud computing is, you are likely to get four different answers. That in itself should be considered a risk. For our purpose, we will consider cloud computing as the use of the Internet to host services and data instead of hosting them locally. Implementations of this include Google Mail, Amazon EC2, Salesforce.com, etc.

The Security+ certification exam considers the following three ways of implementing cloud computing:

  • In the Platform as a Service (PaaS) model, vendors provide a platform for customers to build and run custom applications.
  • Software as a Service (SaaS) is a way of delivering Web-based, on-demand, or hosted applications.
  • The Infrastructure as a Service (IaaS) model closely resembles the traditional utility model used by electric, gas, and water providers. It delivers computer infrastructure – typically a platform virtualization environment – as a service, along with raw (block) storage and networking.

Risk-related issues associated with cloud computing include the following:

  • Regulatory compliance, such as the Sarbanes-Oxley Act.
  • User privileges, such as preventing privilege escalation.
  • Data segregation keeps each customer's data secure and private, which is particularly important in a multi-tenant cloud computing implementation.

Some of the security risks that are possible with virtualization include the following:

  • Breaking out of the virtual machine.
  • Network and security controls can intermingle.
  • Lax patch/update policy.

References:
  • http://en.wikipedia.org/wiki/Cloud_computing
  • http://onekobo.com/Cloud/TagCloud.html
  • https://cloudsecurityalliance.org/
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

January 22, 2012

2.1.6 Risk-avoidance, transference, acceptance, mitigation, deterrence

Risk-avoidance, transference, acceptance, mitigation, deterrence

Risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk.

Risk avoidance should be based on an informed decision that the best course of action is to deviate from what would/could lead to exposure to the risk. One of the biggest problems with risk avoidance is that you are steering clear of activities you may benefit from.

This is the most effective solution, but often not possible due to organizational requirements.

With risk transference, you do not simply shift the risk completely to another entity; instead, you share some of the burden of the risk with someone else, such as an insurance company. A typical policy would pay you a cash amount if all the steps were in place to reduce risk and your system still was harmed.

Risk mitigation is accomplished any time you take steps to reduce the risk. Steps include installing antivirus software, educating users about possible threats, monitoring network traffic, and adding a firewall. In Microsoft's Security Intelligence Report, Volume 9, they list the following suggestions for mitigating risk:

  • Keep security messages fresh and in circulation.
  • Target new employees and current staff members.
  • Set goals to ensure a high percentage of the staff is trained on security best practices.
  • Repeat the information to raise awareness.

In risk mitigation (occasionally referred to as risk reduction), the harm can still occur, but you've reduced the impact it will have.

Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you. The easiest way to think of risk deterrence is to think of it as a “you hit me and I'll hit you back harder” mentality. This can be as simple as posting prosecution policies on your login pages and convincing them that you have steps in place to identify intrusions and act on them.

Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated.

Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, all the responsible parties must know that it exists and can affect the organization. It has to be an identified risk for which those involved understand the potential cost/damage and agree to accept.

Risk acceptance is essentially being fully aware that the risk exists (and that you could be affected by it), then choosing to do nothing further.

The risk must be identified, accepted and then a decision made that no action will be taken. Risk acceptance must be a conscious choice, documented, approved by senior administration, and regularly reviewed.

Related Terms:

  • Risk Appetite – the level of risk tolerance.
  • Exploit – An exploit is a mechanism of taking advantage of an identified vulnerability.
  • Threat – A threat is the potential that a vulnerability will be identified and exploited.
  • Control – Controls act to close vulnerabilities, prevent exploitation, reduce threat potential, and/or reduce the likelihood of a risk or its impact.

References:

2.1.4 Risk Calculation

Risk Calculation

The likelihood and impact of a risk strongly affect your cost analysis when budgeting funds for risk countermeasures and mitigation. A calculation used to determine this factor is Annual Loss Expectancy (ALE).

You must calculate the chance of a risk occurring, sometimes called the Annual Rate of Occurrence (ARO), and the potential loss of revenue based on a specific period of downtime, which is called the Single Loss Expectancy (SLE). By multiplying these factors together, you arrive at the ALE. This is how much money you expect to lose on an annual basis because of the impact from an occurrence of a specific risk.

When you're doing a risk assessment, one of the most important things to do is to prioritize. Take into account the likelihood of an event happening and the impact to your organization if it does. Focus on the events that are likely and would have an impact. Not everything should be weighed evenly.

One method of measurement to consider is annualized rate of occurrence (ARO). This is the likelihood, often drawn from historical data, of an event occurring within a year. This measure can be used in conjunction with a monetary value assigned to data to compute single loss expectancy (SLE) and annual loss expectancy (ALE) values.

When you're computing risk assessment, remember this formula:

SLE × ARO = ALE

Thus, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be equivalent to $1,000 and that there will be seven occurrences a year (ARO), then the ALE is $7,000. Conversely, if there is only a 10 percent chance of an event occurring in a year (ARO = 0.1), then the ALE drops to $100.

The Annualized Loss Expectancy (ALE) is the expected monetary loss for an asset due to a risk over a one-year period. It is defined as:

ALE = SLE × ARO

where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence.

An important feature of the Annualized Loss Expectancy is that it can be used directly in a cost-benefit analysis. If a threat or risk has an ALE of $5,000, then it may not be worth spending more resources per year on a security measure which will eliminate it.

Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending upon whether you are focusing on dollar amounts or not. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO) are all based on doing assessments that lead to dollar amounts and are thus quantitative.

Know how to calculate risk. Risk can be calculated either qualitatively (subjective) or quantitatively (objective). Quantitative calculations assign dollar amounts, and the basic formula is SLE × ARO = ALE where SLE is the single loss expectancy, ARO is the annualized rate of occurrence, and ALE is the annual loss expectancy.

ALE – A calculation that is used to identify risks and calculate the expected loss each year.
For each vulnerability associated with each asset, you must do the following to quantify risk:
  1. Estimate the cost of replacing or restoring that asset (its Single Loss Expectancy)
  2. Estimate the vulnerability's expected Annual Rate of Occurrence
  3. Multiply these to obtain the vulnerability's Annualized Loss Expectancy
Three categories are commonly used to rate the likelihood of a risk for comparison: High (1.0), Medium (0.5), and Low (0.1).
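The three steps above, the cost-benefit test, and the prioritization advice fit in a few functions. The Python below is an added example (not from these notes or the cited study guides) that computes SLE from AV and EF, ALE from SLE and ARO, ranks a set of risks by ALE, and compares a countermeasure's annual cost with the ALE reduction it buys; the asset values, exposure factors and rates in SAMPLE_RISKS are constructed, with the first row matching the $1,000 SLE and ARO of 7 used in the text.

```python
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF, where EF is the fraction of the asset's value lost in one occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO; ARO is below 1 for events expected less than once a year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro

def safeguard_value(ale_before, ale_after, annual_safeguard_cost):
    """Net annual benefit of a countermeasure: ALE reduction minus its yearly cost.
    Positive means the safeguard pays for itself; negative means spending that much
    per year costs more than the loss it prevents."""
    return (ale_before - ale_after) - annual_safeguard_cost

def prioritize(risks):
    """Rank (name, AV, EF, ARO) tuples by ALE, highest first, so budget goes to the
    events that are both likely and impactful."""
    scored = [(name, annualized_loss_expectancy(single_loss_expectancy(av, ef), aro))
              for name, av, ef, aro in risks]
    return sorted(scored, key=lambda r: r[1], reverse=True)

# Constructed figures for illustration only (name, asset value, exposure factor, ARO).
SAMPLE_RISKS = [
    ("web server defacement", 10000, 0.10, 7),     # SLE $1,000, seven times a year
    ("datacenter flood", 500000, 0.40, 0.05),      # SLE $200,000, once in twenty years
    ("laptop theft", 2500, 1.00, 0.5),             # SLE $2,500, once every two years
]

if __name__ == "__main__":
    for name, ale in prioritize(SAMPLE_RISKS):
        print(f"{name:<24} ALE ${ale:,.0f}")
    # A $3,000/year control that cuts defacement ARO from 7 to 0.7 (ALE $7,000 -> $700).
    print("net value of control:", safeguard_value(7000, 700, 3000))
```

Note how the flood, which happens rarely but costs a great deal, outranks the frequent but cheap defacement: ALE is what makes such unlike events comparable on one scale.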

References:

2.1 Explain risk related concepts

Explain risk related concepts

1.5 Identify commonly used default network ports

Identify commonly used default network ports

TCP Port #   UDP Port #   Service
20           -            FTP (data channel)
21           -            FTP (control channel)
22           -            SSH; SCP; SFTP (over SSH)
989          989          FTPS (data): FTP over TLS/SSL
990          990          FTPS (control): FTP over TLS/SSL
-            69           Trivial File Transfer Protocol (TFTP)
23           -            Telnet
80           -            Hypertext Transfer Protocol (HTTP)
443          -            HTTPS (Hypertext Transfer Protocol over SSL/TLS)
137          137          NetBIOS Name Service
138          138          NetBIOS Datagram Service
139          139          NetBIOS Session Service

1.6.8 SSID Broadcast

SSID broadcast

The SSID (Service Set IDentifier), or network name, of your wireless network is required for devices to connect to it.

SSID broadcast is a function performed by an Access Point (AP): it transmits its name so that wireless stations searching for a network connection can 'discover' it. It is what allows your wireless adapter's software to give you a list of the APs in range.

Wireless APs and routers can automatically broadcast their network name (SSID) into open air at regular intervals (every few seconds) to announce their presence. This feature of Wi-Fi network protocols is intended to allow clients to dynamically discover and roam between WLANs.

One method of "protecting" the network that is often recommended is to turn off the SSID broadcast. This should be considered a very weak form of security because it is trivial for an attacker to discover the presence of the access point by means other than the SSID broadcast.

Security by obscurity is no security at all.

Because SSIDs are not encrypted or otherwise scrambled, it is easy to grab one by snooping the WLAN for SSID broadcast messages coming from the router or AP. Knowing your SSID brings hackers one step closer to a successful intrusion.

All 802.11 wireless networks, regardless of the kind of operating system or encryption you might use, also emit unencrypted frames at times. One kind of unencrypted frame is an association frame. This is what a client computer, or "supplicant" in the 802.11 protocol vernacular, emits when it wants to join a wireless network. Contained within the frame, in clear text of course (since the frame is unencrypted), is the SSID of the network the supplicant wants to join.

An SSID is a network name, not a password. It is not designed to be hidden.

A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. It's a violation of the 802.11 specification to keep your SSID hidden and, even if you think your SSID is hidden, it really isn't.

Having SSID broadcast disabled essentially makes your Access Point invisible unless a wireless client already knows the SSID, or is using tools that monitor or 'sniff' traffic from an AP's associated clients.
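The reason hiding the SSID hides nothing is visible in the 802.11 frame layout: a "hidden" beacon merely carries a zero-length SSID element, while the association request the text mentions must carry the full SSID, unencrypted. The Python below is an added example (not from these notes) that builds the bodies of a constructed beacon and association request (the fixed fields and tagged elements that follow the 24-byte MAC header) and extracts the SSID element from each; the network name CorpWiFi, the capability and interval values, and the rate set are constructed.

```python
import struct

SSID_ELEMENT = 0              # Element ID 0 = SSID
SUPPORTED_RATES_ELEMENT = 1   # Element ID 1 = Supported Rates
SAMPLE_RATES = bytes([0x82, 0x84, 0x8B, 0x96])   # 1, 2, 5.5, 11 Mbps (basic rates)

def element(tag, value):
    """Encode one tagged element: ID(1) Length(1) Value."""
    return struct.pack("BB", tag, len(value)) + value

def beacon_body(ssid, hidden=False):
    """Beacon frame body: timestamp(8) beacon interval(2) capability(2) then elements.
    With SSID broadcast disabled the AP still sends beacons; the SSID element is just empty."""
    fixed = struct.pack("<QHH", 0, 100, 0x0431)          # constructed sample values
    ssid_value = b"" if hidden else ssid.encode()
    return fixed + element(SSID_ELEMENT, ssid_value) + element(SUPPORTED_RATES_ELEMENT, SAMPLE_RATES)

def assoc_request_body(ssid):
    """Association request body: capability(2) listen interval(2) then elements.
    The SSID element is mandatory here and management frames are not encrypted."""
    fixed = struct.pack("<HH", 0x0431, 10)
    return fixed + element(SSID_ELEMENT, ssid.encode()) + element(SUPPORTED_RATES_ELEMENT, SAMPLE_RATES)

def parse_elements(data):
    """Walk the tagged elements and return {element_id: value}; a truncated element ends the walk."""
    elements = {}
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            break
        elements[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return elements

def ssid_from_beacon(body):
    """SSID announced in a beacon; empty string when the AP hides it."""
    return parse_elements(body[12:]).get(SSID_ELEMENT, b"").decode(errors="replace")

def ssid_from_assoc_request(body):
    """SSID a client names when it joins; present whether or not the AP hides it."""
    return parse_elements(body[4:]).get(SSID_ELEMENT, b"").decode(errors="replace")

if __name__ == "__main__":
    print("hidden beacon SSID:", repr(ssid_from_beacon(beacon_body("CorpWiFi", hidden=True))))
    print("association request SSID:", ssid_from_assoc_request(assoc_request_body("CorpWiFi")))
```

The point for a defender is that the only control that actually protects the network is the encryption and authentication configured on it (WPA2 in the period these notes cover); the SSID setting should be treated as a label, as the text says, and not as a security knob.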

Related Terms
  • Site survey
  • War driving
  • War chalking
  • Basic Service Set (BSS)
  • Access Point (AP)
References:
  • http://blogs.technet.com/b/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx
  • http://compnetworking.about.com/cs/wirelessproducts/qt/disablessidcast.htm
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.6.4 EAP

EAP

Extensible Authentication Protocol (EAP) is an Internet Engineering Task Force (IETF) standard that provides an infrastructure for network access clients and authentication servers to host plug-in modules for current and future authentication methods. EAP is used to authenticate Point-to-Point Protocol (PPP)-based connections (such as dial-up, virtual private network remote access, and site-to-site connections) and for IEEE 802.1X-based network access to authenticating Ethernet switches and wireless access points (APs).

EAP is used primarily in WEP/WPA/WPA2-based wireless networks for securely transporting authentication data. EAP separates the message exchange from the authentication process through the use of a different exchange layer and it provides a module-based infrastructure that supports several different authentication methods.

EAP is an authentication framework (not a specific authentication mechanism) frequently used in wireless networks and Point-to-Point connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and was updated by RFC 5247.

It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined.

Five EAP methods are adopted by the WPA/WPA2 standard: EAP-TLS, EAP-PSK, EAP-MD5, LEAP and PEAP.

The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary EAP method developed by Cisco Systems prior to the IEEE ratification of the 802.11i security standard.

The Protected Extensible Authentication Protocol (Protected EAP or PEAP) is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. Its purpose was to correct a deficiency in EAP, which assumed a protected communication channel and therefore provided no facilities for protecting the EAP conversation itself. PEAP is more secure because it establishes an encrypted channel between the server and the client.
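To make the "framework, not a method" distinction concrete, here is an added Python example (my own, not code from the notes or from any EAP implementation) that encodes and decodes the RFC 3748 packet layout and walks a supplicant through the method negotiation: it answers the Identity request, refuses an offered method it is not allowed to use by sending a Nak that lists the acceptable ones, and accepts PEAP when the server offers it. The identity alice@example, the policy set and the challenge bytes are constructed; the method type numbers are the registered IANA values.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method Type numbers from the IANA EAP registry (RFC 3748 and the method RFCs).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 47: "EAP-PSK"}
TYPE_IDENTITY, TYPE_NAK = 1, 3


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Encode Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    if len(packet) < 4:
        raise ValueError("short EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES or length < 4 or length > len(packet):
        raise ValueError("malformed EAP packet")
    body = packet[4:length]                       # bytes past Length are padding
    if code in (3, 4):                            # Success/Failure carry no Type
        return {"code": EAP_CODES[code], "id": identifier, "type_num": None, "data": b""}
    if not body:
        raise ValueError("Request/Response without Type")
    return {"code": EAP_CODES[code], "id": identifier, "type_num": body[0],
            "type": EAP_TYPES.get(body[0], f"unknown({body[0]})"), "data": body[1:]}


def peer_respond(request, identity, allowed_methods):
    """Supplicant-side negotiation: answer Identity, accept an allowed method,
    otherwise send a Nak listing the methods we are willing to run."""
    req = parse_eap(request)
    if req["code"] != "Request":
        return None
    t = req["type_num"]
    if t == TYPE_IDENTITY:
        # The outer identity travels in clear text; tunnelled methods such as
        # PEAP send the real user name only inside the TLS tunnel.
        return build_eap(2, req["id"], TYPE_IDENTITY, identity.encode("utf-8"))
    if t in allowed_methods:
        # Method-specific Type-Data (for PEAP, the TLS handshake) follows from here.
        return build_eap(2, req["id"], t, b"")
    nak_list = bytes(sorted(allowed_methods))     # desired Types, one byte each
    return build_eap(2, req["id"], TYPE_NAK, nak_list)


if __name__ == "__main__":
    # Constructed exchange: server offers MD5-Challenge, peer only allows PEAP.
    policy = {25}
    for req in (build_eap(1, 1, TYPE_IDENTITY),
                build_eap(1, 2, 4, b"\x10" + b"\x00" * 16),
                build_eap(1, 3, 25, b"\x20")):
        rsp = peer_respond(req, "alice@example", policy)
        print(parse_eap(req)["type"], "->", parse_eap(rsp)["type"])
```

The Nak is the mechanism by which a supplicant policy such as "PEAP only" is enforced on the wire; a server that then keeps offering MD5-Challenge simply never authenticates the client.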

References:
  • http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
  • http://technet.microsoft.com/en-us/network/bb643147
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.4.10 SFTP

SFTP

In computing, the SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management functionality over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) version 2.0, but is also intended to be usable with other protocols.

SFTP is not FTP run over SSH, but rather a new protocol designed from the ground up by the IETF SECSH working group.

The protocol itself does not provide authentication and security; it assumes that it is run over a secure channel, i.e. it expects the underlying protocol to secure this and that the server has already authenticated the client, and the identity of the client user is available to the protocol. SFTP is most often used as a subsystem of SSH protocol version 2 implementations.

Unlike standard FTP, SFTP encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you can't use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.

References:

1.6.1 WPA

WPA

Wi-Fi Protected Access (WPA) is a security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless networks and surpass the older Wired Equivalent Privacy (WEP) protocol. The Alliance defined WPA in response to serious weaknesses researchers had found in WEP.

WPA (defined in the draft IEEE 802.11i standard) became available around 1999 and was intended as an intermediate measure in anticipation that it would be replaced by the more secure WPA2 protocol.

There are two versions, WPA and WPA2, with the latter being the full implementation of the security features.
The difference between WPA and WPA2 is that WPA implements most, but not all, of 802.11i in order to remain able to communicate with older wireless cards, and it uses the RC4 encryption algorithm with TKIP, while WPA2 implements the full standard and is not compatible with older cards.

WPA also mandates the use of the Temporal Key Integrity Protocol (TKIP), while WPA2 favors Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization vector. With the larger initialization vector, it increases the difficulty in cracking and minimizes the risk of replay.

WEP used a 40-bit or 128-bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.

TKIP basically works by generating a sequence of WEP keys based on a master key and re-keying periodically, before enough data volume can be captured to allow recovery of the WEP key. TKIP changes the key every 10,000 packets, which is quick enough to defeat statistical analysis of the cipher.
TKIP also adds the Message Integrity Code (MIC) to the picture. The transmission's CRC and ICV (Integrity Check Value) are checked. If the packet was tampered with, WPA stops using the current keys and re-keys.

As a simplified timeline useful for exam study, think of WEP as coming first. It was fraught with errors and WPA (with TKIP) was used as an intermediate solution, implementing a portion of the 802.11i standard. The final solution, a full implementation of the 802.11i standard, is WPA2 (with CCMP) [5].

WPA (and WEP before it) couples the RC4 encryption algorithm with TKIP, while WPA2 favors Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization vector.

WPA was an intermediate solution that implemented only a portion of the 802.11i standard. The final solution—a full implementation of the 802.11i standard—is WPA2, which uses CCMP.

Security researchers showed theoretically how WPA could be broken in November 2008, in what is known as the "Beck-Tews method", developed by researchers Martin Beck and Erik Tews [3].

The attack works only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm; it does not work on newer WPA2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm.

WPA can use a pre-shared key (PSK or Personal WPA) or it can use an authentication server (Enterprise) that distributes the keys. In the PSK method, all devices on the wireless LAN must use the same passphrase key to access the network. The authentication server method is more scalable to support environments with a large number of clients.

The strength of a WPA network is only as strong as the passphrase used, which is from 8 to 63 characters long.
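The following added Python example (mine, not from the notes) shows why the passphrase is the whole strength of WPA-Personal: every station derives the same 256-bit pairwise master key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes), which is the derivation specified in IEEE 802.11i and used by tools such as wpa_passphrase, so the only secret input is the passphrase itself. The block also includes a receiver-side check on the 48-bit TKIP sequence counter, which is how the larger per-packet IV mentioned above is used to reject replayed packets. The passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector; the sequence numbers are constructed.

```python
import hashlib


def passphrase_problem(passphrase):
    """WPA-PSK passphrase rules: 8 to 63 printable ASCII characters.
    Returns None if acceptable, otherwise a reason string."""
    if not 8 <= len(passphrase) <= 63:
        return "passphrase must be 8 to 63 characters"
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        return "passphrase must be printable ASCII"
    return None


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit PSK (used directly as the PMK) from passphrase and SSID:
    PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output, per IEEE 802.11i."""
    problem = passphrase_problem(passphrase)
    if problem:
        raise ValueError(problem)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


class TkipSequenceCheck:
    """Receiver-side replay check on the 48-bit TKIP sequence counter (TSC),
    which is carried as the per-packet IV: a packet whose TSC is not greater
    than the last accepted one is dropped."""
    TSC_MAX = (1 << 48) - 1

    def __init__(self):
        self.last_tsc = -1

    def accept(self, tsc):
        if not 0 <= tsc <= self.TSC_MAX or tsc <= self.last_tsc:
            return False
        self.last_tsc = tsc
        return True


if __name__ == "__main__":
    # Published 802.11i test vector: "password" / "IEEE"
    print(wpa_psk("password", "IEEE").hex())
    rx = TkipSequenceCheck()
    print([rx.accept(n) for n in (1, 2, 2, 5, 3)])    # [True, True, False, True, False]
```

Because the SSID is the PBKDF2 salt, a common SSID (such as a vendor default) lets an attacker reuse precomputed work across many networks; a long, unusual passphrase and a non-default SSID are the two inputs an administrator controls.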

References:

  1. http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
  2. http://www.ezlan.net/wpa_wep.html
  3. http://www.zdnet.com/blog/btl/researchers-crack-wpa-wi-fi-encryption-in-60-seconds/23384
  4. http://www.practicallynetworked.com/security/041207wpa_psk.htm
  5. CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  6. CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.4.9 HTTPS

HTTPS

Hyper Text Transfer Protocol Secure (HTTPS) is a secure version of the Hyper Text Transfer Protocol (HTTP). HTTPS is a combination of Hypertext Transfer Protocol (HTTP) with the SSL/TLS protocol. It provides encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.

HTTPS combines HTTP with SSL/TLS to provide encrypted communication. When a user connects to a website via HTTPS, the website encrypts the session with a digital certificate. A user can tell if they are connected to a secure website if the website URL begins with https:// instead of http://.

The default port is 443 and the URL begins with https://.

The main idea of HTTPS is to create a secure channel over an insecure network.

HTTPS is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server.

HTTPS uses SSL to secure the channel between the client and server.

HTTPS is not to be confused with S-HTTP, a security-enhanced version of HTTP developed and proposed as a standard by EIT.

The protocol was originally created by Netscape for use with their browser and became a finalized standard with RFC 2818.

Secure Hypertext Transport Protocol (S-HTTP) is HTTP with message security (added by using RSA or a digital certificate). Whereas HTTPS creates a secure channel, S-HTTP creates a secure message. S-HTTP can use multiple protocols and mechanisms to protect the message. It also provides data integrity and authentication.

S-HTTP is seldom used and defaults to using port 80 (the HTTP port).

References:

1.4.8 FTPS

FTPS

FTPS (FTP over SSL) is an extension to the File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols for channel encryption as defined in RFC 2228.

Well-known TCP & UDP ports for FTPS:
  • 989 – FTPS (data channel)
  • 990 – FTPS (control channel)
Much like HTTPS, but unlike SFTP, FTPS servers may provide a public key certificate.

Both FTPS and SFTP use a combination of an asymmetric algorithm (RSA, DSA), a symmetric algorithm (DES/3DES, AES, Twofish and so on), and a key-exchange algorithm. For authentication, FTPS uses X.509 certificates, whereas SFTP (SSH protocol) uses SSH keys.

It's a good idea to use FTPS when you have a server that needs to be accessed from personal devices or from some specific operating systems that have FTP support but don't have SSH/SFTP clients.

Pros of FTPS:
  • Widely known and used
  • The communication can be read and understood by humans
  • Provides services for server-to-server file transfer
  • SSL/TLS has good authentication mechanisms (X.509 certificate features)
  • FTP and SSL/TLS support is built into many Internet communication frameworks
Cons of FTPS:
  • Doesn't have a uniform directory listing format
  • Requires a secondary DATA channel, which makes it hard to use behind firewalls
  • Doesn't define a standard for file name character sets (encodings)
  • Not all FTP servers support SSL/TLS
  • Doesn't have a standard way to get and change file and directory attributes
SFTP (“SSH FTP”) is based on SSH (Secure Shell) version 2. It uses the same communication channels and encryption mechanisms as SSH.

There are several implementations of FTPS, including those with “implicit SSL” where a distinct service listens for encrypted connections, and “explicit SSL” where the connection runs over the same service and is switched to an encrypted connection by a protocol option. In addition, there are several potential combinations of what parts of an FTPS connection are actually being encrypted, such as “only encrypted login” or “encrypted login and data transfer”.
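As an added example of the "explicit SSL" variant described above (my own code, not from the notes or any FTP client), the following Python drives the control-channel upgrade against a scripted stand-in server: the client sends AUTH TLS and proceeds only on a 234 reply, then protects the data channel with PBSZ 0 and PROT P before it sends USER and PASS. The scripted replies, the user name alice and the password are constructed; the reply codes are the standard FTP ones.

```python
class ScriptedServer:
    """Constructed stand-in for an FTP server's control channel: canned reply per verb."""

    def __init__(self, replies):
        self.replies = replies
        self.log = []                      # every command line the client sent

    def send(self, line):
        self.log.append(line)
        return self.replies.get(line.split()[0], "500 Unknown command")


def explicit_ftps_login(server, user, password):
    """Explicit FTPS: upgrade the control channel with AUTH TLS, protect the
    data channel with PBSZ 0 / PROT P, and only then log in.
    Returns (ok, reason)."""
    if not server.send("AUTH TLS").startswith("234"):
        return False, "server refused AUTH TLS; credentials withheld"
    # A real client now performs the TLS handshake on the control socket and
    # verifies the server certificate before sending anything further.
    if not server.send("PBSZ 0").startswith("200"):
        return False, "PBSZ 0 rejected"
    if not server.send("PROT P").startswith("200"):
        return False, "PROT P rejected: data channel would stay in clear text"
    if not server.send(f"USER {user}").startswith("331"):
        return False, "USER rejected"
    if not server.send(f"PASS {password}").startswith("230"):
        return False, "login failed"
    return True, "control and data channels protected"


def credentials_sent(server):
    """True if USER or PASS ever went over this control channel."""
    return any(line.startswith(("USER ", "PASS ")) for line in server.log)


if __name__ == "__main__":
    good = ScriptedServer({"AUTH": "234 AUTH TLS successful", "PBSZ": "200 PBSZ=0",
                           "PROT": "200 Protection level set to P",
                           "USER": "331 Password required", "PASS": "230 Login successful"})
    print(explicit_ftps_login(good, "alice", "constructed-password"))
    legacy = ScriptedServer({"AUTH": "502 Command not implemented",
                             "USER": "331 Password required", "PASS": "230 Login successful"})
    print(explicit_ftps_login(legacy, "alice", "constructed-password"), credentials_sent(legacy))
```

Python's standard library does the same sequence in `ftplib.FTP_TLS` (`auth()` then `prot_p()`); the failure mode to watch for is a client that falls back to plain FTP and sends the password anyway when AUTH TLS is refused.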

References:

1.6 Implement wireless network in a secure manner

Implement wireless network in a secure manner


  • WPA
  • WPA2
  • WEP
  • EAP
  • PEAP
  • LEAP
  • MAC filter
  • SSID broadcast
  • TKIP
  • CCMP
  • Antenna Placement
  • Power level controls

1.4.6 SSL

SSL

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols that provide communication security over the Internet. SSL (and TLS) encrypt the segments of network connections at the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

SSL establishes a session using asymmetric encryption and maintains the session using symmetric encryption.
The primary goal of the SSL protocol is to provide privacy and reliability between two communicating applications.

The SSL protocol uses an encryption scheme between the two systems. The client initiates the session, the server responds, indicating that encryption is needed, and then they negotiate an appropriate encryption scheme.

TLS is a newer protocol that merges SSL with other protocols to provide encryption. TLS supports SSL connections for compatibility, but it also allows other encryption protocols, such as Triple DES, to be used. SSL/TLS uses port 443 and TCP for connections.

When a connection request is made to the server, the server sends a message back that initiates the connection negotiation process. This negotiation includes the capabilities of the parties and sharing of certificates, session keys and encryption keys. The session is secure at the end of this process.


This session will stay open until one end or the other issues a command to close it. The command is typically issued when a browser is closed or another URL is requested.

Earlier browsers often used 40- or 56-bit SSL encryption. Modern browsers can work with 128-bit or higher encrypted sessions/certificates.

An SSL certificate enables encryption of sensitive information during online transactions. Each SSL certificate is a unique credential identifying the certificate owner. A Certificate Authority (CA) authenticates the identity of the certificate owner before it is issued.

Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it.

TLS is a security protocol that uses SSL, and it allows the use of other security protocols. The TLS protocol is also referred to as SSL 3.1, but despite its name, it doesn't interoperate with SSL. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.


References:





1.4.4 DNS

DNS

DNS (Domain Name Server) allows you to use a host name such as www.google.com instead of 74.125.239.50 (or any one of several IP addresses used to reach the Google web site). DNS makes it more convenient to use the Internet.

The Microsoft Outlook mail server may respond when you refer to it as outlook.com, however at its core it wants to be addressed as 157.56.238.11 or whatever its current IP address is. It would be very inconvenient to have to use IP addresses exclusively; DNS was invented to allow the use of the more user-friendly host names.


It provides a distributed and robust mechanism that resolves Internet host names into IP addresses and vice versa. Unfortunately many security weaknesses surround IP and the protocols carried by IP. DNS is not immune to these security weaknesses.

DNS provides a way to know the IP address of any host on the Internet.

DNS attacks can be aimed at the DNS protocol (DNS spoofing, DNS ID hacking, DNS cache poisoning) or the DNS server (software bugs, denial of service).

DNS can be hacked in one of two ways:
  • Protocol-based – attacks based on how DNS actually works
  • Server-based – attacks based on exploiting flaws in the software on the servers running the DNS services.
Here are some specific DNS compromises:
  1. Malicious Cache Poisoning or DNS Spoofing – When a DNS server does not have the answer to a query within its cache, the DNS server can pass the query onto another DNS server on behalf of the client. If the server passes the query onto another DNS server that has intentionally tainted information, then the result is malicious cache poisoning or DNS spoofing. Cache poisoning relates to an attack consisting of making a DNS server cache false information.
  2. Rogue DNS servers – Unauthorized servers that can intercept DNS queries and provide tainted responses. Rogue DNS servers pose a threat to the Internet community because the information these servers contain may not be trustworthy.
  3. Redirection – When an attacker is able to redirect queries for DNS names to servers under the control of the attacker.
  4. Footprinting – The process by which DNS zone data is obtained by an attacker to provide the attacker with the DNS domain names, computer names, and IP addresses for sensitive network resources.
  5. Denial-of-service attack – When an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries.
Countermeasures to DNS attacks include keeping up to date with system and application patches, implementing DNSSEC wherever possible, securing open DNS servers, etc.

DNS visualization and analysis tools such as dnsviz.net and dnssec-debugger.verisignlabs.com test whether a particular site has deployed DNSSEC.
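The cache poisoning and spoofing items above come down to a resolver accepting a reply it should not have. The following added Python example (my own, not from the notes) builds constructed DNS messages with the standard wire format, including name compression, and shows the checks a resolver makes before caching a reply: the transaction ID must match the outstanding query, the QR bit must be set, the question section must echo what was asked, and every answer record must be for the name that was queried (a simplified bailiwick rule; a full resolver also follows CNAME chains and applies the same rule to the authority and additional sections). The names, the 192.0.2.x addresses and the IDs are constructed.

```python
import struct

A, IN = 1, 1


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a domain name, following compression pointers; return (name, next_off)."""
    labels, next_off, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                next_off = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                next_off = off
            return ".".join(labels).lower(), next_off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(qid, qname):
    """Constructed A query with the RD flag set."""
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", A, IN))


def build_response(qid, qname, answers):
    """Constructed response. answers = [(owner_name, ipv4)]; an owner equal to
    qname is written as a pointer to the question name, as real servers do."""
    msg = struct.pack("!HHHHHH", qid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", A, IN)
    for owner, ip in answers:
        owner_bytes = b"\xc0\x0c" if owner == qname else encode_name(owner)
        msg += owner_bytes + struct.pack("!HHIH", A, IN, 300, 4)
        msg += bytes(int(x) for x in ip.split("."))
    return msg


def validate_response(expected_id, qname, msg):
    """Checks a stub resolver should make before trusting or caching a reply."""
    qname = qname.lower()
    rid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != expected_id:
        return False, "transaction ID mismatch (possible spoofed reply)", []
    if not flags & 0x8000:
        return False, "QR bit not set: not a response", []
    if qdcount != 1:
        return False, "unexpected question count", []
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    if (name, qtype, qclass) != (qname, A, IN):
        return False, "question section does not match what we asked", []
    addresses = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if owner != qname:
            # Data for a name we did not ask about must never enter the cache.
            return False, f"out-of-bailiwick record for {owner}", []
        if (rtype, rclass, rdlen) == (A, IN, 4):
            addresses.append(".".join(str(b) for b in rdata))
    return True, "ok", addresses


if __name__ == "__main__":
    qid, qname = 0x1234, "www.example.com"
    print(validate_response(qid, qname, build_response(qid, qname, [(qname, "192.0.2.10")])))
    print(validate_response(qid, qname, build_response(0x9999, qname, [(qname, "192.0.2.66")])))
```

The ID check is only 16 bits of entropy, which is why modern resolvers also randomize the UDP source port and why DNSSEC, which signs the records themselves, is the countermeasure the notes recommend.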

References:

1.4.3 SSH

SSH

Secure Shell (SSH) is a protocol for securely opening a remote login connection or other network services over an insecure network. It is a secure replacement for the ARPA/Berkeley services Telnet, rlogin, rsh and rcp, and it consists of four major components:
  • The Transport Layer Protocol – This layer handles initial key exchange as well as server authentication, and sets up encryption, compression and integrity verification.
  • The User Authentication Protocol – This layer authenticates the client-side user to the server.  It runs over the transport layer protocol.
  • The Connection Protocol – This layer defines the concept of channels, channel requests and global requests using which SSH services are provided. It multiplexes the encrypted tunnel into several logical channels.  It runs over the user authentication protocol.
  • The SSHFP DNS record – This record provides the public host key fingerprints in order to aid in verifying the authenticity of the host.
A remote access method provides the ability for users to connect to devices remotely. SSH is one of many remote access methods. Others include Virtual Private Network (VPN), IPSec, Terminal Access Controller Access Control System (TACACS/TACACS+) and Remote Authentication Dial-In User Service (RADIUS).

SSH allows connections to be secured by encrypting the session between the client and the server.
SSH is a tunneling protocol. It uses encryption to establish a secure connection between two systems. It transmits both authentication and data traffic in a secured encrypted form. No information is exchanged in clear text. SSH listens at TCP port 22 for connection requests.

SSH is primarily intended for interactive terminal sessions such as logging onto a remote host; however, it can be used to encrypt and authenticate a variety of communication sessions and remote command execution.

SSHv2 includes security improvements over the original SSHv1, e.g. Diffie-Hellman key exchange and message authentication codes for strong integrity checking.

The SSH suite encapsulates three secure utilities: slogin, ssh and scp.
Secure Shell (SSH) is a network protocol that allows data to be exchanged using a secure channel between two computers. Encryption provides confidentiality and integrity of data over an insecure network, such as the Internet. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user.

SSH is used to log into a remote machine and execute commands. It can transfer files using the associated SFTP or SCP protocols. It also supports tunneling, forwarding arbitrary TCP ports and X11 connections. The SSH server listens on the standard TCP port 22.
SSH-1 has inherent design flaws which make it vulnerable to a variety of attacks; it is considered obsolete and should be avoided by explicitly disabling fallback to SSH-1 when possible.
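The SSHFP component listed above is the piece of SSH most readers have not seen in practice, so here is an added Python example (my own, not from the notes or OpenSSH) that computes SSHFP records from a host's public key line and performs the client-side comparison. The fingerprint is the SHA-1 or SHA-256 digest of the raw key blob (the base64 part of the key line), which is what `ssh-keygen -r hostname` publishes; the ed25519 key bytes and the host name host.example are constructed, not a real key.

```python
import base64
import hashlib
import struct

# SSHFP RDATA: algorithm number, fingerprint type, fingerprint (RFC 4255 and updates).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASHES = {1: "sha1", 2: "sha256"}


def read_ssh_string(blob, off):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (length,) = struct.unpack_from("!I", blob, off)
    return blob[off + 4:off + 4 + length], off + 4 + length


def parse_pubkey_line(line):
    """Parse 'type base64blob [comment]' (the host key .pub / known_hosts format)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(parts[1], validate=True)
    inner_type, _ = read_ssh_string(blob, 0)
    if inner_type.decode("ascii") != parts[0]:
        raise ValueError("key type label does not match the key blob")
    return parts[0], blob


def sshfp_records(owner, line):
    """Zone-file SSHFP records (SHA-1 and SHA-256) for a host's public key;
    the fingerprint is the hash of the raw key blob."""
    key_type, blob = parse_pubkey_line(line)
    algorithm = SSHFP_ALGORITHMS[key_type]
    return [f"{owner} IN SSHFP {algorithm} {fp_type} {hashlib.new(h, blob).hexdigest()}"
            for fp_type, h in SSHFP_HASHES.items()]


def matches_sshfp(line, algorithm, fp_type, fingerprint_hex):
    """Client-side check: does the key the host presented match the DNS record?"""
    key_type, blob = parse_pubkey_line(line)
    if SSHFP_ALGORITHMS.get(key_type) != algorithm or fp_type not in SSHFP_HASHES:
        return False
    return hashlib.new(SSHFP_HASHES[fp_type], blob).hexdigest() == fingerprint_hex.lower()


def constructed_ed25519_line(raw_pub32, comment="constructed-host-key"):
    """Build a syntactically valid ssh-ed25519 key line from 32 raw bytes
    (a constructed sample for this example, not a real key)."""
    blob = struct.pack("!I", 11) + b"ssh-ed25519" + struct.pack("!I", 32) + raw_pub32
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


if __name__ == "__main__":
    line = constructed_ed25519_line(bytes(range(32)))
    for record in sshfp_records("host.example.", line):
        print(record)
```

An OpenSSH client with `VerifyHostKeyDNS yes` performs the `matches_sshfp` comparison itself; the records are only trustworthy when the zone is DNSSEC-signed, since otherwise a spoofed reply could vouch for an attacker's key.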
References:

1.4.5 TLS

TLS

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications in scenarios where that data is being sent across an insecure network, such as checking your email. The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1.

The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.

TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server is successful. If the TLS handshake fails for any reason, the connection is never created.

The main benefit in opting for TLS over SSL is that TLS was conceived as an open-community standard, meaning TLS is more extensible and will likely be more widely supported in the future with other Internet standards. TLS is even backwards compatible, possessing the ability to "scale down" to SSL if necessary to support secure client-side connections that only understand SSL.

Another more immediate benefit, however, is that TLS allows both secure and insecure connections over the same port, whereas SSL requires a designated secure-only port.

TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

TLS is an IETF standards track protocol, last updated in RFC 5246, and is based on the earlier SSL specifications developed by Netscape Communications.
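The HTTPS, SSL and TLS sections all describe the same opening move: an unprotected "hello" in which the client announces its capabilities and the two sides negotiate a cipher. The following added Python example (my own, not from the notes or any TLS library) builds a constructed ClientHello record and parses it the way a passive inspection tool would, recovering the offered protocol version, the cipher suite list and the server name indication, and flagging NULL, export-grade and RC4 suites. The host names and the client random are constructed; the version and cipher suite numbers are the IANA-registered values.

```python
import os
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# A few IANA cipher suite numbers; the last three are NULL, export and RC4 suites.
CIPHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
WEAK_SUITES = {0x0001, 0x0002, 0x0003, 0x0004, 0x0005}
EXT_SERVER_NAME = 0


def build_client_hello(version, suites, server_name, client_random=None):
    """Constructed ClientHello inside a TLS record (record-layer version 0x0301)."""
    body = struct.pack("!H", version) + (client_random or os.urandom(32))
    body += b"\x00"                                             # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                         # one compression method: null
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return version, offered cipher suites, SNI host and any weak suites offered."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    b = hs[4:4 + hs_len]
    off = 0
    version = struct.unpack_from("!H", b, off)[0]
    off += 2
    off += 32                                                   # client random
    off += 1 + b[off]                                           # session id
    cs_len = struct.unpack_from("!H", b, off)[0]
    off += 2
    suites = [struct.unpack_from("!H", b, off + i)[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + b[off]                                           # compression methods
    server_name = None
    if off + 2 <= len(b):                                       # extensions are optional
        ext_total = struct.unpack_from("!H", b, off)[0]
        off += 2
        end = off + ext_total
        while off + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", b, off)
            off += 4
            data = b[off:off + ext_len]
            off += ext_len
            if ext_type == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack_from("!H", data, 3)[0]
                server_name = data[5:5 + name_len].decode("ascii", "replace")
    return {
        "version": TLS_VERSIONS.get(version, hex(version)),
        "cipher_suites": suites,
        "server_name": server_name,
        "weak_offered": [CIPHER_SUITES.get(s, hex(s)) for s in suites if s in WEAK_SUITES],
    }


if __name__ == "__main__":
    rec = build_client_hello(0x0303, [0xC02F, 0x002F, 0x0004], "bank.example")
    print(parse_client_hello(rec))
```

Everything this parser sees is sent before any key exchange, which is the practical meaning of the "insecure hello" in the TLS section: the server name and the cipher list are visible to anyone on the path, and a server that accepts one of the weak suites a client offers is the misconfiguration to look for.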

References:

1.4.2 SNMP

SNMP

Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between network devices. It is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. SNMP is used for collecting information from, and configuring network devices, such as servers, printers, switches, and routers on a TCP/IP network. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

Three versions of SNMP exist: SNMPv1, SNMPv2 and SNMPv3. SNMPv2 provides security and improved remote monitoring over SNMPv1. Security in v1 and v2 consisted of a password (known as a community string) sent in the clear between the management station and the agent. SNMPv3 primarily added security and remote configuration enhancements.

Two versions of SNMP exist: SNMP Version 1 (SNMPv1) and SNMP Version 2 (SNMPv2). Both versions have a number of features in common, but SNMPv2 offers enhancements, such as additional protocol operations.

An SNMP managed network consists of four key components: managed devices, agents, network-management systems (NMS) and Management Information Base (MIB).
  • Managed device – a network device that contains an SNMP agent and resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP.
  • Agent – a software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.
  • NMS – runs on the management station and executes applications that monitor and control managed devices.
  • MIB – data shared between the agent and the NMS. The Agent collects data locally and stores it, as defined in the MIB. 
SNMP can access information stored in MIBs. A MIB (Management Information Base) is a collection of information that is organized hierarchically. MIBs hold information about managed objects and are identified by object identifiers.

Managed devices are monitored and controlled using four basic SNMP commands: read, write, trap, and traversal operations.

SNMPv3: RFC 3411–RFC 3418
SNMPv2: RFC 1441–RFC 1452
SNMPv1: RFC 1157

Vulnerabilities in SNMP include packet sniffing of the cleartext community strings (v1 and v2), brute-force and dictionary attacks on keys, and IP spoofing over UDP connections.

References:

1.4.1 IPSec

IPSec

IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks.

Its primary goals are data confidentiality, data integrity, and host authentication. The combination of integrity and authentication provides non-repudiation. IPSec also detects replay attacks.

IPSec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

Unlike protocols such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), that operate in the upper layers of the TCP/IP model, IPSec operates in the Internet Layer of the Internet Protocol Suite and protects any application traffic across an IP network. Applications do not need to be specifically designed to use IPSec.

Because IPSec is integrated at the Internet layer (layer 3), it provides security for almost all protocols in the TCP/IP suite, and because IPSec is applied transparently to applications, there is no need to configure separate security for each application that uses TCP/IP.

IPSec, although not a tunneling protocol, provides encryption to tunneling protocols; it's often used to enhance tunnel security.

Internet Protocol Security (IPSec) isn't a tunneling protocol, but it's used in conjunction with tunneling protocols. IPSec is oriented primarily toward LAN-to-LAN connections, but it can also be used with remote connections. IPSec provides secure authentication and encryption of data and headers; this makes it a good choice for security. IPSec can work in either Tunneling mode or Transport mode. In Tunneling mode, the data or payload and message headers are encrypted. Transport mode encrypts only the payload. IPSec is an add-on to IPv4 and built into IPv6.
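The replay detection mentioned above is done with a sliding window over the ESP/AH sequence number, and the algorithm is small enough to show in full. The following added Python example (my own, written from the description in RFC 4303 Appendix A, not code from any IPSec stack) keeps the highest sequence number accepted so far plus a 64-bit bitmap of the window below it: a packet is accepted if it is newer than anything seen, or inside the window and not yet marked; it is dropped if it is older than the window or already marked. The sequence numbers in the demo are constructed. In a real receiver this check runs only after the packet's integrity check value has been verified, so an attacker cannot advance the window with forged packets.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check for ESP/AH sequence numbers (RFC 4303
    Appendix A style). Bit i of the bitmap means sequence number
    last_seq - i has been received."""

    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0          # highest sequence number accepted so far
        self.bitmap = 0            # window of received packets below last_seq

    def check(self, seq):
        """Return True if seq is fresh (and record it), False if replayed or stale."""
        if seq == 0:
            return False           # sequence numbers start at 1 on a fresh SA
        if seq > self.last_seq:    # newer than anything seen: slide the window
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1    # jumped past the whole window
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False           # older than the window: drop
        if self.bitmap & (1 << diff):
            return False           # already received: replay
        self.bitmap |= 1 << diff
        return True


def replay_trace(sequence_numbers, size=64):
    """Run a constructed arrival order through one window; return accept/drop per packet."""
    window = AntiReplayWindow(size)
    return [window.check(n) for n in sequence_numbers]


if __name__ == "__main__":
    # Out-of-order delivery (3 before 2) is fine; a second copy of 2 is a replay;
    # after a jump to 100, packet 30 is too old but 37 is still inside the window.
    print(replay_trace([1, 3, 2, 2, 100, 30, 37, 99]))
    # [True, True, True, False, True, False, True, True]
```

The window is why IPSec tolerates reordering on the network without accepting duplicates; a window that is too small for the link's reordering drops legitimate traffic, which shows up as integrity-check or replay counters climbing on the security association.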

References:

1.4 Implement and use common protocols

Implement and use common protocols


1.3.8 Virtualization

Virtualization

Virtualization providers include proprietary solutions from VMware, Citrix, Microsoft and Red Hat, and open source solutions from Xen and VirtualBox, for example.

Virtualization technology allows you to take any single physical device and hide its characteristics from users—in essence allowing you to run multiple items on one device and make them appear as if they are stand-alone entities.

Virtualization is a method of running multiple independent virtual operating systems on a single physical computer.  It is a way of maximizing physical resources to maximize the investment in hardware.

A single server can host multiple (logical) virtual machines. Each virtual machine (VM) can run a different operating system, e.g. Ubuntu Linux, Microsoft Windows 2008 R2, etc. By using one host to do multiple functions, you can immediately gain cost savings in terms of hardware, utility, infrastructure, etc.

Virtualization presents security challenges. A user accessing the system could have access to everything on the system (not just within their virtual machine) if they could override the physical layer protection.

Some of the security risks that are possible with virtualization include the following:
  • Breaking Out of the Virtual Machine – If a malcontent could break out of the virtualization layer and be able to access the other virtual machines, they could access data they should never have access to.
  • Network and Security Controls Can Intermingle – The tools used to administer the virtual machine may not have the same granularity as those used to manage the network. This could lead to privilege escalation and a compromise of security.
  • Virtualization software, also called a hypervisor or the virtual machine monitor, emulates computer hardware allowing multiple operating systems to run on a single physical computer host. It is the software that allows the virtual machines to exist. If the hypervisor can be successfully attacked, the attacker can gain root-level access to all virtual systems.
There are two types of x86 server virtualization: bare-metal and hosted. Sometimes these types are referred to as Type-1 and Type-2 hypervisors respectively. Bare-metal means the virtualization layer (hypervisor) installs directly onto a server without the need for a traditional operating system like Windows or Linux to be installed first. “Hosted” means that an operating system must first be installed on a server, and the virtualization layer is installed afterwards, just like an application.

Types of virtualization include:
  • Server virtualization – run multiple independent virtual operating systems on a single physical computer.
  • Desktop virtualization – separating the logical desktop from the physical machine, e.g. virtual desktop infrastructure (VDI).
  • Application virtualization – hosting individual applications in an environment separated from the underlying OS.
  • Memory virtualization – aggregation of RAM resources from networked systems into a single memory pool
  • Network virtualization – creation of a virtualized network addressing space within or across network subnets
  • Storage virtualization – abstracting logical storage from physical storage
References:

1.3.7 NAC

NAC

NAC – Network access control is a method of bolstering the security of a proprietary network by restricting the availability of network resources only to endpoint devices that comply with a defined security policy.

NAC aims to control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.

When a computer connects to a computer network, it is not permitted to access anything unless it complies with a minimum set of parameters. Checks include the device's operating system, application patch level, anti-virus protection level, user access rights, system update level and configuration.

While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) any issues. Once the policy is met, the computer is able to access network resources and the Internet, within the policies defined within the NAC system.

NAC’s goals include:

  • Mitigation of proliferation – NAC solutions attempt to block end-stations that lack antivirus, patches, or host intrusion prevention software from accessing the network and placing other computers at risk.
  • Policy enforcement – NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in the network.
  • Identity and access management – Where conventional IP networks enforce access policies in terms of IP addresses, NAC environments attempt to do so based on authenticated user identities.
  • Operational security issues include network access control (NAC), authentication, and security topologies after the network installation is complete.

References:

  • http://en.wikipedia.org/wiki/Network_Access_Control
  • http://searchnetworking.techtarget.com/definition/network-access-control
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.6 Telephony

Telephony

When telephone technology is married with information technology, the result is known as telephony. A breach in your telephony infrastructure is just as devastating as any other violation and can lead to the loss of valuable data.

Telephony is the technology associated with the electronic transmission of voice, fax, or other information between distant parties using systems historically associated with the telephone.

Internet telephony is the use of the Internet rather than the traditional telephone company infrastructure and rate structure to exchange spoken or other telephone information. The term is used frequently to refer to computer hardware and software that performs functions traditionally performed by telephone equipment.

As more organizations migrate from land lines to Voice over IP (VoIP) for cost savings and agility, security is increasingly important for Internet Telephony. VoIP can be easily sniffed with tools such as Cain & Abel and is susceptible to Denial of Service (DoS) attacks because it rides on UDP. There is also the outage issue with VoIP in cases where the data network goes down and you lose the telephony as well.

Related terms include: POTS – plain old telephone system; PSTN – public switched telephone network; VoIP – voice over IP; PBX – private branch exchange; SPIT – spam over Internet Telephony.

References:
  • http://www.webopedia.com/TERM/T/telephony.html
  • http://searchunifiedcommunications.techtarget.com/definition/Telephony
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.5 Remote Access

Remote Access

Remote access is the broad collection of mechanisms that allow external entities to interact with an internal closed environment. One of the first tools for remote access was the dial-up modem. Today we regularly employ encrypted VPN tunnels.

Security over a remote access connection is critical and is typically provided by measures such as an encrypted tunnel and one-time passwords. Additionally, you need to be aware of every flow of data that penetrates the boundaries of your private LAN and fully control each and every bit of data moving across such a gateway. Monitor your environment and review logs.

A first-stage remote access defense is a separate authentication system for remote access that preauthenticates all connections before they are allowed to interact with the LAN itself. If the remote access user fails to properly authenticate to the first-stage defense barrier, they are denied access to the servers on the LAN.

Preauthentication systems make full network attacks from remote links more difficult. If the preauthentication system is disabled, then no communication is allowed from any remote access link. It is better to lose remote access capabilities than it is to lose the entire private LAN.

Remote access can occur over many pathways including broadband, VPN, wireless, satellite, remote control, and remote shell.

Connection filtering, offered by some preauthentication systems, allows for restrictions to be placed on remote access links. These restrictions can include the type of OS used, the protocols supported, the user accounts involved, the time of day, the logical addressing of the client, the LAN systems the remote client is allowed to communicate with, and even the content of the communication.

Another important aspect of remote access to consider is that even with the best security on the remote access link itself, if the remote client is compromised, it could lead to the compromise of the LAN. Remote clients can be compromised by malware, theft, or physical intrusion of their storage location.
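The first-stage defense and connection filtering described above, as an added example that is not part of the original notes: a fail-closed preauthentication gateway that refuses every remote link when the system is disabled, and otherwise applies the listed restrictions (OS, protocol, user account, client address, permitted LAN systems, time of day). Policy values, user names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class FilterPolicy:          # connection-filtering restrictions of the kinds listed above
    allowed_users: set
    allowed_os: set
    allowed_protocols: set
    client_networks: list    # logical addressing the remote client must come from
    allowed_lan_hosts: set   # LAN systems the remote client may reach
    window: tuple            # ("HH:MM", "HH:MM") time of day during which access is allowed

@dataclass
class RemoteRequest:
    user: str
    authenticated: bool      # outcome of the first-stage check (e.g. a one-time password)
    os: str
    protocol: str
    client_ip: str
    lan_target: str
    at: str                  # "HH:MM", zero-padded so string comparison orders correctly

class PreauthGateway:        # fail-closed first-stage barrier in front of the LAN
    def __init__(self, policy: FilterPolicy, enabled: bool = True):
        self.policy, self.enabled = policy, enabled

    def decide(self, r: RemoteRequest):
        p = self.policy
        if not self.enabled:          # a disabled preauth system refuses every remote link
            return False, "preauthentication system disabled"
        if not r.authenticated:       # nothing else is evaluated for an unauthenticated peer
            return False, "first-stage authentication failed"
        client = ipaddress.ip_address(r.client_ip)
        checks = [
            (r.user in p.allowed_users, "user account not permitted"),
            (r.os in p.allowed_os, "client OS not permitted"),
            (r.protocol in p.allowed_protocols, "protocol not permitted"),
            (any(client in ipaddress.ip_network(n) for n in p.client_networks),
             "client address not permitted"),
            (r.lan_target in p.allowed_lan_hosts, "LAN system not permitted"),
            (p.window[0] <= r.at <= p.window[1], "outside permitted time of day"),
        ]
        for ok, reason in checks:     # the first failing restriction is the reason to log
            if not ok:
                return False, reason
        return True, "permitted"

EXAMPLE_POLICY = FilterPolicy(  # constructed values: one user, RDP/SSH, one address block, office hours
    {"alice"}, {"Windows 7"}, {"rdp", "ssh"}, ["198.51.100.0/24"], {"10.0.0.25"}, ("08:00", "18:00"))
```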

References:
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.4 NAT

NAT

Network Address Translation (NAT) as defined in RFC 1631 enables a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic.

NAT acts as a proxy between the local area network (which may use private IP addresses) and the Internet (which must use public IP addresses).

Most NAT implementations assign internal hosts private IP address numbers and use public addresses only for the NAT to translate to and communicate with the outside world. The private address ranges are as follows:
  • 10.0.0.0–10.255.255.255
  • 172.16.0.0–172.31.255.255
  • 192.168.0.0–192.168.255.255
NAT is like the receptionist in a large office. The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that she is looking for you, the receptionist checks a lookup table that matches your name with your extension. The receptionist knows that you requested this call, and therefore forwards the caller to your extension.

NAT has many forms and can work in several ways, including:
  • Static NAT – Mapping an unregistered IP address to a registered IP address on a one-to-one basis.
  • Port Address Translation (PAT) – A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports.

NAT only allows connections that originated on the inside network. This means that an internal client can connect to an outside FTP server, but an outside client cannot connect to an internal FTP server, because it would have to originate the connection and NAT will not allow that.

The value of using NAT includes:

  • Security – external users do not know the real IP addresses of internal hosts
  • Efficiency – as it limits the number of public IP addresses an organization or company must use

NAT effectively hides your network from the world, making it much harder to determine what systems exist on the other side of the router. The NAT server effectively operates as a firewall for the network.

In addition to NAT, Port Address Translation (PAT) is possible. Whereas NAT can use multiple public IP addresses, PAT uses a single public address and tells the internal hosts apart by port number.

Along with Classless Interdomain Routing (CIDR), NAT helps reduce the need for a large amount of publicly known IP addresses by an organization or user.
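The PAT behaviour and the inside-originated rule described above, as an added example that is not part of the original notes: a small translator that checks the private ranges listed earlier, rewrites outbound packets to one public address with a per-flow port, translates replies back, and drops any inbound packet for which no inside host opened the flow. The public address 203.0.113.5 and the outside hosts 198.51.100.x are constructed documentation addresses.

```python
import ipaddress

# The RFC 1918 private ranges listed above; hosts in them are "inside" the NAT.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)

class PortAddressTranslator:
    """PAT: many inside hosts share one public address, told apart by public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (inside_ip, inside_port) -> public_port
        self.inbound = {}    # public_port -> (inside_ip, inside_port, outside_ip)

    def outbound_packet(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: create (or reuse) a mapping and rewrite the source."""
        if not is_private(src_ip):
            raise ValueError("only inside (private) hosts are translated")
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = (src_ip, src_port, dst_ip)
            self.next_port += 1
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def inbound_packet(self, src_ip, src_port, dst_port):
        """Outside -> inside: deliver only if an inside host originated the flow.
        Returns the rewritten packet, or None when the packet is dropped."""
        entry = self.inbound.get(dst_port)
        if entry is None or entry[2] != src_ip:   # no mapping, or a different outside peer
            return None
        inside_ip, inside_port, _ = entry
        return (src_ip, src_port, inside_ip, inside_port)
```

An outside host trying to reach port 21 directly never matches a mapping, which is the FTP case the notes describe.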

References:

  • http://computer.howstuffworks.com/nat1.htm
  • http://www.vicomsoft.com/learning-center/network-address-translation/
  • http://www.faqs.org/rfcs/
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.3 VLAN

VLAN

A virtual local area network, virtual LAN or VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location.

A VLAN allows you to create groups of users and systems and segment them on the network. This segmentation lets you hide segments of the network from other segments and thereby control access. You can also set up VLANs to control the paths that data takes to get from one point to another. A VLAN is a good way to contain network traffic to a certain area in a network.

A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together even if they are not located on the same network switch. VLAN membership can be configured through software instead of physically relocating devices or connections.

VLANs address issues such as scalability, security, and network management.

By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain.

On a LAN, hosts can communicate with each other directly through broadcasts; no forwarding devices, such as routers, are needed. As the LAN grows, the amount of broadcast traffic grows. Shrinking the size of the LAN by segmenting it into smaller groups (VLANs) reduces the size of the broadcast domains. The advantages of doing this include reducing the scope of the broadcasts, improving performance and manageability, and decreasing dependence on the physical topology. A key benefit is that VLANs can increase security by allowing users with similar data sensitivity levels to be segmented together.

A VLAN is a broadcast domain created by switches.
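The per-VLAN broadcast domain described above, as an added example that is not part of the original notes: a learning switch whose MAC table and flooding are kept separate for each VLAN, so a broadcast or unknown-destination frame never leaves the VLAN it arrived on and a MAC learned in one VLAN is not bridged to from another. Port numbers, VLAN ids and MAC addresses are constructed.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class VlanSwitch:
    """Learning switch whose MAC table and flooding are scoped to each VLAN.

    port_vlans maps each access port to the VLAN id assigned to it; membership is
    a software setting, not the physical location of the device.
    """

    def __init__(self, port_vlans: dict):
        self.port_vlans = port_vlans
        self.mac_table = defaultdict(dict)   # vlan -> {mac: port}

    def broadcast_domain(self, vlan: int) -> set:
        """All ports that a broadcast in this VLAN can reach."""
        return {p for p, v in self.port_vlans.items() if v == vlan}

    def forward(self, in_port: int, src_mac: str, dst_mac: str) -> set:
        """Return the egress ports for a frame; never a port in another VLAN."""
        vlan = self.port_vlans[in_port]
        self.mac_table[vlan][src_mac] = in_port   # learn the source in this VLAN only
        known = self.mac_table[vlan].get(dst_mac)
        if dst_mac != BROADCAST and known is not None:
            return set() if known == in_port else {known}
        # Broadcast or unknown unicast: flood, but only inside this VLAN's broadcast domain.
        return self.broadcast_domain(vlan) - {in_port}
```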

References:
  • http://www.cs.wustl.edu/~jain/cis788-97/ftp/virtual_lans/index.htm
  • http://www.petri.co.il/csc_setup_a_vlan_on_a_cisco_switch.htm
  • http://www.tech-faq.com/vlan.html
  • http://en.wikipedia.org/wiki/Virtual_LAN
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney